On Thu, 5 Jul 2012, Omar Barrera wrote:
We just downloaded and installed Kerberos on a Debian Linux environment.
When we attempt to run the regression tests via Make check we receive
the following error: GSS-API error acquiring credentials: Unspecified GSS
failure. Minor code may
On Tue, 21 Aug 2012, Kevin Longfellow wrote:
Hi,
Forgive me for being dense but when does log rotation happen using
kdc_rotate if period = 1d? I have tried using logrotate but it loses
some data and now am trying kdc_rotate and admin_server_rotate in
krb5.conf. This is MIT Kerberos
On Sat, 15 Sep 2012, 1983-01...@gmx.net wrote:
Hi,
I have a Kerberos-based SSO system. The Kerberos realm is
CORP.EXAMPLE.COM. Every service has its own domain name, such as
imap.corp.example.com, wiki.corp.example.com and so on.
Now I can login these services on Debian sid. But it
On Mon, 8 Oct 2012, miten mehta wrote:
Hi Booker,
I am using Internet Explorer 9 and assume it should be configured
already for spnego. The webapp as such has to do some auth prompting so
I guess it starts out doing jaas based basic auth. I am just following
pretty much the article at
On Wed, 10 Oct 2012, miten mehta wrote:
Hi Benjamin,
I configured firefox for no sspi and also added domain primesystems.com
I do not remember seeing you specify what kerberos implementation you are
using. SSPI should only be disabled in some situations, and I don't know
which situation
On Wed, 10 Oct 2012, miten mehta wrote:
Hi,
I am using MIT kerberos both on debian and windows downloaded from
http://www.kerberos.org/software/index.html.
If you are using MIT Kerberos and want to do SPNEGO from Firefox on
windows, you must set network.auth.use-sspi to false, *and* set
On Mon, 22 Oct 2012, Nico Williams wrote:
I agree that consistency would be nice, but note that people do scrape
the logs, and though log message formats are generally not considered
stable by many projects, it's something to consider before making
backwards incompatible changes to log
On Mon, 10 Dec 2012, Abdelrahman Almahmoud wrote:
Hi
I am trying to get my Java code access to the database that stores the
principal names and passwords but I can't seem to find the file anywhere. Can
someone kindly give me more information about this?
Thanks,
Hello,
The MIT KDC does
On Sun, 27 Jan 2013, Fabian von Romberg wrote:
Hi All,
is it possible to integrate Kerberos 5 with Mysql as backend?
Many things are possible, with varying amounts of effort. I don't know of
anyone who has done so, and it would probably require substantial
engineering time to do so. There
On Wed, 13 Mar 2013, Tiago Elvas wrote:
Hi all,
I am having a problem in my system which I do not understand why it's
happening.
Firstly, I have a KDC running on a RedHat 5.7 machine. I have the parameter
maximum_renewable_life as 5000days in kdc.conf and krb5.conf. For each user
I have
On Sat, 23 Mar 2013, Alfonso Von wrote:
I'm new using cups and that app uses your system for security. I'm from Mexico,
I don't have any idea how to use it, I get access to cups once when I want to
add a new printer, which is a matrix dot, then I want to disable that because
I don't have any knowledge
On Wed, 3 Apr 2013, 王剑 wrote:
Hi,
I have setup a MIT kerberos environment. But I meet a problem with numeric host
address support.
1. The kdc runs on linux server, debian testing latest, openssh 6.0p1, mit
kerberos 1.10.1.
2. A DNS A RR points to linux server, as kdc = xxx
3. Windows
On Wed, 3 Apr 2013, 王剑 wrote:
I have tried Greg Hudson's glibc patch and built glibc package, per
http://sourceware.org/bugzilla/show_bug.cgi?id=15218
but no success. I have reverted back to debian official glibc package.
I test the upstream patch your package refers to, and no success
On Thu, 4 Apr 2013, 王剑 wrote:
To make sure I don't miss any necessary patch, I git-buildpackage from your
modified
debian-krb5 repository and test again.
The kdc I setup is used as both client and server, using
$ ssh -vvv root@192.168.0.254
RESULTS:
Patched glibc package + official
On Fri, 19 Apr 2013, Ray Vand wrote:
Then I moved the sapldap.keytab to my SAP Server in tmp directory
# ktutil
ktutil: rkt /tmp/sapldap
ktutil: l -e
slot KVNO Principal
-
17
On Sun, 21 Apr 2013, Dagobert Michelsen wrote:
Hi Ray,
On 21.04.2013 at 19:13, Benjamin Kaduk ka...@mit.edu wrote:
On Fri, 19 Apr 2013, Ray Vand wrote:
Then I moved the sapldap.keytab to my SAP Server in tmp directory
# ktutil
ktutil: rkt /tmp/sapldap
ktutil: l -e
slot KVNO Principal
On Mon, 22 Apr 2013, Ray Vand wrote:
But when I try it with -k option, I am still getting error.
# kinit -k -t /etc/krb5/krb5.keytab
kinit(v5): Client not found in Kerberos database while getting initial
credentials
The default behavior for 'kinit -k' is to try to get credentials for
On Mon, 22 Apr 2013, Ray Vand wrote:
Still getting error.
# kinit -k -t /etc/krb5/krb5.keytab sapldap/ads.company@company.com
kinit(v5): Key table entry not found while getting initial credentials
#
# klist -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO
[putting the list back in the cc]
On Mon, 22 Apr 2013, Ray Vand wrote:
Ben,
kvno was 9 because I gave a new value in addent command.
ktutil: addent -password -p sapldap/ads.company@company.com -k 9 -e
DES-CBC-MD5
Ah, okay. As I said earlier, I don't think this kvno will affect
On Mon, 22 Apr 2013, Ray Vand wrote:
On Apr 22, 2013, at 2:55 PM, Nebergall, Christopher wrote:
What does this return?
kvno -e des-cbc-md5 sapldap/ads.company@company.com
Something is wrong with your command. May be it is incomplete.
Can you please send me the correct syntax?
The
On Wed, 1 May 2013, steve wrote:
openSUSE 12.3 with Samba 4.0 KDC
Hi
Our Linux clients need a root cache available for cifs mounts. I have a
machine key available on all clients. I've put:
kinit -k -t /etc/krb5.keytab MACHINE$
in /etc/init.d/boot.local
Other commands in boot.local run
On Sat, 22 Jun 2013, kannan rbk wrote:
Dear Team,
I installed kerberos on ubuntu 12.04. But ubuntu 12.04 has some problems
it crashes frequently. So I reinstalled the ubuntu os. Now, I want to
restore the kerberos into the machine. I have kerberos dump and key stash
file. How can I
On Mon, 24 Jun 2013, Lee Eric wrote:
Hi,
I use mod_auth_kerb in Apache for SSO. Here's auth_kerb.conf contents.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
Location /opendcim
SSLRequireSSL
AuthType Kerberos
AuthName Kerberos Login
KrbMethodNegotiate On
KrbMethodK5Passwd
On Wed, 26 Jun 2013, Lee Eric wrote:
Hi Ben,
Thanks. Just curious, how kinit queries the DNS server? Is it using
/etc/resolv.conf?
The krb5 library (which is what kinit uses) uses the libc resolver, which
should honor /etc/resolv.conf.
-Ben
On Wed, 31 Jul 2013, Hubert Kröss wrote:
Hello
I'm trying to integrate kfw-4.0.1 kerberos tools to Windows 7 and
Windows Xp workstations. We have a MIT kerberos infrastructure with
samba- and Ldap-Integration.
Windows7 Workstations authenticate fine with MIT Kerberos.exe
-autoinit and then
On Thu, 29 Aug 2013, Julien ÉLIE wrote:
Hi,
Building krb5 1.11.3 fails on NetBSD 5.1 with the following error:
/home/iulius/autobuild/bin/gcc-4.8.1/bin/gcc -fPIC -DSHARED -I../../../include
-I../../../include -I. -I./../builtin -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE -g -O2 -Wall
On Sun, 1 Sep 2013, Julien ÉLIE wrote:
Hi Benjamin,
../../../include/k5-trace.h:93:20: error: anonymous variadic macros
were introduced in C99 [-Werror=variadic-macros]
#define TRACE(ctx, ...)\
^
Would it be possible to fix the issue
On Thu, 5 Sep 2013, Sebastian Singer wrote:
Hi,
I have been installing Kerberos from scratch on a Debian Wheezy this day
following http://techpubs.spinlocksolutions.com/dklar/kerberos.html .
Double checked everything but when trying to start KDC this is what the
log says:
On Thu, 5 Sep 2013, Sebastian Singer wrote:
Nothing changed. I disabled IPv6:
# echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
and did
# sysctl -p /etc/sysctl.d/disableipv6.conf
restarted both servers kadmin and kdc.
Still the same old error.
But are there any IPv6
Please do.
-Ben
On Thu, 5 Sep 2013, Sebastian Singer wrote:
Yes. Should I comment them?
Original message-
From: Benjamin Kaduk ka...@mit.edu
To: Sebastian Singer sebastian.sin...@kesslar.de
Cc: kerberos MIT.EDU kerberos@MIT.EDU
Date: Thu, 5 Sep 2013
On Mon, 23 Sep 2013, sergio.con...@laposte.net wrote:
So, with 20 concurrent changes going on at once, you may simply be
overloading the server and getting timeouts on the clients.
Thanks for your response ...
I find no way to indicate the timeout with kadmin.
I write a perl script who do
On Thu, 26 Sep 2013, Jürgen Obermeyer wrote:
Hi Jeremy!
Thank you for your long answer! You're right; the information given are
insufficient - it was very late yesterday ... so I'll try to do better now:
Master: Debian stable (Wheezy) with krb5-kdc version 1.10.1+dfsg-5+deb7u1.
Slave: Debian
On Thu, 26 Sep 2013, David Thompson wrote:
I have a working kerberos environment, with Windows 2008R2 acting as
KDC, serving a mix of OS X and Linux (think RHEL 6) clients.
I am trying to add ksu ability, with principals of the form USER/root,
and cannot authenticate those principals.
I
On Sun, 29 Sep 2013, Jaap wrote:
Hi folks,
Does anyone here have experience with NFSv4? I'm interested, but its
Kerberos implementation seems rather inflexible. It appears that nothing
can be specified and that its single encryption key must be saved in the
default keytab. A pity, as I
On Thu, 3 Oct 2013, maxwellsu...@sohu.com wrote:
Hi, Kerberos Experts:
I met a problem, while I am using Network ID Manager, it always returns a
prompt as:
kdc has no support for encryption type, does who how to fix
it?
And, I am on Windows 8 system.
There are certainly some places in the pkinit code where the return value
is initialized to ENOMEM which can get returned for failures other than
memory allocation. It's hard to venture a guess as to which one(s) you
are running into, though.
Do you have a sense for how reproducible the
On Wed, 23 Oct 2013, Edgecombe, Jason wrote:
Hi everyone,
I've been able to reproduce my problem on a test system and simplify the
failure case. I can also reproduce the error when initializing the KDC
database.
When I run:
kdb5_util create
I get the following error after
On Wed, 23 Oct 2013, Edgecombe, Jason wrote:
Hi Everyone,
Thanks to Ben Kaduk and others on IRC, I solved the problem. The
problem was with my supported_enctypes line in kdc.conf. The newer
version of Kerberos didn't like some of my enc_types. I got kdb5_util
create to work on 1.11
On Fri, 25 Oct 2013, Frédéric Goudal wrote:
That's the trail I'm following but with no clear result :
After the mount I have the following
25/10/2013 14:07:45 26/10/2013 14:07:44 krbtgt/DO.M@DO.M
Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
25/10/2013 14:07:45 26/10/2013
On Tue, 12 Nov 2013, Tomas Kuthan wrote:
Hi all,
I am confuzzled about usefulness of the QOP concept in GSS-API.
RFC 2743 states, that using non-default QOP is a mechanism specific,
non-portable construct.
RFC 4121 says, that applications using different QOP than default are
not
On Sun, 17 Nov 2013, Hui Li wrote:
Hi,
I cross-compile Kerberos for ARM arch.
Debian builds arm packages from our sources with no extra handling, so
either something in your environment is wrong, or the cross-compile is the
root cause.
configure script command line:
On Thu, 16 Jan 2014, Morgan Patou wrote:
From a Unix client, I can execute a Klist command to see that I have a
valid ticket (expires in 10h). So the next step is to access to the
kerberized application with a web browser. In Mozilla Firefox, I've set
the following configuration:
*
On Wed, 19 Feb 2014, Rick van Rein wrote:
Hello,
I’m trying to understand how to configure Constrained Delegation in the KDC. I
think I got the GSSAPI client side part, notably S4U2Proxy, but I can only seem
to find proxy / proxiable flags in the KDC setup. And these don’t have
On Mon, 24 Feb 2014, subrahmanya wrote:
Hi
We are randomly facing an issue while authenticating with KDC. KDC is
hosted in one machine.
I enabled logging in MIT code and also added some more tracing. I observed
that EINVAL is printed as value of 'e'. And, looking at other log messages
it
On Thu, 6 Mar 2014, Nico Williams wrote:
It'd be trivial to reject requests using tickets predating the last
password change.
I wonder whether we would want this behavior to be behind a knob of some
form. (Maybe some people rely on the current behavior.) I was having a
discussion off-list
On Tue, 11 Mar 2014, Jeremy Page wrote:
I am trying to set up multi-realm authentication via SSH into an Ubuntu
box against a Windows 2008 AD forest with multiple AD domains/Kerberos
realms in it.
Inside our network this works as I would like, assuming users UIDs are
unique -
On Thu, 20 Mar 2014, Wendy Lin wrote:
I have this in my Suse 11.3 /etc/krb.conf for libdefaults:
allow_weak_crypto = true
# permitted_enctypes = des-cbc-crc arcfour-hmac des3-cbc-sha1
aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
permitted_enctypes = des-cbc-crc
Now
On Thu, 20 Mar 2014, Wendy Lin wrote:
On 20 March 2014 15:23, Simo Sorce s...@redhat.com wrote:
On Thu, 2014-03-20 at 14:48 +0100, ольга крыжановская wrote:
Can any one confirm, or deny, that using only
permitted_enctypes = des-cbc-crc
will work around the problem?
In older kernels the
...@minipax.terroronwar.org with password.
kadmin: KDC has no support for encryption type while initializing
kadmin interface
Olga
On Thu, Mar 20, 2014 at 11:32 PM, Benjamin Kaduk ka...@mit.edu wrote:
On Thu, 20 Mar 2014, Wendy Lin wrote:
I have this in my Suse 11.3 /etc/krb.conf for libdefaults
On Wed, 26 Mar 2014, Tareq Alrashid wrote:
….within 7 seconds of each other.
At krb5.10.2 - Never seen this before! No record of any negative/malicious or
network issues
Could this have been cause? due to kdc’s having received a malformed pack
On Tue, 1 Apr 2014, Chris Hecker wrote:
I hope this won't turn into a giant thread, I'm just looking for some
succinct facts and/or links to thoughtful discussion, I'm not interested
in a bunch of opinions or a flame war or anything like that, and I don't
think that'd be appropriate for this
On Wed, 2 Apr 2014, Wang Shouhua wrote:
Is there such an utility which can issue a ping (null command) to
the kdc to see if it is still responding?
I'm not aware of a dedicated utility. However, the KDC is basically a
stateless UDP service, so recording a live transaction and replaying an
On Wed, 16 Apr 2014, arpit.orb wrote:
Hi All,
1. What apis in MIT Kerberos lib are called when the pkinit is
successful. Should krb5_get_init_creds_password be called in case of
pkinit ?
I'm not sure I understand the question. For one, is this anonymous pkinit
or non-anonymous?
2.
On Mon, 12 May 2014, Arpit Srivastava wrote:
Hi All,
I built static libraries for MIT Kerberos and got following:
We don't officially support building static libraries. If they happen to
work for you, we can't really stop you from using them, but we
disrecommend it. A number of classes of
On Tue, 13 May 2014, kannan rbk wrote:
Hi,
I am trying to change my password with kpasswd. I got Authentication
Error while changing password with kpasswd. In kerberos log ,
kadmin/changepw request is received. I don't know how to debug this.
Please help me to fix this. I can able to
On Fri, 30 May 2014, Jaap wrote:
Hi folks,
When SSH with Kerberos authentication is used, how can destination hosts
with short-name machine credentials be accessed?
For example, when the destination host has machine credentials in the
form host/host.domain@REALM accessing it with SSH is no
On Fri, 13 Jun 2014, 陈勇 wrote:
Hello
MIT Kerberos members
when I use the MIT Kerberos for Windows 2.6.5, I have some problems with it.
This product is 10 years old and unsupported, and there have been two
major release series since then. I would suggest you use a more modern
On Wed, 25 Jun 2014, Giuseppe Mazza wrote:
Is it the normal behaviour?
I thought you should have a valid stash file on place to access the
database on the slave. Maybe not?
Or there is some kind of caching?
Do you know how it works?
The master key is ~only used to encrypt the long-term key
Hi,
On Sat, 21 Jun 2014, Karl-Philipp Richter wrote:
Hi,
I've been wondering if there's any way to validate Kerberos'
configuration file(s) (e.g. like `apachectl -S` of the apache2 web
server), get information about error location or get more than
krb5kdc: Improper format of Kerberos
On Mon, 7 Jul 2014, kannan rbk wrote:
Hi,
I am using krb5 authentication to authenticate users in my machine. I
am trying to change my password using `passwd` command but it failed.
Have you considered using the standalone command 'kpasswd' which is
dedicated to changing kerberos passwords?
On Mon, 7 Jul 2014, kannan rbk wrote:
Hi,
I tried it. I am getting authentication error while resetting password.
With both the old and new passwords from the previous attempt?
-Ben
Kerberos mailing list Kerberos@mit.edu
On Tue, 15 Jul 2014, Rick van Rein wrote:
(*) List, if this discussion should (or should not) take place here,
let me/us know. I’m not sure what is desired.
The best place for discussion of potential kerberos protocol
extensions/improvements is kit...@ietf.org, but I wouldn't say that it's
On Wed, 16 Jul 2014, Giuseppe Mazza wrote:
My questions
- Any idea how to solve the above problem?
- If you think that the two kerberos versions are too different, can you
think a different strategy to solve the problem?
You neglected to show the 'klist -kt /etc/krb5.keytab' output for
On Wed, 16 Jul 2014, Giuseppe Mazza wrote:
On 16/07/14 15:12, Benjamin Kaduk wrote:
On Wed, 16 Jul 2014, Giuseppe Mazza wrote:
My questions
- Any idea how to solve the above problem?
- If you think that the two kerberos versions are too different, can you
think a different strategy
On Fri, 18 Jul 2014, jarek wrote:
Hello!
How can I automatically get kadmin/kdc.domain@REALM ticket, so I can
access kadmin without entering password second time ?
If I have valid ticket I can connect with ssh, and ticket for
host/server is created automatically. The same is
On Wed, 23 Jul 2014, Paul van der Vlis wrote:
Hello,
I am the administrator of a Kerberos system. The backend of Kerberos is
LDAP. I use it for NFS home-directories and shares. Now there is a
second location of the organisation, they would like to have the same
system there.
What I did is
On Thu, 31 Jul 2014, Chris Hecker wrote:
Unless things have changed, the KDC doesn't check for account lock if the
tgt is valid. There's a thread from a couple years back where I asked
about this and then patched it, but I haven't submitted patches for the
current revision. I need to do
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
MITKRB5-SA-2014-001
MIT krb5 Security Advisory 2014-001
Original release: 2014-08-07
Last update: 2014-08-07
Topic: Buffer overrun in kadmind with LDAP backend
CVSSv2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Chris Hecker wrote:
To be extra clear, this doesn't affect normal KDC client access with LDAP
backends, only kadmin access? In other words, if I don't expose kadmin I
don't have to freak out? What about password changing through a web
On Mon, 11 Aug 2014, Michael Osipov wrote:
On 2014-08-11 at 16:02, Greg Hudson wrote:
On 08/11/2014 03:40 AM, Michael Osipov wrote:
I have made several improvements to the build files, especially for HP-UX
11 on IA64.
Where is the best place to discuss then? This list or rather dev@?
On Fri, 22 Aug 2014, Roland Mainz wrote:
Hi!
It seems the Kerberos5 OpenGrok interface at
http://src.mit.edu/opengrok/krb5/search?q=kshdefs=refs=path=hist= is
currently broken... instead of allowing searchescode browsing it
returns the error Error: Index database not found ... ;-(
On Fri, 22 Aug 2014, Roland Mainz wrote:
Is there no way to get Krb5's opengrok working again (git-svn might be
useful to get the current setup running again) ?
The opengrok setup is maintained by a different group than the krb5 team,
and I don't know what their staff availability is. It
On Wed, 27 Aug 2014, ольга крыжановская wrote:
How can I use multiple principals from different realms via kinit?
I tried:
kinit fle...@waronterror.com
...
klist shows tgt for fle...@waronterror.com
klist -A shows tickets in all caches in the collection, not just the
current cache (as
On Thu, 4 Sep 2014, Brett Randall wrote:
Initially I had checked kdc.conf, but of course clockskew is declared
in krb5.conf, and I found my KDC had a (non-default) setting of
clockskew = 3600 (1 hour). If I wait the full hour, the renewal is
then rejected as expected.
The KDC merges
On Sat, 13 Sep 2014, Rick van Rein wrote:
Hello,
Am I correct that the kfw-4.0 GUI does not support a Canonicalisation
option for the principal name?
I'm not sure I understand the question correctly. Are you asking about
RFC 6806 name canonicalization, as used for (e.g.) enterprise
On Sun, 14 Sep 2014, Rick van Rein wrote:
Hello Benjamin,
Am I correct that the kfw-4.0 GUI does not support a Canonicalisation
option for the principal name?
I'm not sure I understand the question correctly. Are you asking about
RFC 6806 name canonicalization, as used for (e.g.)
On Wed, 17 Sep 2014, Lionel Cons wrote:
No. krb5.conf sets default_ccache_name = DIR:/run/user/%{uid}/krb5cc,
but only with ONE colon, not two.
One vs. two colons with DIR: is an implementation trick to distinguish
between when the directory is being treated as a collection, and when a
single
On Thu, 18 Sep 2014, Vignesh, Vanna G. wrote:
Hello Rick,
I think there is no back end store. All the principals are created by
running add princ command. All the data rest within the Kerberos. Is
there no way I can retrieve it to other Kerberos master server?
The standard way to do this is
On Tue, 30 Sep 2014, Ben H wrote:
Just discovered an issue in an environment with mixed Win 2003 and 2008 R2
servers that I'm surprised I haven't seen before, nor can find much of
anybody reporting it previously.
I would expect that people are trying to migrate off of Win 2003, since it
goes
decisions which can
use a fall-back instead of fool proof design.
The quoted text doesn't give me enough information to see what Microsoft
is doing on the Kerberos protocol level, so I can't really comment more
about it.
-Ben
On Wed, Oct 1, 2014 at 12:45 PM, Benjamin Kaduk ka...@mit.edu wrote
On Fri, 10 Oct 2014, Roland Mainz wrote:
Hi!
Just curious: What happened to the Kerberos ticket extensions
draft-ietf-krb-wg-ticket-extensions-00 proposal (see
http://tools.ietf.org/id/draft-ietf-krb-wg-ticket-extensions-00.html),
e.g. was there ever any further work on it ?
This
I am not sure I fully understand the situation, but are the appropriate
[domain_realm] mappings in the krb5.conf?
-Ben Kaduk
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Hi William,
On Sun, 19 Oct 2014, William Clark wrote:
I know this seems like an idiotic thing, but here is the scenario. I
have a multi KDC setup that has been the backbone of Kerberos for a
large organization. Traditionally we have had to keep weak crypto
around because of some legacy
On Wed, 29 Oct 2014, Baghel, Gaurav wrote:
Hi MIT Team,
I am doing setup for MIT KDC on solaris machine. I searched a lot over
internet, but couldn't find any appropriate doc for the KDC setup.
Request you to please give me all the steps or link to setup MIT KDC over
solaris. Also on one
I would default to starting from a guide such as
http://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html and
following up on this list if things don't work as the guide indicates they
should. (It is not really necessary to install slave KDCs from the start,
if one is still figuring out
On Fri, 31 Oct 2014, Rufe Glick wrote:
Hello,
I have Kerberos infrastructure set up and GSSAPI enabled in
ssh_config/sshd_config of the SSH client/server (GSSAPIAuthentication
yes). When I connect to the SSH server using verbose mode I see that SSH
client uses 'gssapi-with-mic' mode to
On Wed, 12 Nov 2014, Todd Grayson wrote:
Hi,
I've been searching around looking for clear discussion around how to
enable (debug) logging on windows, for the MIT Kerberos for Windows. I
found the following discussion in the release notes for the kfw 3.2.2,
which stated the following:
I followed up on github, but for the list/archives: I can build master on
my win7/VS2010 machine. We will investigate why the build fails for
Bratislav.
-Ben
On Sun, 30 Nov 2014, Ken Hornstein wrote:
We would really like to understand better (and hopefully counter) this
idea that KDCs should not be exposed to the public internet.
I can only offer my $0.02.
Thanks for sharing your thoughts, Ken and Bryce -- it is useful to hear
them.
I don't know
On Fri, 5 Dec 2014, Antonio Senatore wrote:
Hello everybody.
I do hope this is the correct mailing list.
I have configured kerberos incremental propagation using this guide here:
https://www.soljerome.com/blog/2013/01/12/mit-incremental-database-propagation/
I have one master and one
On Mon, 15 Dec 2014, John Burkett, CPA, CITP wrote:
At Duke we are unable to get SAP GUI 7.30, while using a Kerberos ticket
with the Apple supplied Kerberos, to authenticate and login to SAP.
Manual login without snc works fine.
Error below is generated when attempting snc login to SAP
On Fri, 2 Jan 2015, Prashanth Marampally wrote:
Hi,
I am naive to kerberos.
Would like to know whether or not can we configure kerberos 5 with AES
SHA2. If yes, please guide me with some articles, documentations etc.
Currently, you cannot.
There is a draft proposal for how such a
On Thu, 22 Jan 2015, Cedric Blancher wrote:
We're debugging a KDC problem and ran into a wall. Is there any
context data in KDC to peek which principal and realm is currently
being processed in the KDC?
AS-REQ processing has a struct as_req_state that holds a lot of useful
data. TGS-REQ
On Mon, 19 Jan 2015, Zaid Arafeh wrote:
If I have the K/M key (which is in the database) and I have the password
for the master key, would that make extracting hashes from the database
easier? I looked at the keytab file (thnx) , unfortunately keytab files
usually don't store the krbtgt key
On Wed, 18 Feb 2015, Giuseppe Mazza wrote:
A colleague of mine lets me know that it could be a different issue.
Here is his root principal:
kadmin.local: get_principal collegue/root
Principal: collegue/r...@doc.ic.ac.uk
Expiration date: [never]
Last password change: Thu Feb 24 11:40:22 GMT
On Tue, 17 Feb 2015, Giuseppe Mazza wrote:
However on the client I have got:
client% head -5 /etc/krb5.conf
[appdefaults]
# [dwm] necessary for DOC.IC.AC.UK
allow_weak_crypto=true
allow_weak_crypto is applicable in the [libdefaults] section, not
[appdefaults]. Was your text quoted
On Fri, 23 Jan 2015, Fabio Pecoraro wrote:
Hello,
When I try to install the MIT Kerberos for Windows on
Windows 7 x64 Ultimate the following error appears (with both the x86 and x64
versions):
“Failed to install Kerberos network provider. Status 2”
Does anyone know what could be
On Fri, 6 Mar 2015, Christopher Penney wrote:
On Fri, Mar 6, 2015 at 12:44 PM, Benjamin Kaduk ka...@mit.edu wrote:
I believe I have fixed these bugs in the krb5 development branch, but they
have not made it into a new KfW release yet. If you are interested in
building KfW from
Hi Chris,
On Fri, 6 Mar 2015, Christopher Penney wrote:
I run a Linux environment that's setup in an MIT Kerberos Realm. That realm
has a one way trust setup that allows tickets for Active Directory
principals (from Windows 7 clients) to be accepted as authentication (for
SSH and ODBC for
On Fri, 13 Mar 2015, Robert Wehn wrote:
- - klist
- TGT for jane@REALM
BUT!
- localuser can still access alice's files
- localuser can never access jane's files
- no new NFS service ticket fetched or needed till the end
of the ticket lifetime
What doesn't help:
- - logout