Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.3

Introduction to MIT Kerberos on Oracle Solaris

MIT Kerberos on Oracle Solaris takes advantage of Oracle Solaris features, such as the Image Packaging Service (IPS), SMF services, and Automated Installation (AI). See also Native Oracle Solaris Features Integrated With Kerberos.

Comparison of MIT Kerberos and Oracle Solaris Kerberos

The following table describes the differences between MIT Kerberos and the Oracle Solaris version.

Table 2  Differences Between MIT Kerberos and Oracle Solaris Kerberos

MIT Kerberos Behavior Oracle Solaris Kerberos Behavior Difference in Oracle Solaris Users download MIT Kerberos from the web. Administrators install Kerberos as IPS packages. IPS repositories provide security for data at rest and data in transit. k* commands run Kerberos. svc* commands run Kerberos, which is an SMF service. Some Kerberos commands are replaced by SMF commands. See Differences in Defaults Between MIT Kerberos and Oracle Solaris Kerberos. Users create scripts to configure Kerberos clients identically. Kerberos is integrated with the Automated Install (AI) feature. Kerberos clients can be installed automatically and identically through AI. Users create scripts to configure Kerberos clients identically. Oracle Solaris provides a kclient configuration script. The kclient configuration script can configure clients similarly. Users configure KDCs manually. Oracle Solaris provides a kdcmgr configuration script. The kdcmgr configuration script can configure the KDC with minimal input. Tickets cannot be automatically renewed. Oracle Solaris provides the ktkt_warnd daemon. The ktkt_warnd daemon can enable automatic ticket renewal. Relation default values can be different. Oracle Solaris changes the default for some relations and adds relations. Oracle Solaris changes the defaults of some Kerberos relations. See Differences in Defaults Between MIT Kerberos and Oracle Solaris Kerberos.

For additional information, see Documentation About Kerberos and Configuring the Kerberos Service.

Differences in Defaults Between MIT Kerberos and Oracle Solaris Kerberos

SMF services for Kerberos and some relations are unique to Oracle Solaris Kerberos. Also, some relations in Oracle Solaris have different default values than the relations in MIT Kerberos.

kadmin service

The svc:/network/security/kadmin:default SMF service manages the Kerberos database administration daemon in Oracle Solaris. SMF administrative commands include svcs for determining the status of the service and svcadm for administering the service.

krb5kdc service

The svc:/network/security/krb5kdc:default SMF service manages the KDC in Oracle Solaris.

krb5_prop service

The svc:/network/security/krb5_prop:default SMF service manages the Kerberos database propagation daemon in Oracle Solaris.

–u permission

In the kadm5.acl file, allows or disallows the creation of one-component user principals whose password can be validated with PAM.

kdc_max_tcp_connections relation

In the kdc.conf file, controls the maximum number of TCP connections that the KDC allows. The minimum value is 10. If this relation is not specified, the Kerberos server allows a maximum of 30 TCP connections.

admin_server_rotate and kdc_rotate relations

In the kdc.conf file, enables log files to be rotated to multiple files on a schedule. The admin_server_rotate relation controls the kadmin log file and the kdc_rotate relation controls the kdc log file.

Rotation can be used to avoid logging to a file which might grow too large and halt the KDC. See the kdc.conf(4) man page for how to set file versions and the time interval.

auth_to_local_realm relation

In the krb5.conf file, enables non-default realms to equate with the default realm for authenticated name-to-local name mapping. Unique to Oracle Solaris.

verify_ap_req_nofail relation

In the krb5.conf file, causes credential verification to fail if the client system does not have a keytab. The default value in Oracle Solaris is true.

Documentation About Kerberos

Kerberos documentation for features that Oracle Solaris does not change is on the MIT Kerberos Documentation web site (http://web.mit.edu/kerberos/krb5-1.14/doc/index.html). This guide documents Oracle Solaris changes to default Kerberos behavior or Kerberos behaviors that are integrated with Oracle Solaris features.

Kerberos Documentation

Kerberos documentation from MIT covers the following topics:

• What is Kerberos? – Describes the Kerberos environment.

• Administrator Documentation – Includes planning; administering the Key Distribution Center (KDC), also called the database; configuring Kerberos in an LDAP environment; and so on. Includes man pages and troubleshooting. See the Table of Contents.

• User Documentation – Includes ticket and password management, configuration files, and user commands.

Other topics on the MIT Kerberos Documentation web site include developer and build information, plugins, and advanced configuration.

Oracle Solaris Documentation for Kerberos

Supplementary information or information specific to Oracle Solaris is covered in this guide in the following sections:

• How the Kerberos Service Works – Discusses details about ticket handling by Kerberos.

• Kerberos and FIPS 140-2 Mode – Describes configuring Kerberos in FIPS 140-2 mode in Oracle Solaris.

• Planning for the Kerberos Service – Describes planning issues that are specify to Oracle Solaris.

• Configuring the Kerberos Service – Describes procedures that use Oracle Solaris features to install and configure Kerberos.

• Users Using Kerberos – Describes Kerberos password, ticketing, and remote login considerations in an Oracle Solaris environment.

• Modified MIT Kerberos man pages – Delivered in the Kerberos IPS packages to describe Oracle Solaris-specific features of Kerberos.