Re: logging stanza in krb5.conf?

2025-04-17 Thread Ken Hornstein via Kerberos
>All, > >Maybe this is a docbug, but we had the following stanza in our krb5.conf, >on our KDC's running MIT krb5 1.21.3 (FreeBSD pkg). > >[logging] >kdc = FILE:/var/log/krb5kdc >admin_server = FILE:/var/log/kadmin >default = FILE:/var/log/k

logging stanza in krb5.conf?

2025-04-16 Thread Dan Mahoney
All, Maybe this is a docbug, but we had the following stanza in our krb5.conf, on our KDC's running MIT krb5 1.21.3 (FreeBSD pkg). [logging] kdc = FILE:/var/log/krb5kdc admin_server = FILE:/var/log/kadmin default = FILE:/var/log/krb5 And I recently discovered tha

Re: Inquiry Regarding CVE-2024-26461 Fix in Upcoming krb5 Release

2024-11-08 Thread Greg Hudson
On 11/8/24 01:43, Zhang, Shawn via Kerberos wrote: I can see that commit c5f9c816107f70139de11b38aa02db2f1774ee0d <https://github.com/krb5/krb5/commit/c5f9c816107f70139de11b38aa02db2f1774ee0d> includes the fix for CVE NVD - CVE-2024-26461<https://nvd.nist.gov/vuln/detail/CVE-2

Inquiry Regarding CVE-2024-26461 Fix in Upcoming krb5 Release

2024-11-08 Thread Zhang, Shawn via Kerberos
Dear Greg Hudson, I hope this message finds you well. I am writing to inquire about the current status and expected timeline for addressing the CVE identified in the krb5 software. Our team needs to understand when a fix for this vulnerability will be available in an upcoming release to plan

krb5-1.21.3 is released

2024-06-26 Thread Greg Hudson
. Retrieving krb5-1.21.3 == You may retrieve the krb5-1.21.3 sources from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.21.3 release is: https://web.mit.edu/kerberos/krb5-1.21/ Further information about Kerberos 5 may be found at the

krb5-strength 3.3 released

2023-12-26 Thread Russ Allbery
I'm pleased to announce release 3.3 of krb5-strength. krb5-strength provides a password quality plugin for the MIT Kerberos KDC (specifically the kadmind server) and Heimdal KDC, an external password quality program for use with Heimdal, and a per-principal password history implementatio

krb5-1.21.2 is released

2023-08-15 Thread Greg Hudson
. Retrieving krb5-1.21.2 == You may retrieve the krb5-1.21.2 sources from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.21.2 release is: https://web.mit.edu/kerberos/krb5-1.21/ Further information about Kerberos 5 may be found at the

krb5-1.21.1 and krb5-1.20.2 are released

2023-07-18 Thread Greg Hudson
. Retrieving krb5-1.21.1 and krb5-1.20.2 == You may retrieve the krb5-1.21.1 and krb5-1.20.2 sources from the following URL: https://kerberos.org/dist/ The homepages for the krb5-1.21.1 and krb5-1.20.2 releases are: https://web.mit.edu

krb5-1.21 is released

2023-06-05 Thread Greg Hudson
KERBEROS 5 RELEASE 1.21 == You may retrieve the Kerberos 5 Release 1.21 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.21 release is: https://web.mit.edu/kerberos/krb5-1.21/ Further information about Kerberos

Re: Using a stub krb5.conf with "include"

2023-02-24 Thread Nico Williams
CONFIG=/etc/file1:/etc/file2, a finalized section in file1 >suppresses the same section in file2. But it doesn't work if it's all >within file1. > > 2) An include statement in a krb5.conf file does NOT count as a new file for >the purposes of finalization. >

Re: Using a stub krb5.conf with "include"

2022-12-12 Thread Ken Hornstein via Kerberos
if it's all within file1. 2) An include statement in a krb5.conf file does NOT count as a new file for the purposes of finalization. If I am wrong about these things, I'd sure love a correction. Honestly, I can't see a reason why a finalized section in a file just doesn't

Re: Using a stub krb5.conf with "include"

2022-12-12 Thread John Devitofranceschi
> On Dec 12, 2022, at 3:24 PM, Greg Hudson wrote: > > On 12/12/22 14:04, John Devitofranceschi wrote: >> % cat mykrb5.conf >> [libdefaults] >> default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid} >> include /etc/krb5.conf > >> I cannot find a de

Re: Using a stub krb5.conf with "include"

2022-12-12 Thread Greg Hudson
On 12/12/22 14:04, John Devitofranceschi wrote: % cat mykrb5.conf [libdefaults] default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid} include /etc/krb5.conf I cannot find a description of the behaviour of the ‘include’ directive with respect to this kind of thing. https

Using a stub krb5.conf with "include"

2022-12-12 Thread John Devitofranceschi
Greetings! I would like to create an application specific krb5.conf where I can override some system-wide settings while still taking advantage of the rest. As an example would something like this work if I wanted to define my own ccache location and name format? % cat mykrb5.conf

krb5-1.20.1 and krb5-1.19.4 are released

2022-11-15 Thread Greg Hudson
. Retrieving krb5-1.20.1 and krb5-1.19.4 == You may retrieve the krb5-1.20.1 and krb5-1.19.4 sources from the following URL: https://kerberos.org/dist/ The homepages for the krb5-1.20.1 and krb5-1.19.4 releases are: https://web.mit.edu

MIT krb5 security release on 2022-11-15

2022-11-05 Thread Greg Hudson
There will be an MIT krb5 security advisory on November 15, 2022, with corresponding patch releases 1.20.1 and 1.19.4. The KDC, kadmind, and GSS and Kerberos application servers are affected. The impact is significantly reduced on 64-bit platforms

krb5-1.20 is released

2022-05-26 Thread Greg Hudson
KERBEROS 5 RELEASE 1.20 == You may retrieve the Kerberos 5 Release 1.20 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.20 release is: https://web.mit.edu/kerberos/krb5-1.20/ Further information about Kerberos

Re: Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

2022-05-15 Thread Andrej Mikus
On Sat, 14.May.22 08:47:32 -0400, John Devitofranceschi wrote: > > > > On May 9, 2022, at 3:03 PM, Andrej Mikus wrote: > > I am pointing KRB5_CONFIG to a file with correct KDC address/name, but > > kinit always refers to the IP specified in /etc/krb5.conf. > > &

Re: Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

2022-05-14 Thread John Devitofranceschi
> On May 9, 2022, at 3:03 PM, Andrej Mikus wrote: > I am pointing KRB5_CONFIG to a file with correct KDC address/name, but > kinit always refers to the IP specified in /etc/krb5.conf. > > It is my understanding that setting environment variable overrides any > use of files

Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

2022-05-09 Thread Andrej Mikus
Hi, I would like to request comment/suggestion for a problem that resembles https://stackoverflow.com/questions/33132768/kerberos-still-using-default-etc-krb5-conf-file-even-after-setting-krb5-config As a linux user, I am trying to access IIS website protected by Kerberos. Linux is managed by

krb5-1.19.3 and krb5-1.18.5 are released

2022-03-14 Thread Greg Hudson
. Retrieving krb5-1.19.3 and krb5-1.18.5 == You may retrieve the krb5-1.19.3 and krb5-1.18.5 sources from the following URL: https://kerberos.org/dist/ The homepages for the krb5-1.19.3 and krb5-1.18.5 releases are: https://web.mit.edu

Re: 2FA with krb5

2021-10-15 Thread Ken Hornstein
>We use TOTP. That allows us to tack the token on the end of the >password. That makes it easy to fix programs that expect a simple >password prompt. > >In fact I have a wrapper that can be interposed around pretty much >anything using LD_PRELOAD. >[...] Well, that answers PART of my question. And

Re: 2FA with krb5

2021-10-15 Thread Charles Hedrick
I’m not using that code now. When using it for real I would generate a special key tab with a user that had no permissions to do anything or use the host key tab depending upon the application. Our staff and a few users have TOTP set for their account, so it has to work for everything. Logins u

Re: 2FA with krb5

2021-10-15 Thread Charles Hedrick
We use TOTP. That allows us to tack the token on the end of the password. That makes it easy to fix programs that expect a simple password prompt. In fact I have a wrapper that can be interposed around pretty much anything using LD_PRELOAD. https://github.com/clhedrick/kerberos/blob/master/radius

Re: KRB5 ccache on MACOS

2021-10-11 Thread Ken Hornstein
s "No credentials found". I submitted a pullup request to add support for that, and it is here: https://github.com/krb5/krb5/pull/1221 If you apply that patch to MIT Kerberos, it might work better for you. --Ken Kerberos mailing

Re: KRB5 ccache on MACOS

2021-10-10 Thread Ken Hornstein
> I was trying to share a FILE ccache between different process/logins on a >MAC but it seems gss_init_sec_context ignores KRB5CCNAME on a MAC. Is that >correct ? If so is there a way to share the API ccache ? Which version of MacOS X are you on? --Ken

Re: KRB5 ccache on MACOS

2021-10-10 Thread Markus Moeller
It is #sw_vers ProductName:macOS ProductVersion: 11.6 BuildVersion: 20G165 Markus "Ken Hornstein" wrote in message news:202110102213.19amdrlm030...@hedwig.cmf.nrl.navy.mil... > I was trying to share a FILE ccache between different process/logins on > a >MAC but it seems gss_init_sec

Re: KRB5 ccache on MACOS

2021-10-10 Thread Markus Moeller
Hi, I tried to use the MIT version 1-19 instead on my MAC but ran into a different issue. The same code works on Linux but on MAC I get this SPNEGO error. Any hint why this might be the case ? gss_init_sec_context()failed: Unspecified GSS failure. Minor code may provide more information. SPN

KRB5 ccache on MACOS

2021-10-09 Thread Markus Moeller
Hi I was trying to share a FILE ccache between different process/logins on a MAC but it seems gss_init_sec_context ignores KRB5CCNAME on a MAC. Is that correct ? If so is there a way to share the API ccache ? The case I have is a background job seems to use the API ccache of when the use

Re: 2FA with krb5

2021-10-08 Thread Greg Hudson
On 10/8/21 7:45 AM, Ken Hornstein wrote: >> I mean, this might be dumb, but why not have the kdc able to speak to >> pam modules directly? > Kerberos is "I am going to take your password which I already know, > convert it into an encryption key, and use it to verify your Kerberos > request". Kerb

Re: 2FA with krb5

2021-10-08 Thread Ken Hornstein
>I mean, this might be dumb, but why not have the kdc able to speak to >pam modules directly? All of those things are "send me a 2FA token and I will verify it". (Also, the pam API really really wants to talk to a person, that's the whole point of the "pam conversation" functions; I don't see how

Re: 2FA with krb5

2021-10-07 Thread Dan Mahoney
radius server is not >> exceedingly hard either. > > Yeah, for the record it was just the RADIUS bit that I didn't already have > working. If anyone is curious: > >https://github.com/rra/pam-krb5/tree/master/ci > > contains scripts that will set up either

Re: 2FA with krb5

2021-10-07 Thread Ken Hornstein
>Ken Hornstein writes: > >> I am not sure of the client coverage of the OTP FAST factor, though. > >For what it's worth, although my pam-krb5 module implements FAST including >both keyed and anonymous FAST, it does not implement FAST OTP. This is >because (a) I did

Re: 2FA with krb5

2021-10-07 Thread Ken Hornstein
>I've been running Privacyidea (https://www.privacyidea.org/) for some >time to manage the tokens. Exposed the Application with RADIUS and told >FreeIPA to authenticate against RADIUS. Had some rough edges, but was >usable for me and is able to manage many kinds of tokens. So what's the _client_

Re: 2FA with krb5

2021-10-07 Thread Jochen Kellner
Ken Hornstein writes: >>I've been running Privacyidea (https://www.privacyidea.org/) for some >>time to manage the tokens. Exposed the Application with RADIUS and told >>FreeIPA to authenticate against RADIUS. Had some rough edges, but was >>usable for me and is able to manage many kinds of token

Re: 2FA with krb5

2021-10-07 Thread Russ Allbery
ecord it was just the RADIUS bit that I didn't already have working. If anyone is curious: https://github.com/rra/pam-krb5/tree/master/ci contains scripts that will set up either an MIT Kerberos KDC or a Heimdal KDC with PKINIT configured and a variety of keytabs and whatnot premade. Th

Re: 2FA with krb5

2021-10-07 Thread Simo Sorce
On Thu, 2021-10-07 at 15:14 -0400, Ken Hornstein wrote: > > Ken Hornstein writes: > > > > > I am not sure of the client coverage of the OTP FAST factor, > > > though. > > > > For what it's worth, although my pam-krb5 module implements FAST >

Re: 2FA with krb5

2021-10-07 Thread Russ Allbery
Ken Hornstein writes: > Huh, I _kinda_ thought that if you had FAST going, you got FAST OTP (on > the client at least) for free! Which shows what I know. Maybe it works > already and you never tested it? The bit that I suspect doesn't work is all the interactions between the prompting and the

Re: 2FA with krb5

2021-10-07 Thread Simo Sorce
On Thu, 2021-10-07 at 11:50 -0700, Russ Allbery wrote: > Ken Hornstein writes: > > > I am not sure of the client coverage of the OTP FAST factor, though. > > For what it's worth, although my pam-krb5 module implements FAST including > both keyed and anonymous FAST,

Re: 2FA with krb5

2021-10-07 Thread Russ Allbery
Ken Hornstein writes: > I am not sure of the client coverage of the OTP FAST factor, though. For what it's worth, although my pam-krb5 module implements FAST including both keyed and anonymous FAST, it does not implement FAST OTP. This is because (a) I didn't find any documentat

Re: 2FA with krb5

2021-10-07 Thread Jochen Kellner
Hi, [I'm running Kerberos inside FreeIPA, so plain Kerberos might be different...] Ken Hornstein writes: >>We'd like to be able to leverage 2fa for some services (admins) and some >>services (ssh logins) but not have to pump a 2fa code into, say, our mail >>applications. Is there a way to

Re: 2FA with krb5

2021-10-07 Thread J.Witvliet
2021 at 23:18:51 To: "kerberos@mit.edu" mailto:kerberos@mit.edu>> Subject: 2FA with krb5 All, We use Kerberos but NOT LDAP at the day job. We'd like to be able to leverage 2fa for some services (admins) and some services (ssh logins) but not have to pump a 2fa code into, say, our m

Re: 2FA with krb5

2021-10-06 Thread Ken Hornstein
hose requires a bit of magic at kinit time, which I haven't completely sussed out all yet. I'm not actually sure if FAST OTP has been deployed anywhere; it may be! If so, no one talks about it. One advantage of SAM2 is that it "just works" when you enable it (assuming everything els

2FA with krb5

2021-10-06 Thread Dan Mahoney (Gushi)
All, We use Kerberos but NOT LDAP at the day job. We'd like to be able to leverage 2fa for some services (admins) and some services (ssh logins) but not have to pump a 2fa code into, say, our mail applications. Is there a way to make the acquisition of a TGT (for GSSAPI authentication) vs Pas

Compiling krb5-1.18.4 on Linux

2021-10-05 Thread Jim Shi
Hi, when I run ./configure, I got the following error: checking for time_t... yes checking size of time_t... configure: error: in `/ngs/app/dsservd/krb5-1.18.4/src': configure: error: cannot compute sizeof (time_t) See `config.log' for more details Any idea? How to fix it? BTW I w

Re: Compiling krb5-1.18.4 on Linux

2021-10-05 Thread Greg Hudson
On 10/5/21 3:24 PM, Jim Shi wrote: > configure: error: cannot compute sizeof (time_t) > See `config.log' for more details This error typically means the compiler configuration isn't working at that point in the autoconf script, and you have to (as suggested) look at config.log for more details to

krb5-1.19.2 fails compilation in src/tests/gssapi/common.c with HP aCC on HP-UX

2021-08-18 Thread Osipov, Michael (LDA IT PLM)
Folks, my compiler tells me: > /opt/aCC/bin/aCC -Ae -DHAVE_CONFIG_H -DUSE_AUTOCONF_H -I../../include > -I../../include -I./../../lib/gssapi/mechglue -I./../../lib/gssapi/krb5 > -I./../../lib/gssapi/generic -I../../lib/gssapi/krb5 > -I../../lib/gssapi/generic -DKRB5_DEPRECATED=1 -D

krb5-1.19.2 and krb5-1.18.4 are released

2021-07-26 Thread Greg Hudson
. Retrieving krb5-1.19.2 and krb5-1.18.4 == You may retrieve the krb5-1.19.2 and krb5-1.18.4 sources from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.19.2 and krb5-1.18.4 releases are: https://web.mit.edu/kerberos

Kerberos: Loading libgssapi krb5.a

2021-07-07 Thread Ranga S
Hi ! I get a problem with the gss-api libgssapi_krb5.a. When we put the libgssapi_krb5.a in a SAP kernel directory ( .../exe/run) and activating the SNC parameters in the instance profile, the sap systems starts but it does not allow any connection to the system. I have noticed that the w

/etc/krb5.conf

2021-06-18 Thread Turritopsis Dohrnii Teo En Ming
/etc/krb5.conf Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos ksu not working with NFSv4 mount sec=krb5

2021-05-30 Thread Benjamin Kaduk
On Sat, May 22, 2021 at 02:22:08PM -0400, Jason Keltz wrote: > Hi. > > I'm unable to get ksu working with krb5 NFSv4, and can't quite figure out > why. > > I am logged into a RHEL7 system as a user "jas" (uid 1004) with working > Kerberos (Samba AD im

Kerberos ksu not working with NFSv4 mount sec=krb5

2021-05-22 Thread Jason Keltz
Hi. I'm unable to get ksu working with krb5 NFSv4, and can't quite figure out why. I am logged into a RHEL7 system as a user "jas" (uid 1004) with working Kerberos (Samba AD implementation). I want to switch from user jas to user tdb (uid 1011) using ksu. I set up a

pam-krb5 4.10 released

2021-03-20 Thread Russ Allbery
I'm pleased to announce release 4.10 of pam-krb5. This is a small bug-fix release with a possible security fix, although I don't see a path to exploit the bug. But better safe than sorry. pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket ref

krb5-1.19.1 is released

2021-02-18 Thread Greg Hudson
homepage for the krb5-1.19.1 release is: https://web.mit.edu/kerberos/krb5-1.19/ Further information about Kerberos 5 may be found at the following URL: https://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: https://www.kerberos.org/ Triple-DES transition

krb5-1.19 is released

2021-02-01 Thread Greg Hudson
the krb5-1.19 release is: https://web.mit.edu/kerberos/krb5-1.19/ Further information about Kerberos 5 may be found at the following URL: https://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: https://www.kerberos.org/ DES no longer supported

krb5-1.17.2 is released

2020-11-17 Thread Greg Hudson
homepage for the krb5-1.17.2 release is: https://web.mit.edu/kerberos/krb5-1.17/ Further information about Kerberos 5 may be found at the following URL: https://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: https://www.kerberos.org/ Feedback based on

krb5-1.18.3 is released

2020-11-17 Thread Greg Hudson
. RETRIEVING KERBEROS 5 RELEASE 1.18.3 You may retrieve the Kerberos 5 Release 1.18.3 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.18.3 release is: https://web.mit.edu/kerberos/krb5-1.18/ Further information

Re: krb5-18.2: MDB_BAD_RSLOT: Invalid reuse of reader locktable slot

2020-06-19 Thread Greg Hudson
other processes and can be reclaimed, because both daemons open the DB before daemonizing. I have filed a ticket and a pull request: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8918 https://github.com/krb5/krb5/pull/1088 Kerberos mailin

krb5-18.2: MDB_BAD_RSLOT: Invalid reuse of reader locktable slot

2020-06-18 Thread rachit chokshi
Hello, I was trying out the latest release hoping to reap the benefits of LMDB for our systems. However each time I start krb5kdc and kadmin processes separately (one after another/at a different point in time) I see below in krb5kdc logs. *LMDB read failure (path: /var/kerberos/krb5kdc/principal.

krb5-1.18.2 is released

2020-05-22 Thread Greg Hudson
. RETRIEVING KERBEROS 5 RELEASE 1.18.2 You may retrieve the Kerberos 5 Release 1.18.2 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.18.2 release is: https://web.mit.edu/kerberos/krb5-1.18/ Further information

krb5-strength 3.2 released

2020-05-17 Thread Russ Allbery
I'm pleased to announce release 3.2 of krb5-strength. krb5-strength provides a password quality plugin for the MIT Kerberos KDC (specifically the kadmind server) and Heimdal KDC, an external password quality program for use with Heimdal, and a per-principal password history implementatio

krb5-1.18.1 is released

2020-04-13 Thread Greg Hudson
KERBEROS 5 RELEASE 1.18.1 You may retrieve the Kerberos 5 Release 1.18.1 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.18.1 release is: https://web.mit.edu/kerberos/krb5-1.18/ Further information about

pam-krb5 security advisory (4.9 and earlier)

2020-03-30 Thread Russ Allbery
Vulnerability type: Buffer overflow Versions affected: All versions prior to 4.8 Versions fixed: 4.9 and later Discovered: 2020-03-02 Public announcement: 2009-03-30 CVE ID: CVE-2020-10595 During a refactor of my pam-krb5 Kerberos PAM module, I discovered a single

Re: [oss-security] pam-krb5 security advisory (4.9 and earlier)

2020-03-30 Thread Russ Allbery
Russ Allbery writes: > Public announcement: 2009-03-30 Mutter. Obviously, this should be 2020-03-20. -- Russ Allbery (ea...@eyrie.org) Kerberos mailing list Kerberos@mit.edu https://mailman.

Re: [oss-security] pam-krb5 security advisory (4.9 and earlier)

2020-03-30 Thread Russ Allbery
Russ Allbery writes: > Russ Allbery writes: >> Public announcement: 2009-03-30 > Mutter. Obviously, this should be 2020-03-20. Or even 2020-03-30, a mistake that I have made every time I have written that date. -- Russ Allbery (ea...@eyrie.org) __

pam-krb5 release 4.9

2020-03-30 Thread Russ Allbery
I'm pleased to announce release 4.9 of pam-krb5. pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and pas

krb5-1.18 is released

2020-02-12 Thread Greg Hudson
krb5-1.18 release is: https://web.mit.edu/kerberos/krb5-1.18/ Further information about Kerberos 5 may be found at the following URL: https://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: https://www.kerberos.org/ DES no longer supported

krb5-1.17.1 is released

2019-12-11 Thread Greg Hudson
for the krb5-1.17.1 release is: https://web.mit.edu/kerberos/krb5-1.17/ Further information about Kerberos 5 may be found at the following URL: https://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: https://www.kerberos.org/ Feedback based on

krb5-1.16.4 is released

2019-12-11 Thread Greg Hudson
KERBEROS 5 RELEASE 1.16.4 You may retrieve the Kerberos 5 Release 1.16.4 source from the following URL: https://kerberos.org/dist/ The homepage for the krb5-1.16.4 release is: http://web.mit.edu/kerberos/krb5-1.16/ Further information about

Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread Todd Grayson
ts REALM B, but A and B do not trust each other) you will need > to read up on using CAPATH maps as well. > > Glad to help. > > On Wed, Dec 11, 2019 at 7:05 PM GemNEye wrote: > >> On 2019-12-11 18:52, Todd Grayson wrote: >> >> The domain_realm section of the krb5.

Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread Todd Grayson
trusts REALM B, and REALM C trusts REALM B, but A and B do not trust each other) you will need to read up on using CAPATH maps as well. Glad to help. On Wed, Dec 11, 2019 at 7:05 PM GemNEye wrote: > On 2019-12-11 18:52, Todd Grayson wrote: > > The domain_realm section of the krb5.conf is

Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread GemNEye
On 2019-12-11 18:52, Todd Grayson wrote: > The domain_realm section of the krb5.conf is used to map DNS domain names to > kerberos realms. So lets say you had an active directory domain (dns domain > and AD domain) of ad.example.com [1], its kerberos realm would be > AD.EXAMPLE.

Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread Todd Grayson
The domain_realm section of the krb5.conf is used to map DNS domain names to kerberos realms. So lets say you had an active directory domain (dns domain and AD domain) of ad.example.com, its kerberos realm would be AD.EXAMPLE.COM, but lets say your environment had linux servers in dev.example.com

Kerberos / krb5.conf / CentOS7

2019-12-11 Thread GemNEye
I am trying to configure Kerberos, SSSD, SAMBA, SSSD on CentOS7 servers (without using winbind). I have had some success in getting everything to work, but after reviewing different docs found on the web my understanding of all the configurations is weak. In the /etc/krb5.conf file, what is

Re: /etc/krb5.conf for IPV6

2019-11-06 Thread Yegui Cai
Ok, thanks! On Wed, Nov 6, 2019 at 4:04 PM Greg Hudson wrote: > On 11/6/19 2:57 PM, Yegui Cai wrote: > > It looks like we need to have brackets around IPV6 addresses inside > > /etc/krb5.conf. Am I right? It is, why would that be the case? > > Yes, you do need b

Re: /etc/krb5.conf for IPV6

2019-11-06 Thread Greg Hudson
On 11/6/19 2:57 PM, Yegui Cai wrote: > It looks like we need to have brackets around IPV6 addresses inside > /etc/krb5.conf. Am I right? It is, why would that be the case? Yes, you do need brackets; see http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#realms wher

/etc/krb5.conf for IPV6

2019-11-06 Thread Yegui Cai
Hi, It looks like we need to have brackets around IPV6 addresses inside /etc/krb5.conf. Am I right? It is, why would that be the case? Thanks, Yegui Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5 library missing functions for collections

2019-08-15 Thread Greg Hudson
On 8/15/19 10:01 AM, Charles Hedrick wrote: > I can actually do the combination of MIT libkrb5 and Heimdal KCM. I’m > assuming that the Mac has a normal Heimdal KCM. It appears they differ in this regard. The kcm_access() function determines which clients see which caches, and the implementation

FW: krb5 library missing functions for collections

2019-08-15 Thread Jeffries, Joseph L
Please remove me from this list. Thanks! -Original Message- From: kerberos-boun...@mit.edu On Behalf Of Charles Hedrick Sent: Thursday, August 15, 2019 9:01 AM To: Jakub Hrozek Cc: kerberos@mit.edu Subject: Re: krb5 library missing functions for collections On Jul 30, 2019, at 4:17

Re: krb5 library missing functions for collections

2019-08-15 Thread Charles Hedrick
;t >>> visible in the collection as presented to that client. Clients can >>> only create ccaches with names beginning with their ":" prefix. >>> >>> In practice, users other than root will typically see disjoint >>> collections, where each cach

Re: krb5 library missing functions for collections

2019-07-30 Thread Jakub Hrozek
hes with names beginning with their ":" prefix. > > > > In practice, users other than root will typically see disjoint > > collections, where each cache name begins with the client's euid. But > > that's not a fundamental property of the daemon

Re: krb5 library missing functions for collections

2019-07-29 Thread Robbie Harwood
ons, where each cache name begins with the client's euid. But > that's not a fundamental property of the daemon, and therefore not an > assumption of either the MIT krb5 or Heimdal client code. > > One could conceivably build this namespace assumption into the client, > retrof

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
I think you can actually do that now. But I’m not convinced it’s worth it. You can tell rpc.gssd to look in a specific directory. The default is /tmp then /run/user/%U. You’d probably want to reverse the order. But these are used after GSSAPI, so in practice they probably wouldn’t get used. But

Re: krb5 library missing functions for collections

2019-07-26 Thread Greg Hudson
On 7/26/19 9:09 AM, Charles Hedrick wrote: > I’ve submitted a feature request to fix the default ccselect plugin so > it reads /etc/k5identity if the user doesn’t have one or it doesn’t > apply. Also, you’d need to recognize ${username}. That would let me > specify a policy for NFS credentials, whi

Re: krb5 library missing functions for collections

2019-07-26 Thread Ken Hornstein
>I think a real solution involves a separate kernel attribute >for the principal to use for NFS. Indeed it might need to be >filesystem-specific, though in practical cases maybe not. (You’d also >need to consider how to do idmap in that case.) That already exists; the keyring functionality is used

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
on UID, the only sane choice for rpc.gssd is the principal associated with my username. That means current behavior is broken. I now have a ccselect plugin to fix that. It has to be configured in /etc/krb5.conf. You can’t do it in ~/.k5identity. rpc.gssd ignores that, for good reason. If my home dir

Re: krb5 library missing functions for collections

2019-07-26 Thread Charles Hedrick
sane choice for rpc.gssd is the principal associated with my username. That means current behavior is broken. I now have a ccselect plugin to fix that. It has to be configured in /etc/krb5.conf. You can’t do it in ~/.k5identity. rpc.gssd ignores that, for good reason. If my home directory is on

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
where. I haven’t checked this in the code, but I’d > expect it in a krb5.conf mapping, .k5identity, and/or idmap. I doubt you want > NFS to use whatever random ticket may be in the default cache for the uid > making the access. As far as I can tell it doesn’t actually do that now. > &

Re: krb5 library missing functions for collections

2019-07-23 Thread Simo Sorce
t; > I think if you want a local user joe to access NFS as jdoe@REALM, > you’d want to set up that mapping somewhere. I haven’t checked this > in the code, but I’d expect it in a krb5.conf mapping, .k5identity, > and/or idmap. I doubt you want NFS to use whatever random ticket may >

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
; don’t see why it couldn't specify that in the first place. > > I think if you want a local user joe to access NFS as jdoe@REALM, you’d want > to set up that mapping somewhere. I haven’t checked this in the code, but I’d > expect it in a krb5.conf mapping, .k5identity, and/or i

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
set up that mapping somewhere. I haven’t checked this in the code, but I’d expect it in a krb5.conf mapping, .k5identity, and/or idmap. I doubt you want NFS to use whatever random ticket may be in the default cache for the uid making the access. As far as I can tell it doesn’t actually do tha

Re: krb5 library missing functions for collections

2019-07-23 Thread Charles Hedrick
as presented to that client. Clients can only > create ccaches with names beginning with their ":" prefix. > > In practice, users other than root will typically see disjoint > collections, where each cache name begins with the client's euid. But > that's not a

Re: krb5 library missing functions for collections

2019-07-23 Thread Simo Sorce
On Mon, 2019-07-22 at 20:10 +, Charles Hedrick wrote: > The problem is that the code in rpc.gssd works as follows: > > * get the default credential from the collection > * fail unless it’s username@DOMAIN > > If you replace the initial step by code telling it explicitly to get > username@D

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
In my opinion NFS actually works fine for realistic cases, once a couple of bugs are fixed and some other tools are put in place. In real cases, the user logs in with a principal username@DOMAIN. That is always placed in the default collection defined in /etc/krb5.conf. At least for us, they

Re: krb5 library missing functions for collections

2019-07-22 Thread Greg Hudson
y of the daemon, and therefore not an assumption of either the MIT krb5 or Heimdal client code. One could conceivably build this namespace assumption into the client, retrofitting it to treat "KCM:uid" as a collection by filtering out caches whose names don't begin with the uid prefi

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
Some more testing on MacOS. With the native Mac utilities, it uses credential type API: It appears that if you set KRB5CCNAME to API or API:uid, it behaves the same way: It creates new unique names like API:027B19DC-01E6-4610-9300-7E3E1DFF706A. Even if I set KRB5CCNAME to a specific cache, if I

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
On Jul 22, 2019, at 1:00 PM, Greg Hudson mailto:ghud...@mit.edu>> wrote: By my reading, KEYRING also doesn't generally include the uid in the name. Again, I can only speak for what I see in Redhat and Ubuntu. The default for KRB5CCNAME is KEYRING:persistent:UID. Something (I think a combination

Re: krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
Please be aware that I’m using Redhat’s KCM implementation in sssd. It’s supposed to be compatible with Heimdal’s, but based on documentation it appears that it may not be. The default value of KRB5CCNAME is simply KCM: It had better be user-specific, or everybody shares a collection. geneva:

Re: krb5 library missing functions for collections

2019-07-22 Thread Greg Hudson
On 7/22/19 11:16 AM, Charles Hedrick wrote: > I was surprised to find the methods to do these things aren’t present. Here’s > what I’ve defined: Some of this is covered in https://k5wiki.kerberos.org/wiki/Projects/Credential_cache_collection_improvements (which unfortunately has not been worked o

krb5 library missing functions for collections

2019-07-22 Thread Charles Hedrick
I have code to deal with a number of difficulties in implementing kerberos transparently to users. Some of this code needs to know whether a KRB5CCNAME is a collection or a specific cache, and to be able to find the collection if it’s a cache. I was surprised to find the methods to do these thi
