-Build heimdal. Include --enable-kaserver and --enable-kaserver-db when you configure. You also need kth-krb installed and --with-krb4 turned on for maximum utility.
-Set up /var/heimdal. On the master you need:
-A text file named slaves with e.g.:
iprop/full.name.of.slave1@YOUR.REALM
iprop/full.name.of.slave2@YOUR.REALM
if you had only these two slaves.
-A text file named kadmind.acl with e.g.:
--Begin kadmind.acl file--
--End kadmind.acl file--
The man page for kadmind explains the format and rights for this file.
-Set up inetd.conf or equivalent. You want at least the krb5 kadmind, which is:
kerberos-adm stream tcp nowait root /usr/local/libexec/kadmind kadmind
You may also want the krb4 kadmind (which also allows krb4 password clients to work):
kerberos_master stream tcp nowait root /usr/local/libexec/kadmind v4kadmind
Obviously these may vary for your particular inetd and installed paths.
-Set up your rc scripts. Your master will run e.g.:
/usr/local/libexec/kdc
/usr/local/libexec/kpasswdd
/usr/local/libexec/ipropd-master
and each slave:
/usr/local/libexec/kdc
/usr/local/libexec/ipropd-slave host.name.of.master
Mine run out of the bosserver.
--Beginning of krb5.conf--
default_realm = YOUR.REALM
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
v4_instance_resolve = false
kdc = host.name.of.master
kdc = host.name.of.slave1
kdc = host.name.of.slave2
admin_server = host.name.of.master
default_domain = my.domain
v4_domains = my.domain subdomain.my.domain other.domain.using.my.realm
.my.domain = YOUR.REALM
.subdomain.my.domain = YOUR.REALM
.other.domain.using.my.realm = YOUR.REALM
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/heimdal/kdc.log
admin_server = FILE:/var/heimdal/kadm5.log
enable-kerberos4 = true
enable-kaserver = true
Note that I make kadmin create v4 and v5 keys but no afs keys. This is deliberate. AFS can deal with v4 keys, and that has been so since around AFS 3.1b. You don't need afs keys for anything other than kas and AFS kpasswd, and you're done with those now. The v4_domains and domain_realm sections are there to ease your burden if you support a realm which spans multiple DNS domains, and may not apply to you.
-Create a master key on your master and slaves:
Verifying password - Master key:
-Create a krb5 database:
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
The questions are a matter of policy. You have to decide what's appropriate.
# hprop --source=kaserver -c your.cell -r YOUR.REALM -R YOUR.REALM -n|hpropd -n
-Create the other keys you need on the master using kadmin -l:
On your master you will need in /etc/krb5.keytab all of the following:
iprop/host.name.of.master@YOUR.REALM
kadmin/hprop@YOUR.REALM
kadmin/admin@YOUR.REALM
kadmin/changepw@YOUR.REALM
and, if you use v4kadmind,
changepw/kerberos@YOUR.REALM
Create them using ank -r, then use ext_keytab to get them into your keytab.
-Start your kdc, and make sure kadmind is running, at least.
-On your slaves you will need only
iprop/host.name.of.this.slave@YOUR.REALM
You can now run kadmin -p some/admin if that admin is in kadmind.acl on the master, and use ank -r and ext_keytab to do this step.
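A check for the master and slave keytab steps above, added here and not part of the original notes: it reads the output of ktutil -k /etc/krb5.keytab list on stdin and reports which of the required principals are absent, so you can spot a missing ank -r/ext_keytab before starting ipropd. The column layout (Vno, Type, Principal) is assumed, and the host names kdc1.my.domain and kdc2.my.domain are constructed for the sample.

```shell
# Check a KDC keytab listing for the principals this procedure needs.
# ROLE is "master" or "slave"; HOST is the full name of that KDC; V4 is "yes"
# when v4kadmind is enabled in inetd.conf. Reads the output of
#   ktutil -k /etc/krb5.keytab list
# on stdin. Returns 0 if every required principal is present, 1 otherwise,
# and prints an ank -r / ext_keytab hint for each one that is missing.
check_kdc_keytab() {
    role=$1 realm=$2 host=$3 v4=$4
    listing=$(cat)
    required="iprop/$host@$realm"
    if [ "$role" = master ]; then
        required="$required kadmin/hprop@$realm kadmin/admin@$realm kadmin/changepw@$realm"
        if [ "$v4" = yes ]; then
            required="$required changepw/kerberos@$realm"
        fi
    fi
    missing=0
    for p in $required; do
        # Assumed column layout: Vno, Type, Principal. Compare the third field
        # exactly so a partial match such as kadmin/admin-old does not count.
        if ! printf '%s\n' "$listing" | awk -v p="$p" '$3 == p { found = 1 } END { exit !found }'; then
            echo "missing: $p  (kadmin -l: ank -r $p ; ext_keytab $p)" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample listing in the shape ktutil prints (not captured from a real KDC).
SAMPLE_LISTING='Vno  Type         Principal                          Aliases
  1  des-cbc-crc  iprop/kdc1.my.domain@YOUR.REALM
  1  des-cbc-crc  kadmin/hprop@YOUR.REALM
  1  des-cbc-crc  kadmin/admin@YOUR.REALM
  1  des-cbc-crc  kadmin/changepw@YOUR.REALM'

# Complete for a krb5-only master; incomplete once v4kadmind is enabled,
# because changepw/kerberos has not been created yet.
printf '%s\n' "$SAMPLE_LISTING" | check_kdc_keytab master YOUR.REALM kdc1.my.domain no && echo "krb5 master keytab complete"
printf '%s\n' "$SAMPLE_LISTING" | check_kdc_keytab master YOUR.REALM kdc1.my.domain yes || echo "v4 master keytab incomplete"
```

On a real KDC, pipe the listing in with ktutil -k /etc/krb5.keytab list | check_kdc_keytab master YOUR.REALM host.name.of.master yes.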
-Now you can enable the master and slave ipropds. Run a client against a slave kdc and/or read the logs. Hopefully you're in business.
-Enable kpasswdd on the master. You should now be done.