Re: Kerberos configuration file

2004-02-27 Thread Nalin Dahyabhai
On Thu, Feb 26, 2004 at 12:45:36AM -0800, Matthias Haslbeck wrote:
> [libdefaults]
> default_realm=MYCOMPANY.LOCAL
> [realms]
> nkk-1gje43lrh5h.mycompany.local={kdc=mycompany.local}
[snip]
> "mycompany.local" is the domain of my network and should be the realm
> of the KDC. "nkk-1gje43lrh5h" is the name of my server which hosts the
> Active Directory.
> 
> Please tell me what's wrong!

In addition to what Thomas suggests, you've got the name of the realm
(capitalization is important) and the host name of your KDC swapped.
Your [realms] section should probably read:
 [realms]
  MYCOMPANY.LOCAL = { kdc = nkk-1gje43lrh5h.mycompany.local }

HTH,

Nalin

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
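A small checker for exactly the mistake above, as an added example that is not part of Nalin's reply or of any Kerberos distribution: it parses the [libdefaults] and [realms] stanzas of a krb5.conf and warns about a realm name that is not upper-case, a default_realm with no [realms] entry, and a [realms] entry whose "realm" is a host inside the domain given as its kdc (the swap in the post). The two configurations embedded in the block are constructed from the post; the corrected one adds an admin_server line that the post does not have, and the parser handles only the subset of krb5.conf syntax shown here.

```python
"""Sanity-check the [realms] stanza of a krb5.conf (added example)."""
import re
from typing import Dict, List, Union

# Constructed sample inputs: the stanza as posted, and the corrected form.
BROKEN_CONF = """\
[libdefaults]
default_realm=MYCOMPANY.LOCAL
[realms]
nkk-1gje43lrh5h.mycompany.local={kdc=mycompany.local}
"""

FIXED_CONF = """\
[libdefaults]
 default_realm = MYCOMPANY.LOCAL
[realms]
 MYCOMPANY.LOCAL = {
  kdc = nkk-1gje43lrh5h.mycompany.local
  admin_server = nkk-1gje43lrh5h.mycompany.local   # assumed, not in the post
 }
"""

Section = Dict[str, Union[str, Dict[str, str]]]


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse the subset of krb5.conf syntax used by [libdefaults] and [realms]:
    '[section]' headers, 'key = value' lines, and 'name = { ... }' subsections
    that close either on the same line (as in the post) or on a later '}'.
    '#' comments are stripped. This is not the full krb5.conf grammar."""
    sections: Dict[str, Section] = {}
    section = None
    sub = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([A-Za-z_]+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            sub = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if sub is None:
                raise ValueError("unexpected '}'")
            sub = None
            continue
        key, eq, value = line.partition("=")
        if not eq:
            raise ValueError(f"expected 'key = value': {line!r}")
        key, value = key.strip(), value.strip()
        if value.startswith("{"):
            body = value[1:]
            closed = body.endswith("}")          # one-line '{k=v}' form
            body = body[:-1].strip() if closed else body.strip()
            sub_dict: Dict[str, str] = {}
            section[key] = sub_dict
            if body:
                k, _, v = body.partition("=")
                sub_dict[k.strip()] = v.strip()
            sub = None if closed else key
            continue
        target = section[sub] if sub is not None else section
        target[key] = value                      # last duplicate key wins
    return sections


def check_realms(conf: Dict[str, Section]) -> List[str]:
    """Warnings for the mistakes in the post; an empty list means no findings."""
    warnings: List[str] = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if isinstance(default_realm, str) and default_realm not in realms:
        warnings.append(f"default_realm {default_realm} has no [realms] entry")
    for name, settings in realms.items():
        if not isinstance(settings, dict):
            continue
        if name != name.upper():
            warnings.append(f"realm {name!r} is not upper-case; realm names are case-sensitive")
        kdc = settings.get("kdc")
        if kdc is None:
            warnings.append(f"realm {name}: no kdc given")
            continue
        # Swap heuristic: the 'realm' is a host inside the domain named as its kdc.
        if name.lower().endswith("." + kdc.lower()):
            warnings.append(f"realm {name!r} and kdc {kdc!r} look swapped; try "
                            f"{kdc.upper()} = {{ kdc = {name.lower()} }}")
    return warnings


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(label + ":")
        for w in check_realms(parse_krb5_conf(text)) or ["ok"]:
            print("  " + w)
```

Run it against your own /etc/krb5.conf by reading the file into parse_krb5_conf; the swap heuristic is deliberately narrow, so a clean result only means the realm/KDC layout is plausible, not that the KDC is reachable.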


RE: Browser authentication

2004-02-27 Thread Tim Alsop
Andreas,

The SASL/GSS/HTTP approach is considered by some (including myself) to be better than
the SPNEGO-based solution that Microsoft have included in IE and IIS. The MS solution
is based on an individual IETF draft and didn't progress to a standard, but is widely
used.

We (CyberSafe) have implemented our own GSS-based web browser authentication solution
that works with any browser (without any updates to the browser that is installed on each
workstation) and can be ported to any web server, but we currently only support
Apache. Our solution has the advantage that it will work with web server clusters as
well as offering replay attack detection and the ability to work with proxy servers.
The MS solution does not work with a proxy server and hence MS ISA Server is not
supported (for example).

I agree that this is better discussed within the SASL IETF WG instead of the Kerberos WG.

Regards, Tim.

-Original Message-
From: Andreas [mailto:[EMAIL PROTECTED] 
Sent: 27 February 2004 13:05
To: [EMAIL PROTECTED]
Subject: Re: Browser authentication

On Mon, Feb 23, 2004 at 09:20:26AM -0500, Wyllys Ingersoll wrote:
> The correct way to do this is with GSSAPI, Microsoft implemented

Couldn't SASL be used instead (and then gssapi)? Maybe a question for another forum, 
though.


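To see what the IE/IIS "Negotiate" scheme Tim refers to actually carries, here is an added example that is not CyberSafe's or Microsoft's code and not part of the original thread: it builds and then dissects an HTTP Authorization: Negotiate value, reporting which GSS mechanisms the client offered in the SPNEGO NegTokenInit (RFC 4178) so that a server or proxy log can flag requests that would permit fallback from Kerberos to NTLM. The header values are constructed in the block, not captured from a browser; the SPNEGO, Kerberos, Microsoft-Kerberos and NTLMSSP OIDs are the well-known ones; the mechToken inside is a placeholder, and the code does not validate the Kerberos AP-REQ itself.

```python
"""Build and dissect HTTP Negotiate (SPNEGO) headers (added example)."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"              # RFC 4178
KRB5_OID = "1.2.840.113554.1.2.2"         # RFC 1964 Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"       # Microsoft Kerberos
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"    # NTLMSSP


def tlv(tag, body):
    """DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER for a dotted string (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Dotted string from OID content bytes (first arc 0, 1 or 2 only)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_negotiate_header(mechs, mech_token=b""):
    """'Negotiate <base64>' wrapping a GSS-API InitialContextToken (RFC 2743
    3.1) whose inner token is a SPNEGO NegTokenInit (RFC 4178 4.2.1) that
    offers `mechs` in preference order, optionally with the first mech's token."""
    fields = tlv(0xA0, tlv(0x30, b"".join(encode_oid(m) for m in mechs)))  # mechTypes [0]
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))                          # mechToken [2]
    neg_token_init = tlv(0xA0, tlv(0x30, fields))                           # negTokenInit [0]
    token = tlv(0x60, encode_oid(SPNEGO_OID) + neg_token_init)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def offered_mechs(header_value):
    """Mechanism OIDs offered in an Authorization: Negotiate value, in order.
    A bare Kerberos token with no SPNEGO wrapper counts as Kerberos only."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("missing thisMech OID")
    mech = decode_oid(oid)
    if mech in (KRB5_OID, MS_KRB5_OID):
        return [mech]
    if mech != SPNEGO_OID:
        raise ValueError("unexpected mechanism " + mech)
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:                       # 0xA1 would be a NegTokenResp
        raise ValueError("expected NegTokenInit")
    tag, seq, _ = read_tlv(neg)
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    tag, mech_types, _ = read_tlv(seq)
    if tag != 0xA0:
        raise ValueError("mechTypes must come first")
    tag, items, _ = read_tlv(mech_types)
    oids, pos = [], 0
    while pos < len(items):
        tag, oid, pos = read_tlv(items, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        oids.append(decode_oid(oid))
    return oids


def kerberos_only(header_value):
    """True when the client prefers Kerberos and offers no NTLMSSP fallback."""
    oids = offered_mechs(header_value)
    return oids[0] in (KRB5_OID, MS_KRB5_OID) and NTLMSSP_OID not in oids


# Constructed headers (not browser captures); mech tokens are placeholders.
DOMAIN_CLIENT = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x00")
STRICT_CLIENT = build_negotiate_header([KRB5_OID])
RAW_CLIENT = "Negotiate " + base64.b64encode(tlv(0x60, encode_oid(KRB5_OID) + b"\x01\x00")).decode()

if __name__ == "__main__":
    for name, hdr in (("domain client", DOMAIN_CLIENT), ("strict client", STRICT_CLIENT),
                      ("raw krb5 client", RAW_CLIENT)):
        print(name, offered_mechs(hdr), "kerberos-only:", kerberos_only(hdr))
```

Offering NTLMSSP in the mechTypes list does not by itself mean NTLM was used; the server picks the first mechanism it supports. The point of the check is that a client which lists NTLMSSP can be driven to NTLM by any server or proxy that declines Kerberos, which is why a policy of Kerberos-only clients is worth verifying from the header rather than assuming.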


Re: Browser authentication

2004-02-27 Thread Andreas
On Mon, Feb 23, 2004 at 09:20:26AM -0500, Wyllys Ingersoll wrote:
> The correct way to do this is with GSSAPI, Microsoft implemented

Couldn't SASL be used instead (and then gssapi)? Maybe a question
for another forum, though.




Re: Thread-safe libraries

2004-02-27 Thread Lukas Kubin
Sam Hartman wrote:
> "Lukas" == Lukas Kubin <[EMAIL PROTECTED]> writes:
>
> Lukas> How complicated is it to move to Heimdal from MIT?  I need
> Lukas> a solution to enable users' authentication to LDAP in our
> Lukas> network which uses MIT Kerberos 5. What do you use?
>
> On a Debian system using the native LDAP, install
> libsasl2-modules-gssapi-heimdal not libsasl2-gssapi-mit.  That should
> be all you need.  You can continue using MIT for everything else.

Thank you, that's what I was looking for! I wouldn't expect it is
suitable to use Heimdal libraries with MIT K5.

> If I'm misremembering that you are using Debian, then you just need to
> build libsasl against LDAP.
>
> If you are also using PAM, you might want libpam-heimdal not
> libpam-krb5.

Why? Is it related to the threading support too?

> Lukas> Originally I (after I've found I can't use MIT's kerberos
> Lukas> with OpenLDAP) wished to try to use the krb5kdc LDAP schema
> Lukas> and let LDAP server to verify the password itself. However,
> Lukas> I found the latest versions of OpenLDAP don't support this
> Lukas> feature.  Is there any other way?  I need to resolve this
> Lukas> soon. But I don't know about Heimdal K5 support on
>
> I strongly recommend against the KDC LDAP schema.

Again, thank you very much for the help. It was too painful for me to
solve the problem of "falling LDAP server". And the solution is so
simple ...

lukas

--
Lukas Kubin
phone: +420596398275
email: [EMAIL PROTECTED]
Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz

