
Managing Kerberos in Oracle® Solaris 11.4


Updated: August 2020

How to Configure a Kerberos Network Application Server

This procedure uses the following configuration parameters:

  • Application server = boston

  • admin principal = kws/admin

  • DNS domain name = example.com

  • Realm name = EXAMPLE.COM

Before You Begin

Make sure the master KDC is configured and the clocks are synchronized as described in Synchronizing Clocks Between KDCs and Kerberos Clients. To fully test the process, you need several clients.

You must assume the root role on the application server. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Determine if a host principal exists for the new server.

    The following command reports the existence of the host principal:

    boston # klist -k | grep host
    4 host/boston.example.com@EXAMPLE.COM
    4 host/boston.example.com@EXAMPLE.COM
    4 host/boston.example.com@EXAMPLE.COM
    4 host/boston.example.com@EXAMPLE.COM

    If the command returns a principal, you are done. If it does not return a principal, create the new principals by using the following steps.

  2. Log in to the server with one of the admin principal names that you created when configuring the master KDC.

    boston # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin:

  3. Create the server's host principal.

    kadmin: addprinc -randkey host/boston.example.com
    Principal "host/boston.example.com" created.
    kadmin:

    The host principal is used in the following ways:

    • To authenticate traffic when using remote commands such as ftp.

    • By pam_krb5 to prevent KDC spoofing attacks by using the host principal to verify that a user's Kerberos credential was obtained from a trusted KDC.

    • To enable the root user to automatically acquire a Kerberos credential without requiring that a root principal exist. This capability can be useful when doing a manual NFS mount where the share requires a Kerberos credential.

    This principal is required if traffic using the remote application is to be authenticated using the Kerberos service. If the server has multiple host names associated with it, then create a principal for each host name using the FQDN form of the host name.

  4. Add the server's host principal to the server's keytab file and quit kadmin.

    If the kadmin command is not running, restart it with a command similar to the following: /usr/sbin/kadmin -p kws/admin

    If the server has multiple host names associated with it, then add a principal to the keytab for each host name.

    kadmin: ktadd host/boston.example.com
    Entry for principal host/boston.example.com with kvno 3, encryption type AES-256 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/boston.example.com with kvno 3, encryption type AES-128 CTS mode
    with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
    Entry for principal host/boston.example.com with kvno 3, encryption type Triple DES cbc
    mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
    kadmin: quit
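Steps 1 and 4 above check and populate the keytab by hand, one host name at a time. The following shell script is an added example (not part of the Oracle Solaris documentation) that runs the same check for a server with several host names: it reads a klist -k listing, reports which host principals are missing and which have more than one kvno in the keytab, and prints the kadmin commands still needed. It assumes the realm EXAMPLE.COM from the procedure's parameters and embeds constructed klist -k output so it runs offline.

```sh
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: verify that each
# FQDN an application server answers to has a host/ principal in the keytab.
# Constructed `klist -k` output is embedded so this runs offline; on a real
# server pass "$(klist -k)" instead. Uses awk -v (nawk or /usr/xpg4/bin/awk
# on Solaris if /usr/bin/awk does not accept it).

REALM="EXAMPLE.COM"   # assumed realm, matching the procedure's parameters

# Constructed sample: boston has its entries at kvno 3, the alias boston-web
# has none, and boston-old carries an older kvno 2 entry next to a kvno 3 one.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/boston.example.com@EXAMPLE.COM
   3 host/boston.example.com@EXAMPLE.COM
   3 host/boston.example.com@EXAMPLE.COM
   2 host/boston-old.example.com@EXAMPLE.COM
   3 host/boston-old.example.com@EXAMPLE.COM'

# Print the distinct kvnos recorded for host/<fqdn>@REALM in the klist -k
# listing read from stdin; no output means the principal is not in the keytab.
host_kvnos() {
    awk -v p="host/${1}@${REALM}" '$2 == p { print $1 }' | sort -u
}

# For each FQDN given after the listing, report "ok", "missing" (addprinc and
# ktadd still needed) or "multiple" (more than one kvno in the keytab, so old
# key material lingers and should be reviewed). Returns 1 if anything is not ok.
check_host_keytab() {
    listing=$1; shift
    rc=0
    for fqdn in "$@"; do
        kvnos=$(printf '%s\n' "$listing" | host_kvnos "$fqdn")
        count=$(printf '%s\n' "$kvnos" | awk 'NF { n++ } END { print n + 0 }')
        if [ "$count" -eq 0 ]; then
            echo "missing  $fqdn: kadmin> addprinc -randkey host/$fqdn; ktadd host/$fqdn"
            rc=1
        elif [ "$count" -gt 1 ]; then
            echo "multiple $fqdn: kvnos $(echo $kvnos) present in keytab"
            rc=1
        else
            echo "ok       $fqdn: kvno $kvnos"
        fi
    done
    return "$rc"
}

check_host_keytab "$SAMPLE_KLIST" boston.example.com boston-web.example.com boston-old.example.com || echo "keytab needs attention"
```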