Using Solaris 10 kadmin with MIT 1.4.1 kadmind - Kerberos



Thread: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

  1. Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    While trying to use the Solaris 10 Kerberos, most things in a mixed
    environment sort of work, but the kadmin does not.

    It appears that the Solaris 10 /usr/sbin/kadmin program is
    using the sun gss rpcs, and the MIT kadmind is not. The MIT kadmin
    is running on an older Solaris version.

    The kadmin gets a ticket for the admin doug/admin@TEST.REALM for
    kadmin/kdc.test.anl.gov@TEST.REALM as shown by the KDC logs.

    The Solaris 10 client says:
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
    and syslog says:
    GSS-API error: rpc_gss_seccreate failed
    three times for the client.

    This looks similar to the thread from 5/26-27 on
    "mixing sun solaris's rpc with mit's rpc"

    Anyone (especially at Sun) have a solution?




    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    Known bug.

    Our RPCSEC_GSS APIs force us to use hostbased princs for the server, and
    MIT krb5, though it now implements RPCSEC_GSS, did not match this behaviour.

    On Thu, Jun 02, 2005 at 02:20:36PM -0500, Douglas E. Engert wrote:
    > While trying to use the Solaris 10 Kerberos, most things in a mixed
    > environment sort of work, but the kadmin does not.
    >
    > It appears that the Solaris 10 /usr/sbin/kadmin program is
    > using the sun gss rpcs, and the MIT kadmind is not. The MIT kadmin
    > is running on an older Solaris version.
    >
    > The kadmin gets a ticket for the admin doug/admin@TEST.REALM for
    > kadmin/kdc.test.anl.gov@TEST.REALM as shown by the KDC logs.
    >
    > The Solaris 10 client says:
    > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
    > and syslog says:
    > GSS-API error: rpc_gss_seccreate failed
    > three times for the client.
    >
    > This looks similar to the thread from 5/26-27 on
    > "mixing sun solaris's rpc with mit's rpc"
    >
    > Any one (especially at Sun) have a solution?



  3. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    >>>>> "Nicolas" == Nicolas Williams writes:

    Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
    Nicolas> princs for the server, and MIT krb5, though it now
    Nicolas> implements RPCSEC_GSS, did not match this behaviour.

    No. If you create the hostbased principal in your kdc database it
    should work fine. The MIT code supports both kadmin/fqdn and
    kadmin/admin.



  4. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind



    Sam Hartman wrote:

    > >>>>> "Nicolas" == Nicolas Williams writes:

    > Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
    > Nicolas> princs for the server, and MIT krb5, though it now
    > Nicolas> implements RPCSEC_GSS, did not match this behaviour.
    >
    > No. If you create the hostbased principal in your kdc database it
    > should work fine. The MIT code supports both kadmin/fqdn and
    > kadmin/admin.



    I have both, and it looks like the client kadmin is getting a ticket for
    kadmin/fqdn.



    --

    Douglas E. Engert


  5. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    I'd definitely expect this to work against a 1.4.1 kadmin server
    assuming the server has the same idea of its hostname as your client.



  6. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    I got it to work. It looks like the Solaris 10 is checking the
    realm of the kadmind server host, but why? It already got
    a ticket for it. It does not check that the host of the kdc is
    in the realm so why check the kadmind? Is this some gss implementation
    imposed restriction?

    What this means is that a kadmind can only serve a single realm.

    This looks like a Solaris bug to me.


    Sam Hartman wrote:

    > >>>>> "Nicolas" == Nicolas Williams writes:

    > Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
    > Nicolas> princs for the server, and MIT krb5, though it now
    > Nicolas> implements RPCSEC_GSS, did not match this behaviour.
    >
    > No. If you create the hostbased principal in your kdc database it
    > should work fine. The MIT code supports both kadmin/fqdn and
    > kadmin/admin.


    I have the principal and the Solaris 10 kadmin gets a ticket for the
    service. The server is Solaris 7, with the krb5-1.4.1.

    Using ethereal on the Solaris 10 to watch it shows the kadmin doing
    a tcp connection to the kadmind, then doing a DNS lookup of the host
    name, then closing the connection. No user data was sent, only SYN,
    ACK and FIN. See attachment.

    I am using a test realm and KDC on a separate machine that is in
    another realm. I was using the KRB5_CONFIG to point at my test
    krb5.conf on both the client and server. Once I added
    on the kadmin client = TEST.KRB5.ANL.GOV to the
    [domain_realm] it started working!






    --

    Douglas E. Engert

    No. Time Source Destination Protocol Info
    92 9.412518 146.137.238.151 146.137.180.13 TCP 32936 > kerberos-adm [SYN] Seq=0 Ack=0 Win=49640 [CHECKSUM INCORRECT] Len=0 MSS=1460 WS=0
    93 9.412968 146.137.180.13 146.137.238.151 TCP kerberos-adm > 32936 [SYN, ACK] Seq=0 Ack=1 Win=33580 Len=0 WS=0 MSS=1460
    94 9.413022 146.137.238.151 146.137.180.13 TCP 32936 > kerberos-adm [ACK] Seq=1 Ack=1 Win=49640 [CHECKSUM INCORRECT] Len=0
    97 10.425515 146.137.238.151 130.202.20.3 DNS Standard query A mercutio.ctd.anl.gov
    98 10.426194 130.202.20.3 146.137.238.151 DNS Standard query response A 146.137.180.13
    99 10.429928 146.137.238.151 146.137.180.13 TCP 32936 > kerberos-adm [FIN, ACK] Seq=1 Ack=1 Win=49640 [CHECKSUM INCORRECT] Len=0
    100 10.430183 146.137.180.13 146.137.238.151 TCP kerberos-adm > 32936 [ACK] Seq=1 Ack=2 Win=33580 Len=0
    101 10.430555 146.137.180.13 146.137.238.151 TCP kerberos-adm > 32936 [FIN, ACK] Seq=1 Ack=2 Win=33580 Len=0
    102 10.430601 146.137.238.151 146.137.180.13 TCP 32936 > kerberos-adm [ACK] Seq=2 Ack=2 Win=49640 [CHECKSUM INCORRECT] Len=0

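    The [domain_realm] fix Douglas found can be checked ahead of time by asking which realm the client's krb5.conf will map the kadmind host to, and comparing that with the realm being administered. This is an added example, not code from the thread or from MIT or Sun; the krb5.conf fragments are constructed, the hostname mercutio.ctd.anl.gov and realm TEST.KRB5.ANL.GOV are taken from the thread, and the lookup order (exact host, then parent domains, then uppercased parent domain) is an assumed simplification of what the libraries do.

```python
# Constructed krb5.conf fragments modelled on the thread (not Douglas's
# actual files): the test KDC serves TEST.KRB5.ANL.GOV, but the kadmind
# host mercutio.ctd.anl.gov lives in a domain whose default mapping is
# a different realm.  CONF_AFTER adds the [domain_realm] entry that fixed it.
CONF_BEFORE = """
[libdefaults]
    default_realm = TEST.KRB5.ANL.GOV
[domain_realm]
    .anl.gov = ANL.GOV
    anl.gov = ANL.GOV
"""
CONF_AFTER = CONF_BEFORE + "    mercutio.ctd.anl.gov = TEST.KRB5.ANL.GOV\n"


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict with lowercased keys."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_realm(hostname, mapping):
    """Simplified host-to-realm lookup (assumption: mirrors the usual
    krb5 order): exact host first, then each parent domain with and
    without a leading dot, most specific first, else uppercased parent."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for key in ("." + parent, parent):
            if key in mapping:
                return mapping[key]
    return ".".join(labels[1:]).upper()


def kadmind_realm_check(kadmind_host, admin_realm, conf_text):
    """(ok, mapped): ok is False when the client would map the kadmind
    host to a realm other than the one it is administering."""
    mapped = host_realm(kadmind_host, parse_domain_realm(conf_text))
    return mapped == admin_realm, mapped
```

    With CONF_BEFORE the check reports ANL.GOV for the kadmind host, which is the mismatch that makes the Solaris 10 client close the connection; with CONF_AFTER it reports TEST.KRB5.ANL.GOV and passes.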


  7. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    On Fri, Jun 03, 2005 at 01:47:40PM -0500, Douglas E. Engert wrote:
    > Is this some gss implementation
    > imposed restriction?


    An RPCSEC_GSS API issue.

    > What this means is that a kadmind can only serve a single realm.


    We've never claimed to support more than one. IIRC neither has MIT, but
    I'm sure someone will correct me if I'm wrong.

    > This looks like a Solaris bug to me.


    And to me.


  8. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind



    Nicolas Williams wrote:

    > On Fri, Jun 03, 2005 at 01:47:40PM -0500, Douglas E. Engert wrote:
    >
    >> Is this some gss implementation
    >> imposed restriction?

    > An RPCSEC_GSS API issue.
    >> What this means is that a kadmind can only serve a single realm.

    > We've never claimed to support more than one. IIRC neither has MIT, but
    > I'm sure someone will correct me if I'm wrong


    OK... the MIT man page for krb5kdc says:
    "The KDC may service requests for multiple realms (maximum 32 realms)"
    and the man page for kadmind talks about serving multiple realms,
    but I don't see how it does.

    It's not clear how much this is actually used, but someone
    might run into this problem. Our intent is to have the kdc and kadmind
    serve only one realm, and the server hosts will be in that realm,
    so the checking of the realm of the kadmind server host is not a real problem.


    >> This looks like a Solaris bug to me.

    > And to me.


    --

    Douglas E. Engert


  9. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    On Fri, Jun 03, 2005 at 02:16:09PM -0500, Douglas E. Engert wrote:
    > Nicolas Williams wrote:
    > > On Fri, Jun 03, 2005 at 01:47:40PM -0500, Douglas E. Engert wrote:
    > > > What this means is that a kadmind can only serve a single realm.

    > > We've never claimed to support more than one. IIRC neither has MIT, but
    > > I'm sure someone will correct me if I'm wrong

    >
    > OK... the MIT man page for krb5kdc says:
    > "The KDC may service requests for multiple realms (maximum 32 realms)"
    > and the man page for kadmind talks about serving multiple realms,
    > but I don't see how it does.


    The _KDC_, yes, but kadmind?


  10. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    >>>>> "Douglas" == Douglas E Engert writes:

    Douglas> and the man page for kadmind talks about serving multiple
    Douglas> realms, but I don't see how it does.


    *sigh*

    An older kadmind (1995 era) did sort of support multiple realms,
    although it did not actually support some more critical operations
    like actually working.

    I don't think the OV kadmind as integrated by MIT has ever supported
    this. You can run multiple realms out of a database and have all
    administrative operations go through one of the realms.




  11. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind



    Sam Hartman wrote:

    > >>>>> "Douglas" == Douglas E Engert writes:

    > Douglas> and the man page for kadmind talks about serving multiple
    > Douglas> realms, but I don't see how it does.
    > *sigh*
    >
    > An older kadmind (1995 era) did sort of support multiple realms,
    > although it did not actually support some more critical operations
    > like actually working.
    >
    > I don't think the OV kadmind as integrated by MIT has ever supported
    > this. You can run multiple realms out of a database and have all
    > administrative operations go through one of the realms.


    OK, then this is not an issue, *as long as* the kadmind server host
    is in the realm that the kadmind is serving. It's just another thing
    to keep track of.

    And no I don't need a RFE, but thanks for asking.




    --

    Douglas E. Engert


  12. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    On Fri, Jun 03, 2005 at 02:32:20PM -0500, Douglas E. Engert wrote:
    > Sam Hartman wrote:
    >
    > > >>>>> "Douglas" == Douglas E Engert writes:

    > > Douglas> and the man page for kadmind talks about serving multiple
    > > Douglas> realms, but I don't see how it does.
    > > *sigh*
    > >
    > > An older kadmind (1995 era) did sort of support multiple realms,
    > > although it did not actually support some more critical operations
    > > like actually working.
    > >
    > > I don't think the OV kadmind as integrated by MIT has ever supported
    > > this. You can run multiple realms out of a database and have all
    > > administrative operations go through one of the realms.

    >
    > OK, then this is not an issue, *as long as* the kadmind server host
    > is in the realm that the kadmind is serving. It's just another thing
    > to keep track of.
    >
    > And no I don't need a RFE, but thanks for asking.


    Ok, I won't file one.

