version 1.7, 2011/08/06 00:09:47
|
version 1.12, 2015/02/04 03:16:53
|
Line 1
|
Line 1
|
[[!tag kerberos howto]] |
[[!tag kerberos howto]] |
|
|
#### Why enable Kerberos on your system? |
## Why enable Kerberos on your system? |
|
|
Convenience and security. With |
Convenience and security. With |
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single |
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single |
login grants access to all NetBSD web services. Configuration is easy |
login grants access to all NetBSD web services. Configuration is easy |
and you only have to do it once (sometimes less). |
and you only have to do it once (sometimes less). |
|
|
#### [[!toggle id="macosx" text="Mac OS X"]] |
|
[[!toggleable id="macosx" text=""" |
|
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. |
|
To use Kerberized TNF services, log in with your Kerberos [[password]]: |
|
|
|
`$ kinit <username>@NETBSD.ORG` |
|
|
|
The right-hand side is a Kerberos realm, not a DNS domain. Case is significant! |
|
|
|
##### A Keychain.app trick |
|
|
|
To pop up a GUI password dialog: |
|
|
|
`$ kinit <username>@NETBSD.ORG </dev/null` |
## NetBSD |
|
|
Check "Remember this password in my keychain" to make future Kerberos |
|
logins (sans input redirection) prompt-free. |
|
"""]] |
|
|
|
#### [[!toggle id="netbsd" text="NetBSD"]] |
|
[[!toggleable id="netbsd" text=""" |
|
NetBSD needs to be configured to prevent Kerberos from being used |
NetBSD needs to be configured to prevent Kerberos from being used |
to log into _your_ system, and then to enable Kerberos. |
to log into _your_ system, and then to enable Kerberos. |
|
|
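Review bot: Removing the toggleable Mac OS X block drops the only terminal instructions for OS X (`$ kinit <username>@NETBSD.ORG` and the `</dev/null` Keychain.app variant), and the Mac OS X section added later in this change is GUI-only. If command-line login is still supported on OS X, keep a one-line `kinit` alternative in the new section so users working over SSH or without Ticket Viewer still have a documented path. Also check that the new `## NetBSD` heading sits directly above the "NetBSD needs to be configured" paragraph, since the toggle markup that used to introduce that paragraph is removed here.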
Line 42 NetBSD will now autodiscover and uses th
|
Line 24 NetBSD will now autodiscover and uses th
|
in DNS. To use Kerberized TNF services, log in with your Kerberos |
in DNS. To use Kerberized TNF services, log in with your Kerberos |
[[password]]: |
[[password]]: |
|
|
`$ kinit <username>@NETBSD.ORG` |
$ kinit <username>@NETBSD.ORG |
|
|
The right-hand side is a Kerberos realm, not a DNS domain. Case is significant! |
The right-hand side is a Kerberos realm, not a DNS domain. *Case is significant!* |
"""]] |
|
|
|
#### [[!toggle id="windows" text="Windows XP"]] |
|
[[!toggleable id="windows" text=""" |
|
|
|
Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory. |
## Mac OS X |
|
|
Therefore, to use [[Kerberos]], you should follow the following steps: |
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. |
|
To use Kerberized TNF services, log in with your Kerberos [[password]]: |
|
|
7. Download the [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) installer. It is composed of different tools traditionally found with Kerberos distributions, like [[!template id=man name=kinit section=1]] or [[!template id=man name=klist section=1]], and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets. |
7. Launch the `Ticket Viewer.app` from `/System/Library/CoreServices` |
|
|
7. Install the package. Use the default provided options, then restart the computer. |
7. Press the "Add Identity" button |
|
|
7. The Network Identity Manager [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf) should automatically start when you login. As there is no principal currently configured, it should open a dialog box to obtain the new credentials. |
7. In the identity field enter your `<username>@NETBSD.ORG` |
|
|
7. Enter your principal: |
The right-hand side is a Kerberos realm, not a DNS domain. *Case is significant!* |
|
|
|
7. Enter the password associated with this identity in the password field |
|
|
Username: <username> |
By default Ticket Viewer.app will save password details in keychain, un-tick "Remember password in my keychain" if this is not desired behaviour |
Realm: NETBSD.ORG |
|
|
7. Press continue |
|
|
|
If successful, you'll be returned to the main window with a new entry below the icons containing `<username>@NETBSD.ORG` and the date and time which the ticket obtained is due to expired. |
|
|
|
## Windows XP |
|
|
|
Windows does not provide an easy way to configure and use KDCs |
|
different from the one embedded into an Active Directory. |
|
|
|
Therefore, to use [[Kerberos]], you should follow the following |
|
steps: |
|
|
|
7. Download the |
|
[MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) |
|
installer. It is composed of different tools traditionally found |
|
with Kerberos distributions, like |
|
[[!template id=man name=kinit section=1]] or |
|
[[!template id=man name=klist section=1]], and a Network Identity |
|
Manager, an application used to manage credential caching of |
|
Kerberos tickets. |
|
|
|
7. Install the package. Use the default provided options, then |
|
restart the computer. |
|
|
|
7. The Network Identity Manager |
|
[(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf) |
|
should automatically start when you login. As there is no principal |
|
currently configured, it should open a dialog box to obtain the |
|
new credentials. |
|
|
|
7. Enter your principal: |
|
|
7. Click `Ok`. After a few seconds, it should obtain the TGT for you from NetBSD.ORG KDC. |
Username: <username> |
|
Realm: NETBSD.ORG |
|
|
"""]] |
7. Click `Ok`. After a few seconds, it should obtain the TGT for |
|
you from the NETBSD.ORG KDC. |
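Review bot: In the new Mac OS X steps, the note that Ticket Viewer saves the password in the keychain by default is an unnumbered line sitting between the "Enter the password" and "Press continue" items. That placement can split the numbered list and makes the opt-out easy to miss. Fold it into the password step, for example "Enter the password; un-tick 'Remember password in my keychain' if you do not want it stored." The same applies to the realm/case warning placed between the identity and password items. Two smaller points: "the ticket obtained is due to expired" should read "is due to expire", and the NetBSD `kinit` line loses its backticks in this version, so confirm it is indented enough to still render as code. The Windows section is only reflowed and still carries the "Windows XP" heading and the kfw-3.2 links; since the text is being touched anyway, confirm those are still the intended targets.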