Sun/MIT <-> Heimdal version compatibility issue?

Brian Thompson brian at eng.wayne.edu
Sat Mar 8 23:18:12 EST 2008


Brian Thompson wrote:

>
> Ok, this one has me a bit stumped...
>
> We have a functioning production kerberos environment
> that I'm trying to add a Solaris 11 (beta 79) client to.
>
> The kdc in my immediate realm where the host principals
> are located is a Solaris 9 host, and we have several working
> Solaris 10 client machines within the same realm. The kdc
> in the parent university realm is an older Heimdal kdc
> (version 0.6.3) and limited to only speak des-cbc-crc. All
> of the student user principals are located in the parent realm.
>
> If I stay strictly within the local Sun/MIT realm everything
> works fine and I can ssh into the Solaris 11 client machine
> using my local realm credentials. The krb5.keytab file on
> the client machine matches the host principal stored on
> the Solaris 9 kdc, etc.
>
> And, if I log into the Solaris 11 client machine using a local
> account, do a "kinit studentusername@WAYNE.EDU",
> type in my university password, and then a "klist", that works
> fine too and shows me what I would normally see if I simply
> ssh into the other Solaris 10 client machines using my
> university account and type klist.
>
> The problem comes in when I try to ssh into the new
> Solaris 11 client machine. The logs on the university's
> Heimdal kdc look fine, but on the local Solaris 9 kdc where
> the host principal is located, the following shows up in the
> kdc log:
>
> krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353, <unknown client> for host/sol11client.eng.wayne.edu@ENG.WAYNE.EDU, Decrypt integrity check failed
>
> The clocks on all of the machines involved are in sync
> via ntp, so it shouldn't be a clock issue. Any tips on what
> I might be able to look at next would be greatly appreciated.
>
> Thanks,
> Brian
>
>

I still haven't been able to make any progress on the above...

I did notice though that what I stated above about it working fine
if I stay strictly within the local Sun/MIT realm isn't completely
correct. Although everything "appears" to work correctly when
logging into the Solaris 11 client machine using my local realm
credentials, an error does get written to the Solaris 9 kdc logs.

krb5kdc[617]: TGS_REQ sol11client(88): INVALID TGS OPTIONS: authtime 1205035040, testuser@ENG.WAYNE.EDU for host/sol11client.eng.wayne.edu@ENG.WAYNE.EDU, KDC can't fulfill requested option

No such error occurs when logging into the other Solaris 10
client machines.

Any hints on what I might be able to check next would be
greatly appreciated.

Thanks,
Brian
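An added example, not part of Brian's post: a small parser and triage routine for the two krb5kdc TGS_REQ log lines quoted above, so that entries like these can be bucketed automatically when reviewing a KDC log. The field layout and the triage buckets are my assumptions from those two lines (the sample lines below are constructed copies of them); "Decrypt integrity check failed" is the KDC failing to decrypt and verify a ticket or authenticator with the key it holds, and "KDC can't fulfill requested option" is KDC_ERR_BADOPTION.

```python
import re
from typing import Optional
# Two constructed sample lines, shaped like the Solaris 9 krb5kdc entries in the post.
SAMPLE_LINES = [
    "krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353, "
    "<unknown client> for host/sol11client.eng.wayne.edu@ENG.WAYNE.EDU, "
    "Decrypt integrity check failed",
    "krb5kdc[617]: TGS_REQ sol11client(88): INVALID TGS OPTIONS: authtime 1205035040, "
    "testuser@ENG.WAYNE.EDU for host/sol11client.eng.wayne.edu@ENG.WAYNE.EDU, "
    "KDC can't fulfill requested option",
]
# Layout assumed from those two lines only; newer krb5kdc builds add fields (enctypes etc.).
TGS_LINE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ (?P<src>\S+?)\s*\(\d+\): "
    r"(?P<status>[^:]+): authtime (?P<authtime>-?\d+), "
    r"(?P<client>.+?) for (?P<server>[^,]+), (?P<msg>.+)$"
)

def parse_kdc_line(line: str) -> Optional[dict]:
    """Return the TGS_REQ fields as a dict, or None for lines of another shape."""
    m = TGS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"])
    return rec

def classify(rec: dict) -> str:
    """Map the KDC's free-text error to a triage bucket (buckets are my own naming)."""
    msg = rec["msg"].lower()
    if "decrypt integrity check failed" in msg:
        # The KDC could not decrypt/verify a ticket or authenticator with its key.
        # An unreadable client name or a nonsense (negative) authtime means the TGT
        # itself was undecryptable: suspect the krbtgt (cross-realm) key or enctype.
        if rec["client"] == "<unknown client>" or rec["authtime"] < 0:
            return "tgt-undecryptable"
        return "service-key-mismatch"
    if rec["status"] == "INVALID TGS OPTIONS" or "requested option" in msg:
        # KDC_ERR_BADOPTION: the client asked for a KDC option this KDC rejects.
        return "unsupported-kdc-option"
    return "other"

def triage(lines) -> dict:
    # Count buckets per (requesting host, service principal) so a noisy client stands out.
    counts: dict = {}
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is not None:
            key = (rec["src"], rec["server"], classify(rec))
            counts[key] = counts.get(key, 0) + 1
    return counts
```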
