[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Heimdal with Solaris 8 clients, amonst other things
> -----Original Message-----
> From: Johan Danielsson [mailto:joda@pdc.kth.se]
> Sent: 16 April 2002 17:23
>
> "Tim Bishop" <tim-lists@bishnet.net> writes:
>
> > DES3 with MD5 did seem odd. In fact, we only got there by a bit
> of fiddling.
> > I've actually told the Solaris 8 client to use "des3-cbc-sha" (not
> > des3-cbc-sha1) but according to heimdal it's sending
> "des3-cbc-md5". I can't
> > seem to get it to send any other des3 types.
>
> Aha, oho. I think this is some non-standard DES3 using SHA1, but
> without the key-derivation stuff that's required for real
> des3-cbc-sha1. It might correspond to the "old-des3-cbc-sha1" enctype
> (that we have as 7).
>
> If you *really* want this to work, you could probably swap these two
> enctypes (in lib/asn1/k5.asn1), and recompile your kdc. Don't know if
> it's worth the trouble.
Well, I've had a good stab at this. The kdc logs now reveal:
(the lines starting with # are debugging lines I've added to the kdc)
2002-04-17T14:36:11 AS-REQ tdb@TEST.DOMAIN from IPv4:129.12.3.232 for
krbtgt/TEST.DOMAIN@TEST.DOMAIN
#2002-04-17T14:36:11 Request has 1 enctypes:
#2002-04-17T14:36:11 Request has old-des3-cbc-sha1 enctype (5)
#2002-04-17T14:36:11 Principle tdb has 2 keytypes:
#2002-04-17T14:36:11 Principle has des3-cbc-sha1 keytype (16)
#2002-04-17T14:36:11 Principle has old-des3-cbc-sha1 keytype (5)
#2002-04-17T14:36:11 Request has 1 enctypes:
#2002-04-17T14:36:11 Request has old-des3-cbc-sha1 enctype (5)
#2002-04-17T14:36:11 Principle krbtgt has 5 keytypes:
#2002-04-17T14:36:11 Principle has des-cbc-crc keytype (1)
#2002-04-17T14:36:11 Principle has des-cbc-md4 keytype (2)
#2002-04-17T14:36:11 Principle has des-cbc-md5 keytype (3)
#2002-04-17T14:36:11 Principle has des3-cbc-sha1 keytype (16)
#2002-04-17T14:36:11 Principle has old-des3-cbc-sha1 keytype (5)
2002-04-17T14:36:11 Using old-des3-cbc-sha1/old-des3-cbc-sha1
2002-04-17T14:36:11 Requested flags: renewable, forwardable
2002-04-17T14:36:11 sending 638 bytes to IPv4:129.12.3.232
So it claims it's going to use old-des3-cbc-sha1, but then the solaris 8
client returns:
tdb@vulture [~] % kinit
Password for tdb@TEST.DOMAIN:
kinit: Program lacks support for encryption type while getting initial
credentials
tdb@vulture [~] %
I'm getting a touch lost at this point to be honest :)
My diagnosis is that the Solaris 8 client doesn't properly support des3. We
could just use the heimdal client side stuff (that works fine!), but we want
to use the secure NFS stuff that the Solaris clients offer (part of SEAM). I
don't yet know if that will work with heimdal clients.
Has anyone got the SEAM NFS stuff going? (with or without heimdal)
Cheers,
Tim.
--
Tim Bishop (T.D.Bishop@ukc.ac.uk),
Computer Science Computing Officer,
University of Kent at Canterbury.
http://www.cs.ukc.ac.uk/people/staff/tdb/