Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Heilke, Rainer Rainer.Heilke at atcoitek.com
Fri Jun 3 15:13:23 EDT 2005


A bug... Well, that makes us feel better in the sense that we aren't
losing our marbles. I guess now, we just have to wait for the bug to get
fixed. Unfortunately, this is now one of two issues that hold back any
Solaris 10 rollout for us.

Thanks to everyone for your help on this. We'll keep our eyes open for
the bug fix from Sun in their weekly patch club report.

Rainer Heilke

> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
> Sent: Friday, June 03, 2005 12:48 PM
> To: 'kerberos at mit.edu'
> Cc: Nicolas Williams
> Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
> 
> 
> I got it to work. It looks like the Solaris 10 is checking the
> realm of the kadmind server host, but why? It already got
> a ticket for it.  It does not check that the host of the kdc is
> in the realm so why check the kadmind? Is this some gss implementation
> imposed restriction?
> 
> What this means is that a kadmind can only serve a single realm.
> 
> This looks like a Solaris bug to me.
> 
> 
> Sam Hartman wrote:
> 
> >>>>>>"Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> > 
> > 
> >     Nicolas> Known bug.  Our RPCSEC_GSS APIs force us to use hostbased
> >     Nicolas> princs for the server, and MIT krb5, though it now
> >     Nicolas> implements RPCSEC_GSS, did not match this behaviour.
> > 
> > No.  If you create the hostbased principal in your kdc database it
> > should work fine.  The MIT code supports both kadmin/fqdn and
> > kadmin/admin.
> > 
> 
> I have the principal and the Solaris 10 kadmin gets a ticket for the
> service.  The server is Solaris 7, with the krb5-1.4.1
> 
> Using ethereal on the Solaris 10 to watch, the Solaris 10
> shows the kadmin doing a tcp connection to the kadmind, then doing
> a DNS lookup of the host name, then closing the connection. No user
> data was sent, only SYN, ACK and FIN. See attachment.
> 
> I am using a test realm and KDC on a separate machine that is in
> another realm. I was using the KRB5_CONFIG to point at my test
> krb5.conf on both the client and server. Once I added
> on the kadmin client  <kdc.fqdn> = TEST.KRB5.ANL.GOV to the
> [domain_realm] it started working!
> 
> 
> -- 
> 
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> 
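The [domain_realm] fix in the quoted message, worked through as an added example (not code from the thread, Solaris, or MIT krb5): a minimal parser for that krb5.conf section, the host-to-realm lookup a Kerberos client performs (exact host entry first, then parent domains written with a leading dot), and the client-side comparison of the kadmind host's realm against the ticket realm, run against the configuration before and after the extra entry. The host names and the EXAMPLE.ORG realm are constructed; TEST.KRB5.ANL.GOV is the test realm named in the thread, and the example generalizes the single entry there to the parent-domain matching a real client also applies.

```python
"""Model of the [domain_realm] host-to-realm lookup behind the kadmin failure."""
import re

# Constructed scenario (not from the thread): the kadmind host sits in a DNS
# domain owned by realm EXAMPLE.ORG but serves the test realm TEST.KRB5.ANL.GOV.
KADMIND_HOST = "kadmin-test.example.org"   # constructed stand-in for <kdc.fqdn>
TICKET_REALM = "TEST.KRB5.ANL.GOV"         # realm of the kadmin service ticket

CONF_BEFORE = """\
[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
"""
# The fix from the thread: an explicit entry mapping the kadmind host itself.
CONF_AFTER = CONF_BEFORE + f"    {KADMIND_HOST} = {TICKET_REALM}\n"


def parse_domain_realm(conf: str) -> dict:
    """Return the [domain_realm] section as {lower-cased pattern: REALM}."""
    mapping, section = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # krb5.conf uses '#' comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping

def host_to_realm(host: str, mapping: dict):
    """Exact host entry first, then the longest parent domain written with a
    leading dot. None if nothing matches (real libraries try other heuristics)."""
    host = host.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    for i, ch in enumerate(host):
        if ch == "." and host[i:] in mapping:
            return mapping[host[i:]]
    return None

def kadmin_realm_check(conf: str, host: str = KADMIND_HOST,
                       ticket_realm: str = TICKET_REALM):
    """Client-side check modelled on the thread: does the realm the kadmind host
    maps to equal the realm of the ticket? Returns (passes, resolved_realm)."""
    realm = host_to_realm(host, parse_domain_realm(conf))
    return realm == ticket_realm, realm
```

With CONF_BEFORE the host resolves to EXAMPLE.ORG and the check fails, matching the connect-then-close behaviour described; with CONF_AFTER the explicit entry wins and the check passes.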


