MIT Kerberos and Solaris 10 Kerberos
Heilke, Rainer
Rainer.Heilke at atcoitek.com
Tue Jan 11 14:19:00 EST 2005
> > Can we force the Sol10 box to only use DES, to be compatible with the
> > Sol8/MIT systems (which is everything but the one Sol10 box)?
>
> If you are using MIT Kerberos on the Solaris 8 systems (including
> pam_krb5 made for MIT, not the one that comes with SEAM), then
> you should not worry about the enctypes because MIT already
> supports all of the enctypes that S10 supports.
>
> The only time you need to worry about enctypes is when you
> are using pre-S10 systems with SEAM apps. In that situation,
> ONLY the pre-Solaris 10 systems need to have the DES keys;
> it is perfectly acceptable for the S10 systems to have AES
> and S8/S9 to have DES. This should not affect interop if
> your keytabs are correctly populated on the pre-S10 boxes.
Excellent, thanks. That makes life significantly easier.
> > earlier comments,
> > they already are DES; is that correct?
> >
>
> Not necessarily. If your S8 systems are MIT, then you don't
> really need to worry much about the enctype support because
> MIT has support for all enctypes (DES through AES-256).
Right, as per your comments above. :-)
> If you use a 3rd party pam_krb5 library that links with MIT
> Kerberos, then you should not have any enctype issues on
> Solaris 8.
We aren't using any Sol8 SEAM (all MIT, except for the new Sol10 box),
using the MIT libs.
> You may be seeing problems on your S8 systems because
> you have a mixture of MIT Kerberos apps (with full enctype
> support) and S8/SEAM Kerberos apps (which only support DES).
We're only having problems talking to the Sol10 box (and back). I
suspect your other comments about the service being the issue. The only
"odd" box is a Linux critter, but since it uses the MIT distro as well,
I suspect that issue will get resolved at the same time.
Rainer
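
The quoted reply's point that only DES-only SEAM hosts need DES keys in their keytabs can be checked by reading a keytab's entries directly. The following is an added example, not part of the original message: a minimal reader for the MIT keytab file format (version 0x0502) that reports principals with no single-DES key. It assumes the keytab uses that format; the realm, host names and all-zero keys are constructed sample data.

```python
import struct

SINGLE_DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5

def _counted(buf, off):
    """Read a uint16-length-prefixed string; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_enctypes(data):
    """Map principal -> set of enctype numbers found in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = {}, 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                # negative size marks a deleted entry (hole)
            off += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        p += 4 + 4 + 1               # skip name type, timestamp, 8-bit kvno
        (etype,) = struct.unpack_from(">H", data, p)
        out.setdefault("/".join(comps) + "@" + realm, set()).add(etype)
        off += size                  # entry size covers key data and any trailer
    return out

def missing_des(data):
    """Principals with no single-DES key, i.e. unusable by DES-only apps."""
    return sorted(p for p, e in keytab_enctypes(data).items() if not e & SINGLE_DES)

def _entry(realm, comps, etype, key):
    """Build one keytab entry for the constructed sample below."""
    def s(text):
        return struct.pack(">H", len(text)) + text.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, 1, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical realm and hosts, dummy all-zero keys.
SAMPLE = (b"\x05\x02"
          + _entry("EXAMPLE.COM", ["host", "sol8.example.com"], 1, bytes(8))
          + _entry("EXAMPLE.COM", ["host", "sol8.example.com"], 18, bytes(32))
          + _entry("EXAMPLE.COM", ["host", "sol9.example.com"], 18, bytes(32)))
```

Running `missing_des` over the keytab of each pre-Solaris 10 SEAM host shows which service principals still need a DES key added.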