Re: SEAM krb API

2004-04-19 Thread Will Fiveash
Of course the initial krb cred will have to be retrieved external to the client program if you decide to use GSS. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SEAM krb API

2004-04-20 Thread Will Fiveash
Solaris... > I think he looked into Simon's code and then went a different way > for various reasons. Yes, there are no direct dependencies on the krb5 API in Nico's SSH/GSS implementation. There are dependencies in sshd on libpam.so so I assume PAM is involv

Re: SEAM krb API

2004-04-20 Thread Will Fiveash
On Tue, Apr 20, 2004 at 01:36:41PM -0500, Will Fiveash wrote: > On Tue, Apr 20, 2004 at 01:58:31PM -0400, Wyllys Ingersoll wrote: > > Ken Hornstein wrote: > > > > >For example, I was trying to help someone once who was trying to get > > >Simon Wilkinson's G

Re: kinit sending clear text password

2004-04-20 Thread Will Fiveash
uggy. If that isn't the case try pkgchk to see if your binaries have been modified. If that isn't the case, file a bug with Sun. BTW, how did you "see" the password? -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) _

Re: kinit sending clear text password

2004-04-21 Thread Will Fiveash
that bug has been fixed recently, but I don't have the patchid > available right now. See: <http://sunsolve6.sun.com/search/document.do?assetkey=1-1-5004688-1&searchclause=> -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT)

Re: kinit sending clear text password

2004-04-21 Thread Will Fiveash
xt password, send me the snoop (use a test principal for which you don't care if I see the password). And also send 'uname -a' output and the path where you are getting kinit from. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) _

Re: kinit sending clear text password

2004-04-21 Thread Will Fiveash
On Wed, Apr 21, 2004 at 01:35:57PM -0500, Will Fiveash wrote: > On Wed, Apr 21, 2004 at 11:49:48AM -0400, Wyllys Ingersoll wrote: > > Douglas E. Engert wrote: > > > > > >As a side comment, the Sun pam_krb5 when passed the debug option writes > > >the pa

Re: Kerberos on Solaris 9

2004-05-20 Thread Will Fiveash
am not sure where kdb5_util is getting this > >information. > > > > > > Do you have a [domain_realm] section that maps > .ultra.hcl.com to MONTREAL.HCL.COM ? > > > [domain_realm] > montreal.hcl.com = MONTREAL.HCL.COM >ultra.hcl

Re: want kerberos 1.3.x for Solaris

2004-06-28 Thread Will Fiveash
rberos and use their kerberos utilities or 3. contact your Sun service provider and request this support in Solaris 9. > Does anyone know, if solaris 10 will have a 1.3-based kerberos > integrated? I assume you want Kerberos TCP support. This is in Solaris 10 (amongst a variety of e

Re: Using non kerberized services on Solaris9 client

2004-06-29 Thread Will Fiveash
g the password in the clear. Look for the SEAM 1.0.2 download on: http://wwws.sun.com/software/download/security.html -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Error using GSS-API on Solaris 9 Platform

2004-08-31 Thread Will Fiveash
on the KDC with a shared > key (which needs be the same key at application server), is there a > way to create a key tab entry on my service host without using kadmin? You'll have to ask your KDC vendor that question. It sounds like you'll ha

Re: gss_acquire_cred with specific keytab

2004-09-02 Thread Will Fiveash
riable KRB5_KTNAME with the full path to the keytab file. No modification of your code is necessary. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Solaris 10 kadmin client

2005-03-01 Thread Will Fiveash
laris Kerberos is based on MIT). You can test this by (running as root) doing a kinit -k and then klist to make sure you successfully got a credential for one of the principals in the keytab. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) _

Re: Solaris 10 kadmin client

2005-03-01 Thread Will Fiveash
On Tue, Mar 01, 2005 at 02:36:19PM -0500, Sam Hartman wrote: > >>>>> "Will" == Will Fiveash <[EMAIL PROTECTED]> writes: > > Will> Note, Solaris kadmin uses secure RPC and does not > Will> interoperate with MIT's kadmind. I&#x

Re: Solaris 10 kadmin client

2005-03-02 Thread Will Fiveash
On Tue, Mar 01, 2005 at 02:36:19PM -0500, Sam Hartman wrote: > >>>>> "Will" == Will Fiveash <[EMAIL PROTECTED]> writes: > > Will> Note, Solaris kadmin uses secure RPC and does not > Will> interoperate with MIT's kadmind. I&#x

question about modifying master_key_type

2005-06-22 Thread Will Fiveash
? -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: question about modifying master_key_type

2005-06-23 Thread Will Fiveash
nger enctype and allow migration of the princ. DB (and deal with any propagation issues). -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kprop fails on multihomed KDCs set up according to FAQ (solved)

2005-06-27 Thread Will Fiveash
iew (look for the Kerberos Enhancements in the Solaris 10 Release section) -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

krb enctype presentation available

2005-06-29 Thread Will Fiveash
entry=everything_you_wanted_to_know Hope it helps (and let me know if there are any problems with the presentation), -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/lis

Re: MIT Kerberos 1.4.1, Solaris 8, & AD SSO

2005-06-30 Thread Will Fiveash
808 auth.debug] PAM-KRB5: sm_auth: > returning 9 > Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5: > krb5_cleanup pam_sm_auth_status(9) > > Any ideas would be greatly appreciated. > > Russ... > > > Kerb

Re: krb enctype presentation available

2005-06-30 Thread Will Fiveash
that > the ticket in the AS_REP is double-encrypted, and of course it's not; > only the session key and a few other bits are encrypted by the user's > long-term key. A minor nit, but I only wanted to point it out for > accuracy's sa

Re: krb enctype presentation available

2005-07-01 Thread Will Fiveash
On Thu, Jun 30, 2005 at 06:25:08PM -0500, Will Fiveash wrote: > On Thu, Jun 30, 2005 at 05:21:40PM -0400, Ken Hornstein wrote: > > >I created a presentation PDF a while back that I've placed on the Web > > >which goes into detail on Kerberos enctypes in terms of how they

Re: Updating encryption types

2005-07-04 Thread Will Fiveash
(enctype table, truncated in the archive; columns are enctype name, enctype number and key size in bits)

    aes128-cts-hmac-sha1-96   17   128
    aes256-cts-hmac-sha1-96   18   256

Re: SSH and Kerberos in Solaris 9

2005-11-02 Thread Will Fiveash
http://docs.sun.com/app/docs/doc/817-0365/6mg5vpmh2?a=view This is the Chapter 15 Configuring SEAM (Tasks) section. You must follow this carefully when modifying the /etc/krb5/krb5.conf. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) _

Re: OT: Re: Solaris telnetd failure with Heimdal client

2005-11-03 Thread Will Fiveash
t telnetd was spawned by inetd so I don't see the DoS. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Solaris telnetd failure with Heimdal client

2005-11-03 Thread Will Fiveash
oes > anyone know if the Heimdal client is at fault somehow, as others must > have tried this combination? (It works with the MIT daemon, giving > similar authdebug output, and the Solaris client works with the same > tickets/keytab/krb5.conf.) Can you use rlogin -x instead of telnet? -

Re: Solaris 10 Kerberos broken?

2006-01-09 Thread Will Fiveash
you don't have the proper entries in the /etc/krb5/kadm5.keytab. Either you are missing an entry or the principal name isn't specified correctly. Go back through the S10 docs very carefully and make sure to use fully qualified hostnames where a hostname is specified as a prin

Re: Solaris 10 + pam_krbs + Active Directory.. What am I doing wrong?

2006-03-03 Thread Will Fiveash
s executable is not pre-w2k3, there is a known issue with it that always sets the key version numbers (kvno) to 1, while the w2k3+ AD server now enforces correct kvnos. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Ke

Re: Solaris ssh pam_krb

2006-03-29 Thread Will Fiveash
kinit is able to fetch a TGT using the host service princ. in the keytab so this aspect of login auth is working. After looking at the krb-diag output, I have made some of the same recommendations to the Support person as found in this thread. I suggest the Stanford folks continue to work with Sun Supp

Re: Solaris ssh pam_krb

2006-03-29 Thread Will Fiveash
t this is unsupported on Solaris at this time. One of the main reasons that Sun exposed the libgss API and not the krb API is API stability. Sun tries hard to provide stable programming interfaces to protect customer investment in software. Note though that Sun is working on exposing the Krb5 AP

Re: Kerberos Client - Solaris 9 (Step-by-Step Guide to Kerberos 5 interop)

2006-04-17 Thread Will Fiveash
erberos authentication in remote applications like telnet, rlogin, rsh and so on. For that you need SEAM 1.0.2 which can be downloaded via: http://onesearch.sun.com/search/onesearch/index.jsp?col=downloads-products&qt=SEAM+1.0.2 -- Will Fiveash Sun Microsystems Inc

Re: NFSv4 with sec=krb5 mounts not working under Solaris

2006-05-25 Thread Will Fiveash
.keytab. Make sure the keytab is only readable by root. In addition there are online docs for configuring S10 NFS to use krb auth. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: NFSv4 with sec=krb5 mounts not working under Solaris

2006-05-26 Thread Will Fiveash
laris packages. Does "pkginfo -l" show SUNWkrbr, SUNWkrbu (these are for krb client support). There are also SUNWkdcr, SUNWkdcu packages which provide KDC support. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerbe

Re: kadmin.local works but kadmin doesn't. kpasswd 'insufficient access to lock data base'

2006-06-13 Thread Will Fiveash
problem. As an aside, Solaris 10 has a nice utility called ppriv which shows information about the privileges that a running program is missing. I used this to determine which priv. to grant to gpg instead of just allowing it to run setuid root. -- Will Fiveash Sun Microsystems Inc. Austi

Re: Kerberized NFSv4 problems

2006-06-19 Thread Will Fiveash
that the KDC is using. If you can just use kadmin on the NFS server and do: ktadd nfs/somehost.foo.bar.com which should get the kvno's in sync. You should also read the Solaris 10 Kerberos documentation on docs.sun.com very carefully as it goes step by step o

Re: Apache error log

2006-07-17 Thread Will Fiveash
_cred() failed: Unspecified GSS failure. Minor code may > > provide more information (No principal in keytab matches desired name) I bet the Kerberos service key for HTTP/testsd.vsaa.lv@ is missing in the keytab however. The admin needs to create this kerberos principal then d

Re: Openssh, kerberos and Solaris 10

2006-08-08 Thread Will Fiveash
you can't link an app directly to the Solaris Kerberos lib. Your options are to either get the MIT krb lib and link against that or use the native Solaris ssh which supports GSS/krb auth quite well (I'm using now). Note you can search docs.sun.com for

Re: Openssh, kerberos and Solaris 10

2006-08-10 Thread Will Fiveash
e. To fix this properly in Solaris is non-trivial and there is much on our plates so it remains an issue. More on this later... -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Transferring a secure context

2006-09-07 Thread Will Fiveash
ays returns null. The Kerberos GSS mechanism on Solaris supports gss_export_sec_context() (just so people aren't confused). -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.

Re: kinit: Key table entry not found while getting initial credentials

2006-11-02 Thread Will Fiveash
he kinit command has to be put in the startup script of an > > application. > > So the application is going to act as a user, and initiate sessions > to some other service? > > So I tried this: > > > > appadm 99% kinit -k kerberos/[EMAIL PROTECTED] > > kini

Re: Incorrect Kerberos Auth Config File?

2006-11-07 Thread Will Fiveash
> # Used when service name is not explicitly mentioned for password > management > # > other password required pam_dhkeys.so.1 > other password requisite pam_authtok_get.so.1 > other password requisite pam_authtok_check.so.1 >

Re: Incorrect Kerberos Auth Config File?

2006-11-07 Thread Will Fiveash
you read the Solaris 10 Security Administration guide at docs.sun.com very carefully. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kinit problem

2007-02-07 Thread Will Fiveash
Solaris support kerberos natively. You can read about Kerberos configuration here: http://docs.sun.com/app/docs/doc/816-4557/6maosrjk5?a=view Or go to docs.sun.com and find this path: Solaris 10 System Administrator Collection >> System Administration Guide: Security Services >> Kerbero

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-22 Thread Will Fiveash
hat piping a password to kinit no longer works! In the intervening > years they must have fixed this. I politely retract my statement. :) Works for me using native kinit on Solaris 10 and up. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) _

Re: kinit: KRB5 error code 52 while getting initial credentials

2007-07-09 Thread Will Fiveash
is no guarantee that Sun will do this as there are costs to doing this and this support is available in Solaris 10. In fact Solaris 10 has a number of Kerberos improvements that make interop with a MS AD easier. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) _

Re: kinit: KRB5 error code 52 while getting initial credentials

2007-07-11 Thread Will Fiveash
On Wed, Jul 11, 2007 at 01:10:19AM +, Ron Bass II wrote: > > Thanks for the update Will. I'll look into Solaris 10... Note that there have been a number of updates (some security related) released for Solaris 10 so make sure you get the latest bits. -- Will Fiveash Sun Micro

Re: Solaris K5, MIT K5 compatibility issues

2007-08-09 Thread Will Fiveash
ty. > > Any clarification would be appreciated. This is a long standing issue between MIT and Sun regarding the kadmin related principals. For more read: http://krbdev.mit.edu/rt/Ticket/Display.html?id=3064 The workaround on Solaris 10 is to set: kpasswd_protoco

Re: SSO from Windows to Solaris using Kerberos: A How-To

2007-09-18 Thread Will Fiveash
g GSS-API auth via the Kerberos GSS mech all the time. What you may be running into is that Solaris has a limitation that Unix usernames be no more than 8 characters (see man passwd.4). This is not a limitation of Solaris sshd. -- Will Fiveash Sun Microsystems Inc. Austin, T

Re: SSO from Windows to Solaris using Kerberos: A How-To

2007-09-19 Thread Will Fiveash
On Wed, Sep 19, 2007 at 10:55:51AM -0500, Douglas E. Engert wrote: > > > Will Fiveash wrote: > > On Sun, Sep 02, 2007 at 07:21:52PM +1000, Edward Irvine wrote: > >> Hi Folks, > >> > >> I eventually gave up trying to coax the default sshd on Solaris 10

NFSsec/krb/AES interop issue with Solaris 10/11

2007-11-16 Thread Will Fiveash
the patch/update is release, rename the renamed kmech_krb5(s) back to their original name before applying the patch/update. The bug can be viewed here: http://bugs.opensolaris.org/view_bug.do?bug_id=6548599 Please follow-up to [EMAIL PROTECTED] -- Will Fiveash Sun Microsystems Inc. Austin,

Re: kerberos and LDAP on Solaris9

2007-12-04 Thread Will Fiveash
at the client's key is more susceptible to off-line dictionary attacks. -- Will Fiveash Sun Microsystems Inc. Austin, TX, USA (TZ=CST6CDT) Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Solaris 10, secure nfs, permission denied

2008-05-15 Thread Will Fiveash
oc/816-4557 with care? I suggest you check your config carefully. Or try using the kclient command which can do a number of these steps for you. If things are still not working, please post. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/ke

Re: Solaris 10, secure nfs, permission denied

2008-05-15 Thread Will Fiveash
foo.com' Note this issue does not affect Solaris systems < S10 since they do not support the AES enctype. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Kerberos mailing list Kerberos@mit.edu ht

Re: Solaris 10, secure nfs, permission denied

2008-05-16 Thread Will Fiveash
aril.mitre.org krb5kdc[11077](info): AS_REQ (5 > etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes > {rep=3 tkt=16 ses=16}, host/[EMAIL PROTECTED] for > krbtgt/[EMAIL PROTECTED] > May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 > etypes {17 16

Re: Solaris 10, secure nfs, permission denied

2008-05-19 Thread Will Fiveash
t is determined that a krb cred is needed by root as is the case when doing a mount of a NFS sec=krb5* share. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Solaris 10, secure nfs, permission denied

2008-05-20 Thread Will Fiveash
ong here, please > chime in. > -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Solaris 10, secure nfs, permission denied

2008-05-21 Thread Will Fiveash
On Tue, May 20, 2008 at 05:17:11PM -0500, Will Fiveash wrote: > Second, the nodename/hostname associated with a Solaris system should > be short form. For example when running the /usr/bin/hostname command > the output should be something like: > > $ /usr/bin/hostname > foo >

Re: Solaris 10, secure nfs, permission denied

2008-05-21 Thread Will Fiveash
isconfigured in that several directories created by installing the Solaris Kerberos packages did not exist. Those directories can only be removed with root privilege. In addition, /usr/bin/kpasswd was deleted. In general, it is not advisable to make such changes to a Solaris system an

Re: Solaris 10, secure nfs, permission denied

2008-05-21 Thread Will Fiveash
On Wed, May 21, 2008 at 12:46:34PM -0500, Will Fiveash wrote: > On Tue, May 20, 2008 at 05:17:11PM -0500, Will Fiveash wrote: > > Second, the nodename/hostname associated with a Solaris system should > > be short form. For example when running the /usr/bin/hostname command > >

Re: Encryption Type wrong

2008-05-22 Thread Will Fiveash
max_renewable_life = 7d 0h 0m 0s > > >> default_principal_flags = +preauth > > >> supported_enctypes = des-cbc-crc:normal > > >> } > > >> > > > > > > Thi

Re: Problem with SPNEGO on Solaris 10 build 4

2008-07-22 Thread Will Fiveash
olaris I get: > > client: > ./gss-client -port 11000 -mech 1.3.6.1.5.5.2 opensolaris.solaris.home HTTP > test > Sending init_sec_context token (size=606)...continue needed... -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ __

MIT e-mail phish attempt

2009-02-09 Thread Will Fiveash
e. Thanks for using mit.edu The MIT Webmail Copyright © 2004-2008 The Massachusetts Institute Of Technology. = Note the Reply-to: is webace...@ymail.com. Just letting y'all know. -- Will Fiveash Sun Microsystems Inc. http:/

question about MIT kpasswd and RPCSEC_GSS

2015-01-21 Thread Will Fiveash
When talking to an older Solaris KDC that only supports the RPCSEC_GSS protocol for change password request, will the current MIT kpasswd command just work or does it require some non-default configuration (some parameter set in krb5.conf)? -- Will Fiveash Oracle Solaris Software Engineer

Re: question about MIT kpasswd and RPCSEC_GSS

2015-01-21 Thread Will Fiveash
On Wed, Jan 21, 2015 at 05:22:43PM -0500, Tom Yu wrote: > Will Fiveash writes: > > > When talking to an older Solaris KDC that only supports the RPCSEC_GSS > > protocol for change password request, will the current MIT kpasswd > > command just work or does it

A thank you to Tom Yu

2017-04-07 Thread Will Fiveash
h the years. I wish you well in your future endeavors. -- Will Fiveash Oracle Solaris Software Engineer Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: KRB5 & Sun Solaris 9

2009-04-23 Thread Will Fiveash
with a number of krb related enhancements. The 1.6 MIT krb also supports this so I can understand why one may want to use MIT krb in this situation but you may want to consider upgrading Solaris. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/

Re: KRB5 & Sun Solaris 9

2009-04-24 Thread Will Fiveash
's my impression samba for Solaris 10 has been enhanced and supports krb auth. When I get more info on this I'll pass it on. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: KRB5 & Sun Solaris 9

2009-04-24 Thread Will Fiveash
edu > admin_server = ds.vanderbilt.edu > default_domain = vanderbilt.edu > } > > [domain_realm] > .vanderbilt.edu = DS.VANDERBILT.EDU > vanderbilt.edu = DS.VANDERBILT.EDU > -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ __

Re: KRB5 & Sun Solaris 9

2009-04-24 Thread Will Fiveash
change. As for why > we have 2 realms, etc., this was all pre-configured and found to work on > our other 2 Sun boxes. I really don't know the reasoning behind it. > Sorry. > > Jamen McGranahan > Systems Services Librarian > Vanderbilt University -- Will Fiveash Sun Micr

Re: kadmind: Stored master key is corrupted while initializing, aborting

2009-04-27 Thread Will Fiveash
at truss reports some random return code for functions that return void i.e. have no return value. 'man truss' has more info. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: SEGV in krb5_free_cred_contents on Opensolaris

2009-11-02 Thread Will Fiveash
eros-disc...@opensolaris.org. If it really is a bug we can open a bug. -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Sent from mutt, a sweet ASCII MUA Kerberos mailing list Kerberos@mit.edu https://mailma

Re: unable to get default realm for solaris 10

2010-01-13 Thread Will Fiveash
On Wed, Jan 13, 2010 at 11:37:45AM +0530, Mohammad, Meraj wrote: > Hi Andrea > > i'm trying to setup Kerberos(krb5-1.7)with Solaris 10. While Why not just use native Solaris 10 Kerberos ? -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ Sent from

Re: unable to get default realm for solaris 10

2010-01-14 Thread Will Fiveash
10 and apache. I am not sure how apache accesses Kerberos but you can verify what library a binary is accessing via the ldd command. Run that on the binary that apache uses to access libkrb5. If it isn't using /usr/lib/libkrb5.so then you'll need to recompile that module to use the native

Re: unable to get default realm for solaris 10

2010-03-23 Thread Will Fiveash
alled > properly. In above link it is not mentioned how to install Kerberos on > solaris10. It have only configuration details of Kerberos. > > Can you refer any site from where I can properly install Kerberos from > Solaris10 OS DVD? Try asking that on the Oracle BigAd

Re: Kerberos help required.

2010-03-24 Thread Will Fiveash
in Solaris 9 the native Kerberos support is based on MIT krb5 v1.2.1. -- Will Fiveash Oracle (note my new work e-mail address: will.five...@oracle.com) http://opensolaris.org/os/project/kerberos/ Sent from mutt, a sweet text MUA. Kerberos mailing list

Re: bug report: "too many SRV records" becomes "no SRV records"

2010-06-10 Thread Will Fiveash
may want to edit) to make this easier. For debugging MIT binaries I do something like: truss_krb -mit -o /tmp/krb-truss.out /usr/local/bin/kinit For Solaris krb stuff I do: truss_krb -o /tmp/krb-truss.out /usr/bin/kinit etc... -- Will Fiveash Oracle Note my new work e-mail address: will.five..

Re: kerberos, pre_auth, and smartcards

2010-07-27 Thread Will Fiveash
from the admin, and we don't have that kind of configuration. I started a thread on this earlier, search for the following in the archives: Date: Tue, 9 Feb 2010 19:05:32 -0600 From: Will Fiveash To: MIT Kerberos Dev List Subject: HW-AUTHENT flag question Message-ID: <2

Re: GSSAPI Issue

2010-11-29 Thread Will Fiveash
gateCredentials=yes. > > ssh -K is a shortcut for the latter and lets you choose for each ssh > command whether you want to forward tickets. I usually only use the ssh > setting for specific hosts I use a lot and explicitly add the -K when I > want to forward tickets to other

Re: RFC: Turning off reverse hostname resolution by default in 1.10

2011-07-06 Thread Will Fiveash
ot > sure there's likely to be much impact. > > Does anyone on this list intentionally rely on PTR lookups for > Kerberos hostname canonicalization? Solaris has never supported rdns hostname lookups by default. I am not aware of any complaints. -- Will Fiveash Oracle http://

kdb5_util stash question

2012-01-20 Thread Will Fiveash
Does the kdb5_util stash require the admin running it know the master key password or should it be able to extract it from the K/M princ? -- Will Fiveash Oracle Solaris Software Engineer http://opensolaris.org/os/project/kerberos/ Sent using mutt, a sweet, text based e-mail app <h

Re: kdb5_util stash question

2012-01-20 Thread Will Fiveash
On Fri, Jan 20, 2012 at 07:35:23PM -0500, Greg Hudson wrote: > On 01/20/2012 06:54 PM, Will Fiveash wrote: > > Does the kdb5_util stash require the admin running it know the master > > key password or should it be able to extract it from the K/M princ? > > By design, it

Re: Best (or recommended) practices for updating and modifying encryption types supported on all principals?

2012-04-12 Thread Will Fiveash
e_princ_encryption, etc... sub-commands. But to reiterate, this will not change the enctype of the princ's keys. -- Will Fiveash Oracle Solaris Software Engineer http://opensolaris.org/os/project/kerberos/ Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/> ___

Re: longer ticket life vs auto renew

2012-08-15 Thread Will Fiveash
as > hoping some of the list members might weigh in with their thoughts. As an aside, Solaris provides a krb warning daemon, ktkt_warnd, that both warns users when their TGT cred is about to expire and cannot be renewed and auto-renews it depending on the configuration. -- Will Fiveash Oracle Sol

Re: Using PREAUTH on the initial AS_REQ

2012-09-20 Thread Will Fiveash
his the hard way when I modified pam_krb5 to do optimistic preauth (I had to remove that logic). -- Will Fiveash Oracle Solaris Software Engineer http://opensolaris.org/os/project/kerberos/ Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>

Re: Reason for removing sname check?

2012-10-10 Thread Will Fiveash
e GSS_C_ACCEPT, &creds, &acquired, NULL); the krb code will use any service princ keys found in the keytab, as long as the hostname component matches, for accepting the AP_REQ? -- Will Fiveash Oracle Solaris Software Engineer http://opensolaris.org/os/project/kerberos/ Se

Re: Inconsistencies in KDC status messages formats

2012-10-22 Thread Will Fiveash
tring status messages more > consistent ("All english words without underscores" or, > alternatively, ALL_UPPER_CASE_WITH_UNDERSCORE ) and document the update. > > Any thoughts on the matter? All correctly spelled English words without underscores. -- Will Fiveash Oracle Solaris Sof

Re: Inconsistencies in KDC status messages formats

2012-10-23 Thread Will Fiveash
ng > backwards incompatible changes to log messages. Perhaps the log formats should include both a stable identifier for the log scraper/scanners and a user friendly string? If so, thought needs to be given to identifier stability. -- Will Fiveash Oracle Solaris Software Engineer http://opensolar

Re: Kerberos behavior in the presence of multiple PTR records

2013-03-15 Thread Will Fiveash
he remote_host variable after the getnameinfo call. Note that Solaris krb has never used reverse lookup in krb5_sname_to_principal() and in the current source:

    #if !defined(DEFAULT_RDNS_LOOKUP) /* Solaris Kerberos */
    #define DEFAULT_RDNS_LOOKUP 0
    #endif

-- Will Fiveash Oracle Solaris Software Engi

Re: Issue with Kerberos setting in Sun Solaris 10

2013-04-22 Thread Will Fiveash
Solaris 10. Also the native Solaris krb expects the default system keytab to be /etc/krb5/krb5.keytab and to be read/write only by root. If you are using MIT krb then you need to refer to their documentation as the paths to various krb related config files and keytab differ from Solaris

Re: [EXTERNAL] Re: Issue with Kerberos setting in Sun Solaris 10

2013-04-22 Thread Will Fiveash
will show you what krb5.conf and what krb5.keytab kinit is trying to open. See the truss man page for more details on truss. -- Will Fiveash Oracle Solaris Software Engineer Kerberos mailing list Kerberos@mit.edu https://mailman.mit.e

Re: Problems with Kerberos authentication over internet

2014-01-02 Thread Will Fiveash
understand that some reasons are vulnerability if >KDC over port 88, address in tickets etc. But is there any other technical >reason for which Kerberos should not be used over public network ? Kerberos could be used over the Internet but who's going to admin that KDC? -- Will Fiveash Oracl

Re: Fwd: Kerberos5 ticket auto renewal

2014-03-19 Thread Will Fiveash
es renewable tickets. Renewable Kerberos tickets can be > renewed up to the renewable lifetime, which is often configured to be > longer than the regular ticket lifetime. Yes, think of ktkt_warnd as a daemon that periodically does "kinit -R" to keep a user's initial TGT cre

Re: Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-11 Thread Will Fiveash
o acquire a krb cred for root. On the client system "nfsstat -m" will show what version of NFS is being used. -- Will Fiveash Oracle Solaris Software Engineer Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-13 Thread Will Fiveash
On Sat, Apr 12, 2014 at 09:50:25AM +0200, Wang Shouhua wrote: > On 11 April 2014 22:14, Will Fiveash wrote: > > On Tue, Apr 01, 2014 at 06:00:45PM +0200, Wang Shouhua wrote: > >> I am on Solaris 10U4 - can I access a NFS filesystem with (mandatory) > >> krb5p authenti

Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-14 Thread Will Fiveash
rver side in /etc/krb5/krb5.conf. You may want to ask for more info on this on the Oracle OTN discussion forums, read the Solaris 10 online documentation or check with your Oracle support person. -- Will Fiveash Oracle Solaris Software Engineer

Re: Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-14 Thread Will Fiveash
On Mon, Apr 14, 2014 at 08:55:10PM +0200, Wang Shouhua wrote: > On 13 April 2014 21:59, Will Fiveash wrote: > > On Sat, Apr 12, 2014 at 09:50:25AM +0200, Wang Shouhua wrote: > >> On 11 April 2014 22:14, Will Fiveash wrote: > >> > On Tue, Apr 01, 2014 at 06:00:

Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-15 Thread Will Fiveash
client meant it had a keytab containing host service princ keys which could then be leveraged to protect the lease renewal traffic. My opinion is that unless there is a very good reason to protect that traffic, krb protection for lease renewal traffic should be optional, depending on configuration. -

Re: Accessing Kerberos NFS via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-15 Thread Will Fiveash
access) > To: Wang Shouhua,Kerberos@mit.edu, Will > Fiveash > Message-ID: > > On 13 April 2014 21:59, Will Fiveash wrote: >> On Sat, Apr 12, 2014 at 09:50:25AM +0200, Wang Shouhua wrote: >>> We are talking about NFS version 4 (NFSv4) on Solaris only. Why does >>&

Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-15 Thread Will Fiveash
On Tue, Apr 15, 2014 at 03:13:09PM -0400, Simo Sorce wrote: > On Tue, 2014-04-15 at 13:48 -0500, Will Fiveash wrote: > > On Tue, Apr 15, 2014 at 11:36:34AM -0500, Nico Williams wrote: > > > Will, > > > > > > Mobile devices don't really have stable hostname

Re: Accessing Kerberos NFS version 4 (not 2, 3) via /net automounter with kinit only (no /etc/krb5.conf access)

2014-04-15 Thread Will Fiveash
On Tue, Apr 15, 2014 at 02:34:11PM -0500, Nico Williams wrote: > On Tue, Apr 15, 2014 at 2:22 PM, Will Fiveash wrote: > > But if this is a work laptop, which is typically a single user system > > and operates as a client in various contexts, requiring IT provision it > >
