kclient(1M)            System Administration Commands            kclient(1M)

NAME
     kclient - set up a machine as a Kerberos client

SYNOPSIS
     /usr/sbin/kclient [-n] [-K] [-R realm] [-k kdc_list] [-a adminuser]
          [-c filepath] [-d dnsarg] [-D domain_list] [-f fqdn_list]
          [-h logical_host_name] [-m master_kdc] [-p profile]
          [-s pam_service] [-T kdc_vendor]

DESCRIPTION
     By specifying the various command options, you can use the kclient
     utility to:

         o Configure a machine as a Kerberos client for a specified
           realm and KDC by setting up krb5.conf(4).

         o Add the Kerberos host principal to the local host's keytab
           file (/etc/krb5/krb5.keytab).

         o Set up the machine to do kerberized NFS.

         o Bring over a master krb5.conf copy from a specified
           pathname.

         o Set up a machine to do server and/or host/domain
           name-to-realm mapping lookups by means of DNS.

         o Configure a Kerberos client to use an MS Active Directory
           server. This generates a keytab file with the Kerberos
           client's service keys populated.

         o Set up a Kerberos client that has no service keys. This is
           useful when the client does not require service keys,
           because the client does not wish to host a service that uses
           Kerberos for security.

         o Configure a Kerberos client that is part of a cluster. This
           option requires the logical host name of the cluster so that
           the proper service keys are created and populated in the
           client's keytab file.

         o Set up a Kerberos client to join an environment that consists
           of Kerberos servers that are non-Solaris and non-MS Active
           Directory servers.

         o Configure pam.conf(4) to use Kerberos authentication for
           specified services.

         o Configure the client as a simple NTP broadcast/multicast
           client.

         o Specify custom domain/host name-to-realm name mappings.

         o Set up the Kerberos client to use multiple KDC servers.


     The kclient utility needs to be run on the client machine with root
     permission and can be run either interactively or non-interactively. In
     the non-interactive mode, the user supplies the required inputs by
     means of a profile, command-line options, or a combination of profile
     and command-line options. The user is prompted for "required" parameter
     values (realm and adminuser) if they are missing in the non-interactive
     run. The interactive mode is invoked when the utility is run without
     any command-line arguments.


     Both the interactive and non-interactive forms of kclient can add the
     host/fqdn entry to the local host's keytab file. They may also require
     the user to enter the password for the administrative user requested,
     to obtain the Kerberos Ticket Granting Ticket (TGT) for adminuser. The
     host/fqdn, nfs/fqdn, and root/fqdn principals can be added to the KDC
     database (if not already present) before their possible addition to the
     local host's keytab.


     The kclient utility assumes that the local host has been set up for DNS
     and requires the presence of a valid resolv.conf(4). Also, kclient can
     fail if the local host's time is not synchronized with that of the KDC.
     For Kerberos to function, the local host's time must be within five
     minutes of that of the KDC. It is advised that both systems run some
     form of time synchronization protocol, such as the Network Time
     Protocol (NTP). See the ntpd man page, delivered in the SUNWntpu
     package (not a SunOS man page).

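     The following POSIX sh script is an added example, not part of kclient
     or of this manual page, that performs the two checks this section calls
     for before kclient is run: it confirms that resolv.conf(4) names at
     least one nameserver and that the local clock is within the five-minute
     Kerberos tolerance of the KDC. The function names, the 300-second
     constant, and the way the KDC's time is supplied (as an epoch value the
     caller obtains out of band, for example from an NTP query) are this
     example's own assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks before running kclient(1M). Not part of
# kclient; function names and the way the KDC's time is supplied are this
# example's own assumptions.

MAX_SKEW=300   # seconds: the five-minute tolerance the DESCRIPTION names

# kclient_check_root: kclient has to run with root permission.
kclient_check_root() {
    [ "$(id -u)" -eq 0 ]
}

# kclient_check_resolv FILE
# Returns 0 when FILE is readable and names at least one nameserver, the
# minimum for the valid resolv.conf(4) kclient requires.
kclient_check_resolv() {
    [ -r "$1" ] || return 1
    grep -q '^[[:space:]]*nameserver[[:space:]]' "$1"
}

# kclient_check_skew LOCAL_EPOCH KDC_EPOCH
# Returns 0 when the two clocks differ by at most MAX_SKEW seconds.
kclient_check_skew() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then
        skew=$(( 0 - skew ))
    fi
    [ "$skew" -le "$MAX_SKEW" ]
}

# kclient_preflight RESOLV_CONF LOCAL_EPOCH KDC_EPOCH
# Runs both checks, prints one line per result and returns the number of
# failures (0 means kclient can be run).
kclient_preflight() {
    failures=0
    if kclient_check_resolv "$1"; then
        echo "ok: $1 lists a nameserver"
    else
        echo "FAIL: $1 is missing or has no nameserver entry"
        failures=$((failures + 1))
    fi
    if kclient_check_skew "$2" "$3"; then
        echo "ok: clock within ${MAX_SKEW}s of the KDC"
    else
        echo "FAIL: clock skew exceeds ${MAX_SKEW}s; synchronize with NTP first"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Stand-alone use: sh preflight.sh <kdc_epoch_seconds>
# Assumption: the caller obtained the KDC's current time out of band (for
# example from an NTP query against the KDC) and passes it as epoch seconds.
if [ "$#" -eq 1 ]; then
    kclient_check_root || echo "warn: not running as root; kclient requires root permission"
    kclient_preflight /etc/resolv.conf "$(date +%s)" "$1"
fi
```

     The skew check takes both times as arguments so that it can be driven
     from any time source; the root check is only run in the stand-alone
     path because it depends on who invokes the script.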
OPTIONS
     The non-interactive mode supports the following options:

     -n

         Set up the machine for kerberized NFS. This involves making changes
         to krb5* security flavors in nfssec.conf(4). This option will also
         add nfs/fqdn and root/fqdn entries to the local host's keytab file
         if the -K option has not been specified.


     -R [ realm ]

         Specifies the Kerberos realm.


     -k kdc_list

         The -k option specifies the KDC host names for the Kerberos client.
         kdc_list is a comma-separated list of KDCs. If the -m option is not
         used, it is assumed that the first (or only) host in kdc_list is
         the master KDC host name. Note that the list specified is used
         verbatim. This is helpful when specifying non-fully qualified KDC
         host names that can be canonicalized by DNS.


     -a [ adminuser ]

         Specifies the Kerberos administrative user.


     -T kdc_vendor

         Configure the Kerberos client to associate with a third-party
         server. Valid kdc_vendor values currently supported are:

         ms_ad

             Microsoft Active Directory


         mit

             MIT KDC server


         heimdal

             Heimdal KDC server


         shishi

             Shishi KDC server

         Knowing the administrative password will be required to associate
         the client with the server if the ms_ad option is specified.


     -c [ filepath ]

         Specifies the pathname of the krb5.conf(4) master file to be
         copied over to the local host. The path specified normally points
         to a master copy on a remote host that is brought over to the local
         host by means of NFS.


     -d [ dnsarg ]

         Specifies the DNS lookup option to be used and written to the
         krb5.conf(4) file. Valid dnsarg entries are: none, dns_lookup_kdc,
         dns_lookup_realm and dns_fallback. Any other entry is considered
         invalid. The latter three dnsarg values have the same meaning as
         those described in krb5.conf. dns_lookup_kdc implies DNS lookups
         for the KDC and the other servers. dns_lookup_realm is for
         host/domain name-to-realm mapping by means of DNS. dns_fallback is
         a superset and does DNS lookups for both the servers and the
         host/domain name-to-realm mapping. A lookup option of none
         specifies that DNS is not to be used for any kind of mapping
         lookup.


     -D domain_list

         Specifies the host and/or domain names to be mapped to the Kerberos
         client's default realm name. domain_list is a comma-separated list,
         for example "example.com,host1.example.com". If the -D option is
         not used, then only the client's domain is used for this mapping.
         For example, if the client is host1.eng.example.com, then the
         domain that is mapped to the EXAMPLE.COM realm is example.com.


     -K

         Configure the Kerberos client without service keys, which are
         usually stored in /etc/krb5/krb5.keytab. This is useful in the
         following scenarios:

             o The client IP address is dynamically assigned and
               therefore does not host Kerberized services.

             o Client has a static IP address, but does not want to
               host any Kerberized services.

             o Client has a static IP address, but the local
               administrator does not currently have service keys
               available for the machine. It is expected that, at a
               later time, these keys will be installed on the machine.


     -f [ fqdn_list ]

         This option creates a service principal entry (host/nfs/root)
         associated with each of the listed fqdn's, if required, and
         subsequently adds the entries to the local host's keytab.

         fqdn_list is a comma-separated list of one or more fully qualified
         DNS domain names.

         This option is especially useful in Kerberos realms having systems
         offering kerberized services, but situated in multiple different
         DNS domains.


     -h logical_host_name

         Specifies that the Kerberos client is a node in a cluster. The
         logical_host_name is the logical host name given to the cluster.
         The resulting /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab files
         must be manually copied over to the other members of the cluster.


     -m master_kdc

         This option specifies the master KDC to be used by the Kerberos
         client. master_kdc is the host name of the master KDC for the
         client. If the -m option is not used, then it is assumed that the
         first KDC host name listed with the -k option is the master KDC.

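         The -k, -m, -d and -D options above all end up as settings in
         krb5.conf(4). The following POSIX sh functions are an added
         example, not kclient's own code, that render the corresponding
         [libdefaults], [realms] and [domain_realm] fragment from those
         values, including the documented defaults (the first KDC in
         kdc_list becomes the master when -m is absent; a dnsarg outside
         the four valid values is rejected). The function names are
         hypothetical; writing the master KDC as admin_server and adding
         the leading-dot domain_realm form for subdomains are this
         example's own layout assumptions, not a statement of what kclient
         writes.

```sh
#!/bin/sh
# Added example: render the krb5.conf(4) fragment that corresponds to the
# -R, -k, -m, -d and -D values given to kclient. Not kclient's own code;
# function names and the exact layout below are this example's assumptions.

# kclient_master_kdc KDC_LIST [MASTER]
# Prints MASTER if given, else the first host of the comma-separated list,
# which is the default kclient documents for -k without -m.
kclient_master_kdc() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "${1%%,*}"
    fi
}

# kclient_dns_settings DNSARG
# Prints the [libdefaults] DNS lines for one of the four valid dnsarg
# values; returns 1 for anything else, which kclient treats as invalid.
kclient_dns_settings() {
    case "$1" in
        none)
            printf '        dns_lookup_kdc = false\n'
            printf '        dns_lookup_realm = false\n' ;;
        dns_lookup_kdc)   printf '        dns_lookup_kdc = true\n' ;;
        dns_lookup_realm) printf '        dns_lookup_realm = true\n' ;;
        dns_fallback)     printf '        dns_fallback = true\n' ;;
        *) echo "invalid dnsarg: $1" >&2; return 1 ;;
    esac
}

# kclient_render_krb5conf REALM KDC_LIST MASTER DNSARG DOMAIN_LIST
# MASTER may be empty (the first KDC is then used). Writes the fragment to
# standard output; returns 1 on an invalid DNSARG.
kclient_render_krb5conf() {
    realm=$1
    kdcs=$2
    master=$(kclient_master_kdc "$2" "$3")
    domains=$5
    dns=$(kclient_dns_settings "$4") || return 1
    printf '[libdefaults]\n        default_realm = %s\n%s\n\n' "$realm" "$dns"
    printf '[realms]\n        %s = {\n' "$realm"
    old_ifs=$IFS; IFS=,
    for k in $kdcs; do
        printf '                kdc = %s\n' "$k"
    done
    IFS=$old_ifs
    # Assumption: the master KDC also runs kadmind, so it is the admin
    # server that keytab population talks to.
    printf '                admin_server = %s\n        }\n\n' "$master"
    printf '[domain_realm]\n'
    old_ifs=$IFS; IFS=,
    for d in $domains; do
        # The plain name maps that exact host or domain; the leading-dot
        # form also maps every name under it.
        printf '        %s = %s\n        .%s = %s\n' "$d" "$realm" "$d" "$realm"
    done
    IFS=$old_ifs
}

# Stand-alone use (argument order is this example's):
#   sh render.sh ABC.COM kdc1.abc.com,kdc2.abc.com "" dns_fallback abc.com
if [ "$#" -eq 5 ]; then
    kclient_render_krb5conf "$1" "$2" "$3" "$4" "$5"
fi
```

         Comparing this output with the /etc/krb5/krb5.conf a run produced
         is a quick way to confirm that the KDC list and realm mappings
         kclient wrote are the ones that were intended.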

     -p [ profile ]

         Specifies the profile to be used to enable the reading in of the
         values of all the parameters required for setup of the machine as a
         Kerberos client.

         The profile should have entries in the format:

             PARAM <value>


         Valid PARAM entries are: REALM, KDC, ADMIN, FILEPATH, NFS,
         DNSLOOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR, RMAP, MAS, and PAM.

         These profile entries correspond to the -R [realm], -k [kdc], -a
         [adminuser], -c [filepath], -n, -d [dnsarg], -f [fqdn_list], -K, -h
         [logical_host_name], -T [kdc_vendor], -D [domain_list], -m
         [master_kdc], and -s [pam_service] command-line options,
         respectively. Any other PARAM entry is considered invalid and is
         ignored.

         The NFS profile entry can have a value of 0 (do nothing) or 1
         (operation is requested). Any other value is considered invalid and
         is ignored.

         Keep in mind that the command-line options override the PARAM
         values listed in the profile.

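         The following POSIX sh script is an added example, not part of
         kclient or of this manual page, that checks a profile in the PARAM
         <value> format above before it is handed to -p: it flags PARAM
         names outside the documented list (which kclient would ignore
         without comment), NFS values other than 0 or 1, DNSLOOKUP values
         outside the four that -d accepts, and a missing REALM or ADMIN
         (which would make a non-interactive run prompt). The function
         names and the wording of the findings are this example's own.

```sh
#!/bin/sh
# Added example: validate a kclient -p profile before use. Not part of
# kclient; function names and messages are this example's own.

# PARAM names documented for the -p profile.
KCLIENT_PARAMS="REALM KDC ADMIN FILEPATH NFS DNSLOOKUP FQDN NOKEY NOSOL LHN KDCVENDOR RMAP MAS PAM"

# kclient_param_known NAME: returns 0 if NAME is a documented PARAM.
kclient_param_known() {
    for p in $KCLIENT_PARAMS; do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    return 1
}

# kclient_validate_profile FILE
# Prints one line per finding and returns the number of findings, so 0
# means the profile is clean. Unknown PARAMs and bad values are reported
# because kclient ignores them, which usually surfaces later as a prompt
# or an unexpected default.
kclient_validate_profile() {
    problems=0
    seen_realm=0
    seen_admin=0
    while read -r param value; do
        case "$param" in
            '' | '#'*) continue ;;   # blank lines and comments
        esac
        if ! kclient_param_known "$param"; then
            echo "warn: unknown PARAM '$param' (kclient ignores it)"
            problems=$((problems + 1))
            continue
        fi
        if [ -z "$value" ]; then
            echo "warn: $param has no value"
            problems=$((problems + 1))
            continue
        fi
        case "$param" in
            REALM) seen_realm=1 ;;
            ADMIN) seen_admin=1 ;;
            NFS)
                case "$value" in
                    0 | 1) ;;
                    *) echo "warn: NFS must be 0 or 1, got '$value'"
                       problems=$((problems + 1)) ;;
                esac ;;
            DNSLOOKUP)
                case "$value" in
                    none | dns_lookup_kdc | dns_lookup_realm | dns_fallback) ;;
                    *) echo "warn: DNSLOOKUP '$value' is not a valid dnsarg"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$1"
    # realm and adminuser are the two values kclient prompts for if absent.
    if [ "$seen_realm" -eq 0 ]; then
        echo "warn: REALM missing; a non-interactive run will prompt for it"
        problems=$((problems + 1))
    fi
    if [ "$seen_admin" -eq 0 ]; then
        echo "warn: ADMIN missing; a non-interactive run will prompt for it"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh validate.sh /net/example1.com/export/profile.krb5
if [ "$#" -eq 1 ]; then
    kclient_validate_profile "$1"
fi
```

         Run against the profile.krb5 of Example 2, the script reports
         nothing and exits 0; a profile that misspells a PARAM or sets NFS
         to anything but 0 or 1 gets a warning per problem.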

     -s pam_service

         Specifies that the PAM service names, listed in pam_service, are
         authenticated through Kerberos before any other type of
         authentication. Using this option updates pam.conf(4) to add
         pam_krb5(5) to the existing authentication stacks for the specified
         service(s) in pam_service. An example of a possible pam_service
         value is: dtlogin,sshd-kbdint.


EXAMPLES
     Example 1 Setting Up a Kerberos Client Using Command-Line Options


     To set up a Kerberos client using the clntconfig/admin administrative
     principal for realm `ABC.COM', kdc `example1.com' and that also does
     kerberized NFS, enter:


         # /usr/sbin/kclient -n -R ABC.COM -k example1.com -a clntconfig




     Alternatively, to set up a Kerberos client using the clntconfig/admin
     administrative principal for the realm `EAST.ABC.COM', kdc
     `example2.east.abc.com' and that also needs service principal(s)
     created and/or added to the local keytab for multiple DNS domains,
     enter:


         # /usr/sbin/kclient -n -R EAST.ABC.COM -k example2.east.abc.com \
              -f west.abc.com,central.abc.com -a clntconfig



     Note that the krb5 administrative principal used by the administrator
     needs to have only add, inquire, change-pwd and modify privileges (for
     the principals in the KDC database) in order for the kclient utility to
     run. A sample kadm5.acl(4) entry is:


         clntconfig/admin@ABC.COM acmi

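     The kadm5.acl(4) line above grants clntconfig/admin exactly the four
     privileges the note says kclient needs. The following POSIX sh
     functions are an added example, not part of kclient or of the Solaris
     Kerberos tools, that read a kadm5.acl file and report whether a given
     principal holds exactly a required privilege string, distinguishing
     entries that grant too little from entries that grant too much,
     including the * and x shorthands for every privilege. The function
     names and messages are this example's own; the privilege letters are
     those of kadm5.acl(4), and the ACL used in the test is constructed.

```sh
#!/bin/sh
# Added example: check that the kadm5.acl(4) entry for the principal kclient
# runs as grants exactly the privileges it needs (add, change-pwd, modify,
# inquire: "acmi") and nothing broader. Not part of kclient; function names
# are this example's own.

# kadm5_acl_privs FILE PRINCIPAL
# Prints the privilege field of the first non-comment line whose principal
# field equals PRINCIPAL; prints nothing if there is no such entry.
kadm5_acl_privs() {
    awk -v p="$2" '$1 !~ /^#/ && $1 == p { print $2; exit }' "$1"
}

# kadm5_acl_check FILE PRINCIPAL REQUIRED
# Returns 0 when the entry grants exactly REQUIRED, 1 when privileges are
# missing (or the entry is absent), 2 when it grants more than REQUIRED.
kadm5_acl_check() {
    privs=$(kadm5_acl_privs "$1" "$2")
    if [ -z "$privs" ]; then
        echo "no kadm5.acl entry for $2"
        return 1
    fi
    # "*" and "x" are kadm5.acl shorthand for every privilege.
    case "$privs" in
        *'*'* | *x*)
            echo "$2 has all privileges ($privs); restrict it to '$3'"
            return 2 ;;
    esac
    missing=''
    extra=''
    # Compare letter by letter in both directions.
    for l in $(printf '%s' "$3" | sed 's/./& /g'); do
        case "$privs" in *"$l"*) ;; *) missing="$missing$l" ;; esac
    done
    for l in $(printf '%s' "$privs" | sed 's/./& /g'); do
        case "$3" in *"$l"*) ;; *) extra="$extra$l" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "$2 lacks privilege(s) '$missing' (has '$privs')"
        return 1
    fi
    if [ -n "$extra" ]; then
        echo "$2 has unneeded privilege(s) '$extra'; reduce to '$3'"
        return 2
    fi
    echo "ok: $2 is limited to '$3'"
}

# Stand-alone use against the live ACL (path from the FILES section):
#   sh aclcheck.sh clntconfig/admin@ABC.COM [acmi]
if [ "$#" -ge 1 ]; then
    kadm5_acl_check /etc/krb5/kadm5.acl "$1" "${2:-acmi}"
fi
```

     Exit status 2 is the case worth acting on from a least-privilege
     standpoint: the principal used only to enrol clients does not need
     delete, list or setkey rights, let alone the * catch-all.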

     Example 2 Setting Up a Kerberos Client Using the Profile Option


     To set up a Kerberos client using the clntconfig/admin administrative
     principal for realm `ABC.COM', kdc `example1.com' and that also copies
     over the master krb5.conf from a specified location, enter:


         # /usr/sbin/kclient -p /net/example1.com/export/profile.krb5




     The contents of profile.krb5:


         REALM ABC.COM
         KDC example1
         ADMIN clntconfig
         FILEPATH /net/example1.com/export/krb5.conf
         NFS 0
         DNSLOOKUP none



     Example 3 Setting Up a Kerberos Client That Has a Dynamic IP Address


     In this example a Kerberos client is a DHCP client that has a dynamic
     IP address. This client does not wish to host any Kerberized services
     and therefore does not require a keytab (/etc/krb5/krb5.keytab) file.



     For this type of client the administrator would issue the following
     command to configure this machine to be a Kerberos client of the
     ABC.COM realm with the KDC server kdc1.example.com:


         # /usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.com



FILES
     /etc/krb5/kadm5.acl

         Kerberos access control list (ACL) file.


     /etc/krb5/krb5.conf

         Default location for the local host's configuration file.


     /etc/krb5/krb5.keytab

         Default location for the local host's keytab file.


     /etc/nfssec.conf

         File listing NFS security modes.


     /etc/resolv.conf

         DNS resolver configuration file.


ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:


     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWkdcu                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Committed                    │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     encrypt(1), ksh93(1), ldapdelete(1), ldapmodify(1), ldapsearch(1),
     dd(1M), smbadm(1M), kadm5.acl(4), krb5.conf(4), nfssec.conf(4),
     pam.conf(4), resolv.conf(4), attributes(5), pam_krb5(5)

NOTES
     fqdn stands for the Fully Qualified Domain Name of the local host. The
     kclient utility saves copies of both the krb5.conf(4) and
     nfssec.conf(4) files to files with corresponding names and .sav
     extensions. The optional copy of the krb5.conf(4) master file is
     neither encrypted nor integrity-protected and it takes place over
     regular NFS.
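     Because the master krb5.conf copy travels over plain NFS with no
     integrity protection, it is worth checking what arrived before relying
     on it. The following POSIX sh functions are an added example, not part
     of kclient, that compare the fetched file against a SHA-256 digest
     obtained out of band (for instance computed on the master and read
     over a trusted channel) and show what changed relative to the .sav
     backup this section mentions. The function names and the choice of
     digest tool are this example's own assumptions; the stand-alone usage
     path /etc/krb5/krb5.conf is the default from FILES, and the file
     contents in the test are constructed.

```sh
#!/bin/sh
# Added example: verify a krb5.conf(4) copy that kclient fetched over plain
# NFS against a SHA-256 digest obtained out of band, and show what kclient
# changed relative to the .sav backup it keeps. Not part of kclient;
# function names are this example's own.

# kclient_digest FILE
# Prints the SHA-256 hex digest of FILE using whichever tool is available:
# sha256sum (GNU), digest(1) on Solaris, or openssl.
kclient_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v digest >/dev/null 2>&1; then
        digest -a sha256 "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# kclient_verify_copy FILE EXPECTED_DIGEST
# Returns 0 when FILE hashes to EXPECTED_DIGEST, 1 on a mismatch, 2 when
# FILE cannot be read.
kclient_verify_copy() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    actual=$(kclient_digest "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $1 matches the expected digest"
    else
        echo "MISMATCH: $1 is $actual, expected $2; do not trust this copy"
        return 1
    fi
}

# kclient_diff_sav FILE
# Shows the differences between FILE.sav (the copy kclient saves before
# editing) and FILE. Returns diff(1)'s status: 0 unchanged, 1 changed;
# returns 2 when no backup exists.
kclient_diff_sav() {
    [ -r "$1.sav" ] || { echo "no backup $1.sav found"; return 2; }
    diff "$1.sav" "$1"
}

# Stand-alone use: sh verify.sh /etc/krb5/krb5.conf <expected_sha256>
if [ "$#" -eq 2 ]; then
    kclient_verify_copy "$1" "$2"
    kclient_diff_sav "$1"
fi
```

     The digest has to come from somewhere other than the NFS export
     itself; a checksum file fetched over the same unprotected path proves
     nothing.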



SunOS 5.11                        27 May 2009                        kclient(1M)