diff --git a/nfsv4-kerberos-debian.org b/nfsv4-kerberos-debian.org index 82ff26b..49f94a5 100644 --- a/nfsv4-kerberos-debian.org +++ b/nfsv4-kerberos-debian.org @@ -15,8 +15,7 @@ with this document./ /SPDX-License-Identifier: [[https://spdx.org/licenses/GFDL-1.3-or-later.html][GFDL-1.3-or-later]]/ #+END_QUOTE -* Table of Contents :TOC: - +* Table of Contents **** Table of Contents #+TOC: headlines 3 @@ -39,6 +38,7 @@ security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https - NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. - DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]]. +- * Kerberos (V5) There are basically two major implementations of [[https://datatracker.ietf.org/doc/html/rfc4120][Kerberos v5]] on GNU/Linux: The original [[http://web.mit.edu/kerberos/www/][MIT]] one, and the [[https://github.com/heimdal/heimdal][Heimdal]] one. There was also a GNU implementation ([[http://www.gnu.org/software/shishi/][Shishi]]), but developement looks stalled for 10+ years. 
@@ -67,11 +67,11 @@ On server side, install the necessary packages with : #+BEGIN_SRC sh sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm #+END_SRC -And on client(s), install the following : +And on client(s), install instead ~krb5-config~ and ~heimdal-clients~ packages : #+BEGIN_SRC sh sudo apt-get install krb5-config heimdal-clients #+END_SRC -On your desktop, you may also want to install some documentation with: +On your desktop, you may also want to install Heimdal documentation : #+BEGIN_SRC sudo apt-get install heimdal-docs #+END_SRC @@ -81,8 +81,8 @@ The ~krb5-config~ package installation will ask you some questions, you can just - Kerberos servers for your realm: ~kdc1.lan kdc2.lan~ - Administrative server for your Kerberos realm: ~kadmin.lan~ -After this initial configutation, edit ~/etc/krb5.conf~, clean up everything and add a section in domain_realm section for your local network. You should end up with something similar to : -#+BEGIN_SRC conf +After this initial configutation, edit ~/etc/krb5.conf~, clean up everything and add a domain_realm section for your local network. You should end up with something similar to : +*** #+BEGIN_SRC conf [libdefaults] default_realm = LAN kdc_timesync = true @@ -103,7 +103,7 @@ After this initial configutation, edit ~/etc/krb5.conf~, clean up everything and ** Kerberos database initialization It is possible installation process may have created files in ~/var/lib/heimdal-kdc~, manual is unclear. To be on secure side, we remove everything before going further : -#+BEGIN_SRC conf +#+BEGIN_SRC docker [libdefaults] default_realm = LAN [realms] @@ -113,6 +113,11 @@ It is possible installation process may have created files in ~/var/lib/heimdal- admin_server = kadmin.lan } #+END_SRC +#+BEGIN_SRC conf +foo bar +line 2 +third line +#+END_SRC ** Server side *** Heimdal Kerberos installation 
@@ -125,7 +130,7 @@ heimdal-docs heimdal-clients ** Testing * Sources Kerberos setup: -- ~info heimdal~ (documentation from heimdal-docs). +- ~info heimdal~ (documentation from heimdal-docs) - [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]] - [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]] - [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]]
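Review bot: In the first hunk (@@ -15,8 +15,7 @@) the new top-level "* Table of Contents" heading is now followed immediately by the existing "**** Table of Contents" heading, so the same title appears twice and the outline jumps from level 1 to level 4. If the goal was only to drop the ":TOC:" tag, keep the blank line and remove one of the two headings so that "#+TOC: headlines 3" sits under a single heading.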
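Review bot: The hunk at @@ -39,6 +38,7 @@ adds a bare "-" line after the "DNS server (optional)" item, which creates an empty list entry right before the "* Kerberos (V5)" heading. It carries no content and looks like an editing leftover; drop the added line, or fill it with the prerequisite it was meant to describe.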
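Review bot: In the hunk at @@ -67,11 +67,11 @@ the reworded client sentence ("install instead ~krb5-config~ and ~heimdal-clients~ packages") restates the two package names that the command directly below already lists, so the prose and the command have to be kept in sync by hand. Consider a shorter sentence such as "On client(s), only the client packages are needed :" and, while touching this area, give the heimdal-docs block the same "sh" language as its siblings and settle on either "apt install" or "apt-get install" across the three commands.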
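Review bot: In the hunk at @@ -81,8 +81,8 @@ the added line "*** #+BEGIN_SRC conf" puts a headline marker in front of the block opener, so Org reads it as a level-3 heading titled "#+BEGIN_SRC conf" instead of the start of a source block. The krb5.conf sample that follows ("[libdefaults]", "default_realm = LAN", ...) is then rendered as ordinary text and its "#+END_SRC" has no matching opener. Restore the line to "#+BEGIN_SRC conf" at the start of the line. The rewritten sentence above it also still carries the typo "configutation".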
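Review bot: The hunk at @@ -103,7 +103,7 @@ changes the block language from "conf" to "docker", but the block body is krb5.conf syntax ("[libdefaults]", "[realms]", "admin_server = kadmin.lan"), so the tag is wrong and will mis-highlight on export; keep "conf". Separately, the sentence just above says the contents of ~/var/lib/heimdal-kdc~ are removed "before going further", yet the block that follows shows configuration rather than a removal command. Since this step decides whether a KDC database left over from package installation stays in place, the actual command should appear here.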
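Review bot: The hunk at @@ -113,6 +113,11 @@ adds a source block whose body is "foo bar", "line 2", "third line", which is placeholder text with no relation to the Kerberos database initialization section it lands in. It should be removed before merging, or replaced with the content it stands in for, so readers do not mistake it for something to put in a configuration file.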