Using DICE from Fedora

This document details the steps necessary to take a vanilla Fedora Core machine and get it to play nicely with the DICE infrastructure. With Fedora, there are usually (at least) two ways of achieving the same result: by using the GUI, or by editing configuration files. In what follows, I will generally provide GUI instructions.

I assume that you just want to access services provided from DICE machines, and do not want your local machine's authentication and user lists controlled by DICE.


Locating our KDCs

The machine needs to be either told explicitly about the DICE Kerberos realm, or allowed to get the necessary information from the DNS. The default Fedora installation permits neither of these.

  • Launch the 'authconfig' application (by selecting System>Administration>Authentication on the top menu bar)
  • Click on the Authentication tab in the window that appears
  • Click on the Enable Kerberos support tickbox (so that it is ticked)
  • Click on the 'Configure Kerberos' button
  • Tick the 'Use DNS to locate KDCs for realms' box in the window that appears
  • Click OK
  • Uncheck the 'Enable Kerberos support' button
  • Click OK

Or, on the command line, become root and edit /etc/krb5.conf. Change the line saying

dns_lookup_realm = false
to read
dns_lookup_realm = true

Installing additional software

If you want to use applications which rely on Kerberos authentication, then you will also need the cyrus-sasl-gssapi package, which, for some reason, is not installed by default. To install it:

  • Run the Package Manager, by selecting Applications>Add/Remove Software
  • Click on 'Search'
  • Type cyrus-sasl-gssapi into the box and click on the Search button to the right of it
  • Tick the box beside cyrus-sasl-gssapi in the search results below
  • Click Apply

Or, on the command line, become root and run yum install cyrus-sasl-gssapi

After this, you can gain Kerberos credentials by running kinit <user>@INF.ED.AC.UK


OpenSSH will support Kerberos after the steps above have been performed. However, if you wish to be able to forward your Kerberos credentials to our machines when you log into them, you will need to add the GSSAPIDelegateCredentials yes configuration option to your calls to ssh. This can be done with either ssh -o 'GSSAPIDelegateCredentials yes' <hostname>, or by adding GSSAPIDelegateCredentials yes to either your ~/.ssh/config file, or (as root) to the system wide /etc/ssh/ssh_config file.
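Where GSSAPIDelegateCredentials yes sits in an ssh config file decides which hosts it applies to: at the top of the file or under Host * it is in effect for every connection, while under a specific Host block it is limited to those machines. The script below is an added example, not part of the original page, that reports which case a config file is in; the host pattern *.dice.example and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Host patterns are constructed.

# Read an ssh client config on stdin and print one line for every
# "GSSAPIDelegateCredentials yes":
#   BROAD  <scope>  in effect for every host you connect to
#   SCOPED <scope>  limited to the named Host/Match block
delegation_scopes() {
    awk '
        BEGIN { scope = "(global)"; broad = 1 }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim whitespace
        /^#/ || /^$/ { next }                          # comments, blanks
        {
            # Keyword and arguments may be separated by blanks or "=".
            split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            rest = $0; sub(/^[^ \t=]+[ \t=]+/, "", rest)
        }
        key == "host" || key == "match" {
            scope = f[1] " " rest
            broad = (rest == "*" || (key == "match" && tolower(rest) == "all"))
            next
        }
        key == "gssapidelegatecredentials" && tolower(f[2]) == "yes" {
            kind = broad ? "BROAD" : "SCOPED"
            print kind, scope
        }
    '
}

# Succeeds only when no delegation setting applies to all hosts.
delegation_is_scoped() {
    ! delegation_scopes | grep -q '^BROAD '
}

# Constructed sample: option at the top of the file, so it applies to every host.
sample_weak() {
    printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIDelegateCredentials yes'
}

# Constructed sample: delegation limited to one (placeholder) domain.
sample_scoped() {
    printf '%s\n' '# constructed' 'Host *.dice.example' \
        '    GSSAPIAuthentication yes' '    GSSAPIDelegateCredentials yes' \
        'Host *' '    GSSAPIDelegateCredentials no'
}

echo "weak:";   sample_weak   | delegation_scopes
echo "scoped:"; sample_scoped | delegation_scopes
```

To check a real file, feed it on standard input, for example delegation_scopes < ~/.ssh/config.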


Accessing the DICE Jabber service requires a client which supports Kerberos authentication.


-- SimonWilkinson - 20 Sep 2006

Topic revision: r1 - 20 Sep 2006 - 14:05:17 - SimonWilkinson