This procedure uses the kclient installation utility without an installation profile. If the client is to join an Active Directory server, go to How to Join a Kerberos Client to an Active Directory Server.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Run the kclient installation script as root:
client# /usr/sbin/kclient
The script prompts you for the following information:
Kerberos realm name
KDC master host name
KDC slave host names
Domains to map to the local realm
PAM service names and options to use for Kerberos authentication
For more information, see the kclient(1M) man page.
The script asks the following questions, in the order shown. Each entry below gives the prompt and what your answer controls.

Is this a client of a non-Solaris KDC?
    For the list of available servers, see the -T option in the kclient(1M) man page.

Do you want to use DNS for kerberos lookups?
    Valid options are dns_lookup_kdc, dns_lookup_realm, and dns_fallback. With dns_lookup_kdc the client locates KDCs through DNS SRV records instead of the kdc entries in krb5.conf. Use the man command to view a description of these values in the krb5.conf(4) man page.

Enter the Kerberos realm / Specify the KDC host name for the above realm
    This information is added to the /etc/krb5/krb5.conf configuration file. The client's clock and the KDC's clock must be within 5 minutes of each other, so both hosts should be synchronized with NTP before you continue.

Do you have any slave KDC(s)?
    This information is used to create additional KDC entries in the client's configuration file.

Will this client need service keys?
    Service or host keys are required only when the client system is hosting Kerberized services.

Is this client a member of a cluster that uses a logical host name?
    The logical host name is used when creating service keys, which is required when hosting Kerberos services from clusters.

Do you have multiple domains/hosts to map to realm?
    This mapping enables the client to recognize the listed domains and hosts as belonging to the client's default realm.

Do you plan on doing Kerberized nfs?
    NFS service keys need to be created if the client will host NFS services using Kerberos.

Do you want to update /etc/pam.conf?
    To set which PAM services use Kerberos for authentication, you provide the service name and a flag that indicates how Kerberos authentication is to be used, in the form service:flag. The valid flag values are:
    first – Use Kerberos authentication first, and fall back to UNIX authentication only if Kerberos authentication fails
    only – Use Kerberos authentication only
    optional – Use Kerberos authentication optionally
    For information about the provided PAM services for Kerberos, review the files in the /etc/security/pam_policy directory.

Do you want to copy over the master krb5.conf file?
    This option enables specific configuration information from the master KDC's krb5.conf to be used when the arguments to kclient are not sufficient.
Example: Running the kclient Script

The following transcript configures a client of the EXAMPLE.COM realm with a master KDC, one slave KDC, DNS lookups, a domain-to-realm mapping, Kerberized NFS, and Kerberos authentication for the gdm PAM service:

...
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: n
No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: y
...
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC host name for the above realm: kdc1.example.com
Note, this host and the KDC's time must be within 5 minutes of each other for Kerberos
to function. Both hosts should run some form of time synchronization system like
Network Time Protocol (NTP).
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com
Will this client need service keys ? [y/n]: n
No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
No action performed.
Do you have multiple domains/hosts to map to realm ? [y/n]: y
Enter a comma-separated list of domain/hosts to map to the default realm: corphdqtrs.example.com, example.com
Setting up /etc/krb5/krb5.conf.
Do you plan on doing Kerberized nfs ? [y/n]: y
Do you want to update /etc/pam.conf ? [y/n]: y
Enter a comma-separated list of PAM service names in the following format: service:{first|only|optional}: gdm:first
Configuring /etc/pam.conf.
Do you want to copy over the master krb5.conf file ? [y/n]: n
No action performed.
---------------------------------------------------
Setup COMPLETE.
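After kclient finishes, it is worth confirming that /etc/krb5/krb5.conf actually carries the realm, KDC entries and domain mappings you answered with, since a typo at the prompt silently produces a client that cannot find its KDC. The script below is an added example written for this page; it is not code from Oracle or from kclient. It defines small awk-based readers for the [libdefaults], [realms] and [domain_realm] sections that krb5.conf(4) documents, and a check_krb5_conf function that reports anything missing. The sample file it writes is constructed here to mirror the session above (realm EXAMPLE.COM, master kdc1.example.com, slave kdc2.example.com, DNS lookups on, corphdqtrs.example.com and example.com mapped to the realm); the exact layout kclient writes may differ, and the path /etc/krb5/krb5.conf is an assumption you can override with KRB5_CONF.

```shell
#!/bin/sh
# Added example, not part of the Oracle page or of kclient: verify the
# krb5.conf that kclient produced. Only the section/key names from
# krb5.conf(4) are relied on; the sample file below is constructed.

KRB5_CONF="${KRB5_CONF:-/etc/krb5/krb5.conf}"   # assumed default path

# Write a constructed sample mirroring the interactive session above,
# so the checks can be exercised offline before running them on a real host.
make_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        dns_lookup_realm = true

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        .corphdqtrs.example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM
EOF
}

# Print the value of a key in [libdefaults], or nothing if it is absent.
libdefault() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[libdefaults]"); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print every "kdc =" host configured for a realm, one per line.
realm_kdcs() {
    awk -v realm="$2" '
        /^\[/ { insec = ($0 == "[realms]"); inrealm = 0; next }
        insec && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$1"
}

# Print the realm a domain or host maps to in [domain_realm] (matching
# either "example.com" or the ".example.com" suffix form), or nothing.
domain_realm() {
    awk -v dom="$2" '
        /^\[/ { insec = ($0 == "[domain_realm]"); next }
        insec && ($1 == dom || $1 == ("." dom)) && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_krb5_conf FILE REALM MASTER_KDC [DOMAIN...]
# Returns 0 when FILE names REALM as default_realm, lists MASTER_KDC as a
# kdc for that realm, and maps every DOMAIN to it; otherwise prints what
# is missing and returns 1.
check_krb5_conf() {
    conf=$1; realm=$2; master=$3; shift 3
    rc=0
    [ "$(libdefault "$conf" default_realm)" = "$realm" ] \
        || { echo "default_realm is not $realm"; rc=1; }
    realm_kdcs "$conf" "$realm" | grep -qx "$master" \
        || { echo "no kdc entry for $master under realm $realm"; rc=1; }
    for d in "$@"; do
        [ "$(domain_realm "$conf" "$d")" = "$realm" ] \
            || { echo "$d is not mapped to realm $realm"; rc=1; }
    done
    return $rc
}
```

On the freshly configured client, run it as root against the live file, for example check_krb5_conf "$KRB5_CONF" EXAMPLE.COM kdc1.example.com corphdqtrs.example.com example.com; a non-zero exit with a message tells you which prompt answer did not make it into the file. Re-run kclient, or edit /etc/krb5/krb5.conf directly, before testing logins.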