I have two servers: one CentOS 5.8 & one Solaris 10. Both are joined to my workplace AD domain via PBIS-Open. A user will log into the linux server & run an application which issues commands over RSH to the solaris server. Some commands are also run on the linux server, so both are needed. Due to the application these servers are being used for (proprietary GE software), the software on the linux server needs to be able to issue rsh
commands to the solaris server on behalf of the user (the user just runs a script & the rest is automatic).
However, rsh is not working for the domain users. It does work for a local user, so I believe I have the necessary trust settings between the two servers correct. However, I can rlogin
as a domain user from the linux server to the solaris server. SSH works too (how I wish I could use it).
Some relevant info:
via rlogin:
[user@linux~]$ rlogin solaris
connect to address 192.168.1.2 port 543: Connection refused
Trying krb4 rlogin...
connect to address 192.168.1.2 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
solaris%
via rsh:
[user@linux ~]$ rsh solaris ls
connect to address 192.168.1.2 port 544: Connection refused
Trying krb4 rsh...
connect to address 192.168.1.2 port 544: Connection refused
trying normal rsh (/usr/bin/rsh)
permission denied.
[user@linux ~]$
relevant snippet from /etc/pam.conf on solaris:
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_lsass.so set_default_repository
rlogin auth requisite pam_lsass.so smartcard_prompt try_first_pass
rlogin auth requisite pam_authtok_get.so.1 try_first_pass
rlogin auth sufficient pam_lsass.so try_first_pass
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
I have not really seen anything useful in either system log that seem to be directly related to the failed login attempt. I've tail -f
'd /var/adm/messages
on solaris & /var/log/messages
on linux during the failed attempts & nothing shows up. Maybe I need to be doing something else?
I understand your pain with
rsh
. Our software at work connects to a database system using a terminal client over telnet (and it needs telnet as it has a specific terminal emulator and client software). The world is full of this sort of (stupid) thing.However, if all your app needs to do is run commands then you may be able to get away with
ssh
(with automatic login with keys). So with your examples,ssh solaris ls
will return to the user on the Linux machine, the result of runningls
on the home dir on the Solaris machine. I assume this is all you're trying to accomplish with rsh.