Solaris K5, MIT K5 compatibility issues
Mike Friedman
mikef at ack.berkeley.edu
Tue Aug 7 19:12:59 EDT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I know this has been discussed here a lot over the years, but until now it
hasn't been an issue for me. My question is, what are the compatibility
issues between Solaris (in particular Solaris 10) clients and an MIT K5
KDC?
More specifically, I've just put up a test KDC using MIT's 1.6.2 (with no
mods). I'm also working in a test Solaris 10 environment in which MIT K5
hasn't yet been installed. We're trying, for some application testing
that needs to be done before we can set up a production environment, to
run the Solaris 10 supplied kadmin (and API code derived from kadmin)
against the MIT 1.6.2 KDC.
My initial expectation was that kadmin wouldn't work, because of the
discussion I've seen here about incompatible RPCs. So I was surprised,
last week, when Solaris (/usr/sbin/) kadmin appeared to work just fine,
against our production KDC: MIT 1.4.2.
Today, however, I tried Solaris kadmin against my test 1.6.2 KDC and got
this message, after authenticating:
GSS-API (or Kerberos) error while initializing kadmin interface
As no error was logged in the (MIT) KDC, I figured this meant the problem
was on the client side, or else at a lower layer that the KDC daemons
wouldn't log.
It happens that I built my 1.4.2 statically linked, on a Solaris 8 system,
so I copied over the kadmin binary to the Solaris 10 system and used it
against the 1.6.2 KDC, with success.
So, it appears that Solaris 10 kadmin libraries are more compatible with a
1.4.2 KDC than with 1.6.2, which seems counter-intuitive. (I would have
expected compatibility to be improved with later versions of both Kerberos
implementations).
I've probably missed some recent discussion on this, but now I want to
find out what the actual story is on Solaris/MIT kadmin compatibility.
Any clarification would be appreciated.
Thanks.
Mike
_________________________________________________________________________
Mike Friedman Information Services & Technology
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://socrates.berkeley.edu/~mikef http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBRrj8f60bf1iNr4mCEQJOQgCg8IQrrmu76NyQhF8bLqk6kGGTi/4An0M1
DzZObLwttyljylsSQO98iHlK
=HbKA
-----END PGP SIGNATURE-----
More information about the Kerberos
mailing list