Solaris 10 kadmin client

Will Fiveash william.fiveash at sun.com
Tue Mar 1 13:17:03 EST 2005


On Tue, Mar 01, 2005 at 12:20:54PM +0000, Ian Grant wrote:
> Dear Kerberos types
> 
> I am having trouble with Sun's Solaris 10 kadmin client. When run it
> tries to authenticate to the service principal kadmin/kdc.example.com,
> contrary to the man page's statement that it " ... authenticates  the
> user to the Kerberos administration server, kadmind, whose service
> principal is kadmin/admin." There is no mention in Sun's documentation
> on how to set this to something different (my heimdal kadmind has
> associated principal kadmin/admin.) Does anyone have an explanation
> for this behaviour? Here's my /etc/krb5/krb5.conf on the Solaris 10

Here's what the S10 'man kadmin' states:

     -p principal

         Authenticate principal to the kadmin/admin service.
         Otherwise, kadmin will append /admin to the primary
         principal name of the default credentials cache, the
         value of the USER environment variable, or the username
         as obtained with getpwuid, in that order of preference.

so if you run kadmin without -p then it's trying to authenticate
your_user_ID/admin as the admin principal.  If you have a principal that
is authorized to use kadmin (see 'man kadm5.acl') then you can do:
kadmin -p <admin-princ>

Note, Solaris kadmin uses secure RPC and does not interoperate with
MIT's kadmind.  I'm betting the same holds for Heimdal kadmind.  If you
are trying to create a keytab for the Solaris system using a Heimdal
KDC, create the keytab on the Heimdal box, securely transfer it to the
Solaris box and name it /etc/krb5/krb5.keytab (readable only by root).
Note, I am assuming the Heimdal keytab format is compatible with the
Solaris keytab format (Solaris Kerberos is based on MIT).
You can test this by (running as root) doing a kinit -k <keytab-princ>
and then klist to make sure you successfully got a credential for one of
the principals in the keytab.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
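
An added example, not part of the original message and not Sun, MIT or Heimdal code: a pre-check to run on a transferred keytab before the `kinit -k` test described above. It confirms the file header is the MIT keytab file format version 0x0502, lists the principals it holds, and reports whether the file is accessible to anyone other than root. Assumptions: the keytab in question uses that file format; the sample bytes and the principal `host/sol10.example.com@EXAMPLE.COM` are constructed for illustration.

```python
import os, stat, struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab: %r" % data[:2])
    def counted(p):  # 16-bit big-endian length, then that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # negative size marks a deleted entry: skip its bytes
            if size == 0:
                break
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry at offset %d" % pos)
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        # name type, timestamp, 8-bit kvno, enctype, key length
        _nt, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen
        if end - p >= 4:  # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def mode_problems(path):
    """Reasons the file is not 'readable only by root' (empty list = OK)."""
    st, problems = os.stat(path), []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other access, mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        problems.append("owner uid %d is not root" % st.st_uid)
    return problems

# Constructed sample: one entry, all-zero 32-byte key, hypothetical principal.
_s = lambda b: struct.pack(">H", len(b)) + b
_body = (struct.pack(">H", 2) + _s(b"EXAMPLE.COM") + _s(b"host") + _s(b"sol10.example.com")
         + struct.pack(">IIBH", 1, 0, 3, 18) + _s(b"\x00" * 32) + struct.pack(">I", 3))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

On the Solaris box this would be called as `parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read())` and `mode_problems("/etc/krb5/krb5.keytab")`; a clean result only shows the file is well-formed and protected, so the `kinit -k` and `klist` test is still what proves the keys match the KDC.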

