Setting up FreeBSD to be a an AD Slave with KerberosV

Jason C. Wells idontwantspam at anywhere.com
Mon May 19 18:03:49 EDT 2003


The kerberos docs on the MIT site make a lot more sense when you already
know what they mean.

That said, if you want a login authentication for host (i.e. shell)
access on your FreeBSD box, your FreeBSD box must have a host principal
in your KDC.  A host principal is of format
'host/fully_qualified_domain_name at REALM'.  Then the FreeBSD host itself
must have a host key (the machine's password) installed in its key
table, or keytab.

The syntax between the FreeBSD docs and the MIT docs do vary.  This was
a source of frustration for me as I got started with Kerberos.  Now I
don't use either the based Krb4 or Heimdal that came with FreeBSD.  I
use MIT Kerberos from the ports tree.

You will not need to run kadmind on the FreeBSD if you are administering
the Win2K AD server from whatever mechanism Win2K uses.  In fact, you
should only run kadmind on the master KDC.

To say that FreeBSD would be a slave is probably not correct.  Do you
intend to run a secondary KDC on your FreeBSD box?  If you are not
propogating your database from your primary Win2K KDC to a secondary
FreeBSD KDC, then your FreeBSD box is not a slave.  (BTW, master and
slave as we use them in reference to DNS do not have exactly the same
meaning in kerbspeak.  You are able to propogate databases from any
server to any server, thought it might not be wise.)

Your FreeBSD box would be a client.

MS has a pretty good UNIX interoperabiliy doc in their knowledge base. 
Sorry, you'll have to find the link.

Later,
Jason C. Wells

ME wrote:
> 
> I am having a tough time finding information on setting up a FreeBSD 4.8 box
> to authenticate via an internal Microsoft Active Directory domain using
> Kerberos 5.  What little I have found suggests that I need to setup a ticket
> file and srvtab file on the FreeBSD box.  I have attempted to do this but
> the documentation for KerberosV that I have found (
> http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/install.html#SEC49 )
> does not coincide with the FreeBSD kadmin syntax.  The Kerberos section in
> the FreeBSD handbook seems to discuss only Kerberos 4, and only setting up a
> server at that.  It is my understanding that the FreeBSD box would not be a
> server but simply a slave or client and the server would be AD server.  Is
> there any one that has had success at setting this up on FreeBSD 4.8?  If so
> do you have any documentation that I could read?
> 
> Thanks,
> 
> Matt


More information about the Kerberos mailing list