On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote:
> I'm confused, then, Nicolas.
>
> As I read the output, there are 2 keys stored
> for these principals:
>
> 1 using Triple DES cbc mode with HMAC/sha1
>
> 1 using DES cbc mode with CRC-32
>
> And the first matching enctype is supposed to be used,
> which would be des-cbc-crc (and des3-hmac-sha1 would
> not, as it is not common to the client and server).
What does kadmin -q "getprinc host/[EMAIL PROTECTED]" say? I bet the des3-hmac-sha1 key comes before the des-cbc-crc key.

That means that when the stock pam_krb5/mech_krb5 do a TGS-REQ to get a service ticket [for the PAM_USER with host/[EMAIL PROTECTED] as the service principal name] with which to validate the user's TGT, the ticket will come back encrypted in host/[EMAIL PROTECTED]'s 3DES key (because the KDC will select that long-term key because it's first in the KDB entry), which, sadly, the Solaris 9 mech_krb5 doesn't support.

You could upgrade to Solaris 10 and get support for AES (in addition to 3DES and HMAC-RC4)...

Nico
--
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
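An added check that is not part of the thread, mirroring Nico's reasoning: it parses the `Key:` lines of a `getprinc` listing in KDB order, takes the first key as the one the KDC will use for the service ticket, and reports whether a client limited to a given enctype set could decrypt that ticket. The sample listing is constructed from the key display names Jeff quoted (principal name is a placeholder), and the display-name-to-enctype mapping is an assumption for those two names.

```python
import re

# Constructed sample of `kadmin -q "getprinc <principal>"` output, using the
# key display names quoted in the thread; the principal name is a placeholder.
SAMPLE_GETPRINC = """\
Principal: host/PLACEHOLDER.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
"""

# Assumed mapping from the display names printed by older MIT kadmin to the
# short enctype names used in krb5.conf.
DISPLAY_TO_ENCTYPE = {
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

KEY_LINE = re.compile(r"^Key: vno (\d+), ([^,]+), (.*)$")


def parse_keys(getprinc_output):
    """Return the principal's keys as (kvno, enctype) tuples, in KDB order."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            display = m.group(2).strip()
            keys.append((int(m.group(1)), DISPLAY_TO_ENCTYPE.get(display, display)))
    return keys


def service_ticket_enctype(keys):
    """Enctype the KDC will use for the service ticket: the first key in the
    entry, as described in the reply, regardless of the client's preference."""
    if not keys:
        raise ValueError("principal has no keys")
    return keys[0][1]


def check_client(keys, client_enctypes):
    """Return (ticket_enctype, decryptable) for a client that only supports
    client_enctypes, e.g. a DES-only mech_krb5."""
    enctype = service_ticket_enctype(keys)
    return enctype, enctype in set(client_enctypes)


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_GETPRINC)
    print("keys in KDB order:", keys)
    print("DES-only client:", check_client(keys, {"des-cbc-crc"}))
```

On a real principal, feed the output of `kadmin -q "getprinc ..."` to `parse_keys` instead of the constructed sample.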