difficulty implementing Kerberos on Solaris 8 (via Sun's SEAM)

Zaakarij Selassij zaakarij at broken.org
Tue Apr 16 08:54:47 EDT 2002


Thanks again for your attention, Wyllys.

/etc/gss/mech is updated by SUNWk5pk (which is part of the Solaris 8 Encryption pack) automatically upon installation to reflect 'do' instead of 'gl'.  However, I think this is pertinent only if you are protecting NFS with Kerberos, though... not sure.

Anyhow, here is some output from attempts to alleviate the 'rpc_gss_seccreate failed' error that this entire thread is about.  I thought that perhaps it would help to actually create and populate a gsscred_db... I really have no idea if this is necessary, but I thought perhaps this has something to do with the error.  Here 'tis:

###############################
root at kerberos1-ams> cd /etc/gss
root at kerberos1-ams> more mech
---snip---
# Mechanism Name        Object Identifier       Shared Library  Kernel Module
#
diffie_hellman_640_0    1.3.6.4.1.42.2.26.2.4   dh640-0.so.1
diffie_hellman_1024_0   1.3.6.4.1.42.2.26.2.5   dh1024-0.so.1
# kerberos_v5           1.2.840.113554.1.2.2    gl/mech_krb5.so gl_kmech_krb5 
kerberos_v5             1.2.840.113554.1.2.2    do/mech_krb5.so do_kmech_krb5   # SUNWk5pk

root at kerberos1-ams> modinfo | grep do_kmech_krb5
107 102b87f8   be73   -   1  do_kmech_krb5 (in-kernel Krb5 GSS mechanis

root at kerberos1-ams> ls -la
total 16
drwxr-xr-x   2 root     sys          512 Mar 29 16:28 .
drwxr-xr-x  42 root     sys         3584 Apr 11 08:55 ..
-rw-r--r--   1 root     sys          537 Mar 29 16:28 gsscred.conf
-rw-r--r--   1 root     sys          625 Apr  2 12:05 mech
-rw-r--r--   1 root     sys          393 Apr  2 12:05 qop

root at kerberos1-ams> vi gsscred.conf

--snip---
#       xfn_nisplus
#       files
#
files

root at kerberos1-ams> gsscred -l

Error searching gsscred table [Unable to open gsscred file [/etc/gss/gsscred_db]].

root at kerberos1-ams> gsscred -m kerberos_v5 -a

root at kerberos1-ams> ls -la
total 20
drwxr-xr-x   2 root     sys          512 Apr 16 10:38 .
drwxr-xr-x  42 root     sys         3584 Apr 11 08:55 ..
-rw-r--r--   1 root     sys          539 Apr 16 10:36 gsscred.conf
-rw-r--r--   1 root     other       1622 Apr 16 10:38 gsscred_db
-rw-r--r--   1 root     sys          625 Apr  2 12:05 mech
-rw-r--r--   1 root     sys          393 Apr  2 12:05 qop

root at kerberos1-ams> gsscred -m kerberos_v5 -n host/kerberos1-ams -u 0 -a

root at kerberos1-ams> gsscred -m kerberos_v5 -n root/admin -u 0 -a

root at kerberos1-ams> gsscred -l
---snip---
0401000B06092A864886F7120102020000002D000A2A864886F71201020101686F73742F6B65726265726F73312D616D7340434F52502E4D4D464E2E434F4D00        0       host/kerberos1-ams, kerberos_v5
0401000B06092A864886F71201020200000025000A2A864886F71201020101726F6F742F61646D696E40434F52502E4D4D464E2E434F4D00        0       root/admin, kerberos_v5
###############################

Alas, this had no effect as the error I receive is unchanged:

###############################
root at kerberos1-ams> /usr/krb5/sbin/kadmin
Enter Password:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Apr 16 11:14:29 kerberos1-ams kadmin[3652]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 16 11:14:29 kerberos1-ams kadmin[3652]: [ID 824607 user.error] GSS-API error : The routine completed successfully
Apr 16 11:14:29 kerberos1-ams kadmin[3652]: [ID 824607 user.error] GSS-API error : rpc_gss_seccreate failed
Apr 16 11:14:29 kerberos1-ams kadmin[3652]: [ID 824607 user.error] GSS-API error : No error
###############################

I'm at a loss... I've even reinstalled the entire Solaris OE and followed your Sun Blueprints Article, "Kerberos Network Security in the Solaris Operating Environment" step-by-step with identical results.  Obviously I must be doing something wrong if this has worked for you; I just really do not know what.  I can send you formatted output of the installation process if you wouldn't mind going over the steps that I've taken.

If I can't overcome this in the next few days my only alternative will be to turn to the MIT source and compile on BSD or Linux... this will be somewhat funny since I'll be using a couple $500 BSD/Linux machines to provide authentication for a $3,000,000 SF15K+HDS.  =)

Respectfully,

Zaakarij

Wyllys Ingersoll <wyllys.ingersoll at sun.com> wrote:

> 
> What does your /etc/gss/mech file look like?
> 
> Specifically, I'm interested in how the 'kerberos_v5'
> mech is defined:
> 
> For kerberos you should have a line like this:
> kerberos_v5  1.2.840.113554.1.2.2  do/mech_krb5.so do_kmech_krb5
> 
> If it is referencing "gl/mech_krb5.so gl_kmech_krb5", then
> change it to use "do".
> 
> -wyllys
> 
> 
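The hex column printed by `gsscred -l` in the message above is a GSS-API exported name, and decoding it shows exactly which principal and mechanism OID each UID 0 mapping refers to. The following is an added example, not part of the original post or of SEAM: the outer framing follows RFC 2743 section 3.2, the inner layout (2-byte length, name-type OID, NUL-terminated principal) is an assumption inferred from the two rows shown, and the function names are hypothetical.

```python
import struct

# The two `gsscred -l` rows from the post above: hex name, UID, comment.
LISTING = (
    "0401000B06092A864886F7120102020000002D000A2A864886F71201020101686F73742F6B65726265726F73312D616D7340434F52502E4D4D464E2E434F4D00 0 host/kerberos1-ams, kerberos_v5\n"
    "0401000B06092A864886F71201020200000025000A2A864886F71201020101726F6F742F61646D696E40434F52502E4D4D464E2E434F4D00 0 root/admin, kerberos_v5\n"
)

def oid_to_str(body):
    """Dotted form of a DER OID body (the bytes after the 06 <len> header)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_export_name(hexname):
    """Return (mech OID, name-type OID, principal) for one exported name."""
    buf = bytes.fromhex(hexname)
    if buf[:2] != b"\x04\x01":                      # RFC 2743 TOK_ID
        raise ValueError("not a GSS-API exported name")
    (oid_len,) = struct.unpack_from(">H", buf, 2)   # MECH_OID_LEN
    der = buf[4:4 + oid_len]
    if oid_len < 2 or len(der) != oid_len or der[0] != 0x06 or der[1] != oid_len - 2:
        raise ValueError("malformed mechanism OID")
    (name_len,) = struct.unpack_from(">I", buf, 4 + oid_len)  # NAME_LEN
    name = buf[8 + oid_len:]
    if len(name) != name_len:
        raise ValueError("NAME_LEN does not match the data")
    # Assumed inner layout (inferred from the rows above): 2-byte length,
    # name-type OID body, then the NUL-terminated principal string.
    (nt_len,) = struct.unpack_from(">H", name, 0)
    principal = name[2 + nt_len:].rstrip(b"\0").decode("ascii")
    return oid_to_str(der[2:]), oid_to_str(name[2:2 + nt_len]), principal

def audit(listing):
    """Decode each row; flag whether the comment matches the real principal."""
    rows = []
    for line in listing.splitlines():
        hexname, uid, comment = line.split(None, 2)
        mech, _nametype, principal = decode_export_name(hexname)
        matches = principal.split("@")[0] == comment.split(",")[0].strip()
        rows.append((principal, int(uid), mech, matches))
    return rows

if __name__ == "__main__":
    for row in audit(LISTING):
        print(row)
```

The decoded mechanism OID is the same `1.2.840.113554.1.2.2` that the `kerberos_v5` line in `/etc/gss/mech` declares, and both entries carry the realm `CORP.MMFN.COM`.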


