path: root/crypto/heimdal/packages/debian/README.Debian
blob: 41a73cc9a7c82145fe17a47c2a9e1686d9d37826 (plain)
Note on ksu
-----------
This program is not installed setuid root by default. If you want to
install it setuid root, then you can override the package permissions
with:

dpkg-statoverride --update --add root root 4755 /usr/bin/ksu

Note on ipropd and/or hpropd
----------------------------
The following entries may be required in your /etc/services
file (see bug #139845):

krb_prop      754/tcp                         # Kerberos slave propagation
iprop         2121/tcp                        # incremental propagation

Note on kerberos.8 man page
---------------------------
This man page is not currently included due to a conflict with the kerberos4kth-kdc
package. For more information on Kerberos, see:
http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

Installing heimdal for Debian
-----------------------------
(Note: if you do not have a krb4 KDC, you may need to include
"krb4_get_tickets = no" in the [libdefaults] section of
kdc.conf; otherwise kinit will complain with an error).

Things you will have to do manually (see info documentation for
details):

On KDC:
1. Add administrator keys using kadmin.

For example:
# kadmin -l
kadmin> add bam/admin
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
bam/admin@CHOCBIT.ORG.AU's Password:
Verifying password - bam/admin@CHOCBIT.ORG.AU's Password:

2. Add kadmin/admin key to KDC:

For example:
# kadmin -l
kadmin> add -r kadmin/admin@CHOCBIT.ORG.AU
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:

(note: this key doesn't need to be extracted).

3. Enable remote administration by creating /etc/heimdal-kdc/kadmind.acl

For example:
echo 'bam/admin@CHOCBIT.ORG.AU all' > /etc/heimdal-kdc/kadmind.acl

4. Test.

For example:
# kadmin -p bam/admin
bam/admin@CHOCBIT.ORG.AU's Password:
kadmin> list *
[should list all keys]

5. Add user keys

For example:
# kadmin -p bam/admin
bam/admin@CHOCBIT.ORG.AU's Password:
kadmin> add bam


On other computers:
1. If you installed heimdal-clients-x or heimdal-servers-x,
then you will need to add the following entry to /etc/services
kx              2111/tcp                        # X over kerberos
(check to make sure this doesn't already exist).
2. Edit /etc/krb5.conf
3. Set up secret keys on each computer, using kadmin and/or ktutil.

For example, on remote computer dewey.chocbit.org.au:
bam/admin@CHOCBIT.ORG.AU's Password:
kadmin> add -r host/dewey.chocbit.org.au
[...]
kadmin> ext host/dewey.chocbit.org.au
kadmin> add -r ftp/dewey.chocbit.org.au
[...]
kadmin> ext ftp/dewey.chocbit.org.au

The ext command extracts keys to /etc/krb5.keytab, where
they can be inspected with the "ktutil list" command at the
shell prompt.
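
Added example (not part of the original README or the package): one way to
make the /etc/services checks from the ipropd/hpropd note and from step 1
above idempotent, refusing to append when the name or port is already taken.
The function names ensure_service and add_heimdal_services are hypothetical.

```shell
# ensure_service FILE NAME PORT/PROTO COMMENT
# Returns 0 = already present, 1 = appended, 2 = conflict (file untouched).
ensure_service() {
    file=$1 name=$2 portproto=$3 comment=$4
    verdict=$(awk -v n="$name" -v p="$portproto" '
        BEGIN { split(p, want, "/") }
        { sub(/#.*/, "") }                 # drop trailing comments
        NF < 2 { next }                    # blank or malformed line
        {
            split($2, have, "/")
            if (have[2] != want[2]) next   # other protocol: no clash
            hit = ($1 == n)
            for (i = 3; i <= NF; i++) if ($i == n) hit = 1   # aliases
            if (hit && have[1] == want[1]) { print "present"; exit }
            if (hit) { print "conflict: " n " is already " $2; exit }
            if (have[1] == want[1]) { print "conflict: " p " is used by " $1; exit }
        }' "$file")
    case $verdict in
        present)   return 0 ;;
        conflict*) echo "$file: $verdict" >&2; return 2 ;;
    esac
    printf '%-15s %-31s # %s\n' "$name" "$portproto" "$comment" >> "$file"
    return 1
}

# Apply the three entries named in this README; returns 2 if any conflicts.
add_heimdal_services() {
    rc=0
    ensure_service "$1" krb_prop 754/tcp  "Kerberos slave propagation" || [ $? -eq 1 ] || rc=2
    ensure_service "$1" iprop    2121/tcp "incremental propagation"    || [ $? -eq 1 ] || rc=2
    ensure_service "$1" kx       2111/tcp "X over kerberos"            || [ $? -eq 1 ] || rc=2
    return $rc
}
```

Run add_heimdal_services /etc/services as root; a return status of 2 means
an existing line needs manual review before the daemon can use that port.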

Tell me if any files conflict with any other package - do not
try to force the package to install, otherwise things may break...
In general, this package conflicts with kerberos4kth and
probably MIT Kerberos (not packaged as of potato). Local
installations under /usr/local should be OK.

Changes from upstream source:
1. popper checks for $HOME/Maildir, $HOME/Mailbox and /var/spool/mail/<user>
in that order.
2. /var/lib/heimdal-kdc used instead of /var/heimdal
3. /usr/bin/login moved to /usr/lib/heimdal-servers
4. /usr/lib/heimdal-servers used instead of /usr/libexec
5. telnet and ftp have been renamed to ktelnet and kftp, and
use the update-alternatives mechanism. In the future, this
should allow heimdal-clients to exist at the same time
as telnet-ssl.
6. kdc config files kdc.conf and kadmind.acl stored in
/etc/heimdal-kdc instead of /usr/lib/heimdal-servers.

 -- Brian May <bam@debian.org>, Wed,  8 Dec 1999 11:54:13 +1100