Solaris 8 and mit kdc


Solaris 8 and mit kdc

Francisco Oliveira-2
Hello,

Can anyone refer me to a link with information on configuring Kerberized
rlogin in Solaris 8?
I am using MIT-KDC 1.4.1 and SEAM on all Solaris 8 clients.
Also, how do I add a keytab to a Solaris 8 machine? Should I create a
file on a Linux machine and then copy it to the Solaris 8 box? If so,
where should I put the keytab?

Thanks,
F.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: Solaris 8 and mit kdc

Heilke, Rainer
I'd suggest dropping the SEAM component and just going with the MIT code
across the board. That's what we've had forever (started this way in
Sol2.6). SEAM in Solaris 10 is looking more promising (still a couple
bugs to iron out).

The keytab should go in /etc, generated by the kadmin# ktadd
host/<host.domain.com> command. Use the MIT version of kadmin.

Rainer Heilke

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of fsoliv
> Sent: Monday, June 20, 2005 1:51 PM
> To: [hidden email]
> Subject: Solaris 8 and mit kdc
>
>
> Hello,
>
> Can anyone refer me to a link with information on configuring Kerberized
> rlogin in Solaris 8?
> I am using MIT-KDC 1.4.1 and SEAM on all Solaris 8 clients.
> Also, how do I add a keytab to a Solaris 8 machine? Should I create a
> file on a Linux machine and then copy it to the Solaris 8 box? If so,
> where should I put the keytab?
>
> Thanks,
> F.
>


Re: Solaris 8 and mit kdc

Francisco Oliveira-2
Thank you for your email.
However, I need to use Solaris' own Kerberos implementation.

F.
>
> On 6/20/05, Heilke, Rainer <[hidden email]> wrote:
> > I'd suggest dropping the SEAM component and just going with the MIT code
> > across the board. That's what we've had forever (started this way in
> > Sol2.6). SEAM in Solaris 10 is looking more promising (still a couple
> > bugs to iron out).
> >
> > The keytab should go in /etc, generated by the kadmin# ktadd
> > host/<host.domain.com> command. Use the MIT version of kadmin.
> >
> > Rainer Heilke
> >
> > > -----Original Message-----
> > > From: [hidden email]
> > > [mailto:[hidden email]] On Behalf Of fsoliv
> > > Sent: Monday, June 20, 2005 1:51 PM
> > > To: [hidden email]
> > > Subject: Solaris 8 and mit kdc
> > >
> > >
> > > Hello,
> > >
> > > Can anyone refer me to a link with information on configuring Kerberized
> > > rlogin in Solaris 8?
> > > I am using MIT-KDC 1.4.1 and SEAM on all Solaris 8 clients.
> > > Also, how do I add a keytab to a Solaris 8 machine? Should I create a
> > > file on a Linux machine and then copy it to the Solaris 8 box? If so,
> > > where should I put the keytab?
> > >
> > > Thanks,
> > > F.


Re: Solaris 8 and mit kdc

Wyllys Ingersoll
fsoliv wrote:

>  Thank you for your email. However, I need to use Solaris' own Kerberos
>  implementation.
>
> >>> Hello,
> >>>
> >>> Can anyone refer me to a link with information on configuring
> >>> Kerberized rlogin in Solaris 8? I am using MIT-KDC 1.4.1 and
> >>> SEAM on all Solaris 8 clients. Also, how do I add a keytab to a
> >>> Solaris 8 machine? Should I create a file on a Linux machine
> >>> and then copy it to the Solaris 8 box? If so, where should I
> >>> put the keytab?
> >>>

If you configure the MIT-KDC to use the RPCSEC_GSS protocol,
you should be able to use the SEAM 'kadmin' client to create keys
and populate the keytab on the Solaris 8 client.

If you don't want to do that (or can't figure out how), you can create
the keys on the KDC (using the MIT kadmin client tool) and then transfer
them to the Solaris box via some secure protocol (such as SSH).

The main keys you need on the SEAM client system are the
"host" principals for the client system:
ex:    host/f.q.d.n@REALM

Also, if you want to use NFS with Solaris 8 SEAM you will
also need to create nfs/f.q.d.n principals as well and possibly
a "root/f.q.d.n" principal in order to use automount with secure
NFS file systems.  All of this is well documented in the SEAM
online documentation at docs.sun.com - look it up and search
for SEAM.

Remember - the only keys that need to be in a keytab are those
that are specific to that host.   One common misconception or
mistake that people make is to put keys in the keytab on host A
for services that only exist on other hosts.

-Wyllys


Re: Solaris 8 and mit kdc

Francisco Oliveira-2
Hello,

Thank you for your answers. I have been out of the office this past
week and only now have I had some time to get back to this issue.
Here is what is going on:

When I rlogin from Solaris 8 machines to Solaris 8 machines with the command:
#/usr/krb5/bin/rlogin -F  usolaris8machine I get the error message:
#Unable to connect with Kerberos V5, trying normal rlogin
#Enter Kerberos password:

When I rlogin from Linux machines (/usr/kerberos/bin/rlogin -F
solaris8machine) to Solaris 8 machines I get:

#Couldn't authenticate to server: Bad application version was sent
(via sendauth)
#Trying krb4 rlogin...
#krb_sendauth failed: You have no tickets cached
#trying normal rlogin (/usr/bin/rlogin)
#/usr/bin/rlogin: invalid option -- F
#usage: rlogin [ -8EL] [-e char] [ -l username ] host


Before typing this command I do kinit -f username.

Also, I can't find a field in SEAM's krb5.conf file to configure the
location of the keytabs. I have placed the krb5.keytab extracted from
a Linux machine into /etc/krb5/.


Any help is appreciated,

F.

On 6/21/05, Wyllys Ingersoll <[hidden email]> wrote:

> fsoliv wrote:
> >  Thank you for your email. However, I need to use Solaris' own Kerberos
> >  implementation.
> >
> > >>> Hello,
> > >>>
> > >>> Can anyone refer me to a link with information on configuring
> > >>> Kerberized rlogin in Solaris 8? I am using MIT-KDC 1.4.1 and
> > >>> SEAM on all Solaris 8 clients. Also, how do I add a keytab to a
> > >>> Solaris 8 machine? Should I create a file on a Linux machine
> > >>> and then copy it to the Solaris 8 box? If so, where should I
> > >>> put the keytab?
> > >>>
>
> If you configure the MIT-KDC to use the RPCSEC_GSS protocol,
> you should be able to use the SEAM 'kadmin' client to create keys
> and populate the keytab on the Solaris 8 client.
>
> If you don't want to do that (or can't figure out how), you can create
> the keys on the KDC (using the MIT kadmin client tool) and then transfer
> them to the Solaris box via some secure protocol (such as SSH).
>
> The main keys you need on the SEAM client system are the
> "host" principals for the client system:
> ex:    host/f.q.d.n@REALM
>
> Also, if you want to use NFS with Solaris 8 SEAM you will
> also need to create nfs/f.q.d.n principals as well and possibly
> a "root/f.q.d.n" principal in order to use automount with secure
> NFS file systems.  All of this is well documented in the SEAM
> online documentation at docs.sun.com - look it up and search
> for SEAM.
>
> Remember - the only keys that need to be in a keytab are those
> that are specific to that host.   One common misconception or
> mistake that people make is to put keys in the keytab on host A
> for services that only exist on other hosts.
>
> -Wyllys


Re: Solaris 8 and mit kdc

Wyllys Ingersoll
fsoliv wrote:

>  Before typing this command I do kinit -f username.
>
>  Also, I can't find a field in SEAM's krb5.conf file to configure the
>  location of the keytabs. I have placed the krb5.keytab extracted
>  from a Linux machine into /etc/krb5/.

That is correct.   The keytab on Solaris is /etc/krb5/krb5.keytab

On the Solaris box (as root), run "klist -ke" - this should show
you the contents of the keytab file.  It *should* contain
a DES key for "host/[hidden email]" (Solaris 8).

Also, look in the KDC log files to see if either the client
or the server is requesting keys for things the KDC does
not know about.

Kerberos is very sensitive to naming issues - we like to recommend
that you always use fully qualified hostnames for your host
based service principals and make sure that your naming
service returns f.q.d.n names for reverse address lookups.

What naming service are you using to resolve hostnames
(DNS, NIS, or just flat files like /etc/hosts) ?

-Wyllys
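
One way to check the points raised in this thread (only this host's keys in the keytab, fully qualified names, a DES key for the host principal on Solaris 8), as an added example that is not part of any poster's message. The function names, hostnames, realm and sample listing are constructed, and the listing assumes MIT-style "klist -ke" output.

```shell
#!/bin/sh
# Constructed sample of "klist -ke" output (hypothetical hosts and realm).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/sol8a.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 nfs/sol8a.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 host/sol8b.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   1 host/sol8a@EXAMPLE.COM (DES cbc mode with CRC-32)
EOF
}

# audit_keytab FQDN: read "klist -ke" output on stdin and report each entry.
#   OK              entry is for this host
#   WARN not-fqdn   instance is not a fully qualified hostname
#   WARN other-host key belongs to a service on a different host
# Returns 0 only if nothing is flagged and host/FQDN has a DES key.
audit_keytab() {
    awk -v fqdn="$1" '
    # Entry lines look like: <kvno> <service>/<host>@<REALM> (<enctype>)
    $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        split($2, p, "@"); n = split(p[1], s, "/")
        svc = s[1]; host = (n > 1) ? s[2] : ""
        enc = $0; sub(/^[^(]*\(/, "", enc); sub(/\).*$/, "", enc)
        if (host !~ /\./) {
            print "WARN not-fqdn " $2; bad = 1
        } else if (tolower(host) != tolower(fqdn)) {
            print "WARN other-host " $2; bad = 1
        } else {
            print "OK " $2 " [" enc "]"
            # Single DES only; "Triple DES" and des3-* do not match.
            if (svc == "host" && enc ~ /^(DES |des-cbc)/) des = 1
        }
    }
    END {
        if (!des) print "WARN no DES key for host/" fqdn
        exit ((bad || !des) ? 1 : 0)
    }'
}

# Demo on the constructed listing; on a real host, pipe in the output of
# "klist -ke" run as root instead.
sample_listing | audit_keytab sol8a.example.com || true
```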
