On Tue, May 16, 2006 at 06:40:29PM -0400, Jeff Blaine wrote:
> Yes, MIT k5 1.4.3
>
> The only Solaris piece I ever expect to use is pam_krb5.so

And secure NFS?  (kgssapi/kmech_krb5, gssd/mech_krb5)

> I've yet to touch/test Linux + K5, but it will be promptly
> after I find most of the hiccups with Solaris + MIT for
> now.  Then it's on to Cyrus IMAP integration and other
> fun stuff.

Would you consider running a Solaris 10 KDC?

> Maybe I'm just sore about it, but perhaps something should
> be mentioned about this in the docs?

Which part?  That Solaris 9 only supports the Kerberos V 1DES enctypes
should be clear from the krb5.conf man page.

As for the Solaris 10 kadmind heuristic I described, I'm not sure where
that's documented.  I'll find out.

> I can't really wrap
> my head around how this bit me and there wasn't a pile of
> mailing list archive chatter by other people being
> bitten (when I searched before posting...).  That is, I
> don't see that I am doing anything rare here.

You're mixing two Kerberos V implementations on the same host.  This is
not so rare for Solaris 8 and 9 systems, actually, but when one does
this one should be careful about possibly disjoint feature sets of the
two implementations.

> I'm trying
> to use MIT K5 as a KDC in a homogenous environment.  Out
> of the box, I got bit the first time I touched anything
> that didn't come from MIT.  If nobody finds that bad,
> so be it -- I'm not going to drag it out further.

See above.

> And now, I cannot get kadmin.local to NOT make 3DES
> keys.  I have tried:

The MIT and Solaris 10 kadmin/kadmin.local have a -e option to ktadd
that you should use.

The enctype names include a salt type (for your purposes always
":normal").  That the salt type is not optional is just awful, IMO.

> No dice.  It appears to be blindly ignoring everything
> EXCEPT '-e des-crc-cbc:normal' as part of ktadd (which I
> should not have to do when set up this way).
>
> Here's a bug, too :)
>
> kadmin.local:  ktadd -e des-cbc-crc host/noodle.foo.com
> ktadd: Invalid argument while parsing keysalts de
>
>     ^^ ????
>
> This is about the time I start getting really worried.

As has been pointed out you didn't include the ":normal" (though you
included it in your e-mail).

> Worried that either I am *really* stupid, or... wow :(

No, the interface isn't very friendly.

> > Perhaps we need to get this behaviour into MIT krb5, since you're using
> > it alongside Solaris' krb5 support.  I assume you're using MIT's KDC
> > software.
>
> Above - and I think that's a great idea.

I'll file a report in the MIT krb5 RT.

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
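
The two `ktadd -e` mistakes discussed in this thread (a missing ":normal" salt type and the transposed name des-crc-cbc) can be caught before kadmin sees the argument. The following is an added example, not part of the original message and not MIT krb5 code; `check_keysalts`, the name tables (a subset of MIT enctype and salt-type names) and the `allowed` parameter are assumptions, and it applies the thread's rule that the salt type is mandatory.

```python
import difflib

# Assumed subset of MIT krb5 enctype and salt-type names; extend per release.
ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac",
            "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
SALTTYPES = {"normal", "v4", "norealm", "onlyrealm", "afs3", "special"}
# Per the thread, Solaris 9 supports only the single-DES enctypes.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md5"}


def check_keysalts(spec, allowed=None):
    """Return a list of problems in a 'ktadd -e' keysalt list (empty = OK).

    spec    -- the string that would follow -e, e.g. "des-cbc-crc:normal"
    allowed -- optional set of enctypes the consuming host can use
    """
    items = spec.replace(",", " ").split()
    if not items:
        return ["empty keysalt list"]
    problems = []
    for item in items:
        enctype, sep, salt = item.partition(":")
        if enctype not in ENCTYPES:
            # Catch transposed names such as des-crc-cbc.
            hint = difflib.get_close_matches(enctype, sorted(ENCTYPES), n=1)
            msg = f"{item}: unknown enctype"
            if hint:
                msg += f", did you mean {hint[0]}?"
            problems.append(msg)
            continue
        if not sep or not salt:
            problems.append(f"{item}: missing salt type, use {enctype}:normal")
        elif salt not in SALTTYPES:
            problems.append(f"{item}: unknown salt type {salt!r}")
        if allowed is not None and enctype not in allowed:
            problems.append(f"{item}: enctype not supported by the target host")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the cases in the thread.
    for spec in ("des-cbc-crc", "des-crc-cbc:normal",
                 "des3-cbc-sha1:normal", "des-cbc-crc:normal"):
        print(spec, "->", check_keysalts(spec, allowed=SINGLE_DES) or "OK")
```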