From: Chris Ridd on 24 Jan 2010 05:25

On 2010-01-24 10:14:28 +0000, Castor Nageur said:

> Hi all,
>
> I am trying to install a Kerberos server on a Solaris 10 computer as a
> standard user (I cannot be "root" on my computer because my company
> policy absolutely forbids it for security reasons).

Have you asked them to allocate a security role that would enable use of these privileged ports? You wouldn't need root then.

> Anyway, I have no choice but to run this server for my current work.
> Kerberos 5 servers are used to running on 88, 749, 750 and 464 system
> ports.
> If run as a standard user, these ports cannot be opened.
> Consequently, I changed my configuration in order to start the server on
> ports 58088, 58749, 58750, 58464 (these port values are allowed for
> standard users) and it worked successfully (logs OK + netstat OK).
>
> So my problem is:
>
> When I run the "kadmin" Kerberos command, I get some connection refused
> errors whereas everything should be OK.
> If I do a netstat, I can see that "kadmin" tries to connect on the standard
> Kerberos ports found in "/etc/services" which are 749 and 750 whereas all
> my Kerberos configuration is correctly set with no references to these
> values.

Are you sure you're editing the correct krb.conf files? Perhaps truss your kadmin command and see which ones it is opening.

--
Chris

From: Castor Nageur on 24 Jan 2010 06:54

Chris Ridd <chrisridd(a)mac.com> wrote in news:7s2lg1F57hU1(a)mid.individual.net:

> On 2010-01-24 10:14:28 +0000, Castor Nageur said:

> Have you asked them to allocate a security role that would enable use
> of these privileged ports? You wouldn't need root then.

Yes but they replied no.

> Are you sure you're editing the correct krb.conf files? Perhaps truss
> your kadmin command and see which ones it is opening.

Yes, I did.
My server is running the right files because it is listening on my ports. But I do not know why kadmin tries to connect on the default Kerberos ports.

From: Castor Nageur on 24 Jan 2010 06:56

Castor Nageur <castor.nageur(a)gmail.com> wrote in news:XnF9D0A835AAFB8ANageur(a)212.27.60.37:

> Chris Ridd <chrisridd(a)mac.com> wrote in
> news:7s2lg1F57hU1(a)mid.individual.net:
>
>> On 2010-01-24 10:14:28 +0000, Castor Nageur said:
>
>> Have you asked them to allocate a security role that would enable use
>> of these privileged ports? You wouldn't need root then.
>
> Yes but they replied no.
>
>> Are you sure you're editing the correct krb.conf files? Perhaps truss
>> your kadmin command and see which ones it is opening.
>
> Yes, I did.
> My server is running the right files because it is listening on my
> ports. But I do not know why kadmin tries to connect on the default
> Kerberos ports.

To complete my answer: truss on kadmin gives me the address of a string buffer containing the connection port.
Because I did not know how to find it except by debugging, I decided to run the command and do a netstat at the same time.
The netstat command told me that kadmin was trying the default ports where no Kerberos server runs and that's why it fails.

Do you know a way to override this?

From: Castor Nageur on 24 Jan 2010 07:16

Chris Ridd <chrisridd(a)mac.com> wrote in news:7s2lg1F57hU1(a)mid.individual.net:

> On 2010-01-24 10:14:28 +0000, Castor Nageur said:
>
>> Hi all,
>>
>> I am trying to install a Kerberos server on a Solaris 10 computer as
>> a standard user (I cannot be "root" on my computer because my
>> company policy absolutely forbids it for security reasons).
>
> Have you asked them to allocate a security role that would enable use
> of these privileged ports? You wouldn't need root then.
>
>> Anyway, I have no choice but to run this server for my current work.
>> Kerberos 5 servers are used to running on 88, 749, 750 and 464 system
>> ports.
>> If run as a standard user, these ports cannot be opened.
>> Consequently, I changed my configuration in order to start the server
>> on ports 58088, 58749, 58750, 58464 (these port values are allowed
>> for standard users) and it worked successfully (logs OK + netstat
>> OK).
>>
>> So my problem is:
>>
>> When I run the "kadmin" Kerberos command, I get some connection
>> refused errors whereas everything should be OK.
>> If I do a netstat, I can see that "kadmin" tries to connect on the
>> standard Kerberos ports found in "/etc/services" which are 749 and
>> 750 whereas all my Kerberos configuration is correctly set with no
>> references to these values.
>
> Are you sure you're editing the correct krb.conf files? Perhaps truss
> your kadmin command and see which ones it is opening.
>

I finally found it.
This is not an "/etc/services" issue but a Kerberos one.
The default ports are hard-coded in the osconf.h header of the Kerberos source and cannot be changed without rebuilding everything.
I rebuilt Kerberos and kadmin now connects to my local server.