X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=prepare.mdwn;h=db1ec73e9b09e6bd8635a6c882376eeec18d0f51;hb=c545c8a863cad78670934b715e5b907d9b018549;hp=a239733ffe269a6ffcacc4577b5feb54a0d65d5a;hpb=bbac5dd80636b7e412c353a0a820eea06e579728;p=devwiki.git diff --git a/prepare.mdwn b/prepare.mdwn index a239733..db1ec73 100644 --- a/prepare.mdwn +++ b/prepare.mdwn 
@@ -1,10 +1,55 @@ # Preparing to use Moonshot -First, look at the mech file in the mech_eap directory of the source -tree. Copy this file to /etc/gss/mech and change the location of -mech_eap.so to be correct for your installation. +First, look at the mech file in the mech_eap directory of the source tree. Copy this file to /etc/gss/mech (or on Debian/Ubuntu systems /usr/etc/gss/mech). The Debian path is a bug that will be fixed; this page will be updated after. + +Then, create a symlink from /usr/lib/gss/mech_eap.so to the installed mech_eap.so. Are you getting the feeling you're running down some untested code paths here yet? + +On Debian systems make sure /usr/lib/freeradius is in your default linker search path. Perhaps edit /etc/ld.so.conf and run ldconfig. Yes, that too is a bug. + +Create a radsec.conf in $prefix/etc/radsec.conf. + +Create a valid freeradius dictionary in $prefix/share/freeradius/dictionary. This may be a bug as well. + +# Configuring Kerberos + +Configure Kerberos, you ask? But I'm not using Kerberos! +True, but the Kerberos library is kind of self-centered at the moment and doesn't believe anyone would ever want to not use Kerberos. +So, it requires that servers be able to set up Kerberos even if they never use it. +Please see also a bug. +So you want something like + +Contents of /etc/krb5.conf: + + [libdefaults] + default_realm = YOUR_DOMAIN_ALL_CAPS + +Then run ktutil + + addprinc --password -p host/hostname.your_domain@YOUR_DOMAIN_ALL_CAPS -k 1 -e aes256-cts + +Enter a password of your choice + + wkt /etc/krb5.keytab + quit + +Then chmod a+r /etc/krb5.keytab. Note that would be a very bad thing to do if you actually were using Kerberos. It may still be a bad thing to do if you have services enabled that can potentially use Kerberos. 
+ +# Configuring libradsec + + cat > $prefix/etc/radsec.conf << EOF + config gss-eap { + type = "UDP" + server { + hostname = "127.0.0.1" + service = "1820" + secret = "$secret" + } + } + EOF + +$secret is the secret you share with the radius server, i.e. the "secret" entry in FreeRADIUS configuration "client" clause. + Todo: -* configure libradsec * Set up RADIUS
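Review bot: the ktutil step in the Kerberos section is not a valid ktutil command as written: `addprinc` is a kadmin command, and with MIT ktutil (which is what the later `wkt` alias for `write_kt` implies) the entry is created with `add_entry -password -p host/hostname.your_domain@YOUR_DOMAIN_ALL_CAPS -k 1 -e aes256-cts`; please correct the command so readers do not get an "unknown command" at this step. On the same section, rather than `chmod a+r /etc/krb5.keytab`, consider telling readers to write the entry to a separate keytab owned by the service user (and point the library at it with `KRB5_KTNAME`), since the text itself notes that a world-readable system keytab is dangerous on any host that also runs Kerberos-enabled services. Finally, the new libradsec section writes the RADIUS shared secret into `$prefix/etc/radsec.conf` via the heredoc; a short note to restrict that file's permissions to the user running the GSS mechanism would be worth adding next to the `$secret` explanation.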