Howto:How to configure Kerberos using commands
Latest revision as of 16:03, 26 April 2013
Summary
You can use the following commands to configure devices to use Kerberos for authentication.
Applies To
- all innovaphone devices
- firmware V8 and later
More Information
Client Configuration
Configure Server Addresses
vars create KDC/<REALM-NAME> p udp:<SERVER-ADDRESS>:88:464
or
vars create KDC/<REALM-NAME> p udp:<PRIMARY-SERVER-ADDRESS>:88:464,udp:<SECONDARY-SERVER-ADDRESS>:88:464
Join a realm
mod cmd CMD0 join-realm /realm <REALM-NAME> [/name <DEVICE-ID>] /user <ADMIN-NAME> /pass <ADMIN-PASSWORD>
The parameter /name <DEVICE-ID> can be omitted; the device will then use its own HW-ID instead.
Automated Client Configuration (V8 Hotfix8 and later)
Alternatively, the steps above can be automated by writing the parameters to the var CMD0/KCMD and restarting the box. After the restart, the box will continuously try to join the realm until it succeeds.
The XML has the following format:
<join realm="..." host="..." user="..." password="..." disable-local="..." force="...">
<server realm="..." address="..." port="..." secondary-address="..." secondary-port="..."/>
</join>
- join
  - realm: The realm to join
  - host: The host name for the box (optional; otherwise the hardware ID will be used)
  - user: Admin user name from the Kerberos server
  - password: Admin password from the Kerberos server
  - disable-local: Whether the local accounts shall be disabled (true or false; optional, defaulting to false)
  - default-realm: The default realm for user authentication (optional, from v10)
  - force: Whether an existing realm membership shall be discarded (true or false; optional, defaulting to false)
  - server: A list of Kerberos realms with their servers (that is, the server tag may appear multiple times). It will be copied into the list of Kerberos servers in General/Admin/Authentication Servers. If the Kerberos servers are known via DNS, it may be omitted.
    - realm: The realm of the Kerberos server
    - address: The address of the primary Kerberos server
    - port: The port of the primary Kerberos server (optional, defaulting to 88)
    - secondary-address: The address of the secondary Kerberos server (optional)
    - secondary-port: The port of the secondary Kerberos server (optional, defaulting to 88)
To write the XML to the var, all line breaks have to be removed and all spaces have to be replaced by plus signs.
vars create CMD0/KCMD p <join+realm="REALM"+user="admin"+password="secret"+default-realm="REALM"+disable-local="true"+force="true"><server+realm="REALM"+address="172.16.17.1"/></join>
Known Problems
If the password contains special characters, you have to URL-encode them (see http://en.wikipedia.org/wiki/URL-Encoding).
Example
mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test#
URL-encoded:
mod cmd CMD0 join-realm /realm Testrealm /user kerberos /pass test%23
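The two encoding rules above (flattening the XML for CMD0/KCMD and URL-encoding the password for join-realm) can be applied by a small helper before the lines are pasted into the device. This is an added example, not innovaphone code; the function names are hypothetical. Assumptions: attributes not marked optional above are treated as required, and because the page defines no escaping for spaces, plus signs or quotes inside attribute values, such values are rejected rather than guessed at.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

JOIN_REQUIRED = {"realm", "user", "password"}  # assumption: not marked optional
JOIN_OPTIONAL = {"host", "disable-local", "default-realm", "force"}
SERVER_REQUIRED = {"realm", "address"}         # assumption: not marked optional
SERVER_OPTIONAL = {"port", "secondary-address", "secondary-port"}
BOOLEANS = {"disable-local", "force"}
PORTS = {"port", "secondary-port"}


def _check(elem, required, optional):
    names = set(elem.attrib)
    if required - names or names - required - optional:
        raise ValueError(f"<{elem.tag}>: missing {sorted(required - names)}, "
                         f"unknown {sorted(names - required - optional)}")
    for name, value in elem.attrib.items():
        # Assumption: no escaping is documented for these characters inside
        # attribute values, so refuse them instead of guessing.
        if not value or any(c.isspace() or c in '+"<>&' for c in value):
            raise ValueError(f"{name}: unsupported or empty value")
        if name in BOOLEANS and value not in ("true", "false"):
            raise ValueError(f"{name}: must be true or false")
        if name in PORTS and not (value.isdigit() and 0 < int(value) < 65536):
            raise ValueError(f"{name}: not a valid port")


def _tag(elem):
    # Spaces between tag name and attributes become plus signs.
    return "+".join([elem.tag] + [f'{k}="{v}"' for k, v in elem.attrib.items()])


def kcmd_var(xml_text):
    """Return the 'vars create CMD0/KCMD p ...' line for a <join> document."""
    join = ET.fromstring(xml_text)
    if join.tag != "join" or any(child.tag != "server" for child in join):
        raise ValueError("expected <join> containing only <server> elements")
    _check(join, JOIN_REQUIRED, JOIN_OPTIONAL)
    servers = []
    for server in join:
        _check(server, SERVER_REQUIRED, SERVER_OPTIONAL)
        servers.append(f"<{_tag(server)}/>")
    return f"vars create CMD0/KCMD p <{_tag(join)}>{''.join(servers)}</join>"


def join_realm_cmd(realm, user, password, name=None):
    """Return the 'mod cmd CMD0 join-realm' line with a URL-encoded password."""
    parts = ["mod cmd CMD0 join-realm", f"/realm {realm}"]
    if name:
        parts.append(f"/name {name}")
    parts += [f"/user {user}", f"/pass {quote(password, safe='')}"]
    return " ".join(parts)
```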