NOTE: You need to know the following about the sample setup shown below:
The Kerberos Realm name is KERBEROS.YOURCOMPANY.COM.
The Kerberos username is testuser.
Kerberos workstation is testworkstation.
The eDirectory root context is Novell.
The Kerberos user context is Users.Novell.
The supported encryption types are des-cbc-crc and hmac; no other types are supported.
Commands are case sensitive. Make sure that the commands are entered correctly.
Use the following sample procedure for setting up the KDC to run Kerberos authentication on a SLES 9 (or later) server:
Install Novell eDirectory 8.8.1 for Linux, available from the ZENworks 7 Desktop Management with SP1 Companion 1 CD.
Download the Novell Kerberos KDC for Linux from the Novell Download site.
Using the documentation for the Novell Kerberos KDC, install the Novell Kerberos KDC for Linux.
Enter the following commands to set up the proper search paths, based on the installation location of the Novell Kerberos KDC:
export PATH=/opt/novell/kerberos/bin/:/opt/novell/kerberos/sbin/:$PATH
export LD_LIBRARY_PATH=/opt/novell/kerberos/lib/:/opt/novell/lib/:$LD_LIBRARY_PATH
Enter the following command to start the Kerberos daemon:
/etc/init.d/krb5kdc start
Run kadmin.local from the shell, then run the following commands for each user and workstation that you want to add to the Kerberos realm:
Command | Comments
---|---
addprinc -x userdn=cn=testuser,ou=Users,o=Novell -e des-cbc-crc:normal,rc4-hmac:normal -pw password testuser | Adds the principal for the eDirectory user testuser.Users.Novell.
addprinc -x containerdn=o=Novell -e rc4-hmac:normal,des-cbc-crc:normal -pw password host/testworkstation.kerberos.yourcompany.com | Adds the host principal for the workstation testworkstation.
From a new shell, run tail -f /var/log/krb5kdc.log before you attempt to connect to the Kerberos server. This command displays all messages or errors in the transaction.
NOTE: In this sample setup, testuser.Users.Novell is a user in eDirectory. The workstation (testworkstation) is a workstation to add to the Kerberos realm / domain; it does not need to exist in eDirectory.
Use the following sample procedure for setting up the KDC to run Kerberos authentication on Windows workstations:
Download the ksetup.exe utility from Microsoft. The utility is included in the support tools for Windows workstations.
Set up the workstation’s Kerberos information:
(Optional) Run the following commands from the Windows command line:
Command | Comment
---|---
ksetup /SetRealm UPPERCASE_REALM_NAME | Obtain the Realm Name from the /etc/krb5.conf file.
ksetup.exe /AddKdc UPPERCASE_REALM_NAME KDC_DNS_name | This command associates the Kerberos server with the Realm where the computer belongs, so that the workstation knows which server to contact.
ksetup.exe /AddKpasswd UPPERCASE_REALM_NAME Kerberos_Password_Server_DNS_name | This command allows access to the Password Server so that you can change Kerberos user passwords from the workstation GINA.
ksetup.exe /SetComputerPassword computer_password_for_Kerberos_authentication | This command sets the workstation password used to authenticate to the Kerberos server. The password must be the same on both the workstation and the server.
(Optional) Run a batch file with the following configuration (modified according to your Kerberos server) from the Windows command line:
@echo off
ksetup.exe /SetRealm KERBEROS.YOURCOMPANY.COM
ksetup.exe /AddKdc KERBEROS.YOURCOMPANY.COM your_kerberos_server.your_company.com
ksetup.exe /SetComputerPassword password
ksetup.exe /AddKpasswd KERBEROS.YOURCOMPANY.COM novell
ksetup.exe /MapUser testuser@KERBEROS.YOURCOMPANY.COM testuser
ksetup.exe
Reboot the workstation.
Although ZENworks DLU can do this for you, you can also add users to the Windows Kerberos registry mappings (local user to Kerberos user) yourself. Use the following procedure to add users:
Run the following command:
ksetup.exe /MapUser testuser@KERBEROS.YOURCOMPANY.COM testuser
DLU on the workstation is enabled through the Windows Registry key HKLM\Software\Novell\NWGina\Security. The DWORD value is AllowKerberosLoginWithDLU; set it to 1 to enable DLU.
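The ksetup batch file above has to agree with the KDC's /etc/krb5.conf (uppercase realm, correct KDC and password-server names). The following added example, which is not part of the original documentation, reads the default realm from krb5.conf text and emits the same batch lines; the sample configuration, the function names and the fallback of kpasswd_server to admin_server are assumptions made for the example.

```python
import re

# Constructed sample krb5.conf using the realm and server names from the batch file above.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = KERBEROS.YOURCOMPANY.COM

[realms]
    KERBEROS.YOURCOMPANY.COM = {
        kdc = your_kerberos_server.your_company.com:88
        admin_server = novell
    }
"""


def parse_realm(conf_text):
    """Return (realm, kdc_hosts, kpasswd_host) for the default realm in krb5.conf text.

    Realm names are case sensitive and ksetup expects the uppercase form, so a
    lowercase default_realm is rejected instead of silently producing a batch
    file that points the workstation at a realm the KDC does not serve.
    """
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf_text, re.M)
    if not m:
        raise ValueError("no default_realm in [libdefaults]")
    realm = m.group(1)
    if realm != realm.upper():
        raise ValueError("realm %r must be uppercase" % realm)
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf_text, re.S)
    if not block:
        raise ValueError("no [realms] entry for %s" % realm)
    body = block.group(1)
    # Drop an explicit ":port" (IPv4/hostname form only); ksetup takes the DNS name.
    kdcs = [k.rsplit(":", 1)[0] for k in re.findall(r"^\s*kdc\s*=\s*(\S+)", body, re.M)]
    kp = re.search(r"^\s*kpasswd_server\s*=\s*(\S+)", body, re.M)
    if not kp:  # assumed fallback: MIT uses admin_server when kpasswd_server is unset
        kp = re.search(r"^\s*admin_server\s*=\s*(\S+)", body, re.M)
    if not kdcs or not kp:
        raise ValueError("realm %s needs at least one kdc and an admin/kpasswd server" % realm)
    return realm, kdcs, kp.group(1).rsplit(":", 1)[0]


def ksetup_batch(conf_text, computer_password, user_mappings=()):
    """Build the ksetup batch-file lines for a workstation from krb5.conf text."""
    realm, kdcs, kpasswd = parse_realm(conf_text)
    lines = ["@echo off", "ksetup.exe /SetRealm %s" % realm]
    lines += ["ksetup.exe /AddKdc %s %s" % (realm, k) for k in kdcs]
    lines.append("ksetup.exe /SetComputerPassword %s" % computer_password)
    lines.append("ksetup.exe /AddKpasswd %s %s" % (realm, kpasswd))
    lines += ["ksetup.exe /MapUser %s@%s %s" % (u, realm, u) for u in user_mappings]
    lines.append("ksetup.exe")  # bare ksetup.exe displays the resulting settings
    return lines
```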