Error using GSS-API on Solaris 9 Platform

Will Fiveash william.fiveash at sun.com
Tue Aug 31 14:25:20 EDT 2004


On Wed, Aug 25, 2004 at 02:38:05PM -0400, Ahluwalia, Ish wrote:
> Hi Wyllys:
> 
> Thanks very much for the response.  Below please find my response.  Thanks in advance for the help.
> 
> >>>>>>>>>>>>>>>>>>>You wrote<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> It sounds like your server process does not have access to its credentials.
> Is the server running with permissions to read the keytab file that 
> contains its keys?
> If you are using a standard service like "host/foo.bar.com", then it's
> probably in the system keytab (/etc/krb5/krb5.keytab) and your process
> will need root privilege to read that file.
> 
> If your service principal keys are not in a keytab, they should be added 
> using kadmin.
> 
> kadmin > ktadd host/foo.bar.com
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> 

> Yes, I'm planning to be a service (running on an application server
> different from the KDC) with "service/<FQDN>@REALM" name.  It is our own
> service, nothing like telnet or ftp.  Nonetheless, clients have to
> authenticate with the KDC and then they communicate with my service which
> handles all the AP-REQ and AP-REP.  I think you are right that I
> don't have a keytab entry.  In fact, I searched the whole system and
> didn't even find a file called "krb5.keytab".  Is it supposed to be
> there by default or does it get created as part of the "ktadd" command?

The /etc/krb5/krb5.keytab file is typically created by the kadmin ktadd
command.

> Also, there is a bit of an issue - I'm not using the SUN Solaris
> distribution KDC.  It is some other company's, which does not have an
> interface for the KADMIN command, which I'm assuming communicates with
> the KADMIND process running on the KDC and creates the service entries.
> Assuming I figure out how to add a service on the KDC with a shared
> key (which needs to be the same key at the application server), is there a
> way to create a keytab entry on my service host without using kadmin?

You'll have to ask your KDC vendor that question.  It sounds like you'll
have to produce a Solaris Kerberos (based on MIT) compatible keytab file
on the KDC system and then copy it (securely) on to the Solaris system
as /etc/krb5/krb5.keytab.  You can test it by doing a:

kinit -k <service princ>

to make sure kinit can get a cred based on the keytab entry.

> KADMIN fails for me since there is no KADMIND running anywhere on
> my KDC (it doesn't support it).  Is there a way to create a keytab file
> and other stuff that I may need to have a successful generation of
> TGS's with my service's master key which is also on the KDC?

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
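Will's advice is to have the KDC vendor produce an MIT-compatible keytab and copy it to the Solaris host as /etc/krb5/krb5.keytab. As an added example (not code from this thread, from Sun, or from MIT), here is a small Python builder and parser for that keytab format, useful for inspecting a vendor-produced file (principal, kvno, enctype) before installing it. The layout follows the MIT v2 (0x0502) format; the principal names, key bytes and timestamps used in it are constructed.

```python
# Illustrative builder/parser for the MIT v2 (magic 0x0502) keytab format,
# following the layout in the MIT Kerberos documentation. Not Sun's code.
import struct

KEYTAB_MAGIC = 0x0502
KRB5_NT_PRINCIPAL = 1                    # name type of ordinary principals

def _counted(b: bytes) -> bytes:
    """uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_entry(principal, enctype, key, kvno, timestamp):
    """Serialise one entry for 'comp/comp@REALM' the way ktadd lays it out."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)      # optional 32-bit kvno (kvno > 255)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    """entries: iterable of (principal, enctype, key, kvno, timestamp)."""
    return struct.pack(">H", KEYTAB_MAGIC) + b"".join(build_entry(*e) for e in entries)

def parse_keytab(data):
    """Return [(principal, kvno, enctype, timestamp)] without exposing key bytes."""
    (magic,) = struct.unpack_from(">H", data, 0)
    if magic != KEYTAB_MAGIC:
        raise ValueError("not an MIT v2 keytab (magic 0x%04x)" % magic)
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size == 0: break
        if size < 0: off -= size; continue   # negative size = deleted slot
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        parts = []                           # realm first, then components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2:off + 2 + n].decode()); off += 2 + n
        _nt, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4 + klen
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype, ts))
        off = end
    return out
```

Running parse_keytab over the bytes of a real keytab lists the principals and key versions it holds, which is the same information `klist -k` would show before a `kinit -k <service princ>` test.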

