More Solaris 9 questions

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Aug 7 12:12:03 EDT 2002


Kerberos in Solaris 9 does not yet support 3-DES; use DES (cbc-md5 or cbc-crc)
keys for the Solaris host.

-Wyllys

Joe Sunday wrote:
> I've got a Solaris 9 client trying to authenticate against a NetBSD/Alpha
> kdc running MIT 1.2.5.
> 
> I've created a host entry for the Solaris 9 host and dumped it to a keytab
> file with ktadd, then scp'd that file over to the Solaris box to
> /etc/krb5/krb5.keytab.
> 
> Now when I try to telnet to the box, I get this:
> 
> login: username
> Password:
> PAM-KRB5 (auth): Error verifying TGT with host/foo.realm at REALM: Program
> lacks support for encryption type
> 
> Here's the host and user principals (Machine names munged):
> 
> kadmin:  getprinc host/foo.realm
> Principal: host/foo.realm at REALM
> Expiration date: [never]
> Last password change: Wed Aug 07 10:58:50 EDT 2002
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Wed Aug 07 10:58:50 EDT 2002 (user/admin at REALM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 3, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
> 
> kadmin:  getprinc sunday
> Principal: username at REALM
> Expiration date: [never]
> Last password change: Wed Aug 07 10:36:31 EDT 2002
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Wed Aug 07 10:36:31 EDT 2002 (user/admin at REALM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
> 
> And here's the log from the kdc
> Aug  7 11:15:08 kerberos krb5kdc[11542]: AS_REQ (2 etypes {3 1})
> 129.21.60.192(88): ISSUE: authtime 1028733308, etypes {rep=3 tkt=1 ses=1},
> username at REALM for krbtgt/REALM at REALM
> Aug  7 11:15:08 kerberos krb5kdc[11542]: TGS_REQ (2 etypes {3 1})
> 129.21.60.192(88): ISSUE: authtime 1028733308, etypes {rep=1 tkt=16 ses=1},
> username at REALM for host/foo.realm at REALM
> 
> Can anyone tell me what I need to do now?
> Thanks,
> --Joe





