KCLIENT(8) Maintenance Commands and Procedures KCLIENT(8)
NAME
kclient - set up a machine as a Kerberos client
SYNOPSIS
/usr/sbin/kclient [
-n] [
-R realm] [
-k kdc] [
-a adminuser]
[
-c filepath] [
-d dnsarg] [
-f fqdn_list] [
-h logical_host_name]
[
-k kdc_list] [
-m master_kdc] [
-p profile] [
-s pam_service]
[
-T kdc_vendor]
DESCRIPTION
By specifying the various command options, you can use the
kclient utility to:
o Configure a machine as a Kerberos client for a specified
realm and for KDC by setting up
krb5.conf(5).
o Add the Kerberos host principal to the local host's
keytab file (
/etc/krb5/krb5.keytab).
o Set up the machine to do kerberized NFS.
o Bring over a master
krb5.conf copy from a specified
pathname.
o Setup a machine to do server and/or host/domain name-to-
realm mapping lookups by means of DNS.
o Configure a Kerberos client to use an MS Active Directory
server. This generates a
keytab file with the Kerberos
client's service keys populated.
o Setup a Kerberos client that has no service keys. This is
useful when the client does not require service keys,
because the client does not wish to host a service that
uses Kerberos for security.
o Configure a Kerberos client that is part of a cluster.
This option requires the logical host name of the cluster
so that the proper service keys are created and populated
in the client's
keytab file.
o Setup a Kerberos client to join an environment that
consists of Kerberos servers that are non-Solaris and non-
MS Active Directory servers.
o Configure
pam.conf(5) to use Kerberos authentication for
specified services.
o Configure the client as a simple NTP broadcast/multicast
client.
o Specify custom domain/host name-to-realm name mappings.
o Setup the Kerberos client to use multiple KDC servers.
The
kclient utility needs to be run on the client machine with root
permission and can be run either interactively or non-interactively.
In the non-interactive mode, the user feeds in the required inputs by
means of a profile, command-line options, or a combination of profile
and command-line options. The user is prompted for "required"
parameter values (
realm and
adminuser), if found missing in the non-
interactive run. The interactive mode is invoked when the utility is
run without any command-line arguments.
Both the interactive and non-interactive forms of
kclient can add the
host/fqdn entry to the local host's
keytab file. They also can
require the user to enter the password for the administrative user
requested, to obtain the Kerberos Ticket Granting Ticket (TGT) for
adminuser. The
host/fqdn,
nfs/fqdn, and
root/fqdn principals can be
added to the KDC database (if not already present) before their
possible addition to the local host's
keytab.
The
kclient utility assumes that the local host has been setup for
DNS and requires the presence of a valid
resolv.conf(5). Also,
kclient can fail if the localhost time is not synchronized with that
of the KDC. For Kerberos to function the localhost time must be
within five minutes of that of the KDC. It is advised that both
systems run some form of time synchronization protocol, such as the
Network Time Protocol (NTP). See the
ntpd man page, delivered in
the
SUNWntpu package (not a SunOS man page).
OPTIONS
The non-interactive mode supports the following options:
-n Set up the machine for kerberized NFS. This involves making
changes to
krb5* security flavors in
nfssec.conf(5). This option
will also add
nfs/fqdn and
root/fqdn entries to the local host's
keytab file if the
-K option has not been specified.
-R [
realm ]
Specifies the Kerberos realm.
-k kdc_list The
-k option specifies the KDC host names for the Kerberos
client.
kdc_list is a comma-separated list of KDCs. If the
-m option is not used, it is assumed that the first (or only) host
in
kdc_list is the master KDC host name. Note that the list
specified is used verbatim. This is helpful when specifying non-
fully qualified KDC host names that can be canonicalized by DNS.
-a [
adminuser ]
Specifies the Kerberos administrative user.
-T kdc_vendor Configure the Kerberos client to associate with a third party
server. Valid
kdc_vendor currently supported are:
ms_ad Microsoft Active Directory
mit MIT KDC server
heimdal Heimdal KDC server
shishi Shishi KDC server
Knowing the administrative password will be required to associate
the client with the server if the
ms_ad option is specified.
-c [
filepath ]
Specifies the pathname to the
krb5.conf(5) master file, to be
copied over to the local host. The path specified normally points
to a master copy on a remote host and brought over to the local
host by means of NFS.
-d [
dnsarg ]
Specifies the DNS lookup option to be used and specified in the
krb5.conf(5) file. Valid
dnsarg entries are:
none,
dns_lookup_kdc,
dns_lookup_realm and
dns_fallback. Any other
entry is considered invalid. The latter three
dnsarg values
assume the same meaning as those described in
krb5.conf.
dns_lookup_kdc implies DNS lookups for the KDC and the other
servers.
dns_lookup_realm is for host/domain name-to-realm
mapping by means of DNS.
dns_fallback is a superset and does DNS
lookups for both the servers and the host/domain name-to-realm
mapping. A lookup option of
none specifies that DNS is not be
used for any kind of mapping lookup.
-D domain_list Specifies the host and/or domain names to be mapped to the
Kerberos client's default realm name.
domain_list is a comma-
separated list, for example "
example.com,host1.example.com". If
the
-D option is not used, then only the client's domain is used
for this mapping. For example, if the client is
host1.eng.example.com, then the domain that is mapped to the
EXAMPLE.COM realm is
example.com.
-K Configure the Kerberos client without service keys, which are
usually stored in
/etc/krb5/krb5.keytab. This is useful in the
following scenarios:
o The client IP address is dynamically assigned and
therefore does not host Kerberized services.
o Client has a static IP address, but does not want to
host any Kerberized services.
o Client has a static IP address, but the local
administrator does not currently have service keys
available for the machine. It is expected that, at a
later time, these keys will be installed on the
machine.
-f [
fqdn_list ]
This option creates a service principal entry (host/nfs/root)
associated with each of the listed fqdn's, if required, and
subsequently adds the entries to the local host's
keytab.
fqdn_list is a comma-separated list of one or more fully
qualified DNS domain names.
This option is especially useful in Kerberos realms having
systems offering kerberized services, but situated in multiple
different DNS domains.
-h logical_host_name Specifies that the Kerberos client is a node in a cluster. The
logical_host_name is the logical host name given to the cluster.
The resulting
/etc/krb5/krb5.conf and
/etc/krb5/krb5.keytab files
must be manually copied over to the other members of the cluster.
-m master_kdc This option specifies the master KDC to be used by the Kerberos
client.
master_kdc is the host name of the master KDC for the
client. If the
-m option is not used, then it is assumed that the
first KDC host name listed with the
-k option is the master KDC.
-p [
profile ]
Specifies the profile to be used to enable the reading in of the
values of all the parameters required for setup of the machine as
a Kerberos client.
The profile should have entries in the format:
PARAM <value> Valid
PARAM entries are:
REALM,
KDC,
ADMIN,
FILEPATH,
NFS,
DNSLOOKUP,
FQDN,
NOKEY,
NOSOL,
LHN,
KDCVENDOR,
RMAP,
MAS, and
PAM.
These profile entries correspond to the
-R [
realm],
-k [
kdc],
-a [
adminuser],
-c [
filepath],
-n,
-d [
dnsarg],
-f [
fqdn_list],
-K,
-h [
logical_host_name],
-T [
kdc_vendor],
-D [
domain_list],
-m [
master_kdc], and
-s [
pam_service] command-line options,
respectively. Any other
PARAM entry is considered invalid and is
ignored.
The NFS profile entry can have a value of 0 (do nothing) or 1
(operation is requested). Any other value is considered invalid
and is ignored.
Keep in mind that the command line options override the
PARAM values listed in the profile.
-s pam_service Specifies that the PAM service names, listed in
pam_service, are
authenticated through Kerberos before any other type of
authentication. Using this option updates
pam.conf(5) to include
pam_krb5(7) to existing authentication stacks for the specified
service(s) in
pam_service. An example of a possible
pam_service value is:
dtlogin,sshd-kbdint.
EXAMPLES
Example 1: Setting Up a Kerberos Client Using Command-Line Options
To setup a Kerberos client using the
clntconfig/admin administrative
principal for realm
'EXAMPLE.COM', kdc `example1.example.com' and
that also does kerberized NFS, enter:
# /usr/sbin/kclient -n -R EXAMPLE.COM -k example1.example.com -a clntconfig
Alternatively, to set up a Kerberos client using the
clntconfig/admin administrative principal for the realm
`EAST.EXAMPLE.COM', kdc `example2.east.example.com' and that also needs service principal(s)
created and/or added to the local
keytab for multiple DNS domains,
enter:
# /usr/sbin/kclient -n -R EAST.EXAMPLE.COM -k example2.east.example.com \
-f west.example.com,central.example.com -a clntconfig
Note that the
krb5 administrative principal used by the administrator
needs to have only
add,
inquire,
change-pwd and
modify privileges
(for the principals in the KDC database) in order for the
kclient utility to run. A sample
kadm5.acl(5) entry is:
clntconfig/admin@EXAMPLE.COM acmi
Example 2: Setting Up a Kerberos Client Using the Profile Option
To setup a Kerberos client using the
clntconfig/admin administrative
principal for realm
`EXAMPLE.COM', kdc `example1.example.com' and
that also copies over the master
krb5.conf from a specified location,
enter:
# /usr/sbin/kclient -p /net/example1.example.com/export/profile.krb5
The contents of
profile.krb5:
REALM EXAMPLE.COM
KDC example1.example.com
ADMIN clntconfig
FILEPATH /net/example1.example.com/export/krb5.conf
NFS 0
DNSLOOKUP none
Example 3: Setting Up a Kerberos Client That Has a Dynamic IP Address
In this example a Kerberos client is a DHCP client that has a dynamic
IP address. This client does not wish to host any Kerberized services
and therefore does not require a
keytab (
/etc/krb5/krb5.keytab) file.
For this type of client the administrator would issue the following
command to configure this machine to be a Kerberos client of the
EXAMPLE.COM realm with the KDC server
kdc1.example.com:
#
/usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.comFILES
/etc/krb5/kadm5.acl Kerberos access control list (ACL) file.
/etc/krb5/krb5.conf Default location for the local host's configuration file.
/etc/krb5/krb5.keytab Default location for the local host's
keytab file.
/etc/nfssec.conf File listing NFS security modes.
/etc/resolv.conf DNS resolver configuration file.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
encrypt(1),
ksh93(1),
ldapdelete(1),
ldapmodify(1),
ldapsearch(1),
kadm5.acl(5),
krb5.conf(5),
nfssec.conf(5),
pam.conf(5),
resolv.conf(5),
attributes(7),
pam_krb5(7),
dd(8),
smbadm(8)NOTES
fqdn stands for the Fully Qualified Domain Name of the local host.
The
kclient utility saves copies of both the
krb5.conf(5) and
nfssec.conf(5) files to files with corresponding names and
.sav extensions. The optional copy of the
krb5.conf(5) master file is
neither encrypted nor integrity-protected and it takes place over
regular NFS.
November 22, 2021 KCLIENT(8)
