Solaris 9/kadmin problems

Ken Raeburn raeburn at MIT.EDU
Tue Aug 6 10:54:16 EDT 2002


"Joe Sunday" <sunday at csh.rit.edu> writes:
> I've got a Solaris 9 client (using the Sun libraries) trying to talk to a
> NetBSD kdc running on a Dec 3000, and I've got the kpasswd_protocol =
> SET_CHANGE flag in the krb5.conf file.

Sun's RPC library uses Kerberos for authentication, as MIT's does;
however, the lower-level RPC protocol is different.  So even if you're
running MIT code and not Heimdal on the NetBSD box, they won't be able
to talk to each other.  (The RPC calls for MIT and Heimdal aren't the
same, either.)

> I can start kadmin and login, but as soon as I try to do anything with a
> principal like getprinc or ktadd to create my machine's keytab so the pam
> module works, kadmin segfaults.

That's a bit disappointing, but I doubt the MIT client would be any
more robust if the situation were reversed. :-(

> kinit itself seems to work, as I can grab a ticket from the kdc for a user,

That just depends on the Kerberos protocol, which is independent of
the implementation.

> but without a keytab file the pam module doesn't work, so I can't use it to
> authenticate logins.

Try running kadmin on the NetBSD box to extract the keytab, then use
encrypted file transfer (scp, Kerberos rcp/ftp) from the Sun to copy
it over.  Or register the principal with a password-based key, and if
Sun provides ktutil, use that to create the keytab using the same
password.

Ken


