Norbert is correct. In Solaris 9, the default behavior for PAM-KRB5 is to require a host key in the keytab file (/etc/krb5/krb5.keytab) in order to properly authenticate that the ticket issued came from the correct KDC.
-Wyllys
Norbert Klasen wrote:
I do not actually. I never had to do that with Solaris 8, so I was wondering. I'm in the process of gettign user IDs created in AD for the system.
The Solaris 9 module verifies the tgt. See <http://docs.sun.com/db/doc/817-3946/6mjgmt4nd?q=pam_krb5&a=view>. Probably Solaris 8 didn't do this.
Norbert ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos