Re: Kerberos configuration file
On Thu, Feb 26, 2004 at 12:45:36AM -0800, Matthias Haslbeck wrote: > [libdefaults] > default_realm=MYCOMPANY.LOCAL > [realms] > nkk-1gje43lrh5h.mycompany.local={kdc=mycompany.local} [snip] > "mycompany.local" is the domain of my network and should be the realm > of the KDC. "nkk-1gje43lrh5h" is the name of my server which hosts the > Active Directory. > > Please tell me what's wrong! In addition to what Thomas suggests, you've got the name of the realm (capitalization is important) and the host name of your KDC swapped. Your [realms] section should probably read: [realms] MYCOMPANY.LOCAL = { kdc = nkk-1gje43lrh5h.mycompany.local } HTH, Nalin Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
RE: Browser authentication
Andreas, The SASL/GSS/HTTP approach is considered by some (including myself) to be better than the SPNEGO based solution that Microsoft have included in IE and IIS. The MS solution is based on an individual IETF draft and didn't progress to a standard, but is widely used. We (CyberSafe) have implemented our own GSS based web browser authentication solution works with any browser (without any updates to the browser that is installed on each workstation) and can be ported to any web server, but we currently only support Apache. Our solution has the advantage that it will work with web server clusters as well as offering replay attack detection and the ability to work with proxy servers. The MS solution does not work with a proxy server and hence MS ISA Server is not supported (for example). I agree, that this is better discussed within the SASL IETF WG instead of Kerberos WG. Regards, Tim. -Original Message- From: Andreas [mailto:[EMAIL PROTECTED] Sent: 27 February 2004 13:05 To: [EMAIL PROTECTED] Subject: Re: Browser authentication On Mon, Feb 23, 2004 at 09:20:26AM -0500, Wyllys Ingersoll wrote: > The correct way to do this is with GSSAPI, Microsoft implemented Couldn't SASL be used instead (and then gssapi)? Maybe a question for another forum, though. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Browser authentication
On Mon, Feb 23, 2004 at 09:20:26AM -0500, Wyllys Ingersoll wrote: > The correct way to do this is with GSSAPI, Microsoft implemented Couldn't SASL be used instead (and then gssapi)? Maybe a question for another forum, though. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Thread-safe libraries
Sam Hartman wrote: "Lukas" == Lukas Kubin <[EMAIL PROTECTED]> writes: Lukas> How complicated is it to move to Heimdal from MIT? I need Lukas> a solution to enable users' authentication to LDAP in our Lukas> network which uses MIT Kerberos 5. What do you use? On a Debian system using the native LDAP, install libsasl2-modules-gssapi-heimdal not libsasl2-gssapi-mit. That should be all you need. You can continue using MIT for everything else. Thank you, that's what I was looking for! I wouldn't expect it is suitable to use heimdal libraries wit MIT K5. If I'm misremembering that you are using Debian, then you just need to build libsasl against LDAP. If you are also using PAM, you might want libpam-heimdal not libpam-krb5. Why. Is it related to the threading support too? Lukas> Originally I (after I've found I can't use MIT's kerberos Lukas> with OpenLDAP) wished to try to use the krb5kdc LDAP schema Lukas> and let LDAP server to verify the password itself. However, Lukas> I found the latest versions of OpenLDAP don't support this Lukas> feature. Is there any other way? I need to resolve this Lukas> soon. But I don't know about Heimdal K5 support on I strongly recommend against the KDC LDAP schema. Again, thank you really much for the help. It was too painful for me to solve the problem of "falling LDAP server". And the solution is so simple ... lukas -- Lukas Kubin phone: +420596398275 email: [EMAIL PROTECTED] Information centre The School of Business Administration in Karvina Silesian University in Opava Czech Republic http://www.opf.slu.cz smime.p7s Description: S/MIME Cryptographic Signature Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos