X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=prepare.mdwn;h=da84a2e4448868813eda1f9199d1cc2abfa77368;hb=cc27f9c40bbb6ed3c620f2b181678642489c58b9;hp=e5146d7510af8c7b3b87d114309c3430df68f6ee;hpb=f7f82687b1ff8b8700008b9801d9b048eae01bba;p=devwiki.git diff --git a/prepare.mdwn b/prepare.mdwn index e5146d7..da84a2e 100644 --- a/prepare.mdwn +++ b/prepare.mdwn 
@@ -1,17 +1,56 @@ # Preparing to use Moonshot +This set of instructions assumes you are using system Kerberos libraries; some things will be relative to the installation prefix of Kerberos if you are using Kerberos built from source. + + First, look at the mech file in the mech_eap directory of the source tree. Copy this file to /etc/gss/mech (or on Debian/Ubuntu systems /usr/etc/gss/mech). The Debian path is a bug that will be fixed; this page will be updated after. Then, create a symlink from /usr/lib/gss/mech_eap.so to the installed mech_eap.so. Are you getting the feeling you're running down some untested code paths here yet? -On Debian systems make sure /usr/lib/freeradius is in your default linker search path. Perhaps edit /etc/ld.so.conf and run ldconfig. Yes, that too is a bug. +On Debian systems if you are using the system freeradius libraries make sure /usr/lib/freeradius is in your default linker search path. Perhaps edit /etc/ld.so.conf and run ldconfig. Yes, that too is a bug. If you are not using system freeradius libraries you probably have to do something similar. + +Create a valid freeradius dictionary in $prefix/etc/radb/dictionary. This may be a bug as well. + +# Configuring Kerberos + +Configure Kerberos, you ask? But I'm not using Kerberos! +True, but the Kerberos library is kind of self-centered at the moment and doesn't believe anyone would ever want to not use Kerberos. +So, it requires that servers be able to set up Kerberos even if they never use it. +Please see also a bug. +So you want something like + +Contents of /etc/krb5.conf: + + [libdefaults] + default_realm = YOUR_DOMAIN_ALL_CAPS + +Then run ktutil + + addprinc --password -p host/hostname.your_domain@YOUR_DOMAIN_ALL_CAPS -k 1 -e aes256-cts + +Enter a password of your choice + + wkt /etc/krb5.keytab + quit + +Then chmod a+r /etc/krb5.keytab. Note that would be a very bad thing to do if you actually were using Kerberos. 
It may still be a bad thing to do if you have services enabled that can potentially use Kerberos. + +# Configuring libradsec -Create a radsec.conf in $prefix/etc/radsec.conf. + cat > $prefix/etc/radsec.conf << EOF + config gss-eap { + type = "UDP" + server { + hostname = "127.0.0.1" + service = "1820" + secret = "$secret" + } + } + EOF -Create a valid freeradius dictionary in $prefix/share/freeradius/dictionary. This may be a bug as well. +$secret is the secret you share with the radius server, i.e. the "secret" entry in FreeRADIUS configuration "client" clause. Todo: -* configure libradsec * Set up RADIUS
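Review bot: the new "Configuring Kerberos" text tells the reader to run `chmod a+r /etc/krb5.keytab`, which makes the host key readable by every local account, and the sentence that follows already concedes this is harmful whenever any Kerberos-capable service is enabled. Suggest replacing that step with ownership by the account the GSS-EAP service runs under and mode 0640 (or a separate keytab used only by that service), so the page does not recommend a world-readable keytab. Same hunk, "Configuring libradsec": the unquoted `<< EOF` heredoc expands `$secret` at creation time, so the shared secret lands in `$prefix/etc/radsec.conf` in clear text; add a step restricting that file's permissions, and confirm that `service = "1820"` is the intended port, since the standard RADIUS authentication port is 1812.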