It is
#sw_vers
ProductName:macOS
ProductVersion: 11.6
BuildVersion: 20G165
Markus
"Ken Hornstein" wrote in message
news:202110102213.19amdrlm030...@hedwig.cmf.nrl.navy.mil...
> I was trying to share a FILE ccache between different process/logins on a
> MAC but it seems
,
gss_mech_spnego,
0,
0,
GSS_C_NO_CHANNEL_BINDINGS,
_token, NULL, _token,
NULL, NULL);
Thank you
Markus
"Markus Moeller" wrote
Hi
I was trying to share a FILE ccache between different process/logins on a
MAC but it seems gss_init_sec_context ignores KRB5CCNAME on a MAC. Is that
correct ? If so is there a way to share the API ccache ?
The case I have is a background job seems to use the API ccache of when
the
Is there anywhere a guide how to work with the Mac GSS Framework ? There
are many functions marked as deprecated, but I could not find any
instruction how to replace them. Example:
error: 'krb5_init_context' is deprecated: use GSS.framework
[-Werror,-Wdeprecated-declarations]
code =
Hi Greg,
Thank you very much for the explanation. I should read more often the
updates to the versions.
Markus
Greg Hudson wrote in message news:54a77db1.6090...@mit.edu...
On 01/02/2015 05:35 PM, Markus Moeller wrote:
I lately changed from krb5 1.10 on OpenSuse 12.3 to krb5 1.12
Hi,
I call krb5_get_init_creds_keytab in my application and valgrind tells me
about a leak (see below). It seems to be the memory allocation for
mod->modreq_p, which I think I can't clear from my application, can I ?
for (i = 0; i < context->preauth_context->n_modules; i++) {
Hi,
I wonder if someone can point me to a way to achieve an ldaps connection
to Active Directory with Kerberos (or GSSAPI ).
SASL/GSSAPI seems broken and nobody seems to mind.
ldapsearch -H ldaps://w2k3r2.win2003r2.home -Omaxssf=0 -s sub -b
DC=WIN2003R2,DC=HOME (samaccountname=mm)
-Original Message-
From: Simo Sorce
Sent: Saturday, March 08, 2014 9:01 PM
To: Russ Allbery
Cc: Markus Moeller ; kerberos@mit.edu
Subject: Re: Kerberos authentication to Active Directory with SSL encryption
On Sat, 2014-03-08 at 12:19 -0800, Russ Allbery wrote:
Markus Moeller hua
I have in my code the below section and get valgrind errors about lost
blocks
==25011== 136 (80 direct, 56 indirect) bytes in 1 blocks are definitely lost
in loss record 597 of 675
==25011==at 0x4C2A0B4: calloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25011==by
Ah yes that solved it.
Thank you
Markus
Greg Hudson wrote in message news:529cf20b.8050...@mit.edu...
On 12/01/2013 06:59 PM, Markus Moeller wrote:
krb5_get_init_creds_opt_alloc(kparam.context, options))
krb5_get_init_creds_opt_init(options);
Don't call krb5_get_init_creds_opt_init
What is the right way to do channel binding for ipv6 ?
I see heimdal uses GSS_C_AF_INET6 whereas Solaris/MIT seem to use only
GSS_C_AF_INET.
Heimdal:
sockaddr_to_gss_address (struct sockaddr *sa,
OM_uint32 *addr_type,
gss_buffer_desc
Hi Ken,
I have a small patch for OpenSuSE
Markus
Ken Dreyer ktdre...@ktdreyer.com wrote in message
news:cad3fbmvufumgj4_c-mokbmwm4wsbfeccyazmw-m79ryujm3...@mail.gmail.com...
I'm pleased to announce release 0.4.1 of msktutil.
msktutil is a program for interoperability with Active
Does anybody know if a MIT client can work with a RODC ?
Looking at page 142 of
http://download.microsoft.com/download/e/e/0/ee04289a-02a7-45e9-86ce-e0ec41211c08/LHBOG_Plan.doc
I wonder how a TGS could be received for example for SASL/GSSAPI
authentication to the RODC ldap port.
If
If I remember right, when GSSAPIAuthentication is used and the client has a
valid Kerberos ticket, pam won't be called on the server, so the pam module
won't help in that case.
Markus
Booker Bense bbe...@slac.stanford.edu wrote in message
Try using the hostname of your AD server instead of the ip. The ldap library
might ask for ldap/server without reverse dns lookup of the ip to a name.
In the Wireshark trace you should see which service principal was requested.
So you should see ldap/137.99.15.89 which won't exist.
Markus
Hi
I have the following little program which seg faults when calling
krb5_free_cred_contents. The error seems to come from
krb5_free_keyblock_contents(context, &val->keyblock); Shouldn't
krb5_free_keyblock_contents check if the content is not zero ?
Thank you
Markus
#include <krb5.h>
int
Greg Hudson ghud...@mit.edu wrote in message
news:1294358161.2456.336.ca...@ray...
On Thu, 2011-01-06 at 18:04 -0500, Markus Moeller wrote:
Shouldn't
krb5_free_keyblock_contents check if the content is not zero ?
It does.
int main() {
[...]
krb5_creds creds;
[...]
code
, output_token, NULL, NULL);
maj= gss_export_sec_context(min, gss_context_init, export_token);
}
Markus Moeller hua...@moeller.plus.com wrote in message
news:if7efi$4g...@dough.gmane.org...
When I try to export a security context it sometime crashes in:
gss_export_sec_context
When I try to export a security context it sometime crashes in:
gss_export_sec_context in g_exp_sec_context line 104
102 return (GSS_S_UNAVAILABLE);
103
104 status = mech->gss_export_sec_context(minor_status,
105 ctx->internal_ctx_id,
I know that IE does not canonicalise the hostname as firefox does (e.g.
gethostbyaddr(gethostbyname(hostname())) ). But how are CNAMEs handled ? It
looks like the CNAME is replaced with the real name. Can anybody confirm ?
Thank you
Markus
goto cleanup;
265 }
which I think does not relate to the new mech type. Any idea what to look
for ?
Thank you
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:iafjbr$so...@dough.gmane.org...
Simo Sorce sso...@redhat.com wrote in message
news:20101029175054.721e9
If I use RC4-hmac it works but AES 128/256 fail on Windows 2008 R2 although
AES 128/256 works on 2008. Can anybody confirm ? Has 2008 R2 changed
something compared to 2008 ?
Thank you
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:iah61u$ra...@dough.gmane.org...
Stepping
Hi
I try to use a Windows 2008 R2 server together with MIT libraries 1.8.1
for Negotiate authentication. It works fine with 2008 but 2008 R2 seems to
have implemented http://www.ietf.org/id/draft-zhu-negoex-02.txt which uses
a new mechtype 1.3.6.1.4.1.311.2.2.30. Is this supported/tested
Simo Sorce sso...@redhat.com wrote in message
news:20101029175054.721e9...@willson.li.ssimo.org...
On Fri, 29 Oct 2010 22:26:36 +0100
Markus Moeller hua...@moeller.plus.com wrote:
Hi
I try to use a Windows 2008 R2 server together with MIT libraries
1.8.1 for Negotiate authentication
John Washington jawas...@illinois.edu wrote in message
news:20100222022751.gb24...@kyoto.cites.uiuc.edu...
* Markus Moeller hua...@moeller.plus.com [2010-02-21 12:55]:
I have a Kerberos 1.4 client configured to use DNS lookup for kdc. The
environment has 23 AD servers for the domain. Everything
I have a Kerberos 1.4 client configured to use DNS lookup for kdc. The
environment has 23 AD servers for the domain. Everything is resiliently
set up with 3 DNS servers. I now observe that when the first DNS server
fails a kinit takes 80 seconds or more. Some application using Kerberos via
I filed it under http://defect.opensolaris.org/bz/show_bug.cgi?id=12384
Markus
- Original Message -
From: Will Fiveash william.five...@sun.com
To: Markus Moeller hua...@moeller.plus.com
Cc: kerberos@mit.edu
Sent: Monday, November 02, 2009 9:37 PM
Subject: Re: SEGV
in main (argc=143409904, argv=0x8047c64, envp=0x8047c70) at
sockd.c:371
(gdb)
Greg Hudson ghud...@mit.edu wrote in message
news:1256220048.23997.307.ca...@ray...
On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
I have an application which creates a cache, stores a ticket
) will
68* leak.
69*/
70 if (strcmp("MEMORY", krb5_cc_get_type(context, cred->ccache)) == 0)
71 code1 = krb5_cc_destroy(context, cred->ccache);
72 else
73 code1 = krb5_cc_close(context, cred->ccache);
Markus
Markus Moeller hua
Greg Hudson ghud...@mit.edu wrote in message
news:1256220048.23997.307.ca...@ray...
On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
I have an application which creates a cache, stores a ticket and then
destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris
(but
I
Ezra Peisach epeis...@mit.edu wrote in message
news:4ae2f442.80...@mit.edu...
a) Is this a multithreaded application?
b) Are you sharing the same cache between threads? If so - destroying
one while in use can cause this.
It is not threaded.
c) Can you provide some sample code - if not -
Did you check
http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/ ?
Markus
Chris Cowley chriscowleyso...@googlemail.com wrote in message
news:a804524e-f6d4-4b9d-93ca-a267ee356...@j19g2000yqk.googlegroups.com...
On 13 Oct, 17:28, Chris Cowley chriscowleyso...@googlemail.com
I don't think IE 6 supports Negotiate/Kerberos for proxy authentication.
Also you would have to use the FQDN not the IP-address of the proxy.
Markus
anandhi jay anu.pers...@gmail.com wrote in message
news:mailman.60.1254832099.18120.kerbe...@mit.edu...
Hi,
I have installed the kerberos5
John,
That is correct. msktutil updates the key of the computer account. So the
second msktutil call with the same computer-name will make the first entry
invalid. But you can have host and http assigned to the same AD account if
you use other tools like net ads join with net ads keytab.
Is the AD account which you used for the HTTP principal used for samba too
or used in any other way ? (e.g. do you use net ads join and
msktutil --computer-name hostname ?) Is the kvno in AD still the same ?
Markus
Dan Searle dan.sea...@censornet.com wrote in message
...@linet.dk IM: mik...@linet.dk (MSN) Professional Profile: Healthcare Network Consultant
Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote:
Do you look for something like ?
netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
This tells the w2k3 domain
...@motyka.org wrote in message
news:8072f979-c6b4-42d1-a5f8-f80f5dee5...@p15g2000vbl.googlegroups.com...
On Aug 27, 1:26 pm, Jeffrey Altman jalt...@secure-endpoints.com
wrote:
Markus Moeller wrote:
I am reading the MS article about IWA and extended protection
http://msdn.microsoft.com/en-us/library/dd639324
Do you look for something like ?
netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
This tells the w2k3 domain WINDOWS2003.HOME that hosts within the domain
suse.home belong to the MIT domain SUSE.HOME
Markus
Mikkel Kruse Johnsen mik...@linet.dk wrote in message
I found the problem with msktutil. It uses the wrong salt. For a computer
name with uppercase parts (e.g. squid-HTTP) it uses
DOM.LOCALhostsquid-HTTP.dom.local as salt instead of
DOM.LOCALhostsquid-http.dom.local.
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:mailman
Douglas E. Engert deeng...@anl.gov wrote in message
news:mailman.48.1251902470.12456.kerbe...@mit.edu...
Markus Moeller wrote:
I found the problem with msktutil. It uses the wrong salt. For a computer
name with uppercase parts (e.g. squid-HTTP) it uses
DOM.LOCALhostsquid-HTTP.dom.local
What does "Looping detected ..." mean ?
#/opt/krb5-1.7/bin/kinit -kt /opt/squid-3.0/etc/HTTP.keytab
HTTP/centos.dom.local
kinit: Looping detected inside krb5_get_in_tkt while getting initial
credentials
klist -ekKt /opt/squid-3.0/etc/HTTP.keytab
Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
and spn - and a client
requests a HTTP/fqdn TGS or AS the key for host/fqdn is used)
Regards
Markus
Douglas E. Engert deeng...@anl.gov wrote in message
news:mailman.43.1251730131.12456.kerbe...@mit.edu...
Markus Moeller wrote:
I use the latest msktutil (0.3.16-7) and can add an entry
Subject: Aw: msktutil problem with Windows 2008
Howdy Markus
Sounds to me that you're trying to use a keytab without exporting the key to
your keytab file test.keytab
am I right ?
cheers
Wolf-Agathon
- Original Message -
From: Markus Moeller hua
/centos.dom.local
kinit(v5): Preauthentication failed while getting initial credentials
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:cf5a795e7b16440fa314ed54d5645...@vaiolaptop...
Wolf-Agathon,
I did export the keytab, but I found out the Hotfix 951191 was not
installed
/fqdn ticket 2008 converts it in a
request for host/fqdn and ignores entries with a serviceprincipal set to
HTTP/fqdn.
Can anybody confirm that ? Or what do I do wrong ?
Thank you
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:h7b5a5$tb...@ger.gmane.org...
I was too quick. I
I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
but when I run kinit -kt test.keytab HTTP/fqdn I get
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to be
changed ?
Thank you
Markus
I am reading the MS article about IWA and extended protection
http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
affects GSSAPI based applications like Apache with mod_auth_kerb ? Does
this mean MS has added channel bindings to SSPI ?
Unfortunately I don't have Windows
Some more memory leaks in version 1.7
GSSAPI input token no error
gssapi_auth_test-mit-1.7.val:==12881==definitely lost: 21 bytes in 1
blocks.
gssapi_auth_test-mit-1.7.val:==12881==still reachable: 1,081 bytes in 5
blocks.
gssapi_auth_test-mit-1.7-2.val:==12883==definitely lost: 42
I am working on an application to do gssapi authentication and noticed
increased memory usage. I created the following test application:
/*
*/
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <unistd.h>
#include <time.h>
#include <sys/time.h>
#ifndef HEIMDAL
#define
Greg Hudson ghud...@mit.edu wrote in message
news:1251133842.20047.106.ca...@ray...
It looks like your test program relies on base64.h and presumably some
source file, which you didn't include?
I'm also not seeing your valgrind output in the attachment, but that is
conceivably a problem on
Or do you use a cname ?
sonu aashish.jai...@gmail.com wrote in message
news:906787d4-02d4-4d41-9b6c-c665da6b8...@i28g2000prd.googlegroups.com...
Hi all,
I am getting this error while trying to run kerberos transaction on
IIS7 with AD as KDC:
SmKcc::getCredentials][Failed to validate
That looks like the client is sending a wrong token.
Markus
.aspx
http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
I don't know why they changed their mind.
Markus
- Original Message -
From: Ravi Channavajhala ravi.channavajh...@dciera.com
To: Douglas E. Engert deeng...@anl.gov
Cc: Markus Moeller hua
Ravi Channavajhala ravi.channavajh...@dciera.com wrote in message
news:mailman.20.1241667589.9729.kerbe...@mit.edu...
On Thu, May 7, 2009 at 1:19 AM, Markus Moeller hua...@moeller.plus.com
wrote:
You could add a copy to the keytab with ktutil which has an uppercase
HOST
e.g.
# ktutil
Douglas E. Engert deeng...@anl.gov wrote in message
news:mailman.17.1241638415.9729.kerbe...@mit.edu...
Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.
Normally Kerberos host/hostn...@realm has host in lower case.
So why is Samba net ADS join is
John Jasen jja...@realityfailure.org wrote in message
news:49d0ee12.2070...@realityfailure.org...
Please forgive me if this is not the right venue.
I seem to have not found the magic required to use kerberos service
principal names on unix systems against an Active Directory server.
In
Xu, Qiang (FXSGSC) qiang...@fujixerox.com wrote in message
news:d8c9bc7ffcf8154fb7141eb8db609c172905982...@sgpaphq-exscc01.dc01.fujixerox.net...
-Original Message-
From: kerberos-boun...@mit.edu
[mailto:kerberos-boun...@mit.edu] On Behalf Of Markus Moeller
Sent: Wednesday, March 25
...@mit.edu [mailto:kerberos-boun...@mit.edu] On
Behalf Of Markus Moeller
Sent: 25 March 2009 00:04
To: kerberos@mit.edu
Subject: Re: Kerberos authentication against multiple Windows Domains
Earl, Kevan C kevan.e...@astrazeneca.com wrote in message
news:3154febcfb92804da39a2560e17183760341f
Here is a small program which you could use to test to get a service ticket.
If you do
# kinit mar...@suse.home
Password for mar...@suse.home:
# klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mar...@suse.home
Valid starting Expires Service principal
03/25/09
Xu, Qiang (FXSGSC) qiang...@fujixerox.com wrote in message
news:d8c9bc7ffcf8154fb7141eb8db609c1729058b3...@sgpaphq-exscc01.dc01.fujixerox.net...
-Original Message-
From: kerberos-boun...@mit.edu
[mailto:kerberos-boun...@mit.edu] On Behalf Of Michael Ströder
Sent: Tuesday, March 24,
Earl, Kevan C kevan.e...@astrazeneca.com wrote in message
news:3154febcfb92804da39a2560e17183760341f...@ukaprdembx02.rd.astrazeneca.net...
Hello,
I'm after some advice on how to configure Kerberos v5 to authenticate
users from different Windows domains to the same Apache hosted
Can you get a network capture with wireshark on your 2003 server of all
traffic from your client when you do the following
On the client:
kinit q...@sesswin2003.com
ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com' -b
'dc=sesswin2003,dc=com' -s sub -LLL '(cn=qxu)' mail
Make sure
Firstly you should use rc4-hmac as the first encryption method. Secondly
what is the AD domain name ? The error you see usually means that you
connect with the wrong domain name to AD.
Markus
Nicolas Michel nicolas.mic...@lemail.be wrote in message
Victor,
I can also confirm that Thunderbird works with GSSAPI/SSPI on XP against the
Cyrus IMAP server. (I just downloaded Thunderbird and did not modify any
settings other than adding the account details)
Markus
Markus Moeller [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I use
I use it against Cyrus IMAP v2.3.12p2 server (both client and server on
Linux) with AD as kdc.
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR] imap.server.home Cyrus IMAP
v2.3.12p2 server ready
1 capability
* CAPABILITY IMAP4
I can also confirm that outgoing SMTP with GSSAPI auth works with
Thunderbird against sendmail.
Markus
Luke Scharf [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Victor Sudakov wrote:
Is there anyone for whom Thunderbird with GSSAPI really works?
I hope it is not just theory,
PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus Moeller [EMAIL PROTECTED] writes:
I understand that you need to keep the sequencing and in my case it is
the
case. Child 2 will always start after child 1 has finished. So there is a
clear flow order which is just handled by different
it is an existing
application and not that easy to completely rewrite.
Thanks
Markus
Nicolas Williams [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Sun, Oct 05, 2008 at 11:13:00PM +0100, Markus Moeller wrote:
Thank you for the replies.
I get a GSS: error: The token was a duplicate
will post back tomorrow with my results.. thanks for the replies so far
guys.
Regards
Richard
On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller [EMAIL PROTECTED]
wrote:
Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your
configuration
assuming you have a MIT Kerberos version
Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration
assuming you have a MIT Kerberos version 1.3 (is HPUX 11i still based on
MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be DES
only. Secondly did you change the password of the unix_client user
news:[EMAIL PROTECTED]
Markus Moeller wrote:
I tried to use my squid_kerb_auth on Solaris 10 and fail. My configure
determines it supports SPNEGO but when I use it I get
2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
credentials were supplied, or the credentials
I tried to use my squid_kerb_auth on Solaris 10 and fail. My configure
determines it supports SPNEGO but when I use it I get
2008/07/20 16:11:37| squid_kerb_auth: gss_accept_sec_context() failed: No
credentials were supplied, or the credentials were unavailable or
inaccessible. No error
BH
in message
news:[EMAIL PROTECTED]
On Sun, Jul 20, 2008 at 11:33 AM, Markus Moeller
[EMAIL PROTECTED] wrote:
I tried to use my squid_kerb_auth on Solaris 10 and fail.
I don't know anything about squid_kerb_auth or Solaris 10 really but
how are libs linked together? There are enough GSSAPI
If you have Suse 9.3 it should contain MIT version 1.4 as part of the
distribution.
Markus
Tadoori (EXT), Vilas [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Any advice. I am looking for the MIT distribution of kerberos for SUSE
Linux version 9.
Regards
Vilas
_
From:
Michael,
what does the from/till timestamp in the AS_REQ say ?
Markus
Michael B Allen [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I'm trying to diagnose a Clock skew too great error between a CentOS
5.1 client and Windows 2003 R2 ADS.
If we date 'date' on the Linux the time
The problem is that Solaris uses another principal.
After checking the documentation I found that Solaris requires a kiprop/fqdn
principal whereas the default MIT kprop client sends a host/fqdn principal.
I created a patch for MIT (see below), but that would be for mandriva as
master and
]
renew until 04/05/08 22:06:41, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Regards
Markus
- Original Message -
From: Sam Hartman [EMAIL PROTECTED]
To: Markus Moeller [EMAIL PROTECTED]
Cc
Speedo [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi All
On Windows, there's something called alternative UPN that you can
create [EMAIL PROTECTED] in that.realm. Here's a very nice explanation:
http://www.netometer.com/video/tutorials/upn/step1/step1.html
I've looked at
a) kinit [EMAIL PROTECTED]; ssh [EMAIL PROTECTED]
b) kinit [EMAIL PROTECTED]; ssh [EMAIL PROTECTED]
3) a klist -e after the attempted connection on both servers
Markus
- Original Message -
From: Andrea [EMAIL PROTECTED]
To: Markus Moeller [EMAIL PROTECTED]
Sent: Friday, March 21, 2008 9
Hi Andrea,
a user [EMAIL PROTECTED] is not the same as a user [EMAIL PROTECTED]. You need
to tell a server in domain SOLARIS that user [EMAIL PROTECTED] is the same as
[EMAIL PROTECTED] by either using .k5login or auth_to_local in krb5.conf
e.g.
..
[realms]
SOLARIS = {
if this matters but the end result is to use
mod_auth_kerb to authenticate users. You are saying I need to
recompile it to use type 10 (enterprise name type)? I might be able
to figure that out. :)
On Tue, Mar 11, 2008 at 7:32 PM, Markus Moeller [EMAIL PROTECTED]
wrote:
You need
, this is a mess. Not sure I want to dig this deep into the problem.
On Wed, Mar 12, 2008 at 2:09 PM, Markus Moeller [EMAIL PROTECTED]
wrote:
Yes you need to modify mod_auth_kerb. One thing you need to be aware of is
that the determination of the realm is more difficult as the email address
uses
You need a modified kinit which sets the principal type to 10 (enterprise
name type). Windows will then use the UPN instead of the samaccountname to
authenticate. (See attached sample mkinit.c)
Markus.
BTW If your client supports client canonicalisation you can authenticate as
[EMAIL
There might be one exception. If I remember right, logging in to
OpenSolaris/Solaris 10 with a non-kerberised client (e.g. console) using
pam_krb5 requires a root principal to log in as root, or at least a dummy
root principal key in the keytab to pass to the next pam module.
Markus
Richard
Check the global flags. You should be able to set ASC_REQ_ALLOCATE_MEMORY
Markus
Manoj Mohan [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
Right now I am calling InitializeSecurityContext and AcceptSecurityContext
with fixed token size (4096)
and things are working. I was
I can only say that I downloaded the OpenSolaris sources and built a debug
library following their instructions. I got the following from a dmake:
/opt/onnv-gate/usr/src/tools/proto/opt/onbld/bin/i386/cw -_gcc -O -K
pic -xspace -Xa -xildoff -errtags=yes -errwarn=%all
with this error */
#endif
I think this would mean pam_krb5 needs to remember the state in
pam_authenticate (which needs to return PAM_SUCCESS) and use it in
pam_acct_mgmt, which will then prompt. So I guess an option like
login_library_used for pam_krb5 on Solaris is needed.
Markus
Markus
I think you have to call QueryContextAttributes as shown below for getting
the Username.
maj_stat = AcceptSecurityContext( server_creds,
context,
input_desc,
I see now the same message. I have to check again why my initial test looked
OK.
Markus
Coy Hile [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Sat, 19 Jan 2008, Russ Allbery wrote:
I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a
principal whose password
I did some work with Russ' module on OpenSolaris and Solaris 10 release 4
(which has Kerberos headers and libraries). I noted a small issue (crash of
pam_krb5 when calling pam_setcred in cache_init_from_cache since for some
reason the pointer to the old cache is NULL). There seems to be also a
Here is a sample kdc.conf which adds rc4-hmac.
Markus
[kdcdefaults]
kdc_ports = 750,88
[realms]
SUSE.HOME = {
database_name = /var/lib/kerberos/krb5kdc/principal
admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
acl_file =
When do you exactly get this error ? It might mean that you have two entries
with the same principalname in AD.
Markus
Ali, Saqib [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hello,
I need some help deciphering the error msg below:
The
module data. Thanks,
Markus Moeller.
When keytab is set, properly handle failure to create a keytab cursor
and don't assume that the cursor is valid. Thanks, Markus Moeller.
Define _ALL_SOURCE on AIX to get prototypes for snprintf.
Add additional portability glue and Autoconf
Jason,
BTW I tested with my Linux MIT kdc and used an RC4-HMAC key for nfs/fqdn in
the keytab only and it seems to work too.
I see: Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
So I would expect to work with a Windows kdc and handling RC4 is easier as
you don't need to
of PAM that don't
provide pam_modutil_getpwnam, and compiler warnings when building
PKINIT support. Thanks, Martin von Gagern.
Fix parsing of the keytab PAM option. Thanks, Markus Moeller.
Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
resolve the Kerberos
of the keytab PAM option. Thanks, Markus Moeller.
Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
resolve the Kerberos realm. Thanks, Frank Cornelissen.
Add a new debugging section to the README.
You can download it from:
http://www.eyrie.org/~eagle/software/pam
Russ Allbery [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus Moeller [EMAIL PROTECTED] writes:
find attached a patch which allows to compile pam-krb5 against IBM's NAS
libraries (which are based on MIT 1.4.x). Unfortunately IBM doesn't seem
to
export the profile calls
Russ Allbery [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus Moeller [EMAIL PROTECTED] writes:
Russ Allbery [EMAIL PROTECTED] wrote:
Is there some specific function I should look for in ksvc to see whether
or not I need that library? (What function wasn't found without