Re: elliptic curve pkinit?

On Sun, 2017-04-02 at 21:51 -0400, Greg Hudson wrote: > On 04/02/2017 04:59 PM, k...@pallissard.net wrote: > > Has MIT kerberos implemented pkinit with elliptic curve certs/keys? Some > > initial searching points me to an informational ietf RFC posted out there, > > but nothing official. > > We

Re: KDC 1.15 startup error: Invalid credentials - while initializing database

What does your olcSyncrepl line for dc=example,dc=com look like? Matt Pallissard On Thu, 2017-04-13 at 12:57 +0200, Jaap Winius wrote: > Hi folks, > > My plan is to migrate away from three older Debian wheezy systems   > running MIT Kerberos 1.10.1+dfsg-5+deb7u7 with an OpenLDAP   > 2.4.31-2+de

Re: KDC 1.15 startup error: Invalid credentials - while initializing database

Hmm, Do your cn=config databases match? Do you know what that hashed password actually is? Can you manually bind with that username/pw and ldapsearch? Matt Pallissard On Thu, 2017-04-13 at 14:02 +0200, Jaap Winius wrote: > Quoting "Pallissard, Matthew" : > > > What does

Re: KDC 1.15 startup error: Invalid credentials - while initializing database

= 88 kdc_tcp_ports = 88 [logging] kdc = SYSLOG:debug:local1 admin-server = SYSLOG:debug:local2 default = SYSLOG:debug:auth Matt Pallissard

Re: KDC 1.15 startup error: Invalid credentials - while initializing database

Is it slapd reading its key tab incorrectly or is the hostname being derived incorrectly.  Is this a host file issue? Matt Pallissard Original Message From: Jaap Winius Sent: Thu Apr 13 18:20:33 CDT 2017 To: Jaap Winius Cc: "Pallissard, Matthew" , kerberos@mit.e

Re: MIT Kerberos OTP with Windows

> any ideas how to implement OTP for Windows with MIT kerberos client? possible? I don't know if KFW 4.1 supports OTP but what I do know is that in the past I couldn't get PKINIT working with KFW. I had to implement heimdal on the client end. https://www.mail-archive.com/kfwdev@mit.edu/msg00822

set_string/pkinit_cert_match

I'm having issues when trying to use set_string with pkinit_cert_match. PKINIT does work when the SAN matches the user's principal explicitly. It does not work when I try to map it to a user where the principal does not match the SAN. I'm using MIT kerberos 1.16 on both clients and servers.

Re: set_string/pkinit_cert_match

On Thu, Dec 28, 2017 at 02:56:00PM -0500, Greg Hudson wrote: > On 12/28/2017 02:05 PM, Pallissard, Matthew wrote: > > I'm having issues when trying to use set_string with pkinit_cert_match. > > PKINIT does work when the SAN matches the user's principal explicitly. It

Re: KDC with openldap backend, ldap replication, can it chase referrals?

On 2020-04-15T08:22:59 -0700, Dan Mahoney (Gushi) wrote: > On Wed, 15 Apr 2020, Andreas Hasenack wrote: > > > Hello, > > > > On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson wrote: > >> > >> On 4/14/20 3:34 PM, Andreas Hasenack wrote:> Can mit kerberos (1.17 for > >> the purpose of this conversation)