Ok, this one has me a bit stumped... We have a functioning production kerberos environment that I'm trying to add a Solaris 11 (beta 79) client to.
The kdc in my immediate realm where the host principals are located is a Solaris 9 host, and we have several working Solaris 10 client machines within the same realm. The kdc in the parent university realm is an older Heimdal kdc (version 0.6.3) and limited to only speak des-cbc-crc. All of the student user principals are located in the parent realm. If I stay strictly within the local Sun/MIT realm everything works fine and I can ssh into the Solaris 11 client machine using my local realm credentials. The krb5.keytab file on the client machine matches the host principal stored on the Solaris 9 kdc, etc. And, if I log into the Solaris 11 client machine using a local account, do a "kinit [EMAIL PROTECTED]", type in my university password, and then a "klist", that works fine too and shows me what I would normally see if I simply ssh into the other Solaris 10 client machines using my university account and type klist. The problem comes in when I try to ssh into the new Solaris 11 client machine. The logs on the university's Heimdal kdc look fine, but on the local Solaris 9 kdc where the host principal is located, the following shows up in the kdc log: krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353, <unknown client> for host/[EMAIL PROTECTED], Decrypt integrity check failed The clocks on all of the machines involved are in sync via ntp, so it shouldn't be a clock issue. Any tips on what I might be able to look at next would be greatly appreciated. Thanks, Brian ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
