OK, I'm getting a little confused as to the differences we're talking about here. I've forwarded this to my co-worker who's working on the problem to add the line you suggest, but I don't understand how the Solaris 10 client can be assuming a realm other than that configured (which is the same as all of the other systems in the test lab).

Thanks.

Rainer

> -----Original Message-----
> From: Douglas E. Engert [mailto:[EMAIL PROTECTED]
> Sent: Friday, June 03, 2005 1:38 PM
> To: Heilke, Rainer
> Cc: [email protected]
> Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
>
> Heilke, Rainer wrote:
> > So, if this issue is in a SINGLE realm, it IS a bug, correct? We are
> > doing this in our test lab, in a single domain. There are no other
> > domains involved. Both the Solaris 10 and the MIT Kerberos
> > clients/servers are all in the same realm.
>
> No, I would bet that the client is somehow using a different krb5.conf
> or is assuming the realm of the server is something other than the
> test realm, i.e. deriving the realm from the DNS domain name.
>
> Try and add to the krb5.conf on the client:
>
>   [domain_realm]
>     host.of.kdc.fqdn = TEST.REALM
>
> using the FQDN of the test kadmin server, and the name of your test realm.
>
> >> Heilke, Rainer wrote:
> >>
> >>> A bug... Well, that makes us feel better in the sense that we aren't
> >>> losing our marbles. I guess now, we just have to wait for the bug to get
> >>> fixed. Unfortunately, this is now one of two issues that hold back any
> >>> Solaris 10 rollout for us.
> >>
> >> Well it may be a bug, but since our production KDCs and kadmind are
> >> serving a single realm, and the server is in that realm, it's not
> >> going to stop us. It was the test environment that was the problem.
> >>
> >> P.S. What is the other issue?
> >
> > Sun's lack of a ksu binary. The way we use ksu, RBAC and su simply do
> > not provide the same functionality. We have an RFE open on this. BTW, if
> > anyone else needs ksu, please add your names to the RFE.
> >
> > Rainer
> >
> >>> Thanks to everyone for your help on this. We'll keep our eyes open for
> >>> the bug fix from Sun in their weekly patch club report.
> >>>
> >>> Rainer Heilke
> >>>
> >>>> -----Original Message-----
> >>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas E. Engert
> >>>> Sent: Friday, June 03, 2005 12:48 PM
> >>>> To: '[email protected]'
> >>>> Cc: Nicolas Williams
> >>>> Subject: Re: Using Solaris 10 kadmin with MIT 1.4.1 kadmind
> >>>>
> >>>> I got it to work. It looks like the Solaris 10 is checking the
> >>>> realm of the kadmind server host, but why? It already got
> >>>> a ticket for it. It does not check that the host of the kdc is
> >>>> in the realm, so why check the kadmind? Is this some gss
> >>>> implementation imposed restriction?
> >>>>
> >>>> What this means is that a kadmind can only serve a single realm.
> >>>>
> >>>> This looks like a Solaris bug to me.
> >>>>
> >>>> Sam Hartman wrote:
> >>>>
> >>>>>>>>>> "Nicolas" == Nicolas Williams <[EMAIL PROTECTED]> writes:
> >>>>>
> >>>>>     Nicolas> Known bug. Our RPCSEC_GSS APIs force us to use hostbased
> >>>>>     Nicolas> princs for the server, and MIT krb5, though it now
> >>>>>     Nicolas> implements RPCSEC_GSS, did not match this behaviour.
> >>>>>
> >>>>> No. If you create the hostbased principal in your kdc database it
> >>>>> should work fine. The MIT code supports both kadmin/fqdn and
> >>>>> kadmin/admin.
> >>>>
> >>>> I have the principal and the Solaris 10 kadmin gets a ticket for the
> >>>> service. The server is Solaris 7, with the krb5-1.4.1.
> >>>>
> >>>> Using ethereal on the Solaris 10 to watch, the Solaris 10 shows the
> >>>> kadmin doing a tcp connection to the kadmind, then doing a DNS lookup
> >>>> of the host name, then closing the connection. No user data was sent,
> >>>> only SYN, ACK and FIN. See attachment.
> >>>>
> >>>> I am using a test realm and KDC on a separate machine that is in
> >>>> another realm. I was using the KRB5_CONFIG to point at my test
> >>>> krb5.conf on both the client and server. Once I added on the kadmin
> >>>> client <kdc.fqdn> = TEST.KRB5.ANL.GOV to the [domain_realm] it started
> >>>> working!
> >>>>
> >>>> --
> >>>>
> >>>>  Douglas E. Engert <[EMAIL PROTECTED]>
> >>>>  Argonne National Laboratory
> >>>>  9700 South Cass Avenue
> >>>>  Argonne, Illinois 60439
> >>>>  (630) 252-5444
> >
> > ________________________________________________
> > Kerberos mailing list [email protected]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
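As an added illustration (not from the thread, and not Sun's or MIT's code), the Python below models the [domain_realm] lookup the thread is about: how a client maps the kadmind host's name to a realm, and why adding an exact entry for that host changes the answer. The resolution order (exact host, then longest matching dotted-domain suffix, then uppercasing the DNS domain) is a simplified model of the behaviour described in the thread; all hostnames, realms and config text are constructed placeholders.

```python
import re

def parse_domain_realm(conf_text):
    """Return {key: realm} from the [domain_realm] section of krb5.conf text.
    Keys are lower-cased so lookups are case-insensitive, as DNS names are."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (p.strip() for p in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Simplified host-to-realm resolution (model, not MIT's or Sun's code)."""
    host = hostname.lower().rstrip(".")
    if host in mapping:                        # 1. exact host entry (the fix in the thread)
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):            # 2. longest matching ".domain" suffix
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return ".".join(labels[1:]).upper()        # 3. guess the realm from the DNS domain

# Constructed krb5.conf fragments: the KDC/kadmind host lives in a DNS domain that
# belongs to another realm, but it serves TEST.REALM (the situation in the thread).
BROKEN_CONF = """[libdefaults]
    default_realm = TEST.REALM
[domain_realm]
    .example.lab = EXAMPLE.LAB
"""
FIXED_CONF = BROKEN_CONF + "    kdc1.example.lab = TEST.REALM\n"

def diagnose(kadmind_host):
    """Realm the client would assume for the kadmind host before and after the fix."""
    return (host_realm(kadmind_host, parse_domain_realm(BROKEN_CONF)),
            host_realm(kadmind_host, parse_domain_realm(FIXED_CONF)))

if __name__ == "__main__":
    before, after = diagnose("kdc1.example.lab")
    print(f"without exact entry: {before}; with exact entry: {after}")
```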
