Please can you tell what jar file the following class is in com.sun.security.auth.module.Krb5LoginModule
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 12 September 2005 17:02 To: kerberos@mit.edu Subject: Kerberos Digest, Vol 33, Issue 10 Send Kerberos mailing list submissions to kerberos@mit.edu To subscribe or unsubscribe via the World Wide Web, visit https://mailman.mit.edu/mailman/listinfo/kerberos or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED] You can reach the person managing the list at [EMAIL PROTECTED] When replying, please edit your Subject line so it is more specific than "Re: Contents of Kerberos digest..." Today's Topics: 1. Re: Kerberos support in Thunderbird (Markus Moeller) 2. Re: Kerberos support in Thunderbird (Mark Sirota) 3. Re: Kerberos support in Thunderbird (Jim Alexander) 4. Key size is incompatible (Ryan Olejnik) 5. Re: Kerberos support in Thunderbird (Jeffrey Altman) 6. Re: Kerberos support in Thunderbird (Simon Wilkinson) 7. Re: Kerberos support in Thunderbird (Jeffrey Altman) ---------------------------------------------------------------------- Date: Sun, 11 Sep 2005 18:27:26 +0100 From: "Markus Moeller" <[EMAIL PROTECTED]> To: kerberos@mit.edu Subject: Re: Kerberos support in Thunderbird Message-ID: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> Precedence: list Message: 1 Simon, is there also somewhere a documentation of how to enable it ? I didn't see any option when setting up an account nor for an outgoing smtp server. Thank you Markus "Simon Wilkinson" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > The Thunderbird beta (1.5b1) that was released yesterday contains new > support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP > servers. > > It would be really good to get some test coverage against different > servers, and in different environments. I originally wrote and tested > the code against the U-W IMAP server - it's also been tested against > various servers using Cyrus SASL for their GSSAPI support. > > The beta can be downloaded from > http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html > > Cheers, > > Simon. > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > ------------------------------ Date: Sun, 11 Sep 2005 19:28:13 -0400 From: Mark Sirota <[EMAIL PROTECTED]> To: Markus Moeller <[EMAIL PROTECTED]>, kerberos@mit.edu Subject: Re: Kerberos support in Thunderbird Message-ID: <[EMAIL PROTECTED]> In-Reply-To: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Content-Type: text/plain; charset=us-ascii; format=flowed MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: list Message: 2 --On Sunday, September 11, 2005 6:27 PM +0100 Markus Moeller <[EMAIL PROTECTED]> wrote: > is there also somewhere a documentation of how to enable it ? I didn't > see any option when setting up an account nor for an outgoing smtp > server. Make sure "Use Secure Authentication" is checked in the "Security Settings" tab for IMAP and POP (the "Never" radio button for secure connection works just fine). Nothing special needs to be done for SMTP (if Kerberos tokens exist, SMTP will take advantage of the credentials if possible). For Windows, a special pref needs to be set to get MIT's Kerberos For Windows (and it's GSSAPI library) used instead of Microsoft's sspi. This line: user_pref("network.auth.use-sspi", false); Needs to be put into a user's "prefs.js" in their user profile dir, or use options | advanced | config to change the pref. Mark -- Mark Sirota, Associate Director, Network Engineering and Services University of Pennsylvania, Information Systems and Computing [EMAIL PROTECTED], 215/573-7214 ------------------------------ Date: Sun, 11 Sep 2005 17:05:01 +0000 (UTC) From: [EMAIL PROTECTED] (Jim Alexander) To: kerberos@MIT.EDU Subject: Re: Kerberos support in Thunderbird Message-ID: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> Precedence: list Message: 3 In article <[EMAIL PROTECTED]>, Simon Wilkinson <[EMAIL PROTECTED]> wrote: ]The Thunderbird beta (1.5b1) that was released yesterday contains new ]support for Kerberos/GSSAPI authentication against POP3, IMAP and SMTP ]servers. ] ]It would be really good to get some test coverage against different ]servers, and in different environments. I originally wrote and tested ]the code against the U-W IMAP server - it's also been tested against ]various servers using Cyrus SASL for their GSSAPI support. ] ]The beta can be downloaded from ]http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html I'd love to try this out, but I cannot find information on how to make GSSAPI the default auth for IMAP and SMTP. There's nothing in the GUI, nor anything obvious in about:config. I assume there's a hidden pref, but googling and searching the relevant bugs in bugzilla for it has come up empty. Is this documented anywhere? (As a side note, it seems pretty odd to trumpet "Kerberos Authentication" as one of big new features of 1.5 when there's no obvious way of activating it!) -- ________ Jim Alexander __________________ [EMAIL PROTECTED] ________________ I have yet to see a problem, however complicated, which, when you looked at it in the right way, did not become still more complicated. -- Poul Anderson ------------------------------ Date: Sun, 11 Sep 2005 22:19:45 -0500 From: Ryan Olejnik <[EMAIL PROTECTED]> To: kerberos@mit.edu Subject: Key size is incompatible Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Precedence: list Message: 4 hello, does anyone know what might cause this problem: kinit: krb5_get_init_creds: Key size is incompatible with encryption type I am only running a master KDC, so that rules out a problem with the slave. thanks, ryan olejnik ------------------------------ Date: Mon, 12 Sep 2005 13:53:22 GMT From: Jeffrey Altman <[EMAIL PROTECTED]> To: kerberos@MIT.EDU Subject: Re: Kerberos support in Thunderbird Message-ID: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Precedence: list Message: 5 Mark Sirota wrote: > Make sure "Use Secure Authentication" is checked in the "Security > Settings" tab for IMAP and POP (the "Never" radio button for secure > connection works just fine). Nothing special needs to be done for SMTP > (if Kerberos tokens exist, SMTP will take advantage of the credentials if > possible). Mark: For e-mail, I believe that you really want the ability to specify in the account setup the Kerberos principal name that should be used for the client. On Mac OS X and with KFW on Windows, you may also want to specify the name of the ccache to use. On Mac OS X and KFW, the Kerberos libraries will prompt the user for credentials if there are not any. What test is Thunderbird using to determine whether or not GSSAPI authentication should be negotiated for a given account? > For Windows, a special pref needs to be set to get MIT's Kerberos > For Windows (and it's GSSAPI library) used instead of Microsoft's > sspi. > > This line: > > user_pref("network.auth.use-sspi", false); > > Needs to be put into a user's "prefs.js" in their user profile dir, > or use options | advanced | config to change the pref. Jeffrey Altman -- ----------------- This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu ------------------------------ Date: Mon, 12 Sep 2005 15:31:47 +0100 From: Simon Wilkinson <[EMAIL PROTECTED]> To: Jeffrey Altman <[EMAIL PROTECTED]> Cc: kerberos@mit.edu Subject: Re: Kerberos support in Thunderbird Message-ID: <[EMAIL PROTECTED]> In-Reply-To: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Content-Type: text/plain; charset=ISO-8859-1 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Precedence: list Message: 6 Jeffrey Altman wrote: > For e-mail, I believe that you really want the ability to specify > in the account setup the Kerberos principal name that should be used > for the client. There's not much intelligence in the code at the moment - it will use whatever the default principal in the current credentials cache is. To give some background - I implemented the SASL/GSSAPI support on top of the existing GSSAPI support that's used for NegotiateAuth in Firebird. Some things (like disabling the credentials prompting support under Mac OS X), come from the heritage of this underlying module. > On Mac OS X and with KFW on Windows, you may also want to specify the > name of the ccache to use. How do you do this from within the GSSAPI? > What test is Thunderbird using to determine whether or not GSSAPI > authentication should be negotiated for a given account? At the moment, if the 'Use Secure Authentication' option is set for a given protocol, the server at the other end offers GSSAPI as one of its supported SASL mechanisms, and the first call to init_secure_context for that server succeeds, we'll try to do GSSAPI auth against that server. If GSSAPI fails, then we'll fall back to trying a different authentication scheme. Cheers, Simon. ------------------------------ Date: Mon, 12 Sep 2005 15:13:27 GMT From: Jeffrey Altman <[EMAIL PROTECTED]> To: kerberos@MIT.EDU Subject: Re: Kerberos support in Thunderbird Message-ID: <[EMAIL PROTECTED]> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]><[EMAIL PROTECTED]> Precedence: list Message: 7 Simon Wilkinson wrote: >>On Mac OS X and with KFW on Windows, you may also want to specify the >>name of the ccache to use. > > > How do you do this from within the GSSAPI? At the moment, via the KRB5CCNAME environment variable. (Yes, I know, its not thread safe to do so) >>What test is Thunderbird using to determine whether or not GSSAPI >>authentication should be negotiated for a given account? > > > At the moment, if the 'Use Secure Authentication' option is set for a > given protocol, the server at the other end offers GSSAPI as one of its > supported SASL mechanisms, and the first call to init_secure_context for > that server succeeds, we'll try to do GSSAPI auth against that server. > If GSSAPI fails, then we'll fall back to trying a different > authentication scheme. This can end up causing some problems for end users. It is entirely possible for the GSSAPI authentication to succeed and yet the user will be unable to access the mailbox they are attempting to reach because the principal used is not the one which has authorization for accessing the mailbox. At the very least I think that users need to have the ability to disable the use of GSSAPI on a per mailbox basis until such time as we have better client principal selection algorithms in place. Jeffrey Altman -- ----------------- This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu ------------------------------ _______________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos End of Kerberos Digest, Vol 33, Issue 10 **************************************** ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos