On Tue, Aug 07, 2007 at 04:12:59PM -0700, Mike Friedman wrote:
> I know this has been discussed here a lot over the years, but until now it
> hasn't been an issue for me. My question is, what are the compatibility
> issues between Solaris (in particular Solaris 10) clients and an MIT K5
> KDC?
>
> More specifically, I've just put up a test KDC using MIT's 1.6.2 (with no
> mods). I'm also working in a test Solaris 10 environment in which MIT K5
> hasn't yet been installed. We're trying, for some application testing
> that needs to be done before we can set up a production environment, to
> run the Solaris 10 supplied kadmin (and API code derived from kadmin)
> against the MIT 1.6.2 KDC.
>
> My initial expectation was that kadmin wouldn't work, because of the
> discussion I've seen here about incompatible RPCs. So I was surprised,
> last week, when Solaris (/usr/sbin/) kadmin appeared to work just fine,
> against our production KDC: MIT 1.4.2.
>
> Today, however, I tried Solaris kadmin against my test 1.6.2 KDC and got
> this message, after authenticating:
>
>    GSS-API (or Kerberos) error while initializing kadmin interface
>
> As no error was logged in the (MIT) KDC, I figured this meant the problem
> was on the client side, or else at a lower layer that the KDC daemons
> wouldn't log.
>
> It happens that I built my 1.4.2 statically linked, on a Solaris 8 system,
> so I copied over the kadmin binary to the Solaris 10 system and used it
> against the 1.6.2 KDC, with success.
>
> So, it appears that Solaris 10 kadmin libraries are more compatible with a
> 1.4.2 KDC than with 1.6.2, which seems counter-intuitive. (I would have
> expected compatibility to be improved with later versions of both Kerberos
> implementations).
>
> I've probably missed some recent discussion on this, but now I want to
> find out what the actual story is on Solaris/MIT kadmin compatibility.
>
> Any clarification would be appreciated.

This is a long standing issue between MIT and Sun regarding the kadmin
related principals. For more read:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=3064

The workaround on Solaris 10 is to set:

kpasswd_protocol = SET_CHANGE

in krb5.conf. Other than this Solaris 10 should be very compatible with
a MIT KDC.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
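
An added example, not part of the thread and not Sun's or MIT's code: a shell check that lists the realms in a krb5.conf that do not carry the `kpasswd_protocol = SET_CHANGE` workaround mentioned above. It assumes the setting is placed per realm inside `[realms]`; the realm and host names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Lists realms in a krb5.conf whose
# block lacks "kpasswd_protocol = SET_CHANGE".
# Assumption: the setting is placed per realm inside [realms].

realms_missing_set_change() {
    # Reads the files named in "$@", or stdin when none are given.
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            in_realms = ($0 ~ /^[ \t]*\[realms\]/)
            next
        }
        !in_realms { next }
        depth == 0 && /=[ \t]*\{/ {             # "REALM = {" opens a block
            realm = $0
            sub(/^[ \t]*/, "", realm)
            sub(/[ \t]*=.*$/, "", realm)
            depth = 1; ok = 0
            next
        }
        depth > 0 {
            if ($0 ~ /\{/) depth++              # nested sub-block
            if (depth == 1 &&
                $0 ~ /^[ \t]*kpasswd_protocol[ \t]*=[ \t]*SET_CHANGE[ \t]*$/)
                ok = 1
            if ($0 ~ /\}/) {
                depth--
                if (depth == 0 && !ok) print realm
            }
        }
    ' "$@"
}

# Constructed sample configuration (hypothetical realms and hosts).
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = TEST.EXAMPLE.COM
[realms]
    TEST.EXAMPLE.COM = {
        admin_server = kdc1.test.example.com
        kpasswd_protocol = SET_CHANGE
    }
    PROD.EXAMPLE.COM = {
        admin_server = kdc1.prod.example.com
    }
EOF
}

sample_krb5_conf | realms_missing_set_change    # prints PROD.EXAMPLE.COM
```

To audit a real client, pass the path of its krb5.conf as the argument to `realms_missing_set_change`.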
