Configuring the Kerberos integrated login
After Kerberos installation is complete, you must configure the system to use Kerberos as the primary means of user authentication.
To configure systems to use Kerberos as the primary means of user authentication, run the mkkrb5clnt command with the following parameters:
    mkkrb5clnt -c KDC -r realm -a admin -s server -d domain -A -i database -K -T
The variable values in Table 1 are used in the following example of how to configure a system for Kerberos integrated login with a local file system as the AIX® user/group repository.
| Variable Name | Variable Value |
|---|---|
| Realm Name | MYREALM |
| KDC Server | kdcsrv.austin.ibm.com |
| Domain Name | austin.ibm.com |
| Administration Server | kdcsrv.austin.ibm.com |
| Administrator Name | admin/admin |
| AIX User/Group Database | files |
Run the following command:
    mkkrb5clnt -r MYREALM -c kdcsrv.austin.ibm.com -s kdcsrv.austin.ibm.com \
        -a admin/admin -d austin.ibm.com -A -i files -K -T
The previous example results in the following actions:
- The command creates the /etc/krb5/krb5.conf file. Values for realm name, Kerberos administration server, and domain name are set as specified on the command line. The paths for default_keytab_name, kdc, and kadmin log files are also updated.
- The -i flag configures a fully integrated login. The database entered is the location where AIX user identification information is stored. This is different from the Kerberos principal storage, which is set during the Kerberos configuration.
- The -K flag configures Kerberos as the default authentication scheme. This allows the users to become authenticated with Kerberos at login time.
- The -A flag adds an entry in the Kerberos Database to make root an admin user for Kerberos.
- The -T flag acquires the server admin ticket-granting ticket.
Note: Do not use the -D option in the mkkrb5clnt command to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS). If you do not specify the -D option in the mkkrb5clnt command, the is_kadmind_compat attribute is not included in the /usr/lib/security/methods.cfg file and the Kerberos client environment is configured for authentication against the IBM NAS.
Verify the configuration by examining the /etc/krb5/krb5.conf file. The following is an example of a /etc/krb5/krb5.conf file on a client machine:
    [libdefaults]
        default_realm = MYREALM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    [realms]
        MYREALM = {
            kdc = kdcsrv.austin.ibm.com:88
            admin_server = kdcsrv.austin.ibm.com:749
            default_domain = austin.ibm.com
        }
    [domain_realm]
        .austin.ibm.com = MYREALM
        kdcsrv.austin.ibm.com = MYREALM
    [logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log
Note: If LDAP is used for Kerberos principal storage, then the krb5.conf file will contain the following line under the [realms] stanza:
    vdb_plugin_lib = /usr/lib/libkrb5ldplug.a
If a system is installed that is located in a different DNS domain than the KDC, the following additional actions must be performed:
- Edit the /etc/krb5/krb5.conf file and add another entry after [domain_realm].
- Map the different domain to your realm.
For example, if you want to include a client that is in the abc.xyz.com domain into your MYREALM realm, modify the /etc/krb5/krb5.conf file as follows:
    [domain_realm]
        .austin.ibm.com = MYREALM
        .raleigh.ibm.com = MYREALM
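The following script is an added example and is not part of the IBM documentation or the mkkrb5clnt tooling. It resolves a host name to a realm using the [domain_realm] lookup rules (an exact host entry wins, otherwise the longest matching ".domain" suffix), so that you can check a krb5.conf covers a client in a second DNS domain before relying on the integrated login. The sample configuration, the mapped host names and the realm_for_host function are all constructed for this example; point the function at /etc/krb5/krb5.conf to check a real client.

```shell
#!/bin/sh
# Added example, not from the IBM page: check which realm a host name maps to
# under the [domain_realm] stanza of a krb5.conf file.

# Constructed krb5.conf, modelled on the page's example plus the extra
# [domain_realm] entry for a second DNS domain.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = MYREALM
[realms]
    MYREALM = {
        kdc = kdcsrv.austin.ibm.com:88
        admin_server = kdcsrv.austin.ibm.com:749
    }
[domain_realm]
    .austin.ibm.com = MYREALM
    kdcsrv.austin.ibm.com = MYREALM
    .raleigh.ibm.com = MYREALM
EOF

# realm_for_host <krb5.conf> <hostname>: prints the mapped realm and returns 0,
# or prints nothing and returns 1 when no [domain_realm] entry covers the host.
realm_for_host() {
    awk -v host="$2" '
        BEGIN { best = 0 }
        /^[ \t]*\[/ { sect = $1; next }        # stanza header, e.g. [domain_realm]
        sect == "[domain_realm]" && NF >= 3 && $2 == "=" {
            key = $1; realm = $3
            if (key == host) { exact = realm }
            else if (substr(key, 1, 1) == "." && length(key) > best &&
                     substr(host, length(host) - length(key) + 1) == key) {
                best = length(key); suffix = realm   # keep the longest suffix match
            }
        }
        END {
            if (exact != "")       print exact
            else if (suffix != "") print suffix
            else                   exit 1
        }' "$1"
}

# A host in raleigh.ibm.com is mapped; one in abc.xyz.com has no entry yet.
realm_for_host "$SAMPLE_CONF" host1.raleigh.ibm.com
realm_for_host "$SAMPLE_CONF" host1.abc.xyz.com \
    || echo "no [domain_realm] entry covers host1.abc.xyz.com"
```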
When the Network Authentication Service configuration is complete, the login process to the operating system remains unchanged. After a successful login, users will have Kerberos ticket-granting tickets associated with their running processes. The user's $KRB5CCNAME environment variable points to that ticket-granting ticket. To verify that the login is successful and the user has a ticket-granting ticket, use the klist command.
Note: When you run the mkkrb5clnt command, the following stanza is added to the methods.cfg file.
    KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = is_kadmind_compat=yes
    KRB5files:
        options = db=BUILTIN,auth=KRB5
For additional information about:
- the mkkrb5clnt command, see the mkkrb5clnt command.
- the methods.cfg file, see the methods.cfg file.