>gotcha, thank you very much for all the help.
>I guess just out of curiosity:
>- for windows: there are other tools such as heimdall and microsoft
>kerberos. with those I don't know if you ever played around with them or
>know if they support smartcard and pin authentication to get a ticket
>manua
gotcha, thank you very much for all the help.
I guess just out of curiosity:
- for windows: there are other tools such as heimdall and microsoft
kerberos. with those I don't know if you ever played around with them or
know if they support smartcard and pin authentication to get a ticket
manually.
m
Hi,
for more information on this"
- People I work with have adapted the stock MIT Kerberos PKINIT plugin
to work on Windows.
Do you have any sort of documentation that you can point me to on how to
make this work with Windows? And also Mac, as we also have Mac users.
Currently, my main focus i
>for more information on this"
>- People I work with have adapted the stock MIT Kerberos PKINIT plugin
> to work on Windows.
>
>Do you have any sort of documentation that you can point me to on how to
>make this work with Windows? And also Mac, as we also have Mac users.
Unfortunately, no (at lea
>i was wondering if the question listed in the link below was ever answered
>and if not, i was hoping you could provide please.
>https://mailman.mit.edu/pipermail/kerberos/2010-September/016423.html
I can provide a quick summary:
- Current stock MIT Kerberos for Windows does not support pkinit (t
I just verified that OTP does work. Thanks.
> On Jan 16, 2019, at 12:01 PM, Greg Hudson wrote:
>
> On 1/16/19 11:23 AM, Charles Hedrick wrote:
>> We’re starting to use Windows Kerberos, with a 3rd party login screen that
>> calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell
Thanks. We’ll try to OTP. If there’s no PKINIT, I guess that means the armor
will have to come from the machine credentials. That should be workable.
A couple of us do kinit from home on the Mac. I don’t have a long list of
people asking for it for Windows, but if a couple of people do it for Ma
On 1/16/19 11:23 AM, Charles Hedrick wrote:
> We’re starting to use Windows Kerberos, with a 3rd party login screen that
> calls Kerberos. Some of our staff use FreeOTP 2FA. As far as I can tell, the
> most recent KfW doesn’t support 2FA or the https: proxy.
KfW 4.1 is based on krb5 1.13, which
Thank you, Todd Grayson for detailed information.
On Thu, Nov 8, 2018 at 10:07 PM Todd Grayson wrote:
>
> oops, typo by me:
>
> You are hard forcing AES for initial ticket granting ticket with the settings
> you are using for enctypes.
>
> Should read
>
> You are hard forcing AES for initial sess
oops, typo by me:
You are hard forcing AES for initial ticket granting ticket with the
settings you are using for enctypes.
Should read
You are hard forcing AES for initial session key and ticket granting ticket
with the settings you are using for enctypes.
On Thu, Nov 8, 2018 at 9:35 AM Todd G
You are hard forcing AES for initial ticket granting ticket with the
settings you are using for enctypes. Unset (comment out) the 3 enctype
lines for one of your tests. How to comment out lines in the krb5.conf is
covered in the second paragraph here:
https://web.mit.edu/kerberos/krb5-latest/do
There are ways to sync the AD server with the KDC, so in effect they are
separate but equal.
On Aug 20, 2016 12:14 PM, "Darren Terry" wrote:
List,
I am currently working on a project where I am required to integrate a
Windows 2012R2 domain with an existing Kerberos realm. The domain has not
bee
I noticed that I made a minor mistake when I typed the key, it should read:
HKEY_CURRENT_USER\SOFTWARE\MIT\MIT Kerberos\Settings
Randy
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100
On 11/18/2015 7:14 PM, Benjamin Kaduk wrote:
> On Wed, 18 Nov 201
On Wed, 18 Nov 2015, Randolph Morgan wrote:
> I found the answer to my question, so I thought I would share it with others
> here on the list. To get Windows to acknowledge that a ticket has been issued
Thank you for following up!
> through MIT Kerberos KfW 4.0.1 you need to edit a registry key
I found the answer to my question, so I thought I would share it with
others here on the list. To get Windows to acknowledge that a ticket
has been issued through MIT Kerberos KfW 4.0.1 you need to edit a
registry key. The key is located at: HKEY_CURRENT_USER\SOFTWARE\MIT
Kerberos\Settings.
On Mon, 16 Nov 2015, Randolph Morgan wrote:
> I have installed MIT Kerberos 4.0.1 on a Windows 10 machine. Everything
> I have read indicates that the identity manager is not integrated into
> the new ticket manager. Ticket manager shows that I have received a
I'm not sure what you mean by these
Yes, the TGT is passed directly by the host.
Please read the section "Messages in the Forwarding Process" here :
http://technet.microsoft.com/en-us/library/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28
It explains the steps clearly with the diagram.
On Sat, Apr 26, 2014 at 3:34 AM, Ben H wrote:
> That
Hi Ben,
On Fri, 25 Apr 2014, Ben H wrote:
> That's interesting - thank you. I was able to actually validate what you
> stated by installing MIT Kerberos on my Windows system and then configuring
> Putty's GSSAPI option to use the MIT GSSAPI libraries as preference.
> My first attempt with kfw-4.0
On 04/25/2014 11:49 PM, Ben H wrote:
> Based on your prior explanation I can't help but infer this means that
> although the new forwardable TGT session key may be different than my
> original TGT, it is still shared between all hosts that I delegate to,
> leading to a possible attack against all s
Ben H writes:
> Based on your prior explanation I can't help but infer this means that
> although the new forwardable TGT session key may be different than my
> original TGT, it is still shared between all hosts that I delegate to,
> leading to a possible attack against all systems should one be
Thanks again. I confirmed that the [domain_realm] entry worked both on a
unix host and on my kfw-3.2.2 install.
Once added, no referral was needed and only one entry shows in the cache.
Interestingly, in respect to your information on the forwarded ticket TGS
request, I found that Windows impleme
On 04/25/2014 07:16 PM, Ben H wrote:
> Is there some way to show a mapping that these two tickets are really
> identical?
In theory it would be possible to checksum the tickets and tell that
they are the same, but list doesn't know how to do this.
> Is the empty realm display really necessary onc
Great - thanks Greg - beginning to be much clearer.
So the TGT from B is actually a full request for the forwardable ticket
(not just a notification) and it gets sent right to the remote machine and
not cached locally.
I can confirm this with the issued time stamp not changing on the host, but
sho
On 04/25/2014 06:04 PM, Ben H wrote:
> 04/25/14 16:34:02 04/26/14 02:31:06 host/centos64-01.mydomain.local@
> Flags: FA
> 04/25/14 16:34:02 04/26/14 02:31:06
> host/centos64-01.mydomain.local@MYDOMAIN.LOCAL
> Flags: FA
These are the same ticket cached under two diffe
That's interesting - thank you. I was able to actually validate what you
stated by installing MIT Kerberos on my Windows system and then configuring
Putty's GSSAPI option to use the MIT GSSAPI libraries as preference.
My first attempt with kfw-4.0.1 was unsuccessful and I suspect it has to do
with
Your understanding is correct but credential delegation requirements are
API dependent instead of platform.
For Unix :
Putty uses MIT Kerberos - GSS API. When you enable delegation in putty it
requests GSS_C_DELEG_FLAG instead of GSS_C_DELEG_POLICY_FLAG which doesn't
check ok_as_delegate_flag, hen
Sorry to trudge up a thread a couple of months old - but I believe that the
behavior I'm seeing is directly related to this and instead of coming in
grasping at straws, I decided it would be best to use this as context.
I have a heterogeneous environment with a windows KDC which both my user
and c
@Christopher : I know about that option. I don't want to disable delegation
but I want to know the correct behaviour of MIT Kerberos with KDC Option I
specified.
@Greg, now it's clear to me.
Checked the code also. So, if initiator has requested GSS_C_DELEG_FLAG,
then delegation will always be done
On 02/10/2014 01:50 AM, Vipul Mehta wrote:
> In windows KDC there is delegation option associated with user properties.
> I've set it to "Do not trust this user for delegation" for User B i.e. User
> B will not be able to use delegated credentials.
I believe this option affects the ok-as-delegate
Try checking the "Account is sensitive and cannot be delegated" option
in the user properties and see if that does what you want. (I'm not
sure if it will or not, but I believe this is the option actually
intended to prevent Kerberos delegation.)
> Hi,
>
> Scenario : User A forwards his creden
On 9/26/13 3:55 PM, David Thompson wrote:
>
> I have a working kerberos environment, with Windows 2008R2 acting as
> KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
>
> I am trying to add ksu ability, with principals of the form USER/root,
> and cannot authenticate those principals.
J
On 9/26/13 9:45 PM, Benjamin Kaduk wrote:
>> I have a working kerberos environment, with Windows 2008R2 acting as
>> KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
>>
>> I am trying to add ksu ability, with principals of the form USER/root,
>> and cannot authenticate those principals.
On Thu, 26 Sep 2013, David Thompson wrote:
>
> I have a working kerberos environment, with Windows 2008R2 acting as
> KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
>
> I am trying to add ksu ability, with principals of the form USER/root,
> and cannot authenticate those principals.
Hello.
On 05/02/2013 10:33 AM, Jagan kona wrote:
I have installed MIT kerberos on Linux machine, and i want to authenticate
windows machine user( when user logon to the workstation) with MIT kerberos
on Linux (Authentication server). please provide me the steps i need to
follow. i have created u
Reinhard Kugler writes:
> There definitely is interest. We are keen to implement Kerberos with
> smartcards in our network, because it pretty fits the needs.
> Your support in this issue would be great!
New bug report:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7596
I'm not sure exact
Hello Chris
On 26.03.2013 20:58, c.ra...@t-online.de wrote:
> My Issue is now:
> If I try as MIT authenticated (mapped) user "usera" on system "windc"
> to access an published CIFS shared
> on server" memberhost" this works great via UNC. e.g.
> \memberhostpublishedFolder [2]
> But if I use
> I think we've seen this before; sometimes Windows omits the required
> "q" value in the Diffie-Hellman parameters (even though it can be
> trivially computed for certain well-known groups).
sounds familiar. During our tests we spotted this behavior in
pkinit_decode_dh_params
(plugins/preauth/pki
Reinhard Kugler writes:
> (continued...) - I accidentally sent the message while composing - sorry
>
> the pkinit authentication with the same certificates works fine with
> ubuntu 12.04 as a client.
> It seems Windows and Linux use different authentication schemes.
> I read in the RFC 4556 abou
(continued...) - I accidentally sent the message while composing - sorry
the pkinit authentication with the same certificates works fine with
ubuntu 12.04 as a client.
It seems Windows and Linux use different authentication schemes.
I read in the RFC 4556 about a diffie-hellman and public key - k
On 11/5/2012 2:49 PM, Dyer, Rodney wrote:
> Hi,
>
> I need some advice. I need to verify that an MIT/Windows trust option we've
> wanted to work, in fact cannot work. Can someone here maybe provide some
> insightful comments on our setup?
>
Have you looked at cross-forest trust between MOSAI
You can access more AD brainpower by posting this to
active...@mail.activedir.org or windows-h...@lists.stanford.edu
-
You are correct. The member server can only be a member of a single Kerberos
realm (Active Directory domain) at any time.
My first thought is that you need to add Top
On 5/4/2012 4:14 AM, Robert Wehn wrote:
> Hi Tiago,
>
> start here:
> http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA
> Section "Using an MIT KDC with a Standalone Windows 2000 Workstation"
>
> Since Vista/Server 2008 Windows supports the following Encryption Types:
> AES256-CTS-HMA
Hi Tiago,
start here:
http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA
Section "Using an MIT KDC with a Standalone Windows 2000 Workstation"
Since Vista/Server 2008 Windows supports the following Encryption Types:
AES256-CTS-HMAC-SHA1-96 (new since Vista/2008)
AES128-CTS-HMAC-SHA1-9
It looks like I had not cleared my windows cache. It works all fine with
2008 R2.
Markus
"Markus Moeller" wrote in message
news:iahs8a$ig...@dough.gmane.org...
> If I use RC4-hmac it works but AES 128/256 fail on Windows 2008 R2
> although
> AES 128/256 works on 2008. Can anybody confirm ? H
If I use RC4-hmac it works but AES 128/256 fail on Windows 2008 R2 although
AES 128/256 works on 2008. Can anybody confirm ? Has 2008 R2 changed
something compared to 2008 ?
Thank you
Markus
"Markus Moeller" wrote in message
news:iah61u$ra...@dough.gmane.org...
> Stepping through the debugger
Stepping through the debugger. I get an error here:
in krb5int_dk_decrypt from dk_aead.c using MIT 1.8.3
260
261 /* Compare only the possibly truncated length. */
262 if (memcmp(cksum, trailer->data.data, hmacsize) != 0) {
263 ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
264
"Simo Sorce" wrote in message
news:20101029175054.721e9...@willson.li.ssimo.org...
> On Fri, 29 Oct 2010 22:26:36 +0100
> "Markus Moeller" wrote:
>
>> Hi
>>
>> I try to use a Windows 2008 R2 server together with MIT libraries
>> 1.8.1 for Negotiate authentication. It works fine with 2008 but
On Fri, 29 Oct 2010 22:26:36 +0100
"Markus Moeller" wrote:
> Hi
>
> I try to use a Windows 2008 R2 server together with MIT libraries
> 1.8.1 for Negotiate authentication. It works fine with 2008 but 2008
> R2 seems to have implemented
> http://www.ietf.org/id/draft-zhu-negoex-02.txt which us
On 09/09/2010 12:21 PM, Bram Cymet wrote:
>Hi,
>
> I am using MIT Kerberos for windows and I am able to get a ticket using
> a password just fine but I would like to use a smartcard.
>
> I tried setting up my krb5.ini file the same way I have it in linux
> (which works great with the smart ca
Tom Medhurst wrote:
> Thanks Douglas,
>
> I removed the policy host/wdesk3.tnet.loc using kadmin.local and added
> it back in again with a known password. (ank -policy hosts
> host/wdesk3.tnet.loc).
>
> I then used ksetup on the windows 7 machine (wdesk3) to set the
> machine's password (ks
Tom Medhurst wrote:
> Hi Guys,
> I'm trying to get 2 Windows Clients (1x Windows XP Pro SP3, 1x Windows
> 7 Enterprise) configured so they logon via Kerberos 5-1.8 (Arch Linux
> Server, Kerberos 5 built from source), and I'm so close I can smell
> it! but...
>
> When I login I get the error m
. Clausen
To: raj esh L
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 22:53:11
Subject: Re: Windows event id 4 (kerberos)
I have no other suggestions. I'd say to try re-joining all three
computers, one at a time, and see if the errors go away.
The error basically means that the Ker
@mit.edu
Sent: Thu, 21 January, 2010 0:57:26
Subject: Re: Windows event id 4 (kerberos)
raj esh L wrote:
> We have observed Kerberos event id4 on one member server (Print server
> )BRAPRINT001 (10.1.37.167). Please find the description below about the event
> id. Can some one please help
raj esh L wrote:
> We have observed Kerberos event id4 on one member server (Print server
> )BRAPRINT001 (10.1.37.167). Please find the description below about the event
> id. Can some one please help me on it ?
>
> Event Type:Error
> Event Source: Kerberos
> Event Catego
ng over there. But I could not understand it.
>
> It's my humble request to verify those and make me understand.
>
>
>
>
>
> From: Christopher D. Clausen
> To: raj esh L
> Cc: kerberos@mit.edu
> Sent: Wed, 20 January, 2010 21:15:
ames are
appearing over there. But I could not understand it.
It's my humble request to verify those and make me understand.
From: Christopher D. Clausen
To: raj esh L
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 21:15:13
Subject: Re: Windows e
Please let me know if any other information is required.
From: raj esh L
To: Christopher D. Clausen
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 3:47:11
Subject: Re: Windows event id 4 (kerberos)
Than Q very much for your information and would appreciate.
3
> TCP Statistics for IPv4
> Failed Connection Attempts = 4275
> Segments Retransmitted = 24512
> UDP Statistics for IPv4
> Receive Errors = 22753
>
>
> Please let me know if any other information is required.
>
>
>
>
>
>
understand clearly about the description. if you would
explain what is going here with examples of server names based on description
that would be great.
From: Christopher D. Clausen
To: raj esh L
Cc: kerberos@mit.edu
Sent: Wed, 20 January, 2010 3:01:30
S
Is this for an actual Windows computer? Or a non-Windows machine
running something like Samba?
-
I see these all the time. I believe these occur on occasion when a
computer account automatically updates its machine account password in
Active Directory. (This is a normal function of a co
Windows AD accounts require "allow this account to be trusted for
delegation" to have Internet Explorer actually delegate credentials to
the web server (which you are requesting via the KrbSaveCredentials On
parameter.) Try turning this off and see if it does what you want.
Also, (and this is p
And you have enabled the "Integrated Windows authentication" option in IE6,
haven't you?
On 10.07.2009 19:20, Ahmar Nauman wrote:
>
> Hi,
>
> I'm using windows server 2003 as domain controller,
> I've successfully followed all the necessary steps required for setting up
> an SSO, generated keytab
> "VVN" == Viji V Nair writes:
VVN> Hi, I am trying to authenticate windows xp clients to an MIT
VVN> kerberos server. The Server is on a Linux machine and I have
VVN> both windows and Linux clients on my network. I have followed the
VVN> below steps, but no success.
VVN
rcial product that is much easier
than doing it manually with ktpass etc)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Douglas E. Engert
Sent: Wednesday, July 02, 2008 7:02 AM
To: Shambhulal R. Sharma
Cc: kerberos@mit.edu
Subject: Re: windows 2003 AD and k
Shambhulal R. Sharma wrote:
> Hi All
>
> I am trying to use Active Directory installed on Windows Server 2003 as
> KDC. I followed the Microsoft step-by-step guide
> http://technet.microsoft.com/en-us/library/bb742433.aspx to create a
> windows user account, ktpass command to map a service prin
kul gupta <[EMAIL PROTECTED]> wrote:
> Hi
> I am trying to build a kerberos client on windows os and KDC (MIT
> kerberos) lying on a linux server.
> I am trying to use the kerberos krb5_get_init_creds_password() but i am not
> able to find the lib files for the with the MIT kerberos windows
> ins
Following up: a support call to Microsoft revealed magic, undocumented
bits to get this working. Specifically:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\\RealmFlags =
REG_DWORD
#define KERB_MIT_REALM_KDC_LOOKUP 0x0001
Frank Siebenlist <[EMAIL PROTECTED]> writes:
> Ahhh, pkinit history... actually, pkinit originates from the good old
> DCE efforts at OSF from the 90's.
>
> The DCE-RFC's 68.3/4 show the evolution that Lynn talked about, where
> the last 68.4 was used for the current IETF pkinit incarnation after
>
Ahhh, pkinit history... actually, pkinit originates from the good old
DCE efforts at OSF from the 90's.
The DCE-RFC's 68.3/4 show the evolution that Lynn talked about, where
the last 68.4 was used for the current IETF pkinit incarnation after
some heated ietf-workgroup sessions...
http://www.openg
royend <[EMAIL PROTECTED]> writes:
> Can someone tell me differences between Windows Live and Kerberos?
> Is it possible for instance to sat that Windows Live uses as its basis
> the Needham-Schroeder protocol, the same way as Kerberos does?
>
> I believe that Kerberos is a more general protocol wh
> "EN" == Newman, Edward (GTI) <[EMAIL PROTECTED]> writes:
EN> Markus I have a request out to Microsoft to get more information
EN> on this. Microsoft apparently are not following the draft IETF
EN> standard as yet but have something similar (pre-draft spec)
EN> implemented in
Markus
I have a request out to Microsoft to get more information on this.
Microsoft apparently are not following the draft IETF standard as yet
but have something similar (pre-draft spec) implemented in 2000/2003. 09
spec shows differences in Appendix.
I would check both DNS and AD:
- For DNS ch
Markus Moeller wrote:
> Thomas,
>
> thank you for the pointer. I found my problem and it was related to having a
> duplicated entry in another domain (uat.example.com) which I forgot about. I
> had
>
>
>EXAMPLE.COM
> /| \
>
draft.
Thank you
Markus
- Original Message -
From: Thomas Maslen
To: [EMAIL PROTECTED]
Sent: Saturday, September 01, 2007 7:43 PM
Subject: Re: Windows Server Referral Problem
My understanding is that AD searches the entire forest (presumably by
doing a search in the G
Quanah Gibson-Mount wrote:
>
> --On Thursday, February 08, 2007 7:32 AM -0500 Sam Hartman
> <[EMAIL PROTECTED]> wrote:
>
>>> "Quanah" == Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
>> Quanah> --On Wednesday, February 07, 2007 5:07 PM -0500 Sam
>> Quanah> Hartman
>> Quanah>
> "Quanah" == Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
Quanah> --On Thursday, February 08, 2007 7:32 AM -0500 Sam Hartman
Quanah> <[EMAIL PROTECTED]> wrote:
>>> "Quanah" == Quanah Gibson-Mount <[EMAIL PROTECTED]>
>>> writes:
>>
Quanah> --On Wednesday, Fe
--On Thursday, February 08, 2007 7:32 AM -0500 Sam Hartman
<[EMAIL PROTECTED]> wrote:
>> "Quanah" == Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
>
> Quanah> --On Wednesday, February 07, 2007 5:07 PM -0500 Sam
> Quanah> Hartman
> Quanah> <[EMAIL PROTECTED]> wrote:
>
> >>
> "Quanah" == Quanah Gibson-Mount <[EMAIL PROTECTED]> writes:
Quanah> --On Wednesday, February 07, 2007 5:07 PM -0500 Sam
Quanah> Hartman
Quanah> <[EMAIL PROTECTED]> wrote:
>> I would be suspicious of whether you had properly managed to
>> set your machine password.
Q
--On Wednesday, February 07, 2007 5:07 PM -0500 Sam Hartman
<[EMAIL PROTECTED]> wrote:
> I would be suspicious of whether you had properly managed to set your
> machine password.
Define "machine password". You mean the password used between the machine
and the KDC for the keytab that was cre
I would be suspicious of whether you had properly managed to set your
machine password.
--Sam
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--On February 2, 2007 5:38:37 PM -0500 Michael B Allen <[EMAIL PROTECTED]>
wrote:
> On Fri, 02 Feb 2007 12:03:24 -0800
> Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>
>> "The system could not log you on. Make sure your User name and domain
>> are correct, then type your password again."
>>
On Fri, 02 Feb 2007 12:03:24 -0800
Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
> "The system could not log you on. Make sure your User name and domain
> are correct, then type your password again."
>
> Well, I'm sure both are correct, and I'm sure my password is correct,
> too, because the KD
On 2/2/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>
> Principal: host/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Thu Jun 29 11:16:19 PDT 2006
> Password expiration date: [none]
> Maximum ticket life: 1 day 01:00:00
> Maximum renewable life: 7 days 00:00:00
> Last m
Kevin Coffman <[EMAIL PROTECTED]> writes:
> On 2/2/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>> Any thoughts on why identical setups aren't working much appreciated.
>> One other detail since I first sent this out -- My home system will now
>> not allow me to become the member of a domai
--On February 2, 2007 4:41:23 PM -0500 Kevin Coffman <[EMAIL PROTECTED]>
wrote:
> On 2/2/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>>
>> Any thoughts on why identical setups aren't working much appreciated.
>>
>>
>> One other detail since I first sent this out -- My home system will no
On 2/2/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>
> Any thoughts on why identical setups aren't working much appreciated.
>
>
> One other detail since I first sent this out -- My home system will now not
> allow me to become the member of a domain, either.
Have you ruled out a firewall
On Aug 21, 5:36pm, "Douglas E. Engert" wrote:
} Subject: Re: Windows GSSAPI ssh connection via cross-realm authentication
Good day to everyone, hope the end of the week is going well.
> Jason Mogavero wrote:
>
> > Ok, I should note that adding a .k5login file to the
Jason:
I think you misunderstand the role of Kerberos here. Kerberos is being
used to authenticate the user by name. If the SSH service is in realm
"A.EXAMPLE.COM" and the user is in realm "B.EXAMPLE.COM", then after
successful authentication the SSH service knows the name as something
like "[EM
Ok, I should note that adding a .k5login file to the home directory of the
user I want to log in as did work. However, this setup won't work for us in
the long run.
The ultimate goal is to have tech support reps be able to ssh into our
multitude of hosted web servers to perform basic troubleshoot
Jason Mogavero wrote:
> There is no .k5login file in the home directory...though the user account
> does exist on the machine, eventually the user database is going to be stored
> on LDAP and there will not be individual user accounts on the ssh servers.
>
>
> Shouldn't the ACL take precedence an
Jason Mogavero wrote:
> Ok, I should note that adding a .k5login file to the home directory of the
> user I want to log in as did work. However, this setup won't work for
> us in
> the long run.
Good.
>
> The ultimate goal is to have tech support reps be able to ssh into our
> multitude of
There is no .k5login file in the home directory...though the user account
does exist on the machine, eventually the user database is going to be stored
on LDAP and there will not be individual user accounts on the ssh servers.
Shouldn't the ACL take precedence anyway? I don't have a .k5login in the
Do you have a .k5login file in the home directory on the
machine with the sshd? It should list the principals that
are allowed to access this unix account.
Note the return codes from the mm_answer_gss_userok is 1 when it
worked, 0 when it did not. So it looks like the gss authenticated you
but the
Ok, I found part one of my problem, in that on the non-windows KDC I had not
specified an encryption type and whatever is the default was not working
with the windows DC. I've fixed that and I can now get issued tickets by
the non-windows KDC. Here is the kdc.log entry for my ticket generation:
Jason Mogavero wrote:
> Hello all,
>
>I am implementing a Kerberos/GSSAPI solution in a test environment and I
> am experiencing some issues with allowed windows ssh clients to be granted
> access to the ssh server.
>
> The background:
>
> Windows AD is primary kdc with realm name KDCTEST.
We have actually made mods to FileZilla to support the CCC command to
allow use through a firewall (firewall could not follow state and port
commands while in 'private' or 'safe' mode). It wouldn't take too much
effort to have it set the xfer channel to 'C'lear.
If you still need it, email me dir
On Thursday 03 August 2006 04:28, Daniel B. Bailey wrote:
> hello, i have a situation where SSO (Single Sign On) for Oracle Portal uses
> Kerberos tokens ( Windows Authentication) to "sign on" to an Oracle system.
What Webbrowsers do you use?
What KDC-Software do you use?
What GSSAPI-implementatio
Yes, we do. :) But they were written in 1998 and I can't get them to
build in Windows against KfW.
-Mike
> NCSA had mods to the MIT ftp to run under Windows a few years ago, that
> worked
> with We used to use them. Google for: ncsa ftp kerberos
>
> http://www.ncsa.uiuc.edu/UserInfo/Resourc
Mike Dopheide wrote:
> Please don't laugh.
NCSA had mods to the MIT ftp to run under Windows a few years ago, that worked
with We used to use them. Google for: ncsa ftp kerberos
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/ncsa_faq.html
>
> Some of my users have a need for
The mentioned hotfix is http://support.microsoft.com/?kbid=906524 and
will be available in SP3. It updates the Kerberos dll and solved for us the
issue. Could you let me know if this solved your problem ?
Regards
Markus
""Markus Moeller"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL