Operating Systems & Kerberos

Phil Hirsch pdh at us.ibm.com
Fri Feb 14 08:55:37 EST 2003


> We were unable to get Solaris 2.9 clients to authenticate with our MIT
> kerberos server.

I don't know if this is relevant, but you have to do a couple of
extra things in order to configure a Sun SEAM client into a realm
that's served by an IBM Network Authentication Service KDC... maybe
these steps apply to SEAM clients that want to work with other types
of KDC's as well. (Network Authentication Service is IBM's Kerberos
implementation, and SEAM is Sun's implementation.)

First, Sun's docs say that if you're using a non-Sun KDC, then you
must add a line like "kpasswd_protocol = SET_CHANGE" to the "realms"
stanza of the client's krb5.conf.

Second, IBM's docs say that if you want to configure a Sun SEAM client
into a realm that's served by an IBM KDC, you must move the des3 entries
to the ends of the lists in krb5.conf and kdc.conf on the server. If you
don't do this, then the client's attempts to authenticate will result in
preauthentication failures. Now, IBM's KDC understands des3, but evidently
Sun's SEAM client does not. I suspect that the preauth failures may be
related to the following from MIT's known-bugs list:

  ETYPE_INFO preauthentication data returned from the KDC are not sorted
  in the order requested by the client. This may result in
  preauthentication failure when encrypted timestamp preauthentication
  is required but the client doesn't understand some of the enctypes of
  the keys stored for it in the database.

After doing this, I was able to configure a Solaris 9 SEAM client into a
realm that's served by an IBM Network Authentication Service KDC.
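As an added illustration, not part of Phil's message and not taken from the Sun or IBM documentation, here is what the two changes look like written out in krb5.conf / kdc.conf syntax. The realm name EXAMPLE.COM, the host kdc.example.com and the exact enctype lists are assumptions; the kdc.conf fragment assumes the IBM KDC accepts MIT-style `supported_enctypes` lines, which should be checked against the IBM docs for the release in use.

```ini
# --- krb5.conf on the Solaris 9 SEAM client (assumed realm and hosts) ---
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
        # Sun's docs: required when the KDC is not a Sun (SEAM) KDC
        kpasswd_protocol = SET_CHANGE
    }

# --- krb5.conf on the IBM Network Authentication Service KDC ---
[libdefaults]
    default_realm = EXAMPLE.COM
    # Before (fails with preauth errors from the SEAM client): des3 first
    # default_tkt_enctypes = des3-cbc-sha1 des-cbc-crc des-cbc-md5
    # default_tgs_enctypes = des3-cbc-sha1 des-cbc-crc des-cbc-md5
    # After: des3 entries moved to the end of each list
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 des3-cbc-sha1
    default_tgs_enctypes = des-cbc-crc des-cbc-md5 des3-cbc-sha1

# --- kdc.conf on the IBM KDC (assumed MIT-compatible syntax) ---
[realms]
    EXAMPLE.COM = {
        # des3 key type moved to the end so single-DES keys come first
        # in ETYPE_INFO; principals keyed before the change would need
        # re-keying for the new order to apply to their stored keys
        supported_enctypes = des-cbc-crc:normal des-cbc-md5:normal des3-cbc-sha1:normal
    }
```

The point of the ordering is only that the enctypes the client understands come first; the specific single-DES names above are what a 2003-era SEAM client would typically accept and are illustrative, not a recommendation.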

