[kerberos-discuss] Problem with U4 and SUNWcry

[Peter Shoults]

Are you sure that all the players in these scenarios below have AES 256 
setup correctly
in their (kdc krb5).conf files, and that if you look at their keys, you 
can see the aes-256 key?
Although I thought all this stuff would negotiate down if it could not 
deal with aes-256 to perhaps
aes-128.

Just an idea.

pete


Anthony Scarpino wrote:
> I am not aware of any problems on the crypto side that would cause 
> this.. There maybe some assumptions that Kerberos is making about 
> configurations so I'll add the kerberos alias to see if they have any 
> input..
>
> Tony
>
> Brian Kolaci wrote:
>   
>> With the U4 release, it appears the SUNWcry package is now installed
>> with the base system.
>>
>> My customer has some Kerberos KDC's that are using an earlier version
>> of Solaris 10 (U1 or U3 I believe), however when you try to build a
>> new slave KDC with U4, it fails to communicate with the master due
>> to an incompatible (albeit stronger) encryption mechanism.  If you
>> remove the SUNWcry package, then it seems to work.
>>
>> Another test performed was building a client with U4 using a PAM
>> stack that authenticates against Kerberos and when this client tries
>> to contact the KDC's from earlier versions, it too fails to communicate
>> due to incompatible encryption.  Again removing SUNWcry seems to resolve
>> the problem.
>>
>> Are these known issues?  Are there configuration settings that will
>> resolve these?  Is there already a bug filed?  (This should work out of
>> the box).
>>
>> Thanks,
>>
>> Brian
>> _______________________________________________
>> crypto-discuss mailing list
>> crypto-discuss at opensolaris.org
>> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss
>>     
>
> _______________________________________________
> kerberos-discuss mailing list
> kerberos-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
>