
Heimdal with Solaris 8 clients, amongst other things



Hi all,

We've been trying, rather unsuccessfully, to use a Heimdal KDC with a
Solaris 8 client. After a lot of debugging work we eventually sussed out
what was wrong. I might add here that more debugging output from the KDC
would have been handy - for example what etypes were being used/offered
by both sides.

The problem we had was that we wanted to use DES3. The Solaris 8 client
only wanted to offer des3-cbc-md5, whilst heimdal seemed to want
des3-cbc-sha1. Eventually we noticed that heimdal only insisted on the
sha1 type because that was the only des3 one available on the principal.

From there we decided to try and get a des3-cbc-md5 key onto the
principal. This should have been straightforward, but the only way we
could find to do it was to add "default_keys = des3-cbc-md5:pw-salt" to
the kadmin section of our config file, and then create a new principal.
This seemed to work, but then we had problems with the krbtgt principal
not having that key. We tried everything we could think of to add it,
but to no avail.

At that point we've pretty much given up. The documentation doesn't seem
to offer any hints as to a solution. I guess the Solaris 8 client side
stuff is probably not being overly friendly, but we can't seem to change
its behaviour either.

Has anyone else had experience in this area? And are there any changes
planned to the KDC to allow adding of key types more easily?


As a separate issue, we've had trouble with the master key business. We
thought we'd set one up, but when we moved the m-key file out of the way
the KDC still started. What's the correct way to make sure our database
is secured with a key?


Thanks for your time,
Tim.

-- 
Tim Bishop,
Computer Science Computing Officer,
University of Kent at Canterbury.
http://www.cs.ukc.ac.uk/people/staff/tdb/