for this reason.
Nothing against LDAP, if you have data to publish it's the way
to go and we do plenty of it here, but for replicating the KDC?
talk about a cure that's worse than the disease ...
Donn Cave, [EMAIL PROTECTED]
Kerberos mailing list
of context, that's true, but conversations
like this can be awfully tedious if we have to drag
around explicit context. Give us a break, OK? How
would you explain the relation between LDAP vs. Kerberos?
Donn Cave, [EMAIL PROTECTED]
realm/domain maps,
and Kerberos realm information can be published in special
DNS SRV and TXT records. If you have tried this and were
not able to make it work, check that the [domain_realm]
section of your configuration file includes the new domain.
Donn Cave, [EMAIL PROTECTED
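Added example (not code from the post above, and not MIT's own code): a Python stand-in for the host-to-realm lookup the post is talking about. It walks a constructed [domain_realm] mapping the way the library does (full host name first, then each parent domain, a dotless entry implying the dotted one), falls back to the _kerberos.<domain> TXT record when dns_lookup_realm is on, and lists the SRV names a client queries for a realm's KDCs when dns_lookup_kdc is on. The config values and DNS answers are made up for the demonstration.

```python
"""Host-name-to-realm lookup as the Kerberos libraries perform it, plus the
DNS names a client queries to find a realm's KDCs.  Added example with a
constructed krb5.conf and DNS stand-in; not code from the mailing list."""

# Constructed krb5.conf stand-in.  Every value here is an assumption.
CONFIG = {
    "libdefaults": {"default_realm": "EXAMPLE.COM", "dns_lookup_realm": True},
    "domain_realm": {
        "crash.example.com": "TEST.EXAMPLE.COM",  # host name: matches that host
        ".dev.example.com": "TEST.EXAMPLE.COM",   # leading dot: hosts under the domain
        "example.com": "EXAMPLE.COM",             # host name; implies .example.com too
    },
}

# Constructed stand-in for the _kerberos.<domain> TXT records a resolver
# would return when dns_lookup_realm is on.
DNS_TXT = {"_kerberos.partner.example.org": "PARTNER.ORG"}


def domain_realm_keys(hostname):
    """Keys tried in order: the full host name, then each parent domain, first
    with and then without its leading dot."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    keys = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys += ["." + parent, parent]
    return keys


def host_to_realm(hostname, config=CONFIG, dns_txt=DNS_TXT):
    """Return (realm, how), where `how` names the stage that answered."""
    mapping = config.get("domain_realm", {})
    for key in domain_realm_keys(hostname):
        if key in mapping:
            return mapping[key], "domain_realm " + key
    # Nothing in [domain_realm]: ask DNS for a TXT record on the host, then on
    # each parent domain, if the library is configured to do so.
    if config["libdefaults"].get("dns_lookup_realm"):
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            name = "_kerberos." + ".".join(labels[i:])
            if name in dns_txt:
                return dns_txt[name], "dns " + name
    # Last resort: the domain portion of the host name, uppercased.
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) > 1:
        return ".".join(labels[1:]).upper(), "heuristic"
    return config["libdefaults"]["default_realm"], "default_realm"


def kdc_srv_names(realm):
    """SRV owner names looked up when dns_lookup_kdc is enabled."""
    r = realm.lower()
    return {
        "kdc_udp": "_kerberos._udp." + r,
        "kdc_tcp": "_kerberos._tcp." + r,
        "master_kdc_udp": "_kerberos-master._udp." + r,
        "kpasswd_udp": "_kpasswd._udp." + r,
        "kadmin_tcp": "_kerberos-adm._tcp." + r,
    }
```

Note the gotcha the post's advice is aimed at: the host dev.example.com itself is not covered by the ".dev.example.com" entry, so it falls through to the entry for example.com; a brand-new domain with no entry at all ends up on the DNS or the uppercase heuristic, which may not be the realm you meant.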
this for ca 8 years.
As for an LDAP solution, we've talked about this here before
(cf. LDAP KDB.) If you need an LDAP backend for some other
reason, that's one thing, but just for replication, I don't
think so.
Donn Cave, [EMAIL PROTECTED]
In article [EMAIL PROTECTED],
Jeremy Allison [EMAIL PROTECTED] wrote:
On Thu, 31 Aug 2006 12:22:47 -0700, Donn Cave wrote:
Custom krb5.conf isn't very elegant, but apart from that, would you agree
that this fits in the general area of configuration data from alternate
sources?
I
is common enough to warrant library support
for some default file convention, like /etc/krb5.keytab if root,
otherwise ~/krb5.keytab.
Not to say a configurable parameter isn't a good thing, too.
Donn Cave, [EMAIL PROTECTED]
be worth listening to, even if the service appears
to work without it.
Donn Cave, [EMAIL PROTECTED]
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
In article [EMAIL PROTECTED],
Scott Lowe [EMAIL PROTECTED] wrote:
On 2006-05-04 12:29:53 -0400, Donn Cave [EMAIL PROTECTED] said:
True, though there is a sort of grey area inhabited by services
that use Kerberos to perform password authentication. This is
functionally like kinit
to a service port number.
Donn Cave, [EMAIL PROTECTED]
.
You must therefore enter some command, in each window, to get
them to do that.
The command can be a simple one, if you use an alias or shell
procedure. Your shell startup can save the value of KRB5CCNAME
somewhere so the old screen shell can find it.
Donn Cave, [EMAIL PROTECTED
application won't use those, and
instead will send and receive authentication data according
to the ESMTP AUTH protocol. That's probably explained in
an ESMTP RFC.
Donn Cave, [EMAIL PROTECTED]
from Ken Raeburn, but as far
as I see it is fixed in 1.4.2.
I don't know what's in that patch. Does it look like you
already have applied something like this?
Donn Cave, [EMAIL PROTECTED]
---
*** include/fake-addrinfo.h.dist	Wed Jun 1 12:24:32 2005
, maybe missed a configure file.
IBM's implementation of some DNS functions uses a different size
state struct than the include files define, which guarantees memory
corruption when you try to use these functions. The configure
script forestalls this on AIX 5, should also do so on AIX 4.
Donn Cave
(or maybe
where there is no master KDC, though such sites may as well
configure a value anyway.)
Donn Cave, [EMAIL PROTECTED]
__res_state. I don't know if this would be true
for everyone, or if it's a patch my hosts happen to have.
SRV lookups work better if the configure scripts don't find
res_nsearch.
Also, AIX 5 defines AI_NUMERICSERV, which has implications
for MIT's getaddrinfo wrapper.
Donn Cave, [EMAIL
of DNS. So the fully qualified name must be listed first, not
second after the short name.
Donn Cave, [EMAIL PROTECTED]
on this in the
KDC syslog.
The kadmin function that populates a keytab does create
a new key version, so the old one is no longer valid for
new ticket requests. That's normally a feature. If you
want to store the key for a typeable password in a keytab,
I believe you can use ktutil for this.
Donn Cave
this
information from whatever configuration option initially
determines the virtual host, or dig it up via getsockname()
on the service port socket. Instead they probably did
the easiest thing and used gethostname().
Donn Cave, [EMAIL PROTECTED]
this.
Donn Cave, [EMAIL PROTECTED]
, anyway, so I
can't answer this one.
3. Does anyone have experience making MIT Kerberos work with a Cisco
VPN 3000? I've looked through the Cisco documentation and it doesn't
mention preauth or really much of anything except how to format your
@ signs.
Sorry!
Donn Cave, [EMAIL
.
Donn Cave, [EMAIL PROTECTED]
names
are in fact in there, in the first field as user IDs.
Donn Cave, [EMAIL PROTECTED]
for
that, an environment variable KRB5_KTNAME, is the only way
that comes to mind.
Donn Cave, [EMAIL PROTECTED]
checking.
Donn Cave, [EMAIL PROTECTED]
source for this than the author
of imapd.
Donn Cave, [EMAIL PROTECTED]
, the
server should support GSSAPI authentication. Apple Mail,
Pine are a couple of clients that come to mind that support
GSSAPI authentication. imapd logs to the mail syslog log.
There is a comp.mail.imap newsgroup, where people know more
about this software.
Donn Cave, [EMAIL PROTECTED
filesystem, but I don't know that can of worms/garden of
delights by experience.
Donn Cave, [EMAIL PROTECTED]
service ticket. If you could, as root, try
$ klist -k -e
does the ftp key's encryption type match your service ticket?
Donn Cave, [EMAIL PROTECTED]
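Added example, not from the post above and not MIT's code: what `klist -k -e` is reading when you do the check suggested here. It parses the MIT keytab file format (version 0x0502), lists each entry's kvno and enctype, and answers the two questions from this and the earlier ktadd/ktutil posts: does the keytab hold a key with the kvno and enctype the service ticket was issued under, and which kvno is current after a `kadmin ktadd` bumped it. The keytab bytes are constructed with a small writer; principals and keys are made up.

```python
"""Parse an MIT keytab (file version 0x0502) to see, as `klist -k -e` would,
which kvno and enctype each service key has.  Added example; the keytab below
is constructed with a small writer and is not from the mailing list."""
import struct

# Enctype numbers from the Kerberos registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}

def _read_counted(buf, off):
    """uint16 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _write_counted(b):
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """One entry: component count, realm, components, name type (1 =
    NT-PRINCIPAL), timestamp, 8-bit kvno, keyblock, and the 32-bit kvno newer
    writers append because the 8-bit field wraps at 256."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _write_counted(realm.encode())
    body += b"".join(_write_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _write_counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def keytab_hole(nbytes):
    """What deleting an entry leaves behind: a negative size, then padding."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes

def build_keytab(entries):
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)

def parse_keytab(data):
    """List of dicts (principal, kvno, enctype, key, timestamp).  Holes are
    skipped; a nonzero trailing 32-bit kvno overrides the 8-bit one."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off -= size          # skip the hole
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _read_counted(data, off + 11)
        kvno = vno8
        if end - off >= 4:
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "key": key, "timestamp": timestamp,
                        "enctype": ENCTYPE_NAMES.get(enctype, "etype %d" % enctype)})
        off = end
    return entries

def klist_ke(entries):
    """Lines shaped like `klist -k -e` output: kvno, principal, enctype."""
    return ["%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype"]) for e in entries]

def matching_key(entries, principal, kvno, enctype):
    """The check the post suggests doing by eye: is there a key for this service
    with the kvno and enctype the ticket was encrypted under?"""
    for e in entries:
        if (e["principal"], e["kvno"], e["enctype"]) == (principal, kvno, enctype):
            return e
    return None

def current_kvno(entries, principal):
    """Highest kvno on file: what new tickets use after `kadmin ktadd`; older
    entries left in the file still decrypt tickets issued before the change."""
    return max(e["kvno"] for e in entries if e["principal"] == principal)

# Constructed sample: ftp's key was rotated from a DES key (kvno 2) to an AES
# key (kvno 3) with ktadd; the host key is at kvno 3 too.
SAMPLE_KEYTAB = build_keytab([
    ("ftp/host.example.com@EXAMPLE.COM", 2, 1, b"\x01" * 8, 1000),
    ("ftp/host.example.com@EXAMPLE.COM", 3, 18, b"\x02" * 32, 2000),
    ("host/host.example.com@EXAMPLE.COM", 3, 18, b"\x03" * 32, 2000),
])
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` as root to get the same picture for a real file. A ticket encrypted under kvno 3 with aes256 decrypts; one the KDC issued under an enctype the keytab never held, or under a kvno that ktadd has since replaced and that was not left in the file, does not.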
for GSS Fetch users behind NATs, for
example.
Donn Cave, [EMAIL PROTECTED]
by the system administrator.
Or left in there, doesn't make any difference.
Donn Cave, [EMAIL PROTECTED]
something like that here with
FTP, for the sake of web development tools that use it, and it
seems to have worked out fairly well. You'd have to know something
about the telnet protocol and how Kerberos fits in, which I guess
you could get from the MIT source.
Donn Cave, [EMAIL PROTECTED
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Jeffrey Hutzelman) wrote:
On Monday, April 12, 2004 16:52:23 -0700 Donn Cave [EMAIL PROTECTED]
wrote:
I believe we're more or less always asking for this trouble.
If you don't get a canonical, reverse looked-up name back
out of MIT
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Jeffrey Hutzelman) wrote:
On Saturday, April 10, 2004 16:47:21 + Donn Cave [EMAIL PROTECTED]
wrote:
It depends on your client software. All you need to do is resolve the
addresses to canonical host name first, and use the resolved
host, on all server hosts - ldap/server1 + ldap/server2 + ...
Donn Cave, [EMAIL PROTECTED]
. This
approach has been very successful, in my opinion, and if anyone
is thinking about developing a more general solution in this
area, it's a model to consider. Useful in a heterogeneous
authentication environment.
Donn Cave, [EMAIL PROTECTED
' into a directory. Everything
else is done with external programs and scripts. I've posted
more details which should be in the list archives someplace.
That sounds similar to our setup. Same hooks, but of course
different external software.
Donn Cave, [EMAIL PROTECTED
.
Donn Cave, [EMAIL PROTECTED]
local credentials to get a service ticket
for the remote sshd. Rather, it is password authentication - your
password goes across the wire to the remote sshd - where the Kerberos
module acts as a proxy client+server to validate the password.
Donn Cave, [EMAIL PROTECTED
in that log. You might
try the full [EMAIL PROTECTED] principal name with kinit.)
The KDC syslog is really essential for troubleshooting configuration
problems and things like that.
Donn Cave, [EMAIL PROTECTED]
DNS address of the host computer
realm is the Kerberos realm, exact case (rarely needed.)
Donn Cave, [EMAIL PROTECTED]
apply to the master
only if the master is also taking all the authentication requests.
I would get that information from logs, instead.
Donn Cave, [EMAIL PROTECTED]
16 23 1 3 2})
192.168.10.170: PREAUTH_FAILED: krink/[EMAIL PROTECTED] for
krbtgt/[EMAIL PROTECTED], Decrypt integrity check
failed
When I've seen that `preauth (timestamp)' error, it has
indeed meant that there is a substantial time discrepancy
between the KDC and client.
Donn Cave, [EMAIL
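Added example, not from the posts and not MIT's code: a parser for the krb5kdc syslog lines quoted in this thread, in both shapes seen here (the older "ADDR(PORT): ISSUE:authtime ..." and the later "(N etypes {...}) ADDR: STATUS: ..."). It pulls out client, server, authtime and failure reason, and then does what you would do by hand on the KDC log: count outcomes per source address, flag a source that keeps failing preauth with "Decrypt integrity check failed" (the client's key did not decrypt the timestamp, i.e. a wrong password or a key/salt mismatch), and separate out "Clock skew too great", which is the time problem, not a password problem. The log lines are constructed for the demonstration; the hosts, principals and addresses are made up.

```python
"""Parse krb5kdc log lines and pull out what you need when chasing an
authentication failure or spotting password guessing against the KDC.
Added example; the sample lines below are constructed, not real logs."""
import re
from collections import Counter, defaultdict

PRINC = r"[^\s,]+@[^\s,]+"
LINE = re.compile(
    r"krb5kdc\[\d+\](?:\([a-z]+\))?: "
    r"(?P<msgtype>AS_REQ|TGS_REQ)"
    r"(?: \(\d+ etypes \{[^}]*\}\))?"          # client's offered enctypes (newer logs)
    r" (?P<addr>[0-9A-Fa-f.:]+?)(?:\(\d+\))?: "  # source address, optional (port)
    r"(?P<status>[A-Z_]+): ?(?P<rest>.*)$")
PAIR = re.compile(r"(?P<client>%s) for (?P<server>%s)(?:, (?P<reason>.*))?$" % (PRINC, PRINC))


def parse_kdc_line(line):
    """dict with msgtype, addr, status, client, server, reason, authtime; or None."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PAIR.search(rec.pop("rest"))
    rec.update(p.groupdict() if p else {"client": None, "server": None, "reason": None})
    t = re.search(r"authtime (\d+)", line)
    rec["authtime"] = int(t.group(1)) if t else None
    return rec


def summarize(lines, guess_threshold=3):
    """Return (Counter of (addr, status), findings).  A source with at least
    guess_threshold bad-key preauth failures is reported as password guessing;
    clock-skew failures are reported separately because the fix is ntp, not
    a password reset."""
    counts = Counter()
    failures = defaultdict(list)
    findings = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        counts[(rec["addr"], rec["status"])] += 1
        if rec["status"] == "PREAUTH_FAILED":
            failures[rec["addr"]].append(rec)
            if rec["reason"] and rec["reason"].startswith("Clock skew"):
                findings.append("clock skew: %s from %s" % (rec["client"], rec["addr"]))
    for addr, recs in failures.items():
        bad_key = [r for r in recs if r["reason"] == "Decrypt integrity check failed"]
        if len(bad_key) >= guess_threshold:
            who = ", ".join(sorted({r["client"] for r in bad_key}))
            findings.append("%d bad-password preauth failures from %s against %s"
                            % (len(bad_key), addr, who))
    return counts, findings


# Constructed sample in the two formats quoted in the thread.
SAMPLE_LOG = """\
Apr 10 08:11:00 kerb1 krb5kdc[715]: TGS_REQ 123.123.123.2(88): ISSUE:authtime 1018447267, alice@EXAMPLE.COM for ftp/host.example.com@EXAMPLE.COM
Apr 10 08:11:03 kerb1 krb5kdc[715]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.170: PREAUTH_FAILED: krink/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 10 08:11:04 kerb1 krb5kdc[715]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.170: PREAUTH_FAILED: krink/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 10 08:11:05 kerb1 krb5kdc[715]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.170: PREAUTH_FAILED: krink/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 10 08:11:09 kerb1 krb5kdc[715](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Clock skew too great
Apr 10 08:11:10 kerb1 krb5kdc[715](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1018447270, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
""".splitlines()
```

Feed it the real file with `summarize(open("/var/log/krb5kdc.log").readlines())`; the per-(address, status) counts are also the honest version of the "authentication statistics" question raised earlier in the thread, since they come from whichever KDC actually answered.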
the latter problem, but
of course they are not very useful where the actual host
names have to be cloaked in mystery.
Donn Cave, [EMAIL PROTECTED]
goes down.
It's done with select() on the socket file descriptor in conjunction
with the connect() function.
Donn Cave, [EMAIL PROTECTED]
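Added example of the select()-with-connect() technique the post names, written here in Python rather than taken from the MIT library: the socket is made non-blocking so connect() returns at once, select() waits at most the chosen number of seconds for it to become writable, and SO_ERROR then tells a refused connection apart from a completed one. Wrapped around a list of KDC addresses it gives the failover behaviour the question was about. The KDC addresses are stand-ins; the helpers at the end create a local listener and a closed port so the demonstration runs offline.

```python
"""Non-blocking connect() bounded by select(), the way a Kerberos client
avoids hanging on a KDC that is down, and moves on to the next one.
Added example; not the MIT library's own sendto_kdc code."""
import errno
import select
import socket


def connect_with_timeout(addr, timeout):
    """Return a connected TCP socket, or None if the connect was refused,
    failed, or did not complete within `timeout` seconds."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)
    err = s.connect_ex(addr)               # returns immediately, usually EINPROGRESS
    if err not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
        s.close()
        return None
    if err != 0:
        _, writable, _ = select.select([], [s], [], timeout)
        if not writable:                   # deadline passed: host down or filtered
            s.close()
            return None
        err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if err != 0:                       # e.g. ECONNREFUSED: nothing listening
            s.close()
            return None
    s.setblocking(True)
    return s


def first_reachable_kdc(kdcs, timeout=1.0):
    """Try each (host, port) in order, as the library walks its kdc list or
    SRV answers; return (addr, socket) of the first that completes the
    handshake, or (None, None) when every KDC is unreachable."""
    for addr in kdcs:
        s = connect_with_timeout(addr, timeout)
        if s is not None:
            return addr, s
    return None, None


def local_listener():
    """Stand-in for a live KDC: a listening socket on an ephemeral loopback
    port.  The kernel completes the TCP handshake without accept()."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    return lsock


def refused_port():
    """Stand-in for a dead KDC: a loopback port nothing listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port
```

A port that silently drops packets (a firewall in front of a decommissioned KDC) is the case the select() deadline exists for; a refused port fails in a round trip with or without it.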
rate, you have to use
whatever name the host uses for itself.
Donn Cave, [EMAIL PROTECTED]
In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (Matthijs Mohlmann) wrote:
On Tue, 2003-09-02 at 05:12, Donn Cave wrote:
Quoth [EMAIL PROTECTED] (Matthijs Mohlmann):
...
| Now when i try to login to my ssh service with the following command:
| [EMAIL PROTECTED]:~$ ssh -A -K active2
might add, what host
name shows up in klist afterwards, if any. GSS ftp does have
some host name issues. On the bright side, at least you're not
running krb5-1.3 yet, so telnet probably works.
Donn Cave, [EMAIL PROTECTED]
want a keytab entry and a known password, you
have to use ktutil to create it. I think ideally this would very
rarely be necessary.
Donn Cave, [EMAIL PROTECTED]
check the status by running 'grep -i gssapi
| Makefile' and seeing if you've got the GSSAPI stuff being linked into
| the OpenSSH build or not.
You have to run autoreconfig after applying the patch. That's the
part that's easiest to forget to do, at least it was for me.
Donn Cave, [EMAIL
there
isn't a bullet in the password file, but at any rate there
must be some mapping from [EMAIL PROTECTED] to user.
Donn Cave, [EMAIL PROTECTED]
-
# Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
GssapiAuthentication yes
GSSAPIDelegateCredentials yes
KerberosAuthentication yes alone, in both, should be enough,
something you can easily try if you have further difficulties.
Donn Cave
- they reside on the host that acquired them, as
sshd did that. When used to authenticate to some service from there,
that's just simple basic Kerberos authentication, no forwarding needed.
Donn Cave, [EMAIL PROTECTED]
comes before the full name in /etc/hosts. The same is
true of alias names in the DNS CNAME sense, that they should just
work in current implementations (though perhaps not forever, if I
read the draft right.)
Donn Cave, [EMAIL PROTECTED
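Added example, not from the posts and not MIT's code: a model of what krb5_sname_to_principal() does to a host name before it becomes the host part of "host/...@REALM", which is the mechanism behind the /etc/hosts ordering, the CNAME aliases, and the earlier "resolve to the canonical host name first" advice. It runs against a constructed /etc/hosts (one copy with the short name first, one with the FQDN first) and a constructed DNS table with a CNAME, an A record and a PTR record, and then shows the consequence: the computed name has to be in the server's keytab exactly. All hosts, addresses and the realm are made up.

```python
"""What krb5_sname_to_principal() does to a host name before it becomes the
host part of a service principal, run against a constructed /etc/hosts and
a constructed DNS table.  Added example, not MIT's code."""

DEFAULT_REALM = "EXAMPLE.COM"   # assumed

# /etc/hosts stand-ins: (address, names on the line).  For the 'files' source
# the first name on the line is what getaddrinfo() reports as canonical.
HOSTS_SHORT_FIRST = [("10.0.0.5", ["server1", "server1.example.com"])]
HOSTS_FQDN_FIRST = [("10.0.0.5", ["server1.example.com", "server1"])]

# DNS stand-in: a CNAME alias, A records and PTR records.
DNS = {
    "cname": {"ldap.example.com": "server2.example.com"},
    "a": {"server2.example.com": "10.0.0.6"},
    "ptr": {"10.0.0.6": "server2.example.com"},
}


def forward_lookup(name, hosts, dns):
    """getaddrinfo(name, AI_CANONNAME) with 'files dns' order: returns
    (canonical_name, address) or None.  CNAME chains are followed."""
    name = name.lower().rstrip(".")
    for addr, names in hosts:
        if name in [n.lower() for n in names]:
            return names[0].lower(), addr
    target, seen = name, set()
    while target in dns["cname"] and target not in seen:
        seen.add(target)
        target = dns["cname"][target]
    if target in dns["a"]:
        return target, dns["a"][target]
    return None


def reverse_lookup(addr, hosts, dns):
    """getnameinfo()/PTR: the name registered for the address, or None."""
    for a, names in hosts:
        if a == addr:
            return names[0].lower()
    return dns["ptr"].get(addr)


def realm_for(host):
    """Host-to-realm stand-in: domain portion uppercased, else default realm."""
    return host.split(".", 1)[1].upper() if "." in host else DEFAULT_REALM


def sname_to_principal(service, hostname, hosts, dns, rdns=True):
    """Forward-resolve to the canonical name; with rdns, replace it by the
    reverse-lookup name of the first address (the classic behaviour, and the
    reason the PTR record matters); lowercase; strip a trailing dot; then
    build service/host@REALM."""
    fwd = forward_lookup(hostname, hosts, dns)
    if fwd is None:
        raise LookupError("cannot resolve " + hostname)
    canon, addr = fwd
    if rdns:
        rev = reverse_lookup(addr, hosts, dns)
        if rev:
            canon = rev
    canon = canon.lower().rstrip(".")
    return "%s/%s@%s" % (service, canon, realm_for(canon))


def keytab_will_match(principal, keytab_principals):
    """The consequence: the name the client computed must be in the server's
    keytab exactly, or the service ticket cannot be decrypted."""
    return principal in keytab_principals
```

With rdns on, whoever controls the reverse zone for the server's address decides which principal name the client asks a ticket for, so that path is also the one to think about when the PTR records are not yours.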
else either, they're just gone, along with the kinit
process that owned that storage, but that would be what you wanted.
Donn Cave, [EMAIL PROTECTED]
ftpd, right? Or does the GSS ftpd from
the current MIT release now support clients from behind a NAT?
Donn Cave, [EMAIL PROTECTED]
| In article [EMAIL PROTECTED],
| Protima Chhabra [EMAIL PROTECTED] wrote:
| : Hi,
| :
| : I have a Kerberos client
, once implementation of all this new
stuff is nailed down? Am I right that the classic krb524d AFS
support depends on V4 keys in the V5 KDC?
Thanks,
Donn Cave, [EMAIL PROTECTED]
An alternate conversion is provided for AFS servers that support
Kerberos
| implementation, though ... I could give you mine, but if you're using
| a newer Kerberos release, it probably won't work. I think we got ours
| from Donn Cave, originally.
I don't think so! It doesn't come with the MIT Kerberos5 distribution
for Windows, you're saying?
As for Eudora, I
credentials cache after you run the client, so try klist. In
either case, it may be helpful to clear the cache first.
Donn Cave, [EMAIL PROTECTED]
be misconfigured, like
someone installed an IPv6 option but some include files were
not updated. It's going to bite you every time you try to
compile just about anything.
Donn Cave, [EMAIL PROTECTED]
| (Error message below)
...
| cc: Error: /usr
any fairly recent compiler. But it doesn't define __STDC__, and
that's really what -std is usually about -- it's just there to get
that macro.
Donn Cave, [EMAIL PROTECTED]
getpseudotty),
if building an application that uses ptys.
It's some work, but not like rewriting to TLI - and that might
not work anyway, if the actual problem is no better understood
than sockets are bad!
Donn Cave, [EMAIL PROTECTED]
-cbc-crc
default_tgs_enctypes = des-cbc-crc
and I added these for the Heimdal applications -
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
Donn Cave, [EMAIL PROTECTED]
want to use existing software, you might want
to specify the platform. I know pine and recent Windows versions of Eudora
will do that, undoubtedly a few others.
Donn Cave, [EMAIL PROTECTED]
.
Donn Cave, [EMAIL PROTECTED]
| The logs show:
| Apr 10 08:11:00 kerb1 krb5kdc[715]: TGS_REQ 123.123.123.2(88):
| ISSUE:authtime 1018447267, [EMAIL PROTECTED] for [EMAIL PROTECTED]
| pr 10 08:11:48 kerb1 krb5kdc[715]: TGS_REQ 123.123.123.2(88):
| ISSUE:authtime 1018447267, [EMAIL
, in krb5_sname_to_principal().
This is probably not the problem our nameless correspondent Someone
is having, but I believe he is using Heimdal too.
Donn Cave, [EMAIL PROTECTED]
$HOME/.k5login
Just a guess.
Donn Cave, [EMAIL PROTECTED]
and build it, and find out what it's doing
in lib/krb5/os/kuserok.c. (Or find out that the source you build
works, where the stuff you're now using doesn't.)
Donn Cave, [EMAIL PROTECTED]
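Added example, not from the posts and not the code in lib/krb5/os/kuserok.c: the decision that routine makes, written out in Python so the two paths from the last few posts are visible. If $HOME/.k5login exists, the file is authoritative and the principal must be listed in it verbatim (and the file must belong to the user or root); if it does not exist, the principal is mapped to a local name (the DEFAULT mapping accepts a single-component principal in the default realm, and an auth_to_local RULE can rewrite others) and that name must equal the account being logged into. The home directory, account name, realm and rule are constructed for the demonstration; the file check uses the running user's uid so it works in a scratch directory.

```python
"""Decide whether a Kerberos principal may log in as a local user the way
krb5_kuserok() does: ~/.k5login if present, otherwise the principal-to-local
name mapping.  Added example with a constructed home directory; not MIT's code."""
import os
import re
import tempfile


def parse_principal(princ):
    """'a/b@REALM' -> (['a', 'b'], 'REALM').  Escaped '\\@' is not handled."""
    name, _, realm = princ.rpartition("@")
    if not realm:
        raise ValueError("principal without realm: " + princ)
    return name.split("/"), realm


def aname_to_lname(princ, default_realm, rules=("DEFAULT",)):
    """Apply auth_to_local entries in order; None when nothing maps.
    DEFAULT: one component in the default realm.  RULE:[n:fmt](regexp)s/p/r/[g]
    in MIT's syntax; here the regexp is searched, not anchored, so write ^...$
    as the MIT documentation examples do (an assumption of this example)."""
    comps, realm = parse_principal(princ)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = re.match(r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$", rule)
        if not m:
            raise ValueError("bad auth_to_local rule: " + rule)
        n, fmt, selector, pat, rep, gflag = m.groups()
        if len(comps) != int(n):
            continue
        s = fmt.replace("$0", realm)
        for i, c in enumerate(comps, 1):
            s = s.replace("$%d" % i, c)
        if selector and not re.search(selector, s):
            continue
        if pat is not None:
            s = re.sub(pat, rep, s, count=0 if gflag else 1)
        return s
    return None


def kuserok(princ, luser, home, default_realm, rules=("DEFAULT",), luser_uid=None):
    """True if princ may log in as luser.  luser_uid is the uid .k5login must be
    owned by (root is always acceptable); None means the calling user's uid."""
    k5login = os.path.join(home, ".k5login")
    if os.path.exists(k5login):
        owner = os.getuid() if luser_uid is None else luser_uid
        if os.stat(k5login).st_uid not in (0, owner):
            return False                  # planted by someone else: ignore it
        with open(k5login) as f:
            allowed = {line.strip() for line in f if line.strip()}
        return princ in allowed           # authoritative: no fallback to an2ln
    return aname_to_lname(princ, default_realm, rules) == luser


def demo():
    """Constructed scenario: a scratch home for the account 'donn'."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        results["no_file_same_realm"] = kuserok("donn@EXAMPLE.COM", "donn", home, "EXAMPLE.COM")
        results["no_file_other_realm"] = kuserok("donn@OTHER.ORG", "donn", home, "EXAMPLE.COM")
        results["no_file_instance"] = kuserok("donn/admin@EXAMPLE.COM", "donn", home, "EXAMPLE.COM")
        with open(os.path.join(home, ".k5login"), "w") as f:
            f.write("donn/admin@EXAMPLE.COM\nalice@OTHER.ORG\n")
        results["k5login_listed"] = kuserok("alice@OTHER.ORG", "donn", home, "EXAMPLE.COM")
        results["k5login_unlisted"] = kuserok("donn@EXAMPLE.COM", "donn", home, "EXAMPLE.COM")
    return results
```

The last case is the one that surprises people: once a .k5login exists, the user's own principal is refused unless it is listed too.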
Kerberos 4, but
I wouldn't expect that to do you much good.
Donn Cave, [EMAIL PROTECTED]
program creates
| a pseudo-random filename for the cache (such as
| /tmp/krb5cc_XYZPDQ). Why is this?
You could have several sessions concurrently on the same host.
This way you don't lose your credentials from one session when
another one starts or exits (they're deleted on exit.)
Donn
(as well as wrong.)
Donn Cave, [EMAIL PROTECTED]
the server runs with.
Donn Cave, [EMAIL PROTECTED]
not a sarcastic question - I think
the point could be argued, at least for services that all run as root
or have enough common privilege.
Donn Cave, [EMAIL PROTECTED]
Quoth [EMAIL PROTECTED] (Sam Hartman):
| Donn == Donn Cave [EMAIL PROTECTED] writes:
|
|Donn An LDAP service certainly should have its own key, but in my
|Donn opinion this should actually be a run time option. LDAP
|Donn services aren't really a distinct category. You might run
there are implementations that do exactly that.)
Donn Cave, [EMAIL PROTECTED]
for security reasons.
(Since then I have seen the light, Kerberos libraries are static.)
Donn Cave, [EMAIL PROTECTED]
of applications, which can be kerberized and then use
| encryption in the same manner as it can be done with telnet? Would it be
| possible for openafs, as well?
I would think so, but not necessarily with the current version of Kerberos,
Kerberos 5. Haven't tried it myself.
Donn Cave, [EMAIL PROTECTED]
, then ticket forwarding will give you
that extended single signon as an extra benefit for those users.
Donn Cave, [EMAIL PROTECTED]
Quoth [EMAIL PROTECTED] (Sam Hartman):
| Donn == Donn Cave [EMAIL PROTECTED] writes:
|
| Donn What you describe is kind of a perversion of single signon.
| Donn The real thing happens on the local computer, not some
| Donn remote computer.
|
| UH, no, this is single signon. Single