Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Benjamin Kaduk
On Fri, Feb 24, 2023 at 04:27:28PM -0800, Russ Allbery wrote: > > (There is the other problem that all of the effort, hardware support, and > optimization work is going into TLS now, and it feels like a huge waste of > energy to try to compete with TLS in the secure transport business. But >

Re: appl/simple/client/sim_client.c uses internal APIs

2023-02-24 Thread Benjamin Kaduk
On Fri, Feb 24, 2023 at 02:50:35PM -0600, Nico Williams wrote: > On Fri, Feb 24, 2023 at 12:19:53PM -0800, Russ Allbery wrote: > > Nico Williams writes: > > > If you're just trying to set up a GSS context between a client and a > > > server, then GSS is really simple, and much simpler than the

Re: how to delete wrong username from suggestions

2021-10-31 Thread Benjamin Kaduk
On Wed, Sep 29, 2021 at 02:02:57PM +, Jenei Péter wrote: > Dear Sir/Madam, > > I would like to know how to delete wrong data from the suggestions of the > Username field on the new credentials window. > I have already

Re: heimdal http proxy

2021-09-12 Thread Benjamin Kaduk
On Sun, Sep 12, 2021 at 07:49:57AM -0400, Jeffrey Altman wrote: > On 9/11/2021 11:22 AM, Charles Hedrick (hedr...@rutgers.edu) wrote: > > We don’t currently explore our Kerberos servers to the Internet, but we do > > have an https proxy for MIT kerberos. Heimdal apparently has its own HTTP > >

Re: Kerberos ksu not working with NFSv4 mount sec=krb5

2021-05-30 Thread Benjamin Kaduk
On Sat, May 22, 2021 at 02:22:08PM -0400, Jason Keltz wrote: > Hi. > > I'm unable to get ksu working with krb5 NFSv4, and can't quite figure out > why. > > I am logged into a RHEL7 system as a user "jas" (uid 1004) with working > Kerberos (Samba AD implementation). > > I want to switch from

Re: Kerberos KRB_AP_REQ message - Server name verification required ?

2021-03-20 Thread Benjamin Kaduk
On Fri, Mar 19, 2021 at 11:47:49PM +0530, Vipul Mehta wrote: > Hi, > > Suppose there are two servers A and B running under different kerberos > service principals. > If both the service principals have same password and kvno then kerberos > long term encryption key will be same for both. Seems to

Re: kerberos and web authentication

2020-08-21 Thread Benjamin Kaduk
eful inspection of response headers, request/response timing for exchanges that require server-side state, and the like, but it may require some expertise to interpret the results. -Ben > On Fri, Aug 21, 2020 at 7:30 PM Benjamin Kaduk wrote: > > > On Thu, Aug 13, 2020 at 07:10:42AM -0400,

Re: kerberos and web authentication

2020-08-21 Thread Benjamin Kaduk
On Thu, Aug 13, 2020 at 07:10:42AM -0400, Rita wrote: > I created a user keytab. I use curl to authenticate against a web server. > `curl -u : --negotitate` it works randomly (about 33% accuracy). I am > trying to figure out if it's a webserver issue or kerberos issue. Is there > anything else I

Re: A possible small bug in SPNEGO handling when dealing with NETAPP servers

2020-06-29 Thread Benjamin Kaduk
On Mon, Jun 29, 2020 at 03:22:22PM -0700, Richard Sharpe wrote: > Hi folks, > > I have recently had to deal with a problem when calling > gss_init_sec_context after receiving an SPNEGO negTokenTarg from > NetApp C-Mode and 7-Mode servers. > > After some investigation, I tracked it down to >

Re: What form is the timestamp in the KRB5_TRACE log (and why)

2020-04-03 Thread Benjamin Kaduk
e code, and a > whole bunch of spam advertising sites representing it and other source code > segments? > > On Thu, Apr 2, 2020 at 10:09 PM Benjamin Kaduk wrote: > > > On Thu, Apr 02, 2020 at 09:04:33PM -0600, Todd Grayson wrote: > > > Is this some form of

Re: What form is the timestamp in the KRB5_TRACE log (and why)

2020-04-02 Thread Benjamin Kaduk
On Thu, Apr 02, 2020 at 09:04:33PM -0600, Todd Grayson wrote: > Is this some form of specialized unix epoch time timestamp or something? > And more importantly... why? How do I convert it, normal epoch time > conversion is yielding insane values. It looks to just be the seconds.microseconds

Re: Decrypt integrity check failed while getting initial ticket

2019-12-09 Thread Benjamin Kaduk
Answering only the unimportant part for lack of insight on the other one... On Mon, Dec 09, 2019 at 10:04:17AM -0800, Stephen Carville (Kerberos List) wrote: > Recently I migrated the kerberos master and one slave to another > location using tool called "Zerto". Perhaps coincidentally,

Re: Installing SAP on Linux snckrb5.so unable to compile.

2019-08-03 Thread Benjamin Kaduk
On Fri, Aug 02, 2019 at 01:49:15AM +0200, Nitin Salunkhe wrote: > Hello > > I am facing same error as per group question open by Vusa Moyo can you > please help me with solution Are you referring to the post from that individual back from 2006? Any insight gained at that time is unlikely to

Re: Master-master deployment?

2019-02-02 Thread Benjamin Kaduk
On Sat, Feb 02, 2019 at 01:45:44PM -0500, Yegui Cai wrote: > Would it be possible to not leverage ldap for multiple-master deployment? > > On Sat, Feb 2, 2019 at 1:14 PM Benjamin Kaduk wrote: > > > Most of the instances I've heard about that use multi-master KDCs also use >

Re: Master-master deployment?

2019-02-02 Thread Benjamin Kaduk
Most of the instances I've heard about that use multi-master KDCs also use multi-master LDAP replication, to avoid the SPOF. -Ben On Sat, Feb 02, 2019 at 11:12:33AM -0500, Yegui Cai wrote: > Hi Thor. > So you have a shared ldap? If so, could that ldap be a single point of > failure? > > Thanks,

Re: Confusion about delegation

2019-02-01 Thread Benjamin Kaduk
On Fri, Feb 01, 2019 at 02:54:39PM -0500, John Byrne wrote: > Thanks, this helps a lot. > > I think the reason it appeared to be working for me when I used the wrong > name HTTP/www.example.com is because I incorrectly had that principal in > the keytab of the other service. And in the second

Re: reporting bugs

2018-11-13 Thread Benjamin Kaduk
On Tue, Nov 13, 2018 at 03:29:08PM +, Toby Blake wrote: > Hi, > > Is mailing krb5-b...@mit.edu still the correct way to report bugs, as a > front-end into the RT system, as described here:? Yes. > https://web.mit.edu/kerberos/mail-lists.html > > I ask because I mailed krb5-bugs last

Re: Make Windows Firefox Use Ticket gained via OpenConnect VPN Connection

2018-10-21 Thread Benjamin Kaduk
The description of current and desired behavior is a bit sparse, but it seems like the key question is whether/where openconnect stores the kerberos ticket obtained during VPN connection. If it's stored someplace accessible, the rest would just be a matter of getting the different tools plumbed

Re: MIT Kerberos client and default cache

2018-10-16 Thread Benjamin Kaduk
On Tue, Oct 16, 2018 at 09:40:42AM +0200, Pierre Dehaen wrote: > Hello list, > > Configuration: > - Windows are clients of an AD > - Kfw 4.1 is used to acquire tickets from another realm > - Clients use tickets through Firefox to access apache applications > - All working well > > In the Kfw

Re: issue with k5start

2018-10-11 Thread Benjamin Kaduk
ven multiple cell keys for multiple cells to do just that. We are > migrating to > kerberos principals so that the cell keys are not required on our backup > servers. > Mostly for security reasons. > > On Tue, Oct 9, 2018 at 7:07 PM Benjamin Kaduk wrote: > > > Hi

Re: issue with k5start

2018-10-09 Thread Benjamin Kaduk
Hi Kristen, I think I missed some of the thread, but I'll note that the token used by 'vos dump -localauth' never expires. -Ben On Mon, Oct 08, 2018 at 02:15:11PM -0600, Kristen Webb wrote: > Hi Everyone, > > Thank you all for the online and offline responses. Unfortunately, as I > have

Re: compile KDC with KKDCP support

2018-08-28 Thread Benjamin Kaduk
On Tue, Aug 28, 2018 at 05:16:40PM +, Jim Shi wrote: > Hi, Robbie, > I got trace after using a file. Looks the client is not recognizing kdc = > https://... > Instead it thinks the host name is 'https'. > I compile KDC client with recent code. > What could be missing in KDC client? Sorry

Re: MIT Kerberos for Windows failing with Windows 10 update 1803?

2018-06-18 Thread Benjamin Kaduk
On Mon, Jun 18, 2018 at 05:31:33PM -0400, Greg Hudson wrote: > On 06/18/2018 12:25 PM, Ruurd Beerstra wrote: > > I probably should have mentioned I tried setting the ccache type to > > "FILE", and that didn't work either. > > Just "FILE"? You need to set it to "FILE:pathname" for some pathname.

Re: MIT Kerberos for Windows failing with Windows 10 update 1803?

2018-06-17 Thread Benjamin Kaduk
On Sun, Jun 17, 2018 at 04:35:50PM -0400, Greg Hudson wrote: > On 06/17/2018 02:02 PM, Ruurd Beerstra wrote: > > The symptoms are that I can obtain a TGT from my KDC (which ends up in > > de LSA of Windows), but every attempt to use that TGT to obtain a > > service ticket yields an error: > >

Re: Question about TGT forwarding

2018-06-06 Thread Benjamin Kaduk
On Wed, Jun 06, 2018 at 05:08:19PM -0400, Jason Edgecombe wrote: > > Running "klist" when logged on to Windows 10 with my domain account shows > the following flags for my krbtgt/DOMAIN entry: > > Ticket Flags 0x60a1 -> forwardable forwarded renewable pre_authent > name_canonicalize That's

Re: Question about TGT forwarding

2018-05-31 Thread Benjamin Kaduk
On Thu, May 31, 2018 at 04:50:36PM -0400, Jason Edgecombe wrote: > Hi everyone, > > We're noticing some odd behaviour on our Windows clients where the Windows > clients are not forwarding the TGT to our Linux servers. People can login > to the Linux servers from windows clients, but "klist" shows

Re: kkdcp

2018-05-24 Thread Benjamin Kaduk
On Thu, May 24, 2018 at 10:01:10PM +, Jim Shi wrote: > Does MIT KDC support kkdcp? Which version is required to support kkdcp? https://web.mit.edu/kerberos/krb5-latest/doc/mitK5features.html#feature-list Release 1.13 Add support for accessing KDCs via an HTTPS proxy server using the

Re: KRB5_TRACE does not work on csh

2018-05-15 Thread Benjamin Kaduk
On Tue, May 15, 2018 at 06:30:20PM +0200, Meike Stone wrote: > Hello, > > maybe it is a stupid question and not a kerberos problem, but I can't > get KRB5_TRACE working in a csh. > > On Bash it works as expected: > export KRB5_TRACE=/dev/stdout > echo $KRB5_TRACE > /dev/stdout > > kinit

Re: /etc/default/krb5-admin-server: 'RUN_KADMIND=false' not possible anymore

2018-04-20 Thread Benjamin Kaduk
On Fri, Apr 20, 2018 at 11:22:03AM +0100, Giuseppe Mazza wrote: > Dear All, > > I want to install a new kerberos slave running on Ubuntu16.04. > I would like to prevent the service krb5-admin-server running on the slave. > > It seems to me that is not possible to set the variable >

Re: krb5_verify_user

2018-01-09 Thread Benjamin Kaduk
On Tue, Jan 09, 2018 at 08:23:41PM +, Imanuel Greenfeld wrote: > Thank you Ben. > > I managed to use krb5_init_creds_password(), krb_verify_init_creds() and > krb5_get_credetials() and each returned 0 so I'm assuming that's ok. > > How do I now send a message to the server ? I found

Re: krb5_verify_user

2018-01-08 Thread Benjamin Kaduk
On Mon, Jan 08, 2018 at 09:49:06PM +, Imanuel Greenfeld wrote: > Hello, > > > > Hope you're well. > > > > Happy new year. > > > > I am looking for krb5_verify_user function under krb5/krb5.h and in fact > anywhere but cannot find it. > > > > I know it's not recommended to use

Re: Kerberos and REST

2017-12-08 Thread Benjamin Kaduk
On Fri, Dec 08, 2017 at 06:39:56AM +, Imanuel Greenfeld wrote: > Thank you Ben for the information. > > I downloaded Kerberos .gz from your web site and built the libraries. > > I'm looking at sclient and sserver. > > When I run sclient with then I'm getting > Connected. > > But when I

Re: Kerberos and REST

2017-12-07 Thread Benjamin Kaduk
It sounds like you are trying to come up with a scheme where the user credentials are transmitted to this REST server, and the REST server then uses the user's credentials to authenticate some backend requests made by the REST server while processing the body of the REST request. This is, in

Re: Linux ksu (kerberized super user) command fails to use cached service (host) tickets... how can I do this?

2017-11-09 Thread Benjamin Kaduk
On Thu, Nov 09, 2017 at 11:10:12AM +0100, Fabiano Tarlao wrote: > >- is there a way to populate a Kerberos cache file with a service ticket >(for the host) that is compatible with *ksu*? >- I have read about *kvno* >

Re: PID file ... not readable (yet?)

2017-11-05 Thread Benjamin Kaduk
On Sun, Nov 05, 2017 at 09:57:30AM -0500, Greg Hudson wrote: > On 11/05/2017 05:36 AM, Jaap Winius wrote: > >systemd[1]: krb5-kdc.service: PID file /run/krb5-kdc.pid \ > > not readable (yet?) after start: No such file or directory > > Does everything seem to work aside from this warning

Re: MIT Kerberos OTP with Windows

2017-10-30 Thread Benjamin Kaduk
On Mon, Oct 30, 2017 at 09:05:10AM -0700, Pallissard, Matthew wrote: > > any ideas how to implement OTP for Windows with MIT kerberos client? > > possible? > > I don't know if KFW 4.1 supports OTP but what I do know is that in the past I > couldn't get PKINIT working with KFW. I had to

Re: How install / build mit-krb5?

2017-10-19 Thread Benjamin Kaduk
On Thu, Oct 19, 2017 at 10:12:21PM +0200, Andy wrote: > I need directory /usr/lib/x86_64-linux-gnu/mit-krb5 with .so and > /usr/include/mit-krb5 with .h. > I have installed: > apt-get -y install krb5-user libcomerr2 > apt-get install krb5-kdc apt-get install libkrb5-dev

Re: krb5

2017-10-17 Thread Benjamin Kaduk
On Tue, Oct 17, 2017 at 03:04:20PM -0700, Earl Killian wrote: > So obviously I removed the two new "security" lines from my krb5.conf to > restore things to a working situation. However, I would like to inquire > of the mailing list how things are supposed to work when those are set > to false as

Re: Kerberos OTP with FreeRadius

2017-07-07 Thread Benjamin Kaduk
On Fri, Jul 07, 2017 at 11:04:47AM +0200, Felix Weissbeck wrote: > > The "problem" hereby is, that you can now obtain a kerberos ticket with your > second factor alone; so you could configure PAM to successfully authenticate > with password+token. Yes, the FAST/OTP preauthentication

Re: wrong key is generated by krb5_c_string_to_key

2017-06-11 Thread Benjamin Kaduk
On Tue, Jun 06, 2017 at 11:55:23PM -0700, Ashi1986 wrote: > Thanks for your response. > > >>If so, you might try to apply manually the diff from the commit that > >>Robbie mentioned already. > I am new to open source, can you please share the link from where I can get > the commit sources.

Re: wrong key is generated by krb5_c_string_to_key

2017-06-06 Thread Benjamin Kaduk
On Tue, Jun 06, 2017 at 01:48:58AM -0700, Ashi1986 wrote: > Thank you very much for the response. > > >manually since its just an md4 hash with no salt, something like: > ># echo -n password | iconv -t UTF-16LE | openssl dgst -md4 > >And compare with the key in the keytab: > ># klist -Kekt

Re: Doubts regarding Keytab file

2017-05-09 Thread Benjamin Kaduk
On Wed, May 10, 2017 at 12:20:44AM +0530, Abhishek Kaushik wrote: > Thank you for replying. > > I understood that it is a symmetric key which is shared with the KDC. > So, is it in binary format or is there some other format which is used, > generally? The keytab file format is documented at

Re: Doubts regarding Keytab file

2017-05-09 Thread Benjamin Kaduk
On Tue, May 09, 2017 at 01:02:08PM +0530, Abhishek Kaushik wrote: > Hello, > > I am trying to understand how Kerberos works and so came across this file > called Keytab which, I believe, is used for authentication to the KDC > server. > > Just like every user and service(say Hadoop) in a

Re: kerberos error setup on mac

2017-04-12 Thread Benjamin Kaduk
irect to the latest link if you have it? > > > > > Thank you, > > > On 13 Apr 2017, at 8:02 AM, Benjamin Kaduk <ka...@mit.edu> wrote: > > > > Hi Ronald, > > > >> On Thu, Apr 13, 2017 at 12:47:36AM +0800, ronald rodriguez wrote: >

Re: Iterate over server credentials

2017-03-22 Thread Benjamin Kaduk
On Wed, Mar 22, 2017 at 03:48:21PM -0400, Dylan Klomparens wrote: > Hello, > > I'm writing a program that accepts Kerberos authentication using the > GSSAPI. The program acquires credentials using gss_acquire_cred_from() with > a keytab specified, and this is working properly. The keytab has

Re: KKDCP with KDC

2017-03-07 Thread Benjamin Kaduk
Maybe it's best to 'type kinit' to confirm that the expected binary is what is being run... -Ben On Tue, Mar 07, 2017 at 10:40:36PM -0500, Greg Hudson wrote: > I'm not sure why, but there aren't any trace logs in that output. Trace > log messages have timestamps and look like: > > [28206]

Re: A request

2017-02-28 Thread Benjamin Kaduk
On Tue, Feb 28, 2017 at 06:09:44AM +, sima attar wrote: > Hello, > I'm student in college and I'm doing some research on Kerberos. I would love > to see and possibly modify the source code of its client, but I just can't > find it. would you please tell me where I can find the source code? >

Re: Session tickets - question

2017-02-01 Thread Benjamin Kaduk
On Wed, Feb 01, 2017 at 03:10:31PM +, Michalewicz, Brian R (CTO Technology) wrote: > Good morning !! are session tickets forwardable ? The question could probably do with a more concrete statement. (I assume you mean service tickets, not session tickets, which are a TLS thing.) Taking a

Re: Documenting the kerberos KDC log file format

2017-01-31 Thread Benjamin Kaduk
On Tue, Jan 31, 2017 at 12:44:20AM -0600, Benjamin Kaduk wrote: > On Mon, Jan 30, 2017 at 11:01:46PM -0700, Todd Grayson wrote: > > Has anyone seen a good writeup of the krb5kdc.log file output format? For > > the types of log file output statements that it writes out.

Re: Documenting the kerberos KDC log file format

2017-01-31 Thread Benjamin Kaduk
On Mon, Jan 30, 2017 at 11:01:46PM -0700, Todd Grayson wrote: > Has anyone seen a good writeup of the krb5kdc.log file output format? For > the types of log file output statements that it writes out. So for example > the AS_REQ and TGS_REQ and follow up "closing down" lines representing a > full

Re: OTP and kadmin

2017-01-08 Thread Benjamin Kaduk
On Sun, Jan 08, 2017 at 05:02:59PM +0100, Felix Weissbeck wrote: > Hello, > > i have recently reconfigured my MIT-Kerberos setup to use PKINIT / OTP and > RADIUS for my admins. In my setup administrators have two accounts: one > "username@REALM" for regular user-stuff like mail... and

Re: Can I automatically cache AD tickets into a file on windows?

2016-11-20 Thread Benjamin Kaduk
On Fri, Nov 18, 2016 at 04:51:03PM +, Mauro Cazzari wrote: > One more thing: if MIT Kerberos is installed, is there a way to populate the > KRB5CCNAME cache file automatically when I log on to Windows without having > to use a keytab or having to run a kinit under the covers? MIT KfW does

Re: mit kdc windows client silent install

2016-11-12 Thread Benjamin Kaduk
On Fri, Nov 11, 2016 at 03:25:03AM +, Edward Gleeck wrote: > Thanks Todd. I'll give this a shot. It'll be good from an automation > perspective to be able to pass in parameters such as krb5.conf file and the > cache locations, etc. But these all could be tied in to a power shell > script so it

Re: Multiple radius server in an otp configuration

2016-09-21 Thread Benjamin Kaduk
On Wed, 21 Sep 2016, laurent.bas...@developpement-durable.gouv.fr wrote: > Hello all, > > I use Kerberos with the OTP plugin. It works fine except I don't know > how to put more than 1 server in the otp configuration in the 'kdc.conf' : > > Actually my otp section in 'kdc.conf' : > > [otp] >

Re: KEYRING:persistent and ssh

2016-09-18 Thread Benjamin Kaduk
On Fri, 16 Sep 2016, t Seeger wrote: > Hello, > > I have a little problem with the 'KRB5CCNAME' environment variable. I set > the default_ccache_name to KEYRING:persistent:%{uid} but if I login it is > set to "file:/tmp/krb5cc_${uid}_XX" cause ssh sets the KRB5CCNAME > to

Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

2016-08-26 Thread Benjamin Kaduk
On Thu, 25 Aug 2016, JSoet wrote: > Hi, I'm implementing SPNEGO & Kerberos authentication in our application's > webserver code and have it working fine when the KDC is Active Directory. > I'm now testing it with an MIT KDC instance and when I attempt to > authenticate a user who has a ticket

Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

2016-08-25 Thread Benjamin Kaduk
On Thu, 25 Aug 2016, Rick van Rein wrote: > >>> Forwarding a TGT is bad because it is unbounded impersonation. > >> Only when the corresponding key is supplied alongside! [I hope I'm > >> not taking anything out of context by saying that, I'm not sure about > >> that but will probably be

Re: max_life problem

2016-08-02 Thread Benjamin Kaduk
On Mon, 1 Aug 2016, Greg Hudson wrote: > On 08/01/2016 04:29 AM, Александр Баранин wrote: > > I use mit kerberos, version krb5-1.14.2, compiled from source. > > And I can't to force kdc to issue tickets for more than 10 hours. > > In addition to the realm setting, the client and server entries in

Re: Reversing 'make install' ?

2016-07-25 Thread Benjamin Kaduk
On Mon, 25 Jul 2016, JSoet wrote: > I had a typo in my command and so I accidentally did a normal 'make install' > when I meant to do an install to a specific directory by specifying > DESTDIR=/path/to/dir... > > It doesn't seem that there's a 'make uninstall' included, is there another > command

Re: A way to automatically get a ticket through ssh for a local user

2016-07-14 Thread Benjamin Kaduk
On Thu, 14 Jul 2016, Mauro Cazzari wrote: > I've been trying to figure out whether there is a way for a local user on > Unix to automatically get a ticket when logging onto a server using ssh. This terminology is sufficiently vague that I'm not entirely sure what behavior you actually want. By

Re: kdb5_util fails to load propagated database under heavy load

2016-02-23 Thread Benjamin Kaduk
(This is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815677 , so krb5/1.12.1+dfsg-19+deb8u2) I had also attempted to suggest strace on irc, with the hypothesis that the database was already locked. (I think there have been some changes in database locking in the intervening period, but

Re: kprop with multiple or NATted IP address

2015-12-23 Thread Benjamin Kaduk
On Wed, 23 Dec 2015, Jerry Shipman wrote: > I think that kpropd is trying to look up the hostname of the master in DNS, > and seeing the public IP, instead of the private IP which the connection is > coming from, and then aborting because of that mismatch (or something like > that). > On a

Re: krb5 + NFS rpc.svcgssd - GSS_S_FAILURE - Wrong principal in request

2015-12-22 Thread Benjamin Kaduk
On Tue, 22 Dec 2015, 0xbabaf00l wrote: Thank you for the large quantity of data supplied; it contains most of the output that would usually be asked for upon a question like this. > I ran tcpdump, but there is no communication to the kdc when rpv.svcgssd > starts. It is expected for there to

Re: Windows

2015-11-18 Thread Benjamin Kaduk
On Wed, 18 Nov 2015, Randolph Morgan wrote: > I found the answer to my question, so I thought I would share it with others > here on the list. To get Windows to acknowledge that a ticket has been issued Thank you for following up! > through MIT Kerberos KfW 4.0.1 you need to edit a registry

Re: Windows

2015-11-16 Thread Benjamin Kaduk
On Mon, 16 Nov 2015, Randolph Morgan wrote: > I have installed MIT Kerberos 4.0.1 on a Windows 10 machine. Everything > I have read indicates that the identity manager is not integrated into > the new ticket manager. Ticket manager shows that I have received a I'm not sure what you mean by

Re: Cross-realm with AD trusting Kerberos

2015-11-11 Thread Benjamin Kaduk
On Wed, 11 Nov 2015, Leonard J. Peirce wrote: > In an attempt to stop syncing passwords between Kerberos and AD and get to > a single password store we are currently testing cross-realm with Active > Directory trusting Kerberos. We have the trust configured and our Windows > admin here says that

Re: Incremental propagation when KDCs are clients of a different realm

2015-11-06 Thread Benjamin Kaduk
On Thu, 5 Nov 2015, Toby Blake wrote: > To close off the thread I started... Thanks for doing so. > > On 2 Nov 2015, at 14:48, Toby Blake wrote: > > > > Hello, > > > > I'm trying to set up incremental propagation on a master-slave KDC > > configuration where the KDCs are

Re: end of key table reached error

2015-10-30 Thread Benjamin Kaduk
On Fri, 30 Oct 2015, Rick van Rein wrote: > Hi Vishal, > > > I think there is some issue with keytab file , I see multiple kvno in > > keytab i.e 74 & 75. Is it practical?We have 1.7 release. > > This is not uncommon; these are key version numbers. They help to > distinguish various keys

Re: Working with Microsoft Premier Support RE MIT Kerberos for Windows 4.0.1

2015-10-16 Thread Benjamin Kaduk
helpd...@mit.edu is not the correct support forum for this issue. On Thu, 15 Oct 2015, Binder, Dale wrote: > > Tickets are stored in the location specified > by environment variable Yes, the software is doing what you tell it to do. The "MSLSA:" cache type corresponds to the LSA integration;

Re: Optimizing gss_init_sec_context possible?

2015-09-22 Thread Benjamin Kaduk
On Tue, 22 Sep 2015, Martin Gee wrote: > Version: 1.13.2 kerb lib > I'm using the GSS libs to impersonate a user via HTTP SPNEGO > (http://tools.ietf.org/html/rfc4559) > I use gss_init_sec_context to get a Token which is sent over to the HTTP > service (see spec) in an HTTP Header. This is

Re: Documentation Wish List

2015-09-12 Thread Benjamin Kaduk
On Fri, 11 Sep 2015, Todd Grayson wrote: > Anchor tags for subject items on reference pages... for example to make a > URL like this to work to jump right to the default_tgs_enctypes > > http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#default_tgs_enctypes The

Re: Unable to create renewable ticket when we switched to a 1.12 KDC

2015-08-27 Thread Benjamin Kaduk
Hi Ishaan, Russ's comments are almost certainly most relevant to your operational situation, but for completeness, a couple more answers inline. On Fri, 21 Aug 2015, Ishaan Joshi wrote: Thanks a bunch for the quick responses. Let me restate the problem we faced ( which is exactly what Ben

Re: Unable to create renewable ticket when we switched to a 1.12 KDC

2015-08-20 Thread Benjamin Kaduk
On Thu, 20 Aug 2015, Ishaan Joshi wrote: Hi, We recently ran into a problem wherein the tickets for out service could not be renewed. After a lot of digging, we traced the change in behaviour Can you say more about the problematic behavior you were experiencing? My understanding is that

Re: Compatibilty between mixed kerberos release (KDC 1.12 client 1.10).

2015-07-29 Thread Benjamin Kaduk
On Wed, 29 Jul 2015, Ken Hornstein wrote: Is there any general wisdom out there about mixed KDC/Client versions? Are there concerns around allowing environments drift to where a KDC would be on a later release than the clients? FWIW, we run a whole bunch of crazy versions of Kerberos, and

Re: Compiling on Solaris8

2015-07-02 Thread Benjamin Kaduk
There are automated nightly builds on solaris 9, so it has a good chance of working. Try it and report back! -Ben Kaduk On Wed, 1 Jul 2015, Arewe There wrote: Hello, I'm trying to compile the latest release 1.13 on a Solaris 8 x86 box using gcc 4.2. Has anyone tried it? Is it even

Re: Kerberos SNC Shim and OSX Yosemite

2015-07-02 Thread Benjamin Kaduk
On Wed, 1 Jul 2015, Jeffery Dowell wrote: Hello Everyone, I have a question for the community regarding the Kerberos SNC shim. I am currently trying to get authentication to SAP through Kerberos working on OSX 10.10 (Yosemite). In Yosemite, Apple has removed support for DES, which means

kfw-4.1-beta2 is available

2015-06-25 Thread Benjamin Kaduk
MIT Kerberos for Windows 4.1-beta2 is now available for download from http://web.mit.edu/kerberos/dist/testing.html The main MIT Kerberos web page is http://web.mit.edu/kerberos/ Please send comments to the krbdev list. Major

Re: Kerberos Authentication question(s)

2015-06-25 Thread Benjamin Kaduk
Just a couple additions and corrections (inline). On Wed, 24 Jun 2015, Michael B Allen wrote: On Wed, Jun 24, 2015 at 2:07 PM, Albert C. Baker III alb...@voltage.com wrote: I am using the Java class org.apache.hadoop.security. authentication.server.AuthenticationFilter from Apache

Re: pkinit makes application crash

2015-06-24 Thread Benjamin Kaduk
On Wed, 24 Jun 2015, Osipov, Michael wrote: Hi folks, we are trying to perform some LDAP requests with Perl against Active Directory with Kerberos auth by MIT Kerberos. A core file is dumped and following written to stderr: $ ./ldap.pl Assertion failed: __thread_init == NULL, file

Re: Possible Windows Build Bug

2015-06-22 Thread Benjamin Kaduk
On Mon, 22 Jun 2015, Zachary Greve wrote: In the echo_files method in the libecho utility there is a line that reads: ff = _findfirst(f, fdt); // line 64 which errors out with an access violation in ntdll.dll. Can you say a bit more about where this crash is observed? E.g., during a build

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-20 Thread Benjamin Kaduk
On Sat, 13 Jun 2015, Chris Hecker wrote: Finally getting to this... You might be able to make a new context and use krb5_auth_con_getsendsubkey(), krb5_auth_con_recvsubkey(), krb5_auth_con_setsendsubkey(), and krb5_auth_con_setrecvsubkey() to copy the keys. I don't think rd_priv and

Re: Does this separate thread connection need another as_req/rep pair?

2015-06-20 Thread Benjamin Kaduk
On Sat, 20 Jun 2015, Chris Hecker wrote: I think was unclear. I don't think there's a way to avoid a wasted allocation here. I'm happy to have separate keys per thread, but there are three keyblocks allocated in this scenario: there's the original, get allocates a copy, set allocates a

Re: Issue with kvno

2015-06-01 Thread Benjamin Kaduk
On Fri, 29 May 2015, vishal wrote: My question is that why kvno is not always present in ticket and this ticket is basically which comes in TGS-RESP(from home domain) and sname is krbtgt for trusted domain in TGS-REQ. I see kvno only when new trust is created between domain and we join to

Re: Issue with kvno

2015-05-29 Thread Benjamin Kaduk
On Fri, 29 May 2015, vishal wrote: can someone please reply to this as well just for my understanding: why do I see kvno in ticket only when I create new trust and join domain..after 1-2 hour of trust creation I do not see kvno in ticket. I don't think there's sufficient detail there for me

Re: Migrating Krb5 realm

2015-05-21 Thread Benjamin Kaduk
On Thu, 21 May 2015, Andreas Ladanyi wrote: Hi, I want to migrate my old Krb5 Realm. I have a Krb5 own DB and want to use LDAP to hold the principals in the future. Also I want to change the realm name. I read a lot about dumping the Krb5 DB with kdb5_util and restore them. I also read

RE: gssapi32.dll

2015-05-11 Thread Benjamin Kaduk
Hi Jeffery, On Fri, 8 May 2015, Jeffery Dowell wrote: Just to close the loop on this one. We found that the conflicting DLL (Krb5_32.dl) was put into C:\windows\sysWOW64 by a Library program called ALEPH. Apparently it is a somewhat commonly used Library system so this knowledge might help

RE: gssapi32.dll

2015-04-21 Thread Benjamin Kaduk
On Tue, 21 Apr 2015, Jeffery Dowell wrote: Thanks Ben, This is most helpful and I am trying multiple variations on my test systems. I haven't had any luck as of yet on a fix. I just joined the list yesterday and missed out on the prior conversation about this topic. I don't see a way to

Re: gssapi32.dll

2015-04-21 Thread Benjamin Kaduk
On Tue, 21 Apr 2015, Meike Stone wrote: Hello Jeffery, 2015-04-20 19:38 GMT+02:00 Jeffery Dowell jeffery.dow...@duke.edu: Hello, I am currently deploying the MIT Kerberos for Windows 4.01 client (32bit) for use in our Kerberos environment. Specifically, The Kerberos client is used

Re: MIT Kerberos Client and MSLSA Cache

2015-04-21 Thread Benjamin Kaduk
On Tue, 21 Apr 2015, Meike Stone wrote: 2015-04-20 21:29 GMT+02:00 Benjamin Kaduk ka...@mit.edu: On Mon, 20 Apr 2015, Meike Stone wrote: Hello Benjamin, 2015-04-17 22:18 GMT+02:00 Benjamin Kaduk ka...@mit.edu: However, with the currently released versions, if you have UAC

Re: gssapi32.dll

2015-04-20 Thread Benjamin Kaduk
On Mon, 20 Apr 2015, Jeffery Dowell wrote: Hello, I am currently deploying the MIT Kerberos for Windows 4.01 client (32bit) for use in our Kerberos environment. Specifically, The Kerberos client is used to provide credentials to SAP software. While the installation is going well on many

Re: MIT Kerberos Client and MSLSA Cache

2015-04-20 Thread Benjamin Kaduk
On Mon, 20 Apr 2015, Meike Stone wrote: Hello Benjamin, 2015-04-17 22:18 GMT+02:00 Benjamin Kaduk ka...@mit.edu: However, with the currently released versions, if you have UAC enabled, the non-SSPI clients will not work. If you do not have UAC enabled, they will not work very well

Re: MIT Kerberos Client and MSLSA Cache

2015-04-17 Thread Benjamin Kaduk
On Fri, 17 Apr 2015, Meike Stone wrote: Hello dear list, I have Windows 7 workstations, not joined to an AD Domain. I like to use MIT Kerberos client to authenticate to a Kerberos server and run several programs using Kerberos to authenticate. The MIT client is installed and running, I get a

Re: Kerberos delegation on Windows

2015-04-03 Thread Benjamin Kaduk
On Fri, 3 Apr 2015, Jade Koskela wrote: Hello all, I would like to use gss_store_cred_into, or some similar method, to store a delegated TGT into the Windows LSA cache. I tried this using Kerberos API, GSSAPI, but wasn't successful. I also just tried kinit -c MSLSA:. In all cases, when the

Re: kadmin remote as a regular user

2015-04-01 Thread Benjamin Kaduk
On Wed, 1 Apr 2015, Rainer Krienke wrote: The ACL file /var/lib/kerberos/krb5kdc/kadm5.acl on the server looks like this: # admin/admin * kadmin/admin* kadmin/ad...@myrealm.de * john/admin* john/ad...@myrealm.de* Did you restart kadmind after changing the kadm5.acl?

Re: Switching identity using kinit/kdestroy for NFSv4 mounts doesn't work

2015-03-13 Thread Benjamin Kaduk
On Fri, 13 Mar 2015, Robert Wehn wrote: - - klist - TGT for jane@REALM BUT! - localuser can still access alice's files - localuser can never access jane's files - no new NFS service ticket fetched or needed till the end of the ticket lifetime What doesn't help: - - logout

Re: Kerberos for Windows MSLSA Cache

2015-03-09 Thread Benjamin Kaduk
On Fri, 6 Mar 2015, Christopher Penney wrote: On Fri, Mar 6, 2015 at 12:44 PM, Benjamin Kaduk ka...@mit.edu wrote: I believe I have fixed these bugs in the krb5 development branch, but they have not made it into a new KfW release yet. If you are interested in building KfW from

Re: Kerberos for Windows MSLSA Cache

2015-03-06 Thread Benjamin Kaduk
Hi Chris, On Fri, 6 Mar 2015, Christopher Penney wrote: I run a Linux environment that's setup in an MIT Kerberos Realm. That realm has a one way trust setup that allows tickets for Active Directory principals (from Windows 7 clients) to be accepted as authentication (for SSH and ODBC for

Re: kerberos - Kadmin does not work

2015-03-05 Thread Benjamin Kaduk
On Wed, 4 Mar 2015, arun elango wrote: Hi Ben, Thanks. Yes, Kpasswd can be used. But it requires users' interaction in the console; I am looking for other methods wherein users don't need to enter their passwords in the console, i.e. pass the parameters to the kpasswd console

Re: kerberos - Kadmin does not work

2015-03-04 Thread Benjamin Kaduk
On Wed, 4 Mar 2015, Mauricio Tavares wrote: On Wed, Mar 4, 2015 at 3:02 AM, arun elango arunelang...@gmail.com wrote: Hi All, I would like to work with Kerberos in Windows. I have installed MIT Kerberos and found it to work fine. However *kadmin* , 'kadmin.local' does not work. I

Re: Mac OS X Kerberos

2015-03-04 Thread Benjamin Kaduk
On Wed, 4 Mar 2015, Markus Moeller wrote: Is there anywhere a guide on how to work with the Mac GSS Framework? There are many functions marked as deprecated, but I could not find any instruction on how to replace them. Example: error: 'krb5_init_context' is deprecated: use GSS.framework
