
Heimdal with Solaris 8 clients, amongst other things

Sorry, this is how the mail should have been formatted. Apologies for the mess


-----Original Message-----
Hi all,

We've been trying, rather unsuccessfully, to use a Heimdal KDC with a Solaris
8 client. After a lot of debugging work we eventually sussed out what was
wrong. I might add here that more debugging output from the KDC would have
been handy - for example what etypes were being used/offered by both sides.

The problem we had was that we wanted to use DES3. The Solaris 8 client only
wanted to offer des3-cbc-md5, whilst heimdal seemed to want des3-cbc-sha1.
Eventually we noticed that heimdal only insisted on the sha1 type because
that was the only des3 one available on the principal.

Next we decided to try and get a des3-cbc-md5 key onto the principal. This
should have been straightforward, but the only way we could find to do it
was to add "default_keys = des3-cbc-md5:pw-salt" to the kadmin section of
our config file, and then create a new principal. This seemed to work, but
then we had problems with the krbtgt principal not having that key. We tried
everything we could think of to add it, but to no avail.

At that point we've pretty much given up. The documentation doesn't seem to
offer any hints as to a solution. I guess the Solaris 8 client side stuff is
probably not being overly friendly, but we can't seem to change its
behaviour either.

Has anyone else had experience in this area? And are there any changes
planned to the KDC to allow adding of key types more easily?

As a separate issue, we've had trouble with the master key business. We
thought we'd set one up, but when we moved the m-key file out of the way the
KDC still started. What's the correct way to make sure our database is
secured with a key?

Thanks for your time,

Tim Bishop,
Computer Science Computing Officer,
University of Kent at Canterbury.