Hi,
This is for MIT Kerberos with the KDCs using an LDAP back end.
The documentation states that a whitespace-separated list of LDAP
servers can be specified for ldap_servers=. I'm assuming that is some type of
failover list? We have a F5 LTM setup with a single load balance dns name
Hi,
Just wondering if anyone can tell me if it's possible or reasonable to put
multiple KDCs behind an F5 BigIP for load balance purposes? We have tried a
simple configuration with port 88 UDP but it seems to cause some issues with
the KDCs. Getting a TGT with kinit seems to work just fine
Hi,
We are testing using an F5 BigIP load balancer for the KDCs. Setting the F5
for port 88 UDP works but the F5 probe produces the below KDC issue in the log
file. The response from F5 is to "paste a proper Kerberos UDP payload into the
health monitor". I think if F5 knew what that was the
Hi,
Going through krb5.conf for a KDC that will be using LDAP as the back end, the
variable ldap_conns_per_server = 5 seems low. Consider a KDC for 30k+ users;
will this setting be OK? What does this variable really limit? Having no
practical experience with a large deployment using ldap as
Hi,
We are working on setting up a very large Kerberos environment and recently
changed to 1.7.1 with an LDAP back end for our testing. Since two things
changed from our previous test environment, I'm not sure what might be the
cause of user tickets not getting the requested max lifetime and m
"Re: Contents of Kerberos digest..."
>
>
> Today's Topics:
>
> 1. max ticket/renew appears to not work
> in 1.7.1? (Kevin Longfellow)
>
>
> ------
>
> Message: 1
> Date: Mon,
Hi,
We are testing a Kerberos version 1.7.1 environment on EL5u4 and the KDC
crashed with the below in /var/log/messages:
Mar 25 20:26:16 dadvil0122 kernel: krb5kdc[4124]: segfault at
rip 003eeea7bcb4 rsp 7fffe1f90c58 error 4
1.7.1 was built from source with ldap and
Hi,
After reading the Aims section at
http://www.kerberos.org/software/tutorial.html, it states that the user's password
must never travel over the network. Take for example using LDAP as the back
end for the principals. For a security review, I need to understand the path
of the clear text passw
I quickly looked at the manual and did not see a wildcard option so sorry if
it's in the manual. I'll continue to look.
Instead of
[domain_realm]
.foo.com = DEV.FOO.COM
foo.com = DEV.FOO.COM
.foo2.com = DEV.FOO.COM
foo2.com = DEV.FOO.COM
Can I simply put a wildcard there and map all domai
Hi,
I tried to find this in the documentation so if someone could point me in the
right direction, I would appreciate it. I am trying to list all the Kerberos
principals created with an LDAP back end that are not in the realm container.
Using kadmin list_principals only shows what is in the r
Hi,
Three KDCs are running MIT Kerberos 1.7.1 on RHEL 5u4 x86_64
We use LDAP as the back end for all Kerberos principals. This morning all the
KDCs (three of them) appear to have lost connection to the LDAP server
resulting in a complete loss of service. At first I thought it was an SSL
ce
Hi,
We are using MIT Kerberos 1.7.1 on a Linux server and have a lot of KDC log
entries (100k+ in a 9 hour span) in the KDC logfile krb5kdc.log. I figured it
can't hurt to ask but does anyone have or know of a tool/script to parse the
log and summarize the activity?
Any help is appreciated!
Hi,
Configuration:
The KDCs running MIT Kerberos 1.7.2 (with patches)
LDAP back end
Running on RedHat Linux EL 5.4
I'm curious if there is a known issue that might be fixed with a patch or
particular release where the kvno from kinit is 2 but the kvno of the nfs
principal and what's in the
Hi,
Forgive me for being dense but when does log rotation happen using kdc_rotate
if period = 1d? I have tried using logrotate but it loses some data and now am
trying kdc_rotate and admin_server_rotate in krb5.conf. This is MIT Kerberos
version 1.7.2. Ideally I'd like the logs to always r
From: Benjamin Kaduk
To: Kevin Longfellow
Cc: "kerberos@mit.edu"
Sent: Thursday, August 23, 2012 10:26 AM
Subject: Re: kdc_rotate/good method to rotate kdc and admin_server logs
On Tue, 21 Aug 2012, Kevin Longfellow wrote:
>
>
>
Hi,
Any advice on possible/best solutions for the below scenario?
Two Kerberos REALMs:
REALM1.COM
REALM2.COM
Assume they are separate realms with no cross-realm authentication.
user logs in and runs kinit kbpr...@realm1.com
user accesses KerberizedNFS home areas in REALM1.COM
user now need