KRB5 & Sun Solaris 9

Will Fiveash William.Fiveash at Sun.COM
Thu Apr 23 11:35:56 EDT 2009


On Wed, Apr 22, 2009 at 03:12:51PM -0500, McGranahan, Jamen wrote:
> 
> 
> What options to configure did you use?
> -- $ ./configure CC=gcc --prefix=/usr/local/krb5-1.6.3
> 
> Where is the krb5.conf?
> -- /etc/krb5

/etc/krb5 is where the native Solaris krb5.conf file exists.  By default
MIT krb looks for /etc/krb5.conf not /etc/krb5/krb5.conf.  You should
also take care not to mix and match use of native Solaris services that
use native Solaris krb while using MIT krb on the same system.  For
example it's best to avoid using the native Solaris pam_krb5.so.1 module
when one is using some version of MIT krb kinit on the system.  

In general, I'd suggest using the native Solaris krb support unless you
need a feature not supported by that krb (more on this below).

> Is it world readable?
> -- unknown
> 
> Firewall issues?
> -- I've wondered about that, but thought I would check here first.
> 
> Is your realm name DS.VANDERBILT.EDU?
> -- yes
> 
> Is the KDC for DS.VANDERBILT.EDU Windows AD?
> -- yes (I've got 2 other Sun boxes set up already with the same settings,
> but they're running Sun Solaris 10)

One issue we've seen when a MS AD is the KDC is that the AD may use TCP
to send krb messages depending on how large the message is.  This is a
problem for Solaris 9 krb which only expects UDP to be used for krb
messages.  This issue has been addressed in Solaris 10 and OpenSolaris
along with a number of krb related enhancements.  The 1.6 MIT krb also
supports this so I can understand why one may want to use MIT krb in
this situation but you may want to consider upgrading Solaris.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
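
The config-path mismatch described in the reply above (MIT krb5 reading /etc/krb5.conf while the native Solaris file lives in /etc/krb5/krb5.conf) can be checked with a short script. This is an added example, not part of the original message: the function name check_krb5_conf and its ROOT staging-prefix argument are assumptions made for illustration, while KRB5_CONFIG is MIT krb5's environment override for the config path.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a hypothetical staging prefix;
# leave it empty to inspect the live system.
# Return codes: 0 ok, 1 only the native Solaris file exists, 2 no file,
#               3 file exists but is not world-readable.
check_krb5_conf() {
    root=${1:-}
    mit="$root/etc/krb5.conf"          # where MIT krb5 looks by default
    native="$root/etc/krb5/krb5.conf"  # where native Solaris krb keeps it

    # KRB5_CONFIG overrides MIT's default path (treated here as a single path).
    conf=${KRB5_CONFIG:-$mit}

    if [ ! -f "$conf" ]; then
        if [ -f "$native" ]; then
            echo "MIT krb5 would read $conf (missing); native file is $native"
            echo "hint: set KRB5_CONFIG or install a config at $mit"
            return 1
        fi
        echo "no krb5.conf at $conf or $native"
        return 2
    fi

    # Unprivileged users running kinit must be able to read the file.
    # Character 8 of the ls mode string is the "other" read bit.
    if [ "$(ls -ldL "$conf" | cut -c8)" != "r" ]; then
        echo "$conf is not world-readable"
        return 3
    fi

    # Show the realm the MIT tools will default to.
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    echo "MIT krb5 reads $conf (default_realm=${realm:-unset})"
    return 0
}
```

Run it as `check_krb5_conf` with no argument on the host in question; a return code of 1 is the situation the reply describes.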