How to Configure a cron Host for Access to Kerberos Services - Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.2

Exit Print View

» ...Documentation Home » Oracle Solaris 11.2 Information Library » Managing Kerberos and Other Authentication ... » Configuring the Kerberos Service » Configuring Delayed Execution for Access to ... » How to Configure a cron Host for Access to ...

Updated: August 2014

Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.2

Document Information

Using This Documentation

Chapter 1 Using Pluggable Authentication Modules

Chapter 2 About the Kerberos Service

Chapter 3 Planning for the Kerberos Service

Chapter 4 Configuring the Kerberos Service

Configuring the Kerberos Service

Configuring Additional Kerberos Services

Configuring KDC Servers

How to Install the KDC Package

How to Configure Kerberos to Run in FIPS 140 Mode

How to Use kdcmgr to Configure the Master KDC

How to Use kdcmgr to Configure a Slave KDC

How to Manually Configure a Master KDC

How to Manually Configure a Slave KDC

How to Configure the Master KDC to Use an LDAP Directory Server

Replacing the Ticket-Granting Service Keys on a Master Server

Managing a KDC on an LDAP Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

How to Destroy a Realm on an LDAP Directory Server

Configuring Kerberos Clients

How to Create a Kerberos Client Installation Profile

How to Automatically Configure a Kerberos Client

How to Interactively Configure a Kerberos Client

How to Join a Kerberos Client to an Active Directory Server

How to Manually Configure a Kerberos Client

Disabling Verification of the Ticket-Granting Ticket

How to Access a Kerberos Protected NFS File System as the root User

How to Configure Automatic Migration of Users in a Kerberos Realm

Automatically Renewing All Ticket-Granting Tickets

Configuring Kerberos Network Application Servers

How to Configure a Kerberos Network Application Server

How to Use the Generic Security Service With Kerberos When Running FTP

Configuring Kerberos NFS Servers

How to Configure Kerberos NFS Servers

How to Create and Modify a Credential Table

How to Provide Credential Mapping Between Realms

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

Configuring Delayed Execution for Access to Kerberos Services

How to Configure a cron Host for Access to Kerberos Services

Configuring Cross-Realm Authentication

How to Establish Hierarchical Cross-Realm Authentication

How to Establish Direct Cross-Realm Authentication

Synchronizing Clocks Between KDCs and Kerberos Clients

Swapping a Master KDC and a Slave KDC

How to Configure a Swappable Slave KDC

How to Swap a Master KDC and a Slave KDC

Administering the Kerberos Database

Backing Up and Propagating the Kerberos Database

How to Restore a Backup of the Kerberos Database

How to Convert a Kerberos Database After a Server Upgrade

How to Reconfigure a Master KDC to Use Incremental Propagation

How to Reconfigure a Slave KDC to Use Incremental Propagation

How to Verify That the KDC Servers Are Synchronized

Manually Propagating the Kerberos Database to the Slave KDCs

Setting Up Parallel Propagation for Kerberos

Configuration Steps for Setting Up Parallel Propagation

Administering the Stash File for the Kerberos Database

How to Create, Use, and Store a New Master Key for the Kerberos Database

Increasing Security on Kerberos Servers

Restricting Access to KDC Servers

Using a Dictionary File to Increase Password Security

Chapter 5 Administering Kerberos Principals and Policies

Chapter 6 Using Kerberos Applications

Chapter 7 Kerberos Service Reference

Chapter 8 Kerberos Error Messages and Troubleshooting

Chapter 9 Using Simple Authentication and Security Layer

Chapter 10 Configuring Network Services Authentication

Appendix A DTrace Probes for Kerberos

Security Glossary

Language:

How to Configure a cron Host for Access to Kerberos Services

This procedure uses the following configuration parameters:

cron host = host1.example.com
NFS server = host2.example.com
LDAP server = host3.example.com

Configure the cron service to support Kerberos.
- If the cron host is not configured for Kerberos, then run the kclient command on the system.
  For more information, see the kclient(1M) man page.
  
  For example, the following command configures the client in the EXAMPLE.COM realm. The command includes the pam_gss_s4u file in the /etc/pam.d/cron service file by using the include mechanism.
```
# kclient -s cron:optional -R EXAMPLE.COM
```
- If the cron host is already configured for Kerberos, then you must modify the PAM configuration for the cron service on that host manually.
  Ensure that the PAM configuration for the cron service includes the pam_gss_s4u file.
```
# cd /etc/pam.d ; cp cron cron.orig
# pfedit cron
      # PAM include file for optional set credentials
      # through Kerberos keytab and GSS-API S4U support
      auth include          pam_gss_s4u
```

Enable the cron host to act as a delegate.

For example:

# kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin: modprinc +ok_as_delegate host/[email protected]
Principal “host/[email protected]” modified.

Enable the cron host to request tickets for itself on behalf of the user who created the cron job.

kadmin: modprinc +ok_to_auth_as_delegate host/[email protected]
Principal “host/[email protected]” modified.
kadmin: quit

In LDAP, configure the cron host to specify the services that it uses as a delegate.
For example, to enable the cron host to access the user's home directory on host2, a Kerberized NFS server, add the NFS host to the krbAllowedToDelegateTo parameter in the cron server's LDAP definition.
1. Create the delegate assignment.
```
# pfedit /tmp/delghost.ldif
dn: krbprincipalname=host/[email protected],cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
changetype: modify
krbAllowedToDelegateTo: nfs/[email protected]
```
2. Add the assignment to LDAP.
```
# ldapmodify -h host3 -D "cn=directory manager" -f delghost.ldif
```

Copyright © 2002, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices