Solaris 9/kadmin problems

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Aug 7 09:29:49 EDT 2002


Joe Sunday wrote:
> I've got a Solaris 9 client (using the Sun libraries) trying to talk to a
> NetBSD kdc running on a Dec 3000, and I've got the kpasswd_protocol =
> SET_CHANGE flag in the krb5.conf file.
> 
> I can start kadmin and login, but as soon as I try to do anything with a
> principal like getprinc or ktadd to create my machine's keytab so the pam
> module works, kadmin segfaults

Sorry for the core dump, we should exit more gracefully than that :)

The SET_CHANGE flag is only to allow Solaris users to change
their passwords on an MIT-based admin server (using 'kpasswd'
or PAM); it does not affect the kadmin client communication.
Thus, 'kpasswd' can interoperate with MIT-based servers but
'kadmin' cannot.

The Solaris kadmin client will only talk to a Solaris kadmin daemon
because Solaris uses RPCSEC_GSS for the underlying protocol and
MIT uses a slightly different RPC-based protocol.

MIT, Microsoft and others support an alternative password
changing protocol (based on port 464) that is separate from
the regular RPC-based administrative protocol used to talk to the admin
daemon, so the 2 functions are treated separately.

> 
> kinit itself seems to work, as I can grab a ticket from the kdc for a user,
> but without a keytab file the pam module doesn't work, so I can't use it to
> authenticate logins.
> 

Except for the incompatibility of the administrative protocols, the Solaris
and MIT software will work together just fine.   The Solaris clients will work
with an MIT KDC and vice-versa.   The administrative protocol is not part of
the Kerberos spec, thus different implementations are free to choose different
protocols (for example, Microsoft uses yet another method for doing their
administration).

-Wyllys Ingersoll
   Sun Microsystems



