Win2k3 and Solaris 9 SEAM - Kerberos
I've been trying to authenticate to a Win2k3 AD (w/SP1) realm with the
Solaris 9 SEAM tools. Clocks are synchronized. As I do a 'kinit'
everything seems to work fine, but a 'klist -e' shows:
Wed Jun 15 13:52:08 2005 Thu Jan 01 01:00:00 1970
Etype(skey, tkt): DES-CBC-MD5, etype 23
The expiration date and etype 23 are somewhat strange since in
/etc/krb5/krb5.conf I set
default_realm = AD.REALM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
As I wanted to use the SEAM Krb5-PAM module I created a hostkey with
C:\>ktpass -princ host/athena.ad.realm@AD.REALM -pass * -mapuser athena -desonly -crypto des-cbc-md5 -kvno 1 -out athena.k5
and imported it to the Solaris machine with ktutil.
Upon trying to login I get the following message (I guess because the
hostkey is DES-only, as the SEAM client only supports this, but it
should be of etype 23):
"authentication failed: Matching credential not found"
With Win2000 I never had a similar problem... In a posting from
29.01.2004 to this newsgroup I remarked someone had a similar problem
and the author argued Microsoft is currently working on it and they plan
to allow changes via registry tweaks and a hotfix (scheduled for SP1)...
Does anyone have a hint on how to make Solaris 9 SEAM work with Win2k3, or know
more about such a hotfix/registry tweak?
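
Added example, not part of the original post: a small Python check that reads the "Etype(skey, tkt)" line printed by 'klist -e' and separates the two cases that matter here. The client itself has to handle the session key enctype, while the ticket enctype only has to match a key held by the service that decrypts the ticket (etype 23 is rc4-hmac). The TGT principal name, the host ticket entry and the DES-only enctype set are constructed assumptions for illustration.

```python
import re

# Kerberos encryption type numbers (subset of the IANA registry).
ETYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "aes128-cts-hmac-sha1-96": 17,
          "aes256-cts-hmac-sha1-96": 18, "rc4-hmac": 23}

ETYPE_LINE = re.compile(r"Etype\s*\(skey,\s*tkt\):\s*([^,]+),\s*(.+)", re.I)

def etype_number(token):
    """Map a klist token ('DES-CBC-MD5' or 'etype 23') to its number, or None."""
    token = token.strip().lower()
    m = re.fullmatch(r"etype\s+(\d+)", token)
    return int(m.group(1)) if m else ETYPES.get(token)

def check_entry(service, etype_line, client_etypes, keytab):
    """Return a list of findings for one credential-cache entry.

    service       -- service principal named in the ticket
    client_etypes -- enctype numbers the local Kerberos library implements
    keytab        -- {principal: set of enctype numbers} held in the local keytab
    """
    m = ETYPE_LINE.search(etype_line)
    if not m:
        return ["UNPARSED"]
    skey, tkt = etype_number(m.group(1)), etype_number(m.group(2))
    findings = []
    # The client uses the session key directly, so it must implement that enctype.
    if skey not in client_etypes:
        findings.append("SESSION_KEY_UNSUPPORTED")
    # The ticket body is decrypted only by the service it names; a TGT is opaque
    # to the client, so its ticket enctype is not checked against anything local.
    if not service.startswith("krbtgt/") and service in keytab:
        if tkt not in keytab[service]:
            findings.append("TICKET_ETYPE_NOT_IN_KEYTAB")
    return findings

# Constructed sample data (assumptions, not output captured from the poster's system).
DES_ONLY = {1, 3}                                  # enctypes of a DES-only client
KEYTAB = {"host/athena.ad.realm@AD.REALM": {3}}    # des-cbc-md5 key made with ktpass
TGT = ("krbtgt/AD.REALM@AD.REALM", "Etype(skey, tkt): DES-CBC-MD5, etype 23")
HOST = ("host/athena.ad.realm@AD.REALM", "Etype(skey, tkt): DES-CBC-MD5, etype 23")

if __name__ == "__main__":
    for service, line in (TGT, HOST):
        print(service, check_entry(service, line, DES_ONLY, KEYTAB) or "ok")
```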