case), I would
> expect ktutil to use the correct salt. So I'm not sure why it isn't
> working for you.
Not fqdn but samaccountname + domain_name. So if AD domain_name != DNS
domain name, the fqdn will not work.
--
Mark Pröhl
m...@mproehl.net
www.kerberos-buch.de
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
ing for a way
to do this for client principals by analysing the client part of AS-REP.
--
Mark Pröhl
m...@mproehl.net
www.kerberos-buch.de
(James Knight, Doug Engert, Brian Elliott
Finley, Dan Perry).
- - Olaf Flebbe,
- - Mark Pröhl
ep '^Last successful
authentication:|^Last failed authentication:|^Failed password attempts:'
Last successful authentication: Tue Sep 08 14:58:54 CEST 2015
Last failed authentication: Tue Sep 08 14:58:59 CEST 2015
Failed password attempts: 3
roo
On 09/09/2015 01:22 PM, Tom Yu wrote:
> Mark Pröhl writes:
>
>> according to http://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html,
>> the account lockout state is represented by the three account properties
>> "The time of last successful authenticati
On 07/15/2016 12:25 AM, Brandon Allbery wrote:
> On 7/14/16, 17:32, "kerberos-boun...@mit.edu on behalf of Mauro Cazzari"
> wrote:
>
> # Kerberos options
> KerberosAuthentication yes
> KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #Kerb
(Ken Dreyer, James Knight, Doug Engert, Brian
Elliott Finley, Dan Perry).
- - Olaf Flebbe,
- - Daniel Kobras
- - Mark Pröhl
On 06/02/2017 02:29 PM, Ashi1986 wrote:
> Hi All ,
>
> This is my setup .
>
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC .
> BS2000 with MIT kerberos 1.13.2
>
> I generate keytab for SPN using this command :
>
> ktpass -princ host/@domain name -mapuser pass> pass -crypto RC4-HMAC-NT
On 04/16/2018 05:51 PM, Russ Allbery wrote:
> ... Clients
> aren't going to generally all try to get a ticket at the same time, due to
> ticket caching, so that scales to a lot of clients.
>
I have only seen JAVA/JAAS clients caching the TGT and not the service
tickets. Especially in Hadoop envi
On 2/5/19 9:30 PM, John Byrne wrote:
> I'm trying to test constrained
> delegation in a web application, and apparently that only works with the
> LDAP backend.
Hi all,
is this still true for 1.17?
- Mark
Hi,
this works for me:
auth_to_local = RULE:[2:$1;$...@$0](root;@somerealm)s/;@somerealm//g
If
Mark Pröhl
miguel.sand...@arcelormittal.com wrote:
> Hi folks
>
> I'm struggling with the auth_to_local rule.
> I want t
MAIN.EXAMPLE
[realms]
MYDOMAIN.EXAMPLE = {
kdc = 10.10.10.26
}
Is there an option to prevent kinit from looping?
Regards,
Mark Pröhl
Hi,
I would appreciate it to have a workaround until 1.7.x is released.
Thanks,
Mark
Greg Hudson wrote:
> An update: this turns out to be a known bug in krb5 1.7, which simply
> hadn't percolated into my conscience from the bug data.
>
> I can't
-- Luke
>
> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>
> Hi,
>
> I noticed a problem with kinit from krb-1.7. In case of a wrong
> password, kinit tries up to 8 times to get initial credentials.
> This happens if the KDC is an active directory controller:
>
mething else (S4U).
>
> Do you know if it occurred with 1.6 or was a regression with 1.7?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:
>
> I just built trunk and did the same test again.
> The problem doesn't occur with kinit fr
Hi Bjoern,
I will do a one-day tutorial about "Active Directory Integration with
Kerberos and LDAP" on this year's Samba XP in Göttingen:
http://www.sambaxp.org/index.php?id=129
Tutorials for the German iX magazine are planned as well for 2010. You could
take a look at the agenda from last year
Hi,
you probably want to use the parameter renew_lifetime in [libdefaults].
Mark
Guillaume Rousse wrote:
> Hello.
>
> I just realized that it was possible to force forwardable tickets
> through krb5.conf, but not renewable ones. Is it intentional?
>
> For instance, the following doesn't work as
util
(KRB5_CONFIG=...kdc.conf) it becomes possible to do a strict separation
of the meaning of the two files: krb5.conf configures the Kerberos
library and kdc.conf is for KDC configuration. (Which is what I would
like to have.)
So my question is: is the configuration of KDC LDAP parameters in
kdc.
On 12/28/2010 06:02 PM, Victor Sudakov wrote:
> Russ Allbery wrote:
>
> [dd]
>
>>> But it still escapes me how on earth I will end up with
>>> krbtgt/unix.re...@windows.realm andkrbtgt/windows.re...@unix.realm
>>> having the same key. There is nothing in the above articles about
>>> exporting and
Hi,
what is the requested service principal name in the tgs request to
realm2 kdc?
Can you provide more information about the client that does the cross
realm request (Windows, MIT Kerberos, Java, ...)?
Regards,
Mark Pröhl
On 01/05/2011 06:47 AM, krbmit siso wrote:
> Hi All,
>
> Ple
m1.com/>
>Server Name (Principal):
> krbtgt/realm2.com <http://realm2.com/>
>Kdc-Req-body->
> Realm: REALM2.COM <http://realm2.com/>
>Server Name (Principal):
>
On 01/06/2011 05:02 AM, krbmit siso wrote:
> Hi Mark,
>
> Please find the attached capture for cross realm setup . I did not
> understand why do you require
> 2 TGS-REQ going from client , please shed some light on the same .
The following sketch shows the principals involved in cross realm
auth
Hello,
create a service principal that contains the dns hostname of the virtual
IP (the name associated with 10.10.11.149): HTTP/
use ktpass.exe to create a keytab for that principal
copy that keytab to both nodes
Regards,
Mark Pröhl
On 01/21/2011 09:05 AM, Schreiber Martin wrote:
> He
On 03/15/2011 06:32 PM, Brian Candler wrote:
> On Tue, Mar 15, 2011 at 11:21:28AM -0400, Greg Hudson wrote:
>> There are two steps involved in changing a Kerberos password. First,
>> you request a kadmin/changepw ticket from the KDC using your old
>> password; then, you send your new password to t
Hi,
kdc.conf should be created before running kdb5_util
kadm5.acl needs to be created before starting kadmind
Regards,
Mark Pröhl
On 04/27/2011 11:12 PM, aydin wrote:
> Hi,
>
> I have a working mit kerberos installation on an red hat enterprise linux
> system
> with the domai
Hi,
DES is disabled by default in windows 2008 r2. So if you do not need
DES, then just create the keytab for stronger encryption types. If you
really need DES, you have to configure your windows KDC to issue DES
tickets. You should not disable preauthentication
Regards,
Mark Pröhl
On 04
:
# kvno -k my.keytab -e aes256-cts testprinc
testpr...@example.com: kvno = 1, keytab entry valid
#
The problem: there is no aes256-cts key in my.keytab. Therefore kvno's
"keytab entry valid" seems unreliable
--
Mark Pröhl
m...@mproehl.net
www.k
Greg Hudson wrote:
> On 12/11/2011 09:42 AM, Mark Pröhl wrote:
>> If there are more keytab entries with different encryption types, I
>> would like to use -k together with -e like in the following example:
>>
>> # kvno -k my.keytab -e aes256-cts testprinc
>>
tial question was how to separate those entries in
two. I think this can only be done directly by LDAP operations: create
new LDAP entries for each principal, delete the kerberos related
attributes from the existing user entries and add them to the newly
created ke
On 08.05.2012 15:03, Berthold Cogel wrote:
> On 07.05.2012 18:16, Greg Hudson wrote:
>> On 05/07/2012 11:38 AM, Berthold Cogel wrote:
>>> -rw--- 1 root root 128 May 7 16:09 service.keyfile
>>
>>> [root@hydra krb5kdc]# kadmin.local
>>> kadmin.local: unable to get default realm
>>
>> I'm no
On 07.05.2012 17:38, Berthold Cogel wrote:
> [dbmodules]
>openldap_ldapconf = {
> db_library = kldap
> ldap_kerberos_container_dn = "ou=Kerberos,dc=uni-koeln,dc=de"
> ldap_kdc_dn = "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"
> ldap_kadmin_dn = "cn=kadmind,ou=Kerberos,dc=uni-ko
ultiple _kpasswd._udp.YOUR.REALM SRV records in your DNS
service. However, admin_server can only be specified one time.
--
Mark Pröhl
m...@mproehl.net
www.kerberos-buch.de
rvlet:125] -
> kerberos idp servlet started
> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] -
> Authentication process error.
>
> Any clue will be appreciated.
> Thanks
> xinyi
>
big
security issue.
- can you post the kerberos part of your Shibboleth configuration?
On 18.06.2012 20:40, Mark Pröhl wrote:
> some hints:
>
> use the following commands to test your keytab file:
>
> kinit -k -t /etc/krb5.keytab HTTP/idp.aa.com
> kvno -k /etc/krb5.keytab HTTP/
e KDC cannot revoke that
ticket, even if the client is deleted or disabled. But if the client
needs to do a renew request from time to time, the KDC might not issue
new tickets if the client is deleted or disabled.
--
Mark Pröhl
m...@mproehl.net
www.kerberos-buch.de
krbmaxrenewableage krbmaxticketlife krbticketflags
> krbprincipalexpiration krbticketpolicyreference krbUpEnabled
> krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
> krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
> loginexpirationtime
On 21.10.2012 00:21, Berthold Cogel wrote:
> On 19.10.2012 20:02, Mark Pröhl wrote:
>> Hi,
>>
>> is there any difference in the output of the following two search requests?
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>-b ou=People,dc=uni
On 22.10.2012 10:34, Berthold Cogel wrote:
> On 21.10.2012 17:48, Berthold Cogel wrote:
>> On 21.10.2012 08:39, Mark Pröhl wrote:
>>> On 21.10.2012 00:21, Berthold Cogel wrote:
>>>> On 19.10.2012 20:02, Mark Pröhl wrote:
>>>>> Hi,
>>>
On 24.10.2012 11:25, Berthold Cogel wrote:
> ...
> Master and slaves have different ACLs. The future IDM system is only
> allowed to write to the master and the master has additional ACLs for
> the consumer/slaves. Permissions for kadmin and kdc are all the same.
>
> access to dn.subtree="ou=Ker
specific
SRV records.
ktadd is part of the kadmin tool that is not compatible with AD. If you
need to manage keytabs on UNIX/Linux clients or servers in Active
Directory environments you should take a look at msktutil:
http://code.google.com/p/msktutil/
-
On 08.02.2013 10:09, Tom_Krauss wrote:
> Hi,
>
> I understood that a client sends two items in an AP-REQ to a service.
> The service ticket and an authenticator.
>
> The authenticator is encrypted with the session key known only to client and
> server and it contains
> a timestamp and principal o
t;mech_list: GSSAPI" in /etc/ldap/sasl2/slapd.conf restricts the list of
SASL mechanisms supported by your openldap server to the GSSAPI
mechanism. Your LDAP client tries to use the EXTERNAL mechanism:
"ldapmodify -Y EXTERNAL ..."
You should include EXTERNAL to the mech_list in
the existing ticket expiry time.
Can you describe the login process a little bit more (e.g. do you have
to enter the password during login)?
Regards,
Mark
--
Mark Pröhl
m...@mproehl.net
www.kerberos-buch.de
>
>
>
> *
> When I am changing my password from my client machines using
> "kpasswd" , I am receiving request to kdc server from my client
> machine and the kpasswd command was successful too. But the
> password was not changed. I
On 30.09.2013 19:16, Jaap wrote:
> All I want for now is to know how to have NFSv4 access its
> encryption key if it is stored in a keytab file other than
> /etc/krb5.keytab.
did you try to set the KRB5_KTNAME environment variable to your favorite
nfs k
On 05.11.2013 13:48, Simo Sorce wrote:
> I am not sure about upstream but the version we distribute in
> Fedora and RHEL has Constrained delegation support (specifically
> S4U2Proxy).
Is the S4U support in Fedora mod_auth_kerb configurable? Can it be