File: README.Debian

pam-krb5-migrate 0.0.11-5
pam-krb5-migrate for Debian
---------------------------
This package has been built with support for accessing the Kerberos 
administration over the network.

SETTING UP THE PAM_KRB5_MIGRATE MODULE

If you do not already have a KDC, you will need to set up a Kerberos
database for your realm.  See the Kerberos V5 Installation Guide for
details.

If you will be updating against a live database from a machine other than
the KDC, or if you intend to run the migration module on more than one
machine at a time, you will need to use kadmin (or kadmin.local) to create
a special Kerberos principal called pam_migrate/<hostname>, where
<hostname> is the fully qualified domain name (FQDN) of the host where you're
deploying the PAM module.

% kadmin
Authenticating as principal admin/admin@REALM with password.
kadmin.local:  add --use-defaults -r pam_migrate/hostname@REALM
WARNING: no policy specified for pam_migrate/hostname@REALM; defaulting to no policy
Principal "pam_migrate/hostname@REALM" created.

Then extract the key for this principal to a keytab for use on the host:

kadmin.local:   ext -k /var/kerberos/krb5kdc/hostname.keytab pam_migrate/hostname
Entry for principal pam_migrate/hostname with kvno 4, encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/var/kerberos/krb5kdc/hostname.keytab.
Entry for principal pam_migrate/hostname with kvno 4, encryption type Triple DES cbc mode raw added to keytab
WRFILE:/var/kerberos/krb5kdc/hostname.keytab.


This principal should *only* have permission to add principals to the
database and should have no other permissions.  To give the principal
permission to add to the database, add this line to the top of your
kadmind.acl file:

pam_migrate/hostname@REALM		add

You can also give all principals of the form pam_migrate/<hostname>
permission to add by using the line

pam_migrate/*@REALM			add

You will then need to copy your new keytab (securely!) to the appropriate
machine and install it as /etc/security/pam_krb5.keytab.  Like all
keytabs, this file should be readable only by root and should be treated
with the utmost care when transferring it to the destination host.
*Anyone with access to this keytab will be able to create new Kerberos
principals in your realm.*
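The two protections above (an ACL entry that grants the migration principal
nothing but "add", and a keytab that only root can read) are easy to get
wrong by hand. The following script is an added example, not part of the
pam-krb5-migrate package: it audits both. It assumes the "principal rights"
ACL layout shown above with comma-separated rights (Heimdal kadmind.acl
style) and GNU stat as shipped on Debian; the file paths are parameters.

```shell
#!/bin/sh
# Added example (not from pam-krb5-migrate): check that pam_migrate/* entries
# grant only "add" and that the installed keytab is root-only.

# check_migrate_acl ACLFILE REALM
# Returns 0 if every pam_migrate/...@REALM line grants exactly "add";
# returns 1 and lists offenders on stderr otherwise.
check_migrate_acl() {
    aclfile=$1; realm=$2; bad=0
    while read -r princ rights _target; do
        case $princ in ''|\#*) continue ;; esac      # skip blank and comment lines
        case $princ in
            pam_migrate/*@"$realm")
                # rights may be a comma list such as "add,delete"; each must be add
                for r in $(printf '%s' "$rights" | tr ',' ' '); do
                    [ "$r" = add ] || { echo "over-privileged: $princ $rights" >&2; bad=1; }
                done ;;
        esac
    done < "$aclfile"
    return $bad
}

# check_keytab_perms KEYTAB [OWNER]
# Returns 0 if KEYTAB exists, is mode 0600 and is owned by OWNER (default root).
check_keytab_perms() {
    kt=$1; owner=${2:-root}
    [ -f "$kt" ] || { echo "missing keytab: $kt" >&2; return 1; }
    mode=$(stat -c '%a' "$kt"); who=$(stat -c '%U' "$kt")   # GNU coreutils stat
    if [ "$mode" != 600 ] || [ "$who" != "$owner" ]; then
        echo "keytab $kt is mode $mode owner $who; want 600 $owner" >&2
        return 1
    fi
}

# audit_migration_setup ACLFILE REALM KEYTAB
# Runs both checks; returns 0 only if both pass.
audit_migration_setup() {
    rc=0
    check_migrate_acl "$1" "$2" || rc=1
    check_keytab_perms "$3" || rc=1
    return $rc
}

# Typical invocation (paths are examples; the ACL path is site-specific):
#   ./audit.sh /etc/heimdal-kdc/kadmind.acl REALM /etc/security/pam_krb5.keytab
if [ "$#" -ge 3 ]; then
    audit_migration_setup "$@"
fi
```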