RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response.
> > We run a number of Solaris 8 systems using Sun's SEAM PAM
> > and MIT's Kerberos (which we're up to date on). We are starting to look
> > at Solaris 10, and are hoping to move towards Sun's implementation of
> > Kerberos. We are having a bit of trouble getting the two to talk
> > properly, however.
> I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
> It is linked directly with the Solaris Kerberos libraries (private).
I am trying to g...
RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline...
> In Solaris 10, all of the Kerberos services are already bundled,
> there are no longer any external packages that need to be added.
> Whoever told you 'ksu' was part of the encryption kit was mistaken,
> ksu has never been part of SEAM.
OK, thanks for that clarification. It was a bit of a surprise to me when
I was told it was there. So, does the Solaris 10 SEAM have any
functionality similar to ksu, or just the standard su command?
> The encryption kit for Solaris 10 enhances the overall crypto
> capabilities ...
RE: MIT Kerberos and Solaris 10 Kerberos #4
Thanks. We'll have to keep our eyes open for 5-1.4.
> -----Original Message-----
> From: Tom Yu [mailto:firstname.lastname@example.org]
> Sent: Tuesday, January 11, 2005 11:12 AM
> To: Wyllys Ingersoll
> Cc: Heilke, Rainer; email@example.com
> Subject: Re: MIT Kerberos and Solaris 10 Kerberos
> >>>>> "Wyllys" == Wyllys Ingersoll <firstname.lastname@example.org> writes:
> Wyllys> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
> Wyllys> MIT uses a slightly different RPC protocol.
>...
RE: MIT Kerberos and Solaris 10 Kerberos #6
OK, I think I have fixed the services. I have:
# svcs -v | grep login
online - 13:25:02 35
online - 13:25:11 - svc:/network/login:eklogin
online - 13:25:12 - svc:/network/login:klogin
online - 13:25:12 - svc:/network/login:rlogin
(Just to make sure, those ARE the correct versions? The ones I removed
# svcadm disable svc:/network/klogin/tcp:default
# svcadm disable svc:/network/eklogin/tcp:default
The first entry in the svcs listing is, I assume, ...
RE: MIT Kerberos and Solaris 10 Kerberos #5
> > Can we force the Sol10 box to only use DES, to be compatible with the
> > Sol8/MIT systems (which is everything but the one Sol10 box)?
> If you are using MIT Kerberos on the Solaris 8 systems (including
> pam_krb5 made for MIT, not the one that comes with SEAM), then
> you should not worry about the enctypes because MIT already
> supports all of the enctypes that S10 supports.
> The only time you need to worry about enctypes is when you
> are using pre-S10 systems with SEAM apps. In that situation,
> ONLY the pre-solaris 10 systems need ...
RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially
using our MIT Kerberos build (i.e. the same as we use on all of the
Solaris 8 machines). I am now trying to get it to work with the Solaris
One problem I see immediately (refreshing my memory with a couple quick
tests) is that, when using the Sol10 SEAM to install the keytab, I
# kadmin -p rheilke/admin
Authenticating as principal rheilke/admin@ATCOTEST.CA with password.
Password for rheilke/admin@ATCOTEST.CA:
kadmin: ktadd host/salty.atcotest.ca
kadmin: Communication failure with server while chan...
RE: MIT Kerberos and Solaris 10 Kerberos
I read the man page for rlogin, and it is both the old rlogin, and the
new (or something like that). Seems that you just have to give it the
correct switches, and it Kerberizes the command. So, I did:
rlogin -AF <sol8server>
and it works!
Thank you to Wyllys for all of your help.
Now I'm going to try installing from scratch, and make sure I do the
One question left for Wyllys before I do, though. Since ksu doesn't
exist in the Solaris SEAM product, is our only option su?
Kerberos mailing list ...
RE: MIT Kerberos and Solaris 10 Kerberos
> possibly 'su' with pam_krb5 for the authentication. It's not quite
> the same as 'ksu', though.
Douglas says the same. The su man page indicates something about this,
but not a lot of details there. I'll look into this further. As far as a
co-worker is concerned (and in our environment, I can see his point),
this would be a show stopper. We use ksu for all sorts of things,
including giving DBAs access to Oracle IDs.
Thanks again for all of the help. I'll go through the su and pam.conf
man pages, and see if I can figure it out.
______________...
RE: MIT Kerberos and Solaris 10 Kerberos
<laugh> Yup, I learned (the hard way!) to always stay logged in to a
console session as root.
> Make sure you have a root window open before testing PAM. I stumbled on
> this when I tried to su and my test pam exit failed!
Kerberos mailing list Kerberos@mit.edu
Re: Anyone here EVER gotten Kerberos authentication working
PAM support first appeared in 9.40.UC2 (rather than 9.40.UC1). That is
why it is not in the manuals for 9.4. However, with 9.4 you have in
"$INFORMIXDIR/release/en_us/0333" a file named "pam.txt" which
documents the support of PAM.
It could be that the documentation in IDS 10 manuals is not as detailed
(or with as many examples) as this "pam.txt" file from 9.4. I would send
you the file, however, I don't want to send it to the whole list ...
If you can't get the file, then let me know and supply an e-mail address
to which I can send the...
MIT Kerberos or Heimdal Kerberos?
How do I know whether the server installed on the system is MIT Kerberos or Heimdal?
I'm using FreeBSD 5.2.1
Re: Anyone here EVER gotten Kerberos authentication working #2
Doug Lawry wrote:
>>I don't want to send it to the whole list ...
> Why not?! See attached.
Because he might accidentally send it as a mime attachment to an ascii
RE: Anyone here EVER gotten Kerberos authentication working #3
> -----Original Message-----
> From: Mark D. Stock [mailto:email@example.com]
> Sent: Monday, December 05, 2005 3:34 PM
> To: Doug Lawry
> Cc: firstname.lastname@example.org
> Subject: Re: Anyone here EVER gotten Kerberos authentication working
> Doug Lawry wrote:
> >>I don't want to send it to the whole list ...
> > Why not?! See attached.
> Because he might accidentally send it as a mime attachment to an ascii
> newsgroup? :-D
If you send a picture of Marcel Marceau, is that by definition...