I'm confused, then, Nicolas. As I read the output, there are 2 keys stored for these principals:
1 using Triple DES cbc mode with HMAC/sha1
1 using DES cbc mode with CRC-32

And the first matching enctype is supposed to be used, which would be des-cbc-crc (and des3-hmac-sha1 would not, as it is not common to the client and server).

Nicolas Williams wrote:
> On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote:
>> Nicolas Williams wrote:
>>> What does "klist -ke /etc/krb5/krb5.keytab" say?
>> bash-2.05# /export/home/krb5/bin/klist -ke /etc/krb5/krb5.keytab
>> Keytab name: FILE:/etc/krb5/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    4 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
>>    4 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>>    4 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
>>    4 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>>    3 cvs/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
>>    3 cvs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>>    3 cvs/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
>>    3 cvs/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>> bash-2.05#
>>
>>> It's possible that your host principal has keys of enctypes other than
>>> des-cbc-crc or des-cbc-md5 -- since those are the only enctypes that
>>> Solaris 9 supports this would be a misconfiguration.
>
> That's exactly it then. Solaris 9 does not support the 3DES enctypes.
>
> Change your host principal's keys to be only des-cbc-crc.
>
> Nico
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
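An added example, not part of the original message: a Python check that parses `klist -ke` output and lists the keytab entries whose enctype falls outside the set the thread says Solaris 9 supports (des-cbc-crc, des-cbc-md5). The sample output with its example.com principals is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Enctype descriptions as printed by `klist -ke`, mapped to the names used in the thread.
DESCRIPTIONS = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
}
# Per the thread: the only enctypes Solaris 9 supports.
SOLARIS9_SUPPORTED = {"des-cbc-crc", "des-cbc-md5"}

# One keytab entry: KVNO, principal, then the enctype description in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist(text):
    """Return {(principal, kvno): [enctype, ...]} from `klist -ke` output."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # keytab name, column header, separator, shell prompt
        kvno, principal, desc = m.groups()
        # Unknown descriptions are kept verbatim so they show up as unsupported.
        keys[(principal, int(kvno))].append(DESCRIPTIONS.get(desc, desc))
    return dict(keys)

def unsupported_keys(text, supported=SOLARIS9_SUPPORTED):
    """List (principal, kvno, enctype) entries the host cannot use."""
    return sorted(
        (p, k, e)
        for (p, k), etypes in parse_klist(text).items()
        for e in etypes if e not in supported
    )

# Constructed sample in the same layout as the output quoted in the thread.
SAMPLE = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/app1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   4 host/app1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 cvs/app1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3 cvs/app1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    for principal, kvno, etype in unsupported_keys(SAMPLE):
        print(f"{principal} kvno {kvno}: {etype} not supported on this host")
```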