timestamps saved to ldap

2012-07-24 Thread Jim Shi
The timestamp saved to ldap has a 'Z' at the end. For example: krbLastPwdChange: 20120719221721Z What does 'Z' stand for here? Thanks Jim Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

kdc with ldap backend

2012-07-25 Thread Jim Shi
Hi, I have a question. Does KDC cache anything from ldap? That is, if I update ldap, KDC will see the results immediately? Thanks Jim

how to submit a patch to KDC?

2012-08-24 Thread Jim Shi
Can I just post a patch here? Thanks Jim

debug level in krb5-1.10.3 for workers

2012-09-19 Thread Jim Shi
It seems when KDC is running with multiple workers, the syslog level for workers is always 'DEBUG', no matter what syslog level you set in kdc.conf. Just wonder if others have the same issue. Thanks Jim

Re: debug level in krb5-1.10.3 for workers

2012-09-24 Thread Jim Shi
. (should follow whatever specified in [logging]) Jim On Sep 24, 2012, at 12:15 PM, Greg Hudson wrote: On 09/19/2012 02:32 PM, Jim Shi wrote: It seems when KDC is running with multiple workers, the syslog level for workers is always 'DEBUG'. No matter what syslog level you set in kdc.conf. Just

TGT ticket for SSH login

2012-10-31 Thread Jim Shi
Hi, I have a question. When you start ssh, ssh will use the TGT in the cache that matches the current unix login account. Is my understanding correct? Is there a way you can override this to use a different TGT in the cache? Thanks Jim

mapping principal name to local unix account name

2012-12-17 Thread Jim Shi
Hi, I checked the KDC source code, and it seems to have code to support database-based mapping of principal names to unix account names. But I cannot find any document to configure KDC to use it. Where can I find the information? Can someone please tell me how to configure KDC to use database mapping

iOS support for kerberos authentication?

2013-01-03 Thread Jim Shi
Where to find information about iOS's support for kerberos authentication? I googled the internet and cannot find any. Thanks Jim

client's system clock is ahead of KDC system clock

2013-01-29 Thread Jim Shi
Hi, if a client's system clock is one hour ahead of KDC system clock, should I get a valid TGT, or should I get clock skewed error? We have clients that are able to get TGT when system clock is ahead of server clock. Any idea if this is a client issue? A KDC server issue? Thanks Jim

how to extract principal from kinit request

2014-02-14 Thread Jim Shi
Given a kinit request (binary data), is there an easy way to extract the principal in the request without knowing how the request is constructed? In vi I saw something like this: account_user¢^X^[^VREALM.TEST.COM What is the thing between account_user and REALM.TEST.COM? Thanks Jim

Re: Kerberos5 ticket to ascii converter?

2014-09-30 Thread Jim Shi
You can use BouncyCastle lib to get principals from the ticket, if this is what you are looking for. Jim On Tue, 9/30/14, Rick van Rein r...@openfortress.nl wrote: Subject: Re: Kerberos5 ticket to ascii converter? To: Wendy Lin

Re: Differentiate the ServiceTicket issued from Kinit vs PKinit

2015-06-03 Thread Jim Shi
Never mind. I assume the flags are inside the ticket. Thanks Jim On Jun 3, 2015, at 3:52 PM, Jim Shi hanmao_...@apple.com wrote: Hi, Ken, The TGS ticket flag is set on KDC server. When the client gets TGS back from the server, he/she is able to see the flag set by the KDC. Looks

Re: Differentiate the ServiceTicket issued from Kinit vs PKinit

2015-06-03 Thread Jim Shi
Hi, Ken, The TGS ticket flag is set on KDC server. When the client gets TGS back from the server, he/she is able to see the flag set by the KDC. Looks klist commands will show flags. However if the client passes the ticket to some service for verification, the service will not be able to see

compile krb5-1.13.2 with a static openssl lib on linux

2015-06-13 Thread Jim Shi
Hi, I need to build KDC with a static openssl lib. How to compile KDC that uses a static openssl lib? Thanks Jim

pkinit with heimdal kinit

2015-06-10 Thread Jim Shi
Hi, I have MIT kdc 1.10.6 running on linux server. The client is heimdal kinit on OS X. On OS X: ./kinit -C FILE:client.pem,clientkey.pem --x509-anchors=FILE:cacert.pem testuser@REALM On KDC server, I saw this error: Jun 09 14:50:20 MacBook-Pro.local krb5kdc[17663](info): AS_REQ (4 etypes {18

Re: Differentiate the ServiceTicket issued from Kinit vs PKinit

2015-06-02 Thread Jim Shi
We sort-of do this, but it may not directly be applicable. Our KDC-side PKINIT module will set HW-AUTH flag on the TGT _if_ a particular policy OID is found in the client certificate (in our case, the policy OID we check for is if the certificate comes from a smartcard, so the use of

how to retrieve ticket flags in JAVA

2015-06-29 Thread Jim Shi
Hi, I am trying to find if a particular ticket flag in a kerberos ticket is set in Java. I was suggested to use the following code: boolean[] flags = (boolean[])((ExtendedGSSContext) context).inquireSecContext( InquireType.KRB5_GET_TKT_FLAGS); Say

Re: how to retrieve ticket flags in JAVA

2015-06-30 Thread Jim Shi
me include a URL): https://community.oracle.com/community/java/java_security/kerberos_%26_java_gss On Mon, Jun 29, 2015 at 4:20 PM, Jim Shi hanmao_...@apple.com wrote: Hi, I am

certificate revocation checking in pkinit in KDC

2015-07-31 Thread Jim Shi
Hi, Is it possible to check if a certificate is revoked against a URL in MIT KDC? I looked at the KDC code. It seems to use a static file, not a web URL? Thanks Jim

how to set ldap connection timeout in KDC

2015-11-02 Thread Jim Shi
Hi, I try to find out what is the default ldap connection timeout in KDC. I looked at the kdc source code and could not find out. Is there a way to override the default timeout? Thanks Jim

Re: adding debug statements KDC source code

2015-11-05 Thread Jim Shi
Never mind. Thanks Jim > On Nov 5, 2015, at 8:13 PM, Jim Shi <hanmao_...@apple.com> wrote: > > Hi, I add debug statements like this to the source code > > krb5_klog_syslog(LOG_INFO, _("my debug here!!")); > > After compiling and deployment, none of the

adding debug statements KDC source code

2015-11-05 Thread Jim Shi
Hi, I add debug statements like this to the source code krb5_klog_syslog(LOG_INFO, _("my debug here!!")); After compiling and deployment, none of the debug statements is printing anything to the kdc.log. I am a bit puzzled. Can someone please shed some light on this? Thanks Jim

PKINIT with PIV card

2015-12-11 Thread Jim Shi
Hi, when using PIV card for PKINIT, I got this error right after entering the PIN: (The PIN I entered is correct) PIV_II (PIV Card Holder pin) PIN: [66321] 1449793336.332997: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory[66321] 1449793336.333267: Preauth module pkinit

ApacheDS kerberos server

2016-04-29 Thread Jim Shi
Hi, I would like to get advice on using ApacheDS kerberos server, which is a java implementation of krb5. Is that production ready? Has anyone used it in prod? Is it 100% compatible with KDC servers? That is, will existing KDC clients continue to work? Thanks a lot. Jim

IPv6 support in KDC

2016-05-12 Thread Jim Shi
Hi, does KDC support IPv6? Which versions of KDC have the support? Thank you very much. Jim

Re: KKDCP with KDC

2017-03-07 Thread Jim Shi
, 4:24:20 PM PST, Greg Hudson <ghud...@mit.edu> wrote: On 03/07/2017 05:26 PM, Jim Shi wrote: > I have krb5-1.15 client and have kkdcp server set up running. > I verify that my kkdcp end point is reachable. (ie. > https://my_server.com/kkdcp is reachable) > However when run:

KKDCP with KDC

2017-03-07 Thread Jim Shi
I have krb5-1.15 client and have kkdcp server set up running. I verify that my kkdcp end point is reachable. (ie. https://my_server.com/kkdcp is reachable) However when run: KRB5_TRACE=/dev/stdout kinit -V my_test_account I got kinit: Cannot contact any KDC for realm '' while getting initial

Re: certificate revocation check for PKINIT in KDC

2017-08-10 Thread Jim Shi
Greg: I thought ocsp was supported. Good to know it is not. Thorsten: Thanks for the info. Jim > On Aug 10, 2017, at 3:53 AM, tseegerkrb <tseeger...@gmail.com> wrote: > > On 10.08.2017 06:55, Greg Hudson wrote: >> On 08/08/2017 02:11 PM, Jim Shi wrote: >>

client IP address in Kerberos ticket.

2017-07-21 Thread Jim Shi
Hi, I have a question regarding client IP address checking in KDC. Is it true that by default tickets issued by KDC are not bound to any client IP address? Also KDC server does not check IP if the ticket does not have any client IP address in it. Do we have to explicitly turn on the client

certificate revocation check for PKINIT in KDC

2017-08-08 Thread Jim Shi
Hi, Is there any document on how to configure certificate revocation check for PKINIT in KDC? Thanks Jim

kkdcp

2018-05-24 Thread Jim Shi
Does MIT KDC support kkdcp? Which version is required to support kkdcp? Thanks Jim

Re: compile KDC with KKDCP support

2018-08-28 Thread Jim Shi
Hi, Greg, I understood kkdcp support is in client lib. But in my test (kinit), it seems the client is not making https request to the proxy server. Do you have any idea? Thanks. Jim On Monday, August 27, 2018, 11:08:31 PM PDT, Greg Hudson wrote: On 08/27/2018 07:47 PM, Jim Shi wrote

Re: compile KDC with KKDCP support

2018-08-28 Thread Jim Shi
] 1535476186.386213: Sending retry UDP request to dgram 17.212.195.105:0 [8585] 1535476191.391403: Sending retry UDP request to dgram 17.212.195.105:0 On Tuesday, August 28, 2018, 9:46:38 AM PDT, Robbie Harwood wrote: Jim Shi writes: > Hi, Greg, > I understood kkdcp support is in clie

Re: compile KDC with KKDCP support

2018-08-28 Thread Jim Shi
Benjamin, Right on. Had LD_LIBRARY_PATH pointing to old lib. Thank you so much! Jim On Tuesday, August 28, 2018, 5:52:39 PM PDT, Benjamin Kaduk wrote: On Tue, Aug 28, 2018 at 05:16:40PM +, Jim Shi wrote: > Hi, Robbie, > I got trace after using a file. Looks the

compile KDC with KKDCP support

2018-08-27 Thread Jim Shi
I have another question. To compile KDC with kkdcp support, do I need to pass in any special flag(s)? Or is kkdcp supported by default in recent code? The reason I ask this question is that when I run a test: (I do have kdc = https:// configured for the realm). It does not seem to make https

Re: Running KDC as non-root and dockerize KDC

2019-01-04 Thread Jim Shi
> On Jan 4, 2019, at 6:55 AM, Yegui Cai wrote: > > Hi all. > > This can be two threads but I have the following two questions at the same > time. > 1. Can we run KDC as a non-root user? Meaning is it required to run KDC as > root? yes root user is not required. > 2. Is there any official

Compiling krb5-1.18.4 on Linux

2021-10-05 Thread Jim Shi
Hi, when I run ./configure, I got the following error: checking for time_t... yes checking size of time_t... configure: error: in `/ngs/app/dsservd/krb5-1.18.4/src': configure: error: cannot compute sizeof (time_t) See `config.log' for more details Any idea? How to fix it? BTW I was able to

how to stash KDC password in perl

2022-10-20 Thread Jim Shi via Kerberos
Hi, is there way to stash password in perl or Java? I know it is in KDC source. Thank you. Jim

Re: how to stash KDC password in perl

2022-10-20 Thread Jim Shi via Kerberos
at 11:29 Jim Shi via Kerberos wrote: Hi, is there way to stash password in perl or Java? I know it is in KDC source. Thank you. Jim

How to generate TGT using java GSS API

2024-03-04 Thread Jim Shi via Kerberos
Hi, We can generate a TGS with GSS API in Java. But is there a way to get TGT in java, assuming I have account/password? Thanks Jim