Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Configure a cron Host for Access to Kerberos Services

    This procedure uses the following configuration parameters:

  • cron host =

  • NFS server =

  • LDAP server =

  1. Configure the cron service to support Kerberos.
    • If the cron host is not configured for Kerberos, then run the kclient command on the system.

      For more information, see the kclient(1M) man page.

      For example, the following command configures the client in the EXAMPLE.COM realm. The command includes the pam_gss_s4u file in the /etc/pam.d/cron service file by using the include mechanism.

      # kclient -s cron:optional -R EXAMPLE.COM
    • If the cron host is already configured for Kerberos, then you must modify the PAM configuration for the cron service on that host manually.

      Ensure that the PAM configuration for the cron service includes the pam_gss_s4u file.

      # cd /etc/pam.d ; cp cron cron.orig
      # pfedit cron
            # PAM include file for optional set credentials
            # through Kerberos keytab and GSS-API S4U support
            auth include          pam_gss_s4u
  2. Enable the cron host to act as a delegate.

    Setting the ok_as_delegate attribute on the host principal makes the KDC set the OK-AS-DELEGATE flag in service tickets issued for the cron host, which marks the host as one that clients may trust with delegated credentials.

    For example:

    # kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: modprinc +ok_as_delegate host/
    Principal "host/" modified.
  3. Enable the cron host to request tickets for itself on behalf of the user who created the cron job.

    The ok_to_auth_as_delegate attribute permits the host principal to use the S4U2Self extension: it can obtain a service ticket to itself in the name of a user who never presented credentials to it, which is how a cron job comes to run with that user's Kerberos identity.

    kadmin: modprinc +ok_to_auth_as_delegate host/
    Principal "host/" modified.
    kadmin: quit
  4. In LDAP, specify the services to which the cron host may delegate.

    The krbAllowedToDelegateTo attribute is the constraint in this constrained-delegation setup: the KDC issues the cron host tickets on a user's behalf (S4U2Proxy) only for the service principals listed there, so list just the services the cron jobs need. For example, to enable the cron host to access the user's home directory on host2, a Kerberized NFS server, add the NFS service principal to the krbAllowedToDelegateTo attribute of the cron host's principal entry in LDAP.

    1. Create the delegate assignment.
      # pfedit /tmp/delghost.ldif
      dn: krbprincipalname=host/,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
      changetype: modify
      add: krbAllowedToDelegateTo
      krbAllowedToDelegateTo: nfs/

      The add: line names the modification that changetype: modify requires; without it ldapmodify rejects the record.
    2. Add the assignment to LDAP.
      # ldapmodify -h host3 -D "cn=directory manager" -f /tmp/delghost.ldif
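The procedure above gathered into a script, as an added example that is not from the Oracle documentation: it generates the kadmin commands of steps 2 and 3 and the LDIF of step 4 from explicit parameters, accepts more than one target service, and checks whether a cron PAM service file already carries the include line of step 1. The realm EXAMPLE.COM, the base DN dc=example,dc=com, the host name cron1.example.com and the contents of the sample PAM file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation.
# Generates the artifacts of the cron delegation procedure from explicit
# parameters and checks a cron PAM service file. Realm, base DN and host
# names are assumed placeholders in the page's example.com style.

REALM=EXAMPLE.COM
BASE_DN=dc=example,dc=com

# pam_has_s4u FILE
# Succeeds if the PAM service file contains an active (uncommented)
# "auth include pam_gss_s4u" line, i.e. step 1 has been done.
pam_has_s4u() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+pam_gss_s4u[[:space:]]*$'
}

# kadmin_commands CRON_HOST
# Prints the kadmin commands of steps 2 and 3 for the host principal,
# suitable for piping into "kadmin -p kws/admin".
kadmin_commands() {
    printf 'modprinc +ok_as_delegate host/%s@%s\n' "$1" "$REALM"
    printf 'modprinc +ok_to_auth_as_delegate host/%s@%s\n' "$1" "$REALM"
}

# delegation_ldif CRON_HOST SERVICE...
# Prints the LDIF modify record of step 4 with one krbAllowedToDelegateTo
# value per target service principal. Each value is an allow-list entry:
# the KDC issues the cron host tickets on a user's behalf only for the
# services listed, so pass only the services the cron jobs need.
delegation_ldif() {
    host=$1
    shift
    printf 'dn: krbprincipalname=host/%s@%s,cn=%s,cn=krbcontainer,%s\n' \
        "$host" "$REALM" "$REALM" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'add: krbAllowedToDelegateTo\n'   # mod-spec required after changetype: modify
    for svc in "$@"; do
        printf 'krbAllowedToDelegateTo: %s@%s\n' "$svc" "$REALM"
    done
    printf '%s\n' -                          # terminates the mod-spec
}

# sample_pam before|after
# Writes a constructed cron PAM service file to a temp file and prints its
# path: "before" without the include line, "after" with it. The two lines
# of the base file are illustrative, not a copy of the Solaris default.
sample_pam() {
    f=$(mktemp) || return 1
    printf 'auth definitive pam_user_policy.so.1\nauth required   pam_unix_cred.so.1\n' > "$f"
    if [ "$1" = after ]; then
        printf '# PAM include file for optional set credentials\n' >> "$f"
        printf 'auth include          pam_gss_s4u\n' >> "$f"
    fi
    printf '%s\n' "$f"
}

# Usage: sh delegate.sh cron-host [service-principal ...]
if [ "$#" -gt 0 ]; then
    echo "# kadmin commands:"
    kadmin_commands "$1"
    echo "# LDIF for ldapmodify:"
    delegation_ldif "$@"
fi
```

Run it as sh delegate.sh cron1.example.com nfs/host2.example.com and feed the printed kadmin lines into kadmin and the LDIF into ldapmodify; the script itself never talks to a KDC or a directory server. The allow-list in the LDIF is the security boundary of the setup: every service principal added to krbAllowedToDelegateTo is one the cron host can obtain user-impersonating tickets for, so keep it to the services the jobs actually use.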