System Administration Commands kclient(1M)
NAME
kclient - set up a machine as a Kerberos client
SYNOPSIS
/usr/sbin/kclient [-n] [-R realm] [-k kdc] [-a adminuser]
[-c filepath] [-d dnsarg] [-f fqdn_list] [-h logical_host_name]
[-k kdc_list] [-m master_kdc] [-p profile] [-s pam_service]
[-T kdc_vendor]
DESCRIPTION
By specifying the various command options, you can use thekclient utility to:
o Configure a machine as a Kerberos client for a specified realm and for KDC by setting up krb5.conf(4). o Add the Kerberos host principal to the local host's keytab file (/etc/krb5/krb5.keytab). o Set up the machine to do kerberized NFS. o Bring over a master krb5.conf copy from a specified pathname. o Setup a machine to do server and/or host/domainname-to-realm mapping lookups by means of DNS.
o Configure a Kerberos client to use an MS Active Directory server. This generates a keytab file with the Kerberos client's service keys populated. o Setup a Kerberos client that has no service keys. This is useful when the client does not require service keys, because the client does not wish to host a service that uses Kerberos for security.o Configure a Kerberos client that is part of a clus-
ter. This option requires the logical host name of the cluster so that the proper service keys are created and populated in the client's keytab file. o Setup a Kerberos client to join an environment thatconsists of Kerberos servers that are non-Solaris
and non-MS Active Directory servers.
o Configure pam.conf(4) to use Kerberos authentica-
tion for specified services. o Configure the client as a simple NTP broadcast/multicast client.SunOS 5.11 Last change: 22 Oct 2009 1
System Administration Commands kclient(1M)
o Specify custom domain/host name-to-realm name map-
pings. o Setup the Kerberos client to use multiple KDC servers.The kclient utility needs to be run on the client machine
with root permission and can be run either interactively ornon-interactively. In the non-interactive mode, the user
feeds in the required inputs by means of a profile,command-line options, or a combination of profile and
command-line options. The user is prompted for "required"
parameter values (realm and adminuser), if found missing inthe non-interactive run. The interactive mode is invoked
when the utility is run without any command-line arguments.
Both the interactive and non-interactive forms of kclient
can add the host/fqdn entry to the local host's keytab file. They also can require the user to enter the password for the administrative user requested, to obtain the Kerberos Ticket Granting Ticket (TGT) for adminuser. The host/fqdn, nfs/fqdn, and root/fqdn principals can be added to the KDC database (if not already present) before their possible addition to the local host's keytab.The kclient utility assumes that the local host has been
setup for DNS and requires the presence of a validresolv.conf(4). Also, kclient can fail if the localhost time
is not synchronized with that of the KDC. For Kerberos to function the localhost time must be within five minutes of that of the KDC. It is advised that both systems run some form of time synchronization protocol, such as the Network Time Protocol (NTP). See the ntpd man page, delivered in the SUNWntpu package (not a SunOS man page). OPTIONSThe non-interactive mode supports the following options:
-n
Set up the machine for kerberized NFS. This involves making changes to krb5* security flavors in nfssec.conf(4). This option will also add nfs/fqdn and root/fqdn entries to the local host's keytab file if the-K option has not been specified.
-R [ realm ]
SunOS 5.11 Last change: 22 Oct 2009 2
System Administration Commands kclient(1M)
Specifies the Kerberos realm.-k kdc_list
The -k option specifies the KDC host names for the Ker-
beros client. kdc_list is a comma-separated list of
KDCs. If the -m option is not used, it is assumed that
the first (or only) host in kdc_list is the master KDC
host name. Note that the list specified is used verba-
tim. This is helpful when specifying non-fully qualified
KDC host names that can be canonicalized by DNS.-a [ adminuser ]
Specifies the Kerberos administrative user.-T kdc_vendor
Configure the Kerberos client to associate with a thirdparty server. Valid kdc_vendor currently supported are:
ms_ad
Microsoft Active Directory mit MIT KDC server heimdal Heimdal KDC server shishi Shishi KDC server Knowing the administrative password will be required toassociate the client with the server if the ms_ad option
is specified.-c [ filepath ]
Specifies the pathname to the krb5.conf(4) master file, to be copied over to the local host. The path specifiedSunOS 5.11 Last change: 22 Oct 2009 3
System Administration Commands kclient(1M)
normally points to a master copy on a remote host and brought over to the local host by means of NFS.-d [ dnsarg ]
Specifies the DNS lookup option to be used and specified in the krb5.conf(4) file. Valid dnsarg entries are:none, dns_lookup_kdc, dns_lookup_realm and dns_fallback.
Any other entry is considered invalid. The latter three dnsarg values assume the same meaning as those describedin krb5.conf. dns_lookup_kdc implies DNS lookups for the
KDC and the other servers. dns_lookup_realm is for
host/domain name-to-realm mapping by means of DNS.
dns_fallback is a superset and does DNS lookups for both
the servers and the host/domain name-to-realm mapping. A
lookup option of none specifies that DNS is not be used for any kind of mapping lookup.-D domain_list
Specifies the host and/or domain names to be mapped tothe Kerberos client's default realm name. domain_list is
a comma-separated list, for example
"example.com,host1.example.com". If the -D option is not
used, then only the client's domain is used for this mapping. For example, if the client is host1.eng.example.com, then the domain that is mapped tothe EXAMPLE.COM realm is example.com.
-K
Configure the Kerberos client without service keys, which are usually stored in /etc/krb5/krb5.keytab. This is useful in the following scenarios: o The client IP address is dynamically assignedand therefore does not host Kerberized ser-
vices. o Client has a static IP address, but does not want to host any Kerberized services. o Client has a static IP address, but the local administrator does not currently have service keys available for the machine. It is expected that, at a later time, these keys will be installed on the machine.SunOS 5.11 Last change: 22 Oct 2009 4
System Administration Commands kclient(1M)
-f [ fqdn_list ]
This option creates a service principal entry (host/nfs/root) associated with each of the listed fqdn's, if required, and subsequently adds the entries to the local host's keytab.fqdn_list is a comma-separated list of one or more fully
qualified DNS domain names.This option is especially useful in Kerberos realms hav-
ing systems offering kerberized services, but situated in multiple different DNS domains.-h logical_host_name
Specifies that the Kerberos client is a node in a clus-
ter. The logical_host_name is the logical host name
given to the cluster. The resulting /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab files must be manually copied over to the other members of the cluster.-m master_kdc
This option specifies the master KDC to be used by theKerberos client. master_kdc is the host name of the mas-
ter KDC for the client. If the -m option is not used,
then it is assumed that the first KDC host name listedwith the -k option is the master KDC.
-p [ profile ]
Specifies the profile to be used to enable the reading in of the values of all the parameters required for setup of the machine as a Kerberos client. The profile should have entries in the format: PARAMValid PARAM entries are: REALM, KDC, ADMIN, FILEPATH, NFS, DNSLOOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR, RMAP, MAS, and PAM. These profile entries correspond to the -R [realm], -k
[kdc], -a [adminuser], -c [filepath], -n, -d [dnsarg],
-f [fqdn_list], -K, -h [logical_host_name], -T
[kdc_vendor], -D [domain_list], -m [master_kdc], and -s
SunOS 5.11 Last change: 22 Oct 2009 5
System Administration Commands kclient(1M)
[pam_service] command-line options, respectively. Any
other PARAM entry is considered invalid and is ignored. The NFS profile entry can have a value of 0 (do nothing)or 1 (operation is requested). Any other value is con-
sidered invalid and is ignored. Keep in mind that the command line options override the PARAM values listed in the profile.-s pam_service
Specifies that the PAM service names, listed inpam_service, are authenticated through Kerberos before
any other type of authentication. Using this optionupdates pam.conf(4) to include pam_krb5(5) to existing
authentication stacks for the specified service(s) inpam_service. An example of a possible pam_service value
is: gdm,sshd-kbdint.
EXAMPLES
Example 1 Setting Up a Kerberos Client Using Command-Line
OptionsTo setup a Kerberos client using the clntconfig/admin admin-
istrative principal for realm 'ABC.COM', kdc `example1.com' and that also does kerberized NFS, enter:# /usr/sbin/kclient -n -R ABC.COM -k example1.com -a clntconfig
Alternatively, to set up a Kerberos client using the clntconfig/admin administrative principal for the realm `EAST.ABC.COM', kdc `example2.east.abc.com' and that also needs service principal(s) created and/or added to the local keytab for multiple DNS domains, enter:# /usr/sbin/kclient -n -R EAST.ABC.COM -k example2.east.abc.com \
-f west.abc.com,central.abc.com -a clntconfig
Note that the krb5 administrative principal used by theadministrator needs to have only add, inquire, change-pwd
and modify privileges (for the principals in the KDCSunOS 5.11 Last change: 22 Oct 2009 6
System Administration Commands kclient(1M)
database) in order for the kclient utility to run. A sample
kadm5.acl(4) entry is: clntconfig/admin@ABC.COM acmi Example 2 Setting Up a Kerberos Client Using the Profile OptionTo setup a Kerberos client using the clntconfig/admin admin-
istrative principal for realm `ABC.COM', kdc `example1.com'and that also copies over the master krb5.conf from a speci-
fied location, enter:# /usr/sbin/kclient -p /net/example1.com/export/profile.krb5
The contents of profile.krb5: REALM ABC.COM KDC example1 ADMIN clntconfig FILEPATH /net/example1.com/export/krb5.conf NFS 0 DNSLOOKUP none Example 3 Setting Up a Kerberos Client That Has a Dynamic IP Address In this example a Kerberos client is a DHCP client that has a dynamic IP address. This client does not wish to host any Kerberized services and therefore does not require a keytab (/etc/krb5/krb5.keytab) file. For this type of client the administrator would issue the following command to configure this machine to be a Kerberos client of the ABC.COM realm with the KDC server kdc1.example.com:SunOS 5.11 Last change: 22 Oct 2009 7
System Administration Commands kclient(1M)
# /usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.com
FILES /etc/krb5/kadm5.acl Kerberos access control list (ACL) file. /etc/krb5/krb5.conf Default location for the local host's configuration file. /etc/krb5/krb5.keytab Default location for the local host's keytab file. /etc/nfssec.conf File listing NFS security modes. /etc/resolv.conf DNS resolver configuration file.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | system/security/kerberos-5 |
|_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
encrypt(1), ksh93(1), ldapdelete(1), ldapmodify(1), ldap-
search(1), dd(1M), smbadm(1M), kadm5.acl(4), krb5.conf(4), nfssec.conf(4), pam.conf(4), resolv.conf(4), attributes(5),pam_krb5(5)
SunOS 5.11 Last change: 22 Oct 2009 8
System Administration Commands kclient(1M)
NOTES fqdn stands for the Fully Qualified Domain Name of the localhost. The kclient utility saves copies of both the
krb5.conf(4) and nfssec.conf(4) files to files with corresponding names and .sav extensions. The optional copy of the krb5.conf(4) master file is neither encrypted norintegrity-protected and it takes place over regular NFS.
SunOS 5.11 Last change: 22 Oct 2009 9