RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind - Kerberos



  1. RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    So, if this issue is in a SINGLE realm, it IS a bug, correct? We are
    doing this in our test lab, in a single domain. There are no other
    domains involved. Both the Solaris 10 and the MIT Kerberos
    clients/servers are all in the same realm.

    > Heilke, Rainer wrote:
    >
    > > A bug... Well, that makes us feel better in the sense that we aren't
    > > losing our marbles. I guess now, we just have to wait for the bug to get
    > > fixed. Unfortunately, this is now one of two issues that hold back any
    > > Solaris 10 rollout for us.

    >
    > Well it may be a bug, but since our production KDCs and kadmind are
    > serving a single realm, and the server is in that realm it's not
    > going to stop us. It was the test environment that was the problem.
    >
    > P.S. What is the other issue?


    Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
    not provide the same functionality. We have an RFE open on this. BTW, if
    anyone else needs ksu, please add your names to the RFE.

    Rainer

    >
    > >
    > > Thanks to everyone for your help on this. We'll keep our eyes open for
    > > the bug fix from Sun in their weekly patch club report.
    > >
    > > Rainer Heilke
    > >
    > >
    > >>-----Original Message-----
    > >>From: kerberos-bounces@mit.edu
    > >>[mailto:kerberos-bounces@mit.edu] On Behalf Of Douglas E. Engert
    > >>Sent: Friday, June 03, 2005 12:48 PM
    > >>To: 'kerberos@mit.edu'
    > >>Cc: Nicolas Williams
    > >>Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
    > >>
    > >>
    > >>I got it to work. It looks like the Solaris 10 is checking the
    > >>realm of the kadmind server host, but why? It already got
    > >>a ticket for it. It does not check that the host of the kdc is
    > >>in the realm so why check the kadmind? Is this some gss implementation
    > >>imposed restriction?
    > >>
    > >>What this means is that a kadmind can only serve a single realm.
    > >>
    > >>This looks like a Solaris bug to me.
    > >>
    > >>
    > >>Sam Hartman wrote:
    > >>
    > >>
    > >>>>>>>>"Nicolas" == Nicolas Williams writes:
    > >>>
    > >>>
    > >>> Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
    > >>> Nicolas> princs for the server, and MIT krb5, though it now
    > >>> Nicolas> implements RPCSEC_GSS, did not match this behaviour.
    > >>>
    > >>>No. If you create the hostbased principal in your kdc database it
    > >>>should work fine. The MIT code supports both kadmin/fqdn and
    > >>>kadmin/admin.
    > >>>
    > >>
    > >>I have the principal and the Solaris 10 kadmin gets a ticket for the
    > >>service. The server is Solaris 7, with the krb5-1.4.1
    > >>
    > >>Using ethereal on the Solaris 10 to watch the Solaris 10
    > >>shows the kadmin doing a tcp connection to the kadmind, then doing
    > >>a DNS lookup of the host name, then closing the connection. No user
    > >>data was sent, only SYN, ACK and FIN. See attachment.
    > >>
    > >>I am using a test realm and KDC on a separate machine that is in
    > >>another realm. I was using the KRB5_CONFIG to point at my test
    > >>krb5.conf on both the client and server. Once I added
    > >>on the kadmin client = TEST.KRB5.ANL.GOV to the
    > >>[domain_realm] it started working!
    > >>
    > >>
    > >>
    > >>
    > >>
    > >>>
    > >>>
    > >>--
    > >>
    > >> Douglas E. Engert
    > >> Argonne National Laboratory
    > >> 9700 South Cass Avenue
    > >> Argonne, Illinois 60439
    > >> (630) 252-5444
    > >>

    > >
    > >
    > >
    > >

    >
    > --
    >
    > Douglas E. Engert
    > Argonne National Laboratory
    > 9700 South Cass Avenue
    > Argonne, Illinois 60439
    > (630) 252-5444
    >


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind



    Heilke, Rainer wrote:

    > So, if this issue is in a SINGLE realm, it IS a bug, correct? We are
    > doing this in our test lab, in a single domain. There are no other
    > domains involved. Both the Solaris 10 and the MIT Kerberos
    > clients/servers are all in the same realm.


    No, I would bet that the client is somehow using a different krb5.conf
    or is assuming the realm of the server is something other than the
    test realm, i.e. deriving the realm from the DNS domain name.

    Try and add to the krb5.conf on the client
    [domain_realm]

    host.of.kdc.fqdn = TEST.REALM

    Using the FQDN of the test kadmin server, and the name of your test realm.



    >
    >
    >>Heilke, Rainer wrote:
    >>
    >>
    >>>A bug... Well, that makes us feel better in the sense that we aren't
    >>>losing our marbles. I guess now, we just have to wait for the bug to get
    >>>fixed. Unfortunately, this is now one of two issues that hold back any
    >>>Solaris 10 rollout for us.

    >>
    >>Well it may be a bug, but since our production KDCs and kadmind are
    >>serving a single realm, and the server is in that realm it's not
    >>going to stop us. It was the test environment that was the problem.
    >>
    >>P.S. What is the other issue?

    >
    >
    > Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
    > not provide the same functionality. We have an RFE open on this. BTW, if
    > anyone else needs ksu, please add your names to the RFE.
    >
    > Rainer
    >
    >
    >>>Thanks to everyone for your help on this. We'll keep our eyes open for
    >>>the bug fix from Sun in their weekly patch club report.
    >>>
    >>>Rainer Heilke
    >>>
    >>>
    >>>
    >>>>-----Original Message-----
    >>>>From: kerberos-bounces@mit.edu
    >>>>[mailto:kerberos-bounces@mit.edu] On Behalf Of Douglas E. Engert
    >>>>Sent: Friday, June 03, 2005 12:48 PM
    >>>>To: 'kerberos@mit.edu'
    >>>>Cc: Nicolas Williams
    >>>>Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
    >>>>
    >>>>
    >>>>I got it to work. It looks like the Solaris 10 is checking the
    >>>>realm of the kadmind server host, but why? It already got
    >>>>a ticket for it. It does not check that the host of the kdc is
    >>>>in the realm so why check the kadmind? Is this some gss implementation
    >>>>imposed restriction?
    >>>>
    >>>>What this means is that a kadmind can only serve a single realm.
    >>>>
    >>>>This looks like a Solaris bug to me.
    >>>>
    >>>>
    >>>>Sam Hartman wrote:
    >>>>
    >>>>
    >>>>
    >>>>>>>>>>"Nicolas" == Nicolas Williams writes:
    >>>>>
    >>>>> Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
    >>>>> Nicolas> princs for the server, and MIT krb5, though it now
    >>>>> Nicolas> implements RPCSEC_GSS, did not match this behaviour.
    >>>>>
    >>>>>No. If you create the hostbased principal in your kdc database it
    >>>>>should work fine. The MIT code supports both kadmin/fqdn and
    >>>>>kadmin/admin.
    >>>>>
    >>>>
    >>>>I have the principal and the Solaris 10 kadmin gets a ticket for the
    >>>>service. The server is Solaris 7, with the krb5-1.4.1
    >>>>
    >>>>Using ethereal on the Solaris 10 to watch the Solaris 10
    >>>>shows the kadmin doing a tcp connection to the kadmind, then doing
    >>>>a DNS lookup of the host name, then closing the connection. No user
    >>>>data was sent, only SYN, ACK and FIN. See attachment.
    >>>>
    >>>>I am using a test realm and KDC on a separate machine that is in
    >>>>another realm. I was using the KRB5_CONFIG to point at my test
    >>>>krb5.conf on both the client and server. Once I added
    >>>>on the kadmin client = TEST.KRB5.ANL.GOV to the
    >>>>[domain_realm] it started working!
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>
    >>>>>
    >>>>--
    >>>>
    >>>> Douglas E. Engert
    >>>> Argonne National Laboratory
    >>>> 9700 South Cass Avenue
    >>>> Argonne, Illinois 60439
    >>>> (630) 252-5444
    >>>>
    >>>
    >>>
    >>>
    >>>

    >>--
    >>
    >> Douglas E. Engert
    >> Argonne National Laboratory
    >> 9700 South Cass Avenue
    >> Argonne, Illinois 60439
    >> (630) 252-5444
    >>

    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
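    The [domain_realm] fix Douglas suggests above, as an added example that is not part of the thread: a small Python model of how the krb5 library maps a host name to a realm, showing that without the entry the kadmind host's realm is derived from its DNS domain, and with it the client gets TEST.REALM. The host names and config text are constructed, and the upper-cased-DNS-domain fallback is the historic MIT behaviour; newer releases use referrals and default_realm instead.

```python
"""Realm-of-host lookup as driven by krb5.conf [domain_realm].

Added example with constructed names, not the thread's real lab. Mirrors the
MIT rule: exact host entry first, then each parent domain written with a
leading dot, else the upper-cased DNS domain (the historic MIT fallback;
newer releases instead use referrals / default_realm)."""

def parse_domain_realm(conf_text):
    """Return {name: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def realm_for_host(hostname, mapping):
    """Map a host name to a realm the way the library does for host-based principals."""
    host = hostname.lower().rstrip(".")
    if host in mapping:                      # exact host entry
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # .lab.example.com, .example.com, .com
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    # No mapping: fall back to the upper-cased DNS domain, which is what
    # silently yields the wrong realm for a test realm on a shared DNS domain.
    return ".".join(labels[1:]).upper()

BEFORE = "[libdefaults]\n    default_realm = TEST.REALM\n"
AFTER = BEFORE + "[domain_realm]\n    kdc.lab.example.com = TEST.REALM\n"
KADMIND_HOST = "kdc.lab.example.com"   # constructed; stands in for the kadmind host

def demo():
    """Realm the client derives for the kadmind host before and after the fix."""
    return (realm_for_host(KADMIND_HOST, parse_domain_realm(BEFORE)),
            realm_for_host(KADMIND_HOST, parse_domain_realm(AFTER)))

if __name__ == "__main__":
    before, after = demo()
    print("without mapping:", before)   # LAB.EXAMPLE.COM: does not match TEST.REALM
    print("with mapping:   ", after)    # TEST.REALM
```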


  3. RE: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

    On Friday, June 03, 2005 01:32:20 PM -0600 "Heilke, Rainer"
    wrote:

    >> P.S. What is the other issue?

    >
    > Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
    > not provide the same functionality. We have an RFE open on this. BTW, if
    > anyone else needs ksu, please add your names to the RFE.



    What do you need in a ksu that you don't get from Solaris's su and a
    properly-configured PAM stack?

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

