Hi,
I've been searching around looking for clear discussion around how to
enable (debug) logging on windows, for the MIT Kerberos for Windows. I
found the following discussion in the release notes for the kfw 3.2.2,
which stated the following:
http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/relnot
s itself one system
> at
> a time as we have historically done. Does this seem reasonable, and will
> hopefully succeed without any interoperability issues?
>
> Thanks much for any thoughts or suggestions.
>
>
>
> Kerberos
ing this kdc_timeout value?
Or is kdc_timeout a missing parameter within the current (and previous)
krb5.conf documentation for the [libdefaults], and it is supported in the
1.10+ MIT kerberos releases?
Thanks in advance.
--
Todd Grayson
Customer Op
... one more question - if this is a supported parameter today
(kdc_timeout) what is its default value?
Thanks
On Mon, Dec 8, 2014 at 10:20 PM, Todd Grayson wrote:
> Is there a configurable timeout value that can be set in the krb5.conf to
> tell a client how long to wait for a response
-host.domain.name = REALM.NAME
domain.name = OTHER.REALM.NAME
.domain.name = OTHER.REALM.NAME
or is it least specific to most specific?
[domain_realm]
domain.name = OTHER.REALM.NAME
.domain.name = OTHER.REALM.NAME
specific-host.domain.name = REALM.NAME
Thanks in advance!
--
Todd Grayson
Customer Operations
LDAP directly, it's
> > always been just an opaque backend storage engine for kerberos itself...
> >
> >
> >
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listi
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html
On Wed, Apr 1, 2015 at 8:27 PM, Todd Grayson wrote:
> Rainer,
>
> Consider that you do not want to obfuscate keeping track of users modifying
> the KDC database through generic service accounts like admin/ad
enz.de/~krienke, Tel: +49261287
> 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
> 1001312
>
>
> ________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
s open ended as MIT's CApath, and works only
> with established (And 'verified') trusts relationships.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> Kerberos mailing list Kerberos@mit.edu
> http
--
Todd Grayson
Customer Operations Engineering
ealize this isn't a common use scenario.
>
>
>
> On Fri, Apr 24, 2015 at 4:07 PM, Todd Grayson
> wrote:
>
>> Are you trying to run multiple realms (and db's) on the same KDC?
>>
>> On Fri, Apr 24, 2015 at 2:59 PM, Ben H wrote:
>>
>>> So
we're not 100% consistent about
> > that).
> >
> > krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
> > not need to point it at a config file giving a different default_realm
> > value.
> >
>
> Kerberos mailing list
n principal I could use the command below (on the linux side):
> kadmin> change_password -e aes256-cts-hmac-sha1-96:normal -keepold
> krbtgt/doc.ic.ac...@ic.ac.uk )
>
> All the best,
> Giuseppe
>
>
> Kerberos mailing list Kerber
--
Todd Grayson
Customer Operations Engineering
bly
> because the MS User Principal Name in the certificate lacks the backslash.
>
> Bryce
>
>
>
>
>
> Kerberos mailing list Kerberos@mit.edu
> https://mailma
"forwarding" is causing the error, because it does not
> exhibit itself when changing directly on the WDC.
>
> Can someone provide any insight into this?
>
> Thanks very much.
>
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/
--
Todd Grayson
Customer Operations Engineering
sso authenticate with an
> application that works with MIT kerberos?
>
> Best regards
> Ben
>
this are:
aes-256 for aes256-cts-hmac-sha1-96
rc4-hmac for arcfour-hmac-md5
Are these actually being parsed properly, (the first value, obviously being
the questioned abbreviation...)
--
Todd Grayson
Customer Operations Engineering
Kerber
egards,
>
> Michael Osipov
>
> PS: I triple-checked the password, so the issue is not with that.
>
>
>
--
1.10x release?
Thanks in advance!
--
Todd Grayson
Customer Operations Engineering
the 1.12 as
> the
> >tested krb release in platform).
>
> This is more of a problem, but I don't consider this an interoperability
> issue.
>
> --Ken
>
> Kerberos mailing list Kerberos@mit.edu
> ht
>
> -Ben
--
Todd Grayson
Customer Operations Engineering
Ah good to know about, thanks!
On Mon, Aug 3, 2015 at 5:18 AM, John Devitofranceschi
wrote:
>
> > On Jul 29, 2015, at 5:46 PM, Todd Grayson wrote:
> >
> > Hi,
> >
> > Is there any general wisdom out there about mixed KDC/Client versions?
> Are
> > t
ballb...@sinenomine.net
> unix openafs kerberos infrastructure xmonad http://sinenomine.net
>
>
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailm
Anchor tags for subject items on reference pages... for example to make a
URL like this to work to jump right to the default_tgs_enctypes
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#default_tgs_enctypes
--
Todd Grayson
Customer Operations Engineering, Security SME
--
Todd Grayson
Customer Operations Engineering, Security SME
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> Kerberos mailing list Kerberos@mit.edu
> https://mailma
Apologies everyone - this was a mixed up response by me.
Please disregard my discussion on download and compile, I'm discussing a
behavior by our install base, not the MIT user community.
On Thu, Feb 25, 2016 at 9:13 AM, Todd Grayson wrote:
> The supported encryption types are tie
I think
> domain_realm mappings on Windows are usually also done with AD
> configuration. (Disclaimer: I've never done the AD side of this setup
> myself.)
>
> --
> Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
> ___
Hello,
When a service re-authenticates to the KDC, effectively getting a new TGT,
are the service tickets related to previous instance of the TGT for that
service, no longer valid?
That is, does a service re-authenticating to a KDC, rather than renewing,
cause all the current related service tick
set a number of values in the entry
rather than using modprinc so many times over the entry.
Or is this a "don't do it" kind of thing?
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
K
> On 06/01/2016 02:13 PM, Todd Grayson wrote:
> > Is there any kind of guidance or rules of thumb around deleting and
> > re-creating the default krbtgt principal for a KDC? I've not been able
> to
> > find specific discussion on doing this, or what the requirements wou
> Valid starting Expires Service principal
> 16/06/16 14:00:04 17/06/16 00:00:04 krbtgt/ic.ac...@ic.ac.uk
> renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29 17/06/16 00:00:04 krbtgt/doc.ic.ac...@ic.ac.uk
> renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29 17/06/16 00:00:04
> host/futurama.doc.ic.ac...@doc.ic.ac.uk
> Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza@futurama"
> gmazza2@futurama:~$ export KRB5_TRACE=
> gmazza2@futurama:~$ ssh gmazza@futurama uptime
> 14:02:58 up 21:31, 2 users, load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
h userid and password from java. I have
> a java process running and want to kinit from that process.
>
> Thanks and Regards
> Partha Pratim Ghosh
>
>
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/m
<> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
> Dr. Dameon Wagner, Systems Development and Support
> IT Services, University of Oxford
> ><> ><> >
>
> --
> Michael Aldridge
> Network Administrator
> Collegium V Honors College
> The University of Texas at Dallas
> ____
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mi
fig/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
>
> --Michael
>
> On 06/30/2016 01:25 AM, Todd Grayson wrote:
> > Got schema issues? Perhaps?
> >
> > http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
> >
> > Magic google phrase:
The error text
> to me sounds like it can't even find the ldap backend, much less try to
> actually talk to it. Can you explain why you think this might be a
> schema error?
>
> --Michael
>
> On 06/30/2016 09:06 AM, Todd Grayson wrote:
> > Michael, I apologize but I
sorry "kerberos.ldif" not "schema.ldif"
On Thu, Jun 30, 2016 at 10:00 AM, Todd Grayson
wrote:
> Is the file supposed to be schema.ldif once it's converted that way?
>
> On Thu, Jun 30, 2016 at 9:58 AM, Todd Grayson
> wrote:
>
>> The discussion in the
Is the file supposed to be schema.ldif once it's converted that way?
On Thu, Jun 30, 2016 at 9:58 AM, Todd Grayson wrote:
> The discussion in the mail list I sent, the error emerged as it was
> parsing broken schema information in the file...
>
> On Thu, Jun 30, 2016 at 9:55 AM, Mich
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
(and I realize kerberos doesn't do groups)
On Mon, Jul 18, 2016 at 12:05 PM, Todd Grayson
wrote:
> Aneela,
>
> HDFS supports the use of the \L lowercase "macro". This is implemented
> through the HDFS auth_to_local rules, it can be applied using the
> additional
's credentials? If so, then how to solve this
> particular scenario? I'm not getting the clear idea
>
> Thanks
>
> On Monday, 18 July 2016, Todd Grayson wrote:
>
>> (and I realize kerberos doesn't do groups)
>>
>> On Mon, Jul 18, 2016 at 12:05 PM, Tod
about preferring the previously chosen
> KDC during an AS exchange (mostly for the sake of marginal preauth
> mechanism implementations), but I think the code changes necessary to
> implement that properly would be extensive.
>
>
> >
> > userid 's Password:
> >
> > We would like to pass the password dynamically, please help.
>
> Is this MIT's krb5 or Heimdal's? What version?
>
> ________
> Kerberos mailing list Kerb
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
Kerberos maili
ot root 2729160 May 7 2013 kinit
>
> -rwxr-xr-x 1 root root 2603176 May 7 2013 kgetcred
>
> -rwxr-xr-x 1 root root 2570184 May 7 2013 kdestroy
>
> -rwxr-xr-x 1 root root 4215848 Oct 16 2013 ssh
>
> -rwsr-xr-x 1 root root 3071992 Mar 5 2014 suexec
>
> -rwxr-xr-
ve this
> problem because it's the same user that I used to join the REALM in the
> first place..
>
> Any thoughts?
>
> Thanks!
> Thomas Beaudry
> ____
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.
ows AD. I'm using ktutil to create
> the keytab:
>
>
> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>
>
> I'll look into the kvno.
>
>
> Thomas
>
>
> --
> *From:* Todd Grayson
> *Sent:*
't have that checkbox
> clicked - so it isn't the issue.
>
>
> Any more thoughts as to what could be causing this 1 user to not be able
> to use a keytab?
>
>
> Thanks,
>
> Thomas
> --
> *From:* Todd Grayson
> *Sent:* Wednesda
ow to enable Kerberos event logging
https://support.microsoft.com/en-us/kb/262177
On Thu, Oct 27, 2016 at 9:37 AM, Thomas Beaudry wrote:
> Hi Todd,
>
>
> Yes, I changed the password. Still the same problem.
>
>
> thanks!
>
> Thomas
> -------
ok to
> start off with.
>
>
> Have a great day!
>
> Thomas
> --
> *From:* Thomas Beaudry
> *Sent:* Thursday, October 27, 2016 11:37 AM
> *To:* Todd Grayson
>
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication fail
> correct salt, the client can't produce the correct password-derived key.
>
> -Tom
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
stand how the final layout in LDAP is supposed to be and how
> to put that into arguments for kdb5_ldap_util.
>
> Any closer explanation is appreciated. Thanks for your help,
>
> - lars.
>
>
> ____
> Kerberos mailing list
rs.
>
> Thanks,
> Ed
>
--
Todd Grayson
Business Operations Manager
Cus
just use the copy of Kerberos that comes with
> Windows to achieve my goal?
> Thanks!
> Mauro.
>
--
Todd Grayson
Busin
to Windows without
> having to use a keytab or having to run a kinit under the covers?
>
>
>
> *From:* Todd Grayson [mailto:tgray...@cloudera.com
> ]
> *Sent:* Friday, November 18, 2016 11:34 AM
> *To:* Mauro Cazzari >
> *Cc:* Kerberos@mit.edu
> *Subject:* Re: Can I a
e received this message in error, please notify the sender and delete
> the email immediately.
>
--
Todd Grayson
Business Operation
content or pointers to constructing
good parsers for turning this log data into record data? Parser tools for
the default MIT KDC log format?
I'm guessing that having it in syslog format would be better... but that's
out of my control...
--
Todd Grayson
Business Operations Manager
Cust
esting
On Mon, Jan 30, 2017 at 11:44 PM, Benjamin Kaduk wrote:
> On Mon, Jan 30, 2017 at 11:01:46PM -0700, Todd Grayson wrote:
> > Has anyone seen a good writeup of the krb5kdc.log file output format?
> For
> > the types of log file output statements that it writes out. So for
as well
Thanks in advance.
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
hat, but I thought it was resolved.
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
___
-latest/doc/admin/princ_dns.html
>
> It's possible that the same setting might work for the Java
> implementation, but I'm not certain.
>
--
Todd Gr
b5.conf, I haven't specified the fallback realm or
> referrals explicitly, so I think kerberos is picking up default values for
> them. I want to know how I can specify them explicitly.
>
> Thanks in advance !
> Pratyush
>
> Kerbero
tribute them back like
> > > promised to this list and Greg 5 years ago. Oops.
> > >
> > > Chris
> > > _______
> > > krbdev mailing list krb...@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/krbdev
> > >
> >
> __
Feng your best option is actually u...@hadoop.apache.org as the errors you
are seeing are over the hadoop classes within the JDK, which the team at
MIT does not produce. The openJDK as well as OracleJDK development teams
provide a kerberos implementation based on the standards established and
main
, I don't know how that might have come about.
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
>
> >> What is the actual, higher level thing you are trying to accomplish?
> >
> > As explained, I'm sending HTTP rest JSON request from machine_a to
> > machine_b endpoint but I'm getting Unauthorised 401 error, so I'm
> > trying to incorporate into
Sanjay this is confusing for you to reply to the kerberos digest email with
your own issue. Create a new email with its own subject for your question.
Please send an email directly to the kerbe...@mit.wsu list.
On Mon, Oct 22, 2018, 7:52 AM Sanjay Kumar Sahu
wrote:
> HI !
>
> Currently we are
l credentials
> $
>
> Please let me know where can I find the kdc configuration types in
> Active Directory (Windows Server 2016) ?
> Do I have to change any configuration on Kerberos Client or Server ?
> Please help me on this.
>
> Thanks,
> Silambarasan M
> __
Issue :
>> =
>> $ kinit Administrator
>> kinit(v5): KDC has no support for encryption type while getting
>> initial credentials
>> $
>>
>> Please let me know where can I find the kdc configuration types in
>> Active Directory (Windows Server 2016)
get this
> working?
>
> Thanks,
> John
>
--
Todd Grayson
Customer Operations Engineering
Security SME
Hi,
We are seeing a number of conflicting information sets on how to properly
force TCP by kerberos clients in CentOS/RH OS distributions.
udp_preference_limit =0? 1?
Or is there some other flag that is reliable to be setting here?
--
Todd Grayson
Customer Operations Engineering
Security SME
thanks!
On Thu, Oct 3, 2019 at 9:41 AM Greg Hudson wrote:
> On 10/3/19 11:11 AM, Todd Grayson wrote:
> > We are seeing a number of conflicting information sets on how to properly
> > force TCP by kerberos clients in CentOS/RH OS distributions.
> >
> > udp_prefer
of
> how it is configured in /etc/krb5.conf.
>
> Thank You.
> GemNEye
>
>
--
Todd Grayson
Principal Customer Operat
trusts REALM B, and
REALM C trusts REALM B, but A and B do not trust each other) you will need
to read up on using CAPATH maps as well.
Glad to help.
On Wed, Dec 11, 2019 at 7:05 PM GemNEye wrote:
> On 2019-12-11 18:52, Todd Grayson wrote:
>
> The domain_realm section of the krb5.conf is
oops mistyped on the CAPATH example, it SHOULD read:
(e.g. REALM A trusts REALM B, and REALM C trusts REALM B, but REALM A and
REALM C do not trust each other)
On Wed, Dec 11, 2019 at 7:16 PM Todd Grayson wrote:
> Cross realm trust would involve setting up specific krbtgt principals t
The discussions I've seen where this is done successfully use tar to grab
all the files (do an ls -la in the kdc path to see what you missed) along
with the krb5.conf. I believe you are missing important file(s) based on
what you listed.
On Wed, Feb 26, 2020, 7:31 AM jarek wrote:
> Hello!
>
>
Is this some form of specialized unix epoch time timestamp or something?
And more importantly... why? How do I convert it, normal epoch time
conversion is yielding insane values.
Thanks in advance...
Kerberos mailing list Kerberos@mit.ed
?
On Thu, Apr 2, 2020 at 10:09 PM Benjamin Kaduk wrote:
> On Thu, Apr 02, 2020 at 09:04:33PM -0600, Todd Grayson wrote:
> > Is this some form of specialized unix epoch time timestamp or something?
> > And more importantly... why? How do I convert it, normal epoch time
> > c
Cool, thanks!
On Fri, Apr 3, 2020 at 8:59 AM Greg Hudson wrote:
> On 4/3/20 10:21 AM, Todd Grayson wrote:
> > Ok but does that mean Unix Epoch time conversion should be working, or is
> > there some other form of secret decoder ring that is used to translate to
> > syste