had originally planned to run two realms in parallel and
tell them to trust each other. Unfortunately, MIT Kerberos doesn't
appear to allow you to run two KDCs on the same server.
Anyone have ideas?
Regards
Edward Murrell
Ken Raeburn wrote:
> You can, but you have to write the config files to specify different
> port numbers for them. (The code doesn't currently support using only
> some of a machine's IP addresses, if you wanted to put one on one
> address and one on another.) The code theoretically supports servin
Hmm, yes, diagnostics would be helpful, wouldn't they? :P
OK, so things have progressed slightly.
First mistake was finding EXAMPLE.COM in one of my addprincs, and
following your advice, and someone else noting that quite possibly two
different encryption types were in use here, I've deleted the tw
Marcus Watts wrote:
> Edward Murrell <[EMAIL PROTECTED]> writes
> ...
>
>> [EMAIL PROTECTED] ~ $ kadmin -s becks -p edward/[EMAIL PROTECTED]
>> Authenticating as principal edward/[EMAIL PROTECTED] with password.
>> Password for edward/[EMAIL PROTECTED]:
>&
Ken Hornstein wrote:
>> Now I get a string of errors like this;
>> Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16
>> 23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0, for
>> host/[EMAIL PROTECTED], Key table entry not found
>>
>
> So, here's what would be illuminating:
Paco Pelma wrote:
> Hi.
> In my work I do this to put a Windows machine into the domain
>
> 1. Assign a valid name, for example w000
>
> 2. My pc/properties
>
> 3. Change name
>
> 4. Domain: my_domain
>
> Then it prompts for a user and a password:
>
> my_domain\my_user
> my_password
>
> I want
I thought I'd post back here how I got on.
So it turned out to be a funky combination of my earlier silliness in
having single names as hostnames (apollo, instead of apollo.office),
returning the single hostname in the reverse DNS, and having a single
name set in the /etc/hostname (which I'm sure
Hi Scotty,
The problem sounds like the Kerberos realms are different on each
machine, rather than the host name.
What is the default realm for the kdc and the client machine? Also, if
you do a klist before running kadmin, what realm does it list?
Regards
Edward Murrell
This is a really fast response, since I'm about to disappear out the
door for Xmas.
Probable cause.
a) krb5.conf doesn't have kdc address
b) DNS doesn't have kdc address
c) address specified for kdc is internal address (eg kdc.local.lan.only)
d) address specified for kdc no longer exists for some
Hi all,
I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
work out.
I have a machine called 'hobbes' with a common user account that I'm trying to
get working with SSH and Kerberos.
Normal SSH + Kerberos works perfectly.
However, the specs call for anyone with a valid Kerberos accou
ide me with the set of command to accomplish that.
>
> Thanks,
> Scotty
>
> */Edward Murrell <[EMAIL PROTECTED]>/* wrote:
>
> Hi Scotty,
>
> The problem sounds like the Kerberos realms are different on each
> machine, rather than the host name.
>
>
n to the system with them.
I guess I'll have to get LDAP updates working. I guess I'm going to have
to kick OpenLDAP around a bit again. *sigh* (I've not had great success
with OpenLDAP replicas).
Cheers,
Edward
Edward Murrell wrote:
> Hi all,
>
> I've got an issue wit
ething with stuffing
authentication data (ie LDAP) inside Kerberos. In cases like this, it
would be quite handy.
- Edward
Bjoern Tore Sund wrote:
> The solution is to have nscd running. At least that solved the issue
> for me.
>
> -BT
>
> Edward Murrell wrote:
>
>> I
I think screeds of information could be added on Troubleshooting, as
well as Installation notes and use with various other products (SSH,
PAM, and Windows probably being the main three).
I could probably get permission from my boss to copy/paste most of the
notes in our wiki about Kerberos.
Jeff
ample.com
However, this gives me the following output;
[EMAIL PROTECTED] ~ $ ssh foogazzi.office.example.com
Address 10.0.0.1 maps to foogazzi.example.com but this does not map
back to the address - POSSIBLE BREAKIN ATTEMPT!
Password:
D'oh.
An
Nicolas Williams wrote:
> Give your server host/f.q.d.n principals and keytab entries for all its
> interfaces' canonical names.
>
Did that. SSH ignores them.
> And get a client that know how to decode the SSH_MSG_KEXGSS_ERROR
> message :)
>
> Nico
>
That's really not an option. In most cases
es forward and back DNS checks, everything correctly
checks out, but still allowing the forward DNS from the internal LAN to
work properly.
I hope this helps someone in the future. :)
Regards
Edward Murrell
Edward Murrell wrote:
> Hi there,
>
> I'm currently fighting issues with a coup
ollowing order;
DNS
Kerberos
LDAP (using Kerberos for authentication of replicas).
Regards
Edward Murrell
Ken Raeburn wrote:
> On Jan 22, 2007, at 4:39, Enrico M. V. Fasanelli wrote:
>
>> Dear Kerberos/LDAP gurus
>>
>> I've seen that the 1.6 MIT release includes su
Hope this helps! Let us know how you get on.
Regards
Edward Murrell
Jeff Blaine wrote:
> This doesn't look too promising. Any help, again, would
> be greatly appreciated.
>
> Solaris 10 6/06 release. Sett
[EMAIL PROTECTED] wrote:
>
> Sorry, I guess I wasn't very clear. The servers aren't KDCs, they are
> CVS/Subversion servers accessed via OpenSSH using GSSAPI Authentication
> and GSSAPI Key Exchange.
>
> In the very simplest case we would have 2 hosts -- one for CVS and one
> for Subversion. I
ials yes
Hope this helps you some!
Regards,
Edward Murrell
Luca Petrini wrote:
> Hello, I'm an Italian user and my name is Luca.
>
> I'm working with Kerberos on my Ubuntu 6.10.
>
> I have installed the krb5 packages and configured the kdc.conf and
> krb5.c
Hi all,
I've run into some problems with a KDC slave that's started giving me
grief out of the blue.
System (bender) is Debian testing, x86. Krb5 packages are all 1.4.4-6.
The master KDC (becks) is Ubuntu 6.06 (LTS) running KRB5, with Krb5
packages 1.4.3-5ubuntu0.2. The master KDC also feeds ano
cause the old realm understood the new realm.
Anyway, the fix was to have the correct realm in krb5.conf.
Regards
Edward
Edward Murrell wrote:
> Hi all,
>
> I've run into some problems with a KDC slave that's started giving me
> grief out of the blue.
>
> System (ben
Would anyone else find this useful? I've got authorization from my boss
to share this under the GPL if anyone would care.
Regards
Edward Murrell
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
A list of useful links is here;
http://swik.net/kerberos+LDAP+Java
Shigeru Ishida wrote:
> Hi,
>
> When I use Kerberos in combination with OpenLDAP,
> I try to write Java code with the Novell LDAP Classes for Java to
> enter the LDAP data needed for Kerberos authentication.
>
> Please tell
Jeff Blaine wrote:
> Jeffrey Altman wrote:
>
>>> tkt=1 ses=1}, [EMAIL PROTECTED] for [EMAIL PROTECTED]
>>>
>> Do you really have a lowercased realm?
>>
>
> Yes. No good?
>
Not for the best. Active Directory assumes upper case everything for
example.
The FAQ at
http://www.cmf.nrl
perimenting.
Hope this helps!
Cheers,
Edward Murrell
Luca Lauretta wrote:
> Hi, I'm struggling to get NFSv4 working with MIT Kerberos v5
>
>
> /etc/exports on server (sequoia)
>
> #/home/condivisa sughero.reti.dist.unige.it(rw,sync)
> /home/condivisa gss
Your DNS looks like it's working correctly then.
I would guess that client is trying to connect using NFSv3, and the
server is correctly complaining that the client is not listed for NFSv3
in /etc/exports.
Although it will generate huge amounts of text, try running the
following as root to help y
Erm, dunno if this will help you any. This is a straight copy/paste from
my Wiki, which may only apply to my domain, but it sounds about right;
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
This occurs when kadmin is attempting to talk to the KDC with the wrong
realm. Us
rgument in kadmin, like so;
ktadd -k /home/jyho/bar.keytab host/bar.intra.foobar.com
These days, I've got a very simple Kerberos setup, so I can't really
shed much light I'm afraid...
Cheers,
~Edward Murrell
On Tue, 2007-06-26 at 09:31 +0800, Anthony Ho wrote:
> Hi Guys,
>
Sounds like something that would be better served using LDAP groups,
that way it could hook into existing infrastructure.
However, the current PADL pam implementation (last I looked anyway)
wasn't especially brilliant at providing control for lots of hosts with
lots of users. It was possible to co
Not to try and rain on your parade, but...
Wouldn't it be easier to use the standard mod_auth_kerb lib and write an
apple only directory service apache module (if it doesn't already
exist), and set up the auth kerb as non-authoritative?
Cheers
Edward
On Mon, 2008-01-21 at 10:55 -0700, Nathan Mell
Howdy...
Something like remctl (I personally have not touched it) would be a good
start, since it's essentially a remote execution engine. If you did a
sandboxed remctl server to get this started, you could (hopefully)
replace the remctl server with a C server running on a dedicated port.
I harp
Well, I own a couple of webservers, so I'm sure something could be
arranged.
This week though, I'm swamped with work, and have the flu. Next week I
could look at sticking something up somewhere and/or providing you an
account?
-Edward
On Tue, 2008-02-05 at 20:49 -0500, Ken Hornstein wrote:
> >Ken,
On Tue, 2008-02-05 at 21:44 -0500, Ken Hornstein wrote:
> Sure. However, somehow I am still ignorant of the mechanics of
> actually creating any kind of useful web content. I can write text,
> I can provide you the actual files, but I would rather just hand
> it all to you and you can make it web
Hi,
NSS doesn't configure the order of authentication; it does (among other
things) the order of lookup for which group a user is in and who owns what
files (or more accurately, which UIDs/GIDs map to which users/groups).
Authentication is performed by PAM. (see /etc/pam.d/). Authconfig is a
Redhat utili
ross major UNIX versions please let us know.
>
> Thanks,
>
> On Feb 7, 2008 9:57 AM, Edward Murrell <[EMAIL PROTECTED]> wrote:
> Hi,
>
> NSS doesn't configure the order of authentication, it does
> (among other
> things, the
> Can anyone explain to me whats the relation between LDAP vs Kerberos
(The longer explanation)
Authentication is the process of proving who you are. But just because I
can prove I'm who I say I am via a driver's licence doesn't mean I'm
getting into the club. "Your name isn't on the list."
Ker
Hi there,
At the risk of sounding officious, you should use ssh (secure
shell) instead of telnet, since telnet is insecure (even with Kerberos
authentication).
>
> I am trying to setup Kerberos on my Mandriva 2008.1 server. I think it is
> correctly configured but when I login with t
Yep, also confirmed to work with Dovecot IMAP server.
> Victor Sudakov wrote:
> Is there anyone for whom Thunderbird with GSSAPI really works?
> I hope it is not just theory, someone is using it or has tested it?
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/[EMAIL PROTECTED] http://vas
Assuming your DNS is set up properly, you'll need to set the host keytabs
to have the principal's fully qualified domain name, ie
host/[EMAIL PROTECTED] instead of host/[EMAIL PROTECTED]
You can check if it is by running host against the IP of the hostname.
So assuming rofe.one.com has the IP 10.1.1.1
Hi,
From my notes for 10.4 for doing this a few years ago (at a company that
I no longer work for, so my memory may be fuzzy and/or out of date) you
need to run through the instructions here;
http://support.apple.com/kb/TA20987?viewlocale=en_US
AND you need to modify the pam files in /etc/pam.d/
H
x/NIS)
compliant LDAP schemas. Other people have already written (and to be
fair, support much better) php libraries for handling active directory
LDAP lookups.
Cheers,
Edward Murrell
On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> Hi everyone I have a noob question for ya.
>
>
that simplifies this somewhat, if you are using RFC 2307 (posix/NIS)
> > compliant LDAP schemas. Other people have already written (and to be
> > fair, support much better) php libraries for handling active
> directory
> > LDAP lookups.
> >
> > Cheers,
> >
I've been wondering about this problem for a while. My current solution
on my laptop is to use a normal /etc/passwd login, and run kinit once
I'm logged in.
What I would like is to allow some method of transparently caching
passwords, then creating a TGT once network connectivity is
established.
On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:
> Edward Murrell writes:
>
> > I've been wondering about this problem for a while. My current solution
> > on my laptop is to use a normal /etc/passwd login, and run kinit once
> > I'm logged in.
> >
You can either add service principals for the other domains to the
keytab, or establish cross realm trusts between the realms. The latter
is probably better if you expect to have lots of places where you need
to interoperate.
Cheers,
Edward
On Thu, 2009-08-13 at 17:50 -0400, Farzad Kohantorabi wrote
You will need to specify the principal you wish to use when running
kinit. This is because keytabs can contain multiple principals.
ie;
kinit -kt /etc/krb5/krb5.keytab host/uk0108.bxc@bxc.com
Hope this helps!
Cheers,
Edward
On Tue, 2009-08-18 at 13:04 -0700, dxtans wrote:
> Hello,
> I have i
There's a bunch of things there that are a bit messed up.
Firstly, if you aren't sure what the hostname is, run;
hostname -s
If this tells you it's 'localhost', you should edit the /etc/hostname to
be something more descriptive (and the same as whatever you pick for
myserverhostname below) and th
Openfire, MIT Kerberos (I've done it elsewhere with Heimdal) and
OpenLDAP, with the Cyrus saslauthd daemon to allow plain text logins.
This link was incredibly helpful for getting saslauthd to comply;
http://www.semicomplete.com/articles/openldap-with-saslauthd/
GSSAPI and plain text logins work
As far as I know, MIT kerberos can run multiple KDCs from the same
machine, but each realm needs to have its own IP or set of ports.
On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:
> Hi,
>
> I need to setup kerberos for six distinct domain, there is no trust
> relationship between
You probably do not have reverse DNS set up properly, or the reverse DNS
name does not match the keytab installed on the application server.
In any case, you should ditch telnet and rlogin in favour of SSH.
On Tue, 2010-01-19 at 18:19 +0530, vinay kumar wrote:
>
>
>I want to capture
Hi,
Kerberos isn't specifically built into SVN, it's handled by the carrier
protocol, which is usually SSH or HTTP. Depending on what you're using,
you'll need to setup Kerberos in OpenSSH or your webserver.
OpenSSH already has Kerberos/GSSAPI support. In most cases, it's a
matter of turning it o