difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)
Zaakarij Selassij
zaakarij at broken.org
Mon Apr 15 13:23:48 EDT 2002
Thanks for the reply, Paul. The packages you are referring to are part of the Solaris 8 encryption pack, and, if you look at the bottom of my original post, you will notice that the encryption packages you mention are already on the systems.
Regards,
Zaakarij
Paul Sangster <paul.sangster at sun.com> wrote:
> Another thing to consider is if you have the domestic encryption
> packages installed. These packages are required for kadmin/kpasswd
> to operate since they provide the privacy support for RPCSEC.
>
> To verify that you do not have these packages installed, use
> pkginfo <pkgname>
> where <pkgname> is from the set of SUNWk5pk, SUNWk5pkx, SUNWk5pu,
> SUNWk5pux.
>
> These packages are available as a free web download for Solaris 8
> from the following URL:
> http://wwws.sun.com/software/solaris/encryption/download.html
>
> Paul
>
> Wyllys Ingersoll wrote:
> >
> > Sun does support this product, so you could try logging a call to Sun
> > support or looking online at sunsolve.sun.com for any relevant bugs
> > or patches for this product. I know there are several patches
> > depending on which version of Solaris you are running.
> >
> > It might help if you attached your /etc/krb5/krb5.conf and
> > /etc/krb5/kdc.conf files. It looks like you may have a configuration
> > problem.
> >
> > Note that Sun's "kadmin" and "kpasswd" programs can only be used
> > against SEAM (Sun's Kerberos package) KDC and Admin servers because
> > Solaris uses RPCSEC_GSS to talk to the servers and MIT uses
> > a different secure RPC protocol which is incompatible. So, if you are
> > trying to talk to a non-SEAM KDC that might explain the problem.
> >
> > The kernel modules for kgssapi and do_kmech_krb5 are only relevant if
> > you are using Kerberized NFS mounts. The standard Kerberos clients and
> > server programs distributed with SEAM do not rely on any in-kernel bits.
> >
> > -Wyllys Ingersoll
> >
> > Zaakarij Selassij wrote:
> > > Hello, I have been trying to get Sun's packaged version of Kerberos (SEAM) running on a pair of Sun Netras for nearly 2 weeks now with only partial success and was hoping someone could provide some insight to my problem.
> > >
> > > Here's the deal:
> > >
> > > Kerberos at first seemed to be running correctly on the two systems as I could issue tickets and authenticate users and hosts without issue. But when I called kadmin to create some default passwd policies, syslog reported the following error on the local machines:
> > >
> > > #########################
> > > root at kerberos2> kadmin
> > > Enter Password:
> > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
> > > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> > > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > > Apr 13 17:38:00 kerberos2-ams kadmin[359]: [ID 824607 user.error] GSS-API error : No error
> > >
> > > root at kerberos1> kadmin
> > > Enter Password:
> > > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : The routine completed successfully
> > > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
> > > Apr 13 17:38:26 kerberos1-ams kadmin[2819]: [ID 824607 user.error] GSS-API error : No error
> > >
> > > (NOTE: kerberos1-ams is the KDC and kerberos2-ams is a client)
> > > #########################
> > >
> > > The same syslog error appears when I call 'kpasswd', but I receive a different, yet similar, error printed to screen:
> > >
> > > #########################
> > > root at kerberos1> kpasswd
> > > kpasswd: Changing password for root/admin at TEST.REALM.ORG
> > > Old password:
> > > kpasswd: Cannot establish a session with the Kerberos administrative server fornrealm TEST.REALM.ORG. GSS-API (or Kerberos) error.
> > > #########################
> > >
> > > I checked the KDC's modinfo to ensure that the appropriate kernel modules were loaded, and, much to my surprise, the only module I could see that related to security was the standard rpcsec module:
> > >
> > > #########################
> > > root at kerberos1> modinfo |grep sec
> > > 83 10331c47 4d9b - 1 rpcsec (kernel RPC security module.)
> > > #########################
> > >
> > > So, I manually loaded what I believe are the appropriate modules:
> > >
> > > #########################
> > > 103 102d3877 3d50 - 1 rpcsec_gss (kernel RPCSEC_GSS security ser
> > > 104 102d73f7 5b96 - 1 kgssapi (in-kernel GSSAPI)
> > > 07 102b87f8 be73 - 1 do_kmech_krb5 (in-kernel Krb5 GSS mechanis
> > > 108 78034000 bdf3 - 1 gl_kmech_krb5 (in-kernel Krb5 GSS mechanis
> > > ########################
> > >
> > > This had no effect whatsoever. All relevant patches are already on the system, so the problem does not lie there. RPC services and the kerberos daemons are running as well:
> > >
> > > #########################
> > > root at kerberos1-ams> ps -ef |grep rpc
> > > root 109 1 0 Apr 11 ? 0:00 /usr/sbin/rpcbind
> > >
> > > root at kerberos1-ams> ps -ef |grep krb5
> > > root 249 1 0 Apr 11 ? 0:00 /usr/krb5/lib/kadmind
> > > root 254 1 0 Apr 11 ? 0:00 /usr/krb5/lib/krb5kdc
> > > #########################
> > >
> > > The configuration files all seem to be in working order as well. Here is a list of pertinent packages on the systems:
> > >
> > > #########################
> > > ---here are the SEAM-installed packages---
> > > system SUNWk5pk kernel Kerberos V5 plug-in w/auth+privacy (32-bit)
> > > system SUNWk5pkx kernel Kerberos V5 plug-in w/auth+privacy (64-bit)
> > > system SUNWk5pu user Kerberos V5 gss mechanism w/auth+privacy (32-bit)
> > > system SUNWk5pux user Kerberos V5 gss mechanism w/auth+privacy (64-bit)
> > > system SUNWkr5ad Kerberos V5 Administration Tools
> > > system SUNWkr5cl Kerberos V5 clients
> > > system SUNWkr5ma Kerberos V5 Master KDC
> > > system SUNWkr5mn SEAM Manual Pages
> > > system SUNWkr5sl Kerberos V5 Slave KDC
> > > system SUNWkr5sv Kerberized Network Services
> > >
> > > ---and here are the GSS packages---
> > >
> > > system SUNWgsdhx GSS Diffie-Hellman (64-bit)
> > > system SUNWgss GSSAPI V2
> > > system SUNWgssc GSSAPI CONFIG V2
> > > system SUNWgssdh GSS Diffie-Hellman
> > > system SUNWgssk kernel GSSAPI V2
> > > system SUNWgsskx kernel GSSAPI V2 (64-bit)
> > > system SUNWgssx GSSAPI V2 (64-bit)
> > > system SUNWrsg RPCSEC_GSS
> > > system SUNWrsgk kernel RPCSEC_GSS
> > > system SUNWrsgx RPCSEC_GSS (64-bit)
> > > #########################
> > >
> > > One last error worth mentioning is with the use of 'gsscred':
> > >
> > > #########################
> > > root at kerberos1-ams> gsscred -l
> > > Error searching gsscred table [Operation not Supported: 'gsscred'].
> > >
> > > root at kerberos1-ams> gsscred -m kerberos_v5 -a
> > > Error adding user [root, kerberos_v5].
> > > Operation not Supported: 'gsscred'
> > > #########################
> > >
> > > Perhaps there has been something that I have missed altogether? Has anyone had any experiences similar to this? I am rather new to Kerberos, so any help here would be greatly appreciated.
> > >
> > > -Zaakarij
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> >