KRB5 & Sun Solaris 9

McGranahan, Jamen jamen.mcgranahan at Vanderbilt.Edu
Fri Apr 24 15:50:47 EDT 2009


Error: 
lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj@DS.VANDERBILT.EDU
Kerberos initialization on lib240
kinit: Can't send request (send_to_kdc) for principal mcgranj@DS.VANDERBILT.EDU

Ldd command:
lib240:/usr/local/krb5-1.6.3/bin#ldd kinit
        libkrb4.so.2 =>  /usr/local/krb5-1.6.3/lib/libkrb4.so.2
        libdes425.so.3 =>        /usr/local/krb5-1.6.3/lib/libdes425.so.3
        libkrb5.so.3 =>  /usr/local/krb5-1.6.3/lib/libkrb5.so.3
        libk5crypto.so.3 =>      /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
        libcom_err.so.3 =>       /usr/local/krb5-1.6.3/lib/libcom_err.so.3
        libkrb5support.so.0 =>   /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
        libresolv.so.2 =>        /lib/libresolv.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libc.so.1 =>     /lib/libc.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1

Krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DS.VANDERBILT.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 udp_preference_limit = 1

[realms]
 DS.VANDERBILT.EDU = {
  kdc = 129.59.1.26
  admin_server = ds.vanderbilt.edu
  default_domain = vanderbilt.edu
 }
 VANDERBILT.EDU = {
  kdc = ds.vanderbilt.edu
  admin_server = ds.vanderbilt.edu
  default_domain = vanderbilt.edu
 }

[domain_realm]
.vanderbilt.edu = DS.VANDERBILT.EDU
vanderbilt.edu = DS.VANDERBILT.EDU

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

kinit = {
  renewable = true
  forwardable = true
}

-------------------

Jamen McGranahan
Systems Services Librarian
Vanderbilt University


-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Douglas E. Engert
Sent: Friday, April 24, 2009 2:33 PM
To: Jamen
Cc: kerberos at mit.edu
Subject: Re: KRB5 & Sun Solaris 9



Jamen wrote:
> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
> will not work with Samba on Solaris 9. I've been told that there is a
> version on 10 that does work, but I couldn't get it to work on our
> box, but did with MIT's. Our goal is to create share drives on these
> servers through Active Directory, and we're utilizing Samba, KRB, and
> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
> all of the resources, but Kerberos fails when I issue the kinit
> command. 

The MIT kinit should work. What is the error again?
What does
ldd /usr/local/krb5-1.6.3/bin/kinit
show?

You have not sent a copy of the krb5.conf to the list,
are you willing to do so? Or to selected individuals?

As Will said below, it might be a UDP/TCP issue.
Have you added a udp_preference_limit = 1
to the [libdefaults] section? This says prefer UDP
if the packet size is less than 1. In other words
always use TCP.

Wireshark (or other network trace program) can be very handy
to see packets sent by kinit, and to where it is sending
them. It will also show DNS activity trying to locate the KDCs.
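
Added example (not part of the original thread and not MIT's code): a small Python model of what the reply above describes, showing which KDC addresses, transport order and DNS SRV names to expect in a packet trace for a given krb5.conf. The function names, the 200-byte request size in the usage note and the sample text are assumptions made for illustration; 1465 is the MIT default for udp_preference_limit when the option is absent.

```python
# Constructed sample: the relevant lines of the krb5.conf posted in this thread.
SAMPLE_CONF = """\
[libdefaults]
 default_realm = DS.VANDERBILT.EDU
 dns_lookup_kdc = true
 udp_preference_limit = 1

[realms]
 DS.VANDERBILT.EDU = {
  kdc = 129.59.1.26
  admin_server = ds.vanderbilt.edu
 }
"""

DEFAULT_UDP_PREFERENCE_LIMIT = 1465  # MIT krb5 default when the option is absent

def parse_krb5_conf(text):
    """Return {section: {key: [values] or {subkey: [values]}}} (hypothetical helper)."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None  # end of a "name = { ... }" block
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf

def kdc_plan(conf, request_size):
    """Describe where and how a request of request_size bytes would be sent."""
    lib = conf.get("libdefaults", {})
    realm = lib["default_realm"][0]
    limit = int(lib.get("udp_preference_limit", [DEFAULT_UDP_PREFERENCE_LIMIT])[0])
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    # TCP is tried first when the request is larger than the limit; the other
    # transport is still tried if the first attempt fails.
    order = ["tcp", "udp"] if request_size > limit else ["udp", "tcp"]
    srv = []
    # SRV lookups are only needed when [realms] lists no kdc for the realm.
    if not kdcs and lib.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "on", "1"):
        srv = [f"_kerberos._{proto}.{realm}" for proto in order]
    return {"realm": realm, "kdcs": kdcs, "order": order, "srv_lookups": srv}
```

Calling kdc_plan(parse_krb5_conf(SAMPLE_CONF), 200) gives TCP first to 129.59.1.26 with no SRV lookups, so a trace filtered on that host and port 88 should show a TCP connection attempt rather than DNS queries for the KDC.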




