[14638] in Kerberos


Re: How to configure a Kerberos 5 Linux client of a Solaris KDC server

daemon@ATHENA.MIT.EDU (Wyllys Ingersoll)
Mon Jul 9 08:59:34 2001

Message-Id: <200107091255.f69CtMU654968@jurassic.eng.sun.com>
Date: Mon, 9 Jul 2001 08:58:48 -0400 (EDT)
From: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
Reply-To: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
To: kenh@cmf.nrl.navy.mil
Cc: kerberos@MIT.EDU
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: Gq9NAj0oVN48fGzHkMRe8g==


>To: Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com>
>cc: kerberos@MIT.EDU
>Subject: Re: How to configure a Kerberos 5 Linux client of a Solaris KDC server 
>Date: Fri, 06 Jul 2001 10:30:58 -0400
>From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>
>>You cannot use an MIT-based 'kadmin' client with a SEAM based KDC because
>>the RPC protocol used by the MIT admin program is incompatible with the
>>RPC protocol used by SEAM.  SEAM uses RPCSEC_GSS (RFC 2743) and MIT uses 
>>an older, non-standard, secure RPC protocol.
>
>I always felt this was unfortunate, because this pretty much makes it
>mandatory that you NOT use SEAM as a server if you want any sort of
>interoperability.
>

I agree that it is unfortunate, but it does not break interoperability
as badly as you think.  Only kadmin/kpasswd is broken.  The 'kpasswd'
interoperability problem is addressed in the next release of Solaris,
leaving only kadmin non-interoperable.

The admin protocol was never standardized (unfortunately) and SEAM
diverged from the MIT version to replace OpenVision's RPC-based admin
protocol with RPCSEC_GSS.  

RPCSEC_GSS was key to getting Kerberos protection for NFS with SEAM.

-Wyllys

