difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Apr 15 09:08:09 EDT 2002


Sun does support this product, so you could try logging a call to Sun
support or looking online at sunsolve.sun.com for any relevant bugs
or patches for this product. I know there are several patches
depending on which version of Solaris you are running.

It might help if you attached your /etc/krb5/krb5.conf and
/etc/krb5/kdc.conf files.  It looks like you may have a configuration
problem.

Note that Sun's "kadmin" and "kpasswd" programs can only be used
against SEAM (Sun's Kerberos package) KDC and Admin servers because
Solaris uses RPCSEC_GSS to talk to the servers and MIT uses
a different secure RPC protocol which is incompatible.  So, if you are
trying to talk to a non-SEAM KDC that might explain the problem.

The kernel modules for kgssapi and do_kmech_krb5 are only relevant if
you are using Kerberized NFS mounts.  The standard Kerberos clients and
server programs distributed with SEAM do not rely on any in-kernel bits.

-Wyllys Ingersoll


Zaakarij Selassij wrote:
> Hello, I  have been trying to get Sun's packaged version of Kerberos (SEAM) running on a pair of Sun Netras for nearly 2 weeks now with only partial success and was hoping someone could provide some insight to my problem.
> 
> Here's the deal:
> 
> Kerberos at first seemed to be running correctly on the two systems as I could issue tickets and authenticate users and hosts without issue.  But when I called kadmin to create some default passwd policies, syslog reported the following error on the local machines:
> 
> #########################
> root at kerberos2> kadmin
> Enter Password:
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : No error
> 
> root at kerberos1> kadmin
> Enter Password:
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : No error
> 
> (NOTE: kerberos1-ams is the KDC and kerberos2-ams is a client)
> #########################
> 
> The same syslog error appears when I call 'kpasswd', but I receive a different , yet similar, error printed to screen:
> 
> #########################
> root at kerberos1> kpasswd 
> kpasswd: Changing password for root/admin at TEST.REALM.ORG
> Old password:
> kpasswd: Cannot establish a session with the Kerberos administrative server fornrealm TEST.REALM.ORG. GSS-API (or Kerberos) error.
> #########################
> 
> I checked the KDC's modinfo to ensure that the appropriate kernel modules were loaded, and, much to my surprise, the only module I could see that related to security was the standard rpcsec module:
> 
> #########################
> root at kerberos1> modinfo |grep sec
> 83 10331c47   4d9b   -   1  rpcsec (kernel RPC security module.)
> #########################
> 
> So, I manually loaded what I believe are the appropriate modules:
> 
> #########################
> 103 102d3877   3d50   -   1  rpcsec_gss (kernel RPCSEC_GSS security ser
> 104 102d73f7   5b96   -   1  kgssapi (in-kernel GSSAPI)
> 07 102b87f8   be73   -   1  do_kmech_krb5 (in-kernel Krb5 GSS mechanis
> 108 78034000   bdf3   -   1  gl_kmech_krb5 (in-kernel Krb5 GSS mechanis
> ########################
> 
> This had no effect whatsoever.  All relevant patches are already on the system, so the problem does not lie there.  RPC services and the kerberos daemons are running as well:
> 
> #########################
> root at kerberos1-ams> ps -ef |grep rpc
> root   109     1  0   Apr 11 ?        0:00 /usr/sbin/rpcbind
> 
> root at kerberos1-ams> ps -ef |grep krb5
> root   249     1  0   Apr 11 ?        0:00 /usr/krb5/lib/kadmind
> root   254     1  0   Apr 11 ?        0:00 /usr/krb5/lib/krb5kdc
> #########################
> 
> The configuration files all seem to be in working order as well.  Here is a list of pertinent packages on the systems:
> 
> #########################
> ---here are the SEAM-installed packages---
> system      SUNWk5pk       kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
> system      SUNWk5pkx      kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
> system      SUNWk5pu       user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
> system      SUNWk5pux      user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
> system      SUNWkr5ad      Kerberos V5 Administration Tools
> system      SUNWkr5cl      Kerberos V5 clients
> system      SUNWkr5ma      Kerberos V5 Master KDC
> system      SUNWkr5mn      SEAM Manual Pages
> system      SUNWkr5sl      Kerberos V5 Slave KDC
> system      SUNWkr5sv      Kerberized Network Services
> 
> ---and here are the GSS packages---
> 
> system      SUNWgsdhx      GSS Diffie-Hellman (64-bit)
> system      SUNWgss        GSSAPI V2
> system      SUNWgssc       GSSAPI CONFIG V2
> system      SUNWgssdh      GSS Diffie-Hellman
> system      SUNWgssk       kernel GSSAPI V2
> system      SUNWgsskx      kernel GSSAPI V2 (64-bit)
> system      SUNWgssx       GSSAPI V2 (64-bit)
> system      SUNWrsg        RPCSEC_GSS
> system      SUNWrsgk       kernel RPCSEC_GSS
> system      SUNWrsgx       RPCSEC_GSS (64-bit)
> #########################
> 
> One last error worth mentioning is with the use of' 'gsscred':
> 
> #########################
> root at kerberos1-ams> gsscred -l
> Error searching gsscred table [Operation not Supported: 'gsscred'].
> 
> root at kerberos1-ams> gsscred -m kerberos_v5 -a
> Error adding user [root, kerberos_v5].
> Operation not Supported: 'gsscred'
> #########################
> 
> Perhaps there has been something that I have missed altogether?  Has anyone had any experiences similar to this?  I rather new to kerberos, so any help here would be greatly appreciated.
> 
> -Zaakarij
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos






More information about the Kerberos mailing list