Difference between revisions of "Cool Solution - Solaris and Kerberos"

From Univention Wiki

Latest revision as of 14:06, 8 September 2017

UCS Version 4.1

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before you implement any of the steps shown.

Also regard the legal notes at Terms of Service.

This article describes the configuration of Kerberos on a Solaris 11 client against a UCS 4.1 server system.

Requirements

First, make sure the DHCP application is installed from the App Center via the Univention Management Console (UMC) on your UCS server. Next, add a new computer object for your Solaris system, also via the UMC. Note: It is important to assign the MAC address of your Solaris client and an available IP address to this computer object.

Integration of Solaris into a UCS domain

This part of the configuration is described in detail in our manual. [1]

As an alternative to section 2.5 of our manual, you can configure Kerberos as follows: log in to your Solaris client (locally or via an SSH session) and execute the command "kclient" as user root. An interactive Kerberos wizard starts.

For example:

client# /usr/sbin/kclient

Starting client setup
---------------------------------------------------

Is this a client of a non-Solaris KDC ? [y/n]: n
        No action performed.
Do you want to use DNS for kerberos lookups ? [y/n]: n
        No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: kdc1.example.com

Note, this system and the KDC's time must be within 5 minutes of each other for
Kerberos to function. Both systems should run some form of time synchronization
system like Network Time Protocol (NTP).
Do you have any slave KDC(s) ? [y/n]: y
Enter a comma-separated list of slave KDC host names: kdc2.example.com

Will this client need service keys ? [y/n]: n
        No action performed.
Is this client a member of a cluster that uses a logical host name ? [y/n]: n
        No action performed.
Do you have multiple domains/hosts to map to realm ? [y/n]: y
Enter a comma-separated list of domain/hosts to map to the default realm: engineering.example.com, \ example.com

Setting up /etc/krb5/krb5.conf.

Do you plan on doing Kerberized nfs ? [y/n]: y
Do you want to update/add PAM per-service policy file(s) ? [y/n]: y
Enter a comma-separated list of PAM service names in the following format:
service:{first|only|optional}: first
Configuring /etc/pam.conf.

Do you want to copy over the master krb5.conf file ? [y/n]: n
        No action performed.

---------------------------------------------------
Setup COMPLETE.

Verification

The last step is to verify that Kerberos is configured correctly. Execute the following command on your Solaris system to obtain a Kerberos ticket:

kinit <Username>@<uppercase ucs domain>

A warning like the following may appear; it can be ignored:

kinit: no ktkt_warnd warning possible

To confirm that the Kerberos ticket was obtained successfully, enter the command:

klist

For example:

Default principal: Administrator@EXAMPLE.COM

Valid starting                     Expires                              Service principal
08/12/2016 21:11    09/12/2016 07:13 krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 15/12/2017 21:11
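The following POSIX shell helper is an added example and not part of the original article: it builds the principal with the realm in upper case, as the kinit command above requires, and checks the klist output for a ticket-granting ticket of that realm. The function names, the sample klist output and the script name verify.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added helper, not from the original article: builds the principal with the
# realm in upper case (as the kinit line above requires) and checks the output
# of klist for a ticket-granting ticket of that realm.

# make_principal USER DOMAIN -> USER@DOMAIN with DOMAIN upper-cased.
make_principal() {
    printf '%s@%s' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# has_tgt REALM: reads klist output on stdin; succeeds only if a
# krbtgt/REALM@REALM service principal is listed (fixed-string match).
has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# Constructed sample of klist output, modelled on the article's example.
SAMPLE_KLIST='Default principal: Administrator@EXAMPLE.COM

Valid starting                     Expires                              Service principal
08/12/2016 21:11    09/12/2016 07:13 krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 15/12/2017 21:11'

# verify_kerberos USER DOMAIN: obtains a ticket on the live system (kinit
# prompts for the password; the "no ktkt_warnd warning possible" message
# mentioned above is harmless) and then verifies it with klist.
verify_kerberos() {
    principal=$(make_principal "$1" "$2")
    kinit "$principal" || return 1
    klist | has_tgt "${principal#*@}"
}

# Run directly as: sh verify.sh Administrator example.com
if [ "$#" -eq 2 ]; then
    verify_kerberos "$1" "$2" && echo "valid TGT for $(make_principal "$1" "$2")"
fi
```

Remember that the client's clock must be within 5 minutes of the KDC's, as the kclient wizard notes; a skewed clock makes kinit fail before any ticket is listed.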

Further information
