poptop_ads_howto_6.htm 3.3 KB

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>
<body>
<p><strong>10. Kerberos</strong></p>
<p>There are two different versions of the Kerberos client: version 4 from KTH and version 5 from MIT. As Microsoft uses version 5, you should use the MIT version. Fedora ships the MIT one, so the stock package is fine.</p>
<p>The packages krb5-libs and krb5-workstation are required. They are installed by default. If they are not, get the latest version from <em>yum</em>.</p>
<hr>
<a name="krbconf"></a><strong>10.1 Configure Kerberos</strong>
<p>The Kerberos configuration file is /etc/krb5.conf. To connect to AD, its settings must match the domain configuration.</p>
<blockquote>
<pre>[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
<strong>default_realm = EXAMPLENET.ORG</strong>
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
<strong>EXAMPLENET.ORG = {</strong>
<strong>kdc = dc1.examplenet.org:88</strong>
# admin_server = kerberos.example.com:749
<strong>default_domain = examplenet.org</strong>
}

[domain_realm]
<strong>.examplenet.org = EXAMPLENET.ORG
examplenet.org = EXAMPLENET.ORG</strong>

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}</pre>
</blockquote>
<p>Lines shown in bold are the ones you need to change for your own domain. Keep the realm name in uppercase as shown.</p>
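<p>A mistyped realm case or a [domain_realm] entry pointing at a realm that has no [realms] block are the usual reasons kinit fails after editing this file. The following script is an added example (it is not part of this howto or of the krb5 distribution) that parses a krb5.conf, including the <code>KEY = { ... }</code> blocks under [realms], and checks the rules above: default_realm is uppercase, it has a [realms] block naming a kdc, and every [domain_realm] mapping targets a defined, uppercase realm. The embedded sample config is constructed from the values shown in this section.</p>

```python
"""Sanity-check a krb5.conf against the rules this howto relies on.

Added example, not part of the original howto or of MIT Kerberos. The
sample config below is constructed from the howto's example values.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLENET.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLENET.ORG = {
  kdc = dc1.examplenet.org:88
  # admin_server = kerberos.example.com:749
  default_domain = examplenet.org
 }

[domain_realm]
 .examplenet.org = EXAMPLENET.ORG
 examplenet.org = EXAMPLENET.ORG
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-subdict}}.

    Handles the 'KEY = {' ... '}' subsections used by [realms]. Comment
    lines (# or ;) and blank lines are skipped; a repeated key keeps the
    last value, which is the simple behaviour good enough for a lint.
    """
    sections = {}
    current = None   # dict of the current [section]
    stack = []       # enclosing dicts while inside { } blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            stack = [current]
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def check_krb5_conf(text):
    """Return a list of problems; an empty list means the config passes."""
    conf = parse_krb5_conf(text)
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        problems.append("libdefaults: default_realm is missing")
        return problems
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not uppercase")
    realms = conf.get("realms", {})
    entry = realms.get(realm)
    if not isinstance(entry, dict):
        problems.append(f"[realms] has no block for {realm}")
    elif "kdc" not in entry:
        # dns_lookup_kdc is false in this howto, so a kdc line is mandatory
        problems.append(f"[realms] {realm} does not name a kdc")
    for domain, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            problems.append(f"[domain_realm] {domain} maps to undefined realm {target}")
        if target != target.upper():
            problems.append(f"[domain_realm] {domain} -> {target} is not uppercase")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_KRB5_CONF with open("/etc/krb5.conf").read() on a real host.
    for problem in check_krb5_conf(SAMPLE_KRB5_CONF) or ["config looks consistent"]:
        print(problem)
```

<p>Because dns_lookup_kdc is set to false in this howto, the kdc line inside the [realms] block is the only way the client learns where the domain controller is, which is why the check treats a missing kdc as an error rather than a warning.</p>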
<hr>
<a name="krbtest"></a><strong>10.2 Test Kerberos</strong>
<p>Before trying to connect to AD, the AD DNS must have an A record for the pptp server. To add the A record, on your Windows DNS server click Start -&gt; Administrative Tools -&gt; DNS. The dnsmgmt window pops up. Click the &quot;+&quot; next to &quot;Forward Lookup Zones&quot;. Right-click the AD domain name (EXAMPLENET.ORG in our test environment) and choose &quot;New Host (A)...&quot;. Enter the server's NetBIOS name, as defined in smb.conf, and its IP address, then press the &quot;Add Host&quot; button.</p>
<p>When the DNS is ready, it is time to test Kerberos. Note that the domain name (the Kerberos realm) must be in capitals.</p>
<blockquote>
<pre>[root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG
Password for skwok@EXAMPLENET.ORG:
Authenticated to Kerberos v5</pre>
</blockquote>
<p>To check the Kerberos tickets:</p>
<blockquote>
<pre>[root@pptp etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: skwok@EXAMPLENET.ORG

Valid starting     Expires            Service principal
09/03/05 14:43:47  09/04/05 00:43:04  krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
        renew until 09/04/05 14:43:47

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached</pre>
</blockquote>
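<p>What the klist transcript above proves is that a ticket-granting ticket (krbtgt/REALM@REALM) exists for the uppercase realm and has not expired; a ticket for a differently spelled realm, or one that has lapsed, will make the later MSCHAP2 steps fail with unhelpful errors. The script below is an added example, not part of this howto or of MIT Kerberos, that parses klist output and classifies the TGT for an expected realm as valid, expired, for the wrong realm, or missing. The sample output is constructed from the transcript above, and the timestamp format assumed (MM/DD/YY HH:MM:SS) is the one that transcript shows; newer klist builds may print dates differently.</p>

```python
"""Classify the TGT in klist output for an expected realm.

Added example, not from the original howto. SAMPLE_KLIST is constructed
from the howto's klist transcript; the MM/DD/YY HH:MM:SS date format is
an assumption taken from that transcript.
"""
import re
from datetime import datetime

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: skwok@EXAMPLENET.ORG

Valid starting     Expires            Service principal
09/03/05 14:43:47  09/04/05 00:43:04  krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
        renew until 09/04/05 14:43:47

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
"""

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")
TS_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (default_principal, list of ticket dicts) from klist output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "valid_from": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # the 'renew until' line belongs to the ticket printed just above it
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FMT)
    return principal, tickets


def tgt_status(text, realm, now):
    """Return 'valid', 'expired', 'wrong-realm' or 'missing' for the TGT of `realm`.

    The comparison is exact, so a lowercase realm in the cache is reported as
    'wrong-realm': Kerberos realm names are case-sensitive.
    """
    principal, tickets = parse_klist(text)
    if principal is None:
        return "missing"
    if not principal.endswith("@" + realm):
        return "wrong-realm"
    tgt = f"krbtgt/{realm}@{realm}"
    for t in tickets:
        if t["service"] == tgt:
            return "valid" if t["valid_from"] <= now < t["expires"] else "expired"
    return "missing"


if __name__ == "__main__":
    # On a real host feed in subprocess.run(["klist"], capture_output=True, text=True).stdout
    # and datetime.now(); the 2005 sample below is evaluated at a time inside its validity.
    print(tgt_status(SAMPLE_KLIST, "EXAMPLENET.ORG", datetime(2005, 9, 3, 15, 0, 0)))
```

<p>The realm comparison is deliberately case-sensitive: kinit for skwok@examplenet.org against a realm called EXAMPLENET.ORG is exactly the mistake the note about capitals warns about, and the check reports it as wrong-realm rather than treating the ticket as usable.</p>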
<hr>
<a href="poptop_ads_howto_6a.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_5.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
<p>&nbsp;</p>
</body>
</html>