
Managing Kerberos in Oracle® Solaris 11.4


Updated: August 2020

How to Use the kclient Utility Without an Installation Profile

This procedure uses the kclient installation utility without an installation profile. If the client is to join an Active Directory server, go to How to Join a Kerberos Client to an Active Directory Server.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Run the kclient command with no arguments.

    client# /usr/sbin/kclient

    The script prompts you for the following information:

    • Kerberos realm name

    • KDC master host name

    • KDC slave host names

    • Domains to map to the local realm

    • PAM service names and options to use for Kerberos authentication

    For more information, see the kclient(8) man page.

  2. If the KDC server is not running an Oracle Solaris release, answer y and define the type of server that is running the KDC.

    For the list of available servers, see the -T option in the kclient(8) man page.

  3. If DNS should be used for Kerberos lookups, answer y and indicate the DNS lookup option to use.

    Valid options are dns_lookup_kdc, dns_lookup_realm, and dns_fallback. For more information about these values, see the krb5.conf(5) man page.

  4. Define the name of the Kerberos realm and the master KDC host name.

    This information is added to the /etc/krb5/krb5.conf configuration file.

  5. If slave KDCs are in the realm, answer y and provide the slave KDC host names.

    This information is used to create additional KDC entries in the client's configuration file.

  6. If service or host keys are required, answer y.

    Tip - For security, all clients should have a host key. See Verifying Kerberos Clients Without a Host Principal.

    Service or host keys are required only when the client system is hosting Kerberized services.

  7. If the client is a member of a cluster, answer y and provide the logical name of the cluster.

    The logical host name is used when creating service keys, which are required when hosting Kerberos services from a cluster.

  8. Identify any domains or hosts to map to the current realm.

    This mapping enables the client to recognize other domains as belonging to the client's default domain.

  9. Specify whether the client will use Kerberized NFS.

    NFS service keys need to be created if the client will host NFS services using Kerberos.

  10. Indicate whether a new PAM policy needs to be created.

    To set which PAM services use Kerberos for authentication, you provide the service name and a flag that indicates how Kerberos authentication is to be used. The valid flag options are:

    • first – Use Kerberos authentication first, and fall back to UNIX authentication only if Kerberos authentication fails

    • only – Use Kerberos authentication only

    • optional – Use Kerberos authentication optionally

    For information about provided PAM services for Kerberos, review the files in the /etc/security/pam_policy directory.

  11. Specify whether the master /etc/krb5/krb5.conf file should be copied.

    This option enables specific configuration information to be used when the arguments to kclient are not sufficient.

Example 3 Sample Run of the kclient Script
...
Starting client setup
---------------------------------------------------

Is this a client of a non-Solaris KDC ? [y/n]: n
No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: y
...
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC host name for the above realm: kdc1.example.com

Note, this host and the KDC's time must be within 5 minutes of each other for
Kerberos to function. Both hosts should run some form of time synchronization
system like Network Time Protocol (NTP).
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com

Will this client need service keys ? [y/n]: n
No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
No action performed.
Do you have multiple domains/hosts to map to realm ? [y/n]: y
Enter a comma-separated list of domain/hosts to map to the default realm: corphdqtrs.example.com, \
example.com

Setting up /etc/krb5/krb5.conf.

Do you plan on doing Kerberized nfs ? [y/n]: y
Do you want to update /etc/pam.conf ? [y/n]: y
Enter a comma-separated list of PAM service names in the following format:
service:{first|only|optional}: gdm:first
Configuring /etc/pam.conf.

Do you want to copy over the master krb5.conf file ? [y/n]: n
No action performed.

---------------------------------------------------
Setup COMPLETE.
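After the script reports Setup COMPLETE, it is worth confirming that /etc/krb5/krb5.conf actually contains the realm, master KDC, slave KDC and domain mappings that were entered, rather than trusting the prompts. The following POSIX sh script is an added example, not part of the Oracle procedure or the kclient utility: it writes a constructed krb5.conf with the values from the sample run above into a temporary file (the exact layout kclient produces may differ) and then checks the settings a client needs to reach the KDCs. To audit a real client, point CONF at /etc/krb5/krb5.conf instead and skip write_sample_conf.

```shell
#!/bin/sh
# Added example (not Oracle's code): build a krb5.conf that reflects the sample
# kclient run (realm EXAMPLE.COM, master kdc1, slave kdc2, two mapped domains)
# and verify the entries a Kerberos client depends on.
# CONF is a constructed temporary path so the script never touches /etc/krb5.

CONF="${TMPDIR:-/tmp}/krb5.conf.example.$$"

# Write a krb5.conf holding the values entered in the sample run (constructed).
write_sample_conf() {
    cat > "$CONF" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        corphdqtrs.example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
EOF
}

# Print the value of key $2 from the [libdefaults] section of file $1.
libdefault_value() {
    awk -v k="$2" '
        /^\[/ { insec = ($0 == "[libdefaults]") }
        insec && $1 == k && $2 == "=" { print $3 }
    ' "$1"
}

# Print the lines inside the "REALM = { ... }" block of the [realms] section.
realm_block() {
    awk -v realm="$2" '
        /^\[/ { insec = ($0 == "[realms]") }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inblk = 1; next }
        inblk && $1 == "}" { inblk = 0 }
        inblk { print }
    ' "$1"
}

# Print how many kdc entries realm $2 has in file $1 (master plus slaves).
count_kdcs() {
    realm_block "$1" "$2" | awk '$1 == "kdc" && $2 == "=" { n++ } END { print n + 0 }'
}

# Succeed only if host $3 is listed as a kdc for realm $2 in file $1.
has_kdc() {
    realm_block "$1" "$2" | awk -v h="$3" '
        $1 == "kdc" && $2 == "=" && $3 == h { found = 1 }
        END { exit !found }
    '
}

# Print the realm that [domain_realm] maps domain $2 to in file $1.
domain_realm_of() {
    awk -v d="$2" '
        /^\[/ { insec = ($0 == "[domain_realm]") }
        insec && $1 == d && $2 == "=" { print $3 }
    ' "$1"
}

# Verify file $1 names realm $2 as default and lists master KDC $3; explain any failure.
verify_client_conf() {
    [ "$(libdefault_value "$1" default_realm)" = "$2" ] ||
        { echo "default_realm is not $2" >&2; return 1; }
    has_kdc "$1" "$2" "$3" ||
        { echo "master KDC $3 is not listed for realm $2" >&2; return 1; }
    [ "$(count_kdcs "$1" "$2")" -ge 1 ] ||
        { echo "realm $2 has no kdc entries" >&2; return 1; }
    return 0
}

# Stand-alone run: write the sample file and report on it.
write_sample_conf
verify_client_conf "$CONF" EXAMPLE.COM kdc1.example.com &&
    echo "$CONF: $(count_kdcs "$CONF" EXAMPLE.COM) KDC(s) for EXAMPLE.COM, checks passed"
```

The realm-block parser deliberately reads only the [realms] section, so a stray kdc line in another section does not satisfy the check, and verify_client_conf fails closed with a reason on stderr so it can be dropped into a post-install check.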