Re: WebISO: the killer kerberos app?

2004-03-05 Thread Christopher D. Clausen
On Thursday, March 04, 2004 7:43p <[EMAIL PROTECTED]> wrote: > This is exactly the design of Stanford's WebAuth v3. :) See: > Is there a similar solution that will work with apache 1.3?

Re: problem setting up ssh-krb5 from Debian Sarge

2004-10-29 Thread Christopher D. Clausen
y just the session PAM config for pam_openafs_session. < Christopher D. Clausen [EMAIL PROTECTED] SysAdmin Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Re: problem setting up ssh-krb5 from Debian Sarge

2004-11-02 Thread Christopher D. Clausen
hd_config file? as having this set to yes seems to cause the behaviour that you describe with not getting AFS tokens at login. < Christopher D. Clausen [EMAIL PROTECTED] SysAdmin Kerberos mailing list [EMAIL PROTECTED] https://mailm

Re: AIX 5.1 and Network Authentication Service 1.3

2005-04-01 Thread Christopher D. Clausen
Matthew B. Brookover <[EMAIL PROTECTED]> wrote: I have MIT Kerberos 1.4 KDC on a Linux (Fedora Core 3) server. The server works with Linux, Windows, and open LDAP. I am trying to get an RS/6000 running AIX 5.1 with IBM's kerberos client (Network Authentication Service 1.3) to work with the KDC on

Re: Windows SSH client that uses tickets not obtained from AD login

2005-07-12 Thread Christopher D. Clausen
jay alvarez <[EMAIL PROTECTED]> wrote: > Hi, > Do you know any windows ssh client that can use > gssapi authentication and not using SSPI(used by > vintela and CSS putty versions)wherein it uses tickets > that were obtained from an Active Directory login? I > have downloaded KFW from MIT and I hav

Re: Win 2003 Server cross-realm authentication

2006-04-18 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > I've set up a windows 2003 AD, a two-way transitive trust with an MIT > Kerberos server, run ksetup to add the realm of the kerb5 server, and > have created accounts on both the kerberos server and in the active > directory that allow me to successfully log in individuall

Re: KFW 3.0, XP SP2, VMWare, and Principals with digits

2006-05-08 Thread Christopher D. Clausen
Matthew J. Smith <[EMAIL PROTECTED]> wrote: > Douglas E. Engert wrote: >>> I *cannot* authenticate when using a principal containing one or >>> more digits, such as "[EMAIL PROTECTED]". As a matter of fact, when >>> using such a principal, all I see in the "Credentials" text area is >>> "(No ide

Re: How to get sshd w/ Kerberos on Mac OSX working

2006-06-15 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > No. Where is that button exactly? This is just a mini with 10.3 BTW. Mac OS 10.3 only supports the "gssapi" method that is in OpenSSH 3.6. It's probably not working b/c newer clients use the "gssapi-with-mic" method (OpenSSH 3.8 and newer.) You either

Re: Kerberized NFSv4 problems

2006-06-19 Thread Christopher D. Clausen
Erich Weiler <[EMAIL PROTECTED]> wrote: > I can do this: > > kinit -kt /etc/krb5/krb5.keytab nfs/solarisclient.domain.com > kinit -kt /etc/krb5/krb5.keytab host/solarisclient.domain.com > > with no errors. When I do a klist then I get: > > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: hos

Re: Questions on Kerberos

2006-07-06 Thread Christopher D. Clausen
Joseph Kuan <[EMAIL PROTECTED]> wrote: > 1. I notice that some of the kerberos (windows authentication) packets > have principal with dollar sign character at the end. Also the > principal > is not the user name, it is actually the hostname. What does it mean? Those are the principals for machine

KfW 3.1 beta1 MSI installer?

2006-07-29 Thread Christopher D. Clausen
Is there an MSI for KfW 3.1 beta1? http://web.mit.edu/kerberos/dist/testing.html#kfw-3.1 doesn't seem to have a MSI listed.

Re: question about a kerberos play

2006-07-31 Thread Christopher D. Clausen
Luke Davis <[EMAIL PROTECTED]> wrote: >I just took an MCSE course and the instructor mentioned that there was >some type of 3 act play about kerberos, and that sounds like an >interesting read. Do you know where I can find it? http://web.mit.edu/Kerberos/dialogue.html

.k5login and krb5.conf syntax errors

2006-09-06 Thread Christopher D. Clausen
Last night I found out the hard way that if a user creates a .k5login file that isn't correct, (has Windows linebreaks or has multiple principal names on the same line) that they cannot log in at all to systems using pam-krb5 for authentication. (This is on Ubuntu 6.06 on x86.) Further, no erro
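Added example, not code from the post or from pam-krb5: a small Python checker for the .k5login mistakes described above (Windows line endings and several principal names on one line), plus the ownership rule MIT's krb5_kuserok() applies. The file path, uid and sample contents are assumptions for illustration.

```python
"""Check a .k5login file before installing it (added example, not code from the
post or from pam-krb5). Flags the two mistakes described above, CRLF line
endings and several principals on one line, which leave krb5_kuserok() with no
matching entry and lock the user out, plus a few related problems."""
import os
import re
import stat
from typing import List

# Constructed, deliberately strict: <primary>[/instance...]@REALM, no whitespace.
_PRINCIPAL_RE = re.compile(r"^[^@/\s][^@\s]*@[A-Za-z0-9.\-]+$")


def check_k5login(data: bytes) -> List[str]:
    """Return human-readable problems found in the file contents; [] means OK."""
    problems: List[str] = []
    if b"\r" in data:
        # krb5 compares whole lines, so 'alice@EXAMPLE.COM\r' never equals the
        # authenticated principal 'alice@EXAMPLE.COM'.
        problems.append("file contains CR characters (Windows line endings)")
    if data and not data.endswith(b"\n"):
        problems.append("last line is not newline-terminated")
    text = data.decode("utf-8", errors="replace").replace("\r\n", "\n").replace("\r", "\n")
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the trailing newline yields one empty element
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if not fields:
            problems.append(f"line {lineno}: blank line")
            continue
        if line != line.strip():
            problems.append(f"line {lineno}: leading or trailing whitespace")
        if len(fields) > 1:
            problems.append(f"line {lineno}: {len(fields)} principals on one line; put one per line")
            continue
        if not _PRINCIPAL_RE.match(fields[0]):
            problems.append(f"line {lineno}: {fields[0]!r} does not look like user@REALM")
    return problems


def check_k5login_file(path: str, uid: int) -> List[str]:
    """Check an on-disk file: contents plus the ownership rule MIT krb5 enforces
    (the file must be owned by the user or root, or the login is refused).
    The writability check is extra hygiene, not something krb5 tests."""
    st = os.stat(path)
    problems: List[str] = []
    if st.st_uid not in (uid, 0):
        problems.append(f"owned by uid {st.st_uid}, not the user ({uid}) or root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    with open(path, "rb") as fh:
        problems.extend(check_k5login(fh.read()))
    return problems


if __name__ == "__main__":
    # Constructed sample: a file edited on Windows with two names on one line.
    sample = b"alice@EXAMPLE.COM bob@EXAMPLE.COM\r\nalice/admin@EXAMPLE.COM\r\n"
    for problem in check_k5login(sample):
        print(problem)
```

Run it from a provisioning script and refuse to install any file for which check_k5login_file() returns a non-empty list; a silently rejected .k5login is exactly the lockout the post describes.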

Re: Starting kpropd as a service in Solaris 10

2006-09-14 Thread Christopher D. Clausen
Mike Friedman <[EMAIL PROTECTED]> wrote: > I'm putting up a KDC (krb5-1.4.2) on a Solaris 10 system, an OS that's > new to me (I've installed MIT K5 on Solaris 8 and 9 and other > systems). > It seems that kpropd won't start correctly from inetd.conf, though if > I run it standalone (-S option) it wo

Re: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3

2006-09-18 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > Any one had any success compiling KRB5 1.5.1 on AIX 5.2 or 5.3 ? I am > experiencing the same errors as a previous poster; but have not seen > any solutions. Configure is successful with the following flags: > > export CC=cc > export CFLAGS='-D_LARGE_FILES -DLANL -DLANL

Re: help with Active Directory Kerberos authentication

2006-10-06 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > Rohit Kumar Mehta <[EMAIL PROTECTED]> writes: > >> Kerberized telnet does not seem to work. >> >> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch >> Trying 127.0.1.1... >> Connected to nfsv4etch (127.0.1.1). 127.0.1.1 ? Uhh, that doesn't look

Re: OpenSSH and Kerberos

2006-10-10 Thread Christopher D. Clausen
Ian <[EMAIL PROTECTED]> wrote: > Hello, > > I am new to Kerberos. I want to set up passwordless logon from Linux > workstation clients to a Linux server using SSH via Kerberos. I have > designated one of the secure Linux workstation as the KDC. Kerberos > and OpenSSH were installed on all my Linux

Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > Rohit Kumar Mehta <[EMAIL PROTECTED]> writes: >> debug1: Miscellaneous failure >> No principal in keytab matches desired name. >> >> My krb5.keytab looks like this: >> nfsv4etch:~# ktutil >> ktutil: rkt /etc/krb5.keytab >> ktutil: l >> slot KVNO Principal

Re: Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Christopher D. Clausen
Daniel Kahn Gillmor <[EMAIL PROTECTED]> wrote: > I think i understand the basic K5 protocol, but i don't have my head > wrapped around the different possible attack vectors well enough to > know if opening up a KDC to the internet is really asking for trouble > (e.g. how much krb5 traffic needs to

Re: root login not possible

2006-11-07 Thread Christopher D. Clausen
On debian you'd want to look in /var/log/auth.log Can you kinit as root on this system? Also, try running a debug sshd via: sshd -ddd -D -p 222 and connect with putty using: putty -P 222 [EMAIL PROTECTED] Read through the debug output and see if there is anything useful in there. < wrote: > Un

Re: pam-krb5 2.6 released

2006-12-14 Thread Christopher D. Clausen
From the manual page: http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html realm= "If the obtained credentials are supposed to allow access to a shell account, the user will need an appropriate .k5login file entry or the system will have to have a custom aname_to_localname mapping. " Do

Re: Wiki?

2007-01-17 Thread Christopher D. Clausen
Jeff Blaine <[EMAIL PROTECTED]> wrote: > It just seemed to me that there's a LOT of information > that is incredibly scattered. If nobody else is likely > to contribute, then the hell with it. I'm not going to > spend the hours to share my notes if nobody else will > offer some of their time. IM

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-01-25 Thread Christopher D. Clausen
Lars Schimmer <[EMAIL PROTECTED]> wrote: > After some testing I got a few test PCs with debians "etch" system do > ticket forwarding and obtaining afs tokens. > Now I want to use putty and winscp from windows to login without a > password on that machines. > WinSCP can use gssapi login per default.

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-01-26 Thread Christopher D. Clausen
Lars Schimmer <[EMAIL PROTECTED]> wrote: > Thanks for the link. > Maybe I don´t get it right on my thoughts. > Setup here: > AD with 1 server and x clients > krb5 server on debian on extra machine So you have an Active Directory domain that the Windows machines are on? And a separate Kerberos Rea

Re: kerberos configuration

2007-01-29 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > Can anyone provide me with step by step kerberos configuration for a > solaris 9 machine. You'll likely need to ask a more specific question than that. Do you want just a client? A full KDC? Using MIT Kerberos? Or the SEAM stuff from Sun?

Re: Re.How to configure kerberos with windows 2000 AD

2007-01-29 Thread Christopher D. Clausen
Bharat Thakur <[EMAIL PROTECTED]> wrote: > I have installed krb5 in linux AS4 . There is already running windows > 2000 Advance Server. in the same network. I want to integrate > kerberos with windows AD. So that AD user also can logon through > linux client. Kindly help me to do this. Please don

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > I'm moving the server to a new cluster of RHE hosts that use virtual > interfaces (eg. eth0:1) to allow for failover to a new host while > still maintaining the original IP address. On this new system I'm > getting the following error when I run sshd in debug (-ddd) mode

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Mon, 29 Jan 2007, Christopher D. Clausen wrote: >> Can you simply fail-over using the same IP on both interfaces? (I >> believe there is a bonding module in Linux that can do this.) > > The point of the virt interface is so it can be moved to a

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Mon, 29 Jan 2007, Christopher D. Clausen wrote: >> [EMAIL PROTECTED] wrote: >> >>> I'm moving the server to a new cluster of RHE hosts that use virtual >>> interfaces (eg. eth0:1) to allow for failover to a new host while >>

Re: No Kerberos environment found

2007-01-30 Thread Christopher D. Clausen
Gayal <[EMAIL PROTECTED]> wrote: > Greetings, > > I installed MIT krb5-kdc, krb5-admin-server, krb5-user using apt-get > install on my Debian Etch box. Use the Debian package libapache2-mod-auth-kerb instead of trying to compile from source.

Re: kerberos configuration

2007-01-30 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > Hi Christopher, > > Actually i need the SEAM > Can you also pass me a full KDC configuration? No, I cannot. I suggest that you read the Sun Docs on SEAM: http://docs.sun.com/app/docs/doc/816-5164 And please reply to the list, not to me directly.

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-01-30 Thread Christopher D. Clausen
Lars Schimmer <[EMAIL PROTECTED]> wrote: > Christopher D. Clausen wrote: >> Lars Schimmer <[EMAIL PROTECTED]> wrote: >>> Thanks for the link. >>> Maybe I don't get it right on my thoughts. >>> Setup here: >>> AD with 1 server and x client

Re: Re.How to configure kerberos with windows 2000 AD

2007-01-30 Thread Christopher D. Clausen
Bharat Thakur <[EMAIL PROTECTED]> wrote: > Dear Sir, > Thanks for your reply. There are three linux server and one windows > 2003 AD(R2) in same network with 180 linux thin clients and 400 > windows clients. KDC installed in first linux server other two are > application server for sun clients. I w

Re: klist problem

2007-01-31 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > bash-2.05# klist -k > Keytab name: FILE:/etc/krb5/krb5.keytab > klist: Unknown code 2 while starting keytab scan > > etc/krb5/krb5.keytab doesn't exist; can anyone assist me Why are you running klist -k if you do not have a valid keytab file? (Error code 2

Re: kinit problem

2007-01-31 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > i am getting the following error: We need more details. > kinit: Cannot contact any KDC for requested realm while getting > initial credentials Which realm are you requesting tickets in? (E.g. what principal are you passing to kinit.) What does your k

Re: Cache location in KFW

2007-01-31 Thread Christopher D. Clausen
Diego Lima <[EMAIL PROTECTED]> wrote: > Is there any way I can point the default cache location to > FILE:c:\path\ticket so that upon log on the ticket will be available > there? Setting the KRB5CCNAME environment variable seems to work for me. > And where can I find some detailed documentation o

Re: Kerberos environment under windows

2007-01-31 Thread Christopher D. Clausen
Peger, Daniel Heinrich <[EMAIL PROTECTED]> wrote: > How do I tell a C/C++ (using GSSAPI) app what my current kerberos > environment is? For testing purposes I don't want to use the standard > environment but authenticate against a test kerberos setup, which > needs to be specified somewhere. Edit t

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-02-01 Thread Christopher D. Clausen
Lars Schimmer <[EMAIL PROTECTED]> wrote: > Christopher D. Clausen wrote: >> Lars Schimmer <[EMAIL PROTECTED]> wrote: >>> Christopher D. Clausen wrote: >>>> So you have an Active Directory domain that the Windows machines >>>> are on?

Re: Kerberos environment under windows

2007-02-01 Thread Christopher D. Clausen
I don't know how to do this from C code, but I generally kinit -kt \path\to\keytab principal/[EMAIL PROTECTED] and then run the app as needed. No need to additionally code in keytab support into the app. < wrote: > Hi, > > actually I'm trying to write a C app (similar to the sample gss-client > and g

Re: kinit problem

2007-02-04 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: >Cause: The host that was entered for the admin server, also > called the master KDC, did not have the kadmind daemon running. > Solution: Make sure that you specified the correct host name for the > master KDC. If you specified the correct host name,

Re: kinit problem

2007-02-05 Thread Christopher D. Clausen
s any other kerberos commands found in the > solaris environment. How can I proceed? > > Thanks, > Scotty > > "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: scotty adams > wrote: >>Cause: The host that was entered for the admin server, also >

Re: KDC not included with Kerberos V5 for Windows?

2007-02-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > Am I correct in concluding that there isn't a KDC binary for > DOS/Windows (or kadmin, KDB5_Util etc)? Yes.

Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
Luca Petrini <[EMAIL PROTECTED]> wrote: > Hello, I'm an Italian user and my name is Luca. > > I'm working with Kerberos on my Ubuntu 6.10. > > 1) Configure the /etc/hosts file: > 127.0.1.1 laptop > 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it > 127.0.0.1 localhost localhost.local

Re: Win Kerb Server

2007-02-08 Thread Christopher D. Clausen
Gayal <[EMAIL PROTECTED]> wrote: > Hi, > I want to implement SSO with Win2003 Server for Linux Clients. > But I don't have access to Win2003 Server. ex:creating keytab files > are not possible. > So i installed MIT Kerberos KDC server to a Debian Etch and try to > implement SSO for Linux Client. > >

Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
LukePet <[EMAIL PROTECTED]> wrote: > So, >> What does klist -kte (as root) show? > > [EMAIL PROTECTED]:~$ sudo klist -kte > 2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (Triple DES > cbc mode with HMAC/sha1) > 2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (DES cbc > mode with CRC-32) > >> Can you ki

Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet <[EMAIL PROTECTED]> wrote: > I try and I have this: > > [EMAIL PROTECTED]:~$ kinit -k host/[EMAIL PROTECTED] > kinit(v5): Permission denied while getting initial credentials > [EMAIL PROTECTED]:~$ sudo kinit -k host/[EMAIL PROTECTED] > [EMAIL PROTECTED]:~$ This is expected. The /etc/krb5

Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza <[EMAIL PROTECTED]> wrote: > I got the single sign on working, but now I'm trying to have AIX > authenticate using Kerberos to a 2003 AD without ticket verification > (non single sign on) > > Now..the password changes in AD are immediately noticed by the client (AIX). > > But I still have

Re: kadmin problem

2007-02-14 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > This is what i am getting after all > > bash-2.05# kadmin scotty > Enter Password: > Enter Password: > kadmin: Preauthentication failed while initializing kadmin interface Preauth failed is usually a "wrong password" message. Can you kinit scotty ?

Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet <[EMAIL PROTECTED]> wrote: > Ok and about telnet...what can you tell me? > > "[EMAIL PROTECTED]:~$ kinit pippo > Password for [EMAIL PROTECTED]: > [EMAIL PROTECTED]:~$ telnet -a -l pippo lukesky.epiluke.it > Trying 192.168.182.185... > Connected to lukesky.epiluke.it (192.168.182.185). > Es

Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza <[EMAIL PROTECTED]> wrote: > Yes it's part from krb.client.rte fileset (AIX CD) > > bash-3.00# /usr/krb5/bin/klist -k > Keytab name: FILE:/etc/krb5/krb5.keytab > Unable to start keytab scan. > Status 0x96c73ad5 - Unsupported key table format version > number. > bash-3.00#

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Tue, 20 Feb 2007, Jeffrey Altman wrote: >> [EMAIL PROTECTED] wrote: >> >>> Is there a way to redirect stderr from kinit/klist to a file? >> >> stdin and stderr cannot be redirected. they are used for password >> prompting > > Hmmm but I'm not trying to redirect th

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Tue, 20 Feb 2007, Jeffrey Altman wrote: > >> [EMAIL PROTECTED] wrote: >> >>> Is there a way to redirect stderr from kinit/klist to a file? >> >> stdin and stderr cannot be redirected. they are used for password >> prompting > > Hmmm but I'm not trying to redirect

Re: Win Kerb Server

2007-03-06 Thread Christopher D. Clausen
Gayal <[EMAIL PROTECTED]> wrote: > On 2/8/07, Christopher D. Clausen <[EMAIL PROTECTED]> wrote: >> Gayal <[EMAIL PROTECTED]> wrote: >>> Hi, >>> I want to implement SSO with Win2003 Server for Linux Clients. >>> But I dont have access to Win2003

Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M <[EMAIL PROTECTED]> wrote: > We use Active Directory to create User accounts and make the person > change his/her password the first time he/she logs on to any of our > machines (linux or windows). Changing password on the Windows machines > works just fine but no one can change their passwords o

Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M <[EMAIL PROTECTED]> wrote: > Yep. Tried that. Same behavior. It's not just one Linux machine, it's > all Linux machines that do this. So it's something that's set > environment wide...I've ruled out the firewall...not sure what else it > could be. What does your krb5.conf file look like? Do you hav

Re: Kerberos for Windows NT 4.0

2007-05-02 Thread Christopher D. Clausen
Warren Coykendall <[EMAIL PROTECTED]> wrote: > Hello, I was wondering we have a NT 4.0 domain which we cannot > migrate to Windows 2003. Is there a way to have the NT 4.0 domain > work with Kerberos so we can get single sign-on w/out the pain of > upgrading to active directory? I do not think the

Re: Cross Realm MIT <-> Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On Thu, 3 May 2007 23:33:29 +0100 > "Markus Moeller" <[EMAIL PROTECTED]> wrote: > >> What does sshd -ddde show when you connect ? Do you use a .k5login >> or auth_to_local ? > > Hi Markus, > > I'm not familiar with .k5login or auth_to_local. The only th

Re: Cross Realm MIT <-> Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On Thu, 3 May 2007 20:31:55 -0500 > "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: >> Try creating a ~/.k5login file in the home directory of >> the user you are logging in as listing authorized Kerberos >

Re: kerberos, hpux 11.11, ssh

2007-05-08 Thread Christopher D. Clausen
Wilson, Michael <[EMAIL PROTECTED]> wrote: > Hello, > > We are running into problems with the installation of Kerberos V5 on > an HP-UX 11.11 machine. > > When we try to login using Active Directory Authentication we get the > following in our debug.log file: > > May 8 09:59:21 PAM: load_function:

Re: kerberos, hpux 11.11, ssh

2007-05-09 Thread Christopher D. Clausen
Wilson, Michael <[EMAIL PROTECTED]> wrote: > ***KLIST -kte*** > [abc]:/var/adm/syslog # klist -kte > Keytab name: FILE:/etc/krb5.keytab > KVNO Timestamp Principal > - > >6 05/08/07 16:12:33 host/[EMAIL PROTECT

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > Our (hcoop.net) users love their new AFS homedirs, but are complaining > a lot about ssh public keys not working the way they're accustomed to. > Telling them to "kinit" after logging in doesn't quite cut it either. > > We're aware that this goes against the

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >> How exactly is having a private key password different from simply >> telling the user to kinit ONCE on their local machine before >> attempting to SSH to you

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > John Hascall <[EMAIL PROTECTED]> writes: >> How many of the top-10 use Kerberos? >> And what exactly is the top-10 (which list?)( >> For the sake of argument let's say they are: > > Well, based on AFS usage (which requires Kerberos right now), all of > the sc

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > Adam Megacz <[EMAIL PROTECTED]> writes: >> "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >>> UIUC has AFS? Is there some other UIUC that I don't know about? > >> Hrm, I was going by the

Re: Use ssh key to acquire TGT?

2007-06-03 Thread Christopher D. Clausen
John Hascall <[EMAIL PROTECTED]> wrote: >> One of these days I'm going to request (for HCOOP) crossrealm trusts >> with the top 10 computer science universities in the USA [*] and >> document (a) my success rate, (b) how many emails it took, and (c) >> how many months from first request to working

Re: Kerberos for authentication, php for authorization

2007-06-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Windows the two browsers can only acquire credentials > from the LSA which means the workstation needs to be joined to a > domain, I believe. That isn't true. You can configure FireFox on Windows to use credentials from Kerberos for Windows ccaches instead of using

Re: Where can I find how-to advice on setting up a local KDC?

2007-08-03 Thread Christopher D. Clausen
Kevin Koch <[EMAIL PROTECTED]> wrote: > It is too hot to work upstairs where the wired connection is. The > wireless on this laptop stops connecting randomly. I can't debug NIM > timing issues without being able to connect to a KDC. I can't ship a > product without those fixes. > > Where can I f

Re: "Key table entry not found while verifying ticket for server"

2007-08-05 Thread Christopher D. Clausen
Danny Mayer <[EMAIL PROTECTED]> wrote: > Peter Losher wrote: >> Yup, I had fatfingered the hostname during the initial OS install; >> what you said above reminded me to check the one place I hadn't >> updated - /etc/hosts. :) > > /etc/hosts??? That doesn't sound like a place ISC would use! Does the

Re: Using keytab on Windows with KfW

2007-08-12 Thread Christopher D. Clausen
Markus Moeller <[EMAIL PROTECTED]> wrote: > I am trying to use a keytab on Windows with KfW 3.2, but always get > an error "Key table entry not found while getting initial > credentials". The account works interactively and if I use the keytab > on Unix it works fine too. > Is this a known problem

Re: Using keytab on Windows with KfW

2007-08-12 Thread Christopher D. Clausen
Markus Moeller <[EMAIL PROTECTED]> wrote: > Thanks for the pointer. I thought I fixed the enctypes in krb5.ini > too, but copied it under the domain_realm section instead of > libdefaults. (The default krb5.ini didn't have the same order as my > krb5.conf ) I'd strongly suggest NOT specifying enc
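Added example, not code from any of the posts or from MIT Kerberos: a Python checker for the krb5.conf / krb5.ini profile format that covers three things asked about in this thread: which KDCs a realm resolves to (the "Cannot contact any KDC for requested realm" question earlier), what the file actually says when someone asks "what does your krb5.conf look like", and whether enctype keys were pasted into a section other than [libdefaults], as happened in the post above. The two sample configurations are constructed for the example; the realm and host names in them are assumptions.

```python
"""Parse and sanity-check a krb5.conf / krb5.ini (added example, not from the
posts or from MIT Kerberos): which KDCs a realm resolves to, which realm a
host maps to, and whether enctype keys landed outside [libdefaults]."""
import re
from typing import Any, Dict, List

# These keys only mean something in [libdefaults].
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_RELATION_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def _as_list(value: Any) -> List[str]:
    return [] if value is None else (value if isinstance(value, list) else [value])


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Profile format: [section], key = value, REALM = { ... } subsections.
    Repeated keys (several kdc = lines) accumulate into a list."""
    conf: Dict[str, Dict[str, Any]] = {}
    stack: List[Dict[str, Any]] = []  # innermost dict last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m and len(stack) <= 1:
            stack = [conf.setdefault(m.group(1).strip(), {})]
            continue
        if not stack:
            continue  # relation before any [section]: ignore it
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = _RELATION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        elif key in stack[-1]:
            stack[-1][key] = _as_list(stack[-1][key]) + [value]
        else:
            stack[-1][key] = value
    return conf


def kdcs_for_realm(conf: Dict[str, Dict[str, Any]], realm: str) -> List[str]:
    body = conf.get("realms", {}).get(realm, {})
    return _as_list(body.get("kdc")) if isinstance(body, dict) else []


def realm_for_host(conf: Dict[str, Dict[str, Any]], host: str) -> str:
    """Exact hostname first, then the longest '.domain' suffix, then default_realm."""
    mapping = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    parts = host.split(".")
    for i in range(1, len(parts)):
        candidate = "." + ".".join(parts[i:])
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm", "")


def diagnose(conf: Dict[str, Dict[str, Any]]) -> List[str]:
    """Findings worth fixing before running kinit against this configuration."""
    findings: List[str] = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if not default_realm:
        findings.append("[libdefaults] has no default_realm; kinit needs an explicit user@REALM")
    for realm in realms:
        if not kdcs_for_realm(conf, realm):
            findings.append(f"realm {realm} has no kdc entries; without DNS SRV records (dns_lookup_kdc) "
                            "kinit fails with 'Cannot contact any KDC for requested realm'")
    for section, body in conf.items():
        for key in sorted(set(body) & ENCTYPE_KEYS):
            if section != "libdefaults":
                findings.append(f"{key} in [{section}] has no effect on enctypes; it belongs in [libdefaults]")
    return findings


# Constructed sample: a clean two-realm client configuration.
GOOD_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
"""

# Constructed sample of the mistake above: enctype keys pasted under [domain_realm],
# and no kdc lines for the realm.
BAD_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        admin_server = kdc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    default_tgs_enctypes = des3-cbc-sha1
"""
```

Point parse_krb5_conf() at the real file (krb5.conf on Unix, krb5.ini on Windows) and print diagnose() before asking someone to paste the whole thing into a mail; an enctype key that ends up in [domain_realm] is parsed as a host-to-realm mapping and never changes any enctype, which is why the post above saw no effect from it.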

Re: Active Directory LDAP SSH

2007-09-04 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On 9/4/07, Roman S <[EMAIL PROTECTED]> wrote: >> I've configured a Microsoft Active Directory with LDAP and Kerberos, >> and some Linux (Redhat) clients who authenticate to it. >> I'm able to get some tickets for the users who are in the Active >> Direct

Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-04 Thread Christopher D. Clausen
Anthony Brock <[EMAIL PROTECTED]> wrote: > I have created several cross-realm trusts on a test server. At this > point, nearly everything is working properly. However, users are > unable to change their passwords unless their account is in the > initial domain. Users see the following when attempti

Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-05 Thread Christopher D. Clausen
Anthony Brock <[EMAIL PROTECTED]> wrote: > No, the entire network is on a single, private IP address range. In > fact, I'm trying these particular commands on the same host that > kadmind is running on. However, the behavior is identical from a > remote host. Does kpasswd work on the KDC itself fo

Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > How can I list all the servers that I have mapped with the Ktpass > command? > > We are using Kerberos for SSO from our Middle Tier application that we > develop. To make this work I must map the middle Tier's servername > with an account in the domain. Here's a sample

Re: cross realm and capaths question

2007-10-01 Thread Christopher D. Clausen
Douglas E. Engert <[EMAIL PROTECTED]> wrote: > Markus Moeller wrote: >>> TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28) > > This looks like AD is checking the transited path, and does not like > it. RFC4120 section 2.7 does not require the KDC to check the > transited field, and the client

Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Oct 1, 11:27 am, "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: >> >> from a cmd.exe prompt (on a computer joined to this domain,) you can >> run net group "domain computers" /domain to get a list all every >&

Re: Need an old MIT Kerberos distribution

2007-10-25 Thread Christopher D. Clausen
Jeff Blaine <[EMAIL PROTECTED]> wrote: > I'm failing to find/get 1.3.0 for a specific need. http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.tar from: http://web.mit.edu/kerberos/dist/historic.html#krb5-1.3-src

Re: mac os x ticket cache

2007-11-29 Thread Christopher D. Clausen
Ranga Samudrala <[EMAIL PROTECTED]> wrote: > On a Mac OS X machine, is there a way to force the SSH client to use > a Kerberos TGT from a cache on the file system instead of the > default - in the memory? Change what the KRB5CCNAME variable points to.

Re: Query about an admin testing a user's creds

2008-01-06 Thread Christopher D. Clausen
Coy Hile <[EMAIL PROTECTED]> wrote: > If we need to test, for example, that a user is actually getting a > TGT, we need to inform the user that we're changing their password > temporarily, change it, authenticate as them directly, and then have > them change it back. We've all been wondering aloud

Re: Heimdal KDC, Windows XP and local users

2008-01-09 Thread Christopher D. Clausen
Victor Sudakov <[EMAIL PROTECTED]> wrote: > I have configured Windows XP to use a Heimdal KDC for user > authentication. All existing Windows users can authenticate against > the KDC, user > mapping is "ksetup /mapuser * *". > > However, Windows does not create a new local user with the same name >

Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
Colin Simpson <[EMAIL PROTECTED]> wrote: > I'm looking at finding a new solution to syncing password between AD > and > Kerberos. We had been using CEDAR for this and it's great but the > passwdHK dll on windows hates it if you pass in 8 bit ascii password. AD already is Kerberos. Why don't you

Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
-) > > Colin > > On Wed, 2008-01-09 at 17:13 +, Christopher D. Clausen wrote: >> Colin Simpson <[EMAIL PROTECTED]> wrote: >>> I'm looking at finding a new solution to syncing password between AD >>> and >>> Kerberos. We had been using CEDAR

Re: [lib]kadm on Windows?

2008-01-25 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > We took an end-run around this problem and instead use: > >http://www.eyrie.org/~eagle/software/kadmin-remctl/ > > to provide a remctl interface to kadmin calls. This still requires > that you get remctl working on Windows, though. It may or may not b

Re: kadmin -c : shouldn't this work?

2008-02-14 Thread Christopher D. Clausen
Jeff Blaine <[EMAIL PROTECTED]> wrote: > % /usr/rcf-krb5/bin/kinit -p admin/admin > Password for admin/[EMAIL PROTECTED]: > % /usr/rcf-krb5/sbin/kadmin -c /tmp/krb5cc_26560 > Authenticating as principal admin/[EMAIL PROTECTED] with existing > credentials. > kadmin: Matching credential not found whi

Re: support SSO in Windows with Keberos TGT

2008-02-19 Thread Christopher D. Clausen
sylvain cortes <[EMAIL PROTECTED]> wrote: > So, for example, a windows computer which use Putty can present a > kerberos ticket to a Unix machine with the Centrofy client, without > any re-authentication. And Unix to Windows, or Unix to Unix works > also in the same way. You can do that without pa

Re: max number of requests/sec (on KDC)

2008-04-22 Thread Christopher D. Clausen
Matthew Loar <[EMAIL PROTECTED]> wrote: > Vladimir Konrad <[EMAIL PROTECTED]> wrote: >> Hello, >> >> Is there a way to increase allowed number of requests per second on >> KDC? I have several different CRON jobs (using the same keytab in >> kinit), which run at the same time, and I get: >> >> DISPA

Re: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

2008-05-05 Thread Christopher D. Clausen
Can you post and compare your krb5.conf files? Are they identical? Have you asked someone at Stanford? This might be a specific configuration problem for that realm. If you join the #kerberos IRC on Freenode, various people may be able to help you out interactively. < wrote: > Hi Again, > >

Re: Help on using AD as KDC

2008-05-29 Thread Christopher D. Clausen
Zhiguo Huang <[EMAIL PROTECTED]> wrote: > Could any person who has experience on using Active Directory as KDC > give any pointer and helpful instruction? Regarding what? You just use it as a KDC and it works.

Re: SSO

2008-07-17 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <[EMAIL PROTECTED]> > wrote: >>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are >>> going to perform better. >> >> If by "better" you mean "pretty much the same," yes, modulo the >> conf

Re: WTS and KfW for SPNEGO

2008-11-06 Thread Christopher D. Clausen
I bet the problem is that KfW is switching to a per-user krb5.ini instead of using the one you likely have in C:\Windows. Try to copy your system krb5.ini to c:\documents and settings\user\windows and see if that helps any when in Terminal Services mode. < wrote: > Hi, > > we use Kerberos for

Re: WTS and KfW for SPNEGO

2008-11-07 Thread Christopher D. Clausen
Christian, I recommend that you read through this email and follow its instructions: http://mailman.mit.edu/pipermail/kerberos/2008-January/012978.html That should solve the problem permanently. I personally like having my own per-user krb5.ini. I can fix configuration problems on machines wher

Re: Solaris 10 client, MIT 1.6 server, kpasswd command

2008-12-07 Thread Christopher D. Clausen
Edward Irvine <[EMAIL PROTECTED]> wrote: > Has anyone else had trouble changing passwords from a Solaris client? > > I'm using the Solaris 10 version of kpasswd: > > /bin/kpasswd username > kpasswd: Changing password for [EMAIL PROTECTED] > Old password: > kpasswd: Cannot establish a session with

Re: Kerberos <-> Microsoft Active Directory & DNS

2009-01-29 Thread Christopher D. Clausen
Michael B Allen wrote: > In general, both the MIT and Heimdal clients are not optimized for a > Windows environment. We have an AD integration product that uses > Heimdal that we made a lot of changes to try to better emulate Windows > behavior. Please just stop trying to sell folks your product

Re: Finding the version of kinit/klist

2009-03-06 Thread Christopher D. Clausen
Ken Raeburn wrote: > On Mar 6, 2009, at 13:43, pete...@bigfoot.com wrote: >> Is there any way to determine the version of kinit or klist? > > I'm afraid not, aside from the krb5-config option you noted. > > It's still in our bug database, but hasn't gotten any attention yet. > :-( (I knew it had

Re: Constraint Delegation with MIT Kerberos

2019-04-05 Thread Christopher D. Clausen
For Active Directory: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview < I did not get a response from anybody. Does anybody have instructions for > setting up Constraint Delegation on any platform? > > Thanks, > Joseph > > -Origin

Re: Constraint Delegation with MIT Kerberos

2019-04-05 Thread Christopher D. Clausen
It would be helpful to understand more of your environment. Can you provide more details of what you are trying to accomplish? Are multiple Kerberos realms involved or just a single Active Directory domain? Is an MIT KDC involved? Or just MIT Kerberos clients? What errors are you seeing with M

Re: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Christopher D. Clausen
I have used this as a guide, but I think MIT Kerberos version 1.10 is the latest available: https://www.cisecurity.org/benchmark/mit_kerberos Not sure if this is what you are looking for or not. < Preferably something smaller and more focused than nmap or OpenSCAP. 😉 From: Brent Kimberley Sent

Fw: Kerberos Password change over WWW

2009-04-02 Thread Christopher D. Clausen
Brett Delle Grazie wrote: > Is there an open-source product that is secure and will permit > password changes to kerberos via the web (e.g. .cgi program or > similar). I am expecting the user to have already authenticated with > their existing username / password - this is so they can then change

Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not tobe???

2009-04-07 Thread Christopher D. Clausen
kerbie_newbie wrote: > At least in Apache 2.0, it is extremely difficult in Apache to get two > authentication modules to co-exist; Apache by and large considers any > particular portion of the URL space to be protected by only one > authentication scheme (possibly combined with IP address > restr

Re: Sudo w/Ticket Support

2009-05-07 Thread Christopher D. Clausen
pete...@bigfoot.com wrote: > Main reason for not setting NOPASSWD is because I don't have control > over the sudoers file on most of the systems I have access to. And > the SA's are very reluctant to use "NOPASSWD". Do you know about the ksu command? Or using a ~root/.k5login and ssh -o "GssapiA
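The ~root/.k5login route suggested above works because Kerberos splits authentication (the TGT proves who you are) from authorization (whether that principal may become a given local account). The following is an added example, not code from this thread or from MIT Kerberos: a simplified Python model of the rules a ksu or a GSSAPI-enabled sshd applies when deciding whether a client principal may log in as a local user. The realm EXAMPLE.COM, the principal names and the .k5login contents are constructed for the example. The owner check mirrors the real krb5_kuserok() rule that the file must belong to the target user or root; treating a group- or world-writable .k5login as denying everyone is an extra hardening assumption of this model, not a documented MIT behaviour.

```python
"""Model of the ~/.k5login authorization check used by ksu and sshd GSSAPI logins.

This is a simplified stand-in for MIT krb5's krb5_kuserok(), not the real code:
  * If <home>/.k5login exists, the client principal must match one line exactly
    (no wildcards, no fallback to the default mapping).
  * If it does not exist, only <localuser>@<default realm> is accepted.
  * A .k5login owned by neither the target user nor root is ignored (MIT rule);
    one writable by group/other is also ignored (assumption of this model).
"""
import os
import stat
import tempfile

DEFAULT_REALM = "EXAMPLE.COM"  # assumed; on a real host it comes from krb5.conf


def read_k5login(path, allowed_uids=None):
    """Return the set of principals listed in a .k5login file.

    None  -> the file does not exist (caller falls back to the default mapping)
    set() -> the file exists but is unsafe, so nobody is authorized through it
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    if allowed_uids is not None and st.st_uid not in allowed_uids:
        return set()
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return set()
    with open(path, encoding="utf-8") as fh:
        # one principal per line, compared as an exact string
        return {line.strip() for line in fh if line.strip()}


def kuserok(principal, localuser, home, allowed_uids=None):
    """Is `principal` allowed to become `localuser`, whose home directory is `home`?"""
    listed = read_k5login(os.path.join(home, ".k5login"), allowed_uids)
    if listed is not None:
        return principal in listed
    # No .k5login: only the principal that the default aname->lname rule
    # maps to the local name (user@DEFAULT_REALM) is accepted.
    return principal == f"{localuser}@{DEFAULT_REALM}"


def demo():
    """Run the check against a constructed ~root/.k5login; returns results per case."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".k5login")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("alice@EXAMPLE.COM\nbob/admin@EXAMPLE.COM\n")  # constructed sample
        os.chmod(path, 0o600)
        owners = {os.getuid(), 0}
        results["alice_listed"] = kuserok("alice@EXAMPLE.COM", "root", home, owners)
        results["bob_admin_listed"] = kuserok("bob/admin@EXAMPLE.COM", "root", home, owners)
        # bob's plain principal is not listed; only bob/admin is
        results["bob_plain_denied"] = kuserok("bob@EXAMPLE.COM", "root", home, owners)
        # once a .k5login exists, the default root@REALM mapping no longer applies
        results["root_default_denied"] = kuserok("root@EXAMPLE.COM", "root", home, owners)
        os.chmod(path, 0o666)
        results["world_writable_denied"] = kuserok("alice@EXAMPLE.COM", "root", home, owners)
    with tempfile.TemporaryDirectory() as home:
        results["no_file_default_ok"] = kuserok("root@EXAMPLE.COM", "root", home)
        results["no_file_other_denied"] = kuserok("alice@EXAMPLE.COM", "root", home)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allow' if ok else 'deny'}")
```

The practical consequence for the sudo discussion: a principal listed in ~root/.k5login gets root over ssh -o GSSAPIAuthentication=yes or via ksu on the strength of its TGT alone, so that file deserves the same review as a NOPASSWD sudoers entry, and a per-person admin instance (bob/admin) is preferable to listing everyday principals.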
