[no subject]

2004-02-28 Thread chris
see this! Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos user management & J2EE question

2004-11-19 Thread Chris
've had no luck finding information on doing this, all the Kerberos protocol information I've found deals with authentication of users, not with managing users. Could anyone point me in the right direction? Thanks! Chris

Establishing client credentials (TGT etc.) with GSSAPI

2009-02-20 Thread Chris
s_init_context) side? TIA - Chris

Re: Establishing client credentials (TGT etc.) with GSSAPI

2009-02-23 Thread Chris
On Feb 20, 4:17 pm, Nicolas Williams wrote: > On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote: > > ... > > Is it correct that, if you can't rely on default GSSAPI credentials > > (i.e. login identity and pre-cached TGT), then a client should use > > gss_ac

Re: Establishing client credentials (TGT etc.) with GSSAPI

2009-02-23 Thread Chris
On Feb 23, 3:08 pm, Nicolas Williams wrote: > On Mon, Feb 23, 2009 at 02:00:55PM -0800, Chris wrote: > > FWIW, I was slightly confused with the language in the GSSAPI RFC > > which seems to indicate that an implementation of a mechanism (e.g. > > Kerberos) is not necessarily

Java app as Windows Service w/JGSS+Kerberos - should it work?

2009-03-11 Thread Chris
work, did you ever see the above symptom & is there a likely cause? Or if not, could it be that this simply won't work - is there something about the Java GSS-API implementation that conflicts with running in a wrapping service process? TIA, Chris

Re: FW: JBoss Negotiate

2009-03-15 Thread Chris
IIRC - there was a hotfix to earlier versions to make the KDC honor the requested encryption type). hth, Chris

Add second realm to existing KDC ?

2019-09-10 Thread chris
dd new realm to krb5.conf & kdc.conf ? Create new master database? Or could the existing database be used? New tgt for the new domain? What else? Sorry for basic question, but could not find any info online. Thanks, chris

Re: Add second realm to existing KDC ?

2019-09-10 Thread chris
b5kdc to be run with "-r REALM" flags for each realm, > and similarly for kadmind. How you do this part is system-specific. Greg, thank you very much. I will give it a go. I'd rather have a single KDC with a slightly wonky setup than 2 separate

Re: Java app as Windows Service w/JGSS+Kerberos - should it work?

2009-03-18 Thread Chris
On Mar 11, 5:08 pm, Chris wrote: > I know this is a fairly specific configuration but I'm hoping someone > may have some experience to offer - have you been able to get a GSS-API-enabled Java server application running as a Windows Service with > a local KeyTab file? If you ha

second keytab for similar service (but different SPN/IP) breaks the first

2009-06-03 Thread Chris
dr..." SPN's for multiple web servers on your network. Am I right in thinking what I'm trying should be possible, and if so is there some nuance of generating the keytab that I'm not following that causes the first keytab to stop working? Many thanks. - Chris

Can I get more debug output from kadmin.local?

2009-08-11 Thread Chris
min.local interface) = 41 write(2, "\n", 1 ) = 1 exit_group(1) I can bind to ldap using the stashed passwords just fine, and read/write what I'm supposed to in the container and subtrees. Is there any way to get some more output out of the program, just a li

Re: Can I get more debug output from kadmin.local?

2009-08-11 Thread Chris
g wrong, but none of it prints. Still have to figure out why that isn't happening correctly... Chris

ldap principal aliases

2009-08-27 Thread Chris
both krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag. From what I think I read in the docs, this is supposed to be on for service principals by default. Any help in understanding what I'm not understanding here would be appreciated. Chris

Re: ldap principal aliases

2009-08-29 Thread Chris
Sorry, I just noticed that the list was dropped from the cc in last few replies. On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote: > On Fri, 2009-08-28 at 16:04 -0400, Chris wrote: > > [r...@wopr ~]# kvno host/sf9ca98.domain.com > > host/sf9ca98.domain@domain.com:

Re: ldap principal aliases

2009-09-03 Thread Chris
f you're going to disable the check, I'd do it in > libkdb_ldap rather than the KDC). > > -- Luke Thank you both for the input (and the patch). I apologize, I was out on vacation for several days, so I didn't mean to ignore you! I see that the patch made it

Re: ldap principal aliases

2009-09-22 Thread Chris
On Sat, Aug 29, 2009 at 11:01:19AM -0400, Chris wrote: > On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote: > > On Fri, 2009-08-28 at 16:04 -0400, Chris wrote: > > > [r...@wopr ~]# kvno host/sf9ca98.domain.com > > > host/sf9ca98.domain@domain.com: kvno =

Re: Server not found in Kerberos database

2009-10-30 Thread Chris
eally asking for. A lot of clients think they know what you really meant to ask for, and use whatever they get back from reverse DNS as the host name. If reverse DNS doesn't match what you tried to ssh into, it will fail. Chris

kadmin in different time zones

2010-01-26 Thread Chris
. Is this normal behavior for kadmin? Chris

pkinit with passwords

2013-08-19 Thread Chris
cert key, and that works, but is unenforceable. I'd really like to avoid shunting some kind of preauth to yet another authentication system if possible. Is it possible to do what I described, or is there a better way? Cheers, Chris

Redhat 7 and Kerberos

2001-08-04 Thread Chris
I am new to Kerberos. I just installed a fresh Redhat 7.1 on my machine. As I telnet to my machine normally with telnet localhost, I got login: Cannot contact any KDC for requested realm while getting initial credentials Is it because I am not running a Kerberos server process? How do I turn it

Strange flags with klist

2003-08-21 Thread Chris Hallenbeck
2 Addresses: (none) Thanks! -Chris

Authentication stopped working

2003-09-16 Thread Chris White
I have a dozen RedHat machines that were set up to use kerberos for authentication against a M$ Active Directory server (managed by a central admin department), they get their User account details from a LDAP database that I manage (usernames are kept the same). All this was configured using the aut

Re: Authentication stopped working

2003-09-18 Thread Chris White
Problem Solved... New Update to OpenSSH solved the problem, don't know what caused the issue in the first place, but with the latest OpenSSH RPM all works fine. I can only assume that it was, therefore, not a kerberos problem. Thanks Chris White wrote: > I have a dozen RedHat machi

Single ldap installation with users from multiple realms... or possibly failover from one realm to the next

2004-04-04 Thread Chris McClimans
I've got an interesting dilemma. I've got users from two kerberos realms... one of them is under my control and the other is an active directory under control of central IT. They won't modify the AD to have any useful unix attributes, so I'm stuck building my own ldap solution. Is there a way I

Upgrading from Heimdal 0.4 to 0.6

2004-07-06 Thread Chris Schadl
ients (which will be the first to be upgraded) will still be able to authenticate against the 0.4e KDC during the transition period. Thanks, Chris Schadl

timeout period for failed kdc in /etc/krb5.conf

2005-06-09 Thread Chris H
the first kdc? can i specify any more options or even some nice form of loadbalancing here? i should be able to at least!? and no i don't use DNS, for reasons out of my control. Chris

Macintosh OS 10.4 Tiger support

2005-07-14 Thread chris wspanialy
I wonder if Kerberos could be used on Windows 2003 network with Windows XP Pro and Macintosh OS 10.4 computers. We also use Exchange 2003 server for mail services and Entourage 2004 client for Mac. Thanks Chris Wspanialy -- Network Analyst Ontario Teachers

RE: Windows Clients Won't Do Kerberos

2006-06-29 Thread chris . rowland
Turn off NTLM with Group Policy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, June 29, 2006 1:37 PM To: kerberos@mit.edu Subject: Windows Clients Won't Do Kerberos I'm testing a Windows -> Apache Kerberos SSO product

Incorrect Kerberos Auth Config File?

2006-11-07 Thread Chris cc
password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 # other auth sufficient pam_krb5.so use_first_pass other password required pam_authtok_store.

Re: Incorrect Kerberos Auth Config File?

2006-11-07 Thread Chris cc
Will, I use sol 10 + latest patches. I have followed your suggestions and I'm still in the dark. I'm also not able to ping KDC as you ask. At this point, I have no idea where else to troubleshoot. Any help is really appreciated. Thanks, -Chris > > I'd like my A

Re: Incorrect Kerberos Auth Config File?

2006-11-08 Thread Chris cc
Thanks a lot for some pointers & suggestions, guys. I finally got it to work. The problem was that I entered an incorrect IP for my domain controller, doh!!! Cool, -Chris "Douglas E. Engert" <[EMAIL PROTECTED]> wrote: Will Fiveash wrote: > On Tue, Nov 07, 2006 at 05:

Joining a multiple realm AD environment

2007-05-11 Thread Chris Penney
user in LOC2 logs in I only see LOC1 being queried. I'm curious if I'm doing something wrong or if I simply need to get a computer account created for the box before trusts work. I was hoping to not approach the AD staff until I was more or less certain I knew what needed

Re: Joining a multiple realm AD environment

2007-05-16 Thread Chris Penney
On 5/11/07, Chris Penney <[EMAIL PROTECTED]> wrote: > Hello, > > At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM, > etc.) that all trust each other. There are users setup in each realm > that need to access the Linux systems I maintain. Today, w

Re: Joining a multiple realm AD environment

2007-05-18 Thread Chris Penney
have to do this even if you add the system to AD via a "User" account? Thanks! Chris

Re: Joining a multiple realm AD environment

2007-05-20 Thread Chris Penney
On 5/18/07, Douglas E. Engert <[EMAIL PROTECTED]> wrote: > > Chris Penney wrote: > > > > Ah! I see. I used the pam_krb5 that Douglas noted and the pam config > > lines you noted and it works basically as intended. > > > > Do you still have to do t

Re: Joining a multiple realm AD environment

2007-05-20 Thread Chris Penney
fy that you talk to the right kdc during user authentication. It has > nothing to do with the ability to login from LOC1.DOM.COM or LOC2.DOM.COM Ok, thanks! I appreciate your answering my questions. The multiple realm concept wasn't very clea

Kerberos on Windows

2008-03-07 Thread Chris Lowe
d for our Mac clients. At the moment it looks like it isn't actually possible to do this in Windows XP. PLEASE help! :-) --- Chris Lowe

Re: Kerberos on Windows

2008-03-07 Thread Chris Lowe
After some long and painful research, I've discovered the mit2ms command, which only works in Vista. Does anything implement this functionality in XP? -Chris On 07/03/2008, at 10:56 PM, Chris Lowe wrote: > Hi there, > > I'm having major problems with Kerberos on Window

Re: revocation feature in Kerberos

2014-07-31 Thread Chris Hecker
be it got fixed? Chris On Jul 31, 2014 3:15 PM, "Roland C. Dowdeswell" wrote: > On Thu, Jul 31, 2014 at 04:34:42PM -0500, Nico Williams wrote: > > > > > In general Kerberos doesn't need a revocation system because ticket > > lifetimes should be short enough. >

Re: Announcing mod_auth_gssapi

2014-08-14 Thread Chris Hecker
By being gss-only, do you mean the module, or clients must use gss as well? Chris On Aug 14, 2014 3:24 PM, "Russ Allbery" wrote: > Simo Sorce writes: > > > I have recently released a new module for Apache called mod_auth_gssapi > > to modernize a little bit on t

Re: upgrading kerberos 1.9.4 to 1.13 with LDAP backend

2014-12-03 Thread Chris Hecker
I am going to need to make the exact same update at some point, so a report back on how it went would be great! Thanks, Chris On Dec 3, 2014 2:28 PM, "Paul B. Henson" wrote: > We currently have three Kerberos servers running 1.9.4 using the LDAP > backend and are planning to

RE: LDAP searches for Kerberos entries

2015-02-04 Thread Chris Hecker
I use LDAP to store additional stuff about users, so the krb stuff is a subtype (can't remember what the real term is) of my main record type. I rarely search on the krb fields. Chris On Feb 4, 2015 12:09 PM, "Paul B. Henson" wrote: > > From: Michael Ströder > > S

Re: Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

2015-02-12 Thread Chris Hecker
Yes, this piqued my interest as well... Chris On Feb 12, 2015 12:30 AM, "Gergely Czuczy" wrote: > > On 2015-02-11 15:25, Simo Sorce wrote: > > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote: > >> HI! > >> > >> Maybe some of you are us

Does this separate thread connection need another as_req/rep pair?

2015-05-07 Thread Chris Hecker
CE so I think the mk_priv/rd_priv pairs have to happen in order, which I can't guarantee with another thread. Am I missing something, or do I have to bite the bullet and do the full AS_REQ/AS_REP thing on the second connection? Let me know if that doesn't make sense. Thanks, Chris

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-07 Thread Chris Hecker
d the mutex, it can be shared. I assume for the same reasons, with DO_SEQUENCE off you can also use it on a UDP (unreliable, ooo, etc.) connection? By the way, for replay attacks, do I need to worry about cross session replays (with the same TGT), or does every AP_REQ/AP_REP randomize so I on

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-07 Thread Chris Hecker
> Hm, you might be able to speed this up by supplying the service key > to the auth context with krb5_auth_con_setuseruserkey() Cool, I'll check that out next time I'm optimizing, thanks! Chris On 2015-05-07 12:15, Greg Hudson wrote: > On 05/07/2015 02:44 PM, Chris Hecke

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-08 Thread Chris Hecker
Hmm, thinking about this a bit more: if I turn off DO_SEQUENCE so I can share the auth_context, is there a way to dupe it so it can be used in both threads simultaneously? There shouldn't be any more mutable dependent state in there if there's no seq being used, right? Chris On May 7,

Re: Does this separate thread connection need another as_req/rep pair?

2015-05-08 Thread Chris Hecker
Yeah, my packet types are different for each direction. Out of curiosity, as discussed years ago, I also use "directional addressing" where I set a fake ip address for the local and remote that are the opposites for the two sides, so that would prevent reflections too, right? Chris

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-13 Thread Chris Hecker
ked statically in my app... Chris On 2015-05-08 08:41, Greg Hudson wrote: > On 05/08/2015 04:57 AM, Chris Hecker wrote: >> Hmm, thinking about this a bit more: if I turn off DO_SEQUENCE so I can >> share the auth_context, is there a way to dupe it so it can be used in >> both t

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-13 Thread Chris Hecker
got it sitting right there. I'm already using this API for u2u authn, it turns out (which is what it's for, I'm assuming :). Chris On 2015-05-07 12:15, Greg Hudson wrote: > On 05/07/2015 02:44 PM, Chris Hecker wrote: >> I found it slow under a loadtest, wh

returning krb5_rd_req error code to clients

2015-06-13 Thread Chris Hecker
Is it a problem to return the krb5_rd_req error code on failed authn to clients? Is that revealing information it shouldn't and I should just return success or failure? Or filter it down to a few safe ones, like clock skew, etc?

krb5_keyusage

2015-06-14 Thread Chris Hecker
use the usage at all... Chris

first rd_priv/mk_priv and KRB5_AUTH_CONTEXT_DO_SEQUENCE

2015-06-14 Thread Chris Hecker
created without it for the first priv message. I assume this is because the seq is 0, but is this intended? I was surprised by it (something I expected to fail succeeded and I had to figure out why). Chris

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-20 Thread Chris Hecker
ree the one from get because it's not used. There should be a version of set that takes ownership of the memory, I think. Make sense? Chris On Sat, Jun 20, 2015 at 12:52 PM, Benjamin Kaduk wrote: > On Sat, 13 Jun 2015, Chris Hecker wrote: > > > > > Finally getting to this..

Re: "revoking" a TGT?

2016-08-07 Thread Chris Hecker
I keep meaning to contribute my patch for this (not the kvno part, just the allow_tix check and ability for services to check for bans). It is completely rotted relative to the latest rev though. I need to update. Chris On Aug 7, 2016 10:40 PM, "Greg Hudson" wrote: > On 08/05/

temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-16 Thread Chris Hecker

temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-17 Thread Chris Hecker
unless I implemented some kind of authz stuff that I'd like to avoid for now. Thoughts? Thanks! Chris

Re: temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-25 Thread Chris Hecker
urity beyond that single client as far as I can tell. Should I bother creating send/recv subkeys, or just a single useruser key for this transmission? It's basically a one time thing, sending to the login service so it can send the key back over the enc

Re: temporarily granting a TGT for a client coming in with a 3rd party authn system

2017-11-25 Thread Chris Hecker
Oh, and to actually send the key back, I assume I can just pack up the keyblock and send that encrypted with mk_priv, there's no mk_1cred equivalent for sending a key it seems? Thanks, Chris On Sat, Nov 25, 2017 at 4:23 PM, Chris Hecker wrote: > > Okay, I think I have a handle on t

Re: upgrading kdc from 1.9 to 1.16, things to worry about?

2017-12-11 Thread Chris Hecker
Ok, moving this over to the main list... Anybody else have any thoughts on the update below? Thanks, Chris On Mon, Dec 11, 2017 at 11:11 Greg Hudson wrote: > kerberos@mit.edu is better for questions like this. Your plan seems > sound, with the proviso that I'm not an expert on O

Re: upgrading kdc from 1.9 to 1.16, things to worry about?

2017-12-11 Thread Chris Hecker
This is a centos5 x86 machine. I've got the schema that came with openldap and the new one in krb5-1.16 Chris On Mon, Dec 11, 2017 at 16:12 Todd Grayson wrote: > What OS distro are you working over for the KDC hosts., the schema is no > longer present in current distro specific pa

-allow_tgs_req

2018-01-08 Thread Chris Hecker
or maybe I'm misunderstanding how it works...? Thanks, Chris

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Ah. Is there any way to prevent a service princ from being able to get tickets? As in, if one of my service keytabs is compromised, can I prevent those princs from being used like a normal user princ? Chris On Mon, Jan 8, 2018 at 19:58 Russ Allbery wrote: > Chris Hecker writes: >

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Ah, I assumed that was symmetric for some reason. I obviously need to be able to get tickets for these services. Not sure why I thought that. I'll check it out, thanks! Chris On Mon, Jan 8, 2018 at 20:15 Russ Allbery wrote: > Chris Hecker writes: > > > Ah. Is there any

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Hmm, yeah, I can't get tickets to a service with -allow_tix on it. I'll have to look into why if that's supposed to work, I made a couple modifications to my KDC in this area a while back. Chris On Mon, Jan 8, 2018 at 20:24 Chris Hecker wrote: > > Ah, I assumed that w

Re: -allow_tgs_req

2018-01-08 Thread Chris Hecker
Right, I will disable the princ when I find out obviously, I just want the person to not be able to use it as a user princ to get tickets to other services in the meantime. Does that make sense or am I missing something? Chris On Mon, Jan 8, 2018 at 20:28 Russ Allbery wrote: > Ch

Re: How does the user principal know the service

2018-06-23 Thread Chris Hecker
You ask for a ticket for a specific service in the request. Chris On Sat, Jun 23, 2018 at 14:02 ZongtianHou wrote: > Hi, everyone: > I am a bit confused of the auth process of kerberos. The user principal > request the AS for a tgt, then use send the tgt to the TGS to get a tick

Any set of flags on a princ to allow an AS but no TGS request?

2018-08-01 Thread Chris Hecker
, and even setting -maxlife "1 second" still lets kvno get tickets for a while (I assume for the clock skew window, though the tickets have a start time after their expires time, so maybe they're not usable, I haven't tried using them). Am I mis

Re: Error - Oracle database authentication with Kerberos

2018-08-08 Thread Chris Hecker
Not sure if this helps, but since it's late in the US, the last time I got a "generic error" is when my LDAP db went down underneath Kerberos and it couldn't connect. Probably not remotely related to your generic error, but maybe see if you can talk to the KDC at all. Chris

long running kadm5 program running into errors

2018-08-16 Thread Chris Hecker
hing added between 1.9 and 1.15 I should know about? Thanks, Chris

Re: long running kadm5 program running into errors

2018-08-17 Thread Chris Hecker
es...I can see the client having a problem due to timeouts or paging or whatever, but why would the kadmind print that stuff in this case? Chris On 2018-08-16 17:47, Chris Hecker wrote: > > I have a long-running daemon that reads a kadm5 admin key from a file > keytab into a memory keytab be

Re: long running kadm5 program running into errors

2018-08-22 Thread Chris Hecker
I think this turned out to be an IP address that was attached to eth0 that had actually been moved. Those kadmind.log errors were correlated with the connection problems though (always were present when a failure like this occurred), if that is useful info. Chris On Wed, Aug 22, 2018 at 08:09

Re: Query: Need help for storing the krb5_creds(ticket) as blob format.

2018-08-25 Thread Chris Hecker
If you've got a krb5_creds* tkt then tkt->ticket is a krb5_data, which means tkt->ticket.data and tkt->ticket.length are available...you can just use them directly to store the ticket somewhere (or send it for u2u or whatever). Chris On 2018-08-25 01:43, Santosh Kumar wrote: >

Re[2]: MIT Kerberos Master principal deletion

2020-06-11 Thread Chris Hecker
Maybe dump the core of the running process so you don't accidentally crash it while trying to debug it live? But that would make finding it in memory even harder... Chris -- Original Message -- From: "Nico Williams" To: "Harshawardhan Kulkarni" Cc: "

Re[2]: MIT Kerberos Master principal deletion

2020-06-11 Thread Chris Hecker
re it is executing when it's dumped). If I was doing this live, I'd set a breakpoint on some function that used the key to decrypt and then inspect there, but with a core file you'll need to make sure you can find all the structures first. Is realm_mkey in the kdc_realm_dat

Re[3]: MIT Kerberos Master principal deletion

2020-06-11 Thread Chris Hecker
Looks like it might also be in the global master_keyblock in the server_kdb.c file. Chris -- Original Message -- From: "Chris Hecker" To: "Nico Williams" Cc: "Harshawardhan Kulkarni" ; "kerberos@mit.edu" Sent: 2020-06-11 15:54:32 Subje

Re: Avoiding Pre-Auth/Auth Principal State Disclosure

2020-07-01 Thread Chris Hecker
There are actually a bunch of places that leak information about valid princs, I wonder if there’s a todo item to clean those up at some point? I can’t remember the one or two I found since it was a while ago but I posted it to the list as well. Chris On Tue, Jun 30, 2020 at 23:01 Eric

Re: Avoiding Pre-Auth/Auth Principal State Disclosure

2020-07-01 Thread Chris Hecker
be treated like a normal princ if we had this obscurity feature? I remember assuming vague errors would fix this but then discovering it didn’t, which was surprising. I build my KDC myself so I wasn’t worried about that part, I just was surprised it wasn’t possible. Chris On Wed, Jul 1, 2020 at 12

Re: Avoiding Pre-Auth/Auth Principal State Disclosure

2020-07-02 Thread Chris Hecker
Wow, thanks for taking the time for the detailed response! I will digest this and see if I still have questions. Chris On Thu, Jul 2, 2020 at 10:45 Greg Hudson wrote: > On 7/1/20 3:55 PM, Chris Hecker wrote: > >> For example, if we treated single-component principals as users

weak regex/glob in listprincs in kadmin (on ldap)?

2021-07-11 Thread Chris Hecker
debugging it yet, but is this because the ldap backend doesn't support them? Is there a recommended way of using the kadm5 interface to iterate through tons of principals? Thanks, Chris PS. The thing that started this is I'm trying figure out which princs

Re[2]: weak regex/glob in listprincs in kadmin (on ldap)?

2021-07-11 Thread Chris Hecker
It's not clear how you'd iterate them all with the current API in a remotely efficient manner. Maybe people don't want to do that very often though. Chris -- Original Message -- From: "Greg Hudson" To: "Chris Hecker" ; kerberos@mit.edu Sent: 2021-

Re: Kerberos Server Implementation

2022-01-11 Thread Chris Hecker
There are two samples in the Kerberos source that have both clients and servers, I’m not at my computer but they’re called something like sim_client and sample_client and server. Chris On Tue, Jan 11, 2022 at 14:44 Gupta, Divyansh via Kerberos wrote: > Hi Kerberos@MIT, > > I am atte

Re: Creating a principal using the kadmin C API

2022-04-07 Thread Chris Hecker
conf and I hacked an API in for using that because there didn't use to be a way to do that, I think there is now, but I don't do kadm5 stuff the same way. I'm happy to post my code for making princs and randkeying if you'd like. Chris -- Original Message --

Re: Creating a principal using the kadmin C API

2022-04-08 Thread Chris Hecker
my computer. Chris On Thu, Apr 7, 2022 at 22:42 Greg Hudson wrote: > On 4/7/22 16:19, Lars Francke wrote: > > We tried to use kadm5_create_principal_3 and kadm5_randkey_principal_3 > but > > we seem to be running into an issue. Ideally we'd like to call this > > function w

Re: how to stash KDC password in perl

2022-10-20 Thread Chris Hecker
I don’t see anything in the existing perl modules but it would probably be pretty easy to add to the KDB one: https://metacpan.org/pod/Authen::Krb5::KDB Chris On Thu, Oct 20, 2022 at 11:29 Jim Shi via Kerberos wrote: > Hi, is there way to stash password in perl or Java? I know it is in

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
hope there isn’t some movement to deprecate the lowlevel public krb5 API, because it is very useful for me at least. Chris On Fri, Feb 24, 2023 at 08:55 Sam Hartman wrote: > >>>>> "Florian" == Florian Weimer writes: > > Florian> * Sam Hartman: >

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
Yeah, by portable I meant I just compile the parts of krb5 client code I need when necessary. The krb5 client is very portable and fairly small. I strip out some stuff I don’t use, but not too much. Chris On Fri, Feb 24, 2023 at 11:51 Ken Hornstein wrote: > >I have said this before

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
, they could just use a little love and organization and documentation. If they’re calling internal stuff that should be fixed too obvs, but they don’t need to be gutted. Chris On Fri, Feb 24, 2023 at 11:59 Chris Hecker wrote: > > Yeah, by portable I meant I just compile the parts of krb5

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
assume some level of competence on their part, and comment appropriately. Chris On Fri, Feb 24, 2023 at 12:25 Ken Hornstein wrote: > >I guess if I’m on a tear saying forbidden things, sometimes identity is > all > >you need, you don’t want all the samples to encrypt everything,

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Chris Hecker
kadm. Chris On Fri, Feb 24, 2023 at 12:43 Nico Williams wrote: > On Fri, Feb 24, 2023 at 01:50:58PM -0500, Ken Hornstein via Kerberos wrote: > > >I have said this before on the list and it’s not a very popular thing to > > >say, but I program to the krb5 public API, and i

cannot mount nfs share -o sec=krb5p

2023-05-23 Thread Chris Gorman
at the logs and tell me if anything jumps out at you as my problem? Thanks in advance, Chris May 23 15:50:33 server kernel: nfsd4_exchange_id rqstp=e3fa7e31 exid=8c642416 clname.len=23 clname.data=401df9ce ip_addr=192.168.0.2 flags 103, spa_how 0 May 23 15:50:33 server

Re: cannot mount nfs share -o sec=krb5p

2023-05-25 Thread Chris Gorman
for your time. Chris On Tue, May 23, 2023 at 8:30 PM Chris Gorman wrote: > > Hello list, > > I am trying to build a linux from scratch system with nfs4 and > kerberos. Somewhere along the lines I have deviated from what distros > like arch linux have done as I can't

mod_auth_kerb realm stripping

2009-10-13 Thread Chris Cowley
Hello all I am trying to tweak my mod_auth_kerb setup. Currently it works nicely, I am able to authenticate to web pages on our intranet and everything is dandy. The problem I am having is the contents of Apache's REMOTE_USER variable. Currently it has my REALM on the end, which I do not want. I

Re: mod_auth_kerb realm stripping

2009-10-13 Thread Chris Cowley
On 13 Oct, 17:28, Chris Cowley wrote: > Hello all > > I am trying to tweak my mod_auth_kerb setup. Currently it works > nicely, I am able to authenticate to web pages on our intranet and > everything is dandy. > > The problem I am having is the contents of Apache

Re: override default credentials cache file location

2010-10-14 Thread Chris Ward
I could be wrong, but I think what you want is this: KRB5CCNAME Used by the mechanism to specify the location of the credential cache. The variable can be set to the following value: [[:]] where can be FILE or MEMORY. is the location of the principal's credential cache.

Re: Slightly confused by user-to-user authentication...

2011-07-06 Thread Chris Hecker
ions? Or, am I misunderstanding? It would be awesome to only have to have my servers synced, and have the clients be, well, clients, with random bad clocks, but if I want to user-to-user authenticate does that force them to be synced? http://www.faqs.org/faqs/kerberos-faq/general/section-22.

Re: Slightly confused by user-to-user authentication...

2011-07-07 Thread Chris Hecker
t kind of cc to use. Chris On 2011/07/07 05:44, Greg Hudson wrote: > On Thu, 2011-07-07 at 01:59 -0400, Chris Hecker wrote: >> One more question about user-to-user: the FAQ says that the "Clocks >> Adrift" paper's solution for not forcing clients to have synced clo

Re: Slightly confused by user-to-user authentication...

2011-07-07 Thread Chris Hecker
s AP_REQs handles that correctly (has that ever been > tested?), but it will be interesting to find out. I will definitely be testing this thoroughly, because I'm assuming my customers will have clocks set to rand(). Chris On 2011/07/07 17:39, Greg Hudson wrote: > On Thu, 2011-07-07 a

what is magical about kadmin.local?

2011-07-09 Thread Chris Hecker
ause root/admin isn't a valid krb account, but if I enter a valid admin princ it prompts for a password, and kadmin.local doesn't prompt or error on a valid or invalid principal). I must be missing something stupid, but I can't figure out what it is, the calls seem ident
