[H-GEN] Problems setting up Kerberos

Sarah Kelly sarah at uow.edu.au
Tue Jan 22 17:37:14 EST 2002


[ Humbug *General* list - semi-serious discussions about Humbug and  ]
[ Unix-related topics.  Please observe the list's charter.           ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]

Thanks for your answer, James. Mine is below ...

On Wed, Jan 23, 2002 at 09:24:59AM +1100, James McPherson - TSG Engineer wrote:
> 
> On 14 Jan 2002, 09:34:20 AM Sarah Kelly wrote:
> > I'm trying to set up Kerberos using the Sun packages (Sun Enterprise
> > Authentication Mechanism) and I'm having some troubles.
> > From my machine, I started up kdc and kdc.master. I then tried to use
> > kadmin:
> > 
> > sarah at avatar init.d$ /usr/krb5/sbin/kadmin -p sarah/admin at UOW.EDU.AU
> > Enter Password:
> > kadmin: Communication failure with server while initializing kadmin interface
> > 
> > According to the sun documentation, this means that kadmind isn't running
> > on the master server, or that the host name for the master server is wrong.
> > 
> > sarah at avatar init.d$ ps -ef | grep kadmind
> >     root  1423     1  0 09:30:21 ?        0:00 /usr/krb5/lib/kadmind
> >    sarah  1425  1358  0 09:30:25 pts/5    0:00 grep kadmind
> > 
> > [realms]
> >         UOW.EDU.AU = {
> >                 kdc = avatar.its.uow.edu.au
> > #                kdc = phoenix.its.uow.edu.au
> >                 admin_server = avatar.its.uow.edu.au
> >         }
> 
> Hi Sarah,
> are you still having problems with kerberos? I found a bug filed against the
> error message you mention - 4304154 - which is closed as "not a bug." I hate
> it when the developers do that!
> 
> Anyway, the gist of it is that you need to have the "domestic" kerberos security
> package installed, and 
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-
> The entry for kerberos_v5 in /etc/gss/mech is as follows...
> 
> kerberos_v5     1.2.840.113554.1.2.2    gl/mech_krb5.so gl_kmech_krb5
> #SUNWkrggl
> 
> Changing the mechanism file to use the corresponding entry for the 'domestic'
> kerberos_v5 mechanism (from SUNWkrgdo), kadmin works without problems.
> -=-=-=-=-=-=-=-=-=-=-=-=-
> 
> 
> so if you can get your hands on the SUNWkrgdo package then you should install that
> and if necessary modify your /etc/gss/mech file as above. Alternatively, you
> could use the installer script that comes with the SEAS cdrom because that is 
> supposed to organise things correctly for you. The responsible engineer for this
> bug mentioned that this issue you mention occurs if you use pkgadd and don't
> install SUNWkrgdo.
> 
> Let me know if you have any more questions about this.

Actually, since the change in the US export laws we have not needed the
different authentication modules. I have it working. I reinstalled 
all the packages (using the GUI instead of pkgadd) and it's working fine
now. Might I add at this point that I hate the GUI? Give me command line
options any day. I have the servers working the way they should now, but
cannot use rlogin. I did a truss, and it turns out that the kerberised
rlogin tries to change to the user's home directory before setting UID to
be that user. And since the machines I am testing on are not root trusted
by our filer, it spits the dummy big time. Sun's normal rlogin had this 
bug fixed years ago, apparently. I believe we're filing a bug report with
Sun over this one.

My next step will be to get a Win2k box to authenticate against our new
Kerberos server. We don't trust the Windows box to be secure so we're
not about to put passwords there. 

By the end of all this I'm going to be an interoperability specialist I 
think!

-- 
Ms Sarah Kelly						sarah at uow.edu.au
Information Technology Services				Bld 17 Level 2
The University of Wollongong				Ph: +61 2 4221 3775

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.



More information about the General mailing list