[deployment-guide: 93/185] fixed minor mistakes in SSSD chapter
Jaromir Hradilek
jhradile at fedoraproject.org
Sun May 15 21:18:55 UTC 2011
commit 1dd14b644a5b77a6e98667ea3eb05095594d283a
Author: Martin Prpic <mprpic at redhat.com>
Date: Fri Feb 11 14:33:48 2011 +0100
fixed minor mistakes in SSSD chapter
en-US/SSSD.xml | 77 ++++++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 58 insertions(+), 19 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index eaedd64..8307ba7 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -1265,17 +1265,17 @@ krb5_auth_timeout = 15
<important>
<title>Important</title>
<para>
- The following setup works correctly on all &MAJOROS; 6.1 systems and any systems released after it. However, when using &MAJOROS; 6.0, you must correctly configure the <option>default_realm</option> option in the <option>[libdefaults]</option> section and <option>kdc</option> option for your realm in the <option>[realms]</option> section in your <filename>/etc/krb5.conf</filename> configuration file. For more information on various <filename>/etc/krb5.conf</filename> options, refer to <command>man krb5.conf</command>
+ The following setup works correctly on all &MAJOROS; 6.1 systems and any systems released after it. However, when using &MAJOROS; 6.0, you must correctly configure the <option>default_realm</option> option in the <option>[libdefaults]</option> section and <option>kdc</option> option for your realm in the <option>[realms]</option> section in the <filename>/etc/krb5.conf</filename> configuration file not only on the directory server and the KDC but also on the client running SSSD. For more information on various <filename>/etc/krb5.conf</filename> options, refer to <command>man krb5.conf</command>
</para>
</important>
<variablelist>
<varlistentry>
- <term>On the LDAP Server</term>
+ <term>On the KDC</term>
<listitem>
<orderedlist>
<listitem>
<para>
- Using <application>kadmin</application>, set up a Kerberos service principal for the LDAP server. Use the <option>-randkey</option> option for the <application>kadmin</application>'s <command>addprinc</command> command to create the principal and assign it a random key:
+ Using <application>kadmin</application>, set up a Kerberos service principal for the directory server. Use the <option>-randkey</option> option for the <application>kadmin</application>'s <command>addprinc</command> command to create the principal and assign it a random key:
</para>
<screen>kadmin: addprinc -randkey ldap/server.example.com</screen>
</listitem>
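Review bot: The rewritten "Important" paragraph still ends without a terminating period after `<command>man krb5.conf</command>`, and "and <option>kdc</option> option for your realm" is missing the article ("and the <option>kdc</option> option"); since this line is being touched anyway, both should be fixed here. The added clause "not only on the directory server and the KDC but also on the client running SSSD" is the substantive correction and reads fine. Renaming the term to "On the KDC" matches the content of the steps that follow (they are all `kadmin` operations), so that part is consistent.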
@@ -1283,39 +1283,78 @@ krb5_auth_timeout = 15
<para>
Use <application>kadmin</application>'s <command>ktadd</command> to write the service principal to a file:
</para>
- <screen>kadmin: ktadd -k /etc/openldap/ldap.keytab ldap/server.example.com</screen>
+ <screen>kadmin: ktadd -k /root/ldap.keytab ldap/server.example.com</screen>
+ </listitem>
+ <listitem>
<para>
- The command above assumes you are using OpenLDAP. In this case, the keytab file must be named <filename>ldap.keytab</filename> and placed in the <filename>/etc/openldap/</filename> directory. The file must be owned by a user called <parameter>ldap</parameter> and a group called <parameter>ldap</parameter>.
- </para>
+ Using <application>kadmin</application>, set up a Kerberos host principal for the client running SSSD. Use the <option>-randkey</option> option for the <application>kadmin</application>'s <command>addprinc</command> command to create the principal and assign it a random key:
+ </para>
+ <screen>kadmin: addprinc -randkey host/client.example.com</screen>
+ </listitem>
+ <listitem>
+ <para>
+ Use <application>kadmin</application>'s <command>ktadd</command> to write the host principal to a file:
+ </para>
+ <screen>kadmin: ktadd -k /root/client.keytab host/client.example.com</screen>
+ </listitem>
+ </orderedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>On the Directory Server</term>
+ <listitem>
+ <para>
+ Complete the following steps for a directory server of your choice:
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>OpenLDAP</term>
+ <listitem>
+ <orderedlist>
+ <listitem>
+ <para>
+ Copy the previously created <filename>/root/ldap.keytab</filename> file from the KDC to the <filename>/etc/openldap/</filename> directory and name it <filename>ldap.keytab</filename>.</para>
+ </listitem>
+ <listitem>
<para>
- When using the Red Hat Directory Server, name the file <filename>ds.keytab</filename> and place it in the <filename>/etc/dirsrv/</filename> directory. Uncomment the <varname>KRB5_KTNAME</varname> line in the <filename>/etc/sysconfig/dirsrv</filename> (or instance-specific) file, and set the keytab location for the <varname>KRB5_KTNAME</varname> variable. For example:
+ Make the <filename>/etc/openldap/ldap.keytab</filename> file read-writeable for the <systemitem class="username">ldap</systemitem> user and readable for the <systemitem class="username">ldap</systemitem> group only.
</para>
- <screen>
+ </listitem>
+ </orderedlist>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Red Hat Directory Server</term>
+ <listitem>
+ <orderedlist>
+ <listitem>
+ <para>Copy the previously created <filename>/root/ldap.keytab</filename> file from the KDC to the <filename>/etc/dirsrv/</filename> directory and name it <filename>ldap.keytab</filename>.</para>
+ </listitem>
+ <listitem>
+ <para>
+ Uncomment the <varname>KRB5_KTNAME</varname> line in the <filename>/etc/sysconfig/dirsrv</filename> (or instance-specific) file, and set the keytab location for the <varname>KRB5_KTNAME</varname> variable. For example:
+ <screen>
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
-KRB5_KTNAME=/etc/dirsrv/krb5.keytab ; export KRB5_KTNAME</screen>
+KRB5_KTNAME=/etc/dirsrv/ldap.keytab; export KRB5_KTNAME</screen>
+ </para>
</listitem>
</orderedlist>
-
+ </listitem>
+ </varlistentry>
+ </variablelist>
</listitem>
</varlistentry>
<varlistentry>
- <term>On the KDC</term>
+ <term>On the Client</term>
<listitem>
<orderedlist>
<listitem>
<para>
- Using <application>kadmin</application>, set up a Kerberos host principal for the client running SSSD. Use the <option>-randkey</option> option for the <application>kadmin</application>'s <command>addprinc</command> command to create the principal and assign it a random key:
- </para>
- <screen>kadmin: addprinc -randkey host/client.example.com</screen>
- </listitem>
- <listitem>
- <para>
- Use <application>kadmin</application>'s <command>ktadd</command> to write the host principal to a file:
+ Copy the previously created <filename>/root/client.keytab</filename> file from the KDC to the <filename>/etc/</filename> directory and name it <filename>krb5.keytab</filename>. If the <filename>/etc/krb5.keytab</filename> file exists already, use the <application>ktutil</application> utility to merge both files properly. For more information on the <application>ktutil</application> utility, refer to <command>man ktutil</command>.
</para>
- <screen>kadmin: ktadd -k /etc/krb5.keytab host/client.example.com</screen>
</listitem>
<listitem>
<para>
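Review bot: The new "Red Hat Directory Server" branch has no ownership/permissions step for `/etc/dirsrv/ldap.keytab`, while the parallel "OpenLDAP" branch does ("Make the <filename>/etc/openldap/ldap.keytab</filename> file read-writeable for the ... ldap user"); the removed text also previously stated who must own the keytab, so a corresponding step for the directory server instance user should be added so the keytab is not left world-readable after the copy. Two smaller points in the same hunk: "read-writeable" should be "read-writable", and the `<screen>` block for `KRB5_KTNAME` is now nested inside the `<para>` element, whereas every other step in this list places `<screen>` as a sibling after `</para>` (for example the `ktadd` steps above); keep the sibling form for consistency.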
More information about the docs-commits
mailing list