setup kerberos client

[Henry B. Hotz]

On Apr 12, 2004, at 5:12 PM, kerberos-request at mit.edu wrote:
> Date: 12 Apr 2004 14:36:33 -0700
> From: wyl_lyf at yahoo.com (melissa_benkyo)
> To: kerberos at MIT.EDU
> Subject: setup kerberos client
> Message-ID: <304f3217.0404121336.5f9d0b67 at posting.google.com>
> Precedence: list
> Message: 5
>
> Hello all,
>
> its me againnn. :D
> I'm having trouble setting up a kerberos client on solaris 8. I'm
> running a kdc on a linux machine. and I want to use gss-server on the
> linux machine and run gss-client on the solaris machine. is this
> possible?
>
> steps that I did:
> 1) add_principal host/<solaris_machine_name>@<REALM.COM>
> 2) ktadd -k /etc/krb5.keytab host/<solaris_machine_name>@<REALM.COM>
> 3) ktadd -k </tmp/host.keytab> host/<solaris_machine_name>@<REALM.COM>
> [to the same thing for sample1/<solaris_machine_name>@REALM.COM>
> 4) ftp the host.keytab and sample1.keytab to the solaris machine
> 5) gss-server -port 44444 -verbose sample1
> output:
> GSS-API error acquiring credentials: Miscellaneous failure
> GSS-API error acquiring credentials: No principal in keytab matches
> desired name
> But if I use the sample/<linux_macine>
> output:
> GSS-API error acquiring credentials: Wrong rpincipal
>
> solaris client side
> 6) kinit <kerberos user> (OK!)
> 7) gss-client -port 44444 sample "hello world"
>
> can someone please tell me what I did wrong?
>
> thanks!

The solaris server error message is what you get if it can't use the  
keytab.  Solaris 8 only supports DES-CBC-CRC and DES-CBC-MD5.

1) Make sure those are the only encryption types for the server  
principal in on the KDC.

2) Re-create the keytab, making sure the kvno as well as the encryption  
types match.

I expect the client error is a result of the server error.
------------------------------------------------------------------------ 
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu