Solaris 9/kadmin problems
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Wed Aug 7 09:29:49 EDT 2002
Joe Sunday wrote:
> I've got a Solaris 9 client (Using the Sun libraries) trying to talk to a
> NetBSD kdc running on a Dec 3000, and I've got the kpasswd_protocol =
> SET_CHANGE flag in the krb5.conf file.
>
> I can start kadmin and login, but as soon as I try to do anything with a
> principal like getprinc or ktadd to create my machine's keytab so the pam
> module works, kadmin segfaults

Sorry for the core dump, we should exit more gracefully than that :)

The SET_CHANGE flag is only to allow Solaris users to change
their passwords on an MIT-based admin server (using 'kpasswd'
or PAM), it does not affect the kadmin client communication.
Thus, 'kpasswd' can interoperate with MIT-based servers but
'kadmin' cannot.

The Solaris kadmin client will only talk to a Solaris kadmin daemon
because Solaris uses RPCSEC_GSS for the underlying protocol and
MIT uses a slightly different RPC based protocol.

MIT, Microsoft and others support an alternative password
changing protocol (based on port 464) that is separate from
the regular RPC-based administrative protocol used to talk to the admin
daemon, so the 2 functions are treated separately.

>
> kinit itself seems to work, as I can grab a ticket from the kdc for a user,
> but without a keytab file the pam module doesn't work, so I can't use it to
> authenticate logins.
>
Except for the incompatibility of the administrative protocols, the Solaris
and MIT software will work together just fine. The Solaris clients will work
with an MIT KDC and vice-versa. The administrative protocol is not part of
the Kerberos spec, thus different implementations are free to choose different
protocols (for example, Microsoft uses yet another method for doing their
administration).
-Wyllys Ingersoll
Sun Microsystems
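
Added example, not part of the original message and not Sun or MIT code: a small checker that reads the [realms] section of a Solaris client's krb5.conf and reports, for each realm whose admin server is not Solaris, whether kpasswd and kadmin can be expected to work per the explanation above. The function names, the sample realms and hosts, the `solaris_admin_realms` parameter, and the RPCSEC_GSS default for a missing `kpasswd_protocol` key are assumptions.

```python
import re

# Constructed sample krb5.conf for a Solaris client; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        kpasswd_protocol = SET_CHANGE
    }
    LAB.EXAMPLE.COM = {
        kdc = kdc.lab.example.com
        admin_server = kdc.lab.example.com
    }
"""

def parse_realms(conf_text):
    """Return {realm: {key: value}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section != "realms" or not line:
            continue
        elif line == "}":
            current = None
        elif line.endswith("{"):
            current = line.split("=", 1)[0].strip()
            realms[current] = {}
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            realms[current][key] = value
    return realms

def check_interop(conf_text, solaris_admin_realms=()):
    """For realms whose admin server is not Solaris, report what this client can do."""
    report = {}
    for realm, settings in parse_realms(conf_text).items():
        if realm in solaris_admin_realms:
            continue  # Solaris on both ends is not the case discussed above
        # Assumption: RPCSEC_GSS is the default when kpasswd_protocol is absent.
        proto = settings.get("kpasswd_protocol", "RPCSEC_GSS").upper()
        report[realm] = {"kpasswd_protocol": proto,
                         "kpasswd_ok": proto == "SET_CHANGE",  # port 464 protocol
                         "kadmin_ok": False}  # kadmin stays RPCSEC_GSS-only
    return report
```

Calling `check_interop(SAMPLE_KRB5_CONF)` flags LAB.EXAMPLE.COM as unable to change passwords and both realms as unreachable by the Solaris kadmin client, regardless of the SET_CHANGE setting.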