Hi Kostas,
I haven't found the perfect solution for the problem,
but I'll surely post some notes in the mailing list
when I find one.
That is: active directory users computers- view
- advanced features,
then right click on a user - name mappings -
kerberos names - add -
[EMAIL PROTECTED]
I cannot think of anything that Kerberos applications need other than
network and urandom.
The KDC does not need write access to the database, although of course
kadmind does.
You probably want to make it difficult for either the KDC or the
kadmind to execute other programs or switch domains to
Hi, folks
I'm trying to figure out how the load balancing with kerberos works, and I
simply don't get it. From what I've learned so far, I figure that MIT
kerberos is meant to be used as a single server, with one failback slave
server that usually doesn't answer any requests. This doesn't make
So, logical consequence is that master must answer all TGT requests.
There are two things missing here.
The user's password is only required for AS requests. You don't need the
user's password for TGS requests, which are the vast majority of Kerberos
requests.
At least one major Kerberos
Ken Hornstein [EMAIL PROTECTED] writes:
So, logical consequence is that master must answer all TGT requests.
Two more things:
- An hour is a long time to wait for password updates between KDCs. Mine is
set to 5 minutes.
If you are a big site (tens of thousands of principals),
this is
Hello!!! thanks for all the inputs. :) okay here's the thing.
I have the following:
iplanet C-sdk
SEAM
solaris 8 machine
active directory ldap server
All of them are already built. How do I use the cyrus sasl in this
case? Do I need to recompile anything from the above list or just
compile sasl
melissa benkyo [EMAIL PROTECTED] writes:
Hello!!! thanks for all the inputs. :) okay here's the thing.
I have the following:
iplanet C-sdk
SEAM
solaris 8 machine
active directory ldap server
All of them are already built. How do I use the cyrus sasl in this
case? Do I need to recompile
All,
Unfortunately SUN SEAM kerberos does *not*
seem to do that. Users have to wait up to one hour
when the *full* prop occurs.
(SUN Support indicated that the krb5 propagation cannot
do delta...instead it does a full transfer each time...
it is sooo clunky...)
-subu
email: [EMAIL
Hi, I noticed somewhere that you could set the system property
sun.security.krb5.debug=true
to get additional Kerberos debugging information. Does anyone know of
a guide to decipher this information, particularly the output provided
by the new 1.5 JDK. Documentation on it seems to be very
On Tue, Apr 13, 2004 at 06:46:09PM -0400, Sonny Zambrana wrote:
# GSSAPI options
GSSAPIAuthentication yes
Have you enabled this for the client as well? Try:
ssh -o gssapiauthentication=yes server
Kerberos mailing list [EMAIL
Note that in general, Kerberos tools and libraries which expect to be able
to access /dev/urandom probably won't just work differently without it;
they may refuse to operate at all, generating errors instead.
I have reasons to believe that my kerberos server accesses /dev/random,
rather than
Yep it takes the option but still doesn't work.
Sonny J Zambrana
Systems Administrator - University Of Pennsylvania
[EMAIL PROTECTED]
On Apr 14, 2004, at 5:43 PM, Andreas wrote:
On Tue, Apr 13, 2004 at 06:46:09PM -0400, Sonny Zambrana wrote:
# GSSAPI options
GSSAPIAuthentication yes
Have you
Hi all,
I tested cross-realm awhile back and it seemed to work fine, not sure why I'm running
into issues now, maybe I'm forgetting something obvious. Scenario: KDC is Active
Directory, clients are running Solaris and HP-UX with Kerberos and appropriate
patches. I tried going Sun to Sun and
Inger, Slav (.) wrote:
Hi all,
I tested cross-realm awhile back and it seemed to work fine, not sure why I'm
running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is
Active Directory, clients are running Solaris and HP-UX with Kerberos and
appropriate patches.
The MIT Kerberos Team announces the availability of MIT Kerberos for
Windows 2.6.1.
The distribution packages and Release Notes are available from the
download link on the MIT Kerberos distribution page,
http://web.mit.edu/kerberos/dist/
The main MIT
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jeffrey Altman
Sent: Wednesday, April 14, 2004 7:00 PM
To: [EMAIL PROTECTED]
Subject: Re: Cross-realm issue - what am I missing?
Cross-realm implies two different KDCs one for each realm which
are
the iPlanet directory server does not support GSSAPI authentication at
all. This probably means that their client libraries don't support it
either. You probably want better client libraries; the OpenLDAP client
libraries are excellent. I could be wrong on this, though.
I expect that Sun will
Howdy folks,
I've run across a situation where a nice solution would involve using
~/.k5users rather than .k5login to limit remote rsh abilities. ~/.k5users
is a tool that I've read about but never used before.
It's always struck me as odd that .k5login has its own man page while
.k5users is
On Wed, Apr 14, 2004 at 12:02:46PM -0400, Sam Hartman wrote:
I cannot think of anything that Kerberos applications need other than
network and urandom.
That's perfect.
You probably want to make it difficult for either the KDC or the
kadmind to execute other programs or switch domains to
Inger, Slav (.) wrote:
Hi all,
I tested cross-realm awhile back and it seemed to work fine, not sure why I'm
running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is
Active Directory, clients are running Solaris and HP-UX with Kerberos and
appropriate
20 matches