> > Can we force the Sol10 box to only use DES, to be compatible with the
> > Sol8/MIT systems (which is everything but the one Sol10 box)?
>
> If you are using MIT Kerberos on the Solaris 8 systems (including
> pam_krb5 made for MIT, not the one that comes with SEAM), then
> you should not worry about the enctypes because MIT already
> supports all of the enctypes that S10 supports.
>
> The only time you need to worry about enctypes is when you
> are using pre-S10 systems with SEAM apps. In that situation,
> ONLY the pre-Solaris 10 systems need to have the DES keys,
> it is perfectly acceptable for the S10 systems to have AES
> and S8/S9 to have DES. This should not affect interop if
> your keytabs are correctly populated on the pre-S10 boxes.

Excellent, thanks. That makes life significantly easier.

> earlier comments,
> > they already are DES; is that correct?
> >
>
> Not necessarily. If your S8 systems are MIT, then you don't
> really need to worry much about the enctype support because
> MIT has support for all enctypes (DES through AES-256).

Right, as per your comments above. :-)

> If you use a 3rd party pam_krb5 library that links with MIT
> Kerberos, then you should not have any enctype issues on
> Solaris 8.

We aren't using any Sol8 SEAM (all MIT, except for the new Sol10 box), using the MIT libs.

> You may be seeing problems on your S8 systems because
> you have a mixture of MIT Kerberos apps (with full enctype
> support) and S8/SEAM Kerberos apps (which only support DES).

We're only having problems talking to the Sol10 box (and back). I suspect your other comments about the service being the issue. The only "odd" box is a Linux critter, but since it uses the MIT distro as well, I suspect that issue will get resolved at the same time.

Rainer
