Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-12 Thread Jeffrey Altman
On 8/10/2013 5:05 AM, Harald Barth wrote: The versions where I have seen the problem were: * 1.5.2 master on Solaris and slave on amd64 FreeBSD * 1.3.3 master and slave on i386 OpenBSD The patch which changes the abort() to a warning is at

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-10 Thread Harald Barth
The versions where I have seen the problem were: * 1.5.2 master on Solaris and slave on amd64 FreeBSD * 1.3.3 master and slave on i386 OpenBSD The patch which changes the abort() to a warning is at file:///afs/pdc.kth.se/public/ftp/outgoing/heimdal-1.3.3-kadmlog.patch

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-08 Thread Harald Barth
Because I'm doing lots of updates to 1.5.2 patched with the patch I posted, using kadmin from 1.6~git20120403+dfsg1-3, and having no trouble. That's good. I will have to double check versions of everything. Maybe I'm confused, maybe there is another patch at another place in there, that

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-08 Thread Russ Allbery
Harald Barth h...@kth.se writes: What I understand from the reports I got, some version of kadmin sets something called policy after setting attributes. The policy is set to default whatever that means. kadmin mod haba Attributes [requires-pre-auth, disallow-postdated]: ENTER Policy

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-07 Thread Harald Barth
You should package the tip of heimdal-1-5-branch. Agree. But you might want to know: Your slaves will abort() if you update a principal with the Heimdal kadmin shipped with modern Debian/Ubuntu That one was cut from some snapshot. To fix that you will need another patch. We have one, but that

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-07 Thread Russ Allbery
Harald Barth h...@kth.se writes: Agree. But you might want to know: Your slaves will abort() if you update a principal with the Heimdal kadmin shipped with modern Debian/Ubuntu That one was cut from some snapshot. To fix that you will need another patch. We have one, but that only fixes the

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-06 Thread Ken Dreyer
On Mon, Jul 29, 2013 at 4:12 PM, Jeffrey Altman jalt...@secure-endpoints.com wrote: Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches. I have a question about the exact patches that are necessary. There

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-06 Thread Russ Allbery
Ken Dreyer ktdre...@ktdreyer.com writes: I have a question about the exact patches that are necessary. There were several patches that went into heimdal-1-5-branch after 1.5.3 that appear to relate to enctypes. I'm working on packaging Heimdal 1.5.3 for Fedora and EPEL, so will I need all of

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-08-06 Thread Jeffrey Altman
You should package the tip of heimdal-1-5-branch. On 8/6/2013 7:23 PM, Russ Allbery wrote: Ken Dreyer ktdre...@ktdreyer.com writes: I have a question about the exact patches that are necessary. There were several patches that went into heimdal-1-5-branch after 1.5.3 that appear to relate to

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Harald Barth
Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches. Warning: Real-life results show that the code path for preauth always seems to go through the strongest enctype configured (for example aes256), even

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Jeffrey Altman
On 7/30/2013 6:57 AM, Harald Barth wrote: Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches. Warning: Real-life results show that the code path for preauth always seems to go through the strongest

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Benjamin Kaduk
On Tue, 30 Jul 2013, Jeffrey Altman wrote: This is an incorrect description. The explicit problem occurs when the following combination is true: 1. user has one or more strong enctype keys with non-default password salts 2. the only keys with default password salts are weak enctypes 3.

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Jeffrey Altman
On 7/30/2013 7:32 PM, Benjamin Kaduk wrote: On Tue, 30 Jul 2013, Jeffrey Altman wrote: This is an incorrect description. The explicit problem occurs when the following combination is true: 1. user has one or more strong enctype keys with non-default password salts 2. the only keys

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Jeffrey Hutzelman
On Tue, 2013-07-30 at 19:44 -0400, Jeffrey Altman wrote: On 7/30/2013 7:32 PM, Benjamin Kaduk wrote: On Tue, 30 Jul 2013, Jeffrey Altman wrote: This is an incorrect description. The explicit problem occurs when the following combination is true: 1. user has one or more strong

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-30 Thread Harald Barth
This is an incorrect description. That might very well be, but I thought it was better than nothing because others who are in trouble might want to know that they are not alone ;-/ The explicit problem occurs when the following combination is true: 1. user has one or more strong enctype

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-29 Thread Jeffrey Altman
Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches. With the HEAD of each branch the following is now true: 1. The svc_use_strongest_session_key option does not need to be enabled. If you choose to

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Sergio Gelato
* Andrew Deason [2013-07-25 14:35:58 -0500]: On Thu, 25 Jul 2013 15:22:50 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: On Thu, 25 Jul 2013, Sergio Gelato wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Jeffrey Hutzelman
On Fri, 2013-07-26 at 10:57 +0200, Sergio Gelato wrote: Speaking of which, is anyone known to be working on rxkad-kdf support for Heimdal's libkafs? I'd like kinit --afslog to do the right thing. It's on my todo list, but I won't complain if someone else gets there first. -- Jeff

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Andrew Deason
On Fri, 26 Jul 2013 13:39:22 -0700 Russ Allbery r...@stanford.edu wrote: This plus [kdc]svc-use-strongest-session-key=true Works. svc-use-strongest-session-key looks like it still tries to find something in the common subset of supported keys between the client and server, and legacy

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Russ Allbery
Andrew Deason adea...@sinenomine.net writes: Russ Allbery r...@stanford.edu wrote: svc-use-strongest-session-key looks like it still tries to find something in the common subset of supported keys between the client and server, and legacy aklog sends only des-cbc-crc as its supported keys. So

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-26 Thread Derrick Brashear
On Fri, Jul 26, 2013 at 5:09 PM, Andrew Deason adea...@sinenomine.net wrote: On Fri, 26 Jul 2013 13:39:22 -0700 Russ Allbery r...@stanford.edu wrote: This plus [kdc]svc-use-strongest-session-key=true Works. svc-use-strongest-session-key looks like it still tries to find

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 09:11:38 -0400 (EDT) step...@physics.unc.edu wrote: In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in certain versions of the Heimdal KDC software which

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Sergio Gelato
* Andrew Deason [2013-07-25 10:03:18 -0500]: On Thu, 25 Jul 2013 09:11:38 -0400 (EDT) step...@physics.unc.edu wrote: In the cell rekeying instructions found at http://openafs.org/pages/security/how-to-rekey.txt, there is a note for sites using Heimdal KDCs. It mentions a bug present in

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Russ Allbery
Sergio Gelato sergio.gel...@astro.su.se writes: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a des-cbc-crc session key (as requested by old aklog) even though the afs

Re: [OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Benjamin Kaduk
On Thu, 25 Jul 2013, Sergio Gelato wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a des-cbc-crc session key (as requested by old aklog) even though the afs service

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 15:22:50 -0400 (EDT) Benjamin Kaduk ka...@mit.edu wrote: On Thu, 25 Jul 2013, Sergio Gelato wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a

[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

2013-07-25 Thread Andrew Deason
On Thu, 25 Jul 2013 19:12:11 +0200 Sergio Gelato sergio.gel...@astro.su.se wrote: I've been poking a bit into this. First of all, let's make sure I don't misunderstand your expectation here: do you want the KDC to be willing to issue a ticket with a des-cbc-crc session key (as requested by