|
Lines 2425-2431
|
| 2425 |
<para>Now it is time to start up the <acronym>KDC</acronym> services. |
2425 |
<para>Now it is time to start up the <acronym>KDC</acronym> services. |
| 2426 |
Run <command>/etc/rc.d/kerberos start</command> and |
2426 |
Run <command>/etc/rc.d/kerberos start</command> and |
| 2427 |
<command>/etc/rc.d/kadmind start</command> to bring up the |
2427 |
<command>/etc/rc.d/kadmind start</command> to bring up the |
| 2428 |
services. Note that you won't have any kerberized daemons running |
2428 |
services. Note that you will not have any kerberized daemons running |
| 2429 |
at this point but you should be able to confirm the that the |
2429 |
at this point but you should be able to confirm the that the |
| 2430 |
<acronym>KDC</acronym> is functioning by obtaining and listing a |
2430 |
<acronym>KDC</acronym> is functioning by obtaining and listing a |
| 2431 |
ticket for the principal (user) that you just created from the |
2431 |
ticket for the principal (user) that you just created from the |
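Review bot: The new text on line 2429 still reads "confirm the that the", a doubled article that this contraction pass could fix while the paragraph is being touched; suggest "you should be able to confirm that the <acronym>KDC</acronym> is functioning". The "won't" to "will not" change on line 2428 is consistent with the rest of the series.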
|
Lines 2697-2703
|
| 2697 |
and reverse) in <acronym>DNS</acronym> (or |
2697 |
and reverse) in <acronym>DNS</acronym> (or |
| 2698 |
<filename>/etc/hosts</filename> as a minimum). CNAMEs |
2698 |
<filename>/etc/hosts</filename> as a minimum). CNAMEs |
| 2699 |
will work, but the A and PTR records must be correct and in |
2699 |
will work, but the A and PTR records must be correct and in |
| 2700 |
place. The error message isn't very intuitive: |
2700 |
place. The error message is not very intuitive: |
| 2701 |
<errorname>Kerberos5 refuses authentication because Read req |
2701 |
<errorname>Kerberos5 refuses authentication because Read req |
| 2702 |
failed: Key table entry not found</errorname>.</para> |
2702 |
failed: Key table entry not found</errorname>.</para> |
| 2703 |
</listitem> |
2703 |
</listitem> |
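Review bot: Only the contraction on line 2700 changes here, and the <errorname> text on lines 2701-2702 is correctly left verbatim since it quotes program output; expanding a contraction inside that element would make the message no longer match what the daemon prints. No further issue with this hunk.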
|
Lines 3371-3377
|
| 3371 |
</listitem> |
3371 |
</listitem> |
| 3372 |
<listitem> |
3372 |
<listitem> |
| 3373 |
<para>The internal addresses of the two networks can be |
3373 |
<para>The internal addresses of the two networks can be |
| 3374 |
public or private IP addresses, it doesn't matter. You can |
3374 |
public or private IP addresses, it does not matter. You can |
| 3375 |
be running NAT on the gateway machine if necessary.</para> |
3375 |
be running NAT on the gateway machine if necessary.</para> |
| 3376 |
</listitem> |
3376 |
</listitem> |
| 3377 |
<listitem> |
3377 |
<listitem> |
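Review bot: Line 3374 now reads "public or private IP addresses, it does not matter", a comma splice that the expanded contraction makes more visible; suggest "public or private IP addresses; it does not matter" or "can be either public or private IP addresses". Also, IP on line 3374 and NAT on line 3375 are not wrapped in <acronym> while KDC and DNS are elsewhere in this file; consider doing so if that is the file's convention.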
|
Lines 3733-3739
|
| 3733 |
</listitem> |
3733 |
</listitem> |
| 3734 |
<listitem> |
3734 |
<listitem> |
| 3735 |
<para>There must be a mechanism for specifying which traffic |
3735 |
<para>There must be a mechanism for specifying which traffic |
| 3736 |
should be encrypted. Obviously, you don't want to encrypt |
3736 |
should be encrypted. Obviously, you do not want to encrypt |
| 3737 |
all your outgoing traffic -- you only want to encrypt the |
3737 |
all your outgoing traffic -- you only want to encrypt the |
| 3738 |
traffic that is part of the VPN. The rules that you put in |
3738 |
traffic that is part of the VPN. The rules that you put in |
| 3739 |
place to determine what traffic will be encrypted are called |
3739 |
place to determine what traffic will be encrypted are called |
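Review bot: The ASCII double hyphen "--" on line 3737 is left untouched in the new text; if the handbook uses an entity such as &mdash; for dashes, this cleanup pass is a natural place to align it, otherwise it is fine as is. Consider also dropping "Obviously," at the start of the sentence on line 3736, since it adds nothing to the instruction that follows.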
|
Lines 3811-3817
|
| 3811 |
this to encrypt the traffic over the VPN. They periodically |
3811 |
this to encrypt the traffic over the VPN. They periodically |
| 3812 |
change this secret, so that even if an attacker were to crack one |
3812 |
change this secret, so that even if an attacker were to crack one |
| 3813 |
of the keys (which is as theoretically close to unfeasible as it |
3813 |
of the keys (which is as theoretically close to unfeasible as it |
| 3814 |
gets) it won't do them much good -- by the time they've cracked |
3814 |
gets) it will not do them much good -- by the time they have cracked |
| 3815 |
the key the two daemons have chosen another one.</para> |
3815 |
the key the two daemons have chosen another one.</para> |
| 3816 |
|
3816 |
|
| 3817 |
<para>racoon's configuration is stored in |
3817 |
<para>racoon's configuration is stored in |
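Review bot: While "won't" and "they've" are expanded on line 3814, the parenthetical on lines 3813-3814, "as theoretically close to unfeasible as it gets", stays awkward; "unfeasible" should be "infeasible", and "(which is computationally infeasible in practice)" says the same thing more plainly. The rekeying argument on lines 3814-3815 also wants a comma: "by the time they have cracked the key, the two daemons have chosen another one." The same "--" dash question as in the 3733-3739 hunk applies to line 3814.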