Sun/MIT <-> Heimdal version compatibility issue?

Brian Thompson brian at eng.wayne.edu
Tue Feb 19 21:31:14 EST 2008


Ok, this one has me a bit stumped...

We have a functioning production kerberos environment
that I'm trying to add a Solaris 11 (beta 79) client to.

The kdc in my immediate realm where the host principals
are located is a Solaris 9 host, and we have several working
Solaris 10 client machines within the same realm. The kdc
in the parent university realm is an older Heimdal kdc
(version 0.6.3) and limited to only speak des-cbc-crc. All
of the student user principals are located in the parent realm.

If I stay strictly within the local Sun/MIT realm everything
works fine and I can ssh into the Solaris 11 client machine
using my local realm credentials. The krb5.keytab file on
the client machine matches the host principal stored on
the Solaris 9 kdc, etc.

And, if I log into the Solaris 11 client machine using a local
account, do a "kinit studentusername@WAYNE.EDU",
type in my university password, and then a "klist", that works
fine too and shows me what I would normally see if I simply
ssh into the other Solaris 10 client machines using my
university account and type klist.

The problem comes in when I try to ssh into the new
Solaris 11 client machine. The logs on the university's
Heimdal kdc look fine, but on the local Solaris 9 kdc where
the host principal is located, the following shows up in the
kdc log:

krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353, <unknown client> for host/sol11client.eng.wayne.edu@ENG.WAYNE.EDU, Decrypt integrity check failed

The clocks on all of the machines involved are in sync
via ntp, so it shouldn't be a clock issue. Any tips on what
I might be able to look at next would be greatly appreciated.

Thanks,
Brian
