Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

How to Manually Configure a Kerberos Client

    This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Slave KDC = kdc2.example.com

  • NFS server = denver.example.com

  • Client = client.example.com

  • admin principal = kws/admin

  • User principal = mre

  • Online help URL = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Edit the Kerberos configuration file, krb5.conf.

    Change the realm names and the server names in the Kerberos configuration file. You can also specify the path to the help files for gkadmin.

    kdc1 # pfedit /etc/krb5/krb5.conf
    [libdefaults]
    default_realm = EXAMPLE.COM
    
    [realms]
    EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com
    admin_server = kdc1.example.com
    }
    
    [domain_realm]
    .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent,
    # this entry is not needed
    #
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
    gkadmin = {
    help_url = http://www.example.com/doclib/OSMKA/aadmin-23.html
    }

    Note -  If you must communicate with an older Kerberos system, you might need to restrict the encryption types. For a description of the issues involved with restricting the encryption types, see Kerberos Encryption Types.
  2. (Optional) Change the process that is used to locate the KDCs.

      By default, the Kerberos realm to KDC mapping is determined in the following order:

    • The definition in the realms section in krb5.conf

    • Looking up SRV records in DNS

    You can change this behavior by adding dns_lookup_kdc or dns_fallback to the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. Note that referrals are always tried first.

  3. (Optional) Change the process used to determine the realm for a host.

      By default the host to realm mapping is determined in the following order:

    • If the KDC supports referrals, then the KDC can inform the client which realm the host belongs to.

    • The definition of domain_realm in the krb5.conf file.

    • The DNS domain name of the host.

    • The default realm.

    You can change this behavior by adding dns_lookup_kdc or dns_fallback to the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. Note that referrals are always tried first.

  4. Synchronize the client's clock with the master KDC's clock by using NTP or another clock synchronization mechanism.

    For authentication to succeed, every clock must be synchronized with the time on the KDC server within a maximum difference defined in the clockskew relation in the krb5.conf file. For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.

  5. Create Kerberos principals.
    denver # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: 

    For more information, see the kadmin(1M) man page.

    1. (Optional) Create a user principal if a user principal does not already exist.

      You need to create a user principal only if the user associated with this host does not already have a principal assigned.

      kadmin: addprinc mre
      Enter password for principal mre@EXAMPLE.COM:/** Type strong password **/
      Re-enter password for principal mre@EXAMPLE.COM: xxxxxxxx
      kadmin: 
    2. (Optional) Create a root principal and add the principal to the server's keytab file.

      Note -  If the client does not require root access to a remote NFS-mounted file system, then you can skip this step.

      If non-interactive root access is needed, such as running cron jobs as root, then perform this step.

      The root principal should be a two-component principal. The second component should be the host name of the Kerberos client system to avoid the creation of a realm-wide root principal. When the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.

      kadmin: addprinc -randkey root/client.example.com
      Principal "root/client.example.com" created.
      kadmin: ktadd root/client.example.com
      Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    3. Create a host principal and add the principal to the server's keytab file.

      The host principal is used by remote access services to provide authentication. The principal enables root to acquire a credential, if a credential is not already in the keytab file.

      kadmin: addprinc -randkey host/denver.example.com
      Principal "host/denver.example.com@EXAMPLE.COM" created.
      kadmin: ktadd host/denver.example.com
      Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin:
    4. (Optional) Add the server's NFS service principal to the server's keytab file.

      This step is required only if the client needs to access NFS file systems using Kerberos authentication.

      kadmin: ktadd nfs/denver.example.com
      Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal nfs/denver.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    5. Quit kadmin.
      kadmin: quit
  6. (Optional) Enable Kerberos with NFS.
    1. Enable Kerberos security modes in the /etc/nfssec.conf file.

      In the /etc/nfssec.conf file, remove the “#” that comments out the Kerberos security modes.

      # pfedit /etc/nfssec.conf
      .
      .
      #
      # Uncomment the following lines to use Kerberos V5 with NFS
      #
      krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
      krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
      krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
    2. Enable DNS.

      If the svc:/network/dns/client:default service is not enabled, enable it. For more information, see the resolv.conf(4) man page.

      # svcadm enable network/dns/client:default
    3. Restart the gss service.
      # svcadm restart network/rpc/gss
  7. (Optional) For the client to automatically renew the TGT or to warn users about Kerberos ticket expiration, create an entry in the /etc/krb5/warn.conf file.

    For more information, see the warn.conf(4) man page and Automatically Renewing All Ticket-Granting Tickets.
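A check worth running on the client once the procedure is complete, as an added example that is not part of the Oracle documentation: it parses a constructed `klist -k` style keytab listing (the listing's shape is assumed, modelled on the ktadd output in step 5) and reports a missing host/, nfs/ or root/ principal for this host, an instance that is not the lowercase FQDN required in step 5.2, and a principal stored under more than one kvno, which is what remains when ktadd is run again without removing the old entries.

```python
import re

# Constructed `klist -k` style listing of a client keytab, shaped like the ktadd
# output in step 5; not captured from a real system. One principal is stored
# with a mixed-case instance and one carries two key versions.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------------
   3 host/client.example.com@EXAMPLE.COM
   3 host/client.example.com@EXAMPLE.COM
   2 nfs/client.example.com@EXAMPLE.COM
   3 nfs/client.example.com@EXAMPLE.COM
   3 root/Client.Example.COM@EXAMPLE.COM
"""

def parse_keytab_listing(text):
    """Map each principal in a `klist -k` style listing to the set of kvnos stored for it."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+/\S+@\S+)$", line)   # "<kvno> <service>/<instance>@<REALM>"
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def check_client_keytab(listing, host, realm, need_nfs=False, need_root=False):
    """Return findings for a client keytab after step 5: a missing host/, nfs/ or root/
    principal for this host, an instance that is not the lowercase FQDN (step 5.2),
    or several kvnos for one principal (old entries left behind by a repeated ktadd)."""
    entries = parse_keytab_listing(listing)
    services = ["host"] + (["nfs"] if need_nfs else []) + (["root"] if need_root else [])
    findings = [f"missing {svc}/{host.lower()}@{realm}" for svc in services
                if f"{svc}/{host.lower()}@{realm}" not in entries]
    for name, kvnos in entries.items():
        instance = name.split("/", 1)[1].split("@", 1)[0]
        if instance != instance.lower():
            findings.append(f"instance not lowercase FQDN: {name}")
        if len(kvnos) > 1:
            findings.append(f"several kvnos {sorted(kvnos)} for {name}")
    return findings
```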

Example 4-4  Configuring an Oracle Solaris Client to Work With a Multiple-Master KDC

The Microsoft Active Directory (AD) Kerberos service provides a KDC that runs on multiple master servers. For an Oracle Solaris client to update information, either the admin_server or the kpasswd_server declaration in the /etc/krb5/krb5.conf file must list all the servers. This example shows how to enable the client to update information about the KDC that kdc1 and kdc2 share.

[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com
kdc = kdc2.example.com
admin_server = kdc1.example.com
admin_server = kdc2.example.com
}
Example 4-5  Configuring a Kerberos Client for a Non-Oracle Solaris KDC

A Kerberos client can be set up to work with a non-Oracle Solaris KDC, by adding a line to the /etc/krb5/krb5.conf file in the realms section. This line changes the protocol that is used when the client is communicating with the Kerberos password-changing server. The following excerpt shows the format of this line.

[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com
kdc = kdc2.example.com
admin_server = kdc1.example.com
kpasswd_protocol = SET_CHANGE
}
Example 4-6  DNS TXT Records for the Mapping of Host and Domain Name to a Kerberos Realm

@ IN SOA kdc1.example.com root.kdc1.example.com (
1989020501   ;serial
10800        ;refresh
3600         ;retry
3600000      ;expire
86400 )      ;minimum

IN      NS      kdc1.example.com.
kdc1                    IN      A       192.146.86.20
kdc2                    IN      A       192.146.86.21

_kerberos.example.com.             IN      TXT     "EXAMPLE.COM"
_kerberos.kdc1.example.com.        IN      TXT     "EXAMPLE.COM"
_kerberos.kdc2.example.com.        IN      TXT     "EXAMPLE.COM"
Example 4-7  DNS SRV Records for Kerberos Server Locations

This example defines the records for the location of the KDCs, the admin server, and the kpasswd server, respectively.

@ IN SOA kdc1.example.com root.kdc1.example.com (
1989020501   ;serial
10800        ;refresh
3600         ;retry
3600000      ;expire
86400 )      ;minimum

IN      NS      kdc1.example.com.
kdc1                               IN      A       192.146.86.20
kdc2                               IN      A       192.146.86.21

_kerberos._udp.EXAMPLE.COM         IN      SRV 0 0 88  kdc2.example.com
_kerberos._tcp.EXAMPLE.COM         IN      SRV 0 0 88  kdc2.example.com
_kerberos._udp.EXAMPLE.COM         IN      SRV 1 0 88  kdc1.example.com
_kerberos._tcp.EXAMPLE.COM         IN      SRV 1 0 88  kdc1.example.com
_kerberos-adm._tcp.EXAMPLE.COM     IN      SRV 0 0 464 kdc1.example.com
_kpasswd._udp.EXAMPLE.COM          IN      SRV 0 0 464 kdc1.example.com
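The lookup orders of steps 2 and 3 and the SRV priorities of Example 4-7, worked through in Python as an added example (this is not Oracle code): parse_krb5_conf reads the krb5.conf syntax used in step 1, host_to_realm applies the step 3 order with KDC referrals left out (they come from the KDC, not from the client's configuration), and kdcs_for_realm applies the step 2 order, consulting a constructed SRV answer table only when the realms section lists no kdc and dns_lookup_kdc is enabled. The configuration excerpt, the SRV table and the realm OTHER.ORG are all constructed for the example.

```python
# Constructed krb5.conf excerpt using this procedure's realm and domain names.
KRB5_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com
kdc = kdc2.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
"""
# Constructed SRV answers shaped like Example 4-7: name -> [(priority, weight, port, target)]; lower priority wins.
SRV = {"_kerberos._udp.OTHER.ORG": [(1, 0, 88, "a.other.org"), (0, 0, 88, "b.other.org")]}

def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } text; repeated keys become lists."""
    conf, section, group = {}, None, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section, group = line.strip("[]"), None
            conf[section] = {}
        elif line.endswith("{"):                          # start of a nested block
            group = line[:-1].split("=", 1)[0].strip()
            conf[section][group] = {}
        elif line == "}":
            group = None
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][group] if group else conf[section]).setdefault(key, []).append(value)
    return conf

def host_to_realm(conf, host):
    """Step 3 order minus KDC referrals: domain_realm, then upper-cased DNS domain, then default_realm."""
    labels = host.lower().split(".")                      # instances compare case-insensitively
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    for cand in [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]:
        if cand in mapping:                               # exact host, then longest parent suffix
            return mapping[cand]
    return ".".join(labels[1:]).upper() if len(labels) > 1 else conf["libdefaults"]["default_realm"][0]

def kdcs_for_realm(conf, realm, srv=SRV):
    """Step 2 order: realms section, then DNS SRV by priority if no kdc is listed and dns_lookup_kdc is on."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs or conf["libdefaults"].get("dns_lookup_kdc", ["false"])[0].lower() != "true":
        return list(kdcs)
    return [f"{t}:{p}" for _, _, p, t in sorted(srv.get(f"_kerberos._udp.{realm}", []))]
```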