[Fwd: kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]]
Shawn M Emery
Shawn.Emery at Sun.COM
Tue Jul 31 16:14:39 PDT 2007
Here are the contextual diffs from the initial one-pager to the current
version:
@@ -43,13 +43,26 @@
be mapped to the Kerberos realm specified
-K: configure a client that does not have host/service keys
-h logical_host_name: where logical_host_name is the logical host name of the
cluster
-m master_kdc: where master_kdc is the master KDC host name
--s pam_service: where pam_service is the service name to be configured for
- Kerberos authentication in the pam.conf(4) file
--t: configure a simple broadcast/multicast NTP client
+-s pam_service:{first | only | optional}[,...]
+ where pam_service is the service name to be configured for
+ Kerberos as the account authority in the pam.conf(4) file
+ first: try authenticating through Kerberos first, if this fails try to
+ authenticate through Unix
+ only: only try to authenticate through Kerberos
+ optional: try authenticating through Unix first, if this is successful
+ try to authenticate through Kerberos
+ multiple services can be delimited by commas (",")
+
+ Three files will be installed with this project under /usr/lib/security:
+ pam_krb5_first
+ pam_krb5_only
+ pam_krb5_optional
+ These files pertain to the "include" references in pam.conf when the -s
+ option has been used for any service names specified.
-T kdc_vendor: specify the KDC of the client to be of kdc_vendor. Supported
vendors are currently:
ms_ad: Microsoft Active Directory
mit: MIT KDC server
heimdal: Heimdal KDC server
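Review bot: the new argument form `+-s pam_service:{first | only | optional}[,...]` is not carried through the rest of the document: the synopsis in a later hunk still reads `[ -s pam_service ]`, and the man-page -s text describes only the "first" behaviour with an example ("dtlogin,sshd-kbdint") that has no qualifier at all. Either state here that the qualifier may be omitted and which mode is the default, or make it mandatory everywhere. The mode definitions also need one more sentence each: for "optional" ("try authenticating through Unix first, if this is successful try to authenticate through Kerberos") say what happens when the subsequent Kerberos attempt fails, i.e. whether the login still succeeds with no Kerberos credentials obtained; for "first" note that the fall-back to Unix means a disabled or expired Kerberos principal does not by itself block login while the Unix password is still valid, which is exactly what an administrator choosing between "first" and "only" needs to know. Finally, since pam_krb5_first, pam_krb5_only and pam_krb5_optional are installed under /usr/lib/security, the base directory PSARC/2005/217 uses for included PAM configuration files, a short note that they are pam.conf(4) include fragments and not PAM modules would avoid confusion.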
@@ -88,11 +101,11 @@
is a matrix that indicates which is used by the clients for the various types
of servers:
MIT<1.4 Heimdal Shishi AD Solaris No keys MIT1.4+
-------------------------------------------------------------------------------
-option (-t) mit heimdal shishi ms_ad none -K none
+option (-T) mit heimdal shishi ms_ad none -K none
-------------------------------------------------------------------------------
keytab X X X
-------------------------------------------------------------------------------
no keytab X X X X
-------------------------------------------------------------------------------
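Review bot: the option row `+option (-T) mit heimdal shishi ms_ad none -K none` lists shishi as a -T vendor value, but the -T description in the first hunk says the supported vendors are currently only ms_ad, mit and heimdal. Either add shishi to the supported list or drop (or mark as unsupported) the Shishi column so the matrix and the option text agree. The correction from (-t) to (-T) is right, since -t is removed from the synopsis and -T kdc_vendor is the option the matrix describes.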
@@ -115,11 +128,11 @@
- /usr/sbin/kclient [-n] [-R realm] [-k kdc] [-a adminuser]
- [-c filepath] [-d dnsarg] [-f fqdn_list] [-p profile]
+ /usr/sbin/kclient [ -K ] [ -R realm ] [ -a adminuser ]
+ [ -c filepath ] [ -d dnsarg ] [ -f fqdn_list ] [ -h logical_host_name ]
+ [ -k kdc_list ] [ -m master_kdc ] [ -n ] [ -p profile ]
-+ [ -s pam_service ] [ -t ] [ -T kdc_vendor ]
++ [ -s pam_service ] [ -T kdc_vendor ]
DESCRIPTION
You can use the kclient utility to:
o Configure a machine as a Kerberos client for a speci-
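Review bot: the synopsis `++ [ -s pam_service ] [ -T kdc_vendor ]` does not show the new `pam_service:{first | only | optional}[,...]` form, and it omits -D entirely, although the profile section in the next hunk maps a -D [domain_list] option to a PARAM entry. Add -D domain_list to the synopsis (or remove it from the profile text) and show the -s argument form, for example `[ -s pam_service[:{first|only|optional}][,...] ]` if the qualifier is optional.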
@@ -301,17 +314,17 @@
- NFS, DNSLOOKUP, and FQDN. These profile entries
- correspond to the -R [realm], -k [kdc], -a [adminuser],
- -c [filepath], -n, -d [dnsarg], and -f [fqdn_list]
- command-line options, respectively. Any other PARAM
- entry is considered invalid and is ignored.
-+ NFS, DNSLOOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR, RMAP, MAS, PAM,
-+ and NTP.
++ NFS, DNSLOOKUP, FQDN, NOKEY, NOSOL, LHN, KDCVENDOR, RMAP,
++ MAS, and PAM.
+
+ These profile entries correspond to the -R [realm], -k [kdc_list],
+ -a [adminuser], -c [filepath], -n, -d [dnsarg], -f [fqdn_list],
+ -K, -h [logical_host_name], -T [kdc_vendor], -D [domain_list],
-+ -m [master_kdc], -s [pam_service], and -t command-line options,
++ -m [master_kdc], and -s [pam_service] command-line options,
+ respectively. Any other PARAM entry is considered invalid and is
+ ignored.
The NFS profile entry can have a value of 0 (do nothing)
or 1 (operation is requested). Any other value is con-
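Review bot: the "respectively" mapping between PARAM entries and options no longer lines up. The new entries are NOKEY, NOSOL, LHN, KDCVENDOR, RMAP, MAS and PAM (seven), while the new options are -K, -h, -T, -D, -m and -s (six); read in order, NOSOL would pair with -h and LHN with -T, which cannot be intended given -h logical_host_name. State which option, if any, NOSOL corresponds to, and order the option list to match the entry list (presumably NOKEY/-K, LHN/-h, KDCVENDOR/-T, RMAP/-D, MAS/-m, PAM/-s). The -D [domain_list] option referenced in `+ -K, -h [logical_host_name], -T [kdc_vendor], -D [domain_list],` also needs to appear in the synopsis and in the option descriptions.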
@@ -323,15 +336,10 @@
+ to authenticate through Kerberos foremost. Using this option updates
+ pam.conf(4) to include pam_krb5(5) to existing authentication stacks
+ for the specified service(s) in pam_service. An example of a possible
+ pam_service is "dtlogin,sshd-kbdint".
+
-+ -t
-+
-+ Configures the client to be a NTP broadcast/multicast client if it
-+ has not already been configured to be one.
-+
...
ADMIN clntconfig
FILEPATH /net/example1.com/export/krb5.conf
NFS 0
DNSLOOKUP none
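Review bot: the -s text `+ to authenticate through Kerberos foremost` documents only the "first" mode, and the example "dtlogin,sshd-kbdint" carries no `:first|only|optional` qualifier, so the man page does not describe the three modes the one-pager defines. Describe each qualifier here, say whether it may be omitted and what the default is, and give an example that uses it, e.g. "dtlogin:first,sshd-kbdint:only". The sentence that kclient updates pam.conf(4) "to include pam_krb5(5) to existing authentication stacks" also differs from the one-pager, which says the mechanism is an "include" reference to pam_krb5_first, pam_krb5_only or pam_krb5_optional under /usr/lib/security; the man page should describe the actual edit so an administrator reviewing pam.conf afterwards recognizes it. Removing the -t NTP paragraph is consistent with dropping -t from the synopsis and the PARAM list.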
Gary Winiger wrote:
>>> Following diff shows:
>>>
>>> 1. revised -s text
>>>
>>> --s pam_service: where pam_service is the service name to be configured for
>>> - Kerberos authentication in the pam.conf(4) file
>>> --t: configure a simple broadcast/multicast NTP client
>>> +-s pam_service:{first | only | optional}[,...]
>>> + where pam_service is the service name to be configured for
>>> + Kerberos as the account authority in the pam.conf(4) file
>>> + first: try authenticating through Kerberos first, if this fails try to
>>> + authenticate through Unix
>>> + only: only try to authenticate through Kerberos
>>> + optional: try authenticating through Unix first, if this is successful
>>> + try to authenticate through Kerberos
>>> + multiple services can be delimited by commas (",")
>>> +
>>> + Three files will be installed with this project under /etc/security/pam:
>>> + pam_krb5_first
>>> + pam_krb5_only
>>> + pam_krb5_optional
>>> + These files pertain to the "include" references in pam.conf when the -s
>>> + option has been used for any service names specified.
>>>
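Review bot: the install location in `>>> + Three files will be installed with this project under /etc/security/pam:` in this earlier version conflicts with the PSARC/2005/217 default of /usr/lib/security/ for included PAM configuration files, which would force absolute paths in the master pam.conf; the current text above already moves the three files to /usr/lib/security, so the issue raised here is resolved by the diff above.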
>> Please install the files to "include" in the default place defined
>> in PSARC/2005/217 PAM include control flag. That is:
>> included PAM configuration
>> files are assumed to be relative to /usr/lib/security/.
>>
>> Then absolute paths will not be required in "master" pam.conf.
>>
>
> Can we close on this issue from 2 weeks ago?
>
> Gary..
>
>
--
Shawn.
More information about the opensolaris-arc mailing list