[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal with Solaris 8 clients, amonst other things

To: Tim Bishop <tim-lists@bishnet.net>
Subject: Re: Heimdal with Solaris 8 clients, amonst other things
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
Date: Wed, 17 Apr 2002 11:18:57 -0400
Cc: Johan Danielsson <joda@pdc.kth.se>, heimdal-discuss@sics.se, T.D.Bishop@ukc.ac.uk
In-Reply-To: <DGEDIOGMPBACEENPJDPOCEDODHAA.tim-lists@bishnet.net>; from tim-lists@bishnet.net on Wed, Apr 17, 2002 at 02:52:59PM +0100
Mail-Followup-To: Tim Bishop <tim-lists@bishnet.net>,Johan Danielsson <joda@pdc.kth.se>, heimdal-discuss@sics.se,T.D.Bishop@ukc.ac.uk
References: <xofofgjobp0.fsf@blubb.pdc.kth.se> <DGEDIOGMPBACEENPJDPOCEDODHAA.tim-lists@bishnet.net>
Sender: owner-heimdal-discuss@sics.se

On Wed, Apr 17, 2002 at 02:52:59PM +0100, Tim Bishop wrote:
> Well, I've had a good stab at this. The kdc logs now reveal:

[...]

> So it claims it's going to use old-des3-cbc-sha1, but then the solaris 8
> client returns:
> 
> tdb@vulture [~] % kinit
> Password for tdb@TEST.DOMAIN:
> kinit: Program lacks support for encryption type while getting initial
> credentials
> tdb@vulture [~] %
> 
> I'm getting a touch lost at this point to be honest :)

I know this one. I've seen this with MIT krb5.

Try removing requires_preauth on the principal in question or try
forcing the client to always do pre-auth. If that works then the problem
is this: the KDC lists des3-cbc-sha1 first in the ETYPE-INFO in the
requires-preauth error response to the initial AS-REQ even though the
AS-REQ did not list des3-cbc-sha1 in the requested enctypes list.

> My diagnosis is that the Solaris 8 client doesn't properly support des3. We
> could just use the heimdal client side stuff (that works fine!), but we want
> to use the secure NFS stuff that the Solaris clients offer (part of SEAM). I
> don't yet know if that will work with heimdal clients.
> 
> Has anyone got the SEAM NFS stuff going? (with or without heimdal)

I. I did patch my MIT krb5 KDC to deal with the ETYPE-INFO issue I
reference above.

> Cheers,
> Tim.

Cheers,

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

Follow-Ups:
- Re: Heimdal with Solaris 8 clients, amonst other things
  - From: Nicolas Williams <Nicolas.Williams@ubsw.com>

References:
- Re: Heimdal with Solaris 8 clients, amonst other things
  - From: joda@pdc.kth.se (Johan Danielsson)
- RE: Heimdal with Solaris 8 clients, amonst other things
  - From: "Tim Bishop" <tim-lists@bishnet.net>

Prev by Date: RE: Heimdal with Solaris 8 clients, amonst other things
Next by Date: Re: Heimdal with Solaris 8 clients, amonst other things
Prev by thread: RE: Heimdal with Solaris 8 clients, amonst other things
Next by thread: Re: Heimdal with Solaris 8 clients, amonst other things
Index(es):
- Date
- Thread