MIT Kerberos and Solaris 10 Kerberos

Wyllys Ingersoll wyllys.ingersoll at sun.com
Tue Jan 11 12:42:13 EST 2005


Heilke, Rainer wrote:
> BTW, as a further clarification, the system was installed initially
> using our MIT Kerberos build (i.e. the same as we use on all of the
> Solaris 8 machines). I am now trying to get it to work with the Solaris
> 10 SEAM.
> 
> One problem I see immediately (refreshing my memory with a couple quick
> tests) is that, when using the Sol10 SEAM to install the keytab, I
> immediately get:
> 
> # kadmin -p rheilke/admin
> Authenticating as principal rheilke/admin at ATCOTEST.CA with password.
> Password for rheilke/admin at ATCOTEST.CA:
> kadmin:  ktadd host/salty.atcotest.ca
> kadmin: Communication failure with server while changing
> host/salty.atcotest.ca's key
> kadmin:
> 
> So, the Sol10 SEAM cannot seem to talk to the KDC.

That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
MIT uses a slightly different RPC protocol.  This is not a new
issue, it's been a problem ever since we introduced SEAM.

The solution is that if your KDC is MIT, then you must use the MIT
'kadmin' client to manage it.

There have been patches submitted to the MIT codebase to make
it able to support RPCSEC_GSS (and thus interop with Solaris kadmin),
but I'm not sure if those are in the latest release or not.

-Wyllys


