Re: What form is the timestamp in the KRB5_TRACE log (and why)

2020-04-03 Thread Todd Grayson
Cool, thanks!

On Fri, Apr 3, 2020 at 8:59 AM Greg Hudson  wrote:

> On 4/3/20 10:21 AM, Todd Grayson wrote:
> > Ok but does that mean Unix Epoch time conversion should be working, or is
> > there some other form of secret decoder ring that is used to translate to
> > system time?
>
> It's just system time.
>
> $ date; KRB5_TRACE=/dev/stdout kvno user
> Fri Apr  3 10:58:03 EDT 2020
> [...]
> [12194] 1585925883.499498: Retrieving u...@krbtest.com [...]
> [...]
> $ date -d '@1585925883'
>     Fri Apr  3 10:58:03 EDT 2020
>


-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
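Greg's reply above settles the format: the number before the colon is ordinary Unix time with a microsecond fraction, so the only conversion needed is the one `date -d '@…'` does. The Python below is an added example (it is not from the thread and not part of MIT krb5): it parses constructed KRB5_TRACE lines into aware UTC datetimes and then picks out the trace events that fall within a window around a timestamp taken from some other service's log, which is the correlation Todd is after. The first sample timestamp is the value Greg showed; the principal, the other lines, the external log timestamp and the 200 ms default window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed KRB5_TRACE excerpt (not captured from a real run). The first
# timestamp is the one shown in the thread; the others are made up.
SAMPLE_TRACE = """\
[12194] 1585925883.499498: Getting initial credentials for user@EXAMPLE.COM
[12194] 1585925883.501234: Sending request (176 bytes) to EXAMPLE.COM
[12194] 1585925884.012345: Received answer (309 bytes) from kdc.example.com
"""

# One trace record: "[pid] seconds.microseconds: message"
TRACE_LINE = re.compile(r"^\[(?P<pid>\d+)\] (?P<stamp>\d+\.\d+): (?P<msg>.*)$")


def trace_timestamp_to_datetime(stamp):
    """Convert 'seconds.microseconds' to an aware UTC datetime.

    The value is plain Unix time (seconds since 1970-01-01 UTC) plus a
    microsecond fraction; it is not milliseconds. Dropping the dot and
    feeding all sixteen digits to an epoch converter, or treating the
    integer part as milliseconds, is what yields absurd dates.
    """
    secs, _, frac = stamp.partition(".")
    micros = int(frac.ljust(6, "0")[:6]) if frac else 0
    return datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=micros)


def parse_krb5_trace(text):
    """Parse trace output into {pid, time, msg} dicts, skipping non-trace lines."""
    events = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m is None:
            continue  # e.g. program output interleaved with the trace on stdout
        events.append({
            "pid": int(m.group("pid")),
            "time": trace_timestamp_to_datetime(m.group("stamp")),
            "msg": m.group("msg"),
        })
    return events


def events_near(events, when, window=timedelta(milliseconds=200)):
    """Trace events whose time lies within +/- window of an aware datetime."""
    if when.tzinfo is None:
        raise ValueError("pass an aware datetime; a naive local time makes the match ambiguous")
    return [e for e in events if abs(e["time"] - when) <= window]


def format_local(event, tz):
    """Render an event's time in the zone another log uses (e.g. EDT)."""
    return event["time"].astimezone(tz).strftime("%Y-%m-%d %H:%M:%S.%f %Z")


if __name__ == "__main__":
    events = parse_krb5_trace(SAMPLE_TRACE)
    edt = timezone(timedelta(hours=-4), "EDT")
    for e in events:
        print(format_local(e, edt), e["pid"], e["msg"])
    # Constructed timestamp from a hypothetical service log that records its UTC offset.
    app_event = datetime.fromisoformat("2020-04-03T10:58:03.600-04:00")
    for e in events_near(events, app_event):
        print("near app event:", e["msg"])
```

Logs from other services often carry local time without an offset; converting both sides to aware datetimes before comparing, as `events_near` insists on, avoids the off-by-a-timezone mistakes that make a trace look hours away from the failure it explains.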


Re: What form is the timestamp in the KRB5_TRACE log (and why)

2020-04-03 Thread Todd Grayson
Ok but does that mean Unix Epoch time conversion should be working, or is
there some other form of secret decoder ring that is used to translate to
system time?  In troubleshooting/debugging scenarios, being able to
associate the timestamps from the KRB5_TRACE that has been running over an
extended period with external services integrating with kerberos would
be... handy?  I can find no real references on krb5_crypto_us_timeofday()
other than a select set of developer comments within the source code, and a
whole bunch of spam advertising sites representing it and other source code
segments?

On Thu, Apr 2, 2020 at 10:09 PM Benjamin Kaduk  wrote:

> On Thu, Apr 02, 2020 at 09:04:33PM -0600, Todd Grayson wrote:
> > Is this some form of specialized unix epoch time timestamp or something?
> > And more importantly... why?  How do I convert it, normal epoch time
> > conversion is yielding insane values.
>
> It looks to just be the seconds.microseconds output from
> krb5_crypto_us_timeofday().
>
> -Ben
>


-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME



What form is the timestamp in the KRB5_TRACE log (and why)

2020-04-02 Thread Todd Grayson
Is this some form of specialized unix epoch time timestamp or something?
And more importantly... why?  How do I convert it, normal epoch time
conversion is yielding insane values.


Thanks in advance...



Re: Failed to verify CMS message: bad signature

2020-02-26 Thread Todd Grayson
The discussions I've seen where this is done successfully use tar to grab
all the files (do an ls -la in the kdc path to see what you missed) along
with the krb5.conf.  I believe you are missing important file(s) based on
what you listed.

On Wed, Feb 26, 2020, 7:31 AM jarek  wrote:

> Hello!
>
> I've tried to migrate KDC (Debian 7) to new hardware with
> Debian 9.
> We are using KDC with pkinit and smartcards.
> After fresh installation, I have copied /etc/krb5.conf,
> /etc/krb5.keytab, /etc/krb5kdc and /var/lib/krb5kdc.
> All certificates are in /etc/krb5kdc.
> The new machine has the same name as old, only IP is different.
> kadmin lists all principals, kdc and admin server are working.
>
> kinit from remote machine fails, on KDC in authlog we have
> message:
>
> PREAUTH_FAILED: Failed to verify CMS message: bad signature
>
> What can be wrong ?
>
> Best regards
> Jarek
>
>



Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread Todd Grayson
oops mistyped on the CAPATH example, it SHOULD read:

(e.g. REALM A trusts REALM B, and REALM C trusts REALM B, but REALM A and
REALM C do not trust each other)

On Wed, Dec 11, 2019 at 7:16 PM Todd Grayson  wrote:

> Cross realm trust would involve setting up specific krbtgt principals that
> represent the trusting realm and trusted realm, having proper realm entries
> present as well as proper domain_realm declarations in place.  We cover the
> cross realm trust concept and command line steps between MIT realms as well
> as between an AD realm and an MIT realm in our product documentation (google
> "kerberos cross realm trust cloudera" to find it).  For AD to AD realm
> trust, the domains & trusts management tool is used to configure this via a
> GUI.
>
> If you have indirect trust scenarios (e.g. REALM A trusts REALM B, and
> REALM C trusts REALM B, but A and B do not trust each other) you will need
> to read up on using CAPATH maps as well.
>
> Glad to help.
>
> On Wed, Dec 11, 2019 at 7:05 PM GemNEye  wrote:
>
>> On 2019-12-11 18:52, Todd Grayson wrote:
>>
>> The domain_realm section of the krb5.conf is used to map DNS domain names
>> to kerberos realms.  So let's say you had an active directory domain (dns
>> domain and AD domain) of ad.example.com, its kerberos realm would be
>> AD.EXAMPLE.COM, but let's say your environment had linux servers in
>> dev.example.com, but you still wanted them to be recognized as systems
>> that have services that have kerberos principals in the
>> AD.EXAMPLE.COM kerberos realm.  You would use the [domain_realm]
>> section of the krb5.conf to map this dns domain to the kerberos realm with
>> the entry
>>
>> [domain_realm]
>> dev.example.com = AD.EXAMPLE.COM
>>
>> The need for this kind of configuration comes up in hadoop as the
>> kerberos principals for the linux hosts will need to understand what realm
>> and KDC they need to resolve to, as the default behavior of kerberos is to
>> resolve the lowercase dns name to the uppercase REALM name, but in the
>> scenario where dns names are host.dev.example.com, and there is no
>> kerberos realm of DEV.EXAMPLE.COM, for java applications things will
>> fail with a GSS error of "host not found in the kerberos database" type of
>> message, unless there is a [domain_realm] mapping like above in place.
>>
>> This is NOT cross realm trust when you use this kind of [domain_realm]
>> mapping, that is a completely different thing and would involve multiple
>> kerberos realms trusting each other for authenticating users and services
>> (just in case you were going to ask).
>>
>>
>> --
>> Todd Grayson
>> Principal Customer Operations Engineer
>> Security SME
>>
>> Yep, that is exactly what I was going to ask.  Our current config has
>> entries for other AD DNS domains being mapped to the realm that is
>> configured in the [realms] stanza.  I was trying to figure out why that was
>> being done and what purpose it was serving.  I was not able to get an
>> answer from my co-workers which is why I posted here.  From your
>> description it sounds like this configuration is probably erroneous.
>>
>> Thank you for your response.
>>
>
>
> --
> Todd Grayson
> Principal Customer Operations Engineer
> Security SME
>
>

-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME



Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread Todd Grayson
Cross realm trust would involve setting up specific krbtgt principals that
represent the trusting realm and trusted realm, having proper realm entries
present as well as proper domain_realm declarations in place.  We cover the
cross realm trust concept and command line steps between MIT realms as well
as between an AD realm and an MIT realm in our product documentation (google
"kerberos cross realm trust cloudera" to find it).  For AD to AD realm
trust, the domains & trusts management tool is used to configure this via a
GUI.

If you have indirect trust scenarios (e.g. REALM A trusts REALM B, and
REALM C trusts REALM B, but A and B do not trust each other) you will need
to read up on using CAPATH maps as well.

Glad to help.

On Wed, Dec 11, 2019 at 7:05 PM GemNEye  wrote:

> On 2019-12-11 18:52, Todd Grayson wrote:
>
> The domain_realm section of the krb5.conf is used to map DNS domain names
> to kerberos realms.  So let's say you had an active directory domain (dns
> domain and AD domain) of ad.example.com, its kerberos realm would be
> AD.EXAMPLE.COM, but let's say your environment had linux servers in
> dev.example.com, but you still wanted them to be recognized as systems
> that have services that have kerberos principals in the AD.EXAMPLE.COM
> kerberos realm.  You would use the [domain_realm] section of the krb5.conf
> to map this dns domain to the kerberos realm with the entry
>
> [domain_realm]
> dev.example.com = AD.EXAMPLE.COM
>
> The need for this kind of configuration comes up in hadoop as the kerberos
> principals for the linux hosts will need to understand what realm and KDC
> they need to resolve to, as the default behavior of kerberos is to resolve
> the lowercase dns name to the uppercase REALM name, but in the scenario where
> dns names are host.dev.example.com, and there is no kerberos realm of
> DEV.EXAMPLE.COM, for java applications things will fail with a GSS error
> of "host not found in the kerberos database" type of message, unless there
> is a [domain_realm] mapping like above in place.
>
> This is NOT cross realm trust when you use this kind of [domain_realm]
> mapping, that is a completely different thing and would involve multiple
> kerberos realms trusting each other for authenticating users and services
> (just in case you were going to ask).
>
>
> --
> Todd Grayson
> Principal Customer Operations Engineer
> Security SME
>
> Yep, that is exactly what I was going to ask.  Our current config has
> entries for other AD DNS domains being mapped to the realm that is
> configured in the [realms] stanza.  I was trying to figure out why that was
> being done and what purpose it was serving.  I was not able to get an
> answer from my co-workers which is why I posted here.  From your
> description it sounds like this configuration is probably erroneous.
>
> Thank you for your response.
>


-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME



Re: Kerberos / krb5.conf / CentOS7

2019-12-11 Thread Todd Grayson
The domain_realm section of the krb5.conf is used to map DNS domain names
to kerberos realms.  So let's say you had an active directory domain (dns
domain and AD domain) of ad.example.com, its kerberos realm would be
AD.EXAMPLE.COM, but let's say your environment had linux servers in
dev.example.com, but you still wanted them to be recognized as systems that
have services that have kerberos principals in the AD.EXAMPLE.COM
kerberos realm.  You would use the [domain_realm] section of the krb5.conf
to map this dns domain to the kerberos realm with the entry

[domain_realm]
dev.example.com = AD.EXAMPLE.COM

The need for this kind of configuration comes up in hadoop as the kerberos
principals for the linux hosts will need to understand what realm and KDC
they need to resolve to, as the default behavior of kerberos is to resolve
the lowercase dns name to the uppercase REALM name, but in the scenario where
dns names are host.dev.example.com, and there is no kerberos realm of
DEV.EXAMPLE.COM, for java applications things will fail with a GSS error of
"host not found in the kerberos database" type of message, unless there is
a [domain_realm] mapping like above in place.

This is NOT cross realm trust when you use this kind of [domain_realm]
mapping, that is a completely different thing and would involve multiple
kerberos realms trusting each other for authenticating users and services
(just in case you were going to ask).

On Wed, Dec 11, 2019 at 9:54 AM GemNEye  wrote:

> I am trying to configure Kerberos, SSSD, SAMBA, SSSD on CentOS7 servers
> (without using winbind).
>
> I have had some success in getting everything to work, but after
> reviewing different docs found on the web my understanding of all the
> configurations is weak.
>
> In the /etc/krb5.conf file, what is the purpose of the [domain_realm]
> stanza?  I can see its usage for REALMS that have been defined in the
> [realms] stanza, but what other realms and mapping would be configured
> in the [domain_realm] stanza?  If I could understand how the mappings in
> the [domain_realm] stanza are used along with an explanation (outside of
> what is available on the MIT doc page), it would be extremely useful.
>
> Plus, I am curious about the files that get created in this location:
> /var/lib/sss/pubconf/krb5.include.d/ .  The files in this directory get
> dynamically created, and when I look at some of the values that are
> being configured it appears like values which have been configured in
> /etc/krb5.conf get overwritten.  For example the value of
> udp_preference_limit seems to get set in the dynamic files regardless of
> how it is configured in /etc/krb5.conf.
>
> Thank You.
> GemNEye
>
>


-- 
Todd Grayson
Principal Customer Operations Engineer
Security SME

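To make the lookup order in the explanation above concrete, here is a small Python model of how a hostname is mapped to a realm under the rules the krb5.conf documentation gives for [domain_realm]: an exact hostname key wins, then parent domains written with a leading dot, most specific first, and if nothing matches the host's DNS domain is upper-cased, which is the fallback described in the post and the origin of a request for a DEV.EXAMPLE.COM realm that does not exist. This is an added illustration written for this page, not libkrb5's code: the stanza parser handles only flat `key = value` lines in a `[domain_realm]` section (no includes, no nested braces, no DNS lookups), and the configuration text, hostnames and realm names are constructed.

```python
import re

# Constructed krb5.conf fragment (not from the thread). A key without a
# leading dot names one host; a key with a leading dot covers every host
# beneath that domain, which is the documented krb5.conf meaning.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[domain_realm]
    # linux hosts under dev.example.com hold principals in the AD realm
    .dev.example.com = AD.EXAMPLE.COM
    # one host is an exception and lives in a separate MIT realm
    db01.dev.example.com = HADOOP.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
"""

SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
ENTRY = re.compile(r"^(?P<key>\S+)\s*=\s*(?P<value>\S+)\s*$")


def parse_domain_realm(conf_text):
    """Return the [domain_realm] stanza as a dict with lower-cased keys.

    Simplified parser: flat 'key = value' lines only, '#' comments stripped.
    """
    mapping = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sec = SECTION.match(line)
        if sec:
            current = sec.group("name").lower()
            continue
        ent = ENTRY.match(line)
        if current == "domain_realm" and ent:
            mapping[ent.group("key").lower()] = ent.group("value")
    return mapping


def realm_for_host(hostname, domain_realm):
    """Map a hostname to a realm name.

    1. exact hostname key
    2. parent domains with a leading dot, most specific first
    3. fallback: upper-case the host's DNS domain
    """
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return None  # single-label host: no domain to derive a realm from


def check_hosts(hostnames, domain_realm, known_realms):
    """For each host: (resolved realm, whether that realm actually exists).

    A False flag marks hosts whose service tickets will be requested from a
    realm nobody serves, which is the failure mode the post describes.
    """
    return {h: (realm_for_host(h, domain_realm), realm_for_host(h, domain_realm) in known_realms)
            for h in hostnames}


if __name__ == "__main__":
    mapping = parse_domain_realm(SAMPLE_KRB5_CONF)
    hosts = ["host.dev.example.com", "db01.dev.example.com", "dc1.ad.example.com"]
    print("with mapping:   ", check_hosts(hosts, mapping, {"AD.EXAMPLE.COM", "HADOOP.EXAMPLE.COM"}))
    print("without mapping:", check_hosts(hosts, {}, {"AD.EXAMPLE.COM", "HADOOP.EXAMPLE.COM"}))
```

Running `check_hosts` over the hostnames an application actually contacts, once with the deployed stanza and once with an empty one, is a quick way to audit which entries in an inherited [domain_realm] section are load-bearing and which merely restate the upper-casing fallback.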


Re: What is the proper way to force kerberos to TCP?

2019-10-03 Thread Todd Grayson
thanks!

On Thu, Oct 3, 2019 at 9:41 AM Greg Hudson  wrote:

> On 10/3/19 11:11 AM, Todd Grayson wrote:
> > We are seeing a number of conflicting information sets on how to properly
> > force TCP by kerberos clients in CentOS/RH OS distributions.
> >
> > udp_preference_limit =0? 1?
>
> By my reading of the code, either should work (0 is not treated as a
> special value, but of course no messages will be a single byte, so 1
> should work as well).  I don't believe there are any other ways to force
> a TCP preference (or to disable UDP) using krb5.conf alone.
>


-- 
Todd Grayson
Customer Operations Engineering
Security SME



What is the proper way to force kerberos to TCP?

2019-10-03 Thread Todd Grayson
Hi,

We are seeing a number of conflicting information sets on how to properly
force TCP by kerberos clients in CentOS/RH OS distributions.

udp_preference_limit =0? 1?

Or is there some other flag that is reliable to be setting here?

-- 
Todd Grayson
Customer Operations Engineering
Security SME



Re: Setting up the KDC ldap backend

2019-02-06 Thread Todd Grayson
I'm not sure what's going on with the error message you are seeing.

As far as how-to info: the Hortonworks community has a walkthrough of MIT
KDC with LDAP backend on CentOS7, here:

https://community.hortonworks.com/articles/199542/configuring-kerberos-with-openldap-back-end.html

On Tue, Feb 5, 2019 at 1:33 PM John Byrne  wrote:

> Hi,
>
> I'm trying to set up the KDC with the LDAP plugin. I've been using:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
> and
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/ldapbackend.html#ldap-be-ubuntu
>
> as references (I'm not using Ubuntu, I'm using CentOS 7 but most of the
> info on the Ubuntu page above seems to be fairly generic).
>
> When I run the command to create the database, it challenges me for a
> password. I didn't set one up, and if I just hit enter, I get this:
>
> $ sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
> Password for "cn=admin,dc=example,dc=com":
> kdb5_ldap_util: Cannot allocate memory while retrieving ldap configuration
>
> Now, I don't really know much about LDAP, so I could be missing something.
> Do I have to create "cn=admin,dc=example,dc=com" as a user somehow before I
> run this?
>
> I've tried reading up on LDAP, but I haven't found anything that explains
> what I need to do here. I'm looking for a shortcut to the quickest possible
> setup - I don't really need LDAP except that I'm trying to test constrained
> delegation in a web application, and apparently that only works with the
> LDAP backend.
>
> Can anyone explain what's the bare minimum I need to do to get this
> working?
>
> Thanks,
> John
>


-- 
Todd Grayson
Customer Operations Engineering
Security SME



Re: Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

2018-11-08 Thread Todd Grayson
oops, typo by me:

You are hard forcing AES for initial ticket granting ticket with the
settings you are using for enctypes.

Should read

You are hard forcing AES for initial session key and ticket granting ticket
with the settings you are using for enctypes.

On Thu, Nov 8, 2018 at 9:35 AM Todd Grayson  wrote:

> You are hard forcing AES for initial ticket granting ticket with the
> settings you are using for enctypes.   Unset (comment out) the 3 enctype
> lines for one of your tests.  How to comment out lines in the krb5.conf is
> covered in the second paragraph here:
>
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
>
> Use klist -ef after you successfully authenticate and inspect the ticket
> encryption types used.  It will look something like this after commenting
> out those lines I mentioned and then retrying your kinit:
>
> dude@host:~$ kinit administra...@ad.sec.example.com
> Password for administra...@ad.sec.example.com:
> dude@host:~$ klist -ef
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: administra...@ad.sec.example.com
>
> Valid starting   Expires  Service principal
> 11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/
> ad.sec.example@ad.sec.example.com
> renew until 11/15/2018 09:15:53, Flags: FRIA
> Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
>
> You can see on the Etype line, by default the initial session key is
> actually rc4-hmac (arcfour-hmac is the same thing, just a different name).
> But the actual ticket granting ticket. The above example is against a windows
> 2008 KDC, but 2016 is probably doing the same thing for backward
> compatibility.
>
>
> Kerberos will negotiate strongest encryption types by default within the
> available configuration.
>
> AD exposes per user account settings in the properties dialog, under
> account details, that allow you to set using AES encryption types.  Doing
> it for all accounts would be a global policy in AD.  This mail list does
> not really cover how to manage active directory as a KDC at that level,
> microsoft discussion boards would be best there.
>
> Given you are new to kerberos, I would suggest starting here, reading this
> will help you understand your terminology, what to search/google for, how
> things work in kerberos, etc.
>
> http://www.kerberos.org/software/tutorial.html
>
> The administration guide would be next step.
>
> Microsoft AD kerberos info is here, I would start with this AFTER going
> through the kerberos tutorial.
>
>
> https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
>
>
>
> On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan <
> silambarasa...@gmail.com> wrote:
>
>> Hi,
>>
>> I am new to Kerberos.  I am not able to obtain Kerberos
>> ticket-granting tickets with strong encryption types from "Windows
>> Server 2016 AD"
>>
>> My client kerberos configuration as below
>> 
>>
>> $ cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = CIFS.COM
>> default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>> default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>> preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>> ccache_type = 2
>>
>> [realms]
>> CIFS.COM = {
>> kdc = WIN.cifs.com:88
>> }
>>
>> [domain_realm]
>> .cifs.com = CIFS.COM
>>
>> [logging]
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>> default = FILE:/var/log/krb5lib.log
>> [bash4.2]$
>>
>> Issue :
>> =
>> $ kinit Administrator
>> kinit(v5): KDC has no support for encryption type while getting
>> initial credentials
>> $
>>
>> Please let me know  where can I find the kdc configuration types in
>> Active Directory (Windows Server 2016) ?
>> Do I have to change any configuration on Kerberos Client or Server ?
>> Please help me on this.
>>
>> Thanks,
>> Silambarasan M
>>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
> Security SME
>
>

-- 
Todd Grayson
Customer Operations Engineering
Security SME



Re: Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

2018-11-08 Thread Todd Grayson
You are hard forcing AES for initial ticket granting ticket with the
settings you are using for enctypes.   Unset (comment out) the 3 enctype
lines for one of your tests.  How to comment out lines in the krb5.conf is
covered in the second paragraph here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html

Use klist -ef after you successfully authenticate and inspect the ticket
encryption types used.  It will look something like this after commenting
out those lines I mentioned and then retrying your kinit:

dude@host:~$ kinit administra...@ad.sec.example.com
Password for administra...@ad.sec.example.com:
dude@host:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administra...@ad.sec.example.com

Valid starting   Expires  Service principal
11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/
ad.sec.example@ad.sec.example.com
renew until 11/15/2018 09:15:53, Flags: FRIA
Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96

You can see on the Etype line, by default the initial session key is actually
rc4-hmac (arcfour-hmac is the same thing, just a different name). But the actual
ticket granting ticket. The above example is against a windows 2008 KDC,
but 2016 is probably doing the same thing for backward compatibility.


Kerberos will negotiate strongest encryption types by default within the
available configuration.

AD exposes per user account settings in the properties dialog, under
account details, that allow you to set using AES encryption types.  Doing
it for all accounts would be a global policy in AD.  This mail list does
not really cover how to manage active directory as a KDC at that level,
microsoft discussion boards would be best there.

Given you are new to kerberos, I would suggest starting here, reading this
will help you understand your terminology, what to search/google for, how
things work in kerberos, etc.

http://www.kerberos.org/software/tutorial.html

The administration guide would be next step.

Microsoft AD kerberos info is here, I would start with this AFTER going
through the kerberos tutorial.

https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos



On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan <
silambarasa...@gmail.com> wrote:

> Hi,
>
> I am new to Kerberos.  I am not able to obtain Kerberos
> ticket-granting tickets with strong encryption types from "Windows
> Server 2016 AD"
>
> My client kerberos configuration as below
> 
>
> $ cat /etc/krb5.conf
> [libdefaults]
> default_realm = CIFS.COM
> default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
> default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
> preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
> ccache_type = 2
>
> [realms]
> CIFS.COM = {
> kdc = WIN.cifs.com:88
> }
>
> [domain_realm]
> .cifs.com = CIFS.COM
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> [bash4.2]$
>
> Issue :
> =
> $ kinit Administrator
> kinit(v5): KDC has no support for encryption type while getting
> initial credentials
> $
>
> Please let me know  where can I find the kdc configuration types in
> Active Directory (Windows Server 2016) ?
> Do I have to change any configuration on Kerberos Client or Server ?
> Please help me on this.
>
> Thanks,
> Silambarasan M
>


-- 
Todd Grayson
Customer Operations Engineering
Security SME

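The negotiation described above, and the failure the original poster hit, can be modelled in a few lines. The Python below is an added example for this page (not from the thread and not krb5 code): `negotiate` returns the strongest enctype present in both the client's offered list and the account's keys, and returns None for the case of a client restricted to AES against an account that only has an RC4 key, which is what surfaces as "KDC has no support for encryption type"; `audit_klist` runs over constructed `klist -ef` output shaped like the one in the reply (placeholder principal) and flags a session key or ticket key that still uses a deprecated enctype. The strength ranking and the deprecated set are the editor's assumptions, following RFC 8429 (RC4 and triple DES) and RFC 6649 (single DES); the alias table folds the alternate names krb5 accepts for the same enctype.

```python
import re

# Enctype names as krb5 prints them, ranked strongest first (editor's ranking).
STRENGTH = [
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac",
    "des3-cbc-sha1",
    "des-cbc-md5",
    "des-cbc-crc",
]

# krb5 accepts several names for one enctype; fold them to a single spelling.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
}

# Deprecated: RC4 and 3DES per RFC 8429, single DES per RFC 6649 (assumed set).
DEPRECATED = {"arcfour-hmac", "des3-cbc-sha1", "des-cbc-md5", "des-cbc-crc", "des-cbc-md4"}


def normalize(name):
    n = name.strip().lower()
    return ALIASES.get(n, n)


def rank(etype):
    """Lower is stronger; names not in the table sort last."""
    return STRENGTH.index(etype) if etype in STRENGTH else len(STRENGTH)


def negotiate(client_offers, account_keys):
    """Strongest enctype present in both the client's request and the account's keys.

    None models KDC_ERR_ETYPE_NOSUPP: the forced-AES krb5.conf from the
    question against an account whose only key is RC4. Commenting out the
    enctype lines widens client_offers to the library default list, which
    is why the reply suggests that as a first test.
    """
    have = {normalize(k) for k in account_keys}
    common = [normalize(e) for e in client_offers if normalize(e) in have]
    return min(common, key=rank) if common else None


ETYPE_LINE = re.compile(r"Etype \(skey, tkt\): ([\w-]+), ([\w-]+)")

# Constructed klist -ef output in the shape shown in the reply (placeholder principal).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 11/15/2018 09:15:53, Flags: FRIA
        Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""


def audit_klist(klist_output):
    """One finding per ticket: whether the session key or ticket key is deprecated.

    In the sample the ticket is AES but the session key is RC4, the combination
    the reply shows; the account-side AES setting in AD is what changes the skey.
    """
    findings = []
    for m in ETYPE_LINE.finditer(klist_output):
        skey, tkt = normalize(m.group(1)), normalize(m.group(2))
        findings.append({
            "skey": skey,
            "tkt": tkt,
            "skey_deprecated": skey in DEPRECATED,
            "tkt_deprecated": tkt in DEPRECATED,
        })
    return findings


if __name__ == "__main__":
    aes_only = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    print("forced AES vs RC4-only account:", negotiate(aes_only, ["rc4-hmac"]))
    print("default offer vs RC4-only account:", negotiate(aes_only + ["arcfour-hmac"], ["rc4-hmac"]))
    for finding in audit_klist(SAMPLE_KLIST):
        print(finding)
```

Run `audit_klist` over `klist -ef` output from a representative client after the AD-side AES setting is applied: the session key entry flipping from arcfour-hmac to an AES type is the observable confirmation, and a ticket key that is still deprecated points at the service account's keys rather than the client configuration.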


Re: Kerberos Digest, Vol 190, Issue 10

2018-10-22 Thread Todd Grayson
Sanjay, it is confusing when you reply to the kerberos digest email with
your own issue.  Create a new email with its own subject for your question.

Please send an email directly to the kerbe...@mit.wsu list.

On Mon, Oct 22, 2018, 7:52 AM Sanjay Kumar Sahu 
wrote:

> HI !
>
> Currently we are facing Kerberos authentication issue in our RHEL7 server
> running with Apache/2.4 upon changing Keytab Cypto type=AES256. Previously
> it's Crypto type=all. Please check following with the details.
>
> We are using mod_auth_kerb on Red Hat Enterprise Linux  for our application
> MediaWiki 1.30.0 running in Apache/2.4
> And we never face any issue related to kerberos authentication till then we
> used the keytab with following cipher algorithm in the encryption method.
> (des-cbc-crc)
> (des-cbc-md5)
> (aes256-cts-hmac-sha1-96)
> (aes128-cts-hmac-sha1-96)
>
> Later, the DES crypto type was categorized as a weak crypto type and it's
> denied for use in Production for security reasons.
>
> And we are asked to use the keytab using Advanced Encryption Standard (AES)
> Cryptography with either of types (AES128 or AES256) for following cipher
> algorithm.
>
> (aes256-cts-hmac-sha1-96)
> (aes128-cts-hmac-sha1-96)
>
> But, unfortunately neither of the keytabs encrypted with AES Crypto (AES128
> or AES256) are working under Apache/2.4 and throws following error in HTTPD
> server Error_log.
>
>
> Error_log
> -
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
> provide more information (, No key table entry found for the SPN)
>
> Please let us know if there is any solution to resolve the issue for
> kerberos.
>
> On Sun, Oct 21, 2018 at 9:32 PM  wrote:
>
> > Send Kerberos mailing list submissions to
> > kerberos@mit.edu
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > or, via email, send a message with subject or body 'help' to
> > kerberos-requ...@mit.edu
> >
> > You can reach the person managing the list at
> > kerberos-ow...@mit.edu
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Kerberos digest..."
> >
> >
> > Today's Topics:
> >
> >1. Make Windows Firefox Use Ticket gained via OpenConnect VPN
> >   Connection (chiasa.men)
> >
> >
> > --
> >
> > Message: 1
> > Date: Sat, 20 Oct 2018 22:09:57 +0200
> > From: "chiasa.men" 
> > Subject: Make Windows Firefox Use Ticket gained via OpenConnect VPN
> > Connection
> > To: kerberos@mit.edu
> > Message-ID: <25678829.3fpAYYNG7q@march>
> > Content-Type: text/plain; charset="utf-8"
> >
> > I have an openconnect server where I can login with kerberos credentials
> > (the vpn server basically also works as proxy to the kdc within said vpn -
> > more detailed description:
> > https://access.redhat.com/blogs/766093/posts/1976663 )
> >
> > Now I can connect with a windows machine (using openconnect-gui) with my
> > kerberos credentials. Which works.
> >
> > The next step shall be to use the gained ticket further for webservices
> > within
> > that vpn. How can I tell the browser (e.g. Firefox) to use the ticket
> > gained
> > by openconnect? Is there any way to achieve this?
> >
> > I also installed the MIT Kerberos Ticket Manager for Windows. Here
> > (https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation-to-hd.html)
> > is described that it is possible to use that Manager with firefox in
> > order to authenticate to webservices. Although I haven't been able to
> > accomplish that, would it be possible to tell MIT Kerberos Ticket
> > Manager to use the Ticket of the vpn login?
> >
> > Is there already a 'usual way' to achieve something like sso via vpn with
> > kerberos with windows clients?
> >
> >
> >
> >
> >
> >
> > --
> >
> >
> >
> > End of Kerberos Digest, Vol 190, Issue 10
> > *
> >
>
>
> --
> *Thanks & Regards,*
>
>
> *Sanjay Kumar Sahu*
>



Re: Different realms

2018-01-28 Thread Todd Grayson
> Subject: RE: Different realms
>
> "Imanuel Greenfeld" <imanuel.greenfe...@ntlworld.com> writes:
>
> > Robbie Harwood <rharw...@redhat.com> writes:
> >> "Imanuel Greenfeld" <imanuel.greenfe...@ntlworld.com> writes:
> >>
> >>> I have 2 domains which there is no trust between them.
> >>
> >> Do you have two realms (A and B), with two machines (machine_a in A,
> >> and machine_b in B), and two services (service_a on machine_a, and
> >> service_b on machine_b)?
> >
> > Yes
> >
> >> I'm not overly familiar with the Java bindings, but this isn't
> >> something one really wants to be doing in Kerberos.
> >
> > So how can I pass the Kerberos authentication if there is no trust
> > between the realms ?
>
> Without a trust, service_a has no way to *prove* to service_b the identity
> of the user who is connecting to service_a.
>
> Now, depending on what you're doing, this may not matter - maybe whatever
> service_b is doing doesn't care about that.  If that's the case, then
> service_a just needs a credential to authenticate against service_b with.
> (This will come from realm B.)
>
> For making Kerberized HTTP requests, the best approach is, as Simo says, to
> use something like mod_auth_gssapi on the server.  You're in Java, not
> Python, on the client, so you won't be able to use requests-gssapi; I'm not
> sure if there is a SPNEGO module for Java.
>
> You can, however, look at how the token is generated by requests-gssapi and
> make similar GSSAPI calls from Java - the function is
> generate_request_header()
> https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/gssapi_.py#L139-L150
> https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/gssapi_.py#L63
>
> >> What is the actual, higher level thing you are trying to accomplish?
> >
> > As explained, I'm sending HTTP rest JSON request from machine_a to
> > machine_b endpoint but I'm getting Unauthorised 401 error, so I'm
> > trying to incorporate into the HTTP JSON request the keytab which is
> > on machine_a to pass the authentication.
>
> Let me ask a different way.  Why are you doing this at all?
>
> On another note: your email replies are very difficult to read.  At the
> very least, please use blank lines to separate your replies from the text
> you are replying to, and make your quoting levels work correctly.
>
> Thanks,
> --Robbie
>
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: freeipa and kerberos failures

2018-01-16 Thread Todd Grayson
Didn't see the original thread... but guessing as to the issue:

IPA with ipaclient uses aes256-cts-sha-96 with random salt to encrypt session
keys and principals' keytabs.

Things that generate a keytab using ktutil, for example, will fail; it does
not take the random salt string as part of the 'addent' call, so this
creates issues.

If IPAclient is in use then ipa-getkeytab must be used.



On Tue, Jan 16, 2018 at 9:20 AM, Greg Hudson <ghud...@mit.edu> wrote:

> On 01/10/2018 11:03 AM, lejeczek wrote:> krb5kdc[606061](info): preauth
> (encrypted_timestamp) verify
> > failure: Preauthentication failed
>
> One would normally see this error if the wrong key or password was used
> to authenticate.  So there might be a mismatch between the keytab file
> on the initiating host and the KDC.  As I am not familiar with FreeIPA
> (only Kerberos), I don't know how that might have come about.
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: Can not access HDFS with keytab file (Resend)

2018-01-14 Thread Todd Grayson
Feng, your best option is actually u...@hadoop.apache.org, as the errors you
are seeing are over the Hadoop classes within the JDK, which the team at
MIT does not produce.  The OpenJDK as well as Oracle JDK development teams
provide a Kerberos implementation based on the standards established and
maintained by the MIT Kerberos team.

So literally the reason you are not getting a response from this list... is
because it is the wrong list to be approaching (at this point at least).

The Java implementation of Kerberos is presented here, but the Hadoop user
mail list might be best.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

You are also wrapping in the complexity of Docker over OS with Kerberos
(picking a hard place to start) in what you are doing, and you must
manage changes to config accordingly.  This is education you should be
self-managing because it's going to become an obstacle to what you are
trying to achieve.

https://www.twistlock.com/2017/08/07/kerberos-work-docker/



On Sun, Jan 14, 2018 at 12:37 PM, feng wang 
wrote:

> Hello,  I am  using Hadoop2.8 with Kerberos5 in the Docker, However I can
> not access HDFS thought Kerberos ..The Docker image is
> https://hub.docker.com/r/nlesc/xenon-hdfs-kerberos/
> In the Docker container I have checked the `hdfs.keytab` by
>
> > ```bash
> > $ kinit -V  -kt /opt/hadoop/hdfs.keytab hdfs/localh...@esciencecenter.nl
> > Using default cache: /tmp/krb5cc_0
> > Using principal: hdfs/localh...@esciencecenter.nl
> > Using keytab: /opt/hadoop/hdfs.keytab
> > Authenticated to Kerberos v5
> > ```
>
> and here is the DEBUG info for command `hdfs dfs -ls /`
>
> ```
> > hdfs dfs -ls /
> > WARNING: An illegal reflective access operation has occurred
> > WARNING: Illegal reflective access by
> > org.apache.hadoop.security.authentication.util.KerberosUtil
> > (file:/opt/hadoop/share/hadoop/common/lib/hadoop-auth-2.8.1.jar) to
> method
> > sun.security.krb5.Config.getInstance()
> > WARNING: Please consider reporting this to the maintainers of
> > org.apache.hadoop.security.authentication.util.KerberosUtil
> > WARNING: Use --illegal-access=warn to enable warnings of further illegal
> > reflective access operations
> > WARNING: All illegal access operations will be denied in a future release
> > Java config name: null
> > Native config name: /etc/krb5.conf
> > Loading krb5 profile at /etc/krb5.conf
> > Loaded from native config
> > >>>KinitOptions cache name is /tmp/krb5cc_0
> > >>>DEBUG   client principal is hdfs/
> > localh...@esciencecenter.nl
> > >>>DEBUG  server principal is krbtgt/
> > esciencecenter...@esciencecenter.nl
> > >>>DEBUG  key type: 17
> > >>>DEBUG  auth time: Sat Jan 13 03:31:02 GMT 2018
> > >>>DEBUG  start time: Sat Jan 13 03:31:02 GMT 2018
> > >>>DEBUG  end time: Sun Jan 14 03:31:02 GMT 2018
> > >>>DEBUG  renew_till time: null
> > >>> CCacheInputStream: readFlags()  FORWARDABLE; INITIAL;
> > >>>DEBUG   client principal is hdfs/
> > localh...@esciencecenter.nl
> > >>>DEBUG  server principal is
> > X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/escienc
> ecenter...@esciencecenter.nl
> > @esciencecenter.nl
> > >>>DEBUG  key type: 0
> > >>>DEBUG  auth time: Thu Jan 01 00:00:00 GMT 1970
> > >>>DEBUG  start time: null
> > >>>DEBUG  end time: Thu Jan 01 00:00:00 GMT 1970
> > >>>DEBUG  renew_till time: null
> > >>> CCacheInputStream: readFlags()
> > Found ticket for hdfs/localh...@esciencecenter.nl to go to krbtgt/
> > esciencecenter...@esciencecenter.nl expiring on Sun Jan 14 03:31:02 GMT
> > 2018
> > Entered Krb5Context.initSecContext with state=STATE_NEW
> > Found ticket for hdfs/localh...@esciencecenter.nl to go to krbtgt/
> > esciencecenter...@esciencecenter.nl expiring on Sun Jan 14 03:31:02 GMT
> > 2018
> > Service ticket not found in the subject
> > >>> Credentials acquireServiceCreds: same realm
> > default etypes for default_tgs_enctypes: 17.
> > >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > >>> KdcAccessibility: reset
> > >>> KrbKdcReq send: kdc=localhost UDP:88, timeout=3, number of
> retries
> > =3, #bytes=663
> > >>> KDCCommunication: kdc=localhost UDP:88, timeout=3,Attempt =1,
> > #bytes=663
> > >>> KrbKdcReq send: #bytes read=651
> > >>> KdcAccessibility: remove localhost
> > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > >>> KrbApReq: APOptions are 0010   
> > >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> > Krb5Context setting mySeqNumber to: 481871376
> > ...
> > drwxr-xr-x   - xenon supergroup  0 2018-01-13 02:15
> > /filesystem-test-fixture
> > drwxr-xr-x   - hdfs  supergroup  0 2018-01-13 04:39 /tmp
> > ```
>
> I use Scala to list the HDFS file with following code:
>
> > ```scala
> > import org.apache.hadoop.conf.Configuration
> > import 

Re: upgrading kdc from 1.9 to 1.16, things to worry about?

2017-12-11 Thread Todd Grayson
What OS distro are you working over for the KDC hosts?  The schema is no
longer present in current distro-specific packaging for OpenLDAP (that I
can find).

On Mon, Dec 11, 2017 at 12:50 PM, Chris Hecker <chec...@d6.com> wrote:

> Ok, moving this over to the main list...
>
> Anybody else have any thoughts on the update below?
>
> Thanks,
> Chris
>
>
> On Mon, Dec 11, 2017 at 11:11 Greg Hudson <ghud...@mit.edu> wrote:
>
> > kerberos@mit.edu is better for questions like this.  Your plan seems
> > sound, with the proviso that I'm not an expert on OpenLDAP (or whatever
> > LDAP server you're using; 389ds also works with krb5, and likely
> > others).  So if there are potential issues with updating the schema, I
> > wouldn't know about them.  The new schema is indeed a superset of the
> > old one, with optional attributes added.
> >
> > On 12/09/2017 10:57 PM, Chris Hecker wrote:
> > > I need to update my kdc finally to get access to a couple new features,
> > and
> > > because duh.
> > >
> > > My KDC uses the LDAP backend.
> > >
> > > - I was not planning on updating slapd.
> > > - I was going to back up and everything, of course.
> > > - I assume I need to copy the latest kerberos.schema over. It looks
> like
> > > it's just a superset of the old one.
> > >
> > > Is there anything else I need to look out for you guys can think of
> when
> > > doing this update?
> > >
> > > I have some patches that add minor features I'll have to port once
> things
> > > are up and running smoothly, and I'll finally contribute them back like
> > > promised to this list and Greg 5 years ago.  Oops.
> > >
> > > Chris
> > > ___
> > > krbdev mailing list krb...@mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/krbdev
> > >
> >
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: Local realm referral failed; trying fallback realm HADOOP.COM

2017-06-17 Thread Todd Grayson
You need to make sure you have a [domain_realm] mapping for each DNS domain
name to REALM.  When the DNS to REALM mapping is not present, Kerberos falls
back to attempting to map the KERBEROS REALM in question to the lowercase
form of its name as a DNS domain.  This is described in detail here:

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#domain-realm

1) Cross realm ticket request
2) (see explanation & link above)
3) (see explanation above)

You also need to make sure that within your HDFS configuration you are
configuring any additional "Trusted Kerberos REALMS" so that the
auth_to_local rules are constructed properly.


On Sat, Jun 17, 2017 at 12:26 PM, pratyush parimal <
pratyush.pari...@gmail.com> wrote:

> Hi everyone,
>
> I'm trying to set up cross-realm authentication so that a user in realm
> EXAMPLE.COM can access a service in HADOOP.COM. I've added a capaths
> section to my krb5.conf for the same:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = EXAMPLE.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>
> [realms]
>  EXAMPLE.COM = {
>   kdc = examplekdc.example.com
>   admin_server = examplekdc.example.com
>  }
>
>  HADOOP.COM = {
>   kdc = hadoopkdc.hadoop.com
>   admin_server = hadoopkdc.hadoop.com
>  }
>
> [domain_realm]
>  .example.com = EXAMPLE.COM
>  example.com = EXAMPLE.COM
>
> [capaths]
>  HADOOP.COM = {
>   EXAMPLE.COM = .
>  }
>
>
> I've also added the required principal krbtgt/hadoop@example.com to
> both the KDC's. So far, everything is working and my application is able to
> do what it needs to.
>
> What I'm concerned about is the following line in my trace log on
> EXAMPLE.COM:
>
> [158447] 1497720267.441664: TGS request result: -1765328377/Server
> myservice/hadoopkdc.hadoop@example.com not found in Kerberos database
> [158447] 1497720267.441680: Local realm referral failed; trying fallback
> realm HADOOP.COM
>
> My questions are the following:
> (1) what exactly is this local realm referral? Is this kerberos jargon for
> cross realm requests?
> (2) why would the local realm referral fail ? How do I explicitly specify
> how I want the local realm referral to occur?
> (3) What is the meaning of a fallback realm? And how do I specify one?
>
> As you can see from my krb5.conf, I haven't specified the fallback realm or
> referrals explicitly, so I think kerberos is picking up default values for
> them. I want to know how I can specify them explicitly.
>
> Thanks in advance !
> Pratyush
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
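As an added illustration (not code from the thread or from MIT krb5), here is a simplified Python model of the lookup the reply describes: [domain_realm] is consulted first (exact host entry, then parent domains with a leading dot), a host with no mapping is sent to the client's own realm for a referral, and when that referral fails the fallback realm is the host's parent DNS domain uppercased, which is the HADOOP.COM seen in the trace. The config fragments are constructed after the one in the question, and the function names are mine.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed krb5.conf fragment modelled on the one in the question: it maps
# example.com but has no [domain_realm] entry for hadoop.com.
KRB5_CONF_MISSING = """
[libdefaults]
 default_realm = EXAMPLE.COM

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[capaths]
 HADOOP.COM = {
  EXAMPLE.COM = .
 }
"""

# The same fragment with the mapping the reply asks for.
KRB5_CONF_FIXED = KRB5_CONF_MISSING.replace(
    " example.com = EXAMPLE.COM\n",
    " example.com = EXAMPLE.COM\n .hadoop.com = HADOOP.COM\n hadoop.com = HADOOP.COM\n",
)


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the [domain_realm] section as {domain_or_host: REALM}.

    Minimal profile parser: tracks the current [section] and records only the
    'key = value' lines of [domain_realm]; nested { } blocks are ignored.
    """
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line and "{" not in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def mapped_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """[domain_realm] lookup as the krb5.conf docs describe it: an exact hostname
    entry wins, then the longest leading-dot domain entry that is a suffix of
    the host.  None means 'no mapping', which makes the client ask its own
    realm's KDC for a referral.
    """
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # longest suffix first
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def fallback_realm(hostname: str, default_realm: str) -> str:
    """Model of the 'fallback realm' in the trace: the parent DNS domain of the
    host, uppercased.  A bare hostname falls back to the default realm.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return default_realm
    return ".".join(labels[1:]).upper()


def resolve_service_realm(hostname: str, conf: str,
                          default_realm: str = "EXAMPLE.COM") -> Tuple[str, str]:
    """Return (realm, how), where how is 'domain_realm' when the config mapped
    the host and 'fallback' when the client had to guess from the DNS name."""
    realm = mapped_realm(hostname, parse_domain_realm(conf))
    if realm is not None:
        return realm, "domain_realm"
    return fallback_realm(hostname, default_realm), "fallback"
```

With the question's config the service host is only reached through the fallback; adding the two hadoop.com lines makes the mapping explicit and the trace line disappears.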


Re: Kerberos on Mac

2017-05-15 Thread Todd Grayson
I would work to get forward/reverse DNS consistent rather than attempting
to configure around this.

But for reference's sake, JGSS catalogs its supported settings here, under
"Supported krb5.conf Settings":
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

rdns is not available; there is a "noaddresses", but that seems to be more
for NAT handling.


On Mon, May 15, 2017 at 10:56 AM, Greg Hudson <ghud...@mit.edu> wrote:

> On 05/15/2017 06:43 AM, Matt Darwin wrote:
> > So it looks like the client is sending
> >
> > oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
> >
> > as the SnameString (presumably the SPN), when it should be sending:
> >
> > d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com
>
> I don't appear to have access to your DNS information from here.  My
> guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the
> result of a PTR query on the IP address of the server, while
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record
> name.
>
> If I'm right about that, what you're looking for is a way to get the JVM
> Kerberos implementation to suppress the reverse DNS lookup when
> canonicalizing the server name.  In MIT krb5, that would be accomplished
> with the "rdns" setting in krb5.conf; for details, see:
>
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html
>
> It's possible that the same setting might work for the Java
> implementation, but I'm not certain.
>
> ________
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: Kerberos documentation website down?

2017-03-13 Thread Todd Grayson
Just generated now (Monday March 13 7:18 PM eastern)

http://web.mit.edu/kerberos/krb5-latest/doc/admin/install.html

An error occurred while processing your request.
Reference #97.9055434d.1489447060.25086296

On Mon, Mar 13, 2017 at 12:39 PM, Tom Yu <t...@mit.edu> wrote:

> "Earl A. Killian" <kerbe...@lists.killian.com> writes:
>
> > Reference #97.9355434d.1489429031.113b6c49
>
> I believe this is an error from the Akamai CDN.  How recently did you
> receive this error?  I know there was a possible connectivity issue at
> MIT that caused errors such as that, but I thought it was resolved.
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Studying kerberos interaction patterns through krb5kdc log file (and client log) analysis

2017-01-31 Thread Todd Grayson
Howdy,

Has anyone seen or worked on pulling together tools for analyzing Kerberos
krb5kdc.log files in a way that allows for the analysis (graphing even) of
service and user AS and TGS interactions over a window of time?

I found the historical MIT mail list discussion "krb5kdc log analysis
tool/script", but the package discussed would need to be re-written, from
what I'm seeing, for what I'm thinking of.

For the Hadoop community it's a point of understanding the concert of
interaction over time for a cluster: inspection of the various workload
patterns that emerge for the symphony of components in the suite.  The
platform is a web of Kerberos authentication that extends to users
submitting jobs and interacting with the services over CLI and HTTP.

Before re-inventing something that's already sitting around the next corner
of the internet, I thought I might check here as well.

Thanks in advance.



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: Documenting the kerberos KDC log file format

2017-01-31 Thread Todd Grayson
Yeah, I'm looking for the REQ layout; the other message types are variable
to the point where they are being filtered out (although I pause at dropping
the FD closing-down messages...).

So something like the following.  Note the authtime field is a mystery (or
something is really, really broken in the logs I'm looking at); it's not
clear if ISSUE is variable, I see only the same output but that might not
cover error conditions...

[date] [time] [kdc fqdn?] [process-name][[pid]]([level]): [REQ-TYPE of
AS_REQ or TGS_REQ] ([enc-types output]}) [REQ-IP] [??ISSUE:??] authtime
[auth time in? epoc time? what is this], etypes [selected enctypes across
rep,tkt and ses]}, [requesting_principal] for [requested_principal]

If anything, in the future keeping the default log format but allowing a log
file format expression string for defining a custom output format for
request/response entries would be interesting.

On Mon, Jan 30, 2017 at 11:44 PM, Benjamin Kaduk <ka...@mit.edu> wrote:

> On Mon, Jan 30, 2017 at 11:01:46PM -0700, Todd Grayson wrote:
> > Has anyone seen a good writeup of the krb5kdc.log file output format?
> For
> > the types of log file output statements that it writes out. So for
> example
> > the AS_REQ and TGS_REQ and follow up "closing down" lines representing a
> > full connection span.
> >
> > More specifically does anyone have any content or pointers to
> constructing
> > good parsers for turning this log data into record data?  Parser tools
> for
> > the default MIT KDC log format?
>
> Unfortunately, the idea of a unified format was not in mind when things
> were originally written, so a programmatic parse will be somewhat
> difficult.
> We've tried to be more careful with more recent additions, but feel rather
> constrained to not change the historical behavior and break existing
> log-parsing scripts.
>
> Maybe someone else on the list has some prior art that you could start
> from, though.
>
> -Ben
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Documenting the kerberos KDC log file format

2017-01-30 Thread Todd Grayson
Has anyone seen a good writeup of the krb5kdc.log file output format?  For
the types of log file output statements that it writes out, so for example
the AS_REQ and TGS_REQ and follow-up "closing down" lines representing a
full connection span.

More specifically, does anyone have any content or pointers to constructing
good parsers for turning this log data into record data?  Parser tools for
the default MIT KDC log format?

I'm guessing that having it in syslog format would be better... but that's
out of my control...

-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

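The two messages above about the krb5kdc.log format, and the earlier one about graphing AS/TGS interactions over a window of time, ask for a parser that turns the default REQ lines into records; the following Python is an added example, not code from the thread or from MIT krb5. The sample lines are constructed in the shape of the FILE: logger's output ("Mon DD hh:mm:ss host krb5kdc[pid](level): message"); the authtime field is epoch seconds and is converted to UTC, "closing down fd" lines are skipped, and the summary function gives the per-principal counts a graphing tool would start from.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed krb5kdc.log excerpt (sample data written for this example, not
# taken from the thread): a pre-auth round trip, a TGS request and a failure.
SAMPLE_LOG = """\
Jan 30 23:01:46 kdc1.example.com krb5kdc[2143](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 30 23:01:46 kdc1.example.com krb5kdc[2143](info): closing down fd 12
Jan 30 23:01:46 kdc1.example.com krb5kdc[2143](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1485817306, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 30 23:01:46 kdc1.example.com krb5kdc[2143](info): closing down fd 12
Jan 30 23:01:47 kdc1.example.com krb5kdc[2143](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1485817306, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for HTTP/web.example.com@EXAMPLE.COM
Jan 30 23:01:47 kdc1.example.com krb5kdc[2143](info): closing down fd 12
Jan 30 23:02:03 kdc1.example.com krb5kdc[2143](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jan 30 23:02:03 kdc1.example.com krb5kdc[2143](info): closing down fd 12
"""

# Syslog-style prefix written by the FILE: logger.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
# AS_REQ/TGS_REQ body; the "authtime ..., etypes {...}, " part appears on ISSUE
# lines only, and a trailing ", <error message>" appears on failures only.
REQ_RE = re.compile(
    r"^(?P<type>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<sel>[^}]*)\}, )?"
    r"(?P<cname>\S+) for (?P<sname>\S+)(?:, (?P<emsg>.*))?$"
)


@dataclass
class KdcRequest:
    logged_at: str                   # syslog timestamp as written (no year, local time)
    kdc: str
    pid: int
    req_type: str                    # AS_REQ or TGS_REQ
    offered_etypes: List[int]        # enctypes the client offered
    client_addr: str
    status: str                      # ISSUE, NEEDED_PREAUTH, PREAUTH_FAILED, ...
    authtime: Optional[datetime]     # epoch seconds on ISSUE lines, as UTC
    selected_etypes: Dict[str, int]  # rep/tkt/ses enctypes on ISSUE lines
    client_principal: str
    server_principal: str
    error: Optional[str]             # trailing error text on non-ISSUE lines


def parse_line(line: str) -> Optional[KdcRequest]:
    """Parse one krb5kdc.log line; None for non-request lines such as 'closing down fd N'."""
    m = PREFIX_RE.match(line.rstrip("\n"))
    if not m:
        return None
    r = REQ_RE.match(m.group("msg"))
    if not r:
        return None
    # "4 etypes {18 17 16 23}" -> [18, 17, 16, 23]
    offered = [int(e) for e in re.findall(r"\d+", r.group("etypes").split("{", 1)[-1])]
    selected: Dict[str, int] = {}
    if r.group("sel"):
        selected = {k: int(v) for k, v in (kv.split("=") for kv in r.group("sel").split())}
    authtime = None
    if r.group("authtime"):
        authtime = datetime.fromtimestamp(int(r.group("authtime")), tz=timezone.utc)
    return KdcRequest(
        logged_at=m.group("ts"), kdc=m.group("kdc"), pid=int(m.group("pid")),
        req_type=r.group("type"), offered_etypes=offered, client_addr=r.group("addr"),
        status=r.group("status"), authtime=authtime, selected_etypes=selected,
        client_principal=r.group("cname"), server_principal=r.group("sname"),
        error=r.group("emsg"),
    )


def parse_log(text: str) -> List[KdcRequest]:
    """Turn a whole log into request records, dropping the non-request lines."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def interaction_summary(records: List[KdcRequest]) -> Counter:
    """Count (client principal, request type, status) triples: who authenticated,
    who asked for service tickets, and who failed pre-authentication."""
    return Counter((rec.client_principal, rec.req_type, rec.status) for rec in records)
```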


Re: Can I automatically cache AD tickets into a file on windows?

2016-11-18 Thread Todd Grayson
You might be able to do some sort of PowerShell script?  I don't think the
KFW has a startup context to it.  The thing is you would need to pass
credentials in somehow, which starts to weaken the integrity of the security
model once you start caching passwords/keytabs.  We should know, Hadoop is
the poster child of poor credential handling (and a ton of work is going
into cleaning that all up).

On Friday, November 18, 2016, Mauro Cazzari <mauro.cazz...@sas.com> wrote:

> One more thing: if MIT Kerberos is installed, is there a way to populate
> the KRB5CCNAME cache file automatically when I log on to Windows without
> having to use a keytab or having to run a kinit under the covers?
>
>
>
> *From:* Todd Grayson [mailto:tgray...@cloudera.com]
> *Sent:* Friday, November 18, 2016 11:34 AM
> *To:* Mauro Cazzari <mauro.cazz...@sas.com>
> *Cc:* Kerberos@mit.edu
> *Subject:* Re: Can I automatically cache AD tickets into a file on
> windows?
>
>
>
> From what I understand, the windows SSPI implementation does not provide a
> facility to hold the credentials in a file.  You would use the MIT KFW to
> be able to do that.
>
> On Friday, November 18, 2016, Mauro Cazzari <mauro.cazz...@sas.com> wrote:
>
> Kerberos experts,
> Is there a way to automatically cache AD-generated tickets to the file
> provided through the KRB5CCNAME environment variable on Windows without
> having to run a kinit? My understanding is that Windows caches tickets in
> memory (whereas Unix does the same on file). Do I need to install MIT
> Kerberos, or (ideally) can I just use the copy of Kerberos that comes with
> Windows to achieve my goal?
> Thanks!
> Mauro.
> ________
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
> --
>
> Todd Grayson
>
> Business Operations Manager
>
> Customer Operations Engineering
>
> Security SME
>
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: Can I automatically cache AD tickets into a file on windows?

2016-11-18 Thread Todd Grayson
From what I understand, the windows SSPI implementation does not provide a
facility to hold the credentials in a file.  You would use the MIT KFW to
be able to do that.

On Friday, November 18, 2016, Mauro Cazzari <mauro.cazz...@sas.com> wrote:

> Kerberos experts,
> Is there a way to automatically cache AD-generated tickets to the file
> provided through the KRB5CCNAME environment variable on Windows without
> having to run a kinit? My understanding is that Windows caches tickets in
> memory (whereas Unix does the same on file). Do I need to install MIT
> Kerberos, or (ideally) can I just use the copy of Kerberos that comes with
> Windows to achieve my goal?
> Thanks!
> Mauro.
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: mit kdc windows client silent install

2016-11-10 Thread Todd Grayson
I've used this in the past (not with KfW though)...  given it's an MSI
installer this should work...

http://stackoverflow.com/questions/8560166/silent-installation-of-a-msi-package

(assuming the kfw install package from here)

http://web.mit.edu/kerberos/dist/#krb5-1.14

On Thu, Nov 10, 2016 at 7:53 PM, Edward Gleeck <edr...@gmail.com> wrote:

> Does windows mit kdc client support silent/unattended install?
>
> On the release notes there are some documentation on building an installer
> which is quite involved, so I was wondering if the currently installer
> supports any install parameters.
>
> Thanks,
> Ed
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: kdb5_ldap_util fails, no idea why

2016-11-07 Thread Todd Grayson
From that error message you need to provide the schema file for the
Kerberos LDAP objects to your directory instance. Can we assume you
followed, top down, the instructions from here?

https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html



On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <deb...@lhanke.de> wrote:

> I'm currently setting up a new KDC for a new domain. I also have a shiny
> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
> fine, there is no specific data in it yet.
>
> Trying to create the Kerberos container, I get the following error:
>
> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
> Password for "cn=admin,dc=microsult,dc=de":
> Initializing database for realm 'UAC.MICROSULT.DE'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
> while creating realm 'UAC.MICROSULT.DE'
>
> I read somewhere that this may be due to the kerberos container not
> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
> it denies dc=microsult,dc=de since it's not a CN.
>
> Am I supposed to create a CN node under my TLD and use this? I don't
> quite understand how the final layout in LDAP is supposed to be and how
> to put that into arguments for kdb5_ldap_util.
>
> Any closer explanation is appreciated. Thanks for your help,
>
>   - lars.
>
>
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: .kinit: Preauthentication failed while getting initial credentials

2016-10-27 Thread Todd Grayson
Interesting, Tom.  We'll review that as well; I've added one of our team
members working with this in the field to the discussion too.

Thomas, what version of Active Directory are you working with in
your attempts to get this functioning with AES?

On Thu, Oct 27, 2016 at 10:53 AM, Tom Yu <t...@mit.edu> wrote:

> Thomas Beaudry <thomas.beau...@concordia.ca> writes:
>
> > So i got it to work by switch the encryption type.  In case anyone is
> wondering i used:  addent -password -p ${user} -k 1 -e rc4-hmac
>
> It's possible that the problem is related to password salting.  (The RC4
> enctype has no salt, but the AES ones do.)  We've observed that the salt
> for an Active Directory principal is related to the account name rather
> than the principal name, e.g., HOSTNAME$ for a computer account.  (An AD
> account can have multiple Kerberos principal names.)  Without the
> correct salt, the client can't produce the correct password-derived key.
>
> -Tom
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: .kinit: Preauthentication failed while getting initial credentials

2016-10-27 Thread Todd Grayson
Perfect, good to hear.  Strange that you can't get AES working... if you end
up needing to troubleshoot that at some point, those links are the toolkits
for digging deeper into what's failing.  There should be an updated version
of that KB for the different Windows AD KDC releases as well.

On Thu, Oct 27, 2016 at 9:59 AM, Thomas Beaudry <thomas.beau...@concordia.ca
> wrote:

> Hi Todd,
>
>
> So i got it to work by switch the encryption type.  In case anyone is
> wondering i used:  addent -password -p ${user} -k 1 -e rc4-hmac
>
>
> ​Thank you so much for your help - I really didn't know where to look to
> start off with.
>
>
> Have a great day!
>
> Thomas
> --
> *From:* Thomas Beaudry
> *Sent:* Thursday, October 27, 2016 11:37 AM
> *To:* Todd Grayson
>
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
>
> Hi Todd,
>
>
> Yes i changed the password.  Still the same problem.
>
>
> thanks!
>
> Thomas
> --
> *From:* Todd Grayson <tgray...@cloudera.com>
> *Sent:* Thursday, October 27, 2016 11:25 AM
> *To:* Thomas Beaudry
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> you have to change the password after setting the checkbox was that
> done?
>
> On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry <
> thomas.beau...@concordia.ca> wrote:
>
>> Hi Todd,
>>
>>
>> Thanks I tried enabling the AES256​ checkbox but that didn't fix the
>> problem. Also, I checked other users and they don't have that checkbox
>> clicked - so it isn't the issue.
>>
>>
>> Any more thoughts as to what could be causing this 1 user to not be able
>> to use a keytab?
>>
>>
>> Thanks,
>>
>> Thomas
>> --
>> *From:* Todd Grayson <tgray...@cloudera.com>
>> *Sent:* Wednesday, October 26, 2016 4:20 PM
>>
>> *To:* Thomas Beaudry
>> *Cc:* kerberos@mit.edu
>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>> credentials
>>
>> No, in that case, forget the kvno, it is not going to come out correctly
>> that way.
>>
>> Its for when you export the keytab from the KDC, in AD contexts like you
>> are describing it becomes a invalid data point.
>>
>> On AD, verify the entry in the ad users and computers gui, set the user
>> entry to allow AES-256 and change the password for the user so you have a
>> valid representation of the password on the AD side for your keytab's
>> AES256.  if you right click on the users and go into properties its a
>> selection list of checkboxes in one of the tabs in the gui for the user
>> entry edit.
>>
>> That or dont pick aes256 for what you are setting up on the keytab,
>> depending on the AD version you might have issues (e.g. if ad 2003 was in
>> use)
>>
>>
>>
>> On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
>> thomas.beau...@concordia.ca> wrote:
>>
>>> Hi Todd,
>>>
>>>
>>> ​Thanks for answering.   It's a windows AD.  I'm using ktutil to create
>>> the keytab:  ​
>>>
>>>
>>> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96​
>>>
>>>
>>> I'll look into the kvno.
>>>
>>>
>>> Thomas
>>>
>>>
>>> --
>>> *From:* Todd Grayson <tgray...@cloudera.com>
>>> *Sent:* Wednesday, October 26, 2016 2:48 PM
>>> *To:* Thomas Beaudry
>>> *Cc:* kerberos@mit.edu
>>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>>> credentials
>>>
>>> Is the KDC MIT? AD?  Assuming MIT KDC:
>>>
>>> use the kvno command to evaluate what the KDC thinks is current, vs
>>> klist -kte .perform-admin.keytab
>>>
>>> Verify the kvno (key version number) matches up from the keytab to what
>>> the kdc states is the current version.  Kinit as a working user first from
>>> the cli, then attempt the kvno against the principal associated with the
>>> keytab that is failing.
>>>
>>> what is the command line you are using to export keytabs, the default
>>> behavior is to randomize the key each export unless you specifically tell
>>> it not to with -norandkey
>>>
>>> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>>>
>>> use -norandkey when exporting a keytab to prevent the 

Re: .kinit: Preauthentication failed while getting initial credentials

2016-10-27 Thread Todd Grayson
Generally that is indicating the password is wrong or the key type is
failing, from my experience; perhaps other folks can comment.  To
troubleshoot this you would review and apply the content from these things.

So, to be clear, you have:
1) set the "Permit AES-256" key type checkbox on that entry
2) CHANGED (not set to the same value) the password on AD
3) re-run your ktutil to set the new password and enctype in the keytab
you are creating

If that is true then I would test with adding additional weaker encryption
types to the keytab as well (RC4-HMAC/arcfour-hmac-md5); avoid using DES.

If that is what has been done then you'll need to start troubleshooting on
the client and AD side; these discuss how to troubleshoot what is failing
when you attempt Kerberos auth.


MIT Kerberos Documentation: Troubleshooting
https://web.mit.edu/kerberos/krb5-1.13/doc/admin/troubleshoot.html


How to enable Kerberos event logging
https://support.microsoft.com/en-us/kb/262177

On Thu, Oct 27, 2016 at 9:37 AM, Thomas Beaudry <thomas.beau...@concordia.ca
> wrote:

> Hi Todd,
>
>
> Yes i changed the password.  Still the same problem.
>
>
> thanks!
>
> Thomas
> ------
> *From:* Todd Grayson <tgray...@cloudera.com>
> *Sent:* Thursday, October 27, 2016 11:25 AM
>
> *To:* Thomas Beaudry
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> you have to change the password after setting the checkbox was that
> done?
>
> On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry <
> thomas.beau...@concordia.ca> wrote:
>
>> Hi Todd,
>>
>>
>> Thanks I tried enabling the AES256​ checkbox but that didn't fix the
>> problem. Also, I checked other users and they don't have that checkbox
>> clicked - so it isn't the issue.
>>
>>
>> Any more thoughts as to what could be causing this 1 user to not be able
>> to use a keytab?
>>
>>
>> Thanks,
>>
>> Thomas
>> --
>> *From:* Todd Grayson <tgray...@cloudera.com>
>> *Sent:* Wednesday, October 26, 2016 4:20 PM
>>
>> *To:* Thomas Beaudry
>> *Cc:* kerberos@mit.edu
>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>> credentials
>>
>> No, in that case, forget the kvno; it is not going to come out correctly
>> that way.
>>
>> It's for when you export the keytab from the KDC; in AD contexts like you
>> are describing it becomes an invalid data point.
>>
>> On AD, verify the entry in the AD Users and Computers GUI, set the user
>> entry to allow AES-256 and change the password for the user so you have a
>> valid representation of the password on the AD side for your keytab's
>> AES256.  If you right-click on the user and go into Properties, it's a
>> selection list of checkboxes in one of the tabs in the GUI for the user
>> entry edit.
>>
>> That, or don't pick AES256 for what you are setting up on the keytab;
>> depending on the AD version you might have issues (e.g. if AD 2003 was in
>> use).
>>
>>
>>
>> On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
>> thomas.beau...@concordia.ca> wrote:
>>
>>> Hi Todd,
>>>
>>>
>>> Thanks for answering.   It's a Windows AD.  I'm using ktutil to create
>>> the keytab:
>>>
>>>
>>> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>>>
>>>
>>> I'll look into the kvno.
>>>
>>>
>>> Thomas
>>>
>>>
>>> --
>>> *From:* Todd Grayson <tgray...@cloudera.com>
>>> *Sent:* Wednesday, October 26, 2016 2:48 PM
>>> *To:* Thomas Beaudry
>>> *Cc:* kerberos@mit.edu
>>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>>> credentials
>>>
>>> Is the KDC MIT? AD?  Assuming MIT KDC:
>>>
>>> Use the kvno command to evaluate what the KDC thinks is current, vs.
>>> klist -kte .perform-admin.keytab
>>>
>>> Verify the kvno (key version number) matches up from the keytab to what
>>> the KDC states is the current version.  kinit as a working user first from
>>> the CLI, then attempt the kvno against the principal associated with the
>>> keytab that is failing.
>>>
>>> What is the command line you are using to export keytabs? The default
>>> behavior is to randomize the key on each export unless you specifically tell
>>> it not to with -norandkey
>>>
>>> http://krbdev.mit.edu/rt/Ticket/Hi

Re: .kinit: Preauthentication failed while getting initial credentials

2016-10-27 Thread Todd Grayson
You have to change the password after setting the checkbox; was that
done?

On Thu, Oct 27, 2016 at 9:23 AM, Thomas Beaudry <thomas.beau...@concordia.ca
> wrote:

> Hi Todd,
>
>
> Thanks, I tried enabling the AES256 checkbox but that didn't fix the
> problem. Also, I checked other users and they don't have that checkbox
> clicked - so it isn't the issue.
>
>
> Any more thoughts as to what could be causing this 1 user to not be able
> to use a keytab?
>
>
> Thanks,
>
> Thomas
> --
> *From:* Todd Grayson <tgray...@cloudera.com>
> *Sent:* Wednesday, October 26, 2016 4:20 PM
>
> *To:* Thomas Beaudry
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> No, in that case, forget the kvno; it is not going to come out correctly
> that way.
>
> It's for when you export the keytab from the KDC; in AD contexts like you
> are describing it becomes an invalid data point.
>
> On AD, verify the entry in the AD Users and Computers GUI, set the user
> entry to allow AES-256 and change the password for the user so you have a
> valid representation of the password on the AD side for your keytab's
> AES256.  If you right-click on the user and go into Properties, it's a
> selection list of checkboxes in one of the tabs in the GUI for the user
> entry edit.
>
> That, or don't pick AES256 for what you are setting up on the keytab;
> depending on the AD version you might have issues (e.g. if AD 2003 was in
> use).
>
>
>
> On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
> thomas.beau...@concordia.ca> wrote:
>
>> Hi Todd,
>>
>>
>> Thanks for answering.   It's a Windows AD.  I'm using ktutil to create
>> the keytab:
>>
>>
>> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>>
>>
>> I'll look into the kvno.
>>
>>
>> Thomas
>>
>>
>> --
>> *From:* Todd Grayson <tgray...@cloudera.com>
>> *Sent:* Wednesday, October 26, 2016 2:48 PM
>> *To:* Thomas Beaudry
>> *Cc:* kerberos@mit.edu
>> *Subject:* Re: .kinit: Preauthentication failed while getting initial
>> credentials
>>
>> Is the KDC MIT? AD?  Assuming MIT KDC:
>>
>> Use the kvno command to evaluate what the KDC thinks is current, vs. klist
>> -kte .perform-admin.keytab
>>
>> Verify the kvno (key version number) matches up from the keytab to what
>> the KDC states is the current version.  kinit as a working user first from
>> the CLI, then attempt the kvno against the principal associated with the
>> keytab that is failing.
>>
>> What is the command line you are using to export keytabs? The default
>> behavior is to randomize the key on each export unless you specifically tell
>> it not to with -norandkey
>>
>> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>>
>> use -norandkey when exporting a keytab to prevent the key from being
>> changed...
>>
>> On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
>> thomas.beau...@concordia.ca> wrote:
>>
>>> Hi Everyone,
>>>
>>>
>>> I am running into a strange problem.  I cannot get a Kerberos ticket
>>> when using a keytab, but for 1 specific user only:
>>>
>>>
>>> This is the command I use:
>>>
>>>
>>> > kinit perform-admin -kt .perform-admin.keytab
>>>
>>> kinit: Preauthentication failed while getting initial credentials
>>>
>>>
>>> Now if I do:
>>>
>>> ?kinit
>>>
>>> then I get prompted for a password, and then a ticket is created.
>>>
>>>
>>> Like I said, I can use a keytab for every other user and it does work; it
>>> is only for this 1 specific user that it fails.  I have also tried creating
>>> new keytabs for this user but it still fails.  I don't know if I have this
>>> problem because it's the same user that I used to join the REALM in the
>>> first place..
>>>
>>> Any thoughts?
>>>
>>> Thanks!
>>> Thomas Beaudry
>>> 
>>> Kerberos mailing list   Kerberos@mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>>
>> --
>> Todd Grayson
>> Business Operations Manager
>> Customer Operations Engineering
>> Security SME
>>
>>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: .kinit: Preauthentication failed while getting initial credentials

2016-10-26 Thread Todd Grayson
No, in that case, forget the kvno; it is not going to come out correctly
that way.

It's for when you export the keytab from the KDC; in AD contexts like you
are describing it becomes an invalid data point.

On AD, verify the entry in the AD Users and Computers GUI, set the user
entry to allow AES-256 and change the password for the user so you have a
valid representation of the password on the AD side for your keytab's
AES256.  If you right-click on the user and go into Properties, it's a
selection list of checkboxes in one of the tabs in the GUI for the user
entry edit.

That, or don't pick AES256 for what you are setting up on the keytab;
depending on the AD version you might have issues (e.g. if AD 2003 was in
use).



On Wed, Oct 26, 2016 at 12:52 PM, Thomas Beaudry <
thomas.beau...@concordia.ca> wrote:

> Hi Todd,
>
>
> Thanks for answering.   It's a Windows AD.  I'm using ktutil to create
> the keytab:
>
>
> addent -password -p perform-admin -k 1 -e aes256-cts-hmac-sha1-96
>
>
> I'll look into the kvno.
>
>
> Thomas
>
>
> --
> *From:* Todd Grayson <tgray...@cloudera.com>
> *Sent:* Wednesday, October 26, 2016 2:48 PM
> *To:* Thomas Beaudry
> *Cc:* kerberos@mit.edu
> *Subject:* Re: .kinit: Preauthentication failed while getting initial
> credentials
>
> Is the KDC MIT? AD?  Assuming MIT KDC:
>
> Use the kvno command to evaluate what the KDC thinks is current, vs. klist
> -kte .perform-admin.keytab
>
> Verify the kvno (key version number) matches up from the keytab to what
> the KDC states is the current version.  kinit as a working user first from
> the CLI, then attempt the kvno against the principal associated with the
> keytab that is failing.
>
> What is the command line you are using to export keytabs? The default
> behavior is to randomize the key on each export unless you specifically tell
> it not to with -norandkey
>
> http://krbdev.mit.edu/rt/Ticket/History.html?id=914
>
> use -norandkey when exporting a keytab to prevent the key from being
> changed...
>
> On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
> thomas.beau...@concordia.ca> wrote:
>
>> Hi Everyone,
>>
>>
>> I am running into a strange problem.  I cannot get a Kerberos ticket
>> when using a keytab, but for 1 specific user only:
>>
>>
>> This is the command I use:
>>
>>
>> > kinit perform-admin -kt .perform-admin.keytab
>>
>> kinit: Preauthentication failed while getting initial credentials
>>
>>
>> Now if I do:
>>
>> ?kinit
>>
>> then I get prompted for a password, and then a ticket is created.
>>
>>
>> Like I said, I can use a keytab for every other user and it does work; it
>> is only for this 1 specific user that it fails.  I have also tried creating
>> new keytabs for this user but it still fails.  I don't know if I have this
>> problem because it's the same user that I used to join the REALM in the
>> first place..
>>
>> Any thoughts?
>>
>> Thanks!
>> Thomas Beaudry
>> 
>> Kerberos mailing list   Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: .kinit: Preauthentication failed while getting initial credentials

2016-10-26 Thread Todd Grayson
Is the KDC MIT? AD?  Assuming MIT KDC:

Use the kvno command to evaluate what the KDC thinks is current, vs. klist
-kte .perform-admin.keytab

Verify the kvno (key version number) matches up from the keytab to what the
KDC states is the current version.  kinit as a working user first from the
CLI, then attempt the kvno against the principal associated with the keytab
that is failing.

What is the command line you are using to export keytabs? The default
behavior is to randomize the key on each export unless you specifically tell
it not to with -norandkey

http://krbdev.mit.edu/rt/Ticket/History.html?id=914

use -norandkey when exporting a keytab to prevent the key from being
changed...

On Wed, Oct 26, 2016 at 12:20 PM, Thomas Beaudry <
thomas.beau...@concordia.ca> wrote:

> Hi Everyone,
>
>
> I am running into a strange problem.  I cannot get a Kerberos ticket when
> using a keytab, but for 1 specific user only:
>
>
> This is the command I use:
>
>
> > kinit perform-admin -kt .perform-admin.keytab
>
> kinit: Preauthentication failed while getting initial credentials
>
>
> Now if I do:
>
> ?kinit
>
> then I get prompted for a password, and then a ticket is created.
>
>
> Like I said, I can use a keytab for every other user and it does work; it
> is only for this 1 specific user that it fails.  I have also tried creating
> new keytabs for this user but it still fails.  I don't know if I have this
> problem because it's the same user that I used to join the REALM in the
> first place..
>
> Any thoughts?
>
> Thanks!
> Thomas Beaudry
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Kerberos Authentication Support help

2016-10-07 Thread Todd Grayson
Anil

You are not using MIT Kerberos; it appears your organization installed the
product listed below at some point:

https://en.wikipedia.org/wiki/FoxT_ServerControl

It would be best to contact their support organization for assistance
with their BOKS product suite.

The open source implementation allows that command; it might be that a
policy is missing or needs to be updated to allow this in the FoxT software?

http://www.foxt.com/boks-servercontrol/

On Fri, Oct 7, 2016 at 8:44 AM, <anilkumar.palahanumanth...@wellsfargo.com>
wrote:

> Please see below.
>
>
>
> Also echo "password" | /opt/boksm/bin/kinit userid is prompting for a
> password, which is not expected. I want the command to take the password and
> log in directly. Can you help?
>
>
>
> $ which kinit
> /opt/boksm/bin/kinit
> $
> $ which klist
> /opt/boksm/bin/klist
> $ cd /opt/boksm/bin/
> $ clear
> $ ls -lrt
> total 29092
> -rwxr-xr-x 1 root root     785 May  7  2013 telnet
> drwxr-xr-x 2 root root    4096 May  7  2013 X11
> -rwsr-xr-x 1 root root 2100256 May  7  2013 ssh-keysign
> -rwxr-xr-x 1 root root 1961056 May  7  2013 ssh-keygen
> -rwxr-xr-x 1 root root 1873440 May  7  2013 ssh-agent
> -rwxr-xr-x 1 root root 1903552 May  7  2013 ssh-add
> -rwxr-xr-x 1 root root  144536 May  7  2013 sftp
> -rwxr-xr-x 1 root root  128192 May  7  2013 scp
> -rwsr-xr-x 1 root root 2048416 May  7  2013 sshpkadm
> -rwsr-xr-x 1 root root 1191160 May  7  2013 swrole
> -rwsr-xr-x 1 root root  102624 May  7  2013 rolelist
> -rwsr-xr-x 1 root root      32 May  7  2013 pvi
> -rwxr-xr-x 1 root root 2764040 May  7  2013 klist
> -rwxr-xr-x 1 root root 2729160 May  7  2013 kinit
> -rwxr-xr-x 1 root root 2603176 May  7  2013 kgetcred
> -rwxr-xr-x 1 root root 2570184 May  7  2013 kdestroy
> -rwxr-xr-x 1 root root 4215848 Oct 16  2013 ssh
> -rwsr-xr-x 1 root root 3071992 Mar  5  2014 suexec
> -rwxr-xr-x 1 root root    4035 Jul 29  2015 sudo
> -rwxr-xr-x 1 root root    5726 Jul 29  2015 pbrun
> -rwxr-xr-x 1 root root    5522 Jul 29  2015 bksu
>
>
>
> *From:* Todd Grayson [mailto:tgray...@cloudera.com]
> *Sent:* Thursday, October 06, 2016 3:55 PM
> *To:* Robbie Harwood
> *Cc:* Pala hanumanth rao, Anil kumar; kerberos@MIT.EDU
> *Subject:* Re: Kerberos Authentication Support help
>
>
>
> Anil,
>
>
>
> This is not really "support" more than a community discussion list (for
> your information).
>
>
>
> Do a 'which kinit' to verify your proper path to the kinit command on the
> distro you are on...
>
>
>
> This works, but realize the path /opt/boksm/bin/kinit is not valid (by
> default) on Linux...
>
> for example:
>
> [12:50 root@admin1 ~] > which kinit
> kinit is /usr/bin/kinit
> [12:50 root@admin1 ~] > kdestroy
> [12:50 root@admin1 ~] > klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> [12:50 root@admin1 ~] > echo "Password1" | /usr/bin/kinit tgray...@ad.example.com
> Password for tgray...@ad.example.com:
> [12:50 root@admin1 ~] > klist -ef
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: tgray...@ad.example.com
>
> Valid starting     Expires            Service principal
> 10/06/16 12:50:40  10/06/16 22:51:32  krbtgt/ad.example@ad.example.com
> renew until 10/13/16 12:50:40, Flags: FRIA
> Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
>
> On Thu, Oct 6, 2016 at 1:39 PM, Robbie Harwood <rharw...@redhat.com>
> wrote:
>
> anilkumar.palahanumanth...@wellsfargo.com writes:
>
> > Dear Support,
> >
> > We are using Kerberos Authentication in the past on AIX with the below
> command and it worked fine.
> > echo "password" | /opt/boksm/bin/kinit userid
> >
> > We recently migrated from AIX to Linux, and when we gave the above
> > commands, it is asking for the password in interactive mode.
> >
> > userid 's Password:
> >
> > We would like to pass the password dynamically, please help.
>
> Is this MIT's krb5 or Heimdal's?  What version?
>
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
>
>
> --
>
> Todd Grayson
>
> Business Operations Manager
>
> Customer Operations Engineering
>
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Get Kerberized services information from Kerberos KDC

2016-10-06 Thread Todd Grayson
So the principal names will be visible in the Kerberos KDC logging with a
format of service/host.fqdn.name@REALM

You can grep the significant principal name patterns you need (hdfs/*,
yarn/*, etc.) out of that log and see your AS_REQ and AS_REP as
authentication events.

Oct 06 15:53:09 nightly58-1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1
3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16
ses=16}, impala/c58-3.fun.example@fun.example.com for krbtgt/
fun.example@fun.example.com

Inter-service traffic will be visible as TGS_REQ type log events.  A perl script
or grep/awk could give a pretty good summary of service-to-service
interactions being set up in the TGS_REQ events...

Oct 06 15:52:49 nightly58-1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17
16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16
ses=16}, hdfs/c58-1.fun.example@fun.example.com for HTTP/
c58-2.fun.example@fun.example.com



On Thu, Oct 6, 2016 at 4:25 PM, chen dong <chendong...@gmail.com> wrote:

> Hi ,
>
> Can I query the Kerberos KDC database to know how many services have been
> Kerberized in the KDC? How many service tickets have been given to clients? How
> many sessions have been built for clients?
>
> I am using Kerberos on Hadoop Security. It makes it much easier to do it using
> a management system - Cloudera. After a few clicks which follow the
> instructions, it is done. But is it done? I am not sure and I need to prove
> it. I think the only way to make me confident that it has been done is if
> Kerberos tells me. If I get this information from Kerberos, I will be happy
> to tell my boss. My job has finished.
>
> If anyone knows about this, it would be much appreciated.
>
> Regards,
>
> Dong
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
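As an added example (not code from the thread or from MIT krb5): a Python parser for krb5kdc log lines in the format quoted above that produces the grep/awk-style summary Todd describes, counting TGTs issued per client (AS_REQ), service-to-service tickets per (client, service) pair (TGS_REQ), requests that yielded no ticket (NEEDED_PREAUTH, PREAUTH_FAILED), and tickets issued with deprecated enctypes such as the des3 (16) tickets in the quoted lines. The sample log, realm, hostnames and addresses are constructed.

```python
"""Summarise MIT krb5kdc log lines: TGTs issued (AS_REQ), service-to-service
tickets issued (TGS_REQ), requests that got no ticket, and tickets issued with
deprecated enctypes.  Added example, not from the thread; sample log is constructed."""
import fnmatch
import re
from collections import Counter

# Encryption type numbers from RFC 3961 / the IANA Kerberos registry.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Single DES, triple DES and RC4 are deprecated; a ticket issued with one of
# them is worth flagging even though the request itself succeeded.
WEAK_ETYPES = {1, 2, 3, 16, 23}

# One krb5kdc "info" line for an AS_REQ or TGS_REQ.  The "authtime ..., etypes
# {...}, " part appears only on ISSUE lines; other statuses (NEEDED_PREAUTH,
# PREAUTH_FAILED, ...) carry a trailing ", <message>" instead.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<msg>.*))?$"
)

# Constructed sample: realm, hosts and addresses are placeholders.
SAMPLE_LOG = """\
Oct 06 15:52:49 kdc1 krb5kdc[17178](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 10.11.13.118: ISSUE: authtime 1475757403, etypes {rep=16 tkt=16 ses=16}, hdfs/c58-1.example.com@EXAMPLE.COM for HTTP/c58-2.example.com@EXAMPLE.COM
Oct 06 15:53:09 kdc1 krb5kdc[17178](info): AS_REQ (7 etypes {16 23 1 3 18 17 2}) 10.11.13.120: ISSUE: authtime 1475794389, etypes {rep=16 tkt=16 ses=16}, impala/c58-3.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct 06 15:53:10 kdc1 krb5kdc[17178](info): AS_REQ (4 etypes {18 17 16 23}) 10.11.13.121: NEEDED_PREAUTH: yarn/c58-2.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Oct 06 15:53:10 kdc1 krb5kdc[17178](info): AS_REQ (4 etypes {18 17 16 23}) 10.11.13.121: ISSUE: authtime 1475794390, etypes {rep=18 tkt=18 ses=18}, yarn/c58-2.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct 06 15:53:12 kdc1 krb5kdc[17178](info): TGS_REQ (4 etypes {18 17 16 23}) 10.11.13.121: ISSUE: authtime 1475794390, etypes {rep=18 tkt=18 ses=18}, yarn/c58-2.example.com@EXAMPLE.COM for hdfs/c58-1.example.com@EXAMPLE.COM
Oct 06 15:53:15 kdc1 krb5kdc[17178](info): AS_REQ (4 etypes {18 17 16 23}) 10.11.13.130: PREAUTH_FAILED: perform-admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Oct 06 15:53:15 kdc1 krb5kdc[17178](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
"""


def parse_line(line):
    """Return a dict of fields for an AS_REQ/TGS_REQ line, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(n) for n in rec["offered"].split()]
    for key in ("authtime", "rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(log_text):
    """Aggregate a KDC log into the views an operator usually wants."""
    summary = {
        "as_issued": Counter(),   # client principal -> TGTs issued
        "tgs_pairs": Counter(),   # (client, service) -> service tickets issued
        "non_issue": Counter(),   # (status, client) -> requests with no ticket
        "weak_tickets": [],       # (client, service, ticket enctype name)
        "unparsed": 0,            # lines that are not AS_REQ/TGS_REQ events
    }
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec["status"] != "ISSUE":
            # NEEDED_PREAUTH is the normal first round trip of an AS exchange;
            # PREAUTH_FAILED is the KDC-side view of the client's
            # "Preauthentication failed" (wrong password or wrong keytab key).
            summary["non_issue"][(rec["status"], rec["client"])] += 1
            continue
        if rec["kind"] == "AS_REQ":
            summary["as_issued"][rec["client"]] += 1
        else:
            summary["tgs_pairs"][(rec["client"], rec["server"])] += 1
        if rec["tkt"] in WEAK_ETYPES:
            name = ETYPE_NAMES.get(rec["tkt"], "etype %d" % rec["tkt"])
            summary["weak_tickets"].append((rec["client"], rec["server"], name))
    return summary


def service_matrix(summary, client_glob="*"):
    """Service tickets per (client, service) for clients matching a shell-style
    glob such as 'hdfs/*' or 'yarn/*', the grep patterns the thread suggests."""
    matrix = {}
    for (client, service), n in summary["tgs_pairs"].items():
        if fnmatch.fnmatchcase(client, client_glob):
            matrix.setdefault(client, {})[service] = n
    return matrix


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("TGTs issued:", dict(s["as_issued"]))
    print("service -> service:", service_matrix(s))
    print("no ticket:", dict(s["non_issue"]), "weak:", s["weak_tickets"])
```

Run it against a real krb5kdc.log by passing the file contents to summarize(); the tkt= field is the one to watch, since it is the enctype the service key actually allowed.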


Re: Kerberos Authentication Support help

2016-10-06 Thread Todd Grayson
Anil,

This is not really "support" more than a community discussion list (for
your information).

Do a 'which kinit' to verify your proper path to the kinit command on the
distro you are on...

This works, but realize the path /opt/boksm/bin/kinit is not valid (by
default) on Linux...

for example:

[12:50 root@admin1 ~] > which kinit
kinit is /usr/bin/kinit
[12:50 root@admin1 ~] > kdestroy
[12:50 root@admin1 ~] > klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[12:50 root@admin1 ~] > echo "Password1" | /usr/bin/kinit tgray...@ad.example.com
Password for tgray...@ad.example.com:
[12:50 root@admin1 ~] > klist -ef
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tgray...@ad.example.com

Valid starting     Expires            Service principal
10/06/16 12:50:40  10/06/16 22:51:32  krbtgt/ad.example@ad.example.com
renew until 10/13/16 12:50:40, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

On Thu, Oct 6, 2016 at 1:39 PM, Robbie Harwood <rharw...@redhat.com> wrote:

> anilkumar.palahanumanth...@wellsfargo.com writes:
>
> > Dear Support,
> >
> > We are using Kerberos Authentication in the past on AIX with the below
> command and it worked fine.
> > echo "password" | /opt/boksm/bin/kinit userid
> >
> > We recently migrated from AIX to Linux, and when we gave the above
> > commands, it is asking for the password in interactive mode.
> >
> > userid 's Password:
> >
> > We would like to pass the password dynamically, please help.
>
> Is this MIT's krb5 or Heimdal's?  What version?
>
> ____
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Avoiding "KDC has no support for encryption type while getting initial credentials" by pinning selected KDC

2016-08-17 Thread Todd Grayson
Michael,

This does not fix your issue; it's more for clarification of the discussion.

The "domain functional level" should be dictating the behavior of the
aggregate AD environment. You can control the preference for encryption
type in the krb5.conf's [libdefaults] enctype
settings (default_tgs_enctypes, permitted_enctypes, default_tkt_enctypes).

Consider that the following might offer some possible workarounds:

As I understand it, Kerberos will use the provided encryption types based
on the order presented in the config, so if you have a subset of services
and users that need everything negotiated with rc4-hmac as the preferred
encryption type, you would make sure that was listed first in the client
config.

The important thing to remember is to use the naming presented in the enctypes
reference table from the krb5.conf / kdc.conf MIT docs (or enctype groups)
or the settings are ignored.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/krb5_conf.html#libdefaults
http://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/kdc_conf.html#encryption-types

*If Java is in the mix you have to limit enctypes to what's supported under
the JGSS as well.

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html


On Wed, Aug 17, 2016 at 9:19 AM, Greg Hudson <ghud...@mit.edu> wrote:

> On 08/17/2016 08:51 AM, Osipov, Michael wrote:
> > The keytab contains three keys for one principal: RC4, AES128, AES256.
> > Our home realm is backed up by 80 to 100 KDCs of various Windows Server
> > versions, not all support AES. KDC lookups rely on DNS only and we do
> > not intend to hardcode them in krb5.conf.
>
> I do not know a lot about administering Active Directory, but I thought
> the usual practice here was to configure the newer AD servers to behave
> as if they were of the least common denominator version.
>
> > I would expect MIT Kerberos to pin the first working KDC because some
> > information has been negotiated already but sent to a completely different
> > KDC. This is annoying because I would expect the communication between client
> > and server to be predictable.
>
> The Kerberos authentication protocol is intended to be stateless; if
> different requests during an AS exchange go to different KDCs, that is
> supposed to work.  We have talked about preferring the previously chosen
> KDC during an AS exchange (mostly for the sake of marginal preauth
> mechanism implementations), but I think the code changes necessary to
> implement that properly would be extensive.
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Login usecase

2016-07-18 Thread Todd Grayson
Neela,

depending on distribution in use, much of the discussion is here

https://hadoop.apache.org/docs/r2.6.0/hadoop-auth/Configuration.html

The service (in this case Hadoop core across a subset of the services) gets
its ticket granting ticket as it starts up.  The user or client application
does as well.  Each one independently gets its own service ticket to act with
the service.  They do not overwrite each other; each client maintains its
context, and the one that directly interacts with the Hadoop service must be
presenting its own credentials, not the end user's (in most cases, but there
are variances for older/simpler components).

When you are using a structure like the one you are presenting, generally
the authentication starts with the user having Kerberos authentication into
"my application" via SPNEGO if HTTP, or otherwise, in a CLI context, you're using
tools such as the Hadoop security client classes.

When front-ending the application interaction with a web application that
is Java based, you extend your implementation through the JAAS layer to
handle web based Kerberos authentication ("SPNEGO") as the interface to your
app.

The app on the backend then would be authenticating as a service against
Hadoop, and depending on the components, present their session as "doing
as" a realm authenticated user.

I would suggest reviewing this blog for context and what to consider as you
attempt to use what's called "Kerberos impersonation" to have the chain of
authentication you are indicating in your diagram.

http://dewoods.com/blog/hadoop-kerberos-guide

The better mailing list to continue on would probably be based on the
component you are using, as you are getting into application development
through a specific toolkit (Hadoop) over Kerberos... as the MIT Kerberos
core list team might not appreciate us going down the Hadoop path so
specifically within the list.

A great content set to start with, so you get a deeper understanding of the
underlying Kerberos concepts you need to understand in general, is here:

http://web.mit.edu/kerberos/krb5-latest/doc/

with some handy considerations to keep in mind here when creating apps
based on kerberos.

http://web.mit.edu/kerberos/krb5-latest/doc/admin/appl_servers.html



On Mon, Jul 18, 2016 at 2:46 PM, Aneela Saleem <ane...@platalytics.com>
wrote:

> Thanks Brandon and Todd,
>
> I still have some confusions. Please guide me I'm just a beginner.
>
> At the current stage I'm not implementing single-sign on. Here is the flow
> of our application
>
> Screenshotfrom2016-07-12171018.jpg
>
> <https://drive.google.com/a/platalytics.com/file/d/0BytQ11DT_A8HUjhIcUU2bm1PSlU/view?usp=drivesdk>
>
>
> User1 logs into our application through password-based authentication.
> After that, when the user tries to access the Kerberized Hadoop cluster
> it gets the authentication token from the KDC, and the credential cache for
> this user is stored on the client machine where the application is
> running, and user1 accesses the cluster.  Meanwhile another user (i.e.,
> user2) logs into the application and tries to access the Kerberized
> cluster. Now when it gets the token from the KDC, will the credentials of user1
> be overridden by user2's credentials? If so, then how do I solve this
> particular scenario? I'm not getting a clear idea.
>
> Thanks
>
> On Monday, 18 July 2016, Todd Grayson <tgray...@cloudera.com> wrote:
>
>> (and I realize Kerberos doesn't do groups)
>>
>> On Mon, Jul 18, 2016 at 12:05 PM, Todd Grayson <tgray...@cloudera.com>
>> wrote:
>>
>>> Aneela,
>>>
>>> HDFS supports the use of the \L lowercase "macro".  This is implemented
>>> through the HDFS auth_to_local rules; it can be applied using the
>>> additional rules if within the CDH.   The relationship for Kerberos from
>>> Hadoop (for a major portion of the platform) traverses the Java JGSS
>>> implementation + Hadoop security core classes. (Might be the better thread
>>> to shift to if you need deeper discussion?)
>>>
>>> This is described in the Apache Hadoop upstream Jira HADOOP-10556
>>>
>>> But I agree discussing the approach on getting agreement on the
>>> structure of username, uppercase/lowercase and group name in general is
>>> something to be having.
>>>
>>>
>>> On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <
>>> ballb...@sinenomine.net> wrote:
>>>
>>>> While I can’t give you details, it sounds like you want to change the
>>>> web application to use SPNEGO to do Kerberos authentication with a user;
>>>> this gives you a credential that you can then use to authenticate to 
>>>> Hadoop.
>>>>
>>>

Re: Login usecase

2016-07-18 Thread Todd Grayson
(and I realize Kerberos doesn't do groups)

On Mon, Jul 18, 2016 at 12:05 PM, Todd Grayson <tgray...@cloudera.com>
wrote:

> Aneela,
>
> HDFS supports the use of the \L lowercase "macro".  This is implemented
> through the HDFS auth_to_local rules; it can be applied using the
> additional rules if within the CDH.   The relationship for Kerberos from
> Hadoop (for a major portion of the platform) traverses the Java JGSS
> implementation + Hadoop security core classes. (Might be the better thread
> to shift to if you need deeper discussion?)
>
> This is described in the Apache Hadoop upstream Jira HADOOP-10556
>
> But I agree discussing the approach on getting agreement on the structure
> of username, uppercase/lowercase and group name in general is something to
> be having.
>
>
> On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <ballb...@sinenomine.net>
> wrote:
>
>> While I can’t give you details, it sounds like you want to change the web
>> application to use SPNEGO to do Kerberos authentication with a user; this
>> gives you a credential that you can then use to authenticate to Hadoop.
>>
>> From: Aneela Saleem <ane...@platalytics.com>
>> Date: Monday, July 18, 2016 at 11:13
>> To: Brandon Allbery <ballb...@sinenomine.net>
>> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
>> Subject: Re: Login usecase
>>
>> Thanks Brandon for your response.
>>
>> Actually, my use-case is that I have a web application that authenticates
>> a user. Then the user calls my backend services written in Java to interact
>> with the Hadoop cluster. My Hadoop cluster is Kerberos-enabled. I need to
>> authenticate this user using my Java code. I am able to log in using keytab
>> files, but I could not find a way to log in using a password. For logging in
>> using keytab files, we need to place keytab files for all the system users
>> on all the hosts from where we can access our Hadoop cluster. So this is
>> the main drawback. And as you say logging in using keytab files is not
>> appropriate, then how can we achieve this objective?
>>
>> Thanks
>>
>> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballb...@sinenomine.net
>> <mailto:ballb...@sinenomine.net>> wrote:
>> You are going to have to describe what you are trying to do in more
>> detail. Keytabs are not normally used for this purpose, except in the case
>> of automated procedures (e.g. cron) that need to log in to a service as if
>> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
>> with ccaches (ephemeral service credentials, which may or may not be on
>> disk and typically expire in a relatively short time)?
>>
>> On 7/17/16, 16:04, "kerberos-boun...@mit.edu on behalf of Aneela Saleem"
>> <kerberos-boun...@mit.edu on behalf of ane...@platalytics.com> wrote:
>>
>> Hi all,
>>
>> If a user logs into any Kerberized application using Krb5LoginModule,
>> there is a function loginFromKeyTab. The client should have the keytab
>> file to log in to the application. But I think this is a very insecure way
>> of logging in. Anyone who could access your keytab file could then log in
>> to the application. Is there any appropriate way to log in to the system?
>> I don't understand how to do this. I'm stuck.
>>
>> Thanks
>> ________
>> Kerberos mailing list   Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>> 
>> Kerberos mailing list   Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Login usecase

2016-07-18 Thread Todd Grayson
Aneela,

HDFS supports the use of the \L lowercase "macro".  This is implemented
through the HDFS auth_to_local rules; it can be applied using the
additional rules if within the CDH.   The relationship for kerberos from
hadoop (for a major portion of the platform) traverses the java JGSS
implementation + hadoop security core classes. (Might be the better thread
to shift to if you need deeper discussion?)

This is described in the apache hadoop upstream Jira HADOOP-10556

But I agree that discussing the approach on getting agreement on the structure
of username, uppercase/lowercase and group name in general is something to
be having.


On Mon, Jul 18, 2016 at 9:41 AM, Brandon Allbery <ballb...@sinenomine.net>
wrote:

> While I can’t give you details, it sounds like you want to change the web
> application to use SPNEGO to do Kerberos authentication with a user; this
> gives you a credential that you can then use to authenticate to Hadoop.
>
> From: Aneela Saleem <ane...@platalytics.com>
> Date: Monday, July 18, 2016 at 11:13
> To: Brandon Allbery <ballb...@sinenomine.net>
> Cc: "kerberos@mit.edu" <kerberos@mit.edu>
> Subject: Re: Login usecase
>
> Thanks Brandon for your response.
>
> Actually, My use-case is that I have a web application that authenticates
> a user. Then user calls my backend services written in java to interact
> with hadoop cluster. My hadoop cluster is kerberos-enabled. I need to
> authenticate this user using my java code. I am able to login using keytab
> files, but i did not get someway to login using password. For logging in
> using keytab files, we need to place keytab files for all the system users
> on all the hosts from where we can access our hadoop cluster. So this is
> the main drawback. And as you say logging using keytab files is not
> appropriate then how can we achieve this objective?
>
> Thanks
>
> On Mon, Jul 18, 2016 at 7:45 PM, Brandon Allbery <ballb...@sinenomine.net
> <mailto:ballb...@sinenomine.net>> wrote:
> You are going to have to describe what you are trying to do in more
> detail. Keytabs are not normally used for this purpose, except in the case
> of automated procedures (e.g. cron) that need to log in to a service as if
> they are a user. Perhaps you have confused keytabs (“passwords” on disk)
> with ccaches (ephemeral service credentials, which may or may not be on
> disk and typically expire in a relatively short time)?
>
> On 7/17/16, 16:04, "kerberos-boun...@mit.edu kerberos-boun...@mit.edu> on behalf of Aneela Saleem" <
> kerberos-boun...@mit.edu<mailto:kerberos-boun...@mit.edu> on behalf of
> ane...@platalytics.com<mailto:ane...@platalytics.com>> wrote:
>
> Hi all,
>
> If a user logs into any kerberized Application, using Krb5LoginModule,
> there is a function loginFromKeyTab. Client should have the key tab
> file to
> login to application. But I think this is very insecure way of login.
> Anyone who could access your key tab file then login to application. Is
> there any appropriate way to login to system. I don't understand How
> to do
> this. I'm stuck
>
> Thanks
> 
> Kerberos mailing list   Kerberos@mit.edu Kerberos@mit.edu>
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
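The \L option Todd refers to is part of Hadoop's auth_to_local rule syntax (RULE:[n:format](regex)s/pattern/replacement/g/L, or DEFAULT). The following is an added example, not code from the thread or from Hadoop itself: a small Python re-implementation of how those rules are evaluated, so a rule set can be dry-run offline before it is put into core-site.xml. The realms, principals and rules in it are constructed for illustration; the sed replacement uses Python's \1 backreference syntax, which is a simplification of Hadoop's own replaceSubstitution.

```python
import re

# Hadoop's rule grammar, transcribed from KerberosName.ruleParser:
#   DEFAULT
#   RULE:[n:format](regex)s/pattern/replacement/g/L
# Everything after [n:format] is optional; a trailing "/L" lowercases the
# result (the option HADOOP-10556 added).
_RULE = re.compile(
    r"\s*((DEFAULT)|(RULE:\[(\d*):([^\]]*)\](\(([^)]*)\))?(s/([^/]*)/([^/]*)/(g)?)?/?(L)?))"
)
_NON_SIMPLE = re.compile(r"[/@]")


class NoMatchingRule(Exception):
    pass


class Rule:
    def __init__(self, text):
        m = _RULE.fullmatch(text.strip())
        if m is None:
            raise ValueError("invalid auth_to_local rule: %r" % text)
        self.is_default = m.group(2) is not None
        if self.is_default:
            return
        if not m.group(4):
            raise ValueError("rule needs a component count: %r" % text)
        self.num_components = int(m.group(4))
        self.format = m.group(5)
        self.match = re.compile(m.group(7)) if m.group(7) is not None else None
        self.from_pat = re.compile(m.group(9)) if m.group(9) is not None else None
        self.to_str = m.group(10)
        self.repeat = m.group(11) is not None      # "g": replace every match
        self.lower = m.group(12) is not None       # "/L": lowercase the result

    def apply(self, realm, components, default_realm):
        """Return the local name, or None if this rule does not apply."""
        if self.is_default:
            # DEFAULT only maps single-component principals in the local realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            return None
        if len(components) != self.num_components:
            return None
        # $0 is the realm, $1..$n the principal components.
        params = [realm] + components
        base = re.sub(r"\$(\d+)", lambda mm: params[int(mm.group(1))], self.format)
        # Java's Matcher.matches() anchors at both ends, hence fullmatch.
        if self.match is not None and self.match.fullmatch(base) is None:
            return None
        if self.from_pat is not None:
            base = self.from_pat.sub(self.to_str, base, count=0 if self.repeat else 1)
        if self.lower:
            base = base.lower()
        return base


def parse_rules(text):
    return [Rule(line) for line in text.splitlines() if line.strip()]


def split_principal(principal):
    if "@" not in principal:
        raise ValueError("principal %r has no realm" % principal)
    name, realm = principal.rsplit("@", 1)
    return realm, name.split("/")


def to_local(principal, rules, default_realm):
    """Map a principal to a short name; raises NoMatchingRule like Hadoop does."""
    realm, components = split_principal(principal)
    for rule in rules:
        result = rule.apply(realm, components, default_realm)
        if result is not None:
            if _NON_SIMPLE.search(result):
                # Hadoop refuses a result that still looks like a principal.
                raise NoMatchingRule("non-simple result %r for %s" % (result, principal))
            return result
    raise NoMatchingRule(principal)


def try_to_local(principal, rules, default_realm):
    """Same as to_local but returns None instead of raising (bulk dry-runs)."""
    try:
        return to_local(principal, rules, default_realm)
    except NoMatchingRule:
        return None


# Constructed rule set: lowercase users from a trusted AD realm, collapse the
# HDFS service principal to "hdfs", and leave local users to DEFAULT.
EXAMPLE_RULES = parse_rules(r"""
RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*///L
RULE:[2:$1@$0](hdfs@HADOOP\.EXAMPLE\.COM)s/.*/hdfs/
DEFAULT
""")
DEFAULT_REALM = "HADOOP.EXAMPLE.COM"

if __name__ == "__main__":
    for p in ("Aneela@CORP.EXAMPLE.COM",
              "hdfs/nn1.hadoop.example.com@HADOOP.EXAMPLE.COM",
              "todd@HADOOP.EXAMPLE.COM",
              "todd@OTHER.EXAMPLE.COM"):
        print(p, "->", try_to_local(p, EXAMPLE_RULES, DEFAULT_REALM))
```

Note the last case: a principal from a realm no rule covers is rejected outright rather than mapped to something, which is the behaviour you want from a trust boundary; a rule set that ends with a catch-all such as RULE:[1:$1] would silently accept every realm the KDC trusts.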


Re: ldap database error when creating initial stash

2016-06-30 Thread Todd Grayson
Is the file supposed to be schema.ldif once it's converted that way?

On Thu, Jun 30, 2016 at 9:58 AM, Todd Grayson <tgray...@cloudera.com> wrote:

> The discussion in the mail list I sent, the error emerged as it was
> parsing broken schema information in the file...
>
> On Thu, Jun 30, 2016 at 9:55 AM, Michael Aldridge <
> michael.aldri...@utdallas.edu> wrote:
>
>> Todd,
>>
>> You are correct that that is in ldif format.  The ldap server gets built
>> up by using the bare minimum to get it online and then all the other
>> schemata and associated files are loaded in with the server online.
>>
>> The distro is Void Linux, with kerberos version 1.14.2.
>>
>> I must admit I'm struggling to see what you are seeing.  The error text
>> to me sounds like it can't even find the ldap backend, much less try to
>> actually talk to it.  Can you explain why you think this might be a
>> schema error?
>>
>> --Michael
>>
>> On 06/30/2016 09:06 AM, Todd Grayson wrote:
>> > Michael, I apologize but I'm not familiar with that kind of formatting
>> > for the kerberos.schema file... the one I'm looking at looks like this
>> > (segment).
>> >
>> > What linux distro/versions are you working over?
>> >
>> > That almost looks like the kind of format you would see converting the
>> > .schema to .ldif or something?
>> >
>> > Not being able to parse the schema file is what I was pointing out for
>> > that error...
>> >
>> > --- snip of kerberos.schema as provided in ubuntu ---
>> >
>> > attributetype ( 2.16.840.1.113719.1.301.4.1.1
>> > NAME 'krbPrincipalName'
>> > EQUALITY caseExactIA5Match
>> > SUBSTR caseExactSubstringsMatch
>> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
>> >
>> > ...
>> > ...
>> >
>> > objectclass ( 2.16.840.1.113719.1.301.6.16.1
>> > NAME 'krbTicketPolicyAux'
>> > SUP top
>> > AUXILIARY
>> > MAY ( krbTicketFlags $ krbMaxTicketLife $
>> > krbMaxRenewableAge ) )
>> >
>> >
>> > On Thu, Jun 30, 2016 at 12:48 AM, Michael Aldridge
>> > <michael.aldri...@utdallas.edu <mailto:michael.aldri...@utdallas.edu>>
>> > wrote:
>> >
>> > While I have not done an in depth comparison, my schema would
>> appear to
>> > just be a re-formatted version of the schema provided in the source
>> > tree.  I believe I originally obtained it from an ubuntu release
>> > slightly more than a year ago.  What is striking here is that this
>> all
>> > worked less than a month ago on my test platform.
>> >
>> > For the curious, here is the schema I'm using:
>> >
>> https://raw.githubusercontent.com/collegiumv/cv_config/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
>> >
>> > --Michael
>> >
>> > On 06/30/2016 01:25 AM, Todd Grayson wrote:
>> > > Got schema issues?  Perhaps?
>> > >
>> > >
>> http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
>> > >
>> > > Magic google phrase:
>> > >
>> > > openldap kerberos schema "Unable to find requested database type"
>> > >
>> > > On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge
>> > > <michael.aldri...@utdallas.edu
>> > <mailto:michael.aldri...@utdallas.edu>
>> > <mailto:michael.aldri...@utdallas.edu
>> > <mailto:michael.aldri...@utdallas.edu>>>
>> > > wrote:
>> > >
>> > > Greetings,
>> > >
>> > > I hope I am emailing the correct list and if I am not then
>> please accept
>> > > my apology.  I am in the process of standing up a pair of
>> KDCs and I am
>> > > encountering this error when attempting to create the initial
>> password
>> > > stash for accessing the ldap server that backs the kerberos
>> database:
>> > >
>> > > kdb5_ldap_util: Unable to find requested database type while
>> setting up
>> > > lib handle
>> > >
>> > > The command I ran to get that error message is:
>> > >
>> > > sudo kdb5_ldap_util -D "cn=krbAdmService,dc=colle

Re: ldap database error when creating initial stash

2016-06-30 Thread Todd Grayson
sorry "kerberos.ldif" not "schema.ldif"

On Thu, Jun 30, 2016 at 10:00 AM, Todd Grayson <tgray...@cloudera.com>
wrote:

> Is the file supposed to be schema.ldif once its converted that way?
>
> On Thu, Jun 30, 2016 at 9:58 AM, Todd Grayson <tgray...@cloudera.com>
> wrote:
>
>> The discussion in the mail list I sent, the error emerged as it was
>> parsing broken schema information in the file...
>>
>> On Thu, Jun 30, 2016 at 9:55 AM, Michael Aldridge <
>> michael.aldri...@utdallas.edu> wrote:
>>
>>> Todd,
>>>
>>> You are correct that that is in ldif format.  The ldap server gets built
>>> up by using the bare minimum to get it online and then all the other
>>> schemata and associated files are loaded in with the server online.
>>>
>>> The distro is Void Linux, with kerberos version 1.14.2.
>>>
>>> I must admit I'm struggling to see what you are seeing.  The error text
>>> to me sounds like it can't even find the ldap backend, much less try to
>>> actually talk to it.  Can you explain why you think this might be a
>>> schema error?
>>>
>>> --Michael
>>>
>>> On 06/30/2016 09:06 AM, Todd Grayson wrote:
>>> > Michael, I apologize but I'm not familiar with that kind of formatting
>>> > for the kerberos.schema file... the one I'm looking at looks like this
>>> > (segment).
>>> >
>>> > What linux distro/versions are you working over?
>>> >
>>> > That almost looks like the kind of format you would see converting the
>>> > .schema to .ldif or something?
>>> >
>>> > Not being able to parse the schema file is what I was pointing out for
>>> > that error...
>>> >
>>> > --- snip of kerberos.schema as provided in ubuntu ---
>>> >
>>> > attributetype ( 2.16.840.1.113719.1.301.4.1.1
>>> > NAME 'krbPrincipalName'
>>> > EQUALITY caseExactIA5Match
>>> > SUBSTR caseExactSubstringsMatch
>>> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
>>> >
>>> > ...
>>> > ...
>>> >
>>> > objectclass ( 2.16.840.1.113719.1.301.6.16.1
>>> > NAME 'krbTicketPolicyAux'
>>> > SUP top
>>> > AUXILIARY
>>> > MAY ( krbTicketFlags $ krbMaxTicketLife $
>>> > krbMaxRenewableAge ) )
>>> >
>>> >
>>> > On Thu, Jun 30, 2016 at 12:48 AM, Michael Aldridge
>>> > <michael.aldri...@utdallas.edu <mailto:michael.aldri...@utdallas.edu>>
>>> > wrote:
>>> >
>>> > While I have not done an in depth comparison, my schema would
>>> appear to
>>> > just be a re-formatted version of the schema provided in the source
>>> > tree.  I believe I originally obtained it from an ubuntu release
>>> > slightly more than a year ago.  What is striking here is that this
>>> all
>>> > worked less than a month ago on my test platform.
>>> >
>>> > For the curious, here is the schema I'm using:
>>> >
>>> https://raw.githubusercontent.com/collegiumv/cv_config/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
>>> >
>>> > --Michael
>>> >
>>> > On 06/30/2016 01:25 AM, Todd Grayson wrote:
>>> > > Got schema issues?  Perhaps?
>>> > >
>>> > >
>>> http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
>>> > >
>>> > > Magic google phrase:
>>> > >
>>> > > openldap kerberos schema "Unable to find requested database type"
>>> > >
>>> > > On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge
>>> > > <michael.aldri...@utdallas.edu
>>> > <mailto:michael.aldri...@utdallas.edu>
>>> > <mailto:michael.aldri...@utdallas.edu
>>> > <mailto:michael.aldri...@utdallas.edu>>>
>>> > > wrote:
>>> > >
>>> > > Greetings,
>>> > >
>>> > > I hope I am emailing the correct list and if I am not then
>>> please accept
>>> > > my apology.  I am in the process of standing up a pair of
>>> KDCs and I am
>>> > > en

Re: ldap database error when creating initial stash

2016-06-30 Thread Todd Grayson
The discussion in the mail list I sent, the error emerged as it was parsing
broken schema information in the file...

On Thu, Jun 30, 2016 at 9:55 AM, Michael Aldridge <
michael.aldri...@utdallas.edu> wrote:

> Todd,
>
> You are correct that that is in ldif format.  The ldap server gets built
> up by using the bare minimum to get it online and then all the other
> schemata and associated files are loaded in with the server online.
>
> The distro is Void Linux, with kerberos version 1.14.2.
>
> I must admit I'm struggling to see what you are seeing.  The error text
> to me sounds like it can't even find the ldap backend, much less try to
> actually talk to it.  Can you explain why you think this might be a
> schema error?
>
> --Michael
>
> On 06/30/2016 09:06 AM, Todd Grayson wrote:
> > Michael, I apologize but I'm not familiar with that kind of formatting
> > for the kerberos.schema file... the one I'm looking at looks like this
> > (segment).
> >
> > What linux distro/versions are you working over?
> >
> > That almost looks like the kind of format you would see converting the
> > .schema to .ldif or something?
> >
> > Not being able to parse the schema file is what I was pointing out for
> > that error...
> >
> > --- snip of kerberos.schema as provided in ubuntu ---
> >
> > attributetype ( 2.16.840.1.113719.1.301.4.1.1
> > NAME 'krbPrincipalName'
> > EQUALITY caseExactIA5Match
> > SUBSTR caseExactSubstringsMatch
> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
> >
> > ...
> > ...
> >
> > objectclass ( 2.16.840.1.113719.1.301.6.16.1
> > NAME 'krbTicketPolicyAux'
> > SUP top
> > AUXILIARY
> > MAY ( krbTicketFlags $ krbMaxTicketLife $
> > krbMaxRenewableAge ) )
> >
> >
> > On Thu, Jun 30, 2016 at 12:48 AM, Michael Aldridge
> > <michael.aldri...@utdallas.edu <mailto:michael.aldri...@utdallas.edu>>
> > wrote:
> >
> > While I have not done an in depth comparison, my schema would appear
> to
> > just be a re-formatted version of the schema provided in the source
> > tree.  I believe I originally obtained it from an ubuntu release
> > slightly more than a year ago.  What is striking here is that this
> all
> > worked less than a month ago on my test platform.
> >
> > For the curious, here is the schema I'm using:
> >
> https://raw.githubusercontent.com/collegiumv/cv_config/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
> >
> > --Michael
> >
> > On 06/30/2016 01:25 AM, Todd Grayson wrote:
> > > Got schema issues?  Perhaps?
> > >
> > >
> http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
> > >
> > > Magic google phrase:
> > >
> > > openldap kerberos schema "Unable to find requested database type"
> > >
> > > On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge
> > > <michael.aldri...@utdallas.edu
> > <mailto:michael.aldri...@utdallas.edu>
> > <mailto:michael.aldri...@utdallas.edu
> > <mailto:michael.aldri...@utdallas.edu>>>
> > > wrote:
> > >
> > > Greetings,
> > >
> > > I hope I am emailing the correct list and if I am not then
> please accept
> > > my apology.  I am in the process of standing up a pair of KDCs
> and I am
> > > encountering this error when attempting to create the initial
> password
> > > stash for accessing the ldap server that backs the kerberos
> database:
> > >
> > > kdb5_ldap_util: Unable to find requested database type while
> setting up
> > > lib handle
> > >
> > > The command I ran to get that error message is:
> > >
> > > sudo kdb5_ldap_util -D "cn=krbAdmService,dc=collegiumv,dc=org"
> > > stashsrvpw -f /var/krb5kdc/ldap.keyfile
> > > "cn=krbAdmService,dc=collegiumv,dc=org"
> > >
> > > I have used my best google-fu but still come up empty.  I can
> see
> > > several people who seem to have had the same issue, but I
> cannot find a
> > > solution.  I appreciate any insight to this error.
> > >
> > > --Michael
> > >
> > > --
> > > Michael Aldridge

Re: ldap database error when creating initial stash

2016-06-30 Thread Todd Grayson
Michael, I apologize but I'm not familiar with that kind of formatting for
the kerberos.schema file... the one I'm looking at looks like this
(segment).

What linux distro/versions are you working over?

That almost looks like the kind of format you would see converting the
.schema to .ldif or something?

Not being able to parse the schema file is what I was pointing out for that
error...

--- snip of kerberos.schema as provided in ubuntu ---

attributetype ( 2.16.840.1.113719.1.301.4.1.1
NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

...
...

objectclass ( 2.16.840.1.113719.1.301.6.16.1
NAME 'krbTicketPolicyAux'
SUP top
AUXILIARY
MAY ( krbTicketFlags $ krbMaxTicketLife $
krbMaxRenewableAge ) )


On Thu, Jun 30, 2016 at 12:48 AM, Michael Aldridge <
michael.aldri...@utdallas.edu> wrote:

> While I have not done an in depth comparison, my schema would appear to
> just be a re-formatted version of the schema provided in the source
> tree.  I believe I originally obtained it from an ubuntu release
> slightly more than a year ago.  What is striking here is that this all
> worked less than a month ago on my test platform.
>
> For the curious, here is the schema I'm using:
>
> https://raw.githubusercontent.com/collegiumv/cv_config/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
>
> --Michael
>
> On 06/30/2016 01:25 AM, Todd Grayson wrote:
> > Got schema issues?  Perhaps?
> >
> > http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
> >
> > Magic google phrase:
> >
> > openldap kerberos schema "Unable to find requested database type"
> >
> > On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge
> > <michael.aldri...@utdallas.edu <mailto:michael.aldri...@utdallas.edu>>
> > wrote:
> >
> > Greetings,
> >
> > I hope I am emailing the correct list and if I am not then please
> accept
> > my apology.  I am in the process of standing up a pair of KDCs and I
> am
> > encountering this error when attempting to create the initial
> password
> > stash for accessing the ldap server that backs the kerberos database:
> >
> > kdb5_ldap_util: Unable to find requested database type while setting
> up
> > lib handle
> >
> > The command I ran to get that error message is:
> >
> > sudo kdb5_ldap_util -D "cn=krbAdmService,dc=collegiumv,dc=org"
> > stashsrvpw -f /var/krb5kdc/ldap.keyfile
> > "cn=krbAdmService,dc=collegiumv,dc=org"
> >
> > I have used my best google-fu but still come up empty.  I can see
> > several people who seem to have had the same issue, but I cannot
> find a
> > solution.  I appreciate any insight to this error.
> >
> > --Michael
> >
> > --
> > Michael Aldridge
> > Network Administrator
> > Collegium V Honors College
> > The University of Texas at Dallas
> > 
> > Kerberos mailing list   Kerberos@mit.edu
> > <mailto:Kerberos@mit.edu>
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> >
> >
> > --
> > Todd Grayson
> > Business Operations Manager
> > Customer Operations Engineering
> > Security SME
> >
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
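Todd's snippet is the slapd .schema form; Michael's cn={4}kerberos.ldif is the same material in the cn=config form slapd loads at runtime. As an added example (not from the thread or the OpenLDAP project; slaptest is the authoritative converter), here is a small Python converter that reads the .schema excerpt quoted above, sanity-checks the definitions for the kind of breakage that stops a schema loading (no OID, duplicate OID), and emits the olcAttributeTypes/olcObjectClasses LDIF. The input is the excerpt from the message with a comment line added, constructed for this example.

```python
import re

# Constructed input: the kerberos.schema excerpt quoted in the message above,
# with a comment line added, in the slapd .schema format Todd shows.
SCHEMA_SNIPPET = """\
# kerberos.schema excerpt (constructed for this example)
attributetype ( 2.16.840.1.113719.1.301.4.1.1
    NAME 'krbPrincipalName'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

objectclass ( 2.16.840.1.113719.1.301.6.16.1
    NAME 'krbTicketPolicyAux'
    SUP top
    AUXILIARY
    MAY ( krbTicketFlags $ krbMaxTicketLife $
          krbMaxRenewableAge ) )
"""

# .schema directive -> cn=config attribute that carries the same definition
_DIRECTIVES = {
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
}
_OID_NAME = re.compile(r"^\(\s*(\S+)(?:\s+NAME\s+'([^']+)')?")


def parse_schema(text):
    """Return [(directive, definition)] from slapd .schema text.

    A definition runs from the '(' after the directive to the matching ')',
    possibly several lines later.  Parentheses are counted literally, so a
    stray '(' inside a DESC string would confuse this (slaptest would not)."""
    defs = []
    directive, buf, depth = None, [], 0
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw
        if depth == 0:
            m = re.match(r"\s*(\w+)\s*(.*)$", line)
            if m is None or m.group(1).lower() not in _DIRECTIVES:
                continue          # blank line, or a directive we do not convert
            directive, line = m.group(1).lower(), m.group(2)
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth < 0:
            raise ValueError("unbalanced ')' in %s definition" % directive)
        if depth == 0:
            defs.append((directive, " ".join(buf)))
            buf = []
    if depth != 0:
        raise ValueError("unterminated %s definition" % directive)
    return defs


def check_definitions(defs):
    """Flag definitions slapd would refuse: no '( OID' prefix, or an OID reused."""
    problems, seen = [], {}
    for directive, body in defs:
        m = _OID_NAME.match(body)
        if m is None:
            problems.append("%s definition has no OID: %s" % (directive, body[:40]))
            continue
        oid, name = m.group(1), m.group(2) or "<unnamed>"
        if oid in seen:
            problems.append("OID %s used by both %s and %s" % (oid, seen[oid], name))
        seen[oid] = name
    return problems


def to_cn_config_ldif(schema_name, defs):
    """Emit the cn=config LDIF (what ldapadd loads into a running slapd).
    Lines are not folded; LDIF readers accept long lines."""
    lines = [
        "dn: cn=%s,cn=schema,cn=config" % schema_name,
        "objectClass: olcSchemaConfig",
        "cn: %s" % schema_name,
    ]
    for directive, body in defs:
        lines.append("%s: %s" % (_DIRECTIVES[directive], body))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    definitions = parse_schema(SCHEMA_SNIPPET)
    for problem in check_definitions(definitions):
        print("WARNING:", problem)
    print(to_cn_config_ldif("kerberos", definitions), end="")
```

The output is the kind of entry you would ldapadd under cn=schema,cn=config; slapd assigns the {n} ordering prefix seen in Michael's file name itself when it writes the entry back out.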


Re: ldap database error when creating initial stash

2016-06-30 Thread Todd Grayson
Got schema issues?  Perhaps?

http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201

Magic google phrase:

openldap kerberos schema "Unable to find requested database type"

On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge <
michael.aldri...@utdallas.edu> wrote:

> Greetings,
>
> I hope I am emailing the correct list and if I am not then please accept
> my apology.  I am in the process of standing up a pair of KDCs and I am
> encountering this error when attempting to create the initial password
> stash for accessing the ldap server that backs the kerberos database:
>
> kdb5_ldap_util: Unable to find requested database type while setting up
> lib handle
>
> The command I ran to get that error message is:
>
> sudo kdb5_ldap_util -D "cn=krbAdmService,dc=collegiumv,dc=org"
> stashsrvpw -f /var/krb5kdc/ldap.keyfile
> "cn=krbAdmService,dc=collegiumv,dc=org"
>
> I have used my best google-fu but still come up empty.  I can see
> several people who seem to have had the same issue, but I cannot find a
> solution.  I appreciate any insight to this error.
>
> --Michael
>
> --
> Michael Aldridge
> Network Administrator
> Collegium V Honors College
> The University of Texas at Dallas
> ____
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: kinit from java

2016-06-23 Thread Todd Grayson
This discusses how it's implemented from the java application perspective,
through the JAAS/JGSS layers.

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html

On Thu, Jun 23, 2016 at 3:09 AM, Dameon Wagner <dameon.wag...@it.ox.ac.uk>
wrote:

> On Wed, Jun 22 2016 at 06:37:31 +, Ghosh, Parthapratim  scribbled
>  in "kinit from java":
> > Hi Kerberos team,
> >
> > I have the following question -
> >
> > How can one simulate kinit call with userid and password from java.
> > I have a java process running and want to kinit from that process.
>
> That can depend on the reason why you want to kinit.
>
> If you're looking to have Kerberos credentials available for the java
> process so that it can authenticate it self to other services, then
> you may find it better to run the java process from k5start.  As I'm
> lazy I won't try to explain how it all works here, but will rather
> just quote the first paragraph of the manpage:
>
> #---8<-
> k5start obtains and caches an initial Kerberos ticket-granting ticket
> for a principal.  k5start can be used as an alternative to kinit, but
> it is primarily intended to be used by programs that want to use a
> keytab to obtain Kerberos credentials, such as a web server that needs
> to authenticate to another service such as an LDAP server.
> #---8<-
>
> If that sounds like the sort of solution you're after, I can highly
> recommend k5start (and krenew from the same package).
>
> Cheers.
>
> Dameon.
>
> --
> ><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
> Dr. Dameon Wagner, Systems Development and Support
> IT Services, University of Oxford
> ><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
>
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: kinit from java

2016-06-22 Thread Todd Grayson
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/single-signon.html



On Wednesday, June 22, 2016, Ghosh, Parthapratim <
parthapratim.gh...@citi.com> wrote:

> Hi Kerberos team,
>
> I have the following question -
>
> How can one simulate kinit call with userid and password from java. I have
> a java process running and want to kinit from that process.
>
> Thanks and Regards
> Partha Pratim Ghosh
>
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: ubuntu16.04 and /etc/krb5.conf

2016-06-16 Thread Todd Grayson
082089.898865: Retrieving gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk from FILE:/tmp/krb5cc_868_TQFkWp
> with result: 0/Success
> [375] 1466082089.898946: Creating authenticator for gma...@ic.ac.uk ->
> host/futurama.doc.ic.ac...@doc.ic.ac.uk, seqnum 1071734415, subkey
> aes256-cts/0F2B, session key aes256-cts/4216
> gmazza2@futurama's password:
>
>
> BUT...
> - there are gmazza's tickets now:
> gmazza2@futurama:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_868_TQFkWp
> Default principal: gma...@ic.ac.uk
>
> Valid starting       Expires            Service principal
> 16/06/16 14:00:04  17/06/16 00:00:04  krbtgt/ic.ac...@ic.ac.uk
> renew until 17/06/16 00:00:04, Etype (skey, tkt):
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 16/06/16 14:01:29  17/06/16 00:00:04  krbtgt/doc.ic.ac...@ic.ac.uk
> renew until 17/06/16 00:00:04, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> 16/06/16 14:01:29  17/06/16 00:00:04
> host/futurama.doc.ic.ac...@doc.ic.ac.uk
> Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
>
> - it works the second time with the same command "ssh gmazza@futurama"
> gmazza2@futurama:~$ export KRB5_TRACE=
> gmazza2@futurama:~$ ssh gmazza@futurama uptime
>   14:02:58 up 21:31,  2 users,  load average: 0.01, 0.05, 0.07
>
>
> Sorry for my long email.
> Hope my description makes sense.
>
> Cheers,
> Giuseppe
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Deleting and re-creating the default krbtgt principal?

2016-06-01 Thread Todd Grayson
Thanks Greg! I also found this procedure, we'll use modprinc on the other
actual user/service principals, and then follow this for modifying the
krbtgt.

http://web.mit.edu/kerberos/krb5-1.13/doc/admin/database.html#changing-krbtgt-key

On Wed, Jun 1, 2016 at 12:25 PM, Greg Hudson <ghud...@mit.edu> wrote:

> On 06/01/2016 02:13 PM, Todd Grayson wrote:
> > Is there any kind of guidance or rules of thumb around deleting and
> > re-creating the default krbtgt principal for a KDC?  I've not been able
> to
> > find specific discussion on doing this, or what the requirements would be
> > for properly re-creating the entry.
> >
> > The issue has to do with wanting to reset a number of values in the entry
> > rather than using modprinc so many times over the entry.
> >
> > Or is this a "don't do it" kind of thing?
>
> I would recommend against it.  At best you would be invalidating all
> existing TGTs; at worst you could get stuck in an uncoverable state,
> with no way to access the KDC host or connect to kadmin.
>
> You can make multiple modifications to an entry in a single modprinc
> operation.  Even if you make the modifications one at a time, I wouldn't
> expect any problems from performing a dozen or so modprinc operations on
> the same entry in quick succession.
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Deleting and re-creating the default krbtgt principal?

2016-06-01 Thread Todd Grayson
Is there any kind of guidance or rules of thumb around deleting and
re-creating the default krbtgt principal for a KDC?  I've not been able to
find specific discussion on doing this, or what the requirements would be
for properly re-creating the entry.

The issue has to do with wanting to reset a number of values in the entry
rather than using modprinc so many times over the entry.

Or is this a "don't do it" kind of thing?

-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re-authentication vs Renewal of credentials by a service and the impact to clients

2016-05-12 Thread Todd Grayson
Hello,

When a service re-authenticates to the KDC, effectively getting a new TGT,
are the service tickets related to previous instance of the TGT for that
service, no longer valid?

That is, does a service re-authenticating to a KDC, rather than renewing,
cause all the current related service tickets to no longer be valid and in
turn trigger all those clients holding the previous generation of tickets,
to re-request a service ticket at that point from the KDC?

Or is that service ticket durable, and will it survive replacement (not
renewal) of the underlying TGT?

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Kerberos trust

2016-04-13 Thread Todd Grayson
There are a couple of approaches for establishing trust on the AD side.
You have command line for ksetup that can be used, or the AD gui works as
well (the domains and trusts management console).  kadmin side on the mit
kdc you have to update your krb5.conf to provide the AD realm in the
[realms] section, and within [domain_realm] if there are special fqdn to
REALM mappings that need to exist.

Generally for Hadoop the optimal implementation is one way cross realm
trust where the cluster MIT KDC trusts that users from the AD domain/REALM
have been properly authenticated by the trusted realm, and that the
representation of their user (principal name) is valid for access.

Effectively on the AD side its netdom trust, then ksetup to describe the
realm and if necessary DNS mapping to the kerberos realm (much like the
domain_realm section of the krb5.conf, but the windows registry version of
it).

then on the MIT side its a kadmin addprinc and setting the proper
encryption types that are common with AD and setting the same password
defined on AD.

netdom trust and ksetup examples that are correct for AD / MIT kerberos
http://blog.godatadriven.com/cross-realm-trust-kerberos.html

Microsoft ksetup docs
ksetup addkdc
https://technet.microsoft.com/en-us/library/hh240197.aspx
ksetup addhosttorealmmap (!) for smoothing domain / realm mappings from
windows desktop client side.

the netdom trust is a global command, the ksetup commands are machine
specific, I think microsoft documents using global policy to establish
things in a uniform way for a large set of windows desktops if needed...

There are some pretty good examples online;  The google machine comes back
with some write-ups on this with the string:

kerberos one way cross-realm trust MIT AD

our cloudera writeup that is specific to MIT / AD cross realm trust is
generic enough to apply to your open source hadoop deployment as well.

On Wed, Apr 13, 2016 at 2:02 PM, Russ Allbery <ea...@eyrie.org> wrote:

> Mauro Cazzari <mymagi...@gmail.com> writes:
>
> > I'm relatively new to Kerberos, so please forgive me if my question
> > might sound dumb.
>
> > I'm trying to access a secured Hadoop environment from a Windows
> > machine.  The Hadoop cluster uses its own realm. I installed MIT
> > Kerberos on the Windows box and configured it so that I can successfully
> > obtain tickets, but I'd like to see if there is a way to instead use the
> > tickets that are generated through AD when I log on to Windows. My
> > understanding is that a one-way trust between the AD and the cluster's
> > KDC could solve the issue.  What's not clear is whether I need to define
> > anything at all at the AD level. I'm thinking that since I'm trying to
> > gain access to the realm associated with the Hadoop cluster, all I need
> > to do is to add a principal to it for the AD realm, the one I want to
> > trust. After that, I would change the krb5.conf file to make sure the AD
> > realm is seen.
>
> Even one-way trust requires making changes to both KDCs, since for any
> type of trust you need to have a shared key between AD and the remote KDC.
> The only difference between one-way trust and two-way trust is that you
> have only one shared key instead of two shared keys.
>
> In theory, one-way trust where you have a krbtgt/@
> principal in both KDCs should be sufficient.  In practice, I have run into
> no end of weird trouble with one-way trust, and strongly prefer to set up
> two-way trust whenever I set up cross-realm trust just to avoid having my
> head hurt later.
>
> Note that you'll also have to configure the Windows side to know to do
> cross-realm to the Hadoop realm when accessing those resources.  There are
> probably ways to do this with local configuration, but I think
> domain_realm mappings on Windows are usually also done with AD
> configuration.  (Disclaimer: I've never done the AD side of this setup
> myself.)
>
> --
> Russ Allbery (ea...@eyrie.org)  <http://www.eyrie.org/~eagle/>
> 
> Kerberos mailing list   Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
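The MIT side of the trust Todd describes also has a krb5.conf component: the AD realm under [realms] and, where needed, a [domain_realm] mapping for its DNS domain. As an added example (not from the thread; realm names, hostnames and the requirement that the mapping be present are assumptions of this example), here is a Python parser for MIT's profile syntax together with a check that reports what is missing from a constructed krb5.conf, which deliberately lacks the [domain_realm] lines for the AD domain.

```python
# Constructed krb5.conf for the Hadoop hosts: the MIT realm is local and the AD
# realm is listed so its KDC is known here.  Names are assumptions for this
# example; the [domain_realm] mapping for the AD domain is left out on purpose.
KRB5_CONF = """
[libdefaults]
    default_realm = HADOOP.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    HADOOP.EXAMPLE.COM = {
        kdc = kdc1.hadoop.example.com
        kdc = kdc2.hadoop.example.com
        admin_server = kdc1.hadoop.example.com
    }
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }

[domain_realm]
    .hadoop.example.com = HADOOP.EXAMPLE.COM
    hadoop.example.com = HADOOP.EXAMPLE.COM
"""


def parse_profile(text):
    """Parse MIT krb5 profile syntax: [section], key = value, key = { ... }.

    Every key maps to a list because keys such as kdc legitimately repeat;
    a nested stanza is a dict inside that list.  Comment lines start with
    '#' or ';'."""
    root, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("line %d: value outside any section" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: '}' without matching '{'" % lineno)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        key, value = key.strip(), value.strip()
        if value == "{":
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' stanza at end of file")
    return root


def check_cross_realm(conf, local_realm, trusted_realm, trusted_domain):
    """Report what this example expects on the MIT side of a one-way trust:
    default_realm set to the local realm, both realms under [realms] with a
    kdc, and the trusted realm's DNS domain mapped under [domain_realm]."""
    findings = []
    if conf.get("libdefaults", {}).get("default_realm") != [local_realm]:
        findings.append("default_realm is not %s" % local_realm)
    realms = conf.get("realms", {})
    for realm in (local_realm, trusted_realm):
        stanzas = [s for s in realms.get(realm, []) if isinstance(s, dict)]
        if not stanzas:
            findings.append("[realms] has no stanza for %s" % realm)
        elif not any(s.get("kdc") for s in stanzas):
            findings.append("[realms] stanza for %s names no kdc" % realm)
    mappings = conf.get("domain_realm", {})
    for host_key in (trusted_domain, "." + trusted_domain):
        if mappings.get(host_key) != [trusted_realm]:
            findings.append("[domain_realm] does not map %s to %s"
                            % (host_key, trusted_realm))
    return findings


if __name__ == "__main__":
    conf = parse_profile(KRB5_CONF)
    for f in check_cross_realm(conf, "HADOOP.EXAMPLE.COM",
                               "CORP.EXAMPLE.COM", "corp.example.com"):
        print("MISSING:", f)
```

The shared krbtgt key itself (the kadmin addprinc with enctypes AD also supports, and the matching netdom/ksetup side) cannot be checked from a config file; this only catches the krb5.conf omissions that otherwise surface as "Cannot find KDC for realm" at first use.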


Re: Quick question related to Kerberos + AES256 + SHA2

2016-02-25 Thread Todd Grayson
Apologies everyone - this was a mixed up response by me.

Please disregard my discussion on download and compile, I'm discussing a
behavior by our install base, not the MIT user community.

On Thu, Feb 25, 2016 at 9:13 AM, Todd Grayson <tgray...@cloudera.com> wrote:

> The supported encryption types are tied to the kerberos release, which is
> tied to the OS release level by our distribution vendors.  It is extremely
> rare for customers to be compiling / building kerberos on their own.
>
>
> http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
> *permitted_enctypes*
>
> Note that permitted encryption types for the MIT libraries REQUIRE the
> proper encryption type name be used; abbreviated names are not supported.
> What's in that link is the form of the name that will be parsed; invalid
> encryption types are ignored and the defaults are applied instead (all the
> types).
>
> Encryption types that are newer in the MIT/AD space are limited by the
> support of the JDK, detailed by the JGSS listing:
>
>
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
>
> Note arcfour-hmac-md5 is also supported (rc4-hmac)
>
> The JDK cannot support the newer Camellia encryption types in RHEL 7.1
>
> On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <s...@redhat.com> wrote:
>
>> Note that the Kitten WG is working on standardizing new enctypes for AES
>> +HMAC-SHA2, this is the latest draft:
>> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>>
>> Although it will take a while before all the most common implementations
>> will have support for it, and it may never land on older OSs.
>>
>> Simo.
>>
>> On Thu, 2016-02-25 at 14:22 +, Prashanth Marampally wrote:
>> > Yep. Got it!
>> >
>> > Thanks,
>> > Prashanth
>> >
>> > -Original Message-
>> > From: Rick van Rein [mailto:r...@openfortress.nl]
>> > Sent: Thursday, February 25, 2016 7:50 PM
>> > To: Prashanth Marampally
>> > Cc: kerberos@mit.edu
>> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
>> >
>> > OK,
>> >
>> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much
>> stronger.  I didn't make that clear before.
>> >
>> > -Rick
>> >
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: Quick question related to Kerberos + AES256 + SHA2

2016-02-25 Thread Todd Grayson
The supported encryption types are tied to the kerberos release, which is
tied to the OS release level by our distribution vendors.  It is extremely
rare for customers to be compiling / building kerberos on their own.

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
*permitted_enctypes*

Note that permitted encryption types for the MIT libraries REQUIRE the
proper encryption type name be used; abbreviated names are not supported.
What's in that link is the form of the name that will be parsed; invalid
encryption types are ignored and the defaults are applied instead (all the
types).

Encryption types that are newer in the MIT/AD space are limited by the
support of the JDK, detailed by the JGSS listing:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

Note arcfour-hmac-md5 is also supported (rc4-hmac)

The JDK cannot support the newer Camellia encryption types in RHEL 7.1

On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <s...@redhat.com> wrote:

> Note that the Kitten WG is working on standardizing new enctypes for AES
> +HMAC-SHA2, this is the latest draft:
> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>
> Although it will take a while before all the most common implementations
> will have support for it, and it may never land on older OSs.
>
> Simo.
>
> On Thu, 2016-02-25 at 14:22 +, Prashanth Marampally wrote:
> > Yep. Got it!
> >
> > Thanks,
> > Prashanth
> >
> > -Original Message-
> > From: Rick van Rein [mailto:r...@openfortress.nl]
> > Sent: Thursday, February 25, 2016 7:50 PM
> > To: Prashanth Marampally
> > Cc: kerberos@mit.edu
> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
> >
> > OK,
> >
> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much
> stronger.  I didn't make that clear before.
> >
> > -Rick
> >
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME



Re: SPNEGO question

2015-11-09 Thread Todd Grayson
No, the path failing is something application side within your setup.

The configuration of the FQDN (really just the domain and tld) is all you
need, that is host.domain.tld; adding the path should not break things in
the browser configs. For example, in environments where many hosts use
Negotiated auth (SPNEGO) the domain.tld should be a viable configuration
setting too.

There are a number of reference documentation sets from commercial vendors
on enabling SPNEGO, including ours

http://www.cloudera.com/content/www/en-us/documentation/enterprise/latest/topics/cdh_sg_browser_access_kerberos_protected_url.html

Weblogic

http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html

IBM

http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/csec_SPNEGO_explain.html

These can help in building your understanding of it, setting it up, and
troubleshooting things.


On Mon, Nov 9, 2015 at 3:07 PM, Pascal Jakobi <pascal.jak...@gmail.com>
wrote:

>
>
> I am still testing kerberos pretty thoroughly. Now I am at SPNEGO.
>
> I was able to have it to work (with firefox) when calling simple URI
> such as http://host.domain.tld but not when calling
> http://host.domain.tld/test_dir.
> I did change the negotiate URI field in firefox configuration, but did
> not touch the service keytab (HTTP/). My guess is that the problem
> is there...
>
> Does this mean that in reality SPNEGO is limited to virtual hosts?
>
> If someone could clarify, this would be more than useful...
>
> Thanks in advance
> --
> Pascal Jakobi <mailto:pascal.jak...@gmail.com>
> 116 rue de Stalingrad
> 93100 Montreuil, France
> Tel : +33 6 87 47 58 19
>
>
>



-- 
Todd Grayson
Customer Operations Engineering, Security SME



Documentation Wish List

2015-09-11 Thread Todd Grayson
Anchor tags for subject items on reference pages... for example to make a
URL like this to work to jump right to the default_tgs_enctypes

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#default_tgs_enctypes

-- 
Todd Grayson
Customer Operations Engineering, Security SME



Re: Kerberos authentication network

2015-09-09 Thread Todd Grayson
By cluster do you mean Hadoop?

Hadoop can (based on version, workload, and service usage pattern) get very,
very chatty with a KDC.  It depends on what you are doing on the 10GB network,
but I would say you can definitely handle the krb on the 1GB interface; just
consider your principal to hostname mapping issues if you are multihoming
(forward and reverse need to map to your FQDNs).

On Wed, Sep 9, 2015 at 3:09 PM, Brandon Allbery <ballb...@sinenomine.net>
wrote:

> On Wed, 2015-09-09 at 15:45 -0500, Ben Kim wrote:
> > My worry about 10G is when data traffic gets jammed or network goes down
> > KDC may not respond. 10G network cables are not redundant for budget
> reason.
> > My worry about 1G network is network bandwidth. I'M pretty new to
> Kerberos,
> > and as a service expands Im not sure how much of bandwidth will Kerberos
> > network consume.
>
> Kerberos itself is very low bandwidth; you would have difficulty
> saturating even an old 10MB network with it, unless something is
> severely misconfigured.
>
> --
> brandon s allbery kf8nh   sine nomine associates
> allber...@gmail.com  ballb...@sinenomine.net
> unix openafs kerberos infrastructure xmonadhttp://sinenomine.net
>
>



-- 
Todd Grayson
Customer Operations Engineering, Security SME



Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

2015-08-03 Thread Todd Grayson
Ah good to know about, thanks!

On Mon, Aug 3, 2015 at 5:18 AM, John Devitofranceschi j...@optonline.net
wrote:


  On Jul 29, 2015, at 5:46 PM, Todd Grayson tgray...@cloudera.com wrote:
 
  Hi,
 
  Is there any general wisdom out there about mixed KDC/Client versions?
 Are
  there concerns around allowing environments drift to where a KDC would be
  on a later release than the clients?
 

 There was this one:

 http://krbdev.mit.edu/rt/Ticket/Display.html?id=7714

 That concerns an issue with older Solaris clients using MIT KDCs >= 1.11

 Greg helped me come up with a patch for this that works with 1.13, but the
 real answer is to patch your old Solaris systems!

 jd




-- 
Todd Grayson
Customer Operations Engineering



Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

2015-07-29 Thread Todd Grayson
Hi,

Is there any general wisdom out there about mixed KDC/Client versions?  Are
there concerns around allowing environments drift to where a KDC would be
on a later release than the clients?

There seems to be a change in default behavior in the 1.12+ where renewable
tickets must be specifically requested (RHEL 7 is including the 1.12 as the
tested krb release in platform).

Have there been any other gotchas that folks have run into that are worthy
of note?

For example a mixed OS environment where centOS 7 is the KDC, at 1.12, and
the clients are all centOS 6.x land locked at the 1.10x release?

Thanks in advance!



-- 
Todd Grayson
Customer Operations Engineering



Re: Cannot authenticate with client keytab and AES128/256 against Active Directory

2015-07-29 Thread Todd Grayson
Have you enabled AES Encryption for the account in AD?

http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

This can, I believe, be achieved with group policy as well...

On Wed, Jul 29, 2015 at 5:43 AM, Osipov, Michael michael.osi...@siemens.com
 wrote:

 Hi,

 I have created a client keytab with ktutil:

 add_entry -password -p osipo...@comapny.net -k 1 -e
 aes256-cts-hmac-sha1-96
 add_entry -password -p osipo...@comapny.net -k 1 -e
 aes128-cts-hmac-sha1-96
 add_entry -password -p osipo...@comapny.net -k 1 -e arcfour-hmac

 then trying to obtain a TGT with 'kinit -k -i' but all I get is:
 kinit: Invalid argument while getting initial credentials

 Turning on KRB5_TRACE and Wireshark, I see that the server is rejecting
 both AES ciphers from my client.

 If I reduce the keytab down to arcfour-hmac, all works fine.

 I am on FreeBSD 9.x, MIT Kerberos 1.13.2 from ports system and multiple
 Windows Server 2008 R2.

 How can I locate this issue? Any advice? KRB5_TRACE and pcap file can
 be provided privately.

 Regards,

 Michael Osipov

 PS: I triple-checked the password, so the issue is not with that.


 




-- 
Todd Grayson
Customer Operations Engineering



Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

2015-07-29 Thread Todd Grayson
Actually the krbtgt got generated without a renewable life value (was at
0), missed this during the troubleshooting, so nothing other than the need
to express renew lifetime properly in the configuration.  Thanks tho for
the feedback.

On Wed, Jul 29, 2015 at 8:06 PM, Ken Hornstein k...@cmf.nrl.navy.mil
wrote:

 Is there any general wisdom out there about mixed KDC/Client versions?
 Are
 there concerns around allowing environments drift to where a KDC would be
 on a later release than the clients?

 FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
 there is not an interoperability problem; the protocol is pretty well
 specified and in general everything works fine at that level.

 There seems to be a change in default behavior in the 1.12+ where
 renewable
 tickets must be specifically requested (RHEL 7 is including the 1.12 as
 the
 tested krb release in platform).

 This is more of a problem, but I don't consider this an interoperability
 issue.

 --Ken
 




-- 
Todd Grayson
Customer Operations Engineering



Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

2015-07-29 Thread Todd Grayson
Interesting, I'll take a look, thanks!

On Wed, Jul 29, 2015 at 8:12 PM, Benjamin Kaduk ka...@mit.edu wrote:

 On Wed, 29 Jul 2015, Ken Hornstein wrote:

  Is there any general wisdom out there about mixed KDC/Client versions?
 Are
  there concerns around allowing environments drift to where a KDC would
 be
  on a later release than the clients?
 
  FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
  there is not an interoperability problem; the protocol is pretty well
  specified and in general everything works fine at that level.

 Yes; it is expected that any implementation of the kerberos protocol can
 successfully talk to a peer running a different implementation, including
 the case where the peers differ only by software version and have a common
 lineage.

  There seems to be a change in default behavior in the 1.12+ where
 renewable
  tickets must be specifically requested (RHEL 7 is including the 1.12 as
 the
  tested krb release in platform).
 
  This is more of a problem, but I don't consider this an interoperability
  issue.

 That sort-of calls to mind

 https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd
 ,
 and makes me wonder what the actual lifetimes in the request are (and the
 max permitted by the KDC).

 -Ben
 




-- 
Todd Grayson
Customer Operations Engineering



Encryption type settings in kdc.conf and krb5.conf

2015-07-27 Thread Todd Grayson
The question is; how much variation can be tolerated on the configuration
of encryption type settings within the krb5.conf / kdc.conf

Generally speaking I'm using this as the reference for proper values to set;
(krb5.conf)
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

(kdc.conf)
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html

I constantly see clipped values being used and I wonder, is kerberos
using those, or is it just discarding and going to default behavior at that
point, and the settings are worthless.

Examples of this are:

aes-256 for aes256-cts-hmac-sha1-96
rc4-hmac for arcfour-hmac-md5

Are these actually being parsed properly, (the first value, obviously being
the questioned abbreviation...)






-- 
Todd Grayson
Customer Operations Engineering

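The question in this message (is "aes-256" or "rc4-hmac" actually parsed?) and the permitted_enctypes note in the 2016 "AES256 + SHA2" thread above both come down to whether each token is a name the MIT library recognises. Below is an added checker, my own code rather than anything from MIT or Cloudera, that resolves a permitted_enctypes-style value against the canonical names, aliases and families documented in MIT's krb5_conf.html (including the +/-/DEFAULT syntax) and reports tokens the library would skip and tokens that enable deprecated types; it assumes that documented alias table as of current MIT releases, so the SHA-2 AES entries postdate the 1.12 docs linked in the thread.

```python
"""Added checker for enctype lists in krb5.conf / kdc.conf (hypothetical helper,
not MIT krb5 code).  The name table follows the "Encryption types" section of
the MIT krb5_conf documentation."""
import re

# canonical name -> documented aliases; the two SHA-2 AES types were added in
# krb5 1.15 and are not in the 1.12 docs linked from the thread
ENCTYPES = {
    "aes256-cts-hmac-sha1-96": ["aes256-cts", "aes256-sha1"],
    "aes128-cts-hmac-sha1-96": ["aes128-cts", "aes128-sha1"],
    "aes256-cts-hmac-sha384-192": ["aes256-sha2"],
    "aes128-cts-hmac-sha256-128": ["aes128-sha2"],
    "camellia256-cts-cmac": ["camellia256-cts"],
    "camellia128-cts-cmac": ["camellia128-cts"],
    "arcfour-hmac": ["rc4-hmac", "arcfour-hmac-md5"],
    "arcfour-hmac-exp": ["rc4-hmac-exp", "arcfour-hmac-md5-exp"],
    "des3-cbc-sha1": ["des3-hmac-sha1", "des3-cbc-sha1-kd"],
    "des-cbc-crc": [],
    "des-cbc-md4": [],
    "des-cbc-md5": [],
}

# family keywords expand to several types
FAMILIES = {
    "aes": [name for name in ENCTYPES if name.startswith("aes")],
    "camellia": [name for name in ENCTYPES if name.startswith("camellia")],
    "rc4": ["arcfour-hmac", "arcfour-hmac-exp"],
    "des3": ["des3-cbc-sha1"],
    "des": ["des-cbc-crc", "des-cbc-md4", "des-cbc-md5"],
}

# single DES, triple DES and RC4 are deprecated or removed in current MIT releases
WEAK_PREFIXES = ("des", "arcfour")

ALIAS_TO_CANONICAL = {}
for canonical, aliases in ENCTYPES.items():
    ALIAS_TO_CANONICAL[canonical] = canonical
    for alias in aliases:
        ALIAS_TO_CANONICAL[alias] = canonical


def expand(name):
    """Return the canonical types a name or family stands for, or None if unknown."""
    if name in FAMILIES:
        return list(FAMILIES[name])
    if name in ALIAS_TO_CANONICAL:
        return [ALIAS_TO_CANONICAL[name]]
    return None


def check_enctype_list(value):
    """Resolve a permitted_enctypes / default_tgs_enctypes style value.

    Tokens are separated by whitespace or commas; a leading '-' removes a type
    or family from what has been accumulated so far, a leading '+' is the same
    as no prefix, and DEFAULT stands for the built-in default list.  Returns
    {"resolved": [canonical names in order], "unknown": [tokens the library
    would silently skip], "weak": [tokens that enable deprecated types]}.
    """
    resolved, unknown, weak = [], [], []
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        if token.startswith("-"):
            sign, name = "-", token[1:]
        else:
            sign, name = "+", token.lstrip("+")
        name = name.lower()          # MIT matches enctype names case-insensitively
        if name == "default":
            if sign == "+" and "DEFAULT" not in resolved:
                resolved.append("DEFAULT")
            continue
        members = expand(name)
        if members is None:
            unknown.append(token)    # e.g. "aes-256": not a name the library knows
            continue
        if sign == "-":
            resolved = [r for r in resolved if r not in members]
            continue
        for member in members:
            if member not in resolved:
                resolved.append(member)
            if member.startswith(WEAK_PREFIXES) and token not in weak:
                weak.append(token)
    return {"resolved": resolved, "unknown": unknown, "weak": weak}


if __name__ == "__main__":
    # the two "clipped" spellings asked about in the thread
    print(check_enctype_list("aes-256 rc4-hmac"))
    # typical hardening: keep the defaults but drop the single-DES family
    print(check_enctype_list("DEFAULT -des"))
```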


Re: how to retrieve ticket flags in JAVA

2015-06-29 Thread Todd Grayson
This is more within the Oracle JDK's JGSS layer, you might want to post
questions to the community discussion for it.

The URL For that forum is (if the mailman lets me include a URL):

https://community.oracle.com/community/java/java_security/kerberos_%26_java_gss

On Mon, Jun 29, 2015 at 4:20 PM, Jim Shi hanmao_...@apple.com wrote:


 Hi, I am try to find if a particular  ticket flag in a kerberos ticket  is
 set in Java, I was suggested to use the following code:

 boolean[] flags = (boolean[])((ExtendedGSSContext)
 context).inquireSecContext(

 InquireType.KRB5_GET_TKT_FLAGS);

 Say I want to check if TKT_FLG_HW_AUTH is set, at what index should I
 check the boolean value?

 Is there a mapping from indices of the array to ticket flags?

 Thanks

 Jim


 




-- 
Todd Grayson
Customer Operations Engineering



Re: forwarded kpasswd changes

2015-06-04 Thread Todd Grayson
I'm not 100% on the mechanics at the AD side on how your change is still
going through, but to avoid the error: have you tested setting, within the
realms definition of the AD realm along with the kdc entry, a
kpasswd_server value pointing to the proper host you want the kpasswd
exchange to take place with?

On Thu, Jun 4, 2015 at 5:02 PM, Ben H bhen...@gmail.com wrote:

 When utilizing Microsoft AD as a KDC against MIT clients,  I am seeing the
 following error/warning when changing passwords via kpasswd:

 kpasswd: Incorrect net address changing password

 The password *is* properly changed, but this message displays.

 Here's the rub:

 The KDC being used for the password change is a microsoft RODC (read only
 domain controller).
 The MS specs for this state that when a password change request is received
 by the RODC, it forwards this on the clients behalf to a writable domain
 controller (WDC).

 So we see the as-req/rep pair for cname:username sname:kadmin/changepw pass
 from the client to the RODC followed by the actual kpasswd exchange.
 Looking at just this exchange you would think that the RODC is servicing
 this request...

 As stated however, the RODC actually forwards each of these requests to a
 WDC which is actually providing the answer back to the RODC to be proxied
 back to the client.
 So we see these 4 exchange packets also pass between the RODC and the WDC -
 the only apparent difference is the source and destination IP addresses.

 I'm not sure if this forwarding of requests is based upon a standard
 Kerberos protocol, or if it something designed specifically as a MS
 extension.

 I'm also not sure what is contained within the exchange that would cause
 the client to provide the Incorrect net address error as I see no IP
 addresses or server names within the exchanges.

 I know that this forwarding is causing the error, because it does not
 exhibit itself when changing directly on the WDC.

 Can someone provide any insight into this?

 Thanks very much.
 




-- 
Todd Grayson
Customer Operations Engineering



Re: A client name with an '@'

2015-06-01 Thread Todd Grayson
Bryce

It's either 12001000550...@fedidcard.gov fedidcard@fedidcard.gov or
it's 12001000550...@fedidcard.gov fedidcard@fedidcard.gov

As far as your shell escaping with a \ goes, on a command line you will not
escape the @; if you are scripting it, you might.

To the left of the @ is the principal name, traditionally lowercase.  To
the right is the REALM, traditionally uppercase.  AD userPrincipalName
entries should be able to handle the uppercase value being presented at
authentication for the user.

The userPrincipalName is the kerberos principal name, within AD.  You do
not have to nest the lowercase instance into the uppercase realm (in other
words, don't use 12001000550281\@fedidcard@fedidcard.gov ).  You should
be able to get it to work presenting consistent case and based on the
example I give above.



On Mon, Jun 1, 2015 at 5:02 PM, Nordgren, Bryce L -FS bnordg...@fs.fed.us
wrote:

  $ kinit '12001000550281\@fedidcard@fedidcard.gov'

 Thanks! Making progress!

 It now prints a single backslash when describing the principal, both in
 errors emitted from kinit and the listprincs command in kadmin.local.
 However, I'm back to client name mismatch out of kinit, presumably
 because the MS User Principal Name in the certificate lacks the backslash.

 Bryce




 




-- 
Todd Grayson
Customer Operations Engineering

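As an added illustration of the escaping discussed in this thread (my own code, not part of the MIT library), here is a small parser for the string form of a principal: a backslash escapes the next character, '/' separates name components, and the first unescaped '@' begins the realm, so '12001000550281\@fedidcard@FEDIDCARD.GOV' is a single component that contains an '@'. It simplifies MIT's krb5_parse_name (the \n, \t, \b and \0 escapes are left out), and the sample principals are constructed.

```python
"""Added parser for the string form of a Kerberos principal (hypothetical helper,
not MIT krb5 code).  It follows the escaping rules of krb5_parse_name for the
characters that matter here: '\\' escapes the next character, '/' separates
components and the first unescaped '@' starts the realm.  MIT's \\n, \\t, \\b
and \\0 escapes are not implemented in this simplified version."""


def parse_principal(text):
    """Return (components, realm); realm is None when the string has no '@'."""
    components, current, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("trailing backslash")
            current.append(text[i + 1])   # escaped char is literal, even '@' or '/'
            i += 2
            continue
        if ch == "/":
            if in_realm:
                raise ValueError("'/' inside realm")
            components.append("".join(current))
            current = []
        elif ch == "@":
            if in_realm:
                raise ValueError("second unescaped '@'")   # malformed, as in MIT
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None            # library would apply default_realm here


def _escape(text):
    return "".join("\\" + ch if ch in "\\/@" else ch for ch in text)


def unparse_principal(components, realm):
    """Inverse of parse_principal: re-escape '\\', '/' and '@'."""
    name = "/".join(_escape(c) for c in components)
    return name if realm is None else name + "@" + _escape(realm)


def is_malformed(text):
    """True when the string would be rejected outright."""
    try:
        parse_principal(text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # constructed examples mirroring the thread
    for sample in ("12001000550281\\@fedidcard@FEDIDCARD.GOV",
                   "host/some.fqdn.name@REALM", "user"):
        print(sample, "->", parse_principal(sample))
```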


Re: Multi-tenancy in MIT KDC

2015-05-30 Thread Todd Grayson
I would suggest reading this:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/realm_config.html

A realm is a namespace that defines a database containing principals.
Logically, a REALM is separated from a domain.  In AD environments by default
the domain and the realm are the same value, with uppercase being the
notation for REALM.  In MIT implementations they are logically separate.
Unique rules and policies can be applied to a REALM and the principals it
contains, which can be members of multiple domains, in support of
authentication to the REALM.

When a user authenticates, generally it's in the form username@REALM. In the
case of hosts and services you can also have names like
host/some.fqdn.name@REALM or service/some.fqdn.name@REALM, where fqdn is the
fully qualified domain name of the relevant host.

These types of things are completely arbitrary as naming designs, however;
you can structure things to the left of the @ sign based upon what you are
doing. To the right of the @ is the REALM, which best practice defines in
UPPERCASE.  It does not matter what domain the user or service is a part of.

Domains (dns domain) can relate to realms on a one to one or many to one
relationship.  That is, many domains can be associated with a kerberos
realm.

A realm defines its relationship to DNS domains in the [libdefaults]
default_realm value, as well as having [domain_realms] mapping entries
within the /etc/krb5.conf to provide domain, subdomain, or host FQDN values
to specifically map a domain name to a REALM.


On Fri, May 29, 2015 at 7:03 PM, Firouzeh Jalilian fjalil...@vmware.com
wrote:

 What is the definition of realm in MIT KDC?  Is it just different
 domains?

 By definition of tenant I am referring to a categorization above the
 domains.  For example a tenant could have multiple domains, and when a a
 user logs in there has to be an indicator of the tenant it belongs to
 besides its the domain. As the domain may not be sufficient to find the
 tenant the user belongs to.

 Is that something that is supported?

 Firouzeh
 
 From: kerberos-boun...@mit.edu kerberos-boun...@mit.edu on behalf of
 Tim Mooney tim.moo...@ndsu.edu
 Sent: Friday, May 29, 2015 4:00 PM
 To: kerberos@mit.edu
 Subject: Re: Multi-tenancy in MIT KDC

 In regard to: Multi-tenancy in MIT KDC, Firouzeh Jalilian said (at
 10:24pm...:

  I would like to know if there is any support currently for multi-tenancy
  in MIT KDC?

 What do you mean by multi-tenancy?  Do you mean one krb5kdc process
 serving multiple distinct realms?  If so, then yes, that's possible.
 We've served 11 different realms from one krb5kdc process.

 You have to run separate kadmind processes, each on a separate port,
 because those can't serve multiple realms.  On your secondary kdcs,
 you also need to run a separate kpropd per realm, each on its own
 port.

 We've done it for years and it works, but if we were starting over,
 these days I'm not certain I would choose the same path.  Depending on
 your realms, it might be better to use separate VMs or containers,
 depending on what you're comfortable with.

 Tim
 --
 Tim Mooney tim.moo...@ndsu.edu
 Enterprise Computing  Infrastructure  701-231-1076
 (Voice)
 Room 242-J6, Quentin Burdick Building  701-231-8541 (Fax)
 North Dakota State University, Fargo, ND 58105-5164
 

 




-- 
Todd Grayson
Customer Operations Engineering

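To make the [domain_realm] matching described in this message concrete, here is an added re-implementation (my own code, not MIT's) of the lookup order the MIT library uses for a host a.b.c.d: it tries a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d and d in turn, the first hit wins, and default_realm is the fallback. The krb5.conf fragment and hostnames are constructed; the real library may also consult DNS or referrals before falling back, which is not modelled.

```python
"""Added re-implementation of the MIT [domain_realm] lookup order (hypothetical
helper, not MIT krb5 code).  Entries with a leading dot match hosts *under* a
domain, entries without one match that exact name; the library then falls back
to default_realm (after optional DNS/referral lookups, not modelled here)."""


def parse_krb5_conf(conf_text):
    """Minimal reader: returns {section: {key: value}} for flat relations."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def candidate_names(host):
    """Lookup keys MIT tries for a.b.c.d: a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d"""
    name = host.lower().rstrip(".")   # hostnames are matched lower-cased
    candidates = [name]
    rest = name
    while "." in rest:
        rest = rest.split(".", 1)[1]
        candidates.append("." + rest)   # domain entry: matches hosts under it
        candidates.append(rest)         # bare entry: matches the name itself
    return candidates


def host_to_realm(host, conf):
    """Map a hostname to a realm using the parsed krb5.conf."""
    mapping = conf.get("domain_realm", {})
    for key in candidate_names(host):
        if key in mapping:
            return mapping[key]
    return conf.get("libdefaults", {}).get("default_realm")


# constructed krb5.conf fragment: a Hadoop realm alongside an AD realm, with
# one legacy host in the Hadoop domain that still belongs to AD
SAMPLE_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM

[domain_realm]
    .hadoop.example.com = HADOOP.EXAMPLE.COM
    legacy.hadoop.example.com = AD.EXAMPLE.COM
    .example.com = AD.EXAMPLE.COM
    example.com = AD.EXAMPLE.COM
"""


def resolve_all(hosts, conf_text=SAMPLE_CONF):
    """Resolve several hostnames against one config; returns {host: realm}."""
    conf = parse_krb5_conf(conf_text)
    return {h: host_to_realm(h, conf) for h in hosts}


if __name__ == "__main__":
    for host, realm in resolve_all(["nn01.prod.hadoop.example.com",
                                    "legacy.hadoop.example.com",
                                    "hadoop.example.com",   # not under .hadoop.example.com
                                    "GW.Example.COM",
                                    "printer.other.org"]).items():
        print(f"{host:32} -> {realm}")
```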


Re: upgrade the inter-realm trust key to AES

2015-05-27 Thread Todd Grayson
You delete and re-establish the trust from the AD side, which will apply
domain defaults to the trust.  You can use the /remove switch in the netdom
trust command, instead of /add, see the docs from the technet link below.

The following config will render one way cross realm trust where the MIT
realm will trust users authenticated by AD for access to kerberos protected
apps.

On a AD Domain Controller, set TrustPassword to the shared password you
will use on both the AD and MIT side for the cross realm krbtgt/ principal.

c:\Users\Administrator> netdom trust MIT.EXAMPLE.COM /Domain:AD.EXAMPLE.COM
/add /realm /passwordt:TrustPassword

https://technet.microsoft.com/en-us/library/cc771580.aspx

ksetup /SetEncTypeAttr MIT.EXAMPLE.COM enc_type

https://technet.microsoft.com/en-us/library/hh240207.aspx

For AES encryption, replace enc_type with AES256-CTS-HMAC-SHA1-96 or
AES128-CTS-HMAC-SHA1-96 and for RC4 encryption, replace with RC4-HMAC-MD5.
You can list multiple enc types through space delimited list on the command
line, see the technet link above for details.

Then on your MIT kdc side you need to create a proper cross realm principal
(delete the current and replace with a known correct one)

(from within kadmin or kadmin.local as an administrator)

kadmin: addprinc -e "aes256-cts:normal aes128-cts:normal rc4-hmac:normal"
krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM

When prompted for the password provide the same TrustPassword you set
in the netdom trust command.

On Fri, Apr 10, 2015 at 8:28 AM, Giuseppe Mazza g.ma...@imperial.ac.uk
wrote:

 Dear All,

 I would like to upgrade my inter-realm trust key from DES to AES.

 My current situation is
 i] Domain IC.AC.UK (Windows Server 2012): I have no access to it. People
 from College manage it.

 Users in IC.AC.UK (Windows) can login and use services in DOC.IC.AC.UK
 (Linux).

 ii] Realm DOC.IC.AC.UK (Ubuntu14.04): I have got full control on it

 I have got the keys below:
 kadmin:  get_principal krbtgt/doc.ic.ac...@ic.ac.uk
 Principal: krbtgt/doc.ic.ac...@ic.ac.uk
 ...
 Number of keys: 5
 Key: vno 1, des3-cbc-sha1, no salt
 Key: vno 1, des-cbc-crc, no salt
 Key: vno 1, des-cbc-crc, Version 4
 Key: vno 1, des-cbc-crc, AFS version 3
 Key: vno 1, arcfour-hmac, no salt
 MKey: vno 1
 Attributes:
 Policy: default


 Here are my questions:
 1]
 do you know any utility - kind of get_principal - in Windows?

 2]
 My College counterpart, i.e. the Windows person from College, tells me
 that it will be enough to enable (via GP) the AES enctype for the
 inter-realm trust key on the Windows side.

 However I am a bit concerned: our inter-realm trust is very old and was
 created when no AES support existed in Windows.
 They have upgraded through the different versions of Windows Server upto
 the 2012 one, but the inter-realm trust has remained the same since it
 was created.
 My naive understanding is that the AES inter-realm trust key will works
 only if
 - the actual AES key exists
 - the AES enctype is enabled

 Is it plausible there is no AES key on their Windows DCs?

 ( In principle I could use the command below (on the linux side):
 kadmin change_password -e aes256-cts-hmac-sha1-96:normal -keepold
 krbtgt/doc.ic.ac...@ic.ac.uk )

 All the best,
 Giuseppe

 




-- 
Todd Grayson
Customer Operations Engineering



Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Todd Grayson
Interesting, yeah I think you self-resolved with what you did with
KRB5REALM.

On Fri, Apr 24, 2015 at 4:13 PM, Ben H bhen...@gmail.com wrote:

 Not exactly, though the answer to that use case might be the same.

 My use case is that my system was (is) a client of REALMA.COM.
 Now, I want to run a KDC on this same system to serve out REALMB.COM

 So, I can't change my /etc/krb5.conf file or else I would lose access to
 REALMA.COM

 I configure my kdc.conf file for REALMB, but when I start up krb5kdc I
 get:

 Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm REALMA.COM -
 see log file for details

 I can get it working by doing two things:
 1) modify my krb5.conf file for REALMB instead - if I do this, then my
 client functionality to REALMA breaks
 2) Set KRB5REALM=REALMB in /etc/sysconfig/krb5kdc

 #2 is working for me, and is maybe the correct answer to this question.
 I was just surprised that the krb5kdc service would look to read data
 from krb5.conf instead of kdc.conf and, if it needs to do so, I would
 expect there is a better way to tell it to use an alternate file.

 I realize this isn't a common use scenario.



 On Fri, Apr 24, 2015 at 4:07 PM, Todd Grayson tgray...@cloudera.com
 wrote:

 Are you trying to run multiple realms (and db's) on the same KDC?

 On Fri, Apr 24, 2015 at 2:59 PM, Ben H bhen...@gmail.com wrote:

 Sorry, I did mean kdc.conf - and on my implementation it is
 in /var/kerberos/krb5kdc.

 I do understand:
 kdc.conf = server config
 krb5.conf = client config

 But apparently when krb5kdc starts it also queries some data from
 /etc/krb5.conf (the default realm at least).

 I want it to look to a location other than /etc/krb5.conf for realm
 information (or anything else it might need from that file).

 thanks!


 On Fri, Apr 24, 2015 at 2:55 PM, Brandon Allbery 
 ballb...@sinenomine.net
 wrote:

  On Fri, 2015-04-24 at 14:44 -0500, Ben H wrote:
   Some searching I did indicated the possible existence of a profile
   directive in kdc5.conf to point to a different krb5.conf, but that
   didn't
   seem to work.
 
  It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
  private directory (/var/krb5kdc is common).
 
  --
  brandon s allbery kf8nh   sine nomine
 associates
  allber...@gmail.com
 ballb...@sinenomine.net
  unix openafs kerberos infrastructure xmonad
 http://sinenomine.net
 
  
 
 




 --
 Todd Grayson
 Customer Operations Engineering





-- 
Todd Grayson
Customer Operations Engineering



Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Todd Grayson
I'm trying to follow the client need for default_realm vs having additional
kerberos REALM entries present in your [realms] section of your krb5.conf.
If there was no default_realm defined, what does the client do?
(See default_realm at
web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html.)

Are the clients keying off of default_realm because they are java based? Or
is there some form of forced short principal name configuration that is
causing this? If java, provide the krb5.conf you want java clients to use
in the [JAVA_HOME]/jre/lib/security path.  The JGSS checks there first.


On Fri, Apr 24, 2015 at 5:16 PM, Ben H bhen...@gmail.com wrote:

 So it sounds like you're still saying that the contents of my krb5.conf
 file will be read by krb5kdc and there is a good chance that something
 specified in my krb5.conf (for my client implementation) may override or
 merge with my server config *possibly* disrupt my KDC?

 This is probably unlikely though since the settings normally set on the two
 files (apart from default realm) tend to be either a client or server
 setting, no?

 I'm testing everything on one box right now, and when I want to use my
 local KDC I do:

 export KRB5_CONFIG=/etc/localmit_krb5.conf

 and things seem to work.  To switch back using my external KDC (AD), I
 simply unset the variable.

 Realizing this is an edge case, does this sound like the best way, or would
 there be a more supported way?





 On Fri, Apr 24, 2015 at 5:45 PM, Greg Hudson ghud...@mit.edu wrote:

  On 04/24/2015 03:44 PM, Ben H wrote:
   From a client perspective, if I want to switch to using a different
   krb5.conf file, I just use:
  
   export KRB5_CONFIG=/etc/alternate-krb5.conf
  
   But the server will always try to use /etc/krb5.conf
 
  The expected behavior is:
 
  * Every process uses $KRB5_CONFIG, defaulting to /etc/krb5.conf.
 
  * KDC-ish processes (krb5kdc, kadmind, kdb5_util, etc.) also use
  $KRB5_KDC_PROFILE, defaulting to something like /var/krb5kdc/kdc.conf.
  If both files exist, the contents are merged, with the values from
  krb5.conf usually taking precedence (but we're not 100% consistent about
  that).
 
  krb5kdc accepts a -r flag telling it what realm(s) to serve, so you may
  not need to point it at a config file giving a different default_realm
  value.
 
 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
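An added example (not code from this thread or from MIT krb5) that applies the lookup rules Greg describes as a shell check an admin can run before starting krb5kdc: it resolves the two profile paths from $KRB5_CONFIG and $KRB5_KDC_PROFILE, and reports a key such as default_realm that is set to different values in both files, since the merged value then comes from precedence rather than intent. The default kdc.conf path, the flat-section parser and the sample values in the comments are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from MIT krb5.  Every process
# reads $KRB5_CONFIG (default /etc/krb5.conf); KDC-side processes also read
# $KRB5_KDC_PROFILE and merge the two, with krb5.conf "usually" winning.

krb5_effective_config() {
    printf '%s\n' "${KRB5_CONFIG:-/etc/krb5.conf}"
}

krb5_effective_kdc_profile() {
    # Assumed default (Red Hat layout); MIT's build-time default may differ.
    printf '%s\n' "${KRB5_KDC_PROFILE:-/var/kerberos/krb5kdc/kdc.conf}"
}

# profile_get FILE SECTION KEY
# Print the value of a flat "key = value" relation in [SECTION].  Only flat
# sections ([libdefaults], [kdcdefaults]) are handled; brace-nested
# subsections such as [realms] are not parsed.  Prints nothing if absent.
profile_get() {
    awk -v sect="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insect = (line == sect); next }
        insect && index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest)
                print rest
                exit
            }
        }
    ' "$1"
}

# krb5_check_conflict SECTION KEY
# Print the value the merged profile will use and return 0, or report a
# conflict on stderr and return 1 when both files define KEY differently.
krb5_check_conflict() {
    cfg=$(krb5_effective_config)
    kdc=$(krb5_effective_kdc_profile)
    a=""; b=""
    [ -r "$cfg" ] && a=$(profile_get "$cfg" "$1" "$2")
    [ -r "$kdc" ] && b=$(profile_get "$kdc" "$1" "$2")
    if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
        printf 'conflict: [%s] %s = "%s" in %s but "%s" in %s\n' \
            "$1" "$2" "$a" "$cfg" "$b" "$kdc" >&2
        return 1
    fi
    # krb5.conf usually takes precedence, so prefer its value when present.
    printf '%s\n' "${a:-$b}"
}

# Stand-alone run: show what this host would use and check default_realm.
printf 'krb5.conf: %s\nkdc.conf:  %s\n' \
    "$(krb5_effective_config)" "$(krb5_effective_kdc_profile)"
krb5_check_conflict libdefaults default_realm ||
    echo "resolve the default_realm conflict before starting krb5kdc"
```

Ben's approach of pointing KRB5_CONFIG at a second file works with this check too: set the variable, run the script, and it reports which pair of files the KDC will actually merge.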


Re: specifying an alternate realm/krb5.conf configuration for kdc5.conf

2015-04-24 Thread Todd Grayson
Are you trying to run multiple realms (and db's) on the same KDC?

On Fri, Apr 24, 2015 at 2:59 PM, Ben H bhen...@gmail.com wrote:

 Sorry, I did mean kdc.conf - and on my implementation it is
 in /var/kerberos/krb5kdc.

 I do understand:
 kdc.conf = server config
 krb5.conf = client config

 But apparently when krb5kdc starts it also queries some data from
 /etc/krb5.conf (the default realm at least).

 I want it to look to a location other than /etc/krb5.conf for realm
 information (or anything else it might need from that file).

 thanks!


 On Fri, Apr 24, 2015 at 2:55 PM, Brandon Allbery ballb...@sinenomine.net
 wrote:

  On Fri, 2015-04-24 at 14:44 -0500, Ben H wrote:
   Some searching I did indicated the possible existence of a profile
   directive in kdc5.conf to point to a different krb5.conf, but that didn't
   seem to work.
 
  It's just kdc.conf (not kdc5.conf) and it's usually kept in the KDC
  private directory (/var/krb5kdc is common).
 
  --
  brandon s allbery kf8nh   sine nomine associates
  allber...@gmail.com  ballb...@sinenomine.net
  unix openafs kerberos infrastructure xmonad   http://sinenomine.net
 
  
  Kerberos mailing list   Kerberos@mit.edu
  https://mailman.mit.edu/mailman/listinfo/kerberos
 
 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Is there a CApath concept in AD/DC?

2015-04-17 Thread Todd Grayson
We have seen, however, in limited testing and in field implementations,
that CApath can express to a MIT kerberos client the inherent domain trusts
on the AD side within a Forest.  We're planning on doing more testing with
it, but the discussion here applied to what we observed.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html

On Fri, Apr 17, 2015 at 8:09 AM, Simo Sorce s...@redhat.com wrote:

 On Fri, 2015-04-17 at 15:52 +0200, Rick van Rein wrote:
  Hello,
 
  MIT krb5 features a CApath setting through which an external party can
  help to find a path to realms that are not locally configured /
  crossed-over.  Does Windows AD/DC have a similar feature, and how is it
  setup?
 
  For MIT krb5 I believe it's not possible to relay anything unknown
  through CApath (but an option may be the . realm) -- but would this work
  on AD/DC?
 
  With this, crossover based on DNSSEC/DANE could be implemented in a
  component external to the binaries of AD/DC, making the chances of
  acceptance quite a bit higher.
 

 Search for AD name routing, you will find articles about how AD can do
 routing among trusted domains/forests, and how to set up exceptions.

 Afaik it is not nearly as open ended as MIT's CApath, and works only
 with established (And 'verified') trust relationships.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York

 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: kadmin remote as a regular user

2015-04-01 Thread Todd Grayson
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html

On Wed, Apr 1, 2015 at 8:27 PM, Todd Grayson tgray...@cloudera.com wrote:

 Rainer,

 Consider that you do not want to obfuscate keeping track of users modifying
 the KDC database through generic service accounts like admin/admin.  As the
 later discussion in this thread positions, use the kadm5.acl file to name
 users (they don't have to be named with a */admin convention if you need
 specific users to have access with their normal account... but you might
 want to consider doing it anyway, so they have to actually enable their
 admin access before attempting to modify the KDC).

 The kadm5.acl file also supports defining limits for users on who and what
 can be modified...


 On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke krie...@uni-koblenz.de
 wrote:

 Hello,

 I would like to achieve the following. A particular user say john logs
 in at a linux system or authenticates in apache against kerberos.
 Now I would like to allow this user john to run kadmin commands
 without entering any additional other password.

 I first thought that kadmin is like a service and exported the principal
 admin/admin to a keytab file which I copied to a remote system. On this
 system I was then able to call

 $ kadmin -k -t /etc/krb5.keytab -p admin/admin
 Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
 kadmin: getprincs
 ...

 However this does not work the way I expected. Now I can even destroy
 the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
 when logging into the system and kadmin still works.

 What I wanted is that kadmin only works when a particular user has
 logged in and has authenticated against kerberos. Now any user that
 could log in to the system would be able to run kadmin if he has access
 to the keytab file.

 So after all what I want is kerberos based single sign on for kadmin
 usage.

 Any idea how to configure this?

 Thanks
 Rainer
 --
 Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
 PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312


 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




 --
 Todd Grayson
 Customer Operations Engineering




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: kadmin remote as a regular user

2015-04-01 Thread Todd Grayson
Rainer,

Consider that you do not want to obfuscate keeping track of users modifying
the KDC database through generic service accounts like admin/admin.  As the
later discussion in this thread positions, use the kadm5.acl file to name
users (they don't have to be named with a */admin convention if you need
specific users to have access with their normal account... but you might
want to consider doing it anyway, so they have to actually enable their
admin access before attempting to modify the KDC).

The kadm5.acl file also supports defining limits for users on who and what
can be modified...


On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke krie...@uni-koblenz.de
wrote:

 Hello,

 I would like to achieve the following. A particular user say john logs
 in at a linux system or authenticates in apache against kerberos.
 Now I would like to allow this user john to run kadmin commands
 without entering any additional other password.

 I first thought that kadmin is like a service and exported the principal
 admin/admin to a keytab file which I copied to a remote system. On this
 system I was then able to call

 $ kadmin -k -t /etc/krb5.keytab -p admin/admin
 Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
 kadmin: getprincs
 ...

 However this does not work the way I expected. Now I can even destroy
 the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
 when logging into the system and kadmin still works.

 What I wanted is that kadmin only works when a particular user has
 logged in and has authenticated against kerberos. Now any user that
 could log in to the system would be able to run kadmin if he has access
 to the keytab file.

 So after all what I want is kerberos based single sign on for kadmin usage.

 Any idea how to configure this?

 Thanks
 Rainer
 --
 Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
 PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312


 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
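As an added example (not from this thread or from MIT krb5), a shell audit of a kadm5.acl that flags entries granting modifying rights to a wildcard principal pattern with no target, the generic admin/admin style Todd argues against, next to per-user and helpdesk entries that limit scope the way the kadm5.acl target and restriction fields allow. The sample ACL, its principals and the realm EXAMPLE.COM are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from MIT krb5.  Field layout follows
# the kadm5.acl format: principal, permissions, optional target principal,
# optional restrictions.  Lowercase permission letters grant; "*" or "x"
# grant everything.

# Constructed sample ACL (not from any real KDC).
SAMPLE_ACL='
# anyone with an /admin instance can do anything to any principal: broad
*/admin@EXAMPLE.COM        *
# a named person who must still switch to her admin instance: fine
alice/admin@EXAMPLE.COM    admcil
# helpdesk may only inquire about and reset passwords of plain user
# principals (single-component target), never service or admin keys
helpdesk@EXAMPLE.COM       ci   *@EXAMPLE.COM
# kprop only needs database propagation
kiprop/kdc2.example.com@EXAMPLE.COM  p
'

# kadm5_acl_audit FILE
# Print one line per entry: "broad" or "ok", principal pattern, permission
# string and target (or "-").  Returns 1 if any entry is broad.
kadm5_acl_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blanks
        {
            princ = $1; perms = $2; target = (NF >= 3) ? $3 : "-"
            modify = (perms ~ /[*xadms]/)              # add/delete/modify/setkey/all
            wild   = (index(princ, "*") > 0)
            broad  = (modify && wild && target == "-")
            printf "%s\t%s\t%s\t%s\n", (broad ? "broad" : "ok"), princ, perms, target
            if (broad) n++
        }
        END { exit (n > 0) ? 1 : 0 }
    ' "$1"
}

# kadm5_acl_broad_count FILE  -> number of broad entries
kadm5_acl_broad_count() {
    kadm5_acl_audit "$1" | grep -c '^broad' || true
}

# Stand-alone run over the constructed sample.
acl=$(mktemp); printf '%s\n' "$SAMPLE_ACL" > "$acl"
kadm5_acl_audit "$acl" || echo "review the entries marked broad"
rm -f "$acl"
```

Run it against the live file with kadm5_acl_audit /var/kerberos/krb5kdc/kadm5.acl (path as in Ben's layout; adjust for yours). An entry coming up "broad" is exactly the case where the audit trail collapses to "someone with an /admin key did it".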


Re: LDAP searches for Kerberos entries

2015-02-04 Thread Todd Grayson
ldapsearch -x -H [ ldap://host.fqdn.name:389 | ldaps://host.fqdn.name:636 ] \
  -D "[bind account from your config]" -w "[that account's password]" \
  -b "[search base like ou=People,dc=example,dc=com from your conf]" \
  "(&(objectclass=person)(uid=[your username]))"

You can add -LLL after the -x to enable console debugging output to help
fine tune.

Review your configuration for ldap target information per discussion at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html

The dump will be the full entry, including objectClasses which are the
definition of what attributes are available to an entry and their search
and indexing syntax.  This will frame what you need to know as far as
coding over the target ldap entry... zytrax.org having one of the better
tutorials I've found for ldap in general.


On Wed, Feb 4, 2015 at 1:17 PM, Chris Hecker chec...@d6.com wrote:

 I use LDAP to store additional stuff about users, so the krb stuff is a
 subtype (can't remember what the real term is) of my main record type.  I
 rarely search on the krb fields.

 Chris
  On Feb 4, 2015 12:09 PM, Paul B. Henson hen...@acm.org wrote:

   From: Michael Ströder
   Sent: Wednesday, February 04, 2015 3:25 AM
  
   Maybe some of you are using MIT Kerberos with LDAP backend.
  
   For creating a decent web2ldap search form template for the Kerberos schema
   I'd like to know which kind of searches you usually do when looking into
   your backend via LDAP.
  
  We have been using the LDAP backend for kerberos for a few years now, but I
  must confess I've never really considered accessing LDAP directly, it's
  always been just an opaque backend storage engine for kerberos itself...
 
 
  
  Kerberos mailing list   Kerberos@mit.edu
  https://mailman.mit.edu/mailman/listinfo/kerberos
 
 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Fail over in krb5.conf to next listed KDC entry?

2014-12-08 Thread Todd Grayson
Is there a configurable timeout value that can be set in the krb5.conf to
tell a client how long to wait for a response from a KDC before failing
over to the next listed kdc entry for a specific REALM in the [realms]
section of the krb5.conf?

When looking at
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
there is no reference to kdc_timeout which I've seen previously mentioned
in oracle threads.

Is that kdc_timeout parameter only for sun/oracle's solaris SEAM
implementation of kerberos?

Or is only the java JGSS implementation recognizing this kdc_timeout value?

Or is kdc_timeout a missing parameter within the current (and previous)
krb5.conf documentation for the [libdefaults], and it is supported in the
1.10+ MIT kerberos releases?

Thanks in advance.


-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Fail over in krb5.conf to next listed KDC entry?

2014-12-08 Thread Todd Grayson
... one more question - if this is a supported parameter today
(kdc_timeout) what is its default value?

Thanks

On Mon, Dec 8, 2014 at 10:20 PM, Todd Grayson tgray...@cloudera.com wrote:

 Is there a configurable timeout value that can be set in the krb5.conf to
 tell a client how long to wait for a response from a KDC before failing
 over to the next listed kdc entry for a specific REALM in the [realms]
 section of the krb5.conf?

 When looking at
 http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
 there is no reference to kdc_timeout which I've seen previously mentioned
 in oracle threads.

 Is that kdc_timeout parameter only for sun/oracle's solaris SEAM
 implementation of kerberos?

 Or is only the java JGSS implementation recognizing this kdc_timeout value?

 Or is kdc_timeout a missing parameter within the current (and previous)
 krb5.conf documentation for the [libdefaults], and it is supported in the
 1.10+ MIT kerberos releases?

 Thanks in advance.


 --
 Todd Grayson
 Customer Operations Engineering




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Proper ordering of mapping entries in [domain_realms] section of krb5.conf

2014-12-08 Thread Todd Grayson
What is the proper order for the [domain_realm] section of the krb5.conf
with regard to rules being applied when there are mixed DNS FQDNs, domain
names and REALMs?

Should the [domain_realm] section be listed from most specific to least
specific?

For example:
[domain_realm]
specific-host.domain.name = REALM.NAME
domain.name = OTHER.REALM.NAME
.domain.name = OTHER.REALM.NAME

or is it least specific to most specific?

[domain_realm]
domain.name = OTHER.REALM.NAME
.domain.name = OTHER.REALM.NAME
specific-host.domain.name = REALM.NAME

Thanks in advance!

-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
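An added example, not from this thread or from MIT krb5, that answers the ordering question by reproducing the lookup MIT krb5 applies to [domain_realm]: the full hostname is tried first, then each parent domain with a leading dot, so specificity decides and the order of the entries in the file does not matter; an entry without a leading dot matches only that exact name. The mapping file reuses the entries from the question and is constructed; the parser handles flat key = value lines only.

```shell
#!/bin/sh
# Added example, not from the thread or from MIT krb5.  Lookup order:
# "a.b.c" (exact), then ".b.c", then ".c".  A match at any step wins.

# Constructed krb5.conf fragment using the entries from the question,
# deliberately in "most specific first" order; the test below shows the
# reversed order gives the same answers.
SAMPLE_MAP='[libdefaults]
  default_realm = REALM.NAME
[domain_realm]
  specific-host.domain.name = REALM.NAME
  domain.name = OTHER.REALM.NAME
  .domain.name = OTHER.REALM.NAME
'

# domain_realm_entry MAPFILE NAME  -> realm mapped to NAME, or nothing
domain_realm_entry() {
    awk -v name="$2" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^\[/ { insect = (line == "[domain_realm]"); next }
        insect && index(line, name) == 1 {
            rest = substr(line, length(name) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); print rest; exit }
        }
    ' "$1"
}

# domain_realm_lookup MAPFILE HOSTNAME -> realm, or return 1 if unmapped
domain_realm_lookup() {
    candidate=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # krb5 lowercases hostnames
    while :; do
        realm=$(domain_realm_entry "$1" "$candidate")
        if [ -n "$realm" ]; then printf '%s\n' "$realm"; return 0; fi
        rest=${candidate#.}               # strip the leading dot, if any,
        case $rest in                     # then drop the leftmost label
            *.*) candidate=".${rest#*.}" ;;
            *)   return 1 ;;              # no parent left; krb5 would fall
        esac                              # back to its other heuristics
    done
}

# Stand-alone run over the constructed mapping.
f=$(mktemp); printf '%s\n' "$SAMPLE_MAP" > "$f"
for h in specific-host.domain.name other.domain.name domain.name host.example.org; do
    printf '%-28s -> %s\n' "$h" \
        "$(domain_realm_lookup "$f" "$h" || echo '(no [domain_realm] match)')"
done
rm -f "$f"
```

The practical consequence for the question: list the entries in whatever order reads best; what matters is that a host you want mapped to REALM.NAME has an exact entry, and that ".domain.name" (with the dot) is present if every other host under that domain should go to OTHER.REALM.NAME.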


Re: upgrading kerberos 1.9.4 to 1.13 with LDAP backend

2014-12-03 Thread Todd Grayson
From a pure LDAP perspective, you should be able to update schema in an
unobtrusive way as long as none of the attributes are mandatory for the
objectClass. If upon examination of the schema any of those new attributes
are mandatory as opposed to optional, then you have a requirement to update
entries with the mandatory attribute as you extend the schema.  That or
turn schema checking off for the window of migration until you can populate
the mandatory entry values... but that is less optimal if you have
provisioning going on still in the background.

As far as the rest of the plan - I've not performed this migration so there
might be folks who have that have wisdom to share (but it looks sound to
me).  Obviously have a clean back-out plan...



On Wed, Dec 3, 2014 at 3:25 PM, Paul B. Henson hen...@acm.org wrote:

 We currently have three Kerberos servers running 1.9.4 using the LDAP
 backend and are planning to upgrade to 1.13. Historically we have always
 upgraded servers one at a time, slaves first, then the master, and done the
 upgrade in place with the temporary existence of different versions.

 This is the first upgrade we have done since switching to the LDAP backend.
 We have account lockout enabled (shakes angry fist at ridiculous ISO audit
 checkbox), and our LDAP backend is multi master, so technically even though
 we have a load balancer in front directing kadmin load at any given time to
 only one of the three servers, they are all masters and updating the local
 database simultaneously.

 I see that four new attributes (krbPwdAttributes, krbPwdMaxLife,
 krbPwdMaxRenewableLife, and krbPwdAllowedKeysalts) have been added to the
 krbPwdPolicy object class in the schema. openldap gets quite unhappy if one
 server tries replicating an attribute to another which does not have it
 defined 8-/, so I want to be sure to avoid that scenario.

 I am tentatively thinking of updating the openldap schema on the existing
 systems prior to the update, and then updating Kerberos itself one system at
 a time as we have historically done. Does this seem reasonable, and will
 hopefully succeed without any interoperability issues?
 hopefully succeed without any interoperability issues?

 Thanks much for any thoughts or suggestions.


 
 Kerberos mailing list   Kerberos@mit.edu
 https://mailman.mit.edu/mailman/listinfo/kerberos




-- 
Todd Grayson
Customer Operations Engineering

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
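An added example (not from this thread or from MIT krb5) of the mandatory-versus-optional check Todd recommends, as a shell script: for each attribute a schema upgrade adds, it reports whether the object class definition lists it under MUST (existing entries need a value before strict schema checking can stay on) or MAY (the schema can be extended without touching entries). The object class text is a constructed sample in the shape of a krbPwdPolicy definition with a placeholder OID; feed it the real definition from the kerberos.schema shipped with the release being installed.

```shell
#!/bin/sh
# Added example, not from the thread or from MIT krb5.  Parses an RFC 4512
# style objectclass description far enough to classify one attribute.

# Constructed sample (placeholder OID, attribute list shaped like the
# krbPwdPolicy class with the four attributes named in the thread).
SAMPLE_KRBPWDPOLICY=$(cat <<'EOF'
objectclass ( 1.3.6.1.4.1.99999.1.1 NAME 'krbPwdPolicy' SUP top
    MUST ( cn )
    MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
          krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $
          krbPwdAllowedKeysalts ) )
EOF
)

# schema_attr_kind DEFINITION ATTR  -> MUST, MAY or absent (case-insensitive)
schema_attr_kind() {
    printf '%s\n' "$1" | tr '\n' ' ' | sed 's/[()$]/ & /g' | awk -v attr="$2" '
        {
            cur = ""; expect = 0; inlist = 0
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok == "MUST" || tok == "MAY") { cur = tok; expect = 1; continue }
                if (cur == "") continue
                if (expect && tok == "(") { inlist = 1; expect = 0; continue }
                if (tok == "$") continue
                if (inlist && tok == ")") { inlist = 0; cur = ""; continue }
                if (tolower(tok) == tolower(attr)) { print cur; found = 1; exit }
                if (expect) { expect = 0; cur = "" }   # single bare attribute
            }
        }
        END { if (!found) print "absent" }
    '
}

# schema_upgrade_plan DEFINITION ATTR...
# One line per attribute; returns 1 if any is MUST, i.e. entries must be
# populated (or schema checking relaxed) during the migration window.
schema_upgrade_plan() {
    def=$1; shift
    rc=0
    for attr in "$@"; do
        kind=$(schema_attr_kind "$def" "$attr")
        case $kind in
            MAY)  printf '%-24s MAY    extend schema first; entries untouched\n' "$attr" ;;
            MUST) printf '%-24s MUST   populate existing entries during migration\n' "$attr"
                  rc=1 ;;
            *)    printf '%-24s absent not in this object class\n' "$attr" ;;
        esac
    done
    return $rc
}

# Stand-alone run over the four attributes named in the thread.
schema_upgrade_plan "$SAMPLE_KRBPWDPOLICY" \
    krbPwdAttributes krbPwdMaxLife krbPwdMaxRenewableLife krbPwdAllowedKeysalts ||
    echo "mandatory attributes present: plan a populate step before enabling strict checking"
```

The replication point Paul raises is separate from MUST/MAY: even an optional attribute breaks replication to a peer whose schema lacks it, which is why the schema goes to every server first and the Kerberos binaries one at a time afterwards.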


How to get kfw 4.0.1 to log on windows?

2014-11-11 Thread Todd Grayson
Hi,

I've been searching around looking for clear discussion around how to
enable (debug) logging on windows, for the MIT Kerberos for Windows.  I
found the following discussion in the release notes for the kfw 3.2.2,
which stated the following:

http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/relnotes.html

Under Release History > 3.2.0 > Integrated Logon Improvements:

   - Add a debugging mode which when activated logs to the Windows
     Application Event Log.
     [HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider]
     DWORD Debug



To clarify, is this the proper detailed description for what is being
stated there:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider
Registry Value: Debug
Value Type: REG_DWORD
Value Data: 0x1
(e.g. set to 1 to enable debug)

If so; Does this registry setting to enable debug hold true for kfw 4.0.1
as well?

Thanks in advance

Todd

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos