svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
kclient(8)
System Administration Commands kclient(8)
NAME
kclient - set up a machine as a Kerberos client
SYNOPSIS
/usr/sbin/kclient [-n] [-R realm] [-a adminuser] [-c filepath]
[-d dnsarg] [-f fqdn_list] [-h logical_host_name] [-k kdc_list]
[-m master_kdc_list] [-p profile]
[-s pam_service:{first|only|optional}[,..]] [-T kdc_vendor]
DESCRIPTION
By specifying the various command options, you can use the kclient
utility to:
o Configure a machine as a Kerberos client for a specified
realm and Key Distribution Center (KDC) by setting up a
krb5.conf(5) file.
o Add the Kerberos host principal to the local host's keytab
file (/etc/krb5/krb5.keytab).
o Set up the machine to do kerberized NFS.
o Bring over a master krb5.conf copy from a specified path‐
name.
o Set up a machine to do server and/or host/domain name-to-
realm mapping lookups by means of DNS.
o Configure a Kerberos client to use a Microsoft Active Direc‐
tory server. This generates a keytab file with the Kerberos
client's service keys populated.
o Set up a Kerberos client that has no service keys. This is
useful when the client does not require service keys,
because the client does not wish to host a service that uses
Kerberos for security.
o Configure a Kerberos client that is part of a cluster. This
option requires the logical host name of the cluster so that
the proper service keys are created and populated in the
client's keytab file.
o Set up a Kerberos client to join an environment that con‐
sists of Kerberos servers that are non-Solaris and non-Mi‐
crosoft Active Directory servers.
o Configure pam.conf(5) to use Kerberos authentication for
specified services.
o Configure the client as a simple NTP broadcast/multicast
client.
o Specify custom domain/host name-to-realm name mappings.
o Set up the Kerberos client to use multiple KDC servers.
The kclient utility needs to be run on the client machine with root
permission and can be run either interactively or non-interactively. In
the non-interactive mode, the user feeds in the required inputs by
means of a profile, command-line options, or a combination of profile
and command-line options. The user is prompted for "required" parameter
values (realm and adminuser), if found missing in the non-interactive
run. The interactive mode is invoked when the utility is run without
any command-line arguments.
Both the interactive and non-interactive forms of kclient can add the
host/fqdn entry to the local host's keytab file. They also can require
the user to enter the password for the administrative user requested,
to obtain the Kerberos Ticket Granting Ticket (TGT) for adminuser. The
host/fqdn, nfs/fqdn, and root/fqdn principals can be added to the KDC
database (if not already present) before their possible addition to the
local host's keytab.
The kclient utility assumes that the local host has been set up for DNS
and requires the presence of a valid resolv.conf(5). Also, kclient can
fail if the localhost time is not synchronized with that of the KDC.
For Kerberos to function the localhost time must be within five minutes
of that of the KDC. It is advised that both systems run some form of
time synchronization protocol, such as the Network Time Protocol (NTP).
OPTIONS
The non-interactive mode supports the following options:
-n
Set up the machine for kerberized NFS. This involves making changes
to krb5* security flavors in nfssec.conf(5). This option will also
add nfs/fqdn and root/fqdn entries to the local host's keytab file
if the -K option has not been specified.
-R realm
Specifies the Kerberos realm.
-k kdc_list
The -k option specifies the KDC host names for the Kerberos client.
kdc_list is a comma-separated list of KDCs. If the -m option is not
used, it is assumed that the first (or only) host in kdc_list is
the master KDC host name. Note that the list specified is used ver‐
batim. This is helpful when specifying non-fully qualified KDC host
names that can be canonicalized by DNS. For more information, see
example 1 in the EXAMPLES section below.
-a adminuser
Specifies the Kerberos administrative user.
-T kdc_vendor
Configure the Kerberos client to associate with a third party
server. Valid kdc_vendor currently supported are:
ms_ad
Microsoft Active Directory
mit
MIT KDC server
heimdal
Heimdal KDC server
shishi
Shishi KDC server
Knowing the administrative password will be required to associate
the client with the server if the ms_ad option is specified.
-c filepath
Specifies the pathname to the krb5.conf master file, to be copied
over to the local host. The path specified normally points to a
master copy on a remote host and brought over to the local host by
means of NFS.
-d dnsarg
Specifies the DNS lookup option to be used and specified in the
krb5.conf file. Valid dnsarg entries are: none, dns_lookup_kdc,
dns_lookup_realm, and dns_fallback. Any other entry is considered
invalid. The latter three dnsarg values assume the same meaning as
those described in krb5.conf. dns_lookup_kdc implies DNS lookups
for the KDC and the other servers. dns_lookup_realm is for
host/domain name-to-realm mapping by means of DNS. dns_fallback is
a superset and does DNS lookups for both the servers and the
host/domain name-to-realm mapping. A lookup option of none speci‐
fies that DNS is not be used for any kind of mapping lookup.
-D domain_list
Specifies the host and/or domain names to be mapped to the Kerberos
client's default realm name. domain_list is a comma-separated list,
for example "example.com,host1.example.com". If the -D option is
not used, then only the client's domain is used for this mapping.
For example, if the client is host1.eng.example.com, then the
domain that is mapped to the EXAMPLE.COM realm is example.com.
-K
Configure the Kerberos client without service keys, which are usu‐
ally stored in /etc/krb5/krb5.keytab. This is useful in the follow‐
ing scenarios:
o The client IP address is dynamically assigned and there‐
fore does not host Kerberized services.
o Client has a static IP address, but does not want to
host any Kerberized services.
o Client has a static IP address, but the local adminis‐
trator does not currently have service keys available
for the machine. It is expected that, at a later time,
these keys will be installed on the machine.
-f fqdn_list
This option creates a service principal entry (host/nfs/root) asso‐
ciated with each of the listed fqdn's, if required, and subse‐
quently adds the entries to the local host's keytab.
fqdn_list is a comma-separated list of one or more fully qualified
DNS domain names.
This option is especially useful in Kerberos realms having systems
offering kerberized services, but situated in multiple different
DNS domains. For more information, see example 1 in the EXAMPLES
section below.
-h logical_host_name
Specifies that the Kerberos client is a node in a cluster. The log‐
ical_host_name is the logical host name given to the cluster. The
resulting /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab files must
be manually copied over to the other members of the cluster.
-m master_kdc_list
This option specifies the master KDC host names to be used by the
Kerberos client. master_kdc_list is a comma-separated list of the
host names of master KDCs for the client. If the -m option is not
used, then it is assumed that the first KDC host name listed with
the -k option is the master KDC.
-p profile
Specifies the profile to be used to enable the reading in of the
values of all the parameters required for set up of the machine as
a Kerberos client.
The profile should have entries in the format:
PARAM value
Valid PARAM entries are: REALM, KDC, ADMIN, FILEPATH, NFS,
DNSLOOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR, RMAP, MAS, and PAM.
These profile entries correspond to the -R realm, -k kdc, -a
adminuser, -c filepath, -n, -d dnsarg, -f fqdn_list, -K, -h
logical_host_name, -T kdc_vendor, -D domain_list, -m master_kdc,
and -s pam_service command-line options, respectively. Any other
PARAM entry is considered invalid and is ignored.
The NFS profile entry can have a value of 0 (do nothing) or 1
(operation is requested). Any other value is considered invalid and
is ignored.
Keep in mind that the command line options override the PARAM val‐
ues listed in the profile.
-s pam_service:auth_type[,...]
Specifies that the PAM service names, specified in pam_service, are
authenticated through Kerberos. Using this option updates/creates
/etc/pam.d/<pam_service> to include a separate authentication stack
with pam_krb5(7). Examples of pam_service names are sshd-kbdint,
su, and so forth.
auth_type can be one of the following keywords:
first
Try authenticating through Kerberos first. If this fails try to
authenticate through UNIX.
only
Try to authenticate only through Kerberos.
optional
Try authenticating through UNIX first. If this is successful
try to authenticate through Kerberos.
-x output_profile
Does not modify the machine configuration, instead collects all the
information and writes it into configuration profile output_pro‐
file. This profile can be later used by installadm create-profile
to configure Kerberos on client of Automated Installation.
In addition, the system's PAM_POLICY is updated to the associated
/etc/security/pam_policy/krb5* policy file.
EXAMPLES
Example 1 Setting Up a Kerberos Client Using Command-Line Options
To set up a Kerberos client using the clntconfig/admin administrative
principal for realm 'EXAMPLE.COM', kdc 'example1.com', and that also
does kerberized NFS, enter:
# /usr/sbin/kclient -n -R EXAMPLE.COM -k example1.com -a clntconfig
Alternatively, to set up a Kerberos client using the clntconfig/admin
administrative principal for the realm 'EAST.EXAMPLE.COM', kdc 'exam‐
ple2.east.example.com', and that also needs service principal(s) cre‐
ated and/or added to the local keytab for multiple DNS domains, enter:
# /usr/sbin/kclient -n -R EAST.EXAMPLE.COM -k example2.east.example.com \
-f west.example.com,central.example.com -a clntconfig
Note that the krb5 administrative principal used by the administrator
needs to have only add, inquire, change-pwd, and modify privileges (for
the principals in the KDC database) in order for the kclient utility to
run. A sample kadm5.acl entry is:
clntconfig/admin@EXAMPLE.COM acmi
Example 2 Setting Up a Kerberos Client Using the Profile Option
To set up a Kerberos client using the clntconfig/admin administrative
principal for realm 'EXAMPLE.COM', kdc 'example1.com', and that also
copies over the master krb5.conf from a specified location, enter:
# /usr/sbin/kclient -p /net/example1.com/export/profile.krb5
The contents of profile.krb5:
REALM EXAMPLE.COM
KDC example1
ADMIN clntconfig
FILEPATH /net/example1.com/export/krb5.conf
NFS 0
DNSLOOKUP none
Example 3 Setting Up a Kerberos Client That Has a Dynamic IP Address
In this example a Kerberos client is a DHCP client that has a dynamic
IP address. This client does not wish to host any Kerberized services
and therefore does not require a keytab (/etc/krb5/krb5.keytab) file.
For this type of client the administrator would issue the following
command to configure this machine to be a Kerberos client of the EXAM‐
PLE.COM realm with the KDC server kdc1.example.com:
# /usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.com
FILES
/etc/krb5/kadm5.acl
Kerberos access control list (ACL) file.
/etc/krb5/krb5.conf
Default location for the local host's configuration file.
/etc/krb5/krb5.keytab
Default location for the local host's keytab file.
/etc/nfssec.conf
File listing NFS security modes.
/etc/resolv.conf
DNS resolver configuration file.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Availabilityservice/security/kerberos-5 _ Interface
StabilityCommitted
SEE ALSO
kadm5.acl(5), krb5.conf(5), nfssec.conf(5), pam.conf(5),
resolv.conf(5), attributes(7), kerberos(7), pam_krb5(7), kclient-
kt2prof(8), smbadm(8)
Managing Kerberos in Oracle Solaris 11.4
NOTES
fqdn stands for the Fully Qualified Domain Name of the local host. The
kclient utility saves copies of both the krb5.conf(5) and
nfssec.conf(5) files to files with corresponding names and .sav exten‐
sions. The optional copy of the krb5.conf master file is neither
encrypted nor integrity-protected and it takes place over regular NFS.
Oracle Solaris 11.4 21 Jun 2021 kclient(8)