[23995] in Kerberos


Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Jun 3 14:52:04 2005

Message-ID: <42A0A5CC.4070809@anl.gov>
Date: Fri, 03 Jun 2005 13:47:40 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "'kerberos@mit.edu'" <kerberos@mit.edu>
In-Reply-To: <tsl64ww4kby.fsf@cz.mit.edu>
cc: Nicolas Williams <nicolas.williams@sun.com>


I got it to work. It looks like the Solaris 10 is checking the
realm of the kadmind server host, but why? It already got
a ticket for it.  It does not check that the host of the kdc is
in the realm so why check the kadmind? Is this some gss implementation
imposed restriction?

What this means is that a kadmind can only serve a single realm.

This looks like a Solaris bug to me.


Sam Hartman wrote:

>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@sun.com> writes:
> 
> 
>     Nicolas> Known bug.  Our RPCSEC_GSS APIs force us to use hostbased
>     Nicolas> princs for the server, and MIT krb5, though it now
>     Nicolas> implements RPCSEC_GSS, did not match this behaviour.
> 
> No.  If you create the hostbased principal in your kdc database it
> should work fine.  The MIT code supports both kadmin/fqdn and
> kadmin/admin.
> 

I have the principal and the Solaris 10 kadmin gets a ticket for the
service.  The server is Solaris 7, with the krb5-1.4.1.

Using ethereal on the Solaris 10 to watch the Solaris 10 shows
the kadmin doing a tcp connection to the kadmind, then doing
a DNS lookup of the host name, then closing the connection. No user
data was sent, only SYN, ACK and FIN. See attachment.

I am using a test realm and KDC on a separate machine that is in
another realm. I was using the KRB5_CONFIG to point at my test
krb5.conf on both the client and server. Once I added
<kdc.fqdn> = TEST.KRB5.ANL.GOV to the [domain_realm] section on the
kadmin client, it started working!



-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Attachment: kadmin.out

No.     Time        Source                Destination           Protocol Info
     92 9.412518    146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [SYN] Seq=0 Ack=0 Win=49640 [CHECKSUM INCORRECT] Len=0 MSS=1460 WS=0
     93 9.412968    146.137.180.13        146.137.238.151       TCP      kerberos-adm > 32936 [SYN, ACK] Seq=0 Ack=1 Win=33580 Len=0 WS=0 MSS=1460
     94 9.413022    146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [ACK] Seq=1 Ack=1 Win=49640 [CHECKSUM INCORRECT] Len=0
     97 10.425515   146.137.238.151       130.202.20.3          DNS      Standard query A mercutio.ctd.anl.gov
     98 10.426194   130.202.20.3          146.137.238.151       DNS      Standard query response A 146.137.180.13
     99 10.429928   146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [FIN, ACK] Seq=1 Ack=1 Win=49640 [CHECKSUM INCORRECT] Len=0
    100 10.430183   146.137.180.13        146.137.238.151       TCP      kerberos-adm > 32936 [ACK] Seq=1 Ack=2 Win=33580 Len=0
    101 10.430555   146.137.180.13        146.137.238.151       TCP      kerberos-adm > 32936 [FIN, ACK] Seq=1 Ack=2 Win=33580 Len=0
    102 10.430601   146.137.238.151       146.137.180.13        TCP      32936 > kerberos-adm [ACK] Seq=2 Ack=2 Win=49640 [CHECKSUM INCORRECT] Len=0
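The [domain_realm] lookup behind the fix above, as an added example that is not part of the original post or of either kadmin implementation: a small model of how krb5 maps a service host name to a realm (exact host entry first, then parent domains with a leading dot, then default_realm), applied to the kadmind host from the capture. The default realm ANL.GOV and the "before" mapping are constructed assumptions; the post does not state them.

```python
"""Model of krb5.conf [domain_realm] host-to-realm mapping (added example).

Shows why a kadmin client that derives the realm of the kadmind host
from [domain_realm] only agrees with the service ticket's realm once an
explicit entry for the kadmind host is present.
"""

DEFAULT_REALM = "ANL.GOV"  # assumed default_realm; not stated in the post

# Constructed [domain_realm] contents before the author's change: only the
# production domain is mapped, so any anl.gov host resolves to ANL.GOV.
MAPPING_BEFORE = {
    ".anl.gov": "ANL.GOV",
    "anl.gov": "ANL.GOV",
}

# After the change: the kadmind host (from the capture's DNS lookup) is
# mapped explicitly to the test realm, as the post describes.
MAPPING_AFTER = dict(MAPPING_BEFORE)
MAPPING_AFTER["mercutio.ctd.anl.gov"] = "TEST.KRB5.ANL.GOV"


def host_to_realm(host, domain_realm, default_realm=DEFAULT_REALM):
    """Resolve HOST to a realm the way krb5 walks [domain_realm]:
    an exact host-name entry wins, then each parent domain written with a
    leading dot (most specific first), and finally default_realm."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return default_realm


def kadmind_realm_matches(kadmind_host, ticket_realm, domain_realm):
    """Model of the client-side check the post describes: the realm the
    client derives for the kadmind host must equal the realm of the
    kadmin service ticket it already holds, or it gives up (FIN, no data)."""
    return host_to_realm(kadmind_host, domain_realm) == ticket_realm
```

Run with the two mappings to see the mismatch (ANL.GOV vs TEST.KRB5.ANL.GOV) disappear once the explicit host entry is added.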


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

