Error using GSS-API on Solaris 9 Platform
Ahluwalia, Ish
iahluwalia at sonusnet.com
Wed Aug 25 14:38:05 EDT 2004
Hi Wyllys:
Thanks very much for the response. Below please find my response. Thanks in advance for the help.
>>>>>>>>>>>>>>>>>>>You wrote<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
It sounds like your server process does not have access to its credentials.
Is the server running with permissions to read the keytab file that contains its keys?
If you are using a standard service like "host/foo.bar.com", then it's probably in the system keytab (/etc/krb5/krb5.keytab) and your process will need root privilege to read that file.
If your service principal keys are not in a keytab, they should be added using kadmin.
kadmin > ktadd host/foo.bar.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Yes, I'm planning to run a service (running on an application server different from the KDC) with the name "service/<FQDN>@REALM". It is our own service, nothing like telnet or ftp. Nonetheless, clients have to authenticate with the KDC and then they communicate with my service, which handles all the AP-REQ and AP-REP.
I think you are right that I don't have a keytab entry. In fact, I searched the whole system and didn't even find a file called "krb5.keytab". Is it supposed to be there by default, or does it get created as part of the "ktadd" command?
Also, there is a bit of an issue - I'm not using the SUN Solaris distribution KDC. It is from some other company and does not have an interface for the KADMIN command, which I'm assuming communicates with the KADMIND process running on the KDC and creates the service entries. Assuming I figure out how to add a service on the KDC with a shared key (which needs to be the same key on the application server), is there a way to create a keytab entry on my service host without using kadmin? KADMIN fails for me since there is no KADMIND running anywhere on my KDC (it doesn't support it). Is there a way to create a keytab file and other stuff that I may need to have a successful generation of TGS's with my service's master key, which is also on the KDC?
I greatly appreciate your help.
Thanks.
Ish....
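The two points raised in this exchange, what a keytab entry actually contains and whether the server process can read it, are easier to reason about with the file format in hand. The following reader/writer is an added example, not code from the poster, Sun or the MIT Kerberos project. It assumes the keytab format MIT Kerberos writes (magic 0x0502, one length-prefixed record per key, negative lengths marking deleted slots) and that the Solaris 9 keytab uses the same layout; the realm, host name, kvno and 8-byte key bytes are constructed sample values, not a real key.

```python
#!/usr/bin/env python3
"""Read and write keytab files in the MIT-style 0x0502 format.

Added example for the thread above (assumes Solaris 9 shares MIT's
keytab layout). All sample values below are constructed.
"""
import os
import stat
import struct
from typing import Optional

KEYTAB_VERSION = 0x0502      # file magic: major 5, keytab format version 2
KRB5_NT_PRINCIPAL = 1        # name type used for service/host principals
ENCTYPE_DES_CBC_CRC = 1      # enctype 1 (Solaris 9 era); 8-byte key


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int) -> bytes:
    """Serialise one record: int32 size, then the record body."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit kvno extension written by v2 files
    return struct.pack(">i", len(body)) + body


def write_keytab(records: list) -> bytes:
    """Magic followed by the concatenated records (deleted slots allowed)."""
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(records)


class _Cursor:
    """Tiny bounds-tracking reader over the keytab bytes."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def unpack(self, fmt: str):
        vals = struct.unpack_from(fmt, self.buf, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.unpack(">H")
        data = self.buf[self.pos:self.pos + n]
        self.pos += n
        return data


def parse_keytab(blob: bytes) -> list:
    """Return one dict per live entry; skips deleted (negative-size) slots."""
    cur = _Cursor(blob)
    (magic,) = cur.unpack(">H")
    if magic != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{magic:04x}")
    entries = []
    while cur.pos < len(blob):
        (size,) = cur.unpack(">i")
        if size == 0:
            raise ValueError("corrupt keytab: zero-length record")
        if size < 0:                  # deleted slot: skip its payload
            cur.pos += -size
            continue
        end = cur.pos + size
        (ncomp,) = cur.unpack(">H")
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = cur.unpack(">IIB")
        (enctype,) = cur.unpack(">H")
        key = cur.counted()
        kvno = vno8
        if end - cur.pos >= 4:        # optional 32-bit kvno; 0 means "use vno8"
            (kvno32,) = cur.unpack(">I")
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": ts,
                        "kvno": kvno, "enctype": enctype, "key": key})
        cur.pos = end
    return entries


def find_key(entries: list, principal: str, kvno: Optional[int] = None):
    """Entry a server would use: matching principal, newest kvno unless given."""
    matches = [e for e in entries if e["principal"] == principal
               and (kvno is None or e["kvno"] == kvno)]
    return max(matches, key=lambda e: e["kvno"]) if matches else None


def mode_is_private(mode: int) -> bool:
    """True when group/other have no access bits (e.g. 0600), as a keytab should."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_keytab_file(path: str) -> dict:
    """Permission facts for a keytab on disk, for the 'can my service read it' question."""
    st = os.stat(path)
    return {"mode_ok": mode_is_private(st.st_mode),
            "readable_by_me": os.access(path, os.R_OK), "owner_uid": st.st_uid}


def sample_keytab() -> bytes:
    """Constructed blob: one deleted slot, then one entry with a sample key."""
    deleted = struct.pack(">i", -10) + b"\x00" * 10
    entry = build_entry("service/app.example.com@EXAMPLE.COM", kvno=3,
                        enctype=ENCTYPE_DES_CBC_CRC, key=bytes(range(8)),
                        timestamp=1093459085)
    return write_keytab([deleted, entry])


if __name__ == "__main__":
    for e in parse_keytab(sample_keytab()):
        print(e["principal"], "kvno", e["kvno"], "enctype", e["enctype"],
              "key", e["key"].hex())
```

Writing a record this way is what a ktutil add-entry step does; the hard part the thread leaves open, deriving the same key bytes that the KDC holds, is enctype-specific string-to-key work that this example deliberately does not attempt. `check_keytab_file` is the quick way to confirm the point about permissions: a service that is not root will not read a 0600 root-owned /etc/krb5/krb5.keytab.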
More information about the Kerberos mailing list