Key history with LDAP backend?

2014-11-04 Thread Andreas Ntaflos
Hi, I see that the "-history" option for "add_policy" (in kadmin) is not supported when using the LDAP backend for Kerberos [1]. Is there *any* other way to ensure a user doesn't use one of his previous four keys when changing passwords and the Kerberos database is in LDAP? I ask because this is

Creating principal with +needchange and -pwexpire?

2010-11-09 Thread Andreas Ntaflos
unt. Minimising that risk is just good security policy although in reality that particular scenario is not very likely to really occur. Thanks in advance! Andreas -- Andreas Ntaflos Vienna, Austria GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4 -- Andreas Ntaflos Vienna, A

Re: Creating principal with +needchange and -pwexpire?

2010-11-09 Thread Andreas Ntaflos
On Tuesday 09 November 2010 17:53:04 Russ Allbery wrote: > Andreas Ntaflos writes: > > I would have thought that the following command does what I want: > > > > kadmin.local -q "addprinc +needchange +requires_preauth \ > > > > -pwexpire '15 minutes

Creating principal with +needchange and -pwexpire?

2010-11-09 Thread Andreas Ntaflos
rever if a user is too lazy to log in and change it in time. If it were anyone who manages to get hold of the email message containing the credentials could use the account. Minimising that risk is just good security policy although in reality that particular scenario is not very likely to really

Re: mod_auth_kerb problem

2010-11-29 Thread Andreas Ntaflos
On Thursday 25 November 2010 09:03:49 Ben Kwint wrote: > After that I installed apache on the same machine to test > mod_auth_kerb. Installed mod_auth_kerb module on the apache machine > and set up the following .htaccess file > > AuthType Kerberos > AuthName "Kerberos Login" > KrbVerifyKDC off

Strange klist output, missing realm in service principal name

2010-12-16 Thread Andreas Ntaflos
Hi all, I am wondering what (if anything) is wrong with the following output from klist. This is after authenticating against a kerberized Apache server with Firefox and negotiation enabled: $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: d...@example.com Valid starting Exp

Re: Strange klist output, missing realm in service principal name

2010-12-17 Thread Andreas Ntaflos
On Friday 17 December 2010 06:36:45 Greg Hudson wrote: > On Fri, 2010-12-17 at 00:01 -0500, Andreas Ntaflos wrote: > > Notice the first HTTP entry, the realm part after the "@" is > > missing. I don't know for sure but this looks wrong to me. > > This is an art

Migrating database to LDAP (kldap)

2011-08-27 Thread Andreas Ntaflos
Hello all, we have Kerberos 1.8.1 (Ubuntu 10.04) using the default database configuration (i.e. db2, /var/lib/kerberos) working fine alongside OpenLDAP, saslauthd (so that authentication against LDAP seamlessly goes against Kerberos) and PAM (and other things). I was now wondering if it is possib

Re: Migrating database to LDAP (kldap)

2011-08-29 Thread Andreas Ntaflos
On 28/08/11 17:49, Simo Sorce wrote: > On Sun, 2011-08-28 at 01:08 +0200, Andreas Ntaflos wrote: >> I was now wondering if it is possible to migrate the current Kerberos >> database to LDAP (with the kldap driver), without having to recreate the >> whole realm and every prin

pam-krb5 error when called from Samba

2011-08-29 Thread Andreas Ntaflos
Hello again, I hope this list is not inappropriate for questions about pam-krb5. I am trying to set up a standalone Samba server that integrates (as well as possible) with our LDAP and Kerberos infrastructure. Obviously this is cumbersome and difficult with the current state of affairs in Samba (a

Re: pam-krb5 error when called from Samba

2011-08-30 Thread Andreas Ntaflos
Russ, thank you for your reply! On 2011-08-30 05:39, Russ Allbery wrote: > "Conversation error" means that when pam-krb5 tried to prompt for the > password, it was unable to do so, usually because the application didn't > provide a conversation callback. How does smbpasswd -r provide the > passwo

SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Andreas Ntaflos
Hi list, I am currently experimenting a bit with Kerberos policies and have run into a small usability problem regarding SSH, pam-krb5 and REQUIRES_PWCHANGE. Using Kerberos 1.8.1, OpenSSH "5.3p1 Debian-3ubuntu6" on Ubuntu 10.04.3. Without a policy applied, a user with REQUIRES_PWCHANGE gets pro

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Andreas Ntaflos
On 2011-09-02 00:42, Russ Allbery wrote: > Andreas Ntaflos writes: > >> However, when a policy is set, and the user's new password does not >> conform to that policy, SSH does not inform the user of the problem, it >> simply re-prompts for the original pas

Re: pam-krb5 error when called from Samba

2011-09-01 Thread Andreas Ntaflos
On 2011-09-02 00:49, Russ Allbery wrote: > Andreas Ntaflos writes: > >> Russ, thank you for your reply! > > Sorry about not following up again; it looks like the mailing list ate the > list copy of the message, so it got misfiled. No problem, thanks for following up!

Re: SSH, REQUIRES_PWCHANGE and policies problem

2011-09-01 Thread Andreas Ntaflos
On 2011-09-02 01:11, Russ Allbery wrote: > The problem from SSH's perspective is that since it's doing an > authentication, not a password change, it doesn't know that the password > change failed. All that PAM can tell it is that the authentication > failed, not why (in this case a forced and fai

Re: pam-krb5 error when called from Samba

2011-09-01 Thread Andreas Ntaflos
On 2011-09-02 01:32, Russ Allbery wrote: > Andreas Ntaflos writes: > >> I am trying to "protect" our users from dealing with more than one >> password which is why I try to make password changes to different >> applications as seamless as possible. It seems howe

Re: Help: Samba and Kerberos integration

2011-10-16 Thread Andreas Ntaflos
On 15/10/11 15:59, Lee Eric wrote: > Thanks mate. So could users under Linux use Kerberos to log in to the > Samba server? Any docs here? Have a look at this to get you started: Andreas Kerberos ma

Wallet/remctld: Wrong principal in request

2012-10-26 Thread Andreas Ntaflos
Hi, I am trying to set up Wallet for streamlining keytab distribution, following Jan-Piet's interesting and insightful blog post [1] but I am somehow stumbling early on. Using Ubuntu 12.04 and MIT Kerberos 1.10 (1.10+dfsg~beta1-2ubuntu0.3, FWIW). Wallet I built from the latest git://git.eyrie.org/

Re: Wallet/remctld: Wrong principal in request

2012-10-26 Thread Andreas Ntaflos
On 2012-10-27 03:41, Russ Allbery wrote: > When you do a klist after you run wallet, what principal shows up in your > local ticket cache? It's not the same principal as is in /etc/krb5.keytab > on the remote system. > > Usually this means that there's something wrong with your DNS resolution. >

Re: Wallet/remctld: Wrong principal in request

2012-10-26 Thread Andreas Ntaflos
On 2012-10-27 04:47, Russ Allbery wrote: > Andreas Ntaflos writes: > >> But do I have to fear any negative consequences after adding more than >> one host principal to /etc/krb5.keytab? Will this break anything? Is it >> even "legal" to do? > > Nope, that

Leverage Kerberos/Wallet for non-interactive SSH and script execution

2013-05-22 Thread Andreas Ntaflos
Hi, I'd like to leverage our Kerberos (and Wallet) infrastructure to enable non-interactive SSH/SCP between two servers for a given user. Is this possible? Using MIT Kerberos 1.10 on Ubuntu 12.04 everywhere, currently still with Wallet from prior to 1.0 (but after 0.12). The scenario is this:

Re: Leverage Kerberos/Wallet for non-interactive SSH and script execution

2013-05-24 Thread Andreas Ntaflos
On 2013-05-22 21:20, Russ Allbery wrote: > Andreas Ntaflos writes: > >> The scenario is this: We have a Jenkins build server (build01) and an >> APT repo server (apt01, using Freight [1]). Jenkins does what it does >> and in the end creates DEB packages. Those DEB packag

Re: Leverage Kerberos/Wallet for non-interactive SSH and script execution

2013-05-24 Thread Andreas Ntaflos
On 2013-05-22 21:37, Ken Dreyer wrote: > On Wed, May 22, 2013 at 1:20 PM, Russ Allbery wrote: >> Then, use wallet to create that keytab on the build server, and then have >> your Jenkins server end its tasks by running: >> >> k5start -qUf /path/to/keytab/file -- /path/to/upload/script > > I r

Re: Puppet remctl module

2014-04-15 Thread Andreas Ntaflos
On 2014-04-11 09:59, Remi Ferrand wrote: > Hi everyone, > > At CC-IN2P3, we've released a puppet module for remctl deployment. Very cool, thanks! > It is available from the puppet forge: > http://www.puppetforge.com/ccin2p3/remctl. For the sake of completeness I'd like to mention that there is