KRB5 & Sun Solaris 9

Douglas E. Engert deengert at anl.gov
Fri Apr 24 16:14:58 EDT 2009



McGranahan, Jamen wrote:
> Error: 
> lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj at DS.VANDERBILT.EDU
> Kerberos initialization on lib240
> kinit: Can't send request (send_to_kdc) for principal
> mcgranj at DS.VANDERBILT.EDU
> 
> Ldd command:
> lib240:/usr/local/krb5-1.6.3/bin#ldd kinit
>         libkrb4.so.2 =>  /usr/local/krb5-1.6.3/lib/libkrb4.so.2
>         libdes425.so.3 =>
> /usr/local/krb5-1.6.3/lib/libdes425.so.3
>         libkrb5.so.3 =>  /usr/local/krb5-1.6.3/lib/libkrb5.so.3
>         libk5crypto.so.3 =>
> /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
>         libcom_err.so.3 =>
> /usr/local/krb5-1.6.3/lib/libcom_err.so.3
>         libkrb5support.so.0 =>
> /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
>         libresolv.so.2 =>        /lib/libresolv.so.2
>         libsocket.so.1 =>        /lib/libsocket.so.1
>         libnsl.so.1 =>   /lib/libnsl.so.1
>         libdl.so.1 =>    /lib/libdl.so.1
>         libc.so.1 =>     /lib/libc.so.1
>         libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
>         libmp.so.2 =>    /lib/libmp.so.2
>         /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
> 

Above looks OK.

So you have two realms? Which one is AD? Are both?
Do you have cross realm setup? (But should not affect
kinit if the user is in realm DS.VANDERBILT.EDU.)

Why the IP number for the kdc in DS.VANDERBILT.EDU?

Why are the admin_servers the same for both realms?
This can work if the KDC services both realms,
but you said you wanted to use AD!

I hope you are not trying to have two realms, one AD and
the other based on MIT, both with the same realm name?

> Krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = DS.VANDERBILT.EDU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>  default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>  default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>  preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>  udp_preference_limit = 1
> 
> [realms]
>  DS.VANDERBILT.EDU = {
>   kdc = 129.59.1.26
>   admin_server = ds.vanderbilt.edu
>   default_domain = vanderbilt.edu
>  }
>  VANDERBILT.EDU = {
>   kdc = ds.vanderbilt.edu
>   admin_server = ds.vanderbilt.edu
>   default_domain = vanderbilt.edu
>  }
> 
> [domain_realm]
> .vanderbilt.edu = DS.VANDERBILT.EDU
> vanderbilt.edu = DS.VANDERBILT.EDU
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> kinit = {
>   renewable = true
>   forwardable = true
> }
> 
> -------------------
> 
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University
> 
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Douglas E. Engert
> Sent: Friday, April 24, 2009 2:33 PM
> To: Jamen
> Cc: kerberos at mit.edu
> Subject: Re: KRB5 & Sun Solaris 9
> 
> 
> 
> Jamen wrote:
>> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
>> will not work with Samba on Solaris 9. I've been told that there is a
>> version on 10 that does work, but I couldn't get it to work on our
>> box, but did with MIT's. Our goal is to create share drives on these
>> servers through Active Directory, and we're utilizing Samba, KRB, and
>> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
>> all of the resources, but Kerberos fails when I issue the kinit
>> command. 
> 
> The MIT kinit should work. What is the error again?
> What does
> ldd /usr/local/krb5-1.6.3/bin/kinit
> show?
> 
> You have not sent a copy of the krb5.conf to the list,
> are you willing to do so? Or to selected individuals?
> 
> As Will said below, it might be a UDP/TCP issue.
> Have you added a udp_preference_limit = 1
> to the [libdefaults] section? This says prefer UDP
> if the packet size is less than 1. In other words
> always use TCP.
> 
> Wireshark (or other network trace program) can be very handy
> to see packets sent by kinit, and to where it is sending
> them. It will also show DNS activity trying to locate the KDCs.
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
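Added example (not from the thread, and not MIT Kerberos code): a small Python lint that parses the krb5.conf Jamen posted and flags the points Doug raises in his reply: the IP-literal kdc entry, the same admin_server on both realms, udp_preference_limit = 1 meaning every exchange goes over TCP (so the KDC must listen on TCP port 88, which is what "Can't send request (send_to_kdc)" fails on when it does not), and the single-DES enctypes listed first. The config text is copied from the thread (sections the lint does not read are omitted); the function names and the injectable `connect` parameter on the TCP check are my own choices so it can run without a network.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List

# [libdefaults] and [realms] from the krb5.conf posted in the thread,
# with the "> " mail quoting stripped; other sections omitted.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = DS.VANDERBILT.EDU
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 udp_preference_limit = 1

[realms]
 DS.VANDERBILT.EDU = {
  kdc = 129.59.1.26
  admin_server = ds.vanderbilt.edu
  default_domain = vanderbilt.edu
 }
 VANDERBILT.EDU = {
  kdc = ds.vanderbilt.edu
  admin_server = ds.vanderbilt.edu
  default_domain = vanderbilt.edu
 }
"""

SINGLE_DES = {"DES-CBC-CRC", "DES-CBC-MD5"}


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the krb5.conf profile format: [section] headers, key = value
    lines and nested NAME = { ... } blocks. Repeated keys become a list."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []  # stack[-1] is the dict currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([\w.-]+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # a key before any [section]; ignore it
        if line == "}":
            stack.pop()
            continue
        block = re.match(r"(\S+)\s*=\s*\{$", line)
        if block:
            sub: dict = {}
            stack[-1][block.group(1)] = sub
            stack.append(sub)
            continue
        kv = re.match(r"(\S+)\s*=\s*(.*)$", line)
        if kv:
            key, val, d = kv.group(1), kv.group(2).strip(), stack[-1]
            if key in d and isinstance(d[key], list):
                d[key].append(val)
            elif key in d:
                d[key] = [d[key], val]
            else:
                d[key] = val
    return sections


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_config(conf: Dict[str, dict]) -> List[str]:
    """Return, as strings, the configuration points raised in the thread."""
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("udp_preference_limit") == "1":
        findings.append("udp_preference_limit = 1: every KDC exchange uses TCP, "
                        "so each kdc must accept TCP on port 88")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes"):
        weak = [e for e in libdefaults.get(key, "").split() if e.upper() in SINGLE_DES]
        if weak:
            findings.append(f"{key} lists single-DES enctypes {weak}")
    admin_servers: Dict[str, List[str]] = {}
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        kdcs = settings.get("kdc", [])
        for kdc in (kdcs if isinstance(kdcs, list) else [kdcs]):
            host = kdc.rsplit(":", 1)[0] if kdc.count(":") == 1 else kdc  # strip host:port
            if is_ip_literal(host):
                findings.append(f"realm {realm}: kdc {kdc} is an IP literal, not a hostname")
        if "admin_server" in settings:
            admin_servers.setdefault(settings["admin_server"], []).append(realm)
    for server, realms in admin_servers.items():
        if len(realms) > 1:
            findings.append(f"admin_server {server} is shared by realms {realms}")
    return findings


def check_kdc_tcp(host: str, port: int = 88, timeout: float = 3.0,
                  connect: Callable = socket.create_connection) -> bool:
    """True if a TCP connection to host:port succeeds (what a TCP-only
    client needs). `connect` is injectable so the check runs offline."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in lint_config(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("-", finding)
```

Run it against the posted config and it reports all four points; against a live host, `check_kdc_tcp("ds.vanderbilt.edu")` with the default `connect` tells you whether TCP 88 is reachable at all before reaching for Wireshark.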