difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)
Zaakarij Selassij
zaakarij at broken.org
Mon Apr 15 10:40:31 EDT 2002
Thanks for the reply, Wyllys. My comments are below.
> Sun does support this product, so you could try logging a call to Sun
> support or looking online at sunsolve.sun.com for any relevant bugs
> or patches for this product. I know there are several patches
> depending on which version of Solaris you are running.
I have already searched throughout Sun's online services... I've found nothing specific to my particular problem. SEAM 1.0.1 is in use on both servers (Solaris 8 02/02 OE SPARC) and is patched to the most current level (110060-11):
------------------------
Patch-ID# 110060-11
Keywords: security login.krb5 chdir ftpd telnetd rshd krb5kdc role kerberos
Synopsis: SEAM 1.0.1: Patch for Solaris 8
Date: Apr/04/2002
------------------------
I have a number of Sun ProServ engineers here on-site where I am and none of them have been able to provide any assistance... I hope to receive further support from Sun in the coming days.
> It might help if you attached your /etc/krb5/krb5.conf and
> /etc/krb5/kdc.conf files. It looks like you may have a configuration
> problem.
Here goes:
#########################
root at kerberos1-ams> cat kdc.conf
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kdc.conf 1.2 98/08/17 SMI"
[kdcdefaults]
kdc_ports = 88,750
[realms]
TEST.REALM.ORG = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
dict_file = /usr/share/lib/dict/words
}
----------------and------------------
root at kerberos1-ams> cat krb5.conf
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)krb5.conf 1.10 98/11/11 SMI"
[libdefaults]
ticket_lifetime = 600
default_realm = TEST.REALM.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# des3-hmac-sha1 is not supported by Sun's implementation of
# Kerberos yet, this is added for future use.
[realms]
TEST.REALM.ORG = {
kdc = kerberos1-ams.test.realm.org
kdc = kerberos2-ams.test.realm.org
admin_server = kerberos1-ams.test.realm.org
default_domain = realm.org
}
[domain_realm]
.corp.mmfn.com = TEST.REALM.ORG
corp.mmfn.com = TEST.REALM.ORG
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
gkadmin = {
help_url = http://localhost:8888/ab2/coll.384.2/SEAM
}
kinit = {
renewable = true
forwardable= true
}
rlogin = {
forwardable= true
}
rsh = {
forwardable= true
}
telnet = {
autologin = true
forwardable= true
}
#########################
Seems fine to me... anyone see something that I've missed?
> Note that Sun's "kadmin" and "kpasswd" programs can only be used
> against SEAM (Sun's Kerberos package) KDC and Admin servers because
> Solaris uses RPCSEC_GSS to talk to the servers and MIT uses
> a different secure RPC protocol which is incompatible. So, if you are
> trying to talk to a non-SEAM KDC that might explain the problem.
All relevant systems are running SEAM, not MIT Kerberos.
> The kernel modules for kgssapi and do_kmech_krb5 are only relevant if
> you are using Kerberized NFS mounts. The standard Kerberos clients and
> server programs distributed with SEAM do not rely on any in-kernel bits.
Good to know... so the SEAM "5.8 Kernel Module" is not necessary to install unless protecting NFS mounts?
Thanks for the help!
-Zaakarij
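As an added example (my own code, not from this post and not part of Sun's SEAM), here is a small Python checker for the profile format that krb5.conf and kdc.conf share. It parses the [section] headers, nested { } blocks and repeated keys, then runs the cross-section checks worth doing by hand before suspecting the software: default_realm is defined under [realms], every realm lists a kdc, every [domain_realm] target is a defined realm, each realm's default_domain has a [domain_realm] mapping, and the enctype lists contain nothing deprecated. The sample input is the [libdefaults], [realms] and [domain_realm] part of the krb5.conf posted above. The deprecated-enctype list follows RFC 6649 and RFC 8429, which postdate this thread, so that finding is about current practice rather than the 2002 problem; the checker does not model the SEAM-versus-MIT RPC incompatibility Wyllys describes.

```python
import re

# Sample input: the [libdefaults], [realms] and [domain_realm] sections of
# the krb5.conf posted above, copied as-is.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = TEST.REALM.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
TEST.REALM.ORG = {
kdc = kerberos1-ams.test.realm.org
kdc = kerberos2-ams.test.realm.org
admin_server = kerberos1-ams.test.realm.org
default_domain = realm.org
}
[domain_realm]
.corp.mmfn.com = TEST.REALM.ORG
corp.mmfn.com = TEST.REALM.ORG
"""

# Enctypes deprecated for Kerberos by RFC 6649 (single DES, RC4-HMAC-EXP)
# and RFC 8429 (triple DES, RC4-HMAC); unremarkable in 2002, a finding today.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3-cbc-sha1",
    "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}


def parse_krb5_conf(text):
    """Parse the krb5.conf/kdc.conf profile format into nested dicts.

    [name] opens a section, key = value is an entry, a value of '{' opens a
    block closed by a bare '}', and repeated keys (kdc = ...) become a list.
    """
    config = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        section = re.match(r"^\[(\w+)\]$", line)
        if section:
            config[section.group(1)] = {}
            stack = [config[section.group(1)]]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if "=" not in line or not stack:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current = stack[-1]
        if value == "{":
            current[key] = {}
            stack.append(current[key])
        elif key in current:  # repeated key: keep every value, in file order
            seen = current[key]
            current[key] = (seen if isinstance(seen, list) else [seen]) + [value]
        else:
            current[key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return config


def lint_krb5_conf(cfg):
    """Return (severity, message) pairs for cross-section and enctype problems."""
    findings = []
    libdefaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    domain_realm = cfg.get("domain_realm", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append(("error", "[libdefaults] sets no default_realm"))
    elif default_realm not in realms:
        findings.append(("error", f"default_realm {default_realm} is not defined in [realms]"))
    for name, realm in realms.items():
        if not isinstance(realm, dict):
            continue
        if "kdc" not in realm:
            findings.append(("error", f"realm {name} lists no kdc"))
        domain = realm.get("default_domain")
        if domain and domain not in domain_realm and "." + domain not in domain_realm:
            findings.append(("warning",
                             f"realm {name}: default_domain {domain} has no [domain_realm] mapping"))
    for domain, target in domain_realm.items():
        if target not in realms:
            findings.append(("error", f"[domain_realm] maps {domain} to undefined realm {target}"))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(("warning", f"{key} enables deprecated enctypes: {' '.join(weak)}"))
    return findings
```

Run it with `lint_krb5_conf(parse_krb5_conf(open("/etc/krb5/krb5.conf").read()))`. On the posted file it reports no errors and three warnings: default_domain realm.org has no [domain_realm] entry (the mappings are for corp.mmfn.com), and both enctype lists hold only DES and 3DES. The first is an observation about the file as posted, not a diagnosis of the problem in this thread; whether it matters depends on which hostnames the clients actually present.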