Subject: svn commit: r850675 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/
Date: Fri, 15 Feb 2013 10:07:57 -0000
To: commits@directory.apache.org
From: buildbot@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130215100757.C934923889B3@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: buildbot Date: Fri Feb 15 10:07:57 2013 New Revision: 850675 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/2-kerberos-config.html websites/staging/directory/trunk/content/apacheds/kerberos-ug/3-kerberos-admin.html websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.2-authenticate-studio.html Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/apacheds/kerberos-ug/4-using-kerberos.html websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.1-authenticate-kinit.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Fri Feb 15 10:07:57 2013 @@ -1 +1 @@ -1446272 +1446490 Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/2-kerberos-config.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/2-kerberos-config.html (added) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/2-kerberos-config.html Fri Feb 15 10:07:57 2013 @@ -0,0 +1,180 @@ + + + + + 2 - Kerberos Configuration — Apache Directory + + + + + + + + + + + + +
+ + + +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/3-kerberos-admin.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/3-kerberos-admin.html (added) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/3-kerberos-admin.html Fri Feb 15 10:07:57 2013 @@ -0,0 +1,180 @@ + + + + + 3 - Kerberos administration — Apache Directory + + + + + + + + + + + + +
+ + + +
+ + \ No newline at end of file Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/4-using-kerberos.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/4-using-kerberos.html (original) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/4-using-kerberos.html Fri Feb 15 10:07:57 2013 @@ -142,7 +142,7 @@
  • 4.1 - Authenticate with kinit on Linux
  • 4.2 - Authenticate with Studio
  • -

    1 - Using Kerberos

    +

    4 - Using Kerberos

    We will now describe how to use kerberos, namely how to obtain tickets.

    We will use either the kinit program installed on Linux or Studio for that.

    Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.1-authenticate-kinit.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.1-authenticate-kinit.html (original) +++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/4.1-authenticate-kinit.html Fri Feb 15 10:07:57 2013 @@ -125,7 +125,7 @@ - +

    4.1 - Authenticate with kinit on Linux

    +

    Setup

    +

    You first have to kake sure kinit is installed.

    +

    You can check that by typinhg kinit in a console :

    +
    $ kinit --version
    +kinit (Heimdal 1.4.1apple1)
    +Copyright 1995-2010 Kungliga Tekniska Högskolan
    +Send bug-reports to heimdal-bugs@h5l.org
    +$
    +
    + + +

    Then, you have to configure the krb5.conf file (it can be found in /etc/krb5.conf, if not just add it).

    +

    A minimal /etc/krb5.conf file looks as follows (make sure the port and host name matches!):

    +
    [libdefaults]
    +    default_realm = EXAMPLE.COM
    +
    +[realms]
    +    EXAMPLE.COM = {
    +            kdc = localhost:60088
    +    }
    +
    +[domain_realm]
    +    .example.com = EXAMPLE.COM
    +    example.com = EXAMPLE.COM
    +
    + + +

    Check that the Kerberos sevrer is started, then try to get a ticket from a user that exists in the base (here, we use hnelson, which is a user we created for test purposes. His password is 'secret')

    +
    $ kinit hnelson@EXAMPLE.COM
    +Password for hnelson@EXAMPLE.COM:
    +$
    +
    + + +

    You should not get any error. If you've get some, see later in this chapter.

    +

    Now, let's check that we have correctly obtained a ticket. We will use the klist tool for that :

    +
    $ klist -v
    +Credentials cache: API:501:9
    +        Principal: hnelson@EXAMPLE.COM
    +    Cache version: 0
    +
    +Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    +Client: hnelson@EXAMPLE.COM
    +Ticket etype: aes128-cts-hmac-sha1-96
    +Ticket length: 256
    +Auth time:  Feb 11 16:11:36 2013
    +End time:   Feb 12 02:11:22 2013
    +Renew till: Feb 18 16:11:36 2013
    +Ticket flags: pre-authent, initial, renewable, forwardable
    +Addresses: addressless
    +$
    +
    + + +

    As we can see, we have obtained a ticket which will expire 6 hours after its creation, which can be renexed for 7 days, encrypted using AES-128 algorithm, ticket that can be used by the TGS.

    +

    All is good !
    +

    +

    Troubleshooting

    +

    So it does not work...

    +

    There are many possible reason why you can't get a ticket.

    +

    kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM

    +

    Such a error says that the server is not reachable. Check those points :

    +
      +
    • Is the server started ?
    • +
    • Is the EXAMPLE.COM domain declared in your DNS (or /etc/hosts file) ?
    • +
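
Review bot: in the paragraph after the klist -v output in 4.1-authenticate-kinit.html, the text says the ticket "will expire 6 hours after its creation", but the sample shows Auth time Feb 11 16:11:36 2013 and End time Feb 12 02:11:22 2013, which is just under 10 hours. Either correct the sentence or replace the sample output so the two agree; the 7-day renewal claim does match Renew till: Feb 18 16:11:36 2013. The added text also has typos to fix before it leaves staging: "kake sure", "typinhg", "sevrer", "renexed" and "If you've get some". The Setup paragraph says to type kinit while the command shown is kinit --version, so name the full command in the sentence. In Troubleshooting, the checklist under "unable to reach any KDC in realm EXAMPLE.COM" should also ask the reader to compare the kdc = localhost:60088 entry in /etc/krb5.conf with the host and port the server actually listens on, since the configuration step already calls that out as the thing to get right.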