KCLIENT(8) Maintenance Procedures KCLIENT(8)


kclient - set up a machine as a Kerberos client


/usr/sbin/kclient [-n] [-R realm] [-k kdc] [-a adminuser]
[-c filepath] [-d dnsarg] [-f fqdn_list] [-h logical_host_name]
[-k kdc_list] [-m master_kdc] [-p profile] [-s pam_service]
[-T kdc_vendor]


By specifying the various command options, you can use the kclient
utility to:

o Configure a machine as a Kerberos client for a specified realm
and for KDC by setting up krb5.conf(5).

o Add the Kerberos host principal to the local host's keytab
file (/etc/krb5/krb5.keytab).

o Set up the machine to do kerberized NFS.

o Bring over a master krb5.conf copy from a specified pathname.

o Setup a machine to do server and/or host/domain name-to-realm
mapping lookups by means of DNS.

o Configure a Kerberos client to use an MS Active Directory
server. This generates a keytab file with the Kerberos
client's service keys populated.

o Setup a Kerberos client that has no service keys. This is
useful when the client does not require service keys, because
the client does not wish to host a service that uses Kerberos
for security.

o Configure a Kerberos client that is part of a cluster. This
option requires the logical host name of the cluster so that
the proper service keys are created and populated in the
client's keytab file.

o Setup a Kerberos client to join an environment that consists
of Kerberos servers that are non-Solaris and non-MS Active
Directory servers.

o Configure pam.conf(5) to use Kerberos authentication for
specified services.

o Configure the client as a simple NTP broadcast/multicast

o Specify custom domain/host name-to-realm name mappings.

o Setup the Kerberos client to use multiple KDC servers.

The kclient utility needs to be run on the client machine with root
permission and can be run either interactively or non-interactively. In
the non-interactive mode, the user feeds in the required inputs by means
of a profile, command-line options, or a combination of profile and
command-line options. The user is prompted for "required" parameter
values (realm and adminuser), if found missing in the non-interactive
run. The interactive mode is invoked when the utility is run without any
command-line arguments.

Both the interactive and non-interactive forms of kclient can add the
host/fqdn entry to the local host's keytab file. They also can require
the user to enter the password for the administrative user requested, to
obtain the Kerberos Ticket Granting Ticket (TGT) for adminuser. The
host/fqdn, nfs/fqdn, and root/fqdn principals can be added to the KDC
database (if not already present) before their possible addition to the
local host's keytab.

The kclient utility assumes that the local host has been setup for DNS
and requires the presence of a valid resolv.conf(5). Also, kclient can
fail if the localhost time is not synchronized with that of the KDC. For
Kerberos to function the localhost time must be within five minutes of
that of the KDC. It is advised that both systems run some form of time
synchronization protocol, such as the Network Time Protocol (NTP). See
the ntpd man page, delivered in the SUNWntpu package (not a SunOS man


The non-interactive mode supports the following options:


Set up the machine for kerberized NFS. This involves making changes
to krb5* security flavors in nfssec.conf(5). This option will also
add nfs/fqdn and root/fqdn entries to the local host's keytab file if
the -K option has not been specified.

-R [ realm ]

Specifies the Kerberos realm.

-k kdc_list

The -k option specifies the KDC host names for the Kerberos client.
kdc_list is a comma-separated list of KDCs. If the -m option is not
used, it is assumed that the first (or only) host in kdc_list is the
master KDC host name. Note that the list specified is used verbatim.
This is helpful when specifying non-fully qualified KDC host names
that can be canonicalized by DNS.

-a [ adminuser ]

Specifies the Kerberos administrative user.

-T kdc_vendor

Configure the Kerberos client to associate with a third party server.
Valid kdc_vendor currently supported are:


Microsoft Active Directory


MIT KDC server


Heimdal KDC server


Shishi KDC server

Knowing the administrative password will be required to associate the
client with the server if the ms_ad option is specified.

-c [ filepath ]

Specifies the pathname to the krb5.conf(5) master file, to be copied
over to the local host. The path specified normally points to a
master copy on a remote host and brought over to the local host by
means of NFS.

-d [ dnsarg ]

Specifies the DNS lookup option to be used and specified in the
krb5.conf(5) file. Valid dnsarg entries are: none, dns_lookup_kdc,
dns_lookup_realm and dns_fallback. Any other entry is considered
invalid. The latter three dnsarg values assume the same meaning as
those described in krb5.conf. dns_lookup_kdc implies DNS lookups for
the KDC and the other servers. dns_lookup_realm is for host/domain
name-to-realm mapping by means of DNS. dns_fallback is a superset and
does DNS lookups for both the servers and the host/domain name-to-
realm mapping. A lookup option of none specifies that DNS is not be
used for any kind of mapping lookup.

-D domain_list

Specifies the host and/or domain names to be mapped to the Kerberos
client's default realm name. domain_list is a comma-separated list,
for example "example.com,host1.example.com". If the -D option is not
used, then only the client's domain is used for this mapping. For
example, if the client is host1.eng.example.com, then the domain that
is mapped to the EXAMPLE.COM realm is example.com.


Configure the Kerberos client without service keys, which are usually
stored in /etc/krb5/krb5.keytab. This is useful in the following

o The client IP address is dynamically assigned and
therefore does not host Kerberized services.

o Client has a static IP address, but does not want to host
any Kerberized services.

o Client has a static IP address, but the local
administrator does not currently have service keys
available for the machine. It is expected that, at a later
time, these keys will be installed on the machine.

-f [ fqdn_list ]

This option creates a service principal entry (host/nfs/root)
associated with each of the listed fqdn's, if required, and
subsequently adds the entries to the local host's keytab.

fqdn_list is a comma-separated list of one or more fully qualified
DNS domain names.

This option is especially useful in Kerberos realms having systems
offering kerberized services, but situated in multiple different DNS

-h logical_host_name

Specifies that the Kerberos client is a node in a cluster. The
logical_host_name is the logical host name given to the cluster. The
resulting /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab files must be
manually copied over to the other members of the cluster.

-m master_kdc

This option specifies the master KDC to be used by the Kerberos
client. master_kdc is the host name of the master KDC for the
client. If the -m option is not used, then it is assumed that the
first KDC host name listed with the -k option is the master KDC.

-p [ profile ]

Specifies the profile to be used to enable the reading in of the
values of all the parameters required for setup of the machine as a
Kerberos client.

The profile should have entries in the format:

PARAM <value>


These profile entries correspond to the -R [realm], -k [kdc], -a
[adminuser], -c [filepath], -n, -d [dnsarg], -f [fqdn_list], -K, -h
[logical_host_name], -T [kdc_vendor], -D [domain_list], -m
[master_kdc], and -s [pam_service] command-line options,
respectively. Any other PARAM entry is considered invalid and is

The NFS profile entry can have a value of 0 (do nothing) or 1
(operation is requested). Any other value is considered invalid and
is ignored.

Keep in mind that the command line options override the PARAM values
listed in the profile.

-s pam_service

Specifies that the PAM service names, listed in pam_service, are
authenticated through Kerberos before any other type of
authentication. Using this option updates pam.conf(5) to include
pam_krb5(7) to existing authentication stacks for the specified
service(s) in pam_service. An example of a possible pam_service value
is: dtlogin,sshd-kbdint.


Example 1: Setting Up a Kerberos Client Using Command-Line Options

To setup a Kerberos client using the clntconfig/admin administrative
principal for realm 'EXAMPLE.COM', kdc `example1.example.com' and that
also does kerberized NFS, enter:

# /usr/sbin/kclient -n -R EXAMPLE.COM -k example1.example.com -a clntconfig

Alternatively, to set up a Kerberos client using the clntconfig/admin
administrative principal for the realm `EAST.EXAMPLE.COM', kdc
`example2.east.example.com' and that also needs service principal(s)
created and/or added to the local keytab for multiple DNS domains, enter:

# /usr/sbin/kclient -n -R EAST.EXAMPLE.COM -k example2.east.example.com \
-f west.example.com,central.example.com -a clntconfig

Note that the krb5 administrative principal used by the administrator
needs to have only add, inquire, change-pwd and modify privileges (for
the principals in the KDC database) in order for the kclient utility to
run. A sample kadm5.acl(5) entry is:

clntconfig/admin@EXAMPLE.COM acmi

Example 2: Setting Up a Kerberos Client Using the Profile Option

To setup a Kerberos client using the clntconfig/admin administrative
principal for realm `EXAMPLE.COM', kdc `example1.example.com' and that
also copies over the master krb5.conf from a specified location, enter:

# /usr/sbin/kclient -p /net/example1.example.com/export/profile.krb5

The contents of profile.krb5:

KDC example1.example.com
ADMIN clntconfig
FILEPATH /net/example1.example.com/export/krb5.conf

Example 3: Setting Up a Kerberos Client That Has a Dynamic IP Address

In this example a Kerberos client is a DHCP client that has a dynamic IP
address. This client does not wish to host any Kerberized services and
therefore does not require a keytab (/etc/krb5/krb5.keytab) file.

For this type of client the administrator would issue the following
command to configure this machine to be a Kerberos client of the
EXAMPLE.COM realm with the KDC server kdc1.example.com:

# /usr/sbin/kclient -K -R EXAMPLE.COM -k kdc1.example.com



Kerberos access control list (ACL) file.


Default location for the local host's configuration file.


Default location for the local host's keytab file.


File listing NFS security modes.


DNS resolver configuration file.


See attributes(7) for descriptions of the following attributes:

|Interface Stability | Committed |


encrypt(1), ksh93(1), ldapdelete(1), ldapmodify(1), ldapsearch(1),
kadm5.acl(5), krb5.conf(5), nfssec.conf(5), pam.conf(5), resolv.conf(5),
attributes(7), pam_krb5(7), dd(8), smbadm(8)


fqdn stands for the Fully Qualified Domain Name of the local host. The
kclient utility saves copies of both the krb5.conf(5) and nfssec.conf(5)
files to files with corresponding names and .sav extensions. The optional
copy of the krb5.conf(5) master file is neither encrypted nor integrity-
protected and it takes place over regular NFS.

November 22, 2021 KCLIENT(8)