
Managing Kerberos in Oracle® Solaris 11.4


Updated: November 2020

How to Join a Kerberos Client to an Active Directory Server

This procedure uses the kclient command without an installation profile.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. (Optional) Enable DNS resource record creation for the client.
    client# sharectl set -p ddns_enable=true smb
  2. Run the kclient command.

    The following is sample output from running the kclient command to join the client to the AD domain EXAMPLE.COM.

    The -T option selects the KDC server type, in this case a Microsoft Active Directory (AD) server. By default, you must provide the password for the Administrator principal of the AD server.

    client# /usr/sbin/kclient -T ms_ad
    Starting client setup
    ---------------------------------------------------
    
    Attempting to join 'CLIENT' to the 'EXAMPLE.COM' domain.
    Password for Administrator@EXAMPLE.COM: xxxxxxxx
    Forest name found: example.com
    Looking for local KDCs, DCs and global catalog servers (SVR RRs).
    
    Setting up /etc/krb5/krb5.conf
    
    Creating the machine account in AD via LDAP.
    ---------------------------------------------------
    Setup COMPLETE.
    #

    For more information, see the kclient(8) man page.

Example 4 Sample Kerberos Client of a Non-Oracle Solaris KDC

A Kerberos client can be set up to work with a non-Oracle Solaris KDC by adding a line to the realms section of the /etc/krb5/krb5.conf file. The kpasswd_protocol line changes the protocol that the client uses when communicating with the Kerberos password-changing server. The following excerpt shows the format of this line.

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
                kpasswd_protocol = SET_CHANGE
        }
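The kclient run in step 2 writes /etc/krb5/krb5.conf, and Example 4 shows the one line you add by hand to a realm block afterwards. The script below is an added example, not part of the Oracle documentation or the kclient tool: it reads a realm setting out of a krb5.conf-style file and inserts a kpasswd_protocol line into the named realm's block only when that block does not already have one, so re-running it is harmless and other realms are left alone. The configuration it operates on is a constructed sample written to a temporary file; the function names realm_setting and set_kpasswd_protocol are this example's own.

```shell
#!/bin/sh
# Added example (not Oracle's or kclient's code): inspect one realm block in a
# krb5.conf-style file and add "kpasswd_protocol = <value>" to it if missing.

# Constructed sample: a krb5.conf excerpt of the kind kclient writes, with no
# kpasswd_protocol line yet. Written to a temp file so the live config is untouched.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }
        OTHER.EXAMPLE = {
                kdc = kdc.other.example
        }

[domain_realm]
        .example.com = EXAMPLE.COM
EOF

# realm_setting FILE REALM KEY
# Print the first value of KEY inside REALM's braces under [realms].
# Prints nothing when the realm or key is absent; only the [realms] section
# is consulted, so a same-named key in another section is not mistaken for it.
realm_setting() {
    awk -v realm="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[realms\]/); next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[ \t]*}/ { inrealm = 0; next }
        inrealm && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# set_kpasswd_protocol FILE REALM VALUE
# If REALM's block has no kpasswd_protocol line, insert one directly after the
# realm's opening brace, keeping the block's indentation. The file is rewritten
# through a temp file; a second call finds the line present and does nothing.
set_kpasswd_protocol() {
    file=$1; realm=$2; value=$3
    if [ -n "$(realm_setting "$file" "$realm" kpasswd_protocol)" ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v realm="$realm" -v value="$value" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[realms\]/) }
        { print }
        insec && $1 == realm && $2 == "=" && $3 == "{" {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            print indent "\tkpasswd_protocol = " value
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on the constructed sample.
set_kpasswd_protocol "$SAMPLE_CONF" EXAMPLE.COM SET_CHANGE
echo "EXAMPLE.COM kpasswd_protocol: $(realm_setting "$SAMPLE_CONF" EXAMPLE.COM kpasswd_protocol)"
echo "OTHER.EXAMPLE kpasswd_protocol: '$(realm_setting "$SAMPLE_CONF" OTHER.EXAMPLE kpasswd_protocol)'"
```

To use it against the real file, point set_kpasswd_protocol at /etc/krb5/krb5.conf as root after kclient has finished; because the function refuses to add a second line when one exists, it is safe to include in a repeatable post-join script.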