Heimdal kerberos and Solaris 8 Client


 
Old 06-30-2005

Hi,

I have been trying to have a Solaris 8 client authenticate to a SUSE Linux KDC (Heimdal) via SEAM. Everything works fine: I can log in with a principal using kinit or via PAM and get a TGT. However, I can't use kadmin or kpasswd from the Solaris client. The error received is Client/Server realm mismatch...
I read in old postings (2002) that SEAM's kadmin and kpasswd are only compatible with SEAM KDCs. Is that still a valid statement? I have been troubleshooting this problem for the last 2 weeks... PLEASE HELP!!

I have attached my krb5.conf file. I noticed in the kdc.log file that when I get authenticated on the Solaris client des3-cbc-md5 is used, but when I get authenticated on the Linux server des3-cbc-sha1 is used. I wonder if that has something to do with the problem? Nothing is logged when I try to run kadmin or kpasswd from the Solaris client.


Thanks in advance for your help....

Ivette
SEAM(5)          Standards, Environments, and Macros          SEAM(5)

NAME
     SEAM - overview of Sun Enterprise Authentication Mechanism

DESCRIPTION
     SEAM (Sun Enterprise Authentication Mechanism) authenticates clients in a network environment, allowing for secure transactions. (A client may be a user or a network service.) SEAM validates the identity of a client and the authenticity of transferred data. SEAM is a single-sign-on system, meaning that a user needs to provide a password only at the beginning of a session. SEAM is based on the Kerberos(TM) system developed at MIT, and is compatible with Kerberos V5 systems over heterogeneous networks.

     SEAM works by granting clients tickets, which uniquely identify a client, and which have a finite lifetime. A client possessing a ticket is automatically validated for network services for which it is entitled; for example, a user with a valid SEAM ticket may rlogin into another machine running SEAM without having to identify itself. Because each client has a unique ticket, its identity is guaranteed.

     To obtain tickets, a client must first initialize the SEAM session, either by using the kinit(1) command or a PAM module. (See pam_krb5(5).) kinit prompts for a password, and then communicates with a Key Distribution Center (KDC). The KDC returns a Ticket-Granting Ticket (TGT) and prompts for a confirmation password. If the client confirms the password, it can use the Ticket-Granting Ticket to obtain tickets for specific network services. Because tickets are granted transparently, the user need not worry about their management. Current tickets may be viewed by using the klist(1) command.

     Tickets are valid according to the system policy set up at installation time. For example, tickets have a default lifetime for which they are valid. A policy may further dictate that privileged tickets, such as those belonging to root, have very short lifetimes. Policies may allow some defaults to be overruled; for example, a client may request a ticket with a lifetime greater or less than the default.

     Tickets can be renewed using kinit. Tickets are also forwardable, allowing you to use a ticket granted on one machine on a different host. Tickets can be destroyed by using kdestroy(1). It is a good idea to include a call to kdestroy in your .logout file.

     Under SEAM, a client is referred to as a principal. A principal takes the following form:

          primary/instance@REALM

     primary     A user, a host, or a service.

     instance    A qualification of the primary. If the primary is a host -- indicated by the keyword host -- then the instance is the fully-qualified domain name of that host. If the primary is a user or service, then the instance is optional. Some instances, such as admin or root, are privileged.

     realm       The Kerberos equivalent of a domain; in fact, in most cases the realm is directly mapped to a DNS domain name. SEAM realms are given in upper-case only.

     For examples of principal names, see the EXAMPLES.

     By taking advantage of the General Security Services API (GSS-API), SEAM offers, besides user authentication, two other types of security service: integrity, which authenticates the validity of transmitted data, and privacy, which encrypts transmitted data. Developers can take advantage of the GSS-API through the use of the RPCSEC_GSS API interface (see rpcsec_gss(3NSL)).

EXAMPLES
     Example 1: Examples of valid principal names

     The following are examples of valid principal names:

          joe
          joe/admin
          joe@ENG.ACME.COM
          joe/admin@ENG.ACME.COM
          rlogin/bigmachine.eng.acme.com@ENG.ACME.COM
          host/bigmachine.eng.acme.com@ENG.ACME.COM

     The first four cases are user principals. In the first two cases, it is assumed that the user joe is in the same realm as the client, so no realm is specified. Note that joe and joe/admin are different principals, even if the same user uses them; joe/admin has different privileges from joe. The fifth case is a service principal, while the final case is a host principal. The word host is required for host principals. With host principals, the instance is the fully qualified hostname. Note that the words admin and host are reserved keywords.

SEE ALSO
     kdestroy(1), kinit(1), klist(1), kpasswd(1), krb5.conf(4), krb5envvar(5)

     Sun Enterprise Authentication Mechanism Guide

NOTES
     If you enter your username and kinit responds with this message:

          Principal unknown (kerberos)

     you haven't been registered as a SEAM user. See your system administrator or the Sun Enterprise Authentication Mechanism Guide.

SunOS 5.10                       17 Nov 1999                       SEAM(5)
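
The principal syntax described in SEAM(5) above (primary/instance@REALM), as an added Python example that is not part of the original thread or of SEAM itself. The names `parse_principal` and `Principal`, and the rule that a dotted instance marks a service principal, are assumptions made for illustration; only the single-instance form shown in the man page is handled.

```python
from typing import NamedTuple, Optional

PRIVILEGED_INSTANCES = {"admin", "root"}  # instances SEAM(5) calls privileged


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: str
    kind: str  # "user", "host" or "service"
    privileged: bool


def parse_principal(name: str, default_realm: str) -> Principal:
    """Parse primary[/instance][@REALM]; a missing realm means the local one."""
    body, at, realm = name.partition("@")
    if not at:
        realm = default_realm
    if not realm or "@" in realm or realm != realm.upper():
        raise ValueError(f"realm must be a single upper-case name: {realm!r}")

    primary, slash, instance = body.partition("/")
    if not primary or (slash and not instance) or "/" in instance:
        raise ValueError(f"expected primary[/instance], got {body!r}")

    if primary == "host":
        # Host principals require the fully qualified hostname as instance.
        if "." not in instance:
            raise ValueError("host principal needs an FQDN instance")
        kind = "host"
    elif "." in instance:
        kind = "service"  # heuristic (assumption): FQDN instance => service
    else:
        kind = "user"

    return Principal(primary, instance or None, realm, kind,
                     instance in PRIVILEGED_INSTANCES)


if __name__ == "__main__":
    # Names from the man page's EXAMPLES; the default realm is constructed.
    for n in ("joe", "joe/admin", "joe@ENG.ACME.COM",
              "rlogin/bigmachine.eng.acme.com@ENG.ACME.COM",
              "host/bigmachine.eng.acme.com@ENG.ACME.COM"):
        print(parse_principal(n, default_realm="ENG.ACME.COM"))
```
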