Starting kpropd as a service in Solaris 10 - Kerberos
Starting kpropd as a service in Solaris 10
I'm putting up a KDC (krb5-1.4.2) on a Solaris 10 system, an OS that is
new to me (I've installed MIT K5 on Solaris 8 and 9 and other systems).
It seems that kpropd won't start correctly from inetd.conf, though if I
run it standalone (-S option) it works fine.
Our sysadmin talked to Sun support, who suggested contacting the 'vendor'
(that's you folks!) about whether there's a special way to start kpropd as
a service. I suspect there isn't, but our Unix sysadmin doesn't know why
it's not working.
What is apparently happening is that when I connect to port 754 from the
master KDC, /usr/lib/krb5/kpropd (the Solaris version) gets launched,
rather than /usr/local/kerberos/sbin/kpropd (the MIT version). And, of
course, the former doesn't work since it doesn't know about my (MIT)
Kerberos configuration.
But /etc/inetd.conf has the following entry:
krb5_prop stream tcp nowait root /usr/local/kerberos/sbin/kpropd kpropd
The symptom I get on the kprop client end is a message that authentication
to the server failed. Which I'd expect if the native Solaris kpropd is
being run instead of MIT's kpropd.
I know that Solaris 10 introduces the 'smf' facility for managing
services, so I figure this has something to do with the problem. But so
far our sysadmin, and our Sun contact apparently, has nothing further to
suggest.
The sysadmin has tried several times to 'refresh' inetd via smf commands,
to no avail.
Any ideas?
Thanks.
Mike
__________________________________________________ _______________________
Mike Friedman IST/System and Network Security
mikef@berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://socrates.berkeley.edu/~mikef http://security.berkeley.edu
__________________________________________________ _______________________
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: Starting kpropd as a service in Solaris 10
On Wednesday, September 13, 2006 07:29:22 PM -0700 Mike Friedman
wrote:
> The sysadmin has tried several times to 'refresh' inetd via smf commands,
> to no avail.
The issue here is very likely that there is already a service in smf for
Sun's kpropd, which is conflicting with the one created as a result of your
line in /etc/inetd.conf. The particularly annoying bit is that the
existing service may even use inetd to start Sun's kpropd, but the existing
inetd-based service won't be in the same place in smf as one created by
conversion from inetd.conf, which means they can (and do) exist at the same
time, but yours loses because inetd knew about the other one first.
You have a couple of choices here...
- Find the existing smf service for Sun's kpropd and remove or disable it.
- Figure out what package contains Sun's kpropd and uninstall it.
-- Jeffrey T. Hutzelman (N3NHS)
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
-
Re: Starting kpropd as a service in Solaris 10
Mike Friedman wrote:
> I'm putting up a KDC (krb5-1.4.2) on a Solaris 10 system, an OS that
> is new to me (I've installed MIT K5 on Solaris 8 and 9 and other
> systems).
> It seems that kpropd won't start correctly from inetd.conf, though if
> I run it standalone (-S option) it works fine.
>
> I know that Solaris 10 introduces the 'smf' facility for managing
> services, so I figure this has something to do with the problem. But
> so far our sysadmin, and our Sun contact apparently, has nothing
> further to suggest.
>
> The sysadmin has tried several times to 'refresh' inetd via smf
> commands, to no avail.
Did you read the lines at the top of the inetd.conf file?
Specifically the:
# Any records remaining in this file after installation or upgrade,
# or later created by installing additional software, must be converted
# to smf(5) services and imported into the smf repository using
# inetconv(1M), otherwise the service will not be available. Once
# a service has been converted using inetconv, further changes made to
# its entry here are not reflected in the service.
Also, having run KDCs on Solaris 10, I highly recommend that you do not
install Sun's packages if you are using MIT. It gets very confusing.
--
Christopher D. Clausen
ACM@UIUC SysAdmin
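Added example, not part of any post in this thread: one way to carry out the check described in the replies above, listing every inetd-managed smf instance for krb5_prop and flagging any enabled one other than the instance inetconv creates. The listing is constructed sample data; its FMRIs, and the inetconv naming svc:/network/NAME/PROTO:default, are assumptions to verify on the host (on Solaris 10, pipe real `inetadm` output into the functions instead).

```shell
#!/bin/sh
# Added example, not from the thread. The listing below is constructed.

# Constructed `inetadm` output (columns: ENABLED STATE FMRI).
sample_inetadm() {
cat <<'EOF'
ENABLED   STATE          FMRI
enabled   online         svc:/network/security/krb5_prop:default
enabled   online         svc:/network/krb5_prop/tcp:default
disabled  disabled       svc:/network/security/ktkt_warn:default
enabled   online         svc:/network/telnet:default
EOF
}

# find_inetd_instances NAME: read an inetadm listing on stdin and print
# "<enabled|disabled> <FMRI>" for every instance whose FMRI contains NAME
# as a whole path component (krb5_prop does not match krb5_prop_old).
find_inetd_instances() {
    awk -v name="$1" '
        $3 ~ /^svc:\// {
            n = split($3, part, "[/:]")
            for (i = 1; i <= n; i++)
                if (part[i] == name) { print $1, $3; break }
        }'
}

# shadowing_instances NAME PROTO: print enabled instances for NAME other
# than the one inetconv generates (assumed: svc:/network/NAME/PROTO:default).
# Any output means a second service is competing for the same port.
shadowing_instances() {
    own="svc:/network/$1/$2:default"
    find_inetd_instances "$1" |
        awk -v own="$own" '$1 == "enabled" && $2 != own { print $2 }'
}

# Print the commands an admin would review; nothing is executed here.
for fmri in $(sample_inetadm | shadowing_instances krb5_prop tcp); do
    echo "inetadm -l $fmri | grep exec   # confirm which binary it launches"
    echo "svcadm disable $fmri"
done
```

After disabling the competing instance, `inetadm -l` on the converted instance should show the MIT path from the inetd.conf record as its exec property.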
-
Re: Starting kpropd as a service in Solaris 10
On Thu, 14 Sep 2006 at 23:01 (-0400), Jeffrey Hutzelman wrote:
> On Wednesday, September 13, 2006 07:29:22 PM -0700 Mike Friedman
> wrote:
>
>> The sysadmin has tried several times to 'refresh' inetd via smf
>> commands, to no avail.
>
> The issue here is very likely that there is already a service in smf for
> Sun's kpropd, which is conflicting with the one created as a result of
> your line in /etc/inetd.conf. The particularly annoying bit is that the
> existing service may even use inetd to start Sun's kpropd, but the
> existing inetd-based service won't be in the same place in smf as one
> created by conversion from inetd.conf, which means they can (and do)
> exist at the same time, but yours loses because inetd knew about the
> other one first.
>
> You have a couple of choices here...
>
> - Find the existing smf service for Sun's kpropd and remove or disable it.
>
> - Figure out what package contains Sun's kpropd and uninstall it.
Jeffrey,
Your description of the situation is pretty much correct and our sysadmin
figured out how to carry out essentially your first suggestion above. I
don't know all the details, but the MIT kpropd is now being started up by
inetd, which is what I care about.
Thanks.
Mike
__________________________________________________ _______________________
Mike Friedman IST/System and Network Security
mikef@berkeley.edu 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://socrates.berkeley.edu/~mikef http://security.berkeley.edu
__________________________________________________ _______________________