0

I have two servers: one CentOS 5.8 & one Solaris 10. Both are joined to my workplace AD domain via PBIS-Open. A user will log into the linux server & run an application which issues commands over RSH to the solaris server. Some commands are also run on the linux server, so both are needed. Due to the application these servers are being used for (proprietary GE software), the software on the linux server needs to be able to issue rsh commands to the solaris server on behalf of the user (the user just runs a script & the rest is automatic).

However, rsh is not working for the domain users. It does work for a local user, so I believe I have the necessary trust settings between the two servers correct. However, I can rlogin as a domain user from the linux server to the solaris server. SSH works too (how I wish I could use it).

Some relevant info:

via rlogin:

[user@linux~]$ rlogin solaris
connect to address 192.168.1.2 port 543: Connection refused
Trying krb4 rlogin...
connect to address 192.168.1.2 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Sun Microsystems Inc.    SunOS 5.10    Generic    January 2005
solaris%

via rsh:

[user@linux ~]$ rsh solaris ls
connect to address 192.168.1.2 port 544: Connection refused
Trying krb4 rsh...
connect to address 192.168.1.2 port 544: Connection refused
trying normal rsh (/usr/bin/rsh)
permission denied.
[user@linux ~]$ 

relevant snippet from /etc/pam.conf on solaris:

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_lsass.so            set_default_repository
rlogin  auth requisite          pam_lsass.so            smartcard_prompt                try_first_pass
rlogin  auth requisite          pam_authtok_get.so.1            try_first_pass
rlogin  auth sufficient         pam_lsass.so            try_first_pass
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
# 

I have not really seen anything useful in either system log that seem to be directly related to the failed login attempt. I've tail -f'd /var/adm/messages on solaris & /var/log/messages on linux during the failed attempts & nothing shows up. Maybe I need to be doing something else?

churnd
  • 3,977
  • 5
  • 33
  • 41
  • 2
    `rm /usr/bin/rsh ; ln -s /usr/bin/ssh /usr/bin/rsh ; happy admin` – Kyle Smith Mar 29 '12 at 11:20
  • 1
    rsh? KILL IT WITH FIRE! BEAT THE DEAD HORSE! Wouldn't it be time to consider `ssh`? Last time I checked my calendar it was 2012 ... – Janne Pikkarainen Mar 29 '12 at 11:28
  • I really wish I could. This legacy app from GE requires it. Is there any truth behind symlinking ssh to rsh or is that a joke? – churnd Mar 29 '12 at 12:30
  • 1
    It's only sort of a joke. You could probably get away with writing a wrapper for ssh and calling it rsh. :) – Kyle Smith Mar 29 '12 at 17:47
  • Hold the phone... moving `/usr/bin/rsh` to `/usr/bin/rsh_old` then symlinking `/usr/bin/ssh` to `/usr/bin/rsh` actually seems to be working... – churnd Mar 29 '12 at 19:03

1 Answers1

1

I understand your pain with rsh. Our software at work connects to a database system using a terminal client over telnet (and it needs telnet as it has a specific terminal emulator and client software). The world is full of this sort of (stupid) thing.

However, if all your app needs to do is run commands then you may be able to get away with ssh (with automatic login with keys). So with your examples, ssh solaris ls will return to the user on the Linux machine, the result of running ls on the home dir on the Solaris machine. I assume this is all you're trying to accomplish with rsh.

webtoe
  • 1,946
  • 11
  • 12
  • FINALLY!! Someone who understands! I can't change the commands being issued, they're hardwired into the program's binary executables. As a test, yes `rsh solaris ls` should work. I don't know which commands are actually being issued. It doesn't matter because other people have to use this & they're not going to want to use it in any way other than how it was designed. – churnd Mar 29 '12 at 17:24
  • As you are using the Active Directory thingy, could it be possible that you need to specify the username to login as? Something along the lines of `rsh -l 'EXAMPLEDOMAIN\user' solaris ls`. Otherwise it will use the username you're logged in as (which may only be being picked up as `user` by rsh). I assume you have the AD plugin thing installed on the Solaris box. – webtoe Mar 29 '12 at 18:33
  • The default domain is already assumed, so using `user` by itself works fine. Yes, both boxes are AD clients. – churnd Mar 29 '12 at 18:43
  • Ah, my quick skim of the docs [here](http://www.beyondtrust.com/Technical-Support/Downloads/files/pbiso/Manuals/likewise-open-guide.html#idp4619232) implied to me you still needed it. Have you tried the troubleshooting tips in Chapter 5 of that doc? I'm out of helpful suggestions I'm afraid as I haven't used PBIS myself (though looks great; thanks for pointing it out!) – webtoe Mar 29 '12 at 18:59