Cool Solution - Solaris and Kerberos

From Univention Wiki


Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in this article are covered by Univention Support. If you have questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal notes in the Terms of Service.

This article describes the configuration of Kerberos on a Solaris 11 client against a UCS 4.1 server.

Requirements

First make sure that the DHCP app has been installed from the App Center via the Univention Management Console (UMC) on your UCS server. Then add a new computer object for your Solaris system via the UMC as well. Note: It is important to assign the MAC address of your Solaris client and an available IP address to the computer object; the UCS DHCP server hands out the address on that basis, and the matching DNS entries for the client are created from the computer object.

Integration of Solaris into a UCS domain

This part of the configuration is described in detail in our manual. [1]

As an alternative to section 2.5 of the manual, you can configure Kerberos as follows: log in to your Solaris client (locally or via an SSH session) and run the command "kclient" as root. This starts an interactive Kerberos setup wizard.

The values in the transcript below are the placeholders from the kclient documentation. For a UCS domain, enter your UCS Kerberos realm (by default the domain name in upper case; it is stored in the UCR variable kerberos/realm) as the realm, the FQDN of your DC master as the KDC hostname, and further domain controllers, if any, as slave KDCs. Since the question about service keys is answered with "n", no host keytab is created on the client: the client can obtain tickets with kinit (see Verification) but does not yet offer Kerberized services of its own.

For example:

client# /usr/sbin/kclient

Starting client setup
---------------------------------------------------

Is this a client of a non-Solaris KDC ? [y/n]: n
        No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: n
        No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: kdc1.example.com

Note, this system and the KDC's time must be within 5 minutes of each other for
Kerberos to function. Both systems should run some form of time synchronization
system like Network Time Protocol (NTP).
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com

Will this client need service keys ? [y/n]: n
        No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
        No action performed.
Do you have multiple domains/hosts to map to realm ? [y/n]: y
Enter a comma-separated list of domain/hosts to map to the default realm: engineering.example.com, example.com

Setting up /etc/krb5/krb5.conf.

Do you plan on doing Kerberized nfs ? [y/n]: y
Do you want to update/add PAM per-service policy file(s) ? [y/n]: y
Enter a comma-separated list of PAM service names in the following format:
service:{first|only|optional}: first
Configuring /etc/pam.conf.

Do you want to copy over the master krb5.conf file ? [y/n]: n
        No action performed.

---------------------------------------------------
Setup COMPLETE.
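As an added example (not from the Univention article and not Solaris or UCS code), the following POSIX shell script writes a krb5.conf with the content that the answers above produce, and then checks what a UCS client needs: the realm is upper case, it is the default realm, and at least one KDC is configured for it. The realm and host names are the placeholders from the transcript; the UCS-specific assumption is that kdc1.example.com stands for the DC master and kdc2.example.com for a further domain controller. The script writes to a temporary file so it runs anywhere; point the last argument at /etc/krb5/krb5.conf only after reviewing the output on a Solaris client.

```shell
#!/bin/sh
# Added example, not part of the Univention article: build the krb5.conf
# equivalent of the kclient answers above and sanity-check it.
# Assumptions: kdc1.example.com stands for the UCS DC master, kdc2.example.com
# for a further domain controller; EXAMPLE.COM is the UCS realm placeholder.

# write_krb5_conf REALM MASTER_KDC "SLAVE1,SLAVE2" "DOMAIN1,DOMAIN2" OUTFILE
write_krb5_conf() {
    realm=$1 master=$2 slaves=$3 domains=$4 out=$5
    {
        printf '[libdefaults]\n'
        printf '\tdefault_realm = %s\n' "$realm"
        # DNS lookups were declined in the wizard: KDCs come from this file
        printf '\tdns_lookup_kdc = false\n'
        printf '\tdns_lookup_realm = false\n'
        printf '\n[realms]\n'
        printf '\t%s = {\n' "$realm"
        printf '\t\tkdc = %s\n' "$master"
        # slave KDCs: comma-separated list, spaces tolerated
        for s in $(printf '%s' "$slaves" | tr ', ' '\n\n'); do
            printf '\t\tkdc = %s\n' "$s"
        done
        printf '\t\tadmin_server = %s\n' "$master"
        printf '\t}\n'
        printf '\n[domain_realm]\n'
        # map each domain and its subdomains to the realm (wizard question
        # "multiple domains/hosts to map to realm")
        for d in $(printf '%s' "$domains" | tr ', ' '\n\n'); do
            printf '\t.%s = %s\n' "$d" "$realm"
            printf '\t%s = %s\n' "$d" "$realm"
        done
    } > "$out"
}

# check_krb5_conf FILE REALM: 0 if REALM is upper case, is the default realm
# and has at least one kdc line; 1 otherwise. Kerberos realms are
# case-sensitive and UCS realms are upper-case domain names, so a
# lower-case realm silently produces "Cannot find KDC" errors at kinit.
check_krb5_conf() {
    file=$1 realm=$2
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$upper" = "$realm" ] || { echo "realm not upper case: $realm" >&2; return 1; }
    grep -q "^[[:space:]]*default_realm = $realm\$" "$file" || return 1
    grep -q "^[[:space:]]*kdc = " "$file" || return 1
    return 0
}

# kdc_count FILE: number of KDCs configured (master plus slaves)
kdc_count() {
    grep -c '^[[:space:]]*kdc = ' "$1"
}

# Usage with the transcript's values; output goes to a temporary file.
conf=$(mktemp)
write_krb5_conf EXAMPLE.COM kdc1.example.com kdc2.example.com \
    "engineering.example.com, example.com" "$conf"
check_krb5_conf "$conf" EXAMPLE.COM && echo "krb5.conf OK, $(kdc_count "$conf") KDCs:"
cat "$conf"
rm -f "$conf"
```

The domain_realm mappings matter for a UCS client because every service principal is looked up by host name: a host under engineering.example.com that is not mapped to the realm would be resolved by DNS heuristics instead. Run check_krb5_conf against /etc/krb5/krb5.conf after kclient has finished to confirm that the realm was entered in upper case.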

Verification

Finally, verify that Kerberos is configured correctly. Execute the following command on your Solaris system to obtain a Kerberos ticket-granting ticket, using your UCS Kerberos realm (the UCS domain name in upper case):

kinit <Username>@<uppercase UCS domain>

A warning like the following may appear. It only means that the ktkt_warnd ticket expiry warning daemon is not running; the ticket is still issued and the warning can be ignored:

kinit: no ktkt_warnd warning possible

To confirm that the Kerberos ticket was obtained successfully, enter the command:

klist

For example:

Default principal: Administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
08/12/2016 21:11     09/12/2016 07:13     krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 15/12/2017 21:11

The default principal must be in your UCS realm, and the service principal of the first ticket is the ticket-granting ticket krbtgt/<REALM>@<REALM>. If kinit reports a clock skew error instead, check the time synchronization between the client and the KDC first (the wizard's 5-minute limit).
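The klist check above can be automated, for example in a login script or a monitoring check on the Solaris client. The following POSIX shell functions are an added example, not part of the Univention article: they read klist output from standard input and report whether the credential cache holds a ticket-granting ticket for the expected realm. The sample outputs are constructed from the article's klist example and from a Solaris "no credentials cache" message, and are labelled as such in the code.

```shell
#!/bin/sh
# Added example, not part of the Univention article: check klist output for
# a ticket-granting ticket in the expected realm.

# klist_principal < klist_output: print the default principal, or nothing
klist_principal() {
    sed -n 's/^Default principal: //p'
}

# klist_has_tgt REALM < klist_output: 0 if the cache belongs to a principal
# in REALM and holds krbtgt/REALM@REALM, 1 otherwise. An empty cache, a
# ticket from another realm or a cache holding only service tickets fail.
klist_has_tgt() {
    realm=$1
    re=$(printf '%s' "$realm" | sed 's/\./\\./g')   # literal dots in the regex
    text=$(cat)
    printf '%s\n' "$text" | grep -q "^Default principal: [^@][^@]*@$re\$" || return 1
    printf '%s\n' "$text" | grep -q "krbtgt/$re@$re" || return 1
}

# Constructed sample, taken from the article's klist example
SAMPLE_OK='Default principal: Administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
08/12/2016 21:11     09/12/2016 07:13     krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 15/12/2017 21:11'

# Constructed sample of an empty credential cache (message as printed by
# Solaris klist; path is an assumption)
SAMPLE_EMPTY='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)'

printf '%s\n' "$SAMPLE_OK" | klist_has_tgt EXAMPLE.COM \
    && echo "TGT present for $(printf '%s\n' "$SAMPLE_OK" | klist_principal)"
printf '%s\n' "$SAMPLE_EMPTY" | klist_has_tgt EXAMPLE.COM \
    || echo "no TGT: run kinit first"
```

On the client itself, run `klist 2>&1 | klist_has_tgt EXAMPLE.COM` with your own realm; the exit status can drive a script that calls kinit with a keytab or alerts when a user logs in without a ticket.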
