Using Kerberos as Authentication Database in Oracle iPlanet WebServer on Solaris 10

This article describes how to use a Kerberos authentication database in Oracle iPlanet Web Server.


In this article, the KDC and the Web Server are set up on the same host (serverhost.your.domain.com), the Kerberos realm is YOUR.DOMAIN.COM, the DNS domain is your.domain.com, and the client is on host clienthost.your.domain.com. Both the KDC/Web Server machine and the client machine run Solaris 10.


Make sure you configure DNS properly on the KDC, server and client machines.

"/etc/hosts" should have the KDC hostname, and it must be the same on all machines. You can verify this by running

# getent hosts serverhost.your.domain.com
serverhost.your.domain.com

Note that the first entry is of the form hostname.domain, not just hostname.

Clock Synchronization


All hosts that participate in the Kerberos authentication system must have their internal clocks synchronized within a specified maximum amount of time. Known as clock skew, this feature provides another Kerberos security check. If the clock skew is exceeded between any of the participating hosts, requests are rejected. The default value for the maximum clock skew is 300 seconds (five minutes).


One way to synchronize all the clocks is to use the Network Time Protocol (NTP) software. See Synchronizing Clocks Between KDCs and Kerberos Clients for more information.


Alternatively, you can use rdate from clienthost as shown below:


[clienthost]# rdate serverhost.your.domain.com


1. Configure Kerberos master KDC on Solaris 10


Install Solaris 10 with these options:
  • Enable Kerberos: Yes
  • Kerberos default realm: YOUR.DOMAIN.COM
  • Kerberos Admin Server and KDC: serverhost.your.domain.com

Even if you do not select these options during installation, the configuration files can be edited manually afterwards.

1.1 Modify Kerberos configuration files


Modify the Kerberos configuration files as shown below.

/etc/krb5/krb5.conf
[libdefaults]
        default_realm = YOUR.DOMAIN.COM

[realms]
        YOUR.DOMAIN.COM = {
                kdc = serverhost.your.domain.com
                admin_server = serverhost.your.domain.com
        }

[domain_realm]
        .your.domain.com = YOUR.DOMAIN.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
        gkadmin = {
                help_url = ...
        }

/etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        YOUR.DOMAIN.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }



/etc/krb5/kadm5.acl

*/admin@YOUR.DOMAIN.COM *
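As an added example (not part of the original article), the following POSIX shell script checks the prerequisites above before any Kerberos daemon is started: that the hosts lookup returns the fully qualified name first, that the clock skew against the KDC is within the 300-second default, and that the [domain_realm] mapping in krb5.conf points the DNS domain at default_realm. The getent output line, the epoch timestamps, the 10.0.0.5 address and the krb5.conf fragment are constructed sample inputs; on a real host they would come from getent, rdate/date and /etc/krb5/krb5.conf.

```shell
# Constructed preflight checks for the prerequisites above (added example, not the
# article's code). Inputs are strings so it runs offline; on a real host feed them
# from getent, rdate/date and /etc/krb5/krb5.conf.
MAX_SKEW=300   # Kerberos default maximum clock skew, in seconds

# check_hosts_entry LINE FQDN: the first name after the address in a `getent hosts`
# output line must be the fully qualified hostname, not the short name.
check_hosts_entry() {
    [ "$(printf '%s\n' "$1" | awk '{ print $2 }')" = "$2" ]
}

# check_clock_skew KDC_EPOCH LOCAL_EPOCH: succeed if |kdc - local| <= MAX_SKEW.
check_clock_skew() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# conf_value FILE SECTION KEY: print VALUE of a top-level "KEY = VALUE" line in
# [SECTION] of a krb5.conf-style file; keys inside nested { } blocks are skipped.
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { cur = $0; depth = 0; next }
        /[{]/ { depth++ }
        /[}]/ { depth--; next }
        cur == sec && depth == 0 && $1 == key { print $3; exit }' "$1"
}
# preflight HOSTS_LINE FQDN KDC_EPOCH LOCAL_EPOCH CONF: run every check and confirm
# that the DNS domain of FQDN maps to default_realm in [domain_realm].
preflight() {
    check_hosts_entry "$1" "$2" || { echo "hosts: first name is not the FQDN"; return 1; }
    check_clock_skew "$3" "$4"  || { echo "clock skew exceeds ${MAX_SKEW}s"; return 1; }
    realm=$(conf_value "$5" libdefaults default_realm)
    mapped=$(conf_value "$5" domain_realm ".${2#*.}")
    [ -n "$realm" ] && [ "$realm" = "$mapped" ] ||
        { echo "[domain_realm] does not map .${2#*.} to ${realm:-<unset>}"; return 1; }
    echo "preflight OK: realm $realm"
}

# Constructed krb5.conf fragment mirroring the article's settings (sample input).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = YOUR.DOMAIN.COM
[realms]
    YOUR.DOMAIN.COM = { kdc = serverhost.your.domain.com }
[domain_realm]
    .your.domain.com = YOUR.DOMAIN.COM
EOF
preflight "10.0.0.5 serverhost.your.domain.com serverhost" serverhost.your.domain.com 1700000000 1700000100 "$SAMPLE_CONF"
```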


1.2 Start dns/client service on Master KDC

For Kerberos to work, the dns/client service must be started before you start any other Kerberos daemons. Edit /etc/resolv.conf to have nameserver entries and then enable the dns/client service using the svcadm command as shown below.


# svcadm -v enable -s dns/client
svc:/network/dns/client:default enabled.



1.3 Create principal database on master KDC


Create the principal database using kdb5_util.


# kdb5_util create -s

Initializing database '/var/krb5/principal' for realm 'YOUR.DOMAIN.COM',
master key name 'K/M@YOUR.DOMAIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: