In this procedure, the keytab file for the Kerberos client has already been created and stored on the AI server. In the examples use auto-registration to configure Kerberos clients by using pre-existing credentials or using new principals. The auto-registration process is simpler because you do not have to create and encode keytab files for individual Kerberos clients.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
$ installadm create-service -n krb-sparc \
-d /export/auto_install/krb-sparc \
-s /export/auto_install/iso/sol-11_3-ai-sparc.iso
Creating service from:
/export/auto_install/iso/sol-11_3-ai-sparc.iso
Setting up the image ...
Creating sparc service: krb-sparc
Image path: /export/auto_install/krb-sparc
Refreshing install services
Repeat this step for all AI clients that need to be installed running Kerberos. In this example the AI client using the address of 11:11:11:11:11:11 is associated with the krb-sparc install service.
$ installadm create-client -n krb-sparc -e 11:11:11:11:11:11 Adding host entry for 11:11:11:11:11:11 to local DHCP configuration.
$ installadm set-client -c 11:11:11:11:11:11 -g Generating credentials for client 11:11:11:11:11:11... A new certificate key has been generated. A new certificate has been generated.
This example creates a profile by running the kclient command interactively. Alternatively, you could invoke the command using command-line options or using an input profile. For more information see the kclient(1M) man page.
In this example, the KDC is running on an MIT server. To view sample output for a Solaris KDC, see Example 33, Downloading Existing Keys While Deploying Kerberos Clients. To view sample output for an AD client, see Example 35, Automatically Joining an Kerberos Client to a MS AD Domain.
$ kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
shishi: Shishi KDC server
Enter required KDC type: mit
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the master KDCs for the above realm using a comma-separated list: kdc.example.com
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com
Do you have multiple domains/hosts to map to a realm ? [y/n]: n
No action performed.
Setting up /root/krb-sc.xml.
This step is not needed if the keys can be obtained through auto-registration or if the Kerberos client is keyless. The Kerberos client needs to have a keytab file created, which is often done by the KDC administrator when a client is first configured.
$ kclient-kt2prof -k ./host1.keytab -p /root/host1.xml
Because a profile must be used in this procedure, configure as much of the Kerberos client as possible using system configuration profiles.
If the client profiles include a keytab, you should assign the require-client-auth security policy to the service so that only authenticated AI clients can download their keytab file.
$ installadm set-service -p require-client-auth -n krb-sparc
Associate the profiles for the Kerberos configuration file, the client keytab file, and any other profiles that you have created to the install service.
$ installadm create-profile -n krb-sparc -f /root/krb-sc.xml Profile krb-sc.xml added to database. $ installadm create-profile -n krb-sparc -f /root/host1.xml -c mac="11:11:11:11:11:11" Profile host1.xml added to database.
Note that using auto-registration only works if the KDC is either Solaris KDC or MS AD. If the KDC is MIT, Heimdal or Shishi, only pre-generated keytab transfer is possible.
In order to use auto-registration to download existing keys, you must first have created a admin principal on the KDC with c and i administration privileges. In this example, the name of the principal is download/admin.
In this example, the KDC is running Oracle Solaris. Also, the keys for the Kerberos client have already been created.
This example shows how to add the download/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The download/admin principal is a special admin principal that is used to transfer existing keys from the KDC server when the Kerberos client is deployed.
$ kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: n
No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the master KDCs for the above realm using a comma-separated
list: kdc.example.com
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com
Do you have multiple domains/hosts to map to realm ? EXAMPLE.COM [y/n]: n
No action performed.
Should the client automatically join the realm ? [y/n]: y
Enter the krb5 administrative principal to be used: download/admin
Password for download/admin: xxxxxxxx
Do you plan on doing Kerberized nfs ? [y/n]: n
No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
No action performed.
Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
No action performed.
Setting up /root/krb-sc.xml.
Example 34 Creating New Keys While Deploying Kerberos Clients
Note that using auto-registration only works if the KDC is either Solaris KDC or MS AD. If the KDC is MIT, Heimdal or Shishi, only pre-generated keytab transfer is possible.
In order to use auto-registration to download new keys, you must first have created an admin principal on the KDC with a, c and i administration privileges. In this example, the name of the principal is create/admin.
In this example, the KDC is running Oracle Solaris. This example adds the create/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The create/admin principal is a special admin principal that is used to transfer new keys from the KDC server when the Kerberos client is deployed. This command includes more options so fewer questions are asked.
$ kclient -x /root/krb-sc.xml -R EXAMPLE.COM -a create/admin -d none -m kdc.example.com
Starting client setup
---------------------------------------------------
Do you have multiple domains/hosts to map to realm ? EXAMPLE.COM [y/n]: n
No action performed.
Should the client automatically join the realm ? [y/n]: y
Password for create/admin: xxxxxxxx
Setting up /root/krb-sc.xml.
Example 35 Automatically Joining an Kerberos Client to a MS AD Domain
In this example, the Kerberos client is joining an AD domain. Use the following command to add the Administrator principal when you are creating the system configuration profile for the Kerberos configuration file.
$ kclient -x /root/krb-sc.xml
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: y
Which type of KDC is the server:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
shishi: Shishi KDC server
Enter required KDC type: ms_ad
Should the client automatically join AD domain ? [y/n]: y
Enter the Kerberos realm: EXAMPLE.COM
Enter the krb5 administrative principal to be used: Administrator
Password for Administrator: xxxxxxxx
Setting up /root/krb-sc.xml.