Re: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Christopher D. Clausen
I have used this as a guide, but I think MIT Kerberos version 1.10 is the latest available: https://www.cisecurity.org/benchmark/mit_kerberos Not sure if this is what you are looking for or not. < Preferably something smaller and more focused than nmap or OpenSCAP.  From: Brent Kimberley

Re: Constraint Delegation with MIT Kerberos

2019-04-05 Thread Christopher D. Clausen
For Active Directory: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview < I did not get a response from anybody. Does anybody have instructions for > setting up Constraint Delegation on any platform? > > Thanks, > Joseph > >

Re: Windows KDC - Delegation Option

2014-02-10 Thread Christopher D. Clausen
Try checking the Account is sensitive and cannot be delegated option in the user properties and see if that does what you want. (I'm not sure if it will or not, but I believe this is the option actually intended to prevent Kerberos delegation.) CDC Vipul Mehta wrote, On 2/10/2014 12:50 AM:

Re: Streamlining host principal keytab provisioning?

2012-04-24 Thread Christopher D. Clausen
I'm not using this myself (I create keytabs as needed manually using ktpass.exe against AD) but this may be of interest to some of you: http://www.eyrie.org/~eagle/software/wallet/ One of the object types it supports is Kerberos keytabs, making it suitable as a user-accessible front-end to

Re: trouble deciding which kerberos flavor

2010-10-25 Thread Christopher D. Clausen
Ken Dreyer ktdre...@ktdreyer.com wrote: On Thu, Oct 21, 2010 at 1:10 PM, eric krb.h...@hopevaleufsd.org wrote: I just want to know any differences that MIT and Heimdal have with each other: I think someone at the 2010 Kerberos Conference summarized it this way: MIT is likely to be what your

Re: Problem with kerberos - kvno getting bumped..

2010-10-25 Thread Christopher D. Clausen
That blog doesn't say what you think it says, and I suspect it is referring to domain joined Windows computers, not pure Kerberos non-Windows ones. You'll note that when the CLIENT initiates a password change, the kvno is incremented. This happens with any flavor of Kerberos. The (client)

Re: What are the issues with dns_lookup_realm ?

2010-10-11 Thread Christopher D. Clausen
Brian Candler b.cand...@pobox.com wrote: The error message from /var/log/http/ssl_error_log was unhelpful: [Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185] krb5_verify_init_creds() failed: Key table entry not found What was even more odd, if I did a 'su' to the apache user, I was

Re: Using ksu/sudo with Kerberos

2010-10-04 Thread Christopher D. Clausen
Russ Allbery r...@stanford.edu wrote: Brian Candler b.cand...@pobox.com writes: (1) create separate principals for each user who should have root access, e.g. candl...@foo.example.com candlerb/ad...@foo.example.com Then map */admin to the root account using auth_to_local, and

Re: MIT kdc with Windows 7 pc

2010-09-21 Thread Christopher D. Clausen
Jean-Yves Avenard jyaven...@gmail.com wrote: Am I to understand that it is not currently possible to authenticate on a windows machine using a MIT kerberos KDC ? It would be a good windows domain replacement I sort-of have this working, although this is probably different than your setup.

Re: Kerberos troubles

2010-09-21 Thread Christopher D. Clausen
Jean-Yves Avenard jyaven...@gmail.com wrote: I have now identified the cause of the issue. When using mod_auth_kerb with MIT krb5 v1.6.x it works perfectly with krb5 1.7 and 1.7.1 same. However, I get this GSS-API major_status:000d, minor_status:000186a3 error whenever I use MIT 1.8.x

Re: Any way to propagate db

2010-06-02 Thread Christopher D. Clausen
Russ Allbery r...@stanford.edu wrote: Simo Sorce sso...@redhat.com writes: Ah sorry, I thought he wanted to use them as completely alternative users. If you do map each MIT principal to an existing Windows user then it does work, although it seem to make sense only as a transition tool to me.

Re: Win 2008R2 kdc and linux client: no support for encryption typewhile getting initial credentials - SOLVED

2010-03-23 Thread Christopher D. Clausen
John Jasen jja...@realityfailure.org wrote: Michael B Allen wrote: Actually I would not be surprised if that hot fix is never made public. DES is being phased out. If you have any Windows accounts that use DES, you should update them to AES-256, AES-128 or RC4 in that order of preference.

Re: Kerberos help required.

2010-03-23 Thread Christopher D. Clausen
Jeremy Hunt jere...@optimation.com.au wrote: On 23/03/2010 3:18 PM, Sayali Patankar wrote: I require some help in understanding Kerberos. I am very new to this concept and hence required help in some basic commands. My application uses Kerberos and I wanted to know whether there is some unix

Re: remctld on windows

2010-02-26 Thread Christopher D. Clausen
Jason Edgecombe ja...@rampaginggeek.com wrote: We want to have a tool for our help desk students to list and kill processes for other users on workstations along with being able to trigger a remote shutdown or reboot. Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows systems

Re: remctld on windows

2010-02-26 Thread Christopher D. Clausen
Jason Edgecombe ja...@rampaginggeek.com wrote: Christopher D. Clausen wrote: Jason Edgecombe ja...@rampaginggeek.com wrote: We want to have a tool for our help desk students to list and kill processes for other users on workstations along with being able to trigger a remote shutdown or reboot

Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
if any other information is required. From: raj esh L rrcrajesh2...@yahoo.com To: Christopher D. Clausen cclau...@acm.org Cc: kerberos@mit.edu Sent: Wed, 20 January, 2010 3:47:11 Subject: Re: Windows event id 4 (kerberos) Than Q very much for your information

Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
it. It's my humble request to verify those and make me understand. From: Christopher D. Clausen cclau...@acm.org To: raj esh L rrcrajesh2...@yahoo.com Cc: kerberos@mit.edu Sent: Wed, 20 January, 2010 21:15:13 Subject: Re: Windows event id 4 (kerberos

Re: Windows event id 4 (kerberos)

2010-01-19 Thread Christopher D. Clausen
Is this for an actual Windows computer? Or a non-Windows machine running something like Samba? - I see these all the time. I believe these occur on occasion when a computer account automatically updates its machine account password in Active Directory. (This is a normal function of a

Re: KfW 64bit plus 32bit apps

2010-01-07 Thread Christopher D. Clausen
Nikolay Shopik sho...@inblock.ru wrote: Hello, Does 64bit version of KfW work with 32bit version app? Because for me looks like 64bit version doesn't work with 32bit apps. No. Just install both the 32-bit and 64-bit versions to support both 32-bit and 64-bit apps. And last I tried it, the

Re: openssh + kerberos + windows ad

2010-01-07 Thread Christopher D. Clausen
Marcello Mezzanotti marcello.mezzano...@gmail.com wrote: On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen r...@anzio.com wrote: 1) What version(s) of PuTTY work in your environment? Did you try the developer's build from the official PuTTY site?

Re: openssh + kerberos + windows ad

2010-01-04 Thread Christopher D. Clausen
Marcello, Can you show us the output of klist -kte (as root) on the machine running sshd? You need to have a proper keytab for ssh to use GSSAPI authentication. Against AD, you can generate a keytab using ktpass.exe. Make sure you are using the 2003 SP2 version (or newer) of ktpass as some

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-18 Thread Christopher D. Clausen
Jeff Blaine jbla...@stage-infinity.com wrote: Thanks Doug The which PuTTY has GSSAPI: Quest has one that uses SSPI. http://rc.quest.com/topics/putty/ Hmm, I can't see to get this to work at all (ignoring CVS). I have KfW creds for jblaine, afs, and krbtgt on this Windows box. I believe

Re: ftp client: authentication failed

2009-07-15 Thread Christopher D. Clausen
Lloyd ll...@cdactvm.in wrote: Hi, I am new to kerberos and trying to set up in a sample scenario as part of learning. I have downloaded and installed Kerberos 5 on a Linux system. As per the install guide I have successfully configured KDC and Application server. in the application server

Re: windows 2003 domain controller, mod_auth_kerb in linux, issuewitt kerberos

2009-07-15 Thread Christopher D. Clausen
Windows AD accounts require allow this account to be trusted for delegation to have Internet Explorer actually delegate credentials to the web server (which you are requesting via the KrbSaveCredentials On parameter.) Try turning this off and see if it does what you want. Also, (and this is

Re: kerberos and windows XP home edition

2009-06-18 Thread Christopher D. Clausen
Hubert Chomette hubert.chome...@unilim.fr wrote: I try to add a windows XP home edition on my realm and I've got issue. Same setup works with windows XP pro. Is there an incompatiblity with XP home or do I miss something with the configuration? thank's for your help I know that Windows XP

Re: cross-realm authentication problem

2009-05-29 Thread Christopher D. Clausen
Bjørn Tore Sund bjorn.s...@it.uib.no wrote: I'd like to thank Douglas Engert, Christopher Clausen and Guillaume Rosse for the help with this matter. Netdom.exe was indeed the answer, and as I was pestering our main AD honcho on the matter he started to remember (I still don't...) that I'd

Re: Sudo w/Ticket Support

2009-05-07 Thread Christopher D. Clausen
pete...@bigfoot.com wrote: Main reason for not setting NOPASSWD is because I don't have control over the sudoers file on most of the systems I have access to. And the SA's are very reluctant to use NOPASSWD. Do you know about the ksu command? Or using a ~root/.k5login and ssh -o

Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not tobe???

2009-04-07 Thread Christopher D. Clausen
kerbie_newbie zarafi...@sky.com wrote: At least in Apache 2.0, it is extremely difficult in Apache to get two authentication modules to co-exist; Apache by and large considers any particular portion of the URL space to be protected by only one authentication scheme (possibly combined with IP

Fw: Kerberos Password change over WWW

2009-04-02 Thread Christopher D. Clausen
Brett Delle Grazie bdellegra...@hotmail.com wrote: Is there an open-source product that is secure and will permit password changes to kerberos via the web (e.g. .cgi program or similar). I am expecting the user to have already authenticated with their existing username / password - this is so

Re: Finding the version of kinit/klist

2009-03-06 Thread Christopher D. Clausen
Ken Raeburn raeb...@mit.edu wrote: On Mar 6, 2009, at 13:43, pete...@bigfoot.com wrote: Is there any way to determine the version of kinit or klist? I'm afraid not, aside from the krb5-config option you noted. It's still in our bug database, but hasn't gotten any attention yet. :-( (I

Re: Kerberos - Microsoft Active Directory DNS

2009-01-29 Thread Christopher D. Clausen
Michael B Allen iop...@gmail.com wrote: In general, both the MIT and Heimdal clients are not optimized for a Windows environment. We have an AD integration product that uses Heimdal that we made a lot of changes to try to better emulate Windows behavior. Please just stop trying to sell folks

Re: Solaris 10 client, MIT 1.6 server, kpasswd command

2008-12-07 Thread Christopher D. Clausen
Edward Irvine [EMAIL PROTECTED] wrote: Has anyone else had trouble changing passwords from a Solaris client? I'm using the Solaris 10 version of kpasswd: /bin/kpasswd unsername kpasswd: Changing password for [EMAIL PROTECTED] Old password: secrret kpasswd: Cannot establis a session with

Re: WTS and KfW for SPNEGO

2008-11-07 Thread Christopher D. Clausen
Christian, I recommend that you read through this email and follow its instructions: http://mailman.mit.edu/pipermail/kerberos/2008-January/012978.html That should solve the problem permanently. I personally like having my own per-user krb5.ini. I can fix configuration problems on machines

Re: WTS and KfW for SPNEGO

2008-11-06 Thread Christopher D. Clausen
I bet the problem is that KfW is switching to a per-user krb5.ini instead of using the one you likely have in C:\Windows. Try to copy your system krb5.ini to c:\documents and settings\user\windows and see if that helps any when in Terminal Services mode. CDC Christian Weiß [EMAIL PROTECTED]

Re: SSO

2008-07-17 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote: On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote: And that is the scenario where direct SPNEGO / NTLMSSP solutions are going to perform better. If by better you mean pretty much the same, yes, modulo the configuration note that I

Re: Help on using AD as KDC

2008-05-29 Thread Christopher D. Clausen
Zhiguo Huang [EMAIL PROTECTED] wrote: Could any person who has experience on using Active Directory as KDC give any pointer and helpful instruction? Regarding what? You just use it as a KDC and it works. CDC Kerberos mailing list

Re: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

2008-05-05 Thread Christopher D. Clausen
Can you post and compare your krb5.conf files? Are they identical? Have you asked someone at Stanford? This might be a specific configuration problem for that realm. If you join the #kerberos IRC on Freenode, various people may be able to help you out interactively. CDC Mukarram Syed

Re: max number of requests/sec (on KDC)

2008-04-22 Thread Christopher D. Clausen
Matthew Loar [EMAIL PROTECTED] wrote: Vladimir Konrad [EMAIL PROTECTED] wrote: Hello, Is there a way to increase allowed number of requests per second on KDC? I have several different CRON jobs (using the same keytab in kinit), which run at the same time, and I get: DISPATCH: repeated

Re: support SSO in Windows with Keberos TGT

2008-02-19 Thread Christopher D. Clausen
sylvain cortes [EMAIL PROTECTED] wrote: So, for example, a windows computer which use Putty can present a kerberos ticket to a Unix machine with the Centrofy client, without any re-authentication. And Unix to Windows, or Unix to Unix works also in the same way. You can do that without paying

Re: kadmin -c : shouldn't this work?

2008-02-14 Thread Christopher D. Clausen
Jeff Blaine [EMAIL PROTECTED] wrote: % /usr/rcf-krb5/bin/kinit -p admin/admin Password for admin/[EMAIL PROTECTED]: % /usr/rcf-krb5/sbin/kadmin -c /tmp/krb5cc_26560 Authenticating as principal admin/[EMAIL PROTECTED] with existing credentials. kadmin: Matching credential not found while

Re: [lib]kadm on Windows?

2008-01-25 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote: We took an end-run around this problem and instead use: http://www.eyrie.org/~eagle/software/kadmin-remctl/ to provide a remctl interface to kadmin calls. This still requires that you get remctl working on Windows, though. It may or may not be

Re: Heimdal KDC, Windows XP and local users

2008-01-09 Thread Christopher D. Clausen
Victor Sudakov [EMAIL PROTECTED] wrote: I have configured Windows XP to use a Heimdal KDC for user authentication. All existing Windows users can authenticate against the KDC, user mapping is ksetup /mapuser * *. However, Windows does not create a new local user with the same name as the

Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
Colin Simpson [EMAIL PROTECTED] wrote: I'm looking at finding a new solution to syncing password between AD and Kerberos. We had been using CEDAR for this and it's great but the passwdHK dll on windows hates it if you pass in 8 bit ascii password. AD already is Kerberos. Why don't you just

Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
our servers :-) Colin On Wed, 2008-01-09 at 17:13 +, Christopher D. Clausen wrote: Colin Simpson [EMAIL PROTECTED] wrote: I'm looking at finding a new solution to syncing password between AD and Kerberos. We had been using CEDAR for this and it's great but the passwdHK dll on windows

Re: Query about an admin testing a user's creds

2008-01-06 Thread Christopher D. Clausen
Coy Hile [EMAIL PROTECTED] wrote: If we need to test, for example, that a user is actually getting a TGT, we need to inform the user that we're changing their password temporarily, change it, authenticate as them directly, and then have them change it back. We've all been wondering aloud

Re: mac os x ticket cache

2007-11-29 Thread Christopher D. Clausen
Ranga Samudrala [EMAIL PROTECTED] wrote: On a Mac OS X machine, is there a way to force the SSH client to use a Kerberos TGT from a cache on the file system instead of the default - in the memory? Change what the KRB5CCNAME variable points to. CDC

Re: Need an old MIT Kerberos distribution

2007-10-25 Thread Christopher D. Clausen
Jeff Blaine [EMAIL PROTECTED] wrote: I'm failing to find/get 1.3.0 for a specific need. http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.tar from: http://web.mit.edu/kerberos/dist/historic.html#krb5-1.3-src CDC Kerberos mailing list

Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: How can I list all the servers that I have mapped with the Ktpass command? We are using Kerberos for SSO from our Middle Tier application that we develop. To make this work I must map the middle Tier's servername with an account in the domain. Here's a sample

Re: cross realm and capaths question

2007-10-01 Thread Christopher D. Clausen
Douglas E. Engert [EMAIL PROTECTED] wrote: Markus Moeller wrote: TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28) This looks like AD is checking the transited path, and does not like it. RFC4120 section 2.7 does not require the KDC to check the transited field, and the client may even

Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: On Oct 1, 11:27 am, Christopher D. Clausen [EMAIL PROTECTED] wrote: from a cmd.exe prompt (on a computer joined to this domain,) you can run net group domain computers /domain to get a list all every computer account. (Assuming you are indeed using computer accounts

Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-05 Thread Christopher D. Clausen
Anthony Brock [EMAIL PROTECTED] wrote: No, the entire network is on a single, private IP address range. In fact, I'm trying these particular commands on the same host that kadmind is running on. However, the behavior is identical from a remote host. Does kpasswd work on the KDC itself for

Re: Active Directory LDAP SSH

2007-09-04 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote: On 9/4/07, Roman S [EMAIL PROTECTED] wrote: I've configured a Microsoft Active Directory with LDAP and Kerberos, and some Linux (Redhat) clients who authenticate to it. I'm able to get some tickets for the users who are in the Active Directory, but SSH

Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-04 Thread Christopher D. Clausen
Anthony Brock [EMAIL PROTECTED] wrote: I have created several cross-realm trusts on a test server. At this point, nearly everything is working properly. However, users are unable to change their passwords unless their account is in the initial domain. Users see the following when attempting it

Re: Using keytab on Windows with KfW

2007-08-12 Thread Christopher D. Clausen
Markus Moeller [EMAIL PROTECTED] wrote: I am trying to use a keytab on Windows with KfW 3.2, but get always an error Key table entry not found while getting initial credentials. The account works interactively and if I use the keytab on Unix it works fine too. Is this a known problem ?

Re: Key table entry not found while verifying ticket for server

2007-08-05 Thread Christopher D. Clausen
Danny Mayer [EMAIL PROTECTED] wrote: Peter Losher wrote: Yup, I had fatfingered the hostname during the initial OS install; what you said above reminded me to check the one place I hadn't updated - /etc/hosts. :) /etc/hosts??? That doesn't sound like a place ISC would use! Does the install

Re: Where can I find how-to advice on setting up a local KDC?

2007-08-03 Thread Christopher D. Clausen
Kevin Koch [EMAIL PROTECTED] wrote: It is too hot to work upstairs where the wired connection is. The wireless on this laptop stops connecting randomly. I can't debug NIM timing issues without being able to connect to a KDC. I can't ship a product without those fixes. Where can I find out

Re: Kerberos for authentication, php for authorization

2007-06-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: On Windows the two browsers can only acquire credentials from the LSA which means the workstation needs to be joined to a domain, I believe. That isn't true. You can configure FireFox on Windows to use credentials from Kerberos for Windows ccaches instead of using

Re: Use ssh key to acquire TGT?

2007-06-03 Thread Christopher D. Clausen
John Hascall [EMAIL PROTECTED] wrote: One of these days I'm going to request (for HCOOP) crossrealm trusts with the top 10 computer science universities in the USA [*] and document (a) my success rate, (b) how many emails it took, and (c) how many months from first request to working trust

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote: Adam Megacz [EMAIL PROTECTED] writes: Christopher D. Clausen [EMAIL PROTECTED] writes: UIUC has AFS? Is there some other UIUC that I don't know about? Hrm, I was going by the fact that ncsa.uiuc.edu and acm.uiuc.edu are both in the CellServDB that comes

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote: John Hascall [EMAIL PROTECTED] writes: How many of the top-10 use Kerberos? And what exactly is the top-10 (which list?)( For the sake of argument lets say they are: Well, based on AFS usage (which requires Kerberos right now), all of the schools on your

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote: Our (hcoop.net) users love their new AFS homedirs, but are complaining a lot about ssh public keys not working the way they're accustomed to. Telling them to kinit after logging in doesn't quite cut it either. We're aware that this goes against the grain

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote: Christopher D. Clausen [EMAIL PROTECTED] writes: How exactly is having a private key password different from simply telling the user to kinit ONCE on their local machine before attempting to SSH to your Kerberized machines? Because you have to kinit once

Re: kerberos, hpux 11.11, ssh

2007-05-09 Thread Christopher D. Clausen
Wilson, Michael [EMAIL PROTECTED] wrote: ***KLIST -kte*** [abc]:/var/adm/syslog # klist -kte Keytab name: FILE:/etc/krb5.keytab KVNO Timestamp Principal - 6 05/08/07 16:12:33 host/[EMAIL PROTECTED] (DES

Re: Cross Realm MIT - Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote: On Thu, 3 May 2007 23:33:29 +0100 Markus Moeller [EMAIL PROTECTED] wrote: What does sshd -ddde show when you connect ? Do you use a .k5login or auth_to_local ? Hi Markus, I'm not familiar with .k5login or auth_to_local. The only thing I changed

Re: Cross Realm MIT - Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote: On Thu, 3 May 2007 20:31:55 -0500 Christopher D. Clausen [EMAIL PROTECTED] wrote: Try creating a ~/.k5login file in the home directory of the user you are logging in as listing authorized Kerberos principals, one per line. That was it! SSH now works

Re: Kerberos for Windows NT 4.0

2007-05-02 Thread Christopher D. Clausen
Warren Coykendall [EMAIL PROTECTED] wrote: Hello, I was wondering we have a NT 4.0 domain which we cannot migrate to Windows 2003. Is there a way to have the NT 4.0 domain work with Kerberos so we can get single sign-on w/out the pain of upgrading to active directory? I do not think there is

Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M [EMAIL PROTECTED] wrote: We use Active Directory to create User accounts and make the person change his/her password the first time he/she logs on to any of our machines (linux or windows). Changing password on the Windows machines works just fine but no one can change their passwords on a

Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M [EMAIL PROTECTED] wrote: Yep. Tried that. Same behavior. It's not just one linux machine, it's all linux machines that do this. So it's something that's set environment wide...I've ruled out the firewall...not sure what else it could be. What does your krb5.conf file look like? Do you have an

Re: Win Kerb Server

2007-03-06 Thread Christopher D. Clausen
Gayal [EMAIL PROTECTED] wrote: On 2/8/07, Christopher D. Clausen [EMAIL PROTECTED] wrote: Gayal [EMAIL PROTECTED] wrote: Hi, I want to implement SSO with Win2003 Server for Linux Clients. But I dont have access to Win2003 Server. ex:creating keytab files are not possible. So i installed MIT

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: On Tue, 20 Feb 2007, Jeffrey Altman wrote: [EMAIL PROTECTED] wrote: Is there a way to redirect stderr from kinit/klist to a file? stdin and stderr cannot be redirected. they are used for password prompting Hmmm but I'm not trying to redirect the password

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: On Tue, 20 Feb 2007, Jeffrey Altman wrote: [EMAIL PROTECTED] wrote: Is there a way to redirect stderr from kinit/klist to a file? stdin and stderr cannot be redirected. they are used for password prompting Hmmm but I'm not trying to redirect the password

Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet [EMAIL PROTECTED] wrote: I tray and I have this: [EMAIL PROTECTED]:~$ kinit -k host/[EMAIL PROTECTED] kinit(v5): Permission denied while getting initial credentials [EMAIL PROTECTED]:~$ sudo kinit -k host/[EMAIL PROTECTED] [EMAIL PROTECTED]:~$ This is expected. The /etc/krb5.keytab

Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza [EMAIL PROTECTED] wrote: I did the single sign on working, but now I'm trying to do aix authenticate using kerberos to a 2003 AD without ticket verification (non single sign on) Now..the password changes in AD is immediately noticed by client(AIX). But I still have problem

Re: kadmin problem

2007-02-14 Thread Christopher D. Clausen
scotty adams [EMAIL PROTECTED] wrote: This is what i am getting after all bash-2.05# kadmin scotty Enter Password: Enter Password: kadmin: Preauthentication failed while initializing kadmin interface Preauth failed is usually a wrong password message. Can you kinit scotty ? CDC

Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet [EMAIL PROTECTED] wrote: Ok and about telnet...what can you tell me? [EMAIL PROTECTED]:~$ kinit pippo Password for [EMAIL PROTECTED]: [EMAIL PROTECTED]:~$ telnet -a -l pippo lukesky.epiluke.it Trying 192.168.182.185... Connected to lukesky.epiluke.it (192.168.182.185). Escape

Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza [EMAIL PROTECTED] wrote: Yes it's part from krb.client.rte fileset (AIX CD) bash-3.00# /usr/krb5/bin/klist -k Keytab name: FILE:/etc/krb5/krb5.keytab Unable to start keytab scan. Status 0x96c73ad5 - Unsupported key table format version number. bash-3.00#

Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
Luca Petrini [EMAIL PROTECTED] wrote: Hello, I'm italian user and my name is Luca. I'm working with Kerberos on my Ubuntu 6.10. 1) Configure the /etc/hosts file: 127.0.1.1 laptop 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it 127.0.0.1 localhost localhost.localdomain

Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
LukePet [EMAIL PROTECTED] wrote: So, What does klist -kte (as root) show? [EMAIL PROTECTED]:~$ sudo klist -kte 2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1) 2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32) Can you kinit -kt

Re: KDC not included with Kerberos V5 for Windows?

2007-02-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: Am I correct in concluding that there isn't a KDC binary for DOS/Windows (or kadmin, KDB5_Util etc)? Yes. CDC Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kinit problem

2007-02-05 Thread Christopher D. Clausen
just as any other kerberos commands found in the solaris environment. How can I proceed? Thanks, Scotty Christopher D. Clausen [EMAIL PROTECTED] wrote: scotty adams wrote: Cause: The host that was entered for the admin server, also called the master KDC, did not have the kadmind

Re: kinit problem

2007-02-04 Thread Christopher D. Clausen
scotty adams [EMAIL PROTECTED] wrote: Cause: The host that was entered for the admin server, also called the master KDC, did not have the kadmind daemon running. Solution: Make sure that you specified the correct host name for the master KDC. If you specified the correct host name, make

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-02-01 Thread Christopher D. Clausen
Lars Schimmer [EMAIL PROTECTED] wrote: Christopher D. Clausen wrote: Lars Schimmer [EMAIL PROTECTED] wrote: Christopher D. Clausen wrote: So you have an Active Directory domain that the Windows machines are on? Yes, there is a AD domain in which the PCs are. And a separate Kerberos Realm

Re: Kerberos environment under windows

2007-01-31 Thread Christopher D. Clausen
Peger, Daniel Heinrich [EMAIL PROTECTED] wrote: How do I tell a C/C++ (using GSSAPI) app what my current kerberos environment is? For testing purposes I don't want to use the standard environment but authenticate against a test kerberos setup, which needs to be specified somewhere. Edit the

Re: kerberos configuration

2007-01-30 Thread Christopher D. Clausen
scotty adams [EMAIL PROTECTED] wrote: Hi Christopher, Actually i need the SEAM Can you also pass me a full KDC configuration? No, I cannot. I suggest that you read the Sun Docs on SEAM: http://docs.sun.com/app/docs/doc/816-5164 And please reply to the list, not to me directly. CDC

Re: Re.How to configure kerberos with windows 2000 AD

2007-01-30 Thread Christopher D. Clausen
Bharat Thakur [EMAIL PROTECTED] wrote: Dear Sir, Thanks for your reply. There are three linux server and one windows 2003 AD(R2) in same network with 180 linux thin clients and 400 windows clients. KDC installed in first linux server other two are application server for sun clients. I want to

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: On Mon, 29 Jan 2007, Christopher D. Clausen wrote: Can you simply fail-over using the same IP on both interfaces? (I believe there is a bonding module in Linux that can do this.) The point of the virt interface is so it can be moved to a different host. If the virt

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: On Mon, 29 Jan 2007, Christopher D. Clausen wrote: [EMAIL PROTECTED] wrote: I'm moving the server to a new cluster of RHE hosts that use virtual interfaces (eg. eth0:1) to allow for failover to a new host while still maintaining the original IP address. On this new

Re: Wiki?

2007-01-17 Thread Christopher D. Clausen
there a Kerberos FAQ? (I thought Ken Hornstein was maintaining it.) Perhaps said FAQ could be moved to the wiki: http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html That being said, I'd be willing to contribute to a wiki, provided it's NOT running mediawiki. CDC -- Christopher D

Re: pam-krb5 2.6 released

2006-12-14 Thread Christopher D. Clausen
From the manual page: http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html realm=realm If the obtained credentials are supposed to allow access to a shell account, the user will need an appropriate .k5login file entry or the system will have to have a custom aname_to_localname mapping.

Re: root login not possible

2006-11-07 Thread Christopher D. Clausen
On debian you'd want to look in /var/log/auth.log Can you kinit as root on this system? Also, try running a debug sshd vis: sshd -ddd -D -p 222 and connect with putty using: putty -P 222 [EMAIL PROTECTED] Read through the debug output and see if there is anything useful in there. CDC Mike

Re: Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Christopher D. Clausen
and requiring at least 2 different character classes in Kerberos passwords. Using longer passwords and more character classes would of course be better, but might annoy some users. This should make offline cracking harder. CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin

Re: OpenSSH and Kerberos

2006-10-10 Thread Christopher D. Clausen
+on+Debian might be of use to you for the SSH setup. The MIT docs on setting up a KDC were easy enough for me to follow whenever I've needed to do it. If you say what Linux distribution you are using, someone might be able to help you out with more specific info. CDC -- Christopher D. Clausen

Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote: Rohit Kumar Mehta [EMAIL PROTECTED] writes: debug1: Miscellaneous failure No principal in keytab matches desired name. My krb5.keytab looks like this: nfsv4etch:~# ktutil ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal

Re: help with Active Directory Kerberos authentication

2006-10-06 Thread Christopher D. Clausen
128.174.251.6 clortho.acm.uiuc.edu clortho 128.174.251.37 enzo.acm.uiuc.edu enzo CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3

2006-09-18 Thread Christopher D. Clausen
can beta test any patches. I can tell you that I had similar problems and simply reverted to 1.4.4 instead of trying to fight 1.5.1. I was using IBM's Visual Age compiler. CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin Kerberos

Re: Starting kpropd as a service in Solaris 10

2006-09-14 Thread Christopher D. Clausen
are using MIT. It gets very confusing. CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin

.k5login and krb5.conf syntax errors

2006-09-06 Thread Christopher D. Clausen
be appreciated. CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin

Re: question about a kerberos play

2006-07-31 Thread Christopher D. Clausen
Luke Davis [EMAIL PROTECTED] wrote: I just took an MCSE course and the instructor mentioned that there was some type of 3 act play about kerberos, and that sounds like an interesting read. Do you know where I can find it? http://web.mit.edu/Kerberos/dialogue.html CDC -- Christopher D. Clausen

KfW 3.1 beta1 MSI installer?

2006-07-29 Thread Christopher D. Clausen
Is there an MSI for KfW 3.1 beta1? http://web.mit.edu/kerberos/dist/testing.html#kfw-3.1 doesn't seem to have an MSI listed. CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin

Re: Questions on Kerberos

2006-07-06 Thread Christopher D. Clausen
or computer accounts. 2. I am trying to measure the response time of windows login. For a windows login, can I assume the time taken from AS-REQ/REP to the first TGS-REQ/REP ? seems reasonable to me. CDC -- Christopher D. Clausen [EMAIL PROTECTED] SysAdmin
