From 0d57013b4ef790e0b428eb41645199434cce2ecd Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Sun, 21 Feb 2010 20:20:14 -0800 Subject: Further README updates for Heimdal support --- README | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) (limited to 'README') diff --git a/README b/README index 86b0ac4..cb8942c 100644 --- a/README +++ b/README @@ -45,14 +45,16 @@ DESCRIPTION infrastructure. Currently, the only ACL type supported matches a single Kerberos principal name, but this will be extended in future releases. - Currently, the only object type supported is a Kerberos keytab. By - default, whenever a Kerberos keytab object is retrieved from the wallet, - the key is changed in the Kerberos KDC and the wallet returns a keytab - for the new key. However, also included in the wallet distribution is a - script that can be run via remctl on the Kerberos KDC to extract the - existing key for a principal, and the wallet system will use that - interface to retrieve the current key if the unchanging flag is set on a - Kerberos keytab object. + Currently, the object types supported are simple files and Kerberos + keytabs. By default, whenever a Kerberos keytab object is retrieved + from the wallet, the key is changed in the Kerberos KDC and the wallet + returns a keytab for the new key. However, a keytab object can also be + configured to preserve the existing keys when retrieved. Included in + the wallet distribution is a script that can be run via remctl on an MIT + Kerberos KDC to extract the existing key for a principal, and the wallet + system will use that interface to retrieve the current key if the + unchanging flag is set on a Kerberos keytab object for MIT Kerberos. + (Heimdal doesn't require any special support.) REQUIREMENTS 
@@ -90,15 +92,15 @@ REQUIREMENTS to create, modify, and delete principals from the KDC (as configured in kadm5.acl on an MIT Kerberos KDC). - To support the unchanging flag on keytab objects, the Net::Remctl Perl - module (shipped with remctl) must be installed on the server and the - keytab-backend script must be runnable via remctl on the KDC. This - script also requires an MIT Kerberos kadmin.local binary that supports - the -norandkey option to ktadd. This option will be included in MIT - Kerberos 1.7 and later. + To support the unchanging flag on keytab objects with an MIT Kerberos + KDC, the Net::Remctl Perl module (shipped with remctl) must be installed + on the server and the keytab-backend script must be runnable via remctl + on the KDC. This script also requires an MIT Kerberos kadmin.local + binary that supports the -norandkey option to ktadd. This option is + included in MIT Kerberos 1.7 and later. To support the NetDB ACL verifier (only of interest at sites using NetDB - to manage DNS), the Net::Remctl Perl module must be installed on the + to manage DNS), the Net::Remctl Perl module must be installed on the server. To run the test suite, you must have Perl 5.8 or later and the Perl DBI 
@@ -114,10 +116,10 @@ REQUIREMENTS checked. The full test suite also requires the Test::Pod Perl module (available from CPAN), that remctld be installed and available on the user's path or in /usr/local/sbin or /usr/sbin, that test cases can run - services on and connect to ports 14373 and 14444 on 127.0.0.1, and that - kinit and kvno (which come with Kerberos) be installed and available on - the user's path. The full test suite also requires a local keytab and - some additional configuration. + services on and connect to port 14373 on 127.0.0.1, and that kinit and + either kvno or kgetcred (which come with Kerberos) be installed and + available on the user's path. The full test suite also requires a local + keytab and some additional configuration. To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or -- cgit v1.2.3
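Review bot: In the DESCRIPTION hunk (@@ -45,14 +45,16 @@), the new sentence "a keytab object can also be configured to preserve the existing keys when retrieved" does not name the setting that does this. The unchanging flag only appears two sentences later, and only in the MIT-specific clause, so the reader has to infer that they are the same thing. Suggest naming the unchanging flag in that first sentence. The closing parenthetical "(Heimdal doesn't require any special support.)" should also say what it means in practice, namely that the flag works with a Heimdal KDC without the remctl-invoked script. Since this paragraph contrasts rekey-on-retrieval with returning the existing key, it would also help to state that with the flag set every download returns the same key, so earlier copies of the keytab stay valid.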
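Review bot: In the first REQUIREMENTS hunk (@@ -90,15 +92,15 @@), the unchanging-flag paragraph is now scoped to "an MIT Kerberos KDC", but nothing says what a Heimdal site needs for the same flag. Someone reading only REQUIREMENTS will not see the DESCRIPTION remark that Heimdal needs no special support. Suggest one sentence here saying that Net::Remctl and keytab-backend are not needed for this purpose with Heimdal. Separately, the removed and added lines "to manage DNS), the Net::Remctl Perl module must be installed on the" show identical text, so that change looks whitespace-only. It would be cleaner in its own commit or mentioned in the message.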
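Review bot: In the test-suite hunk (@@ -114,10 +116,10 @@), the port requirement changes from "ports 14373 and 14444" to "port 14373", which the subject line "Further README updates for Heimdal support" does not explain. Please confirm that the test suite no longer runs or connects to anything on 14444, and mention the change in the commit message so it is not mistaken for an accidental edit. In the same sentence, "either kvno or kgetcred (which come with Kerberos)" does not say which Kerberos implementation provides which program. Naming the implementation for each would tell the reader which one to expect on their path.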