> We were unable to get Solaris 2.9 clients to authenticate with our MIT kerberos server.

I don't know if this is relevant, but you have to do a couple of extra things in order to configure a Sun SEAM client into a realm that's served by an IBM Network Authentication Service KDC... maybe these steps apply to SEAM clients that want to work with other types of KDC's as well. (Network Authentication Service is IBM's Kerberos implementation, and SEAM is Sun's implementation.)

First, Sun's docs say that if you're using a non-Sun KDC, then you must add a line like "kpasswd_protocol = SET_CHANGE" to the "realms" stanza of the client's krb5.conf.

Second, IBM's docs say that if you want to configure a Sun SEAM client into a realm that's served by an IBM KDC, you must move the des3 entries to the ends of the lists in krb5.conf and kdc.conf on the server. If you don't do this, then the client's attempts to authenticate will result in preauthentication failures. Now, IBM's KDC understands des3, but evidently Sun's SEAM client does not. I suspect that the preauth failures may be related to the following from MIT's known-bugs list:

    ETYPE_INFO preauthentication data returned from the KDC are not sorted in the order requested by the client. This may result in preauthentication failure when encrypted timestamp preauthentication is required but the client doesn't understand some of the enctypes of the keys stored for it in the database.

After doing this, I was able to configure a Solaris 9 SEAM client into a realm that's served by an IBM Network Authentication Service KDC.

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
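
A small checker for the two steps described in the message above, added here as an illustration; it is not code from the post, Sun, IBM or MIT. It moves des3 entries to the end of each enctype list and reports realms whose stanza lacks `kpasswd_protocol = SET_CHANGE`. Assumptions: the enctype key names are the MIT-style ones (the post does not name them), and the constructed sample puts both settings in one file for brevity, whereas the post applies the enctype change on the server and `kpasswd_protocol` on the client.

```python
import re
# Assumption: MIT-style enctype list keys; the post does not name them.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes", "supported_enctypes"}
LINE_RE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(.*?)\s*$")

def des3_last(entries):
    """Move des3* entries to the end; sorted() is stable, so order is otherwise kept."""
    return sorted(entries, key=lambda e: e.lower().startswith("des3"))

def reorder_enctypes(conf_text):
    """Return (new_text, changed_keys) with des3 entries last in each enctype list."""
    out, changed = [], []
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in ENCTYPE_KEYS:
            indent, key, eq, value = m.groups()
            entries = [e for e in re.split(r"[,\s]+", value) if e]
            fixed = des3_last(entries)
            if fixed != entries:
                changed.append(key)
                line = f"{indent}{key}{eq}{' '.join(fixed)}"
        out.append(line)
    return "\n".join(out) + "\n", changed

def realms_missing_kpasswd_protocol(conf_text):
    """Realms in [realms] lacking 'kpasswd_protocol = SET_CHANGE' (flat stanzas only)."""
    missing, section, realm, seen = [], None, None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "realms" and realm is None and line.endswith("{"):
            realm, seen = line.split("=")[0].strip(), False
        elif realm is not None and line.startswith("}"):
            if not seen:
                missing.append(realm)
            realm = None
        elif realm is not None and re.match(r"kpasswd_protocol\s*=\s*SET_CHANGE\s*$", line):
            seen = True
    return missing

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE = """[libdefaults]
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
    }
"""
```

`reorder_enctypes` also handles `key:salt` entries such as those in a kdc.conf list, since it only looks at the `des3` prefix of each entry.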
