[24087] in Kerberos


Win2k3 and Solaris 9 SEAM

daemon@ATHENA.MIT.EDU (Thomas Schweizer)
Wed Jun 15 16:35:11 2005

Date: Wed, 15 Jun 2005 14:33:41 +0200
From: Thomas Schweizer <thomas.schweizer@stat.unibe.ch>
Message-ID: <42b02025$1@news.unibe.ch>
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Hi

I've been trying to authenticate to a Win2k3 AD (w/SP1) realm with the 
Solaris 9 SEAM tools. Clocks are synchronized. As I do a 'kinit' 
everything seems to work fine, but a 'klist -e' shows:

Wed Jun 15 13:52:08 2005  Thu Jan 01 01:00:00 1970
krbtgt/AD.REALM@AD.REALM
         Etype(skey, tkt): DES-CBC-MD5, etype 23

the expiration date and etype 23 are somewhat strange since in 
/etc/krb5/krb5.conf I set

[libdefaults]
         default_realm = AD.REALM
         default_tkt_enctypes = des-cbc-md5
         default_tgs_enctypes = des-cbc-md5

As I wanted to use the SEAM Krb5-PAM module I created a hostkey with

C:\>ktpass -princ host/athena.ad.realm@AD.REALM -pass * -mapuser athena 
-desonly -crypto des-cbc-md5 -kvno 1 -out athena.k5

and imported it to the Solaris machine with ktutil.

Upon trying to login I get the following message (I guess because the 
hostkey is DES-only, as the SEAM client only supports this, but it 
should be of etype 23):

"authentication failed:  Matching credential not found"


With Win2000 I never had a similar problem... In a posting from 
29.01.2004 to this newsgroup I remarked someone had a similar problem 
and the author argued Microsoft is currently working on it and they plan 
to allow changes via registry tweaks and a hotfix (scheduled for SP1)...

Has anyone a hint how to make Solaris 9 SEAM work with Win2k3 or know 
more about such a hotfix/registry tweak?

Gruess,
Thömu
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
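
Added example, not part of the original post: a Python check that reads one `klist -e` entry and the `[libdefaults]` section of krb5.conf, then reports an end time that is not after the start time, a session key enctype outside `default_tkt_enctypes`, and a ticket enctype that differs from the session key (etype 23 is RC4-HMAC, `arcfour-hmac-md5` in krb5.conf naming). The function names and the sample strings are constructed for illustration, and the `klist -e` layout is assumed to be the one quoted in the post.

```python
import re
from datetime import datetime

# Kerberos enctype numbers -> krb5.conf names (subset)
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac-md5",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
TS = r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}"  # e.g. Wed Jun 15 13:52:08 2005

def libdefault(conf, key):
    """Return the enctype names set for `key` in the [libdefaults] section."""
    section = None
    for raw in conf.splitlines():
        line = raw.split("#")[0].strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and line.partition("=")[0].strip() == key:
            return set(line.partition("=")[2].lower().replace(",", " ").split())
    return set()

def etype_name(token):
    """Map 'DES-CBC-MD5' or 'etype 23' to a lowercase krb5.conf name."""
    token = token.strip().lower()
    m = re.fullmatch(r"etype (\d+)", token)
    return ETYPES.get(int(m.group(1)), token) if m else token

def audit(klist, conf):
    """Return findings for one `klist -e` entry checked against krb5.conf."""
    findings = []
    allowed = libdefault(conf, "default_tkt_enctypes")
    times = re.search(rf"({TS})\s+({TS})", klist)
    if times:
        start, end = (datetime.strptime(t, "%a %b %d %H:%M:%S %Y") for t in times.groups())
        if end <= start:
            findings.append(f"end time {end:%Y-%m-%d} is not after start time")
    m = re.search(r"Etype\s*\(skey, tkt\):\s*([^,]+),\s*(.+)", klist)
    if m:
        skey, tkt = etype_name(m.group(1)), etype_name(m.group(2))
        if allowed and skey not in allowed:
            findings.append(f"session key {skey} not in default_tkt_enctypes")
        if tkt != skey:  # ticket part is encrypted by the KDC in the service's key
            findings.append(f"ticket encrypted with {tkt}, session key is {skey}")
    return findings

# Constructed sample input, using the values quoted in the post above.
SAMPLE_KLIST = """Wed Jun 15 13:52:08 2005  Thu Jan 01 01:00:00 1970
krbtgt/AD.REALM@AD.REALM
         Etype(skey, tkt): DES-CBC-MD5, etype 23"""
SAMPLE_CONF = "[libdefaults]\n default_realm = AD.REALM\n default_tkt_enctypes = des-cbc-md5\n"
```

Calling `audit(SAMPLE_KLIST, SAMPLE_CONF)` returns two findings: the 1970 end time and the RC4-HMAC ticket alongside a DES session key.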
