difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)

Zaakarij Selassij zaakarij at broken.org
Mon Apr 15 08:28:56 EDT 2002 

Hello, I  have been trying to get Sun's packaged version of Kerberos (SEAM) running on a pair of Sun Netras for nearly 2 weeks now with only partial success and was hoping someone could provide some insight to my problem.

Here's the deal:

Kerberos at first seemed to be running correctly on the two systems as I could issue tickets and authenticate users and hosts without issue.  But when I called kadmin to create some default passwd policies, syslog reported the following error on the local machines:

#########################
root at kerberos2> kadmin
Enter Password:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : The routine completed successfully
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : No error

root at kerberos1> kadmin
Enter Password:
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : The routine completed successfully
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : No error

(NOTE: kerberos1-ams is the KDC and kerberos2-ams is a client)
#########################

The same syslog error appears when I call 'kpasswd', but I receive a different , yet similar, error printed to screen:

#########################
root at kerberos1> kpasswd 
kpasswd: Changing password for root/admin at TEST.REALM.ORG
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative server fornrealm TEST.REALM.ORG. GSS-API (or Kerberos) error.
#########################

I checked the KDC's modinfo to ensure that the appropriate kernel modules were loaded, and, much to my surprise, the only module I could see that related to security was the standard rpcsec module:

#########################
root at kerberos1> modinfo |grep sec
83 10331c47   4d9b   -   1  rpcsec (kernel RPC security module.)
#########################

So, I manually loaded what I believe are the appropriate modules:

#########################
103 102d3877   3d50   -   1  rpcsec_gss (kernel RPCSEC_GSS security ser
104 102d73f7   5b96   -   1  kgssapi (in-kernel GSSAPI)
07 102b87f8   be73   -   1  do_kmech_krb5 (in-kernel Krb5 GSS mechanis
108 78034000   bdf3   -   1  gl_kmech_krb5 (in-kernel Krb5 GSS mechanis
########################

This had no effect whatsoever.  All relevant patches are already on the system, so the problem does not lie there.  RPC services and the kerberos daemons are running as well:

#########################
root at kerberos1-ams> ps -ef |grep rpc
root   109     1  0   Apr 11 ?        0:00 /usr/sbin/rpcbind

root at kerberos1-ams> ps -ef |grep krb5
root   249     1  0   Apr 11 ?        0:00 /usr/krb5/lib/kadmind
root   254     1  0   Apr 11 ?        0:00 /usr/krb5/lib/krb5kdc
#########################

The configuration files all seem to be in working order as well.  Here is a list of pertinent packages on the systems:

#########################
---here are the SEAM-installed packages---
system      SUNWk5pk       kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
system      SUNWk5pkx      kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
system      SUNWk5pu       user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
system      SUNWk5pux      user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
system      SUNWkr5ad      Kerberos V5 Administration Tools
system      SUNWkr5cl      Kerberos V5 clients
system      SUNWkr5ma      Kerberos V5 Master KDC
system      SUNWkr5mn      SEAM Manual Pages
system      SUNWkr5sl      Kerberos V5 Slave KDC
system      SUNWkr5sv      Kerberized Network Services

---and here are the GSS packages---

system      SUNWgsdhx      GSS Diffie-Hellman (64-bit)
system      SUNWgss        GSSAPI V2
system      SUNWgssc       GSSAPI CONFIG V2
system      SUNWgssdh      GSS Diffie-Hellman
system      SUNWgssk       kernel GSSAPI V2
system      SUNWgsskx      kernel GSSAPI V2 (64-bit)
system      SUNWgssx       GSSAPI V2 (64-bit)
system      SUNWrsg        RPCSEC_GSS
system      SUNWrsgk       kernel RPCSEC_GSS
system      SUNWrsgx       RPCSEC_GSS (64-bit)
#########################

One last error worth mentioning is with the use of' 'gsscred':

#########################
root at kerberos1-ams> gsscred -l
Error searching gsscred table [Operation not Supported: 'gsscred'].

root at kerberos1-ams> gsscred -m kerberos_v5 -a
Error adding user [root, kerberos_v5].
Operation not Supported: 'gsscred'
#########################

Perhaps there has been something that I have missed altogether?  Has anyone had any experiences similar to this?  I rather new to kerberos, so any help here would be greatly appreciated.

-Zaakarij

More information about the Kerberos mailing list