Hi

I'v been trying to authenticate to a Win2k3 AD (w/SP1) realm with the
Solaris 9 SEAM tools. Clocks are synchronized. As I do a 'kinit'
everything seems to work fine, but a 'klist -e' shows:

Wed Jun 15 13:52:08 2005 Thu Jan 01 01:00:00 1970
krbtgt/AD.REALM@AD.REALM
Etype(skey, tkt): DES-CBC-MD5, etype 23

the expiration date and etype 23 are somewhat strange since in
/etc/krb5/krb5.conf I set

[libdefaults]
default_realm = AD.REALM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5

As I wanted to use the SEAM Krb5-PAM module I created a hostkey with

C:\>ktpass -princ host/athena.ad.realm@AD.REALM -pass * -mapuser athena
-desonly -crypto des-cbc-md5 -kvno 1 -out athena.k5

and imported it to the Solaris machine with ktutil.

Upon trying to login I get the following message (I guess because the
hostkey is DES-only, as the SEAM client only supports this, but it
should be of etype 23):

"authentication failed: Matching credential not found"


With Win2000 I never had a similar problem... In a posting from
29.01.2004 to this newsgroup I remarked someone had a similar problem
and the author argued Microsoft is currently working on it and they plan
to allow changes via registry tweaks and a hotfix (scheduled for SP1)...

Has anyone a hint how to make Solaris 9 SEAM work with Win2k3 or know
more about such a hotfix/registry tweak?

Gruess,
Thömu