KRB5 & Sun Solaris 9
McGranahan, Jamen
jamen.mcgranahan at Vanderbilt.Edu
Fri Apr 24 15:50:47 EDT 2009
Error:
lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj at DS.VANDERBILT.EDU
Kerberos initialization on lib240
kinit: Can't send request (send_to_kdc) for principal
mcgranj at DS.VANDERBILT.EDU
Ldd command:
lib240:/usr/local/krb5-1.6.3/bin#ldd kinit
libkrb4.so.2 => /usr/local/krb5-1.6.3/lib/libkrb4.so.2
libdes425.so.3 => /usr/local/krb5-1.6.3/lib/libdes425.so.3
libkrb5.so.3 => /usr/local/krb5-1.6.3/lib/libkrb5.so.3
libk5crypto.so.3 => /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
libcom_err.so.3 => /usr/local/krb5-1.6.3/lib/libcom_err.so.3
libkrb5support.so.0 => /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libdl.so.1 => /lib/libdl.so.1
libc.so.1 => /lib/libc.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libmp.so.2 => /lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
Krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DS.VANDERBILT.EDU
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
udp_preference_limit = 1
[realms]
DS.VANDERBILT.EDU = {
    kdc = 129.59.1.26
    admin_server = ds.vanderbilt.edu
    default_domain = vanderbilt.edu
}
VANDERBILT.EDU = {
    kdc = ds.vanderbilt.edu
    admin_server = ds.vanderbilt.edu
    default_domain = vanderbilt.edu
}
[domain_realm]
.vanderbilt.edu = DS.VANDERBILT.EDU
vanderbilt.edu = DS.VANDERBILT.EDU
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
kinit = {
    renewable = true
    forwardable = true
}
-------------------
Jamen McGranahan
Systems Services Librarian
Vanderbilt University
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Douglas E. Engert
Sent: Friday, April 24, 2009 2:33 PM
To: Jamen
Cc: kerberos at mit.edu
Subject: Re: KRB5 & Sun Solaris 9
Jamen wrote:
> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
> will not work with Samba on Solaris 9. I've been told that there is a
> version on 10 that does work, but I couldn't get it to work on our
> box, but did with MIT's. Our goal is to create share drives on these
> servers through Active Directory, and we're utilizing Samba, KRB, and
> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
> all of the resources, but Kerberos fails when I issue the kinit
> command.
The MIT kinit should work. What is the error again?
What does
ldd /usr/local/krb5-1.6.3/bin/kinit
show?
You have not sent a copy of the krb5.conf to the list,
are you willing to do so? Or to selected individuals?
As Will said below, it might be a UDP/TCP issue.
Have you added a udp_preference_limit = 1
to the [libdefaults] section? This says prefer UDP
if the packet size is less than 1. In other words
always use TCP.
Wireshark (or other network trace program) can be very handy
to see packets sent by kinit, and to where it is sending
them. It will also show DNS activity trying to locate the KDCs.
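
Added example, not part of the original thread or of MIT Kerberos: a shell function that reads a krb5.conf like the one posted above and lists the KDC endpoints and transport order kinit would start with for the default realm, which is what to look for in a packet trace. The function name kdc_plan, the output format and the EXAMPLE.TEST sample are assumptions made for illustration.

```shell
#!/bin/sh
# kdc_plan FILE: one line per KDC endpoint for the default realm, as
# "<order> <host> <port>", read from an MIT-style krb5.conf.
kdc_plan() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/      { next }                              # comment line
    /^[ \t]*\[/        { sect = trim($0); realm = ""; next } # [section]
    index($0, "}") > 0 { realm = ""; next }                  # end of a block
    { eq = index($0, "="); if (eq == 0) next
      key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1)) }
    sect == "[libdefaults]" { conf[key] = val; next }
    sect == "[realms]" && val == "{" { realm = key; next }
    sect == "[realms]" && realm != "" && key == "kdc" {
        kdcs[realm] = kdcs[realm] " " val
    }
    END {
        r = conf["default_realm"]; lim = conf["udp_preference_limit"]
        # Requests shorter than the limit start on UDP, so a limit of 1
        # sends every request to TCP first (UDP remains the fallback).
        order = (lim != "" && lim + 0 <= 1) ? "tcp-first" : "udp-if-small"
        n = split(trim(kdcs[r]), list, " ")
        for (i = 1; i <= n; i++) {
            host = list[i]; port = 88                        # default KDC port
            if (split(list[i], hp, ":") == 2) { host = hp[1]; port = hp[2] }
            print order, host, port
        }
        # With no kdc lines, dns_lookup_kdc = true means SRV discovery.
        if (n == 0 && conf["dns_lookup_kdc"] == "true") {
            print order, "_kerberos._udp." r, "SRV"
            print order, "_kerberos._tcp." r, "SRV"
        }
    }' "$1"
}

# Constructed sample (EXAMPLE.TEST and the addresses are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 udp_preference_limit = 1
[realms]
 EXAMPLE.TEST = {
  kdc = 192.0.2.10
  kdc = kdc2.example.test:750
 }
EOF
kdc_plan "$sample"
rm -f "$sample"
```

Each reported host and port is a destination to filter on in the trace; an SRV line means kinit has to resolve that DNS name before it can send anything.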