Solaris K5, MIT K5 compatibility issues
Will Fiveash
William.Fiveash at sun.com
Thu Aug 9 22:32:31 EDT 2007
On Tue, Aug 07, 2007 at 04:12:59PM -0700, Mike Friedman wrote:
> I know this has been discussed here a lot over the years, but until now it
> hasn't been an issue for me. My question is, what are the compatibility
> issues between Solaris (in particular Solaris 10) clients and an MIT K5
> KDC?
>
> More specifically, I've just put up a test KDC using MIT's 1.6.2 (with no
> mods). I'm also working in a test Solaris 10 environment in which MIT K5
> hasn't yet been installed. We're trying, for some application testing
> that needs to be done before we can set up a production environment, to
> run the Solaris 10 supplied kadmin (and API code derived from kadmin)
> against the MIT 1.6.2 KDC.
>
> My initial expectation was that kadmin wouldn't work, because of the
> discussion I've seen here about incompatible RPCs. So I was surprised,
> last week, when Solaris (/usr/sbin/) kadmin appeared to work just fine,
> against our production KDC: MIT 1.4.2.
>
> Today, however, I tried Solaris kadmin against my test 1.6.2 KDC and got
> this message, after authenticating:
>
> GSS-API (or Kerberos) error while initializing kadmin interface
>
> As no error was logged in the (MIT) KDC, I figured this meant the problem
> was on the client side, or else at a lower layer that the KDC daemons
> wouldn't log.
>
> It happens that I built my 1.4.2 statically linked, on a Solaris 8 system,
> so I copied over the kadmin binary to the Solaris 10 system and used it
> against the 1.6.2 KDC, with success.
>
> So, it appears that Solaris 10 kadmin libraries are more compatible with a
> 1.4.2 KDC than with 1.6.2, which seems counter-intuitive. (I would have
> expected compatibility to be improved with later versions of both Kerberos
> implementations).
>
> I've probably missed some recent discussion on this, but now I want to
> find out what the actual story is on Solaris/MIT kadmin compatibility.
>
> Any clarification would be appreciated.

This is a long-standing issue between MIT and Sun regarding the
kadmin-related principals. For more, read:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=3064

The workaround on Solaris 10 is to set:

    kpasswd_protocol = SET_CHANGE

in krb5.conf. Other than this, Solaris 10 should be very compatible with
an MIT KDC.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
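
A way to check which realms in a krb5.conf carry the workaround described above. This is an added example, not part of the original message; it assumes the setting is placed in the realm's stanza under [realms], and the realm and host names in the sample are constructed.

```python
import sys

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[realms]
    TEST.EXAMPLE.COM = {
        kdc = kdc-test.example.com
        kpasswd_protocol = SET_CHANGE
    }
    PROD.EXAMPLE.COM = {
        kdc = kdc-prod.example.com
    }

[domain_realm]
    .example.com = PROD.EXAMPLE.COM
"""

def realm_settings(text):
    """Parse [realms] ('REALM = {' ... '}' layout) into {realm: {key: [values]}}."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].strip(), None
        elif section != "realms":
            continue
        elif line.startswith("}"):               # end of a realm stanza
            current = None
        else:
            key, sep, value = (p.strip() for p in line.partition("="))
            if sep and current is None and value.startswith("{"):
                current = realms.setdefault(key, {})
            elif sep and current is not None:
                current.setdefault(key, []).append(value)
    return realms

def realms_missing_set_change(text):
    """Realms whose stanza does not set kpasswd_protocol = SET_CHANGE."""
    return sorted(
        realm for realm, kv in realm_settings(text).items()
        if set(kv.get("kpasswd_protocol", [])) != {"SET_CHANGE"}
    )

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for realm in realms_missing_set_change(conf):
        print(f"{realm}: kpasswd_protocol = SET_CHANGE not set")
```

Run it with the path to a client's krb5.conf as the only argument; with no argument it checks the embedded sample.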