The following configuration parameters are used:
realm name = ACME.COM
DNS domain name = acme.com
master KDC = kdc1.acme.com
slave KDC = kdc2.acme.com
client = client.acme.com
admin principal = kws/admin
user principal = mre
Prerequisites for configuring a SEAM client.
A KDC with an admin server must be configured and running. In addition, DNS must be installed and the /etc/resolv.conf file should be configured properly.
Become superuser on the client.
Edit the PAM configuration file (pam.conf).
Remove the comments from the last eight lines to enable the Kerberos PAM module.
client1 # tail -11 /etc/pam.conf
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other account optional /usr/lib/security/$ISA/pam_krb5.so.1
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
Edit the NFS security service configuration file (nfssec.conf).
Remove the comments from the lines describing the Kerberos services.
client1 # cat /etc/nfssec.conf
.
.
#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
default 1       -            -        -          # default is AUTH_SYS
Edit the Kerberos configuration file (krb5.conf).
To change the file from the default version, you need to change the realm names and the names of the servers.
client1 # cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = ACME.COM

[realms]
        ACME.COM = {
                kdc = kdc1.acme.com
                kdc = kdc2.acme.com
                admin_server = kdc1.acme.com
        }

[domain_realm]
        .acme.com = ACME.COM
(Optional) Synchronize with the master KDC's clock using NTP or another clock synchronization mechanism.
See "Synchronizing Clocks Between KDCs and SEAM Clients" for information about NTP.
Add new principals.
Using the administration tool provided with your KDC, add the following new principals for the client.
Create the NFS service principal.
Create a principal named: nfs/client1.acme.com.
Create a root principal.
Create a principal named: root/client1.acme.com.
Create a host principal.
Create a principal named: host/client1.acme.com.
Add the root principal to the keytab file.
Make sure that the root/client1.acme.com principal is included in the keytab file.
If you want the client to warn users about Kerberos ticket expiration, configure an entry in the /etc/krb5/warn.conf file.
See warn.conf(4) for more information.
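The following script is an added example, not part of the SEAM guide: it checks the result of the procedure above by reading the three edited files (pam.conf, nfssec.conf, krb5.conf) and a saved listing from klist -k, and reports which step was missed. It assumes the file layout shown in the procedure (spaces around "=" in krb5.conf) and a klist -k listing with "KVNO Principal" columns; the sample files it runs against are constructed copies written to a temporary directory, so it can be run anywhere, and the same functions can be pointed at the live files under /etc on a client.

```shell
#!/bin/sh
# Added example, not from the SEAM guide: post-configuration checks for a
# SEAM client. The functions read the files the procedure edits (pam.conf,
# nfssec.conf, krb5.conf) plus a saved `klist -k` listing, so they can be
# pointed at the live /etc files or, as below, at constructed copies.
# Assumed: the krb5.conf layout shown in the procedure (spaces around "=")
# and a klist -k listing whose second column is the principal name.

REALM=ACME.COM
CLIENT=client1.acme.com

# Count of pam_krb5 lines that are active (not commented out); the
# procedure uncomments eight, so fewer means a line kept its leading '#'.
active_pam_krb5_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'pam_krb5\.so\.1' || true
}

# Uncommented nfssec.conf modes whose GSS mechanism is kerberos_v5.
nfssec_krb5_modes() {
    awk '!/^[[:space:]]*#/ && $3 == "kerberos_v5" { print $1 }' "$1"
}

# default_realm from [libdefaults].  Usage: krb5_default_realm FILE
krb5_default_realm() {
    awk '/^[[:space:]]*\[/ { sec = $1; sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
         sec == "libdefaults" && $1 == "default_realm" && $2 == "=" { print $3; exit }' "$1"
}

# Every value of KEY (kdc, admin_server, ...) inside REALM's block under
# [realms].  Usage: krb5_realm_values FILE REALM KEY
krb5_realm_values() {
    awk -v realm="$2" -v key="$3" '
        /^[[:space:]]*\[/ { sec = $1; sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
        sec == "realms" && $1 == realm && $2 == "=" { inblock = 1; next }
        inblock && /}/ { inblock = 0 }
        inblock && $1 == key && $2 == "=" { print $3 }' "$1"
}

# "yes" if a klist -k listing holds PRINCIPAL@REALM, else "no".
# Usage: keytab_has_principal LISTING_FILE PRINCIPAL
keytab_has_principal() {
    awk -v want="$2@$REALM" '$2 == want { f = 1 } END { print (f ? "yes" : "no") }' "$1"
}

# Run all checks against the files in DIR; non-zero status if any fails.
check_client() {
    dir=$1; status=0
    [ "$(active_pam_krb5_lines "$dir/pam.conf")" -eq 8 ] || { echo "pam.conf: pam_krb5 lines still commented out"; status=1; }
    [ "$(nfssec_krb5_modes "$dir/nfssec.conf" | tr '\n' ' ')" = "krb5 krb5i " ] || { echo "nfssec.conf: krb5/krb5i not enabled"; status=1; }
    [ "$(krb5_default_realm "$dir/krb5.conf")" = "$REALM" ] || { echo "krb5.conf: default_realm is not $REALM"; status=1; }
    [ -n "$(krb5_realm_values "$dir/krb5.conf" "$REALM" kdc)" ] || { echo "krb5.conf: no kdc entry for $REALM"; status=1; }
    [ -n "$(krb5_realm_values "$dir/krb5.conf" "$REALM" admin_server)" ] || { echo "krb5.conf: no admin_server for $REALM"; status=1; }
    [ "$(keytab_has_principal "$dir/klist-k.txt" "root/$CLIENT")" = yes ] || { echo "keytab: root/$CLIENT missing"; status=1; }
    [ $status -eq 0 ] && echo "client checks passed for $dir"
    return $status
}

# Constructed copies of the files as they look after the procedure's edits.
SAMPLE_DIR=${TMPDIR:-/tmp}/seam-client-check.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/pam.conf" <<'EOF'
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
rlogin  auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login   auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other   auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account  optional /usr/lib/security/$ISA/pam_krb5.so.1
other   account  optional /usr/lib/security/$ISA/pam_krb5.so.1
other   session  optional /usr/lib/security/$ISA/pam_krb5.so.1
other   password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
EOF
cat > "$SAMPLE_DIR/nfssec.conf" <<'EOF'
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
default 1       -            -        -          # default is AUTH_SYS
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = ACME.COM
[realms]
        ACME.COM = {
                kdc = kdc1.acme.com
                kdc = kdc2.acme.com
                admin_server = kdc1.acme.com
        }
[domain_realm]
        .acme.com = ACME.COM
EOF
# Constructed klist -k output (assumed column layout) for a keytab that
# holds the host and root principals of the client.
cat > "$SAMPLE_DIR/klist-k.txt" <<'EOF'
KVNO Principal
---- ----------------------------------
   3 host/client1.acme.com@ACME.COM
   3 root/client1.acme.com@ACME.COM
EOF

check_client "$SAMPLE_DIR"
```

On a live client, run the same functions against /etc/pam.conf, /etc/nfssec.conf and /etc/krb5/krb5.conf, and feed keytab_has_principal the output of klist -k saved to a file; a "no" for root/client1.acme.com points at the keytab step, while a pam_krb5 count below eight points at a line that still carries its leading '#'.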