Howto:How to configure Kerberos using commands

From innovaphone wiki

Summary

You can use the following commands to configure devices to use Kerberos for authentication.

Applies To

  • all innovaphone devices
  • firmware V8 and later

More Information

Client Configuration

Configure Server Addresses

vars create KDC/<REALM-NAME> p udp:<SERVER-ADDRESS>:88:464

or

vars create KDC/<REALM-NAME> p udp:<PRIMARY-SERVER-ADDRESS>:88:464,udp:<SECONDARY-SERVER-ADDRESS>:88:464

Join a realm

mod cmd CMD0 join-realm /realm <REALM-NAME> [/name <DEVICE-ID>] /user <ADMIN-NAME> /pass <ADMIN-PASSWORD>

The parameter /name <DEVICE-ID> can be omitted; the added device will then use its own hardware ID instead.

Automated Client Configuration (V8 Hotfix8 and later)

Alternatively, the steps above can be automated by writing the parameters to the var CMD0/KCMD and restarting the box. After the restart, the box keeps trying to join the realm until it succeeds.

The XML has the following format:

<join realm="..." host="..." user="..." password="..." disable-local="..." force="...">

   <server realm="..." address="..." port="..." secondary-address="..." secondary-port="..."/>

</join>

  • join
    • realm: The realm to join
    • host: The host name for the box (optional, otherwise the hardware id will be used)
    • user: Admin user name from the Kerberos server
    • password: Admin password from the Kerberos server
    • disable-local: tells if the local accounts shall be disabled (true or false, optional, defaulting to false)
    • default-realm: The default realm for user authentication (optional, from v10)
    • force: tells if an existing realm membership shall be discarded (true or false, optional, defaulting to false)
    • server: A list of Kerberos realms with their servers (that is, the server tag may appear multiple times). It is copied into the list of Kerberos servers in General/Admin/Authentication Servers. If the Kerberos servers are known via DNS, it may be omitted.
      • realm: The realm of the Kerberos server
      • address: The address of the primary Kerberos server
      • port: The port of the primary Kerberos server (optional, defaulting to 88)
      • secondary-address: The address of the secondary Kerberos server (optional)
      • secondary-port: The port of the secondary Kerberos server (optional, defaulting to 88)

To write the XML to the var, remove all line breaks and replace all spaces with plus signs.

vars create CMD0/KCMD p <join+realm="REALM"+user="admin"+password="secret"+default-realm="REALM"+disable-local="true"+force="true"><server+realm="REALM"+address="172.16.17.1"/></join>

Known Problems

If the password contains special characters, you have to URL-encode it (see http://en.wikipedia.org/wiki/URL-Encoding).

Example

mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test#

URL-encoded

mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test%23
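
The flattening rule for CMD0/KCMD and the URL-encoding rule from Known Problems can be applied by a small generator, so that a password containing spaces, quotes or # does not break the command. This is an added example, not innovaphone code: the function names are hypothetical, and it assumes that the percent-encoding shown above for /pass is also decoded inside the CMD0/KCMD value and that attribute values are XML-escaped first.

```python
from urllib.parse import quote
from xml.sax.saxutils import escape


def enc(value):
    """XML-escape an attribute value, then percent-encode it.

    Assumption: the device decodes %XX inside the var value the same way
    it does for the /pass argument shown in Known Problems.
    """
    return quote(escape(str(value), {'"': "&quot;"}), safe="")


def tag(name, attrs, close=""):
    """Render one tag with '+' in place of the spaces between attributes."""
    pairs = [f'{key}="{enc(val)}"' for key, val in attrs if val is not None]
    return "<" + "+".join([name] + pairs) + close + ">"


def _flag(value):
    """Map an optional boolean to 'true'/'false'; None omits the attribute."""
    return None if value is None else ("true" if value else "false")


def join_realm_command(realm, user, password, name=None):
    """Build the join-realm command with URL-encoded argument values."""
    args = [("/realm", realm), ("/name", name), ("/user", user), ("/pass", password)]
    words = [f"{key} {quote(val, safe='')}" for key, val in args if val is not None]
    return "mod cmd CMD0 join-realm " + " ".join(words)


def kcmd_var_command(realm, user, password, servers=(), host=None,
                     default_realm=None, disable_local=None, force=None):
    """Build the single-line 'vars create CMD0/KCMD' command.

    servers is a list of dicts using the attribute names of the server tag.
    """
    join = tag("join", [("realm", realm), ("host", host), ("user", user),
                        ("password", password), ("default-realm", default_realm),
                        ("disable-local", _flag(disable_local)),
                        ("force", _flag(force))])
    body = "".join(tag("server", list(s.items()), close="/") for s in servers)
    return f"vars create CMD0/KCMD p {join}{body}</join>"
```

With the values used on this page, both functions reproduce the example commands above character for character.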