Lexmark X782e PKI-Enabled Pre-Installation Guide - Page 36



PKI Pre-Installation Guide
Version 2.0.0
Page 32

The IP address or fully qualified domain name of the Windows Domain Controller described in section 3.2.2, item 1 should be used for the kdc and default_domain fields in the [realms] section of the example below.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = #####_DOMAIN.NAME.MIL_#####
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 12h
    default_etypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_etypes_des = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tgt_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC
    default_tgs_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC

    [appdefaults]

    [realms]

Each supported Kerberos realm needs to be listed in this section; repeat all of the following for each realm.

    #####_DOMAIN.NAME.MIL_##### = {

KDCs can be listed by either IP address or fully qualified domain name. More than one KDC can be listed. If the first KDC cannot be contacted, then the next KDC is contacted; this process repeats until all KDCs have been tried. Note that if multiple KDCs are used, certificate chains will need to be present in the MFP for all KDCs.

    kdc = tcp/#####_ip_address_or_name_of_domain_controller_#####
    default_domain = #####_same_as_kdc_#####
    pkinit_require_eku = false
    pkinit_require_krbtgt_otherName = false

Microsoft implemented “draft” versions of the IETF Kerberos PKINIT specifications. This resulted in some slight differences between software supporting the final IETF specification and software supporting the Microsoft implementation. This configuration flag informs the firmware to use the Microsoft format for PKINIT protocol commands.

    pkinit_win2k = yes
    pkinit_win2k_require_binding = no
    }

    [domain_realm]

Define a mapping between domain names found in the user’s certificate and the Kerberos realm. Entries beginning with “.” match any name carrying that suffix, i.e. “dc1.mil” matches “.mil” but not “mil”. It is acceptable to map multiple domain names to the same realm.

    .mil = #####_DOMAIN.NAME.MIL_#####
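As an added example (not part of the Lexmark guide), the following Python parses a krb5.conf fragment in the shape shown above, applies the [domain_realm] suffix rule the guide describes, and flags the template settings a reviewer would question: the DES and RC4 enctypes and pkinit_require_eku = false. The realm, KDC and mapping values are constructed placeholders, not a real site.

```python
# Constructed krb5.conf fragment in the guide's shape (placeholder realm and KDC, not a real site).
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.MIL
default_tgs_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC
[realms]
EXAMPLE.MIL = {
kdc = tcp/dc1.example.mil
pkinit_require_eku = false
pkinit_win2k = yes
}
[domain_realm]
.mil = EXAMPLE.MIL
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; 'REALM = { ... }' blocks become nested dicts."""
    conf, section, realm = {}, {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("= {"):                     # start of a realm block
            realm = section.setdefault(line[:-3].strip(), {})
        elif line == "}":
            realm = None
        else:
            key, _, value = line.partition("=")
            (realm if realm is not None else section)[key.strip()] = value.strip()
    return conf

def realm_for_host(conf, host):
    """[domain_realm] rule from the guide: exact name first, then the longest
    leading-dot suffix ('dc1.mil' matches '.mil'; the bare name 'mil' does not)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower()
    candidates = [k for k in mapping if k == host or (k.startswith(".") and host.endswith(k))]
    return mapping[max(candidates, key=len)] if candidates else None

# DES (RFC 6649) and RC4 (RFC 8429) are deprecated Kerberos enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}
def audit(conf):
    """Findings a reviewer would raise against the guide's template settings."""
    findings = []
    for key, value in conf.get("libdefaults", {}).items():
        weak = sorted({e.lower() for e in value.split()} & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} allows weak enctypes: {' '.join(weak)}")
    for realm, opts in conf.get("realms", {}).items():
        if opts.get("pkinit_require_eku", "true").lower() == "false":
            findings.append(f"{realm}: pkinit_require_eku=false, KDC certificate EKU not enforced")
    return findings
```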