Hi again Wyllys, thanks for helping us.

You were right, we hadn't installed the Solaris Encryption Pack, but it's done now. And the problem is still here. :-((((

So we read your hints carefully:

- the Solaris Encryption Pack didn't solve the problem (one difference now: the error message doesn't appear any more! the connection simply breaks)

- we made sure that the keys generated by Windows 2000 are single DES compliant. By running the ktpass command described in your URL (on microsoft.com), the output says

    Keytab version: 0x502
    keysize 54 [EMAIL PROTECTED] ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0xb02f4a611515f1a1)
    Account has been set for DES-only encryption.

  That doesn't look like DES3...

- and finally, the keytab file: here is a ktutil set of commands:

    ktutil: rkt /etc/krb5/krb5.keytab
    ktutil: list
    slot KVNO Principal
    ---- ---- ------------------------------------------------------------------ --------
       1    1 [EMAIL PROTECTED]

  So I'd say the principal is correctly installed on the server (whose name is thot.mds, as you may have guessed).

Did you see anything incorrect here?

Thanks a lot for your help

Philippe
Francois

"Wyllys Ingersoll" <[EMAIL PROTECTED]> wrote in message news: [EMAIL PROTECTED]
>
> Philippe -
> Verify that you have the Solaris Encryption Pack software
> installed. SEAM by default does not include support for
> encryption for export reasons.
> http://www.sun.com/solaris/encryption
>
> Also, note that SEAM for Solaris 8 only supports single DES,
> so if your Win2K KDC is issuing keys with stronger crypto
> (e.g. 3DES), your SEAM clients and servers won't work. You can
> request specific encryption types when you create your principals
> in Win2K, I don't know the exact syntax of the commands but I'm
> pretty sure it can be done.
>
> Microsoft has a white paper on Win2K and Kerberos interoperability,
> check it out if you haven't already:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>
> Finally, verify that the keytab on the server side contains
> the correct host principal key so telnetd can properly
> authenticate the client (host/f.q.d.n @REALM).
>
> -Wyllys
>
> Philippe Perrin wrote:
>
> > Hi all
> >
> > We're trying to make SEAM (Solaris 8) work with a Windows 2000 KDC. Here are
> > the settings:
> > KDC : Windows 2000
> > SEAM Kerberized Telnet Server : Solaris (/usr/krb5/lib/telnetd)
> > SEAM Kerberized Telnet Client : Solaris (/usr/krb5/bin/telnet)
> >
> > Acquiring the TGT works fine (kinit). But when running the telnet client, we
> > get the following error:
> > Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed:
> > Unknown code 2
> >
> > Any idea of what the problem might be?
> >
> > Thanx a lot
> >
> > Philippe P
> > Francois L
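
The keytab check discussed in this thread (which principal, key version and encryption type the server's keytab actually holds) can also be done by reading the file directly. The following is an added example, not code from any poster or from SEAM, ktpass or ktutil; it assumes the MIT-style version 0x502 keytab layout, the function names are hypothetical, and the principal and all-zero keys in the sample are constructed placeholders.

```python
import struct

SINGLE_DES = {1, 2, 3}  # des-cbc-crc (0x1, as in the ktpass output), des-cbc-md4, des-cbc-md5

def _counted(buf, off):
    """Read a 16-bit length-prefixed string; return (text, next_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, etype, keylength)] from a version 0x502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size == 0:             # zero-length record: end of entries
            break
        if size < 0:              # negative size marks a deleted slot; skip it
            off += -size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, p = _counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            name, p = _counted(buf, p)
            comps.append(name)
        _ptype, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", buf, p)
        entries.append(("/".join(comps) + "@" + realm, kvno, etype, klen))
        off += size
    return entries

def unusable_for_des_only(entries):
    """Entries whose enctype a single-DES-only service could not use."""
    return [e for e in entries if e[2] not in SINGLE_DES]

def make_entry(principal, kvno, etype, key):
    """Build one keytab entry (constructed test data; name type 1 = KRB5_NT_PRINCIPAL)."""
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: placeholder principal, dummy keys, etype 1 (DES) and 16 (3DES).
SAMPLE = (b"\x05\x02" + make_entry("host/server.example.test@EXAMPLE.TEST", 1, 1, bytes(8))
          + make_entry("host/server.example.test@EXAMPLE.TEST", 1, 16, bytes(24)))
print(unusable_for_des_only(parse_keytab(SAMPLE)))
```

On a real server, pass the bytes of the keytab file to `parse_keytab` and compare the principal, KVNO and etype of each entry with what the KDC issues for that host.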
