Configuring SEAM Clients

SEAM clients include any host, not a KDC server, on the network that needs to use SEAM services. This section provides a procedure for installing a SEAM client, as well as specific information about using root authentication to mount NFS file systems.

There are two procedures which can be used to configure a SEAM client. "How to Finish the Configuration of a SEAM Client" provides information for configuring a SEAM client that has been partially setup during the installation of the system."How to Configure a SEAM Client" provides the steps for configuring a SEAM client where no configuration of SEAM was attempted during the installation of the Solaris 8 release.

How to Configure a SEAM Client

The following configuration parameters are used:

realm name = ACME.COM




DNS domain name = acme.com




master KDC = kdc1.acme.com




slave KDC = kdc2.acme.com




client = client.acme.com




admin principal = kws/admin




user principal = mre

1. Prerequisites for configuring a SEAM client.

   A KDC with an admin server must be configured and running. In addition, DNS must be installed and the /etc/resolv.conf file should be configured properly.

2. Become superuser on the client.

3. Edit the PAM configuration file (pam.conf).

   Remove the comments from the last eight lines to enable the Kerberos PAM module.

   client1 # tail -11 /etc/pam.conf # # Support for Kerberos V5 authentication (uncomment to use Kerberos) # rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1 other account optional /usr/lib/security/$ISA/pam_krb5.so.1 other session optional /usr/lib/security/$ISA/pam_krb5.so.1 other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

4. Edit the NFS security service configuration file (nfssec.conf).

   Remove the comments from the lines describing the Kerberos services.

   client1 # cat /etc/nfssec.conf . . # # Uncomment the following lines to use Kerberos V5 with NFS # krb5 390003 kerberos_v5 default - # RPCSEC_GSS krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS default 1 - - - # default is AUTH_SYS

5. Edit the Kerberos configuration file (krb5.conf).

   To change the file from the default version, you need to change the realm names and the names of the servers.

   client1 # cat /etc/krb5/krb5.conf [libdefaults] default_realm = ACME.COM [realms] ACME.COM = { kdc = kdc1.acme.com kdc = kdc2.acme.com admin_server = kdc1.acme.com } [domain_realm] .acme.com = ACME.COM

6. (Optional) Synchronize with the master KDC's clock using NTP or another clock synchronization mechanism.

   See "Synchronizing Clocks Between KDCs and SEAM Clients" for information about NTP.

7. Add new principals.

   Using the administration tool provided with your KDC add new principals for the client.

   1. Create the NFS service principal.

      Create a principal named: nfs/client1.acme.com.

   2. Create a root principal.

      Create a principal named: root/client1.acme.com.

   3. Create a host principal.

      Create a principal named: host/client1.acme.com.

   4. Add the root principal to the keytab file.

      Make sure that the root/client1.acme.com principal is included in the keytab file.

8. If you want the client to warn users about Kerberos ticket expiration, configure an entry in the /etc/krb5/warn.conf file.

   See warn.conf(4) for more information.

How to Finish the Configuration of a SEAM Client

To configure a SEAM client, after a partial installation has been done when installing the client, follow the instructions in "How to Configure a SEAM Client". Because the installation has been started, verify the contents of pam.conf, nfssec.conf, and krb5.conf instead of editting them.