SEAM Installation and Release Notes

Chapter 2 SEAM Installation

This chapter includes the steps necessary to install the SEAM product and should be used by anyone doing an installation. The procedures to preconfigure and install SEAM are included in this chapter. The first procedure allows for the preconfiguration of much of the site-specific data so that files need not be manually edited as part of the install process; it also includes a local installation. The second procedure actually adds all of the SEAM software using the preconfiguration information.

These topics are covered in this chapter:

  • SEAM Package Contents
  • Patches
  • SEAM Installation Task Map
  • Installing SEAM Software
  • Uninstalling SEAM
  • Additions to the Solaris Management Console

SEAM Package Contents

The SEAM software can be installed on either a client, a KDC slave server, or a KDC master server. Any other types of servers (such as a SEAM application or SEAM NFS server) are configured after the client software packages are installed. Each type of installation adds one or more packages, some of which change files that are important to system security.

SEAM Client Packages

The client packages install the SEAM man pages, the Kerberos applications (such as klist), the administrative applications (kadmin and gkadmin), as well as the kerberized daemons and utilities (ftp and ftpd, for example). During the install process the following files are edited: /etc/inetd.conf, /etc/services, /etc/pam.conf, and /etc/krb5/krb5.conf. If you have site-specific alterations to these files, you should check the file contents after the installation.

In addition, on Solaris 2.6 clients only, files that provide support for the GSS-API framework and RPCSEC_GSS are installed. These are already part of the Solaris 7 release, so they are added only to Solaris 2.6 clients. New security-related files that are installed include /etc/gss/gsscred.conf, /etc/gss/mech, /etc/gss/qop, and /etc/nfssec.conf. Also, the crontab file for root and /etc/inetd.conf are edited. Again, if you have site-specific alterations to these files, you should check the file contents after the installation.

Slave KDC Packages

The slave KDC installation process installs all of the client packages, as well as an additional package that includes the utilities needed by any KDC server. A start-up script is installed in /etc/init.d/kdc, which starts the slave KDC daemons. Also, the /etc/krb5/kdc.conf and /etc/inetd.conf files are edited.

Master KDC Packages

The master KDC installation process installs all of the client packages, the slave KDC package, and a package that includes the files and utilities needed only on the master KDC server. The process edits the crontab file for root and installs a start-up script in /etc/init.d/kdc.master. A file to control access to the KDC, /etc/krb5/kadm5.acl, and a file to control the propagation of the KDC database, /etc/krb5/kpropd.acl, are added. Securing these files is important for the security of the KDC database.
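
The client, slave and master package descriptions above all end with the same advice: check the edited files after the install, and keep the two KDC ACL files protected. As an added example (not from the SEAM documentation), the POSIX shell helpers below record checksums of those files before running the installer, report which ones changed afterwards, and flag a kadm5.acl or kpropd.acl that users other than the owner and group can read or write. The ROOT prefix argument and the function names are assumptions; on the host being installed, call them with ROOT set to /.

```shell
#!/bin/sh
# Added helper (not from the SEAM documentation). ROOT is a path prefix:
# "/" on the host being installed, a constructed tree in a test.

# Files the client, slave and master installs edit, and the two KDC access
# control files the master install adds.
SEAM_EDITED="etc/inetd.conf etc/services etc/pam.conf etc/krb5/krb5.conf etc/krb5/kdc.conf"
SEAM_ACLS="etc/krb5/kadm5.acl etc/krb5/kpropd.acl"

# seam_snapshot ROOT OUTFILE: record "<file> <cksum>" for each edited file
# that exists; run this before ./installer.
seam_snapshot() {
    root=${1%/}; out=$2
    : > "$out"
    for f in $SEAM_EDITED; do
        [ -f "$root/$f" ] || continue
        printf '%s %s\n' "$f" "$(cksum < "$root/$f" | cut -d' ' -f1)" >> "$out"
    done
}

# seam_changed ROOT SNAPFILE: print the edited files whose checksum differs
# from the snapshot (or that did not exist when it was taken); return 1 if
# anything changed, so the output can drive a manual review of those files.
seam_changed() {
    root=${1%/}; snap=$2; rc=0
    for f in $SEAM_EDITED; do
        [ -f "$root/$f" ] || continue
        now=$(cksum < "$root/$f" | cut -d' ' -f1)
        old=$(awk -v p="$f" '$1 == p { print $2 }' "$snap")
        if [ "$now" != "$old" ]; then
            echo "$f"; rc=1
        fi
    done
    return $rc
}

# seam_acl_perms ROOT: print KDC ACL files that "other" users can read or
# write (mode bits 004 or 002 set); return 1 if any were found.
seam_acl_perms() {
    root=${1%/}; rc=0
    for f in $SEAM_ACLS; do
        [ -f "$root/$f" ] || continue
        if [ -n "$(find "$root/$f" -perm -004 -o -perm -002)" ]; then
            echo "$f"; rc=1
        fi
    done
    return $rc
}
```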

Patches

All the patches included with the SEAM release are for Solaris 2.6 SPARC and Intel systems. Some of the patches incorporate fixes unrelated to SEAM. This is because the SEAM and non-SEAM fixes impact the same binary, and all the patches included are official.

All of these patches are required if you want to use Kerberos V5 security with NFS file systems and exports. If you are not using SEAM to secure the NFS file system, then the patches are not needed.

Solaris patches are numbered as XXXXXX-VV where XXXXXX is the patch base ID number, and VV is the version number. Typically the i386 patch base ID number is equal to the SPARC base ID number incremented by one.

Here is a list of all of the patches included with the SEAM 1.0 release. The SPARC patch IDs are listed first.

105472-04 / 105473-04 -- Without this fix, the automounter will crash when accessing NFS file systems that are mounted with Kerberos V5 security (that is, the NFS server is sharing the file system with sec=krb5, krb5i, or krb5p).

105564-03 / 105565-03 -- Without this fix, the chgrp command will not work on NFS file systems that are mounted with Kerberos V5 security.

105615-04 / 105616-04 -- Without this fix, you will not be able to successfully export NFS file systems from servers with a command like: share -o sec=krb5,rw=mpk16-labnets,ro=engineering /export/krb5. Less complex commands like: share -o sec=krb5 /export/krb5 will succeed with or without the patch.

106639-01 / 106640-01 -- This patch fixes a memory leak that occurs when using NFS file systems that are using Kerberos V5 security.

107228-01 / 107281-01 -- This patch fixes XFN to scale to large tables suitable for use with the gsscred command. If you choose not to use XFN, then you do not need this patch.

SEAM Installation Task Map

To best utilize SEAM, the product installation should be done in a specific order. You can alter this order if you need to, but some steps might have to be repeated or you might need to make manual changes to the configuration files.

Table 2-1 First Steps: SEAM Configuration Order

Each row gives the task, a description, and where to go for instructions.

  1. Plan for your SEAM Installation
     Description: Consider configuration issues and make decisions about them before starting the software installation process.
     For instructions, go to: "Planning for SEAM" in Sun Enterprise Authentication Mechanism Guide

  2. (Optional) Install NTP
     Description: In order for SEAM to work properly, the clocks on all systems in the realm must be kept in sync.
     For instructions, go to: "Synchronizing Clocks between KDCs and SEAM Clients" in Sun Enterprise Authentication Mechanism Guide

  3. (Optional) Run SEAM preconfiguration procedure
     Description: To make the installation of a site with many hosts easier, the procedure can be run to store much of the installation information on an NFS server. This information can then be used during installation.
     For instructions, go to: "How to Preconfigure SEAM Installations"

  4. Run SEAM software installation procedure
     Description: Install the SEAM software packages on a client or a server.
     For instructions, go to: "How to Install SEAM Software Using the GUI"

  5. Configure the master KDC server
     Description: Configure and build the master KDC server and database for a realm.
     For instructions, go to: "Configuring KDC Servers" in Sun Enterprise Authentication Mechanism Guide

  6. Additional steps to configure SEAM
     Description: Configure slave KDCs, SEAM clients, SEAM NFS servers, and other useful tasks.
     For instructions, go to: "SEAM Configuration Task Map" in Sun Enterprise Authentication Mechanism Guide

Installing SEAM Software

The installation process is best done using the following procedures. The first step is to establish a writeable area to place files that are used during the configuration process. This writeable file system and an image of the SEAM packages should be exportable to all systems that need SEAM installed. You can choose to either:

  1. Copy the SEAM CD to a local disk on an NFS server that can be exported -- see "How to Copy the SEAM Image to a Local File System".

  2. Mount a writable file system on the CD and export both -- see "How to Mount a Writeable File System on the SEAS CD".

After a writeable area is prepared, the next step is to define needed information for the configuration files, so you don't need to enter this information manually. This is called the preconfiguration procedure. The last procedure installs the SEAM software using the preconfiguration information, if available.

The procedure to establish configuration files for the master KDC, slave KDCs, and SEAM clients is optional, but in sites with many systems, using the configuration files has many advantages.

  1. The data needs to be entered only once, so the installations run faster.

  2. Since the configuration files are shared by all of the installations, the chances of making an error during the installation are reduced.

The tool used in this process gathers information such as the realm name, the KDC server names, and other important information, and stores it.

The next step is to install the SEAM product. Before attempting to install, you need to determine what type of system you need. The installation process allows you to select a master KDC installation, a slave KDC installation, or a SEAM client installation. The master KDC packages should only be included on the KDC master server; likewise, the slave KDC packages should only be installed on KDC slave servers (see "How to Install SEAM Software Using the GUI").

The SEAM client packages should be installed on any host that requires SEAM. These hosts can include network application servers, NFS servers, and all clients. A simpler procedure can be used for installing the SEAM clients if the preconfiguration process has been completed (see "How to Install SEAM Clients Without the GUI").

The last procedure in this section explains how to fix a system that had all of the software installed before the preconfiguration step was completed. This can happen when the default SEAS 3.0 installation is done without doing the preconfiguration process first. Refer to "How to Fix an Unconfigured System" for a complete explanation.

How to Copy the SEAM Image to a Local File System

If you do not want to leave the SEAS 3.0 CD mounted on a server while SEAM installations are occurring, then copying the packages from the SEAS CD is the best way to make the SEAM image available. The packages require about 50MB. This procedure requires that you have the SEAS 3.0 CD available on the server.

  1. Become root on an NFS server.

  2. Copy the SEAM image from the SEAS 3.0 CD to a local file system.


    # cd /export
    # mkdir SEAM
    # cd /cdrom
    # find .install products/Sun_Enterprise_Authentication_Mechanism_1.0 -print|
            cpio -dump /export/SEAM
    

    Note -

    The last line is split on two lines to make it readable, but should be entered as one command.


  3. Export the file system.

    To make the configuration files available for all installations, /export or /export/SEAM needs to be NFS-mountable by all hosts.

    1. Edit the /etc/dfs/dfstab file.

      Add an entry for either /export or /export/SEAM if one does not exist.


      share -F nfs -o ro /export/SEAM
      
    2. Start the NFS services.

      If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart them.


      # /etc/init.d/nfs.server stop
      # /etc/init.d/nfs.server start
      

Where to Go From Here

Now that an area has been prepared to store the configuration file, you can follow the steps in "How to Preconfigure SEAM Installations ".

How to Mount a Writeable File System on the SEAS CD

If you want to leave the SEAS CD on a server while SEAM installations are occurring, then you need to mount a writeable file system on top of the CD to provide an area for the preconfiguration information to be stored. This procedure requires that you have the SEAS 3.0 CD available on the server.

  1. Become root on an NFS server.

  2. Create a file system for the preconfiguration files.


    # cd /export
    # mkdir SEAM_preconfig
    
  3. Mount the file system on the SEAS CD.


    # SEAM=/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0/\
    > .install/pkgutil/siteconfig_response
    # mount -F lofs /export/SEAM_preconfig $SEAM
    
  4. Export the file system.

    To make the configuration files available for all installations, /cdrom and /export/SEAM_preconfig need to be NFS-mountable by all hosts.

    1. Edit the /etc/dfs/dfstab file.

      Add an entry for /cdrom and for the new directory /export/SEAM_preconfig, if one does not exist.


      share -F nfs -o ro /cdrom
      share -F nfs -o ro /export/SEAM_preconfig
      
    2. Start the NFS services.

      If this is the first share command or set of share commands that you have initiated, the NFS daemons are probably not running. The following commands kill the daemons and restart them.


      # /etc/init.d/nfs.server stop
      # /etc/init.d/nfs.server start
      

Where to Go From Here

Now that an area has been prepared to store the configuration file, you can follow the steps in "How to Preconfigure SEAM Installations ".

How to Preconfigure SEAM Installations

This procedure can be followed to preconfigure much of the information needed when configuring either the KDCs or the SEAM clients. If preconfiguration is needed, a writeable file system must be available for the preconfiguration information (see "How to Copy the SEAM Image to a Local File System" or "How to Mount a Writeable File System on the SEAS CD"). The information stored on the NFS file system can be accessed by each host in the realm during the installation procedure. This process is optional, but should be very helpful for large sites.


Note -

This procedure will install SEAM on the NFS server using the preconfiguration information, but none of the SEAM applications will work until at least a KDC master is installed.


In this procedure the following configuration parameters are used:

  • Realm name: ACME.COM
  • Master KDC: kdc1.acme.com
  • Slave KDC: kdc2.acme.com
  • Online help URL: http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6685

  1. Become root on an NFS server.

  2. Start the install process.


    # cd /export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0
    # ./installer
    

    Note -

    If you are using the CD for package installations instead of using an NFS server, then installer is found in: /net/denver/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0.


  3. Click Next in the Welcome screen.

  4. Select the type of installation.

    The next screen asks you to select a default installation or a custom installation. Select the custom installation to get to the preconfiguration screens. Click Next to proceed.

  5. Click Next in the Locale Selection screen.

  6. Select the software components to be installed.

    If the NFS server is not going to be a SEAM client or if you are just collecting preconfiguration information, then none of the components need to be selected. For a Solaris 7 NFS server that is going to provide Kerberized NFS support, the only components that should be selected are Kernel Module and SEAM Client. For a Solaris 2.6 NFS server that is going to provide Kerberized NFS support, select the same components but make sure to add the "5.6 Patches" and the GSS-API component. Click Next to proceed.


    Note -

    A disk space check is done after this step. If there is enough space then you should not have to do anything.


  7. Define site configuration information.

    The next screen allows you to select the configuration procedure as well as entering configuration information.

    1. Select the configuration procedure.

      The top part of the screen allows you to select how the machine will be configured. For this procedure you should select "Re-configure site information." You can select to:

      • Use previously configured site information -- Use after the preconfiguration process has been completed

      • Re-configure site information -- Use this to enter new information

      • Configure just this machine -- Use to enter new information for this host

      • Configure this machine later -- Use when you are not sure about all of the configuration parameters, but want to install the packages anyway

    2. Identify the site configuration directory.

      The path should be to a file system that is mountable by all of the systems that require SEAM installations.

    3. Specify the realm name.

      By convention, the realm name is capitalized to help differentiate it from DNS domain names. For this example, the realm name is ACME.COM.

    4. Identify the master KDC and slave KDC server names.

      Use fully-qualified host names. For this example, the host names are kdc1.acme.com for the master and kdc2.acme.com for the slave. You can add as many slaves as needed.

    5. Enter the DNS domain name for this realm.

    6. Specify the URL for online help.

      This URL is used by the SEAM Administration Tool, so the URL should be defined properly to enable the "Help Contents" menu to work. The web version of this manual can be installed on any appropriate AnswerBook2 server. You will need to change the localhost entry and add information after the SEAM portion of the address.

      For this example, the URL should point to http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6685, unless another location is more appropriate. The section titled "SEAM Administration Tool" in the "Administering Principals and Policies" chapter of the Sun Enterprise Authentication Mechanism Guide is the suggested location to use.

      You can verify the URL by entering it into any web browser and verifying that the page is available. Make sure that the SEAS documentation has been installed before attempting to verify the URL.

    7. Identify the maximum lifetime for tickets.

      If the default value is acceptable, do not change it.

    8. Identify the maximum lifetime for renewable tickets.

      If the default value is acceptable, do not change it.

    9. Review the definitions that you have set.

      If the definitions are correct, click Next to proceed. When you click Next, the preconfiguration information is saved to the configuration directory.

  8. Click Install Now to start the installation.

    The screen will show the components selected. If there are no components selected and you are just collecting the preconfiguration information, you can click Exit.

  9. A summary of the installation process is displayed; click Next to proceed.

  10. Additional information is displayed in the next screen; click Exit to finish the procedure.

    A window is displayed asking if you want to reboot. Rebooting is not necessary until the server needs to use SEAM.

How to Install SEAM Software Using the GUI

In this example, the SEAM master server installation is selected, but the process is much the same for the slave and client installations. The SEAM packages have been installed on /net/denver/export/SEAM, although they could be installed on a local file system or you can install using the SEAS CD.

SEAM client installations can be made faster by following the instructions in "How to Install SEAM Clients Without the GUI".

  1. Start the installation script.


    # cd /net/denver/export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0
    # ./installer
    
  2. Click Next in the Welcome screen.

  3. Select the type of installation.

    The next screen asks you to select a default installation or a custom installation. Select the custom installation. Click Next to proceed.

  4. Click Next in the Locale Selection screen.

    Currently there are no locales to select in the SEAS release.

  5. Click Next in the Select Install Directory screen.

    SEAM will install files in several directories. You must leave the path as "/".

  6. Select the software components to be installed.

    For a master, select the Master Server package. For a slave, select the Slave Server package. Other packages are added as needed. Click Next to proceed.


    Note -

    A disk space check is done after this step. If there is enough space then you should not have to do anything.


  7. Click Install Now to start the installation.

    The screen will show the components selected.

  8. Select the configuration procedure and directory.

    The next screen allows you to select the configuration procedure, as well as identifying the path to the configuration files. If you have preconfigured site information, select "Use previously configured site information" and specify the directory path to the configuration files.

  9. A summary of the installation process is displayed; click Next to proceed.

  10. Additional information is displayed in the next screen; click Exit to finish the procedure.

Where to Go From Here

The Sun Enterprise Authentication Mechanism Guide includes a list of the tasks that can be done after the SEAM software is installed.

How to Install SEAM Clients Without the GUI

SEAM clients can be installed without using the GUI, after the preconfiguration process is complete. Not using the GUI means that you do not need to go through any of the screens, so the installation should run faster. Because you do not use any of the screens, you can only add client packages.

If necessary you can install all of the clients before the preconfiguration process is complete and use the script mentioned in "How to Fix an Unconfigured System" to complete the configuration.

  1. Become root on the client.

  2. Change directory to the preconfiguration area.


    # cd /net/denver/export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0
    

    Note -

    To load packages from the CD, use the path: /net/denver/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0.


  3. Start the installer.


    # ./installer -nodisplay
    

How to Fix an Unconfigured System

If a full installation is done without creating the preconfiguration files first, you can correct the system using the following procedure.

  1. Become root on the system.

  2. Run the script to fix the configuration.


    # cd /net/denver/export/SEAM/products/Sun_Enterprise_Authentication_Mechanism_1.0
    # ./sparc/Tools/seamfixconfig
    

    Note -

    If you are using the SEAS 3.0 CD, the path would be: /net/denver/cdrom/products/Sun_Enterprise_Authentication_Mechanism_1.0.


Uninstalling SEAM

SEAM, like other products in the Sun Easy Access Server 3.0 release, can be uninstalled using prodreg. More information about this utility can be found in "How to Uninstall a Product From the Registry" in Solaris Easy Access Server 3.0 Installation Guide.

Additions to the Solaris Management Console

After SEAM has been installed, you can launch the SEAM Administration Tool from the Solaris Management Console (SMC). To start the GUI, double-click on the "security" category in the left pane of the SMC window, and double-click the SEAM icon in the right pane.