RE: Solaris 8 and mit kdc
I'd suggest dropping the SEAM component and just going with the MIT code
across the board. That's what we've had forever (started this way in
Sol2.6). SEAM in Solaris 10 is looking more promising (still a couple
bugs to iron out).
The keytab should go in /etc, generated by the kadmin# ktadd
host/<host.domain.com> command. Use the MIT version of kadmin.
Rainer Heilke
> -----Original Message-----
> From: kerberos-bounces@mit.edu
> [mailto:kerberos-bounces@mit.edu] On Behalf Of fsoliv
> Sent: Monday, June 20, 2005 1:51 PM
> To: kerberos@mit.edu
> Subject: Solaris 8 and mit kdc
>
>
> Hello,
>
> Can anyone refer a link with information in configuring kerberized
> rlogin in solaris8?
> I am using MIT-KDC 1.4.1 and SEAM on all solaris 8 clients.
> Also, how do I add a keytab to a solaris 8 machine? Should I create a
> file in a linux machine and then copy it to the solaris 8 box? If so,
> where should I put the keytab?
>
> Thanks,
> F.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Solaris 8 and mit kdc
Thank you for your email.
However, I need to use Solaris' own kerberos implementation.
> F.
>
> On 6/20/05, Heilke, Rainer <Rainer.Heilke@atcoitek.com> wrote:
> > I'd suggest dropping the SEAM component and just going with the MIT code
> > across the board. That's what we've had forever (started this way in
> > Sol2.6). SEAM in Solaris 10 is looking more promising (still a couple
> > bugs to iron out).
> >
> > The keytab should go in /etc, generated by the kadmin# ktadd
> > host/<host.domain.com> command. Use the MIT version of kadmin.
> >
> > Rainer Heilke
> >
> > > -----Original Message-----
> > > From: kerberos-bounces@mit.edu
> > > [mailto:kerberos-bounces@mit.edu] On Behalf Of fsoliv
> > > Sent: Monday, June 20, 2005 1:51 PM
> > > To: kerberos@mit.edu
> > > Subject: Solaris 8 and mit kdc
> > >
> > >
> > > Hello,
> > >
> > > Can anyone refer a link with information in configuring kerberized
> > > rlogin in solaris8?
> > > I am using MIT-KDC 1.4.1 and SEAM on all solaris 8 clients.
> > > Also, how do I add a keytab to a solaris 8 machine? Should I create a
> > > file in a linux machine and then copy it to the solaris 8 box? If so,
> > > where should I put the keytab?
> > >
> > > Thanks,
> > > F.
> > >
> > > ________________________________________________
> > > Kerberos mailing list Kerberos@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Solaris 8 and mit kdc
fsoliv wrote:
> Thank you for your email. However, I need to use Solaris' own kerberos
> implementation.
>
> >>> Hello,
> >>>
> >>> Can anyone refer a link with information in configuring
> >>> kerberized rlogin in solaris8? I am using MIT-KDC 1.4.1 and
> >>> SEAM on all solaris 8 clients. Also, how do I add a keytab to a
> >>> solaris 8 machine? Should I create a file in a linux machine
> >>> and then copy it to the solaris 8 box? If so, where should I
> >>> put the keytab?
> >>>
If you configure the MIT-KDC to use the RPCSEC_GSS protocol,
you should be able to use the SEAM 'kadmin' client to create keys
and populate the keytab on the Solaris 8 client.

If you don't want to do that (or can't figure out how), you can create
the keys on the KDC (using the MIT kadmin client tool) and then transfer
them to the Solaris box via some secure protocol (such as SSH).

The main keys you need on the SEAM client system are the
"host" principals for the client system:
ex: host/f.q.d.n@REALM

Also, if you want to use NFS with Solaris 8 SEAM you will
also need to create nfs/f.q.d.n principals as well and possibly
a "root/f.q.d.n" principal in order to use automount with secure
NFS file systems. All of this is well documented in the SEAM
online documentation at docs.sun.com - look it up and search
for SEAM.

Remember - the only keys that need to be in a keytab are those
that are specific to that host. One common misconception or
mistake that people make is to put keys in the keytab on host A
for services that only exist on other hosts.

-Wyllys
Re: Solaris 8 and mit kdc
Hello,
Thank you for your answers. I have been out of the office this past
week and only now I had some time to get back to this issue.
Here is what is going on:
When I rlogin from solaris8 machines to solaris 8 machines with the command:
#/usr/krb5/bin/rlogin -F usolaris8machine I get the error message:
#Unable to connect with Kerberos V5, trying normal rlogin
#Enter Kerberos password:
When I rlogin from linux machines (/usr/kerberos/bin/rlogin -F
solaris8machine) to solaris 8 machines I get :
#Couldn't authenticate to server: Bad application version was sent
(via sendauth)
#Trying krb4 rlogin...
#krb_sendauth failed: You have no tickets cached
#trying normal rlogin (/usr/bin/rlogin)
#/usr/bin/rlogin: invalid option -- F
#usage: rlogin [ -8EL] [-e char] [ -l username ] host
Before typing this command I do kinit -f username.
Also, I can't find a field in SEAM's krb5.conf file to configure the
location of the keytabs. I have placed the krb5.keytab extracted from
a linux machine into /etc/krb5/.
Any help is appreciated,
F.
On 6/21/05, Wyllys Ingersoll <wyllys.ingersoll@sun.com> wrote:
> fsoliv wrote:
> > Thank you for your email. However, I need to use Solaris' own kerberos
> > implementation.
> >
> > >>> Hello,
> > >>>
> > >>> Can anyone refer a link with information in configuring
> > >>> kerberized rlogin in solaris8? I am using MIT-KDC 1.4.1 and
> > >>> SEAM on all solaris 8 clients. Also, how do I add a keytab to a
> > >>> solaris 8 machine? Should I create a file in a linux machine
> > >>> and then copy it to the solaris 8 box? If so, where should I
> > >>> put the keytab?
> > >>>
>
> If you configure the MIT-KDC to use the RPCSEC_GSS protocol,
> you should be able to use the SEAM 'kadmin' client to create keys
> and populate the keytab on the Solaris 8 client.
>
> If you don't want to do that (or can't figure out how), you can create
> the keys on the KDC (using the MIT kadmin client tool) and then transfer
> them to the Solaris box via some secure protocol (such as SSH).
>
> The main keys you need on the SEAM client system are the
> "host" principals for the client system:
> ex: host/f.q.d.n@REALM
>
> Also, if you want to use NFS with Solaris 8 SEAM you will
> also need to create nfs/f.q.d.n principals as well and possibly
> a "root/f.q.d.n" principal in order to use automount with secure
> NFS file systems. All of this is well documented in the SEAM
> online documentation at docs.sun.com - look it up and search
> for SEAM.
>
> Remember - the only keys that need to be in a keytab are those
> that are specific to that host. One common misconception or
> mistake that people make is to put keys in the keytab on host A
> for services that only exist on other hosts.
>
> -Wyllys
>
Re: Solaris 8 and mit kdc
fsoliv wrote:
> Before typing this command I do kinit -f username.
>
> Also, I can't find a field in SEAM's krb5.conf file to configure the
> location of the keytabs. I have placed the krb5.keytab extracted
> from a linux machine into /etc/krb5/.
That is correct. The keytab on Solaris is /etc/krb5/krb5.keytab

On the Solaris box (as root), run "klist -ke" - this should show
you the contents of the keytab file. It *should* contain
a DES key for "host/foo.bar.com@YOUR.REALM" (Solaris 8).

Also, look in the KDC log files to see if either the client
or the server is requesting keys for things the KDC does
not know about.

Kerberos is very sensitive to naming issues - we like to recommend
that you always use fully qualified hostnames for your host
based service principals and make sure that your naming
service returns f.q.d.n names for reverse address lookups.

What naming service are you using to resolve hostnames
(DNS, NIS, or just flat files like /etc/hosts) ?

-Wyllys
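
Added example (not part of the thread and not any poster's code): a shell function that reads "klist -ke" output on stdin and reports keytab entries that do not belong on this host, following the advice in the replies above that a keytab should hold only keys for the host's own fully qualified name. It assumes the MIT klist line layout "<kvno> <principal> (<enctype>)" without the -t timestamp column; the function names, finding labels and sample listing are constructed for illustration.

```shell
#!/bin/sh
# audit_keytab_listing FQDN   (reads `klist -ke` output on stdin)
# Prints one finding per line and nothing when the listing looks right:
#   SHORTNAME <principal>  host part is not fully qualified
#   OTHERHOST <principal>  key belongs to a different host
#   MISSING host/<fqdn>    no host/ key for this machine was listed
audit_keytab_listing() {
    awk -v fqdn="$1" '
    BEGIN { want = tolower(fqdn); seen_host = 0 }
    # Entry lines start with a numeric KVNO; header lines do not.
    $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
        name = $2; sub(/@.*$/, "", name)           # strip the realm
        if (split(name, part, "/") != 2) next      # only service/host names
        inst = tolower(part[2])
        if (inst !~ /\./)      { print "SHORTNAME " $2; next }
        if (inst != want)      { print "OTHERHOST " $2; next }
        if (part[1] == "host") seen_host = 1
    }
    END { if (!seen_host) print "MISSING host/" want }
    '
}

# Constructed sample listing for a host named foo.bar.com (assumed values).
sample_listing() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/foo.bar.com@YOUR.REALM (DES cbc mode with CRC-32)
   3 nfs/foo.bar.com@YOUR.REALM (DES cbc mode with CRC-32)
   2 host/foo@YOUR.REALM (DES cbc mode with CRC-32)
   5 nfs/other.bar.com@YOUR.REALM (DES cbc mode with CRC-32)
EOF
}

sample_listing | audit_keytab_listing foo.bar.com
```

On a real system the input would come from running klist -ke as root and piping it into the function with the name the host's reverse lookup returns.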