Solaris K5, MIT K5 compatibility issues

Will Fiveash William.Fiveash at sun.com
Thu Aug 9 22:32:31 EDT 2007


On Tue, Aug 07, 2007 at 04:12:59PM -0700, Mike Friedman wrote:
> I know this has been discussed here a lot over the years, but until now it 
> hasn't been an issue for me.  My question is, what are the compatibility 
> issues between Solaris (in particular Solaris 10) clients and an MIT K5 
> KDC?
> 
> More specifically, I've just put up a test KDC using MIT's 1.6.2 (with no 
> mods).  I'm also working in a test Solaris 10 environment in which MIT K5 
> hasn't yet been installed.  We're trying, for some application testing 
> that needs to be done before we can set up a production environment, to 
> run the Solaris 10 supplied kadmin (and API code derived from kadmin) 
> against the MIT 1.6.2 KDC.
> 
> My initial expectation was that kadmin wouldn't work, because of the 
> discussion I've seen here about incompatible RPCs.  So I was surprised, 
> last week, when Solaris (/usr/sbin/) kadmin appeared to work just fine, 
> against our production KDC:  MIT 1.4.2.
> 
> Today, however, I tried Solaris kadmin against my test 1.6.2 KDC and got 
> this message, after authenticating:
> 
>    GSS-API (or Kerberos) error while initializing kadmin interface
> 
> As no error was logged in the (MIT) KDC, I figured this meant the problem 
> was on the client side, or else at a lower layer that the KDC daemons 
> wouldn't log.
> 
> It happens that I built my 1.4.2 statically linked, on a Solaris 8 system, 
> so I copied over the kadmin binary to the Solaris 10 system and used it 
> against the 1.6.2 KDC, with success.
> 
> So, it appears that Solaris 10 kadmin libraries are more compatible with a 
> 1.4.2 KDC than with 1.6.2, which seems counter-intuitive. (I would have 
> expected compatibility to be improved with later versions of both Kerberos 
> implementations).
> 
> I've probably missed some recent discussion on this, but now I want to 
> find out what the actual story is on Solaris/MIT kadmin compatibility.
> 
> Any clarification would be appreciated.

This is a long-standing issue between MIT and Sun regarding the
kadmin-related principals.  For more, read:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=3064

The workaround on Solaris 10 is to set:

    kpasswd_protocol = SET_CHANGE

in krb5.conf.  Other than this, Solaris 10 should be very compatible with
an MIT KDC.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
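
An added example, not part of the original message: a Python check that reports which realms in a krb5.conf lack the kpasswd_protocol = SET_CHANGE workaround. It assumes the setting sits in the per-realm block of [realms], as documented in Solaris krb5.conf(4); the realm names, host names and function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.COM = {
        admin_server = kdc1.example.com
        kpasswd_protocol = SET_CHANGE
    }
    TEST.EXAMPLE.COM = {
        admin_server = kdc-test.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def realm_kpasswd_protocols(text):
    """Map each realm in [realms] to its kpasswd_protocol value (None if unset)."""
    result, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None  # new top-level section
        elif section != "realms":
            continue
        elif realm is None:
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)  # opening of a per-realm block
                result[realm] = None
        elif line.startswith("}"):
            realm = None  # end of the per-realm block
        else:
            key, _, value = line.partition("=")
            if key.strip() == "kpasswd_protocol":
                result[realm] = value.strip()
    return result

def realms_missing_set_change(text):
    """Realms not configured for SET_CHANGE (exact match assumed)."""
    protocols = realm_kpasswd_protocols(text)
    return sorted(r for r, v in protocols.items() if v != "SET_CHANGE")

if __name__ == "__main__":
    print(realms_missing_set_change(SAMPLE_KRB5_CONF))
```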


