SEAM Installation and Release Notes

SEAM Package Contents

The SEAM software can be installed on either a client, a KDC slave server, or a KDC master server. Any other types of servers (such as a SEAM application or SEAM NFS server) are configured after the client software packages are installed. Each type of installation adds one or more packages, some of which change files that are important to system security.

SEAM Client Packages

The client packages install the SEAM man pages, the Kerberos applications (such as klist), the administrative applications (kadmin and gkadmin), as well as the kerberized daemons and utilities (ftp and ftpd, for example). During the install process the following files are edited: /etc/inetd.conf, /etc/services, /etc/pam.conf, and /etc/krb5/krb5.conf. If you have site-specific alterations to these files, you should check the file contents after the installation.

In addition, on Solaris 2.6 clients only, files that provide support for the GSS_API framework and RPCSEC_GSS are installed. These are already part of the Solaris 7 release, so they are added only to Solaris 2.6 clients. New security-related files that are installed include /etc/gss/gsscred.conf, /etc/gss/mech, /etc/gss/qop, and /etc/nfssec.conf. Also, the crontab file for root and /etc/inetd.conf are edited. Again, if you have site-specific alterations to these files, you should check the file contents after the installation.

Slave KDC Packages

The slave KDC installation process installs all of the client packages, as well as an additional package that includes the utilities needed by any KDC server. A start-up script is installed in /etc/init.d/kdc, which starts the slave KDC daemons. Also, the /etc/krb5/kdc.conf and /etc/inetd.conf files are edited.

Master KDC Packages

The master KDC installation process installs all of the client packages, the slave KDC package, and a package that includes the files and utilities needed only on the master KDC server. The process edits the crontab file for root and installs a start-up script in /etc/init.d/kdc.master. A file to control access to the KDC, /etc/krb5/kadm5.acl, and a file to control the propagation of the KDC database, /etc/krb5/kpropd.acl, are added. Securing these files is important for the security of the KDC database.
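The package descriptions above ask you to re-check site-specific files after installation and to keep the KDC access-control files secure. The following POSIX shell sketch is an added example, not part of the SEAM distribution: it snapshots the files named above before the install and reports what the install added or changed. The function names, the ROOT variable, and the snapshot directory are hypothetical, and the path of root's crontab is the usual Solaris location rather than one given here.

```shell
#!/bin/sh
# Added example (not SEAM code). ROOT and the snapshot directory are assumed
# names; leave ROOT empty on a real host, or point it at a scratch tree.

# Files the install edits or adds, as listed in the package descriptions.
# root's crontab path is an assumption (standard Solaris location).
SEAM_FILES="/etc/inetd.conf /etc/services /etc/pam.conf /etc/krb5/krb5.conf
/etc/gss/gsscred.conf /etc/gss/mech /etc/gss/qop /etc/nfssec.conf
/etc/krb5/kdc.conf /etc/krb5/kadm5.acl /etc/krb5/kpropd.acl
/etc/init.d/kdc /etc/init.d/kdc.master /var/spool/cron/crontabs/root"

# seam_snapshot ROOT SNAP: run before installing; copies each existing file.
seam_snapshot() {
    root=$1; snap=$2
    for f in $SEAM_FILES; do
        [ -f "$root$f" ] || continue
        mkdir -p "$snap$(dirname "$f")" && cp -p "$root$f" "$snap$f"
    done
}

# seam_compare ROOT SNAP: run after installing; unchanged files are silent.
seam_compare() {
    root=$1; snap=$2
    for f in $SEAM_FILES; do
        if [ -f "$root$f" ] && [ ! -f "$snap$f" ]; then
            echo "ADDED $f"
        elif [ ! -f "$root$f" ] && [ -f "$snap$f" ]; then
            echo "REMOVED $f"
        elif [ -f "$root$f" ] && ! cmp -s "$root$f" "$snap$f"; then
            echo "CHANGED $f"
        fi
    done
}

# seam_acl_loose ROOT: flag KDC ACL files writable by group or others.
seam_acl_loose() {
    root=$1
    for f in /etc/krb5/kadm5.acl /etc/krb5/kpropd.acl; do
        [ -f "$root$f" ] || continue
        if [ -n "$(find "$root$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "LOOSE $f"
        fi
    done
}

# Usage: script snapshot DIR (before install), script compare DIR (after).
case "${1:-}" in
    snapshot) seam_snapshot "${ROOT:-}" "$2" ;;
    compare)  seam_compare "${ROOT:-}" "$2"; seam_acl_loose "${ROOT:-}" ;;
esac
```

Each CHANGED line marks a file to diff against its snapshot copy so that site-specific entries can be restored; a LOOSE line means the ACL file's mode should be tightened.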

Patches

All the patches included with the SEAM release are for Solaris™ 2.6 SPARC™ and Intel systems. Some of the patches incorporate fixes unrelated to SEAM. This is because the SEAM and non-SEAM fixes impact the same binary, and all the patches included are official.

All of these patches are required if you want to use Kerberos V5 security with NFS file systems and exports. If you are not using SEAM to secure the NFS file system, then the patches are not needed.

Solaris patches are numbered as XXXXXX-VV where XXXXXX is the patch base ID number, and VV is the version number. Typically the i386 patch base ID number is equal to the SPARC base ID number incremented by one.

Here is a list of all of the patches included with the SEAM 1.0 release. The SPARC patch IDs are listed first.

105472-04 / 105473-04 -- Without this fix, the automounter will crash when accessing NFS file systems that are mounted with Kerberos V5 security (that is, the NFS server is sharing the file system with sec= krb5, krb5i, or krb5p).

105564-03 / 105565-03 -- Without this fix, the chgrp command will not work on NFS file systems that are mounted with Kerberos V5 security.

105615-04 / 105616-04 -- Without this fix, you will not be able to successfully export NFS file systems from servers with a command like: share -o sec=krb5,rw=mpk16-labnets,ro=engineering /export/krb5. Less complex commands like: share -o sec=krb5 /export/krb5 will succeed with or without the patch.

106639-01 / 106640-01 -- This patch fixes a memory leak that occurs when using NFS file systems that are using Kerberos V5 security.

107228-01 / 107281-01 -- This patch fixes XFN to scale to large tables suitable for use with the gsscred command. If you choose not to use XFN, then you do not need this patch.