MIT Kerberos and Solaris 10 Kerberos

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Jan 10 20:16:14 EST 2005


Heilke, Rainer wrote:
> Greetings, everyone.
> 
> We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
> and MIT's Kerberos (which we're up to date on). We are starting to look
> at Solaris 10, and are hoping to move towards Sun's implementation of
> Kerberos. We are having a bit of trouble getting the two to talk
> properly, however.

I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
It is linked directly with the Solaris kerberos libraries (private).

Solaris 10 Kerberos interops very well with MIT, Heimdal, and Microsoft.
It has support for all of the enctypes (AES, RC4, 3DES, DES) finally.

> 
> If we SSH (from production to test, for example) to a Solaris 8 machine,
> then we can rlogin (Kerberized) to the Solaris 10 machine and, from
> there, rlogin to a Sol8 machine again. If, however, we SSH directly to
> the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
> various experiments (for example, trying to ksu on the Sol 10 machine),
> the only error we ever get is:
> 
> ksu
> WARNING: Your password may be exposed if you enter it here and are
> logged
>          in remotely using an unsecure (non-encrypted) channel.
> Kerberos password for ux5p at ATCOTEST.CA: :
> ksu: Server not found in Kerberos database while geting credentials from
> kdc
> Authentication failed.

ksu is an  MIT client, it is not part of Solaris 10.   Whose Kerberized apps
are you using on Solaris 10 (MIT or the stuff bundled with Solaris 10) ?

> 
> Doing an rlogin to a Sol 8 machine gives no errors at all; it just
> quietly fails.

- Which rlogin client are you using (MIT or Solaris) ?
- Which rlogin server is running on the Sol 8 system?

> 
> The above error seems to indicate that the Solaris 10 Kerberos isn't
> passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
> certain differences, would not be a big surprise). Has anyone gotten

What "certain differences" are you referring to?   Solaris 10 will 
interoperate
with Solaris 8 SEAM, but if your KDC is Solaris 10 (or MIT)  you will 
have to
restrict the enctypes used by the Solaris 8 services because Solaris 8 only
supports DES and Solaris  10 uses AES by default.

> this to work? The Sol 10 system is using the default Solaris 10 PAM
> implementation as well; not sure if this is part of the problem, but the
> configuration files are significantly different. The Sol 10 version
> doesn't explicitly list the entire path to the libraries, and breaks
> things up based upon Authentication/ Account/ Session/ Password rather
> than service (sshd, login, etc.). I have tried adding the MIT libraries
> into the pam.conf requirements, but that seems to break even more things
> (again, not a great shock).

What service are you trying to use pam_krb5 with - rlogin or ssh?
ssh in Solaris 10 supports GSSAPI authentication, so you should
not need to use pam_krb5 in that case.

> 
> BTW, we have the same issues going from the Sol 10 system to our RedHat
> box.
> 
> I know Sol 10 isn't finalized, but any help/suggestions would be greatly
> appreciated, even if it's to say it will never work for reason X. I
> don't see Sun changing this radically before GA. We are running the
> latest available build, 72.

It most certainly DOES work,  it seems that you have something misconfigured
between the various systems you are trying to use.
It may be that you are running into problems due to Solaris 8 only
supporting DES tickets, but it sounds like your problems are related
to how you are using PAM and the services you are using.

I need more info in order to be able to help you:
- What OS is the KDC running on?
- Whose KDC are you using (Solaris 10, Solaris 8 SEAM, MIT, MS AD ) ?
- What OS is the client (rlogin or ssh) running on?
- What OS is the server (rlogind or sshd) running on?
- Which Kerberos implementation is being used on the client system and 
server
   system?

-Wyllys


More information about the Kerberos mailing list