System Administration Guide: Security Services

Procedure: How to Configure Automatic Migration of Users in a Kerberos Realm

Users who do not have a Kerberos principal can be automatically migrated to an existing Kerberos realm. The migration is achieved by using the PAM framework for the service in use: the pam_krb5_migrate module is stacked in that service's authentication stack in /etc/pam.conf.

In this example, the dtlogin and other PAM service names are configured to use the automatic migration. The following configuration parameters are used:

Before You Begin

Set up server1 as a Kerberos client of the realm EXAMPLE.COM. See Configuring Kerberos Clients for more information.

  1. Check to see if a host service principal for server1 exists.

    The host service principal in the keytab file of server1 is used to authenticate the server to the master KDC.


    server1 # klist -k
    Keytab name: FILE:/etc/krb5/krb5.keytab
    	KVNO Principal
    	---- ------------------------------------------------
    	   3 host/server1.example.com@EXAMPLE.COM
    	   3 host/server1.example.com@EXAMPLE.COM
    	   3 host/server1.example.com@EXAMPLE.COM
    	   3 host/server1.example.com@EXAMPLE.COM
  2. Make changes to the PAM configuration file.

    1. Add entries for the dtlogin service.


      # cat /etc/pam.conf
       .
       .
      #
      # dtlogin service (explicit because of pam_krb5_migrate)
      #
      dtlogin       auth requisite          pam_authtok_get.so.1
      dtlogin       auth required           pam_dhkeys.so.1
      dtlogin       auth required           pam_unix_cred.so.1
      dtlogin       auth sufficient         pam_krb5.so.1
      dtlogin       auth requisite          pam_unix_auth.so.1
      dtlogin       auth optional           pam_krb5_migrate.so.1
      
    2. (Optional) Force an immediate password change, if needed.

      The newly created Kerberos accounts can have their password expiration time set to the current time (now), in order to force an immediate Kerberos password change. To set the expiration time to now, add the expire_pw option to the lines that use the pam_krb5_migrate module. See the pam_krb5_migrate(5) man page for more information.


      # cat /etc/pam.conf
       .
       .
      dtlogin  auth optional           pam_krb5_migrate.so.1 expire_pw
      
    3. Add the pam_krb5 module to the account stack.

      This addition allows password expiration in Kerberos to block access.


      # cat /etc/pam.conf
       .
       .
      #
      # Default definition for Account management
      # Used when service name is not explicitly mentioned for account management
      #
      other   account requisite       pam_roles.so.1
      other   account required        pam_krb5.so.1
      other   account required        pam_unix_account.so.1
    4. Add the pam_krb5 module to the password stack.

      This addition allows passwords to be updated when they expire.


      # cat /etc/pam.conf
       .
       .
      #
      # Default definition for Password management
      # Used when service name is not explicitly mentioned for password management
      #
      other   password required       pam_dhkeys.so.1
      other   password requisite      pam_authtok_get.so.1
      other   password requisite      pam_authtok_check.so.1
      other   password sufficient     pam_krb5.so.1
      other   password required       pam_authtok_store.so.1
  3. On the master KDC, update the access control file.

    The following entries grant migrate and inquire privileges to the host/server1.example.com service principal for all users except the root user. It is important that users who should not be migrated are listed in the kadm5.acl file with the U privilege, which denies migration. These entries need to come before the permit-all or ui entry. See the kadm5.acl(4) man page for more information.


    kdc1 # cat /etc/krb5/kadm5.acl
    host/server1.example.com@EXAMPLE.COM U root
    host/server1.example.com@EXAMPLE.COM ui *
    */admin@EXAMPLE.COM *
  4. On the master KDC, restart the Kerberos administration daemon.

    This step allows the kadmind daemon to use the new kadm5.acl entries.


    kdc1 # svcadm restart network/security/kadmin
    
  5. On the master KDC, add entries to the pam.conf file.

    The following entries enable the kadmind daemon to use the k5migrate PAM service to validate the UNIX password of accounts that require migration.


    # grep k5migrate /etc/pam.conf
    k5migrate        auth    required        pam_unix_auth.so.1
    k5migrate        account required        pam_unix_account.so.1
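As an added check that is not part of this guide, the following Python linter applies the stacking and ordering rules from steps 2 and 3 to pam.conf and kadm5.acl contents: pam_krb5_migrate must be optional and run after pam_unix_auth, pam_krb5 must be in the account and password stacks, and the U entries must precede the ui grant. The function names and the sample file contents are constructed for this example.

```python
def parse_pam(text):
    # Yield (service, type, control, module) for each non-comment pam.conf line.
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4:
            yield f[0], f[1], f[2], f[3]

def pam_problems(text, service="dtlogin"):
    """Deviations from the documented stacks; an empty list means they match."""
    rows = list(parse_pam(text))
    auth = [r for r in rows if r[0] == service and r[1] == "auth"]
    mods, probs = [r[3] for r in auth], []
    if "pam_krb5_migrate.so.1" not in mods:
        probs.append(f"{service} auth: pam_krb5_migrate.so.1 not stacked")
    else:
        i = mods.index("pam_krb5_migrate.so.1")
        if auth[i][2] != "optional":
            probs.append(f"{service} auth: pam_krb5_migrate.so.1 must be optional")
        # the UNIX password check must pass before a principal can be created
        if "pam_unix_auth.so.1" not in mods[:i]:
            probs.append(f"{service} auth: pam_unix_auth.so.1 must precede pam_krb5_migrate")
    for typ in ("account", "password"):  # Kerberos expiry must block and be changeable
        if not any(r[:2] == ("other", typ) and r[3] == "pam_krb5.so.1" for r in rows):
            probs.append(f"other {typ}: pam_krb5.so.1 missing")
    return probs

def acl_problems(text, principal):
    # The U (deny-migrate) entries for the service principal must come before its
    # ui or * grant, as the procedure requires (the first matching line is used).
    probs, granted = [], False
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 2 or f[0] != principal:
            continue
        if "U" in f[1] and granted:
            probs.append(f"{principal}: '{' '.join(f[1:])}' is shadowed by an earlier grant")
        granted = granted or "u" in f[1] or f[1] in ("*", "x")
    return probs

# Constructed samples mirroring the entries shown in the procedure.
GOOD_PAM = """dtlogin auth requisite  pam_authtok_get.so.1
dtlogin auth required   pam_dhkeys.so.1
dtlogin auth required   pam_unix_cred.so.1
dtlogin auth sufficient pam_krb5.so.1
dtlogin auth requisite  pam_unix_auth.so.1
dtlogin auth optional   pam_krb5_migrate.so.1 expire_pw
other account required  pam_krb5.so.1
other password sufficient pam_krb5.so.1
"""
GOOD_ACL = """host/server1.example.com@EXAMPLE.COM U root
host/server1.example.com@EXAMPLE.COM ui *
*/admin@EXAMPLE.COM *
"""
```

Running pam_problems(GOOD_PAM) and acl_problems(GOOD_ACL, "host/server1.example.com@EXAMPLE.COM") returns empty lists; swapping the two host lines in the ACL, or moving pam_krb5_migrate above pam_unix_auth, produces a finding.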