Subject: Kerberos and Exceed - working together?
Date: Wed, 06 Dec 2000 11:04:14 -0500
From: Richard Partridge
To: d0-nt_users@fnal.gov

I have succeeded in getting past the mutant dog using Hummingbird V7.0. Despite prior reports that this is not for novices, I found it fairly simple to get going...anyone who regularly installs PC software on their computer without breaking it should succeed. Below is a fairly detailed recipe that worked for me.

Please note that I have only tried this on my office PC, which is running Win2k SP1 and Hummingbird V7.0. Also, I did this installation from an account with administrative privileges...don't know if it will work from a non-administrator account. (I don't get paid to do this...and those that do can't seem to be bothered to provide instructions).

1. Download the Kerberos client software from MIT.

This is called MINK and can be found at: http://web.mit.edu/network/kerberos-form.html

You will first need to answer some questions before getting to the "Welcome to the MIT Kerberos Distribution Page". Scroll down to the section on "MIT Kerberos for Microsoft Operating Systems Release 2.0" and click on the file listed next to "Windows NT binaries". Save the file to disk (currently mink-10-18-99.exe). Execute this file to install it. You will be asked a series of questions, but you can pretty much keep hitting the "next" button. When you come to the "Select Components" screen, the only component you need to install is "Support for 32 bit applications". After installing the files, it will ask if it's OK to restart your computer. On my computer, it only logged me off and didn't do a restart. To be safe, I would suggest rebooting manually.

2. Configure your Kerberos client

There will now be a "Kerberos Utilities" menu under Programs on the Start menu. You will find here a shortcut to Leash32, which is a GUI for configuring your Kerberos client.
Here are the steps for configuring your client using Leash32:

- Select Kerberos Properties on the Tools menu.
- Under Ticket lifetime, choose how long you would like your tickets to last (I used 1500 minutes).
- Under Realm/Server Mapping, add the PILOT.FNAL.GOV realm. Then add the following servers to this realm: krb-pilot-1.fnal.gov, krb-pilot-2.fnal.gov and krb-pilot-admin.fnal.gov (hit the "make administrator" button for this server).
- Under DNS/Realm mapping, map the .fnal.gov domain to the PILOT.FNAL.GOV realm.
- Under Default Realm Configuration, make sure your default realm is PILOT.FNAL.GOV and that your computer address is listed correctly.
- Now, select Kerberos 5 Properties on the Tools menu, select the Configuration Options tab, and make sure the forwardable and proxiable boxes are checked.

3. Make sure you can get a ticket.

You can either use the Leash32 utility (Get Ticket on the Action menu) or type "kinit -5" from the command line. A Kerberos 5 ticket will show up in the Leash32 GUI, or you can type "klist" to list your tickets from the command line.

On my computer, the Leash32 utility gives an error message saying "Something weird happened"...just hit OK and Cancel when it sends you back to the login box...it worked despite the error message. I suspect this is a bug in the MIT software when it tries to get a Kerberos 4 ticket. No such error is reported if you use "kinit -5" from the command line, but just typing "kinit" also gives an error when it tries to get a Kerberos 4 ticket. This is a nuisance, but not really a problem since Fermilab uses Kerberos 5. It may be that this bug only appears for Win2k or is due to some other conflict on my computer.

4. Configure the Hummingbird Telnet application - note these instructions are for Exceed V7.0!!

Start the Exceed telnet program (select Programs/Hummingbird Connectivity/Host Explorer/Telnet from the Start menu).
Right click on VT220 and select Properties to configure telnet to use Kerberos. Select Security and set the Kerberos version to 5 and make sure the authentication, encryption, and forwardable boxes are checked.

5. Connect to Fermilab

You should now be able to select a Fermilab unix host and connect using telnet provided you have a valid ticket from step 3. If you get the login prompt, something isn't set right. Go back and check steps 3-4.

In principle, you can also use the "XStart" application provided with Exceed, but I found that this didn't provide tickets that could be forwarded. Thus, I suggest using Telnet to access the host initially.

Good Luck!

Rich
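Editor's added example (not part of Rich's post): the Leash32 settings from step 2, written out as an MIT-format krb5.ini, the Windows counterpart of krb5.conf. The realm, server names, lifetime, domain mapping and flags are the ones given in the post; that Leash32 stores its settings in exactly this layout is an assumption, and the section and key names are the standard MIT ones.

```ini
# Added example, not from the original post: the step-2 Leash32 settings as an
# MIT krb5.ini / krb5.conf. Assumption: Leash32 keeps its settings in this form.
[libdefaults]
    default_realm = PILOT.FNAL.GOV
    # "Ticket lifetime" field: 1500 minutes
    ticket_lifetime = 1500m
    # Required for the telnet session to carry your credentials to the host.
    # A forwardable/proxiable TGT lets that host act as you until it expires,
    # so forward only to hosts you would trust with your password.
    forwardable = true
    proxiable = true

[realms]
    # Realm/Server Mapping: the three servers added to the realm, with
    # krb-pilot-admin also marked as the administration server
    PILOT.FNAL.GOV = {
        kdc = krb-pilot-1.fnal.gov
        kdc = krb-pilot-2.fnal.gov
        kdc = krb-pilot-admin.fnal.gov
        admin_server = krb-pilot-admin.fnal.gov
    }

[domain_realm]
    # DNS/Realm mapping: hosts under .fnal.gov belong to PILOT.FNAL.GOV
    .fnal.gov = PILOT.FNAL.GOV
    fnal.gov = PILOT.FNAL.GOV
```

The check is the same as step 3: after "kinit -5", "klist -f" should list a krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV ticket whose flags include F (forwardable); if that flag is missing, the step-5 telnet connection will drop you at the ordinary login prompt.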