Can someone reply to my query?

3. Windows event id 4 (kerberos) (raj esh L)
________________________________
From: "[email protected]" <[email protected]>
To: [email protected]
Sent: Tue, 19 January, 2010 22:33:46
Subject: Kerberos Digest, Vol 85, Issue 25

Send Kerberos mailing list submissions to
    [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
    https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
    [email protected]

You can reach the person managing the list at
    [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."

Today's Topics:

   1. Re: URG: Details abt Kerberos (Jason Edgecombe)
   2. Re: guidance (Naveen BN)
   3. Windows event id 4 (kerberos) (raj esh L)
   4. Cannot run rlogind, telnetd (vinay kumar)

----------------------------------------------------------------------

Message: 1
Date: Mon, 18 Jan 2010 19:52:28 -0500
From: Jason Edgecombe <[email protected]>
Subject: Re: URG: Details abt Kerberos
To: "Max (Weijun) Wang" <[email protected]>
Cc: vinay kumar <[email protected]>, [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Max (Weijun) Wang wrote:
>> What's the difference between hosts and usernames, seriously?
>
> I guess Vinay is talking about the different type of principal names.
>
> A username, say, [email protected], is used on the client side. The
> client gets an initial TGT for it at the kinit time.
>
> A host, prepended with a service name, say,
> ftp/[email protected], is used on the server side. Normally,
> you create a keytab file holding secret keys for this name and it's
> readable by the server process.
>
> Both names are created using the kadmin tool.
>
> --Max
>
> On Jan 19, 2010, at 4:28 AM, Jason Edgecombe wrote:
>
>> vinay kumar wrote:
>>> *Hi,*
>>>
>>> I am new to kerberos, I have been asked to setup KDC, kerberos client
>>> and application server. Using these I have to capture AP_REQ, AP_REP,
>>> AS_REQ and AS_REP in wireshark. I have two systems both are working on
>>> Red Hat Linux. I downloaded Kerberos from MIT version 5. I went through
>>> installation and user guide of kerberos. I successfully constructed KDC
>>> server and able to capture AS_REQ and AS_REP, but I was not able to
>>> setup kerberos client and application server. *I have few doubts like
>>> can application server and client can be on the same system?
>>> How client machine differs from application server?
>>> Is client recognized by IP address or Principal by the KDC?
>>> For configuration setting we need to modify /etc/inetd.conf but this
>>> file is not there in Red Hat, so which file to edit?
>>> What exactly client means (I have understood it as a system on which u
>>> can get ticket for any principal in that realm)?
>>> What exactly application server means (I have confusion like ftp,
>>> telnet ... etc are available on client system only, then what is the
>>> function of application server)?
>>> What is the difference between host and usernames?
>>> *Plz help me by showing how to configure client and application
>>> server.* Kindly help me out. Waiting for ur reply.
>>>
>>> Regards,
>>> Vinay
>>>
>> It's time to read the fine manual.
>>
>> Kerberos comes with RedHat Enterprise Linux, although it's not the
>> latest version, it is kept patched for security vulnerabilities.
>>
>> Read this:
>> http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/ch-kerberos.html
>>
>> The "next" link explains some of the kerberos terms.
>>
>> Kerberos is normally run as its own service, not through inetd. Redhat
>> uses xinetd instead of inetd. Please read the manual page if you aren't
>> familiar with xinetd, especially the part about the HUP signal.
>>
>> What's the difference between hosts and usernames, seriously?

Hello Vinay and everyone,

I'm sorry for my grumpy response. I'm not normally that grouchy.

Sorry,
Jason

------------------------------

Message: 2
Date: Tue, 19 Jan 2010 11:53:45 +0530
From: Naveen BN <[email protected]>
Subject: Re: guidance
To: Kevin Coffman <[email protected]>
Cc: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dear Kevin,

I am using only one cache file called tkt for storing the credentials
received. I found that there was no support in kerberos source for
removing the credentials from a cache file (where the structure
krb5_cc_file_ops holds the file operation for credentials).
Please let me know if there is a way to achieve the same.

Thanks and Regards
Naveen

------------------------------

Message: 3
Date: Mon, 18 Jan 2010 23:52:13 -0800 (PST)
From: raj esh L <[email protected]>
Subject: Windows event id 4 (kerberos)
To: [email protected]
Cc: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

We have observed Kerberos event ID 4 on one member server (print server)
BRAPRINT001 (10.1.37.167).

Please find the description below about the event ID. Can someone please
help me on it?

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 1/13/2010
Time: 6:16:35 PM
User: N/A
Computer: BRAPRINT001
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
SLH-001155$. The target name used was cifs/ATL017784.dir.ucb-group.com.
This indicates that the password used to encrypt the kerberos service
ticket is different than that on the target server. Commonly, this is due
to identically named machine accounts in the target realm
(DIR.UCB-GROUP.COM), and the client realm. Please contact your system
administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

ATL017784.dir.ucb-group.com [10.70.11.107]

We captured network for it. Can you please help here what is going on?
Captured file is available at http://www.megaupload.com/?d=WDIG1CAT

------------------------------

Message: 4
Date: Tue, 19 Jan 2010 18:19:33 +0530
From: vinay kumar <[email protected]>
Subject: Cannot run rlogind, telnetd
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

I want to capture AP_REQ and AP_REP, for that I want to run telnetd,
rlogind daemons on my application server. When I run rlogind I will get
the following error:

*rlogind: Can't get peer name of remote host: Socket operation on
non-socket*

When I run rsh I get a *host unknown* error.

My krb5.conf is as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = GLOBAL.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 preferred_preauth_types = 16

[realms]
 GLOBAL.COM = {
  kdc = 172.16.10.211
  admin_server = 172.16.10.211
  default_domain = global.com
 }

[domain_realm]
 .globaledgesoft.com = GLOBAL.COM
 globaledgesoft.com = GLOBAL.COM

[kdc]
 profile = /etc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

My kdc.conf is as follows:

[kdcdefaults]
 kdc_ports = 750,88

[realms]
 GLOBAL.COM = {
  database_name = /usr/local/var/krb5kdc/principal
  admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
  acl_file = /usr/local/var/krb5kdc/kadm5.acl
  key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBAL.COM
  kdc_ports = 750,88
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }

Plz guide me.

Regards,
Vinay

------------------------------

_______________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

End of Kerberos Digest, Vol 85, Issue 25
****************************************

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
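Added example, not part of the original thread or of any poster's code: a small triage helper for the Event ID 4 text quoted in Message 3. It extracts the account the event names as the server and the target SPN, then reports whether the SPN's host and that account refer to different machines, which is the first thing to establish before checking name resolution and SPN registration for the target. The function and field names are hypothetical.

```python
import re

# Description text copied from the Event ID 4 record quoted in Message 3.
EVENT_TEXT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "SLH-001155$. The target name used was cifs/ATL017784.dir.ucb-group.com. "
    "This indicates that the password used to encrypt the kerberos service "
    "ticket is different than that on the target server."
)

# Both names end with a sentence full stop, so each capture is lazy and
# stops at the first "." that is followed by whitespace or end of text.
PATTERN = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<account>\S+?)\.\s+"
    r"The target name used was\s+(?P<spn>[^\s/]+/\S+?)\.(?=\s|$)",
    re.IGNORECASE,
)


def analyze_event4(text):
    """Return the names in a Kerberos Event ID 4 description, or None."""
    # Event Viewer exports wrap lines, so collapse all whitespace first.
    match = PATTERN.search(" ".join(text.split()))
    if match is None:
        return None
    account = match.group("account")
    service, _, target_host = match.group("spn").partition("/")
    # A machine account is the computer's short name followed by "$".
    account_host = account.rstrip("$").split(".")[0].upper()
    spn_host = target_host.split(".")[0].upper()
    return {
        "service": service,
        "target_host": target_host,
        "server_account": account,
        # True: the ticket was requested for one host name, but the event
        # names a different machine account as the server.
        "name_mismatch": account_host != spn_host,
    }


if __name__ == "__main__":
    for key, value in analyze_event4(EVENT_TEXT).items():
        print(f"{key}: {value}")
```
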
