On Fri, 2008-12-19 at 14:41 +, Fletcher Cocquyt wrote:
> How can we explicitly disable the krb524 communication attempt (campus does
> not run that service)?
Ken's suggestions will work at a global level without requiring changes
to client configuration, which may be advantageous. But I rea
On 07/07/2014 12:26 PM, kannan rbk wrote:
> I tried 5 passwords, all are failed. Same error message "authentication
> error".
Is the client behind a NAT gateway? What version of krb5 is in use on
the master KDC?
Kerberos mailing list Ker
On 07/16/2014 10:08 AM, Giuseppe Mazza wrote:
[trying to kprop from krb5 1.4 to krb5 1.12 and it hangs]
> - I have read your archive. Apparently some people had a similar problem.
> It seems to me that they were using two versions of Kerberos that were
> too different... Well, it sounds familia
On 07/16/2014 06:34 PM, John Devitofranceschi wrote:
> host/*@MYREALM.COM x */*1...@myrealm.com
This works for me in 1.11, 1.12, and the master branch. So, your
expectation isn't unreasonable, but I'm not sure why it doesn't work for
you.
Note that kadmind will not reread its ACL file until it i
On 07/17/2014 08:59 AM, Giuseppe Mazza wrote:
> What do you think? Do you need more info?
I think I do need more info. This helps narrow things down, but there
are still questions:
* Is the process actually stuck within that krb5_db_put_principal call,
or is it somehow in a loop doing put_princi
We talked about this at our meeting today, and we think this is likely
issue #7860, which I had forgotten about:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7860
To summarize briefly: there is a compiler bug in the version of gcc used
in Ubuntu 14.04, which can trigger a libdb2 hang. We
On 07/29/2014 04:50 PM, Michael Osipov wrote:
> my application tries to acquire a GSS credential with a client keytab:
>
> $ KRB_CLIENT_KTNAME=$HOME/client.keytab app
The environment variable is KRB5_CLIENT_KTNAME, not KRB_CLIENT_KTNAME.
Did you use the correct variable name?
> No credential is
On 07/30/2014 02:34 AM, Michael Osipov wrote:
> If I understood you correctly, the API makes a difference here. By hand or by
> client keytab. The problem is that one has sometimes no control over, even
> worse I cannot check how the credential was obtained because klist does not
> reveal that
>
On 07/30/2014 05:52 PM, Michael Osipov wrote:
> 1. I am used to work over SSH with Subversion and Git over a SPNEGO protected
> proxy and/or with our HTTP served repositories, protected by SPNEGO too.
> Sometimes I do a kinit with my password but sometimes I simply forget that
> and svn reminds
On 07/31/2014 03:24 AM, Michael Osipov wrote:
> That sounds reasonable and should solve the issue. Albeit, I do think that
> the detection algorithm could be better and pursue a
> best-effort/match/seldom-fail approach. It makes the entire process
> idiot-proof.
I have opened a ticket for this:
On 08/02/2014 02:19 AM, Ben H wrote:
> The document is worded poorly as it can be interpreted that this salt is
> used for all enctypes, but I believe that only AES is salted in this way
> and based on my testing RC4 doesn't get salted.
The RC4 enctype completely ignores the salt, so it doesn't ma
On 08/08/2014 03:37 AM, jarek wrote:
> Is it possible to receive ticket for host principal and use this ticket
> for authentication ?
Yes. Normally this is done using a keytab, in one of three ways:
* krb5_get_init_creds_keytab from the application code.
* kinit -k from the command line.
On 08/11/2014 03:40 AM, Michael Osipov wrote:
> I have made several improvements to the build files, especially for HP-UX 11
> on IA64.
>
> Where is the best place to discuss then? This list or rather dev@?
I assume you mean to MIT krb5? The best thing to do is file a github
pull request at git
On 08/13/2014 05:14 AM, Petr Spacek wrote:
> - The application later uses krb5_cc_retrieve_cred() to get
> creds.times.endtime value and to check that the ticket is still valid.
You can set an endtimes value in mcreds.times and specify the
KRB5_TC_MATCH_TIMES flag, and only credentials which expi
On 08/13/2014 09:59 PM, Jaap Winius wrote:
> [...] while in krb5.conf I had:
It turns out that the only auth_to_local relations used from krb5.conf
are the ones in the realm subsection for the default realm. It would
make more sense if it were located in [libdefaults], but this is the
historical
On 08/14/2014 04:38 AM, jarek wrote:
> I'm almost sure that the problem is with buggy pkcs11
> lib, but I don't understand, why kadmin tries to access smart card when
> it should use keytab only:
My initial reading of the code is that it should only invoke the PKCS11
module when it is actually doi
On 08/18/2014 12:56 PM, Ben H wrote:
> We have an application that is experiencing some issues when tickets expire.
What Kerberos implementation and version, and on what platform?
Are you getting tickets with a password or with a keytab? If you are
using a password, is it possible that the clien
On 08/22/2014 11:35 AM, Stephen Carville (Kerberos List) wrote:
> Everything works as expected -- so far :). Is it necessary or even
> possible to re-key the database to use the default (aes256-cts?) in
> newer version?
It isn't necessary, but it is possible, using the instructions here:
http://
On 08/25/2014 03:05 PM, Markus Moeller wrote:
> I call krb5_get_init_creds_keytab in my application and valgrind tells me
> about a leak ( see below ) . It seems to be the memory allocation for
> mod-modreq_p, which I think I can't clear from my application, can I ?
I believe this is issue #779
On 08/28/2014 06:05 AM, ольга крыжановская wrote:
> How do I enable collections?
Set KRB5CCNAME to use a collection-enabled cache type, typically DIR.
For example:
mkdir /tmp/mydir
KRB5CCNAME=DIR:/tmp/mydir
export KRB5CCNAME
kinit princ1
klist    # shows princ1 tickets in DIR::/tmp/
On 08/28/2014 10:17 AM, Cedric Blancher wrote:
>>> How do services like NFSv4, HTTP/spnego or GSSAPI know which of the
>>> entries is the one they want?
NFS is a special case, as the program making the decision doesn't have
access to the environment of the process which made the filesystem call.
On 09/02/2014 04:20 AM, bodik wrote:
> But I was thinking, if there would be something like "static_kdc.c"? some
> very small implementation without all fancy features like PA, crossrealming,
> heavy encryption, something which would just send out session keys to
> everybody having some stat
On 09/04/2014 01:58 AM, Brett Randall wrote:
> I create a short-life, renewable ticket, then use klist -s to check
> before/after it has expired. Then kinit -R is able to renew the
> ticket.
From your sequence of operations, you're just seeing the five-minute
grace period for expired tickets. T
On 09/10/2014 09:59 AM, Robert Levas wrote:
> It is possible to create the KDC database from an non-interactive (Linux,
> for now) script? I am trying to automate the installation of a KDC and am
> failing to get past the database creation phase since kdb5_util create [-s]
> appears to not have an
On 09/10/2014 01:44 PM, Hugh Cole-Baker wrote:
> What I'd like is to
> get the delegated credential to be the default principal in the ccache, so
> that the LDAP library uses it.
I agree that the current behavior (present since 1.8) is unhelpful, and
it's not consistent with other implementations
On 09/13/2014 12:52 PM, Rick van Rein wrote:
> But this leaves me a bit worried about the KRB5-NT-ENTERPRISE nametype — does
> it apply to what I am doing? Does my approach create a correct enterprise
> principal name, or am I so lucky to run into leniency by Kerberos?
As I understand the enter
On 09/24/2014 06:54 AM, Lionel Cons wrote:
> Has anyone considered switching the source format for the kerberos man
> pages from the current custom format over to Docbook/XML? It would
> make tasks like translation (our main issue) or generation of troff,
> PDF and PS output much easier and gives m
On 09/26/2014 03:28 PM, Prakash Narayanaswamy wrote:
> We're using MIT Kerberos v5-1.10.3 . Occasionally we're seeing
> authentication failures. The gss_display_status call on the minor status
> code returned by the gss_accept_sec_context (major status ==
> GSS_S_FAILURE) gives the following error
On 10/06/2014 04:49 PM, Xie, Hugh wrote:
> I created some printf to check verifier_cred_handle I passed into
> *gss_accept_sec_context()* are set back to GSS_C_NO_CREDENTIAL once it reach
> kg_accept_krb5(). That in turn cause one of the condition * cred->usage ==
> GSS_C_BOTH * to be false. I d
On 10/07/2014 08:43 AM, kannan rbk wrote:
> Is there any way to get the password hash & salt from the kerberos server?
The Kerberos protocol uses a very specific kind of "password hash" (the
RFC 3961 string-to-key operation), which may not be importable into
other applications. It might be import
On 10/08/2014 10:29 AM, Xie, Hugh wrote:
> We are using version 1.9.1. When I turn on backtrace in debugger, I see the
> gss_accept_sec_context was in turn called internally inside spnego_mech.c
> that pass a NULL verifier_cred_handle krb5_gss_accept_sec_context_ext. Anyway
> I can resolve this i
On 10/08/2014 03:41 PM, Xie, Hugh wrote:
> After switching version 1.12.2, as a follow up question to the next step of
> S4U2Proxy.
>
> I passed the delegated_cred_handle from *gss_accept_sec_context()* to
> *gss_init_sec_context*. I got a "No context has been established" error since
> the con
On 10/08/2014 05:45 PM, Xie, Hugh wrote:
> My mistake. The error is from * gss_inquire_context(&min_stat,
> state->context, &gssuser, NULL, NULL, NULL, NULL, NULL, NULL);* post call to
> * gss_init_sec_context*. Can I still call this function post
> gss_init_sec_context with delegate handle?
O
On 10/09/2014 07:12 AM, Xie, Hugh wrote:
> Perhaps this is a bug. Gss_init_sec_context did return GSS_S_COMPLETE
> for me.
I don't think we have a bug such that gss_inquire_context on an
established context would return GSS_S_NO_CONTEXT, no; that would show
up in our automated tests. Make sure yo
On 10/10/2014 09:50 AM, Rick van Rein wrote:
> I found GSS_C_SEQUENCE_FLAG defined in RFC 1509, as a general flag for
> GSS-API mechanisms. And, there is an alternative flag GSS_C_REPLAY_FLAG that
> is also available in the Kerberos mapping of GSS-API. So the answer appears
> to be “yes, you c
On 10/13/2014 06:45 AM, Giuseppe Mazza wrote:
> It seems to me that the tag kdc_supported_enctypes is not used in the
> file kdc.conf anymore:
[...]
> I had that tag in the configuration of my old kerberos server, but I
> have not added it in the new one.
From a look at our version history, the
On 10/13/2014 07:57 AM, Rick van Rein wrote:
> I’m finishing a TLS-with-krb5-and-DH proposal which relies on this record.
> Without it, there is no chance of knowing how to crossover to other realms
> (the mechanics of that being unsettled). I may now have to introduce these
> TXT records in
On 10/23/2014 11:38 AM, Xie, Hugh wrote:
> When I pass GSS_C_NO_CREDENTIAL as cred_handle to gss_init_sec_context(), I
> got no error. But when I pass delegated_cred_handle (output from
> gss_accept_sec_context) as cred_handle to gss_init_sec_context(), I got
> 'Matching credential not found' er
On 10/29/2014 07:14 PM, Rufe Glick wrote:
> Kerberos 5 client side package supplied me with two similar utilities: ktutil
> and k5srvutil. I believe that there is no operation that k5srvutil script
> does that ktutil can't do. So why do package maintainers keep both of them?
There is no ktutil e
On 10/31/2014 01:52 PM, Benjamin Kaduk wrote:
> gssapi-keyex is not a way for the client to authenticate to the server; it
> replaces the normal key exchange step that uses the server's
> ssh_host_{ecdsa,rsa,dsa}_keys.
If memory serves, the gssapi-keyex key exchange actually authenticates
both par
On 11/04/2014 12:54 PM, Andreas Ntaflos wrote:
> Hi,
>
> I see that the "-history" option for "add_policy" (in kadmin) is not
> supported when using the LDAP backend for Kerberos [1].
We expect to have this implemented for 1.14 (see
https://github.com/krb5/krb5/pull/132 ) but for now that is
On 11/14/2014 09:31 AM, Rémi Ferrand wrote:
> * How could I know which service principal was used to authenticate to
> the remctl server ? I need this information for
> gss_acquire_cred_impersonate_name() 3rd argument and for
> gss_init_sec_context() 4th argument.
gss_acquire_cred_impersonate_name
On 11/27/2014 02:34 AM, Peter Mogensen wrote:
> I was looking at libkrb5 for the public API mirroring "in_data" in
> krb5_mk_req()
> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html
I have noticed myself the asymmetry between mk_req taking application
data to checksum
On 12/01/2014 03:03 AM, Peter Mogensen wrote:
>> Be aware that integrity-protecting application data using the
>> authenticator checksum increases a protocol's dependency on the replay
>> cache, which is inherently imperfect.
> This seems counter-intuitive to me.
The more robust alternative is t
On 12/09/2014 12:32 AM, Todd Grayson wrote:
> What is the proper order for the [domain_realms] section of the krb5.conf
> with regard to rules being applied when there are mixed dns FQDN, domain
> names and REALMS.
The order of relations in a profile only matters for relations of the
same name (su
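As an added example (not code from MIT krb5 or from anyone on this thread), the following resolves a hostname against a [domain_realm] mapping the way the documented semantics read to me: the exact host relation is tried first, then each parent domain from the most specific to the least specific, and a host relation also acts as an implicit domain relation unless an explicit ".domain" relation exists. Because the lookup is most-specific-first, the order in which the relations appear in krb5.conf does not matter. The sample mapping is constructed for illustration; exact equivalence with libkrb5's lookup is an assumption.

```python
"""Added example: how a [domain_realm] lookup resolves a hostname.

Not MIT krb5 code. Implements the documented semantics as read by the
editor: most specific relation wins, so relation order is irrelevant.
The sample mapping below is constructed for illustration.
"""

# Constructed stand-in for a [domain_realm] section.
# A key with a leading "." maps every host below that domain; a key
# without one names a single host (and, per the krb5.conf docs, implicitly
# the domain below it unless an explicit ".domain" relation is present).
SAMPLE_DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    "db.example.com": "DB.EXAMPLE.COM",
    "sub.example.com": "SUB.EXAMPLE.COM",
    ".lab.example.com": "LAB.EXAMPLE.COM",
}


def candidates(hostname):
    """Yield lookup keys from most to least specific."""
    host = hostname.lower().rstrip(".")   # relations are lower-case; drop a trailing dot
    yield host                            # 1. exact host relation
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        yield "." + parent                # 2. explicit domain relation
        yield parent                      # 3. host relation acting as implicit domain


def host_to_realm(hostname, domain_realm=SAMPLE_DOMAIN_REALM):
    """Return the realm for hostname, or None when nothing matches.

    A real client would then fall back to DNS TXT lookup (if enabled) or the
    default realm; that fallback is out of scope here.
    """
    for key in candidates(hostname):
        if key in domain_realm:
            return domain_realm[key]
    return None


if __name__ == "__main__":
    for h in ("db.example.com", "www.example.com", "node1.lab.example.com",
              "www.sub.example.com", "host.other.org"):
        print(f"{h:26} -> {host_to_realm(h)}")
```

Feeding the same relations in reverse order gives identical answers, which is the practical meaning of "order does not matter" for [domain_realm]; what does matter is whether a more specific relation exists.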
On 12/09/2014 12:20 AM, Todd Grayson wrote:
> Is there a configurable timeout value that can be set in the krb5.conf to
> tell a client how long to wait for a response from a KDC before failing
> over to the next listed kdc entry for a specific REALM in the [realms]
> section of the krb5.conf?
No,
On 12/08/2014 10:24 AM, Dave Botsch wrote:
> So, at renew time, MS Windows is sending back to the MIT KDC the
> original renewable TGT. In the Request Body section, the client requests
> a TGT with [only the Renew kdc-option set].
>
> The MIT KDC sends back a new TGT that is not renewable and with
On 12/16/2014 10:31 AM, Kenneth MacDonald wrote:
> I've been asked if it would be possible for the MIT krb5 KDC not to
> increment the failed authentication count (and presumably the time) when
> one of the older passwords was used. I know such behaviour is not
> documented.
[...]
> I'm wondering
On 12/18/2014 02:02 PM, Xie, Hugh wrote:
> I am getting "Wrong principal in request" error on gss_accept_sec_context()
> on one host but does not on another. I verified /etc/hosts, both host conform
> to this format
>
> # Default /etc/hosts file
> 127.0.0.1 localhost.localdomain localhost
without retaining the old keytab?
> (If so, run kinit again on the client to flush any old service
> tickets.)
> I did this multiple times already.
>
> -----Original Message-----
> From: Greg Hudson [mailto:ghud...@mit.edu]
> Sent: Friday, December 19, 2014 11:24 AM
> T
On 12/19/2014 01:33 PM, Xie, Hugh wrote:
> We are using the same account on both hosts the Principal in the keytab is
> "mya...@common.bankofamerica.com"
> The service ticket on the clients has the principal of:
> HTTP/host1.bankofamerica.com @ COMMON.BANKOFAMERICA.COM
> HTTP/host2.site123.baml.c
On 12/22/2014 05:49 AM, Tollef Fog Heen wrote:
> I'm trying to set up the MIT KDC with support for OTP tokens (yubikeys
> in my case, as a single factor, at least initially). I have the entire
> bit from the RADIUS server and backwards working correctly, but I can't
> get the KDC to see replies fr
On 12/23/2014 04:38 AM, Shuaijie Wang wrote:
> By default, kinit will generate TGT file under /tmp. Is there any way to
> specify other directory to put TGT in?
Gwenael already pointed out the KRB5CCNAME environment variable. In
addition, MIT krb5 1.11 adds the default_ccache_name krb5.conf varia
On 01/02/2015 05:35 PM, Markus Moeller wrote:
> I lately changed from krb5 1.10 on OpenSuse 12.3 to krb5 1.12 on OpenSuse
> 13.2 and wonder what is happening
The DIR ccache type was actually added in krb5 1.10, but presumably
OpenSUSE 12.3 wasn't using it by default, and OpenSUSE 13.2 is.
The
On 01/05/2015 03:24 AM, Siddharth Mathur wrote:
> Despite deploying the right kind of client certificates on my mobile
> devices (iOS) and using the right type of certificate on the KDC, I am
> not sure if they are talking certificates at all. How do I debug if
> the certificate matching rules are
On 01/05/2015 04:04 PM, Xie, Hugh wrote:
> Any follow up on this issue? Do you need any more information? Should I turn
> on debugger to see where this error occurred, if yes I need some pointer
> which files to set break points.
I'm a bit confused by the information given so far, and I think so
On 01/05/2015 09:36 PM, Xie, Hugh wrote:
> 1. /efs/dist/kerberos/mit/1.11.5/exec/bin/klist -k -t $KRB5_KTNAME
> Keytab name: FILE:/tmp/myacct.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ---------
>    2 12/17/2014 15:30:08
On 01/15/2015 05:18 PM, Xie, Hugh wrote:
> I upgrade the version of krb5 lib to version 1.13. Got more specific error:
> Request ticket server HTTP/ host2.site123.baml@common.bankofamerica.com
> kvno 15 enctype rc4-hmac found in keytab but cannot decrypt ticket
>
> Any idea?
Whatever procedur
I don't think your image attachments made it through the mailing list
server.
Single-component KDC hostnames should not cause a problem as long as the
client can resolve them. If you are using an MIT krb5 client, the best
way to get more insight is to use "env KRB5_TRACE=filename kinit ..."
and l
I'm removing kfwdev from the CC list as there is nothing specific to
Kerberos for Windows about the question.
On 01/18/2015 08:10 PM, Zaid Arafeh wrote:
> Here's the scenario. I am trying to get krb5 to use an NT hash. NT hash is
> merely the MD4 computation of the UTF-16LE of the password string
On 01/19/2015 02:24 AM, Zaid Arafeh wrote:
> If I have the K/M key (which is in the database) and I have the password
> for the master key, would that make extracting hashes from the database
> easier?
It is possible but not convenient; you would have to write code to do
the decryption.
> I looke
On 01/20/2015 12:08 AM, Zaid Arafeh wrote:
> My questions are
> 1- are there structural differences between MS tickets and MIT tickets?
The tickets themselves are in the same format, defined by RFC 4120. But
they are stored in different ways. MIT krb5 generally stores tickets in
a FILE ccache, w
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2015-001
MIT krb5 Security Advisory 2015-001
Original release: 2015-02-03
Last update: 2015-02-03
Topic: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
VU#540092
CVE-2014-5352: gss_process_context_token() incorrectly fre
On 02/03/2015 08:09 AM, Rasmus Borup Hansen wrote:
> I'm trying to find all the steps necessary for successfully changing a
> username on our system, and it appears that when I try to rename the
> corresponding principal using kadmin, the principal just disappears (see the
> transcript below).
On 02/03/2015 10:00 PM, Paul B. Henson wrote:
> Hmm, that's a bummer, I was just about to avail of rename_principal
> functionality with an LDAP backend as part of a realm rename we have coming
> up :(. I was planning to rename everything and then rename it back in order
> to hardcode the correct s
On 02/10/2015 05:27 AM, Gergely Czuczy wrote:
> Anyone has any idea why I'm not getting a proper renew-until timestamp
> for the acquired tickets? I'm running out of ideas and googling what
> might be wrong here.
You didn't mention setting a maxrenewlife on krbtgt/REALM; that is also
necessary i
On 02/12/2015 03:28 AM, Gergely Czuczy wrote:
> A bit off the topic, but please allow me a question here. I've noticed
> that addprinc -x dn= only allows a single principal per entry, and -x
> linkdn= does not put the krbPrincipalName into the specified entry. With
> utilizing the LDAP backend,
On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
> 2) If i addprinc an alias principal pure, or addprinc -x linkedn=, then
> the principal is created under the realm's tree in ldap, and afterwards
> adding the principal to the ldap entry in question who it belongs to
> will make the KDC seeing it mu
On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
> So, this means, when adding an alias, additional work is not needed, just
> another value for krbPrincipalName?
> I had the impression that some additional stuff needs to be stored along
> with the alias, like, i don't know, keys, or whatever stuff. Thi
On 02/13/2015 12:55 PM, Michael Ströder wrote:
> So the alias name is not cryptographically bound to the principal's key?
Not inherently, no.
If a principal's long-term key is based on a password, a salt is used to
increase the cost of dictionary attacks against multiple principals
(except for th
On 02/14/2015 02:20 AM, Gergely Czuczy wrote:
> So, actually there's a difference between an alias, and the -x linkdn=
> option?
> The alias is technically the very same principal, and addprinc -x
> linkdn= is a new principal, linked to an already existing entry in LDAP?
linkdn is totally differen
On 02/04/2015 06:24 AM, Michael Ströder wrote:
> For some attribute types with IA5Syntax there's defined:
>
> SUBSTR caseExactSubstringsMatch
>
> IMHO this is wrong. It has to be:
>
> SUBSTR caseExactIA5SubstringsMatch
>
> Where to file a ticket?
Sorry for the slow response. Pleas
On 02/18/2015 05:49 PM, Charles Adams wrote:
> slave1# kdb5_util dump -ov -verbose ~/kerbmaster-ov K/m...@my.realm.org
> slave1# kdb5_util dump -verbose ~/kerbmaster K/m...@my.realm.org
I don't think there's ever much call to use dump -ov today, although the
documentation was unclear on that point
On 02/19/2015 10:16 AM, Marc Richter wrote:
> kinit: Invalid format of Kerberos lifetime or clock skew string while
> getting initial credentials
I believe that error results from these lines in krb5.conf:
ticket_lifetime = 10 hours
renew_lifetime = 7 days
These should be "10h" a
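As an added example (not MIT krb5 code), here is a parser for the lifetime and clock-skew strings krb5.conf accepts, written from the documented forms: a bare integer of seconds, a combination of d/h/m/s units such as "1d2h", or h:m[:s]. It rejects "10 hours" with the same wording kinit produced above, and a small checker scans the relevant relations of a krb5.conf text so a misconfiguration is caught before kinit runs. Exact equivalence with krb5_string_to_deltat is an assumption; the grammar here covers the common forms only, and the sample configurations are constructed.

```python
"""Added example (not MIT krb5 code): parse krb5.conf lifetime strings.

Accepted forms: bare seconds ("36000"), unit combinations ("10h", "7d",
"1d2h3m4s"), or clock style ("10:30", "10:30:15"). Anything else raises
ValueError, as kinit does for "10 hours". Equivalence with the library's
own krb5_string_to_deltat is an assumption.
"""
import re

_UNITS_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
_CLOCK_RE = re.compile(r"^(\d+):(\d{1,2})(?::(\d{1,2}))?$")
_RELATION_RE = re.compile(r"^\s*(ticket_lifetime|renew_lifetime|clockskew)\s*=\s*(.+?)\s*$")


def parse_deltat(text: str) -> int:
    """Return the number of seconds a lifetime string denotes."""
    s = text.strip()
    if not s:
        raise ValueError("empty lifetime string")
    if s.isdigit():                         # plain seconds
        return int(s)
    m = _CLOCK_RE.match(s)                  # h:m or h:m:s
    if m:
        hours, mins, secs = (int(x) if x else 0 for x in m.groups())
        if mins > 59 or secs > 59:
            raise ValueError(f"minutes/seconds out of range: {text!r}")
        return hours * 3600 + mins * 60 + secs
    m = _UNITS_RE.match(s)                  # NdNhNmNs, any subset, in that order
    if m and any(m.groups()):
        days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
        return days * 86400 + hours * 3600 + mins * 60 + secs
    raise ValueError(f"Invalid format of Kerberos lifetime or clock skew string: {text!r}")


def check_lifetimes(conf_text: str) -> dict:
    """Map each lifetime relation found to (raw value, seconds or None if invalid)."""
    result = {}
    for line in conf_text.splitlines():
        m = _RELATION_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        name, raw = m.groups()
        try:
            result[name] = (raw, parse_deltat(raw))
        except ValueError:
            result[name] = (raw, None)
    return result


# Constructed samples: the poster's failing values and the corrected ones.
BROKEN_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10 hours
    renew_lifetime = 7 days
"""
FIXED_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 7d
    clockskew = 300
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for name, (raw, secs) in check_lifetimes(conf).items():
            status = f"{secs} s" if secs is not None else "INVALID"
            print(f"{label:6} {name:16} {raw!r:14} -> {status}")
```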
On 03/14/2015 05:10 AM, Rick van Rein wrote:
> I’ve been looking for ways of concealing principal names with Kerberos. I
> think this
> is of interest in relation to Internet-wide realm crossover with Kerberos.
> The only
> way I found are the anonymity mechanisms of RFC 6112, but that provides
On 03/21/2015 10:28 PM, HARMAN wrote:
> I started xinetd service, and tried propagating database (without starting
> kpropd, as I have not configured incremental propagation), and it gave me
> an error:
> kprop: Connection refused while connecting to server
I couldn't figure out what's wrong here.
On 03/31/2015 07:56 AM, Rainer Krienke wrote:
> I would like to achieve the following. A particular user say "john" logs
> in at a linux system or authenticates in apache against kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional other pa
On 04/13/2015 05:13 PM, Neng Xue wrote:
> However, when I used 'kinit -r 20m', the klist -f output was:
The KDC won't issue a renewable ticket if you request a lifetime greater
than the renewable lifetime. You could try "kinit -l 10m -r 20m", or
"kinit -r 2d" or something.
Also make sure that kr
On 04/24/2015 03:37 PM, Ben H wrote:
> Why not simply use host/serverA.domain.com for both services?
At a protocol level, it's to support privilege separation on the server.
The CIFS server doesn't need access to the LDAP server key and vice versa.
Of course you only get this benefit if (a) the
On 04/24/2015 03:44 PM, Ben H wrote:
> From a client perspective, if I want to switch to using a different
> krb5.conf file, I just use:
>
> export KRB5_CONFIG=/etc/alternate-krb5.conf
>
> But the server will always try to use /etc/krb5.conf
The expected behavior is:
* Every process uses $KRB5_
On 04/24/2015 06:05 PM, Ben H wrote:
> So from a privilege separation perspective, are we talking more from a
> hardening perspective? E.g. if I can compromise serviceA that would
> give me the key to serviceB?
Yes.
> While that is a valid concern - if we were to guarantee (theoretically)
> that
This thread might be better suited for krb...@mit.edu, but I'll leave it
here.
On 05/02/2015 10:57 AM, John Hascall wrote:
> Is there a reason why the kadm5_hook interface does not seem to have any
> support for a principal "rename" operation?
An oversight, I think. The rename operation was adde
On 05/06/2015 10:45 AM, Meike Stone wrote:
> I like to use kpasswd, but the kpasswd_server is behind a firewall and
> only TCP port 464 is allowed.
> But as i see, kpasswd only uses UDP. Setting udp_preference_limit to 0
> (under libdefaults)
> didn't help.
The intent of the changepw.c code is to
On 05/07/2015 05:54 AM, Chris Hecker wrote:
> Okay, I have a client communicating with a server, and they've gone
> through the AS_REQ/AS_REP dance and that's all working fine.
I think you mean AP-REQ/AP-REP.
> Basically, in my tests I've found the initial AS_REQ authentication is
> pretty slow
On 05/06/2015 12:35 PM, Meike Stone wrote:
> The Client is KfW 4.0.1 32bit. The kpasswd Server is AD W2k8, udp and
> tcp (port 464) on the Server are open.
> On the firewall is a proxy firewall with a rule for port TCP 464.
>
> If I start kpasswd, I get at first a few port 88 (preauth) then I only
On 05/07/2015 02:21 PM, Brandon Allbery wrote:
> On Thu, 2015-05-07 at 17:08 +0200, Fabrice Bacchella wrote:
>> I can always provide a keytab for both the server and the client, so I
>> don't need to have a kdc running. But how can I have the service
>> ticket (host/localhost@DOMAIN) ? To get it I
On 05/07/2015 02:44 PM, Chris Hecker wrote:
> I found it slow under a loadtest, where 1000s of clients were trying to
> log in simultaneously. I can't find the profiles from before I
> timesliced it, but on the (slow) machine I'm using it's looking like
> it's taking 1ms for 6 krb5_rd_req calls, w
On 05/08/2015 04:57 AM, Chris Hecker wrote:
> Hmm, thinking about this a bit more: if I turn off DO_SEQUENCE so I can
> share the auth_context, is there a way to dupe it so it can be used in
> both threads simultaneously? There shouldn't be any more mutable
> dependent state in there if there's n
On 05/12/2015 04:44 PM, Leonard J. Peirce wrote:
> Authentication attempt failed: 172.30.110.46, GSS-API error strings are:
> Unspecified GSS failure. Minor code may provide more information
> Clock skew too great
I don't know of a reason why this would happen with synchronize
Vishal found issue #7092 (worked around in 1.10.1) which may provide
some clues:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7092
http://mailman.mit.edu/pipermail/krbdev/2012-February/010699.html
and also provided a little more information. Apparently the incoming
kvno (I assume from
On 05/29/2015 02:16 PM, vishal wrote:
> 1. Windows version is 2008r2 as domain controller.
>
> 2. We get the ticket in TGS-RESP with kvno 255, this TGS-REQ was sent
> for krbtgt for trusted domain from linux box.
I believe you are actually getting the ticket with kvno -1, not with
kvno 255. Whe
>
> It should be -1, Wireshark shows as ff.
>
> What do you mean by not easily portable?
>
> I would do just do:
> + FIELDOF_OPT(krb5_enc_data, int32, kvno, 1, 1),
>
> Would it have any side effect?
>
> On Fri, May 29, 2
On 06/04/2015 09:45 PM, Ken Hornstein wrote:
> I haven't tried that combination, but from memory the issue is that
> the kpasswd protocol uses a KRB-PRIV message and the issue was that
> you can't omit an IP address from it (let me check ... yes, the sender's
> address is not optional in a KRB-PRIV
On 06/05/2015 07:24 AM, John Devitofranceschi wrote:
> How is ktadd *supposed* to figure out which enctype(s) to use?
In the absence of the optional keysaltlist parameter, it's supposed to
be determined by supported_enctypes on the KDC.
> But when we run ktadd the resulting keytab’s key has des-c
On 06/09/2015 10:49 AM, Matt Garman wrote:
> I just want to do a sanity check that I'm not overlooking any
> important step. I think I can basically follow the instructions
> provided here:
> http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/install.html
That's really old documentation.
On 06/10/2015 02:11 PM, Leonard J. Peirce wrote:
> This has been resolved. The problem was a lack of entropy that caused
> kadmind to block while reading /dev/random and of course refuse connections
> from kpropd. I installed/started haveged and kadmind now starts up fine.
Thanks for reporting b
On 06/13/2015 07:38 AM, Chris Hecker wrote:
> Is it a problem to return the krb5_rd_req error code on failed authn to
> clients? Is that revealing information it shouldn't and I should just
> return success or failure? Or filter it down to a few safe ones, like
> clock skew, etc?
The error co
On 06/14/2015 09:11 AM, Chris Hecker wrote:
> I'm calling krb5_k_encrypt with a random key that I'm going to use for
> miscellaneous stuff. I assume I want to use
> KRB5_KEYUSAGE_APP_DATA_ENCRYPT? I don't see much documentation on this,
> but it looks like the most obviously named one.
RFC 41
On 06/17/2015 09:26 AM, Leonard J. Peirce wrote:
> The cause of kprop hanging was the MTU setting on our CentOS VMs.
Thanks, that is good to know.
> Unrelated to this I did notice something interesting. After reloading
> the database with kdb5_util kadmind naturally forces a full resync of our
>
On 06/20/2015 11:15 AM, John Devitofranceschi wrote:
> echo "" | kinit princ 2>&1 | grep revoke => account is locked
>
> (this is done in a loop and each invocation uses a different krb5.conf with a
> different kdc)
>
> Is this too brittle? is the error message likely to change? Is there a bett