Solaris ssh pam_krb

Will Fiveash William.Fiveash at sun.com
Wed Mar 29 15:52:05 EST 2006


On Tue, Mar 28, 2006 at 09:09:05PM -0800, Russ Allbery wrote:
> Nicolas Williams <Nicolas.Williams at sun.com> writes:
> 
> > Just because your principals only have 1DES long-term keys doesn't mean
> > that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact,
> > you shouldn't.
> 
> Oh, I agree!  I'm just saying that it's not going to help to change that.
> 
> > Besides this you're almost certainly running into:
> 
> > 6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has des-cbc-md5 and preauth required
> 
> No, we're almost certainly not.  :)  Believe me, none of our principals
> have any des-cbc-md5 keys and never will.

I've been talking to the Sun Support person who is handling this case.
The krb-diag script run on the Solaris system shows that kinit is able
to fetch a TGT using the host service princ. in the keytab so this
aspect of login auth is working.  After looking at the krb-diag output,
I have made some of the same recommendations to the Support person as
found in this thread.  I suggest the Stanford folks continue to work
with Sun Support and hopefully this problem will be resolved soon.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)


