> Greetings, everyone.
>
> We run a number of Solaris 8 systems using Sun's SEAM PAM implementation and MIT's Kerberos (which we're up to date on). We are starting to look at Solaris 10, and are hoping to move towards Sun's implementation of Kerberos. We are having a bit of trouble getting the two to talk properly, however.
I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos. It is linked directly with the Solaris kerberos libraries (private).
Solaris 10 Kerberos interops very well with MIT, Heimdal, and Microsoft. It has support for all of the enctypes (AES, RC4, 3DES, DES) finally.
> If we SSH (from production to test, for example) to a Solaris 8 machine, then we can rlogin (Kerberized) to the Solaris 10 machine and, from there, rlogin to a Sol 8 machine again. If, however, we SSH directly to the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing various experiments (for example, trying to ksu on the Sol 10 machine), the only error we ever get is:
>
> ksu WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
> Kerberos password for [EMAIL PROTECTED]: :
> ksu: Server not found in Kerberos database while getting credentials from kdc
> Authentication failed.
ksu is an MIT client, it is not part of Solaris 10. Whose Kerberized apps are you using on Solaris 10 (MIT or the stuff bundled with Solaris 10) ?
> Doing an rlogin to a Sol 8 machine gives no errors at all; it just quietly fails.
- Which rlogin client are you using (MIT or Solaris) ? - Which rlogin server is running on the Sol 8 system?
> The above error seems to indicate that the Solaris 10 Kerberos isn't passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon certain differences, would not be a big surprise). Has anyone gotten
What "certain differences" are you referring to? Solaris 10 will interoperate with Solaris 8 SEAM, but if your KDC is Solaris 10 (or MIT) you will have to restrict the enctypes used by the Solaris 8 services because Solaris 8 only supports DES and Solaris 10 uses AES by default.
> this to work? The Sol 10 system is using the default Solaris 10 PAM implementation as well; not sure if this is part of the problem, but the configuration files are significantly different. The Sol 10 version doesn't explicitly list the entire path to the libraries, and breaks things up based upon Authentication/Account/Session/Password rather than service (sshd, login, etc.). I have tried adding the MIT libraries into the pam.conf requirements, but that seems to break even more things (again, not a great shock).
What service are you trying to use pam_krb5 with - rlogin or ssh? ssh in Solaris 10 supports GSSAPI authentication, so you should not need to use pam_krb5 in that case.
> BTW, we have the same issues going from the Sol 10 system to our RedHat box.
>
> I know Sol 10 isn't finalized, but any help/suggestions would be greatly appreciated, even if it's to say it will never work for reason X. I don't see Sun changing this radically before GA. We are running the latest available build, 72.
It most certainly DOES work, it seems that you have something misconfigured between the various systems you are trying to use. It may be that you are running into problems due to Solaris 8 only supporting DES tickets, but it sounds like your problems are related to how you are using PAM and the services you are using.
I need more info in order to be able to help you:
- What OS is the KDC running on?
- Whose KDC are you using (Solaris 10, Solaris 8 SEAM, MIT, MS AD ) ?
- What OS is the client (rlogin or ssh) running on?
- What OS is the server (rlogind or sshd) running on?
- Which Kerberos implementation is being used on the client system and server system?
-Wyllys
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
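An added illustration, not part of the thread and not taken from Sun's or MIT's documentation, of how the enctype restriction Wyllys describes (Solaris 8 SEAM only speaks DES, while Solaris 10 and MIT KDCs issue AES by default) is expressed in the client krb5.conf and in an MIT kdc.conf. The realm EXAMPLE.COM, the hostname sol8.example.com and the file paths are assumed; the Solaris 10 profile lives at /etc/krb5/krb5.conf, MIT's at /etc/krb5.conf.

```ini
# --- /etc/krb5.conf (MIT) or /etc/krb5/krb5.conf (Solaris 10) ---
# On every machine that initiates rlogin/ssh/ksu to a Solaris 8 host.
# Realm and hostnames below are assumed for the example.
[libdefaults]
    default_realm = EXAMPLE.COM
    # AES stays first, so Solaris 10 <-> Solaris 10 and MIT traffic keeps
    # strong keys.  The DES types are listed LAST: the TGS picks a ticket
    # enctype that is both in this list and among the service principal's
    # keys, so a Solaris 8 host principal that only has DES keys still gets
    # a DES service ticket instead of the request failing outright.
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac des-cbc-crc des-cbc-md5
    # MIT krb5 1.7 and later refuse DES entirely unless this is set.
    # Solaris 10 ignores the key; it is only here for the MIT side.
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

# --- /var/kerberos/krb5kdc/kdc.conf on an MIT KDC ---
# Default key set for NEWLY created principals.  Keep it AES-only; the
# Solaris 8 hosts are the exception and get DES keys explicitly with
# "-e des-cbc-crc:normal" on the kadmin command line.
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }
```

With that in place, the per-host exception is made in MIT kadmin rather than in the config files: on the KDC, `addprinc -randkey -e des-cbc-crc:normal host/sol8.example.com` (or `cpw -randkey -e des-cbc-crc:normal host/sol8.example.com` for a principal that already exists with AES keys), and on the Solaris 8 box `ktadd -e des-cbc-crc:normal host/sol8.example.com` so the keytab holds the matching DES key. The Solaris 8 krb5.conf keeps its own DES-only enctype lists. To check the result, log in, rlogin to the Solaris 8 host and run `klist -e` on the originating machine: the `host/sol8.example.com` ticket should show a DES enctype while the TGT and the Solaris 10 host tickets still show AES. DES is broken cryptography, so this is a compatibility concession scoped to the Solaris 8 principals only, and the DES keys and the `allow_weak_crypto` line should go away with the last Solaris 8 host.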
