Trying to get Kerberos5 with Solaris 10.

Douglas E. Engert deengert at anl.gov
Tue Apr 1 16:08:28 EDT 2008 


Mukarram Syed wrote:
> Any help regarding this would be appreciated.  We are pretty much stuck.
> 
>  
> 
> Thanks
> 
>  
> 
>  # mukarram
> 
>  
> 
>   _____  
> 
> From: Mukarram Syed [mailto:muksyed at stanford.edu] 
> Sent: Wednesday, March 26, 2008 5:12 PM
> To: 'kerberos at mit.edu'
> Subject: Trying to get Kerberos5 with Solaris 10.
> 
>  
> 
> Hi,
> 
>  
> 
> I am trying to install krb5 on Solaris 10 and have been rather successful.

What version of Kerberos?
How do you know you are successful?

> But I am running into some problems, hence this email.
> 
> I could login to the box using a local account.  I could then "kinit
> username" and I get my kerberos tokens and I could view them via "kinit".  I
> could also do a "kdestroy" 

Note: Solaris 10 has Kerberos too. Are you using the Solaris commands
in /usr/bin? (but not ksu.)

> 
> However when I do a "ksu", I get the following error:
> 
>  
> 
> bash-3.00$ ksu
> 
> WARNING: Your password may be exposed if you enter it here and are logged 
> 
>          in remotely using an unsecure (non-encrypted) channel. 
> 
> Kerberos password for username/root at stanford.edu: : 
> 

Do you have that principal in the KDC database? Why is the realm name
in lowercase? Kerberos is case sensitive, and usually has uppercase realm names.

> ksu: Server not found in Kerberos database while geting credentials from kdc
> Authentication failed.
> 
>  
> 
> I checked the krb5.keytab which I have downloaded with wallet and installed
> it.
> 
> I have also checked google
> 
> and this error usually appears when there is a FQDN problem.  I have checked
> this and fixed this problem.
> 

If you fixed it then what problem are you seeing?

> The below clip is from this link:
> 
> http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshootin
> g.html#misc_2
> 
>  
> 
> ---CLIP START---
> 
>  
> 
> (various clients): Requesting host principal without fully-qualified domain
> name
> 
> ksu: Server not found in Kerberos database while getting credentials from
> kdc
> 
> ksu: Incorrect net address while geting credentials from kdc
> 
>  
> 
> I've seen this caused because the host uses /etc/hosts to resolve name
> lookups before dns and the line for the host in /etc/hosts contains the
> un-fully qualified domain name before the fully-qualified one.
> 
>  
> 
> For example /etc/hosts might contain:
> 
>  
> 
> 141.142.1.1              trepid trepid.ncsa.uiuc.edu
> 
>  
> 
> Change this to:
> 
>  
> 
> 141.142.1.1              trepid.ncsa.uiuc.edu trepid
> 
>  
> 
> I have also seen this problem caused by the /etc/hosts has a different IP
> address in it for a host from what the DNS server has (using an nslookup).
> 
>  
> 
> ---CLIP END---
> 
>  
> 
> I don't know what else could be the issue.
> 
>  
> 
> Also when I try to login to the box using my krb password, I get permission
> denied errors even though I have populated my ~/.k5login file with
> username at stanford.edu
> 
>  
> 
> Appreciate the advice.
> 
>  
> 
> Thanks
> 
>  
> 
> # mukarram syed.
> 
>  
> 
>  
> 
>  
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list