Commit d31f67f5 authored by Eric Cano

Changed keytab creation recipe with usage of service specific principal.

parent 643ccbf2
......@@ -195,12 +195,49 @@ at CERN and runs a CERN supported version of linux.
\end{verbatim}
In order for the EOS \texttt{mgm} to authenticate users using kerberos, create a
kerberos \texttt{keytab} file based on the system one and make it readable by
the EOS \texttt{xrootd} daemons.
\begin{verbatim}
sudo cp /etc/krb5.keytab /etc/krb5.keytab.eos
sudo chown daemon /etc/krb5.keytab.eos
\end{verbatim}
a new \texttt{eos} service principal in the \texttt{kdc}, and get the key installed in the keytab.
This will also recreate new version of every other key for this host. The key the eos principal
can then be extracted to a new keytab, which will be owned by user daemon so it becomes readable
by the \texttt{mgm}.
\begin{verbatim}
[root@devbox ~]# cern-get-keytab --service eostest -f
Waiting for password replication (0 seconds past)
Waiting for password replication (5 seconds past)
Waiting for password replication (10 seconds past)
Keytab file saved: /etc/krb5.keytab
[root@lxc2dev3d1 ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 14 devbox$@CERN.CH
2 14 devbox$@CERN.CH
3 14 devbox$@CERN.CH
4 14 eos/devbox.cern.ch@CERN.CH
5 14 eos/devbox.cern.ch@CERN.CH
6 14 eos/devbox.cern.ch@CERN.CH
7 14 host/devbox.cern.ch@CERN.CH
8 14 host/devbox.cern.ch@CERN.CH
9 14 host/devbox.cern.ch@CERN.CH
ktutil: delent 1
ktutil: delent 1
ktutil: delent 1
ktutil: delent 4
ktutil: delent 4
ktutil: delent 4
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 14 eos/devbox.cern.ch@CERN.CH
2 14 eos/devbox.cern.ch@CERN.CH
3 14 eos/devbox.cern.ch@CERN.CH
ktutil: wkt /etc/krb5.keytab.eos
ktutil: q
[root@devbox ~]# chown daemon.daemon /etc/krb5.keytab.eos
\end{verbatim}
This operation will re-generate all the keys of the host. It might require the client users to
\texttt{kdestroy} their corresponding tickets in caches.
\subsection{Setup the \texttt{/etc/xrd.cf.mgm} configuration file}
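Review bot: the hunk leaves two keytab recipes that contradict each other. The first verbatim block (`sudo cp /etc/krb5.keytab /etc/krb5.keytab.eos` followed by `sudo chown daemon /etc/krb5.keytab.eos`) gives the daemon user a copy of the whole system keytab, including the `devbox$` and `host/devbox.cern.ch` keys, which is exactly what the ktutil extraction below exists to avoid; if that block is still in the new text it should be dropped. The paragraph that follows it ("a new \texttt{eos} service principal in the \texttt{kdc}, ...") has lost its leading clause and should read as a full sentence, e.g. "Create a new \texttt{eos} service principal ..."; in the same paragraph, "recreate new version" should be "recreate a new version" and "The key the eos principal can then be extracted" is missing "of". The example session is also inconsistent: `cern-get-keytab --service eostest` is shown producing `eos/devbox.cern.ch@CERN.CH` principals, and the prompt switches from `devbox` to `lxc2dev3d1` mid-session; use one service name and one hostname throughout. Finally, the recipe only runs `chown daemon.daemon /etc/krb5.keytab.eos`; add an explicit `chmod 600 /etc/krb5.keytab.eos` (and prefer the `daemon:daemon` form) so that who can read the extracted eos key does not depend on whatever mode `ktutil wkt` created the file with.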
......