How to Configure Automatic Migration of Users in a Kerberos Realm

Users who do not have a Kerberos principal can be automatically migrated to an existing Kerberos realm by using PAM. You customize per-system PAM configuration files on the migration server and the master server to handle the recognition of UNIX credentials and the re-authentication in the Kerberos realm.

For information about PAM, see Chapter 1, Using Pluggable Authentication Modules and the pam.conf(4) man page.

In this procedure, the login service names are configured to use automatic migration. This example uses the following configuration parameters:

• Realm name = EXAMPLE.COM

• Master KDC = kdc1.example.com

• Machine hosting the migration service = server1.example.com

• Migration service principal = host/server1.example.com

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

1. Ensure that a host service principal for server1 exists.

   The host service principal in the keytab file of server1 is used to authenticate the server to the master KDC.

   server1 # klist -k
   Keytab name: FILE:/etc/krb5/krb5.keytab
   KVNO Principal
   ---- ------------------------------------------------
   3 host/[email protected]
   ...

   For information about the options to the command, see the klist(1) man page.

2. If server1 is not listed, configure it as a Kerberos client of the realm EXAMPLE.COM.

   For the steps, see the examples in Configuring Kerberos Clients.

3. Modify the PAM policy for server1.

   For more information, see Assigning a Per-User PAM Policy.

   1. Determine which Kerberos policy is in use on server1.

      % grep PAM_POLICY /etc/security/policy.conf
      # PAM_POLICY specifies the system-wide PAM policy (see pam_user_policy(5))
      ...
      PAM_POLICY=krb5_first

   2. Copy that PAM policy file, then modify the new policy file to append the pam_krb5_migrate.so.1 module to each authentication stack.

      server1 # cd /etc/security/pam_policy/; cp krb5_first krb5_firstmigrate
      server1 # pfedit /etc/security/pam_policy/krb5_firstmigrate.
      # login service (explicit because of pam_dial_auth)
      #
      login	auth requisite	   pam_authtok_get.so.1
      ...
      login	auth required		pam_unix_auth.so.1
      login    auth optional		pam_krb5_migrate.so.1
      #
      # rlogin service (explicit because of pam_rhost_auth)
      #
      rlogin	auth sufficient	 pam_rhosts_auth.so.1
      ...
      rlogin	auth required	   pam_unix_auth.so.1
      rlogin   auth optional        pam_krb5_migrate.so.1
      #
      # Kerberized rlogin service
      #
      krlogin	auth required		pam_unix_cred.so.1
      krlogin	auth required		pam_krb5.so.1
      krlogin	auth optional		pam_krb5_migrate.so.1
      #
      # rsh service (explicit because of pam_rhost_auth)
      #
      rsh	auth sufficient		pam_rhosts_auth.so.1
      rsh	auth required		  pam_unix_cred.so.1
      rsh	auth optional		  pam_krb5_migrate.so.1
      #
      # Kerberized rsh service
      #
      krsh	auth required		pam_unix_cred.so.1
      krsh	auth required		pam_krb5.so.1
      krsh	auth optional		pam_krb5_migrate.so.1
      #
      # Kerberized telnet service
      #
      ktelnet	auth required		pam_unix_cred.so.1
      ktelnet	auth required		pam_krb5.so.1
      ktelnet	auth optional		pam_krb5_migrate.so.1
      #
      # PPP service (explicit because of pam_dial_auth)
      #
      ppp	auth requisite	   pam_authtok_get.so.1
      ...
      ppp	auth required		pam_unix_auth.so.1
      ppp	auth optional		pam_krb5_migrate.so.1
      #
      # GDM Autologin (explicit because of pam_allow).  These need to be
      # here as there is no mechanism for packages to amend pam.conf as
      # they are installed.
      #
      gdm-autologin auth  required    pam_unix_cred.so.1
      gdm-autologin auth  sufficient  pam_allow.so.1
      gdm-autologin auth optional    pam_krb5_migrate.so.1
      #
      # Default definitions for Authentication management
      # Used when service name is not explicitly mentioned for authentication
      #
      OTHER	auth requisite	   pam_authtok_get.so.1
      ...
      OTHER	auth required		pam_unix_auth.so.1
      OTHER	auth optional		pam_krb5_migrate.so.1
      #
      # passwd command (explicit because of a different authentication module)
      #
      passwd	auth required		pam_passwd_auth.so.1
      #
      # cron service (explicit because of non-usage of pam_roles.so.1)
      #
      cron	account required	pam_unix_account.so.1
      #
      # cups service (explicit because of non-usage of pam_roles.so.1)
      #
      cups	account	required	pam_unix_account.so.1
      #
      # GDM Autologin (explicit because of pam_allow) This needs to be here
      # as there is no mechanism for packages to amend pam.conf as they are
      # installed.
      #modified
      gdm-autologin account  sufficient  pam_allow.so.1
      #
      .
      .
      .

   3. (Optional) Force an immediate password change.

      For the newly created Kerberos accounts, set the password expiration time to the current time by adding the –expire_pw option to the pam_krb5_migrate entries. For more information, see the pam_krb5_migrate(5) man page.

      service-name auth optional     pam_krb5_migrate.so.1 expire_pw

   4. In this configuration file, modify the OTHER account stack to block access if the Kerberos password has expired.

      # Definition for Account management
      # Used when service name is not explicitly mentioned for account management
      # Re-ordered pam_krb5 causes password expiration in Kerberos to block access
      #
      OTHER	account	requisite   pam_roles.so.1
      OTHER	account	required	pam_krb5.so.1
      OTHER	account	required	pam_unix_account.so.1
      OTHER	account	required	pam_tsol_account.so.1
      # OTHER	account	required	pam_krb5.so.1
      #
      .
      .
      .

   5. Change the PAM_POLICY entry in the policy.conf file to use the modified configuration file.

      server1 # pfedit /etc/security/policy.conf
      ...
      # PAM_POLICY=krb5_first
      PAM_POLICY=krb5_firstmigrate

      For more information, read the policy.conf file.

4. On the master KDC, update the kadm5.acl access control file.

   The following entries grant migrate and inquire privileges to the host/server1.example.com service principal for all users except the root user. Use the U privilege to list users who must not be migrated. These entries must precede the permit all or ui entry. For more information. see the kadm5.acl(4) man page.

   kdc1 # pfedit /etc/krb5/kadm5.acl
   host/[email protected] U root
   host/[email protected] ui *
   */[email protected] *

5. On the master KDC, enable the kadmind daemon to use the k5migrate PAM service.

   If a k5migrate service file is not in the /etc/pam.d directory, add the service file to the directory.For more information, see the pam.d(4) man page.

   This modification enables the validation of UNIX user passwords for accounts that require migration.

   kdc1 # pfedit /etc/pam.d/k5migrate
   ...
   # Permits validation of migrated UNIX accounts
   auth    required        pam_unix_auth.so.1
   account required        pam_unix_account.so.1

   ---

   Note -  k5migrate is the name of a PAM service. The file must be named k5migrate.

   ---

6. Test your configuration before putting it in production.
   • As a regular user, test each modified PAM service.
   • As root, test each modified PAM service.
   • Force a password change, then test the modified PAM services.