Sun Cluster Data Service for Kerberos Guide for Solaris OS

Installing Kerberos

This section describes the steps to install Kerberos and to enable Kerberos to run as Sun Cluster HA for Kerberos.

Sun Cluster HA for Kerberos uses the Kerberos server and mechanism libraries co-packaged with the Solaris 10 operating system or later versions of the operating system. See the krb5.conf(4) and kdc.conf(4) man pages for information on how to configure the Kerberos environment. The Sun Cluster configuration for Kerberos differs from the Solaris configuration for Kerberos in the following ways:

Procedure: How to Install Kerberos

In this procedure, the following parameters are used:

  1. Become superuser on a cluster member.

  2. Choose the logical hostname that will provide the Kerberos service.

    Select the logical hostname so that it corresponds to an IP address set up when you installed the Sun Cluster software. See the Sun Cluster Concepts Guide for Solaris OS for details about logical hostnames.

  3. Create the krb5.conf, kdc.conf, and the other configuration files required to run a Kerberos server, then run the kdb5_util(1M) command as described in Chapter 23, Configuring the Kerberos Service (Tasks), in System Administration Guide: Security Services.

    When populating the hostnames in these configuration files, ensure that they refer to the host's logical name, not the physical name.


    Note –

    This detail ensures that applications running in the same zone as the logical hostname are configured to the corresponding IP addresses.


    Here is an example of configuration files with the logical hostnames:


    pkdc1# cat /etc/krb5/krb5.conf
    
    [libdefaults]
             default_realm = EXAMPLE.COM
    
    [realms]
           EXAMPLE.COM = {
                   kdc = kdc-1.example.com
                   admin_server = kdc-1.example.com
           }
    [domain_realm]
           .example.com = EXAMPLE.COM
    [logging]
           default = FILE:/var/krb5/kdc.log
           kdc = FILE:/var/krb5/kdc.log
           kdc_rotate = {
                   period = 1d
                   versions = 10
           }
    
    [appdefaults]
           kinit = {
                   renewable = true
                   forwardable = true
           }

    pkdc1# cat /etc/krb5/kdc.conf
    
    [kdcdefaults]
             kdc_ports = 88,750
     
    [realms]
             EXAMPLE.COM = {
                     profile = /etc/krb5/krb5.conf
                     database_name = /var/krb5/principal
                     admin_keytab = /etc/krb5/kadm5.keytab
                     acl_file = /etc/krb5/kadm5.acl
                     kadmind_port = 749
                     max_life = 8h 0m 0s
                     max_renewable_life = 7d 0h 0m 0s
                     default_principal_flags = +preauth
             }

    Make sure that you also have a valid /etc/resolv.conf file and /etc/nsswitch.conf file configured, for example:


    pkdc1# cat /etc/resolv.conf
    
    domain example.com
    nameserver 1.2.3.4
    nameserver 1.2.3.5

    pkdc1# grep dns /etc/nsswitch.conf
    
    hosts:        files nis dns
    ipnodes:      files nis dns
  4. Create the KDC database by running the kdb5_util(1M) command.


    pkdc1# kdb5_util create
    
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:<Type the new master key password>
    Re-enter KDC database master key:<Type the above new master key password>
    
  5. Add the following line in the /etc/krb5/kadm5.acl file:

    sckrb5-probe/admin@EXAMPLE.COM i

    Where:

    EXAMPLE.COM

    Realm name chosen in Step 3

    i

    The privilege that enables queries to the database for the sckrb5-probe/admin principal

  6. Start the kadmin.local command.


    pkdc1# kadmin.local
    
    Authenticating as principal host/admin@EXAMPLE.COM with password

    1. Use the kadmin.local command to add kadmin and changepw service principals for the fully qualified logical hostname for the cluster, kdc-1.example.com.


      kadmin.local: ank -randkey -allow_tgs_req kadmin/kdc-1.example.com
      
      NOTICE: no policy specified for kadmin/kdc-1.example.com@EXAMPLE.COM; assigning "default"
      Principal "kadmin/kdc-1.example.com@EXAMPLE.COM" created.

      kadmin.local: ank -randkey -allow_tgs_req +password_changing_service \
      changepw/kdc-1.example.com
      
      NOTICE: no policy specified for changepw/kdc-1.example.com@EXAMPLE.COM; assigning "default"
      Principal "changepw/kdc-1.example.com@EXAMPLE.COM" created.
      
      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc-1.example.com changepw/kdc-1.example.com
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with \
      96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type Triple
      DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type
      ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type
      DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    2. Add the new service principals for the host services for the fully qualified logical hostname for the cluster, kdc-1.example.com:


      kadmin.local: ank -randkey host/kdc-1.example.com
      
      NOTICE: no policy specified for host/kdc-1.example.com@EXAMPLE.COM; assigning "default"
      Principal "host/kdc-1.example.com@EXAMPLE.COM" created.
      kadmin.local:  ktadd host/kdc-1.example.com
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 \
      HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 \
      added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab \
      WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to \
      keytab WRFILE:/etc/krb5/krb5.keytab.
      Where:

      kdc-1.example.com

      Fully qualified logical hostname for the cluster

    3. Add a new service principal for the kiprop service for the fully qualified logical hostname for the cluster, kdc-1.example.com.


      kadmin.local: ank -randkey kiprop/kdc-1.example.com
      
      NOTICE: no policy specified for kiprop/kdc-1.example.com@EXAMPLE.COM; assigning "default"
      Principal "kiprop/kdc-1.example.com@EXAMPLE.COM" created.
      kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc-1.example.com
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit \
      SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 \
      added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to \
      keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added \
      to keytab WRFILE:/etc/krb5/kadm5.keytab.
  7. Move the /etc/krb5 and /var/krb5 directories to either a global or a failover file system.

    For example, move /etc/krb5 and /var/krb5 to a global file system, /global/fs/, as follows:


    pkdc1# mv /etc/krb5 /global/fs/krb-conf
    

    pkdc1# mv /var/krb5 /global/fs/krb-db
    

    See the Sun Cluster Software Installation Guide for Solaris OS for information on setting up cluster file systems.

  8. Create symbolic links back to the /etc/krb5 and /var/krb5 directories:


    pkdc1# ln -s /global/fs/krb-conf /etc/krb5
    

    pkdc1# ln -s /global/fs/krb-db   /var/krb5
    
  9. Repeat the symbolic link creation on all the other cluster nodes or zones.


    pkdc2# mv /etc/krb5 /etc/krb5.old
    

    pkdc2# mv /var/krb5 /var/krb5.old
    

    pkdc2# ln -s /global/fs/krb-conf /etc/krb5
    

    pkdc2# ln -s /global/fs/krb-db   /var/krb5
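
As an added check that is not part of the Sun Cluster guide, the following POSIX sh script verifies what the steps above produce: that krb5.conf and kdc.conf agree on the realm, that kdc and admin_server name the logical host rather than the physical node, that the kadm5.acl entry for sckrb5-probe/admin grants only "i", and that /etc/krb5 and /var/krb5 are symbolic links as created in steps 8 and 9. The function names, the constructed sample files written by write_sample, and the physical hostname pkdc1 are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster guide: post-install checks for the
# configuration built above. krb5.conf and kdc.conf must agree on the realm,
# kdc/admin_server must name the logical host (never the physical node),
# sckrb5-probe/admin must hold only "i" in kadm5.acl, and the given paths must
# be symlinks to directories on the shared file system. Names are the example's own.
# Print each value of KEY found directly under [SECTION] of a krb5 profile FILE.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '/^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3 }' "$1"
}
# Print the realm stanza names ("NAME = {") declared under [realms] of FILE.
realm_stanzas() {
    awk '/^[ \t]*\[/ { insec = ($1 == "[realms]"); next }
        insec && $2 == "=" && $3 == "{" { print $1 }' "$1"
}
# Usage: krb_cluster_check CONFDIR LOGICAL_FQDN PHYSICAL_HOST [SYMLINK ...]
# Returns 0 when every check passes, 1 otherwise (one FAIL line per finding).
krb_cluster_check() {
    confdir=$1; lhost=$2; phost=$3; shift 3; rc=0
    realm=$(ini_get "$confdir/krb5.conf" libdefaults default_realm)
    for r in $(realm_stanzas "$confdir/kdc.conf"); do
        [ "$r" = "$realm" ] || { echo "FAIL: kdc.conf realm $r != krb5.conf realm $realm"; rc=1; }
    done
    for key in kdc admin_server; do        # [logging] also has a "kdc" key; ini_get
        for v in $(ini_get "$confdir/krb5.conf" realms "$key"); do   # reads [realms] only
            case $v in
                "$lhost" | "$lhost":*) ;;
                "$phost"*) echo "FAIL: $key = $v names the physical node"; rc=1 ;;
                *) echo "FAIL: $key = $v is not the logical host $lhost"; rc=1 ;;
            esac
        done
    done
    priv=$(awk -v p="sckrb5-probe/admin@$realm" '$1 == p { print $2 }' "$confdir/kadm5.acl")
    [ "$priv" = "i" ] || { echo "FAIL: sckrb5-probe/admin@$realm has ACL '$priv', want 'i'"; rc=1; }
    for link in "$@"; do
        [ -L "$link" ] && [ -d "$link/" ] || { echo "FAIL: $link is not a symlink to a directory"; rc=1; }
    done
    return $rc
}
# Constructed sample files (guide's realm and hosts): write_sample DIR KRB5_REALM KDC_REALM KDC_HOST
write_sample() {
    mkdir -p "$1"
    printf '[libdefaults]\n\tdefault_realm = %s\n[realms]\n\t%s = {\n\t\tkdc = %s\n\t\tadmin_server = %s\n\t}\n[logging]\n\tkdc = FILE:/var/krb5/kdc.log\n' \
        "$2" "$2" "$4" "$4" > "$1/krb5.conf"
    printf '[kdcdefaults]\n\tkdc_ports = 88,750\n[realms]\n\t%s = {\n\t\tacl_file = /etc/krb5/kadm5.acl\n\t}\n' "$3" > "$1/kdc.conf"
    printf 'sckrb5-probe/admin@%s i\n' "$2" > "$1/kadm5.acl"
}
```

On a real node the call is krb_cluster_check /etc/krb5 kdc-1.example.com "$(uname -n)" /etc/krb5 /var/krb5, run on every node after step 9.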