MIT Kerberos and Solaris 10 Kerberos

Heilke, Rainer Rainer.Heilke at atcoitek.com
Tue Jan 11 10:43:30 EST 2005


Greetings, and thanks for the response.

> > We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
> > and MIT's Kerberos (which we're up to date on). We are starting to look
> > at Solaris 10, and are hoping to move towards Sun's implementation of
> > Kerberos. We are having a bit of trouble getting the two to talk
> > properly, however.
> 
> I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
> It is linked directly with the Solaris Kerberos libraries (private).

I am trying to get the Solaris Kerberos (SEAM) on the Sol 10 system to
talk to the MIT Kerberos on the KDC and other Solaris 8/MIT systems.

> Solaris 10 Kerberos interops very well with MIT, Heimdal, and Microsoft.
> It has support for all of the enctypes (AES, RC4, 3DES, DES) finally.

But I can't seem to get it to work.

> > If we SSH (from production to test, for example) to a Solaris 8 machine,
> > then we can rlogin (Kerberized) to the Solaris 10 machine and, from
> > there, rlogin to a Sol8 machine again. If, however, we SSH directly to
> > the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
> > various experiments (for example, trying to ksu on the Sol 10 machine),
> > the only error we ever get is:
> > 
> > ksu
> > WARNING: Your password may be exposed if you enter it here and are logged
> >          in remotely using an unsecure (non-encrypted) channel.
> > Kerberos password for ux5p at ATCOTEST.CA: :
> > ksu: Server not found in Kerberos database while geting credentials from
> > kdc
> > Authentication failed.
> 
> ksu is an MIT client, it is not part of Solaris 10. Whose Kerberized apps
> are you using on Solaris 10 (MIT or the stuff bundled with Solaris 10)?

I understand that. I'm pointing out that the Solaris 10 system doesn't
seem to be using the MIT Kerberos, nor the Sun Kerberos cleanly (or
rather, the Sol10 Kerberos isn't talking to the MIT Kerberos?). It seems
to be getting confused. (I should double-check that I'm not accidentally
calling the MIT commands doing any of this on the Sol10 system by making
sure they aren't in my path...) As an aside, I was told that Solaris had
its own ksu, possibly in something called the Encryption Kit, or
something like that. I was able to find this package when Solaris 10
went to Beta 6, but then it seems to have disappeared off of Sun's
website. ??

> > Doing an rlogin to a Sol 8 machine gives no errors at all; it just
> > quietly fails.
> 
> - Which rlogin client are you using (MIT or Solaris) ?
> - Which rlogin server is running on the Sol 8 system?

Both. All Solaris systems other than this one (the Solaris 10 system)
are running MIT on Solaris 8.

> > The above error seems to indicate that the Solaris 10 Kerberos isn't
> > passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
> > certain differences, would not be a big surprise). Has anyone gotten
> 
> What "certain differences" are you referring to?

Differences in the configuration files and the libraries the Solaris 10
Kerberos uses as opposed to the MIT Kerberos.

> Solaris 10 will interoperate
> with Solaris 8 SEAM, but if your KDC is Solaris 10 (or MIT) you will have to
> restrict the enctypes used by the Solaris 8 services because Solaris 8 only
> supports DES and Solaris 10 uses AES by default.

Then our entire environment is DES. Where does one set the Solaris 10
SEAM to use DES?

> What service are you trying to use pam_krb5 with - rlogin or ssh?
> ssh in Solaris 10 supports GSSAPI authentication, so you should
> not need to use pam_krb5 in that case.

We have SSH working with the MIT Kerberos (that is, logging in with SSH
creates forwardable tickets, etc.). What I am trying to do is to SSH in
to the Solaris 10 machine from our production lab (production and test
are separated by a firewall, and are two different Kerberos domains),
and then be able to rlogin to other (Solaris 8/MIT) systems in the test
lab (that is, in the same Kerberos domain).

> It most certainly DOES work, it seems that you have something misconfigured
> between the various systems you are trying to use.
> It may be that you are running into problems due to Solaris 8 only
> supporting DES tickets, but it sounds like your problems are related
> to how you are using PAM and the services you are using.

OK, so you confirmed it works (and I'd be surprised if it didn't). I
agree also with where you think the problem is. I just can't find it.

> I need more info in order to be able to help you:
> - What OS is the KDC running on?

Solaris 8, using MIT's Kerberos.

> - Whose KDC are you using (Solaris 10, Solaris 8 SEAM, MIT, MS AD ) ?

MIT on Solaris 8.

> - What OS is the client (rlogin or ssh) running on?

Solaris 10, SEAM going one way, Solaris 8/MIT going the other.

> - What OS is the server (rlogind or sshd) running on?

Solaris 8, MIT for rlogind in one direction, and Solaris 10/SEAM in the
other. Typically, I am SSH'ing in to the Solaris 10 system initially
(from our production lab) and then trying to rlogin to the Solaris 8/MIT
systems in the test lab (where the Solaris 10 system sits). I have also
SSH'd to a test lab Solaris 8/MIT system, and tried to rlogin to the
Solaris 10/SEAM system.

> - Which Kerberos implementation is being used on the client system and
>   server system?

See above. Note that I have been trying to get this to work in both
directions (perhaps that is where your confusion over my previous email
is coming from).

Thank you for all of the help. I'd love to get this working.

Rainer
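
Added example (editor's addition, not from the thread or from Sun's or MIT's own documentation of this setup): the `[libdefaults]` entries in a Solaris 10 `/etc/krb5/krb5.conf` that restrict the client to DES, which is the place the "where does one set the Solaris 10 SEAM to use DES" question above points at. The realm ATCOTEST.CA is taken from the ksu output quoted in the thread; the KDC hostname `kdc.atcotest.ca` and the domain-to-realm mapping are assumptions. Comments in krb5.conf must start at the beginning of a line.

```ini
# Added example: /etc/krb5/krb5.conf on the Solaris 10 client, restricting
# it to DES so that tickets it obtains are usable by DES-only Solaris 8
# services. Realm name from the thread; hostnames below are assumptions.
[libdefaults]
        default_realm = ATCOTEST.CA
        # enctypes requested for the initial TGT (kinit, pam_krb5 login)
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        # enctypes requested for service tickets (rlogin, ssh GSSAPI, ...)
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        # enctypes the client library will accept at all
        permitted_enctypes = des-cbc-crc des-cbc-md5
        forwardable = true

[realms]
        # assumed KDC hostname; the thread's KDC is MIT on Solaris 8
        ATCOTEST.CA = {
                kdc = kdc.atcotest.ca
                admin_server = kdc.atcotest.ca
        }

[domain_realm]
        .atcotest.ca = ATCOTEST.CA
        atcotest.ca = ATCOTEST.CA
```

After editing, `kinit` followed by `klist -e` shows the enctype of each ticket the client actually received, which is the quickest check that the restriction took effect; the service principal's key on the KDC must include a DES key as well, or the KDC cannot issue a DES service ticket for it. Independently of enctypes, "Server not found in Kerberos database" means the KDC has no entry for the service principal the client asked for; clients build that name from the canonical hostname (host/<fqdn>@REALM), so forward and reverse DNS for the target host should agree with the name the principal was created under. Note for anyone reading this today: single DES is deprecated (RFC 6649), and MIT Kerberos 1.8 and later refuse it unless `allow_weak_crypto = true` is set in `[libdefaults]`.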



More information about the Kerberos mailing list