Novell Kerberos Login Method 1.0 for NMAS
July 2004

1.0 Overview
2.0 Supported Platforms
3.0 Installing and Configuring the Kerberos Login Method for NMAS
4.0 Best Practice
5.0 Known Issues
6.0 Limitations
7.0 Documentation Updates
8.0 Legal Notices

1.0 Overview

The Novell Kerberos Login Method for NMAS provides support for users to log in to eDirectory with the Kerberos credentials acquired from a KDC. This method plugs in to and makes use of the Novell Modular Authentication Services (NMAS).

2.0 Supported Platforms

- NetWare
- Linux
- Solaris
- Windows

3.0 Installing and Configuring the Kerberos Login Method for NMAS

For information on installing and configuring the Kerberos Login Method for NMAS, refer to the Quick Start Card (nmaskrb_quickstart.pdf) located at \NMAS_Kerberos_Method_10\Novell\Kerberos\docs\nmaskrb_quickstart and the Administration Guide (nmaskrb_admin.pdf) located at \NMAS_Kerberos_Method_10\Novell\Kerberos\docs\nmaskrb_admin, where is the directory where you extracted the NMAS_Kerberos.zip file.

4.0 Best Practice

Service principals for eDirectory must be readily accessible to all servers enabled for Kerberos Login Method for NMAS. If these eDirectory service principals are not created under the Kerberos Realm container inside the Security container, we strongly recommend that you create the container that contains these eDirectory service principals as a separate partition, and that the container be widely replicated.

5.0 Known Issues

Kerberos LDAP Extensions

- Before installing the Kerberos LDAP Extensions on NetWare or Windows, you must install the C LDAP libraries. For more information, refer to http://developer.novell.com/ndk/cldap.htm.

NMAS Kerberos Login Client Method (LCM)

- The Kerberos Login Method for NMAS might not be displayed in the Sequence field while using the Novell Client. You must first log in to the NDS method for Novell Client to detect the Kerberos Login Method for NMAS.
- You must use the ms2mit utility to populate the MIT Cache when the Microsoft Kerberos Client Cache option is enabled. In this case, do not select the Retain the Novell Credential cache option while installing the Kerberos Login Method for NMAS. Instead, modify the Novell login script to invoke the ms2mit utility. The ms2mit utility is part of the kfw distribution from MIT.
- If you log in to eDirectory using the Kerberos Login Method for NMAS and then try to log in to some other tree using a script, the login is done using the Kerberos method and not any other method. Login fails if the Kerberos Login Method for NMAS is not installed on the other tree.

iManager

- The Delete Principal task does not work if you are using a Mozilla or Netscape browser. However, you can use the Delete Object task of the eDirectory Administration Role in iManager to delete a principal.

6.0 Limitations

NMAS Kerberos Login Client Method (LCM)

- If you selected the Retain the Novell Credential cache option during installation and then use NWGINA as the initial login to the workstation, the tickets are stored temporarily in the krb5cc_system file instead of the krb5cc_username file.
- By default, the Kerberos tickets are deleted from the Novell cache after successful login. To retain the cache, select the Cache Tickets option on the NMAS Kerberos Method Ticket Option screen. However, if you choose this option, you must manually destroy the tickets before you log out.
- If NWGINA is configured as the initial login, fresh tickets are obtained from the KDC whenever you lock and unlock the workstation.

7.0 Documentation Updates

For the most recent version of the Novell Kerberos Login Method for NMAS Administration Guide and Quick Start Card, see the Novell Kerberos Login Method Documentation Web Site (http://www.novell.com/documentation/nmaslm/index.html).

Additional Information

For more information on iManager, refer to the iManager Documentation at http://www.novell.com/documentation/imanager20/index.html.

8.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not use, export, or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright (C) 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Patents Pending.

Novell and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE AG, a Novell company. eDirectory and NMAS are trademarks of Novell, Inc.

All third-party trademarks are the property of their respective owners.