This is based on my demo lab. If you follow the steps and just insert your info you should be fine. I’ll post Kerberized NFS and other services soon.
1) Verify packages are installed. If not, install them.
-> pkginfo SUNWkrbr SUNWkrbu SUNWkdcu SUNWkdcr
system SUNWkdcr Kerberos V5 KDC (root)
system SUNWkdcu Kerberos V5 Master KDC (user)
system SUNWkrbr Kerberos version 5 support (Root)
system SUNWkrbu Kerberos version 5 support (Usr)
2) If they are not installed, insert the DVD, mount the ISO or use an NFS mount:
-> pkgadd -d /path/to/package/SUNWkrbr
-> pkgadd -d /path/to/package/SUNWkrbu
-> pkgadd -d /path/to/package/SUNWkdcu
-> pkgadd -d /path/to/package/SUNWkdcr
3) Make sure all of the SSH packages are installed.
-> pkginfo SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu
system SUNWsshcu SSH Common, (Usr)
system SUNWsshdr SSH Server, (Root)
system SUNWsshdu SSH Server, (Usr)
system SUNWsshr SSH Client and utilities, (Root)
system SUNWsshu SSH Client and utilities, (Usr)
4) Define these elements before you start.
a. Realm name = LAB.SLICE2.COM. This is the name of your Kerberos Realm. Think of it like your Active Directory domain.
b. Master KDC = labkdc01.lab.slice2.com. This is your Kerberos Key Distribution Center. Think of it like your Windows Domain Controller.
c. admin principal and password = kws/admin. This is your administrative principal user account. Think of it like your Windows Domain Admin.
d. The KDC Master password = (your choice). This is the KDC master database password. Do not forget this password or you will be hosed.
e. Host OS: Solaris 10. This was done with Solaris 10 x86 Update 11.
f. Hosts: Solaris 10u11 KDC and Solaris 10u11 client.
5) Configure NTP. Time is critical to Kerberos. If NTP is already done, skip this step.
-> touch /var/ntp/ntp.drift
-> cp /etc/inet/ntp.client /etc/inet/ntp.conf
-> vi /etc/inet/ntp.conf
server 10.10.10.2
server 10.10.10.3
driftfile /var/ntp/ntp.drift
multicastclient 224.0.1.1
-> wq!
-> svcadm restart ntp (or svcadm enable ntp if never run before)
a. Verify ntp:
-> ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
 labdc01.lab.sli .LOCL.           1 u   23   64    3    1.17  -25.978 7887.18
 labdc02.lab.sli labdc01.lab.sli  2 u   22   64    3    0.99  -36.954 7895.22
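Added example (not from the original post): a small sh check, run on the KDC or on any client, that reads ntpq -p output and tells you whether a reachable peer keeps the clock inside the default 5-minute Kerberos skew tolerance. The ntpq output embedded in it is constructed from the lab peers above, and the function name check_ntp_skew is my own.

```sh
#!/bin/sh
# Added example, not part of the original post: check the output of
# "ntpq -p" against the Kerberos default clock-skew tolerance (300 s).
# ntpq prints the offset column in milliseconds, so 300 s = 300000 ms.

# Constructed sample of "ntpq -p" output, modelled on the lab's two peers.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*labdc01.lab.sli .LOCL.           1 u   23   64    3    1.17  -25.978 7887.18
+labdc02.lab.sli labdc01.lab.sli  2 u   22   64    3    0.99  -36.954 7895.22'

# Constructed sample where no peer has answered yet (reach column is 0).
SAMPLE_NTPQ_UNREACHED='     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
 labdc01.lab.sli .INIT.          16 u    -   64    0    0.00    0.000 16000.0'

# check_ntp_skew MAX_MS   (reads "ntpq -p" output on stdin)
# Returns 0 if at least one peer has a non-zero reach and an absolute
# offset of at most MAX_MS milliseconds; returns 1 otherwise. Columns are
# taken from the end of the line, so the tally character (* + - x, or a
# space) in front of the peer name does not matter.
check_ntp_skew() {
    awk -v max="$1" '
        # header line, ===== line and blanks have no numeric offset column
        NF < 10 || $(NF-1) !~ /^-?[0-9.]+$/ { next }
        {
            reach  = $(NF-3)
            offset = $(NF-1) + 0
            if (offset < 0) offset = -offset
            if (reach != "0" && offset <= max) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Stand-alone run against the constructed samples. On a real host pipe the
# live output instead:  ntpq -p | check_ntp_skew 300000
for sample in "$SAMPLE_NTPQ" "$SAMPLE_NTPQ_UNREACHED"; do
    if printf '%s\n' "$sample" | check_ntp_skew 300000; then
        echo "OK: a reachable NTP peer keeps this host within 5 minutes of its source"
    else
        echo "WARNING: no reachable NTP peer within tolerance; expect Kerberos clock skew errors"
    fi
done
```

Run it right after `svcadm restart ntp`; the first minutes after a restart often show reach 0 until the peers have been polled, which is exactly the state the second sample reproduces.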
6) Log in as root on the Solaris host that will become the KDC. Edit the Kerberos configuration file krb5.conf to fit your environment. Only change the lab-specific values below (the realm name, the KDC hostnames and the domain mapping) to match your environment.
-> cp /etc/krb5/krb5.conf /etc/krb5/krb5.conf.orig
-> vi /etc/krb5/krb5.conf
[libdefaults]
default_realm = LAB.SLICE2.COM
[realms]
LAB.SLICE2.COM = {
kdc = labkdc01.lab.slice2.com
# kdc = ___slave_kdc1___
# kdc = ___slave_kdc2___
# kdc = ___slave_kdcN___
admin_server = labkdc01.lab.slice2.com
}
[domain_realm]
lab.slice2.com = LAB.SLICE2.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, …)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
gkadmin = {
# help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
-> wq!
7) Edit the KDC file kdc.conf. Replace the realm name with your own, and add the two sunw_dbprop lines (they enable incremental propagation to slave KDCs) to the end of the realm block under the [realms] header.
-> cp /etc/krb5/kdc.conf /etc/krb5/kdc.conf.orig
-> vi /etc/krb5/kdc.conf
[kdcdefaults]
kdc_ports = 88,750
[realms]
LAB.SLICE2.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}
-> wq!
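Added example (not from the original post): before creating the database in step 8 and enabling the daemons, confirm that the krb5.conf from step 6 and the kdc.conf from step 7 agree on the realm. A realm block that is missing, spelt differently or typed in lower case in one of the two files gives a KDC that starts but finds no principals. The check_krb5_realm function, its messages and the sample files it writes to a temporary directory are mine, modelled on the lab configuration; none of it is Solaris tooling.

```sh
#!/bin/sh
# Added example, not part of the original post: verify that krb5.conf and
# kdc.conf agree on the realm before starting the KDC.

# check_krb5_realm KRB5_CONF KDC_CONF
# Prints one line per problem and returns 1 if any were found; returns 0
# when [libdefaults] names a default_realm, it is upper case, krb5.conf's
# [realms] has a block for it with kdc and admin_server, [domain_realm]
# maps something to it, and kdc.conf's [realms] has a block for it too.
check_krb5_realm() {
    krb5="$1"; kdc="$2"; problems=0
    realm=$(awk '$1 == "default_realm" { print $3; exit }' "$krb5")
    if [ -z "$realm" ]; then
        echo "$krb5: no default_realm in [libdefaults]"
        return 1
    fi
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "$krb5: realm $realm is not upper case (realm names are case-sensitive)"
        problems=1
    fi
    # Section-aware scan of krb5.conf: track the current [section] and
    # whether we are inside the "REALM = { ... }" block. Comment lines have
    # "#" as their first field, so they never match an option name.
    awk -v realm="$realm" -v file="$krb5" '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z_]/, "", sect); next }
        sect == "realms" && $1 == realm && $2 == "="        { inblock = 1; found = 1; next }
        sect == "realms" && inblock && $1 == "}"            { inblock = 0 }
        sect == "realms" && inblock && $1 == "kdc"          { kdc = 1 }
        sect == "realms" && inblock && $1 == "admin_server" { adm = 1 }
        sect == "domain_realm" && $3 == realm               { map = 1 }
        END {
            if (!found)        { print file ": [realms] has no block for " realm; n++ }
            if (found && !kdc) { print file ": " realm " block has no kdc entry"; n++ }
            if (found && !adm) { print file ": " realm " block has no admin_server entry"; n++ }
            if (!map)          { print file ": [domain_realm] maps no domain to " realm; n++ }
            exit (n > 0 ? 1 : 0)
        }' "$krb5" || problems=1
    awk -v realm="$realm" -v file="$kdc" '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z_]/, "", sect); next }
        sect == "realms" && $1 == realm && $2 == "=" { found = 1 }
        END { if (!found) print file ": [realms] has no block for " realm; exit (found ? 0 : 1) }' "$kdc" || problems=1
    return $problems
}

# Constructed sample files mirroring the lab configuration, plus two broken
# variants: kdc.conf with the realm in lower case, krb5.conf without admin_server.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = LAB.SLICE2.COM
[realms]
        LAB.SLICE2.COM = {
                kdc = labkdc01.lab.slice2.com
                # kdc = ___slave_kdc1___
                admin_server = labkdc01.lab.slice2.com
        }
[domain_realm]
        lab.slice2.com = LAB.SLICE2.COM
[logging]
        kdc = FILE:/var/krb5/kdc.log
EOF
cat > "$tmp/kdc.conf" <<'EOF'
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        LAB.SLICE2.COM = {
                database_name = /var/krb5/principal
                sunw_dbprop_enable = true
        }
EOF
sed 's/LAB.SLICE2.COM/lab.slice2.com/' "$tmp/kdc.conf" > "$tmp/kdc_bad.conf"
grep -v admin_server "$tmp/krb5.conf" > "$tmp/krb5_noadmin.conf"

check_krb5_realm "$tmp/krb5.conf" "$tmp/kdc.conf"         && echo "krb5.conf + kdc.conf: consistent"
check_krb5_realm "$tmp/krb5.conf" "$tmp/kdc_bad.conf"     || echo "  -> fix kdc_bad.conf before enabling krb5kdc"
check_krb5_realm "$tmp/krb5_noadmin.conf" "$tmp/kdc.conf" || echo "  -> kadmin clients would not find the admin server"
```

On the KDC itself the call is `check_krb5_realm /etc/krb5/krb5.conf /etc/krb5/kdc.conf`. The [logging] section in the sample deliberately contains a `kdc = FILE:...` line, which a grep for "kdc" would mistake for a KDC entry; the section tracking is what keeps that apart.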
8) Create the KDC database.
-> /usr/sbin/kdb5_util create -s
Initializing database '/var/krb5/principal' for realm 'LAB.SLICE2.COM',
master key name 'K/M@LAB.SLICE2.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
9) Edit the Kerberos access control list.
-> cp /etc/krb5/kadm5.acl /etc/krb5/kadm5.acl.orig
-> vi /etc/krb5/kadm5.acl and add:
*/admin@LAB.SLICE2.COM *
-> wq!
10) Add principals.
-> /usr/sbin/kadmin.local
Authenticating as principal root/admin@LAB.SLICE2.COM with password.
kadmin.local:
a. Add administration principals to the database.
kadmin.local: addprinc kws/admin
WARNING: no policy specified for kws/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal "kws/admin@LAB.SLICE2.COM":
Re-enter password for principal "kws/admin@LAB.SLICE2.COM":
Principal "kws/admin@LAB.SLICE2.COM" created.
b. Create the kiprop principals.
kadmin.local: addprinc -randkey kiprop/labkdc01.lab.slice2.com
WARNING: no policy specified for kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM".
c. Create a keytab file for the kadmind service.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/labkdc01.lab.slice2.com
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/labkdc01.lab.slice2.com
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
d. Add the kiprop principal for the master KDC server to the kadmind keytab file.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/labkdc01.lab.slice2.com
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
e. Quit kadmin.local.
kadmin.local: quit
11) Start the Kerberos daemons.
-> svcadm enable -r network/security/krb5kdc
-> svcadm enable -r network/security/kadmin
12) Start kadmin and add more principals.
-> /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin with password.
Password for kws/admin@LAB.SLICE2.COM:
a. Create the master KDC host principal.
kadmin: addprinc -randkey host/labkdc01.lab.slice2.com
WARNING: no policy specified for host/labkdc01.lab.slice2.com@LAB.SLICE2.COM; defaulting to no policy
Principal "host/labkdc01.lab.slice2.com@LAB.SLICE2.COM" created.
b. Create the kclient principal.
kadmin: addprinc clntconfig/admin
WARNING: no policy specified for clntconfig/admin@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal "clntconfig/admin@LAB.SLICE2.COM":
Re-enter password for principal "clntconfig/admin@LAB.SLICE2.COM":
Principal "clntconfig/admin@LAB.SLICE2.COM" created.
c. Add the master KDC’s host principal to the master KDC’s keytab file.
kadmin: ktadd host/labkdc01.lab.slice2.com
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/labkdc01.lab.slice2.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
d. Quit kadmin.
kadmin: quit
13) Synchronize the master KDC's clock.
-> svcadm restart ntp
14) Copy the Master KDC’s krb5.conf file to an NFS share for clients. Create a folder and share it out for clients.
-> mkdir -p /export/install/kerberos_files/
-> vi /etc/dfs/dfstab and add something like this to fit your environment:
share -F nfs -o rw=krbclient01.lab.slice2.com -d "Kerberos Files for Clients" /export/install/kerberos_files
-> wq!
-> shareall
-> cp /etc/krb5/krb5.conf /export/install/kerberos_files/
15) Back up the KDC database.
-> /usr/sbin/kdb5_util dump -verbose /export/install/kerberos_files/krb5.db.bkp
K/M@LAB.SLICE2.COM
changepw/labkdc01.lab.slice2.com@LAB.SLICE2.COM
clntconfig/admin@LAB.SLICE2.COM
host/krbclient01.lab.slice2.com@LAB.SLICE2.COM
host/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kadmin/changepw@LAB.SLICE2.COM
kadmin/history@LAB.SLICE2.COM
kadmin/labkdc01.lab.slice2.com@LAB.SLICE2.COM
kiprop/labkdc01.lab.slice2.com@LAB.SLICE2.COM
krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
kws/admin@LAB.SLICE2.COM
nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM
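Added example (not from the original post): kdb5_util dump writes every principal's key (encrypted under the master key) into the dump file, and step 15 puts that file in the directory that step 14 just exported over NFS. The share is limited to one client, but the dump has no reason to be there at all. The helpers below check that a dump destination lies outside every path listed in /etc/dfs/sharetab and ends up mode 0600; the function names (path_is_shared, check_dump_perms, check_backup_dest, backup_kdc_db), the sharetab line and the stand-in dump file are mine, constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check where a
# kdb5_util dump is written. Paths and file contents are constructed.

# path_is_shared PATH SHARETAB
# Returns 0 if PATH equals or lies below a pathname listed in SHARETAB,
# which has the layout of Solaris /etc/dfs/sharetab (shared path first,
# tab separated); returns 1 otherwise.
path_is_shared() {
    awk -v p="$1" '
        NF > 0 && $1 !~ /^#/ {
            if (p == $1 || index(p, $1 "/") == 1) { hit = 1; exit }
        }
        END { exit (hit ? 0 : 1) }' "$2"
}

# check_dump_perms FILE
# Returns 0 if FILE is a regular file with mode 0600; prints the reason
# and returns 1 otherwise. ls -ld is used because stat(1) output differs
# between Solaris and other systems.
check_dump_perms() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -rw-------) return 0 ;;
        *) echo "$f: mode is $mode, expected -rw------- (chmod 600 $f)"; return 1 ;;
    esac
}

# check_backup_dest FILE SHARETAB: both conditions must hold.
check_backup_dest() {
    rc=0
    if path_is_shared "$1" "$2"; then
        echo "$1: inside an NFS-shared directory; keep the dump local"; rc=1
    fi
    check_dump_perms "$1" || rc=1
    return $rc
}

# backup_kdc_db DEST SHARETAB: the wrapper to run on the KDC itself.
# Refuses shared destinations, then dumps with a restrictive umask so the
# file is created 0600. (kdb5_util is not invoked in the demo below.)
backup_kdc_db() {
    if path_is_shared "$1" "$2"; then
        echo "refusing to dump the KDC database into shared path $1"; return 1
    fi
    ( umask 077 && /usr/sbin/kdb5_util dump -verbose "$1" )
}

# Demo with a constructed sharetab mirroring the share from step 14 and a
# stand-in dump file whose content is irrelevant to the checks.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '/export/install/kerberos_files\t-\tnfs\trw=krbclient01.lab.slice2.com\tKerberos Files for Clients\n' > "$tmp/sharetab"
echo "K/M@LAB.SLICE2.COM" > "$tmp/krb5.db.bkp"
chmod 644 "$tmp/krb5.db.bkp"
check_backup_dest "$tmp/krb5.db.bkp" "$tmp/sharetab" || echo "  -> tightening permissions"
chmod 600 "$tmp/krb5.db.bkp"
check_backup_dest "$tmp/krb5.db.bkp" "$tmp/sharetab" && echo "$tmp/krb5.db.bkp: OK"
path_is_shared /export/install/kerberos_files/krb5.db.bkp "$tmp/sharetab" && echo "step 15's dump path is on the NFS share; move it under /var/krb5 or similar"
```

On the KDC, `backup_kdc_db /var/krb5/krb5.db.bkp /etc/dfs/sharetab` does the dump; run `check_backup_dest` on the result afterwards if the file is later copied elsewhere.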
16) Create user principals.
-> kadmin -p kws/admin
kadmin: addprinc johndoe
WARNING: no policy specified for johndoe@LAB.SLICE2.COM; defaulting to no policy
Enter password for principal "johndoe@LAB.SLICE2.COM":
Re-enter password for principal "johndoe@LAB.SLICE2.COM":
Principal "johndoe@LAB.SLICE2.COM" created.
Test user:
-> kinit johndoe
-> klist -c
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: johndoe@LAB.SLICE2.COM
Valid starting Expires Service principal
06/07/13 11:50:45 06/07/13 19:50:45 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 11:50:45
Configure a Solaris client to use Kerberos.
1) Log in as root on the client. Configure Kerberos interactively with kclient; the answers given for the lab are shown after each prompt below:
-> /usr/sbin/kclient
Starting client setup
-------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: LAB.SLICE2.COM
Specify the KDC hostname for the above realm: labkdc01.lab.slice2.com
labkdc01.lab.slice2.com
Note, this system and the KDC’s time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).
Setting up /etc/krb5/krb5.conf.
Enter the krb5 administrative principal to be used: kws/admin
Obtaining TGT for kws/admin ...
Password for kws/admin@LAB.SLICE2.COM:
Do you have multiple DNS domains spanning the Kerberos realm LAB.SLICE2.COM ? [y/n]: n
No action performed.
Do you plan on doing Kerberized nfs ? [y/n]: y
nfs/krbclient01.lab.slice2.com entry ADDED to KDC database.
nfs/krbclient01.lab.slice2.com entry ADDED to keytab.
host/krbclient01.lab.slice2.com entry ADDED to KDC database.
host/krbclient01.lab.slice2.com entry ADDED to keytab.
Do you want to copy over the master krb5.conf file ? [y/n]: y
Enter the pathname of the file to be copied: /net/10.10.10.101/export/install/kerberos_files/krb5.conf
Copied /net/10.10.10.101/export/install/kerberos_files/krb5.conf.
-------------------------------------------------
Setup COMPLETE.
2) Check the configuration.
-> klist -e -k -t
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
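Added example (not from the original post): the keytab listing above holds each principal's key in five enctypes, and three of them (single DES, triple DES and ArcFour/RC4) are deprecated; a keytab is only as strong as its weakest key. This sh scan (weak_keytab_entries and weak_keytab_count are my names) reads klist -e -k -t output and lists the entries to get rid of. The listing it parses is constructed from the output above. Once nothing on the host still needs those enctypes, restrict them with permitted_enctypes in the [libdefaults] section of krb5.conf and supported_enctypes in the realm block of kdc.conf, then re-create the keytab entries with ktadd so only the remaining enctypes are written.

```sh
#!/bin/sh
# Added example, not part of the original post: scan "klist -e -k -t"
# output for keys in deprecated encryption types.

# Constructed sample, copied in shape from the client keytab listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
   3 06/07/13 10:28:21 nfs/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (Triple DES cbc mode with HMAC/sha1)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (ArcFour with HMAC/md5)
   3 06/07/13 10:28:25 host/krbclient01.lab.slice2.com@LAB.SLICE2.COM (DES cbc mode with RSA-MD5)'

# weak_keytab_entries   (reads "klist -e -k -t" output on stdin)
# Prints "KVNO PRINCIPAL ENCTYPE" for every entry whose enctype is DES,
# triple DES or ArcFour/RC4; returns 1 if any were printed, else 0.
# The second pattern covers the lower-case names (des-cbc-crc, des3-...,
# rc4-hmac) that newer MIT klist builds print instead of the long form.
weak_keytab_entries() {
    awk '
        # entry lines start with the KVNO; header lines do not
        $1 ~ /^[0-9]+$/ && match($0, /\([^()]*\)$/) {
            enc = substr($0, RSTART + 1, RLENGTH - 2)
            if (enc ~ /^(DES|Triple DES|ArcFour)/ || enc ~ /^(des|rc4)/) {
                print $1, $4, enc; n++
            }
        }
        END { exit (n > 0 ? 1 : 0) }'
}

# weak_keytab_count: same scan, prints only the number of weak entries.
weak_keytab_count() {
    weak_keytab_entries | awk 'END { print NR + 0 }'
}

# Stand-alone run; on the client use:  klist -e -k -t | weak_keytab_entries
if printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries; then
    echo "keytab contains only AES keys"
else
    echo "$(printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_count) keytab entries use deprecated enctypes"
fi
```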
3) Configure ssh to use Kerberos.
4) Create a mapping from a Kerberos principal to a local Solaris user with the gsscred command. In this example, link my Kerberos principal johndoe@LAB.SLICE2.COM to my local Solaris user johndoe.
-> gsscred -m kerberos_v5 -a -c "John Doe" -n johndoe@LAB.SLICE2.COM -u johndoe
a. Check the Kerberos association database:
-> gsscred -l
0401000B06092A864886F712010202000000166A6F686E646F65404C41422E534C494345322E434F4D 100 johndoe, kerberos_v5
5) Ticket info. Sometimes you have to destroy the ticket to properly obtain a new one.
-> kdestroy
Get a fresh ticket:
-> kinit kws/admin
Password for kws/admin@LAB.SLICE2.COM:
Now list your new ticket:
-> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kws/admin@LAB.SLICE2.COM
Valid starting Expires Service principal
06/07/13 15:12:31 06/07/13 23:12:31 krbtgt/LAB.SLICE2.COM@LAB.SLICE2.COM
renew until 06/14/13 15:12:31
Now you can log in to kadmin as the kws admin user.
-> kadmin -p kws/admin
Authenticating as principal kws/admin@LAB.SLICE2.COM with password.
Password for kws/admin@LAB.SLICE2.COM: