Trying to get Kerberos5 with Solaris 10.

Mukarram Syed muksyed at stanford.edu
Tue Apr 1 17:20:53 EDT 2008


Thanks Douglas for the response.

>What version of Kerberos?
>How do you know you are successful?

Kerberos5, don't know the exact version.  The way I know that I am
successful is that I could do a kinit, klist and kdestroy.
 
>Do you have that principal in the KDC database? Why is the realm name
>in lowercase? Kerberos is case sensitive, and usually has uppercase realm
>names.

Yes that principal is in the KDC database.  I have confirmed this with the
Kerberos server admins.  The realm name is in lowercase.

>If you fixed it then what problem are you seeing?

What I meant by this is that I have gone through this error and I have put
the server's FQDN in the /etc/hosts file and the server name/IP matches that
with the DNS entry.


My question is if anyone has successfully installed krb5 on Solaris10 with
PAM and OpenSSH.  

The problem I was having was that I couldn't ssh into the server.  The ksu
gives the error that I mentioned below.  I installed Stanford Kerberos Stow
packages in Solaris 10 and was trying to use that, but someone told me I
could use Solaris10's native Kerberos as you just did.

I don't know what needs to be done with PAM to work with Stanford's
Kerberos5 and SSH.

If any of you have any suggestions I'd appreciate it.

I'll reinstall Solaris10 and use the native Kerberos5, modify the krb5.conf
etc. and let you know how things progress.

Thanks.

# mukarram.



-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Tuesday, April 01, 2008 1:08 PM
To: Mukarram Syed
Cc: kerberos at mit.edu
Subject: Re: Trying to get Kerberos5 with Solaris 10.



Mukarram Syed wrote:
> Any help regarding this would be appreciated.  We are pretty much stuck.
> 
> Thanks
> 
>  # mukarram
> 
> From: Mukarram Syed [mailto:muksyed at stanford.edu] 
> Sent: Wednesday, March 26, 2008 5:12 PM
> To: 'kerberos at mit.edu'
> Subject: Trying to get Kerberos5 with Solaris 10.
> 
> Hi,
> 
> I am trying to install krb5 on Solaris 10 and have been rather successful.

What version of Kerberos?
How do you know you are successful?

> But I am running into some problems, hence this email.
> 
> I could login to the box using a local account.  I could then "kinit
> username" and I get my kerberos tokens and I could view them via "kinit".
> I could also do a "kdestroy"

Note: Solaris 10 has Kerberos too. Are you using the Solaris commands
in /usr/bin? (but not ksu.)

> 
> However when I do a "ksu", I get the following error:
> 
> bash-3.00$ ksu
> WARNING: Your password may be exposed if you enter it here and are logged
>          in remotely using an unsecure (non-encrypted) channel.
> Kerberos password for username/root at stanford.edu: :
> 

Do you have that principal in the KDC database? Why is the realm name
in lowercase? Kerberos is case sensitive, and usually has uppercase realm
names.

> ksu: Server not found in Kerberos database while geting credentials from kdc
> Authentication failed.
> 
> I checked the krb5.keytab which I have downloaded with wallet and installed
> it.
> 
> I have also checked google and this error usually appears when there is a
> FQDN problem.  I have checked this and fixed this problem.
> 

If you fixed it then what problem are you seeing?

> The below clip is from this link:
> 
> http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#misc_2
> 
> ---CLIP START---
> 
> (various clients): Requesting host principal without fully-qualified domain
> name
> 
> ksu: Server not found in Kerberos database while getting credentials from kdc
> 
> ksu: Incorrect net address while geting credentials from kdc
> 
> I've seen this caused because the host uses /etc/hosts to resolve name
> lookups before dns and the line for the host in /etc/hosts contains the
> un-fully qualified domain name before the fully-qualified one.
> 
> For example /etc/hosts might contain:
> 
> 141.142.1.1              trepid trepid.ncsa.uiuc.edu
> 
> Change this to:
> 
> 141.142.1.1              trepid.ncsa.uiuc.edu trepid
> 
> I have also seen this problem caused by the /etc/hosts has a different IP
> address in it for a host from what the DNS server has (using an nslookup).
> 
> ---CLIP END---
> 
> I don't know what else could be the issue.
> 
> Also when I try to login to the box using my krb password, I get permission
> denied errors even though I have populated my ~/.k5login file with
> username at stanford.edu
> 
> Appreciate the advice.
> 
> Thanks
> 
> # mukarram syed.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
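
Added example, not part of the original thread: a small shell check for the /etc/hosts ordering problem described in the quoted clip (short name listed before the fully-qualified name), which makes clients request a host principal the KDC does not have. The function names and the second sample host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find /etc/hosts entries whose first
# name is the short name while the FQDN appears only as a later alias.

# Reads hosts-format text from the files given as arguments (or stdin).
# Prints "<line>: <addr> lists <short> before <fqdn>" for each suspect entry
# and returns 1 if any were found, 0 otherwise.
check_hosts_order() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF < 3 { next }                    # need address, name and an alias
        index($2, ".") > 0 { next }        # first name already qualified
        {
            for (i = 3; i <= NF; i++) {
                # alias is "<short>.<domain>": the FQDN should come first
                if (index($i, $2 ".") == 1) {
                    printf "%d: %s lists %s before %s\n", NR, $1, $2, $i
                    bad = 1
                    break
                }
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the two forms quoted in the clip plus a loopback line.
sample_hosts() {
    cat <<'EOF'
127.0.0.1    localhost
141.142.1.1  trepid trepid.ncsa.uiuc.edu      # short name first
141.142.1.2  trepid2.ncsa.uiuc.edu trepid2    # FQDN first
EOF
}

# Demo on the sample; on a real host run: check_hosts_order /etc/hosts
sample_hosts | check_hosts_order || echo "fix the entries listed above"
```

The check covers only the ordering case; the other cause named in the clip, an /etc/hosts address that differs from DNS, still has to be compared against an nslookup of the FQDN.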



