On Fri, 2014-07-25 at 11:00 +0100, Dameon Wagner wrote:
> Using an LDAP backend with multi-master replication _could_
> potentially allow for having more than one active krb5-admin-server in
> your realm, but I don't know if this is a supported configuration in
> MIT (IIRC Heimdal may allow this, b
On Sat, 2014-09-13 at 18:52 +0200, Rick van Rein wrote:
> I did find that the -E (MIT) or --enterprise (Heimdal) switch works to
> log in to a principal u...@example.com@EXAMPLE.COM; without the flag, I
> need to escape the first @ with a backslash; the Ticket Viewer of Mac
> OS X also needs this back
On Fri, 2014-10-24 at 13:29 +0200, Lars Hanke wrote:
> During boot of my system (Debian Wheezy) k5start is invoked to supply a
> ticket for accessing the AD DC by nslcd. However, during boot it fails:
>
> k5start: error getting credentials: Cannot contact any KDC for realm
> 'MY.AD.REALM'
>
> I
On Tue, 2015-03-03 at 10:25 +0800, arun elango wrote:
> What is the root cause behind the error below:
>
> "Inappropriate I/O control operation getting initial ticket".
>
> The CIRCUMSTANCE is when I try to change password using kpassword, I try
> to pass the arguments to the console programati
On Fri, 2015-03-13 at 14:55 +0100, Robert Wehn wrote:
> There is a bug report/suggested patch which seems to make it possible
> but never seemed to get into the kernel:
> http://www.spinics.net/lists/linux-nfs/msg34236.html
>
> What is your opinion to this behavior?
> Do you think this is reasonab
On Thu, 2015-04-02 at 16:37 -0700, Paul B. Henson wrote:
> Does the ldap backend need a substring index on krbPrincipalName in
> addition to the equality index? What kdc or kadmin operation might
> result in a substring search?
Two operations come to mind, both kadmin requests: listprincs and ktad
On Fri, 2015-04-24 at 14:44 -0500, Ben H wrote:
> Some searching I did indicated the possible existence of a "profile"
> directive in kdc5.conf to point to a different krb5.conf, but that
> didn't
> seem to work.
It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
private directory
On Thu, 2015-05-07 at 17:08 +0200, Fabrice Bacchella wrote:
> I can always provide a keytab for both the server and the client, so I
> don't need to have a kdc running. But how can I have the service
> ticket (host/localhost@DOMAIN) ? To get it I need a running KDC. If I
> put it in the keytab, it
On Fri, 2015-05-29 at 11:45 -0400, Benjamin Kaduk wrote:
> I don't have a definite answer for you, but:
>
> 1.7 is very old.
>
> 4294967295 is 0x is -1 as a 32-bit twos-complement integer
For what it's worth, we just had a customer report this problem ---
after a Heimdal update. (I didn'
On Tue, 2015-06-02 at 11:13 -0700, Aravind Jerubandi wrote:
> Hello,
>
> Could you please answer my query?
Did you miss
http://mailman.mit.edu/pipermail/kerberos/2015-May/020765.html
?
--
brandon s allbery kf8nh sine nomine associates
allber...@gmail.com
On Tue, 2015-06-02 at 18:26 -0500, Nico Williams wrote:
> On Tue, Jun 02, 2015 at 10:57:59PM +0000, Brandon Allbery wrote:
> > On Tue, 2015-06-02 at 11:13 -0700, Aravind Jerubandi wrote:
> > > Hello,
> > >
> > > Could you please answer my query?
> >
On Wed, 2015-06-24 at 15:10 -0500, Ben H wrote:
> Why is the cache not initialized on interactive login and an additional
> manual
> kinit is required?
This may have nothing to do with keyring ccache, but only with a
misconfigured PAM stack that is not creating a ccache with the ticket
from login.
A
>
> Would this indicate that it isn't the PAM stack not creating the cache
> or would it more likely be the PAM module not utilizing the keyring
> properly? Or perhaps the PAM module doesn't understand how to work
> with the keyring?
>
>
> thanks.
>
>
On Fri, 2015-07-10 at 08:37 +, Andrew Levin wrote:
> I have noticed that even after I delete my kerberos ticket cache, as
> below, I remain authenticated (eg I can open files in an area where
> kerberos authentication is required). How is this possible?
There is a procedure called "aklog" whic
On Wed, 2015-09-09 at 15:45 -0500, Ben Kim wrote:
> My worry about 10G is when data traffic gets jammed or network goes down
> KDC may not respond. 10G network cables are not redundant for budget reason.
> My worry about 1G network is network bandwidth. I'm pretty new to Kerberos,
> and as a servic
On Wed, 2015-09-23 at 13:44 +, Tim Alsop wrote:
> Does anybody know how the API: cache on Mac OS X 10.10 works?
> Is it stored in memory, and is there a daemon that owns the memory
> allocated for credentials caches ?
> Also, is it working same as the API cache in MIT and/or Heimdal code ?
App
Note that this can have strange interactions with NFS4; some implementations
will use the first ccache they find in what they believe to be the ccache
directory which is owned by the right uid, and when that ticket expires NFS
operations will fail. How you deal with this depends on the NFS4
imp
Kadmin requires additional setup; the error you got indicates that you did not
configure kadm5.acl to specify what principals have what access levels.
It also sounds like you did not configure the keytab on slaves properly.
You should review the exact configuration steps you followed vs. what th
Not sure what you are asking... Kerberos is an open source project. Integrators
may charge for it or for commercial products based on it (including those with
integration with LDAP and management tools).
-Original Message-
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu]
Kerberos picks a realm based on the hostname. When you use the
swir.private.ceb.private.dom hostname, it infers the realm
PRIVATE.CEB.PRIVATE.DOM from your [domain_realm] mapping; but Samba is not
using that realm for authentication and AD doesn’t know about that realm.
In general, trying to mi
On 7/14/16, 17:32, "kerberos-boun...@mit.edu on behalf of Mauro Cazzari"
wrote:
# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
I would turn these off; they refer t
Last time I looked at the openssh source code, turning them on could interfere
with the GSSAPI code: notably, it could cause the “old style” ticket forwarding
hack to be attempted instead of GSSAPI credential delegation, which will fail
with GSSAPI credentials.
On 7/15/16, 01:39, "kerberos-boun
You are going to have to describe what you are trying to do in more detail.
Keytabs are not normally used for this purpose, except in the case of automated
procedures (e.g. cron) that need to log in to a service as if they are a user.
Perhaps you have confused keytabs (“passwords” on disk) with
luster. So this is the main drawback. And as you say
logging using keytab files is not appropriate then how can we achieve this
objective?
Thanks
On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery
mailto:ballb...@sinenomine.net>> wrote:
You are going to have to describe what you are tryi
On Wed, 2014-04-02 at 12:57 -0700, Chris Hecker wrote:
> I use kadm5_get_privs as a ping for an admin perl script, see this thread:
>
> http://mailman.mit.edu/pipermail/kerberos/2012-February/017811.html
That does not test the KDC, it tests kadmind.
On Fri, 2014-04-04 at 18:21 +0200, Wendy Lin wrote:
> On 24 March 2014 11:31, Wendy Lin wrote:
> Of course, I do not know why this suddenly works. Can someone explain
> this? Why didn't it work when pam_unix came first?
Because root will always have a local account (required for the system
to ope
On Fri, 2014-04-04 at 18:43 +0200, Wendy Lin wrote:
> On 4 April 2014 18:29, Brandon Allbery wrote:
> > On Fri, 2014-04-04 at 18:21 +0200, Wendy Lin wrote:
> >> On 24 March 2014 11:31, Wendy Lin wrote:
> >> Of course, I do not know why this suddenly works. Can som
On Fri, 2014-04-04 at 18:57 +0200, Wendy Lin wrote:
> On 4 April 2014 18:54, Brandon Allbery wrote:
> > On Fri, 2014-04-04 at 18:43 +0200, Wendy Lin wrote:
> >> But why did the other account (test001) had similar issues? Does it
> >> mean I always have to use pam
On Fri, 2014-04-25 at 15:05 +0100, Kenneth MacDonald wrote:
> Thinking aloud ... I wonder how difficult it would be to have krb5kdc
> optionally stop recording failures while the database is locked.
FWIW, Heimdal uses a transaction log, like a real database manager.
Changes go into the log and can
On Thu, 2014-05-01 at 15:34 +0200, steve wrote:
> On Wed, 2014-04-30 at 15:05 -0400, Tom Yu wrote:
> > A previous version of this announcement had inconsistent times listed
> > for this teleconference.
>
> OMG. Inconsistent times? On the Kerberos list? Brilliant!
Kerberos uses UTC; for some inco
On Fri, 2014-05-09 at 14:23 +0800, anuj gupta wrote:
> I am unable to generate keys after the step kinit. Before that I have
> completed everything.
> I had created principals, edited, deleted, modified. But when I try to
> generate keys it
> say the principal not found on server. I am attaching
On Thu, 2014-05-29 at 13:35 -0400, squidmob...@fastmail.fm wrote:
> KRB5_CLIENT_KTNAME=./some.key.file kinit
> at this point, kinit did what it wanted and not what i expected.
I am not sure kinit will automatically use the keytab just because the
environment variable is there. I would expect the
On Sat, 2014-06-07 at 16:13 +0200, steve wrote:
> We have a Samba4 domain with some Linux clients joined under DHCP. We
> are updating their DNS records via the nsupdate facility in SSSD. All is
> fine, but the worrying issue is that the machines still function even
> with the wrong rr registered i
On Sat, 2014-06-07 at 17:11 +0200, steve wrote:
> Here is a login on a client at 192.168.1.22. Change the IP and it still
> works fine, even though it's not registered in the DNS db (maintained
> via bind9) on the DC.
>
> Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for
> kr
On Fri, 2014-06-13 at 17:21 +0530, Manish Gupta wrote:
> kerberos implementation in my platform take cares of secure storage of
> kerberos credential cache. it is protected from any unauthorized access.
>
> In this case is there any harm in using long term TGT, like TGT valid for a
> month?
>
> I