Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

Kerberos Client Configuration Options

You can configure Kerberos clients by using the kclient configuration utility or by manually editing files. The utility runs in either interactive or noninteractive mode. In interactive mode, you are prompted for Kerberos-specific parameter values, so you can adjust them while configuring the client. In noninteractive mode, you supply a file with parameter values, and you can also pass options on the command line. Because both modes require fewer steps than manual configuration, they are quicker and less prone to error.

If the following setup is in effect, then no explicit configuration of your Kerberos client is necessary:

  • DNS is configured to return SRV records for KDCs.

  • The realm name matches the DNS domain name, or the KDC supports referrals.

  • The Kerberos client does not require keys that are different from the KDC server's keys.

You still might want to explicitly configure the Kerberos client for the following reasons:

  • The zero-configuration process performs more DNS lookups than a directly configured client, and therefore is less efficient than direct configuration.

  • If referrals are not used, the zero-configuration logic depends on the DNS domain name of the host to determine the realm. This configuration introduces a small security risk, but the risk is much smaller than enabling dns_lookup_realm.

  • The pam_krb5 module relies on a host key entry in the keytab file. Although this requirement can be disabled in the krb5.conf file, doing so is not recommended for security reasons. For more information, see Kerberos Client Login Security and the krb5.conf(4) man page.
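
As an added example that is not part of the Oracle documentation, the following Python script audits the [libdefaults] section of a krb5.conf file for the settings the list above touches on: dns_lookup_realm, an explicit default_realm, and verify_ap_req_nofail, which is assumed here to be the libdefaults option that switches off the pam_krb5 host-key check. Both configuration samples, including the EXAMPLE.COM realm and kdc1.example.com, are constructed for illustration.

```python
import re

# Constructed sample: weakly configured client (realm trusted from DNS).
WEAK_KRB5_CONF = """
[libdefaults]
    dns_lookup_realm = true
    verify_ap_req_nofail = false
"""

# Constructed sample: explicit realm and KDC, host-key verification kept on.
HARDENED_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    verify_ap_req_nofail = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""

def parse_sections(text):
    # Map section -> {key: value}; braced realm sub-blocks are skipped.
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current, depth = header.group(1), 0
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if current is not None and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return findings for [libdefaults]; an empty list means none found."""
    lib = parse_sections(text).get("libdefaults", {})
    findings = []
    if lib.get("dns_lookup_realm", "").lower() == "true":
        findings.append("dns_lookup_realm=true: realm is taken from DNS")
    if "default_realm" not in lib:
        findings.append("no default_realm: realm derived from host DNS domain")
    if lib.get("verify_ap_req_nofail", "").lower() == "false":
        findings.append("verify_ap_req_nofail=false: pam_krb5 host-key check off")
    return findings
```

On a Solaris client, pass the contents of /etc/krb5/krb5.conf to audit() to check the live configuration; the weak sample yields three findings and the hardened sample none.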

For a full description of client configuration, see Configuring Kerberos Clients.