g the system in a couple
weeks anyway, I thought I would see if there's a clear favorite krb5
PAM module out there.
Thanks!
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building
. That means that I wouldn't be losing any functionality over
what I currently have if I do go the route of SEAM for authentication and
homegrown for authorization, but it would be best if I could find a way
of fully integrating our Solaris boxes into the IAA system we're currently
using.
I
y 40% of its `make check' tests. I haven't
seen that problem with bison 1.30, so that's the version we're sticking
with. I recommend the original poster try that version, and see if he
or she has better luck.
Tim
--
Tim Mooney [EMAIL PROTECTED]
I
Kerberos fits in, which I guess
you could get from the MIT source.
If "the field" machines are Windows boxes, I would think that
https://sourceforge.net/projects/kerberizer/
would be worth a look.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technolog
hing like
strip foo || true
so a "success" is always returned, even when strip fails.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
N
efault_realm
Perhaps if you called
$kp=Authen::Krb5::get_default_realm();
(notice the K in Krb5) instead, you would have better results.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building
n I updated from krb5 1.2.8 to 1.4, I encountered a
problem with krb5_init_ets not being part of the libkrb shared library,
even though the ABI of the library had not changed from what 1.2.8 used.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services
's krb5-install.html is a little vague about
whether a separate dump/load step is still needed for policy information.
It was needed with earlier KDC upgrades, but the docs imply (without
really saying) that it's no longer needed.
Can anyone clarify whether it's still requir
n.es ?
Note: I also recommend you don't have your two hosts share principals in
their keytab. The keytab on shinobi shouldn't have host/shogun entries,
and the keytab on shogun shouldn't have host/shinobi entries.
Tim
--
Tim Mooney [EMAIL PROTECTED]
In
th the forward (A)
and reverse (PTR) records for your primary server (shogun)?
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota Sta
un on distinct ports), but it too is possible.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
he shared object, but what happens if you modify the build
line so that instead of
-h libkrb5support.so.0
it tries
-Wl,-h,libkrb5support.so.0
or uses gcc's -Xlinker equivalent.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services
've suggested has worked for us for multiple years.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
om the primary KDC.
That's a problem, but it's not what's causing your current issue.
It will definitely be an issue down the road.
> To
> get around this I added an /etc/hosts entry for my machine.
That's enough, as long as nsswitch.conf on the KDC is right.
Tim
--
Ti
u likely have some other issue.
Use strace on the client to verify that the client is actually trying
the right server and port, and make sure you don't have a firewall or
SELinux messing things up for you.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technolo
l, and note the kvno. It
should have incremented by one.
- Examine the keytab with ktutil. It should have only entries for
host/[EMAIL PROTECTED]
and the kvno should match the kvno that you found with getprinc.
Once the keytab is correct on the KDC, the services that you've set up
on
should
provide service; by default the realm returned by
krb5_default_local_realm(3) is used.
It's krb5_default_local_realm() that's reading krb5.conf.
Tim
--
Tim Mooney tim.moo...@ndsu.edu
Enterprise Computing & In
t.
We've done it for years and it works, but if we were starting over,
these days I'm not certain I would choose the same path. Depending on
your realms, it might be better to use separate VMs or containers,
depending on what you're comfortable with.
Tim
--
Tim Mooney
'kadmin -p user/admin' command we get, GSS-API (or
> Kerberos) error while initializing kadmin interface.
This may not be related, but have you tried setting
allow_weak_crypto=1
in the libdefaults section of your /etc/krb5.conf on the RHEL6 client?
Tim
--
Tim Mooney
o things might be different
there. Instead, we only do propagation when the dump file has changed
from the checksum from the previous dump file.
Tim
--
Tim Mooney moo...@dogbert.cc.nrealm2.nodak.edu
Enterprise Computing & Infrastructure 701-231-1076 (Vo
d object via `dump -Lv'.
For augmenting the system-wide runtime loader paths, look at the man page
for `crle'.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 2
y need to tweak your sshd_config (search for Gssapi
in the sshd_config on the Solaris host).
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota Sta
kerberos option. Can this "--with-kerberos" option
>be used after krb5 patch?
That's the idea, yes. Actually, the option is
`--with=kerberos5=/path/to/krb5/root'.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701)
t it's never actually been implemented in the code). It's the
rare case of docs preceding code, AFAICT.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
is included, then
#define alloca(x) __builtin_alloca(x)
should be in place, and the linker should therefore be looking for
__builtin_alloca
Make sure that everything that needs alloca is including alloca.h, and
once you've done that, try the +Olibcalls option to the compil
older bison), though, because of an odd coincidence that I
won't go into, but your best bet is to make sure that your bison is
recent (or deleted in favor of yacc).
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076
my case (and apparently in yours) I *can* guarantee that usernames
on machines always exactly match the principal, no matter what realm
they're in (so bob@REALM2 should be able to log into the `bob' account
on a machine that's in REALM1).
Ken Hornstein suggested looking into the k5us
'll have to find where they're supposed to
>come from - not sys/types.h, evidently, but no doubt something
>like it.
sys/bitypes.h
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (70
o identify anything else that's
generating them (^ov makes me think of HP's OpenView, yuck, but that's not
installed on any of the boxes that have these files).
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (V
should
>just use MEMORY type ccaches. In any case, when kadmin exits
>it should destroy those FILE ccaches.
Thanks for the info Nico. One less mystery for me to wonder about.
;-)
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services (701)
so that it should build and work
with both Heimdal and MIT. I didn't do any of the real work, though,
as the project already included (Heimdal) Kerberos support before I ever
tried building it.
Tim
--
Tim Mooney [EMAIL PROTECTED]
Information Technology Services