Using Solaris 10 kadmin with MIT 1.4.1 kadmind
Heilke, Rainer
Rainer.Heilke at atcoitek.com
Fri Jun 3 16:15:07 EDT 2005
OK, I'm getting a little confused as to the differences we're talking
about here. I've forwarded this to my co-worker who's working on the
problem to add the line you suggest, but I don't understand how the
Solaris 10 client can be assuming a realm other than that configured
(which is the same as all of the other systems in the test lab).
Thanks.
Rainer
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Friday, June 03, 2005 1:38 PM
> To: Heilke, Rainer
> Cc: kerberos at mit.edu
> Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
>
> Heilke, Rainer wrote:
>
> > So, if this issue is in a SINGLE realm, it IS a bug, correct? We are
> > doing this in our test lab, in a single domain. There are no other
> > domains involved. Both the Solaris 10 and the MIT Kerberos
> > clients/servers are all in the same realm.
>
> No, I would bet that the client is somehow using a different krb5.conf
> or is assuming the realm of the server is something other than the
> test realm, i.e. deriving the realm from the DNS domain name.
>
> Try and add to the krb5.conf on the client
> [domain_realm]
>
> host.of.kdc.fqdn = TEST.REALM
>
> Using the FQDN of the test kadmin server, and the name of
> your test realm.
>
> >
> >>Heilke, Rainer wrote:
> >>
> >>
> >>>A bug... Well, that makes us feel better in the sense that we aren't
> >>>losing our marbles. I guess now, we just have to wait for the bug to get
> >>>fixed. Unfortunately, this is now one of two issues that hold back any
> >>>Solaris 10 rollout for us.
> >>
> >>Well it may be a bug, but since our production KDCs and kadmind are
> >>serving a single realm, and the server is in that realm, it's not
> >>going to stop us. It was the test environment that was the problem.
> >>
> >>P.S. What is the other issue?
> >
> >
> > Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
> > not provide the same functionality. We have an RFE open on this. BTW, if
> > anyone else needs ksu, please add your names to the RFE.
> >
> > Rainer
> >
> >
> >>>Thanks to everyone for your help on this. We'll keep our eyes open for
> >>>the bug fix from Sun in their weekly patch club report.
> >>>
> >>>Rainer Heilke
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: kerberos-bounces at mit.edu
> >>>>[mailto:kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert
> >>>>Sent: Friday, June 03, 2005 12:48 PM
> >>>>To: 'kerberos at mit.edu'
> >>>>Cc: Nicolas Williams
> >>>>Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
> >>>>
> >>>>
> >>>>I got it to work. It looks like the Solaris 10 is checking the
> >>>>realm of the kadmind server host, but why? It already got
> >>>>a ticket for it. It does not check that the host of the kdc is
> >>>>in the realm so why check the kadmind? Is this some gss implementation
> >>>>imposed restriction?
> >>>>
> >>>>What this means is that a kadmind can only serve a single realm.
> >>>>
> >>>>This looks like a Solaris bug to me.
> >>>>
> >>>>
> >>>>Sam Hartman wrote:
> >>>>
> >>>>
> >>>>
> >>>>>>>>>>"Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
> >>>>>
> >>>>>
> >>>>> Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
> >>>>> Nicolas> princs for the server, and MIT krb5, though it now
> >>>>> Nicolas> implements RPCSEC_GSS, did not match this behaviour.
> >>>>>
> >>>>>No. If you create the hostbased principal in your kdc database it
> >>>>>should work fine. The MIT code supports both kadmin/fqdn and
> >>>>>kadmin/admin.
> >>>>>
> >>>>
> >>>>I have the principal and the Solaris 10 kadmin gets a ticket for the
> >>>>service. The server is Solaris 7, with the krb5-1.4.1
> >>>>
> >>>>Using ethereal on the Solaris 10 to watch, the Solaris 10 shows
> >>>>the kadmin doing a tcp connection to the kadmind, then doing
> >>>>a DNS lookup of the host name, then closing the connection. No user
> >>>>data was sent only SYN, ACK and FIN. See attachment.
> >>>>
> >>>>I am using a test realm and KDC on a separate machine that is in
> >>>>another realm. I was using the KRB5_CONFIG to point at my test
> >>>>krb5.conf on both the client and server. Once I added
> >>>>on the kadmin client <kdc.fqdn> = TEST.KRB5.ANL.GOV to the
> >>>>[domain_realm] it started working!
> >>>>
> >>>>--
> >>>>
> >>>> Douglas E. Engert <DEEngert at anl.gov>
> >>>> Argonne National Laboratory
> >>>> 9700 South Cass Avenue
> >>>> Argonne, Illinois 60439
> >>>> (630) 252-5444
> >>>>
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
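The [domain_realm] mapping suggested in the thread, as an added example that is not part of the original messages: a constructed krb5.conf fragment plus a small Python model of the documented lookup order (exact host name first, then each parent domain with a leading dot, then the realm guessed from the host's DNS domain). The host and realm names are made up, and the resolver is a simplified illustration of the documented rules, not MIT's own code, which may also ask the client's KDC for a referral before falling back to the DNS guess.

```python
import re

# Constructed krb5.conf fragment (not from the thread). The kadmind host sits
# under test.example.org but belongs to the realm TEST.REALM, which is the
# situation the thread describes: DNS domain and realm name do not agree.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = TEST.REALM

[domain_realm]
    kdc.test.example.org = TEST.REALM
    .prod.example.org = PROD.EXAMPLE.ORG
"""

_SECTION_RE = re.compile(r"^\[(\w+)\]$")

def parse_sections(conf_text):
    """Minimal krb5.conf reader for flat sections: {section: {key: value}}."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value  # host/domain keys are compared lower-cased
    return sections

def host_realm(hostname, domain_realm, default_realm=None):
    """Resolve a host's realm in the documented [domain_realm] order (a
    simplified model of the library, an assumption). Returns (realm, how)."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:                      # 1. exact host name entry
        return domain_realm[host], "host"
    labels = host.split(".")
    for i in range(1, len(labels)):               # 2. parent domains, longest first
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix], "domain"
    if len(labels) > 1:                           # 3. guess from the DNS domain
        return ".".join(labels[1:]).upper(), "dns-fallback"
    return default_realm, "default_realm"         # 4. single-label host

if __name__ == "__main__":
    conf = parse_sections(SAMPLE_KRB5_CONF)
    for h in ("kdc.test.example.org", "web.test.example.org", "db1.prod.example.org"):
        print(h, "->", host_realm(h, conf["domain_realm"], conf["libdefaults"]["default_realm"]))
```

Without the explicit host entry, `kdc.test.example.org` would resolve through the DNS fallback to `TEST.EXAMPLE.ORG` rather than `TEST.REALM`, which is the mismatch the thread is chasing.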