Configuring Kerberos Clients
Kerberos clients include any host, that is not a KDC server, on
the network that needs to use Kerberos services. This section provides procedures for installing
a Kerberos client, as well as specific information about using root authentication
to mount NFS file systems.
Configuring Kerberos Clients (Task Map)
The following task map includes all of the procedures associated with setting up
Kerberos clients. Each row includes a task identifier, a description of why you
would want to do that task, followed by a link to the
task.
How to Create a Kerberos Client Installation Profile
This procedure creates a kclient profile that can be used when you
install a Kerberos client. By using the kclient profile, you reduce the likelihood of
typing errors. Also, using the profile reduces user intervention as compared to the
interactive process.
- Become superuser.
- Create a kclient installation profile.
A sample kclient profile could look similar to the following:
client# cat /net/denver.example.com/export/install/profile
REALM EXAMPLE.COM
KDC kdc1.example.com
ADMIN clntconfig
FILEPATH /net/denver.example.com/export/install/krb5.conf
NFS 1
DNSLOOKUP none
How to Automatically Configure a Kerberos Client
Before You Begin
This procedure uses an installation profile. See How to Create a Kerberos Client Installation Profile.
- Become superuser.
- Run the kclient installation script.
You need to provide the password for the clntconfig principal to complete the
process.
client# /usr/sbin/kclient -p /net/denver.example.com/export/install/profile
Starting client setup
---------------------------------------------------
kdc1.example.com
Setting up /etc/krb5/krb5.conf.
Obtaining TGT for clntconfig/admin ...
Password for clntconfig/[email protected]: <Type the password>
nfs/client.example.com entry ADDED to KDC database.
nfs/client.example.com entry ADDED to keytab.
host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.
Copied /net/denver.example.com/export/install/krb5.conf.
---------------------------------------------------
Setup COMPLETE.
client#
Example 23-7 Automatically Configuring a Kerberos Client With Command-Line Overrides
The following example overrides the DNSARG and the KDC parameters that are
set in the installation profile.
# /usr/sbin/kclient -p /net/denver.example.com/export/install/profile\
-d dns_fallback -k kdc2.example.com
Starting client setup
---------------------------------------------------
kdc1.example.com
Setting up /etc/krb5/krb5.conf.
Obtaining TGT for clntconfig/admin ...
Password for clntconfig/[email protected]: <Type the password>
nfs/client.example.com entry ADDED to KDC database.
nfs/client.example.com entry ADDED to keytab.
host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.
Copied /net/denver.example.com/export/install/krb5.conf.
---------------------------------------------------
Setup COMPLETE.
client#
How to Interactively Configure a Kerberos Client
This procedure uses the kclient installation utility without a installation profile. In build
90 of the Solaris Express Community Edition release, the kclient utility has been expanded
to improve ease of use and ability to work with Active Directory servers.
See How to Configure a Kerberos Client for an Active Directory Server for more information. See Example 23-9 for an example of running
kclient on a previous Solaris release.
- Become superuser.
- Run the kclient installation script.
You need to provide the following information:
- Indicate if the KDC server is not running a Solaris release.
If this system is a client of a KDC server that is
not running a Solaris release, you need to define the type of server
that is running the KDC. The available servers are: Microsoft Active Directory, MIT
KDC server, Heimdal KDC server, and Shishi KDC server.
- Select if DNS should be used for Kerberos lookups.
If you use DNS for Kerberos lookups, you need to enter the DNS
lookup option that you want to use. Valid options are dns_lookup_kdc, dns_lookup_realm, and
dns_fallback. See the krb5.conf(4) man page for more information about these values.
- Define the name of the Kerberos realm and the master KDC hostname.
This information is added to the /etc/krb5/krb5.conf configuration file.
- Select if slave KDCs exist.
If there are slave KDCs in the realm, then you need to enter
the slave KDC host names. This information is used to create additional KDC
entries in the client's configuration file.
- Indicate if service or host keys are required.
Normally, service or host keys are not required unless the client system is
hosting Kerberized services.
- Specify if the client is a member of a cluster.
If the client is a member of a cluster, then you need to
provide the logical name of the cluster. The logical host name is used
when creating service keys, which is required when hosting Kerberos services from clusters.
- Identify any domains or hosts to map to the current realm.
This mapping allows other domains to belong in the default realm of the
client.
- Specify if the client will use Kerberized NFS.
NFS service keys need to be created if the client will host NFS
services using Kerberos.
- Indicate if the /etc/pam.conf file needs to be updated.
This allows you to set which PAM services use Kerberos for authentication. You
need to enter the service name and a flag indicating how Kerberos
authentication is to be used. The valid flag options are:
first – use Kerberos authentication first, and only use UNIX if Kerberos authentication fails
only – use Kerberos authentication only
optional – use Kerberos authentication optionally
- Select if the master /etc/krb5/krb5.conf file should be copied.
This option allows for specific configuration information to be used when the arguments
to kclient are not sufficient.
Example 23-8 Running the kclient Installation Utility
client# /usr/sbin/kclient
Starting client setup
---------------------------------------------------
Is this a client of a non-Solaris KDC ? [y/n]: n
No action performed.
Do you want to use DNS for kerveros lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: kdc1.example.com
Note, this system and the KDC's time must be within 5 minutes of each other for
Kerberos to function. Both systems should run some form of time synchronization
system like Network Time Protocol (NTP).
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com
Will this client need service keys ? [y/n]: n
No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
No action performed.
Do you have multiple domains/hosts to map to realm ? [y/n]: y
Enter a comma-separated list of domain/hosts to map to the default realm: engineering.example.com, \ example.com
Setting up /etc/krb5/krb5.conf.
Do you plan on doing Kerberized nfs ? [y/n]: y
Do you want to update /etc/pam.conf ? [y/n]: y
Enter a comma-separated list of PAM service names in the following format:
service:{first|only|optional}: xscreensaver:first
Configuring /etc/pam.conf.
Do you want to copy over the master krb5.conf file ? [y/n]: n
No action performed.
---------------------------------------------------
Setup COMPLETE.
Example 23-9 Running the kclient Installation Utility on the Solaris 10 Release
The following output shows the results of running the kclient command.
client# /usr/sbin/kclient
Starting client setup
---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: kdc1.example.com
Setting up /etc/krb5/krb5.conf.
Enter the krb5 administrative principal to be used: clntconfig/admin
Obtaining TGT for clntconfig/admin ...
Password for clntconfig/[email protected]: <Type the password>
Do you plan on doing Kerberized nfs ? [y/n]: n
host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.
Do you want to copy over the master krb5.conf file ? [y/n]: y
Enter the pathname of the file to be copied: \
/net/denver.example.com/export/install/krb5.conf
Copied /net/denver.example.com/export/install/krb5.conf.
---------------------------------------------------
Setup COMPLETE !
#
How to Configure a Kerberos Client for an Active Directory Server
This procedure uses the kclient installation utility without a installation profile.
- Become superuser.
- (Optional) Enable DNS resource record creation for the client.
This command causes DNS records to be created when the client is joined
to the Active Directory domain.
client# svccfg -s smb/server setprop smbd/ddns_enable=true
- Run the kclient installation script.
You need to provide the following information:
Example 23-10 Configuring a Kerberos Client for an Active Directory Server Using kclient.
The following output shows the results of running the kclient command using the
ms_ad (Microsoft Active Directory) server type argument. The client will be joined to
the Active Directory domain called EXAMPLE.COM.
client# /usr/sbin/kclient -T ms_ad
Starting client setup
---------------------------------------------------
Attempting to join 'CLIENT' to the 'EXAMPLE.COM' domain.
Password for [email protected]: <Type the password>
Forest name found: example.com
Looking for local KDCs, DCs and global catalog servers (SVR RRs).
Setting up /etc/krb5/krb5.conf
Creating the machine account in AD via LDAP.
---------------------------------------------------
Setup COMPLETE.
#
How to Manually Configure a Kerberos Client
In this procedure, the following configuration parameters are used:
Realm name = EXAMPLE.COM
DNS domain name = example.com
Master KDC = kdc1.example.com
Slave KDC = kdc2.example.com
NFS server = denver.example.com
Client = client.example.com
admin principal = kws/admin
User principal = mre
Online help URL = https://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
Note - Adjust the URL to point to the “Graphical Kerberos Administration Tool” section, as described in the Online Help URL in the Graphical Kerberos Administration Tool.
- Become superuser.
- Edit the Kerberos configuration file (krb5.conf).
To change the file from the Kerberos default version, you need to change
the realm names and the server names. You also need to identify the
path to the help files for gkadmin.
kdc1 # cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com
kdc = kdc2.example.com
admin_server = kdc1.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
#
# if the domain name and realm name are equivalent,
# this entry is not needed
#
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
[appdefaults]
gkadmin = {
help_url = https://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
Note - If you want to restrict the encryption types, you can set the
default_tkt_enctypes or default_tgs_enctypes lines. Refer to Using Kerberos Encryption Types for a description of the issues involved
with restricting the encryption types.
- (Optional) Change the process used to locate the KDCs.
Starting with the Solaris 10 5/08 and Solaris Express Developer Edition 1/08
releases, by default the Kerberos realm to KDC mapping is determined in the
following order:
You can change this behavior by adding dns_lookup_kdc or dns_fallback to the
libdefaults section of the krb5.conf file. See the krb5.conf(4) man page for
more information. Note that referrals are always tried first.
- (Optional) Change the process used to determine the realm for a host.
Starting with the Solaris 10 5/08 and Solaris Express Developer Edition 1/08
releases, by default the host to realm mapping is determined in the following
order:
If the KDC supports referrals, then the KDC may inform the client which realm the host belongs to.
By the definition of domain_realm in the krb5.conf file.
The DNS domainname of the host.
The default realm.
You can change this behavior by adding dns_lookup_kdc or dns_fallback to the
libdefaults section of the krb5.conffile. See the krb5.conf(4) man page for more
information. Note that referrals will always be tried first.
- (Optional) Synchronize the client's clock with the master KDC's clock by using NTP or
another clock synchronization mechanism.
Installing and using the Network Time Protocol (NTP) is not required. However, every
clock must be synchronized with the time on the KDC server within a
maximum difference defined in the clockskew relation in the krb5.conf file for authentication
to succeed. See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.
- Start kadmin.
You can use the Graphical Kerberos Administration Tool to add a principal, as
explained in How to Create a New Kerberos Principal. To do so, you must log in with one of the
admin principal names that you created when you configured the master KDC. However,
the following example shows how to add the required principals by using the
command line.
denver # /usr/sbin/kadmin -p kws/admin
Enter password: <Type kws/admin password>
kadmin:
- (Optional) Create a user principal if a user principal does not already exist.
You need to create a user principal only if the user associated with
this host does not already have a principal assigned to him or her.
kadmin: addprinc mre
Enter password for principal [email protected]: <Type the password>
Re-enter password for principal [email protected]: <Type it again>
kadmin:
- (Optional) Create a root principal and add the principal to the server's keytab file.
This step is required so that the client can have root access to
file systems mounted using the NFS service. This step is also required if
non-interactive root access is needed, such as running cron jobs as root.
If the client does not require root access to a remote file system
which is mounted using the NFS service, then you can skip this step.
The root principal should be a two component principal with the second component
the host name of the Kerberos client system to avoid the creation
of a realm wide root principal. Note that when the principal instance is
a host name, the FQDN must be specified in lowercase letters, regardless of
the case of the domain name in the /etc/resolv.conf file.
kadmin: addprinc -randkey root/client.example.com
Principal "root/client.example.com" created.
kadmin: ktadd root/client.example.com
Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
- Create a host principal and add the principal to the server's keytab file.
The host principal is used by remote access services to provide authentication. The
principal allows root to acquire a credential, if there is not one already in
the keytab file.
kadmin: addprinc -randkey host/denver.example.com
Principal "host/[email protected]" created.
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
- (Optional) Add the server's NFS service principal to the server's keytab file.
This step is only required if the client needs to access NFS file
systems using Kerberos authentication.
kadmin: ktadd nfs/denver.example.com
Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/denver.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/denver.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/denver.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal nfs/denver.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
- Add the host principal to the server's keytab file.
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
- Quit kadmin.
kadmin: quit
- (Optional) Enable Kerberos with NFS.
- Enable Kerberos security modes in the /etc/nfssec.conf file.
Edit the /etc/nfssec.conf file and remove the “#” that is placed in front
of the Kerberos security modes.
# cat /etc/nfssec.conf
.
.
#
# Uncomment the following lines to use Kerberos V5 with NFS
#
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
- Enable DNS.
If the /etc/resolv.conf file has not already been created, then create this file
as the service principal canonicalization is dependent upon DNS to do this. See
the resolv.conf(4) man page for more information.
- Restart the gssd service.
After the /etc/resolv.conf file has been created or modified you must then restart the
gssd daemon to reread any changes.
# svcadm restart network/rpc/gss
- If you want the client to automatically renew the TGT or to warn
users about Kerberos ticket expiration, create an entry in the /etc/krb5/warn.conf file.
See the warn.conf(4) man page for more information.
Example 23-11 Setting Up a Kerberos Client Using a Non-Solaris KDC
A Kerberos client can be set up to work with a non-Solaris
KDC. In this case, a line must be included in the /etc/krb5/krb5.conf file in
the realms section. This line changes the protocol that is used when the
client is communicating with the Kerberos password-changing server. The format of this line
follows.
[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com
kdc = kdc2.example.com
admin_server = kdc1.example.com
kpasswd_protocol = SET_CHANGE
}
Example 23-12 DNS TXT Records for the Mapping of Host and Domain Name to Kerberos Realm
@ IN SOA kdc1.example.com root.kdc1.example.com (
1989020501 ;serial
10800 ;refresh
3600 ;retry
3600000 ;expire
86400 ) ;minimum
IN NS kdc1.example.com.
kdc1 IN A 192.146.86.20
kdc2 IN A 192.146.86.21
_kerberos.example.com. IN TXT "EXAMPLE.COM"
_kerberos.kdc1.example.com. IN TXT "EXAMPLE.COM"
_kerberos.kdc2.example.com. IN TXT "EXAMPLE.COM"
Example 23-13 DNS SRV Records for Kerberos Server Locations
This example defines the records for the location of the KDCs, the admin
server, and the kpasswd server, respectively.
@ IN SOA kdc1.example.com root.kdc1.example.com (
1989020501 ;serial
10800 ;refresh
3600 ;retry
3600000 ;expire
86400 ) ;minimum
IN NS kdc1.example.com.
kdc1 IN A 192.146.86.20
kdc2 IN A 192.146.86.21
_kerberos._udp.EXAMPLE.COM IN SRV 0 0 88 kdc2.example.com
_kerberos._tcp.EXAMPLE.COM IN SRV 0 0 88 kdc2.example.com
_kerberos._udp.EXAMPLE.COM IN SRV 1 0 88 kdc1.example.com
_kerberos._tcp.EXAMPLE.COM IN SRV 1 0 88 kdc1.example.com
_kerberos-adm._tcp.EXAMPLE.COM IN SRV 0 0 749 kdc1.example.com
_kpasswd._udp.EXAMPLE.COM IN SRV 0 0 749 kdc1.example.com
How to Access a Kerberos Protected NFS File System as the root User
This procedure allows a client to access a NFS file system that
requires Kerberos authentication with the root ID privilege. In particular, if the NFS file
system is shared with options like: -o sec=krb5,root=client1.sun.com.
- Become superuser.
- Start kadmin.
You can use the Graphical Kerberos Administration Tool to add a principal, as
explained in How to Create a New Kerberos Principal. To do so, you must log in with one of
the admin principal names that you created when you configured the master KDC.
However, the following example shows how to add the required principals by using
the command line.
denver # /usr/sbin/kadmin -p kws/admin
Enter password: <Type kws/admin password>
kadmin:
- Create a root principal for the NFS client.
This principal is used to provide root equivalent access to NFS mounted file
systems that require Kerberos authentication. The root principal should be a two component
principal with the second component the host name of the Kerberos client system
to avoid the creation of a realm wide root principal. Note that
when the principal instance is a host name, the FQDN must be specified
in lowercase letters, regardless of the case of the domain name in the
/etc/resolv.conf file.
kadmin: addprinc -randkey root/client.example.com
Principal "root/client.example.com" created.
kadmin:
- Add the root principal to the server's keytab file.
This step is required if you added a root principal so that the
client can have root access to file systems mounted using the NFS service.
This step is also required if non-interactive root access is needed, such
as running cron jobs as root.
kadmin: ktadd root/client.example.com
Entry for principal root/client.example.com with kvno 3, encryption type AES-256 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type AES-128 CTS mode
with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type Triple DES cbc
mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type ArcFour
with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal root/client.example.com with kvno 3, encryption type DES cbc mode
with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
- Quit kadmin.
kadmin: quit
How to Configure Automatic Migration of Users in a Kerberos Realm
Users, who do not have a Kerberos principal, can be automatically migrated to
an existing Kerberos realm. The migration is achieved by using the PAM framework
for the service in use by stacking the pam_krb5_migrate module in
the service's authentication stack in /etc/pam.conf.
In this example, the dtlogin and other PAM service names are configured to
use the automatic migration. The following configuration parameters are used:
Realm name = EXAMPLE.COM
Master KDC = kdc1.example.com
Machine hosting the migration service = server1.example.com
Migration service principal = host/server1.example.com
Before You Begin
Setup server1 as a Kerberos client of the realm EXAMPLE.COM. See Configuring Kerberos Clients
for more information.
- Check to see if a host service principal for server1 exists.
The host service principal in the keytab file of server1 is used to
authenticate the server to the master KDC.
server1 # klist -k
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
3 host/[email protected]
- Make changes to the PAM configuration file.
- Add entries for the dtlogin service.
# cat /etc/pam.conf
.
.
# # dtlogin service (explicit because of pam_krb5_migrate) # dtlogin auth requisite pam_authtok_get.so.1 dtlogin auth required pam_dhkeys.so.1 dtlogin auth required pam_unix_cred.so.1 dtlogin auth sufficient pam_krb5.so.1 dtlogin auth requisite pam_unix_auth.so.1 dtlogin auth optional pam_krb5_migrate.so.1
- (Optional) Force an immediate password change, if needed.
The newly created Kerberos accounts can have their password expiration time set to
the current time (now), in order to force an immediate Kerberos password change.
To set the expiration time to now, add the expire_pw option to
the lines which use the pam_krb5_migrate module. See the pam_krb5_migrate(5) man page
for more information.
# cat /etc/pam.conf
.
.
dtlogin auth optional pam_krb5_migrate.so.1 expire_pw
- Add the pam_krb5 module to the account stack.
This addition allows for password expiration in Kerberos to block access.
# cat /etc/pam.conf
.
.
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_krb5.so.1
other account required pam_unix_account.so.1
- Add the pam_krb5 module to the password stack.
This addition allows for passwords to be updated when the password expire.
# cat /etc/pam.conf
.
.
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
- On the master KDC, update the access control file.
The following entries grant migrate and inquire privileges to the host/server1.example.com service principal
for all users, excepting the root user. It is important that users who
should not be migrated are listed in the kadm5.acl file using the U
privilege. These entries need to be before the permit all or ui entry.
See the kadm5.acl(4) man page for more information.
kdc1 # cat /etc/krb5/kadm5.acl
host/[email protected] U root
host/[email protected] ui *
*/[email protected] *
- On the master KDC, restart the Kerberos administration daemon.
This step allows the kadmind daemon to use the new kadm5.acl entries.
kdc1 # svcadm restart network/security/kadmin
- On the master KDC, add entries to the pam.conf file.
The following entries enable the kadmind daemon to use the k5migrate PAM service,
to validate UNIX user password for accounts that require migration.
# grep k5migrate /etc/pam.conf
k5migrate auth required pam_unix_auth.so.1
k5migrate account required pam_unix_account.so.1