Go to main content

Managing Kerberos in Oracle® Solaris 11.4

Exit Print View

Updated: August 2020

Configuring Delayed Execution for Access to Kerberos Services

In the default Kerberos environment, credentials expire after a limited amount of time. For processes that can execute at arbitrary times, such as cron and at, the limited time presents a problem.

This procedure describes how to configure the Kerberos environment to support delayed execution processes that require authenticated services through Kerberos. Oracle Solaris provides PAM modules, uses service keys, and uses kclient configuration options to make delayed execution with Kerberos authentication possible and more secure than alternative solutions.

Note -  If the cron server becomes compromised, an attacker could impersonate users to gain access to target services that are configured for the cron server. Therefore, consider that the cron host that is configured in this procedure as a more sensitive system, because it provides intermediate services for users.

How to Configure a cron Host for Access to Kerberos Services

    This procedure uses the following configuration parameters:

  • cron host = host1.example.com

  • NFS server = host2.example.com

  • LDAP server = host3.example.com

Note -  Delayed execution works only with an LDAP back end.
  1. Configure the cron service to support Kerberos.
    • If the cron host is not configured for Kerberos, then run the kclient command on the system.

      For more information, see the kclient(8) man page.

      For example, the following command configures the client in the EXAMPLE.COM realm. The command includes the pam_gss_s4u file in the /etc/pam.d/cron service file by using the include mechanism.

      # kclient -s cron:optional -R EXAMPLE.COM
    • If the cron host is already configured for Kerberos, then you must modify the PAM configuration for the cron service on that host manually.

      Ensure that the PAM configuration for the cron service includes the pam_gss_s4u file.

      # cd /etc/pam.d ; cp cron cron.orig
      # pfedit cron
            # PAM include file for optional set credentials
            # through Kerberos keytab and GSS-API S4U support
            auth include          pam_gss_s4u
  2. Enable the cron host to act as a delegate.

    For example:

    # kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin: modprinc +ok_as_delegate host/host1.example.com@EXAMPLE.COM
    Principal host/host1.example.com@EXAMPLE.COM modified.
  3. Enable the cron host to request tickets for itself on behalf of the user who created the cron job.
    kadmin: modprinc +ok_to_auth_as_delegate host/host1.example.com@EXAMPLE.COM
    Principal host/host1.example.com@EXAMPLE.COM modified.
    kadmin: quit
  4. In LDAP, configure the cron host to specify the services that it uses as a delegate.

    For example, to enable the cron host to access the user's home directory on host2, a Kerberized NFS server, add the NFS host to the krbAllowedToDelegateTo parameter in the cron server's LDAP definition.

    1. Create the delegate assignment.
      # pfedit /tmp/delghost.ldif
      dn: krbprincipalname=host/host1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
      changetype: modify
      krbAllowedToDelegateTo: nfs/host2.example.com@EXAMPLE.COM
    2. Add the assignment to LDAP.
      # ldapmodify -h host3 -D "cn=directory manager" -f delghost.ldif