Using Solaris 10 kadmin with MIT 1.4.1 kadmind
Douglas E. Engert
deengert at anl.gov
Fri Jun 3 15:19:12 EDT 2005
Heilke, Rainer wrote:
> A bug... Well, that makes us feel better in the sense that we aren't
> losing our marbles. I guess now, we just have to wait for the bug to get
> fixed. Unfortunately, this is now one of two issues that hold back any
> Solaris 10 rollout for us.
Well it may be a bug, but since our production KDCs and kadmind are
serving a single realm, and the server is in that realm, it's not
going to stop us. It was the test environment that was the problem.
P.S. What is the other issue?
>
> Thanks to everyone for your help on this. We'll keep our eyes open for
> the bug fix from Sun in their weekly patch club report.
>
> Rainer Heilke
>
>
>>-----Original Message-----
>>From: kerberos-bounces at mit.edu
>>[mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
>>Sent: Friday, June 03, 2005 12:48 PM
>>To: 'kerberos at mit.edu'
>>Cc: Nicolas Williams
>>Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
>>
>>
>>I got it to work. It looks like the Solaris 10 is checking the
>>realm of the kadmind server host, but why? It already got
>>a ticket for it. It does not check that the host of the kdc is
>>in the realm so why check the kadmind? Is this some gss implementation
>>imposed restriction?
>>
>>What this means is that a kadmind can only serve a single realm.
>>
>>This looks like a Solaris bug to me.
>>
>>
>>Sam Hartman wrote:
>>
>>
>>>>>>>>"Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>>>
>>>
>>> Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
>>> Nicolas> princs for the server, and MIT krb5, though it now
>>> Nicolas> implements RPCSEC_GSS, did not match this behaviour.
>>>
>>>No. If you create the hostbased principal in your kdc database it
>>>should work fine. The MIT code supports both kadmin/fqdn and
>>>kadmin/admin.
>>>
>>
>>I have the principal and the Solaris 10 kadmin gets a ticket for the
>>service. The server is Solaris 7, with the krb5-1.4.1
>>
>>Using ethereal on the Solaris 10 to watch the Solaris 10 shows
>>the kadmin doing a tcp connection to the kadmind, then doing
>>a DNS lookup of the host name, then closing the connection. No user
>>data was sent, only SYN, ACK and FIN. See attachment.
>>
>>I am using a test realm and KDC on a separate machine that is in
>>another realm. I was using the KRB5_CONFIG to point at my test
>>krb5.conf on both the client and server. Once I added
>>on the kadmin client <kdc.fqdn> = TEST.KRB5.ANL.GOV to the
>>[domain_realm] it started working!
>>
>>--
>>
>> Douglas E. Engert <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
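The [domain_realm] fix described in the quoted message can be modelled in a few lines. The following is an added example, not code from the thread or from Sun's or MIT's implementation: it reproduces the host-to-realm lookup a krb5 client performs (exact host, then parent domains with a leading dot, then default_realm) and shows which host-based kadmin principal the client ends up expecting. The host name kadmind.test.example and the realm PROD.EXAMPLE are constructed placeholders; only TEST.KRB5.ANL.GOV comes from the message.

```python
from typing import Dict, Tuple

# Constructed stand-ins for the two realms in the message: the client's own
# (default) realm and the test realm whose kadmind lives in another domain.
CLIENT_DEFAULT_REALM = "PROD.EXAMPLE"
TEST_REALM = "TEST.KRB5.ANL.GOV"
KADMIND_HOST = "kadmind.test.example"   # placeholder for <kdc.fqdn>


def host_realm(host: str, domain_realm: Dict[str, str], default_realm: str) -> str:
    """Simplified model of krb5's [domain_realm] lookup (no DNS TXT lookups):
    exact host match, then each parent domain written with a leading dot,
    and finally the client's default_realm."""
    h = host.lower().rstrip(".")          # canonical form, as the client would use
    if h in domain_realm:
        return domain_realm[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return default_realm


def kadmin_service_principal(host: str, domain_realm: Dict[str, str],
                             default_realm: str) -> str:
    """Host-based principal a client that insists on kadmin/<fqdn> will ask for."""
    return f"kadmin/{host.lower()}@{host_realm(host, domain_realm, default_realm)}"


def diagnose() -> Tuple[str, str, bool, bool]:
    """Compare the principal derived before and after the [domain_realm] entry
    with the only host-based kadmin principal that exists in the test KDC."""
    in_kdc = f"kadmin/{KADMIND_HOST}@{TEST_REALM}"
    before = kadmin_service_principal(KADMIND_HOST, {}, CLIENT_DEFAULT_REALM)
    after = kadmin_service_principal(
        KADMIND_HOST, {KADMIND_HOST: TEST_REALM}, CLIENT_DEFAULT_REALM)
    # Without the mapping the client expects the server in its own realm and the
    # names disagree, which matches the symptom of a connection opened and
    # closed with no application data; with the mapping they agree.
    return before, after, before == in_kdc, after == in_kdc


if __name__ == "__main__":
    print(diagnose())
```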