In this procedure, the keytab file for the client has already been created and stored on the AI server. The examples that follow use auto-registration to configure Kerberos clients with either pre-existing credentials or newly created principals. Auto-registration is simpler because you do not have to create and encode a keytab file for each individual client.
For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.2 Administration: Security Services.
# installadm create-service -n krb-sparc \
    -d /export/auto_install/krb-sparc \
    -s /export/auto_install/iso/sol-11_2-ai-sparc.iso
Creating service from: /export/auto_install/iso/sol-11_2-ai-sparc.iso
Setting up the image ...
Creating sparc service: krb-sparc
Image path: /export/auto_install/krb-sparc
Refreshing install services
Repeat this step for every client that is to be installed with Kerberos. In this example, the client with the MAC address 11:11:11:11:11:11 is associated with the krb-sparc install service.
# installadm create-client -n krb-sparc -e 11:11:11:11:11:11
Adding host entry for 11:11:11:11:11:11 to local DHCP configuration.
# installadm set-client -c 11:11:11:11:11:11 -g
Generating credentials for client 11:11:11:11:11:11...
A new certificate key has been generated.
A new certificate has been generated.
This example creates a profile by running the kclient command interactively. Alternatively, you can invoke the command with command-line options or with an input profile. For more information, see the kclient(1M) man page.
In this example, the KDC is running on an MIT server. To view sample output for a Solaris KDC, see Example 8–31. To view sample output for an AD client, see Example 8–33.
# kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
        ms_ad: Microsoft Active Directory
        mit: MIT KDC server
        heimdal: Heimdal KDC server
        shishi: Shishi KDC server
Enter required KDC type: mit
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the master KDCs for the above realm using a comma-separated list: kdc.example.com
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com
Do you have multiple domains/hosts to map to a realm ? [y/n]: n
No action performed.
Setting up /root/krb-sc.xml.
This step is not needed if the keys can be obtained through auto-registration or if the client is keyless. Otherwise the client needs a keytab file, which is usually created by the KDC administrator when the client is first configured.
# kclient-kt2prof -k ./host1.keytab -p /root/host1.xml
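Before a keytab is encoded into a profile with kclient-kt2prof, it is worth confirming that it holds exactly the principal intended for that client and no legacy enctypes, because whatever is in the file is what every host that fetches the profile receives. The following inspector is an added example, not code from the Oracle Solaris documentation or from kclient-kt2prof: it parses the MIT/Solaris keytab file format (version 0x0502), reports principals, key version numbers and enctypes, and never retains key bytes. The sample keytab and its key bytes are constructed inline for illustration; the weak-enctype list (single DES and RC4) is this example's own policy, not a Solaris setting.

```python
"""Inspect a Kerberos keytab before it is encoded into an AI client profile.

Added example, not part of the Oracle Solaris documentation: parses the
MIT/Solaris keytab file format (version 0x0502) and reports the principals,
key versions and enctypes it contains without ever exposing key material.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Well-known enctype numbers (RFC 3961/3962/4757); names only, for reporting.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}          # single DES and RC4: this example's own policy
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int                    # length only; the key bytes are deliberately dropped


def _counted_octets(buf: bytes, off: int) -> tuple[bytes, int]:
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size marks a deleted slot: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen             # skip over the key bytes without keeping them
        kvno = vno8
        if end - off >= 4:          # optional 32-bit kvno overrides the 8-bit one when nonzero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, klen))
    return entries


def build_keytab(entries: list[tuple[str, int, int, bytes, int]]) -> bytes:
    """Writer for the same format; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, expected_principal: str) -> tuple[list[KeytabEntry], list[str]]:
    """Return the parsed entries and the problems a single client's keytab should not have."""
    entries = parse_keytab(data)
    problems = []
    if not entries:
        problems.append("keytab contains no entries")
    for e in entries:
        if e.principal != expected_principal:
            problems.append(f"unexpected principal {e.principal} (kvno {e.kvno})")
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} for {e.principal}")
    return entries, problems


# Constructed sample: the intended host key plus a stray entry that should not ship
# to this client. The key bytes are dummies, not real Kerberos keys.
SAMPLE_KEYTAB = build_keytab([
    ("host/host1.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32, 1400000000),
    ("host/host2.example.com@EXAMPLE.COM", 7, 1, b"\x22" * 8, 1400000000),
])

if __name__ == "__main__":
    found, issues = check_keytab(SAMPLE_KEYTAB, "host/host1.example.com@EXAMPLE.COM")
    for e in found:
        print(f"{e.principal:40} kvno={e.kvno:<3} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for p in issues:
        print("PROBLEM:", p)
```

Run it against a real file with `check_keytab(open("host1.keytab", "rb").read(), "host/host1.example.com@EXAMPLE.COM")`; an empty problem list is the condition under which the keytab should go into the per-client profile, and a keytab that turns up more than one host's principal belongs to a different client or to the KDC administrator, not to this profile.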
Because a profile must be used in this procedure, configure as much of the client as possible by using system configuration profiles.
If the client profiles include a keytab, assign the require-client-auth security policy to the service so that only authenticated clients can download their keytab file. The keytab holds the client's long-term key, so any host that can fetch the profile from the AI server without authenticating could otherwise impersonate the client. The same applies to a profile into which kclient has written the password of an auto-registration admin principal, as in the examples that follow.
# installadm set-service -p require-client-auth -n krb-sparc
Associate the profiles for the Kerberos configuration file, the client keytab file, and any other profiles that you have created to the install service.
# installadm create-profile -n krb-sparc -f /root/krb-sc.xml
Profile krb-sc.xml added to database.
# installadm create-profile -n krb-sparc -f /root/host1.xml -c mac="11:11:11:11:11:11"
Profile host1.xml added to database.
Note that auto-registration works only if the KDC is a Solaris KDC or MS AD. If the KDC is MIT, Heimdal, or Shishi, only transfer of a pre-generated keytab is possible.
In order to use auto-registration to download existing keys, you must first have created an admin principal on the KDC with c and i administration privileges. In this example, the name of the principal is download/admin. For instructions, see Creating a New Kerberos Principal in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 and Modifying Principals' Kerberos Administration Privileges in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2.
In this example, the KDC is running Oracle Solaris. Also, the keys for the client have already been created.
This example shows how to add the download/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The download/admin principal is a special admin principal that is used to transfer existing keys from the KDC server when the Kerberos client is deployed.
# kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: n
No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the master KDCs for the above realm using a comma-separated list: kdc.example.com
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com
Do you have multiple domains/hosts to map to realm ? EXAMPLE.COM [y/n]: n
No action performed.
Should the client automatically join the realm ? [y/n]: y
Enter the krb5 administrative principal to be used: download/admin
Password for download/admin: xxxxxxxx
Do you plan on doing Kerberized nfs ? [y/n]: n
No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
No action performed.
Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
No action performed.
Setting up /root/krb-sc.xml.

Example 8-32 Creating New Keys While Deploying Kerberos Clients
Note that auto-registration works only if the KDC is a Solaris KDC or MS AD. If the KDC is MIT, Heimdal, or Shishi, only transfer of a pre-generated keytab is possible.
In order to use auto-registration to download new keys, you must first have created an admin principal on the KDC with a, c and i administration privileges. In this example, the name of the principal is create/admin. For instructions, see Creating a New Kerberos Principal in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 and Modifying Principals' Kerberos Administration Privileges in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2.
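The password of download/admin (Example 8-31, c and i privileges) and of create/admin (this example, a, c and i privileges) is entered into kclient and ends up in the client profile that the AI server hands out, so each principal should be able to touch only the host principals it exists to create or fetch. The kadm5.acl fragment below is an added example, not from the Oracle documentation; it assumes a Solaris (MIT-derived) KDC whose ACL file lives at /etc/krb5/kadm5.acl and accepts an optional target-principal field, and it limits both principals to host/* principals in EXAMPLE.COM rather than the whole realm:

```text
# Assumed path on the Solaris KDC: /etc/krb5/kadm5.acl (added example)
# principal                  permissions  target principals the permissions apply to
download/admin@EXAMPLE.COM   ci           host/*@EXAMPLE.COM
create/admin@EXAMPLE.COM     aci          host/*@EXAMPLE.COM
```

With this ACL, a leaked profile password lets an attacker at most create or rekey host principals in that realm, not inquire about or modify user principals; if a broader entry such as */admin@EXAMPLE.COM * already exists, the narrower lines must not be shadowed by it. kadmind reads the ACL at start, so restart it after editing (on Solaris 11 the SMF service is assumed to be network/security/kadmin).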
In this example, the KDC is running Oracle Solaris. This example adds the create/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The create/admin principal is a special admin principal that is used to transfer new keys from the KDC server when the Kerberos client is deployed. This command includes more options so fewer questions are asked.
# kclient -x /root/krb-sc.xml -R EXAMPLE.COM -a create/admin -d none -m kdc.example.com
Starting client setup
---------------------------------------------------
Do you have multiple domains/hosts to map to realm ? EXAMPLE.COM [y/n]: n
No action performed.
Should the client automatically join the realm ? [y/n]: y
Password for create/admin: xxxxxxxx
Setting up /root/krb-sc.xml.

Example 8-33 Automatically Joining an AI Client to a MS AD Domain
In this example, the client is joining an AD domain. Use the following command to add the Administrator principal when you are creating the system configuration profile for the Kerberos configuration file.
# kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
        ms_ad: Microsoft Active Directory
        mit: MIT KDC server
        heimdal: Heimdal KDC server
        shishi: Shishi KDC server
Enter required KDC type: ms_ad
Should the client automatically join AD domain ? [y/n]: y
Enter the Kerberos realm: EXAMPLE.COM
Enter the krb5 administrative principal to be used: Administrator
Password for Administrator: xxxxxxxx
Setting up /root/krb-sc.xml.