Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Douglas E. Engert
While trying to use the Solaris 10 Kerberos, most things in a mixed
environment sort of work, but the kadmin does not.

It appears that the Solaris 10 /usr/sbin/kadmin program is
using the sun gss rpcs, and the MIT kadmind is not. The MIT kadmin
is running on an older Solaris version.

The kadmin gets a ticket for the admin doug/[hidden email] for
kadmin/[hidden email] as shown by the KDC logs.

The Solaris 10 client says:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
and syslog says:
GSS-API error: rpc_gss_seccreate failed
three times for the client.

This looks similar to the thread from 5/26-27 on
"mixing sun solaris's rpc with mit's rpc"

Anyone (especially at Sun) have a solution?




--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Nicolas Williams
Known bug.

Our RPCSEC_GSS APIs force us to use hostbased princs for the server, and
MIT krb5, though it now implements RPCSEC_GSS, did not match this behaviour.

On Thu, Jun 02, 2005 at 02:20:36PM -0500, Douglas E. Engert wrote:

> While trying to use the Solaris 10 Kerberos, most things  in a mixed
> environment sort of work, but the kadmin does not.

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

hartmans
>>>>> "Nicolas" == Nicolas Williams <[hidden email]> writes:

    Nicolas> Known bug.  Our RPCSEC_GSS APIs force us to use hostbased
    Nicolas> princs for the server, and MIT krb5, though it now
    Nicolas> implements RPCSEC_GSS, did not match this behaviour.

No.  If you create the hostbased principal in your kdc database it
should work fine.  The MIT code supports both kadmin/fqdn and
kadmin/admin.


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Douglas E. Engert


Sam Hartman wrote:

>>>>>>"Nicolas" == Nicolas Williams <[hidden email]> writes:
>
>
>     Nicolas> Known bug.  Our RPCSEC_GSS APIs force us to use hostbased
>     Nicolas> princs for the server, and MIT krb5, though it now
>     Nicolas> implements RPCSEC_GSS, did not match this behaviour.
>
> No.  If you create the hostbased principal in your kdc database it
> should work fine.  The MIT code supports both kadmin/fqdn and
> kadmin/admin.


I have both, and it looks like the client kadmin is getting a ticket for
kadmin/fqdn.


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

hartmans
I'd definitely expect this to work against a 1.4.1 kadmin server
assuming the server has the same idea of its hostname as your client.


RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Heilke, Rainer
In reply to this post by Douglas E. Engert
I've just forwarded your responses on to the person working on this
problem. He'll probably follow up on it really quickly.

Thanks for keeping this issue in your minds. We really want to get this
to work.

Rainer


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Douglas E. Engert
In reply to this post by hartmans
I got it to work. It looks like the Solaris 10 is checking the
realm of the kadmind server host, but why? It already got
a ticket for it.  It does not check that the host of the kdc is
in the realm so why check the kadmind? Is this some gss implementation
imposed restriction?

What this means is that a kadmind can only serve a single realm.

This looks like a Solaris bug to me.


Sam Hartman wrote:

>>>>>>"Nicolas" == Nicolas Williams <[hidden email]> writes:
>
>
>     Nicolas> Known bug.  Our RPCSEC_GSS APIs force us to use hostbased
>     Nicolas> princs for the server, and MIT krb5, though it now
>     Nicolas> implements RPCSEC_GSS, did not match this behaviour.
>
> No.  If you create the hostbased principal in your kdc database it
> should work fine.  The MIT code supports both kadmin/fqdn and
> kadmin/admin.
>
I have the principal and the Solaris 10 kadmin gets a ticket for the
service.  The server is Solaris 7, with the krb5-1.4.1

Using ethereal on the Solaris 10 to watch shows the kadmin doing a TCP
connection to the kadmind, then doing a DNS lookup of the host name, then
closing the connection. No user data was sent, only SYN, ACK and FIN.
See attachment.

I am using a test realm and KDC on a separate machine that is in
another realm. I was using the KRB5_CONFIG to point at my test
krb5.conf on both the client and server. Once I added
on the kadmin client <kdc.fqdn> = TEST.KRB5.ANL.GOV to the
[domain_realm] it started working!

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

No.     Time        Source                Destination           Protocol Info
     92 9.412518    146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [SYN] Seq=0 Ack=0 Win=49640 [CHECKSUM INCORRECT] Len=0 MSS=1460 WS=0
     93 9.412968    146.137.180.13        146.137.238.151       TCP      kerberos-adm > 32936 [SYN, ACK] Seq=0 Ack=1 Win=33580 Len=0 WS=0 MSS=1460
     94 9.413022    146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [ACK] Seq=1 Ack=1 Win=49640 [CHECKSUM INCORRECT] Len=0
     97 10.425515   146.137.238.151       130.202.20.3          DNS      Standard query A mercutio.ctd.anl.gov
     98 10.426194   130.202.20.3          146.137.238.151       DNS      Standard query response A 146.137.180.13
     99 10.429928   146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [FIN, ACK] Seq=1 Ack=1 Win=49640 [CHECKSUM INCORRECT] Len=0
    100 10.430183   146.137.180.13        146.137.238.151       TCP      kerberos-adm > 32936 [ACK] Seq=1 Ack=2 Win=33580 Len=0
    101 10.430555   146.137.180.13        146.137.238.151       TCP      kerberos-adm > 32936 [FIN, ACK] Seq=1 Ack=2 Win=33580 Len=0
    102 10.430601   146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [ACK] Seq=2 Ack=2 Win=49640 [CHECKSUM INCORRECT] Len=0

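The mechanism behind Doug's fix above, and behind Nico's earlier point that the Solaris RPCSEC_GSS client names the server by host, as an added example that is not code from the thread, from MIT krb5 or from Sun: a small Python model of how a client turns the host-based service name kadmin@mercutio.ctd.anl.gov into kadmin/mercutio.ctd.anl.gov@REALM by consulting the [domain_realm] section of krb5.conf. The krb5.conf fragments are constructed for the example (the thread does not show Doug's actual file), the search order (exact host, then parent domains written with a leading dot, then default_realm) is the one MIT krb5 documents for [domain_realm], DNS TXT and referral lookups that a real libkrb5 may also perform are left out, and the realm comparison at the end models Doug's observation of the Solaris client's behaviour rather than Sun's code.

```python
"""krb5.conf [domain_realm] lookup, modelled for the kadmin case in this thread.

Added example, not code from MIT krb5, Sun, or any poster.  Parses only the
flat [libdefaults] and [domain_realm] sections of a constructed krb5.conf and
reproduces the host-to-realm search order MIT documents for [domain_realm]:
exact hostname, then each parent domain written with a leading dot, then
default_realm.  DNS TXT and referral lookups are omitted (assumption).
"""
from __future__ import annotations

# Constructed krb5.conf resembling Doug's test setup: the test realm is the
# default, but the kadmind host lives under a domain that [domain_realm]
# maps to the production realm.  Hostnames and realm names are assumptions.
KRB5_CONF_BEFORE = """\
[libdefaults]
    default_realm = TEST.KRB5.ANL.GOV

[realms]
    TEST.KRB5.ANL.GOV = {
        kdc = mercutio.ctd.anl.gov
        admin_server = mercutio.ctd.anl.gov
    }

[domain_realm]
    .anl.gov = ANL.GOV
"""

# The fix from the thread: an exact-host entry for the kadmind server,
# which the lookup tries before any ".suffix" entry.
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + "    mercutio.ctd.anl.gov = TEST.KRB5.ANL.GOV\n"


def parse_krb5_conf(text: str) -> dict[str, dict[str, str]]:
    """Collect top-level 'key = value' lines per [section]; brace-nested
    blocks such as the per-realm groups in [realms] are skipped."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or "{" in line or "}" in line or current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value   # hostnames are case-insensitive
    return sections


def host_realm(conf: dict[str, dict[str, str]], hostname: str) -> str:
    """Realm for a host per [domain_realm]: the exact host first, then
    '.ctd.anl.gov', '.anl.gov', '.gov', then default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def service_principal(service: str, hostname: str, conf: dict[str, dict[str, str]]) -> str:
    """Kerberos principal for the GSS host-based name service@hostname, the
    form an RPCSEC_GSS client presents for kadmin: service/host@REALM."""
    host = hostname.rstrip(".").lower()
    return f"{service}/{host}@{host_realm(conf, host)}"


def kadmin_host_in_realm(conf_text: str, hostname: str, admin_realm: str) -> bool:
    """Models Doug's observation: the Solaris 10 kadmin only proceeds when the
    realm derived for the kadmind host is the realm being administered."""
    return host_realm(parse_krb5_conf(conf_text), hostname) == admin_realm


if __name__ == "__main__":
    host, realm = "mercutio.ctd.anl.gov", "TEST.KRB5.ANL.GOV"
    for label, text in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        conf = parse_krb5_conf(text)
        verdict = "ok" if kadmin_host_in_realm(text, host, realm) else "realm mismatch"
        print(f"{label}: {service_principal('kadmin', host, conf)} -> {verdict}")
```

Run as a script it prints the principal the client would build before and after the exact-host entry. The point to notice is that the exact-hostname key wins over the .anl.gov suffix key, which is why a single added line on the client made the test realm work, and why a kadmind host whose name maps to a different realm than the one it administers trips this check.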

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Nicolas Williams
On Fri, Jun 03, 2005 at 01:47:40PM -0500, Douglas E. Engert wrote:
>                                        Is this some gss implementation
> imposed restriction?

An RPCSEC_GSS API issue.

> What this means is that a kadmind can only serve a single realm.

We've never claimed to support more than one.  IIRC neither has MIT, but
I'm sure someone will correct me if I'm wrong :)

> This looks like a Solaris bug to me.

And to me.

RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Heilke, Rainer
In reply to this post by Douglas E. Engert
A bug... Well, that makes us feel better in the sense that we aren't
losing our marbles. I guess now, we just have to wait for the bug to get
fixed. Unfortunately, this is now one of two issues that hold back any
Solaris 10 rollout for us.

Thanks to everyone for your help on this. We'll keep our eyes open for
the bug fix from Sun in their weekly patch club report.

Rainer Heilke


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Douglas E. Engert
In reply to this post by Nicolas Williams


Nicolas Williams wrote:

> On Fri, Jun 03, 2005 at 01:47:40PM -0500, Douglas E. Engert wrote:
>
>>                                       Is this some gss implementation
>>imposed restriction?
>
>
> An RPCSEC_GSS API issue.
>
>
>>What this means is that a kadmind can only serve a single realm.
>
>
> We've never claimed to support more than one.  IIRC neither has MIT, but
> I'm sure someone will correct me if I'm wrong :)

OK... the MIT man page for krb5kdc says:
"The KDC may service requests for multiple realms (maximum 32 realms)"
and the man page for kadmind talks about serving multiple realms,
but I don't see how it does.

It's not clear how much this is actually used, but someone
might run into this problem.   Our intent is to have the kdc and kadmind
serve only one realm, and the server hosts will be in that realm,
so the checking of the realm of the kadmind server host is not a real problem.


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Douglas E. Engert
In reply to this post by Heilke, Rainer


Heilke, Rainer wrote:

> A bug... Well, that makes us feel better in the sense that we aren't
> losing our marbles. I guess now, we just have to wait for the bug to get
> fixed. Unfortunately, this is now one of two issues that hold back any
> Solaris 10 rollout for us.

Well it may be a bug, but since our production KDCs and kadmind are
serving a single realm, and the server is in that realm, it's not
going to stop us. It was the test environment that was the problem.

P.S. What is the other issue?


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

hartmans
In reply to this post by Heilke, Rainer
>>>>> "Heilke," == Heilke, Rainer <[hidden email]> writes:

    Heilke,> A bug... Well, that makes us feel better in the sense
    Heilke,> that we aren't losing our marbles. I guess now, we just
    Heilke,> have to wait for the bug to get fixed. Unfortunately,
    Heilke,> this is now one of two issues that hold back any Solaris
    Heilke,> 10 rollout for us.


I'm not sure there is a bug here.  Neither MIT nor Sun have claimed
support for kadmind supporting multiple realms.


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Nicolas Williams
In reply to this post by Douglas E. Engert
On Fri, Jun 03, 2005 at 02:16:09PM -0500, Douglas E. Engert wrote:

> Nicolas Williams wrote:
> >On Fri, Jun 03, 2005 at 01:47:40PM -0500, Douglas E. Engert wrote:
> >>What this means is that a kadmind can only serve a single realm.
> >
> >
> >We've never claimed to support more than one.  IIRC neither has MIT, but
> >I'm sure someone will correct me if I'm wrong :)
>
> OK... the MIT man page for krb5kdc says:
> "The KDC may service requests for multiple realms (maximum 32 realms)"
> and the man page for kadmind talks about serving multiple realms,
> but I don't see how it does.

The _KDC_, yes, but kadmind?

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Nicolas Williams
In reply to this post by hartmans
On Fri, Jun 03, 2005 at 03:20:07PM -0400, Sam Hartman wrote:

> >>>>> "Heilke," == Heilke, Rainer <[hidden email]> writes:
>
>     Heilke,> A bug... Well, that makes us feel better in the sense
>     Heilke,> that we aren't losing our marbles. I guess now, we just
>     Heilke,> have to wait for the bug to get fixed. Unfortunately,
>     Heilke,> this is now one of two issues that hold back any Solaris
>     Heilke,> 10 rollout for us.
>
>
> I'm not sure there is a bug here.  Neither MIT nor Sun have claimed
> support for kadmind supporting multiple realms.

Right.


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Nicolas Williams
In reply to this post by Heilke, Rainer
On Fri, Jun 03, 2005 at 01:13:23PM -0600, Heilke, Rainer wrote:
> A bug... Well, that makes us feel better in the sense that we aren't
> losing our marbles. I guess now, we just have to wait for the bug to get
> fixed. Unfortunately, this is now one of two issues that hold back any
> Solaris 10 rollout for us.
>
> Thanks to everyone for your help on this. We'll keep our eyes open for
> the bug fix from Sun in their weekly patch club report.

Sam's statement about MIT support for multiple realms in kadmind
convinces me that this is an RFE, not a bug.

I can file one if you want.

Nico
--

RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Heilke, Rainer
In reply to this post by Douglas E. Engert
We aren't doing multiple domains; just the one.

Rainer


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Nicolas Williams
On Fri, Jun 03, 2005 at 01:26:42PM -0600, Heilke, Rainer wrote:
> We aren't doing multiple domains; just the one.

So then there's no issue for you.  Doug may still want an RFE filed.

Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

hartmans
In reply to this post by Douglas E. Engert
>>>>> "Douglas" == Douglas E Engert <[hidden email]> writes:

    Douglas> and the man page for kadmind talks about serving multiple
    Douglas> realms, but I dont' see how it does.


*sigh*

An older kadmind (1995 era) did sort of support multiple realms,
although it did not actually support some more critical operations
like actually working.  

I don't think the OV kadmind as integrated by MIT has ever supported
this.  You can run multiple realms out of a database and have all
administrative operations go through one of the realms.



RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Heilke, Rainer
In reply to this post by Douglas E. Engert
So, if this issue is in a SINGLE realm, it IS a bug, correct? We are
doing this in our test lab, in a single domain. There are no other
domains involved. Both the Solaris 10 and the MIT Kerberos
clients/servers are all in the same realm.

> Heilke, Rainer wrote:
>
> > A bug... Well, that makes us feel better in the sense that we aren't
> > losing our marbles. I guess now, we just have to wait for
> the bug to get
> > fixed. Unfortunately, this is now one of two issues that
> hold back any
> > Solaris 10 rollout for us.
>
> Well it may be a bug, but since our production KDCs and kadmind are
> serving a single realm, and the server is in that realm its not
> going to stop us. It was the test environment that was the problem.
>
> P.S. What is the other issue?

Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
not provide the same functionality. We have an RFE open on this. BTW, if
anyone else needs ksu, please add your names to the RFE.

Rainer


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

Douglas E. Engert
In reply to this post by hartmans


Sam Hartman wrote:

>>>>>>"Douglas" == Douglas E Engert <[hidden email]> writes:
>
>
>     Douglas> and the man page for kadmind talks about serving multiple
>     Douglas> realms, but I dont' see how it does.
>
>
> *sigh*
>
> An older kadmind (1995 era) did sort of support multiple realms,
> although it did not actually support some more critical operations
> like actually working.  
>
> I don't think the OV kadmind as integrated by MIT has ever supported
> this.  You can run multiple realms out of a database and have all
> administrative operations go through one of the realms.

OK, then this is not an issue, *as long as* the kadmind server host
is in the realm that the kadmind is serving. It's just another thing
to keep track of.

And no, I don't need an RFE, but thanks for asking.



--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444