Now it works. For your information, the problem was that the KDC was listening only on port 88 and not 750, so kinit and kadmind were unable to communicate with it.
Apache authentication with mod_auth_kerb works fine.
I tried to authenticate my Solaris 8 box with the bundled PAM_Kerb5 module, and it doesn't work because the Sun SEAM KDC is working with a SecureRPC method different from the one MIT Kerberos uses.
SEAM clients work just fine for standard Kerberos exchanges. The secure RPC differences only affect the use of administrative tools like kadmin. Clients like 'kinit' and using pam_krb5 for authentication work just fine talking to SEAM or MIT KDCs.
There are several SEAM patches for pam that you should try to download. Also, verify that you have installed the encryption pack for Solaris 8 SEAM (free unbundled download).
---
Patch 112390 delivers patches for the "domestic" krb5 library (/usr/lib/gss/do/mech_krb5.so.1)
Patch 112237 delivers the same patches for the "global" krb5 library (/usr/lib/gss/gl/mech_krb5.so.1)
The "domestic" library is the one with full encryption support (for Solaris 8).
For Solaris 9, there is no difference in the do and gl mechs; both deliver encryption.
Thus, if you are patching a Solaris 8 system with crypto support, use 112390.
---
Note, SEAM does not support Kerberos V4 in any way, so if you are trying to use KrbV4 with SEAM, then you should expect it to fail.
Is there a way to authenticate my Solaris clients with the MIT Kerberos KDC?
Use 'kinit' just like you always do.
-Wyllys
Thank you,
Yan
--------------
Here are the messages I exchanged with Srini from the newsgroup. The problem remains unsolved; looking forward to more help.
Yan
Hi group, I compiled it from source on Solaris 8. I followed the installation guide, created an admin principal, an ACL, and filled in krb5.conf and kdc.conf. The installation has /opt/k5 as --prefix, so I created /opt/k5/etc and /opt/k5/var manually to put my config files in.
When starting krb5kdc this port appears:
-begin-------------------------------------------------------
UDP: IPv4 192.168.0.8.88 Idle
-end-------------------------------------------------------
and the ports for kadmind:
-begin-------------------------------------------------------
UDP: IPv4 *.464 Idle
TCP: IPv4 *.749 *.* 0 0 24576 0 LISTEN
-end-------------------------------------------------------
So I assume my servers are up and running; the processes appear in the ps -ef output as well.
kadmin.local works; here is the getprincs output:
-begin-------------------------------------------------------
kadmin.local: getprincs
K/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
kadmin/[EMAIL PROTECTED]
krbtgt/[EMAIL PROTECTED]
yan/[EMAIL PROTECTED]
-end-------------------------------------------------------
I found while googling that someone has had this problem before, and he was told to make sure that his hosts file was configured to have the FQDN of the machine appear first in the hosts file entry for that IP. It didn't solve my problem.
Here's the problem:
-begin-------------------------------------------------------
sun2# kadmin -p yan/[EMAIL PROTECTED]
Authenticating as principal yan/[EMAIL PROTECTED] with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
-end-------------------------------------------------------
Here is my krb5.conf file:
-begin-------------------------------------------------------
[libdefaults]
        ticket_lifetime = 600
        default_realm = NEOTOKYO.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        NEOTOKYO.COM = {
                kdc = SUN2.NEOTOKYO.COM
                admin_server = SUN2.NEOTOKYO.COM
                default_domain = NEOTOKYO.COM
        }

[domain_realm]
        .neotokyo.com = NEOTOKYO.COM
        neotokyo.com = NEOTOKYO.COM

[logging]
        kdc = FILE:/opt/k5/var/krb5kdc/kdc.log
        admin_server = FILE:/opt/k5/var/krb5kdc/kadmin.log
-end-------------------------------------------------------
Neither kdc.log nor kadmind.log shows anything special, not even the connection requests.
You can reach me at [EMAIL PROTECTED] if you wish to help.
Yannick
________________________________________________
----------------------
Hi,
Try to get the TGT first by giving the command "kinit <principal name>".
Did you update the /etc/services file with the following services:
kerberos        88/udp    kdc     # Kerberos authentication (udp)
kerberos        88/tcp    kdc     # Kerberos authentication (tcp)
krb5_prop       754/tcp           # Kerberos slave propagation
kerberos-adm    749/tcp           # Kerberos 5 admin/changepw (tcp)
kerberos-adm    749/udp           # Kerberos 5 admin/changepw (udp)
eklogin         2105/tcp          # Kerberos encrypted rlogin
Also, what does your kdc.conf look like and where (path) is it exactly?
Good Luck, Srini
-------------------
Hi, my /etc/services wasn't updated, so I added the entries you specified below. Thank you.
The problem is still here though:
-begin-------------------------------
sun2# kinit -V yan/[EMAIL PROTECTED]
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
-end-------------------------------
Here is my kdc.conf:
-begin-------------------------------
sun2# pwd
/opt/k5/var/krb5kdc
sun2# cat kdc.conf
[kdcdefaults]
        kdc_ports = 88

[realms]
        NEOTOKYO.COM = {
                database_name = /opt/k5/var/krb5kdc/principal
                key_stash_file = /opt/k5/var/krb5kdc/.k5.NEOTOKYO.COM
                kadmind_port = 749
                admin_keytab = /opt/k5/var/krb5kdc/kadm5.keytab
                acl_file = /opt/k5/var/krb5kdc/kadm5.acl
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
                kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
        }
sun2#
-end----------------------------------------------
---------------------
Hi Yan,
I think it is unable to locate the KDC. Where is your krb5.conf?
- It is currently in /opt/k5/etc. I think it is used by kadmin when connecting,
- because when I tested it by changing the hostname of the KDC in there and sniffing the
- network, I saw kadmin trying to connect to the other machine. The thing I
- found strange is that it is trying to connect to a UDP port which is not
- listening on the server. I have not specified any port in the config files; I
- assumed the client and server would use the default ports.
Copy the krb5.conf to /etc and check. Then please try to kill the krb5kdc and start it again.
- I'll try that this evening when back at home.
Are you able to ping SUN2.NEOTOKYO.COM?
- Yep, that's the same machine.
Are the KDC and the client on the same m/c?
- Yep.
Cheers,
Srini
Can you run 'telnet SUN2.NEOTOKYO.COM 749'?
Christian.
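The thread's root cause (client and KDC disagreeing on the UDP port, with the wrong config file or a stale /etc/services in the middle) is the kind of thing worth checking mechanically before reaching for a sniffer. The script below is an added example, not code from the thread or from MIT Kerberos: it parses a client krb5.conf, a kdc.conf and an /etc/services file in the same format the posts show, and compares the port the client will use with the ports the KDC binds. The lookup order it applies is the one MIT libkrb5 uses when no port is given in the kdc = line (the "kerberos" service from /etc/services, then 88); the default of 88 for a missing kdc_ports, the Solaris-style services file with kerberos on 750/udp, and the realm NEOTOKYO.COM sample configs are constructed for the example.

```python
"""Check a Kerberos client config against a KDC config for a port mismatch.

Constructed example: parses krb5.conf / kdc.conf (MIT profile format) and
/etc/services, then reports whether the UDP port kinit will use is one the
KDC actually listens on.  Sample inputs are embedded below.
"""
import re

# Constructed client config, modelled on the one posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = NEOTOKYO.COM
[realms]
        NEOTOKYO.COM = {
                kdc = SUN2.NEOTOKYO.COM
                admin_server = SUN2.NEOTOKYO.COM
        }
"""

# Constructed KDC config listening on 88 only (the failing case).
SAMPLE_KDC_CONF = """\
[kdcdefaults]
        kdc_ports = 88
[realms]
        NEOTOKYO.COM = {
                kadmind_port = 749
        }
"""

# Constructed KDC config with both ports, as in the thread's resolution.
FIXED_KDC_CONF = SAMPLE_KDC_CONF.replace("kdc_ports = 88", "kdc_ports = 88,750")

# Constructed Solaris-style services file: "kerberos" still names the old
# v4 port 750, and it is listed before the entries added later.
SAMPLE_SERVICES = """\
# constructed /etc/services excerpt
kerberos        750/udp         kdc
kerberos        88/udp          kdc     # added later, but not first
kerberos-adm    749/tcp
"""


def parse_profile(text):
    """Parse the MIT profile format: [section], key = value, key = { ... }."""
    config, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [config.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                      # ignore lines before any section
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                  # nested block, e.g. a realm entry
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return config


def parse_services(text):
    """Map (name, proto) -> port; first match wins, as getservbyname() does."""
    services = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        for name in [parts[0]] + parts[2:]:   # primary name plus aliases
            services.setdefault((name, proto), int(port))
    return services


def client_kdc_port(krb5, services, realm):
    """UDP port kinit targets: explicit host:port, else 'kerberos' service, else 88."""
    host, _, port = krb5["realms"][realm]["kdc"].rpartition(":")
    if host and port.isdigit():
        return int(port)
    return services.get(("kerberos", "udp"), 88)


def kdc_listen_ports(kdc_conf):
    """Ports krb5kdc binds from kdc_ports in [kdcdefaults] (assumed default: 88)."""
    value = kdc_conf.get("kdcdefaults", {}).get("kdc_ports", "88")
    return sorted({int(p) for p in re.split(r"[,\s]+", value) if p})


def diagnose(krb5_text, kdc_text, services_text, realm):
    """Return (client_port, kdc_ports, reachable) for the given config texts."""
    client_port = client_kdc_port(parse_profile(krb5_text),
                                  parse_services(services_text), realm)
    ports = kdc_listen_ports(parse_profile(kdc_text))
    return client_port, ports, client_port in ports


if __name__ == "__main__":
    for label, kdc_text in (("as posted", SAMPLE_KDC_CONF), ("fixed", FIXED_KDC_CONF)):
        client_port, ports, ok = diagnose(SAMPLE_KRB5_CONF, kdc_text,
                                          SAMPLE_SERVICES, "NEOTOKYO.COM")
        print(f"{label}: client -> udp/{client_port}, KDC listens on {ports}: "
              f"{'OK' if ok else 'MISMATCH'}")
```

Run it and the "as posted" case reports a mismatch (client sending to 750, KDC on 88 only) while the "fixed" case passes. Two details carry the lesson: parse_services keeps the first entry for a name, so appending the MIT-style kerberos 88/udp line after an existing 750/udp line changes nothing, and client_kdc_port only honours a port written into the kdc = line, so the quickest client-side fix is kdc = SUN2.NEOTOKYO.COM:88 in the krb5.conf the client actually reads.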
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
