As far as I am aware that symbol is not being exported by the
gssapi32.dll. In my previous GSSAPI projects the OIDs table must be
defined by the application on Windows.
[EMAIL PROTECTED] wrote:
> Hi,
>
> I tried to build a sample windows program by using kerberos 1.3 win version,
> in
Sam Hartman wrote:
"Jeffrey" == Jeffrey Altman <[EMAIL PROTECTED]> writes:
Jeffrey> As far as I am aware that symbol is not being exported by
Jeffrey> the gssapi32.dll. In my previous GSSAPI projects the
Jeffrey> OIDs table must be defined by the
were used, the
truncation applied in the current code would make the communication
between the client and server incompatible if single DES were ever
negotiated.
- Jeffrey Altman
Markus Moeller wrote:
I would like to encrypt a kerberised telnet session stronger then with DES.
I assume that
encryption provided you are willing to compile out the
support for DES support. This of course disables compatibility with
existing clients.
Jeffrey Altman
Markus Moeller wrote:
Jeffrey
Markus:
Your patch is close to the correct way to do this. The primary issue is
the question of the
Download the source code to Kerberos for Windows by following the links
from http://web.mit.edu/kerberos/. Then read the README file.
Pratibha Gupta wrote:
Where can I get instructions to compile the kerberos code on Windows
using MS VC ?
Thanks
_
Do not download the source for krb5-1.3.1; download the source for
Kerberos for Windows 2.5.
Jeffrey Altman
Pratibha Gupta wrote:
I downloaded the source code for krb5-1.3.1 and followed the
instructions in the README file under krb5-1.3.1/src/windows. Now when I
run nmake on windows, I get
Not supported by MIT.
Pratibha Gupta wrote:
Hi,
Thanks for all the help so far. Using the makefile that ships with
kerberos for windows 2.5, I was able to build the dll krb5_32.dll (along
with some other dlls and exes). Is there a way to build a static library
version of krb5_32.dll?
Thx
the only valid characters which may be used in RFC1510 implementations
of Kerberos within GeneralString fields are those contained in US-ASCII.
The following text is quoted from:
draft-ietf-krb-wg-kerberos-clarifications-04.txt
5.2.1. KerberosString
The original specification of the Ker
regarding which tools are required:
MS VC++ 6 SP5
MS Platform SDK (August 2001 or later)
ActiveState Perl
Cygwin
as well as the commands needed to build both debug and release versions.
Jeffrey Altman
Peter Ju wrote:
Hello...
I've got the leash32 sdk in MIT to build and debug ker
You do not have a REALM entry in your krb5.conf file for the realm
you are attempting to contact, so DNS is being used. But the local
DNS server does not have the data and must propagate a query. The
network has a long propagation delay and therefore the Kerberos
client times out before the respo
principals to your KDC for the
-AFS extended host names if you want to avoid the error messages.
Remember that all of the principals for a given host have to use the
same password.
Jeffrey Altman
Jason C. Wells wrote:
The OpenAFS client for windows uses an additional netbios name such that
the
of afscreds. Simply place
leash32.exe -autoinit
into a Startup shortcut. (You can even minimize it). Microsoft
Kerberos LSA
credentials will be auto-imported and afs tickets will be requested
using Kerberos
5 and krb524d. The tickets will be auto-renewed as approach expiration
as well.
Jeffrey
You will need to provide a bit more context as the location of the
initial error. You do not need to include the CRT source files in
your INCLUDE path.
Jeffrey Altman
shivakeshav santi wrote:
Hi,
I was successfull in building kfw-2.2-beta2. on Windows XP professional. I am trying to build
Download Kerberos for Windows 2.5 from http://web.mit.edu/kerberos/
sam wrote:
Thanks for the reply, do you know how to test Kerberos connection from a
remote host eg. Windows?
I have configured Kerberos V server in OpenBSD 3.4, but don't know how to
test it, the infor hermeil does not tell.
than
Kerberos for Windows does not include the KDC or any server management
tools. The MIT KDC is not supported on the Windows platform at the
present time.
Jeffrey Altman
mourchid fatima wrote:
Hello,
Does the binary distribution of KFW 2.5 contain The server side of
Kerberos (KDC, Kadmin
ve no idea about Secure CRT.
Jeffrey Altman
junaid bhimani wrote:
I am trying to authenticate through secure crt using gssapi provided by
kerberos. Kerberos 5 server is unix based. Client is windows xp. I can
run kinit, klist and kdestroy successfully. But when connecting to
server through sec
main then you do not have a Kerberos
realm yet.
Jeffrey Altman
KFW Maintainer
Kevin Burton wrote:
I am using the SSPI workbench (Keith Brown) in "server" mode listening at
port 4242. I am using the MIT distribution of Kerberos and compiled the
source for Windows. There is a program in th
I believe KFW 2.5 is not supported under .NET 2003. (KFW 2.6 will be)
Why do you need to build from source?
Jeffrey Altman
KFW Maintainer
Kevin Burton wrote:
I installed perl and followed all of the instructions but during the build
of kfw 2.5 I get the following error. I am using Visual Studio
The "Uppercase Realm" option only affects the ticket getting ticket
and change password dialogs. It does not affect the Kerberos
Properties dialogs.
You may submit bug reports to "kfw-bugs at mit.edu"
Jeffrey Altman
KFW Maintainer
Eli Breder wrote:
Hi,
I apologize if thi
be
used by applications to cause ticket retrieval to be performed via
the MS Kerberos LSA cache for the current logon session user instead
of the default MIT credentials cache.
KfW 2.6 is currently in beta. Downloads are available from the MIT
web site.
Jeffrey Altman
KFW Maintainer
Kevin Wang wro
ol\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x1 (DWORD)
if you want to allow KfW to import Windows LSA credentials into the
MIT ccache via either ms2mit or Leash.
Jeffrey Altman
Ryan Odgers wrote:
> Hi Doug,
>
> still on win2000
> I can authenticate and get tgt ticket wit
. If you have a system which is consistently
producing bad data
at a known point it would be good to see if we can trace it down.
Jeffrey Altman
John Hascall wrote:
6303373b766d61124537494153544154452e4544550067710e403f616673
c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U
software should do the
rest.
Jeffrey Altman
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
mpile time.
Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames
and passwords which is accessible over the network. Your users
must then transmit said usernames and passwords across the network
to a potentially compromised machine in order for them to
GSSAPI Kerberos V5 is being used for authentication
LDAP is being used for authorization. This is not the same
as using LDAP for authentication.
Jeffrey Altman
Harry Le wrote:
> Not entirely true.
>
> Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerb
What are the service principal and session key keytypes for the
host/[EMAIL PROTECTED] ticket?
If they are not DES-CBC-CRC then you will not be able to
negotiate DES encryption in Telnet protocol.
Ryan Odgers wrote:
> I get the following error when trying to connect with kermit telnet:
> key
What does Kermit list for the output of
AUTH K5 LIST /E
after attempting to connect to the Telnet Service?
Ryan Odgers wrote:
> I created them with ktpass using the defaults of which DES-CBC-CRC should be
> the default. I also tried switching my server to use MD5 type encryption and
> using
David Magda wrote:
>
> And what prevents a Kerberos server from being compromised? Any
> system can have a root-kit installed on it.
Simple. You don't run any other services on your KDC.
All access is via physical connections. Small network footprint
results in extremely low chance of hacking.
Version 1.3.1 distribution
to install and configure a KDC on Unix/Linux. Or you can use on of the
Kerberos distributions which comes with a variety of major commercial
operating systems from Windows Server to HP-UX to Mac OS X to AIX to
Solaris to
Jeffrey Altman
Prabodh Achyutha M wrote:
>
None of these items are supported by the MIT Kerberos Development team.
The only one that you would want to use is (3) so that the resulting
program can access the in memory credentials cache.
You will most likely have to modify the build for openssh to make this
work.
Jeffrey Altman
KfW
If you need to use ms2mit to gain access to your credentials then you
must use KfW because only KfW has the support for the CCAPI based memory
cache. This support is not available when krb5 is built under cygwin or
when krb5 is built outside of the KfW framework.
Jeffrey Altman
KfW Maintainer
> Also, this uses a windows 2000 server for KDC. It had done that for
> over a year with no problems. This problem happened when we migrated
> the server from redhat 7.3 to Redhat enterprise linux (RHEL) 3 over
> the holidays.
Is the KDC being found via DNS or via entries in a krb5.
I should mention that the krb5_locate_kdc() function is one that has
undergone a major re-write between 1.2.7 and 1.3.1. Any findings
that the error is in krb5_locate_kdc() can only be responded to with
a request that you upgrade to the current release of the distribution.
Jeffrey Altman
Ken Weaverling wrote:
> In article <[EMAIL PROTECTED]>,
> Jeffrey Altman <[EMAIL PROTECTED]> wrote:
>>Is the KDC being found via DNS or via entries in a krb5.conf file?
>
>
> krb5.conf I believe -- does windows DNS on active directory stash the
> kerberos lo
Does the VMS KerberosAdmin tool recognize the keytab file? What does
list keytab
report?
Juha Nieminen wrote:
> We are testing Kerberos on OpenVMS.
> We are running VMS 7.3-2 and
> Kerberos for OpenVMS v2.0-6, client setup.
>
> Realm and KDC are in windows2003 server.
> W2K workstations
If you want to provide separate mappings of hosts to domains, then
you will have to provide domain to realm mappings for each individual
machine name
Sam Hartman wrote:
>>"Inger," == Inger, Slav (S B ) <[EMAIL PROTECTED]> writes:
>
>
> Inger,> Final question for today: is it explicitl
You don't need to install a KDC but you do need to ensure
that the keytab file you created is in the proper format
expected by Kerberos on VMS. If KerberosAdmin is the
only tool available to read/write keytab files then you
will need to install whatever is necessary to obtain access
to that tool
().
Jeffrey Altman
Kevin Burton wrote:
> Do you have any suggestions as to how to do that?
>
> "Sam Hartman" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>>Are you using krb5_prompter_posix? If so, this does not really work
>>on Windows
What operating system are you running on?
If it is Windows 2003 or Windows 2000 Server or Windows XP SP2 then the
problem is that you need to set a registry value to enable the
exportation of TGTs from the Kerberos LSA with the session key intact.
Jeffrey Altman
King Lung Chiu wrote:
>
The session key type is 0 (or NULL). What operating system are you using?
King Lung Chiu wrote:
> OK, here's a bit more info:
>
> $ export KRB5CCNAME=FILE:C:/cygwin/tmp/krb5ccwin;leash32 -m;klist -5 -e
> Ticket cache: FILE:C:/cygwin/tmp/krb5ccwin
> Default principal: [EMAIL PROTECTED]
>
>
For Windows 2000 Server the key is:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)
King Lung Chiu wrote:
Hi Jeffrey,
thanks for the reply.
The session key type is 0 (or NULL). What operating system are you using?
I'm running cygwin unde
Microsoft Security Bulletin MS04-007:
ASN.1 Vulnerability Could Allow Code Execution (828028)
Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
Summary:
Version Number: V1.0
Revision Date: 02-10-2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating:
--- Begin Message ---
Microsoft ASN.1 Library Bit String Heap Corruption
Release Date:
February 10, 2004
Date Reported:
September 25, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
--- Begin Message ---
Microsoft ASN.1 Library Bit String Heap Corruption
Release Date:
February 10, 2004
Date Reported:
September 25, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
--- Begin Message ---
Microsoft ASN.1 Library Length Overflow Heap Corruption
Release Date:
February 10, 2004
Date Reported:
July 25, 2003
Severity:
High (Remote Code Execution)
Systems Affected:
Microsoft Windows NT 4.0 (all versions)
Microsoft Windows 2000 (SP3 and earlier)
Microsoft Windows
Which version of MIT Kerberos is the KDC?
And more importantly, does the user principal in the MIT KDC have a key
of type RC4-HMAC associated with it?
Jeffrey Altman
rousset wrote:
> Hello,
>
> I have established a trust relationship between Active Directory and MIT
> Kerberos r
machine hosting
the KDC, then you can securely move it to Windows and place it somewhere
that your KfW based application can find it.
Jeffrey Altman
KfW Maintainer
Colin Caughie wrote:
> Hi,
>
> I'm looking into using Kerberos (probably MIT) to add secure authentication
> to a
The kadm5 library is currently not supported on Windows as part of KfW.
It would certainly be a worth while feature to request. Why don't you
send a feature request to krb5-bugs (at) mit.edu.
Jeffrey Altman
Colin Caughie wrote:
>>"kadmin" is a KDC administration tool.
Digant Kasundra wrote:
> I think that's one of the ways you can do it, but that setup isn't
> considered "pass-through authentication," which is what we are going for.
That is the only way to do it. There is no term called "pass-through"
authentication within Kerberos. The authentication betwe
registered as the prompter and it is called as a result of
krb5_get_init_creds_password() without a password being provided as an
argument. Hence, the password is only prompted for once.
Jeffrey Altman
KfW Maintainer
Beata A. Pruski wrote:
> I have hard time to get the posix prompter to run under
Is kadmind running?
Marcel Lehner wrote:
> Does anyone can help me?
>
> When I try to start kadmin I always get the following message after entering
> my password:
>
> "kadmin: Communication failure with server while initializing kadmin interface"
>
> KDC is running fine and I also get tickets
ation to construct a tool to enable
RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
build one in the next day or two for inclusion within the final release
of KfW 2.6. At the very least this tool will allow you to specify a
MIT Realm Name and allow the RC4-HMAC
Beata A. Pruski wrote:
I must say I don't understand why within krb5_get_init_creds_password, after
the first call to krb5_get_init_creds (with use_master being 0) returns
KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function
with use_master set to 1. Shouldn't there be some
Examine the Kerberos 5 1.3.2 Admin Docs on the MIT Kerberos web site.
Beata A. Pruski wrote:
I did some more search within the source code (kfw-2.5) and found out that
there are two entries in the realms section of the configuration file which
are used for locating kdc(s). They are called "kd
Alberto Patino wrote:
On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
I have verified with Microsoft that the default configuration of Windows
2003 does not allow the use of RC4-HMAC with MIT KDC Trust
relationships. There is functionality to support this mode of operation
unfortunately
Jeffrey Altman wrote:
As the tool affects the Windows 2003 Server LSA configuration, it should
allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC.
(Assuming I can get it to work.)
RC4-HMAC support for cross realm trusts will not be available in Win2003
Server until SP1.
Jeffrey
Workstation using KSETUP?
Jeffrey Altman
Tyson Oswald wrote:
> Hello all,
>
> I read the white paper on the MS site
> (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
> to setup AD authentication on Unix. It is based on MIT KDC, but I am
> using SE
The [EMAIL PROTECTED] mailing list is an inappropriate place for this
discussion.
Please hold this discussion on [EMAIL PROTECTED] OR open a bug report in the
Request Tracker by sending e-mail to [EMAIL PROTECTED]
Thank you.
John Hascall wrote:
Beata A. Pruski wrote:
I must say I don't underst
the in memory credential cache is distributed as part of the
MIT Kerberos for Windows distribution. Version 2.5 is the
last official release; 2.6 is currently in beta.
http://web.mit.edu/kerberos
Jeffrey Altman
KfW Maintainer
Marcel Lehner wrote:
> I had read somewhere that it is possi
ndows maschine.
no
> i'm asking, because my test-suite is on a windows xp maschine and the final version
> has to
> run on a vxworks system.
there is no in memory credentials cache for vxworks.
Jeffrey Altman
Kerbero
Doug:
KfW requires Aug 2001. There is nothing in the newer SDKs that is
required. Using newer SDKs is advised but not required.
- Jeff
Douglas E. Engert wrote:
> Have se this before. You need a the Microsoft SDK.
> See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK
>
___
KFW is only a Kerberos client library.
The MIT KDC is not supported on Windows.
Jeffrey Altman
KFW Maintainer
Gerard Murphy wrote:
> Is it possible to set up a KDC, using KfW 2.5, on a Windows 2000
> Professional or XP machine, so that I can us the LeashManager to get
> tickets?
>
TELNET only supports DES encryption types.
However, that warning means that the telnet client does not
include support for encryption. Which client are you using?
Jeffrey Altman
Neelima Adusumilli wrote:
> Hi!
> When I'm running telnet with -ax option it is giving th
defective
and really needs to be upgraded to correct not only security
problems but a programming error which can result in system
crashes from correct use by applications.
Jeffrey Altman
KFW Maintainer
steve hauser wrote:
> Hello, I'd like to use your kerberos for my Win98 system but it w
If you are an MSDN subscriber I suggest you download Virtual PC for
Windows and install Linux within a virtual machine to use for testing.
If you are not an MSDN subscriber, I suggest you purchase a license to
VMWare.
Ish-Lev Avshalom wrote:
> I have downloaded kfw-2.5 and it compiled fine on
efore starting your application and the credentials from the MS LSA
cache will automatically and transparently be used.
Jeffrey Altman
KFW Maintainer
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Vikas:
I answered the question that I could answer. I do not know the
answer to whether anyone has written a program that uses both
the netscape-sdk and MIT KfW 2.5. I certainly have not.
Jeffrey Altman
Vikas Gandhi wrote:
> Hi Jeffrey
> I am asking a basec fundamental question. Has s
What is KFW 1.2.6 ?
KFW version numbers are 2.5 and 2.6. Krb5 version numbers are 1.2.x and
1.3.x.
KFW 2.5 ships with Krb5 1.3.1
KFW 2.6 ships with Krb5 1.3.2
Jeffrey Altman
KFW Maintainer
Marcel wrote:
> hello,
>
> just wanted to ask if there is possibility or a howto to force
who has authenticated
has the necessary privileges or not to access the service.
Jeffrey Altman
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Yes. Set the environment variable
KRB5CCNAME=MSLSA:
before initializing the GSSAPI32.DLL
Vikas Gandhi wrote:
> Hi ALL
> As MSLSA is supported by current distribution of the kfw 2.6. Can
> this be used to authenticate against the Active Directory of windows
> 2003.
>
> i.e. Can I wr
The current version is Kerberos for Windows 2.6 and it is
available from http://web.mit.edu/kerberos/
Christopher T Vogan wrote:
>
>
>
> Hi,
>
> I am a test for IBM NFS for z/OS product.
> I am trying to test NFS with auth_GSS authentication. This method requires
> the use of Kerberos v5.
>
What are you testing gss.exe against?
The version of the GSS-SSPI server which is shipped
as part of the MS SDK is incompatible with the GSS.EXE
as shipped in KFW 2.6. We are working with Microsoft
to release updated versions of the example code.
Jeffrey Altman
Vikas Gandhi wrote:
> Hi
hipping.
Not to say that forcing the use of des-cbc-crc is a good idea, its not.
Just pointing out that there are still interop problems based entirely
in the implemented set of enctypes.
Jeffrey Altman
Kerberos mailing list
the KRB5.INI file should go in %WINDIR%. Where are you placing the
keytab file containing the server keys for the service principal?
Vikas Gandhi wrote:
> Hi
> Also I tried to run the gss-server that comes along where I am
> getting
> C:\OSBA\kfw-2.6-final\src\athena\auth\krb5\src\appl\g
You did not answer the most important question I asked you.
Where is your krb5kt file? and is there a service key in the file?
As for kinit, you cannot use 'kinit' with MSLSA: ccaches since the
MSLSA: ccache is read-only. MSLSA: only works if you have already
performed a login via Windows and th
You need a keytab file for the gss-server.exe because the service
must know its key. If it does not know its key, then it cannot
decode the service ticket presented to it by the gss client.
Jeffrey Altman
Vikas Gandhi wrote:
> Why do need krb5kt for It is no where.
> I understan
Vikas Gandhi wrote:
> Now I reversed the entry
>HKLM\Software\MIT\Kerberos5\
> PreserveInitialTicketIdentity = 0x0 (DWORD)
>HKCU\Software\MIT\Kerberos5\
> PreserveInitialTicketIdentity = 0x0 (DWORD)
> and introduced new entry
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerbe
Vikas Gandhi wrote:
> Finally I found my mistake. I put a variable set KRB5_KTNAME=.\\krb5kt
> Then I started running the server and this was successful
> Now the client part It cribs
> C:\gss>gss-client.exe -port beetle mittest hello
> GSS-API error initializing context: Miscellaneous f
I have no idea why you can't find the MSLSA: credential cache.
Since you have built from source why don't you trace it in the
debugger. You should be able to figure it out quite easily.
src/athena/auth/krb5/src/lib/krb5/ccache/cc_mslsa.c
Ker
Vikas Gandhi wrote:
> In function IsKerberosLogon()
> if ( !lstrcmp(L"Kerberos",buffer) )
> Success = TRUE;
> The value of buffer in NTLM so success is false.
>
If you logon session is not authenticated with Kerberos
but with NTLM, how are you obtaining tickets for display
by microsoft's "k
Vikas Gandhi wrote:
> Jeffrey
> Even I am trying hard to understand the meaning of this. I also run
> the sspi samples and they ran fine. So I am more than confused ???
>
> Can u guide me what next should I try to debug How can I cange
> NTLM to Kerberos
> Any hind to proceed
>
>
In speaking with contacts at Microsoft, they have assured me that this
situation, Logon Session Authenticated by NTLM and yet having Kerberos
tickets in the LSA Cache can only happen if the KDC on the PDC was not
functioning at the time you logged in. If this is the case, there will
be records in
enctypes other than DES-CBC-CRC or DES-CBC-MD5. Java cannot
handle them.
Jeffrey Altman
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Sleepy wrote:
> Hello all,
>
> I have some questions that I would appreciate getting some expert
> Kerberos assistance with.
>
> 1) Is SQL Server limited to DES encryption only?
>
> The reason I ask is that I have discovered empirically that the
> SQL Server service startup account needs
GSS-API Kerberos authentication is embedded within application
specific protocols. In this case, you need to write a test application
which implements the SQL query protocol as implemented by the ODBC
drivers.
the Java-ODBC driver interface provides very poor performance and is
usually regarded a
contain the user's profile and Documents and Settings folders.
I do not know how you would use OpenLDAP in place of the Windows
Active Directory. I suggest you ask that question on an OpenLDAP
mailing list.
Jeffrey Altman
Sensei wrote:
> Hi.
>
> I've built an afs cell, a kerber
Sensei wrote:
>
> AFS, Kerberos and LDAP are currently on the same server... and I'll keep
> it so...
Many folks on this list will consider running any services on the same
machine as the Kerberos KDC to be a security weakness. You increase the
attack surface of the machine when you do so. If
In Panther you can
#define KERBEROSLOGIN_NEVER_PROMPT 1
I'm not sure that this works with earlier releases.
Nebergall, Christopher wrote:
> Is there a way to programmatically or in a configuration file to disable Mac
> OS X auto-prompting for the user's kerberos password?
>
> I'm interested in
[EMAIL PROTECTED] wrote:
>>Make sure that the service principals in the KDC do not contain
>>any enctypes other than DES-CBC-CRC or DES-CBC-MD5. Java cannot
>>handle them.
>
>
> Don't understand this. Aren't client programs supposed to choose the
> encryption types they do understand out of th
ft LSA
credentials into a new MIT Kerberos credentials cache or access the
MS LSA credentials in read-only mode via the MIT krb5_ccache "MSLSA:"
ccache interface.
Jeffrey Altman
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
on must see the same name
for the machine as the client machine does from DNS. The GSSAPI
Service does not look for a keytab entry matching the client request,
it attempts to load the keytab entry when it starts.
I agree there are few good ways to debug this other then trac
this list.
Jeffrey Altman
Frank Wu wrote:
> Hello All,
>
> I dowloaded and installed krb5-1.3.3-i686-pc-linux-gnu.tar on RedHat 9,
> and tried to set it up to work with MS Active Directory for
> cross-platform authentication, but without success. Has anyone tried
> thi
[EMAIL PROTECTED] wrote:
> Hi, folks
>
> 2) Users wouldn't be happy if they were unable to login one hour every
> time they change password.
>
> So, logical consequence is that master must answer all TGT requests.
> Having a slave around in case master dies is better than nothing, but
> slave
Inger, Slav (.) wrote:
> Hi all,
>
> I tested cross-realm awhile back and it seemed to work fine, not sure why I'm
> running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is
> Active Directory, clients are running Solaris and HP-UX with Kerberos and
> appropriate patc
The warning does not say all that much to me without providing a list
of the function names it thinks are the same.
Jeffrey Altman
Thomas Huang wrote:
> Hi,
>
> I am trying to build a custom Kerberos client application under Sun
> Solaris 9 using CC WorkShop 6 Update 2. The build
credential
cache files. MIT Kerberos is certainly a choice for this.
Jeffrey Altman
melissa_benkyo wrote:
> I'm looking it up. and I'm using SEAM kerberos. I don't think it
> supports the kerberos API calls. Has anyone done kinit with SEAM
> kerberos?
>
> thank
Via e-mail? :-)
I do not understand this question. Kerberos is an authentication
protocol not a messaging protocol.
Milos Djukic wrote:
> How do Kerberos users communicate with non-kerberos users?
>
>
> -
> Yahoo! Messenger - Communicate insta
What does "hostname" say the machine name is?
[EMAIL PROTECTED] wrote:
> Thanks for the suggestions ... I thought it might be the kvno - but I
> checked:
> ---
> kadmin.local: getprinc host/kas.ruz.lat
> Principal: host/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Sat Ap
Milos Djukic wrote:
> How can Kerberos authenticate a user who isn't communicating through a Kerberized
> server? Will the request be automatically rejected as the user is trying to gain a
> service from an un-trusted server. If so, can the administrators of the Kerberos and
> the non-kerberos s
1 - 100 of 676 matches
Mail list logo
