Users who do not have a Kerberos principal can be migrated automatically into an existing Kerberos realm by using PAM. The system-based PAM configuration files on the migration server and on the master server can be customized to handle identification of UNIX credentials and re-authentication in the Kerberos realm.
For information about PAM, see Chapter 1, Using Pluggable Authentication Modules, and the pam.conf(4) man page.
In this procedure, the login service name is configured to use automatic migration. This example uses the following configuration parameters:
Realm name = EXAMPLE.COM
Master KDC = kdc1.example.com
Machine hosting the migration service = server1.example.com
Migration service principal = host/server1.example.com
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
The host service principal in the keytab file of server1 is used to authenticate that server to the master KDC.
server1 # klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 host/server1.example.com@EXAMPLE.COM
...
For more information about the options of this command, see the klist(1) man page.
For the steps, see the example in Configuring Kerberos Clients.
For more information, see Assigning a Per-User PAM Policy.
% grep PAM_POLICY /etc/security/policy.conf
# PAM_POLICY specifies the system-wide PAM policy (see pam_user_policy(5))
...
PAM_POLICY=krb5_first
server1 # cd /etc/security/pam_policy/; cp krb5_first krb5_firstmigrate
server1 # pfedit /etc/security/pam_policy/krb5_firstmigrate
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
...
login auth required pam_unix_auth.so.1
login auth optional pam_krb5_migrate.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
...
rlogin auth required pam_unix_auth.so.1
rlogin auth optional pam_krb5_migrate.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
krlogin auth optional pam_krb5_migrate.so.1
#
# rsh service (explicit because of pam_rhost_auth)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth optional pam_krb5_migrate.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
krsh auth optional pam_krb5_migrate.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ktelnet auth optional pam_krb5_migrate.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
...
ppp auth required pam_unix_auth.so.1
ppp auth optional pam_krb5_migrate.so.1
#
# GDM Autologin (explicit because of pam_allow). These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
gdm-autologin auth optional pam_krb5_migrate.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
OTHER auth requisite pam_authtok_get.so.1
...
OTHER auth required pam_unix_auth.so.1
OTHER auth optional pam_krb5_migrate.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups account required pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#modified
gdm-autologin account sufficient pam_allow.so.1
#
. . .
For newly created Kerberos accounts, set the password expiration time to the current time by adding the expire_pw option to the pam_krb5_migrate entries. For more information, see the pam_krb5_migrate(5) man page.
service-name auth optional pam_krb5_migrate.so.1 expire_pw
# Definition for Account management
# Used when service name is not explicitly mentioned for account management
# Re-ordered pam_krb5 causes password expiration in Kerberos to block access
#
OTHER account requisite pam_roles.so.1
OTHER account required pam_krb5.so.1
OTHER account required pam_unix_account.so.1
OTHER account required pam_tsol_account.so.1
# OTHER account required pam_krb5.so.1
#
. . .
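The krb5_firstmigrate policy edited above depends on ordering within each stack: pam_krb5_migrate must come after pam_unix_auth as an optional module (so a failed migration does not change the outcome of the UNIX login), it should carry expire_pw, and in the OTHER account stack pam_krb5 must precede pam_unix_account. The following shell function is an added example, not part of the Oracle documentation, that lints a pam_policy file for those three rules with awk. The two sample policies it runs against are constructed here and abbreviated; they are not the real files from server1.

```shell
# Added example (not from the Oracle documentation): lint a pam_policy file
# such as krb5_firstmigrate for the ordering rules the migration relies on.
# check_pam_policy FILE -> exit 0 when clean, 1 otherwise; one line per finding.
check_pam_policy() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blanks
    {
        svc = $1; type = $2; ctrl = $3; mod = $4
        pos = ++n[svc SUBSEP type]                  # position inside this stack
        if (type == "auth" && mod ~ /pam_unix_auth\.so/)    unixauth[svc] = pos
        if (type == "auth" && mod ~ /pam_krb5_migrate\.so/) {
            migrate[svc] = pos; mctrl[svc] = ctrl; mline[svc] = $0
        }
        if (type == "account" && svc == "OTHER") {
            if (mod ~ /pam_krb5\.so/)         krb5acct = pos
            if (mod ~ /pam_unix_account\.so/) unixacct = pos
        }
    }
    END {
        bad = 0
        for (s in unixauth) {
            if (!(s in migrate)) { print s ": auth stack has no pam_krb5_migrate entry"; bad = 1; continue }
            if (migrate[s] < unixauth[s]) { print s ": pam_krb5_migrate must follow pam_unix_auth"; bad = 1 }
            if (mctrl[s] != "optional") { print s ": pam_krb5_migrate is " mctrl[s] ", expected optional"; bad = 1 }
            if (mline[s] !~ /expire_pw/) { print s ": pam_krb5_migrate lacks expire_pw"; bad = 1 }
        }
        if (unixacct && !krb5acct) { print "OTHER account: pam_krb5 entry missing"; bad = 1 }
        else if (unixacct && krb5acct > unixacct) { print "OTHER account: pam_krb5 must precede pam_unix_account"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample policies (abbreviated; not the real server1 files).
GOOD_POLICY=$(mktemp); BAD_POLICY=$(mktemp)
trap 'rm -f "$GOOD_POLICY" "$BAD_POLICY"' EXIT
cat > "$GOOD_POLICY" <<'EOF'
login  auth requisite pam_authtok_get.so.1
login  auth required  pam_unix_auth.so.1
login  auth optional  pam_krb5_migrate.so.1 expire_pw
OTHER  auth requisite pam_authtok_get.so.1
OTHER  auth required  pam_unix_auth.so.1
OTHER  auth optional  pam_krb5_migrate.so.1 expire_pw
OTHER  account requisite pam_roles.so.1
OTHER  account required  pam_krb5.so.1
OTHER  account required  pam_unix_account.so.1
EOF
# Four defects: migrate before unix_auth, "required" instead of "optional",
# no expire_pw, and pam_krb5 after pam_unix_account in the account stack.
cat > "$BAD_POLICY" <<'EOF'
login  auth requisite pam_authtok_get.so.1
login  auth required  pam_krb5_migrate.so.1
login  auth required  pam_unix_auth.so.1
OTHER  account requisite pam_roles.so.1
OTHER  account required  pam_unix_account.so.1
OTHER  account required  pam_krb5.so.1
EOF

# Stand-alone demonstration over both samples.
check_pam_policy "$GOOD_POLICY" && echo "good policy: no findings"
check_pam_policy "$BAD_POLICY"  || echo "bad policy: findings listed above"
```

Run it against the real file with check_pam_policy /etc/security/pam_policy/krb5_firstmigrate on the migration server; the awk pass only reads the first four fields plus any trailing options, so the elided "..." lines of the page's listing are simply absent from the sample.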
server1 # pfedit /etc/security/policy.conf
...
# PAM_POLICY=krb5_first
PAM_POLICY=krb5_firstmigrate
For more information, read the policy.conf file.
The following entries grant the migrate and inquire privileges on the host/server1.example.com service principal for all users except root. Use the U privilege to list users who must not be migrated. These entries must precede the "permit all" or ui entry. For more information, see the kadm5.acl(4) man page.
kdc1 # pfedit /etc/krb5/kadm5.acl
host/server1.example.com@EXAMPLE.COM U root
host/server1.example.com@EXAMPLE.COM ui *
*/admin@EXAMPLE.COM *
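kadmind reads kadm5.acl top-down, and the first entry whose principal and target both match decides the request; that is why the U root line has to sit above the ui * line. The following POSIX shell function is an added example, not code from the Oracle documentation or from kadmind, that models that lookup in simplified form (the * wildcard is matched with shell globbing, which is looser than kadmind's per-component matching; lowercase letters grant, uppercase or absent letters deny; an entry without a target applies to every target). It runs the page's ACL beside a misordered copy in which root becomes migratable, using a constructed user name "alice".

```shell
# Added example (not from the Oracle documentation): a simplified model of
# how kadmind consults kadm5.acl, enough to show why entry order matters.
#
# acl_allows FILE CLIENT OP TARGET
#   Scans FILE top-down. The first entry whose principal pattern matches
#   CLIENT and whose target pattern matches TARGET decides: allowed (0) if
#   the privilege string is "*" or contains the lowercase OP letter, denied
#   (1) otherwise, so "U" denies u. No target means "any target". No match
#   at all means denied. Simplification: * is matched by shell globbing.
acl_allows() {
    acl_file=$1; acl_client=$2; acl_op=$3; acl_target=$4
    while read -r who privs tgt; do
        case "$who" in ''|'#'*) continue ;; esac         # blank or comment
        case "$acl_client" in $who) ;; *) continue ;; esac
        if [ -n "$tgt" ]; then
            case "$acl_target" in $tgt) ;; *) continue ;; esac
        fi
        case "$privs" in \*|*"$acl_op"*) return 0 ;; esac
        return 1
    done < "$acl_file"
    return 1
}

# migration_acl_ok FILE PRINCIPAL: 0 when PRINCIPAL may migrate an ordinary
# user (constructed name "alice") but not root, 1 otherwise.
migration_acl_ok() {
    acl_allows "$1" "$2" u alice || return 1
    acl_allows "$1" "$2" u root && return 1
    return 0
}

# Constructed sample ACLs: GOOD_ACL mirrors the ordering in the procedure,
# BAD_ACL swaps the two host/server1 lines.
GOOD_ACL=$(mktemp); BAD_ACL=$(mktemp)
trap 'rm -f "$GOOD_ACL" "$BAD_ACL"' EXIT
cat > "$GOOD_ACL" <<'EOF'
host/server1.example.com@EXAMPLE.COM U root
host/server1.example.com@EXAMPLE.COM ui *
*/admin@EXAMPLE.COM *
EOF
cat > "$BAD_ACL" <<'EOF'
host/server1.example.com@EXAMPLE.COM ui *
host/server1.example.com@EXAMPLE.COM U root
*/admin@EXAMPLE.COM *
EOF

# Stand-alone demonstration: report both ACLs.
for f in "$GOOD_ACL" "$BAD_ACL"; do
    if migration_acl_ok "$f" host/server1.example.com@EXAMPLE.COM; then
        echo "$f: root is protected from migration"
    else
        echo "$f: MISORDERED, root could be migrated"
    fi
done
```

In the misordered copy the ui * entry matches root first, so the later U root restriction is never consulted; the same first-match rule is what makes the "permit all" */admin entry safe only when it comes last.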
If the k5migrate service file is not in the /etc/pam.d directory, add the service file to that directory. For more information, see the pam.d(4) man page.
This modification enables UNIX user password validation for the accounts that need to be migrated.
kdc1 # pfedit /etc/pam.d/k5migrate
...
# Permits validation of migrated UNIX accounts
auth required pam_unix_auth.so.1
account required pam_unix_account.so.1