Configuring Sun Solaris

A Kerberos client can be configured against Sun Solaris.

The Sun Enterprise Authentication Mechanism (SEAM) and the AIX® NAS client are interoperable at the Kerberos protocol level (RFC 1510). Because the Solaris kadmind daemon interface is not compatible with the AIX NAS client kadmin interface, include the -D flag in the mkkrb5clnt command when you configure AIX clients. Use Solaris tools to do principal management on Solaris systems. Because the protocol for changing passwords is different between SEAM Kerberos servers and AIX NAS clients, changing the password of a principal causes the configuration to fail.

Solaris is used in the following example.

Use the following procedure to configure an AIX client for Kerberos-based authentication against SEAM.
  1. Configure SEAM by using the Sun documentation.
  2. If the NAS client is not installed on the AIX client, install the krb5.client.rte file set from the AIX Expansion Pack.
  3. To configure an AIX Kerberos client, use the mkkrb5clnt command with the following configuration information:
    realm
    Solaris Kerberos realm name: AUSTIN.IBM.COM
    domain
    Domain name of the machine that hosts the Kerberos servers: Austin.ibm.com
    KDC
    Host name of the Solaris system that hosts the KDC: sunsys.austin.ibm.com
    server
    Host name of the Solaris system that hosts the kadmin daemon (usually the same as KDC): sunsys.austin.ibm.com
    Note: Because the Solaris and AIX NAS client kadmin interfaces are different, the server name is not used by the NAS clients, and you must use the -D flag with the mkkrb5clnt command.

    The following is an example of the mkkrb5clnt command:

    mkkrb5clnt -r AUSTIN.IBM.COM -d austin.ibm.com\
     -c sunsys.austin.ibm.com -s sunsys.austin.ibm.com -D

    The -D option in the mkkrb5clnt command creates the is_kadmind_compat=no option in the /etc/security/methods.cfg file and configures the Kerberos client environment for authentication against non-AIX systems. Do not use the -D option in the mkkrb5clnt command to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS).

    Note: When you run the mkkrb5clnt command, the following stanza is added to the methods.cfg file.
    KRB5:
            program = /usr/lib/security/KRB5
            program_64 = /usr/lib/security/KRB5_64
            options = authonly,is_kadmind_compat=no
    
    KRB5files:
            options = db=BUILTIN,auth=KRB5
    For more information about:
    • the mkkrb5clnt command and allowable flags, see the mkkrb5clnt command.
    • the methods.cfg file, see the methods.cfg file.
  4. Use the Solaris kadmin tool to create a host/tx3d.austin.ibm.com@MYREALM host principal and save it to a file, similar to the following:
    kadmin: add_principal -randkey host/tx3d.austin.ibm.com
    Principal "host/tx3d.austin.ibm.com@AUSTIN.IBM.COM" created.
    
    kadmin: ktadd -k /tmp/tx3d.keytab host/tx3d.austin.ibm.com
    Entry for principal host/tx3d.austin.ibm.com with kvno 3, 
        encryption type DES-CBC-CRC added to keytab WRFILE:/tmp/tx3d.keytab.
    
    kadmin: quit
  5. Copy the tx3d.keytab file to the AIX host system.
  6. Merge the tx3d.keytab file into the /etc/krb5/krb5.keytab file on the AIX system as follows:
    ktutil
    rkt tx3d.keytab
    l
    slot KVNO Principal
    wkt /etc/krb5/krb5.keytab
    q
  7. To create a Kerberos principal, use the Solaris kadmin tool:
    add_principal sunuser
  8. To create AIX accounts that correspond to the Solaris Kerberos principal and use Kerberos authentication, enter the following command:
    mkuser registry=KRB5files SYSTEM=KRB5files sunuser
  9. Use the telnet command to log into the AIX system with the sunuser user name and password, and verify the configuration.
    The following is an example of a Kerberos integrated login session that uses KRB5 against the Solaris KDC:
    telnet tx3d
    
    echo $AUTHSTATE
    KRB5files
    
    echo $KRB5CCNAME
    FILE:/var/krb5/security/creds/krb5cc_sunuser@AUSTIN.IBM.COM_207
    
    View credentials:
    /usr/krb5/bin/klist
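The following is an added check, not part of this documentation, that reads a methods.cfg-style file and confirms the KRB5 stanza written by mkkrb5clnt -D in step 3 carries is_kadmind_compat=no and that KRB5files chains authentication to KRB5. The function names stanza_option and check_non_aix_kdc are hypothetical, and the two sample files are constructed here.

```shell
#!/bin/sh
# Added check, not from the AIX documentation: verify that the KRB5 stanza
# in a methods.cfg file is the one mkkrb5clnt -D writes for a non-AIX KDC.
# Usage: check_non_aix_kdc /etc/security/methods.cfg

# Print the value of KEY in stanza NAME of a methods.cfg-style file
# (stanza header "NAME:" followed by indented "key = value" lines).
stanza_option() {  # FILE NAME KEY
    awk -v want="$2" -v key="$3" '
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == want && $1 == key && $2 == "=" { print $3; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Return 0 when the file matches the stanza shown in step 3 for a SEAM KDC.
check_non_aix_kdc() {  # FILE
    opts=$(stanza_option "$1" KRB5 options) || return 1
    case ",$opts," in *,is_kadmind_compat=no,*) ;; *) return 1 ;; esac
    fopts=$(stanza_option "$1" KRB5files options) || return 1
    case ",$fopts," in *,auth=KRB5,*) ;; *) return 1 ;; esac
}

# Constructed sample files (not real system files) to exercise the check.
GOOD_CFG=$(mktemp)   # what mkkrb5clnt -D writes, as shown in step 3
BAD_CFG=$(mktemp)    # hypothetical stanza written without -D
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat >"$GOOD_CFG" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF
cat >"$BAD_CFG" <<'EOF'
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly

KRB5files:
        options = db=BUILTIN,auth=KRB5
EOF

if check_non_aix_kdc "$GOOD_CFG"; then echo "KRB5 stanza ok for non-AIX KDC"; fi
check_non_aix_kdc "$BAD_CFG" || echo "KRB5 stanza lacks is_kadmind_compat=no"
```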