A little something about Sun's Solaris 10 implementation of Kerberos
By michel on Mar 03, 2008
The following are answers to some questions I researched for several of my customers regarding Sun Kerberos. I wrote this article thinking it might be helpful for someone else curious about Sun Kerberos. I am not going to call this a FAQ because this is really a point-in-time response, as I will not be maintaining this over time as you would a real FAQ. If you find this useful, by all means use it to start a FAQ if you so desire.
So what is Sun Kerberos?
It is a network authentication protocol, designed to provide strong authentication for client/server applications by using secret-key cryptography. Originally developed at the Massachusetts Institute of Technology (MIT), it has been included as part of the Solaris Operating Environment to provide strong authentication for Solaris network applications. Before Solaris 10, Sun's Kerberos implementation was known as the "Sun Enterprise Authentication Mechanism" (SEAM).
Kerberos, in addition to providing a secure authentication protocol, also offers the ability to add privacy support (encrypted data streams) for remote applications such as ssh, telnet, ftp, rsh, rlogin and other common Unix network applications. In a Solaris environment, Kerberos can also be used to provide strong authentication and privacy support for Network File System (NFS) filesystems, allowing secure and private file sharing across the network.
Question 1. Can Microsoft Active Directory (AD) act as the primary KDC for Sun Kerberos Clients?
Answer 1. Yes.
Question 2. It is my understanding that SEAM has a KDC that is not in Sun LDAP and is a separate repository.
Answer 2. True.
Question 3. Does SEAM require a KDC to be in the Sun LDAP server in order to integrate it with AD?
Answer 3. If the primary server is Active Directory, then the Solaris Kerberos clients will work fine and do not need a Sun LDAP server. Clients can get their Kerberos tickets using standard Kerberos protocols talking to AD or Linux or any other system that supports the standard Kerberos protocols.
Question 4. It is my understanding that Sun LDAP can be made to Synchronize with MS Active Directory.
Answer 4. If you only want your Solaris clients to be able to use AD as a KDC to issue tickets, then there is no need for LDAP sync unless you are trying to use AD as a naming service also.
Question 5. Can Sun Kerberos Clients be made to use AD Kerberos directly?
Answer 5. Yes, Solaris Kerberos clients can get tickets directly from an AD server. No special plugins are needed.
Question 6. I am confused on how this all works, please point me in the right direction and provide information such as Blueprints, whitepapers and roadmap.
Question 7. The SEAM information on the roadmap was confusing and not really clear. After chasing links around opensolaris.org, it appears all the work is done on projects.
Answer 7. Correct. OpenSolaris is organized into "communities" and "projects". Projects are (mostly) where the actual programming/implementation is done.
Question 8. It looks like most all Kerberos projects were integrated into NV50, so I am guessing all these features have been available in Solaris 10 since 11/06?
Answer 8. You can't assume that. The next update to Solaris 10 in 2008 will have almost all of the enhancements/bug fixes which are currently in Nevada but not in Solaris 10. Just because something is in NV** does not mean it is part of Solaris 10; backports are handled on a case-by-case basis. You should email "kerberos-discuss" at opensolaris.org and ask the Kerberos team directly about particular projects.
Question 9. Can you please confirm that this means the information on the http://opensolaris.org Kerberos web page (http://opensolaris.org/os/project/kerberos/) is dated, when it alludes that MIT 1.6 client-side referrals (AD compatible) are only in NV?
Answer 9. Client-side referrals are only one small feature enhancing the AD compatibility already available; client-side referrals are not necessary for AD compatibility, and Solaris 10 clients should work fine with AD. The opensolaris website info is pretty recent and up to date.
Question 10. After googling around I found the following "how to" pdf on Solaris 10 & MS Active Directory (http://www.csnc.ch/static/download/misc/Solaris10_AD_Integration_V1.0.pdf), which is based on NV68. Theoretically do you think this will work with Solaris 10 since projects Sparks/Winchester/Reno/Duckwater are done?
Answer 10. What is described will work fine with Solaris 10; I don't think that the OpenSolaris Sparks/Winchester projects are needed to get that level of interoperability working. One thing to remember is that the Kerberos page on opensolaris.org (http://opensolaris.org/os/project/kerberos) is aimed at OpenSolaris/Nevada development; information on S10 is normally found at www.sun.com.
Question 11. I want to use AD as a naming server instead of having a separate data store for users and hosts in
Answer 11. This is possible, but it requires administering the AD server to create and maintain a separate schema (RFC2307bis); I believe W2k3 R2 already has this schema by default. If this is used, it would also involve administrative steps in Solaris as outlined in the document mentioned above. The long-term solution that requires no additional administration with AD and less administration on the Solaris clients involves projects such as Winchester (already integrated into snv), the creation of a separate name service back-end for AD (yet to be integrated), and kclientv2 (planned to integrate into snv_80).
Question 12. How do I change my AD password in Solaris?
Answer 12. Please look at the following BigAdmin article: Changing Your Active Directory Password From a Solaris System, Mike Myers, September 2004.
Description: Leveraging Kerberos, you can change your Windows Active Directory password from a system running the Solaris OS, with just a little configuration.
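Answers 5 and 12 above both come down to one thing on the Solaris side: a krb5.conf whose realm points at the AD domain controller, including the password-change settings. The script below is an added example (not from the original post or the BigAdmin article); it generates such a configuration for a hypothetical realm AD.EXAMPLE.COM with domain controller dc1.ad.example.com, refuses a realm that is not upper case (the usual first mistake), and provides a verify step that obtains and lists a ticket. The realm, host names and user principal are placeholders; the option names are those documented in the Solaris krb5.conf(4) man page, with kpasswd_protocol = SET_CHANGE being the Solaris-specific setting for a non-Solaris KDC such as AD.

```shell
#!/bin/sh
# Added example: build a Solaris 10 /etc/krb5/krb5.conf for an Active
# Directory realm and check that a ticket can be obtained from the DC.
# AD.EXAMPLE.COM, dc1.ad.example.com and jdoe are hypothetical.

# check_realm REALM
# Kerberos realm names are case-sensitive; an AD realm is the DNS domain
# in upper case, so reject anything containing a lower-case letter.
# (Explicit character set rather than a-z to avoid locale collation surprises.)
check_realm() {
    case $1 in
        *[abcdefghijklmnopqrstuvwxyz]*) return 1 ;;
        *)                               return 0 ;;
    esac
}

# gen_krb5_conf REALM DC_FQDN DNS_DOMAIN
# Print a krb5.conf whose only KDC, admin server and kpasswd server is the
# AD domain controller. kpasswd_protocol = SET_CHANGE selects the standard
# password-change protocol; the Solaris default (RPCSEC_GSS) only works
# against a Solaris KDC, which is why kpasswd against AD fails without it.
gen_krb5_conf() {
    realm=$1
    dc=$2
    domain=$3
    check_realm "$realm" || {
        echo "realm must be upper case: $realm" >&2
        return 1
    }
    cat <<EOF
[libdefaults]
        default_realm = $realm

[realms]
        $realm = {
                kdc = $dc
                admin_server = $dc
                kpasswd_server = $dc
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .$domain = $realm
        $domain = $realm
EOF
}

# verify_ticket PRINCIPAL
# Interactive: asks for the AD password, fetches a TGT from the DC and
# lists it. Needs network access to the DC, so it only runs on request.
verify_ticket() {
    kinit "$1" && klist
}

case "${1:-gen}" in
    gen)    gen_krb5_conf AD.EXAMPLE.COM dc1.ad.example.com ad.example.com ;;
    verify) verify_ticket "${2:-jdoe@AD.EXAMPLE.COM}" ;;
esac
```

Usage: run the script with no arguments and redirect the output to /etc/krb5/krb5.conf, then run it with `verify` to confirm that kinit gets a ticket from the DC and that kpasswd can change the AD password. Two checks worth doing before blaming the configuration: the DC's name must resolve in DNS, and the Solaris clock must be within the KDC's clock-skew window (five minutes by default), since Kerberos rejects requests from a client whose clock is off. Solaris 10 also ships kclient(1M), which writes this file for you; the example is here to make visible what it has to contain for AD.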
Question 13. What about Solaris 10 CIFS?
Answer 13. There is information at the OpenSolaris (opensolaris.org) projects for both the CIFS server and client for Solaris. There is also information on an Active Directory domain CIFS member server at http://blogs.sun.com/jurasek/category/Samba. It describes a procedure to set up the Samba server included with Solaris 10 update 8/07 to serve as the CIFS volume server, authenticating users against the ADS domain controller.
Question 14. Is there a SunEd Class about SEAM?
Answer 14. There is a SunEd class called "Enterprise Security Using Kerberos and LDAP (SC-360)" you may want to consider taking. Here is a brief description:
The Enterprise Security Using Kerberos course provides students with the knowledge and skills necessary to deploy Kerberos in the enterprise and to secure enterprise deployments of Lightweight Directory Access Protocol (LDAP).
Question 15. Are there any books on Sun LDAP and Naming services?
There are two Sun Blueprint books: