On Tue, Mar 28, 2006 at 09:09:05PM -0800, Russ Allbery wrote: > Nicolas Williams <[EMAIL PROTECTED]> writes: > > > Just because your principals only have 1DES long-term keys doesn't mean > > that you need to set default_tgs_enctypes/default_tkt_enctypes; in fact, > > you shouldn't. > > Oh, I agree! I'm just saying that it's not going to help to change that. > > > Besides this you're almost certainly running into: > > > 6320871 kinit fails if default_tkt_enctypes = des-cbc-crc but princ has > > des-cbc-md5 and preauth required > > No, we're almost certainly not. :) Believe me, none of our principals > have any des-cbc-md5 keys and never will.
I've been talking to the Sun Support person who is handling this case. The krb-diag script run on the Solaris system shows that kinit is able to fetch a TGT using the host service princ. in the keytab so this aspect of login auth is working. After looking at the krb-diag output, I have made some of the same recommendations to the Support person as found in this thread. I suggest the Stanford folks continue to work with Sun Support and hopefully this problem will be resolved soon. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
