MIT Kerberos and Solaris 10 Kerberos

Heilke, Rainer Rainer.Heilke at atcoitek.com
Thu Jan 6 17:07:13 EST 2005


Greetings, everyone.

We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
and MIT's Kerberos (which we're up to date on). We are starting to look
at Solaris 10, and are hoping to move towards Sun's implementation of
Kerberos. We are having a bit of trouble getting the two to talk
properly, however.

If we SSH (from production to test, for example) to a Solaris 8 machine,
then we can rlogin (Kerberized) to the Solaris 10 machine and, from
there, rlogin to a Sol8 machine again. If, however, we SSH directly to
the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
various experiments (for example, trying to ksu on the Sol 10 machine),
the only error we ever get is:

ksu
WARNING: Your password may be exposed if you enter it here and are
         logged in remotely using an unsecure (non-encrypted) channel.
Kerberos password for ux5p@ATCOTEST.CA: :
ksu: Server not found in Kerberos database while geting credentials from kdc
Authentication failed.

Doing an rlogin to a Sol 8 machine gives no errors at all; it just
quietly fails.

The above error seems to indicate that the Solaris 10 Kerberos isn't
passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
certain differences, would not be a big surprise). Has anyone gotten
this to work? The Sol 10 system is using the default Solaris 10 PAM
implementation as well; not sure if this is part of the problem, but the
configuration files are significantly different. The Sol 10 version
doesn't explicitly list the entire path to the libraries, and breaks
things up based upon Authentication/ Account/ Session/ Password rather
than service (sshd, login, etc.). I have tried adding the MIT libraries
into the pam.conf requirements, but that seems to break even more things
(again, not a great shock).

BTW, we have the same issues going from the Sol 10 system to our RedHat
box.

I know Sol 10 isn't finalized, but any help/suggestions would be greatly
appreciated, even if it's to say it will never work for reason X. I
don't see Sun changing this radically before GA. We are running the
latest available build, 72.

TIA

Rainer Heilke
Unix Systems Administrator
ATCO I-Tek
Phone:  780-420-7806
Fax:  780-420-3939
Email:  rainer.heilke at atcoitek.com

The information transmitted is intended only for the addressee and may
contain confidential, proprietary and/or privileged material. Any
unauthorized review, distribution or other use of or the taking of any
action in reliance upon this information is prohibited. If you receive
this in error, please contact the sender and delete or destroy this
message and any copies. 
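The "Server not found in Kerberos database" error above comes from the KDC: it was asked for a service ticket for a host principal it does not have. A common reason, independent of which Kerberos implementation is on either end, is that the client canonicalizes the target host name through DNS (forward lookup, then reverse lookup of the address) and ends up requesting host/<PTR-name>@REALM while the KDC only holds host/<forward-name>@REALM. The script below is an added example, not code from the post or from either Kerberos implementation; it models that canonicalization against a constructed DNS table and a constructed list of KDC principals (the host names, addresses and principal list are invented; only the realm name ATCOTEST.CA is taken from the ksu prompt) so the mismatch can be seen offline.

```python
"""Trace which host principal a Kerberized client will ask the KDC for.

MIT-style clients (rlogin, ksu, telnet) canonicalize the target host name
via DNS: forward lookup of the name, then PTR lookup of the address, and
then request host/<canonical-name>@REALM from the KDC.  If the KDC holds a
principal for a different spelling of the name, the TGS answers
"Server not found in Kerberos database".

Everything below except the realm name is constructed for this example.
"""

REALM = "ATCOTEST.CA"  # realm shown in the post's ksu prompt

# Constructed stand-in for DNS (forward A records and reverse PTR records).
FORWARD = {
    "sol8a": "10.0.0.8",
    "sol8a.atcotest.ca": "10.0.0.8",
    "sol10": "10.0.0.10",
    "sol10.atcotest.ca": "10.0.0.10",
}
REVERSE = {
    "10.0.0.8": "sol8a.atcotest.ca",
    "10.0.0.10": "sol10-mgmt.atcotest.ca",  # PTR disagrees with the A record
}

# Constructed stand-in for the host principals present in the KDC database.
KDC_PRINCIPALS = {
    "host/sol8a.atcotest.ca@ATCOTEST.CA",
    "host/sol10.atcotest.ca@ATCOTEST.CA",
}


def canonical_name(host, forward=FORWARD, reverse=REVERSE):
    """Mimic client-side canonicalization: forward lookup, then PTR lookup.

    Falls back to the name as typed when the address has no PTR record.
    """
    name = host.lower().rstrip(".")
    addr = forward.get(name)
    if addr is None:
        raise LookupError(f"no address for {name}")
    return reverse.get(addr, name)


def service_principal(host, service="host", realm=REALM,
                      forward=FORWARD, reverse=REVERSE):
    """The principal the client will request for this host."""
    return f"{service}/{canonical_name(host, forward, reverse)}@{realm}"


def diagnose(host, kdc=KDC_PRINCIPALS, realm=REALM,
             forward=FORWARD, reverse=REVERSE):
    """Return (status, requested_principal, alternative_principal_or_None).

    status is "ok" when the KDC has what the client will ask for,
    "dns-mismatch" when the KDC has a principal for the same machine under
    another spelling (fix DNS/PTR or add that principal and keytab entry),
    and "missing" when the KDC has no host principal for the machine at all.
    """
    requested = service_principal(host, "host", realm, forward, reverse)
    if requested in kdc:
        return ("ok", requested, None)
    short = host.lower().split(".")[0]
    candidates = sorted(
        p for p in kdc
        if p.startswith(f"host/{short}.") or p == f"host/{short}@{realm}"
    )
    if candidates:
        return ("dns-mismatch", requested, candidates[0])
    return ("missing", requested, None)


if __name__ == "__main__":
    for target in ("sol8a.atcotest.ca", "sol10", "nosuch"):
        try:
            print(target, "->", diagnose(target))
        except LookupError as exc:
            print(target, "->", exc)
```

On a real system the equivalent check is to run the forward and reverse lookups by hand (getent hosts or nslookup on each host involved) and then ask the KDC for the resulting principal with kvno host/<canonical-name>@REALM from a session that already holds a TGT; the kvno request fails with the same "Server not found in Kerberos database" text when the principal does not exist.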