MIT Kerberos and Solaris 10 Kerberos

Greetings, everyone.

We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
and MIT's Kerberos (which we're up to date on). We are starting to look
at Solaris 10, and are hoping to move towards Sun's implementation of
Kerberos. We are having a bit of trouble getting the two to talk
properly, however.

If we SSH (from production to test, for example) to a Solaris 8 machine,
then we can rlogin (Kerberized) to the Solaris 10 machine and, from
there, rlogin to a Sol8 machine again. If, however, we SSH directly to
the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
various experiments (for example, trying to ksu on the Sol 10 machine),
the only error we ever get is:

ksu
WARNING: Your password may be exposed if you enter it here and are
logged
         in remotely using an unsecure (non-encrypted) channel.
Kerberos password for ux5p@ATCOTEST.CA: :
ksu: Server not found in Kerberos database while geting credentials from
kdc
Authentication failed.

Doing an rlogin to a Sol 8 machine gives no errors at all; it just
quietly fails.

The above error seems to indicate that the Solaris 10 Kerberos isn't
passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
certain differences, would not be a big surprise). Has anyone gotten
this to work? The Sol 10 system is using the default Solaris 10 PAM
implementation as well; not sure if this is part of the problem, but the
configuration files are significantly different. The Sol 10 version
doesn't explicitly list the entire path to the libraries, and breaks
things up based upon Authentication/ Account/ Session/ Password rather
than service (sshd, login, etc.). I have tried adding the MIT libraries
into the pam.conf requirements, but that seems to break even more things
(again, not a great shock).

BTW, we have the same issues going from the Sol 10 system to our RedHat
box.

I know Sol 10 isn't finalized, but any help/suggestions would be greatly
appreciated, even if it's to say it will never work for reason X. I
don't see Sun changing this radically before GA. We are running the
latest available build, 72.

TIA

Rainer Heilke
Unix Systems Administrator
ATCO I-Tek
Phone:  780-420-7806
Fax:  780-420-3939
Email:  rainer.heilke@atcoitek.com


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

1/6/2005 10:07:13 PM
comp.protocols.kerberos

Heilke, Rainer wrote:
> Greetings, everyone.
> 
> We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
> and MIT's Kerberos (which we're up to date on). We are starting to look
> at Solaris 10, and are hoping to move towards Sun's implementation of
> Kerberos. We are having a bit of trouble getting the two to talk
> properly, however.

I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
It is linked directly with the Solaris kerberos libraries (private).

Solaris 10 Kerberos interops very well with MIT, Heimdal, and Microsoft.
It has support for all of the enctypes (AES, RC4, 3DES, DES) finally.

> 
> If we SSH (from production to test, for example) to a Solaris 8 machine,
> then we can rlogin (Kerberized) to the Solaris 10 machine and, from
> there, rlogin to a Sol8 machine again. If, however, we SSH directly to
> the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
> various experiments (for example, trying to ksu on the Sol 10 machine),
> the only error we ever get is:
> 
> ksu
> WARNING: Your password may be exposed if you enter it here and are
> logged
>          in remotely using an unsecure (non-encrypted) channel.
> Kerberos password for ux5p@ATCOTEST.CA: :
> ksu: Server not found in Kerberos database while geting credentials from
> kdc
> Authentication failed.

ksu is an MIT client; it is not part of Solaris 10. Whose Kerberized apps
are you using on Solaris 10 (MIT or the stuff bundled with Solaris 10)?

> 
> Doing an rlogin to a Sol 8 machine gives no errors at all; it just
> quietly fails.

- Which rlogin client are you using (MIT or Solaris)?
- Which rlogin server is running on the Sol 8 system?

> 
> The above error seems to indicate that the Solaris 10 Kerberos isn't
> passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
> certain differences, would not be a big surprise). Has anyone gotten

What "certain differences" are you referring to? Solaris 10 will
interoperate with Solaris 8 SEAM, but if your KDC is Solaris 10 (or MIT)
you will have to restrict the enctypes used by the Solaris 8 services
because Solaris 8 only supports DES and Solaris 10 uses AES by default.

> this to work? The Sol 10 system is using the default Solaris 10 PAM
> implementation as well; not sure if this is part of the problem, but the
> configuration files are significantly different. The Sol 10 version
> doesn't explicitly list the entire path to the libraries, and breaks
> things up based upon Authentication/ Account/ Session/ Password rather
> than service (sshd, login, etc.). I have tried adding the MIT libraries
> into the pam.conf requirements, but that seems to break even more things
> (again, not a great shock).

What service are you trying to use pam_krb5 with - rlogin or ssh?
ssh in Solaris 10 supports GSSAPI authentication, so you should
not need to use pam_krb5 in that case.

> 
> BTW, we have the same issues going from the Sol 10 system to our RedHat
> box.
> 
> I know Sol 10 isn't finalized, but any help/suggestions would be greatly
> appreciated, even if it's to say it will never work for reason X. I
> don't see Sun changing this radically before GA. We are running the
> latest available build, 72.

It most certainly DOES work; it seems that you have something misconfigured
between the various systems you are trying to use.
It may be that you are running into problems due to Solaris 8 only
supporting DES tickets, but it sounds like your problems are related
to how you are using PAM and the services you are using.

I need more info in order to be able to help you:
- What OS is the KDC running on?
- Whose KDC are you using (Solaris 10, Solaris 8 SEAM, MIT, MS AD)?
- What OS is the client (rlogin or ssh) running on?
- What OS is the server (rlogind or sshd) running on?
- Which Kerberos implementation is being used on the client system and
  server system?

-Wyllys
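The enctype mismatch Wyllys describes (Solaris 8 SEAM services only handle DES, while a Solaris 10 client requests AES by default) is visible on the client with `klist -e`: the ticket for the Solaris 8 host must be encrypted, and its session key chosen, in a type that host has a key for. The following added example, not from the thread, parses constructed MIT-style `klist -e` output and flags service tickets a DES-only host could not use; hostnames, cache path and times are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of MIT-style `klist -e` output captured on the Solaris 10
# client after a failed rlogin to the Solaris 8 host (names and times invented).
SAMPLE_KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ux5p@ATCOTEST.CA

Valid starting     Expires            Service principal
01/06/05 14:00:01  01/07/05 00:00:01  krbtgt/ATCOTEST.CA@ATCOTEST.CA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/06/05 14:01:10  01/07/05 00:00:01  host/sol8.example.test@ATCOTEST.CA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/06/05 14:02:30  01/07/05 00:00:01  host/sol10.example.test@ATCOTEST.CA
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# Enctypes a DES-only service (Solaris 8 SEAM in the thread) can work with.
DES_ONLY = frozenset({"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"})

TICKET_LINE = re.compile(r"^\d\d/\d\d/\d\d\s+\d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d\s+\d\d:\d\d:\d\d\s+(\S+@\S+)$")
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\): ([\w-]+), ([\w-]+)")


def parse_klist_e(text: str) -> Dict[str, Dict[str, str]]:
    """Map each service principal to its session-key and ticket enctypes."""
    tickets: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            current = m.group(1)          # the Etype line follows this one
            continue
        m = ETYPE_LINE.match(line)
        if m and current:
            tickets[current] = {"skey": m.group(1), "tkt": m.group(2)}
            current = None
    return tickets


def flag_undecryptable(tickets: Dict[str, Dict[str, str]], legacy_principals,
                       supported=DES_ONLY) -> List[Tuple[str, str, str]]:
    """Return (principal, field, enctype) for every enctype a legacy host cannot use.

    'tkt' is the type the service's own key must match; 'skey' is the session key
    the service must also be able to use when it processes the authenticator.
    """
    flags = []
    for princ in sorted(legacy_principals):
        for field, etype in tickets.get(princ, {}).items():
            if etype not in supported:
                flags.append((princ, field, etype))
    return flags
```

If the Solaris 8 host is flagged, the narrower fix on an MIT KDC is to limit that host principal's keys to DES (for example `cpw -e des-cbc-crc:normal host/...` in `kadmin`) rather than lowering the realm-wide default enctypes for every principal.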

1/11/2005 1:16:14 AM