difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Mon Apr 15 09:08:09 EDT 2002
Sun does support this product, so you could try logging a call to Sun
support or looking online at sunsolve.sun.com for any relevant bugs
or patches for this product. I know there are several patches
depending on which version of Solaris you are running.

It might help if you attached your /etc/krb5/krb5.conf and
/etc/krb5/kdc.conf files. It looks like you may have a configuration
problem.

Note that Sun's "kadmin" and "kpasswd" programs can only be used
against SEAM (Sun's Kerberos package) KDC and Admin servers because
Solaris uses RPCSEC_GSS to talk to the servers and MIT uses
a different secure RPC protocol which is incompatible. So, if you are
trying to talk to a non-SEAM KDC that might explain the problem.

The kernel modules for kgssapi and do_kmech_krb5 are only relevant if
you are using Kerberized NFS mounts. The standard Kerberos clients and
server programs distributed with SEAM do not rely on any in-kernel bits.

-Wyllys Ingersoll

Zaakarij Selassij wrote:
> Hello, I have been trying to get Sun's packaged version of Kerberos (SEAM) running on a pair of Sun Netras for nearly 2 weeks now with only partial success and was hoping someone could provide some insight to my problem.
>
> Here's the deal:
>
> Kerberos at first seemed to be running correctly on the two systems as I could issue tickets and authenticate users and hosts without issue. But when I called kadmin to create some default passwd policies, syslog reported the following error on the local machines:
>
> #########################
> root at kerberos2> kadmin
> Enter Password:
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : No error
>
> root at kerberos1> kadmin
> Enter Password:
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : No error
>
> (NOTE: kerberos1-ams is the KDC and kerberos2-ams is a client)
> #########################
>
> The same syslog error appears when I call 'kpasswd', but I receive a different, yet similar, error printed to screen:
>
> #########################
> root at kerberos1> kpasswd
> kpasswd: Changing password for root/admin at TEST.REALM.ORG
> Old password:
> kpasswd: Cannot establish a session with the Kerberos administrative server fornrealm TEST.REALM.ORG. GSS-API (or Kerberos) error.
> #########################
>
> I checked the KDC's modinfo to ensure that the appropriate kernel modules were loaded, and, much to my surprise, the only module I could see that related to security was the standard rpcsec module:
>
> #########################
> root at kerberos1> modinfo |grep sec
> 83 10331c47 4d9b - 1 rpcsec (kernel RPC security module.)
> #########################
>
> So, I manually loaded what I believe are the appropriate modules:
>
> #########################
> 103 102d3877 3d50 - 1 rpcsec_gss (kernel RPCSEC_GSS security ser
> 104 102d73f7 5b96 - 1 kgssapi (in-kernel GSSAPI)
> 07 102b87f8 be73 - 1 do_kmech_krb5 (in-kernel Krb5 GSS mechanis
> 108 78034000 bdf3 - 1 gl_kmech_krb5 (in-kernel Krb5 GSS mechanis
> ########################
>
> This had no effect whatsoever. All relevant patches are already on the system, so the problem does not lie there. RPC services and the kerberos daemons are running as well:
>
> #########################
> root at kerberos1-ams> ps -ef |grep rpc
> root 109 1 0 Apr 11 ? 0:00 /usr/sbin/rpcbind
>
> root at kerberos1-ams> ps -ef |grep krb5
> root 249 1 0 Apr 11 ? 0:00 /usr/krb5/lib/kadmind
> root 254 1 0 Apr 11 ? 0:00 /usr/krb5/lib/krb5kdc
> #########################
>
> The configuration files all seem to be in working order as well. Here is a list of pertinent packages on the systems:
>
> #########################
> ---here are the SEAM-installed packages---
> system SUNWk5pk kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
> system SUNWk5pkx kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
> system SUNWk5pu user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
> system SUNWk5pux user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
> system SUNWkr5ad Kerberos V5 Administration Tools
> system SUNWkr5cl Kerberos V5 clients
> system SUNWkr5ma Kerberos V5 Master KDC
> system SUNWkr5mn SEAM Manual Pages
> system SUNWkr5sl Kerberos V5 Slave KDC
> system SUNWkr5sv Kerberized Network Services
>
> ---and here are the GSS packages---
>
> system SUNWgsdhx GSS Diffie-Hellman (64-bit)
> system SUNWgss GSSAPI V2
> system SUNWgssc GSSAPI CONFIG V2
> system SUNWgssdh GSS Diffie-Hellman
> system SUNWgssk kernel GSSAPI V2
> system SUNWgsskx kernel GSSAPI V2 (64-bit)
> system SUNWgssx GSSAPI V2 (64-bit)
> system SUNWrsg RPCSEC_GSS
> system SUNWrsgk kernel RPCSEC_GSS
> system SUNWrsgx RPCSEC_GSS (64-bit)
> #########################
>
> One last error worth mentioning is with the use of 'gsscred':
>
> #########################
> root at kerberos1-ams> gsscred -l
> Error searching gsscred table [Operation not Supported: 'gsscred'].
>
> root at kerberos1-ams> gsscred -m kerberos_v5 -a
> Error adding user [root, kerberos_v5].
> Operation not Supported: 'gsscred'
> #########################
>
> Perhaps there has been something that I have missed altogether? Has anyone had any experiences similar to this? I am rather new to Kerberos, so any help here would be greatly appreciated.
>
> -Zaakarij
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
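
A sketch of the configuration check the reply asks for, as an added example (not part of the original thread and not Sun's or MIT's code): it parses krb5.conf text and reports whether the default realm names a kdc and an admin_server, returning the admin_server hosts so they can be confirmed to be SEAM servers. The function names and the sample file are constructed, and the parser assumes the usual multi-line `REALM = { ... }` block syntax.

```python
import re
# Constructed sample: realm name from the post; the host name is a placeholder.
SAMPLE = """
[libdefaults]
    default_realm = TEST.REALM.ORG
[realms]
    TEST.REALM.ORG = {
        kdc = kdc.example.org
    }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into nested dicts; each key maps to a list of values."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                              # section such as [realms]
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:    # end of a realm block
            stack.pop()
        elif stack and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                    # start of a nested block
                sub = stack[-1].get(key)
                if not isinstance(sub, dict):
                    sub = stack[-1][key] = {}
                stack.append(sub)
            else:
                vals = stack[-1].get(key)
                if not isinstance(vals, list):
                    vals = stack[-1][key] = []
                vals.append(value)
    return conf

def check_kadmin_config(text):
    """Return (admin_server hosts, findings) for the default realm."""
    conf = parse_krb5_conf(text)
    default = conf.get("libdefaults", {}).get("default_realm")
    if not isinstance(default, list):
        return [], ["[libdefaults] has no default_realm"]
    entry = conf.get("realms", {}).get(default[-1])
    if not isinstance(entry, dict):
        return [], [f"no [realms] entry for default_realm {default[-1]}"]
    hosts = {k: v for k, v in entry.items() if isinstance(v, list)}
    findings = [f"realm {default[-1]} has no {k}" for k in ("kdc", "admin_server") if k not in hosts]
    return hosts.get("admin_server", []), findings
if __name__ == "__main__": print(check_kadmin_config(SAMPLE))
```

An empty findings list only shows that the file is structurally complete; whether the listed admin_server actually runs SEAM's kadmind still has to be confirmed on that host.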