It is a painful task. The document provided by MIT does not help at all.
We need to use the Solaris Security Services administration guide to get this working. Thanks to the Kerberos team at Sun.
The kdcmgr utility mentioned in the document is not available on Solaris 10 by default. For simplicity, use the same password in all steps to get this working.
The step-by-step procedure that I followed is documented below:
-----------------------------------------------------
bash-3.00# cat krb5.conf
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_keytab_name = /etc/krb5/kadm5.keytab
        default_realm = RED.IPLANET.COM
        default_tkt_enctypes = des-cbc-md5
        default_tgs_enctypes = des-cbc-md5
        kdc_timesync = 0
        kdc_default_options = 0x40000010
        clockskew = 300
        check_delegate = 0
        ccache_type = 3
        kdc_timeout = 60000
[realms]
        RED.IPLANET.COM = {
        kdc = avatar.red.iplanet.com:88
        admin_server = avatar.red.iplanet.com:749
        default_domain = red.iplanet.com
        }
[domain_realm]
        .red.iplanet.com = RED.IPLANET.COM
        red.iplanet.com = RED.IPLANET.COM
[appdefaults]
        pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        }
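Everything that follows depends on this krb5.conf, so here is an added Python example (not the page's own code and not part of Solaris) that parses the krb5.conf format, including the braced realm groups, and audits the result. KRB5_CONF is a trimmed copy of the file above ([logging] and [appdefaults] left out); parse_krb5_conf and audit_krb5_conf are mine, and so are the audit rules: single-DES and RC4 enctypes (deprecated by RFC 6649 and RFC 8429), a default_realm with no [realms] entry, a realm with no kdc line, and a clockskew above the 300-second default.

```python
# Added example: small krb5.conf reader plus audit; not from the page or Solaris.
import re

# Constructed sample: a trimmed copy of the krb5.conf shown on the page.
KRB5_CONF = """\
[libdefaults]
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_keytab_name = /etc/krb5/kadm5.keytab
        default_realm = RED.IPLANET.COM
        default_tkt_enctypes = des-cbc-md5
        default_tgs_enctypes = des-cbc-md5
        clockskew = 300
[realms]
        RED.IPLANET.COM = {
        kdc = avatar.red.iplanet.com:88
        admin_server = avatar.red.iplanet.com:749
        default_domain = red.iplanet.com
        }
[domain_realm]
        .red.iplanet.com = RED.IPLANET.COM
        red.iplanet.com = RED.IPLANET.COM
"""

# Single DES is deprecated by RFC 6649, RC4-HMAC by RFC 8429.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}. A 'name = { ... }' group becomes a nested
    dict, and a key repeated within one group (several kdc lines) becomes a list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif not stack:
            raise ValueError("setting outside any [section]: %r" % line)
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            elif key in stack[-1]:
                old = stack[-1][key]
                stack[-1][key] = old + [value] if isinstance(old, list) else [old, value]
            else:
                stack[-1][key] = value
    return conf


def audit_krb5_conf(conf):
    """Return a list of findings about weak or inconsistent settings."""
    findings, lib = [], conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for et in re.split(r"[\s,]+", lib.get(key, "")):
            if et.lower() in WEAK_ENCTYPES:
                findings.append("%s lists deprecated enctype %s" % (key, et))
    realm = lib.get("default_realm")
    if realm and realm not in conf.get("realms", {}):
        findings.append("default_realm %s has no [realms] entry" % realm)
    for name, settings in conf.get("realms", {}).items():
        if isinstance(settings, dict) and "kdc" not in settings:
            findings.append("realm %s has no kdc line" % name)
    if int(lib.get("clockskew", 300)) > 300:
        findings.append("clockskew above 300 s widens the replay window")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print("realm:", conf["libdefaults"]["default_realm"],
          "kdc:", conf["realms"]["RED.IPLANET.COM"]["kdc"])
    for finding in audit_krb5_conf(conf):
        print("FINDING:", finding)
```

On this file the audit reports only the two des-cbc-md5 defaults. Those two lines are why the AP-REQ in the WindowsDesktopSSO debug log further down carries a single-DES session key (authenticator etype 3) even though the keytab entries above already hold AES-128 keys; without them the client asks for the stronger types first.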
bash-3.00# cat kdc.conf
#
# Copyright 1998-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "@(#)kdc.conf   1.2     02/02/14 SMI"
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        RED.IPLANET.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
bash-3.00# cat kadm5.acl
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident   "@(#)kadm5.acl  1.1     01/03/19 SMI"
*/admin@RED.IPLANET.COM *
bash-3.00# ./kdb5_util create -s
Initializing database '/var/krb5/principal' for realm 'RED.IPLANET.COM',
master key name 'K/M@RED.IPLANET.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local:  addprinc kws/admin
WARNING: no policy specified for kws/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "kws/admin@RED.IPLANET.COM":
Re-enter password for principal "kws/admin@RED.IPLANET.COM":
Principal "kws/admin@RED.IPLANET.COM" created.
kadmin.local:  addprinc -randkey kiprop/avatar.red.iplanet.com
WARNING: no policy specified for kiprop/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "kiprop/avatar.red.iplanet.com@RED.IPLANET.COM" created.
kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kadmin/avatar.red.iplanet.com
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab changepw/avatar.red.iplanet.com
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab kiprop/avatar.red.iplanet.com
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:  quit
bash-3.00# svcadm enable -r network/security/krb5kdc
bash-3.00# svcadm enable -r network/security/kadmin
bash-3.00# /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
kadmin: Incorrect password while initializing kadmin interface
bash-3.00#
bash-3.00# cat /etc/resolv.conf
domain red.iplanet.com
search red.iplanet.com sfbay.sun.com sun.com
nameserver 129.145.155.55
nameserver 129.145.155.170
nameserver 192.18.120.21
nameserver 192.18.120.24
#nameserver 129.148.9.196
#nameserver 129.148.9.197
#nameserver 129.147.9.5
#nameserver 129.145.155.220
avatar# touch /var/log/kadmind.log /var/log/krb5kdc.log
> /var/log/krb5libs.log
> avatar# svcadm restart krb5kdc
> avatar# svcadm restart kadmin
> avatar# kadmin -p kws/admin
> Authenticating as principal kws/admin@RED.IPLANET.COM with password.
> Password for kws/admin@RED.IPLANET.COM:
> kadmin:  listprincs
> K/M@RED.IPLANET.COM
> changepw/avatar.red.iplanet.com@RED.IPLANET.COM
> kadmin/admin@RED.IPLANET.COM
> kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
> kadmin/changepw@RED.IPLANET.COM
> kadmin/history@RED.IPLANET.COM
> kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
> krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
> kws/admin@RED.IPLANET.COM
> kadmin:
bash-3.00# ./kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin:  addprinc -randkey host/avatar.red.iplanet.com
WARNING: no policy specified for host/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "host/avatar.red.iplanet.com@RED.IPLANET.COM" created.
kadmin:  addprinc clntconfig/admin
WARNING: no policy specified for clntconfig/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Re-enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Principal "clntconfig/admin@RED.IPLANET.COM" created.
kadmin: quit
bash-3.00# kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin:  ktadd host/avatar.red.iplanet.com
kadmin: Cannot write to specified key table while adding key to keytab
kadmin:  quit
bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local:  ktadd -k /etc/krb5/kadm5.keytab host/avatar.red.iplanet.com
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local:  quit
bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local:  listprincs
      1 K/M@RED.IPLANET.COM
      2 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
      3 clntconfig/admin@RED.IPLANET.COM
      4 host/avatar.red.iplanet.com@RED.IPLANET.COM
      5 kadmin/admin@RED.IPLANET.COM
      6 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
      7 kadmin/changepw@RED.IPLANET.COM
      8 kadmin/history@RED.IPLANET.COM
      9 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
     10 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
     11 kws/admin@RED.IPLANET.COM
kadmin.local:  quit
bash-3.00# svcs -a | grep secur
disabled       20:24:27 svc:/network/security/krb5_prop:default
online         20:24:27 svc:/network/security/ktkt_warn:default
online         10:15:30 svc:/network/security/krb5kdc:default
online         10:15:32 svc:/network/security/kadmin:default
************ Configuration on AM ******************
kadmin.local: addprinc root
kinit root
klist
kadmin.local: addprinc -randkey HTTP/avatar.red.iplanet.com
kadmin.local: ktadd -k /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
kinit -k -t /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
klist -k /opt/SUNWam/avatar.HTTP.keytab
mv /opt/SUNWam/avatar.HTTP.keytab /etc/opt/SUNWam/config/
Service Principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
Keytab File Name: /etc/opt/SUNWam/config/avatar.HTTP.keytab
Kerberos Realm: RED.IPLANET.COM
Kerberos Server Name: avatar.red.iplanet.com
Return Principal with Domain Name: Disabled
Authentication Level: 0
- Restart AM WebServer
The debug file amAuthWindowsDesktopSSO should show the following debug messages if auth succeeded:
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
**********************************************
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO params:
principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
keytab file: /etc/opt/SUNWam/config/avatar.HTTP.keytab
realm : RED.IPLANET.COM
kdc server: avatar.red.iplanet.com
domain principal: false
auth level: 0
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
Init WindowsDesktopSSO. This should not happen often.
04/18/2009 11:56:39:945 PM PDT: Thread[service-j2ee-3,5,main]
New Service Login ...
04/18/2009 11:56:40:586 PM PDT: Thread[service-j2ee-3,5,main]
Service login succeeded.
04/18/2009 11:56:40:704 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO token:
60 82 02 79 06 06 2b 06 01 05 05 02 a0 82 02 6d
30 82 02 69 a0 0d 30 0b 06 09 2a 86 48 86 f7 12
01 02 02 a1 04 03 02 01 02 a2 82 02 50 04 82 02
4c 60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02
01 00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1
03 02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01
4b 61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11
1b 0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f
4d a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04
48 54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64
2e 69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30
81 fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04
81 ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c
bb ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e
b8 8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8
29 db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02
4a ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d
2c 3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d
14 42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13
e4 18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c
a3 89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1
c5 dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be
f6 ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48
40 38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e
09 d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b
92 ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64
1b b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30
81 cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58
86 db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0
6b 4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27
ac 34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb
e5 7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc
76 d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16
89 17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a
2a a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51
5f f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a
1a 70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88
69 7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc
86 2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c
2c e7 66 89 99 ed 74 69 e8 a3 62 01 14
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
token tag:60
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO OID found in the Auth Token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: found init token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: 0x30 constructed token found
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
Kerberos token retrieved from SPNEGO token:
60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02 01
00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1 03
02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01 4b
61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11 1b
0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f 4d
a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04 48
54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64 2e
69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30 81
fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04 81
ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c bb
ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e b8
8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8 29
db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02 4a
ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d 2c
3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d 14
42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13 e4
18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c a3
89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1 c5
dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be f6
ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48 40
38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e 09
d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b 92
ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64 1b
b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30 81
cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58 86
db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0 6b
4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27 ac
34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb e5
7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc 76
d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16 89
17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a 2a
a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51 5f
f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a 1a
70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88 69
7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc 86
2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c 2c
e7 66 89 99 ed 74 69 e8 a3 62 01 14
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
In authenticationToken ...
04/18/2009 11:56:40:724 PM PDT: Thread[service-j2ee-3,5,main]
Context created.
04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Token returned from acceptSecContext:
04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Context establised !
04/18/2009 11:56:41:125 PM PDT: Thread[service-j2ee-3,5,main]
User authenticated: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
04/18/2009 11:56:41:127 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO authentication succeeded.
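To show what that debug dump actually contains, here is an added Python example (not the page's code and not Access Manager's) that walks the DER structure of the SPNEGO token above: the NegTokenInit with its single Kerberos mechType, the mechToken, which is the KRB_AP_REQ the log prints as "Kerberos token retrieved from SPNEGO token", and inside it the plaintext ticket header (realm, service name, kvno, enctype) and the authenticator's enctype. Nothing is decrypted, so the client name, which sits in the encrypted parts, is not recovered; the "User authenticated" line in the log comes from the decrypted authenticator, and it names the HTTP principal itself because the kinit earlier in the AM section ran as that principal. The token bytes are copied from the log; the function names, the RFC references and the deprecated-enctype set are mine.

```python
# Added example: decode the SPNEGO NegTokenInit dumped in the debug log above.
# Only the DER framing is read (RFC 4178 SPNEGO; RFC 4120 AP-REQ and Ticket).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED_ETYPES = {1, 2, 3, 23}   # IANA numbers: single DES (RFC 6649) and RC4-HMAC (RFC 8429)

# The 637 token bytes exactly as the amAuthWindowsDesktopSSO log above dumps them.
SPNEGO_TOKEN = bytes.fromhex("""
60 82 02 79 06 06 2b 06 01 05 05 02 a0 82 02 6d 30 82 02 69 a0 0d 30 0b 06 09 2a 86 48 86 f7 12 01 02 02 a1 04 03 02 01 02 a2 82 02 50 04 82 02
4c 60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01
4b 61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11 1b 0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f 4d a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04
48 54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64 2e 69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30 81 fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04
81 ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c bb ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e b8 8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8
29 db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02 4a ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d 2c 3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d
14 42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13 e4 18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c a3 89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1
c5 dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be f6 ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48 40 38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e
09 d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b 92 ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64 1b b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30
81 cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58 86 db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0 6b 4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27
ac 34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb e5 7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc 76 d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16
89 17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a 2a a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51 5f f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a
1a 70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88 69 7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc 86 2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c
2c e7 66 89 99 ed 74 69 e8 a3 62 01 14
""")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length %d overruns the buffer" % length)
    return tag, buf[pos:pos + length], pos + length

def elements(buf):
    """Yield (tag, value) for each child of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def ctx_int(value):
    """INTEGER inside a [n] EXPLICIT tag: the field a0 03 02 01 05 -> 5."""
    return int.from_bytes(read_tlv(value)[1], "big", signed=True)

def encrypted_data(value):
    """RFC 4120 EncryptedData -> (etype, kvno or None, cipher length)."""
    f = dict(elements(read_tlv(value)[1]))
    kvno = ctx_int(f[0xA1]) if 0xA1 in f else None
    return ctx_int(f[0xA0]), kvno, len(read_tlv(f[0xA2])[1])

def parse_spnego_init(token):
    """Return (mechTypes as dotted OIDs, raw mechToken) of a NegTokenInit."""
    tag, body, _ = read_tlv(token)
    (_, oid), (neg_tag, neg) = list(elements(body))
    if tag != 0x60 or decode_oid(oid) != SPNEGO_OID or neg_tag != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    f = dict(elements(read_tlv(neg)[1]))             # the NegTokenInit SEQUENCE
    mech_types = [decode_oid(v) for _, v in elements(read_tlv(f[0xA0])[1])]
    return mech_types, read_tlv(f[0xA2])[1]         # [2] mechToken OCTET STRING

def parse_ap_req(mech_token):
    """Summarise the Kerberos KRB_AP_REQ carried as the SPNEGO mechToken."""
    tag, body, _ = read_tlv(mech_token)
    _, oid, pos = read_tlv(body)
    if tag != 0x60 or decode_oid(oid) != KRB5_OID or body[pos:pos + 2] != b"\x01\x00":
        raise ValueError("not a Kerberos V5 KRB_AP_REQ token")
    ap_tag, ap_req, _ = read_tlv(body, pos + 2)
    if ap_tag != 0x6E:                                # [APPLICATION 14] AP-REQ
        raise ValueError("unexpected AP-REQ tag 0x%02x" % ap_tag)
    ap = dict(elements(read_tlv(ap_req)[1]))
    tkt = dict(elements(read_tlv(read_tlv(ap[0xA3])[1])[1]))  # [3] -> [APPLICATION 1] -> SEQUENCE
    name = dict(elements(read_tlv(tkt[0xA2])[1]))              # sname PrincipalName
    parts = [v.decode("ascii") for _, v in elements(read_tlv(name[0xA1])[1])]
    tkt_etype, tkt_kvno, _ = encrypted_data(tkt[0xA3])
    auth_etype, _, _ = encrypted_data(ap[0xA4])      # session-key enctype; cname is inside
    return {"pvno": ctx_int(ap[0xA0]), "msg_type": ctx_int(ap[0xA1]),
            "realm": read_tlv(tkt[0xA1])[1].decode("ascii"), "sname": "/".join(parts),
            "ticket_etype": tkt_etype, "ticket_kvno": tkt_kvno, "authenticator_etype": auth_etype}

def weak_enctypes(summary):
    """Names of deprecated enctypes negotiated in this exchange."""
    seen = {summary["ticket_etype"], summary["authenticator_etype"]} & DEPRECATED_ETYPES
    return sorted(ETYPE_NAMES.get(e, str(e)) for e in seen)

if __name__ == "__main__":
    summary = parse_ap_req(parse_spnego_init(SPNEGO_TOKEN)[1])
    print(summary, "deprecated enctypes on the wire:", weak_enctypes(summary))
```

On this token the parser reports pvno 5, msg-type 14 (AP-REQ), realm RED.IPLANET.COM, sname HTTP/avatar.red.iplanet.com (name-type 3), a ticket encrypted with etype 17 (aes128-cts-hmac-sha1-96) under kvno 5, and an authenticator encrypted with etype 3 (des-cbc-md5). The ticket itself uses the AES-128 key from the keytab, but the session key the client and server share is single DES, which follows directly from the des-cbc-md5 defaults in the krb5.conf at the top of the post; the enctypes visible in this header are worth checking in any SPNEGO troubleshooting log before looking at anything else.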
***********************************************************************
bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal HTTP/admin@RED.IPLANET.COM with password.
kadmin.local:  listprincs
      1 HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
      2 K/M@RED.IPLANET.COM
      3 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
      4 clntconfig/admin@RED.IPLANET.COM
      5 demo1@RED.IPLANET.COM
      6 demouser1@RED.IPLANET.COM
      7 host/avatar.red.iplanet.com@RED.IPLANET.COM
      8 kadmin/admin@RED.IPLANET.COM
      9 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
     10 kadmin/changepw@RED.IPLANET.COM
     11 kadmin/history@RED.IPLANET.COM
     12 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
     13 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
     14 kws/admin@RED.IPLANET.COM
     15 root@RED.IPLANET.COM
kadmin.local: