Re: heimdal and solaris 10 gssapi troubles



Hi Henry,

I do not think that it is a solaris issue. I rather think it is a Heimdal
issue. I think so because Heimdal happily accepts forwardable tickets
from solaris 10 kerberos:

step1: solaris10-ssh -----> heimdal-0.7.2+openssh works

but Heimdal is somehow having problems afterwards with these
credentials:

step2: heimdal-0.7.2+openssh -----> heimdal-0.7.2+openssh fails

I just wonder if someone on the list has some experience with mixed
heimdal / solaris10 kerberos environments

Best regards, vadim tarassov

On Mon, 2007-06-18 at 16:16 -0700, Henry B. Hotz wrote:
> Check the encryption types (klist -e) everywhere.
> 
> Solaris 8 is old enough it may not accept a ticket with data of a  
> type it doesn't itself understand.  Newer Kerberos will accept such  
> tickets as long as the portion it needs to decode itself is a known  
> type.  I'm just guessing.
> 
> More of the Sun guys hang out on the MIT lists than here.
> 
> On Jun 18, 2007, at 12:25 PM, vadim wrote:
> 
> > Hi all,
> >
> > I have lots of solaris 8 boxes running heimdal 0.7.2 + openssh. As  
> > KDC I
> > use MS AD. Everything works fine in terms of SSO. Silly thing however
> > happens when I login on solaris 8 box (again heimdal 0.7.2 + openssh)
> > from solaris 10 with stock sun's ssh. Namely,
> >
> > first step: solaris 10 (stock gssapi+ssh) to solaris 8 (heimdal 
> > +openssh)
> > works
> > second step: solaris 8 (heimdal+openssh) with delegated from  
> > solaris 10
> > creds to solaris 8 (heimdal+openssh) does not. I do not remember exact
> > error message, but it sounds like "something went wrong with GSSAPI".
> >
> > I have compared creds, which I delegate to solaris 8 from another
> > solaris 8 box with creds, which I delegate to solaris 8 box from  
> > solaris
> > 10 box. The difference is only in presence of "session key" in creds
> > coming from solaris 10. Namely, "kinit -v" does not show any "session
> > key" if I login on solaris 8 from solaris 8.
> >
> > Do you know if there are any interoperability issues between heimdal
> > 0.7.2 and stock solaris 10 kerberos implementations?
> >
> > thanx a lot and best regards, vadim tarassov
> 
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
> 
>
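Henry's advice in the thread is to run `klist -e` on every hop and compare the encryption types, and Vadim's own diagnosis rests on a session-key difference between the credentials delegated from Solaris 8 and from Solaris 10. The following is an added example (not code from either poster or from Heimdal) that automates that comparison: it parses MIT-style `klist -e` output into a list of tickets with their session-key and ticket enctypes, flags any ticket whose enctypes fall outside a caller-supplied set of enctypes the receiving host is assumed to support, and diffs the session-key enctypes of two caches service by service. The `klist -e` sample text, the `sol8box.example.com` service name and the `LEGACY_ETYPES` set are all constructed for the example; the exact enctype set a given Heimdal 0.7.2 build supports is not stated in the thread and must be checked on the host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of MIT `klist -e` output; not captured from
# any real host in the thread. The host/ ticket deliberately carries an AES
# session key next to an RC4 ticket, the kind of mismatch the thread discusses.
SAMPLE_KLIST_E = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: vadim@EXAMPLE.COM

Valid starting       Expires              Service principal
06/18/07 12:25:00  06/18/07 22:25:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/25/07 12:25:00
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
06/18/07 12:26:10  06/18/07 22:25:00  host/sol8box.example.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
"""

# A second constructed cache, standing in for credentials delegated from a
# Solaris 8 box, where the host/ ticket's session key is RC4 instead of AES.
SAMPLE_KLIST_E_OTHER = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: vadim@EXAMPLE.COM

Valid starting       Expires              Service principal
06/18/07 12:30:00  06/18/07 22:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
06/18/07 12:31:00  06/18/07 22:30:00  host/sol8box.example.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# Hypothetical enctype set for an older host; replace with what `klist -e`
# and the host's krb5 library actually report.
LEGACY_ETYPES: Set[str] = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# "<start date> <start time>  <expiry date> <expiry time>  <service principal>"
SERVICE_RE = re.compile(r"^(\d\S* \S+)\s+(\d\S* \S+)\s+(\S+@\S+)\s*$")
# "Etype (skey, tkt): <session key enctype>, <ticket enctype>"
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")


@dataclass
class Ticket:
    service: str
    session_key_etype: Optional[str] = None
    ticket_etype: Optional[str] = None


def parse_klist_e(text: str) -> List[Ticket]:
    """Turn MIT-style `klist -e` output into Ticket records."""
    tickets: List[Ticket] = []
    current: Optional[Ticket] = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = Ticket(service=m.group(3))
            tickets.append(current)
            continue
        m = ETYPE_RE.search(line)
        if m and current is not None:
            # The Etype line belongs to the most recent service line.
            current.session_key_etype = m.group(1).strip()
            current.ticket_etype = m.group(2).strip()
    return tickets


def unsupported_tickets(tickets: List[Ticket], supported: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (service, [offending enctypes]) for tickets a host could not use."""
    problems = []
    for t in tickets:
        bad = [e for e in (t.session_key_etype, t.ticket_etype) if e is not None and e not in supported]
        if bad:
            problems.append((t.service, bad))
    return problems


def diff_session_keys(text_a: str, text_b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per service, report session-key enctypes that differ between two caches."""
    keys_a = {t.service: t.session_key_etype for t in parse_klist_e(text_a)}
    keys_b = {t.service: t.session_key_etype for t in parse_klist_e(text_b)}
    return {
        svc: (keys_a.get(svc), keys_b.get(svc))
        for svc in sorted(set(keys_a) | set(keys_b))
        if keys_a.get(svc) != keys_b.get(svc)
    }


if __name__ == "__main__":
    for svc, bad in unsupported_tickets(parse_klist_e(SAMPLE_KLIST_E), LEGACY_ETYPES):
        print(f"{svc}: enctypes not in assumed host set: {', '.join(bad)}")
    for svc, (a, b) in diff_session_keys(SAMPLE_KLIST_E, SAMPLE_KLIST_E_OTHER).items():
        print(f"{svc}: session key {a} vs {b}")
```

Feed it the real `klist -e` output from each hop (the Solaris 10 client, the first Solaris 8 box, and the second one) and the host's actual supported enctype list; a ticket flagged by `unsupported_tickets`, or a service whose session-key enctype differs between the two delegation paths, narrows the "something went wrong with GSSAPI" failure to a concrete enctype mismatch rather than a guess.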