Clock skew too great status code

2014-02-05 Thread Arpit Srivastava
Hi, What is the difference between these two minor status codes ? -1765328373 KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is negative or too short and -1765328347 KRB5KRB_AP_ERR_SKEW Clock skew too great Because both of them seem to be getting generated when time on the client-side is

Re: Kind of Tickets Granting Control List

2014-02-05 Thread Damien Touraine
On 05/02/2014 06:40, Greg Hudson wrote: On 02/04/2014 11:39 PM, Damien Touraine wrote: I am looking for a method to filter ticket granting. For instance, I have two NFS servers (nfs/server1@REALM and nfs/server2@REALM) and one computer client (nfs/client@REALM). I want Kerberos to grant nfs/clie

RE: Forwarded credentials are cached and reused on Mac - is it acceptable?

2014-02-05 Thread Srinivas Cheruku
I have filed the bug #15988717 with Apple if anyone is interested in this fix. -Original Message- From: Srinivas Cheruku [mailto:srinivas.cher...@gmail.com] Sent: 05 February 2014 10:38 To: 'Greg Hudson'; 'kerberos@mit.edu' Subject: RE: Forwarded credentials are cached and reused on Mac

Re: Clock skew too great status code

2014-02-05 Thread Greg Hudson
On 02/05/2014 03:36 AM, Arpit Srivastava wrote: > -1765328373 KRB5KDC_ERR_NEVER_VALID Requested effective lifetime is > negative or too short This means the KDC responded with protocol error 11 (KDC_ERR_NEVER_VALID), which means that based on the requested end time, the ticket would be immediatel

Re: Clock skew too great status code

2014-02-05 Thread Nico Williams
On Wed, Feb 5, 2014 at 11:05 AM, Greg Hudson wrote: > This could all work better if krb5 had used a ticket lifetime instead of > an end time (like krb4 did, but without the crazy 8-bit representation > of the lifetime). But the protocol was designed under the assumption > that clients, servers, a

On getting the subkey from EncAPRepPart

2014-02-05 Thread Prakash Narayanaswamy
Hi everyone, Working towards kerberizing a SMB server (running on Linux), we've progressed past mutual authentication and are now working on providing security services using the GSS API. In particular, we are currently focusing on generating and validating the MACs -- I mean on signing the SMB me

Re: Challenging clients, why another ping-pong?

2014-02-05 Thread Nico Williams
On Tue, Feb 4, 2014 at 5:58 AM, Rick van Rein wrote: > Hello Greg, > >> What are you looking at specifically? GSSAPI exchanges begin with the >> client. > > I thought you might say that. I was looking at SPNEGO, which embeds GSSAPI > but where the initiative is (usually) taken by the server. I

Re: On getting the subkey from EncAPRepPart

2014-02-05 Thread Greg Hudson
On 02/05/2014 07:12 PM, Prakash Narayanaswamy wrote: > We got the session key using the GSS API gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY) [...] > Now for the question: Does the aforementioned API return the subkey from > EncAPRepPart of the KRB_AP_REP message Yes, it does ret