MIT Kerberos on Oracle Solaris takes advantage of Oracle Solaris features, such as the Image Packaging Service (IPS), SMF services, Security Extensions, and Automated Installation (AI). See also Native Oracle Solaris Features Integrated With Kerberos.
The following table describes the differences between MIT Kerberos and the Oracle Solaris version.
SMF services for Kerberos and some relations are unique to Oracle Solaris Kerberos. Also, some relations in Oracle Solaris have different default values than the relations in MIT Kerberos.
The svc:/network/security/kadmin:default SMF service manages the Kerberos database administration daemon in Oracle Solaris. SMF administrative commands include svcs for determining the status of the service and svcadm for administering the service.
The svc:/network/security/krb5kdc:default SMF service manages the KDC in Oracle Solaris.
The svc:/network/security/krb5_prop:default SMF service manages the Kerberos database propagation daemon in Oracle Solaris.
In the kadm5.acl file, allows or disallows the creation of one-component user principals whose password can be validated with PAM.
In the kdc.conf file, controls the maximum number of TCP connections that the KDC allows. The minimum value is 10. If this relation is not specified, the Kerberos server allows a maximum of 30 TCP connections.
In the kdc.conf file, enables log files to be rotated to multiple files on a schedule. The admin_server_rotate relation controls the kadmin log file and the kdc_rotate relation controls the kdc log file.
Rotation prevents logging to a single file that might grow too large and halt the KDC. See the kdc.conf(5) man page for how to set file versions and the time interval.
In the krb5.conf file, enables non-default realms to equate with the default realm for authenticated name-to-local name mapping. Unique to Oracle Solaris.
In the krb5.conf file, causes credential verification to fail if the client system does not have a keytab. The default value in Oracle Solaris is true.
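An added example, not part of the Oracle documentation: a small Python audit that checks the relations described above against their stated minimum and defaults. The relation names kdc_max_tcp_connections and verify_ap_req_nofail do not appear on this page and are assumed from the kdc.conf(5) and krb5.conf(5) man pages; the sample file contents, function names, and messages are constructed for illustration.

```python
import re
FALSE_WORDS = {"n", "no", "false", "f", "nil", "0", "off"}  # profile spellings of false

# Constructed sample files for the example, not taken from a real system.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_max_tcp_connections = 5
[logging]
    kdc_rotate = {
        period = 1d
    }
"""
SAMPLE_KRB5_CONF = """\
[libdefaults]
    verify_ap_req_nofail = false
"""

def parse_profile(text):
    """Flatten a krb5-style profile into {relation: [(section, value), ...]}."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line == "}":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        key, sep, value = line.partition("=")
        if m:
            section = m.group(1)
        elif sep:  # a subsection opener such as "kdc_rotate = {" is recorded too
            found.setdefault(key.strip(), []).append((section, value.strip()))
    return found

def audit(kdc_conf, krb5_conf):
    """Return findings for the Solaris-specific relations (assumed names)."""
    findings = []
    kdc, krb5 = parse_profile(kdc_conf), parse_profile(krb5_conf)
    for _, value in kdc.get("kdc_max_tcp_connections", []):
        if not value.isdigit() or int(value) < 10:
            findings.append(f"kdc_max_tcp_connections = {value}: not an integer of at least 10")
    for name in ("kdc_rotate", "admin_server_rotate"):
        if name not in kdc:
            findings.append(f"{name} not set: no scheduled rotation for that log file")
    for section, value in krb5.get("verify_ap_req_nofail", []):
        if value.lower() in FALSE_WORDS:
            findings.append(f"verify_ap_req_nofail = {value} in [{section}]: overrides the Solaris default of true")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_KDC_CONF, SAMPLE_KRB5_CONF)))
```

An absent kdc_max_tcp_connections relation produces no finding, because the server then allows the default of 30 connections.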
Kerberos documentation for features that Oracle Solaris does not change is on the MIT Kerberos Documentation web site (http://web.mit.edu/kerberos/krb5-1.14/doc/index.html). This guide documents Oracle Solaris changes to default Kerberos behavior or Kerberos behaviors that are integrated with Oracle Solaris features.
Kerberos documentation from MIT covers the following topics:
What is Kerberos? – Describes the Kerberos environment.
Administrator Documentation – Includes planning; administering the Key Distribution Center (KDC), also called the database; configuring Kerberos in an LDAP environment; and so on. Includes man pages and troubleshooting. See the Table of Contents.
User Documentation – Includes ticket and password management, configuration files, and user commands.
Other topics on the MIT Kerberos Documentation web site include developer and build information, plugins, and advanced configuration.
Supplementary information or information specific to Oracle Solaris is covered in this guide in the following sections:
How the Kerberos Service Works – Discusses details about ticket handling by Kerberos.
Kerberos and FIPS 140-2 Mode – Describes configuring Kerberos in FIPS 140-2 mode in Oracle Solaris.
Planning for the Kerberos Service – Describes planning issues that are specific to Oracle Solaris.
Configuring the Kerberos Service – Describes procedures that use Oracle Solaris features to install and configure Kerberos.
Users Using Kerberos – Describes Kerberos password, ticketing, and remote login considerations in an Oracle Solaris environment.
Modified MIT Kerberos man pages – Delivered in the Kerberos IPS packages to describe Oracle Solaris-specific features of Kerberos.