Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Heilke, Rainer Rainer.Heilke at atcoitek.com
Fri Jun 3 16:15:07 EDT 2005


OK, I'm getting a little confused as to the differences we're talking
about here. I've forwarded this to my co-worker who's working on the
problem to add the line you suggest, but I don't understand how the
Solaris 10 client can be assuming a realm other than that configured
(which is the same as all of the other systems in the test lab).

Thanks.

Rainer

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov] 
> Sent: Friday, June 03, 2005 1:38 PM
> To: Heilke, Rainer
> Cc: kerberos at mit.edu
> Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
> 
> 
> 
> 
> Heilke, Rainer wrote:
> 
> > So, if this issue is in a SINGLE realm, it IS a bug, correct? We are
> > doing this in our test lab, in a single domain. There are no other
> > domains involved. Both the Solaris 10 and the MIT Kerberos
> > clients/servers are all in the same realm.
> 
> No, I would bet that the client is somehow using a different krb5.conf
> or is assuming the realm of the server is something other than the
> test realm, i.e. deriving the realm from the DNS domain name.
> 
> Try and add to the krb5.conf on the client
> [domain_realm]
> 
>   host.of.kdc.fqdn = TEST.REALM
> 
> Using the FQDN of the test kadmin server, and the name of 
> your test realm.
> 
> 
> 
> > 
> > 
> >>Heilke, Rainer wrote:
> >>
> >>>A bug... Well, that makes us feel better in the sense that we aren't
> >>>losing our marbles. I guess now, we just have to wait for the bug to get
> >>>fixed. Unfortunately, this is now one of two issues that hold back any
> >>>Solaris 10 rollout for us.
> >>
> >>Well it may be a bug, but since our production KDCs and kadmind are
> >>serving a single realm, and the server is in that realm, it's not
> >>going to stop us. It was the test environment that was the problem.
> >>
> >>P.S. What is the other issue?
> > 
> > 
> > Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
> > not provide the same functionality. We have an RFE open on this. BTW, if
> > anyone else needs ksu, please add your names to the RFE.
> > 
> > Rainer
> > 
> > 
> >>>Thanks to everyone for your help on this. We'll keep our eyes open for
> >>>the bug fix from Sun in their weekly patch club report.
> >>>
> >>>Rainer Heilke
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: kerberos-bounces at mit.edu 
> >>>>[mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
> >>>>Sent: Friday, June 03, 2005 12:48 PM
> >>>>To: 'kerberos at mit.edu'
> >>>>Cc: Nicolas Williams
> >>>>Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
> >>>>
> >>>>
> >>>>I got it to work. It looks like the Solaris 10 is checking the
> >>>>realm of the kadmind server host, but why? It already got
> >>>>a ticket for it.  It does not check that the host of the kdc is
> >>>>in the realm so why check the kadmind? Is this some gss implementation
> >>>>imposed restriction?
> >>>>
> >>>>What this means is that a kadmind can only serve a single realm.
> >>>>
> >>>>This looks like a Solaris bug to me.
> >>>>
> >>>>
> >>>>Sam Hartman wrote:
> >>>>
> >>>>
> >>>>
> >>>>>>>>>>"Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> >>
> >>>>>
> >>>>>   Nicolas> Known bug.  Our RPCSEC_GSS APIs force us to use hostbased
> >>>>>   Nicolas> princs for the server, and MIT krb5, though it now
> >>>>>   Nicolas> implements RPCSEC_GSS, did not match this behaviour.
> >>>>>
> >>>>>No.  If you create the hostbased principal in your kdc database it
> >>>>>should work fine.  The MIT code supports both kadmin/fqdn and
> >>>>>kadmin/admin.
> >>>>>
> >>>>
> >>>>I have the principal and the Solaris 10 kadmin gets a ticket for the
> >>>>service.  The server is Solaris 7, with the krb5-1.4.1
> >>>>
> >>>>Using ethereal on the Solaris 10 to watch, the Solaris 10 shows
> >>>>the kadmin doing a tcp connection to the kadmind, then doing
> >>>>a DNS lookup of the host name, then closing the connection. No user
> >>>>data was sent only SYN, ACK and FIN. See attachment.
> >>>>
> >>>>I am using a test realm and KDC on a separate machine that is in
> >>>>another realm. I was using the KRB5_CONFIG to point at my test
> >>>>krb5.conf on both the client and server. Once I added
> >>>>on the kadmin client  <kdc.fqdn> = TEST.KRB5.ANL.GOV to the
> >>>>[domain_realm] it started working!
> >>>>
> >>>>-- 
> >>>>
> >>>> Douglas E. Engert  <DEEngert at anl.gov>
> >>>> Argonne National Laboratory
> >>>> 9700 South Cass Avenue
> >>>> Argonne, Illinois  60439
> >>>> (630) 252-5444
> >>>>
> >>>
> >>>
> >>>
> >>>
> > 
> > 
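Added example, not from this thread or from MIT's code: a small Python model of how a client maps the kadmin server's hostname to a realm through krb5.conf [domain_realm], following the lookup order documented for MIT krb5.conf (an exact hostname entry first, then parent domains written with a leading dot, otherwise the uppercased DNS domain, which is the "realm from the DNS domain name" guess Douglas describes). The hostnames, realm names and config text are constructed.

```python
# Constructed test-lab setup: the test KDC lives under the production DNS domain.
KRB5_CONF_WITHOUT_MAPPING = """
[libdefaults]
    default_realm = PROD.EXAMPLE.COM
[domain_realm]
    .example.com = PROD.EXAMPLE.COM
    example.com = PROD.EXAMPLE.COM
"""

# Same file plus the entry suggested in the thread: the kadmin server's FQDN
# (no leading dot, so an exact-host entry) mapped to the test realm.
KRB5_CONF_WITH_MAPPING = KRB5_CONF_WITHOUT_MAPPING + "    kdc.lab.example.com = TEST.REALM\n"


def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' krb5.conf sections (no { } blocks)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def realm_for_host(conf, hostname):
    """Return (realm, how_it_was_chosen) for a service host, per [domain_realm]."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:                        # exact hostname entry wins
        return mapping[host], "exact host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):            # longest parent domain first
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate], "domain entry " + candidate
    # No entry: guess from the DNS domain name, the behaviour Douglas suspects.
    return ".".join(labels[1:]).upper(), "uppercased DNS domain"


def demo(hostname="kdc.lab.example.com"):
    """Realm chosen for the kadmin host before and after adding the entry."""
    before = realm_for_host(parse_krb5_conf(KRB5_CONF_WITHOUT_MAPPING), hostname)
    after = realm_for_host(parse_krb5_conf(KRB5_CONF_WITH_MAPPING), hostname)
    return before, after
```

Without the exact-host entry the lab KDC inherits the production realm from the `.example.com` domain entry, which is why a client can end up expecting a different realm than the one the server actually serves.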


