System Administration Guide, Volume 2

Configuring SEAM Clients

SEAM clients include any host on the network, other than a KDC server, that needs to use SEAM services. This section provides a procedure for installing a SEAM client, as well as specific information about using root authentication to mount NFS file systems.

There are two procedures that can be used to configure a SEAM client. "How to Finish the Configuration of a SEAM Client" provides information for configuring a SEAM client that has been partially set up during the installation of the system. "How to Configure a SEAM Client" provides the steps for configuring a SEAM client where no configuration of SEAM was attempted during the installation of the Solaris 8 release.

How to Configure a SEAM Client

The following configuration parameters are used:

  1. Prerequisites for configuring a SEAM client.

    A KDC with an admin server must be configured and running. In addition, DNS must be installed and the /etc/resolv.conf file should be configured properly.

  2. Become superuser on the client.

  3. Edit the PAM configuration file (pam.conf).

    Remove the comments from the last eight lines to enable the Kerberos PAM module.


    client1 # tail -11 /etc/pam.conf
    #
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #
    rlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    login  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    dtlogin        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    other  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    dtlogin        account optional /usr/lib/security/$ISA/pam_krb5.so.1
    other  account optional /usr/lib/security/$ISA/pam_krb5.so.1
    other  session optional /usr/lib/security/$ISA/pam_krb5.so.1
    other  password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
  4. Edit the NFS security service configuration file (nfssec.conf).

    Remove the comments from the lines describing the Kerberos services.


    client1 # cat /etc/nfssec.conf
      .
      .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5           390003  kerberos_v5     default -       # RPCSEC_GSS
    krb5i          390004  kerberos_v5     default integrity       # RPCSEC_GSS
    default         1       -       -       -       # default is AUTH_SYS
  5. Edit the Kerberos configuration file (krb5.conf).

    To change the file from the default version, you need to change the realm names and the names of the servers.


    client1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = ACME.COM
    
    [realms]
                    ACME.COM = {
                    kdc = kdc1.acme.com
                    kdc = kdc2.acme.com
                    admin_server = kdc1.acme.com
            }
    
    [domain_realm]
            .acme.com = ACME.COM
    
  6. (Optional) Synchronize with the master KDC's clock using NTP or another clock synchronization mechanism.

    See "Synchronizing Clocks Between KDCs and SEAM Clients" for information about NTP.

  7. Add new principals.

    Using the administration tool provided with your KDC, add the following new principals for the client.

    1. Create the NFS service principal.

      Create a principal named: nfs/client1.acme.com.

    2. Create a root principal.

      Create a principal named: root/client1.acme.com.

    3. Create a host principal.

      Create a principal named: host/client1.acme.com.

    4. Add the root principal to the keytab file.

      Make sure that the root/client1.acme.com principal is included in the keytab file.

  8. If you want the client to warn users about Kerberos ticket expiration, configure an entry in the /etc/krb5/warn.conf file.

    See warn.conf(4) for more information.

How to Finish the Configuration of a SEAM Client

To finish configuring a SEAM client whose SEAM setup was only partially completed when the client was installed, follow the instructions in "How to Configure a SEAM Client". Because the installation has already started the configuration, verify the contents of pam.conf, nfssec.conf, and krb5.conf instead of editing them.
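The verification called for above, and the edits in steps 3 through 5 of "How to Configure a SEAM Client", can be checked with a small audit script. The script below is an added example, not part of the Sun guide: it counts the active pam_krb5 lines in pam.conf, confirms that the krb5 and krb5i entries in nfssec.conf are uncommented, and confirms that the default realm in krb5.conf has a [realms] stanza naming a kdc and an admin_server. File paths are passed as parameters so it can be pointed at /etc/pam.conf, /etc/nfssec.conf and /etc/krb5/krb5.conf on a client; the write_samples function builds constructed copies so the script runs stand-alone.

```shell
#!/bin/sh
# Added audit script (not from the Sun guide). It checks the three files the
# procedure edits; paths are parameters and write_samples builds constructed
# copies so the script runs stand-alone.
# Number of active (uncommented) pam_krb5 lines; the guide's block has eight.
pam_krb5_lines() {
    grep -c '^[^#].*pam_krb5\.so\.1' "$1" || true
}
# Succeeds when nfssec.conf has both krb5 and krb5i as active entries.
nfssec_has_krb5() {
    grep -q '^krb5[[:space:]]' "$1" && grep -q '^krb5i[[:space:]]' "$1"
}
# Prints the default_realm value from krb5.conf (empty if missing).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -1
}
# Succeeds when the default realm's [realms] stanza names a kdc and an
# admin_server, i.e. the template's realm and server names were replaced.
krb5_realm_ok() {
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || return 1
    stanza=$(sed -n "/^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{/,/}/p" "$1")
    echo "$stanza" | grep -q '^[[:space:]]*kdc[[:space:]]*=' &&
        echo "$stanza" | grep -q '^[[:space:]]*admin_server[[:space:]]*='
}
# Constructed samples mirroring the guide's files; two pam lines are left
# commented out on purpose so the count falls short of eight.
write_samples() {
    mkdir -p "$1"
    cat > "$1/pam.conf" <<'EOF'
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
rlogin  auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#login  auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other   auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#other  session  optional /usr/lib/security/$ISA/pam_krb5.so.1
other   password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
EOF
    printf 'krb5\t390003\tkerberos_v5\tdefault\t-\nkrb5i\t390004\tkerberos_v5\tdefault\tintegrity\n' > "$1/nfssec.conf"
    printf '[libdefaults]\n\tdefault_realm = ACME.COM\n[realms]\n\tACME.COM = {\n\t\tkdc = kdc1.acme.com\n\t\tadmin_server = kdc1.acme.com\n\t}\n' > "$1/krb5.conf"
}
d=${TMPDIR:-/tmp}/seam-check.$$
write_samples "$d"
echo "active pam_krb5 lines: $(pam_krb5_lines "$d/pam.conf") of 8 expected"
nfssec_has_krb5 "$d/nfssec.conf" && krb5_realm_ok "$d/krb5.conf" && echo "nfssec.conf and krb5.conf look complete"
```

On a real client, replace the sample paths with the system files and expect the pam count to be eight; a lower count means some of the Kerberos PAM lines are still commented out.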