RSH between servers not working

I have two servers: one CentOS 5.8 & one Solaris 10. Both are joined to my workplace AD domain via PBIS-Open. A user will log into the linux server & run an application which issues commands over RSH to the solaris server. Some commands are also run on the linux server, so both are needed. Due to the application these servers are being used for (proprietary GE software), the software on the linux server needs to be able to issue rsh commands to the solaris server on behalf of the user (the user just runs a script & the rest is automatic).

However, rsh is not working for the domain users. It does work for a local user, so I believe I have the necessary trust settings between the two servers correct. However, I can rlogin as a domain user from the linux server to the solaris server. SSH works too (how I wish I could use it).

Some relevant info:

via rlogin:

[user@linux~]$ rlogin solaris
connect to address 192.168.1.2 port 543: Connection refused
Trying krb4 rlogin...
connect to address 192.168.1.2 port 543: Connection refused
trying normal rlogin (/usr/bin/rlogin)
Sun Microsystems Inc.    SunOS 5.10    Generic    January 2005
solaris%

via rsh:

[user@linux ~]$ rsh solaris ls
connect to address 192.168.1.2 port 544: Connection refused
Trying krb4 rsh...
connect to address 192.168.1.2 port 544: Connection refused
trying normal rsh (/usr/bin/rsh)
permission denied.
[user@linux ~]$ 

relevant snippet from /etc/pam.conf on solaris:

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_lsass.so            set_default_repository
rlogin  auth requisite          pam_lsass.so            smartcard_prompt                try_first_pass
rlogin  auth requisite          pam_authtok_get.so.1            try_first_pass
rlogin  auth sufficient         pam_lsass.so            try_first_pass
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
# 

I have not really seen anything useful in either system log that seem to be directly related to the failed login attempt. I've tail -f'd /var/adm/messages on solaris & /var/log/messages on linux during the failed attempts & nothing shows up. Maybe I need to be doing something else?

FINALLY!! Someone who understands! I can't change the commands being issued, they're hardwired into the program's binary executables. As a test, yes rsh solaris ls should work. I don't know which commands are actually being issued. It doesn't matter because other people have to use this & they're not going to want to use it in any way other than how it was designed.

As you are using the Active Directory thingy, could it be possible that you need to specify the username to login as? Something along the lines of rsh -l 'EXAMPLEDOMAIN\user' solaris ls. Otherwise it will use the username you're logged in as (which may only be being picked up as user by rsh). I assume you have the AD plugin thing installed on the Solaris box.

The default domain is already assumed, so using user by itself works fine. Yes, both boxes are AD clients.

Ah, my quick skim of the docs here implied to me you still needed it. Have you tried the troubleshooting tips in Chapter 5 of that doc? I'm out of helpful suggestions I'm afraid as I haven't used PBIS myself (though looks great; thanks for pointing it out!)