Utilizing Existing Kerberos Realm

dresdn
Posts: 92
Joined: Wed Apr 05, 2006 5:11 pm

Postby dresdn » Wed Apr 05, 2006 5:17 pm

Hello.

We're currently evaluating Scalix 10 and so far, so good! However, one of the things that I'm unable to figure out is how to get Scalix to utilize our existing Kerberos realm for authentication. I've searched the knowledge base, but it just seems to be the same information from the Administration Guide (under Non-SSO Kerberos Authentication).

From what I can tell, using the Non-SSO steps and ormkrbinstall, it actually creates a *new* realm. I don't want that as we don't need a realm specific to just Scalix. I have a box already set up as the main KDC and admin, and another box set up as my secondary KDC.

So my question is, does Scalix support this, and if so, what command should I be looking at in order to get it to utilize my current realm?

Thanks!

-Mike

Postby dresdn » Wed Apr 05, 2006 6:22 pm

Looking at it again, I completely skipped the Single Sign-on steps (since I don't have AD or use IE), but in looking at it, the principles are the same. I just mimicked what omaddprincs does and used the ommergekeys from the generated keytab file.

Then using the rest of the SSO steps, I was able to map my users' authids to the appropriate Kerberos principal.

On a side note, can anyone point me to some documentation regarding password expiration/changing using Kerberos?

Thanks!

-Mike

ScalixSupport
Scalix
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Thu Apr 06, 2006 7:58 am

Hi,

You mean password expiration on Scalix? With Kerberos, there are no passwords to expire. It depends on where your KDC is and how it is configured on that side - maybe I am misunderstanding, though.

Cheers,

Sascha.

Postby dresdn » Thu Apr 06, 2006 1:33 pm

I think this is my fault for not really explaining myself well. We're going to be using Kerberos authentication if (more like when) we start using Scalix. Right now we don't have a very good policy in place on the KDC for all our accounts.

Does Scalix support changing Kerberos passwords (if they expire, if the user wants a new one, etc.), or do I have to come up with an alternate way for people to do this?

We're going to be accessing Scalix mainly through the web interface, so that is why I am asking the question here.

-Mike

Postby ScalixSupport » Thu Apr 06, 2006 3:05 pm

Kerberos password changing is provided through the om_krb5 PAM module. So, if you've set up external authentication with Kerberos, you're going to be fine.

Cheers

Dave

