In this procedure, the following parameters are used:
Realm name = EXAMPLE.COM
DNS domain name = example.com
Cluster physical node names = pkdc1.example.com and pkdc2.example.com
Cluster logical hostname = kdc-1.example.com
Become superuser on a cluster member.
Choose the logical hostname that will provide the Kerberos service.
Select the logical hostname so that it corresponds to an IP address set up when you installed the Sun Cluster software. See the Sun Cluster Concepts Guide for Solaris OS for details about logical hostnames.
Create the krb5.conf, kdc.conf, and the other configuration files required to run a Kerberos server, then run the kdb5_util(1M) command as described in Chapter 23, Configuring the Kerberos Service (Tasks), in System Administration Guide: Security Services.
When populating the hostnames in these configuration files, ensure that they refer to the host's logical name, not the physical name.
This detail ensures that applications running in the same zone as the logical hostname are configured to use the corresponding IP addresses.
Here is an example of configuration files with the logical hostnames:
pkdc1# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc-1.example.com
                admin_server = kdc-1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

pkdc1# cat /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }
Make sure that you also have a valid /etc/resolv.conf file and /etc/nsswitch.conf file configured, for example:
pkdc1# cat /etc/resolv.conf
domain example.com
nameserver 1.2.3.4
nameserver 1.2.3.5

pkdc1# grep dns nsswitch.conf
hosts: files nis dns
ipnodes: files nis dns
Create the KDC database by running the kdb5_util(1M) command:
pkdc1# kdb5_util create
Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: <Type the new master key password>
Re-enter KDC database master key: <Type the above new master key password>
Add the following line to the /etc/krb5/kadm5.acl file:
sckrb5-probe/admin@EXAMPLE.COM i
Where:
EXAMPLE.COM    Realm name chosen in Step 3
i              The privilege that enables queries to the database for the sckrb5-probe/admin principal
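The configuration built so far has three places where a wrong name silently breaks failover: a physical node name instead of the logical hostname in krb5.conf, a realm stanza in kdc.conf that does not match default_realm, and a missing or wrong privilege for the probe principal in kadm5.acl. The following shell script is an added example, not part of the Sun Cluster guide: it checks a directory of krb5.conf, kdc.conf and kadm5.acl for exactly those mistakes. The function names and the constructed sample files are assumptions made for this example; on a real node you would point it at /etc/krb5.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster guide: sanity checks for the KDC
# configuration built in the steps above. Function names and the constructed
# sample files are assumptions made for this example.

# check_krb_cluster_conf CONFDIR REALM LOGICAL_HOST PHYSICAL_HOST...
# Returns 0 when every check passes, 1 otherwise, printing one line per failure.
check_krb_cluster_conf() {
    confdir=$1; realm=$2; logical=$3; shift 3; rc=0
    krb5="$confdir/krb5.conf"; kdc="$confdir/kdc.conf"; acl="$confdir/kadm5.acl"

    for f in "$krb5" "$kdc" "$acl"; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 1. kdc and admin_server must name the logical hostname that fails over
    for key in kdc admin_server; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*$logical([[:space:]:]|\$)" "$krb5" ||
            { echo "FAIL: $key in krb5.conf does not name $logical"; rc=1; }
    done

    # 2. no physical node name may appear in any of the files
    for phys in "$@"; do
        if grep -q "$phys" "$krb5" "$kdc" "$acl"; then
            echo "FAIL: physical node name $phys referenced in configuration"; rc=1
        fi
    done

    # 3. default_realm in krb5.conf and the [realms] stanza in kdc.conf must agree
    def=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$krb5" | head -n 1)
    [ "$def" = "$realm" ] || { echo "FAIL: default_realm is '$def', expected $realm"; rc=1; }
    grep -Eq "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*[{]" "$kdc" ||
        { echo "FAIL: kdc.conf has no [realms] stanza for $realm"; rc=1; }

    # 4. the probe principal must hold the inquire (i) privilege in kadm5.acl
    grep -Eq "^sckrb5-probe/admin@$realm[[:space:]]+i([[:space:]]|\$)" "$acl" ||
        { echo "FAIL: kadm5.acl lacks 'sckrb5-probe/admin@$realm i'"; rc=1; }

    return "$rc"
}

# make_sample_conf DIR VARIANT   (VARIANT is "good" or "bad")
# Writes constructed sample files; "bad" plants two mistakes the check must catch:
# admin_server pointing at a physical node, and a realm name mismatch in kdc.conf.
make_sample_conf() {
    dir=$1; mkdir -p "$dir"
    if [ "$2" = bad ]; then admin=pkdc1.example.com; kdcrealm=ACME.COM
    else admin=kdc-1.example.com; kdcrealm=EXAMPLE.COM; fi
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc-1.example.com
                admin_server = $admin
        }
[domain_realm]
        .example.com = EXAMPLE.COM
EOF
    cat > "$dir/kdc.conf" <<EOF
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        $kdcrealm = {
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
        }
EOF
    printf '%s\n' 'sckrb5-probe/admin@EXAMPLE.COM i' > "$dir/kadm5.acl"
}

# Stand-alone demonstration over a temporary directory.
tmp=$(mktemp -d) || exit 1
for v in good bad; do
    make_sample_conf "$tmp/$v" "$v"
    if check_krb_cluster_conf "$tmp/$v" EXAMPLE.COM kdc-1.example.com pkdc1.example.com pkdc2.example.com
    then echo "$v: OK"; else echo "$v: problems found"; fi
done
rm -rf "$tmp"
```

Run it as-is to see both variants, or call check_krb_cluster_conf /etc/krb5 EXAMPLE.COM kdc-1.example.com pkdc1.example.com pkdc2.example.com on each node after the configuration step. The physical-name check is deliberately a plain substring match so that a node name hidden in a comment or a log path is also reported.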
Start the kadmin.local command.
pkdc1# kadmin.local
Authenticating as principal host/admin@EXAMPLE.COM with password
Use the kadmin.local command to add kadmin and changepw service principals for the fully qualified logical hostname for the cluster, kdc-1.example.com.
kadmin.local: ank -randkey -allow_tgs_req kadmin/kdc-1.example.com
NOTICE: no policy specified for kadmin/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "kadmin/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ank -randkey -allow_tgs_req +password_changing_service \
    changepw/kdc-1.example.com
NOTICE: no policy specified for changepw/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "changepw/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc-1.example.com changepw/kdc-1.example.com
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Add the new service principals for the host services for the fully qualified logical hostname for the cluster, kdc-1.example.com:
kadmin.local: ank -randkey host/kdc-1.example.com
NOTICE: no policy specified for host/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "host/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd host/kdc-1.example.com
Entry for principal host/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Where:
kdc-1.example.com    Fully qualified logical hostname for the cluster
Add a new service principal for the kiprop service for the fully qualified logical hostname for the cluster, kdc-1.example.com.
kadmin.local: ank -randkey kiprop/kdc-1.example.com
NOTICE: no policy specified for kiprop/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "kiprop/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc-1.example.com
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Move the /etc/krb5 and /var/krb5 directories to either a global or a failover file system.
For example, move /etc/krb5 and /var/krb5 to a global file system, /global/fs/, as follows:
pkdc1# mv /etc/krb5 /global/fs/krb-conf
pkdc1# mv /var/krb5 /global/fs/krb-db
See the Sun Cluster Software Installation Guide for Solaris OS for information on setting up cluster file systems.
Create symbolic links back to the /etc/krb5 and /var/krb5 directories:
pkdc1# ln -s /global/fs/krb-conf /etc/krb5
pkdc1# ln -s /global/fs/krb-db /var/krb5
Repeat the symbolic link creation on all the other cluster nodes or zones.
pkdc2# mv /etc/krb5 /etc/krb5.old
pkdc2# mv /var/krb5 /var/krb5.old
pkdc2# ln -s /global/fs/krb-conf /etc/krb5
pkdc2# ln -s /global/fs/krb-db /var/krb5
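A node on which the link step was skipped still has a local /etc/krb5 or /var/krb5, and the KDC that fails over to it will start against stale or empty files. The following shell script is an added example, not part of the Sun Cluster guide: it verifies on one node that both directories are symbolic links to the expected shared locations and that the targets are reachable. The ROOT argument is a prefix so the check can be exercised against a constructed directory tree; the function names are assumptions made for this example, and on a real node ROOT is simply the empty string.

```shell
#!/bin/sh
# Added example, not from the Sun Cluster guide: confirm on a node that /etc/krb5
# and /var/krb5 have been replaced by symbolic links into the shared file system,
# which the last step requires on every node. ROOT is a prefix so the check can
# run against a constructed tree; the function names are assumptions made here.

# check_one_link PATH WANTED_TARGET
# Returns 0 if PATH is a symbolic link to WANTED_TARGET and the target is a directory.
check_one_link() {
    path=$1; want=$2
    [ -L "$path" ] || { echo "FAIL: $path is not a symbolic link (node not yet switched to shared storage)"; return 1; }
    got=$(readlink "$path")
    [ "$got" = "$want" ] || { echo "FAIL: $path -> $got, expected $want"; return 1; }
    [ -d "$path" ] || { echo "FAIL: $path points at a missing directory"; return 1; }
}

# check_krb_links ROOT CONF_TARGET DB_TARGET
# Returns 0 when ROOT/etc/krb5 -> CONF_TARGET and ROOT/var/krb5 -> DB_TARGET both
# pass check_one_link; 1 otherwise, with one line per problem.
check_krb_links() {
    rc=0
    check_one_link "$1/etc/krb5" "$2" || rc=1
    check_one_link "$1/var/krb5" "$3" || rc=1
    return "$rc"
}

# make_sample_node ROOT STATE   (STATE is "done" or "partial")
# Constructed node tree: "partial" mimics a node where /etc/krb5 was never linked.
make_sample_node() {
    root=$1
    mkdir -p "$root/global/fs/krb-conf" "$root/global/fs/krb-db" "$root/etc" "$root/var"
    if [ "$2" = done ]; then
        ln -s "$root/global/fs/krb-conf" "$root/etc/krb5"
    else
        mkdir -p "$root/etc/krb5"      # still a local directory: link step not repeated here
    fi
    ln -s "$root/global/fs/krb-db" "$root/var/krb5"
}

# Stand-alone demonstration: one fully converted node, one half-converted node.
tmp=$(mktemp -d) || exit 1
make_sample_node "$tmp/pkdc1" done
make_sample_node "$tmp/pkdc2" partial
for n in pkdc1 pkdc2; do
    if check_krb_links "$tmp/$n" "$tmp/$n/global/fs/krb-conf" "$tmp/$n/global/fs/krb-db"
    then echo "$n: links OK"; else echo "$n: fix before failing the KDC over to this node"; fi
done
rm -rf "$tmp"
```

On a live cluster the call is check_krb_links "" /global/fs/krb-conf /global/fs/krb-db, run on every node and zone that can host the logical hostname; the `-d` test on the link itself follows the link, so an unmounted global file system is reported as well.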