I'm using Kerberos constrained delegation (s4u2proxy)
for a proxy server that is authenticating clients to a
Microsoft Active Domain server.
I'm using GSS-API because I want to end up with a SPNEGO
Authorization header, and SPNEGO is a GSS-API mechanism.
The user (client) principals I have to wor
Hi Nico,
> But mainly the appeal of this approach is that the pieces needed all exist.
Are you talking of http://www.citi.umich.edu/projects/kerb_pki/ as your kx509
implementation? It appears to be based on Kerberos4…
-Rick
Kerberos mailing list
Hi folks,
Recently I've been working on cross-realm support to give my own realm,
UMRK.NL, access to the services of a realm that I manage. All systems
involved run Debian wheezy. So far, SSH, OpenLDAP, OpenAFS and Dovecot
IMAP are all working properly this way, but NFSv4 with sec=krb5i is not;
On Wed, Jul 2, 2014 at 6:23 AM, Rick van Rein wrote:
> Hi Nico,
>
>> But mainly the appeal of this approach is that the pieces needed all exist.
>
> Are you talking of http://www.citi.umich.edu/projects/kerb_pki/ as your kx509
> implementation? It appears to be based on Kerberos4…
No. Heimdal
Hi.
After some discussion with folk in the #openafs IRC channel, I
wanted to send you some feedback on KfW 4.0.1 and the Ticket Manager
app.
Our environment is Windows 7 attached to a domain. With profiles/etc
living on the OpenAFS filesystem (currently at OpenAFS for Windows
1.7.29).
Thing
BTW, DANE stapling is not that hard. I have been pointed at AGL's
code for it. The RP side doesn't need a DNSSEC resolver to implement
it because all the records are stapled, and the RP doesn't need to
implement non-existence checking and so on -- just validate the
signature chain to the RP's DNS
On Wed, 25 Jun 2014, Giuseppe Mazza wrote:
> Is it the normal behaviour?
> I thought you should have a valid stash file in place to access the
> database on the slave. Maybe not?
> Or there is some kind of caching?
> Do you know how it works?
The master key is ~only used to encrypt the long-term
I'm pleased to announce release 3.9 of remctl.
remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike
On 7/2/2014 12:11 PM, Nico Williams wrote:
> No. Heimdal has a kx509 server and client. And there are other
> implementations:
>
> https://secure-endpoints.com/kcacred/index.html
That is the link to the Network Identity Manager provider. The Active
Directory Service implementation is here
h
On 7/2/2014 1:03 PM, Dave Botsch wrote:
> Also, being able to auto obtain afs tokens as a side effect of getting
> Kerberos tickets would be really useful. Users have a hard time
> distinguishing Kerberos Tickets from AFS Tokens, and so users need one
> app that does both at the click of a single b
Remi Ferrand writes:
> No problem at all, feel free to change the ACL scheme name. From my
> point of view "unixgroup" is more suited in this very case as
> "localgroup" could be confusing for people that would like to use some
> other "groups" backends (non local ones) also supported by libnss