G-RAD Applications Using Kerberos

The RAD server must be configured to host Kerberos and to use the G-RAD transport for Kerberos. Configuring the RAD server includes creating a rad service principal for the system and adding the associated keys to its key table. For more information about configuring the RAD server with Kerberos, see Configuring Kerberos Clients in Managing Kerberos in Oracle Solaris 11.4.

After the system is configured for Kerberos, create the rad service principal, such as rad/server.example.com, on the RAD server. You can authenticate as a RAD user on the RAD client by using the kinit command or by authenticating through PAM with pam_krb5.

The root user on the RAD client can also be configured as a RAD user in Kerberos by using the client's initial authentication through the system key table file (/etc/krb5/krb5.keytab). Because the client's host service principal is used in this scenario, the client must be configured as a Kerberos system. For more information, see Configuring Kerberos Clients in Managing Kerberos in Oracle Solaris 11.4.

To authorize RAD requests as root, the RAD server must also map the authenticated host service principal of the client to the local root user. For example, on the RAD server, the /etc/krb5/krb5.conf file is updated to include auth_to_local_names in the realms section as follows:

server# cat /etc/krb5/krb5.conf
...
[realms]
    EXAMPLE.COM = {
        ...
        auth_to_local_names = {
            host/client.example.com = root
        }
    }
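
As an added example (not part of the Oracle documentation), the following POSIX shell audit lists which principals a krb5.conf maps to the local root user through auth_to_local_names, so an administrator can review exactly which client hosts are granted root over G-RAD. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample krb5.conf (illustration only, not a file from the page).
KRB5_CONF_SAMPLE='[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local_names = {
            host/client.example.com = root
            host/lab.example.com = mre
        }
    }
    OTHER.COM = {
        auth_to_local_names = {
            host/other.example.com = root
        }
    }
'

# root_mappings REALM: read a krb5.conf on stdin and print every principal
# that REALM's auth_to_local_names block maps to the local root user.
root_mappings() {
    awk -v realm="$1" '
        /^[ \t]*\[/ { section = $1; inrealm = 0; inmap = 0; next }
        section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "auth_to_local_names" && $3 == "{" { inmap = 1; next }
        inmap && $1 == "}" { inmap = 0; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inmap && $2 == "=" && $3 == "root" { print $1 }
    '
}

# unexpected_root_mappings REALM EXPECTED...: print root mappings in REALM that
# are not in the approved list, so a review spots extra clients given root.
unexpected_root_mappings() {
    realm=$1; shift
    root_mappings "$realm" | while read -r princ; do
        ok=0
        for e in "$@"; do [ "$princ" = "$e" ] && ok=1; done
        if [ $ok -eq 0 ]; then printf '%s\n' "$princ"; fi
    done
}

# Stand-alone demonstration on the constructed sample; on a real server use
# root_mappings EXAMPLE.COM < /etc/krb5/krb5.conf instead.
printf '%s\n' "$KRB5_CONF_SAMPLE" | root_mappings EXAMPLE.COM
printf '%s\n' "$KRB5_CONF_SAMPLE" | unexpected_root_mappings OTHER.COM host/client.example.com
```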

Example 2-46 G-RAD Application Example

The following example shows the G-RAD transport used for a live zone migration as a privileged user:

client$ id
uid=1234567(mre) gid=1(other)
client$ profiles
Zone Configuration
Zone Migration
Basic Solaris User
All
client$ auths
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,
solaris.zone.config/zone1,solaris.zone.migrate/zone1
client$ kinit
Password for mre@EXAMPLE.COM:
client$ pfexec /usr/sbin/zoneadm -z zone1 migrate radg://server
zoneadm: zone 'zone1': Using existing zone configuration on destination.
zoneadm: zone 'zone1': Attaching zone.
zoneadm: zone 'zone1': Booting zone in 'migrating-in' mode.
zoneadm: zone 'zone1': Checking migration compatibility.
zoneadm: zone 'zone1': Performing initial copy (total 8192MB).
...
zoneadm: zone 'zone1': Migration successful.