You may also want to use UDP port 4444, for the krb524 service which converts version 5 tickets to version 4. This is required if you want to use AFS file sharing.
Download the Windows Server 2003 Resource Kit Tools from Microsoft to get the KerbTray and KList tools. This file is supported under Windows XP.
Run the following commands:
KSETUP /AddKdc LEWIN.NU

(If the machine is to authenticate with LEWIN.NU at login:)

KSETUP /SetRealm LEWIN.NU
KSETUP /SetComputerPasswordNow

Then create the host principal on the Kerberos server.

KSETUP /MapUser * *

/usr/heimdal/sbin/kadmin
kadmin> ank -pw password host/datan
kadmin> ank -pw password host/datan.lewin.nu
kadmin> ank -pw password cifs/datan
kadmin> ank -pw password cifs/datan.lewin.nu
Download and install Kerberos For Windows (KfW) from MIT
Done!
kadmin
kadmin> add --random-key tivo
Max ticket life [1 day]: 1 week
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext --keytab=/srv/tivo/keytab tivo
This creates the Kerberos principal 'tivo', with a random key, and then stores the key info in /srv/tivo/keytab.
A script can then get a Kerberos ticket (and AFS token) by running:
kauth -k -t keytab --renewable -l 24h --afslog tivo@LEWIN.NU
See the /srv/slimp/slimp-afs-login.sh script for a simple script which loops forever renewing the ticket every 8 hours.
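The renewal loop the script above describes, written out as an added example (this is not the page's own slimp-afs-login.sh, which is not reproduced here). It assumes the principal, keytab path, lifetime and 8-hour period stated above, adds a check that the keytab is not readable by other users before it is used, and treats the to_seconds helper and the "run" argument as assumptions of this example:

```shell
#!/bin/sh
# Added example: keeps a service principal's ticket and AFS token fresh by
# re-running Heimdal kauth from a keytab every 8 hours (values from the page;
# PRINCIPAL, KEYTAB, LIFETIME and RENEW_EVERY can be overridden via environment).
PRINCIPAL="${PRINCIPAL:-tivo@LEWIN.NU}"
KEYTAB="${KEYTAB:-/srv/tivo/keytab}"
LIFETIME="${LIFETIME:-24h}"
RENEW_EVERY="${RENEW_EVERY:-8h}"

# Convert a duration like 8h, 30m or 90 (seconds) to seconds. Assumed helper.
to_seconds() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g')
    n=${n:-0}
    case "$1" in
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *)  echo "$n" ;;
    esac
}

# The keytab holds the principal's long-term key, so refuse to use it if group
# or other have any permission bits. Returns 0 for mode ?rw------- style files.
keytab_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$perms" ] && [ "$perms" = "------" ]
}

# Loop forever: obtain a renewable ticket plus AFS token from the keytab,
# then sleep for the renewal period. On failure, retry after a minute.
renew_loop() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to start: $KEYTAB is readable by other users" >&2
        return 1
    fi
    while :; do
        if ! kauth -k -t "$KEYTAB" --renewable -l "$LIFETIME" --afslog "$PRINCIPAL"; then
            echo "$(date): kauth failed, retrying in 60s" >&2
            sleep 60
            continue
        fi
        sleep "$(to_seconds "$RENEW_EVERY")"
    done
}

# Only start the loop when invoked as "script.sh run", so the functions can be
# sourced and checked without touching the KDC.
if [ "${1-}" = "run" ]; then
    renew_loop
fi
```

Start it with `sh slimp-afs-login.sh run` from a service supervisor; if kauth fails (KDC unreachable, keytab rotated) the loop logs and retries instead of exiting, and the permission check stops the job before an over-shared keytab is ever used.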
For any user that should be able to su root, add a
To authenticate for AFS, use the new Network Identity Manager software, from MIT I think. You also need an AFS plugin for it from Secure Endpoints, Inc. I think it should be set to use the Krb524 method to do AFS authentication.