kclient man page on SunOS

kclient(1M)		System Administration Commands		   kclient(1M)

NAME
       kclient - set up a machine as a Kerberos client

SYNOPSIS
       /usr/sbin/kclient [-n] [-R realm] [-k kdc] [-a adminuser] [-c filepath]
       [-d dnsarg] [-f fqdn_list] [-p profile]

DESCRIPTION
       You can use the kclient utility to:

	 ·  Configure a machine as a Kerberos client for a specified realm and
	    for KDC by setting up krb5.conf(4).

	 ·  Add	 the  Kerberos	host principal to the local host's keytab file
	    (/etc/krb5/krb5.keytab).

	 ·  Optionally set up the machine to do kerberized NFS.

	 ·  Optionally bring over a master krb5.conf  copy  from  a  specified
	    pathname.

         ·  Optionally set up a machine to do server and/or host/domain
            name-to-realm mapping lookups by means of DNS.

       The kclient utility needs to be run on the  client  machine  with  root
       permission  and	can  be run either interactively or non-interactively.
       In the non-interactive mode, the user feeds in the required  inputs  by
       means  of  a profile, command-line options, or a combination of profile
       and command-line options. The user is prompted for "required" parameter
       values (realm, kdc, and adminuser), if found missing in the
       non-interactive run. The interactive mode is invoked when the utility
       is run without any command-line arguments.

       Both  the  interactive  and non-interactive forms of kclient always add
       the host/fqdn entry to the local host's keytab file. They also  require
       the  user  to enter the password for the administrative user requested,
       to obtain the Kerberos Ticket Granting Ticket (TGT) for adminuser.  The
       host/fqdn,  nfs/fqdn,  and  root/fqdn  principals  are added to the KDC
       database (if not already present) before their addition	to  the	 local
       host's keytab.

       The kclient utility assumes that the local host has been set up for DNS
       and requires the presence of a valid resolv.conf(4). Also, kclient  can
       fail  if	 the  localhost time is not synchronized with that of the KDC.
       For Kerberos to function the localhost time must be within five minutes
       of  that	 of  the KDC. It is advised that both systems run some form of
       time synchronization protocol, such as the Network Time Protocol (NTP).
       See xntpd(1M).

OPTIONS
       The non-interactive mode supports the following options:

       -n

	   Set up the machine for kerberized NFS. This involves making changes
	   to nfssec.conf(4)  and  addition  of	 the  nfs/fqdn	and  root/fqdn
	   entries to the local host's keytab file.

       -R [ realm]

	   Specifies the Kerberos realm.

       -k [ kdc]

	   Specifies  the  machine to be used as the Kerberos Key Distribution
	   Center (KDC).

       -a [ adminuser ]

	   Specifies the Kerberos administrative user.

       -c [ filepath ]

	   Specifies the pathname to  the  krb5.conf(4)	 master	 file,	to  be
	   copied  over	 to the local host. The path specified normally points
	   to a master copy on a remote host and brought  over	to  the	 local
	   host by means of NFS.

       -d [ dnsarg]

	   Specifies  the  DNS	lookup	option to be used and specified in the
	   krb5.conf(4) file. Valid dnsarg entries are: none,  dns_lookup_kdc,
	   dns_lookup_realm  and  dns_fallback.	 Any other entry is considered
	   invalid. The latter three dnsarg values assume the same meaning  as
	   those  described  in	 krb5.conf. dns_lookup_kdc implies DNS lookups
	   for	the  KDC  and  the  other  servers.  dns_lookup_realm  is  for
	   host/domain	name-to-realm mapping by means of DNS. dns_fallback is
	   a superset and does DNS  lookups  for  both	the  servers  and  the
           host/domain name-to-realm mapping. A lookup option of none
           specifies that DNS is not to be used for any kind of mapping lookup.

       -f [ fqdn_list]

           This option creates a service principal entry (host/nfs/root)
           associated with each of the listed fqdn's, if required, and
           subsequently adds the entries to the local host's keytab.

	   fqdn_list is a comma-separated list of one or more fully  qualified
	   DNS domain names.

	   This	 option is especially useful in Kerberos realms having systems
	   offering kerberized services, but situated  in  multiple  different
	   DNS domains.

       -p [ profile]

	   Specifies  the  profile  to be used to enable the reading in of the
	   values of all the parameters required for setup of the machine as a
	   Kerberos client.

	   The profile should have entries in the format:

	   PARAM <value>

	   Valid   PARAM  entries  are:	 REALM,	 KDC,  ADMIN,  FILEPATH,  NFS,
	   DNSLOOKUP, and FQDN.	 These profile entries correspond  to  the  -R
	   [realm],  -k [kdc], -a [adminuser], -c [filepath], -n, -d [dnsarg],
	   and -f [fqdn_list] command-line options,  respectively.  Any	 other
	   PARAM entry is considered invalid and is ignored.

	   The	NFS  profile  entry  can  have	a value of 0 (do nothing) or 1
	   (operation is requested). Any other value is considered invalid and
	   is ignored.

           Keep in mind that the command line options override the PARAM
           values listed in the profile.

EXAMPLES
       Example 1: Setting Up a Kerberos Client Using Command-Line Options

       To set up a Kerberos client using the clntconfig/admin administrative
       principal for realm `ABC.COM', kdc `example1.com' and that also does
       kerberized NFS, enter:

       # /usr/sbin/kclient -n -R ABC.COM -k example1.com -a clntconfig

       Alternatively, to set up a Kerberos client using the clntconfig/admin
       administrative principal for the realm `EAST.ABC.COM', kdc
       `example2.east.abc.com' and that also needs service principal(s)
       created and/or added to the local keytab for multiple DNS domains,
       enter:

       # /usr/sbin/kclient -n -R EAST.ABC.COM -k example2.east.abc.com \
       -f west.abc.com,central.abc.com -a clntconfig

       Note  that  the krb5 administrative principal used by the administrator
       needs to have only add, inquire, change-pwd and modify privileges  (for
       the principals in the KDC database) in order for the kclient utility to
       run. A sample kadm5.acl(4) entry is:

       clntconfig/admin@ABC.COM acmi

       Example 2: Setting Up a Kerberos Client Using the Profile Option

       To set up a Kerberos client using the clntconfig/admin administrative
       principal for realm `ABC.COM', kdc `example1.com' and that also copies
       over the master krb5.conf from a specified location, enter:

       # /usr/sbin/kclient -p /net/example1.com/export/profile.krb5

       The contents of profile.krb5:

       REALM ABC.COM
       KDC example1
       ADMIN clntconfig
       FILEPATH /net/example1.com/export/krb5.conf
       NFS 0
       DNSLOOKUP none
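
       Because invalid PARAM entries and invalid NFS values are ignored
       rather than rejected, a typo in a profile can leave a client set up
       differently than intended. The following check is an added example,
       not part of the original man page or of kclient; the function name
       lint_kclient_profile and the sample profile are constructed here.

```shell
#!/bin/sh
# Added example: lint a kclient profile. POSIX sh; on Solaris 10 run it with
# /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_kclient_profile() {
    findings=0
    seen=" "
    while read -r param value || [ -n "$param" ]; do
        [ -n "$param" ] || continue            # skip blank lines
        case $param in
            REALM|KDC|ADMIN|FILEPATH|FQDN)
                [ -n "$value" ] || { echo "$param: no value given"
                                     findings=$((findings + 1)); continue; } ;;
            NFS)
                case $value in 0|1) ;; *)
                    echo "NFS: '$value' is not 0 or 1, kclient ignores it"
                    findings=$((findings + 1)) ;;
                esac ;;
            DNSLOOKUP)
                case $value in
                    none|dns_lookup_kdc|dns_lookup_realm|dns_fallback) ;;
                    *) echo "DNSLOOKUP: '$value' is not a valid dnsarg"
                       findings=$((findings + 1)) ;;
                esac ;;
            *)
                echo "$param: not a valid PARAM, kclient ignores it"
                findings=$((findings + 1)); continue ;;
        esac
        seen="$seen$param "
    done < "$1"
    # realm, kdc and adminuser are the "required" parameters.
    for required in REALM KDC ADMIN; do
        case $seen in *" $required "*) ;; *)
            echo "$required: not in profile, kclient prompts unless given as an option"
            findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: misspelled NFS key, bad NFS value, no ADMIN entry.
sample=$(mktemp)
printf '%s\n' 'REALM ABC.COM' 'KDC example1' 'NSF 1' 'NFS yes' \
    'DNSLOOKUP dns_fallback' > "$sample"
lint_kclient_profile "$sample" || echo "fix the profile before: kclient -p"
rm -f "$sample"
```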

FILES
       /etc/krb5/kadm5.acl

	   Kerberos access control list (ACL) file.

       /etc/krb5/krb5.conf

	   Default location for the local host's configuration file.

       /etc/krb5/krb5.keytab

	   Default location for the local host's keytab file.

       /etc/nfssec.conf

	   File listing NFS security modes.

       /etc/resolv.conf

	   DNS resolver configuration file.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWkdcu			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Evolving			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       xntpd(1M), kadm5.acl(4), krb5.conf(4), nfssec.conf(4),  resolv.conf(4),
       attributes(5)

NOTES
       fqdn  stands for the Fully Qualified Domain Name of the local host. The
       kclient	utility	 saves	 copies	  of   both   the   krb5.conf(4)   and
       nfssec.conf(4) files to files with corresponding names and .sav
       extensions. The optional copy of the krb5.conf(4) master file is neither
       encrypted nor integrity-protected and it takes place over regular NFS.

SunOS 5.10			  20 Aug 2004			   kclient(1M)