What's new for Kerberos in Solaris 10 5/08
By mbp on Apr 17, 2008
Solaris 10 5/08 has just been released, and it contains a number of significant enhancements to Kerberos. I've drawn up a list of the new features, singling out the ones I think are most significant. Beyond these, there were also many bug fixes and other minor improvements.
- Support for Kerberos principal and policy records in LDAP
Adds support for storing Kerberos principal and policy records on a Directory Server and accessing them over LDAP. Keeping these records in LDAP has advantages over the default db2 database: administration is simplified, and several KDCs can share one replicated directory, which allows a multi-master KDC configuration instead of propagating a db2 database from a master KDC to its slaves. The KDC now has a pluggable database layer; both the new LDAP support and the older db2 storage are implemented as plugins. Configuring a KDC with an LDAP backend is a little different from db2 administration: a new utility, kdb5_ldap_util, and new configuration options are needed. Note that with this backend the directory holds every principal's keys, so the KDC's connection to the directory and the credentials it binds with need the same protection the db2 database files had. An updated Kerberos administration guide covering this feature is available.
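As an added illustration of what the LDAP backend configuration looks like (this is not code from the original post or from Solaris), the script below writes a krb5.conf with an LDAP-backed realm and checks the permissions of the file that stashes the KDC's directory bind password. The realm, hostnames, DNs and paths are made up. The option names are those of the MIT Kerberos kldap plugin on which the Solaris backend is based; confirm them against the Solaris 10 5/08 administration guide before use.

```shell
#!/bin/sh
# Added example, not from the original post or from Solaris itself:
# a minimal krb5.conf for a KDC whose principal and policy records live
# in LDAP, plus the permission check an admin should run on the stashed
# directory bind password. Realm, hosts, DNs and paths are assumptions;
# option names are the MIT kldap plugin names (db_library, ldap_servers,
# ldap_kdc_dn, ldap_kadmind_dn, ldap_kerberos_container_dn,
# ldap_service_password_file).

# Write a krb5.conf with an LDAP-backed realm into the file named by $1.
# ldaps:// is used deliberately: the directory holds every principal's
# keys, and the KDC reads them over this connection.
write_ldap_krb5_conf() {
    out=$1
    cat > "$out" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
                database_module = LDAP
        }

[dbmodules]
        LDAP = {
                db_library = kldap
                ldap_servers = ldaps://ds1.example.com
                ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com"
                ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com"
                ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com"
                ldap_service_password_file = /var/krb5/service.keyfile
        }
EOF
}

# The bind passwords for ldap_kdc_dn and ldap_kadmind_dn are stashed in
# ldap_service_password_file. Anyone who can read that file can read
# every principal's key from the directory, so it must be mode 0600
# (and owned by root, which this check leaves to the admin so it can
# run unprivileged). Returns 0 when the file passes.
check_stash_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing stash file $f" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c2-10)
    case $mode in
        rw-------) return 0 ;;
        *) echo "$f has mode $mode, expected rw-------" >&2; return 1 ;;
    esac
}

# Once the file is in place, the realm itself is created in the directory
# with kdb5_ldap_util (run as root on the KDC; the bind DN is an assumption):
#   kdb5_ldap_util -D "cn=directory manager" create -r EXAMPLE.COM -s
#   kdb5_ldap_util -D "cn=directory manager" stashsrvpw \
#       "cn=kdc service,ou=profile,dc=example,dc=com"
#   kdb5_ldap_util -D "cn=directory manager" stashsrvpw \
#       "cn=kadmin service,ou=profile,dc=example,dc=com"

# Example run against a scratch directory.
tmp=$(mktemp -d)
write_ldap_krb5_conf "$tmp/krb5.conf"
printf 'stash-password\n' > "$tmp/service.keyfile"
chmod 600 "$tmp/service.keyfile"
check_stash_perms "$tmp/service.keyfile" && echo "stash file permissions ok"
```

The two DNs the KDC binds as should be separate directory accounts with only the rights each daemon needs: the kdc DN reads principals and policies, the kadmind DN also writes them. Do not reuse the directory manager credentials in the stash file.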
- Zero-configuration Kerberos clients
This is not a single feature per se but rather a number of relatively minor changes which together can remove the need to configure Kerberos clients explicitly. The following changes were made:
- dns_lookup_kdc is enabled by default, so a client locates the KDCs for a realm through DNS SRV records rather than through a [realms] stanza in krb5.conf
- The Kerberos realm for a given host (or the default realm of the local host) is determined heuristically from the host's DNS domain name
- The shipped default krb5.conf was changed so that an unedited file no longer leaves the client mis-configured
- Client-side referral support was added, which allows the KDC to tell the client which realm a principal belongs to. Microsoft's Active Directory is an example of a KDC that supports this
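As an added example (not from the original post, and not the library's own code), the script below shows what a zero-configuration client has to resolve once dns_lookup_kdc is on and the realm is derived from the DNS domain: the realm it will assume, the SRV names it will query, and the order in which it will try the KDCs those records name. The SRV owner names follow RFC 4120 section 7.2.3.2 and the ordering follows RFC 2782. The zone records and hostnames are constructed sample data, and the realm rule is the plain "upper-case the DNS domain" heuristic, which may not match the Solaris library's heuristic in every detail.

```shell
#!/bin/sh
# Added example, not from the original post: what a zero-configuration
# Kerberos client resolves when dns_lookup_kdc is on and the realm comes
# from the host's DNS domain. Zone data and hostnames are constructed;
# the realm heuristic is an assumption (upper-cased DNS domain).

# Derive a realm from a fully qualified host name:
# ws17.example.com -> EXAMPLE.COM. Fails (status 1) for a bare hostname,
# which has no domain to derive a realm from.
realm_from_fqdn() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" | tr '[:lower:]' '[:upper:]' ;;
        *)   return 1 ;;
    esac
}

# Print the SRV owner names a client queries for a realm, in the order a
# lookup tries them (UDP KDC, TCP KDC, master KDC, kpasswd server).
srv_names_for_realm() {
    for svc in _kerberos._udp _kerberos._tcp _kerberos-master._udp _kpasswd._udp; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# What the DNS administrator must publish for discovery to work, as
# constructed sample answers in the format dig prints them. Priority 0
# hosts are tried first; kdc-dr at priority 10 is only a fallback.
SAMPLE_SRV='_kerberos._udp.example.com. 3600 IN SRV 10 0 88 kdc-dr.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 100 88 kdc1.example.com.
_kerberos._udp.example.com. 3600 IN SRV 0 50 88 kdc2.example.com.'

# Read SRV records on stdin and print host:port in the order a client
# should try them: ascending priority, then descending weight. A real
# resolver picks randomly among equal priorities in proportion to weight;
# sorting by weight is the deterministic stand-in used here.
order_kdcs() {
    awk '$4 == "SRV" { print $5, $6, $7, $8 }' \
    | sort -k1,1n -k2,2nr \
    | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Example run for a workstation called ws17.example.com.
realm=$(realm_from_fqdn ws17.example.com)
echo "assumed realm: $realm"
echo "SRV names queried:"
srv_names_for_realm "$realm"
echo "KDCs in try order:"
printf '%s\n' "$SAMPLE_SRV" | order_kdcs
```

One caveat a practitioner will want: DNS answers are not authenticated, so a forged SRV record can direct a zero-configuration client to a rogue KDC. That KDC cannot mint a TGT that real services accept, but a login path that only checks whether the AS exchange succeeded can be fooled. Keep a host keytab on each client so the library's verification of a freshly acquired TGT against the host key has something to check, and set verify_ap_req_nofail in krb5.conf so a missing keytab fails closed rather than silently skipping that check.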