
Re: heimdal and solaris 10 gssapi troubles



Check the encryption types (klist -e) everywhere.

Solaris 8 is old enough it may not accept a ticket with data of a  
type it doesn't itself understand.  Newer Kerberos will accept such  
tickets as long as the portion it needs to decode itself is a known  
type.  I'm just guessing.

More of the Sun guys hang out on the MIT lists than here.

On Jun 18, 2007, at 12:25 PM, vadim wrote:

> Hi all,
>
> I have lots of solaris 8 boxes running heimdal 0.7.2 + openssh. As KDC I
> use MS AD. Everything works fine in terms of SSO. Silly thing however
> happens when I login on solaris 8 box (again heimdal 0.7.2 + openssh)
> from solaris 10 with stock sun's ssh. Namely,
>
> first step: solaris 10 (stock gssapi+ssh) to solaris 8 (heimdal+openssh)
> works
> second step: solaris 8 (heimdal+openssh) with delegated from solaris 10
> creds to solaris 8 (heimdal+openssh) does not. I do not remember exact
> error message, but it sounds like "something went wrong with GSSAPI".
>
> I have compared creds, which I delegate to solaris 8 from another
> solaris 8 box with creds, which I delegate to solaris 8 box from solaris
> 10 box. The difference is only in presence of "session key" in creds
> coming from solaris 10. Namely, "kinit -v" does not show any "session
> key" if I login on solaris 8 from solaris 8.
>
> Do you know if there are any interoperability issues between heimdal
> 0.7.2 and stock solaris 10 kerberos implementations?
>
> thanx a lot and best regards, vadim tarassov

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
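
The enctype check suggested in the reply above, as an added example that is not part of the original thread: it reads `klist -e` output and reports any ticket whose session-key or ticket enctype falls outside a list the target host is assumed to decode. The MIT-style `Etype (skey, tkt):` layout, the sample output, the principal names and the `OLD_HOST_ETYPES` list are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `klist -e` output on stdin and
# reports tickets whose session-key or ticket enctype is outside an allowed set.
# Assumes the MIT-style layout: a ticket line ending in the service principal,
# followed by an "Etype (skey, tkt): <skey>, <tkt>" line.

# check_etypes ALLOWED
#   ALLOWED: '|'-separated enctype names the target host is assumed to decode.
#   Output:  "<service principal>|<skey or tkt>|<enctype>" per mismatch.
check_etypes() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, "|")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Remember the service principal of the most recent ticket line.
        $NF ~ /@/ && $0 !~ /principal:/ && $0 !~ /Etype/ { svc = $NF; next }
        /Etype \(skey, tkt\):/ {
            line = $0
            sub(/^.*Etype \(skey, tkt\): */, "", line)
            sub(/[ \t\r]+$/, "", line)
            split(line, e, /, */)
            if (!(e[1] in ok)) print svc "|skey|" e[1]
            if (!(e[2] in ok)) print svc "|tkt|" e[2]
        }
    '
}

# Constructed sample of `klist -e` output (not captured from a real host).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
06/18/07 12:00:00  06/18/07 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/18/07 12:01:10  06/18/07 22:00:00  host/sol8.example.com@EXAMPLE.COM
    Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, ArcFour with HMAC/md5
EOF
}

# Hypothetical list of enctypes an older host understands; replace it with
# what the target's Kerberos library actually supports.
OLD_HOST_ETYPES='ArcFour with HMAC/md5|DES cbc mode with CRC-32|DES cbc mode with RSA-MD5'

sample_klist | check_etypes "$OLD_HOST_ETYPES"
```

On a live system, pipe the real `klist -e` output from each hop into `check_etypes`; enctype names are printed differently by different Kerberos versions, so the allowed list must use the same spelling as the local `klist`.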