Henry B. Hotz wrote:
> I admit my motivation is from Solaris 10 experiences. Hope I'm not too
> off-topic.

Not sure if this is your problem. See:
http://docs.sun.com/app/docs/doc/816-4557/egric?a=view
which says:

"In releases prior to Solaris 10 8/07 release, the aes256-cts-hmac-sha1-96
encryption type can be used with the Kerberos service if the unbundled
Strong Cryptographic packages are installed."

That would be the SUNWcry package, which needs to be installed.

We found this when creating a service account in W2008 AD. It would work
to a W2003 DC that would use RC4, but the W2008 DC would select aes256.

A simple test is to try the Solaris ktutil:

    ktutil
    addent -password -p testaes256@YOUR.REALM -k 1 -e aes256-cts-hmac-sha1-96
    quit

If it says bad encryption type, you have the problem.

If cryptoadm list shows only aes and not aes256, and only the provider
pkcs11_softtoken.so and not the pkcs11_softtoken_extra.so, you have the
problem.

>
> I have three "example" machines that interact with a Heimdal kdc very
> differently. Two of them should be identical: Jumpstarted at the same
> time, and have the same krb5.conf. No differences I've seen in the SMF
> configuration, though I haven't done a global compare. They both
> "work", but one of them always spits out e.g.:
>
> % kdestroy
> localhost: RPC: Rpcbind failure - RPC: Success
>
> while the other is silent (as expected).
>
> A third machine won't do timestamp pre-auth. It sends an AS-REQ, gets
> the pre-auth-required response, and just quits. (It works fine if I
> point it at a KDC that doesn't require pre-auth.)
>
> So my question is: what sort of options could affect these kinds of
> behavior?
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
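
Added example, not part of the original message: a shell function that applies the two cryptoadm checks described in the reply above to `cryptoadm list` output on stdin. The function name and both sample listings are constructed for illustration, and the listing layout (one "Provider:" line per user-level provider, one kernel provider name per line) is an assumption.

```shell
#!/bin/sh
# Added example: classify `cryptoadm list` output read from stdin.
# Returns 0 only if both AES-256 pieces named in the message are present.
check_aes256_support() {
    awk '
        /pkcs11_softtoken_extra\.so/ { extra = 1 }   # provider named in the message
        /pkcs11_softtoken\.so/       { base = 1 }    # bundled provider
        { name = $0; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == "aes256" { aes256 = 1 }              # whole-line match, so a bare
        name == "aes"    { aes = 1 }                 # "aes" never counts as aes256
        END {
            if (!aes256) print "MISSING kernel provider aes256" (aes ? " (only aes present)" : "")
            if (!extra) print "MISSING pkcs11_softtoken_extra.so" (base ? " (only pkcs11_softtoken.so present)" : "")
            if (aes256 && extra) { print "OK aes256 providers present"; exit 0 }
            exit 1
        }'
}

# Constructed sample: host without the strong crypto packages.
sample_without_sunwcry() {
    cat <<'EOF'
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so

Kernel software providers:
    des
    aes
    arcfour
EOF
}

# Constructed sample: host with the strong crypto packages installed.
sample_with_sunwcry() {
    cat <<'EOF'
User-level providers:
Provider: /usr/lib/security/$ISA/pkcs11_kernel.so
Provider: /usr/lib/security/$ISA/pkcs11_softtoken_extra.so

Kernel software providers:
    des
    aes256
    arcfour2048
EOF
}

# On a real Solaris host, check the live configuration.
if command -v cryptoadm >/dev/null 2>&1; then
    cryptoadm list | check_aes256_support || true
fi
```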