Network Installation Management Guide and Reference

Using NIM to Install Clients Configured with Kerberos Authentication

Normally, NIM relies on Standard AIX authentication to allow the NIM master to remotely execute commands. Standard AIX authentication utilizes the .rhosts file to provide this capability. While NIM functionality depends on its ability to remotely execute commands, some system environments require stricter authentication controls. Kerberos authentication provides a higher level of authentication for executing remote commands on the system without disabling NIM's capabilities.

Using NIM to Install Clients Configured with Kerberos 4 Authentication

In AIX Version 4.3.3 and later, NIM can be used to install machines in an RS/6000 SP environment configured for Kerberos 4 authentication. Clients configured for Kerberos 4 authentication will contain a $HOME/.klogin file for the root user. This file determines what ticket is required to allow remote command execution. The user must obtain the required ticket before attempting to execute remote commands through NIM.

The NIM master and all secure clients must have the IBM Parallel System Support Program for AIX Version 3.1 or greater installed and configured.

If secure clients will be reinstalled with BOS (Base Operating System), the authentication methods on the NIM master should be set for both Kerberos 4 and Standard UNIX. This is because NIM will not have configured Kerberos 4 on the client after the BOS is installed. NIM will therefore have to rely on standard rhosts to guarantee that it can remotely execute commands on the client until the client can be configured with Kerberos 4 and made into a secure client.

If only software customization and maintenance will be performed, then the NIM master must have its authentication methods set to match those of the clients. To manage secure clients, the master will need authentication methods set to include Standard UNIX.

See the SP Administration Guide for more information on installing and configuring Kerberos 4.

Using NIM to Install Clients Configured with Kerberos 5 Authentication

In AIX Version 4.3.2 and later, NIM can be used to install machines in an environment configured for Kerberos 5 authentication. Clients configured for Kerberos 5 authentication will contain a $HOME/.k5login file for the root user. This file will contain an entry that specifies what host token is required to allow remote command execution. This entry will follow the form:

hosts/hostname/self@cell

The NIM master and all secure clients must have DCE installed and configured at a level greater than or equal to 2.2.1.

If secure clients will be reinstalled with BOS (Base Operating System), the authentication methods on the NIM master should be set for both Kerberos 5 and Standard UNIX. This is because the client will not have DCE or Kerberos 5 configured and running after the BOS is installed. NIM will therefore have to rely on standard rhosts to remotely execute commands on the client until it can be configured with Kerberos 5 and made into a secure client.
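The following check is an added example, not part of the NIM guide: it verifies that every entry in root's .k5login follows the hosts/hostname/self@cell form and counts the entries present in a .rhosts file, which is the fallback NIM relies on until a client is made secure. The function names and the character sets accepted for hostname and cell are assumptions.

```shell
#!/bin/sh
# Added example (not from the NIM guide): audit root's remote-command trust files.
# Assumptions: hostname uses only letters, digits, ".", "-" and "_";
# the cell part is non-empty and contains no "@" or space.
# Usage as root: check_k5login "$HOME/.k5login"; count_rhosts_entries "$HOME/.rhosts"

# Succeeds when $1 has the form hosts/hostname/self@cell.
is_host_self_entry() {
    case $1 in
        hosts/*/self@?*) ;;
        *) return 1 ;;
    esac
    rest=${1#hosts/}            # hostname/self@cell
    host=${rest%%/self@*}       # text before "/self@"
    cell=${rest#*/self@}        # text after "/self@"
    case $host in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case $cell in *@*|*' '*) return 1 ;; esac
    return 0
}

# Prints one verdict per non-blank line of a .k5login file.
# Returns 0 if every entry conforms, 1 if any does not, 2 if unreadable.
check_k5login() {
    [ -r "$1" ] || { echo "MISSING $1"; return 2; }
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if is_host_self_entry "$line"; then
            echo "OK $line"
        else
            echo "UNEXPECTED $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Prints the number of non-blank lines in a .rhosts file (0 if absent).
count_rhosts_entries() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true
}
```

An UNEXPECTED line marks an entry that does not match the host token form described above and should be reviewed before the client is treated as secure.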

If only software customization and maintenance will be performed, then the NIM master must have its authentication methods set to match those of the clients. To manage secure clients, the master will need authentication methods set to include Standard UNIX.

See the Kerberos Version 5 Installation Guide for more information on installing and configuring Kerberos 5.

