From 304e9af7280a96cede7da4940bbdad95bffe078d Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Fri, 11 Mar 2011 17:23:46 -0500 Subject: [PATCH] Note Kerberos bogosity --- prepare.mdwn | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/prepare.mdwn b/prepare.mdwn index e5146d7..ed728bb 100644 --- a/prepare.mdwn +++ b/prepare.mdwn @@ -10,6 +10,31 @@ Create a radsec.conf in $prefix/etc/radsec.conf. Create a valid freeradius dictionary in $prefix/share/freeradius/dictionary. This may be a bug as well. +# Configuring Kerberos + +Configure Kerberos, you ask? But I'm not using Kerberos! +True, but the Kerberos library is kind of self-centered at the moment and doesn't believe anyone would ever want to not use Kerberos. +So, it requires that servers be able to set up Kerberos even if they never use it. +Please see also a bug. +So you want something like + +Contents of /etc/krb5.conf: + + [libdefaults] + default_realm = YOUR_DOMAIN_ALL_CAPS + +Then run ktutil + + addprinc --password -p host/hostname.your_domain@YOUR_DOMAIN_ALL_CAPS -k 1 -e aes256-cts + +Enter a password of your choice + + wkt /etc/krb5.keytab + quit + +Then chmod a+r /etc/krb5.keytab. Note that would be a very bad thing to do if you actually were using Kerberos. It may still be a bad thing to do if you have services enabled that can potentially use Kerberos. + + Todo: * configure libradsec -- 2.1.4
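Review bot: the ktutil step in the new "Configuring Kerberos" section mixes kadmin and ktutil syntax and will not run as written. `addprinc` is a kadmin command, not a ktutil one; the MIT ktutil command that adds a keytab entry from a password is `addent -password -p host/hostname.your_domain@YOUR_DOMAIN_ALL_CAPS -k 1 -e aes256-cts` (single-dash options), followed by `wkt /etc/krb5.keytab` and `quit` as the hunk already shows. It would also help to say that the instructions are for MIT Kerberos, since Heimdal's ktutil uses different commands, and that `wkt` into /etc/krb5.keytab must run as root. "Please see also a bug." points at nothing; it should carry the bug's URL or number. Finally, the `chmod a+r /etc/krb5.keytab` step deserves a stronger caveat than "may still be a bad thing": a world-readable keytab lets any local user obtain the host principal's key, so the text should name the process that needs to read it and recommend a group-readable keytab (chgrp to that service's group, mode 640) rather than a+r.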