Issue with Kerberos setting in Sun Solaris 10

Will Fiveash will.fiveash at oracle.com
Mon Apr 22 14:00:46 EDT 2013


On Fri, Apr 19, 2013 at 01:26:01PM -0700, Ray Vand wrote:
> Hello,
> 
> I am new to the Kerberos world and am having an issue setting this up, and I need help and direction.
> 
> I am trying to set up SSO in the following environment.
> 
> Domain: company.com
> Short Domain: AD  (This is how we log in to the User Client - AD\<Login Name>)
> 
> AD domain server  -->  ads (Windows 2008 R2 )
> SAP Server             -->  SAPSVR (Sun Solaris 10)
> User Client              -->  Mac OS 10.8
> 
> I have created a user in the AD domain server as below
> 
> user: sapldap
> Password: Changem3 (never expire)
> Use DES encryption type for this account
> 
> Then I ran the following two commands on the AD domain server
> 
> C:\Windows\system32>setspn -A sapldap/ads.company.com AD\sapldap
> Registering ServicePrincipalNames for CN=sapldap,CN=Users,DC=company,DC=com
>         sapldap/ads.company.com
> Updated object
> 
> C:\Windows\system32>ktpass -princ sapldap/ads.company.com@COMPANY.COM -mapuser AD\sapldap -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass Changem3 -out sapldap.keytab
> Targeting domain controller: ADS.company.com
> Using legacy password setting method
> Successfully mapped sapldap/ads.company.com to sapldap.
> Key created.
> Output keytab to sapldap.keytab:
> Keytab version: 0x502
> keysize 66 sapldap/ads.company.com@COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 7 etype 0x3 (DES-CBC-MD5) keylength 8 (0x5785314ff4ada2b6)
> Account sapldap has been set for DES-only encryption.
> 
> Then I moved the sapldap.keytab to my SAP Server in the tmp directory
> 
> In my SAP Server, I ran the following commands
> 
> modify /etc/krb5.conf as below:

Are you using Kerberos from MIT or the native Solaris 10 Kerberos?
If the answer is the latter, you need to read the Solaris 10 System
Administration Guide: Security Services
<http://docs.oracle.com/cd/E26505_01/html/E27224/index.html>.  There is
a section on configuring Kerberos on Solaris 10.  Also, the native
Solaris krb expects the default system keytab to be
/etc/krb5/krb5.keytab and to be read/write only by root.
If you are using MIT krb then you need to refer to their documentation
as the paths to various krb related config files and keytab differ from
Solaris.

-- 
Will Fiveash
Oracle Solaris Software Engineer
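
Added example, not part of the original messages and not Solaris or MIT code: a Python sketch that lists the entries of a version 0x502 keytab such as the one ktpass reported above, and checks a keytab file against the root-only read/write expectation stated in the reply. The function names are hypothetical, the record layout is assumed to be the standard keytab file format, and the sample keytab is constructed here with an all-zero key.

```python
import os, stat, struct

# Enctype numbers from the Kerberos enctype registry (subset).
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
          18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}

def parse_keytab(data):
    """Return (principal, kvno, enctype name, key length) for each entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        pos += size
        def counted():                     # 16-bit length followed by bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode()
        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        realm = counted()
        name = "/".join(counted() for _ in range(ncomp))
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen                   # skip fixed fields and key bytes
        if len(rec) - off >= 4:            # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, ETYPES.get(etype, hex(etype)), klen))
    return entries

def keytab_file_problems(path):
    """Report deviations from 'owned by root, no group/other access'."""
    st = os.stat(path)
    checks = [(st.st_uid != 0, "not owned by root"),
              (stat.S_IMODE(st.st_mode) & 0o077, "accessible by group or other")]
    return [msg for bad, msg in checks if bad]

def sample_keytab():
    """Constructed sample: principal, kvno 7 and etype 0x3 as in the ktpass output."""
    cs = lambda s: struct.pack(">H", len(s)) + s
    rec = (struct.pack(">H", 2) + cs(b"COMPANY.COM") + cs(b"sapldap")
           + cs(b"ads.company.com") + struct.pack(">IIBHH", 1, 0, 7, 3, 8)
           + bytes(8) + struct.pack(">I", 7))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

The constructed record is 66 bytes long, matching the "keysize 66" line in the ktpass output.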

