D.4 Setting Up the Novell Kerberos KDC for ZENworks DLU

NOTE: You need to know the following about the sample setup shown below:

  • The Kerberos Realm name is KERBEROS.YOURCOMPANY.COM.

  • The Kerberos username is testuser.

  • Kerberos workstation is testworkstation.

  • The eDirectory root context is Novell.

  • The Kerberos user context is Users.Novell.

  • The supported encryption types are des-cbc-crc and hmac (rc4-hmac in the commands below); no other encryption types are supported.

  • Commands are case sensitive. Make sure that the commands are entered correctly.

D.4.1 Setting Up the Linux Server

Use the following sample procedure for setting up the KDC to run Kerberos authentication on a SLES 9 (or later) server:

  1. Install Novell eDirectory 8.8.1 for Linux, available from the ZENworks 7 Desktop Management with SP1 Companion 1 CD.

  2. Download the Novell Kerberos KDC for Linux from the Novell Download site.

  3. Using the documentation for the Novell Kerberos KDC, install the Novell Kerberos KDC for Linux.

  4. Enter the following commands to set up the proper search paths, based on the installation location of the Novell Kerberos KDC:

    export PATH=/opt/novell/kerberos/bin/:/opt/novell/kerberos/sbin/:$PATH

    export LD_LIBRARY_PATH=/opt/novell/kerberos/lib/:/opt/novell/lib/:$LD_LIBRARY_PATH

  5. Enter the following command to start the Kerberos daemon:

    /etc/init.d/krb5kdc start

  6. Run kadmin.local from the shell, then run the following commands for each user and workstation that you want to add to the Kerberos realm:

    addprinc -x userdn=cn=testuser,ou=Users,o=Novell -e des-cbc-crc:normal,rc4-hmac:normal -pw password testuser

    • Type this for each user (testuser.Users.Novell) in eDirectory to create a corresponding Kerberos user principal.

    • The command maps the eDirectory user (testuser.Users.Novell) to the Kerberos user (testuser).

    • Make sure that the password for this newly created user principal is the same as the password for the user in eDirectory.

    addprinc -x containerdn=o=Novell -e rc4-hmac:normal,des-cbc-crc:normal -pw password host/testworkstation.kerberos.yourcompany.com

    • Type this for each workstation (testworkstation).

    • Make sure that the password for this newly created workstation principal is the same as the password set with /SetComputerPassword in ksetup.exe on the Windows workstation.

  7. From a new shell, run tail -f /var/log/krb5kdc.log before you attempt to connect to the Kerberos server. This command displays all messages or errors in the transaction.

NOTE: In this sample setup, testuser.Users.Novell is a user in eDirectory. The workstation (testworkstation) is a workstation to add to the Kerberos realm / domain, not necessarily in eDirectory.
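
The user and workstation principals in step 6 follow one pattern, so as an added example (not from the Novell documentation) here is a POSIX shell script that derives the LDAP DN from an eDirectory dotted name and writes the kadmin.local input for any number of users and workstations; it assumes the sample tree's attribute types (cn for the user, ou for containers, o for the root) and a hypothetical "user"/"host" inventory format of its own.

```shell
# Added example, not from the Novell documentation: build the kadmin.local addprinc
# lines of D.4.1 for many users/workstations from eDirectory-style dotted names.
# Assumption (not on the page): a user's leaf is cn=, intermediate containers are
# ou=, and the root context is o=, as in the sample tree testuser.Users.Novell.

REALM="KERBEROS.YOURCOMPANY.COM"               # sample realm from the page
ENCTYPES="des-cbc-crc:normal,rc4-hmac:normal"  # the two supported encryption types

# edir_to_dn <dotted name> <leaf attribute>, e.g. edir_to_dn testuser.Users.Novell cn
# -> cn=testuser,ou=Users,o=Novell and edir_to_dn Novell ou -> o=Novell
edir_to_dn() {
    _rest=$1; _type=$2; _dn=""
    while [ -n "$_rest" ]; do
        _part=${_rest%%.*}
        if [ "$_rest" = "$_part" ]; then _rest=""; else _rest=${_rest#*.}; fi
        if [ -z "$_rest" ]; then _attr=o; else _attr=$_type; fi  # last part is the root
        _dn="${_dn:+$_dn,}${_attr}=${_part}"
        _type=ou  # everything below the leaf is a container
    done
    printf '%s\n' "$_dn"
}
# user_addprinc <dotted user> <password>: principal = leaf cn; -x userdn= links it to eDirectory
user_addprinc() {
    printf 'addprinc -x userdn=%s -e %s -pw %s %s\n' \
        "$(edir_to_dn "$1" cn)" "$ENCTYPES" "$2" "${1%%.*}"
}
# host_addprinc <workstation> <dotted container> <password>: lower-case FQDN under the
# realm; the password must match the one set with ksetup /SetComputerPassword.
host_addprinc() {
    _fqdn=$(printf '%s.%s' "$1" "$REALM" | tr '[:upper:]' '[:lower:]')
    printf 'addprinc -x containerdn=%s -e %s -pw %s host/%s\n' \
        "$(edir_to_dn "$2" ou)" "$ENCTYPES" "$3" "$_fqdn"
}

# kadmin_script: reads "user <name> <pw>" / "host <name> <container> <pw>" lines on
# stdin and writes complete kadmin.local input (kadmin_script < inventory | kadmin.local)
kadmin_script() {
    while read -r _kind _a _b _c; do
        case $_kind in
            user) user_addprinc "$_a" "$_b" ;;
            host) host_addprinc "$_a" "$_b" "$_c" ;;
            *)    printf 'skipping unknown entry: %s\n' "$_kind" >&2 ;;
        esac
    done
    echo quit
}

# Constructed sample inventory (not from the page), using the page's sample names.
printf 'user testuser.Users.Novell password\nhost testworkstation Novell password\n' | kadmin_script
```

Pipe the script's output into kadmin.local instead of retyping each line; the -pw values still appear in the generated text, so keep the inventory readable only by root.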

D.4.2 Setting Up the KDC for Windows Workstations

Use the following sample procedure for setting up the KDC to run Kerberos authentication on Windows workstations:

  1. Download the ksetup.exe utility from Microsoft. The utility is included in the support tools for Windows workstations.

  2. Set up the workstation’s Kerberos information:

    1. (Optional) Run the following commands from the Windows command line:

      ksetup /SetRealm UPPERCASE_REALM_NAME

      Obtain the Realm Name from the /etc/krb5.conf file.

      ksetup.exe /AddKdc UPPERCASE_REALM_NAME KDC_DNS_name

      This command associates the Kerberos server with the Realm the computer belongs to, so that the workstation recognizes the server it needs to contact.

      ksetup.exe /AddKpasswd UPPERCASE_REALM_NAME Kerberos_Password_Server_DNS_name

      This command allows access to the Password Server so that you can change Kerberos user passwords from the workstation GINA.

      ksetup.exe /SetComputerPassword computer_password_for_Kerberos_authentication

      This command sets the workstation password used to authenticate to the Kerberos server. The password must be the same on both the workstation and the server.

    2. (Optional) Run a batch file with the following configuration (modified according to your Kerberos server) from the Windows command line:

      @echo off
      REM Realm name must be upper case; take it from /etc/krb5.conf on the KDC
      ksetup.exe /SetRealm KERBEROS.YOURCOMPANY.COM
      REM KDC that serves the realm
      ksetup.exe /AddKdc KERBEROS.YOURCOMPANY.COM your_kerberos_server.your_company.com
      REM Must match the password of the host principal created with addprinc on the KDC
      ksetup.exe /SetComputerPassword password
      REM Password server used by the GINA for Kerberos password changes
      ksetup.exe /AddKpasswd KERBEROS.YOURCOMPANY.COM novell
      REM Map the Kerberos principal to the local Windows account
      ksetup.exe /MapUser testuser@KERBEROS.YOURCOMPANY.COM testuser
      REM With no arguments, ksetup displays the resulting configuration
      ksetup.exe
      
  3. Reboot the workstation.

D.4.3 Setup Options

Although ZENworks DLU can create these mappings for you, you also have the option of adding users to the Windows Kerberos registry mappings (local user to Kerberos user) yourself. Use the following procedure to add a user:

  1. Run the following command:

    ksetup.exe /MapUser testuser@KERBEROS.YOURCOMPANY.COM testuser

Kerberos login with DLU is enabled on the workstation through the Windows Registry: under HKLM\Software\Novell\NWGina\Security, the DWORD value AllowKerberosLoginWithDLU controls it, and a value of 1 means enabled.