The following configuration parameters are used:
realm name = ACME.COM
DNS domain name = acme.com
master KDC = kdc1.acme.com
slave KDC = kdc2.acme.com
client = client.acme.com
admin principal = kws/admin
user principal = mre
online help URL = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
Adjust the URL to point to the "SEAM Administration Tool" section, as described in the SEAM Installation and Release Notes.
Prerequisites for configuring a SEAM client.
The SEAM client software must be installed.
Edit the Kerberos configuration file (krb5.conf).
If you used the preconfiguration procedure, you do not need to edit this file, but you should review the contents. To change the file from the SEAM default version, change the realm names and the names of the servers, and set the path to the help files for gkadmin.
kdc1 # cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = ACME.COM

[realms]
        ACME.COM = {
                kdc = kdc1.acme.com
                kdc = kdc2.acme.com
                admin_server = kdc1.acme.com
        }

[domain_realm]
        .acme.com = ACME.COM
#
# if the domain name and realm name are equivalent,
# this entry is not needed
#
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log

[appdefaults]
        gkadmin = {
                help_url = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
        }
Optional: Synchronize with the master KDC's clock using NTP or another clock synchronization mechanism.
See "Synchronizing Clocks between KDCs and SEAM Clients" for information about NTP.
Optional: Create a user principal if one does not already exist.
You need to create a user principal only if the user associated with this host does not already have a principal assigned. See "How to Create a New Principal" for instructions using the SEAM Administration Tool. A command-line example is shown below.
client1 # /usr/krb5/sbin/kadmin -p kws/admin
Enter password: <Enter kws/admin password>
kadmin: addprinc mre
Enter password for principal mre@ACME.COM: <type the password>
Re-enter password for principal mre@ACME.COM: <type it again>
kadmin:
Create a root principal.
kadmin: addprinc root/client1.acme.com
Enter password for principal root/client1.acme.com@ACME.COM: <type the password>
Re-enter password for principal root/client1.acme.com@ACME.COM: <type it again>
kadmin: quit
(Optional) If you want a user on the SEAM client to automatically mount Kerberized NFS file systems using Kerberos authentication, you must authenticate the root user.
This process is done most securely by using the kinit command; however, users will need to use kinit as root every time they need to mount a file system secured by Kerberos. You can choose to use a keytab file instead. See "Setting Up Root Authentication to Mount NFS File Systems" for detailed information about the keytab requirement.
client1 # /usr/krb5/bin/kinit root/client1.acme.com
Password for root/client1.acme.com@ACME.COM: <Enter password>
To use the keytab file option, add the root principal to the client's keytab using kadmin:
client1 # /usr/krb5/sbin/kadmin -p kws/admin
Enter password: <Enter kws/admin password>
kadmin: ktadd root/client1.acme.com
kadmin: Entry for principal root/client.acme.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab
kadmin: quit
If you want the client to warn users about Kerberos ticket expiration, create an entry in the /etc/krb5/warn.conf file.
See warn.conf(4) for more information.
Update the user's shell search path to include the location of the SEAM commands and man pages.
If you installed the SEAM software using the configuration files and chose to automatically update the PATH definition, you only need to change the MANPATH variable. If you use the C shell, type:
% set path=(/usr/krb5/bin $path)
% setenv MANPATH /usr/krb5/man:$MANPATH
To make these changes to your shell search path permanent, edit your .cshrc or .login startup file.
If you use the Bourne or Korn shell, type:
$ PATH=/usr/krb5/bin:$PATH
$ MANPATH=/usr/krb5/man:$MANPATH
$ export PATH MANPATH
To make these changes to your shell search path permanent, edit your .profile startup file.
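A post-configuration check for the procedure above, added here as an example (it is not part of the original SEAM documentation): POSIX shell functions that read default_realm and the realm's kdc entries from krb5.conf and confirm that the keytab, if present, grants no access to group or other. The function names are hypothetical; the default paths and realm are the ones used on this page.

```shell
#!/bin/sh
# Added example: post-configuration checks for a SEAM client (hypothetical names).

# Print default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /\[libdefaults\]/); next }
        in_sec && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print, one per line, the kdc hosts in REALM's stanza under [realms].
krb5_realm_kdcs() {
    awk -v realm="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); in_stanza = 0; next }
        { n = index($0, "="); key = trim(substr($0, 1, n - 1)); val = trim(substr($0, n + 1)) }
        in_realms && n && key == realm { in_stanza = 1; next }
        in_stanza && index($0, "}")    { in_stanza = 0; next }
        in_stanza && n && key == "kdc" { print val }
    ' "$1"
}

# Succeed only if FILE is a regular file with no group or other access.
# A keytab stores the principal's long-term key, so it must stay private.
keytab_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ]
}

# Run all checks: check_seam_client [CONF] [KEYTAB] [REALM]
check_seam_client() {
    conf=${1:-/etc/krb5/krb5.conf}
    keytab=${2:-/etc/krb5/krb5.keytab}
    want=${3:-ACME.COM}
    rc=0
    realm=$(krb5_default_realm "$conf")
    [ "$realm" = "$want" ] || { echo "default_realm is '$realm', expected '$want'" >&2; rc=1; }
    [ -n "$(krb5_realm_kdcs "$conf" "$want")" ] || { echo "no kdc entries for $want" >&2; rc=1; }
    # The keytab is optional in this procedure, so check it only if present.
    if [ -e "$keytab" ] && ! keytab_private "$keytab"; then
        echo "$keytab is accessible to group or other" >&2; rc=1
    fi
    return $rc
}
```

Source the file and run check_seam_client as root on the client; it returns non-zero and prints each failed check to standard error.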