More Solaris 9 questions

Will Fiveash william.fiveash at sun.com
Wed Aug 7 12:58:32 EDT 2002


On Wed, Aug 07, 2002 at 12:12:03PM -0400, Wyllys Ingersoll wrote:
> 
> Kerberos in Solaris 9 does not yet support 3-DES, use DES (cbc-md5 or
> cbc-crc) keys for the Solaris host.

To be more explicit, when creating the keytab for the Solaris host
use: ktadd -e des-cbc-crc:normal host/foo.realm
when running kadmin.local on the NetBSD box.

This should create a keytab entry for host/foo.realm with only the DES
cbc mode with CRC-32, no salt keytype which should be compat with
Solaris (at this point in time).  Later, when Solaris does support
3DES, you can create a keytab with the 3DES key (so you don't have to
modify your host principal entry in the principal db).

Regards,
Will Fiveash

> -Wyllys
> 
> Joe Sunday wrote:
> >I've got a Solaris 9 client trying to authenticate against a NetBSD/Alpha
> >kdc running MIT 1.2.5.
> >
> >I've created a host entry for the Solaris 9 host and dumped it to a keytab
> >file with ktadd, then scp'd that file
> >over to the Solaris box to /etc/krb5/krb5.keytab
> >
> >Now when I try to telnet to the box, I get this:
> >
> >login: username
> >Password:
> >PAM-KRB5 (auth): Error verifying TGT with host/foo.realm at REALM: Program
> >lacks support for encryption type
> >
> >Here's the host and user principals (Machine names munged):
> >
> >kadmin:  getprinc host/foo.realm
> >Principal: host/foo.realm at REALM
> >Expiration date: [never]
> >Last password change: Wed Aug 07 10:58:50 EDT 2002
> >Password expiration date: [none]
> >Maximum ticket life: 0 days 10:00:00
> >Maximum renewable life: 7 days 00:00:00
> >Last modified: Wed Aug 07 10:58:50 EDT 2002 (user/admin at REALM)
> >Last successful authentication: [never]
> >Last failed authentication: [never]
> >Failed password attempts: 0
> >Number of keys: 2
> >Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
> >Key: vno 3, DES cbc mode with CRC-32, no salt
> >Attributes:
> >Policy: [none]
> >
> >kadmin:  getprinc sunday
> >Principal: username at REALM
> >Expiration date: [never]
> >Last password change: Wed Aug 07 10:36:31 EDT 2002
> >Password expiration date: [none]
> >Maximum ticket life: 0 days 10:00:00
> >Maximum renewable life: 7 days 00:00:00
> >Last modified: Wed Aug 07 10:36:31 EDT 2002 (user/admin at REALM)
> >Last successful authentication: [never]
> >Last failed authentication: [never]
> >Failed password attempts: 0
> >Number of keys: 2
> >Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> >Key: vno 1, DES cbc mode with CRC-32, no salt
> >Attributes:
> >Policy: [none]
> >
> >And here's the log from the kdc
> >Aug  7 11:15:08 kerberos krb5kdc[11542]: AS_REQ (2 etypes {3 1})
> >129.21.60.192(88): ISSUE: authtime 1028733308, etypes {rep=3 tkt=1 ses=1},
> >username at REALM for krbtgt/REALM at REALM
> >Aug  7 11:15:08 kerberos krb5kdc[11542]: TGS_REQ (2 etypes {3 1})
> >129.21.60.192(88): ISSUE: authtime 1028733308, etypes {rep=1 tkt=16 ses=1},
> >username at REALM for host/foo.realm at REALM
> >
> >Can anyone tell me what I need to do now?
> >Thanks,
> >--Joe
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
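
The KDC log quoted above already shows the mismatch: the TGS_REQ entry issued the host ticket with tkt=16 (des3-cbc-sha1), which the Solaris 9 host cannot decrypt. The following Python sketch is an added example, not part of the original thread. It scans krb5kdc ISSUE lines for service tickets whose enctype falls outside what a host supports; the function name, the `HOST_SUPPORTED` set and the regular expression are assumptions based on the log format shown in the post.

```python
import re

# Kerberos enctype numbers that appear in the log quoted in the thread.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}

# Assumption taken from the thread: the Solaris 9 host accepts only single DES.
HOST_SUPPORTED = {1, 3}

# The two KDC log entries from the post, with the mail line wraps joined.
SAMPLE_LOG = """\
Aug  7 11:15:08 kerberos krb5kdc[11542]: AS_REQ (2 etypes {3 1}) 129.21.60.192(88): ISSUE: authtime 1028733308, etypes {rep=3 tkt=1 ses=1}, username at REALM for krbtgt/REALM at REALM
Aug  7 11:15:08 kerberos krb5kdc[11542]: TGS_REQ (2 etypes {3 1}) 129.21.60.192(88): ISSUE: authtime 1028733308, etypes {rep=1 tkt=16 ses=1}, username at REALM for host/foo.realm at REALM
"""

# Matches an ISSUE line: request type, client-offered etypes, chosen etypes,
# then "client for service" (the archive renders "@" as " at ").
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]+)\}\).*?"
    r"ISSUE:.*?etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+ at \S+) for (?P<service>\S+ at \S+)"
)

def find_undecryptable_tickets(log_text, service_prefix="host/",
                               supported=HOST_SUPPORTED):
    """Return one finding per issued service ticket whose tkt= enctype (the
    service key used to encrypt the ticket) is not in `supported`."""
    findings = []
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if not m or not m["service"].startswith(service_prefix):
            continue  # not an ISSUE line, or not a service we are checking
        tkt = int(m["tkt"])
        if tkt not in supported:
            findings.append({
                "service": m["service"],
                "client": m["client"],
                "ticket_etype": tkt,
                "ticket_etype_name": ETYPE_NAMES.get(tkt, "unknown"),
                "client_offered": [int(e) for e in m["offered"].split()],
            })
    return findings

if __name__ == "__main__":
    for f in find_undecryptable_tickets(SAMPLE_LOG):
        print("{service}: ticket etype {ticket_etype} ({ticket_etype_name}) "
              "is not supported by the host".format(**f))
```
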


