Hi, we have a requirement to detect if a client is using the same incorrect
password in authentication against KDC.
Is it possible the KDC server can determine if client is using same incorrect
password?
Thanks
Jim
Hi, We can generate a TGS with GSS API in Java.
But is there a way to get TGT in java, assuming I have account/password?
Thanks
Jim
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
11:29 Jim Shi via Kerberos wrote:
Hi, is there a way to stash password in perl or Java? I know it is in KDC
source.
Thank you.
Jim
Hi, when I run ./configure, I got the following error:
checking for time_t... yes
checking size of time_t... configure: error: in
`/ngs/app/dsservd/krb5-1.18.4/src':
configure: error: cannot compute sizeof (time_t)
See `config.log' for more details
Any idea?
How to fix it?
BTW I was able to com
> On Jan 4, 2019, at 6:55 AM, Yegui Cai wrote:
>
> Hi all.
>
> This can be two threads but I have the following two questions at the same
> time.
> 1. Can we run KDC as a non-root user? Meaning is it required to run KDC as
> root?
yes root user is not required.
> 2. Is there any official do
Benjamin,
Right on. Had LD_LIBRARY_PATH pointing to old lib.
Thank you so much!
Jim
On Tuesday, August 28, 2018, 5:52:39 PM PDT, Benjamin Kaduk
wrote:
On Tue, Aug 28, 2018 at 05:16:40PM +, Jim Shi wrote:
> Hi, Robbie,
> I got trace after using a file. Looks the client
5:0
[8585] 1535476186.386213: Sending retry UDP request to dgram 17.212.195.105:0
[8585] 1535476191.391403: Sending retry UDP request to dgram 17.212.195.105:0
On Tuesday, August 28, 2018, 9:46:38 AM PDT, Robbie Harwood
wrote:
Jim Shi writes:
> Hi, Greg,
> I understood kkdcp support is in clien
Hi, Greg,
I understood kkdcp support is in client lib.
But in my test (kinit), it seems the client is not making https request to the
proxy server.
Do you have any idea?
Thanks.
Jim
On Monday, August 27, 2018, 11:08:31 PM PDT, Greg Hudson
wrote:
On 08/27/2018 07:47 PM, Jim Shi wrote
I have another question.
To compile KDC with kkdcp support, do I need to pass in any special flag(s)?
Or kkdcp is supported by default in recent code?
The reason I ask this question, is that when I run a test: (I do have kdc =
https:// configured for the realm). It does not seem to make https
Does MIT KDC support kkdcp? Which version is required to support kkdcp?
Thanks
Jim
Greg:
I thought ocsp was supported. Good to know it is not.
Thorsten:
Thanks for the info.
Jim
> On Aug 10, 2017, at 3:53 AM, tseegerkrb wrote:
>
> On 10.08.2017 06:55, Greg Hudson wrote:
>> On 08/08/2017 02:11 PM, Jim Shi wrote:
>>> Is there any document how
Hi,
Is there any document how to configure certificate revocation check for PKINIT
in KDC?
Thanks
Jim
Hi, I have question regarding client IP address checking in KDC.
Is it true that by default tickets issued by KDC are not bound to any client
IP address?
Also KDC server does not check IP if the ticket does not have any client IP
address in it.
Do we have to explicitly turn on the client IP
ch 7, 2017, 4:24:20 PM PST, Greg Hudson
wrote:
On 03/07/2017 05:26 PM, Jim Shi wrote:
> I have krb5-1.15 client and have kkdcp server set up running.
> I verify that my kkdcp end point is reachable. (ie.
> https://my_server.com/kkdcp is reachable)
> However when run:
> KRB5_T
I have krb5-1.15 client and have kkdcp server set up running.
I verify that my kkdcp end point is reachable. (ie.
https://my_server.com/kkdcp is reachable)
However when run:
KRB5_TRACE=/dev/stdout kinit -V my_test_account
I got
kinit: Cannot contact any KDC for realm '' while getting initial
c
Hi, does KDC support IPv6? which versions of KDC have the support?
Thank you very much.
Jim
Hi, I would like to get advice on using ApacheDS kerberos server, which is a java
implementation of krb5.
Is that production ready? Has anyone used it in prod? Is it 100% compatible with
KDC servers? That is, will existing KDC clients continue to work?
Thanks a lot.
Jim
Hi, when using PIV card for PKINIT, I got this error right after entering the
PIN: (The PIN I entered is correct)
PIV_II (PIV Card Holder pin) PIN: [66321] 1449793336.332997: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
[66321] 1449793336.333267: Preauth module pkinit (15)
Never mind.
Thanks
Jim
> On Nov 5, 2015, at 8:13 PM, Jim Shi wrote:
>
> Hi, I add debug statements like this to the source code
>
> krb5_klog_syslog(LOG_INFO, _("my debug here!!"));
>
> After compiling and deployment, none of the debug statements is printing a
Hi, I add debug statements like this to the source code
krb5_klog_syslog(LOG_INFO, _("my debug here!!"));
After compiling and deployment, none of the debug statements is printing
anything to the kdc.log.
I am a bit puzzled. Can someone please shed some light on this?
Thanks
Jim
Hi, I try to find out what is the default ldap connection timeout in KDC.
I looked at the kdc source code and could not find out.
Is there a way to override the default timeout?
Thanks
Jim
Hi,
Is it possible to check if a certificate is revoked against a URL in MIT KDC?
I looked at the KDC code. It seems using a static file, not a web URL?
Thanks
Jim
ilman lets me include a URL):
>
> https://community.oracle.com/community/java/java_security/kerberos_%26_java_gss
>
> <https://community.oracle.com/community/java/java_security/kerberos_%26_java_gss>
>
> On Mon, Jun 29, 2015 at 4:20 PM, Jim Shi <mailto:hanmao_...
Hi, I am trying to find if a particular ticket flag in a kerberos ticket is set
in Java, I was suggested to use the following code:
boolean[] flags = (boolean[])((ExtendedGSSContext) context).inquireSecContext(
InquireType.KRB5_GET_TKT_FLAGS);
Say
Hi, I need to build KDC with a static openssl lib.
How to compile KDC that uses a static openssl lib?
Thanks
Jim
Hi, I have MIT kdc 1.10.6 running on linux server.
the client is heimdal kinit on OS X.
on OS X:
./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem
testuser@REALM
on KDC server, I saw this error:
Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18
Never mind. I assume the flags is inside the ticket.
Thanks
Jim
> On Jun 3, 2015, at 3:52 PM, Jim Shi wrote:
>
> Hi, Ken,
> The TGS ticket flag is set on KDC server. When the client get TGS back from
> the server, he/she is able to see the flag set by the KDC. Looks kl
Hi, Ken,
The TGS ticket flag is set on KDC server. When the client get TGS back from
the server, he/she is able to see the flag set by the KDC. Looks klist commands
will show flags.
However if the client passes the ticket to some service for verification, the
service will not be able see t
>> We sort-of do this, but it may not directly be applicable.
>>
>> Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular
>> policy OID is found in the client certificate (in our case, the policy
>> OID we check for is if the certificate comes from a smartcard, so the
>> u
Hi, I need some advice. I have multiple realms and have LDAP backend.
Should I have one KDC instance serving multiple realms, or should I create
multiple KDC instances, each serving a single realm?
Which method is the correct way?
Thanks for your advice.
Jim
You can use BouncyCastle lib to get principals from the ticket, if this is what
you are looking for.
Jim
On Tue, 9/30/14, Rick van Rein wrote:
Subject: Re: Kerberos5 ticket to ascii converter?
To: "Wendy Lin"
Cc: ""
Date: Tuesday, September 30,
Given a kinit request (binary data), is there an easy way to extract the principal
in the request without knowing how the request is constructed?
in vi I saw something like this:
account_user¢^X^[^VREALM.TEST.COM
What is the thing between account_user and REALM.TEST.COM?
Thanks
Jim
Hi, if a client's system clock is one hour ahead of KDC system clock, should I
get a valid TGT?, or
should I get clock skewed error?
We have clients that are able to get TGT when system clock is ahead of server
clock. Any idea if this is client issue? a KDC server issue?
Thanks
Jim
Where to find information about iOS's support for kerberos authentication?
I googled the internet and cannot find any.
Thanks
Jim
Hi, I checked the KDC source code, it seems to have code to support
database-based mapping of principal names to unix account names.
But I cannot find any document to configure KDC to use it. Where can I find the
information? Can someone please tell me how to configure KDC to use database
mapping
Hi, where can I find the detailed specification of UDP request packets, like
which bytes stand for what?
Thanks
Jim
Hi, I have a question.
When you start ssh, ssh will use TGT ticket in the cache that matches the
current unix login account.
Is my understanding correct? Is there a way you can override this to use a
different TGT in the cache?
Thanks
Jim
still log at debug level.
(should follow whatever specified in [logging])
Jim
On Sep 24, 2012, at 12:15 PM, Greg Hudson wrote:
> On 09/19/2012 02:32 PM, Jim Shi wrote:
>> It seems when KDC is running with multiple workers, the syslog level for
>> workers is always 'DEBUG'
It seems when KDC is running with multiple workers, the syslog level for
workers is always 'DEBUG'. No matter what syslog level you set in kdc.conf.
Just wonder others have same issues.
Thanks
Jim
Can I just post a patch here?
Thanks
Jim
Hi, I have a question. Does KDC cache anything from ldap?
That is, if I update ldap, KDC will see the results immediately?
Thanks
Jim
The timestamp saved to ldap has a 'Z' at the end. For example:
krbLastPwdChange: 20120719221721Z
What does 'Z' stand for here?
Thanks
Jim
43 matches