Configuring Sun Solaris
A Kerberos client can be configured against Sun Solaris.
The Sun Enterprise Authentication Mechanism (SEAM) and AIX® NAS client are interoperable at the Kerberos protocol level (RFC1510). Because the Solaris kadmind daemon interface is not compatible with the AIX NAS client kadmin interface, include the –D flag in the mkkrb5clnt command when you configure AIX clients. Use Solaris tools to do principal management on Solaris systems. Because the protocol for changing passwords is different between SEAM Kerberos servers and AIX NAS clients, changing the password of a principal causes the configuration to fail.
Solaris is used in the following example.
- Configure SEAM by using the Sun documentation.
- If the NAS client is not installed on the AIX client, install the krb5.client.rte file set from the AIX Expansion Pack.
- To configure an AIX Kerberos client, use the mkkrb5clnt command with
the following configuration information:
- realm
- Solaris Kerberos realm name: AUSTIN.IBM.COM
- domain
- Domain name of the machine that hosts the Kerberos servers: Austin.ibm.com
- KDC
- Host name of the Solaris system that hosts the KDC: sunsys.austin.ibm.com
- server
- Host name of the Solaris system that hosts the kadmin daemon (usually the same as KDC): sunsys.austin.ibm.com
Note: Because the Solaris and AIX NAS client kadmin interfaces are different, the server name is not used by the NAS clients, and you must use the –D flag with the mkkrb5clnt command.The following is an example of the mkkrb5clnt command:
mkkrb5clnt -r AUSTIN.IBM.COM -d austin.ibm.com\ -c sunsys.austin.ibm.com -s sunsys.austin.ibm.com -DThe -D option in the mkkrb5clnt command creates the is_kadmind_compat=no option in the /etc/security/methods.cfg file and configures the Kerberos client environment for authentication against non-AIX systems. Do not use the -D option in the mkkrb5clnt command to configure the Kerberos client environment for authentication against the IBM® Network Authentication Service (NAS).
Note: When you run the mkkrb5clnt command, the following stanza is added to the methods.cfg file.KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no KRB5files: options = db=BUILTIN,auth=KRB5For more information about:- the mkkrb5clnt command and allowable flags, see the mkkrb5clnt command.
- the methods.cfg file, see the methods.cfg file.
- Use the Solaris kadmin tool to create a host/tx3d.austin.ibm.com@MYREALM host principal and save
it to a file, similar to the following:
kadmin: add_principal -randkey host/tx3d.austin.ibm.com Principal "host/tx3d.austin.ibm.com@AUSTIN.IBM.COM" created. kadmin:ktadd -k /tmp/tx3d.keytab host/tx3d.austin.ibm.com Entry for principal host/tx3d.austin.ibm.com with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/tmp/tx3d.keytab. kadmin: quit - Copy the tx3d.keytab file to the AIX host system.
- Merge the tx3d.keytab file into the /etc/krb5/krb5.keytab file on the AIX system as follows:
ktutil rkt tx3d.keytab l slot KVNO Principal wkt /etc/krb5/krb5.keytab q - To create a Kerberos principal, use the Solaris kadmin tool .
add_principal sunuser - To create AIX accounts
that correspond to the Solaris Kerberos principal and use Kerberos
authentication, enter the following command:
mkuser registry=KRB5files SYSTEM=KRB5files sunuser - Use the telnet command to log into the AIX system with the sunuser
user name and password, and verify the configuration.The following is an example of a Kerberos integrated login session that uses KRB5 against the Solaris KDC:
telnet tx3d echo $AUTHSTATE KRB5files echo $KRB5CCNAME FILE:/var/krb5/security/creds/krb5cc_sunuser@AUSTIN.IBM.COM_207 View credentials: /usr/krb5/bin/klist