Managing Kerberos in Oracle^® Solaris 11.4

How to Configure Automatic Migration of Users in a Kerberos Realm

Users who do not have a Kerberos principal can be automatically migrated to an existing Kerberos realm by using PAM. You customize per-system PAM configuration files on the migration server and the master server to handle the recognition of UNIX credentials and the re-authentication in the Kerberos realm.

For information about PAM, see Chapter 1, Using Pluggable Authentication Modules in Managing Authentication in Oracle Solaris 11.4 and the pam.conf(5) man page.

In this procedure, the login service names are configured to use automatic migration. This example uses the following configuration parameters:

• Realm name = EXAMPLE.COM

• Master KDC = kdc1.example.com

• Machine hosting the migration service = server1.example.com

• Migration service principal = host/server1.example.com

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

1. Ensure that a host service principal for server1 exists.

   The host service principal in the keytab file of server1 is used to authenticate the server to the master KDC.

   server1 # klist -k
   Keytab name: FILE:/etc/krb5/krb5.keytab
   KVNO Principal
   ---- ------------------------------------------------
   3 host/server1.example.com@EXAMPLE.COM
   ...

   For information about the options to the klist command, see the klist(1) man page.

2. If server1 is not listed, configure it as a Kerberos client of the realm EXAMPLE.COM.

   For the steps, see the examples in Configuring Kerberos Clients.

3. Modify the PAM policy for server1.

   For more information, see Assigning a Per-User PAM Policy in Managing Authentication in Oracle Solaris 11.4.

   ---

   Note -  If you are using the account-policy SMF stencil and the config/etc_default_login property is enabled, the following substeps will not work. Rather, PAM policy is determined by the value of the login_policy/pam_policy SMF property for server1. For examples of changing account-policy properties, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

   ---

   1. Determine which Kerberos policy is in use on server1.

      $ grep PAM_POLICY /etc/security/policy.conf
      # PAM_POLICY specifies the system-wide PAM policy (see pam_user_policy(5))
      ...
      PAM_POLICY=krb5_first

   2. Copy that PAM policy file, then modify the new policy file to append the pam_krb5_migrate.so.1 module to each authentication stack.

      server1 # cd /etc/security/pam_policy/; cp krb5_first krb5_firstmigrate
      server1 # pfedit /etc/security/pam_policy/krb5_firstmigrate
      # login service (explicit because of pam_dial_auth)
      ...
      login	auth required		pam_unix_auth.so.1
      login    auth optional		pam_krb5_migrate.so.1
      #
      # PPP service (explicit because of pam_dial_auth)
      ...
      ppp	auth required		pam_unix_auth.so.1
      ppp	auth optional		pam_krb5_migrate.so.1
      #
      # GDM Autologin (explicit because of pam_allow). ... 
      #
      gdm-autologin auth  required    pam_unix_cred.so.1
      gdm-autologin auth  sufficient  pam_allow.so.1
      gdm-autologin auth optional    pam_krb5_migrate.so.1
      #
      # Default definitions for Authentication management
      ...
      OTHER   auth required           pam_unix_auth.so.1
      OTHER   auth optional    pam_krb5_migrate.so.1
      #
      # passwd command (explicit because of a different authentication module)
      #
      passwd  auth required           pam_passwd_auth.so.1
      passwd  auth optional    pam_krb5_migrate.so.1
      #
      ...

      ---

      Note - PPP was removed in the Oracle Solaris 11.4 SRU 24 release.

      ---

   3. (Optional) Edit the krb5_firstmigrate file to force an immediate password change.

      For the newly created Kerberos accounts, set the password expiration time to the current time by adding the –expire_pw option to the pam_krb5_migrate entries. For more information, see the pam_krb5_migrate(7) man page.

      service-name auth optional     pam_krb5_migrate.so.1 expire_pw

   4. In this policy file, modify the OTHER account stack to block access if the Kerberos password has expired.

      # Definition for Account management
      # Used when service name is not explicitly mentioned for account management
      # Re-ordered pam_krb5 causes a Kerberos password expiration to block access
      #
      OTHER   account	requisite   pam_roles.so.1
      OTHER   account	required	pam_krb5.so.1
      OTHER   account	required	pam_unix_account.so.1
      OTHER   account	required	pam_tsol_account.so.1
      ## OTHER	account	required	pam_krb5.so.1
      #
      ...

   5. Change the PAM_POLICY entry in the policy.conf file to use the modified configuration file.

      ---

      Note -  If you are using the account-policy SMF stencil and the config/etc_default_login property is enabled, editing the policy.conf file will not work. Rather, system-wide PAM policy is set by the value of the login_policy/pam_policy SMF property. For examples of changing account-policy properties, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

      ---

      server1 # pfedit /etc/security/policy.conf
      ...
      # PAM_POLICY=krb5_first
      PAM_POLICY=krb5_firstmigrate

      For more information, review the comments in the policy.conf file.

4. On the master KDC, update the kadm5.acl access control file.

   The following entries grant migrate and inquire privileges to the host/server1.example.com service principal for all users except the root user. Use the U privilege to list users who must not be migrated. These exceptions must precede the permit all or ui entry. For more information. see the kadm5.acl(5) man page.

   kdc1# pfedit /etc/krb5/kadm5.acl
   host/server1.example.com@EXAMPLE.COM U root
   host/server1.example.com@EXAMPLE.COM ui *
   */admin@EXAMPLE.COM *

5. On the master KDC, enable the kadmind daemon to use the k5migrate PAM service.

   If a k5migrate service file is not in the /etc/pam.d directory, add the service file to the directory. The contents are as follows:

   kdc1# cat /etc/pam.d/k5migrate
   ...
   ## Permits validation of migrated UNIX accounts
   auth    required        pam_unix_auth.so.1
   account required        pam_unix_account.so.1

   This modification enables the validation of UNIX user passwords for accounts that require migration. For more information, see the pam.d(5) man page.

   ---

   Note -  k5migrate is the name of a PAM service. The file must be named k5migrate.

   ---

6. Test your configuration before putting it in production.
   • As a regular user, test each modified PAM service.
   • As root, test each modified PAM service.
   • Force a password change, then test the modified PAM services.