From: Sam Hartman Date: Fri, 11 Mar 2011 22:23:46 +0000 (-0500) Subject: Note Kerberos bogosity X-Git-Url: http://www.project-moonshot.org/gitweb/?p=devwiki.git;a=commitdiff_plain;h=304e9af7280a96cede7da4940bbdad95bffe078d Note Kerberos bogosity --- diff --git a/prepare.mdwn b/prepare.mdwn index e5146d7..ed728bb 100644 --- a/prepare.mdwn +++ b/prepare.mdwn @@ -10,6 +10,31 @@ Create a radsec.conf in $prefix/etc/radsec.conf. Create a valid freeradius dictionary in $prefix/share/freeradius/dictionary. This may be a bug as well. +# Configuring Kerberos + +Configure Kerberos, you ask? But I'm not using Kerberos! +True, but the Kerberos library is kind of self-centered at the moment and doesn't believe anyone would ever want to not use Kerberos. +So, it requires that servers be able to set up Kerberos even if they never use it. +Please see also a bug. +So you want something like + +Contents of /etc/krb5.conf: + + [libdefaults] + default_realm = YOUR_DOMAIN_ALL_CAPS + +Then run ktutil + + addprinc --password -p host/hostname.your_domain@YOUR_DOMAIN_ALL_CAPS -k 1 -e aes256-cts + +Enter a password of your choice + + wkt /etc/krb5.keytab + quit + +Then chmod a+r /etc/krb5.keytab. Note that would be a very bad thing to do if you actually were using Kerberos. It may still be a bad thing to do if you have services enabled that can potentially use Kerberos. + + Todo: * configure libradsec
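Review bot: The final step of the new "Configuring Kerberos" section, `chmod a+r /etc/krb5.keytab`, makes the host key readable by every local user, and the text's own caveat admits this is unsafe once anything on the machine can use Kerberos. Consider granting read access only to the user or group the server runs as, instead of `a+r`, so the placeholder keytab cannot become an exposed credential later if Kerberos is enabled. Two smaller points in the same hunk: the line under "Then run ktutil" uses `addprinc --password`, but `addprinc` is a kadmin command, and MIT ktutil adds a keytab entry with `addent -password -p ... -k ... -e ...`, so the instruction as written is likely to fail for readers who paste it. "Please see also a bug." has no link or identifier, so the reader cannot find the bug it refers to; add the reference or drop the sentence.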