[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: heimdal and solaris 10 gssapi troubles
I do not think, that it is solaris issue. I rather think it is Heimdal
issue. I think so, because Heimdal happily accepts forwardable tickets
from solaris 10 kerberos:
step1: solaris10-ssh -----> heimdal-0.7.2+openssh works
but Heimdal is somehow having problems afterwords with these
step2: heimdal-0.7.2+openssh -----> heimdal-0.7.2+openssh fails
I just wonder if someone on the list has some experience with mixed
heimdal / solaris10 kerberos environments
Best regards, vadim tarassov
On Mon, 2007-06-18 at 16:16 -0700, Henry B. Hotz wrote:
> Check the encryption types (klist -e) everywhere.
> Solaris 8 is old enough it may not accept a ticket with data of a
> type it doesn't itself understand. Newer Kerberos will accept such
> tickets as long as the portion it needs to decode itself is a known
> type. I'm just guessing.
> More of the Sun guys hang out on the MIT lists than here.
> On Jun 18, 2007, at 12:25 PM, vadim wrote:
> > Hi all,
> > I have lots of solaris 8 boxes running heimdal 0.7.2 + openssh. As
> > KDC I
> > use MS AD. Everything works fine in terms of SSO. Silly thing however
> > happens when I login on solaris 8 box (again heimdal 0.7.2 + openssh)
> > from solaris 10 with stock sun's ssh. Namely,
> > first step: solaris 10 (stock gssapi+ssh) to solaris 8 (heimdal
> > +openssh)
> > works
> > second step: solaris 8 (heimdal+openssh) with delegated from
> > solaris 10
> > creds to solaris 8 (heimdal+openssh) does not. I do not remember exact
> > error message, but it sounds like "something went wrong with GSSAPI".
> > I have compared creds, which I delegate to solaris 8 from another
> > solaris 8 box with creds, which I delegate to solaris 8 box from
> > solaris
> > 10 box. The difference is only in presence of "session key" in creds
> > coming from solaris 10. Namely, "kinit -v" does not show any "session
> > key" if I login on solaris 8 from solaris 8.
> > Do you know if there are any interoperabilty issues between heimdal
> > 0.7.2 and stock solaris 10 kerberos implementations?
> > thanx a lot and best regards, vadim tarassov
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or firstname.lastname@example.org