Issue
How do I create principals with MIT KDC for Kerberos authentication?
Solution
To avoid problems caused by the interaction between MIT KDC and Heimdal GSS, create the principals as follows (hostname stands for the fully qualified host name):
1. Log in and delete the service principal (imap/hostname, in this example):
$ kadmin.local
Authenticating as principal root/admin@domain-name with password.
kadmin.local: delete_principal imap/hostname
Are you sure you want to delete the principal "imap/hostname"? (yes/no): yes
Principal "imap/hostname" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
2. Delete the user principal:
kadmin.local: delete_principal user@domain-name
Are you sure you want to delete the principal "user@domain-name"? (yes/no): yes
Principal "user@domain-name" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
3. Create the new service principal:
kadmin.local: add_principal -e DES-CBC-CRC:normal -randkey imap/hostname
WARNING: no policy specified for imap/hostname; defaulting to no policy
Principal "imap/hostname" created.
4. Create the new user principal:
kadmin.local: add_principal -e DES-CBC-CRC:normal user@domain-name
WARNING: no policy specified for user@domain-name; defaulting to no policy
Enter password for principal "user@domain-name":
Re-enter password for principal "user@domain-name":
Principal "user@domain-name" created.
5. Add the new service principal to the keytab:
kadmin.local: ktadd -e DES-CBC-CRC:normal imap/hostname
Entry for principal imap/hostname with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: q
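Deleting and recreating a service principal restarts its key version number (kvno), so a keytab that still carries an entry from the old principal makes GSSAPI logins fail with a kvno mismatch. The check below is an added example, not part of the original article: it compares the kvno the KDC reports via getprinc with the kvno in the keytab as shown by klist -kte. The function names, the host mail.example.com, the realm EXAMPLE.COM and the sample command output are all constructed for the example, and the outputs are passed in as strings so the check runs without a KDC.

```shell
#!/bin/sh
# Compare the kvno the KDC holds for a service principal with the kvno in the
# keytab. The parsers expect the text printed by
#   kadmin.local -q "getprinc imap/hostname"
#   klist -kte /etc/krb5.keytab
# (passed in as strings here; function and sample names are assumptions).

# Highest "Key: vno N, ..." value in getprinc output (empty if none).
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -n | tail -n 1
}

# Highest kvno in `klist -kte` output for principal $2 (e.g. imap/hostname).
# Fields per entry line: KVNO date time principal@REALM (enctype).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($4, p "@") == 1 { print $1 }' | sort -n | tail -n 1
}

# Exit status 0 when both sides hold the same kvno, 1 when they differ or
# one side has no entry for the principal at all.
check_kvno() {
    kdc=$(kdc_kvno "$1")
    kt=$(keytab_kvno "$2" "$3")
    echo "KDC kvno: ${kdc:-none}, keytab kvno: ${kt:-none} for $3"
    [ -n "$kdc" ] && [ "$kdc" = "$kt" ]
}

# Constructed sample output (not captured from a real KDC).
SAMPLE_GETPRINC='Principal: imap/mail.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/02/24 10:00:00 imap/mail.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 01/03/24 09:30:00 imap/mail.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

# The stale kvno 2 entry is ignored because the highest entry (3) matches the KDC.
check_kvno "$SAMPLE_GETPRINC" "$SAMPLE_KEYTAB" imap/mail.example.com
```

On a live host, feed the check the real command output: kdc_kvno "$(kadmin.local -q 'getprinc imap/hostname')" and keytab_kvno "$(klist -kte /etc/krb5.keytab)" imap/hostname.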