Warren,
you can try the latest proftpd 1.2.8rc1 with my mod_gss module from
http://ourworld.compuserve.com/homepages/Markus_Moeller/
Proftp is very flexible and with the mod_gss module you will have a very
flexible gss ftp daemon.
Regards
Markus
Apologies if this is a FAQ I cannot
I wrote a mod_gss module for proftpd version 1.2.8. You can get it from
http://ourworld.compuserve.com/homepages/Markus_Moeller/
This should give a more flexible gss ftp daemon than gssftpd. If
GSS/Kerberos5 features or functions are missing please contact me at
[EMAIL PROTECTED] Does anybody
tests and I see it as stable.
Regards
Markus
- Original Message -
From: Sam Hartman [EMAIL PROTECTED]
To: Markus Moeller [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, January 05, 2003 1:16 AM
Subject: Re: GSS module for proftpd
Do you happen to know of any ftp clients for Unix
I would like to encrypt a kerberised telnet session stronger than with DES.
I assume that this has been done in the past, but I haven't found any
example. But I found the below telnet client/server source from the srp
project which has 3DES/CAST128 encryption and modified the kerberos5.c file
to
Jeffrey,
What must I change to handle the session keys correctly ?
Thank you
Markus
- Original Message -
From: Jeffrey Altman [EMAIL PROTECTED]
To: Markus Moeller [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, September 21, 2003 6:44 AM
Subject: Re: 3DES or equivalent telnet
Jeffrey
Markus:
Your patch is close to the correct way to do this. The primary issue is
the question of the encryption key to use. You want to use the 3DES
session key if it is available.
However, there is a bigger problem. The existing Kerberos 5 telnet code
base always takes the
Here is a patch on top of Simons gssapi patch for openssh 3.6.1p2 to support
multihomed systems.
Markus
openssh-3.6.1p-mm.patch
Description: Binary data
Kerberos mailing list [EMAIL PROTECTED]
I am working with keytabs for HTTP server authentication with Kerberos and
noticed that when writing a keytab the key version number is converted into
krb5_octet (see below code extract) although rfc1510 says it is an unsigned
32 bit integer.
EncryptedData ::= SEQUENCE {
etype [0]
You might want to look at www.vintela.com
Markus
James Hunt [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
We are looking to integrate Kerberos with LDAP and PAM (facilitating
communication between Kerberos and LDAP using Cyrus-SASL) on Linux. On
our own, and using documentation
I noticed that from MIT version 1.2.4 to 1.3.1 the gss_accept_sec_context call
has changed in ftpd.c. It is now set to use always GSS_C_NO_CHANNEL_BINDINGS.
I also noticed that changing the channel bindings in gss_init_sec_context on
the client doesn't create an error I would expect.
I also
Markus
Markus Moeller [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I noticed that from MIT version 1.2.4 to 1.3.1 the gss_accept_sec_context
call
has changed in ftpd.c. It is now set to use always
GSS_C_NO_CHANNEL_BINDINGS.
I also noticed that changing the channel bindings
GSS_C_NO_CHANNEL_BINDINGS.
Markus
Donn Cave [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Markus Moeller) wrote:
I noticed that from MIT version 1.2.4 to 1.3.1 the
gss_accept_sec_context
call
has changed in ftpd.c. It is now set to use always
PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus I noticed that from MIT version 1.2.4 to 1.3.1 the
Markus gss_accept_sec_context call has changed in ftpd.c. It is
Markus now set to use always GSS_C_NO_CHANNEL_BINDINGS. I also
Markus noticed that changing
Sam,
So should I raise it as a bug ?
Thanks
Markus
Sam Hartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus What is the value of channel bindings if either
Markus side(client and/or server) can ignore
Pierre,
The server tries to import [EMAIL PROTECTED] whereas the keytab I assume has
ftp/ultra.mtlw2ktest.montreal.hcl.com.
Check /etc/hosts and replace ultra for ultra.mtlw2ktest.montreal.hcl.com
Regards
Markus
Pierre Goyette [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have a
I agree as far that the server should be able to enforce channel binding or
not. If the server uses NO_C_CHANNEL_BINDINGS, the server should accept
clients sending channel bindings and clients who don't. In this case NAT
should work. But if the server requires channel bindings the client has to
I think the problem is the trust you have to the owner of the device you use
to authenticate yourself. If it is not your own you have lost as the owner
can put any type of keystroke logger on to it to catch your password in
clear. This might be less of an issue if you use a smartcard and pkinit to
I am thinking of having Kerberos cross realm authentication on my Unix
server ldap authorisation. What happens if I have the same username for
different users in the two domains (e.g. [EMAIL PROTECTED] and [EMAIL PROTECTED]) ?
Does
pam_ldap sent the domain details to the ldap server or only the
I introduced a TELNET_BUFSIZ to increase several buffers to be able to handle tickets
received by a MS kdc and a big pac field (e.g. more than 200 group memberships). I
also increased the FTP_BUFSIZ for the same reason.
Regards
Markus
diff -r -c
I have created a new netjoin version (based on MS code) with
openldap/cyrus-sasl/Kerberos 1.3.x which can extract rc4-hmac and kvno from
2003. Please contact me if you need details, sources.
Regards
Markus
Liqiang(Larry) Zhu [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Bala
Dietmar,
I think as you mention, that you have to change once the password and then
extract the keytab. Windows default is rc4-hmac and after setting the DES
flag you have to change the password so that Windows can create a DES key.
Regards
Markus
BERG Dietmar [EMAIL PROTECTED] wrote in
Keshav,
Windows determines the kdc via dns srv records. You can find some details
below.
http://www.mcmcse.com/win2k/guides/kerberos.shtml
http://www.ietf.org/rfc/rfc2782.txt
Has anybody tried to use the PAC field with MIT Kerberos ? I tried after a
kinit against a w2k kdc to look at the details in the credential cache, but
all pointers to authorisation data (cred-authdata and
decode(cred-ticket)-enc_part2-authorization_data) are 0.
Thank you
Markus
to a server.
Thanks
Markus
Sam Hartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus Has anybody tried to use the PAC field with MIT Kerberos ?
Markus I tried after a kinit against a w2k kdc to look at the
Markus
Has anybody tried to use the PAC field with MIT Kerberos ? I tried after a kinit
against a w2k kdc to look at the details in the
credential cache, but all pointers to authorisation data are 0.
Thank you
Markus
--
Markus Moeller [EMAIL PROTECTED
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
, contained directly in the authorization data, is as follows. The
top-level structure is the PACTYPE structure:
Sam Hartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus Sam the document
Markus
http
Bill,
have a look at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=144f7b82-65cf-4105-b60c-44515299797d&DisplayLang=en
Regards
Markus
Bill Pappas [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Thu, 2004-07-22 at 13:59, Bill Pappas wrote:
Hello. Is there a complete
Matt,
Have a look at http://sourceforge.net/projects/modauthkerb/ I think they
have now same handling of replays.
My module http://sourceforge.net/projects/modgssapache work normally but can
have sometimes problems with replays as Microsoft does reuse tickets.
Regards
Markus
matt cocker [EMAIL
Mulberry might do it. http://www.cyrusoft.com/mulberry/
Regards
Markus
Ryan M Bergmann [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Are there any alternatives to Eudora for reading email?
Thanks,
Ryan Bergmann
Kerberos mailing
Mike,
have a look at http://www.cybersafe.ltd.uk/menu_partners/partners.htm
Under its Software Partner Program, SAP certifies security partners for the
SNC (Secure Network Communications) and SSF (Secure Store and Forward)
interfaces. The CyberSafe TrustBroker™ products have successfully
I get from time to time in my application which uses the gssapi the below
error:
GSSAPI error major: The token's validity period has expired
GSSAPI error minor: No error
What does it mean and how can I avoid it ?
Thanks
Markus
Kerberos mailing
Is there a parameter to increase the time ? What is a context ticket ? Is it
a session ticket ?
Thanks
Markus
Sam Hartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus I get from time to time in my application which
is protected, but not the
sequence of the blocks.
Does this mean gssapi encryption on connections is flawed ?
Thanks
Markus
--
Markus Moeller [EMAIL PROTECTED]
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman
Timo,
you might need to change the password after setting the account to DES-ONLY
(a ktpass option) and extract the keytab again. Microsoft usually uses
RC4-hmac keys and the des key will be only created after changing once the
password (I think).
Regards
Markus
Timo Fuchs [EMAIL PROTECTED]
will Sequence protection (GSS_C_SEQUENCE_FLAG) cover replay protection
(GSS_C_REPLAY_FLAG) as well or are there cases were I need both ?
Thanks
Markus
On Wed, 18 Aug 2004 15:42 , Ken Raeburn [EMAIL PROTECTED] sent:
On Aug 18, 2004, at 06:52, Markus Moeller wrote:
If I want to secure
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
Timo,
the Apache server will never talk to ADS. The keytab contains all the
information to verify the tickets. Snoop the IE traffic as Jeffrey
suggested.
Regards
Markus
Timo Fuchs [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi Markus,
Markus Moeller [EMAIL PROTECTED] wrote
is not necessarily given ?
Thanks
Markus
Sam Hartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus will Sequence protection (GSS_C_SEQUENCE_FLAG)cover replay
Markus protection (GSS_C_REPLAY_FLAG) as well or are there cases
Bill,
You need a valid keytab to use pam_krb5 or set verify_ap_req_nofail = false.
See http://docs.sun.com/db/doc/816-5175/6mbba7f1m?a=view
pam_sm_authenticate() authenticates a user principal through the Kerberos
authentication service. If the authentication request is successful, the
Norbert Klasen wrote:
--On Freitag, 17. September 2004 20:35 + Jeffrey Altman
[EMAIL PROTECTED] wrote:
Jacques Lebastard wrote:
How can I check this and, second question, how can I generate a keytab
with RC4-HMAC encryption ? The ktpass tool does not accept the RC4-HMAC
crypto type:
[- /]
Nathan Neulinger wrote:
(Reposted from [EMAIL PROTECTED])
I've got a problem with keytabs related to an upgrade from W2K to W2K3 when
authenticating
from a unix client w/ mit krb5.
Principal: host/[EMAIL PROTECTED]
Password: (example) fred
A) W2K DC
create princ via ssl-ldap on w2k domain
Matt,
why do you use SSL and put extra load on the client/server if you already
use Kerberos ? SASL/GSSAPI does authentication AND encryption !!
Cyrus-sasl may show only a SSF of 56, but this is only because it is hardcoded
in cyrus, it should be calculated from the kerberos key type, e.g. with
Can I determine with gssapi calls the underlying Kerberos encryption types
or strength ? If so how would it work ? Is there a table of QOP against
Kerberos encryption types ?
Thanks
Markus
Kerberos mailing list [EMAIL PROTECTED]
Sam Hartman [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Markus == Markus Moeller [EMAIL PROTECTED] writes:
Markus Can I determine with gssapi calls the underlying Kerberos
Markus encryption types or strength ? If so how would it work ?
Markus Is there a table of QOP
Phil,
do you have a pointer where I can find the plugin. It sounds interesting to
me.
Thanks
Markus
Phil Dibowitz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Kerberos mailing list [EMAIL PROTECTED]
I experience problems with Hotfix KB833708 on a w2k3 kdc and MIT 1.2.4 (yes
I know its old). The fix works fine when I use MIT 1.3.1 which supports RC4.
When I extract a keytab which is associated with a computer account in AD I
get decrypt integrity check failed errors. It is the same error as
the error message.
Useful tools: Ethereal and dumpasn1.
-- Luke
From: Markus Moeller [EMAIL PROTECTED]
Subject: Re: W2k3 and Hotfix KB833708
To: [EMAIL PROTECTED]
Date: Sat, 6 Nov 2004 14:48:04 -
Organization: Customer of PlusNet plc (http://www.plus.net)
It seems to be related to how MS
Have a look at http://www.hut.fi/~autikkan/kerberos/ It is not the same but
has a good summary of attacks.
Gilad Evrony [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
Anyone know where to find (or has a copy of) the paper released two years
ago about the feasibility of
Luke
you can use setspn to assign a SPN to a user or computer account.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp
Regards
Markus
Luke Howard [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Unfortunately it looks like 3.0.9, while providing the
I do have a system which can't run on GMT time because of an old application
which we can't move off. Is it possible to define in Kerberos a fix time
offset in addition of a time skew ?
Thanks
Markus
Kerberos mailing list [EMAIL
Willis,
you could try my mod_gss module for proftpd
http://sourceforge.net/projects/gssmod/. I am working on the release for
proftpd 1.2.10 which will include support for OS native Kerberos packages
like SEAM(Solaris) and NAS(AIX). For the moment you could use the source
from cvs.
Regards
Tyson,
you might need to add -desonly to your ktpass line.
Regards
Markus
Tyson Oswald [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I created a keytab with ktpass on Win 2003 for my SEAM client. I imported it
into the /etc/krb5/krb5.conf and when I try and authentication through
Maybe this helps
http://bugzilla.mindrot.org/show_bug.cgi?id=928
Markus
Matthew Willis [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have a question on how folks are dealing with using Kerberos on
multi-homed servers, where each NIC has a different hostname.
For example,
Matthew
If I remember right you need DCE installed AIX 5.1. Only from AIX 5.2 you
can use client/server without DCE. I think you also need to run
chauthent -krb5 -std.
Regards
Markus
Matthew B. Brookover [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have MIT Kerberos 1.4 KDC on
://forums.proftpd.org/phpBB2/). I tested my module with SEAM on Solaris
8 and 10 as well. As client I used yafc from http://yafc.sourceforge.net/
which supports files 2GB.
Regards
Markus
- Original Message -
From: Vladimir Terziev [EMAIL PROTECTED]
To: Markus Moeller [EMAIL PROTECTED]
Cc
to what you
described below. The difference was /etc/security/user set
SYSTEM=KRB5files OR compat and /usr/lib/security/methods.cfg did not
have the options=authonly. I made both changes and kerberos still fails
to work on login.
Markus Moeller also suggested chauthent -k5. The response
Or use commercial products from Wedgetail/Vintela.
Markus
Seema Malkani [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
For Java application to authenticate against Windows KDC, you will need
configure the Windows 2000 KDC to use DES. Select use DES encryption
in the Active
Rahul,
I have started testing the IBM native support from z/OS 1.2 upwards. I did
get ftp to work, only RACF didn't want to let me login without a password.
Regards
Markus
[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Does anyone use MIT KRB5 (preferably via GSS-API) on IBM
You can try proftpd http://www.proftpd.org with
http://gssmod.sourceforge.net/.
Regards
Markus
Vladimir Terziev [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
I need to use the Kerberos implementation of the ftpd on Solaris SPARC
64bit platform for transfer of large files
BTW. The MIT kdc is 1.2.x with no rc4 support.
Markus
Markus Moeller [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I do have a setup with two kdcs ( A windows and non-windows kdc ). I'd
like to
use the highest encryption type available. The krb5.conf on my client
looks like
Tim,
in our setup we use computer accounts instead of user accounts, and don't
have experienced this issue. I think the latest ktpass can do this with
mapuser having a $ at the end.
See ktpass for 2003 SP1
, Markus Moeller wrote:
Tim,
in our setup we use computer accounts instead of user accounts, and don't
have experienced this issue. I think the latest ktpass can do this with
mapuser having a $ at the end.
I don't know about computer accounts, but this DoS is not possible if
you are using
Shih-Chieh
You can use it behind a firewall if you switch off the channel binding. If I
remember right the latest MIT sources don't use channel bindings anymore,
Heimdal and proftpd with mod_gss have an option for the daemon to switch it
off.
The other problem you may have is that the FW
You can look at the client kdc traffic (port 88) and you should see which
kvno you get for the HTTP service from the kdc. If you have several kdcs it
might be a sync problem between the kdcs.
Markus
Timo Fuchs [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
I am using
You might use a commercial java package from Vintela/Wedgetail which I think
is now part of Quest, which as far as I remember work with Tomcat.
Markus
Richard Gundersen [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi Nikola
Thanks for your quick and detailed reply. While it
When I read lately about setspn on w2k/w2k3 I noticed that the SPN can be
service/host:port
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/name_formats_for_unique_spns.asp)
with a comment that :port can be used to differentiate between multiple
instances of the same
Jose,
If I understand you right you are using Apache2 with mod_auth_gssapi_krb5
or similar and receive a NTLM token from IE, which can't be handled by the
underlying Kerberos libraries.
You should make sure that:
1) You have IE configured to use windows integrated authentication (see
Will Mustang finally include arcfour-hmac Kerberos ciphers to get more than
DES encryption when used with MS ?
Thanks
Markus
Seema Malkani [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Sun's implementation of Java Kerberos has been updated to include support
for the new
Can you try to set the enctypes to rc4-hmac des-cbc-md5 des-cbc-md5, the
only supported ones by AD. If I remember right the err is sometimes
misleading. Can you capture the traffic on port 88 ?
Regards
Markus
Claus Lund [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have
Jakob,
if I understand right you have created a new HTTP/server principal with RC4
encryption and merged it with DES only principals. Are the DES only
principals also for HTTP/server ? Do you have the DES only flag set on the
account ?
Did you use a password with the keytab tool, which would
Have you created a HTTP/server principal and configured IE with integrated
windows authentication and FF as follows ?
select URL about:config
in the filter write nego
You should see two entries double click on them and add the domains for
which you want to have SPNEGO e.g. test.com
I hope
Also can you do a kinit -k -t keytab HTTP/server successfully ?
Markus
Julien ALLANOS [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Quoting Jeffrey Altman [EMAIL PROTECTED]:
Julien ALLANOS wrote:
Quoting Jeffrey Altman [EMAIL PROTECTED]:
Neither Internet Explorer nor FireFox
Julian,
I think creating a keytab with HTTP/[EMAIL PROTECTED] should be
enough.
Regards
Markus
Julien ALLANOS wrote:
Quoting Markus [EMAIL PROTECTED]:
Julien,
as far as I am aware you can not use cnames. Normally the
client/server uses a call to gss_import_name which canonicalises the
Craig,
you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption
too. What was the reason not to use SASL/GSSAPI with encryption. An example
is AD, which can be accessed via SASL/GSSAPI with encryption.
Thanks
Markus
Craig Huckabee [EMAIL PROTECTED] wrote in message
AD while
doing kerberos authentication in my C program but failed. Did you really
enable the encryption successfully in the program? If so then I must
have missing something then
Thanks.
-Kent
On Thu, 2005-09-01 at 20:24 +0100, Markus Moeller wrote:
Craig,
you say you use SASL + SSL
.
But, yes, in most cases we could just use one or the other.
--Craig
Markus Moeller wrote:
Craig,
you say you use SASL + SSL. As far as I know SASL/GSSAPI can do
encryption too. What was the reason not to use SASL/GSSAPI with
encryption. An example is AD, which can be accessed via SASL
it would
pass requests to trusted domains like the password functions do I'd be
happy.
Thanks,
Craig
Markus Moeller wrote:
To point 2) I would do the password change through Kerberos kpasswd or if
you need to do it as an admin I think there is also a function in the MIT
library to do so
Did you map your principal to a user or computer account ? If I remember
right some salt calculation changed for DES keys if assigned to a computer
account. So an old keytab may not work.
Markus
Srinivas Cheruku [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
I am using
Does the Unix version work with Heimdal, MIT and others ?
Thanks
Markus
Simon Wilkinson [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
The Thunderbird beta (1.5b1) that was released yesterday contains new
support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP
Simon,
is there also somewhere a documentation of how to enable it ? I didn't see
any option when setting up an account nor for an outgoing smtp server.
Thank you
Markus
Simon Wilkinson [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
The Thunderbird beta (1.5b1) that was released
Srini,
capture the traffic on port 88 with ethereal and look at the kdc error
reply. If it is a salt issue it will tell you. The other ktpass option you
might want to try is /ptype KRB5_NT_SRV_HST
Regards
Markus
Srini [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
I have
You have to add ajay/[EMAIL PROTECTED] to .k5login of user ajay
on engr-167.company.com, then a kinit as ajay/[EMAIL PROTECTED] and
a telnet -F -l ajay engr-167.company.com 545
Markus
vj [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
[EMAIL PROTECTED] ajay]$ telnet -F -l
Can you look at the error message ? I think there was a change in
calculating the salt for DES keys.
Regards
Markus
amol dixit [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi,
I have Windows 2k and 2k3 (SP1) AD servers in a
domain, and if I set the 2k server as the
Check also the kvno (key version number). 2000 doesn't increment it, whereas
2003 does, so you can get different kvnos from 2000 and 2003 kdcs. But there
is a patch from MS which allows to configure 2003 to act like a 2000 kdc wrt
to kvnos.
Regards
Markus
amol dixit [EMAIL PROTECTED] wrote in
Maybe this helps (from
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4a1daa3e-b45c-44ea-a0b6-fe8910f92f28.mspx
)
Markus
KRB_AS_REP Message Contents
The message includes:
- A TGS session key for the user to use with the TGS, encrypted with
the user key
In your krb5 config you use
sx86qa2.hyd.de.com = DE.COM
but the server wants deshaw.com not de.com !
HTTP/[EMAIL PROTECTED]
You need an entry for hyd.deshaw.com in your config file or change your
hostname to hyd.de.com. Also which key is in your keytab ?
Can you do a kinit -k -t
Can you describe what you have done ? When you always get a NTLM token it
normally means that there is no key for this service in your kdc. Check
that you don't use CNAMEs. Use kerbtray on your Windows machine to see
which tickets are available for IE.
Regards
Markus
Siarhei Baidun [EMAIL
I have a problem on OpenSolaris with the GSSAPI. When I use the MIT
gss-sample program (with minor changes e.g. included gssapi header file)
I don't get all the context flags transferred to the server. It looks like a
bug
somewhere in the gssapi. Has anybody seen this issue or know what is
wrong
I think I found the issue. It is bug 6310540
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6310540
Markus
Markus Moeller [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have a problem on OpenSolaris with the GSSAPI. When I use the MIT
gss-sample program (with minor
I have a problem on OpenSolaris with the GSSAPI. When I use the MIT
gss-sample program (with minor changes see attachment) I don't get all the
context flags transferred to the server. It looks like a bug somewhere in the
gssapi. Has anybody seen this issue or know what is wrong in the sample
I have a Kerberos setup with a w2k3 AD and MIT Kerberos 1.3.1 on my Unix
platform (rc4-hmac(23) is the default encryption type). I have many Unix
hosts successfully integrated into Kerberos. But now I see from time to time
an error message stream modified in the AP_REP when using mutual
Example errors are:
#ssh vshellserver.domain.com
debug3: input_userauth_banner
Unauthorised Access Warning:
Access to this computer is prohibited unless authorised.
Accessing programs or data unrelated to your job is prohibited.
debug1: Authentications that can continue: gssapi-with-mic
Sandy,
there are tools available for this like ads net join which is part of samba,
or use Dan Perry's tool at
http://www.pppl.gov/~dperry/msktutil/ . I have also an updated ktpass tool
for Unix on sourceforge
based on MS open source.
Markus
[EMAIL PROTECTED] wrote in message
news:[EMAIL
You can use ldapsearch -H ldap://server -b base -s sub
(serviceprincipalname=*)
serviceprincipalname from a unix box or use ldp or ADSIEdit or any other
ldap tool searching for serviceprincipalname.
The other option is setspn -L name, but this means looping over every AD
entry.
Markus
Celia