System Administration Commands kclient(1M)
NAME
kclient - set up a machine as a Kerberos client
SYNOPSIS
/usr/sbin/kclient [-n] [-R realm] [-k kdclist] [-a adminuser]
[-c filepath] [-d dnsarg] [-D domainlist] [-f fqdnlist]
[-h logicalhostname] [-K] [-m masterkdc] [-p profile]
[-s pamservice] [-T kdcvendor]
DESCRIPTION
By specifying the various command options, you can use the
kclient utility to:
o Configure a machine as a Kerberos client for a
specified realm and KDC by setting up krb5.conf(4).
o Add the Kerberos host principal to the local host's
keytab file (/etc/krb5/krb5.keytab).
o Set up the machine to do kerberized NFS.
o Bring over a master krb5.conf copy from a specified
pathname.
o Set up a machine to do server and/or host/domain
name-to-realm mapping lookups by means of DNS.
o Configure a Kerberos client to use an MS Active
Directory server. This generates a keytab file with
the Kerberos client's service keys populated.
o Set up a Kerberos client that has no service keys.
This is useful when the client does not need
service keys because it will not host a service
that uses Kerberos for security.
o Configure a Kerberos client that is part of a cluster.
This option requires the logical host name of the
cluster so that the proper service keys are created
and populated in the client's keytab file.
o Set up a Kerberos client to join an environment that
consists of Kerberos servers that are neither Solaris
nor MS Active Directory servers.
o Configure pam.conf(4) to use Kerberos authentication
for specified services.
o Configure the client as a simple NTP
broadcast/multicast client.
SunOS 5.11 Last change: 9 May 2008 1
o Specify custom domain/host name-to-realm name
mappings.
o Set up the Kerberos client to use multiple KDC
servers.
The kclient utility must be run on the client machine with
root permission and can be run either interactively or
non-interactively. In non-interactive mode, the user supplies
the required inputs by means of a profile, command-line
options, or a combination of the two. If any "required"
parameter value (realm or adminuser) is missing from a
non-interactive run, the user is prompted for it. Interactive
mode is invoked when the utility is run without any
command-line arguments.
Both the interactive and non-interactive forms of kclient
can add the host/fqdn entry to the local host's keytab file.
Both can also require the user to enter the password of the
requested administrative user, in order to obtain the
Kerberos Ticket Granting Ticket (TGT) for adminuser. The
host/fqdn, nfs/fqdn, and root/fqdn principals can be added
to the KDC database (if not already present) before their
possible addition to the local host's keytab.
The kclient utility assumes that the local host has been
set up for DNS and requires the presence of a valid
resolv.conf(4). kclient can also fail if the local host's
time is not synchronized with that of the KDC. For Kerberos
to function, the local host's time must be within five
minutes of that of the KDC. It is advised that both systems
run some form of time synchronization protocol, such as the
Network Time Protocol (NTP). See xntpd(1M).
OPTIONS
The non-interactive mode supports the following options:
-n
Set up the machine for kerberized NFS. This involves
making changes to krb5* security flavors in
nfssec.conf(4). This option will also add nfs/fqdn and
root/fqdn entries to the local host's keytab file if the
-K option has not been specified.
-R [ realm ]
Specifies the Kerberos realm.
-k kdclist
Specifies the KDC host names for the Kerberos client.
kdclist is a comma-separated list of KDCs. If the -m
option is not used, it is assumed that the first (or
only) host in kdclist is the master KDC host name. Note
that the list specified is used verbatim. This is helpful
when specifying non-fully qualified KDC host names that
can be canonicalized by DNS.
-a [ adminuser ]
Specifies the Kerberos administrative user.
-T kdcvendor
Configures the Kerberos client to associate with a
third-party server. The kdcvendor values currently
supported are:
msad
Microsoft Active Directory
mit
MIT KDC server
heimdal
Heimdal KDC server
shishi
Shishi KDC server
If msad is specified, the administrative password is
required to associate the client with the server.
-c [ filepath ]
Specifies the pathname of the krb5.conf(4) master file
to be copied to the local host. The path specified
normally points to a master copy on a remote host, which
is brought over to the local host by means of NFS.
-d [ dnsarg ]
Specifies the DNS lookup option to be used and recorded
in the krb5.conf(4) file. Valid dnsarg entries are:
none, dnslookupkdc, dnslookuprealm and dnsfallback.
Any other entry is considered invalid. The latter three
dnsarg values have the same meaning as those described
in krb5.conf(4). dnslookupkdc enables DNS lookups for the
KDC and the other servers. dnslookuprealm enables
host/domain name-to-realm mapping by means of DNS.
dnsfallback is a superset and enables DNS lookups for
both the servers and the host/domain name-to-realm
mapping. A lookup option of none specifies that DNS is
not to be used for any kind of mapping lookup.
-D domainlist
Specifies the host and/or domain names to be mapped to
the Kerberos client's default realm name. domainlist is
a comma-separated list, for example
"example.com,host1.example.com". If the -D option is not
used, then only the client's domain is used for this
mapping. For example, if the client is
host1.eng.example.com, then the domain that is mapped to
the EXAMPLE.COM realm is example.com.
-K
Configures the Kerberos client without service keys,
which are usually stored in /etc/krb5/krb5.keytab. This
is useful in the following scenarios:
o The client IP address is dynamically assigned
and the client therefore does not host
Kerberized services.
o The client has a static IP address, but does
not want to host any Kerberized services.
o The client has a static IP address, but the
local administrator does not currently have
service keys available for the machine. It is
expected that these keys will be installed on
the machine at a later time.
-f [ fqdnlist ]
Creates a service principal entry (host/nfs/root)
associated with each of the listed fqdn's, if required,
and subsequently adds the entries to the local host's
keytab.
fqdnlist is a comma-separated list of one or more fully
qualified DNS domain names.
This option is especially useful in Kerberos realms
having systems that offer kerberized services but are
situated in multiple different DNS domains.
-h logicalhostname
Specifies that the Kerberos client is a node in a
cluster. The logicalhostname is the logical host name
given to the cluster. The resulting /etc/krb5/krb5.conf
and /etc/krb5/krb5.keytab files must be manually copied
over to the other members of the cluster.
-m masterkdc
Specifies the master KDC to be used by the Kerberos
client. masterkdc is the host name of the master KDC for
the client. If the -m option is not used, then it is
assumed that the first KDC host name listed with the -k
option is the master KDC.
-p [ profile ]
Specifies the profile from which the values of all the
parameters required for setting up the machine as a
Kerberos client are read.
The profile should have entries in the format:
PARAM value
Valid PARAM entries are: REALM, KDC, ADMIN, FILEPATH,
NFS, DNSLOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR,
RMAP, MAS, and PAM.
These profile entries correspond to the -R [realm], -k
[kdc], -a [adminuser], -c [filepath], -n, -d [dnsarg],
-f [fqdnlist], -K, -h [logicalhostname], -T
[kdcvendor], -D [domainlist], -m [masterkdc], and -s
[pamservice] command-line options, respectively. Any
other PARAM entry is considered invalid and is ignored.
The NFS profile entry can have a value of 0 (do nothing)
or 1 (operation is requested). Any other value is
considered invalid and is ignored.
Keep in mind that the command-line options override the
PARAM values listed in the profile.
-s pamservice
Specifies that the PAM service names, listed in
pamservice, are authenticated through Kerberos before
any other type of authentication. Using this option
updates pam.conf(4) to include pamkrb5(5) to existing
authentication stacks for the specified service(s) in
pamservice. An example of a possible pamservice value
is: dtlogin,sshd-kbdint.
EXAMPLES
Example 1 Setting Up a Kerberos Client Using Command-Line
Options
To set up a Kerberos client using the clntconfig/admin
administrative principal for realm 'ABC.COM', KDC
'example1.com' and that also does kerberized NFS, enter:
# /usr/sbin/kclient -n -R ABC.COM -k example1.com -a clntconfig
Alternatively, to set up a Kerberos client using the
clntconfig/admin administrative principal for the realm
'EAST.ABC.COM', KDC 'example2.east.abc.com' and that also
needs service principal(s) created and/or added to the local
keytab for multiple DNS domains, enter:
# /usr/sbin/kclient -n -R EAST.ABC.COM -k example2.east.abc.com \
-f west.abc.com,central.abc.com -a clntconfig
Note that the krb5 administrative principal used by the
administrator needs to have only add, inquire, change-pwd
and modify privileges (for the principals in the KDC
database) in order for the kclient utility to run. A sample
kadm5.acl(4) entry is:
clntconfig/admin@ABC.COM acmi
Example 2 Setting Up a Kerberos Client Using the Profile
Option
To set up a Kerberos client using the clntconfig/admin
administrative principal for realm 'ABC.COM', KDC
'example1.com' and that also copies over the master
krb5.conf from a specified location, enter:
# /usr/sbin/kclient -p /net/example1.com/export/profile.krb5
The contents of profile.krb5:
REALM ABC.COM
KDC example1
ADMIN clntconfig
FILEPATH /net/example1.com/export/krb5.conf
NFS 0
DNSLOKUP none
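As an added example, not part of this man page: a small POSIX shell validator for a profile in the format used by the -p option and by Example 2 above. Because kclient silently ignores unknown PARAM names and invalid NFS values, checking the file before running kclient -p as root catches a misspelled key before it turns into a missing "required" parameter. The sample profile at the end is constructed here and deliberately misspells KDC.

```shell
# Added example, not from the kclient man page: sanity-check a kclient
# profile before passing it to "kclient -p" as root. kclient ignores
# unknown PARAM names and invalid NFS values, so a typo such as "KDCS"
# would leave the KDC unset. PARAM names and dnsarg values below are the
# ones listed in the man page.
VALID_PARAMS="REALM KDC ADMIN FILEPATH NFS DNSLOKUP FQDN NOKEY NOSOL LHN KDCVENDOR RMAP MAS PAM"
VALID_DNSARGS="none dnslookupkdc dnslookuprealm dnsfallback"

# in_list WORD "LIST": succeed if WORD is one of the space-separated LIST
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# validate_profile FILE: print one diagnostic per bad entry and return the
# number of problems found, so 0 means the profile is acceptable.
validate_profile() {
    errors=0
    while read -r param value; do
        case "$param" in ''|'#'*) continue ;; esac   # skip blanks/comments
        if ! in_list "$param" "$VALID_PARAMS"; then
            echo "$1: unknown PARAM '$param' (kclient would ignore it)"
            errors=$((errors + 1))
            continue
        fi
        case "$param" in
        NFS)
            case "$value" in
            0|1) ;;
            *) echo "$1: NFS must be 0 or 1, not '$value'"
               errors=$((errors + 1)) ;;
            esac ;;
        DNSLOKUP)
            if ! in_list "$value" "$VALID_DNSARGS"; then
                echo "$1: DNSLOKUP must be one of: $VALID_DNSARGS"
                errors=$((errors + 1))
            fi ;;
        esac
    done < "$1"
    return "$errors"
}

# Constructed sample: Example 2's profile with the KDC key misspelled.
sample="${TMPDIR:-/tmp}/profile.krb5.$$"
printf 'REALM ABC.COM\nKDCS example1\nADMIN clntconfig\nNFS 0\nDNSLOKUP none\n' > "$sample"
validate_profile "$sample" || echo "fix $sample before running kclient -p"
rm -f "$sample"
```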
Example 3 Setting Up a Kerberos Client That Has a Dynamic IP
Address
In this example a Kerberos client is a DHCP client that has
a dynamic IP address. This client does not wish to host any
Kerberized services and therefore does not require a keytab
(/etc/krb5/krb5.keytab) file.
For this type of client the administrator would issue the
following command to configure this machine to be a Kerberos
client of the ABC.COM realm with the KDC server
kdc1.example.com:
# /usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.com
FILES
/etc/krb5/kadm5.acl
Kerberos access control list (ACL) file.
/etc/krb5/krb5.conf
Default location for the local host's configuration
file.
/etc/krb5/krb5.keytab
Default location for the local host's keytab file.
/etc/nfssec.conf
File listing NFS security modes.
/etc/resolv.conf
DNS resolver configuration file.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Availability SUNWkdcu
Interface Stability Committed
SEE ALSO
encrypt(1), ksh93(1), ldapdelete(1), ldapmodify(1),
ldapsearch(1), dd(1M), smbadm(1M), xntpd(1M), kadm5.acl(4),
krb5.conf(4), nfssec.conf(4), pam.conf(4), resolv.conf(4),
attributes(5), pamkrb5(5)
NOTES
fqdn stands for the Fully Qualified Domain Name of the local
host. The kclient utility saves copies of both the
krb5.conf(4) and nfssec.conf(4) files to files with
corresponding names and .sav extensions. The optional copy
of the krb5.conf(4) master file is neither encrypted nor
integrity-protected and takes place over regular NFS.