author | Jelmer Vernooij <jelmer@samba.org> | 2014-04-25 02:36:25 +0200 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2014-04-25 02:42:17 +0200 |
commit | 70e43e98086ccfc26d52d7a048fa0c949c6c3ada (patch) | |
tree | be64f3c4928af3a216797124a634b67b1a4afed8 /doc | |
parent | 80a514219f944ad376cde78c3c094da120fe0c3b (diff) |
Fix some typos.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/setup.texi | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/doc/setup.texi b/doc/setup.texi index 48bcc6a8f..eeddf9a7c 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -108,7 +108,7 @@ SRV-record for your realm, or your Kerberos server has DNS CNAME @cindex KRB5_CONFIG If you want to use a different configuration file then the default you -can point a file with the enviroment variable @samp{KRB5_CONFIG}. +can point a file with the environment variable @samp{KRB5_CONFIG}. @example env KRB5_CONFIG=$HOME/etc/krb5.conf kinit user@@REALM @@ -1295,21 +1295,21 @@ the mapping in the principals entry in the kerberos database. This and following subsection documents the requirements on the KDC and client certificates and the format used in the id-pkinit-san -OtherName extention. +OtherName extension. On how to create certificates, you should read @ref{Use OpenSSL to create certificates}. @subsection KDC certificate -The certificate for the KDC has serveral requirements. +The certificate for the KDC has several requirements. First, the certificate should have an Extended Key Usage (EKU) id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in the type field and a DER encoded KRB5PrincipalName that matches the name of the TGS of the target realm. Also, if the certificate has a -nameConstraints extention with a Generalname with dNSName or iPAdress, +nameConstraints extension with a Generalname with dNSName or iPAdress, it must match the hostname or adress of the KDC. The client is not required by the standard to check the server 
@@ -1343,7 +1343,7 @@ This behavior is controlled by KDC configuration option: @subsubsection Using KRB5PrincipalName in id-pkinit-san -The OtherName extention in the GeneralName is used to do the mapping +The OtherName extension in the GeneralName is used to do the mapping between certificate and principal. For the KDC certificate, this stores the krbtgt principal name for that KDC. For the client certificate, this stores the principal for which that certificate is |
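Review bot: In the first hunk (@@ -108,7), the sentence being corrected still has two errors next to the fixed word: the context line reads "a different configuration file then the default", where "than" is meant, and the changed line "can point a file with the environment variable" is missing "to". Since this commit is a typo pass over that sentence, suggest "than the default, you can point to a file with the environment variable @samp{KRB5_CONFIG}".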
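Review bot: In the second hunk (@@ -1295,21), the changed nameConstraints line fixes "extention" but leaves "iPAdress" on the same line and "adress" on the context line that follows. The X.509 GeneralName field is spelled iPAddress, and readers match these names against certificate dumps when debugging PKINIT, so both should be corrected here. "Generalname" on that line should also be "GeneralName", which is how the third hunk writes it.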
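Review bot: In the third hunk (@@ -1343,7), "The OtherName extension in the GeneralName" gets its spelling fixed but keeps a misleading term: otherName is a GeneralName choice carried inside the subjectAltName extension, not an extension of its own, as the KDC certificate text in the second hunk already says ("a subjectAltName otherName using OID id-pkinit-san"). Suggest "The otherName field in the GeneralName" here and the same wording for "id-pkinit-san OtherName extension" at the top of the second hunk, with one capitalization used throughout.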