On Tue, 22 Jul 2003 [EMAIL PROTECTED] wrote:
> Are you sure Heimdal is thread-safe? Like a month ago I checked with
> them and theirs is not thread-safe either.
- Rumor has it that while heimdal is not guaranteed to be
thread-safe, in practice it works well enough. (i.e. there
are a lot of people
- I'm being lazy this morning and am looking for
a pointer to either a Heimdal or MIT compatible
daemon that supports the MS Set Password protocol.
- It's my understanding that the RFC is still
in draft form, I'm just looking for something
that interoperates with the unix compatibility
code that M
On Thu, 11 Mar 2004, Digant Kasundra wrote:
> Is anyone aware of any product that can sync passwords between an MIT
> Kerberos KDC and MS Active Directory?
>
> Is it even possible to "hook into" a password change event in Kerberos? Can
> that trigger an event or something of that sort? I know th
In article <[EMAIL PROTECTED]>,
Jonathan Javier Cordoba Gonzalez <[EMAIL PROTECTED]> wrote:
>Thanks to all of you I actually got that it works...
>
>According to Russ the LDAP Back End doesn't improve the performance... there
>are some performance tests??
>
I find it hard to imagine anything goi
On Mon, 8 Oct 2007, [EMAIL PROTECTED] wrote:
>
> The main issue is an LDAP scheme to implement. There are some bits
> and pieces floating around but nothing I would consider definitive
> beyond what Novell implemented for the back-end project. Group
> consensus on a suitable schema would be an i
In article <[EMAIL PROTECTED]>,
Mr J.A. Gilbertson <[EMAIL PROTECTED]> wrote:
>On Thu, 8 Nov 2007, Ken Raeburn wrote:
>
>Do you know of any other method whereby we would be able to effectively
>let Kerberos delegate the authentication step to LDAP, and then carry on
>as if that part had been done
In article <[EMAIL PROTECTED]>,
Mr J.A. Gilbertson <[EMAIL PROTECTED]> wrote:
>
>And we had hoped this could be achieved without having to create a
>duplication of all our user data into a Kerberos specific database, or
>for Kerberos to require to add any data to our LDAP server since it's
>bas
In article <[EMAIL PROTECTED]>,
Jeff Blaine <[EMAIL PROTECTED]> wrote:
>I lied. RHELv4 krb5 works fine. Anyway, back to
>RHELv3...
>
>I updated the krb5 RPMs on the box which brought me to
>a whopping -67 1.2.7 release.
>
I've had lots of problems using 3des enctypes in that very old
version of
In article <[EMAIL PROTECTED]>,
Victor Sudakov <[EMAIL PROTECTED]> wrote:
>Colleagues,
>
>Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>
It's whatever both sides of the connection agree that it should
be BEFORE the connection is made. DNS names are used by default
sin
In article <[EMAIL PROTECTED]>,
Victor Sudakov <[EMAIL PROTECTED]> wrote:
>Booker Bense wrote:
>> >
>> >Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>> >
>
>> It's whatever both sides of the connection agree
In article <[EMAIL PROTECTED]>,
Victor Sudakov <[EMAIL PROTECTED]> wrote:
>Douglas E. Engert wrote:
>> >
>> > Is a Kerberos principal always a DNS name? Can't an IP literal be used?
>
>> I think they must be names, but don't have to be in DNS. The name could
>> be in /etc/hosts. The client and se
In article <[EMAIL PROTECTED]>,
Mukarram Syed <[EMAIL PROTECTED]> wrote:
In theory there should be no problem with a lower case realm...
In practice you run into all kinds of problems. I'm not sure
what the status is these days, but when I worked on the main
campus, part of my job was tweaking ke
This whole conversation seems misguided to me. Kerberos is an
authentication system, not an authorization one. Access to a service is an
authorization issue. Since there is no universal authorization scheme for
kerberos applications, any workable revocation system will have to
build that first. Tha
FWIW, I ran a realm in the early nineties (in kerberos 4 no less) in
which all the user names were email addresses, some of which were quoted
Full names with spaces and punctuation. It was exactly the nightmare you
might expect. It did shake out a lot of parsing bugs in the principal
escaping co
I realize this will probably just muddy the waters, but they are waters you
have to muddy at some point to effectively use kerberos.
One of the key things to realize about kerberos is that the fundamental
unit of "membership" in a realm is the process, not the machine or user.
A process is in the
In poking around on the web, I've found that MIT has some duo integration
for the kinit program.
Is there any documentation available on how this was implemented?
thanks,
- Booker C. Bense
Kerberos mailing list Kerberos@mit.edu
https://ma
I'm trying to build Openssh with mit krb5 1.7 on Solaris 5.10 machines
and am getting SIGKILLs when the child ssh client attempts to start up
a session.
Does anyone else have this combo of software working on any platform?
thanks,
- Booker C. Bense
Any experience with USGCB (US Gov Computer Baseline) settings for windows
systems?
Our windows admins recently applied these settings for windows systems and
the cross realm trust with our unix based KDC has broken in the direction
of getting unix KDC service tickets with windows credentials. T
For various reasons[1] I've found that the pam solution doesn't
cover all bases and I've resorted to putting aklog in
/etc/ssh/sshrc
If you have an sshrc it needs to deal with the xauth stuff as
well.
#
# Evil workaround for pam sshd stupidity.
if [ -n "$KRB5CCNAME" ] && [ -x /usr/bin/aklog ]
On Jun 5, 2012, at 12:10 AM, Jan-Piet Mens wrote:
> Ross,
>
> On Tue Jun 05 2012 at 08:54:11 CEST, Russ Allbery wrote:
>
>> Our KDCs have always been open to the Internet.
>
> Oh, I've always thought KDCs need to be particularly protected from the
> elements...
The weakness of a KDC is read
On Fri, Aug 10, 2012 at 8:26 PM, Darek M wrote:
> Hi there, I'm sorry that this won't be strictly limited to Kerberos.
>
> I have an MIT/OpenLDAP set up running in a FreeBSD environment where
> nss_ldap provides user data and kerberos the authentication.
>
> The problem is that when the system goe
On Fri, Aug 17, 2012 at 11:21 AM, Matt Garman wrote:
> We have a simple, home-grown Perl-based job dispatching system. It's
> basically a per-user daemon that listens on a socket for job requests.
> When it gets a request, it calls fork() to dispatch the job.
>
> What we've found is that the for
On Wed, Sep 5, 2012 at 7:33 AM, Michael-O <1983-01...@gmx.net> wrote:
> For now, I do not see an alternative to a forward and reverse lookup at
> the moment. Well, isn't Kerberos used in managed environments only
> where only a few have control over DNS entries? In my case I am in a
> huge compa
On Wed, Sep 5, 2012 at 8:50 AM, Michael-O <1983-01...@gmx.net> wrote:
> On 2012-09-05 17:41, Booker Bense wrote:
>
> Agreed but this does not solve understanding the contradiction in the RFCs.
> I can't tell whether DNSSEC is deployed in our company.
Unless your company i
On Tue, Sep 11, 2012 at 12:32 PM, Russ Allbery wrote:
> Either NFS doesn't understand matt/cron as a user, or the local daemon
> that handles user credentials can't find the tickets. I believe you do
> have to be careful about how you name the ticket cache for NFS to pick it
> up.
>
Look into t
On Fri, Sep 14, 2012 at 10:58 AM, Matt Garman wrote:
> On Tue, Sep 11, 2012 at 9:21 PM, Booker Bense wrote:
>> On Tue, Sep 11, 2012 at 12:32 PM, Russ Allbery wrote:
>>
>>> Either NFS doesn't understand matt/cron as a user, or the local daemon
>>> that h
On Mon, Oct 8, 2012 at 5:21 AM, miten mehta wrote:
> Hi,
>
> I have attempted kerberos for SSO for web app using spring-security and have
> doubts. would appreciate if one can take look at my post here and advise.
>
> http://forum.springsource.org/showthread.php?130775-spring-security-spnego-ker
Java has its own version of GSSAPI based kerberos libraries built in.
This article explains how to set up a server that uses them to
authenticate SSHD.
http://alblue.bandlem.com/2011/11/sshd-server-in-java-with-kerberos.html
It might give a more java-centric view of the process of setting up
On Mon, Oct 22, 2012 at 5:51 PM, Jaap Winius wrote:
> On Mon, 22 Oct 2012 12:07:11 -0700, Russ Allbery wrote:
>
>> remctl doesn't, as yet, have support for anonymous PKINIT, although it's
>> something that I want to add.
>
> Then perhaps remctl is currently not part of a solution to this problem.
On Tue, Oct 23, 2012 at 11:19 AM, Booker Bense wrote:
> At SLAC we use a special ssh keypair to bootstrap the keytab
> installation process.
> I gave a talk about it a few years back.
>
> http://workshop.openafs.org/afsbpw07/talks/bbense.pdf
>
Looking back at those slides, I s
> There are additional attributes for the ou=People.
>
> At the moment we're still using NIS and AFS on our linux systems. I want
> the LDAP to provide a NIS replacement and authenticate via AFS and/or
> KRB5 so I can gradually move our systems to KRB5. AFS, KRB5 and LDAP
> will be provisioned from
On Tue, Oct 30, 2012 at 11:57 AM, Rainer Laatsch wrote:
>
>
>
> On Fri, 26 Oct 2012, Booker Bense wrote:
>
>> Do yourself a big favor and put kerberos entities in ou=Accounts.
>> There is not a one to one
>> relationship between accounts and people and you will
On Sun, Nov 11, 2012 at 8:50 PM, Greg Hudson wrote:
> On 11/11/2012 04:40 PM, Danny Thomas wrote:
> > kadmind hits 100% CPU when load-testing with <100 simulated clients.
>
> For password changes, kadmind has to run the string-to-key algorithm on
> the new password for each enctype in supported_e
Remctl is also a great solution to the "kerberized" inetd problem.
http://www.eyrie.org/~eagle/software/remctl/
On Sat, Dec 1, 2012 at 2:40 PM, Oliver Loch wrote:
> Hello,
>
> while playing around with some ideas on sending notifies from/to a
> machine, I started playing with inetd and ended u
I'm working with mod_auth_kerb and from a linux box, it works fine with
tickets from both of our realms, WIN.SLAC.STANFORD.EDU and SLAC.STANFORD.EDU.
Browsers running on windows boxes (IE and Firefox) fail with this error in
the apache server logs.
Warning: received token seems to be NTLM, whic
I'm attempting to use remctl on Solaris 5.10 x86, using the vendor provided
gssapi libraries and I am getting this error.
GSS-API error while accepting context: Unspecified GSS failure. Minor code
may provide more information, Bad encryption type
I've tried trimming the enctypes on the server pr
On Tue, Jul 1, 2014 at 9:34 AM, Matt Garman wrote:
> As far as I can tell, re-creating the keytab
> file causes the key version number (“KVNO”) to be incremented.
>
>
The "standard" way to deal with this problem is to keep both key version
numbers in the keytab file on the machine. The KDC only
On Thu, 14 Nov 2002, Ken Hornstein wrote:
> >Oops, no I hadn't! So, I just restarted krb5kdc and that seems to do it.
> >Of course, I still can't get a TGT with a lifetime greater than 21:15:00,
> >which is the max life set for my krbtgt principal. But at least I know
> >that 'kinit -l' isn't br
On Fri, 15 Nov 2002, Ken Hornstein wrote:
> > - Unless you are using the server principals to get tickets, I
> > don't see any reason to reset those values. Yes, you will get
> > service tickets with a shorter lifetime, but so what? As long
> > as you have a krbtgt you can get all the service tick
On Fri, 6 Jun 2003 [EMAIL PROTECTED] wrote:
> Hi:
>
> I've written a program to get TGT then do the Kerberos
> authentication by using GSS-API afterwards but I also want to
> do it in a smarter way. What I tried to achieve is I want to
> check if it expires or not, if so then I issue a real
On Fri, 23 May 2003 [EMAIL PROTECTED] wrote:
> I have been searching for a Kerberos-enabled email notification
> program (Linux or Windows). Something similar to Unix's "You have 10
> new messages" or a Windows system tray application. There are many
> available, but none seem to support Kerberos