difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)

Paul Sangster paul.sangster at sun.com
Mon Apr 15 11:54:39 EDT 2002


Another thing to consider is if you have the domestic encryption 
packages installed.  These packages are required for kadmin/kpasswd
to operate since they provide the privacy support for RPCSEC.

To verify that you do not have these packages installed, use 
   pkginfo <pkgname> 
where <pkgname> is from the set of SUNWk5pk, SUNWk5pkx, SUNWk5pu, 
SUNWk5pux.

These packages are available as a free web download for Solaris 8
from the following URL:
   http://wwws.sun.com/software/solaris/encryption/download.html

Paul

Wyllys Ingersoll wrote:
> 
> Sun does support this product, so you could try logging a call to Sun
> support or looking online at sunsolve.sun.com for any relevant bugs
> or patches for this product. I know there are several patches
> depending on which version of Solaris you are running.
> 
> It might help if you attached your /etc/krb5/krb5.conf and
> /etc/krb5/kdc.conf files.  It looks like you may have a configuration
> problem.
> 
> Note that Sun's "kadmin" and "kpasswd" programs can only be used
> against SEAM (Sun's Kerberos package) KDC and Admin servers because
> Solaris uses RPCSEC_GSS to talk to the servers and MIT uses
> a different secure RPC protocol which is incompatible.  So, if you are
> trying to talk to a non-SEAM KDC that might explain the problem.
> 
> The kernel modules for kgssapi and do_kmech_krb5 are only relevant if
> you are using Kerberized NFS mounts.  The standard Kerberos clients and
> server programs distributed with SEAM do not rely on any in-kernel bits.
> 
> -Wyllys Ingersoll
> 
> Zaakarij Selassij wrote:
> > Hello, I have been trying to get Sun's packaged version of Kerberos (SEAM) running on a pair of Sun Netras for nearly 2 weeks now with only partial success and was hoping someone could provide some insight to my problem.
> >
> > Here's the deal:
> >
> > Kerberos at first seemed to be running correctly on the two systems as I could issue tickets and authenticate users and hosts without issue.  But when I called kadmin to create some default passwd policies, syslog reported the following error on the local machines:
> >
> > #########################
> > root at kerberos2> kadmin
> > Enter Password:
> > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : No error
> >
> > root at kerberos1> kadmin
> > Enter Password:
> > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : No error
> >
> > (NOTE: kerberos1-ams is the KDC and kerberos2-ams is a client)
> > #########################
> >
> > The same syslog error appears when I call 'kpasswd', but I receive a different, yet similar, error printed to screen:
> >
> > #########################
> > root at kerberos1> kpasswd
> > kpasswd: Changing password for root/admin at TEST.REALM.ORG
> > Old password:
> > kpasswd: Cannot establish a session with the Kerberos administrative server fornrealm TEST.REALM.ORG. GSS-API (or Kerberos) error.
> > #########################
> >
> > I checked the KDC's modinfo to ensure that the appropriate kernel modules were loaded, and, much to my surprise, the only module I could see that related to security was the standard rpcsec module:
> >
> > #########################
> > root at kerberos1> modinfo |grep sec
> > 83 10331c47   4d9b   -   1  rpcsec (kernel RPC security module.)
> > #########################
> >
> > So, I manually loaded what I believe are the appropriate modules:
> >
> > #########################
> > 103 102d3877   3d50   -   1  rpcsec_gss (kernel RPCSEC_GSS security ser
> > 104 102d73f7   5b96   -   1  kgssapi (in-kernel GSSAPI)
> > 07 102b87f8   be73   -   1  do_kmech_krb5 (in-kernel Krb5 GSS mechanis
> > 108 78034000   bdf3   -   1  gl_kmech_krb5 (in-kernel Krb5 GSS mechanis
> > ########################
> >
> > This had no effect whatsoever.  All relevant patches are already on the system, so the problem does not lie there.  RPC services and the kerberos daemons are running as well:
> >
> > #########################
> > root at kerberos1-ams> ps -ef |grep rpc
> > root   109     1  0   Apr 11 ?        0:00 /usr/sbin/rpcbind
> >
> > root at kerberos1-ams> ps -ef |grep krb5
> > root   249     1  0   Apr 11 ?        0:00 /usr/krb5/lib/kadmind
> > root   254     1  0   Apr 11 ?        0:00 /usr/krb5/lib/krb5kdc
> > #########################
> >
> > The configuration files all seem to be in working order as well.  Here is a list of pertinent packages on the systems:
> >
> > #########################
> > ---here are the SEAM-installed packages---
> > system      SUNWk5pk       kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
> > system      SUNWk5pkx      kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
> > system      SUNWk5pu       user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
> > system      SUNWk5pux      user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
> > system      SUNWkr5ad      Kerberos V5 Administration Tools
> > system      SUNWkr5cl      Kerberos V5 clients
> > system      SUNWkr5ma      Kerberos V5 Master KDC
> > system      SUNWkr5mn      SEAM Manual Pages
> > system      SUNWkr5sl      Kerberos V5 Slave KDC
> > system      SUNWkr5sv      Kerberized Network Services
> >
> > ---and here are the GSS packages---
> >
> > system      SUNWgsdhx      GSS Diffie-Hellman (64-bit)
> > system      SUNWgss        GSSAPI V2
> > system      SUNWgssc       GSSAPI CONFIG V2
> > system      SUNWgssdh      GSS Diffie-Hellman
> > system      SUNWgssk       kernel GSSAPI V2
> > system      SUNWgsskx      kernel GSSAPI V2 (64-bit)
> > system      SUNWgssx       GSSAPI V2 (64-bit)
> > system      SUNWrsg        RPCSEC_GSS
> > system      SUNWrsgk       kernel RPCSEC_GSS
> > system      SUNWrsgx       RPCSEC_GSS (64-bit)
> > #########################
> >
> > One last error worth mentioning is with the use of 'gsscred':
> >
> > #########################
> > root at kerberos1-ams> gsscred -l
> > Error searching gsscred table [Operation not Supported: 'gsscred'].
> >
> > root at kerberos1-ams> gsscred -m kerberos_v5 -a
> > Error adding user [root, kerberos_v5].
> > Operation not Supported: 'gsscred'
> > #########################
> >
> > Perhaps there has been something that I have missed altogether?  Has anyone had any experiences similar to this?  I am rather new to Kerberos, so any help here would be greatly appreciated.
> >
> > -Zaakarij
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos

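The package check described in the reply above, as an added shell example that is not part of the original thread. It assumes the Solaris `pkginfo -q` behaviour (no output, exit status 0 when the package is installed); the function names are hypothetical, and the code avoids `$(...)` and `!` so that it also runs under the Solaris 8 `/bin/sh`.

```shell
#!/bin/sh
# Added example: report which of the four encryption packages named in
# the message are missing on this host.

PRIVACY_PKGS="SUNWk5pk SUNWk5pkx SUNWk5pu SUNWk5pux"

# Print the names of the missing packages, space separated, on one line.
# An empty line means all four are installed.
missing_privacy_pkgs() {
    missing=""
    for pkg in $PRIVACY_PKGS; do
        # pkginfo -q prints nothing; the exit status carries the answer.
        if pkginfo -q "$pkg" 2>/dev/null; then
            :
        else
            missing="${missing:+$missing }$pkg"
        fi
    done
    echo "$missing"
}

# Return 0 when all four packages are installed, 1 otherwise.
check_privacy_pkgs() {
    missing=`missing_privacy_pkgs`
    if [ -z "$missing" ]; then
        echo "all privacy packages installed: $PRIVACY_PKGS"
        return 0
    fi
    echo "missing: $missing"
    echo "kadmin/kpasswd need these packages for RPCSEC privacy support"
    return 1
}

# Run the check only where pkginfo exists, i.e. on the Solaris host itself.
if type pkginfo >/dev/null 2>&1; then
    check_privacy_pkgs
fi
```

Run it on both the KDC and the client, since each side of the kadmin/kpasswd connection is a separate installation.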

