In the default Kerberos environment, credentials expire after a limited amount of time. For processes that can execute at arbitrary times, such as cron and at, the limited time presents a problem.
This procedure describes how to configure the Kerberos environment to support delayed execution processes that require authenticated services through Kerberos. Oracle Solaris provides PAM modules, uses service keys, and uses kclient configuration options to make delayed execution with Kerberos authentication possible and more secure than alternative solutions.
This procedure uses the following configuration parameters:
cron host = host1.example.com
NFS server = host2.example.com
LDAP server = host3.example.com
For more information, see the kclient(1M) man page.
For example, the following command configures the client in the EXAMPLE.COM realm. The command includes the pam_gss_s4u file in the /etc/pam.d/cron service file by using the include mechanism.
# kclient -s cron:optional -R EXAMPLE.COM
Ensure that the PAM configuration for the cron service includes the pam_gss_s4u file.
# cd /etc/pam.d ; cp cron cron.orig
# pfedit cron
# PAM include file for optional set credentials
# through Kerberos keytab and GSS-API S4U support
auth include pam_gss_s4u
Mark the cron host's principal as trusted for delegation by setting the ok_as_delegate and ok_to_auth_as_delegate flags, which the GSS-API S4U support used by pam_gss_s4u relies on.
# kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin: modprinc +ok_as_delegate host/host1.example.com@EXAMPLE.COM
Principal host/host1.example.com@EXAMPLE.COM modified.
kadmin: modprinc +ok_to_auth_as_delegate host/host1.example.com@EXAMPLE.COM
Principal host/host1.example.com@EXAMPLE.COM modified.
kadmin: quit
For example, to enable the cron host to access the user's home directory on host2, a Kerberized NFS server, add the NFS host to the krbAllowedToDelegateTo parameter in the cron server's LDAP definition.
# pfedit /tmp/delghost.ldif
dn: krbprincipalname=host/host1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: nfs/host2.example.com@EXAMPLE.COM
# ldapmodify -h host3 -D "cn=directory manager" -f delghost.ldif
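The following POSIX shell script is an added audit helper, not part of the Oracle Solaris guide: it checks the three artifacts the procedure above produces (the pam_gss_s4u include in the cron PAM service, the two delegation flags on the cron host's principal, and the krbAllowedToDelegateTo targets) and confirms that delegation stays constrained to service principals in the realm. It runs offline against constructed sample files; the "Attributes:" line format is an assumption about MIT-derived kadmin getprinc output.

```shell
#!/bin/sh
# Added audit helper, not from the Oracle Solaris guide. On a real host run the
# three checks against /etc/pam.d/cron, the saved output of
# "kadmin -q 'getprinc host/host1.example.com'" and the LDIF before loading it.

# 1. The cron PAM service must carry an active (uncommented) include of pam_gss_s4u.
check_pam_include() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+pam_gss_s4u([[:space:]]|$)' "$1"
}

# 2. The cron host principal must carry both flags set by the kadmin step.
check_delegation_flags() {
    attrs=$(sed -n 's/^Attributes:[[:space:]]*//p' "$1")
    echo "$attrs" | grep -qw OK_AS_DELEGATE &&
        echo "$attrs" | grep -qw OK_TO_AUTH_AS_DELEGATE
}

# 3. Every krbAllowedToDelegateTo target must be a service principal in the given
#    realm and never a host/ or krbtgt/ principal, so delegation stays constrained.
check_delegate_targets() {
    targets=$(sed -n 's/^krbAllowedToDelegateTo:[[:space:]]*//p' "$1")
    [ -n "$targets" ] || return 1
    for t in $targets; do
        case $t in
            host/*|krbtgt/*) return 1 ;;
            */*@"$2") ;;
            *) return 1 ;;
        esac
    done
}

# Constructed sample inputs so the checks can be exercised offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/cron" <<'EOF'
# PAM include file for optional set credentials
# through Kerberos keytab and GSS-API S4U support
auth include pam_gss_s4u
EOF
# Attribute line format assumed from MIT-derived kadmin getprinc output.
cat > "$tmp/getprinc.txt" <<'EOF'
Principal: host/host1.example.com@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH OK_AS_DELEGATE OK_TO_AUTH_AS_DELEGATE
EOF
cat > "$tmp/delghost.ldif" <<'EOF'
dn: krbprincipalname=host/host1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: nfs/host2.example.com@EXAMPLE.COM
EOF
```

A failing check_delegate_targets on a host/ or krbtgt/ target, or on a principal from another realm, is the case to stop on before running ldapmodify.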