Solaris 10 kadmin client

Ian Grant ian.grant at cl.cam.ac.uk
Wed Mar 2 05:06:21 EST 2005


On Tue, 2005-03-01 at 12:17 -0600, Will Fiveash wrote:
> On Tue, Mar 01, 2005 at 12:20:54PM +0000, Ian Grant wrote:
> > Dear Kerberos types
> > 
> > I am having trouble with Sun's Solaris 10 kadmin client. When run it
> > tries to authenticate to the service principal kadmin/kdc.example.com,
> > contrary to the man page's statement that it " ... authenticates the
> > user to the Kerberos administration server, kadmind, whose service
> > principal is kadmin/admin." There is no mention in Sun's documentation
> > on how to set this to something different (my heimdal kadmind has
> > associated principal kadmin/admin.) Does anyone have an explanation
> > for this behaviour? Here's my /etc/krb5/krb5.conf on the Solaris 10
> 
> Here's what the S10 'man kadmin' states:
> 
>      -p principal
> 
>          Authenticate principal to the kadmin/admin service. Oth-
>          erwise, kadmin will append /admin to the primary princi-
>          pal name of the default credentials cache, the value  of
>          the  USER  environment  variable,  or  the  username  as
>          obtained with getpwuid, in that order of preference.
> 
> so if you run kadmin without -p then it's trying to authenticate
> your_user_ID/admin as the admin principal.  If you have a principal that
> is authorized to use kadmin (see 'man kadm5.acl') then you can do:
> kadmin -p <admin-princ>

But the problem is not with the user principal, it is with the service
principal. Read my message again. There is an undocumented -O switch on
kadmind which (in krb5-1.4, which is all I have source code for) reverts
to KADM5_CONFIG_OLD_AUTH_GSSAPI and sets the service name to what one
would expect (kadmin/admin). I have tried giving this switch to the
Solaris kadmind without success:

bash-3.00# kadmin -O
Authenticating as principal someguy/admin at EXAMPLE.COM with password.
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

> Note, Solaris kadmin uses secure RPC and does not interoperate with
> MIT's kadmind.  I'm betting the same holds for Heimdal kadmind.  

That's not progress! Why can't it fall back to the MIT protocol?

> If you
> are trying to create a keytab for the Solaris system using a Heimdal
> KDC, create the keytab on the Heimdal box, securely transfer it to the
> Solaris box and name it /etc/krb5/krb5.keytab (readable only by root).
> Note, I'm assuming the Heimdal keytab format is compatible with the
> Solaris keytab format (Solaris Kerberos is based on MIT).
> You can test this by (running as root) doing a kinit -k <keytab-princ>
> and then klist to make sure you successfully got a credential for one of
> the principals in the keytab.

Thanks, I'll try this now. I'll also try building the heimdal kadmin
client on Solaris 10.
