Solaris 10 kadmin client
Will Fiveash
william.fiveash at sun.com
Tue Mar 1 13:17:03 EST 2005
On Tue, Mar 01, 2005 at 12:20:54PM +0000, Ian Grant wrote:
> Dear Kerberos types
>
> I am having trouble with Sun's Solaris 10 kadmin client. When run it
> tries to authenticate to the service principal kadmin/kdc.example.com,
> contrary to the man page's statement that it " ... authenticates the
> user to the Kerberos administration server, kadmind, whose service
> principal is kadmin/admin." There is no mention in Sun's documentation
> on how to set this to something different (my heimdal kadmind has
> associated principal kadmin/admin.) Does anyone have an explanation
> for this behaviour? Here's my /etc/krb5/krb5.conf on the Solaris 10

Here's what the S10 'man kadmin' states:

     -p principal
         Authenticate principal to the kadmin/admin service. Otherwise,
         kadmin will append /admin to the primary principal name of the
         default credentials cache, the value of the USER environment
         variable, or the username as obtained with getpwuid, in that
         order of preference.

so if you run kadmin without -p then it's trying to authenticate
your_user_ID/admin as the admin principal. If you have a principal that
is authorized to use kadmin (see 'man kadm5.acl') then you can do:

    kadmin -p <admin-princ>

Note, Solaris kadmin uses secure RPC and does not interoperate with
MIT's kadmind. I'm betting the same holds for Heimdal kadmind. If you
are trying to create a keytab for the Solaris system using a Heimdal
KDC, create the keytab on the Heimdal box, securely transfer it to the
Solaris box and name it /etc/krb5/krb5.keytab (readable only by root).

Note, I am assuming the Heimdal keytab format is compatible with the
Solaris keytab format (Solaris Kerberos is based on MIT).

You can test this by (running as root) doing a kinit -k <keytab-princ>
and then klist to make sure you successfully got a credential for one of
the principals in the keytab.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
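
An added example, not part of the original message or of any Kerberos distribution: a Python pre-check for a transferred keytab that lists its principals without printing key material and tests the "readable only by root" condition, run before the kinit -k test described above. It assumes the MIT file keytab layout, version 0x0502; the principal and all-zero key in sample_keytab are constructed.

```python
import stat
import struct

def _counted(buf, off):
    """Read a 16-bit length-prefixed field; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, off = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _ntype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen              # skip the key bytes; never print them
        if end - off >= 4:            # optional 32-bit kvno trailer
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def perm_problems(uid, mode):
    """Check 'readable only by root' from os.stat() st_uid / st_mode."""
    checks = [(uid != 0, "not owned by root"),
              (mode & (stat.S_IRWXG | stat.S_IRWXO), "group/other access bits set")]
    return [msg for bad, msg in checks if bad]

def sample_keytab():
    """Constructed sample: one entry with an all-zero dummy key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"EXAMPLE.COM") + cs(b"host")
            + cs(b"solaris.example.com") + struct.pack(">IIBH", 1, 0, 3, 17)
            + cs(bytes(16)) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On a real system, pass the bytes of /etc/krb5/krb5.keytab to parse_keytab and the st_uid and st_mode from os.stat() to perm_problems.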