Improvements to the 13.5. Kerberos chapter?
Date: Mon, 30 Jun 2025 14:52:27 UTC
Hello,

Is this the right place to make suggestions? I used the FreeBSD Handbook for setting up Kerberos (Heimdal) and wanted to recommend two ideas. You might consider them for the Handbook chapter '13.5. Kerberos'.

## Missing kpasswd daemon inhibits usage of remote '$ passwd'

I would suggest starting the kpasswd daemon, too. Without it, nobody will be able to change their own password after the first login. Therefore, in chapter '13.5.1 Setting up a Heimdal KDC' you would like to add something like

    kpasswdd_enable="YES"

after

    kdc_enable="YES"
    kadmind_enable="YES"

in your 'rc.conf' file (found under '13.5.1. Setting up a Heimdal KDC').

## Is this configuration still ok?

Maybe I got this wrong, but in '13.5.4. MIT Differences' you said 'When using MIT Kerberos as a KDC on FreeBSD, the following edits should also be made to rc.conf':

    kerberos5_server="/usr/local/sbin/krb5kdc"
    kadmind5_server="/usr/local/sbin/kadmind"
    kerberos5_server_flags=""

This confuses me. In my default 'rc.conf' under 13.4-RELEASE-p5 I found these values (should this not work with 'security/krb5' aka MIT Kerberos?):

    kdc_program="/usr/libexec/kdc"
    kadmind_program="/usr/libexec/kadmind"
    kpasswdd_program="/usr/libexec/kpasswdd"

I run Heimdal and I had to alter them in my 'rc.conf' to this:

    kdc_program="/usr/local/libexec/kdc"
    kadmind_program="/usr/local/libexec/kadmind"
    kpasswdd_program="/usr/local/libexec/kpasswdd"

For me that sounds like you believe the default setting is suitable for Heimdal, but I use my config as shown. (I found my settings by using '$ pkg list heimdal | grep libexec' and they are fine to me.)

Regards,
Michael
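
The two points raised in the message above can be checked mechanically. The script below is an added example, not part of the original message or of the Handbook: it reads an rc.conf-style file, flags a KDC that is enabled without kpasswdd, and flags any enabled daemon whose `*_program` path is not an executable file. The function names and the `ROOT` prefix argument are hypothetical; the fallback paths are the defaults quoted in the message, and the accepted "yes" spellings follow rc.subr's `checkyesno`.

```shell
#!/bin/sh
# Added example: audit an rc.conf-style file for the two issues in the message.

# rc_get FILE VAR: print the last value assigned to VAR, quotes stripped.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# is_yes VALUE: the same spellings rc.subr's checkyesno accepts.
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_kerberos_rc FILE [ROOT]: print findings; exit status = number found.
# ROOT is a hypothetical path prefix so the check can run against a test tree.
audit_kerberos_rc() {
    rc=$1; root=${2:-}; findings=0
    if is_yes "$(rc_get "$rc" kdc_enable)" &&
       ! is_yes "$(rc_get "$rc" kpasswdd_enable)"; then
        echo "kdc_enable=YES without kpasswdd_enable=YES: users cannot change passwords"
        findings=$((findings + 1))
    fi
    for d in kdc kadmind kpasswdd; do
        is_yes "$(rc_get "$rc" "${d}_enable")" || continue
        prog=$(rc_get "$rc" "${d}_program")
        prog=${prog:-/usr/libexec/$d}   # default path quoted in the message
        if [ ! -x "$root$prog" ]; then
            echo "${d}_program=$prog is not an executable file"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: Heimdal binaries under /usr/local, minimal rc.conf.
demo_findings() {
    t=$(mktemp -d) && mkdir -p "$t/usr/local/libexec"
    for d in kdc kadmind kpasswdd; do
        : > "$t/usr/local/libexec/$d"; chmod +x "$t/usr/local/libexec/$d"
    done
    printf 'kdc_enable="YES"\nkadmind_enable="YES"\n' > "$t/rc.conf"
    audit_kerberos_rc "$t/rc.conf" "$t"; n=$?
    rm -rf "$t"; return "$n"
}
demo_findings || echo "findings: $?"
```

On a real host, run `audit_kerberos_rc /etc/rc.conf` with no second argument so the paths are checked against the live filesystem.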