STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Installing Kerberos on Solaris 10

As of Solaris 10, the Kerberos support that comes with Solaris is sufficient for most purposes. This is particularly true as of the Solaris 10 update that added full development libraries for the native Kerberos API in addition to GSSAPI.

Please note that Solaris 10 is not supported by IT Services. We provide these instructions as part of our support for Kerberos on campus, but we will not be able to help with issues specific to Solaris 10.

Clients and Basic Configuration

The basic Kerberos clients (kinit, klist, kdestroy) come with the Solaris operating system, as do the basic Kerberos libraries.

You will need to install an /etc/krb5.conf file with the appropriate configuration for Stanford's Kerberos realm. You can download the sitewide version or just add the realm information for the stanford.edu realm by adding:

    stanford.edu = {
        kdc            = krb5auth1.stanford.edu:88
        kdc            = krb5auth2.stanford.edu:88
        kdc            = krb5auth3.stanford.edu:88
        master_kdc     = krb5auth1.stanford.edu:88
        admin_server   = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }

to the [realms] section and:

    stanford.edu              = stanford.edu
    .stanford.edu             = stanford.edu

to the [domain_realm] section. The sitewide version contains some additional realm mappings that are sometimes useful.

If you are using AFS on this system, you will need to compile aklog. aklog comes with the OpenAFS source distribution, available from the OpenAFS web site. The latest Solaris 10 update provides the necessary Kerberos libraries and interfaces to build aklog. For older versions of Solaris 10, you will need to install a third-party implementation of Kerberos, such as MIT Kerberos or Heimdal, so that you can compile aklog.

The SSH client that comes with Solaris supports GSSAPI authentication. See the Solaris documentation for how to enable it.

Solaris 10 does not provide Kerberos rlogin, rsh, and rcp binaries. If you want to use those protocols, you will need to install a third-party Kerberos implementation.

Remote Logins

First, before enabling remote logins with Kerberos, you should make sure that every account on your system with logins enabled either matches the SUNet ID of its user or has a .k5login file in its home directory (which should be empty if Kerberos logins aren't permitted for that account). By default, the servers that accept Kerberos logins will allow a user to log in to an account if their Kerberos principal matches the account name. The presence of a .k5login file overrides this logic: only the principals listed in that file will be permitted to log in to that account.

See UNIX Kerberos Commands in the user guide for more information on creating a .k5login file.
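The following is an added example, not code from this page or from Solaris: it models the authorization rule just described (principal matches account name unless a .k5login file is present, in which case only listed principals are allowed and an empty file denies everyone) and the pre-enablement audit of accounts that have neither a matching SUNet ID nor a .k5login file. It assumes the default realm is stanford.edu and simplifies the principal-to-username mapping to "a single-component principal in that realm"; the account data is constructed.

```python
# Added example, not from the Stanford page or from Solaris: models the
# authorization rule described above and the pre-enablement account audit.
# Assumption: the default realm is stanford.edu and a principal maps to a
# local account only when it is a single-component principal in that realm.
from typing import Dict, List, Optional, Set

DEFAULT_REALM = "stanford.edu"


def local_name(principal: str) -> Optional[str]:
    """Local username implied by a principal, or None if it maps to none."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != DEFAULT_REALM or "/" in name:
        return None
    return name


def login_permitted(account: str, principal: str, k5login: Optional[str]) -> bool:
    """k5login is the text of ~account/.k5login, or None if the file is absent.
    Without the file only the principal mapping to the account name may log in;
    with it only the listed principals may, so an empty file denies everyone."""
    if k5login is None:
        return local_name(principal) == account
    listed = {ln.strip() for ln in k5login.splitlines() if ln.strip()}
    return principal in listed


def audit_accounts(passwd_text: str, k5login_files: Dict[str, str],
                   sunet_ids: Set[str]) -> List[str]:
    """Accounts with a login shell that neither match a SUNet ID nor carry a
    .k5login file; the page says each of these needs a .k5login first."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or fields[6].endswith(("nologin", "false")):
            continue
        if fields[0] not in sunet_ids and fields[0] not in k5login_files:
            flagged.append(fields[0])
    return flagged


# Constructed sample data (not real accounts) for a stand-alone run.
SAMPLE_PASSWD = "\n".join([
    "jdoe:x:1001:10::/home/jdoe:/bin/sh",
    "webadmin:x:1002:10::/home/webadmin:/bin/sh",
    "backup:x:1003:10::/home/backup:/bin/sh",
    "oracle:x:1004:10::/home/oracle:/bin/sh",
    "daemon:x:1:1::/:/usr/bin/false",
])
SAMPLE_K5LOGIN = {"webadmin": "jdoe@stanford.edu\n", "backup": ""}
SAMPLE_SUNET_IDS = {"jdoe"}
```

Run `audit_accounts(SAMPLE_PASSWD, SAMPLE_K5LOGIN, SAMPLE_SUNET_IDS)` to list the accounts still needing a .k5login; in the sample that is only `oracle`, since `backup` is already locked by its empty file.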

To authenticate connections to your system using Kerberos, the system needs its own Kerberos service principal and a keytab for that principal. The service principal is an account in Kerberos, similar to a SUNet ID but for a service instead of a person. The keytab is, in essence, the password for that account stored in a file on your system. For information on how to obtain a service principal, see Downloading Keytabs with Wallet.

The SSH server that comes with Solaris includes GSSAPI support. See the Solaris documentation for how to enable it. To allow users to log in with a username and password but check that password against Kerberos and use it to acquire Kerberos tickets, see the next section.

Solaris 10 does not provide servers for the Kerberized rlogin, rsh, and rcp protocols. If you want to allow Kerberos rlogin, rsh, and rcp connections, you will need to download and compile a third-party Kerberos distribution. Once the binaries are installed, you normally run them by adding something like:

    eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -5ec
    kshell  stream tcp nowait root /usr/local/sbin/kshd kshd -5ec

to /etc/inetd.conf and (if necessary) something like:

    kshell          544/tcp         kcmd krcmd
    eklogin         2105/tcp

to /etc/services.

Local Logins

Logins with a username and password, which includes console logins, dtlogin, SSH with a username and password, and screen lock programs, use PAM to verify that password and to obtain user credentials such as Kerberos tickets. Therefore, enabling use of Kerberos passwords for local login means adding a Kerberos PAM module to your PAM configuration.

Solaris 10 provides a Kerberos PAM module which is generally sufficient. See the Solaris documentation for how to configure it, which will generally involve modifying /etc/pam.conf.

Be aware, however, that Solaris's PAM module doesn't handle the case where local usernames are different from the users' SUNet IDs. (In other words, it doesn't support the search_k5login option supported by the PAM module shipped with Debian.) If this support is important to you, you may want to build and install pam-krb5 and use it instead. See its documentation for more details on how to configure it.

Last modified Monday, 31-Mar-2008 10:49:25 PM