이 콘텐츠는 선택한 언어로 제공되지 않습니다.
19.6. Configuring a Kerberos 5 Client
Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid
krb5.conf configuration file. Kerberized versions of rsh and rlogin also requires some configuration changes.
- Be sure that time synchronization is in place between the Kerberos client and the KDC. Refer to Section 19.5, “Configuring a Kerberos 5 Server” for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.
- Install the
krb5-libsandkrb5-workstationpackages on all of the client machines. Supply a valid/etc/krb5.conffile for each client (usually this can be the samekrb5.conffile used by the KDC). - Before a workstation in the realm can allow users to connect using kerberized
rshandrlogin, that workstation must have thexinetdpackage installed and have its own host principal in the Kerberos database. Thekshdandklogindserver programs also need access to the keys for their service's principal.Usingkadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the-randkeyoption for thekadmin'saddprinccommand to create the principal and assign it a random key:addprinc -randkey host/blah.example.comNow that the principal has been created, keys can be extracted for the workstation by runningkadminon the workstation itself, and using thektaddcommand withinkadmin:ktadd -k /etc/krb5.keytab host/blah.example.com - To use other kerberized network services, they must first be started. Below is a list of some common kerberized services and instructions about enabling them:
rshandrlogin— To use the kerberized versions ofrshandrlogin, enableklogin,eklogin, andkshell.- Telnet — To use kerberized Telnet,
krb5-telnetmust be enabled. - FTP — To provide FTP access, create and extract a key for the principal with a root of
ftp. Be certain to set the instance to the fully qualified hostname of the FTP server, then enablegssftp. - IMAP — To use a kerberized IMAP server, the
cyrus-imappackage uses Kerberos 5 if it also has thecyrus-sasl-gssapipackage installed. Thecyrus-sasl-gssapipackage contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP should function properly with Kerberos as long as thecyrususer is able to find the proper key in/etc/krb5.keytab, and the root for the principal is set toimap(created withkadmin).Thedovecotpackage also contains an IMAP server alternative tocyrus-imap, which is also included with Red Hat Enterprise Linux, but does not support GSS-API and Kerberos to date. - CVS — To use a kerberized CVS server,
gserveruses a principal with a root ofcvsand is otherwise identical to the CVSpserver.
For details about how to enable services, refer to the chapter titled Controlling Access to Services in the System Administrators Guide.
