svn rev #25006: trunk/doc/rst_source/krb_admins/ install_clients/ install_kdc/

tsitkova@MIT.EDU
Thu Jun 30 14:22:44 EDT 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=25006
Commit By: tsitkova
Log Message:
Added "Installing and configuring UNIX client machines" section





Changed Files:
U   trunk/doc/rst_source/krb_admins/index.rst
U   trunk/doc/rst_source/krb_admins/install_appl_srv.rst
A   trunk/doc/rst_source/krb_admins/install_clients/cl_config.rst
U   trunk/doc/rst_source/krb_admins/install_clients/index.rst
A   trunk/doc/rst_source/krb_admins/install_clients/mac_osX_config.rst
U   trunk/doc/rst_source/krb_admins/install_kdc/index.rst
Modified: trunk/doc/rst_source/krb_admins/index.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/index.rst	2011-06-30 16:13:44 UTC (rev 25005)
+++ trunk/doc/rst_source/krb_admins/index.rst	2011-06-30 18:22:44 UTC (rev 25006)
@@ -5,17 +5,14 @@
 Contents:
 ---------
 
+
 .. toctree::
    :maxdepth: 1
 
    install.rst
-
-.. toctree::
-   :maxdepth: 2
-
    conf_files/index.rst
-   dns.rst
    realm_config/index.rst
+   dns.rst
    database/index.rst
    conf_ldap.rst
    appl_servers/index.rst
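Review bot: folding the second toctree (`:maxdepth: 2`) into the first (`:maxdepth: 1`) changes how conf_files/index.rst, realm_config/index.rst, database/index.rst and appl_servers/index.rst render: their sub-pages no longer show up in this contents list. If that is intended, fine; otherwise keep `:maxdepth: 2` on the merged directive. The lone `+` line before `.. toctree::` adds a second blank line after the `Contents:` underline and can be dropped, and the reordering of dns.rst after realm_config/index.rst is not mentioned in the log message.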

Modified: trunk/doc/rst_source/krb_admins/install_appl_srv.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_appl_srv.rst	2011-06-30 16:13:44 UTC (rev 25005)
+++ trunk/doc/rst_source/krb_admins/install_appl_srv.rst	2011-06-30 18:22:44 UTC (rev 25006)
@@ -8,7 +8,7 @@
 .. _kt_file_label:
 
 
-The Keytab File
+The keytab file
 ----------------------
 
 All Kerberos server machines need a *keytab* file, called */etc/krb5.keytab*, to authenticate to the KDC. The keytab file is an encrypted, local, on-disk copy of the host's key. The keytab file, like the stash file (See :ref:`create_db_label`) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to its host. The *keytab* file should be readable only by root, and should exist only on the machine's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine's root password itself.
@@ -35,7 +35,7 @@
 
 If you generate the *keytab* file on another host, you need to get a copy of the *keytab* file onto the destination host (*trillium*, in the above example) without sending it unencrypted over the network.
 
-Some Advice about Secure Hosts
+Some advice about secure hosts
 --------------------------------------
 
 Kerberos V5 can protect your host from certain types of break-ins, but it is possible to install Kerberos V5 and still leave your host vulnerable to attack. Obviously an installation guide is not the place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them.

Added: trunk/doc/rst_source/krb_admins/install_clients/cl_config.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_clients/cl_config.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_admins/install_clients/cl_config.rst	2011-06-30 18:22:44 UTC (rev 25006)
@@ -0,0 +1,24 @@
+Client machine configuration files
+=====================================
+
+
+Each machine running Kerberos must have a */etc/krb5.conf* file. (See :ref:`krb5_conf_label`.)
+
+Also, for most UNIX systems, you must add the appropriate Kerberos services to each client machine's */etc/services* file. If you are using the default configuration for Kerberos V5, you should be able to just insert the following code::
+
+     kerberos      88/udp    kdc    # Kerberos V5 KDC
+     kerberos      88/tcp    kdc    # Kerberos V5 KDC
+     kerberos-adm  749/tcp          # Kerberos 5 admin/changepw
+     kerberos-adm  749/udp          # Kerberos 5 admin/changepw
+     krb5_prop     754/tcp          # Kerberos slave propagation
+     krb524        4444/tcp         # Kerberos 5 to 4 ticket translator
+     
+
+------------
+
+Feedback:
+
+Please, provide your feedback or suggest a new topic at krb5-bugs at mit.edu?subject=Documentation___cl_install
+
+
+
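Review bot: the /etc/services block is presented as something the reader "should be able to just insert", so every line in it should be one that is still needed; please confirm that `krb524 4444/tcp # Kerberos 5 to 4 ticket translator` (the krb4 translator) and `kerberos-adm 749/udp` (a UDP duplicate of the TCP admin entry) still apply to this tree, or drop them with a sentence saying why. Two smaller points: the line after the block (`+     `) is whitespace-only, and the feedback line `krb5-bugs at mit.edu?subject=Documentation___cl_install` will not render as a working link with the subject attached unless it is written as an explicit `mailto:` hyperlink; since the same three-line feedback block is pasted into each of the new client pages, a shared include or substitution would avoid the copies.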

Modified: trunk/doc/rst_source/krb_admins/install_clients/index.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_clients/index.rst	2011-06-30 16:13:44 UTC (rev 25005)
+++ trunk/doc/rst_source/krb_admins/install_clients/index.rst	2011-06-30 18:22:44 UTC (rev 25006)
@@ -1,4 +1,21 @@
-Installing and Configuring UNIX Client Machines
+Installing and configuring UNIX client machines
 =====================================================
 
+The Kerberized client programs are *kinit, klist, kdestroy, kpasswd,* and *ksu*. All of these programs are in the directory */usr/local/bin*. MIT recommends that you use login.krb5 in place of /bin/login to give your users a single-sign-on system. You will need to make sure your users know to use their Kerberos passwords when they log in.
 
+You will also need to educate your users to use the ticket management programs *kinit, klist, kdestroy,* and to use the Kerberos programs *ksu* and *kpasswd* in place of their non-Kerberos counterparts *su* and *passwd*. 
+
+.. toctree::
+   :maxdepth: 1
+
+   cl_config.rst
+   mac_osX_config.rst
+
+------------
+
+Feedback:
+
+Please, provide your feedback or suggest a new topic at krb5-bugs at mit.edu?subject=Documentation___cl_install
+
+
+
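Review bot: "All of these programs are in the directory /usr/local/bin" is only true for the default install prefix; say that they live in the bin directory under the configured prefix (/usr/local/bin by default). The same paragraph recommends login.krb5 in place of /bin/login and ksu in place of su without pointing to where either is documented; a :ref: to the relevant pages would help, as would a note that the ticket management commands named here (kinit, klist, kdestroy, kpasswd) are listed twice in two consecutive paragraphs and could be merged into one. The feedback block duplicates the one in cl_config.rst, see the comment there.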

Added: trunk/doc/rst_source/krb_admins/install_clients/mac_osX_config.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_clients/mac_osX_config.rst	                        (rev 0)
+++ trunk/doc/rst_source/krb_admins/install_clients/mac_osX_config.rst	2011-06-30 18:22:44 UTC (rev 25006)
@@ -0,0 +1,63 @@
+Mac OS X configuration
+=======================
+
+To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the directions for generic Unix-based OS's, except for the */etc/services* updates described above.
+
+Mac OS X and Mac OS X Server use a database called NetInfo to store the contents of files normally found in */etc*. Instead of modifying */etc/services*, you should run the following commands to add the Kerberos service entries to NetInfo::
+
+     $ niutil -create . /services/kerberos
+     $ niutil -createprop . /services/kerberos name kerberos kdc
+     $ niutil -createprop . /services/kerberos port 750
+     $ niutil -createprop . /services/kerberos protocol tcp udp
+     $ niutil -create . /services/krbupdate
+     $ niutil -createprop . /services/krbupdate name krbupdate kreg
+     $ niutil -createprop . /services/krbupdate port 760
+     $ niutil -createprop . /services/krbupdate protocol tcp
+     $ niutil -create . /services/kpasswd
+     $ niutil -createprop . /services/kpasswd name kpasswd kpwd
+     $ niutil -createprop . /services/kpasswd port 761
+     $ niutil -createprop . /services/kpasswd protocol tcp
+     $ niutil -create . /services/klogin
+     $ niutil -createprop . /services/klogin port 543
+     $ niutil -createprop . /services/klogin protocol tcp
+     $ niutil -create . /services/eklogin
+     $ niutil -createprop . /services/eklogin port 2105
+     $ niutil -createprop . /services/eklogin protocol tcp
+     $ niutil -create . /services/kshell
+     $ niutil -createprop . /services/kshell name kshell krcmd
+     $ niutil -createprop . /services/kshell port 544
+     $ niutil -createprop . /services/kshell protocol tcp
+     
+
+In addition to adding services to NetInfo, you must also modify the resolver configuration in NetInfo so that the machine resolves its own hostname as a FQDN (fully qualified domain name). By default, Mac OS X and Mac OS X Server machines query NetInfo to resolve hostnames before falling back to DNS. Because NetInfo has an unqualified name for all the machines in the NetInfo database, the machine's own hostname will resolve to an unqualified name. Kerberos needs a FQDN to look up keys in the machine's keytab file.
+
+Fortunately, you can change the lookupd caching order to query DNS first. Run the following NetInfo commands and reboot the machine::
+
+     $ niutil -create . /locations/lookupd/hosts
+     $ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
+      NIAgent NILAgent
+     
+
+Once you have rebooted, you can verify that the resolver now behaves correctly. Compile the Kerberos 5 distribution and run::
+
+     $ cd .../src/tests/resolve
+     $ ./resolve
+     
+
+This will tell you whether or not your machine returns FQDNs on name lookups. If the test still fails, you can also try turning off DNS caching. Run the following commands and reboot::
+
+     $ niutil -create . /locations/lookupd/hosts
+     $ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent
+      CacheAgent NIAgent NILAgent
+     
+
+The remainder of the setup of a Mac OS X client machine or application server should be the same as for other UNIX-based systems.
+
+------------
+
+Feedback:
+
+Please, provide your feedback or suggest a new topic at krb5-bugs at mit.edu?subject=Documentation___cl_install
+
+
+
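Review bot: the NetInfo service entries disagree with the /etc/services block added to cl_config.rst in this same commit: here `kerberos` gets `port 750`, while cl_config.rst gives 88/udp and 88/tcp, and the krbupdate (760), kpasswd (761), klogin, eklogin and kshell entries have no counterpart there at all; one of the two lists needs to be reconciled before both ship. The opening sentence, "except for the /etc/services updates described above", should become a :ref: to cl_config.rst now that it is a separate page. Inside the two literal blocks the `LookupOrder` commands are wrapped onto a second line (`NIAgent NILAgent` and `CacheAgent NIAgent NILAgent`), so a reader copying them runs a truncated command followed by a bogus one; put each command on one line or end the first with a backslash. `$ cd .../src/tests/resolve` leaves the path elided; spell it out relative to the source tree. Finally, please confirm that `niutil` and NetInfo are still present on the Mac OS X releases this guide targets, since the whole page depends on them.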

Modified: trunk/doc/rst_source/krb_admins/install_kdc/index.rst
===================================================================
--- trunk/doc/rst_source/krb_admins/install_kdc/index.rst	2011-06-30 16:13:44 UTC (rev 25005)
+++ trunk/doc/rst_source/krb_admins/install_kdc/index.rst	2011-06-30 18:22:44 UTC (rev 25006)
@@ -48,7 +48,7 @@
 
 Now that the slave KDCs have copies of the Kerberos database, you can create stash files for them and start the krb5kdc daemon. 
 
-Finish Installing the Slave KDCs
+Finish installing the Slave KDCs
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. toctree::
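Review bot: "Finish installing the Slave KDCs" keeps "Slave" capitalized while every other heading touched by this commit is moved to sentence case ("The keytab file", "Some advice about secure hosts", "Installing and configuring UNIX client machines"); make it "Finish installing the slave KDCs" for consistency.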




More information about the cvs-krb5 mailing list