System Administration Guide, Volume 2

How to Configure a SEAM Client

The following procedure uses the example values that appear in the sample files below (realm ACME.COM, KDCs kdc1.acme.com and kdc2.acme.com, client client1.acme.com); substitute the names used at your site.

  1. Prerequisites for configuring a SEAM client.

    A KDC with an admin server must be configured and running. In addition, DNS must be installed and the /etc/resolv.conf file should be configured properly.

  2. Become superuser on the client.

  3. Edit the PAM configuration file (pam.conf).

    Remove the comments from the last eight lines to enable the Kerberos PAM module.


    client1 # tail -11 /etc/pam.conf
    #
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #
    rlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    login  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    dtlogin        auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    other  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
    dtlogin        account optional /usr/lib/security/$ISA/pam_krb5.so.1
    other  account optional /usr/lib/security/$ISA/pam_krb5.so.1
    other  session optional /usr/lib/security/$ISA/pam_krb5.so.1
    other  password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

  4. Edit the NFS security service configuration file (nfssec.conf).

    Remove the comments from the lines describing the Kerberos services.


    client1 # cat /etc/nfssec.conf
      .
      .
    #
    # Uncomment the following lines to use Kerberos V5 with NFS
    #
    krb5           390003  kerberos_v5     default -       # RPCSEC_GSS
    krb5i          390004  kerberos_v5     default integrity       # RPCSEC_GSS
    default         1       -       -       -       # default is AUTH_SYS

  5. Edit the Kerberos configuration file (krb5.conf).

    To change the file from the default version, you need to change the realm names and the names of the servers.


    client1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = ACME.COM

    [realms]
            ACME.COM = {
                    kdc = kdc1.acme.com
                    kdc = kdc2.acme.com
                    admin_server = kdc1.acme.com
            }

    [domain_realm]
            .acme.com = ACME.COM

  6. (Optional) Synchronize with the master KDC's clock using NTP or another clock synchronization mechanism.

    See "Synchronizing Clocks Between KDCs and SEAM Clients" for information about NTP.

  7. Add new principals.

    Using the administration tool provided with your KDC, add the following new principals for the client.

    1. Create the NFS service principal.

      Create a principal named: nfs/client1.acme.com.

    2. Create a root principal.

      Create a principal named: root/client1.acme.com.

    3. Create a host principal.

      Create a principal named: host/client1.acme.com.

    4. Add the root principal to the keytab file.

      Make sure that the root/client1.acme.com principal is included in the keytab file.

  8. If you want the client to warn users about Kerberos ticket expiration, configure an entry in the /etc/krb5/warn.conf file.

    See warn.conf(4) for more information.
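The steps above touch three files and a set of principals, and a missed comment marker or a realm name that does not match between [realms] and [domain_realm] is the usual reason a first Kerberos login fails. The script below is an added example, not part of the Solaris guide: it checks that the eight pam_krb5 lines are active, that the krb5 and krb5i flavors are enabled in nfssec.conf, that krb5.conf names a default_realm with at least one kdc and an admin_server and maps the client's DNS domain to that realm, and that the three principals from step 7 appear in a principal listing. The files it reads are constructed copies written to a scratch directory so it runs offline; the principal listing is an assumed one-per-line format such as kadmin's list_principals would print. On a live client, point PAM_CONF, NFSSEC_CONF and KRB5_CONF at /etc/pam.conf, /etc/nfssec.conf and /etc/krb5/krb5.conf and feed the real listing to missing_principals.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): sanity-check a SEAM client's
# configuration. Sample files are constructed below; replace the paths with
# the real /etc files to check a live client.
WORK=${TMPDIR:-/tmp}/seam_check.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
PAM_CONF=$WORK/pam.conf; NFSSEC_CONF=$WORK/nfssec.conf; KRB5_CONF=$WORK/krb5.conf
CLIENT=client1.acme.com    # example client name from the guide

# Constructed tail of pam.conf with the guide's eight Kerberos lines uncommented.
cat > "$PAM_CONF" <<'EOF'
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
rlogin  auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login   auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other   auth optional   /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other   account optional /usr/lib/security/$ISA/pam_krb5.so.1
other   session optional /usr/lib/security/$ISA/pam_krb5.so.1
other   password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
EOF
# Constructed nfssec.conf with the Kerberos flavors enabled.
cat > "$NFSSEC_CONF" <<'EOF'
default 1      -           -       -         # default is AUTH_SYS
krb5    390003 kerberos_v5 default -         # RPCSEC_GSS
krb5i   390004 kerberos_v5 default integrity # RPCSEC_GSS
EOF
# Constructed krb5.conf matching the guide's example.
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
        default_realm = ACME.COM
[realms]
        ACME.COM = {
                kdc = kdc1.acme.com
                kdc = kdc2.acme.com
                admin_server = kdc1.acme.com
        }
[domain_realm]
        .acme.com = ACME.COM
EOF
# Constructed principal listing (assumed one principal per line).
PRINCIPALS="nfs/client1.acme.com@ACME.COM
root/client1.acme.com@ACME.COM
host/client1.acme.com@ACME.COM"

# Number of active (uncommented) pam_krb5 lines; the guide enables eight.
pam_krb5_lines() { grep -c '^[^#].*pam_krb5\.so\.1' "$1" || true; }

# True when both krb5 and krb5i flavors are uncommented in nfssec.conf.
nfssec_krb5_enabled() {
    grep -q '^krb5[[:space:]]' "$1" && grep -q '^krb5i[[:space:]]' "$1"
}

# Value of a "key = value" line inside one [section] of krb5.conf.
krb5_get() {   # $1 = file, $2 = section, $3 = key
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); next }
        s == sec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# Succeeds when the realm has at least one kdc and an admin_server entry.
krb5_realm_complete() {   # $1 = file, $2 = realm
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[^A-Za-z0-9_]/, "", s); next }
        s == "realms" && $1 == realm && $2 == "=" && $3 == "{" { in_r = 1; next }
        in_r && $1 == "}" { in_r = 0 }
        in_r && $2 == "=" && $1 == "kdc" { kdc++ }
        in_r && $2 == "=" && $1 == "admin_server" { adm++ }
        END { exit !(kdc > 0 && adm > 0) }' "$1"
}

# Prints each of the nfs/, root/ and host/ principals missing from a listing.
missing_principals() {   # $1 = client FQDN, $2 = realm, $3 = listing text
    for svc in nfs root host; do
        printf '%s\n' "$3" | grep -q "^$svc/$1@$2\$" || printf '%s\n' "$svc/$1@$2"
    done
}

# Runs every check; returns non-zero if anything the guide requires is missing.
seam_client_check() {
    rc=0
    [ "$(pam_krb5_lines "$PAM_CONF")" -eq 8 ] || { echo "pam.conf: Kerberos lines still commented"; rc=1; }
    nfssec_krb5_enabled "$NFSSEC_CONF" || { echo "nfssec.conf: krb5/krb5i not enabled"; rc=1; }
    realm=$(krb5_get "$KRB5_CONF" libdefaults default_realm)
    [ -n "$realm" ] || { echo "krb5.conf: no default_realm"; rc=1; }
    krb5_realm_complete "$KRB5_CONF" "$realm" || { echo "krb5.conf: realm $realm lacks kdc/admin_server"; rc=1; }
    dom=.${CLIENT#*.}
    [ "$(krb5_get "$KRB5_CONF" domain_realm "$dom")" = "$realm" ] || { echo "krb5.conf: $dom not mapped to $realm"; rc=1; }
    miss=$(missing_principals "$CLIENT" "$realm" "$PRINCIPALS")
    [ -z "$miss" ] || { echo "missing principals: $miss"; rc=1; }
    return $rc
}

seam_client_check && echo "SEAM client files for $CLIENT look complete"
```

Each check is a separate function so the script can be run as a whole before the first login or pointed at one file after a single edit. The awk parsers handle only the flat "key = value" layout shown in the guide's krb5.conf; nested relations inside a realm stanza other than kdc and admin_server are ignored.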