Solaris K5, MIT K5 compatibility issues

Mike Friedman mikef at ack.berkeley.edu
Tue Aug 7 19:12:59 EDT 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I know this has been discussed here a lot over the years, but until now it 
hasn't been an issue for me.  My question is, what are the compatibility 
issues between Solaris (in particular Solaris 10) clients and an MIT K5 
KDC?

More specifically, I've just put up a test KDC using MIT's 1.6.2 (with no 
mods).  I'm also working in a test Solaris 10 environment in which MIT K5 
hasn't yet been installed.  We're trying, for some application testing 
that needs to be done before we can set up a production environment, to 
run the Solaris 10 supplied kadmin (and API code derived from kadmin) 
against the MIT 1.6.2 KDC.

My initial expectation was that kadmin wouldn't work, because of the 
discussion I've seen here about incompatible RPCs.  So I was surprised, 
last week, when Solaris (/usr/sbin/) kadmin appeared to work just fine, 
against our production KDC:  MIT 1.4.2.

Today, however, I tried Solaris kadmin against my test 1.6.2 KDC and got 
this message, after authenticating:

   GSS-API (or Kerberos) error while initializing kadmin interface

As no error was logged in the (MIT) KDC, I figured this meant the problem 
was on the client side, or else at a lower layer that the KDC daemons 
wouldn't log.

It happens that I built my 1.4.2 statically linked, on a Solaris 8 system, 
so I copied over the kadmin binary to the Solaris 10 system and used it 
against the 1.6.2 KDC, with success.

So, it appears that Solaris 10 kadmin libraries are more compatible with a 
1.4.2 KDC than with 1.6.2, which seems counter-intuitive. (I would have 
expected compatibility to be improved with later versions of both Kerberos 
implementations).

I've probably missed some recent discussion on this, but now I want to 
find out what the actual story is on Solaris/MIT kadmin compatibility.

Any clarification would be appreciated.

Thanks.

Mike

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef at ack.Berkeley.EDU               2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://socrates.berkeley.edu/~mikef  http://ist.berkeley.edu
_________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBRrj8f60bf1iNr4mCEQJOQgCg8IQrrmu76NyQhF8bLqk6kGGTi/4An0M1
DzZObLwttyljylsSQO98iHlK
=HbKA
-----END PGP SIGNATURE-----

More information about the Kerberos mailing list