Received: from luminous.mit.edu (LUMINOUS.MIT.EDU [18.101.1.61])
    by krbdev.mit.edu (8.9.3) with ESMTP id VAA15876;
    Thu, 14 Nov 2002 21:28:05 -0500 (EST)
Received: by luminous.mit.edu (Postfix, from userid 1000) id CDD2576869;
    Thu, 14 Nov 2002 21:28:03 -0500 (EST)
To: Richard Hanschu
Cc: 169014@bugs.debian.org, rt-comment@krbdev.mit.edu
Subject: [krbdev.mit.edu #1259]Re: Bug#169014: krb5-kdc no longer interops with Solaris SEAM
References: <1037232921.21044.27.camel@claudius>
From: Sam Hartman
Date: Thu, 14 Nov 2002 21:28:03 -0500
In-Reply-To: <1037232921.21044.27.camel@claudius> (Richard Hanschu's message of "13 Nov 2002 16:15:21 -0800")
Message-Id: <87isyzbm8c.fsf@luminous.mit.edu>
Lines: 11
User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/21.1 (i386-debian-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 384

I believe you can work around this either by disabling
preauth_required on principals that need to log in from Solaris or
dropping des3-hmac-sha1 from supported_enctypes in your kdc.conf and
changing passwords.

Both of these workarounds have security implications unfortunately,
although not using des3 probably isn't that serious if you have a lot
of Solaris clients already.