From my understanding you need to enable preauth per principal.
When I enabled preauth on my server I had to write a little script that
added the +requires_preauth flag to my users:
#!/bin/sh
# List principals, dropping service principals (containing '/') and the kadmin.local prompt line
USERS=$(echo get_principals | kadmin.local | grep -v \/ | grep -v kadmin.local:)
### Note 'grep -v \/' is
# Loop over the remaining principals and set the flag (loop assumed; the post is cut off above)
for p in $USERS; do
    kadmin.local -q "modprinc +requires_preauth $p"
done
klist should always fail after a kdestroy
kinit should work fine to get you a new TGT
On 05/12/2010 01:32 PM, Yang Li wrote:
Thanks Russ for your response.
What puzzles me is, this behavior is not consistent. Most of the time, after
kdestroy, either klist or kinit can still get a TGT ticket, but I
of OS? I see it
work fine on Windows? Any suggestions?
Thanks, -Yang
-Original Message-
From: Tom Parker [mailto:tpar...@cbnco.com]
Sent: Wednesday, May 12, 2010 1:40 PM
To: Yang Li
Cc: 'Russ Allbery'; kerberos@mit.edu
Subject: Re: error message after kdestroy
klist should
is physically at a remote office.
My question therefore is: Is there a way to run a single KDC with two
realms, one as master for XX.EXAMPLE.COM and one as slave for
EXAMPLE.COM? And if not, how would you solve this?
Thanks
Tom Parker
Canadian Bank Note Company, Ltd
On 09/03/2010 04:40 PM, Greg Hudson wrote:
On Fri, 2010-09-03 at 15:36 -0400, Tom Parker wrote:
My question therefore is: Is there a way to run a single KDC with two
realms, one as master for XX.EXAMPLE.COM and one as slave for
EXAMPLE.COM? And if not, how would you solve
by the auth_to_local rules?
If not does anyone have any suggestions on how to make this work some
other way? I am also considering adding a domain component to my user
names (eg: tparker.cent...@central) but the domain is already there in
the principal and it would be nice to use that.
Thanks!
Tom Parker
On 09/29/2010 10:34 AM, Douglas E. Engert wrote:
On 9/27/2010 8:11 PM, Tom Parker wrote:
I apologize for the long posting. I am stumped here and my scenario
is a bit complex.
As I am sure the list has noticed from all my questions, in the past few
weeks I have been trying to build
Hi Kevin
This should just work. kadmin and kadmin.local will list all the
principals found in any subtrees that are found in the Kerberos Realm
Container.
You should be able to see your subtrees in the LDAP tree under the realm
container using any LDAP browser.
In my test tree my Kerberos
Hi Kevin,
One more thing I just thought of.
Check the value for sscope (Search Scope). It should be in your
Kerberos Realm Container as krbSearchScope. If this is set to 1 it will
not search your subtrees.
From the krb5_ldap_util man page:
-sscope search_scope
Specifies the
but then fails)
08:15:57 - kadmind starting (fails)
08:15:59 - SLAPD started (accepting requests)
Is there a way to set a number of retries before krb5kdc will exit? Or
if not does the kerberos community have a workaround that does not
involve setting fixed sleep times in the init scripts?
Thanks
Tom
Good Morning
I am wondering if the account
account required pam_krb5.so minimum_uid=1000
line is required at all in common-account if I am using LDAP for access
control. It seems to be doing nothing on my systems and my login
behaviour does not change if this line is commented out.
We have a similar scenario with user collisions in a cross realm
environment. We are using fully qualified Principal names as usernames
on all our servers (stored in ldap and accessed with nss_ldap)
user@REALM is the user that is logged in. Not just user
Our auth-to-local rules are:
Hi Jonathan
Googling Kerberos For Windows returns MIT Kerberos Distribution as the
first link.
http://web.mit.edu/Kerberos/dist/index.html
Here you can download the KfW installer.
Tom
On 02/25/2011 01:02 PM, Jonathan Day wrote:
Hi,
Does anyone know of a recent MIT Kerberos build for
You need to use SSL with mod_auth_kerb so that if Negotiate auth fails and the
user is prompted for their username and password, this is protected.
mod_auth_kerb uses Basic auth to get this info, and your username and password
are transmitted in the clear to the server in this scenario. I would
Good Afternoon.
I am having problems getting my krb5kdc to talk to an LDAP server
protected with StartTLS on port 389.
I am not sure how to tell my kdc in kdc.conf to use TLS with a specific
CA certificate.
Is this possible, and if so, how?
Thanks a lot.
Tom Parker
... Nothing else is logged here.
Is this a regression in krb 1.9.1 (has it been fixed in 1.9.2. This is
not yet available in the SLES build service) or is something else going on?
Thanks
Tom Parker
Kerberos mailing list Kerberos@mit.edu
Hi Russ
No. I don't. The only thing that has changed between working and
broken is the upgrade of the krb5 packages from 1.8.3 to 1.9.1
Here is my client side krb5.conf
[libdefaults]
default_realm = LS.CBN
# This line has to be somewhere or the krb5kdc init script will
Good Afternoon.
After our upgrade from 1.8.3 to 1.9.1 I am also having problems with
account lockout. (It was not working under 1.8.3 either and I was
hoping 1.9.1 would fix it)
I have my default policy set to 10 password attempts before a lockout.
When a user hits the 10 attempts, the
18 Nov 2011 05:13:16 PM EST, Greg Hudson wrote:
On 11/18/2011 02:17 PM, Tom Parker wrote:
The problem I have is that if I update my client from 1.8.3 to 1.9.1 my
High Availability breaks. A 1.9.1 client will not successfully
authenticate if one of my KDCs is down. My 1.8.3 clients work fine
\/LS.CBN\@LS.CBN@X-CACHECONF:
from FILE:/tmp/krb5cc_0
[19969] 1321656825.632173: Storing tpar...@ls.cbn -
krb5_ccache_conf_data/fast_avail/krbtgt\/LS.CBN\@LS.CBN@X-CACHECONF: in
FILE:/tmp/krb5cc_0
On 11/18/2011 05:13 PM, Greg Hudson wrote:
On 11/18/2011 02:17 PM, Tom Parker wrote:
The problem
, Greg Hudson ghud...@mit.edu wrote:
On 11/18/2011 04:48 PM, Tom Parker wrote:
I have my default policy set to 10 password attempts before a lockout.
When a user hits the 10 attempts, the failed attempt counter stops
incrementing, the last failed count stops changing however they are
still able
I will try to get you more logs and traces.
Tom
On 2011-11-19, at 13:04, Greg Hudson ghud...@mit.edu wrote:
On 11/18/2011 04:48 PM, Tom Parker wrote:
I have my default policy set to 10 password attempts before a lockout.
When a user hits the 10 attempts, the failed attempt counter stops
01:04 PM, Greg Hudson wrote:
On 11/18/2011 04:48 PM, Tom Parker wrote:
I have my default policy set to 10 password attempts before a lockout.
When a user hits the 10 attempts, the failed attempt counter stops
incrementing, the last failed count stops changing however they are
still able to get
Hi Nalin
Thanks for your answer. One thing I don't understand. Is this fixed in
1.9.2 or will it be in 1.10.x?
For now I will hold off migrating my clients from 1.8.3.
Tom Parker
On 11/18/2011 06:32 PM, Nalin Dahyabhai wrote:
On Fri, Nov 18, 2011 at 05:41:44PM -0500, Tom Parker wrote
responses.
Tom Parker
On Sat 19 Nov 2011 11:39:36 PM EST, Greg Hudson wrote:
On 11/19/2011 11:09 PM, Tom Parker wrote:
Thanks for your answer. One thing I don't understand. Is this fixed in
1.9.2 or will it be in 1.10.x?
Based on the information in this thread so far, it appears that the bug
On Sun 20 Nov 2011 12:01:45 AM EST, Greg Hudson wrote:
On 11/19/2011 10:32 PM, Tom Parker wrote:
Password failure count reset interval: 0
After staring at the code for a while, I believe if you set a reset
interval (it can be very long), things should work as expected.
This appears
As far as I know you need to have the users in some kind of list. I use
LDAP for groups and users and Kerberos for user authentication.
My pam common-* config files look like this and will do what you want.
At first login a homedir is created for the user and from then on it is
persistent.
running the following versions:
krb5-1.8.3-45.1
krb5-plugin-kdb-ldap-1.8.3-45.1
krb5-client-1.8.3-45.1
krb5-32bit-1.8.3-45.1
pam-krb5-4.4-1
krb5-server-1.8.3-45.1
Thanks for any insight.
Tom Parker
Hi Derek.
What I have done is set shorter timeouts in my resolv.conf file
options timeout:1
options attempts:2
and set my LDAP bind timelimits to 3 seconds in /etc/ldap.conf
# Search timelimit
timelimit 3
# Bind/connect timelimit
bind_timelimit 3
I figure that if I can't contact an LDAP
Hello
Is it possible to serve several realms from a single kadmind process?
With the krb5kdc process it's as simple as specifying multiple -r
REALM flags on the command line?
I have a server that needs to support 4 separate realms and the kdc is
working fine but whenever users try to
Hello. I have had no response to this post. Does anyone have any suggestions on
how I can serve multiple realms from a single kadmind?
Thanks.
From: Tom Parker
Sent: Tuesday, May 21, 2013 11:55 AM
To: kerberos@mit.edu
Subject: Multiple realms served by single kadmind
Hello
Is it possible
On Tue 28 May 2013 12:44:52 AM EDT, Greg Hudson wrote:
On 05/24/2013 02:28 PM, Tom Parker wrote:
Is it possible to serve several realms from a single kadmind process?
With the krb5kdc process it's as simple as specifying multiple -r
REALM flags on the command line?
We do not have that feature
wrote:
In regard to: Re: Multiple realms served by single kadmind, Tom Parker
said...:
Thanks for the information. How can I tell my clients to use a custom
port for password change? The man pages I have don't mention this and
they tell me erroneously that kadmind will serve multiple
Good evening.
I am trying to set up a new kerberos realm using the ldap plugin and I
am getting the following error when I try to run:
/usr/sbin/kdb5_ldap_util stashsrvpw -f
/var/kerberos/krb5kdc/ldap_service_password cn=admin,dc=ls,dc=cbn
kdb5_ldap_util: Unable to find requested database type