Oracle Solaris Cluster Data Service for Kerberos Guide
Installing Kerberos

This section describes the steps to install Kerberos and to enable Kerberos to run as Oracle Solaris Cluster HA for Kerberos.

Oracle Solaris Cluster HA for Kerberos uses the Kerberos server and mechanism libraries co-packaged with the Solaris 10 operating system or later versions of the operating system. See the krb5.conf(4) and kdc.conf(4) man pages for information on how to configure the Kerberos environment. The Oracle Solaris Cluster configuration for Kerberos differs from the Solaris configuration for Kerberos in the following ways:

How to Install Kerberos

In this procedure, the following parameters are used:

  1. Become superuser on a cluster member.
  2. Choose the logical hostname that will provide the Kerberos service.

    Select the logical hostname so that it corresponds to an IP address set up when you installed the Oracle Solaris Cluster software. See the Oracle Solaris Cluster Concepts Guide for details about logical hostnames.

  3. Create the krb5.conf, kdc.conf, and the other configuration files required to run a Kerberos server, then run the kdb5_util(1M) command as described in Chapter 23, Configuring the Kerberos Service (Tasks), in System Administration Guide: Security Services.

    When populating the hostnames in these configuration files, ensure that they refer to the host's logical name, not the physical name.

    Note - This detail ensures that applications running in the same zone as the logical hostname are configured to the corresponding IP addresses.

    Here is an example of configuration files with the logical hostnames:

    pkdc1# cat /etc/krb5/krb5.conf
    [libdefaults]
             default_realm = EXAMPLE.COM
    
    [realms]
           EXAMPLE.COM = {
                   kdc = kdc-1.example.com
                   admin_server = kdc-1.example.com
           }
    [domain_realm]
           .example.com = EXAMPLE.COM
    [logging]
           default = FILE:/var/krb5/kdc.log
           kdc = FILE:/var/krb5/kdc.log
           kdc_rotate = {
                   period = 1d
                   versions = 10
           }
    
    [appdefaults]
           kinit = {
                   renewable = true
                   forwardable = true
           }
    pkdc1# cat /etc/krb5/kdc.conf
    [kdcdefaults]
             kdc_ports = 88,750
     
    [realms]
             EXAMPLE.COM = {
                     profile = /etc/krb5/krb5.conf
                     database_name = /var/krb5/principal
                     admin_keytab = /etc/krb5/kadm5.keytab
                     acl_file = /etc/krb5/kadm5.acl
                     kadmind_port = 749
                     max_life = 8h 0m 0s
                     max_renewable_life = 7d 0h 0m 0s
                     default_principal_flags = +preauth
             }

    Make sure that you also have a valid /etc/resolv.conf file and /etc/nsswitch.conf file configured, for example:

    pkdc1# cat /etc/resolv.conf
    domain example.com
    nameserver 1.2.3.4
    nameserver 1.2.3.5
    pkdc1# grep dns /etc/nsswitch.conf
    hosts:        files nis dns
    ipnodes:      files nis dns
  4. Create the KDC database by running the kdb5_util(1M) command:
    pkdc1# kdb5_util create
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:<Type the new master key password>
    Re-enter KDC database master key:<Type the above new master key password>
  5. Add the following line in the /etc/krb5/kadm5.acl file:
    sckrb5-probe/admin@EXAMPLE.COM i

    Where:

    EXAMPLE.COM

    Realm name chosen in Step 3

    i

    The privilege that enables queries to the database for the sckrb5-probe/admin principal

  6. Start the kadmin.local command.
    pkdc1# kadmin.local
    Authenticating as principal host/admin@EXAMPLE.COM with password
    a. Use the kadmin.local command to add the kadmin and changepw service principals for the fully qualified logical hostname for the cluster, kdc-1.example.com.
      kadmin.local: ank -randkey -allow_tgs_req kadmin/kdc-1.example.com
      NOTICE: no policy specified for kadmin/kdc-1.example.com@EXAMPLE.COM; 
      assigning "default" Principal "kadmin/kdc-1.example.com@EXAMPLE.COM" 
      created.
      kadmin.local: ank -randkey -allow_tgs_req +password_changing_service \
      changepw/kdc-1.example.com
      NOTICE: no policy specified for changepw/kdc-1.example.com@EXAMPLE.COM; 
      assigning "default"    
      Principal "changepw/kdc-1.example.com@EXAMPLE.COM" created.
      
      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc-1.example.com changepw/kdc-1.example.com
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with \
      96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type Triple
      DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type
      ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type
      DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type
      DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
    b. Add the new service principal for the host service for the fully qualified logical hostname for the cluster, kdc-1.example.com:
      kadmin.local: ank -randkey host/kdc-1.example.com
      NOTICE: no policy specified for host/kdc-1.example.com@EXAMPLE.COM; assigning "default"
      Principal "host/kdc-1.example.com@EXAMPLE.COM" created.
      kadmin.local:  ktadd host/kdc-1.example.com
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 \
      HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 \
      added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab \
      WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to \
      keytab WRFILE:/etc/krb5/krb5.keytab.

      Where:

      kdc-1.example.com

      Fully qualified logical hostname for the cluster

    c. Add a new service principal for the kiprop service for the fully qualified logical hostname for the cluster, kdc-1.example.com.
      kadmin.local: ank -randkey kiprop/kdc-1.example.com
      NOTICE: no policy specified for kiprop/kdc-1.example.com@EXAMPLE.COM; assigning "default"
      Principal "kiprop/kdc-1.example.com@EXAMPLE.COM" created.
      kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc-1.example.com
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit \
      SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 \
      added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to \
      keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added \
      to keytab WRFILE:/etc/krb5/kadm5.keytab.
  7. Move the /etc/krb5 and /var/krb5 directories to either a global or a failover file system.

    For example, move /etc/krb5 and /var/krb5 to a global file system, /global/fs/, as follows:

    pkdc1# mv /etc/krb5 /global/fs/krb-conf
    pkdc1# mv /var/krb5 /global/fs/krb-db

    See the Oracle Solaris Cluster Software Installation Guide for information on setting up cluster file systems.

  8. Create symbolic links back to the /etc/krb5 and /var/krb5 directories:
    pkdc1# ln -s /global/fs/krb-conf /etc/krb5
    pkdc1# ln -s /global/fs/krb-db /var/krb5
  9. Repeat the symbolic link creation on all the other cluster nodes or zones.
    pkdc2# mv /etc/krb5 /etc/krb5.old
    pkdc2# mv /var/krb5 /var/krb5.old
    pkdc2# ln -s /global/fs/krb-conf /etc/krb5
    pkdc2# ln -s /global/fs/krb-db /var/krb5
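The following script is an added example for this procedure, not part of the Oracle guide or of the HA for Kerberos data service. It checks a Kerberos configuration tree laid out as in Step 3 and Step 5 for the mistakes that defeat a failover KDC: a kdc or admin_server entry that names a physical node rather than the logical hostname, a realm name that differs between krb5.conf and kdc.conf, and a missing kadm5.acl entry granting the sckrb5-probe/admin principal the i privilege. It also verifies the symbolic links from Steps 8 and 9. The function names, the sample tree it builds, and the use of readlink and mktemp are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): consistency checks for an
# HA KDC configuration tree before it is moved to the shared file system.

# profile_value FILE SECTION KEY: print the first "KEY = VALUE" found inside
# [SECTION] of an MIT-style profile.  Nested "REALM = { ... }" blocks are
# simply walked through, so "kdc" is found inside "EXAMPLE.COM = { ... }".
profile_value() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($1 == sect); next }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# realm_names FILE: print every realm defined in the [realms] section.
realm_names() {
    awk '
        /^[[:space:]]*\[/ { insect = ($1 == "[realms]"); next }
        insect && $2 == "=" && $3 == "{" { print $1 }
    ' "$1"
}

# check_ha_kdc_config DIR LOGICAL_HOST REALM [PHYSICAL_HOST]
# Returns 0 when DIR/krb5.conf, DIR/kdc.conf and DIR/kadm5.acl agree with
# the procedure, 1 otherwise; one FAIL line is printed per finding.
check_ha_kdc_config() {
    dir=$1 lhost=$2 realm=$3 phost=$4 rc=0
    # Step 3: KDC and admin server must be the logical hostname.
    for key in kdc admin_server; do
        v=$(profile_value "$dir/krb5.conf" realms "$key")
        [ "$v" = "$lhost" ] ||
            { echo "FAIL: krb5.conf $key = '$v', expected logical host $lhost"; rc=1; }
    done
    v=$(profile_value "$dir/krb5.conf" libdefaults default_realm)
    [ "$v" = "$realm" ] ||
        { echo "FAIL: krb5.conf default_realm = '$v', expected $realm"; rc=1; }
    # Both profiles must describe the same realm.
    [ -n "$(realm_names "$dir/kdc.conf")" ] ||
        { echo "FAIL: kdc.conf defines no realm"; rc=1; }
    for r in $(realm_names "$dir/kdc.conf"); do
        [ "$r" = "$realm" ] ||
            { echo "FAIL: kdc.conf defines realm $r, expected $realm"; rc=1; }
    done
    # Step 5: the fault monitor's principal needs the "i" (inquire) privilege.
    awk -v p="sckrb5-probe/admin@$realm" '$1 == p && $2 == "i" { ok = 1 } END { exit !ok }' \
        "$dir/kadm5.acl" ||
        { echo "FAIL: kadm5.acl lacks 'sckrb5-probe/admin@$realm i'"; rc=1; }
    # A physical node name anywhere in the profiles ties the service to one node.
    if [ -n "$phost" ] && grep -q "$phost" "$dir/krb5.conf" "$dir/kdc.conf"; then
        echo "FAIL: physical hostname $phost referenced in a profile"; rc=1
    fi
    return $rc
}

# link_points_to LINK TARGET: true when LINK is a symbolic link to TARGET
# (Steps 8 and 9: /etc/krb5 -> /global/fs/krb-conf, /var/krb5 -> /global/fs/krb-db).
link_points_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# make_sample_tree DIR KDC_REALM: write a constructed configuration tree
# modelled on the guide's listings.  KDC_REALM is the realm name placed in
# kdc.conf so that a mismatch with krb5.conf can be reproduced on demand.
make_sample_tree() {
    mkdir -p "$1"
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc-1.example.com
                admin_server = kdc-1.example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM
[logging]
        kdc_rotate = {
                period = 1d
        }
EOF
    cat > "$1/kdc.conf" <<EOF
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        $2 = {
                profile = /etc/krb5/krb5.conf
                acl_file = /etc/krb5/kadm5.acl
        }
EOF
    echo "sckrb5-probe/admin@EXAMPLE.COM i" > "$1/kadm5.acl"
}

# Stand-alone demonstration: a consistent tree passes; a kdc.conf whose realm
# (ACME.COM) does not match krb5.conf (EXAMPLE.COM) is reported.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir" EXAMPLE.COM
check_ha_kdc_config "$demo_dir" kdc-1.example.com EXAMPLE.COM pkdc1 && echo "consistent tree: OK"
make_sample_tree "$demo_dir" ACME.COM
check_ha_kdc_config "$demo_dir" kdc-1.example.com EXAMPLE.COM pkdc1 || echo "mismatched tree: rejected"
rm -rf "$demo_dir"
```

Run it on a node with the real tree by pointing check_ha_kdc_config at /global/fs/krb-conf, the logical hostname from Step 2, the realm from Step 3, and that node's own physical name; run link_points_to on /etc/krb5 and /var/krb5 on every node after Step 9, since a node whose links were not recreated will start its own private KDC state after a failover.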