RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially
using our MIT Kerberos build (i.e. the same as we use on all of the
Solaris 8 machines). I am now trying to get it to work with the Solaris
One problem I see immediately (refreshing my memory with a couple quick
tests) is that, when using the Sol10 SEAM to install the keytab, I
# kadmin -p rheilke/admin
Authenticating as principal rheilke/admin@ATCOTEST.CA with password.
Password for rheilke/admin@ATCOTEST.CA:
kadmin: ktadd host/salty.atcotest.ca
kadmin: Communication failure with server while chan...
RE: MIT Kerberos and Solaris 10 Kerberos
> possibly 'su' with pam_krb5 for the authentication. It's not quite
> the same as 'ksu', though.
Douglas says the same. The su man page indicates something about this,
but not a lot of details there. I'll look into this further. As far as a
co-worker is concerned (and in our environment, I can see his point),
this would be a show stopper. We use ksu for all sorts of things,
including giving DBAs access to Oracle IDs.
Thanks again for all of the help. I'll go through the su and pam.conf
man pages, and see if I can figure it out.
Re: Anyone here EVER gotten Kerberos authentication working #2
Doug Lawry wrote:
>>I don't want to send it to the whole list ...
> Why not?! See attached.
Because he might accidentally send it as a mime attachment to an ascii
Mark D. Stock mailto:mdstock@MydasSolutions.com
We value your comments, which have ...
Kerberos Decrypted
...
RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response.
> > We run a number of Solaris 8 systems using Sun's SEAM PAM
> > and MIT's Kerberos (which we're up to date on). We are starting to look
> > at Solaris 10, and are hoping to move towards Sun's implementation of
> > Kerberos. We are having a bit of trouble getting the two to talk
> > properly, however.
> I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
> It is linked directly with the Solaris Kerberos libraries (private).
I am trying to g...
Re: Kerberos with FileZilla #2
The identity is the default identity.
I think it's not so easy as I think and I am missing some particular
Do I have to create a principal also for the service ftp or only for the
identity who is logging?
That is what I did:
i) I activated ftp server service and set the firewall to permit inbound
traffic on ftp ports
ii) I installed the NIM and activated the Kerberos support service from
iii) I did all the settings I have been asked from NIM
But when I test the filezilla with gss i get that msg.
I am really confused!
----- Original Message -----
Fro...
RE: MIT Kerberos and Solaris 10 Kerberos #5
> > Can we force the Sol10 box to only use DES, to be compatible with the
> > Sol8/MIT systems (which is everything but the one Sol10 box)?
> If you are using MIT Kerberos on the Solaris 8 systems (including
> pam_krb5 made for MIT, not the one that comes with SEAM), then
> you should not worry about the enctypes because MIT already
> supports all of the enctypes that S10 supports.
> The only time you need to worry about enctypes is when you
> are using pre-S10 systems with SEAM apps. In that situation,
> ONLY the pre-solaris 10 systems need ...
RE: kerberos
I suggest we continue this discussion offline rather than via
From: firstname.lastname@example.org [mailto:email@example.com] On
Behalf Of Carretti Enrico
Sent: 09 July 2004 11:16
Subject: kerberos - proxy
>We have a product which is designed to use Kerberos with Apache (1.3 or
>2.0) when it is configured as a proxy. The regular SPNEGO Kerberos
>solution available for Apache, IE, Mozilla etc. will not work with
>Please let me know if you are interested and I can ...
RE: MIT Kerberos and Solaris 10 Kerberos #6
OK, I think I have fixed the services. I have:
# svcs -v | grep login
online - 13:25:02 35
online - 13:25:11 - svc:/network/login:eklogin
online - 13:25:12 - svc:/network/login:klogin
online - 13:25:12 - svc:/network/login:rlogin
(Just to make sure, those ARE the correct versions? The ones I removed
# svcadm disable svc:/network/klogin/tcp:default
# svcadm disable svc:/network/eklogin/tcp:default
The first entry in the svcs listing is, I assume, ...
RE: RBAC and Kerberos? #2
>>>Kerberos fits in best as an AuthN system. It can very easily tie into
>>>LDAP which can support your AuthZ needs.
This is true within a single enterprise. LDAP support for authorization
becomes more difficult once you are talking about federation between
different organizations. It requires you to expose your directory server
outside your internal firewall and for partner site(s) to have intimate
knowledge of your directory schema. In the web authentication world SAML
was developed to ease some of these burdens by defining a
language to share attributes more easily...
RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline...
> In Solaris 10, all of the Kerberos services are already bundled,
> there are no longer any external packages that need to be added.
> Whoever told you 'ksu' was part of the encryption kit was mistaken,
> ksu has never been part of SEAM.
OK, thanks for that clarification. It was a bit of a surprise to me when
I was told it was there. So, does the Solaris 10 SEAM have any
functionality similar to ksu, or just the standard su command?
> The encryption kit for Solaris 10 enhances the overall crypto
> capabilities ...
RE: MIT Kerberos and Solaris 10 Kerberos #4
Thanks. We'll have to keep our eyes open for 5-1.4.
> -----Original Message-----
> From: Tom Yu [mailto:firstname.lastname@example.org]
> Sent: Tuesday, January 11, 2005 11:12 AM
> To: Wyllys Ingersoll
> Cc: Heilke, Rainer; email@example.com
> Subject: Re: MIT Kerberos and Solaris 10 Kerberos
> >>>>> "Wyllys" == Wyllys Ingersoll <firstname.lastname@example.org> writes:
> Wyllys> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
> Wyllys> MIT uses a slightly different RPC protocol.
>...
Re: [TCPware V5.6-2,KERBEROS V2.1-72,VMS V7.3-2] TCPIP$IPC_SHR SHRIDMISMAT
At 03:10 PM 8/19/2005, Peter 'EPLAN' LANGSTOEGER wrote:
>In article <email@example.com>, Dan
>O'Reilly <firstname.lastname@example.org> writes:
> >Peter -
> >At this time, you can't use Kerberos V2.1-72 on a TCPware system, so you'll
> >have to regress back to the previous version (2.0-6). We're working on
> >getting an ECO together to allow this, but it will be at least a week or
> >if not longer.
>Ok. In the meantime I found out that I already had this problem in Feb 200...
RE: apache & Kerberos #2
Currently Windows NT, 2k and XP. We are currently porting to Linux and MacOSX.
The server component is being ported to support :
Windows/Apache 1.3 and 2.0
Linux/Apache 1.3 and 2.0
Solaris/Apache 1.3 and 2.0
We are interested to discuss requirements for other platforms/browsers if you have any.
From: Matthew Smith [mailto:email@example.com]
Sent: 01 August 2003 19:18
To: Tim Alsop
Subject: Re: apache & Kerberos
What OS support is available for the local proxy?
Tim Alsop wrote: