Lexmark X782e PKI-Enabled Pre-Installation Guide - Page 36
PKI Pre-Installation Guide
The IP address or fully qualified domain name for the Windows Domain Controller described in section 3.2.2, item 1 should be used for the kdc and default_domain fields in the [realms] section of the example below.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = #####_DOMAIN.NAME.MIL_#####
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 12h
    default_etypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_etypes_des = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tgt_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC
    default_tgs_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC

    [appdefaults]

    [realms]

Each supported Kerberos realm needs to be listed in this section; repeat all of the following for each realm.

    #####_DOMAIN.NAME.MIL_##### = {

KDCs can be listed by either IP address or fully qualified domain name. More than one KDC can be listed. If the first KDC cannot be contacted, then the next KDC is contacted. This process repeats until all KDCs have been tried. Note that if multiple KDCs are used, certificate chains will need to be present in the MFP for all KDCs.

        kdc = tcp/#####_ip_address_or_name_of_domain_controller_#####
        default_domain = #####_same_as_kdc_#####
        pkinit_require_eku = false
        pkinit_require_krbtgt_otherName = false

Microsoft implemented "draft" versions of the IETF Kerberos PKINIT specifications. This resulted in some slight differences between software supporting the final IETF specification and software supporting the Microsoft implementations. This configuration flag informs the firmware to use the Microsoft format for PKINIT protocol commands.

        pkinit_win2k = yes
        pkinit_win2k_require_binding = no
    }

    [domain_realm]

Define a mapping between domain names found in the user's certificate and the Kerberos realm. Entries beginning with "." match names that have a prefix before the suffix; i.e., "dc1.mil" matches ".mil" but not "mil". It is acceptable to map multiple domain names to the same realm.

    .mil = #####_DOMAIN.NAME.MIL_#####

Version 2.0.0 Page 32
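A pre-deployment check for a filled-in copy of the template above, as an added example that is not part of Lexmark's guide: it flags leftover #####...##### placeholders, the DES and RC4 encryption types the template lists, PKINIT checks set to false, and a default_domain that does not match a listed kdc. The sample values (EXAMPLE.TEST, dc1.example.test, dc2.example.test) and the audit function are constructed for illustration, and reading "false" as "check disabled" is an assumption based on the option names.

```python
import re

# Constructed sample: the guide's template filled in with made-up values, one placeholder left in.
SAMPLE = """\
[libdefaults]
default_realm = EXAMPLE.TEST
default_tgs_enctypes = arcfour-hmac-md5 DES-CBC-MD5 DES-CBC-CRC
[realms]
EXAMPLE.TEST = {
kdc = tcp/dc1.example.test
default_domain = dc2.example.test
pkinit_require_eku = false
}
[domain_realm]
.mil = #####_DOMAIN.NAME.MIL_#####
"""

# Single DES is deprecated by RFC 6649 and RC4 (arcfour) by RFC 8429.
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5"}
PLACEHOLDER = re.compile(r"#####.*?#####")
# Assumption from the option names: "false" switches a certificate check off.
RELAXED = {"pkinit_require_eku", "pkinit_require_krbtgt_otherName"}

def audit(text):
    """Return (kind, location) findings for a filled-in copy of the template."""
    findings, seen = [], {}
    section = realm = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":
            realm = None
        elif line.endswith("{"):  # "REALM = {" opens a realm block
            realm = line.split("=", 1)[0].strip()
        elif "=" in line:  # '#' is not treated as a comment: placeholders start with it
            key, value = (part.strip() for part in line.split("=", 1))
            where = f"[{section}] {realm + ' ' if realm else ''}{key}"
            if PLACEHOLDER.search(f"{realm} {key} {value}"):
                findings.append(("placeholder", where))
            weak = sorted(WEAK & {v.lower() for v in value.split()})
            if "types" in key and weak:
                findings.append(("weak-enctype", f"{where}: {' '.join(weak)}"))
            if key in RELAXED and value.lower() in ("false", "no"):
                findings.append(("relaxed-pkinit", where))
            if section == "realms" and key in ("kdc", "default_domain"):
                seen.setdefault((realm, key), []).append(value.split("/", 1)[-1])
    findings += [("domain-kdc-mismatch", f"[realms] {r}") for (r, k), v in seen.items()
                 if k == "default_domain" and v[0] not in seen.get((r, "kdc"), [])]
    return findings
```

Whether stronger encryption types can be substituted depends on the firmware and the domain controller; the guide does not say.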