RE: Solaris 8 and mit kdc - Kerberos


Thread: RE: Solaris 8 and mit kdc

  1. RE: Solaris 8 and mit kdc

    I'd suggest dropping the SEAM component and just going with the MIT code
    across the board. That's what we've had forever (started this way in
    Sol2.6). SEAM in Solaris 10 is looking more promising (still a couple
    bugs to iron out).

    The keytab should go in /etc, generated by the kadmin# ktadd
    host/ command. Use the MIT version of kadmin.

    Rainer Heilke

    > -----Original Message-----
    > From: kerberos-bounces@mit.edu
    > [mailto:kerberos-bounces@mit.edu] On Behalf Of fsoliv
    > Sent: Monday, June 20, 2005 1:51 PM
    > To: kerberos@mit.edu
    > Subject: Solaris 8 and mit kdc
    >
    >
    > Hello,
    >
    > Can anyone refer a link with information in configuring kerberized
    > rlogin in solaris8?
    > I am using MIT-KDC 1.4.1 and SEAM on all solaris 8 clients.
    > Also, how do I add a keytab to a solaris 8 machine? Should I create a
    > file in a linux machine and then copy it to the solaris 8 box? If so,
    > where should I put the keytab?
    >
    > Thanks,
    > F.
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >




  2. Re: Solaris 8 and mit kdc

    Thank you for your email.
    However, I need to use Solaris' own kerberos implementation.
    F.


  3. Re: Solaris 8 and mit kdc

    fsoliv wrote:
    > Thank you for your email. However, I need to use Solaris' own kerberos
    > implementation.
    >
    > >>> Hello,
    > >>>
    > >>> Can anyone refer a link with information in configuring
    > >>> kerberized rlogin in solaris8? I am using MIT-KDC 1.4.1 and
    > >>> SEAM on all solaris 8 clients. Also, how do I add a keytab to a
    > >>> solaris 8 machine? Should I create a file in a linux machine
    > >>> and then copy it to the solaris 8 box? If so, where should I
    > >>> put the keytab?
    > >>>


    If you configure the MIT-KDC to use the RPCSEC_GSS protocol,
    you should be able to use the SEAM 'kadmin' client to create keys
    and populate the keytab on the Solaris 8 client.

    If you don't want to do that (or can't figure out how), you can create
    the keys on the KDC (using the MIT kadmin client tool) and then transfer
    them to the Solaris box via some secure protocol (such as SSH).

    The main keys you need on the SEAM client system are the
    "host" principals for the client system:
    ex: host/f.q.d.n@REALM

    Also, if you want to use NFS with Solaris 8 SEAM you will
    also need to create nfs/f.q.d.n principals as well and possibly
    a "root/f.q.d.n" principal in order to use automount with secure
    NFS file systems. All of this is well documented in the SEAM
    online documentation at docs.sun.com - look it up and search
    for SEAM.

    Remember - the only keys that need to be in a keytab are those
    that are specific to that host. One common misconception or
    mistake that people make is to put keys in the keytab on host A
    for services that only exist on other hosts.

    -Wyllys



  4. Re: Solaris 8 and mit kdc

    Hello,

    Thank you for your answers. I have been out of the office this past
    week and only now I had some time to get back to this issue.
    Here is what is going on:

    When I rlogin from solaris8 machines to solaris 8 machines with the command:
    #/usr/krb5/bin/rlogin -F usolaris8machine I get the error message:
    #Unable to connect with Kerberos V5, trying normal rlogin
    #Enter Kerberos password:

    When I rlogin from linux machines (/usr/kerberos/bin/rlogin -F
    solaris8machine) to solaris 8 machines I get :

    #Couldn't authenticate to server: Bad application version was sent
    (via sendauth)
    #Trying krb4 rlogin...
    #krb_sendauth failed: You have no tickets cached
    #trying normal rlogin (/usr/bin/rlogin)
    #/usr/bin/rlogin: invalid option -- F
    #usage: rlogin [ -8EL] [-e char] [ -l username ] host


    Before typing this command I do kinit -f username.

    Also, I can't find a field in seam's krb5.conf file to configure the
    location of the keytabs. I have placed the krb5.keytab extracted from
    a linux machine into /etc/krb5/.


    Any help is appreciated,

    F.



  5. Re: Solaris 8 and mit kdc

    fsoliv wrote:

    > Before typing this command I do kinit -f username.
    >
    > Also, I can't find a field in seam's krb5.conf file to configure the
    > location of the keytabs. I have placed the krb5.keytab extracted
    > from a linux machine into /etc/krb5/.


    That is correct. The keytab on Solaris is /etc/krb5/krb5.keytab

    On the Solaris box (as root), run "klist -ke" - this should show
    you the contents of the keytab file. It *should* contain
    a DES key for "host/foo.bar.com@YOUR.REALM" (Solaris 8).

    Also, look in the KDC log files to see if either the client
    or the server is requesting keys for things the KDC does
    not know about.

    Kerberos is very sensitive to naming issues - we like to recommend
    that you always use fully qualified hostnames for your host
    based service principals and make sure that your naming
    service returns f.q.d.n names for reverse address lookups.

    What naming service are you using to resolve hostnames
    (DNS, NIS, or just flat files like /etc/hosts) ?

    -Wyllys
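
The keytab checks from the two replies above (only keys specific to this host belong in its keytab; host-based principals should use fully qualified names), as an added example that is not part of the original thread. The function names, status labels and the sample listing are constructed for illustration; the listing assumes the MIT-style `klist -ke` layout and reuses the thread's placeholder names foo.bar.com and YOUR.REALM.

```shell
#!/bin/sh
# Added example: classify each principal in a "klist -ke" listing.
# Usage on the host (as root): klist -ke | audit_keytab foo.bar.com YOUR.REALM
# On Solaris, use nawk or /usr/xpg4/bin/awk; the old /usr/bin/awk lacks -v.
audit_keytab() {
    awk -v fqdn="$1" -v realm="$2" '
    # Entry lines start with a KVNO; header and separator lines do not.
    $1 ~ /^[0-9]+$/ {
        princ = $2
        at = index(princ, "@")
        name = (at ? substr(princ, 1, at - 1) : princ)
        prealm = (at ? substr(princ, at + 1) : "")
        slash = index(name, "/")
        svc = (slash ? substr(name, 1, slash - 1) : name)
        host = (slash ? substr(name, slash + 1) : "")
        if (host == "") {
            status = "NONHOST"      # not a host-based service principal
        } else if (host == fqdn && prealm == realm) {
            status = "LOCAL"        # key belongs to this host
            if (svc == "host") have_host = 1
        } else if (index(host, ".") == 0) {
            status = "SHORTNAME"    # hostname part is not fully qualified
        } else {
            status = "FOREIGN"      # key for a service on another host/realm
        }
        print status, princ
    }
    END { if (!have_host) print "MISSING", "host/" fqdn "@" realm }
    '
}

# Constructed sample listing (not real output from any system).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/foo.bar.com@YOUR.REALM (DES cbc mode with CRC-32)
   2 nfs/foo.bar.com@YOUR.REALM (DES cbc mode with CRC-32)
   1 host/other.bar.com@YOUR.REALM (DES cbc mode with CRC-32)
   1 host/foo@YOUR.REALM (DES cbc mode with CRC-32)
EOF
}

sample_listing | audit_keytab foo.bar.com YOUR.REALM
```

Any FOREIGN or SHORTNAME line is a key to remove or re-create under the fully qualified name; a MISSING line means the keytab has no host key for the name passed in.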
