Configuring the Kerberos integrated login

After Kerberos installation is complete, you must configure the system to use Kerberos as the primary means of user authentication.

To configure systems to use Kerberos as the primary means of user authentication, run the mkkrb5clnt command with the following parameters:
mkkrb5clnt -c KDC -r realm -a admin -s server -d domain -A -i database -K -T

The variable values in Table 1 are used in the following example of how to configure a system for Kerberos integrated login with a local file system as the AIX® user/group repository.

Table 1. The mkkrb5clnt command variable names

    Variable Name            Variable Value
    -----------------------  ----------------------
    Realm Name               MYREALM
    KDC Server               kdcsrv.austin.ibm.com
    Domain Name              austin.ibm.com
    Administration Server    kdcsrv.austin.ibm.com
    Administrator Name       admin/admin
    AIX User/Group Database  files

Using the values from Table 1, run the following command to configure the system for Kerberos integrated login with the local file system as the AIX user/group repository:
mkkrb5clnt -r MYREALM -c kdcsrv.austin.ibm.com -s kdcsrv.austin.ibm.com \
-a admin/admin -d austin.ibm.com -A -i files -K -T
The previous example results in the following actions:
  1. The command creates the /etc/krb5/krb5.conf file. Values for realm name, Kerberos administration server, and domain name are set as specified on the command line. The paths for default_keytab_name, kdc, and kadmin log files are also updated.
  2. The -i flag configures a fully integrated login. The database named with -i is the location where AIX user identification information is stored. This is different from the Kerberos principal storage, which is set during the Kerberos configuration.
  3. The -K flag configures Kerberos as the default authentication scheme. This allows the users to become authenticated with Kerberos at login time.
  4. The -A flag adds an entry in the Kerberos Database to make root an admin user for Kerberos.
  5. The -T flag acquires the server admin ticket-granting ticket.
Note: Do not use the -D option in the mkkrb5clnt command to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS). If you do not specify the -D option in the mkkrb5clnt command, the is_kadmind_compat attribute is not included in the /usr/lib/security/methods.cfg file and the Kerberos client environment is configured for authentication against the IBM NAS.
Verify the configuration by examining the /etc/krb5/krb5.conf file. The following is an example of a /etc/krb5/krb5.conf file on a client machine:
[libdefaults]
     default_realm = MYREALM
     default_keytab_name = FILE:/etc/krb5/krb5.keytab
     default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
     default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
     MYREALM = {
        kdc = kdcsrv.austin.ibm.com:88
        admin_server = kdcsrv.austin.ibm.com:749
        default_domain = austin.ibm.com
     }
[domain_realm]
    .austin.ibm.com = MYREALM
    kdcsrv.austin.ibm.com = MYREALM
[logging]
     kdc = FILE:/var/krb5/log/krb5kdc.log
     admin_server = FILE:/var/krb5/log/kadmin.log
     default = FILE:/var/krb5/log/krb5lib.log
Note: If LDAP is used for Kerberos principal storage, then the krb5.conf file will contain the following line under the [realms] stanza:
vdb_plugin_lib = /usr/lib/libkrb5ldplug.a
If a client system is located in a different DNS domain from the KDC, the following additional actions must be performed:
  1. Edit the /etc/krb5/krb5.conf file and add another entry under the [domain_realm] stanza.
  2. Map the different domain to your realm.
For example, if you want to include a client that is in the abc.xyz.com domain in your MYREALM realm, modify the [domain_realm] stanza of the /etc/krb5/krb5.conf file as follows:
[domain_realm]
     .austin.ibm.com = MYREALM
     .abc.xyz.com = MYREALM
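As an added example (not part of the IBM documentation or the mkkrb5clnt tool), the following Python parses the stanza layout of the krb5.conf file shown above and performs the [domain_realm] lookup that decides which realm a host belongs to, so you can see when a client in another DNS domain is only reaching the realm through the default_realm fallback. The sample file text and host names are constructed for the example; the lookup order is a simplified version of the library's.

```python
# Added example, not IBM's code: parses the krb5.conf layout shown above and
# performs the [domain_realm] lookup. SAMPLE is constructed from the page's file.
SAMPLE = """[libdefaults]
 default_realm = MYREALM
 default_tkt_enctypes = aes256-cts des-cbc-md5 des-cbc-crc
[realms]
 MYREALM = {
  kdc = kdcsrv.austin.ibm.com:88
  admin_server = kdcsrv.austin.ibm.com:749
 }
[domain_realm]
 .austin.ibm.com = MYREALM
 kdcsrv.austin.ibm.com = MYREALM
"""

def parse_krb5_conf(text):
    """Return {stanza: {key: value}}; a 'NAME = {' block becomes a nested dict."""
    conf, stanza, block = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # stanza header such as [realms]
            stanza, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":                 # closes a realm block
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = stanza.setdefault(key, {})
            else:
                (stanza if block is None else block)[key] = value
    return conf

def realm_for_host(conf, host):
    """Simplified [domain_realm] lookup: exact host, then each '.parent' suffix,
    else default_realm. Returns (realm, how) so a default fallback is visible."""
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return mapping[host], "host"
    labels = host.split(".")
    for i in range(1, len(labels)):
        realm = mapping.get("." + ".".join(labels[i:]))
        if realm:
            return realm, "domain"
    return conf.get("libdefaults", {}).get("default_realm"), "default"

def weak_enctypes(conf):
    """Single-DES ticket enctypes still listed in [libdefaults], if any."""
    types = conf.get("libdefaults", {}).get("default_tkt_enctypes", "")
    return [e for e in types.split() if e.startswith("des-")]
```

A host in abc.xyz.com resolves to MYREALM only through the default_realm fallback until a `.abc.xyz.com = MYREALM` line is added to [domain_realm], which is the mapping step described above.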
When the Network Authentication Service configuration is complete, the login process to the operating system remains unchanged. After a successful login, users will have Kerberos ticket-granting tickets associated with their running processes. The user's $KRB5CCNAME environment variable points to that ticket-granting ticket. To verify that the login is successful and the user has a ticket-granting ticket, use the klist command.
Note: When you run the mkkrb5clnt command, the following stanza is added to the methods.cfg file.
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = is_kadmind_compat=yes

KRB5files:
        options = db=BUILTIN,auth=KRB5
For additional information about: