System Administration Guide: Security Services

Procedure: How to Interactively Configure a Kerberos Client

This procedure uses the kclient installation utility without an installation profile. In build 90 of the Solaris Express Community Edition release, the kclient utility was expanded to improve ease of use and its ability to work with Active Directory servers. See How to Configure a Kerberos Client for an Active Directory Server for more information. See Example 23–10 for an example of running kclient on a previous Solaris release.

  1. Become superuser.

  2. Run the kclient installation script.

    You need to provide the following information:

    • Kerberos realm name

    • KDC master host name

    • KDC slave host names

    • Domains to map to the local realm

    • PAM service names and options to use for Kerberos authentication

    1. Indicate if the KDC server is not running a Solaris release.

      If this system is a client of a KDC server that is not running a Solaris release, you need to define the type of server that is running the KDC. The available servers are: Microsoft Active Directory, MIT KDC server, Heimdal KDC server, and Shishi KDC server.

    2. Select if DNS should be used for Kerberos lookups.

      If you use DNS for Kerberos lookups, you need to enter the DNS lookup option that you want to use. Valid options are dns_lookup_kdc (locate KDCs through DNS SRV records), dns_lookup_realm (map host names to realms through DNS TXT records), and dns_fallback (consult DNS only when krb5.conf has no answer). See the krb5.conf(4) man page for more information about these values. Keep in mind that DNS answers are not authenticated, so dns_lookup_realm in particular lets anyone who can spoof DNS decide which realm a host name belongs to; explicit domain_realm mappings in krb5.conf are safer.

    3. Define the name of the Kerberos realm and the master KDC hostname.

      This information is added to the /etc/krb5/krb5.conf configuration file.

    4. Select if slave KDCs exist.

      If there are slave KDCs in the realm, then you need to enter the slave KDC host names. This information is used to create additional KDC entries in the client's configuration file.

    5. Indicate if service or host keys are required.

      Service or host keys are required only if the client system itself hosts Kerberized services (that is, accepts connections from Kerberos clients); a system that only obtains tickets does not need them.

    6. Specify if the client is a member of a cluster.

      If the client is a member of a cluster, then you need to provide the logical host name of the cluster. The logical host name is used when creating service keys, which are required when hosting Kerberos services from clusters.

    7. Identify any domains or hosts to map to the current realm.

      This mapping, written to the domain_realm section of /etc/krb5/krb5.conf, tells the client that hosts in the listed domains belong to its default realm, so that tickets for those hosts are requested from the default realm's KDCs.

    8. Specify if the client will use Kerberized NFS.

      NFS service keys need to be created if the client will host NFS services using Kerberos.

    9. Indicate if the /etc/pam.conf file needs to be updated.

      This allows you to set which PAM services use Kerberos for authentication. You need to enter the service name and a flag indicating how Kerberos authentication is to be used. The valid flag options are:

      • first – try Kerberos authentication first, and fall back to UNIX (local password) authentication only if Kerberos authentication fails

      • only – use Kerberos authentication only, with no fallback to UNIX authentication

      • optional – attempt Kerberos authentication, but do not let its result alone decide whether the login succeeds (the PAM optional control flag)

    10. Select if the master /etc/krb5/krb5.conf file should be copied.

      This option lets you copy a prepared master krb5.conf file into place when the information that kclient gathers interactively is not sufficient for your site.
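The following shell script is an added example and is not part of the Solaris guide or of the kclient utility itself. It writes the krb5.conf and pam.conf lines that the answers in Example 23–9 lead to, then runs the checks a practitioner would make before trusting the client: the default realm actually has KDC entries, every domain_realm mapping points at that realm, and the client-to-KDC clock skew is within the 300-second limit kclient warns about. The exact layout follows krb5.conf(4) and pam.conf(4) syntax but is an assumption: the real kclient may order entries differently, add comments or extra defaults, and the leading-dot domain_realm entries and the rendering of xscreensaver:first are this example's reading of the procedure, not kclient's verified output.

```sh
#!/bin/sh
# Added example, not from the Solaris guide or kclient. ASSUMPTIONS: the
# file contents below mirror krb5.conf(4)/pam.conf(4) syntax for the answers
# in Example 23-9; kclient's own output may differ in ordering and defaults.

# Constructed krb5.conf: realm EXAMPLE.COM, master KDC kdc1, slave KDC kdc2,
# and the two entered domains mapped to the realm (dot forms cover subdomains).
write_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        engineering.example.com = EXAMPLE.COM
        .engineering.example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM
EOF
}

# Assumed rendering of "xscreensaver:first": pam_krb5 is tried first as
# "sufficient", and pam_unix_auth stays "required" so a Kerberos failure
# falls back to the local password. For "only" you would drop the
# pam_unix_auth line and make pam_krb5 "required".
write_pam_first() {
    cat >> "$1" <<'EOF'
xscreensaver auth requisite   pam_authtok_get.so.1
xscreensaver auth sufficient  pam_krb5.so.1
xscreensaver auth required    pam_unix_auth.so.1
EOF
}

# Print the default_realm from the [libdefaults] section of file $1.
default_realm() {
    awk '/^\[/ {sec=$1}
         sec=="[libdefaults]" && $1=="default_realm" {print $3}' "$1"
}

# Print the kdc entries of realm $2 from file $1, one per line.
realm_kdcs() {
    awk -v r="$2" '
        /^\[/                                {sec=$1; inrealm=0}
        sec=="[realms]" && $1==r && $3=="{"  {inrealm=1; next}
        inrealm && $1=="}"                   {inrealm=0}
        inrealm && $1=="kdc"                 {print $3}' "$1"
}

# Succeed only if every domain_realm mapping points at the default realm;
# a stray mapping to another realm quietly sends requests for those hosts
# to a different KDC.
mappings_consistent() {
    awk -v r="$(default_realm "$1")" '
        /^\[/ {sec=$1}
        sec=="[domain_realm]" && NF==3 && $3!=r {bad=1}
        END {exit bad}' "$1"
}

# Kerberos rejects tickets when client and KDC clocks differ by more than
# 300 seconds (the default clockskew). $1 and $2 are epoch seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le 300 ]
}

# Stand-alone run: build both files in a scratch directory and report.
tmp=$(mktemp -d)
write_krb5_conf "$tmp/krb5.conf"
write_pam_first "$tmp/pam.conf"
echo "default realm: $(default_realm "$tmp/krb5.conf")"
echo "KDCs: $(realm_kdcs "$tmp/krb5.conf" EXAMPLE.COM | tr '\n' ' ')"
mappings_consistent "$tmp/krb5.conf" && echo "domain_realm mappings OK"
skew_ok "$(date +%s)" "$(date +%s)" && echo "clock skew OK"
rm -rf "$tmp"
```

On a real client, run the checks against /etc/krb5/krb5.conf, and feed skew_ok the client's clock and the KDC's clock (for example, from `ntpq -p` or by reading the KDC's time over ssh) rather than the same timestamp twice as the stand-alone run does.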


Example 23–9 Running the kclient Installation Utility


client# /usr/sbin/kclient

Starting client setup
---------------------------------------------------

Is this a client of a non-Solaris KDC ? [y/n]: n
        No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: n
        No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: kdc1.example.com

Note, this system and the KDC's time must be within 5 minutes of each other for
Kerberos to function. Both systems should run some form of time synchronization
system like Network Time Protocol (NTP).
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com

Will this client need service keys ? [y/n]: n
        No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
        No action performed.
Do you have multiple domains/hosts to map to realm ? [y/n]: y
Enter a comma-separated list of domain/hosts to map to the default realm: engineering.example.com, \
        example.com

Setting up /etc/krb5/krb5.conf.

Do you plan on doing Kerberized nfs ? [y/n]: y
Do you want to update /etc/pam.conf ? [y/n]: y
Enter a comma-separated list of PAM service names in the following format:
service:{first|only|optional}: xscreensaver:first
Configuring /etc/pam.conf.

Do you want to copy over the master krb5.conf file ? [y/n]: n
        No action performed.

---------------------------------------------------
Setup COMPLETE.


Example 23–10 Running the kclient Installation Utility on the Solaris 10 Release

The following output shows the results of running the kclient command.


client# /usr/sbin/kclient

Starting client setup
---------------------------------------------------

Do you want to use DNS for kerberos lookups ? [y/n]: n
        No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: kdc1.example.com

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: clntconfig/admin
Obtaining TGT for clntconfig/admin ...
Password for clntconfig/admin@EXAMPLE.COM: <Type the password>
Do you plan on doing Kerberized nfs ? [y/n]: n

host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.

Do you want to copy over the master krb5.conf file ? [y/n]: y
Enter the pathname of the file to be copied: \
/net/denver.example.com/export/install/krb5.conf

Copied /net/denver.example.com/export/install/krb5.conf.

---------------------------------------------------
Setup COMPLETE !
#