Re: [Cosign-discuss] Couldn't identify an authenticator for 'username'
On May 30, 2014, at 9:48 AM, Liam Hoekenga li...@umich.edu wrote:

> Are there any characters that cosign would disallow, misinterpret, choke on?

Not for krb5, no. It calls krb5_get_init_creds_password on the urldecoded bytes posted by the logging in user.

andrew

--
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss

Re: [Cosign-discuss] Couldn't identify an authenticator for 'username'
On 29 May 2014, at 23:11, Andrew Mortensen and...@weblogin.org wrote:

> tl;dr: Couldn't identify an authenticator for 'username' almost always means username submitted a bad password.

Well, that's not a handy error message, is it!

:wes

Re: [Cosign-discuss] Couldn't identify an authenticator for 'username'
On Thu, May 29, 2014 at 11:11 PM, Andrew Mortensen and...@weblogin.org wrote:

> tl;dr: Couldn't identify an authenticator for 'username' almost always means username submitted a bad password.

Ok. That makes sense, and I think would explain why we see that error as frequently as we do.

> As the code currently stands, nothing is logged if cosign_login_krb5 doesn't succeed.

Was that different in 3.0.x? I see the Couldn't identify authenticator error in our production logs when I mistype my password..

[Fri May 30 09:29:04 2014] [error] [client 35.2.14.100] Couldn't identify an authenticator for 'liamr', referer: https://weblogin.umich.edu/cosign-bin/cosign.cgi

I don't see it in our test environments, tho (v.3.2.0).

I'm pursuing this for a specific helpdesk incident. The helpdesk says that they've verified the password (though are not clear on what that means). Are there any characters that cosign would disallow, misinterpret, choke on?

Liam

Re: [Cosign-discuss] Couldn't identify an authenticator for 'username'
Hi Liam,

Did this start recently? I wonder if the recent (local) DNS changes might have affected how Kerberos clients function. Similarly, are there any differences between the two data centers? (There were recent router changes to fix DNS problems on one of the subnets involved.)

---
Richard Conto
DNA Sequencing Core
Biomedical Research Core Facilities
Medical School Administration
Office of Research
NCRC Bldg 14 room 168 -- (734) 764-7620

On Thu, May 29, 2014 at 2:18 PM, Liam Hoekenga li...@umich.edu wrote:

> Our cosign installation uses kerberos and friend as the primary authenticators. We're getting instances of this error in our logs:
>
> Couldn't identify an authenticator for /USERNAME/
>
> I can find where this error occurs in the source code, but I can't really figure out what would trigger it. The problem usernames all seem to be valid, active kerberos principals, and our logs indicate that sometimes the problem usernames *are* able to authenticate.
>
> The failures are initiated by a wide variety of cosign service providers. They seem to happen in batches - we had ~360 between 14:00 - 14:15 today, though that might be a bad observation.. Splunk shows that we see ~5k-20k of these a day.
>
> Any ideas?
>
> Liam

Re: [Cosign-discuss] Couldn't identify an authenticator for 'username'
On Thu, May 29, 2014 at 3:58 PM, Wesley Craig wescr...@gmail.com wrote:

> Do you have any passwd keywords configured?

Nope. We're just using the compile-time defaults.

Liam

Re: [Cosign-discuss] Couldn't identify an authenticator for 'username'
On 29 May 2014, at 16:04, Liam Hoekenga li...@umich.edu wrote:

> Nope. We're just using the compile-time defaults.

Well, the defaults are (.+@.+) and ([^@]+), i.e., if there's @ in the login, treat it as friend, if there's no @, use kerberos. A leading or trailing @ would cause neither to match, or if the strings are too short, but that's about it.

:wes
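
The default patterns Wes gives and the log line Liam quotes, combined into a small triage script that counts the error per 15-minute window and shows which default pattern each login matches. This is an added example, not part of the thread and not Cosign's code; whole-string matching, the function names and the sample lines are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Default passwd patterns quoted in the thread. Whole-string matching is an
# assumption, inferred from "a leading or trailing @ would cause neither to match".
DEFAULTS = [("friend", re.compile(r"(.+@.+)")),
            ("kerberos", re.compile(r"([^@]+)"))]

# Shape of the Apache error-log line quoted in the thread.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Couldn't identify an authenticator for '(?P<login>.*)'(?:, referer: .*)?$")

def authenticator_for(login):
    """Name of the first default pattern the whole login matches, else None."""
    for name, pattern in DEFAULTS:
        if pattern.fullmatch(login):
            return name
    return None

def triage(lines, window_minutes=15):
    """Count the error per time window and per (login, matched pattern)."""
    per_window, per_login = Counter(), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # some other log message
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        per_window[start.strftime("%Y-%m-%d %H:%M")] += 1
        per_login[(m["login"], authenticator_for(m["login"]))] += 1
    return per_window, per_login

# Constructed sample lines in the quoted format; logins are made up and the
# client addresses come from the documentation range 192.0.2.0/24.
_FMT = "[Fri May 30 {} 2014] [error] [client {}] Couldn't identify an authenticator for '{}'"
SAMPLE = [
    _FMT.format("14:01:10", "192.0.2.10", "alice"),
    _FMT.format("14:07:42", "192.0.2.10", "alice") + ", referer: https://weblogin.example.edu/",
    _FMT.format("14:16:03", "192.0.2.11", "bob@example.com"),
    _FMT.format("14:20:55", "192.0.2.12", "@carol"),
    "[Fri May 30 14:21:00 2014] [notice] unrelated message",
]

if __name__ == "__main__":
    windows, logins = triage(SAMPLE)
    for start, count in sorted(windows.items()):
        print(start, count)
    for (login, auth), count in sorted(logins.items(), key=str):
        print(f"{login!r}: {count} failure(s), pattern: {auth or 'none matched'}")
```

Logins that match the kerberos or friend pattern fall under Andrew's tl;dr, where a bad password is the usual cause; a login that matches neither pattern is the leading or trailing @ case Wes describes.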