[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal and solaris 10 gssapi troubles

Check the encryption types (klist -e) everywhere.

Solaris 8 is old enough it may not accept a ticket with data of a  
type it doesn't itself understand.  Newer Kerberos will accept such  
tickets as long as the portion it needs to decode itself is a known  
type.  I'm just guessing.

More of the Sun guys hang out on the MIT lists than here.

On Jun 18, 2007, at 12:25 PM, vadim wrote:

> Hi all,
> I have lots of solaris 8 boxes running heimdal 0.7.2 + openssh. As  
> use MS AD. Everything works fine in terms of SSO. Silly thing however
> happens when I login on solaris 8 box (again heimdal 0.7.2 + openssh)
> from solaris 10 with stock sun's ssh. Namely,
> first step: solaris 10 (stock gssapi+ssh) to solaris 8 (heimdal 
> +openssh)
> works
> second step: solaris 8 (heimdal+openssh) with delegated from  
> solaris 10
> creds to solaris 8 (heimdal+openssh) does not. I do not remember exact
> error message, but it sounds like "something went wrong with GSSAPI".
> I have compared creds, which I delegate to solaris 8 from another
> solaris 8 box with creds, which I delegate to solaris 8 box from  
> solaris
> 10 box. The difference is only in presence of "session key" in creds
> coming from solaris 10. Namely, "kinit -v" does not show any "session
> key" if I login on solaris 8 from solaris 8.
> Do you know if there are any interoperabilty issues between heimdal
> 0.7.2 and stock solaris 10 kerberos implementations?
> thanx a lot and best regards, vadim tarassov

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu