
Installing Oracle® Solaris 11.3 Systems

Updated: April 2019

How to Configure Kerberos Clients Using AI

In this procedure, the keytab file for the Kerberos client has already been created and stored on the AI server. The examples use auto-registration to configure Kerberos clients with pre-existing credentials or with new principals. The auto-registration process is simpler because you do not have to create and encode keytab files for individual Kerberos clients.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Create an install service, if needed.
    $ installadm create-service -n krb-sparc \
        -d /export/auto_install/krb-sparc \
        -s /export/auto_install/iso/sol-11_3-ai-sparc.iso
    Creating service from:
    /export/auto_install/iso/sol-11_3-ai-sparc.iso 
    Setting up the image ... 
    Creating sparc service: krb-sparc 
    Image path: /export/auto_install/krb-sparc 
    Refreshing install services
      
  3. Associate Kerberos clients with a service.

    Repeat this step for all AI clients that need to be installed running Kerberos. In this example the AI client using the address of 11:11:11:11:11:11 is associated with the krb-sparc install service.

    $ installadm create-client -n krb-sparc -e 11:11:11:11:11:11
    Adding host entry for 11:11:11:11:11:11 to local DHCP configuration.
      
  4. Create credentials for the Kerberos clients.
    $ installadm set-client -c 11:11:11:11:11:11 -g 
    Generating credentials for client 11:11:11:11:11:11... 
    A new certificate key has been generated. 
    A new certificate has been generated.
      
  5. Create a system configuration profile that defines the contents of the Kerberos configuration file.

    This example creates a profile by running the kclient command interactively. Alternatively, you could invoke the command using command-line options or using an input profile. For more information see the kclient(1M) man page.

    In this example, the KDC is running on an MIT server. To view sample output for a Solaris KDC, see Example 39, Downloading Existing Keys While Deploying Kerberos Clients. To view sample output for an AD client, see Example 41, Automatically Joining a Kerberos Client to an MS AD Domain.

    $ kclient -x /root/krb-sc.xml
    Starting client setup
    ---------------------------------------------------
    Is this a client of a non-Solaris KDC ? [y/n]: y
    Which type of KDC is the server: 
           ms_ad: Microsoft Active Directory 
           mit: MIT KDC server 
           heimdal: Heimdal KDC server 
           shishi: Shishi KDC server 
    Enter required KDC type: mit 
    Do you want to use DNS for kerberos lookups ? [y/n]: n 
           No action performed. 
    Enter the Kerberos realm: EXAMPLE.COM 
    Specify the master KDCs for the above realm using a comma-separated list: kdc.example.com 
    Do you have any slave KDC(s) ? [y/n]: y 
    Enter a comma-separated list of slave KDC host names: kdc2.example.com 
    Do you have multiple domains/hosts to map to a realm ? [y/n]: n
           No action performed.
    Setting up /root/krb-sc.xml.
  6. (Optional) Convert a Kerberos client's binary keytab file into an XML profile.

    This step is not needed if the keys can be obtained through auto-registration or if the Kerberos client is keyless. The Kerberos client needs to have a keytab file created, which is often done by the KDC administrator when a client is first configured.

    $ kclient-kt2prof -k ./host1.keytab -p /root/host1.xml
      
  7. Create client profiles to configure the rest of the Kerberos client.

    Because a profile must be used in this procedure, configure as much of the Kerberos client as possible using system configuration profiles.

  8. (Optional) Set the security policy for profiles.

    If the client profiles include a keytab, you should assign the require-client-auth security policy to the service so that only authenticated AI clients can download their keytab file.

    $ installadm set-service -p require-client-auth -n krb-sparc
  9. Associate the client profiles with the install service.

    Associate the profiles for the Kerberos configuration file, the client keytab file, and any other profiles that you have created to the install service.

    $ installadm create-profile -n krb-sparc -f /root/krb-sc.xml 
    Profile krb-sc.xml added to database. 
    $ installadm create-profile -n krb-sparc -f /root/host1.xml -c mac="11:11:11:11:11:11"
    Profile host1.xml added to database.
      
  10. Boot the Kerberos client to start the AI process.
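The following POSIX shell script is an added example, not part of the Oracle documentation: it wraps steps 3, 4, 6, 8 and 9 of the procedure above for a list of clients, rejecting malformed MAC addresses and applying the require-client-auth policy before any keytab profile is attached. It assumes that /root/krb-sc.xml from step 5 already exists and that the keytab paths under /export/keytabs (hypothetical) have been staged on the AI server; DRY_RUN=1 prints the installadm commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: enrol a list of AI clients
# for Kerberos in one pass. Assumes /root/krb-sc.xml (step 5) already exists and
# that each client's keytab has been staged on the AI server (hypothetical paths
# under /export/keytabs). DRY_RUN=1 prints the commands instead of running them.
set -eu

# Accept only a full six-octet, colon-separated MAC such as 11:11:11:11:11:11.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 8: keytab profiles will be attached, so require client authentication
# on the service so that only authenticated AI clients can download them.
secure_service() {
    run installadm set-service -p require-client-auth -n "$1"
}

# Steps 3, 4, 6 and 9 for one client: bind it to the service, generate its
# certificate, convert its keytab to a profile and tie that profile to its MAC.
enroll_client() {
    svc=$1; mac=$2; keytab=$3
    profile="/root/$(basename "$keytab" .keytab).xml"
    valid_mac "$mac" || { echo "rejecting malformed MAC: $mac" >&2; return 1; }
    [ "${DRY_RUN:-0}" = 1 ] || [ -r "$keytab" ] || { echo "no keytab $keytab" >&2; return 1; }
    run installadm create-client -n "$svc" -e "$mac"
    run installadm set-client -c "$mac" -g
    run kclient-kt2prof -k "$keytab" -p "$profile"
    run installadm create-profile -n "$svc" -f "$profile" -c mac="$mac"
}

# Constructed client list, one "mac keytab" pair per line.
CLIENTS='11:11:11:11:11:11 /export/keytabs/host1.keytab
22:22:22:22:22:22 /export/keytabs/host2.keytab'

main() {
    secure_service krb-sparc
    run installadm create-profile -n krb-sparc -f /root/krb-sc.xml
    printf '%s\n' "$CLIENTS" | while read -r mac keytab; do
        enroll_client krb-sparc "$mac" "$keytab"
    done
}

# Invoke as: DRY_RUN=1 sh enroll.sh run
if [ "${1:-}" = run ]; then main; fi
```

After step 10 the clients boot as before; the script only prepares the install service and its per-client profiles.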
Example 39  Downloading Existing Keys While Deploying Kerberos Clients

Note that using auto-registration only works if the KDC is either Solaris KDC or MS AD. If the KDC is MIT, Heimdal or Shishi, only pre-generated keytab transfer is possible.

In order to use auto-registration to download existing keys, you must first have created an admin principal on the KDC with c and i administration privileges. In this example, the name of the principal is download/admin.

In this example, the KDC is running Oracle Solaris. Also, the keys for the Kerberos client have already been created.

This example shows how to add the download/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The download/admin principal is a special admin principal that is used to transfer existing keys from the KDC server when the Kerberos client is deployed.

$ kclient -x /root/krb-sc.xml
Starting client setup 
--------------------------------------------------- 
Is this a client of a non-Solaris KDC ? [y/n]: n 
        No action performed. 
Do you want to use DNS for kerberos lookups ? [y/n]: n 
        No action performed. 
Enter the Kerberos realm: EXAMPLE.COM 
Specify the master KDCs for the above realm using a comma-separated
list: kdc.example.com 
Do you have any slave KDC(s) ? [y/n]: y 
Enter a comma-separated list of slave KDC host names: kdc2.example.com 
Do you have multiple domains/hosts to map to realm  ? EXAMPLE.COM [y/n]: n
        No action performed.
Should the client automatically join the realm ? [y/n]: y
Enter the krb5 administrative principal to be used: download/admin
Password for download/admin: xxxxxxxx
Do you plan on doing Kerberized nfs ? [y/n]: n 
        No action performed.   
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
        No action performed. 
Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
        No action performed.
Setting up /root/krb-sc.xml.
Example 40  Creating New Keys While Deploying Kerberos Clients

Note that using auto-registration only works if the KDC is either Solaris KDC or MS AD. If the KDC is MIT, Heimdal or Shishi, only pre-generated keytab transfer is possible.

In order to use auto-registration to download new keys, you must first have created an admin principal on the KDC with a, c and i administration privileges. In this example, the name of the principal is create/admin.

In this example, the KDC is running Oracle Solaris. This example adds the create/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The create/admin principal is a special admin principal that is used to transfer new keys from the KDC server when the Kerberos client is deployed. This command includes more options so fewer questions are asked.

$ kclient -x /root/krb-sc.xml -R EXAMPLE.COM -a create/admin -d none -m kdc.example.com
Starting client setup 
--------------------------------------------------- 
Do you have multiple domains/hosts to map to realm  ? EXAMPLE.COM [y/n]: n
        No action performed.
Should the client automatically join the realm ? [y/n]: y
Password for create/admin: xxxxxxxx
Setting up /root/krb-sc.xml.
Example 41  Automatically Joining a Kerberos Client to an MS AD Domain

In this example, the Kerberos client is joining an AD domain. Use the following command to add the Administrator principal when you are creating the system configuration profile for the Kerberos configuration file.

$ kclient -x /root/krb-sc.xml
Starting client setup 
--------------------------------------------------- 
Is this a client of a non-Solaris KDC ? [y/n]: y 
Which type of KDC is the server: 
        ms_ad: Microsoft Active Directory 
        mit: MIT KDC server 
        heimdal: Heimdal KDC server 
        shishi: Shishi KDC server 
Enter required KDC type: ms_ad 
Should the client automatically join AD domain ? [y/n]: y
Enter the Kerberos realm: EXAMPLE.COM 
Enter the krb5 administrative principal to be used: Administrator
Password for Administrator: xxxxxxxx
Setting up /root/krb-sc.xml.