G-RAD Applications Using Kerberos
The RAD server must be configured as a Kerberos system and must offer the G-RAD (GSS-API) transport for Kerberos. Configuring the RAD server includes creating a rad service principal for the system and adding the associated keys to its key table. For more information about configuring the RAD server with Kerberos, see Configuring Kerberos Clients in Managing Kerberos in Oracle Solaris 11.4.
After the system is configured for Kerberos, create the rad service principal, such as rad/server.example.com, on the RAD server. On the RAD client, a user obtains the Kerberos credentials used for RAD either with the kinit command or by authenticating through PAM with pam_krb5.
The root user on the RAD client can also act as a RAD user in Kerberos. In this case the client does not authenticate with a password: it uses its host service principal (for example host/client.example.com) and the key for that principal stored in the system key table file (/etc/krb5/krb5.keytab). Because the host service principal is used, the client itself must be configured as a Kerberos system. For more information, see Configuring Kerberos Clients in Managing Kerberos in Oracle Solaris 11.4.
To authorize such RAD requests as root, the RAD server must also map the authenticated host service principal of the client to the local root user; a host principal that is not mapped has no local identity on the server and is not authorized as root. Every host principal listed in this mapping gains root authority on the RAD server, so list only the clients that require it and protect their key table files accordingly. For example, on the RAD server, the /etc/krb5/krb5.conf file is updated to include auth_to_local_names in the realms section as follows:
server# cat /etc/krb5/krb5.conf
...
[realms]
        EXAMPLE.COM = {
                ...
                auth_to_local_names = {
                        host/client.example.com = root
                }
        }
Example 2-46 G-RAD Application Example
The following example shows a live zone migration over the G-RAD transport (radg://) performed by a non-root user who holds the Zone Migration rights profile and runs zoneadm through pfexec. The user first obtains Kerberos credentials with kinit; the RAD server then authorizes the migration against the authorizations granted to the mapped local user:
client$ id
uid=1234567(mre) gid=1(other)
client$ profiles
Zone Configuration
Zone Migration
Basic Solaris User
All
client$ auths
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,
solaris.zone.config/zone1,solaris.zone.migrate/zone1
client$ kinit
Password for mre@EXAMPLE.COM:
client$ pfexec /usr/sbin/zoneadm -z zone1 migrate radg://server
zoneadm: zone 'zone1': Using existing zone configuration on destination.
zoneadm: zone 'zone1': Attaching zone.
zoneadm: zone 'zone1': Booting zone in 'migrating-in' mode.
zoneadm: zone 'zone1': Checking migration compatibility.
zoneadm: zone 'zone1': Performing initial copy (total 8192MB).
...
zoneadm: zone 'zone1': Migration successful.
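The following Python model, added here as an illustration and not part of Oracle Solaris or the RAD implementation, makes the two decisions in this section concrete: how an authenticated Kerberos principal is mapped to a local user through auth_to_local_names, and how the resulting local user is then authorized (root for a mapped host principal, the user's own Solaris authorizations for a user principal such as mre). The krb5.conf text, the user names and the authorization table are constructed sample data; the assumptions are that an unlisted single-component principal in the default realm maps to the local user of the same name (the standard krb5 default rule), that root is authorized for everything, and that anything without a local identity is refused.

```python
"""Simplified model of G-RAD principal mapping and authorization.

Added illustration only; not RAD's own code.  Reproduces the semantics of the
auth_to_local_names fragment in the text and a minimal authorization check.
"""

import re

# Constructed sample krb5.conf, matching the fragment in the text.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc.example.com
                admin_server = kdc.example.com
                auth_to_local_names = {
                        host/client.example.com = root
                }
        }
"""

# Constructed local user database: user -> set of Solaris authorizations.
# The mre entry mirrors the auths shown in Example 2-46.
LOCAL_AUTHS = {
    "mre": {"solaris.zone.config/zone1", "solaris.zone.migrate/zone1"},
    "guest": set(),
}


def parse_krb5_conf(conf_text):
    """Return (default_realm, {realm: {principal_without_realm: local_user}}).

    Only the constructs used in the fragment above are understood: [section]
    headers, key = value lines, REALM = { ... } blocks and a nested
    auth_to_local_names = { ... } block.  Comments after '#' are ignored.
    """
    default_realm = None
    names = {}
    section = realm = None
    in_names = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm, in_names = header.group(1), None, False
            continue
        if section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
            continue
        if section != "realms":
            continue
        block = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if block and realm is None:
            realm = block.group(1)          # entering REALM = {
            names.setdefault(realm, {})
        elif block and block.group(1) == "auth_to_local_names":
            in_names = True                 # entering the mapping table
        elif line == "}":
            if in_names:
                in_names = False            # leaving the mapping table
            else:
                realm = None                # leaving REALM = { ... }
        elif in_names:
            princ, _, local = line.partition("=")
            names[realm][princ.strip()] = local.strip()
    return default_realm, names


def principal_to_local(principal, default_realm, names):
    """Map 'name@REALM' to a local user name, or None if there is no identity.

    Rule 1: an explicit auth_to_local_names entry for that realm wins.
    Rule 2 (assumed default krb5 rule): a single-component principal in the
            default realm maps to the local user of the same name.
    Anything else (foreign realm, unlisted service principal) maps to nothing.
    """
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        return None
    explicit = names.get(realm, {}).get(name)
    if explicit:
        return explicit
    if realm == default_realm and "/" not in name:
        return name
    return None


def authorize_rad_request(principal, required_auth,
                          conf_text=SAMPLE_KRB5_CONF, local_auths=LOCAL_AUTHS):
    """Return (local_user_or_None, allowed) for a G-RAD request.

    A principal with no local identity is refused outright.  root (assumed
    fully authorized) is always allowed; any other user needs required_auth
    in its authorization set.
    """
    default_realm, names = parse_krb5_conf(conf_text)
    user = principal_to_local(principal, default_realm, names)
    if user is None:
        return None, False
    if user == "root":
        return user, True
    return user, required_auth in local_auths.get(user, set())


if __name__ == "__main__":
    for p in ("host/client.example.com@EXAMPLE.COM",
              "host/other.example.com@EXAMPLE.COM",
              "mre@EXAMPLE.COM", "mre@OTHER.COM"):
        print(p, "->", authorize_rad_request(p, "solaris.zone.migrate/zone1"))
```

The point the model makes visible is that the mapping is an allow-list: host/other.example.com authenticates successfully to the KDC yet has no local identity on the RAD server and is refused, while the one listed host principal becomes root without any further authorization check.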