Heilke, Rainer wrote:
You indicated below that you are using an MIT Kerberos KDC on the Solaris 8 systems. So, the key to making things work with the S8 SEAM Kerberos clients is to make sure that the host principals for those Solaris 8 systems are only issued DES keys. The rlogin servers in SEAM only support DES since that is all that was available when the S8 SEAM packages were created.
kadmin -q "addprinc -e des-cbc-md5:normal host/foo.bar.com"
kadmin -q "ktadd -e des-cbc-md5:normal host/foo.bar.com"
(I'm not sure if the syntax for those commands is exactly correct, but you get the idea).
Solaris 10 systems can be issued AES keys (AES-128 if the encryption package is not installed, AES-256 otherwise) or RC4, 3DES, or DES.
Can we force the Sol10 box to only use DES, to be compatible with the Sol8/MIT systems (which is everything but the one Sol10 box)?
If you are using MIT Kerberos on the Solaris 8 systems (including pam_krb5 made for MIT, not the one that comes with SEAM), then you should not worry about the enctypes because MIT already supports all of the enctypes that S10 supports.
The only time you need to worry about enctypes is when you are using pre-S10 systems with SEAM apps. In that situation, ONLY the pre-Solaris 10 systems need to have the DES keys; it is perfectly acceptable for the S10 systems to have AES and S8/S9 to have DES. This should not affect interop if your keytabs are correctly populated on the pre-S10 boxes.
We have tested this and it does work, but you have to make sure that the S8 system has only DES keys.
All Solaris 8 systems are MIT, so if I understood your earlier comments, they already are DES; is that correct?
Not necessarily. If your S8 systems are MIT, then you don't really need to worry much about the enctype support because MIT has support for all enctypes (DES through AES-256).
You may run into problems if you try and mix/match the S8 SEAM apps with S8 MIT stuff. For example, the dtlogin problem you mentioned - if dtlogin is using the SEAM pam_krb5 library, then you must make sure that the host principals on that S8 system have only DES keys.
If you use a 3rd party pam_krb5 library that links with MIT Kerberos, then you should not have any enctype issues on Solaris 8.
You may be seeing problems on your S8 systems because you have a mixture of MIT Kerberos apps (with full enctype support) and S8/SEAM Kerberos apps (which only support DES).
-Wyllys

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
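The thread's advice comes down to one verifiable condition: every key for the host principal on a pre-S10 SEAM box must be single DES. The script below is an added example, not part of the thread or of SEAM/MIT Kerberos: it parses `klist -k -e -t` output and fails if any key for the named host principal has a non-DES enctype (Triple DES included). The two keytab listings are constructed to mirror MIT's klist format, the realm BAR.COM is an assumption, and the enctype display names are the ones MIT klist prints.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a host principal's keytab
# entries are all single DES, which the pre-Solaris 10 SEAM servers require.
# Input is the output of `klist -k -e -t KEYTAB`; the enctype display names
# ("DES cbc mode with RSA-MD5", "AES-256 CTS mode with 96-bit SHA-1 HMAC",
# "Triple DES cbc mode with HMAC/sha1", ...) follow MIT klist. The realm
# BAR.COM and the listings themselves are constructed for this example.

# Constructed listing: a stray AES key is still present alongside DES.
SAMPLE_MIXED='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/07 00:00:00 host/foo.bar.com@BAR.COM (DES cbc mode with RSA-MD5)
   3 01/01/07 00:00:00 host/foo.bar.com@BAR.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# Constructed listing: DES-only keys, as the thread recommends for S8.
SAMPLE_DES='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 01/01/07 00:00:00 host/foo.bar.com@BAR.COM (DES cbc mode with RSA-MD5)
   4 01/01/07 00:00:00 host/foo.bar.com@BAR.COM (DES cbc mode with CRC-32)'

# non_des_keys PRINCIPAL   (reads a klist listing on stdin)
# Prints the enctype of every key of PRINCIPAL that is not single DES.
non_des_keys() {
    awk -v princ="$1" '
        {
            sub(/[ \t]+$/, "")                 # tolerate trailing blanks
        }
        # Key lines end with the enctype in parentheses; keep only our principal.
        index($0, princ "@") && match($0, /\([^)]*\)$/) {
            etype = substr($0, RSTART + 1, RLENGTH - 2)
            # Single DES prints as "DES cbc mode with ..."; "Triple DES ..."
            # does not match and is therefore reported, as it must be.
            if (etype !~ /^DES cbc mode with/) print etype
        }'
}

# keytab_is_des_only PRINCIPAL   (reads a klist listing on stdin)
# Succeeds only when every key of PRINCIPAL is single DES.
keytab_is_des_only() {
    [ -z "$(non_des_keys "$1")" ]
}

# Wrappers over the constructed listings so the check runs stand-alone.
check_mixed() { printf '%s\n' "$SAMPLE_MIXED" | keytab_is_des_only host/foo.bar.com; }
check_des()   { printf '%s\n' "$SAMPLE_DES"   | keytab_is_des_only host/foo.bar.com; }
count_mixed() { printf '%s\n' "$SAMPLE_MIXED" | non_des_keys host/foo.bar.com | grep -c .; }

# On the S8 host itself the same check reads the live keytab:
#   klist -k -e -t /etc/krb5/krb5.keytab | keytab_is_des_only host/foo.bar.com \
#     || echo "non-DES key found; re-issue with kadmin ktadd -e des-cbc-md5:normal"
```

The check is deliberately a whitelist on the DES display name rather than a blacklist of AES/RC4/3DES names, so a new enctype added to the KDC later still fails the test instead of slipping through. Run it against the keytab after every `ktadd`, since a `ktadd` without `-e` will write keys in every enctype the KDC supports.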
