How to Configure Kerberos Clients Using AI

Ensure that your role has the appropriate rights profiles to perform this procedure. See Using Rights Profiles to Install Oracle Solaris.

In this procedure, the keytab file for the Kerberos client has already been created and stored on the AI server. In the examples use auto-registration to configure Kerberos clients by using preexisting credentials or using new principals. The auto-registration process is simpler because you do not have to create and encode keytab files for individual Kerberos clients.

1. Create an install service, if needed.

   $ installadm create-service -n krb-sparc \ 
   -d /export/auto_install/krb-sparc \ 
   -s /export/auto_install/iso/sol-11_4-ai-sparc.iso
   Creating service from:
   /export/auto_install/iso/sol-11_4-ai-sparc.iso 
   Setting up the image ... 
   Creating sparc service: krb-sparc 
   Image path: /export/auto_install/krb-sparc 
   Refreshing install services

2. Associate Kerberos clients with a service.

   Repeat this step for all clients that need to be installed running Kerberos. In this example the client using the address of 11:11:11:11:11:11 is associated with the krb-sparc install service.

   $ installadm create-client -n krb-sparc -e 11:11:11:11:11:11
   Adding host entry for 11:11:11:11:11:11 to local DHCP configuration.

3. Create credentials for the Kerberos clients.

   $ installadm set-client -c 11:11:11:11:11:11 -g 
   Generating credentials for client 11:11:11:11:11:11... 
   A new certificate key has been generated. 
   A new certificate has been generated.

4. Create a system configuration profile that defines the contents of the Kerberos configuration file.

   This example creates a profile by running the kclient command interactively. Alternatively, you could invoke the command using command-line options or using an input profile. For more information see the kclient(8) man page.

   In this example, the KDC is running on an MIT server. To view sample output for a Solaris KDC, see Example 5-6. To view sample output for an AD client, see Example 5-8.

   $ kclient -x /root/krb-sc.xml
   Starting client setup
   ---------------------------------------------------
   Is this a client of a non-Solaris KDC ? [y/n]: y
   Which type of KDC is the server: 
          ms_ad: Microsoft Active Directory 
          mit: MIT KDC server 
          heimdal: Heimdal KDC server 
          shishi: Shishi KDC server 
   Enter required KDC type: mit 
   Do you want to use DNS for Kerberos lookups ? [y/n]: n 
          No action performed. 
   Enter the Kerberos realm: EXAMPLE.COM 
   Specify the master KDCs for the above realm using a comma-separated list: kdc.example.com 
   Do you have any slave KDC(s) ? [y/n]: y 
   Enter a comma-separated list of slave KDC host names: kdc2.example.com 
   Do you have multiple domains/hosts to map to a realm ? [y/n]: n
          No action performed.
   Setting up /root/krb-sc.xml.

5. Convert a Kerberos client's binary keytab file into an XML profile.

   This step is not needed if the keys can be obtained through auto-registration or if the Kerberos client is keyless. The Kerberos client needs to have a keytab file created, which is often done by the KDC administrator when a client is first configured.

   $ kclient-kt2prof -k ./host1.keytab -p /root/host1.xml
   

6. Create client profiles to configure the rest of the Kerberos client.

   Because a profile must be used in this procedure, configure as much of the Kerberos client as possible using system configuration profiles.

7. Set the security policy for profiles.

   If the client profiles include a keytab, you should assign the require-client-auth security policy to the service so that only authenticated clients can download their keytab file.

   $ installadm set-service -p require-client-auth -n krb-sparc
   

8. Associate the client profiles with the install service.

   Associate the profiles for the Kerberos configuration file, the client keytab file, and any other profiles that you have created to the install service.

   $ installadm create-profile -n krb-sparc -f /root/krb-sc.xml 
   Profile krb-sc.xml added to database. 
   $ installadm create-profile -n krb-sparc -f /root/host1.xml -c mac="11:11:11:11:11:11"
   Profile host1.xml added to database.

9. Boot the Kerberos client to start the AI process.

Example 5-6 Downloading Existing Keys While Deploying Kerberos Clients

Note that using auto-registration only works if the KDC is either an Oracle Solaris KDC or an MS AD. If the KDC is MIT, Heimdal or Shishi, only pre-generated keytab transfer is possible.

In order to use auto-registration to download existing keys, you must first have created an admin principal on the KDC with c and i administration privileges. In this example, the name of the principal is download/admin.

In this example, the KDC is running Oracle Solaris. Also, the keys for the Kerberos client have already been created.

This example shows how to add the download/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The download/admin principal is a special admin principal that is used to transfer existing keys from the KDC server when the Kerberos client is deployed.

$ kclient -x /root/krb-sc.xml	
Starting client setup 
--------------------------------------------------- 
Is this a client of a non-Solaris KDC ? [y/n]: n 
        No action performed. 
Do you want to use DNS for Kerberos lookups ? [y/n]: n 
        No action performed. 
Enter the Kerberos realm: EXAMPLE.COM 
Specify the master KDCs for the above realm using a comma-separated
list: kdc.example.com 
Do you have any slave KDC(s) ? [y/n]: y 
Enter a comma-separated list of slave KDC host names: kdc2.example.com 
Do you have multiple domains/hosts to map to realm  ? EXAMPLE.COM [y/n]: n
        No action performed.
Should the client automatically join the realm ? [y/n]: y
Enter the krb5 administrative principal to be used: download/admin
Password for download/admin: xxxxxxxx
Do you plan on doing Kerberized nfs ? [y/n]: n 
        No action performed.   
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
        No action performed. 
Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
        No action performed.
Setting up /root/krb-sc.xml.

Example 5-7 Creating New Keys While Deploying Kerberos Clients

Note that using auto-registration only works if the KDC is either an Oracle Solaris KDC or an MS AD. If the KDC is MIT, Heimdal or Shishi, only pre-generated keytab transfer is possible.

In order to use auto-registration to download new keys, you must first have created an admin principal on the KDC with a, c and i administration privileges. In this example, the name of the principal is create/admin.

In this example, the KDC is running Oracle Solaris. This example adds the create/admin principal when you are creating the system configuration profile for the Kerberos configuration file. The create/admin principal is a special admin principal that is used to transfer new keys from the KDC server when the Kerberos client is deployed. This command includes more options so fewer questions are asked.

$ kclient -x /root/krb-sc.xml -R EXAMPLE.COM -a create/admin -d none -m kdc.example.com	
Starting client setup 
--------------------------------------------------- 
Do you have multiple domains/hosts to map to realm  ? EXAMPLE.COM [y/n]: n
        No action performed.
Should the client automatically join the realm ? [y/n]: y
Password for create/admin: xxxxxxxx
Setting up /root/krb-sc.xml.

Example 5-8 Automatically Joining an Kerberos Client to a MS AD Domain

In this example, the Kerberos client is joining an AD domain. Use the following command to add the Administrator principal when you are creating the system configuration profile for the Kerberos configuration file.

$ kclient -x /root/krb-sc.xml	
Starting client setup 
--------------------------------------------------- 
Is this a client of a non-Solaris KDC ? [y/n]: y 
Which type of KDC is the server: 
        ms_ad: Microsoft Active Directory 
        mit: MIT KDC server 
        heimdal: Heimdal KDC server 
        shishi: Shishi KDC server 
Enter required KDC type: ms_ad 
Should the client automatically join AD domain ? [y/n]: y
Enter the Kerberos realm: EXAMPLE.COM 
Enter the krb5 administrative principal to be used: Administrator
Password for Administrator: xxxxxxxx
Setting up /root/krb-sc.xml.