Admin session expiry

2018-12-28 Thread Yegui Cai
Hi all. Is there a way to configure KDC so that the admin session will expire if it keeps inactive for a period of time? Thanks, YC Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Admin session expiry

2019-01-02 Thread Yegui Cai
Thanks for the info. On Wed, Jan 2, 2019 at 11:30 AM Greg Hudson wrote: > On 12/28/18 12:07 PM, Yegui Cai wrote: > > Is there a way to configure KDC so that the admin session will expire if > it > > keeps inactive for a period of time? > > There is not. However, if more

Running KDC as non-root and dockerize KDC

2019-01-04 Thread Yegui Cai
Hi all. This can be two threads but I have the following two questions at the same time. 1. Can we run KDC as a non-root user? Meaning is it required to run KDC as root? 2. Is there any official docker images for KDC? or any plan to have one? Thanks! Yegui

libverto.so.0

2019-01-07 Thread Yegui Cai
Hi. I built kdc from source code. When I run kadmind it complains about the missing dependency of libverto.so.0. My machine has libverto.so.1. Would it work if I create a softlink to libverto.so.1? Thanks! YC

Re: libverto.so.0

2019-01-07 Thread Yegui Cai
Yes. I did run "make install". In fact, by default, at the configuration stage, system libverto will be used based on the output. How can I not use the system verto? Thanks for your help! On Mon, Jan 7, 2019 at 10:55 AM Greg Hudson wrote: > On 1/7/19 10:29 AM, Yegui Cai wrote

Re: Running KDC as non-root and dockerize KDC

2019-01-07 Thread Yegui Cai
Hi Robbie. I ran into the case where the privileged ports are not allowed to be bound. Do you know how I can work around this? Thanks, YC On Fri, Jan 4, 2019 at 11:14 AM Robbie Harwood wrote: > Yegui Cai writes: > > > Hi all. > > > > This can be two threads but

Unknown credential cache type while opening default credentials cache

2019-01-09 Thread Yegui Cai
Hi. I build KDC from source code and deploy it in a customized directory. When I run kadmin.local, it errors with a message: kadmin.local: Unknown credential cache type while opening default credentials cache Can you please provide some hints on troubleshooting? Thanks a lot! Yegui

Re: Admin session expiry

2019-01-11 Thread Yegui Cai
Hi Greg. Any plan to add the capability of expiring admin sessions into a future release? Thanks! Yegui On Wed, Jan 2, 2019 at 11:30 AM Greg Hudson wrote: > On 12/28/18 12:07 PM, Yegui Cai wrote: > > Is there a way to configure KDC so that the admin session will expire if >

kadmind: Cannot set GSSAPI authentication names, aborting

2019-01-24 Thread Yegui Cai
any idea on what is going on? Thanks a lot! Yegui Cai

Re: kadmind: Cannot set GSSAPI authentication names, aborting

2019-01-24 Thread Yegui Cai
I figured it out by using strace. It turned out that a directory was missing. The error message is really confusing. On Thu, Jan 24, 2019 at 12:05 PM Yegui Cai wrote: > Hi all. > > I ran into an issue when I tried to run kadmind. The version of KDC is > 1.16.3. > I did have k

Re: kadmind: Cannot set GSSAPI authentication names, aborting

2019-01-25 Thread Yegui Cai
Sure! I built 1.16.3 under a non-default directory and configured ccache in a subdirectory. But I did not create that ccache directory. So a misleading error message was generated. On Fri, Jan 25, 2019 at 1:40 PM Robbie Harwood wrote: > Yegui Cai writes: > > > On Thu, Jan 24, 2019

KDC 1.15.1 - addprinc random failure

2019-02-01 Thread Yegui Cai
Hi all. I run KDC 1.15.1. At the host, I use kadmin.local to add a principal. Very strange that my first attempt failed silently while the second attempt succeeded. Here are the steps: [root@gamma-hactive ~]# kadmin.local Authenticating as principal hdfs/ad...@example.com with password. kadmin.lo

Re: KDC 1.15.1 - addprinc random failure

2019-02-02 Thread Yegui Cai
Hi all. I just found out that the issue was caused by some race conditions when I experiment with master-master deployment. Please ignore this thread. Cheers, Yegui On Fri, Feb 1, 2019 at 11:20 AM Yegui Cai wrote: > Hi all. > > I run KDC 1.15.1. At the host, I use kadmin.local

Master-master deployment?

2019-02-02 Thread Yegui Cai
Hi all. I know the official document recommends master-slave deployment for production environment. Wonder if anyone has tried to do a master-master deployment? If yes, how could you sync between two masters? Thanks, Yegui

Re: Master-master deployment?

2019-02-02 Thread Yegui Cai
Hi Thor. So you have a shared ldap? If so, could that ldap be a single point of failure? Thanks, Yegui On Sat, Feb 2, 2019 at 11:10 AM t Seeger wrote: > Hey Yegui, > > I use a multi master setup. For the sync I use openldap. > > Greeting Thor > > On 2. Feb 2019, at 15

Re: Master-master deployment?

2019-02-02 Thread Yegui Cai
Sat, Feb 02, 2019 at 11:12:33AM -0500, Yegui Cai wrote: > > Hi Thor. > > So you have a shared ldap? If so, could that ldap be a single point of > > failure? > > > > Thanks, > > Yegui > > > > On Sat, Feb 2, 2019 at 11:10 AM t Seeger wrote: > >

Re: Master-master deployment?

2019-02-06 Thread Yegui Cai
Awesome, thanks! On Wed, Feb 6, 2019 at 2:32 AM t Seeger wrote: > Hey Yegui, > > You can find the script here https://wp.tntnet.eu/?p=112 > There is a very short instruction too. Keep in mind that I'm not a ldap or > Kerberos expert. ^^ > > Thor > > On 6. Feb 2019,

Data privacy in KDC

2019-03-04 Thread Yegui Cai
different realms? 3. If I use the default data storage (Berkeley DB if my understanding is correct), how is data encrypted at rest? Thanks a lot! Yegui Cai

Re: Data privacy in KDC

2019-03-04 Thread Yegui Cai
Hi Greg. Thanks a lot for your reply. A further question regarding 3. The database files (principle, principal.kadm5) are not encrypted, am I right? Best, Yegui On Mon, Mar 4, 2019 at 12:16 PM Greg Hudson wrote: > On 3/4/19 11:45 AM, Yegui Cai wrote: > > 1. If I have multiple tenant

Re: Admin session expiry

2019-03-11 Thread Yegui Cai
du > Subject: Re: Admin session expiry > > On Jan 13, 2019, at 1:49 AM, Greg Hudson wrote: > > > > On 1/11/19 11:08 AM, Yegui Cai wrote: > >> Any plan to add the capability of expiring admin sessions into a future > >> release? > > > > We can con

Admin ticket expiry does not expire consistently

2019-03-25 Thread Yegui Cai
5 11:53:27 ygc-kdc-master05.example.com kadmind[18654](Notice): GSS-API error strings complete. Mar 25 11:53:27 ygc-kdc-master05.example.com kadmind[18654](Error): Authentication attempt failed: 10.76.50.109, RPC authentication flavor 6 --- Do I miss something here? Thanks for an

Re: Admin session expiry

2019-03-26 Thread Yegui Cai
min, for which purpose it generally needs to prompt you for a > password. The ticket it obtains is kept in memory and not ever written to a > file where you can see it, but it does exist. And, like all tickets, it > has a lifetime. > > > > ------ > *F

Re: Admin session expiry

2019-03-26 Thread Yegui Cai
requests), the expiration time of the existing TGT. > > > Examine the database entries for both kadmin/admin and your admin user. > > ---------- > *From:* Yegui Cai > *Sent:* Tuesday, March 26, 2019 1:17 PM > *To:* Jeffrey Hutzelman > *Cc:* John Devit

Audit logging

2019-06-20 Thread Yegui Cai
Hi community. Does KDC generate audit logs by any chance? If not, would there be any plan to do so? Thanks, Yegui

Re: Audit logging

2019-06-20 Thread Yegui Cai
In my opinion, audit logging can be a subset of the loggings KDC has. But sometimes, software can have audit loggings separately. On Thu, Jun 20, 2019 at 1:40 PM Greg Hudson wrote: > On 6/20/19 1:16 PM, Yegui Cai wrote: > > Does KDC generate audit logs by any chance? If not, would the

kpropd on non-default port

2019-07-15 Thread Yegui Cai
Hi community. I am trying to deploy a master and a slave KDC. Due to regulations, I need to run everything on unprivileged ports. I have done everything except for kpropd which by default runs on 754. When I launched kpropd on port, say, 3754, database propagation did not happen. I did try running

/etc/krb5.conf for IPV6

2019-11-06 Thread Yegui Cai
Hi, It looks like we need to have brackets around IPV6 addresses inside /etc/krb5.conf. Am I right? It is, why would that be the case? Thanks, Yegui

Re: /etc/krb5.conf for IPV6

2019-11-06 Thread Yegui Cai
Ok, thanks! On Wed, Nov 6, 2019 at 4:04 PM Greg Hudson wrote: > On 11/6/19 2:57 PM, Yegui Cai wrote: > > It looks like we need to have brackets around IPV6 addresses inside > > /etc/krb5.conf. Am I right? It is, why would that be the case? > > Yes, you do need b

Performance bench marking

2019-11-15 Thread Yegui Cai
Hi, Is there some performance bench marking done against KDC? For instance, if I want to deploy a KDC server and suppose some peak traffic volume, what kind of memory/cpu resource should I provision for the server? Thanks! Yegui

rate limiting in KDC?

2019-12-05 Thread Yegui Cai
Hi, May I ask a quick question? Is there any rate-limiting mechanism in KDC? I am asking for two reasons. First, if there is a DoS attack, I think KDC needs to have some kind of rate-limiting to eliminate the attack. Am I right? Secondly, for performance bench marking, if there is a rate-limiting in

iprop not working

2020-02-06 Thread Yegui Cai
Hi, I am running KDC inside a docker container. It seems there is an issue with iprop. The 2122 port on the master kdc for some reason is not open. I am guessing maybe some library needed by iprop is missing in my docker container. Can someone please point me in the right direction? Thank you ver

Upgrading KDC from 1.15 to 1.18

2020-03-20 Thread Yegui Cai
the right direction? Thanks in advance and best regards! Yegui Cai