On Fri, Feb 15, 2008 at 12:43 AM, Victor Sudakov <[EMAIL PROTECTED]> wrote: > Steven Miller wrote: > > > > > > What could be the reason that I cannot telnet from > > > FreeBSD to Solaris 10 > > > with the following error: > > > > > > Connected to oracle.sibptus.tomsk.ru. > > > Escape character is '^]'. > > > [ Trying mutual KERBEROS5 > > > (host/[EMAIL PROTECTED])... ] > > > [ Kerberos V5 refuses authentication because > > > Kerberos checksum verification failed: Bad > > > encryption type ] > > > [ Trying KERBEROS5 > > > (host/[EMAIL PROTECTED])... ] > > > [ Kerberos V5 refuses authentication because > > > Kerberos checksum verification failed: Bad > > > encryption type ] > > > Password: > > I believe that solaris (as as solaris 9) only supports > > des-cbc-crc encrypion. > > Actually, there *is* a des-cbc-crc key in the keytab, why wouldn't it just > use it? > > # klist -e -k /etc/krb5/krb5.keytab > Keytab name: FILE:/etc/krb5/krb5.keytab > KVNO Principal > ---- ----------------------------------------------------------------------- > 1 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32) > 1 host/[EMAIL PROTECTED] (etype 2) > 1 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5) > 1 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
probably because your client is getting a Triple DES service ticket from the KDC, since that would be the strongest encryption type [that it thinks the service supports]. If the Solaris machine can only do DES, then re-issue the keytab with only a DES key: ktadd -e des-cbc-crc:normal ost/[EMAIL PROTECTED] K.C. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
