author | Andrew Bartlett <abartlet@samba.org> | 2012-09-14 11:57:38 -0700 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-09-14 11:57:38 -0700 |
commit | 7ef7ec7be88f365ebd0c9da425283375188be2d1 (patch) | |
tree | 0b4e0b6fbf9980441b8a12c60d90b77e69bc1911 /docs-xml | |
parent | f84893a54b27828946ca75e72542116a560315d6 (diff) | |
docs: update for modern kerberos libs
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml | 52 |
1 files changed, 2 insertions, 50 deletions
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml b/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml index 53b7d1aedc..fb81ac0b34 100644 --- a/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml +++ b/docs-xml/Samba3-HOWTO/TOSHARG-DomainMember.xml @@ -913,11 +913,7 @@ When manually configuring <filename>krb5.conf</filename>, the minimal configurat <screen> [libdefaults] default_realm = YOUR.KERBEROS.REALM - -[realms] - YOUR.KERBEROS.REALM = { - kdc = your.kerberos.server - } + dns_lookup_kdc = true [domain_realms] .kerberos.server = YOUR.KERBEROS.REALM @@ -925,13 +921,10 @@ When manually configuring <filename>krb5.conf</filename>, the minimal configurat </para> <para> -<indexterm><primary>Heimdal</primary></indexterm> -When using Heimdal versions before 0.6, use the following configuration settings: +If you must specify the KDC directly, the minimal configuration is: <screen> [libdefaults] default_realm = YOUR.KERBEROS.REALM - default_etypes = des-cbc-crc des-cbc-md5 - default_etypes_des = des-cbc-crc des-cbc-md5 [realms] YOUR.KERBEROS.REALM = { @@ -951,19 +944,6 @@ Test your config by doing a <userinput>kinit making sure that your password is accepted by the Win2000 KDC. </para> -<para> -<indexterm><primary>Heimdal</primary></indexterm> -<indexterm><primary>ADS</primary></indexterm> -<indexterm><primary>KDC</primary></indexterm> -<indexterm><primary>Windows 2003</primary></indexterm> -With Heimdal versions earlier than 0.6.x you can use only newly created accounts -in ADS or accounts that have had the password changed once after migration, or -in case of <constant>Administrator</constant> after installation. At the -moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6 -(and no default etypes in krb5.conf). Unfortunately, this whole area is still -in a state of flux. -</para> - <note><para> <indexterm><primary>realm</primary></indexterm> <indexterm><primary>uppercase</primary></indexterm> 
@@ -989,25 +969,6 @@ Clock skew limits are configurable in the Kerberos protocols. The default settin </para> <para> -<indexterm><primary>DNS</primary></indexterm> -<indexterm><primary>KDC</primary></indexterm> -<indexterm><primary>hostname</primary></indexterm> -<indexterm><primary>realm</primary></indexterm> -You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that -this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain -attached) or it can be the NetBIOS name followed by the realm. -</para> - -<para> -<indexterm><primary>/etc/hosts</primary></indexterm> -<indexterm><primary>KDC</primary></indexterm> -<indexterm><primary>realm</primary></indexterm> -The easiest way to ensure you get this right is to add a <filename>/etc/hosts</filename> entry mapping the IP -address of your KDC to its NetBIOS name. If you do not get this correct, then you will get a <errorname>local -error</errorname> when you try to join the realm. -</para> - -<para> <indexterm><primary>Kerberos</primary></indexterm> <indexterm><primary>Create the Computer Account</primary></indexterm> <indexterm><primary>Testing Server Setup</primary></indexterm> 
@@ -1094,15 +1055,6 @@ name, it may need to be quadrupled to pass through the shell escape and ldap esc <replaceable>USERNAME</replaceable>@<replaceable>REALM</replaceable></userinput>. <replaceable>USERNAME</replaceable> must be a user who has rights to add a machine to the domain. </para></listitem></varlistentry> - - <varlistentry><term>Unsupported encryption/or checksum types</term> - <listitem><para> - <indexterm><primary>/etc/krb5.conf</primary></indexterm> - <indexterm><primary>unsupported encryption</primary></indexterm> - <indexterm><primary>Kerberos</primary></indexterm> - Make sure that the <filename>/etc/krb5.conf</filename> is correctly configured - for the type and version of Kerberos installed on the system. - </para></listitem></varlistentry> </variablelist> </para> |
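Review bot: In the first hunk (@@ -913), the new `dns_lookup_kdc = true` line replaces the whole `[realms]` block, but nothing in the surrounding paragraph tells the reader that KDC discovery now depends on the member's DNS resolver returning the realm's Kerberos SRV records. Suggest adding a sentence after the `<screen>` block stating that prerequisite and that the resolver should be the DNS server for the AD domain, because whatever that resolver answers now determines which host the client contacts as its KDC. Separately, the context line `[domain_realms]` in this example should read `[domain_realm]`, the section name krb5.conf actually uses; worth correcting while this block is being edited.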
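Review bot: In the second hunk (@@ -925), the new sentence `If you must specify the KDC directly, the minimal configuration is:` does not say when that case applies. Suggest naming it, for example when the realm's KDC records are not published in the DNS the member uses, so readers do not choose the static `[realms]` form by default. Dropping the two DES-only `default_etypes` lines from the example looks right and needs no further change.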
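Review bot: In the third hunk (@@ -951), the context sentence kept just above the deleted paragraph still reads `accepted by the Win2000 KDC`, which is inconsistent with a change described as an update for modern Kerberos libraries. Suggest rewording that sentence to refer to the AD KDC in general in the same commit, so the kinit test step does not look tied to one Windows release.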
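Review bot: In the fourth hunk (@@ -989), both DNS paragraphs are deleted without replacement, so the section no longer states any DNS prerequisite even though the first hunk makes the default configuration depend on `dns_lookup_kdc = true`. Suggest replacing them with a short paragraph that says what name resolution the member still needs to join, and whether the reverse lookup requirement is gone entirely. The deleted text was also the only place that tied the `local error` message on join to name resolution; if that symptom can still appear, keep a one-line pointer to it.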
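Review bot: In the last hunk (@@ -1094), the `Unsupported encryption/or checksum types` entry is removed outright, and the commit message does not explain why that error can no longer be hit. An encryption type mismatch between the client library and the KDC remains a possible failure, so suggest keeping the `<varlistentry>` and updating its advice (check which encryption types the account and the client's `/etc/krb5.conf` permit) instead of dropping the troubleshooting pointer.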