difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)
Zaakarij Selassij
zaakarij at broken.org
Mon Apr 15 08:28:56 EDT 2002
Hello, I have been trying to get Sun's packaged version of Kerberos (SEAM) running on a pair of Sun Netras for nearly 2 weeks now with only partial success and was hoping someone could provide some insight to my problem.
Here's the deal:
Kerberos at first seemed to be running correctly on the two systems as I could issue tickets and authenticate users and hosts without issue. But when I called kadmin to create some default passwd policies, syslog reported the following error on the local machines:
#########################
root@kerberos2> kadmin
Enter Password:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : The routine completed successfully
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : No error
root@kerberos1> kadmin
Enter Password:
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : The routine completed successfully
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : No error
(NOTE: kerberos1-ams is the KDC and kerberos2-ams is a client)
#########################
The same syslog error appears when I call 'kpasswd', but I receive a different, yet similar, error printed to screen:
#########################
root@kerberos1> kpasswd
kpasswd: Changing password for root/admin@TEST.REALM.ORG
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative server fornrealm TEST.REALM.ORG. GSS-API (or Kerberos) error.
#########################
I checked the KDC's modinfo to ensure that the appropriate kernel modules were loaded, and, much to my surprise, the only module I could see that related to security was the standard rpcsec module:
#########################
root@kerberos1> modinfo |grep sec
83 10331c47 4d9b - 1 rpcsec (kernel RPC security module.)
#########################
So, I manually loaded what I believe are the appropriate modules:
#########################
103 102d3877 3d50 - 1 rpcsec_gss (kernel RPCSEC_GSS security ser
104 102d73f7 5b96 - 1 kgssapi (in-kernel GSSAPI)
07 102b87f8 be73 - 1 do_kmech_krb5 (in-kernel Krb5 GSS mechanis
108 78034000 bdf3 - 1 gl_kmech_krb5 (in-kernel Krb5 GSS mechanis
########################
This had no effect whatsoever. All relevant patches are already on the system, so the problem does not lie there. RPC services and the kerberos daemons are running as well:
#########################
root@kerberos1-ams> ps -ef |grep rpc
root 109 1 0 Apr 11 ? 0:00 /usr/sbin/rpcbind
root@kerberos1-ams> ps -ef |grep krb5
root 249 1 0 Apr 11 ? 0:00 /usr/krb5/lib/kadmind
root 254 1 0 Apr 11 ? 0:00 /usr/krb5/lib/krb5kdc
#########################
The configuration files all seem to be in working order as well. Here is a list of pertinent packages on the systems:
#########################
---here are the SEAM-installed packages---
system SUNWk5pk kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
system SUNWk5pkx kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
system SUNWk5pu user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
system SUNWk5pux user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
system SUNWkr5ad Kerberos V5 Administration Tools
system SUNWkr5cl Kerberos V5 clients
system SUNWkr5ma Kerberos V5 Master KDC
system SUNWkr5mn SEAM Manual Pages
system SUNWkr5sl Kerberos V5 Slave KDC
system SUNWkr5sv Kerberized Network Services
---and here are the GSS packages---
system SUNWgsdhx GSS Diffie-Hellman (64-bit)
system SUNWgss GSSAPI V2
system SUNWgssc GSSAPI CONFIG V2
system SUNWgssdh GSS Diffie-Hellman
system SUNWgssk kernel GSSAPI V2
system SUNWgsskx kernel GSSAPI V2 (64-bit)
system SUNWgssx GSSAPI V2 (64-bit)
system SUNWrsg RPCSEC_GSS
system SUNWrsgk kernel RPCSEC_GSS
system SUNWrsgx RPCSEC_GSS (64-bit)
#########################
One last error worth mentioning is with the use of 'gsscred':
#########################
root@kerberos1-ams> gsscred -l
Error searching gsscred table [Operation not Supported: 'gsscred'].
root@kerberos1-ams> gsscred -m kerberos_v5 -a
Error adding user [root, kerberos_v5].
Operation not Supported: 'gsscred'
#########################
Perhaps there has been something that I have missed altogether? Has anyone had any experiences similar to this? I am rather new to Kerberos, so any help here would be greatly appreciated.
-Zaakarij