[31018] in Kerberos


Re: KRB5 & Sun Solaris 9

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Apr 24 16:15:57 2009

X-Barracuda-Envelope-From: deengert@anl.gov
Message-ID: <49F21DC2.4010705@anl.gov>
Date: Fri, 24 Apr 2009 15:14:58 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "McGranahan, Jamen" <jamen.mcgranahan@Vanderbilt.Edu>
In-Reply-To: <63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



McGranahan, Jamen wrote:
> Error: 
> lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj@DS.VANDERBILT.EDU
> Kerberos initialization on lib240
> kinit: Can't send request (send_to_kdc) for principal
> mcgranj@DS.VANDERBILT.EDU
> 
> Ldd command:
> lib240:/usr/local/krb5-1.6.3/bin#ldd kinit
>         libkrb4.so.2 =>  /usr/local/krb5-1.6.3/lib/libkrb4.so.2
>         libdes425.so.3 =>
> /usr/local/krb5-1.6.3/lib/libdes425.so.3
>         libkrb5.so.3 =>  /usr/local/krb5-1.6.3/lib/libkrb5.so.3
>         libk5crypto.so.3 =>
> /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
>         libcom_err.so.3 =>
> /usr/local/krb5-1.6.3/lib/libcom_err.so.3
>         libkrb5support.so.0 =>
> /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
>         libresolv.so.2 =>        /lib/libresolv.so.2
>         libsocket.so.1 =>        /lib/libsocket.so.1
>         libnsl.so.1 =>   /lib/libnsl.so.1
>         libdl.so.1 =>    /lib/libdl.so.1
>         libc.so.1 =>     /lib/libc.so.1
>         libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
>         libmp.so.2 =>    /lib/libmp.so.2
>         /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
> 

Above looks OK.

So you have two realms? Which one is AD? Are both?
Do you have cross realm setup? (But should not affect
kinit if the user is in realm DS.VANDERBILT.EDU)

Why the IP number for the kdc in DS.VANDERBILT.EDU?

Why are the admin_servers the same for both realms?
This can work if the KDC services both realms,
but you said you wanted to use AD!

I hope you are not trying to have two realms, one AD and
the other based on MIT, both with the same realm name?

> Krb5.conf:
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = DS.VANDERBILT.EDU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>  default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>  default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>  preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>  udp_preference_limit = 1
> 
> [realms]
>  DS.VANDERBILT.EDU = {
>   kdc = 129.59.1.26
>   admin_server = ds.vanderbilt.edu
>   default_domain = vanderbilt.edu
>  }
>  VANDERBILT.EDU = {
>   kdc = ds.vanderbilt.edu
>   admin_server = ds.vanderbilt.edu
>   default_domain = vanderbilt.edu
>  }
> 
> [domain_realm]
> .vanderbilt.edu = DS.VANDERBILT.EDU
> vanderbilt.edu = DS.VANDERBILT.EDU
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> kinit = {
>   renewable = true
>   forwardable = true
> }
> 
> -------------------
> 
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University
> 
> 
> -----Original Message-----
> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
> Behalf Of Douglas E. Engert
> Sent: Friday, April 24, 2009 2:33 PM
> To: Jamen
> Cc: kerberos@mit.edu
> Subject: Re: KRB5 & Sun Solaris 9
> 
> 
> 
> Jamen wrote:
>> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
>> will not work with Samba on Solaris 9. I've been told that there is a
>> version on 10 that does work, but I couldn't get it to work on our
>> box, but did with MIT's. Our goal is to create share drives on these
>> servers through Active Directory, and we're utilizing Samba, KRB, and
>> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
>> all of the resources, but Kerberos fails when I issue the kinit
>> command. 
> 
> The MIT kinit should work. What is the error again?
> What does
> ldd /usr/local/krb5-1.6.3/bin/kinit
> show?
> 
> You have not sent a copy of the krb5.conf to the list,
> are you willing to do so? Or to selected individuals?
> 
> As Will said below, it might be a UDP/TCP issue.
> Have you added a udp_preference_limit = 1
> to the [libdefaults] section? This says prefer UDP
> if the packet size is less than 1. In other words
> always use TCP.
> 
> Wireshark (or other network trace program) can be very handy
> to see packets sent by kinit, and to where it is sending
> them. It will also show DNS activity trying to locate the KDCs.
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
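
An added example, not part of the original message or of MIT Kerberos: a small Python check that reads a krb5.conf and reports the three things the reply asks about (a KDC given as an IP literal, one admin_server shared by several realms, and udp_preference_limit = 1 forcing TCP). The finding labels and the function names are assumptions of this sketch, and it only handles flat `REALM = { key = value }` blocks.

```python
import re
SAMPLE = """\
[libdefaults]
 udp_preference_limit = 1
[realms]
 DS.VANDERBILT.EDU = {
  kdc = 129.59.1.26
  admin_server = ds.vanderbilt.edu
 }
 VANDERBILT.EDU = {
  kdc = ds.vanderbilt.edu
  admin_server = ds.vanderbilt.edu
 }
"""  # constructed sample, trimmed from the krb5.conf quoted in the thread
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?")  # IPv4 literal, optional :port

def parse(text):
    """Return (libdefaults dict, {realm: {key: [values]}}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            key, val = m.groups()
            if section == "realms" and val == "{":
                realm = realms.setdefault(key, {})
            elif realm is not None:
                realm.setdefault(key, []).append(val)
            elif section == "libdefaults":
                libdefaults[key] = val
    return libdefaults, realms

def review(text):
    libdefaults, realms = parse(text)
    findings = [("kdc-is-ip", r, k) for r, c in realms.items()
                for k in c.get("kdc", []) if IPV4.fullmatch(k)]
    admins = {}  # admin_server host -> realms that name it
    for r, c in realms.items():
        for a in c.get("admin_server", []):
            admins.setdefault(a, []).append(r)
    findings += [("shared-admin_server", a, tuple(rs))
                 for a, rs in admins.items() if len(rs) > 1]
    if libdefaults.get("udp_preference_limit") == "1":
        findings.append(("always-tcp", "udp_preference_limit", "1"))
    return findings
```

Calling `review(open("/etc/krb5.conf").read())` returns a list of `(check, subject, detail)` tuples; an empty list means none of the three conditions was found.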
