JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

Kerberos Error Messages

SEAM Tool Error Messages

Common Kerberos Error Messages (A-M)

Common Kerberos Error Messages (N-Z)

Kerberos Troubleshooting

How to Identify Problems With Key Version Numbers

Problems With the Format of the krb5.conf File

Problems Propagating the Kerberos Database

Problems Mounting a Kerberized NFS File System

Problems Authenticating as the root User

Observing Mapping From GSS Credentials to UNIX Credentials

Using DTrace With the Kerberos Service

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)



Using DTrace With the Kerberos Service

The Kerberos mechanism supports various DTrace probes for decoding various protocol messages. The probes include KRB_AP_*, KRB_KDC_*, KRB_CRED, KRB_ERROR, KRB_PRIV, KRB_SAFE, and general messaging information. This has the distinct advantage over other protocol inspectors, by allowing the privileged user to easily look at unencrypted Kerberos and application data.

The following example shows what pre-authentication is chosen by the client. The first step is to create a DTrace script, like the following:

cat krbtrace.d
    printf("<- krb message recved: %s\n", args[0]->krb_message_type);
    printf("<- krb message remote addr: %s\n", args[1]->kconn_remote);
    printf("<- krb message ports: local %d remote %d\n",
            args[1]->kconn_localport, args[1]->kconn_remoteport);
    printf("<- krb message protocol: %s transport: %s\n",
            args[1]->kconn_protocol, args[1]->kconn_type);

    printf("-> krb message sent: %s\n", args[0]->krb_message_type);
    printf("-> krb message remote addr: %s\n", args[1]->kconn_remote);
    printf("-> krb message ports: local %d remote %d\n",
            args[1]->kconn_localport, args[1]->kconn_remoteport);
    printf("-> krb message protocol: %s transport: %s\n",
            args[1]->kconn_protocol, args[1]->kconn_type);

    printf("-> krb kdc_req make msg type: %s\n", args[0]->krb_message_type);
    printf("-> krb kdc_req make pre-auths: %s\n", args[1]->kdcreq_padata_types);
    printf("-> krb kdc_req make auth data: %s\n", args[1]->kdcreq_authorization_data);
    printf("-> krb kdc_req make client: %s server: %s\n", args[1]->kdcreq_client,
           args[1]->kdcreq_server );

    /* printf("<- krb kdc_req msg type: %s\n", args[0]->krb_message_type); */
    printf("<- krb kdc_req client: %s server: %s\n", args[1]->kdcreq_client,
           args[1]->kdcreq_server );

    /* printf("<- krb kdc_rep msg type: %s\n", args[0]->krb_message_type); */
    printf("<- krb kdc_rep client: %s server: %s\n", args[1]->kdcrep_client,
           args[1]->kdcrep_enc_server );

    printf("-> krb ap_req make server: %s client: %s\n", args[2]->kticket_server,
           args[2]->kticket_enc_client );

    printf("<- krb error code: %s\n", args[1]->kerror_error_code);
    printf("<- krb error client: %s server: %s\n", args[1]->kerror_client,
    printf("<- krb error e-text: %s\n", args[1]->kerror_e_text);

Next, execute the krbtrace.d script as a privileged user on the Kerberos system by typing the following command:

# LD_BIND_NOW=1 dtrace -qs krbtrace.d -c "kinit -k"
-> krb kdc_req make pre-auths: FX_COOKIE(133) ENC_TIMESTAMP(2) REQ_ENC_PA_REP(149)

The pre-authentication types are displayed in the output. For more information about the various pre-authentication types see RFC 4120.