System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

How to Initialize a Client Using Per-User Credentials

Before You Begin

Before you set up a client with per-user credentials the following items must already be configured:

One or more Kerberos KDC servers must be configured and running.
DNS, client access to a DNS server, and at least one DNS server, must be configured and running.
Kerberos on the client machine must be configured and enabled.

A Kerberos client installation profile must exist. Such a profile might be:

# cat /usr/tmp/krb5.profile
REALM SPARKS.COM
KDC kdc.example.com
ADMIN super/admin
FILEPATH /usr/tmp/krb5.conf
NFS 1
DNSLOOKUP none

The LDAP server must be installed and configured to support the sasl/GSSAPI.
Appropriate identity mapping configurations must exist.
Kerberos host principals for the directory server and the KDC must be set up in the KDC.
idsconfig must have been run on the directory server DIT to be used.

An appropriate per-user gssapi profile (such as gssapi_EXAMPLE.COM) must have been created.

An illustration of a per-user profile in idsconfig is shown in the following partial example:

# /usr/lib/ldap/idsconfig
Do you wish to continue with server setup (y/n/h)? [n] y
Enter the iPlanet Directory Server's (iDS) hostname to setup: kdc.example.com
Enter the port number for iDS (h=help): [389] <Enter your port>
Enter the directory manager DN: [cn=Directory Manager] <Enter your DN>
Enter passwd for cn=Directory Manager : <Enter your password>
Enter the domainname to be served (h=help): [example.com] <Enter your domain>
Enter LDAP Base DN (h=help): [dc=example,dc=com] <Enter your DN>
GSSAPI is supported. Do you want to set up gssapi:(y/n) [n] y
Enter Kerberos Realm: [EXAMPLE.COM] EXAMPLE.COMYou can create a sasl/GSSAPI enabled profile with default values now. Do you
want to create a sasl/GSSAPI default profile ? [n] y Enter. the profile name
(h=help): [gssapi_EXAMPLE.COM] <Enter>
GSSAPI setup is done. ...

The necessary user principals must exist in the Key Distribution Center (KDC).
On the client machine, Kerberos must be initialized using the client profile with a command such as:
# /usr/sbin/kclient -p /usr/tmp/krb5.profile
/etc/nsswitch.ldap must be configured to use dns for hosts and ipnodes. Modify this file with an editor as necessary, as in the following:
host: files dns ipnodes: files dns
/etc/resolv.conf must be configured and the dns service must be running. See the DNS chapters in this document for details.
The directory server DIT must be pre-loaded with (at a minimum) the users of this client machine, the client host and necessary auto_home LDAP entries. See other sections of this manual for details on how to add entries using ldapaddent.

Run ldapclient init to initialize the client by using the gssapi profile:

# /usr/sbin/ldapclient init -a profilename=gssapi_SPARKS.COM -a \
domainname=example.com 9.9.9.50

Try to log in as a user:

Run kinit -p user.

Run ldaplist -l passwd user in user's login session and you should see “userpassword.”

But ldaplist -l passwd bar can get the entry without userpassword. By default root can still see userpassword of everybody.

Notes About Using Per-User Credentials

If the syslog has messages: libsldap: Status: 7 Mesg: openConnection: GSSAPI bind failed - 82 Local error, it is likely that Kerberos is not initialized or its ticket is expired. Run klist to browse it. Run kinit -p foo or kinit -R -p foo and try again.
If you want to, you can add pam_krb5.so.1 to /etc/pam.conf so it will automatically kinit when you log in.

For example:

login   auth optional pam_krb5.so.1
rlogin  auth optional pam_krb5.so.1
other   auth optional pam_krb5.so.1

If a user is kinited and the syslog message indicates Invalid credential, then the problem could be the host entry (root) or user entry is not in LDAP directory or mapping rules are not correct.
When ldapclient init is executed, it makes some checks if the LDAP profile contains self/ sasl/GSSAPI configuration. If it fails at /etc/nsswitch.ldap check, then the usual reason is that dns was not added to host: and ipnodes:.
If it fails because the DNS client not enabled, run svcs -l dns/client to see if /etc/resolv.conf is missing or it is just disabled. Run svcadm enable dns/client to enable it.
If the check fails because of sasl/GSSAPI bind, check syslog to find out what went wrong.

See other references in this guide and in the System Administration Guide: Security Services for details.