KRB5 & Sun Solaris 9

Douglas E. Engert deengert at anl.gov
Fri Apr 24 15:32:36 EDT 2009



Jamen wrote:
> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
> will not work with Samba on Solaris 9. I've been told that there is a
> version on 10 that does work, but I couldn't get it to work on our
> box, but did with MIT's. Our goal is to create share drives on these
> servers through Active Directory, and we're utilizing Samba, KRB, and
> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
> all of the resources, but Kerberos fails when I issue the kinit
> command. 

The MIT kinit should work. What is the error again?
What does
ldd /usr/local/krb5-1.6.3/bin/kinit
show?

You have not sent a copy of the krb5.conf to the list,
are you willing to do so? Or to selected individuals?

As Will said below, it might be a UDP/TCP issue.
Have you added a udp_preference_limit = 1
to the [libdefaults] section? This says prefer UDP
if the packet size is less than 1. In other words
always use TCP.

Wireshark (or other network trace program) can be very handy
to see packets sent by kinit, and to where it is sending
them. It will also show DNS activity trying to locate the KDCs.


> Currently, we are not able to upgrade the box to 10 since it
> is a heavily used server. Any other guidance would be greatly
> appreciated!
> 
> Jamen McGranahan
> 
> ---------------------
> 
> One issue we've seen when a MS AD is the KDC is that the AD may use
> TCP to send krb messages depending on how large the message is.  This
> is a problem for Solaris 9 krb which only expects UDP to be used for
> krb messages.  This issue has been addressed in Solaris 10 and
> OpenSolaris along with a number of krb related enhancements.  The 1.6
> MIT krb also supports this so I can understand why one may want to use
> MIT krb in this situation but you may want to consider upgrading
> Solaris.
> --
> Will Fiveash
> Sun Microsystems Inc.
> http://opensolaris.org/os/project/kerberos/
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
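
Added example, not part of the original message or of MIT krb5: a small check that the udp_preference_limit setting discussed above is really in the [libdefaults] section of a krb5.conf, and which transport the rule as worded in the reply then picks first. The sample configuration, realm and host names are constructed, and the function names are hypothetical.

```python
import re

# Constructed krb5.conf text (realm and host names are placeholders).
SAMPLE_CONF = """\
# comment line
[libdefaults]
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

def udp_preference_limit(conf_text):
    """Return the integer udp_preference_limit from [libdefaults], or None
    if it is absent, misplaced in another section, or not a number."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.match(r"\[([^\]]+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "udp_preference_limit":
            # Assumption: the first occurrence wins if the relation repeats.
            return int(value) if value.isdigit() else None
    return None

def first_transport(limit, message_size):
    """Transport tried first, using the rule as worded in the reply:
    UDP when the message is smaller than the limit, otherwise TCP."""
    if limit is None:
        return "library default"
    return "UDP" if message_size < limit else "TCP"

if __name__ == "__main__":
    limit = udp_preference_limit(SAMPLE_CONF)
    print("udp_preference_limit:", limit)
    print("first transport for a 300-byte request:", first_transport(limit, 300))
```

A result of None means the setting is not taking effect from [libdefaults], for example because it was commented out or placed under [realms].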


