Re: heimdal http proxy
On 9/11/2021 11:22 AM, Charles Hedrick (hedr...@rutgers.edu) wrote:
> I’d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac
> uses Heimdal.

One premise of this thread is that Apple uses Heimdal as developed at https://www.heimdal.software/ aka https://github.com/heimdal/

Apple does not. Apple uses a fork from Heimdal circa 2008. Apple publishes its changes and some of them are manually cloned into https://github.com/heimdal/heimdal but most are not.

> We don’t currently expose our Kerberos servers to the Internet, but we do
> have an https proxy for MIT kerberos. Heimdal apparently has its own HTTP
> proxy. Does anyone know of software to implement the proxy?

I believe the question that should be asked is "Can an https proxy client compatible with MIT Kerberos be implemented for Heimdal?"

The answer is "yes", but someone would need to develop the implementation and submit a pull request.

Jeffrey Altman

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: CVE-2020-17049
On 11/17/2020 1:26 PM, Greg Hudson (ghud...@mit.edu) wrote:
> On 11/17/20 12:53 PM, Jeffrey Altman wrote:
>> Just to set the record straight, Kerberos service tickets have never
>> been renewable unless they were obtained as initial tickets. Only
>> TGTs are renewable. This is true for MIT and Heimdal as well as
>> Active Directory.
>
> Both initial and non-initial non-TGTs are renewable with MIT krb5:
>
> $ make testrealm
> $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
> $ kadmin.local modprinc -maxrenewlife 1d user
> $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
> $ kinit -S host/small-gods -l 10m -r 20m
> Password for u...@krbtest.com:
> $ kinit -R -S host/small-gods
> $ kinit -l 10m -r 20m user
> Password for u...@krbtest.com:
> $ kvno host/small-gods
> host/small-g...@krbtest.com: kvno = 1
> $ kinit -R -S host/small-gods
> $
>
> There is even a messaging service at MIT that makes use of renewable
> service tickets.
>
> Prior to release 1.9 the MIT krb5 KDC supported renewing service
> tickets, but the client library did not:
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .
>
>> It used to be the case that "kinit -r" would fail if the requested
>> principal was "disallow-renewable". I don't remember if it was because
>> the KDC refused to issue any ticket when renewable was requested or if
>> it was the client library rejecting the ticket because it didn't satisfy
>> the request.
>
> That was KDC-side. For MIT krb5, the KDC behavior changed in release
> 1.12 to just issue a non-renewable ticket in this case.

Greg,

Thanks for tracking down the history. I'm glad to see that service tickets can be renewed. The lack of that functionality was always frustrating. Heimdal should change its behavior to match.

Jeffrey Altman
Re: CVE-2020-17049
On 11/17/2020 12:16 PM, Robbie Harwood (rharw...@redhat.com) wrote:
> Luke Hebert writes:
>
>> Hi,
>> Disabling service
>> ticket and tgt renewability is not great and it obviously breaks long
>> running processes that rely on renewability of these items.

Just to set the record straight, Kerberos service tickets have never been renewable unless they were obtained as initial tickets. Only TGTs are renewable. This is true for MIT and Heimdal as well as Active Directory.

>>>> *How does this patch affect third-party Kerberos clients?*
>>
>>>> When the registry key is set to 1, patched domain controllers will issue
>> service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
>> and will refuse to renew existing service tickets and TGTs. Windows clients
>> are not impacted by this since they never renew service tickets or TGTs.
>> Third-party Kerberos clients may fail to renew service tickets or TGTs
>> acquired from unpatched DCs. If all DCs are patched with the registry set
>> to 1, third-party clients will no longer receive renewable tickets.
>
> You're correct that Microsoft has not released details on this issue.
>
> They have indicated that some failures are a known issue, and claim to
> be working on a fix:
> https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc

It used to be the case that "kinit -r" would fail if the requested principal was "disallow-renewable". I don't remember if it was because the KDC refused to issue any ticket when renewable was requested or if it was the client library rejecting the ticket because it didn't satisfy the request.

If the problem is the latter, the Microsoft change has an immediate impact that cannot easily be worked around without patching the client systems.

It would be useful if someone could test and report the actual symptoms as observed on the non-Windows client.

Jeffrey Altman
Re: Replacing master/slave terminology
On 6/10/2020 5:26 PM, Nate Coraor (n...@bx.psu.edu) wrote:
> On Wed, Jun 10, 2020 at 5:04 PM Greg Hudson wrote:
>
>> MIT krb5 switched to using "replica" for non-primary KDCs as of release
>> 1.17. This was an easy change technically, as the old term was only
>> used in a user-visible way in documentation and in the name of one
>> profile relation. The pull request for that change was here:
>> https://github.com/krb5/krb5/pull/851
>
> Hi Greg,
>
> This is fantastic and encouraging news, thanks! I'm not sure how I missed
> this. If I can find the time I'll see if it'd be as simple for Heimdal, or
> perhaps someone from the Heimdal side will chime in. In specific, iprop
> uses "slave" even more prominently than kprop did, I believe.

For Heimdal, the term "slave" is part of both the iprop process name and command line switches for the iprop_master. Changing these could adversely impact end user deployments that are not expecting their configuration scripts and packaging to break.

>> Replacing the term "master" is a larger technical challenge. We use
>> that term in a DNS SRV record label (_master_kdc), and migrating that
>> would come with a cost in network traffic and latency. Aside from the
>> kprop architecture, we also use the term "master key" to describe the
>> key used to encrypt long-term keys in the KDC database.

Changing the name in DNS SRV records is really untenable. The impact on end user organizations would be significant. The support for master_kdc lookups and configuration parsing could not be removed because doing so would result in interop failures. Likewise end user organizations would be required to publish both the new record and the old.

> Technical considerations are certainly factors. I wonder if it'd be
> reasonable to allow clients to specify a preference when performing the SRV
> record lookup?

Not really. It doesn't change anything other than adding a new configuration option that must reference the "master_kdc" service name in its documentation.

As a real world example, in 2011 the IETF deprecated the use of AFSDB records in favor of SRV records for AFS services. This was an official standardization action that took more than a year to complete. It has been nearly a decade and by my most recent inventory nearly 2/3 of AFS cells are still configured with AFSDB records and only 40% have SRV records. Approximately five percent support both. As a result it has been impossible to even consider removing the support for AFSDB records and the additional delays that result from trying one and falling back to the other.

>> I have rationalized to myself that the term "master" is the less
>> problematic of the two terms, as it is used in a lot of different
>> contexts (such as physical master keys, martial arts masters, master
>> plumbers, and master recordings of records). But I don't know if that
>> rationalization is adequate; from recent discussion I know that git's
>> use of "master" for the initial default branch name has become a point
>> of contention.
>
> I largely agree here, it's less problematic. I do think it'd be preferable
> to refer to the "master" server as e.g. "primary", but master key seems
> fine as it has an established unencumbered meaning.

The term "master" applies to the database not the server. The question is whether or not the answer to a query is definitive. All of the KDCs can serve data from the "master" database. The client needs to know that it should retry against another server when it can determine that the database isn't a "master". This is not "master" as a noun, where the use of "master" indicates being an expert, principal or instructor; it's "master" as an adjective.

Heimdal's documentation should be rewritten to remove the master-slave relationship. If and when there is ever a volunteer to perform that work along with all of the other changes that Heimdal's documentation requires I will happily merge the pull request.

Jeffrey Altman
Re: rdns, past and future
On 5/26/2020 6:31 PM, Ken Dreyer wrote:
> On Tue, May 26, 2020 at 3:58 PM Jeffrey Altman
> wrote:
>>
>> 2. Before the existence of DNS SRV records, CNAME records were the
>> only method of offering a service on multiple hosts. However,
>> it's a poor idea to share the same key across all of the hosts.
>
> I'm curious about this. What makes it a poor idea?
>
> It seems like a very convenient way to scale a service up and down
> dynamically quickly when you share a key among all instances.

Because if you hack into one of the hosts you now have the key for all of the hosts. The holder of the key can forge tickets for any user. Since the key isn't unique the entire distributed service has to be shut down to address the vulnerability. It is also much harder to trace where the key was stolen from.

There are scalable approaches to deriving unique keys for Kubernetes but they aren't pertinent to this thread.

>> Again, disabling "rdns" by default will break an unknown number
>> of application clients.
>
> Sure. My point is that it breaks the other way for modern
> architectures where PTR records will never be under an application
> developer's control. With Kubernetes a service can appear to clients
> to move IPs very quickly. I'm not defending Kubernetes or anything
> here, I'm wildly speculating that maybe breaking with the past is a
> good idea as more applications and developers move in this direction.

My point is that Kubernetes is new, and new deployments can add the appropriate keys to their default configurations as Red Hat already does on Fedora and Enterprise Linux. If you change the hard coded default, then the existing deployed installations that are relying on that default will silently break. Since the breakage is on the client side that is being altered without knowledge of the service administrators, the administrators cannot fix it.
Re: rdns, past and future
On 5/26/2020 5:09 PM, Ken Dreyer wrote:
> Hi folks,
>
> In public cloud environments or Kubernetes environments, PTR records
> are difficult or impossible for administrators to set. We increasingly
> have to tell users to set "rdns = fallback" or "rdns = false".

As described in RFC4120 Section 1.3 https://tools.ietf.org/html/rfc4120#section-1.3 Kerberos implementations "MUST NOT use insecure DNS queries to canonicalize the hostname components of the service principal names."

That said, MIT and Heimdal have canonicalized hostnames using insecure DNS since the beginning of time and changing the defaults will be sure to break authentication for some unknown number of sites.

> I'm wondering what the original purpose of Kerberos' rdns feature was.
> Why would a client want or need to do hostname canonicalization?

There are two reasons that scream at me:

1. Before the introduction of Kerberos Referrals by Microsoft (and later standardized and adopted by MIT, Heimdal, ...), the clients required the PTR name in order to determine the true "domain" for host domain to realm mapping. With Kerberos referrals it is best if the Kerberos client sends the initial service ticket request to a KDC in the client principal's realm and allows the KDC to refer the client to the first cross-realm hop if required. There are still too many systems that have client-side domain_realm mapping data that would break if "rdns" was turned off.

2. Before the existence of DNS SRV records, CNAME records were the only method of offering a service on multiple hosts. However, it's a poor idea to share the same key across all of the hosts. In order to identify the name of the host that was contacted the DNS PTR record is used. Even with the existence of SRV records, too few application protocols use them. Even for services that are hosted on a single system, CNAME records are convenient to permit migration of services from an old machine to a new one.

Again, disabling "rdns" by default will break an unknown number of application clients.

> I'm also wondering if we will ever be able to default MIT Kerberos'
> rdns setting to "fallback" or "false" in a future version. IMHO this
> would make it easier to deploy Kerberos applications in modern hosting
> environments.

I'm unaware of any OS distribution that ships with Kerberos that doesn't provide some default equivalent of "/etc/krb5.conf". Those distributions can of course add whatever default settings they want with appropriate documentation. If a distribution ships a default krb5.conf with "rdns = false", then an end user that replaces the default krb5.conf with their organization's krb5.conf will not be broken. If the hard coded default is changed, then installing the organization's krb5.conf might not work as intended.

Jeffrey Altman
Re: Question about TGT forwarding
On 5/31/2018 4:50 PM, Jason Edgecombe wrote:
> Hi everyone,
>
> We're noticing some odd behavior on our Windows clients where the Windows
> clients are not forwarding the TGT to our Linux servers. People can login
> to the Linux servers from windows clients, but "klist" shows no tickets
> after login. Linux clients forward the TGT just fine. In case it matters,
> we just moved our Linux home directories from a NAS with Kerberized SMB to
> a Linux NFS server with Kerberized NFS.

There are aspects of this post that make no sense to me. You say that everything worked fine a few weeks ago and you imply that the only change that was made was a transition from SMB to NFS for home directories. You also imply but do not explicitly state that the Windows clients are Active Directory domain joined machines and the end users logged into those systems using a domain account with either a password or smart card.

There is no obvious connection between the replacement of the home directory file system storage mounted by the linux workstation and the failure of SSH GSS-API + Credential Delegation between the windows client and the linux workstation.

  windows  ->  linux        ->  home directory
  client       workstation      storage

Clearly there is more to this story that you are failing to describe.

> I've had to disable GSSAPI authentication in openssh so that windows
> users can still get tickets on the remote end.

Without GSSAPI authentication there is no possibility of delegation but you did not specify that the OpenSSH server was configured to request delegation. Nor was it specified what SSH client is being used on Windows and how it is configured. Is it even attempting to delegate? Does the SSH client use the Windows Kerberos SSP or does it rely upon MIT Kerberos or Heimdal for GSS-API support? Nor were any details provided about the ticket flags on the client's TGT.

> I have a disagreement with our AD guru on whether or not TGTs are expected
> to be forwarded and if that is a security risk.

TGT forwarding is a security risk. The question is under which circumstances the practice is an acceptable risk. As has been pointed out by another list member, the Windows domain provides finer grained control over credential delegation than is supported by MIT Kerberos or Heimdal. The domain administrator can whitelist service principals to which the Windows client is permitted to delegate.

Jeffrey Altman
Re: Is a keytab file encrypted?
On 7/21/2017 11:13 AM, Charles Hedrick wrote:
> The argument makes sense.
>
> However I am disturbed by the fact that a keytab can be used anywhere. If
> someone manages to become root on one machine, I’d like them not to be able
> to do things on other machines. I’m in an environment where we have systems
> administered by users, and unattended public workstations.
>
> That makes me unwilling to tell users to create key tables for cron jobs.

Sites have implemented a wide variety of approaches to authenticating cron jobs. The cron process is specific to a host and is not the user. As such some sites provide tooling that issues host specific principals for such use with cron:

  user/cron/hostname@REALM

is a common format. It is then up to the service receiving such a principal to ensure that the authenticating client is in fact connecting from the specified host. Authorization rules can be applied as desired to either grant specific permissions to

  user/cron/hostname@REALM
  user/cron/*@REALM
  user/*/*@REALM

with appropriate name folding.

Jeffrey Altman
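The host-bound cron principal and the wildcard authorization rules described in this reply, as an added Python example that is not code from the thread or from any Kerberos implementation; the principal names, the ACL entries, the peer-host check and the helper functions are all constructed for illustration:

```python
# Added example (not code from the thread): authorization checks for the
# host-specific cron principals (user/cron/hostname@REALM) described above.
# Principal names, hosts and ACL entries below are constructed for illustration.
from typing import FrozenSet, List, Tuple

HOST_COMPONENT = 2   # in user/cron/hostname the hostname is component index 2


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp/comp/...@REALM' into (components, realm).

    Simplification: backslash-escaped '/' and '@' inside components are not handled.
    """
    local, sep, realm = name.rpartition("@")
    if not sep or not local or not realm:
        raise ValueError(f"malformed principal: {name!r}")
    return local.split("/"), realm


def fold_host(host: str) -> str:
    # DNS names are case-insensitive and a trailing dot names the same FQDN,
    # so this is the "name folding" applied to the hostname component.
    return host.lower().rstrip(".")


def component_matches(pattern: str, value: str, fold: bool) -> bool:
    if pattern == "*":
        return True
    if fold:
        return fold_host(pattern) == fold_host(value)
    return pattern == value   # user names and instance labels are case-sensitive


def principal_matches(principal: str, pattern: str) -> bool:
    """True if principal matches an ACL pattern such as user/cron/*@REALM.

    '*' matches exactly one whole component, so user/*/*@REALM does not match
    user@REALM; the realm must match exactly (realm names are case-sensitive).
    """
    p_comps, p_realm = parse_principal(principal)
    t_comps, t_realm = parse_principal(pattern)
    if p_realm != t_realm or len(p_comps) != len(t_comps):
        return False
    return all(component_matches(t, p, fold=(i == HOST_COMPONENT))
               for i, (t, p) in enumerate(zip(t_comps, p_comps)))


def authorize(client_principal: str, peer_host: str,
              acl: List[Tuple[str, FrozenSet[str]]]) -> FrozenSet[str]:
    """Return the permissions granted to client_principal connecting from peer_host.

    A cron principal carries the host it was issued for; the service refuses it
    when the connection does not come from that host (peer_host is whatever the
    service established for the connection), so a keytab copied off the machine
    gains nothing elsewhere. The ACL is searched most-specific first.
    """
    comps, _ = parse_principal(client_principal)
    if len(comps) == 3 and comps[1] == "cron":
        if fold_host(comps[2]) != fold_host(peer_host):
            return frozenset()
    for pattern, perms in acl:
        if principal_matches(client_principal, pattern):
            return frozenset(perms)
    return frozenset()


# Constructed ACL: most specific entry first.
ACL = [
    ("alice/cron/build01.example.com@EXAMPLE.COM", frozenset({"deploy", "read"})),
    ("alice/cron/*@EXAMPLE.COM", frozenset({"read"})),
    ("alice/*/*@EXAMPLE.COM", frozenset({"status"})),
]

if __name__ == "__main__":
    # Same host, differently cased and with a trailing dot: still authorized.
    print(authorize("alice/cron/BUILD01.example.com.@EXAMPLE.COM", "build01.example.com", ACL))
    # Keytab used from a different host than the one named in the principal: refused.
    print(authorize("alice/cron/build01.example.com@EXAMPLE.COM", "build02.example.com", ACL))
```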
Re: F5 seeing ASFD server as external device?
On 5/24/2016 11:17 PM, Tom Yu wrote:
> "GALSTER, ALAN A CIV USAF AFMC AFLCMC/HNIA" <alan.gals...@us.af.mil>
> writes:
>
>> Trying to implement F5 with BIG IP (Kerberos) and ran into this. Anyone
>> seen
>> this before?
>
> I'm not finding any expansions of "ASFD" that make sense in context;
> perhaps you could elaborate a bit on what "ASFD" means and what you are
> trying to do with the F5?
>
> Thanks,
> -Tom

Tom,

I believe the original poster meant Active Directory Federated Services (ADFS). There are many hits such as this one https://social.technet.microsoft.com/Forums/en-US/e7ce6018-4380-44fe-994d-d2a5201c67cc/eliminating-the-adfs-infrastructure-with-f5-big-ip-saml?forum=onlineservicesadministrationcenter

Jeffrey Altman
Reminder: Call for Presentations AFS Kerberos Best Practices Workshop 2015: August 17 to 21
The AFS Kerberos Best Practices Workshop 2015 Call for Presentations closes this coming Friday 15 May 2015. If you would like to submit a presentation on any AFS or Kerberos related subject or a site report please follow the Submit a Talk link at

  http://workshop.openafs.org/afsbpw15/cfp.html

All subjects related to on-going development of AFS and Kerberos implementations, and deployment of AFS and Kerberos based application infrastructures are welcome.

The 2015 AFS and Kerberos Best Practices Workshop will be held in Pittsburgh PA USA the week of August 17 to 21. All details can be found at the workshop web site

  http://workshop.openafs.org/

This year's event is family friendly. Spouses and children are welcome to attend the Workshop social events. If your family is looking for a Summer vacation, think Pittsburgh and the AFS Kerberos Best Practices Workshop.

  http://workshop.openafs.org/afsbpw15/family.html

As in prior years the format of the workshop will be a Kerberos Tutorial on Monday, an AFS Tutorial on Tuesday, followed by conference presentations coupled with social events Wednesday to Friday.

This year's workshop is extra special because we will be joined by many members of the Project Andrew, Transarc and IBM Pittsburgh Labs teams that developed AFS3 prior to its open source transition. Many OpenAFS developers, system administrators and end users often ask origin questions that cannot be answered by current OpenAFS contributors. This event will shed light on the various decisions that molded AFS3 and provide a forum for the trailblazers to learn how their work continues to impact the lives of end users more than 30 years later.

The AFS and Kerberos Best Practices Workshop is appropriate for anyone that is responsible for deploying or curious about real world distributed computing environments.

Jeffrey Altman
on behalf of the Workshop committee
Re: gssapi32.dll
On 5/1/2015 3:32 PM, Jeffery Dowell wrote:
> Here are the properties on the file:
>
> Krb5_32.dll
> Kerberos v5 - MIT GSS / Kerberos v5 distribution
> Version 1.2.1.0
> Product Name: MIT Kerberos v5
> Size: 372KB
> Date modified: 10/17/2009

This is really old. It predates KFW 3.0.

> It is actually found in C:\windows\sysWOW64 on very few of our computers.

SysWOW64 is the directory used to hold files that were written to System32 by 32-bit processes on 64-bit Windows.

> The ones that do have the file in that directory had the error message.

That makes sense because the DLL is in the search path and gssapi32.dll is not linked to krb5_32.dll with an assembly manifest. Therefore, the first matching file on the PATH will be used.

Jeffrey Altman
Re: gssapi32.dll
On 4/29/2015 12:23 PM, Jeffery Dowell wrote:
> After much testing with the Process Mon tools I found that there is one
> competing DLL that causes the error on all computers affected.
>
> C:\Windows\SysWOW64\krb5_32.dll

MIT KFW doesn't install into SYSTEM32. What properties are listed when you view this DLL with the Explorer Shell Properties dialog?
AFS Kerberos Best Practices Workshop 2015: August 17 to 21 - Call for Presentations and Sponsors
The AFS and Kerberos Best Practices Workshop Committee is happy to announce that after a four year hiatus the 2015 AFS and Kerberos Best Practices Workshop will be held in Pittsburgh PA USA the week of August 17 to 21. All details can be found at the workshop web site

  http://workshop.openafs.org/

This year's event is family friendly. Spouses and children are welcome to attend the Workshop social events. If your family is looking for a Summer vacation, think Pittsburgh and the AFS Kerberos Best Practices Workshop.

  http://workshop.openafs.org/afsbpw15/family.html

As in prior years the format of the workshop will be a Kerberos Tutorial on Monday, an AFS Tutorial on Tuesday, followed by conference presentations coupled with social events Wednesday to Friday.

This year's workshop is extra special because we will be joined by many members of the Project Andrew, Transarc and IBM Pittsburgh Labs teams that developed AFS3 prior to its open source transition. Many OpenAFS developers, system administrators and end users often ask origin questions that cannot be answered by current OpenAFS contributors. This event will shed light on the various decisions that molded AFS3 and provide a forum for the trailblazers to learn how their work continues to impact the lives of end users more than 30 years later.

The full schedule will be posted after the Call for Presentations period expires on May 15th. If you would like to submit a presentation on any AFS or Kerberos related subject or a site report please follow the Submit a Talk link at

  http://workshop.openafs.org/afsbpw15/cfp.html

The AFS and Kerberos Best Practices Workshop is appropriate for anyone that is responsible for deploying or curious about real world distributed computing environments.

The 2015 AFS and Kerberos Best Practices Workshop cannot be successful without sponsor organizations. Please see

  http://workshop.openafs.org/afsbpw15/sponsorship.html

for the benefits that your organization will obtain from sponsoring this year's workshop.

Jeffrey Altman
on behalf of the Workshop committee
Re: No mention of _kerberos TXT in RFCs / but we have DNSSEC now
On 10/17/2014 2:24 AM, Rick van Rein wrote:
> Thanks Ken, Benjamin,
>
> Your combined response indicates that there is no clear reason that TXT
> records ought to stay out, and indeed, that the recent introduction of
> DNSSEC into the landscape means it could have some re-evaluation. That’s
> pretty much what I wanted to know.
>
> No need to dig up detail-ridden discussions from the past! Had it been
> public, then I think I would have found it already anyway.
>
> Cheers,
> -Rick

Rick,

Speaking as the other author of draft-ietf-krb-wg-krb-dns-locate-03, I have no objection to revisiting the discussion of using TXT records for Kerberos in order to further reduce the need for client side configuration. However, I would be unhappy if the implemented _kerberos.fqdn entry were standardized as-is.

In 2001 there wasn't much experience using TXT records and the choice of _kerberos.fqdn was somewhat controversial in the DNS community. In 2014, the current DNS best practice for use of TXT records is that the TXT record be applied to the fqdn directly where the TXT record has a format of

  v=protocolversion; [tag=value;]+

For Kerberos an initial version describing only the REALM might be:

  v=krb1; r=REALM;

which would permit us to distribute other mandatory configuration in the future. However, I could imagine other information being provided such as pre-auth hints; and public key information for the realm.

This discussion would be best held on the IETF Kitten mailing list.

Jeffrey Altman
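The "v=protocolversion; [tag=value;]+" TXT layout sketched in this reply, as an added Python example that is neither code from the thread nor from any Kerberos implementation; the tag syntax, the strictness rules and the sample RRset are assumptions made for illustration:

```python
# Added example (not from the thread or any implementation): a parser for the
# "v=protocolversion; [tag=value;]+" TXT layout proposed above, and a lookup
# that picks the Kerberos realm out of a host's TXT RRset. The tag syntax and
# strictness rules are assumptions; the record contents are constructed.
import re
from typing import Dict, Iterable, Optional, Tuple

TAG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")   # assumed tag syntax


class TxtRecordError(ValueError):
    pass


def parse_tagged_txt(record: str) -> Tuple[str, Dict[str, str]]:
    """Return (version, {tag: value}) for e.g. 'v=krb1; r=EXAMPLE.COM;'.

    Enforced: the first field is the v= tag, every field is tag=value with a
    non-empty value, tags are unique, and at least one tag follows the version
    (the '+' in the grammar).
    """
    fields = [f.strip() for f in record.split(";")]
    if fields[-1] == "":
        fields.pop()                # the ';' terminating the last tag leaves an empty field
    if not fields:
        raise TxtRecordError("empty record")
    tags: Dict[str, str] = {}
    for i, field in enumerate(fields):
        tag, sep, value = field.partition("=")
        tag, value = tag.strip(), value.strip()
        if not sep or not TAG_RE.match(tag) or value == "":
            raise TxtRecordError(f"malformed field {field!r}")
        if i == 0 and tag != "v":
            raise TxtRecordError("record must start with the v= version tag")
        if tag in tags:
            raise TxtRecordError(f"duplicate tag {tag!r}")
        tags[tag] = value
    version = tags.pop("v")
    if not tags:
        raise TxtRecordError("no tags follow the version")
    return version, tags


def realm_from_txt(records: Iterable[str]) -> Optional[str]:
    """Return the realm advertised by a v=krb1 record in the RRset, or None.

    Records that do not parse (an SPF record on the same name, for instance)
    or that carry another version are skipped rather than treated as errors,
    so unrelated TXT data on the name cannot break the lookup. A v=krb1 record
    without the mandatory r= tag is an error, not a silent miss.
    """
    for rec in records:
        try:
            version, tags = parse_tagged_txt(rec)
        except TxtRecordError:
            continue
        if version != "krb1":
            continue
        if "r" not in tags:
            raise TxtRecordError("v=krb1 record lacks the mandatory r= tag")
        return tags["r"]
    return None


# Constructed RRset for one host name: an SPF record shares the name.
SAMPLE_RRSET = ["v=spf1 -all", "v=krb1; r=EXAMPLE.COM;"]

if __name__ == "__main__":
    print(parse_tagged_txt("v=krb1; r=EXAMPLE.COM;"))   # ('krb1', {'r': 'EXAMPLE.COM'})
    print(realm_from_txt(SAMPLE_RRSET))                 # EXAMPLE.COM
```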
Re: Man page description of kinit -R
On 9/3/2014 8:41 PM, Brett Randall wrote:
> Hi,
>
> krb5-1.10.1 here. My local man page for kinit (as well as
> http://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html )
> has the following description of the kinit -R option:
>
>   -R: requests renewal of the ticket-granting ticket. Note that an expired
>   ticket cannot be renewed, even if the ticket is still within its
>   renewable life.
>
> Does the comment "an expired ticket cannot be renewed" remain true, and if
> so, can someone help me understand "expired" in this context? If I have a
> ticket which has an Expires date-time (as reported by klist) which is in
> the past, but a "renew until" date which is in the future, I can
> successfully renew the ticket using kinit -R. I see this as renewal of an
> expired, but renewable and within-renewable-period ticket.

Your understanding is correct. What KDC is renewing such a ticket?

> Is that expected, and is the above comment now a doc-bug?

It is not expected and would be a KDC side bug.
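The KDC-side renewal rules discussed here and in the CVE-2020-17049 thread above (service tickets renew under the same rules as TGTs; an expired ticket cannot be renewed even while its renewable life lies ahead), as an added Python model that is not code from MIT krb5, Heimdal or the thread; the Ticket fields, the renew() function, the max_life policy knob and the sample ticket times are assumptions of this model:

```python
# Added example (not MIT krb5 or Heimdal code): a model of the checks a KDC
# applies to a renewal request (what "kinit -R" sends), following the renewal
# rules of RFC 4120 section 3.3.3. The Ticket fields and the max_life policy
# knob are assumptions of this model; the sample ticket is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

RENEWABLE = "renewable"


@dataclass(frozen=True)
class Ticket:
    server: str                      # "krbtgt/REALM" for a TGT, "host/small-gods" for a service ticket
    starttime: datetime
    endtime: datetime                # what klist reports as "Expires"
    renew_till: Optional[datetime]   # what klist reports as "renew until"; None if not renewable
    flags: FrozenSet[str] = frozenset()


class RenewError(Exception):
    pass


def renew(ticket: Ticket, now: datetime, max_life: timedelta) -> Ticket:
    """Return the renewed ticket or raise RenewError.

    The decision keys only on the ticket's flags and times, never on the server
    name, so a service ticket renews exactly like a TGT.
    """
    if RENEWABLE not in ticket.flags or ticket.renew_till is None:
        raise RenewError("ticket is not renewable")
    if now >= ticket.endtime:
        # An expired ticket cannot be renewed even when renew_till is still
        # ahead; a KDC that renews one anyway has a bug, as the reply above says.
        raise RenewError("ticket has expired")
    if now >= ticket.renew_till:
        raise RenewError("renewable life exhausted")
    # The renewed ticket keeps the original lifetime, capped by the policy
    # limit (max_life) and never extending past renew_till.
    lifetime = min(ticket.endtime - ticket.starttime, max_life)
    return Ticket(ticket.server, now, min(now + lifetime, ticket.renew_till),
                  ticket.renew_till, ticket.flags)


def can_renew(ticket: Ticket, now: datetime,
              max_life: timedelta = timedelta(days=1)) -> bool:
    try:
        renew(ticket, now, max_life)
        return True
    except RenewError:
        return False


# Constructed sample mirroring "kinit -S host/small-gods -l 10m -r 20m" issued at T0.
T0 = datetime(2020, 11, 17, 12, 0, tzinfo=timezone.utc)
SERVICE_TICKET = Ticket("host/small-gods", T0, T0 + timedelta(minutes=10),
                        T0 + timedelta(minutes=20), frozenset({RENEWABLE}))

if __name__ == "__main__":
    renewed = renew(SERVICE_TICKET, T0 + timedelta(minutes=5), timedelta(days=1))
    print("renewed until", renewed.endtime)                                      # T0 + 15 minutes
    print("renew at +11m:", can_renew(SERVICE_TICKET, T0 + timedelta(minutes=11)))  # False: expired
```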
Re: What happened to PKCROSS?
On 7/2/2014 12:11 PM, Nico Williams wrote:
> No. Heimdal has a kx509 server and client. And there are other
> implementations:
>
> https://secure-endpoints.com/kcacred/index.html

That is the link to the Network Identity Manager provider. The Active Directory Service implementation is here

  http://www.secure-endpoints.com/kca_service/

Note that TAGPMA has certified this implementation as a method for obtaining Short Lived Certificates using Kerberos.

Jeffrey Altman
Secure Endpoints Inc.
Re: Feedback on KfW 4.0.1 Ticket Manager app
On 7/2/2014 1:03 PM, Dave Botsch wrote:
> Also, being able to auto obtain afs tokens as a side effect of getting
> kerberos tickets would be really useful. Users have a hard time
> distinguishing Kerberos Tickets from AFS Tokens, and so users need one app
> that does both at the click of a single button.

The reason that Network Identity Manager replaced Leash32 (now Ticket Manager) in KFW 3.x was due to the desire to support the acquisition of AFS tokens (or other credentials like kx509 short lived certificates) as a side effect of TGT acquisition. It is not reasonable for KFW to have built-in AFS token support because that requires a dependency on OpenAFS whereas OpenAFS has a dependency on KFW.

The solution was to create a credential management framework that was credential type agnostic which relied on a combination of identity provider dlls and credential provider dlls. These dlls can be developed independently and combined at run-time, thereby enabling the various development organizations to maintain their own independent release schedules, and providing third-parties the ability to enhance the end-user functionality without requiring MIT or OpenAFS or OpenSSL to be involved in the generation of new provider dlls.

Jeffrey Altman
Re: Proposition for new remctl ACL scheme / group support
On 4/5/2014 3:34 PM, Russ Allbery wrote:
> The only other thing that I'm not sure about is how annoying it is to set
> up and tear down the libraries that let you do PTS queries. I'm pretty
> aggressive about making sure that the remctl server is entirely clean
> about memory allocation and free and not leaking file descriptors to child
> processes, and the OpenAFS libraries often have some difficulties there.

If you want to be able to load and unload the libraries then you cannot link to anything that includes OpenAFS rx. rx will start background threads and those threads cannot safely be stopped using the OpenAFS implementation.

Jeffrey Altman
Re: kfw-401 kerberos client and Windows Xp
On 7/31/2013 7:49 AM, Hubert Kröss wrote:
> Hello
>
> I'm trying to integrate kfw-4.0.1 kerberos tools to Window 7 and Windows
> Xp workstations. We have a MIT kerberos Infrastructure with samba- and
> Ldap-Integration.
>
> Windows7 Workstations authenticate fine with MIT Kerberos.exe -autoinit
> and then mit2ms.exe to copy the princs in Ms-Lsa cache. Drive mapping
> against samba-Servers works regular
>
> On Windows Xp Workstations authentication with MIT Kerberos.exe -autoinit
> works but fails to copy the princs in Ms-Lsa: mit2ms.exe gave an error:
>
>   no credentials cache found while opening MS LSA cache
>
> So in Xp I am unable to map samba shares
>
> I'm sure I miss some piece on Windows Xp machines
>
> Hopefully someone can help
>
> many thanks
> Hubert

There is no functionality in Windows XP permitting the storage of TGTs into the LSA. You aren't missing anything. It simply doesn't exist.
Re: Kfw question
On 6/12/2013 1:21 PM, Matt Lists wrote:
> Hi... I'm hoping that questions about MIT Kerberos for Windows are
> on-topic here. Apologies in advance if this is not the case.
>
> We have a Samba 3 domain and also separate MIT Krb5 KDCs, where the
> principal names match the Samba userids. On previous Windows XP machines
> with Kfw 3.x installed, Kfw would somehow automatically get a TGT from the
> KDC when the user logged into the samba domain via the Windows domain
> logon dialog. I always assumed that Kfw somehow had access to the
> cleartext password entered by the user, but don't know if that's true.
> (Was there some kind of Windows password cache, or something via the GINA
> API?)

There is a network provider dll and an explorer shell login/logout hook.

> Now on Windows 7, I can't seem to get Kfw 3 or 4 to behave the same way
> (still the same old Samba 3 domain). I understand that Kfw 4 can import
> credentials from the Windows 7 LSA, but I don't think that will help me,
> as we are using old NTLM style authentication rather than AD style, and
> thus Windows has no tickets.

Microsoft removed the explorer shell login/logout hook in Vista.

> I've done a lot of searching to see how to get this to work, but have
> come up short. Is it still possible to do this? If so, any whacks with a
> cluebat would be greatly appreciated.

The functionality is gone.

Jeffrey Altman
Re: Integrated Login problem
-1765328164 = Cannot resolve network address for KDC in requested realm

aklog -d will tell you what realm is being queried.

On 11/18/2012 4:22 AM, R. Laatsch wrote:
> Dear all, there is a problem with Integrated Login here. This is my setup:
> Server: 'slinux.localdomain' (SL58) with AFS cell test.rl and krb5kdc for realm TEST2.RL (not the standard name). The AFS version is openafs-1.6.1, the krb5 version is krb5-1.10.3. The KDC has entries for the user and afs/test.rl (DES type).
> Client: Windows 7 (VirtualBox) with AFS, KfW, NIM installed. Realm set to TEST2.RL. The KfW version is MIT 3.2.2.
> Login to the client gives an 'unknown RPC error (-1765328164)' and no AFS token. Running 'gssklog.exe' manually (with password), I do get a token. But there seems to be no 'gssklog Auth Provider' for NIM that could help circumvent the 'wrong realm name' problems. On the Linux server, after kinit user, aklog -d gets me a working token.
> The realm name was chosen to check out problems under Windows. I do *NOT* want CrossRealm Authentication.
> Any help in this matter would be greatly appreciated. Somewhere I found 'linked cells' mentioned (double named cells in CellServDB), but no hints on how to do it correctly. Did someone use this to bypass the above problem?
> Best regards
> Rainer
Re: remctl endpoints
On 8/9/2012 5:52 PM, Russ Allbery wrote:
> We run remctld on literally every system we manage (since we expose commands to run and lock Puppet and to install packages with aptitude or yum). We also expose remctl interfaces for every service that we run, so any central server doing something like mail services or AFS or web services has a corresponding set of remctl interfaces exposed to manage or manipulate parts of that service.
> That's the main reason why I've never pursued anything with SRV records: my mental model is mostly that every system runs remctld and exposes interfaces to manage those services, and load balancing and availability happens via load balancing for the service and connecting to the relevant hostname.

I view remctl as a protocol and not a service. It's the applications that are implemented on top of remctl that are worth searching for. Just as it would make little sense to have an HTTP SRV record.

Jeffrey Altman
Re: new 1.10 krb5_init_context_profile
On 2/16/2012 12:55 AM, Chris Hecker wrote:
> I only do this on Win32, where I statically link krb5, so I don't know if the libprofile version on Linux would have to have other changes to make the prof functions available. I have to include profile.h in kinit.c as well, obviously.

In my opinion, this patch is at the wrong abstraction layer. The profile library should be modified to support a REG: profile type as is done in Heimdal. Applications should not have to be changed.

Jeffrey Altman
Re: MIT extracted keytab not compatible with Heimdal kinit client...
What versions of Heimdal and MIT?

On 10/17/2011 3:03 PM, Dyer, Rodney wrote:
> Hi, We are running a Linux / MIT KDC and have extracted a user keytab. It appears that this keytab format is not compatible with a Heimdal client kinit. Is there a way to convert a MIT keytab format to what is needed for use by Heimdal? Or the question should really be: what is the correct way of dealing with a Heimdal client service script that needs automated authentication when our KDCs are all MIT based?
> Thanks, Rodney
>
> Rodney M. Dyer
> Operations and Systems (Specialist)
> Mosaic Computing Group
> William States Lee College of Engineering
> University of North Carolina at Charlotte
> Email: rmdyer_at_uncc.edu
> Web: http://www.coe.uncc.edu/~rmdyer
> Office: Cameron Hall, Room 232
Re: minor bug in locate_kdc.c with getaddrinfo
This patch should not be required. Windows ws2tcpip.h defines the EAI_ values in terms of WSA errors. For example:

#define EAI_NONAME WSAHOST_NOT_FOUND

Jeffrey Altman

On 10/15/2011 2:13 PM, Chris Hecker wrote:
> Here's a patch for a minor WIN32 bug in the getaddrinfo return value (called from krb5int_add_host_to_list). getaddrinfo will return WSANO_DATA in some cases (like an address in the hosts file that's on an unplugged ethernet cable that was plugged in recently), but that's not mapped to an EAI error for some reason (there's a related comment in ws2tcpip.h that doesn't help much), so the translate function returns EINVAL and the whole request to the KDC fails instead of just using the other working KDCs in the list. This patch fixes it so the unreachable KDC is ignored.
> Thanks, Chris
> PS. I also sent a test message to the security alias for another bug report I'm going to send there, but that was my first pgp mail ever, so I don't know if it worked (or even arrived).
>
> === modified file 'lib/krb5/src/lib/krb5/os/locate_kdc.c' --- lib/krb5/src/lib/krb5/os/locate_kdc.c 2011-07-21 10:42:51 + +++ lib/krb5/src/lib/krb5/os/locate_kdc.c 2011-10-15 07:21:25 + @@ -163,6 +163,10 @@ case EAI_NODATA: #endif case EAI_NONAME: +#if _WIN32 +case WSANO_DATA: /* getaddrinfo can return this on destination unreachable, + but it's not mapped to an EAI_* error */ +#endif /* Name not known or no address data, but no error. Do nothing more. */ return 0;
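Review bot: the new `case WSANO_DATA:` label can collide with the `case EAI_NODATA:` label that the hunk's leading context shows a few lines above it. ws2tcpip.h defines the EAI_ codes in terms of WSA error numbers (the reply above gives `EAI_NONAME` as `WSAHOST_NOT_FOUND`), and on an SDK where `EAI_NODATA` is defined as `WSANO_DATA` (the ws2tcpip.h comment the submitter mentions concerns that mapping) the switch would carry two labels with the same value, which does not compile. Guard the new label the same way the existing `EAI_NODATA` label is guarded, so it is emitted only when its value is not already another case's value, and prefer `#ifdef _WIN32` (or `#if defined(_WIN32)`) over `#if _WIN32` to match the surrounding file. The behaviour itself, treating WSANO_DATA like a name with no address data so that the unreachable KDC is skipped and the remaining KDCs are tried, is the right outcome; the question is only whether the mapping should live in this switch or in the platform headers, as the reply argues.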
Re: (mk|rd)_(priv|safe) and NAT
Is there a reason you are using mk|rd_priv|safe instead of gss?

On 8/3/2011 3:47 AM, Chris Hecker wrote:
> It almost looks like I can just set 1.2.3.4:5 for the address of any host behind a NAT, since at that point the code doesn't actually talk to the internet. Is there a security implication for doing that, given that tickets have already moved away from containing addresses?
> Thanks, Chris
>
> On 2011/08/03 00:11, Chris Hecker wrote:
> > I'm still in the process of getting my app and server up and running with Kerberos, so I can't test this yet, but the code for mk_priv/rd_priv and mk_safe/rd_safe seems to want addresses set on the auth_context, and all the samples show various permutations of this. I'm doing NAT traversal/punchthrough potentially on both sides of the connection, maybe even with a relay server in the middle for really bad cases, so there are a lot of potential addresses in play here. Which addresses do I set in a NAT-heavy environment like this? It looks like the mk versions require a local address set, and the rd versions require the remote address set (presumably to the local address set when the mk is called?). I'm going to be sending safe/priv messages both directions... I'm doing full mutual authentication with subkeys in both directions to avoid the need for a replay cache, if that matters.
> > I found a post[*] that said Kerberos was moving away from addresses since they're not very secure, but the current code seems to require them for these functions at least.
> > Thanks, Chris
> > * http://mailman.mit.edu/pipermail/kerberos/2007-December/012743.html
Re: any non-krb5int way to pass a keyblock to get_init_creds?
On 8/1/2011 4:58 PM, Chris Hecker wrote:
> I was also looking at kx509, but that project seems a bit moribund, and even so it seemed like more work and heavier weight than just setting up mod_auth_kerb and hacking up an SPNEGO token wrapper for a krb5 ticket[*].
> Chris

kx509 support is built into Heimdal and Secure Endpoints provides a kx509 (aka KCA) server for Active Directory and a plug-in for Network Identity Manager on Windows.

Jeffrey Altman
Re: #defines for version available?
On 7/26/2011 8:28 AM, Chris Hecker wrote:
> > Yes, klist -V, added in 1.7. (Which appears to be undocumented. I'll fix that.)
> Hmm, on Windows it just returns "Kerberos for Windows", while on Linux it returns "Kerberos 5 version 1.9.1". This is with my statically linked Windows build, so not sure if that's messing things up (like if it looks for a version resource), I'll have to check that.

The klist.exe distributed in Kerberos for Windows 3.x is not the version from the krb5 tree.
Re: RFC: Turning off reverse hostname resolution by default in 1.10
On 7/6/2011 2:22 PM, Simo Sorce wrote:
> I would resolve all these issues by using aliases at the KDC level, but thank you for explaining, it's valuable data on the way KDC/DNS are used to keep track of.

The primary thing that the Kerberos development team needs to keep in mind every time a change is made is that Kerberos deployments are distributed and federated. In many of the environments there are many realms involved which are managed by different organizations. Upgrading clients and KDCs cannot be performed in lock step and there is no ability to coordinate which comes first, the KDC / KDB update or the client deployments.

Any transition plan to alter canonical name resolution processing must take that into account. It must be possible for a client machine to be updated in one organization or on one individual's machine and have it continue to work when the KDC/KDB for the realm that client communicates with is not updated to support KDC side aliasing.

Just my two cents ...

Jeffrey Altman
Re: RFC: Turning off reverse hostname resolution by default in 1.10
On 7/6/2011 4:29 PM, Simo Sorce wrote:
> Jeffrey, as far as I understand the proposal is to simply change the default. I have seen no request to remove the rdns parameter, so if you need reverse resolution at most you'll have to change rdns = true in krb5.conf on clients. It may be annoying to have to do that in haste if you don't know in advance and merrily upgrade to 1.10; that's why Greg asked on the list before changing the default.

I will let you be the one to tell that to my grandmother when her Kerberos client package is updated without her knowledge.

With the engineering talent available I am sure that a better solution can be developed beyond just changing the default.

Think about this problem with your vendor hat on. How would you explain such a change to Red Hat's customers? How does Red Hat measure the Help Desk support costs from deploying such a change?

Something to think about. Please do not respond further.

Jeffrey Altman
Re: Win32 bug in krb5_rc_io_destroy
This is just one symptom of a more fundamental bug. The replay cache code as implemented is full of race conditions because of the reliance on the C Run time library file operations instead of native Win32 operations. In addition to not permitting files to be opened with the correct share modes, they cannot be opened with the correct access control lists. The RTL operations have the same names as those on Unix but they do not have the same behaviors. unlink() is a perfect example.

Small patches to the replay cache will not create a replay cache that is safe to use on Windows. Instead a new Windows specific implementation is required.

Jeffrey Altman

On 7/1/2011 2:31 AM, checker wrote:
> Hi, the unlink(d->fn) at the top of krb5_rc_io_destroy fails on Win32 because the file was opened without FILE_SHARE_DELETE (since it's opened through _open there's actually no way to set that flag without marking it a temporary file), so I patched it to close the file first. I assume this is a bug? I also assume no one noticed this since most of the code calls krb5_rc_close rather than krb5_rc_destroy? I found it while getting sim_client.c to work with my build. Should I file a bug, or is this enough (the bug list says to post here first)?
> Thanks, Chris
>
> === modified file 'src/lib/krb5/rcache/rc_io.c' --- src/lib/krb5/rcache/rc_io.c 2011-04-09 08:50:00 + +++ src/lib/krb5/rcache/rc_io.c 2011-07-01 06:18:12 + @@ -481,6 +481,13 @@ krb5_error_code krb5_rc_io_destroy(krb5_context context, krb5_rc_iostuff *d) { +#if defined(_WIN32) +// the file isn't opened with FILE_SHARE_DELETE so we need to close it first +if(close(d-fd) == -1) { +return KRB5_RC_IO_UNKNOWN; +} +d-fd = -1; +#endif if (unlink(d-fn) == -1) switch(errno) {
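Review bot: the early `return KRB5_RC_IO_UNKNOWN` when `close(d-fd)` fails (the `->` in `d-fd` and `d-fn` was lost in extraction) skips the unlink and leaves the descriptor field holding a descriptor whose state is unspecified after a failed close, so a failed destroy neither removes the file nor records that the handle is gone. Since the only purpose of the close is to let the unlink succeed, set the field to -1 and fall through to the existing `unlink`/`switch(errno)` path rather than returning a new error, and check that nothing later in the destroy path closes the descriptor again (on non-Windows the descriptor stays open across the unlink, so any such close would now see -1 on Windows only). Use the file's `/* */` comment style instead of `//`. Note also that closing first only narrows the window: another process can open the file between the close and the unlink without FILE_SHARE_DELETE and the unlink fails again, which is the point the reply above makes about needing native Win32 opens with the right share mode rather than CRT calls.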
AFS Kerberos Best Practices Workshop 2011: June 13 to 17 - Sessions will be recorded
http://workshop.openafs.org/afsbpw11/

The AFS and Kerberos Best Practices Workshop Committee is happy to announce that the 2011 AFS and Kerberos Best Practices Tutorials and Workshop sessions will be recorded and made available to attendees for 48 hours. This will permit attendees to revisit important talks and view those that might be missed due to scheduling conflicts.

This year we have two new tutorial instructors with significantly updated course materials. We welcome Kim Kimball as our new AFS instructor and Simon Wilkinson as our new Kerberos instructor. Kim's experience as an AFS trainer dates back to his days with IBM/Transarc and Simon has been enabling application protocols to authenticate with Kerberos and GSS-API for nearly a decade. Both have given numerous informational and entertaining talks at past workshops.

http://workshop.openafs.org/afsbpw11/afstut.html
http://workshop.openafs.org/afsbpw11/kerbtut.html

Each tutorial is priced at US$100.00.

The workshop sessions will include many of our most popular speakers: Russ Allbery, Jeffrey Altman, Matt Benjamin, Derrick Brashear, Andrew Deason, Asanka Herath, Love Hornquist Astrand, Henry Hotz, Tom Keiser, Mike Meffie, Simon Wilkinson, and will be hosted by Kim Kimball and Marshall Vale.

Topics include:
- A History of AFS
- AFS and Kerberos Project Status Reports
- Obtaining AFS Credentials at login on MacOS X
- Web Authentication
- KX509 extensions
- A practical guide to upgrading AFS from rxkad to rxgk security
- Performance Benefits of the AFS Extended Callback model
- Deploying the Demand Attach File Server (DAFS) - [New in OpenAFS 1.6]
- AFS RX Performance
- Analyzing AFS Statistics
- OpenAFS Futures

and our two most popular panels will return:
- Live Troubleshooting - submit real world problems for live analysis
- Stump the Experts - ask anything related to Kerberos or AFS, get an answer

Finally, the workshop would not be complete without the annual site reports in which attendees tell each other how Kerberos and AFS have been successfully deployed within their organizations.

The price for the three days of workshop sessions is US$60.00.

The AFS and Kerberos Best Practices Workshop is appropriate for anyone that is responsible for deploying or curious about real world distributed computing environments.

The 2011 AFS and Kerberos Best Practices Workshop is sponsored by Your File System, Inc. (http://www.your-file-system.com) and Secure Endpoints, Inc. (http://www.secure-endpoints.com).

Registration will be open until the start of each day's events.

Jeffrey Altman for the workshop organizers
AFS Kerberos Best Practices Workshop 2011: June 13 to 17 - Registration Open
The AFS and Kerberos Best Practices Workshop Committee is happy to announce that registration for the 2011 AFS and Kerberos Best Practices Workshop is now open. As previously announced, this year's tutorials and workshop sessions will be held as an electronic conference which we hope will permit a broader range of attendees to participate in a year of reduced travel budgets.

This year we have two new tutorial instructors with significantly updated course materials. We welcome Kim Kimball as our new AFS instructor and Simon Wilkinson as our new Kerberos instructor. Kim's experience as an AFS trainer dates back to his days with IBM/Transarc and Simon has been enabling application protocols to authenticate with Kerberos and GSS-API for nearly a decade. Both have given numerous informational and entertaining talks at past workshops.

http://workshop.openafs.org/afsbpw11/afstut.html
http://workshop.openafs.org/afsbpw11/kerbtut.html

The price for each is US$100.00.

The workshop sessions will include many of our most popular speakers: Russ Allbery, Jeffrey Altman, Matt Benjamin, Derrick Brashear, Andrew Deason, Asanka Herath, Love Hornquist Astrand, Henry Hotz, Tom Keiser, Mike Meffie, Simon Wilkinson, and will be hosted by Kim Kimball and Marshall Vale.

Topics include:
- A History of AFS
- AFS and Kerberos Project Status Reports
- Obtaining AFS Credentials at login on MacOS X
- Web Authentication
- KX509 extensions
- A practical guide to upgrading AFS from rxkad to rxgk security
- Performance Benefits of the AFS Extended Callback model
- Deploying the Demand Attach File Server (DAFS) - [New in OpenAFS 1.6]
- AFS RX Performance
- Analyzing AFS Statistics
- OpenAFS Futures

and our two most popular panels will return:
- Live Troubleshooting - submit real world problems for live analysis
- Stump the Experts - ask anything related to Kerberos or AFS, get an answer

Finally, the workshop would not be complete without the annual site reports in which attendees tell each other how Kerberos and AFS have been successfully deployed within their organizations.

The price for the three days of workshop sessions is US$60.00.

The AFS and Kerberos Best Practices Workshop is appropriate for anyone that is responsible for deploying or curious about real world distributed computing environments.

The 2011 AFS and Kerberos Best Practices Workshop is sponsored by Your File System, Inc. (http://www.your-file-system.com) and Secure Endpoints, Inc. (http://www.secure-endpoints.com).

Please submit site reports and troubleshooting issues to workshop-i...@openafs.org.

Jeffrey Altman on behalf of the Workshop committee
Re: BUG Report : 'krb5.ini' not found on Windows.
Application specific configuration files do not belong in \WINDOWS. The correct place for krb5.ini is \ProgramData\Kerberos\krb5.ini which requires that the environment variable KRB5_CONFIG be set to refer to that file. I do not know whether or not Java will pay attention to the environment variable.

Jeffrey Altman

On 5/17/2011 6:53 AM, Onkesh Bansal wrote:
> Hello,
> Configuration: Windows 2008 R2 (Service Pack 1) workstation.
> I am having this problem on my machine and am not able to figure out what the root cause is. The scenario seems to be with Terminal Services installed on the system and when the authentication has to be done via LDAP over the local network. This BUG has been logged with ORACLE-JAVA at http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already provided a work around.
> My Query is:
> 1. What is the reason behind this bug? I need to know the root cause for this.
> 2. What should be my steps (apart from the workaround provided with the bug resolution) so as to prevent any future re-occurrences? i.e. I need a fix.
> 3. Can it be related to the version changes of Kerberos or is it because of Windows 2008?
> Thanks
> Regards, Onkesh Bansal
> Engineer-1 QA, Quark Media House (P) Ltd.
> oban...@quark.com
Re: Klist issues with Windows 7
On 4/12/2011 12:21 PM, Robert Schröder wrote:
> The console just returns something like this:
> Current LogonId is 0:0x1a38a
> Cached Tickets: (0)
> If I try klist with the tgt value, I'm getting the following failure:
> Error calling API LsaCallAuthenticationPackage (Ticket Granting Ticket substatus): 1312
> klist failed with 0x8009030e/-2146893042: No credentials are available in the security package
> But if I start the cmd-console with administrator privileges, everything works fine.

You cannot access the LSA ticket store under User Account Control (UAC) restricted processes. If you were able to read the TGT, you could bypass the process restrictions without the user being prompted. UAC applies to any account that is not the Local Administrator account that is added to the Administrators Group.

Jeffrey Altman
Re: Trying to use Windows Netidmgr with Keytab
On 3/14/2011 10:12 AM, Murray Trainer wrote:
> Hi, I am using the latest Kerberos for Windows from Secure Endpoints. I created the Windows DOS batch file below that obtains my Kerberos 5 tickets using a keytab file.
>
> set krb_user=murray
> set KRB5CCNAME=FILE:c:\krb5cc_%krb_user%
> set KRB5_KTNAME=\%krb_user%.keytab
> kinit -5 -r 7d -k -t C:\%krb_user%.keytab %krb_us...@mydomain.net
> start /min C:\Program Files\MIT\Kerberos\bin\netidmgr.exe
>
> The kinit line works and if I do a klist I have Kerberos 5 tickets. The last line in the script is intended to start Windows Netidmgr so it automatically renews these tickets using the keytab file. Netidmgr starts and if I maximise it my identity is greyed out and my tickets don't get renewed unless I manually renew them by entering my password. After that my tickets are renewed automatically. Is there any way of making Netidmgr use the keytab file instead of requiring passwords to be entered?
> Any assistance is appreciated
> Thanks, Murray

NetIdMgr doesn't know to look for your FILE: cache since it has no method of enumerating FILE caches. You need to manually add your FILE cache to the search list on the Options->Kerberos v5->Credential Caches page. Once that is done NetIdMgr will be able to recognize and renew the credentials.

Built-in support for keytab based identities is on the list of items we wish to add but I'm not sure when it will be done.

Jeffrey Altman
Re: Kerberos for Windows 3.2.3-alpha and Network Identity Manager 2.0
On 11/12/2010 6:34 PM, pete...@bigfoot.com wrote:
> I have a few questions about the new Kerberos for Windows (KfW) on MIT's website and the new Network Identity Manager (NIM) on Secure Endpoints website.
> - What's different between KfW-3.2.2 and KfW-3.2.3.alpha on MIT's website? Are there any release notes for 3.2.3.alpha?

I can't say exactly what is in 3.2.3-alpha but I believe it is simply a rebuild with 64-bit binaries and a small number of krb5 security updates that were committed to the 1.6 branch at the time.

> - At the end of the KfW-3.2.3.alpha install, there's a question: "Ensure that the Kerberos tickets are available throughout the Windows login session". What does this mean? This sounds like auto renewal.

I'm not sure what changes to the installer may have been made by MIT.

> And how is this setting configured? I couldn't find a difference in what was installed or in the registry depending on if this was enabled or not.
> - Exactly how alpha is 3.2.3? Based on the dates here: http://web.mit.edu/kerberos/dist/kfw/3.2/kfw-3.2.3-alpha1/ it looks like it's been on the website for almost 1.5 years, which seems like quite a while... are there plans to release this at some point?

MIT?

> - Does 3.2.3 include the new NIM 2.0 from Secure Endpoints website?

No. Secure Endpoints has requested that MIT either update to the latest NetIdMgr code base which is available from https://github.com/secure-endpoints/netidmgr or pull it from the KFW installers. The version of NetIdMgr in 3.2.3 alpha from MIT is 1.3.1.

> - Can NIM 2.0 (from Secure Endpoints) be installed over top of KfW 3.2.3.alpha? And if so, is it a wise thing to do?

Yes it can be. The NetIdMgr module in the MIT 3.2.3 installer is the same as 3.2.2 and it will be upgraded to 2.0 by the latest Secure Endpoints NetIdMgr installer.

Secure Endpoints will be releasing in the coming days a Secure Endpoints KFW package called 3.2.3 which is the MIT KFW distribution minus NetIdMgr. There are improvements to the installer package so that on 64-bit systems both the 32-bit and 64-bit libraries are installed in one installer.

Secure Endpoints will also be announcing NetIdMgr 2.1 which is built using the Heimdal Kerberos compatibility SDK: https://github.com/secure-endpoints/heimdal-krbcompat

NetIdMgr 2.1 will work seamlessly with both KFW 3.2.x and Heimdal 1.4.1.

Jeffrey Altman
Re: What are the issues with dns_lookup_realm ?
On 10/4/2010 5:11 PM, Brian Candler wrote:
> On Mon, Oct 04, 2010 at 12:57:17PM -0400, Greg Hudson wrote:
> > On Mon, 2010-10-04 at 07:01 -0400, Brian Candler wrote:
> > > (1) What DNS lookups are made by the workstation and/or the server when a connection takes place?
> > pc.foo.example.com looks up a TXT record for _kerberos.server.bar.example.com.
> OK, that makes sense. The server doesn't care anything about the hostname/IP of the client, as the client has already authenticated into a particular realm. But the client has to work out which realm the server belongs to, and to trade tickets as necessary to prove its identity to the server in another realm.
> Which brings me to an aside: does this mean that all communication is initiated by the client to each KDC, except for the final server to its KDC? There's no KDC to KDC traffic?

There is no server to KDC traffic. It is all client to KDC.

> I'm particularly interested whether I can make the following scenario work with a NAT/PAT firewall:
>
>                       NAT
>                     +-----+
>     client          |     |          server
>                     |     |
>     KDC for         |     |          KDC for
>     FOO.EXAMPLE.COM |     |          BAR.EXAMPLE.COM
>                     +-----+
>
> If the communication goes
>   client -> KDC FOO
>   client -> KDC BAR
>   server -> KDC BAR
> then I think it should work. I'll need a more complex testbed to try it out though :-)

client -> server:
  client -> KDC FOO
  client -> KDC BAR
  client -> server
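The host-to-realm mapping Greg describes (a TXT lookup for _kerberos.server.bar.example.com) is the DNS fallback that dns_lookup_realm enables; a client consults its static [domain_realm] table first. The example below is added here and is not code from the thread or from MIT krb5; the lookup order follows krb5.conf semantics as I understand them, and the TXT zone data is a constructed in-memory table, not a real resolver.

```python
"""Map a server host name to a Kerberos realm: static [domain_realm] table
first, then (only if enabled) DNS TXT records named _kerberos.<host> walking
up the parent domains.  Added example; the DNS data below is constructed."""
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]

# Constructed stand-in for DNS answers: TXT owner name -> TXT strings.
FAKE_TXT: Dict[str, List[str]] = {
    "_kerberos.bar.example.com": ["BAR.EXAMPLE.COM"],
    "_kerberos.example.com": ["EXAMPLE.COM"],
}


def fake_resolver(name: str) -> List[str]:
    """Offline TXT resolver over the constructed table (no network I/O)."""
    return FAKE_TXT.get(name.lower().rstrip("."), [])


def domain_realm_candidates(hostname: str) -> List[str]:
    """[domain_realm] keys to try, most specific first: the exact host name,
    then each enclosing domain written with a leading dot (krb5.conf style)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    cands = [host]
    for i in range(1, len(labels)):
        cands.append("." + ".".join(labels[i:]))
    return cands


def txt_candidates(hostname: str) -> List[str]:
    """TXT owner names to query, most specific first: _kerberos.<host>, then
    _kerberos.<parent> for every parent up to the top-level label.
    Assumption: the walk stops at the top-level label, never the root."""
    labels = hostname.lower().rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def realm_for_host(
    hostname: str,
    domain_realm: Dict[str, str],
    resolver: Optional[Resolver] = None,
    dns_lookup_realm: bool = False,
) -> Tuple[Optional[str], Optional[str]]:
    """Return (realm, source).  source records which rule produced the answer
    so an operator can see when an unauthenticated DNS answer was trusted.
    Returns (None, None) when nothing matched; a real client would then fall
    back to default_realm or KDC referrals (not modelled here)."""
    # 1. Static configuration wins.  Entries with a leading dot cover a whole
    #    domain; an entry without one matches exactly that host.
    for key in domain_realm_candidates(hostname):
        if key in domain_realm:
            return domain_realm[key], "domain_realm:" + key
    # 2. DNS TXT walk.  Plain DNS is unauthenticated, which is why this step
    #    is off by default: whoever answers the TXT query picks the realm, and
    #    a static table above pins it for the hosts you care about.
    if dns_lookup_realm and resolver is not None:
        for name in txt_candidates(hostname):
            answers = resolver(name)
            if answers:
                return answers[0].strip(), "dns:" + name
    return None, None


if __name__ == "__main__":
    # Brian's scenario: a client in FOO.EXAMPLE.COM talking to a server in
    # BAR.EXAMPLE.COM, with DNS lookups enabled and no static table.
    print(realm_for_host("server.bar.example.com", {}, fake_resolver, True))
    # The same host pinned by configuration: DNS is never consulted.
    print(realm_for_host("server.bar.example.com",
                         {".bar.example.com": "BAR.EXAMPLE.COM"}))
```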
Re: MIT Kerberos for Windows
On 10/1/2010 4:44 AM, Jean-Yves Avenard wrote:
> On 30 September 2010 23:19, Jeffrey Altman jalt...@secure-endpoints.com wrote:
> > Jean-Yves:
> > I would recommend that you take a look at http://github.com/secure-endpoints/heimdal-krbcompat
> > This SDK provides implementation independence for applications with both Heimdal and MIT Kerberos.
> > If you don't want to go this route what you need to do is to use delay loading of the GSSAPI*.DLL and avoid calling any gss functions if the library is not present.
> > Jeffrey Altman
> I had a closer look at this. Is the source code of the library publicly available?
> Thanks
> JY

The above SDK is built from the Heimdal source tree. There is no benefit to building that source tree over the MIT KFW source tree if all you are attempting to obtain is a gssapi.lib to link against. The approach you got working last night is sufficient for your needs.

Jeffrey Altman
Re: MIT Kerberos for Windows
Jean-Yves:

I would recommend that you take a look at http://github.com/secure-endpoints/heimdal-krbcompat

This SDK provides implementation independence for applications with both Heimdal and MIT Kerberos.

If you don't want to go this route what you need to do is to use delay loading of the GSSAPI*.DLL and avoid calling any gss functions if the library is not present.

Jeffrey Altman

On 9/30/2010 5:24 AM, Jean-Yves Avenard wrote:
> Hi
> Still related to Kerberos for Windows, but from a development perspective..
> I am working on adding GSSAPI support to TortoiseSVN; this is done by compiling sasl and neon with GSSAPI support. This was itself rather simple using the Kerberos for Windows SDK; however for various reasons, I couldn't use the SDK and had to compile the Kerberos libraries from source.
> The problem at hand is that when GSSAPI support for SASL is compiled, the resulting saslGSSAPI.dll has some dependencies on the MIT Kerberos libraries. Output of ldd is:
>
> gssapi32.dll => /cygdrive/c/Program Files (x86)/MIT/Kerberos/bin/gssapi32.dll (0x1c00)
> krb5_32.dll => /cygdrive/c/Program Files (x86)/MIT/Kerberos/bin/krb5_32.dll (0x32)
> comerr32.dll => /cygdrive/c/Program Files (x86)/MIT/Kerberos/bin/comerr32.dll (0x3c)
> k5sprt32.dll => /cygdrive/c/Program Files (x86)/MIT/Kerberos/bin/k5sprt32.dll (0x3d)
>
> Obviously, I do not want TortoiseSVN to require people to install Kerberos for Windows; it has to work as a standalone piece of software. If those DLLs can't be found, TSVN would silently fail. If they are indeed installed, the Network Identity Manager pops up as required, which is great.
> So I also compiled those DLLs and included them in TSVN; this however had some unfortunate consequences... TSVN is using its own version of the Kerberos DLLs listed above, which seem to not use the krb5.ini configured by KfW; it relies on the krb5.ini found in c:\Windows. When a ticket is required, the Network Identity Manager never shows up; instead it directly fails.
> If I obtain a ticket with NIM, then TSVN will connect fine.
> So the obvious question is: Assuming TSVN ships with its own compiled version of the Kerberos DLLs listed above, how can I make it call NIM when required, so it perfectly integrates with any installed version of Kerberos for Windows? This is something Firefox or Thunderbird do fine... Not sure how they did it.
> Thank you for your help
> Jean-Yves
Re: MIT Kerberos for Windows
On 9/30/2010 7:34 PM, Jean-Yves Avenard wrote:
> Hi
> On 30 September 2010 23:19, Jeffrey Altman jalt...@secure-endpoints.com wrote:
> > Jean-Yves:
> > I would recommend that you take a look at http://github.com/secure-endpoints/heimdal-krbcompat
> > This SDK provides implementation independence for applications with both Heimdal and MIT Kerberos.
> > If you don't want to go this route what you need to do is to use delay loading of the GSSAPI*.DLL and avoid calling any gss functions if the library is not present.
> > Jeffrey Altman
> Thank you for this information. I actually found that the source of the problem was related to a missing argument when compiling. I was compiling without KRB5_KFW_COMPILE=1, which ends up compiling with -DWITH_LEASH. Since compiling with that, everything works as expected, e.g. when TortoiseSVN needs it, the Network Identity Manager pops up..
> I will look at this SDK, because compiling the whole KRB5 takes forever, and ends up taking a rather significant size (over 2MB). I don't have much leeway on how to call GSSAPI; it's all done by neon and sasl, and I don't want to have to modify those.
> JY

You should not have to build KFW from scratch to build applications. The KFW SDK is included in the KFW installers. You want to build against that, not the source tree.

Jeffrey Altman
Re: MIT Kerberos for Windows
On 9/30/2010 7:45 PM, Jean-Yves Avenard wrote:
> Hi
>
> On 1 October 2010 09:39, Jeffrey Altman <jalt...@secure-endpoints.com> wrote:
>> You should not have to build KFW from scratch to build applications.
>> The KFW SDK is included in the KFW installers. You want to build
>> against that, not the source tree.
>
> I agree. However, the author of TortoiseSVN wants to only build against
> source code and not pre-compiled libraries.
>
> So unfortunately, I had no choice on the matter.

MIT Kerberos / GSS libraries are DLLs that are shipped independently. It
is not appropriate for individual software packages to distribute their
own builds of the libraries. Nor should a software application be tied to
a specific release of the libraries. TortoiseSVN should recognize when
Kerberos/GSS is available and use it when it is and ignore it when it
isn't. As a result I see no reason why TortoiseSVN should be built against
MIT Kerberos source.

As a user of TortoiseSVN I would be more than happy to speak with the
author on this matter if he contacts me.

Jeffrey Altman
Re: MIT Kerberos for Windows
On 9/22/2010 11:53 PM, Jean-Yves Avenard wrote:
> Hi there.
>
> Is it possible to automatically disable KRB4 when installing Kerberos
> for Windows?

Read the release notes and apply a transform to the MSI installer for your
organization that disables krb4 in the installer. Secure Endpoints can
provide you with such a transform under a support request.

Jeffrey Altman
Re: UDP and fragmentation
Many VPNs are built into routers that support stateful packet inspection
as part of the firewall. If the VPN is IPSec based, the MTU on the VPN
connection is typically 152 octets smaller than the MTU on the networks it
connects. As a result any packet that is larger than this smaller MTU size
must be fragmented. Unfortunately, many of the routers are configured to
drop fragmented UDP packets because reconstructing the packets to pass them
through the stateful packet inspection algorithms in one piece requires
memory and CPU resources which, when used for this purpose, would hinder
overall throughput statistics.

To answer your question, the KDC does not see the fragmentation. It often
doesn't see the packets at all or only sees the first fragment of the
message, which is insufficient to generate a response.

Jeffrey Altman

On 8/2/2010 1:42 AM, Victor Sudakov wrote:
> Colleagues,
>
> Quoting from http://support.microsoft.com/kb/244474/
>
>> By default, Kerberos uses connectionless UDP datagram packets. Depending
>> on a variety of factors including security identifier (SID) history and
>> group membership, some accounts will have larger Kerberos authentication
>> packet sizes. Depending on the virtual private network (VPN) hardware
>> configuration, these larger packets have to be fragmented when going
>> through a VPN. The problem is caused by fragmentation of these large UDP
>> Kerberos packets. Because UDP is a connectionless protocol, fragmented
>> UDP packets will be dropped if they arrive at the destination out of
>> order.
>
> Quoting from
> http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
>
>> A common problem is that routers will arbitrarily fragment UDP packets;
>> when this happens the Kerberos ticket request packets are discarded by
>> the KDC.
>
> Please tell me, how on earth does the KDC know that the packet has been
> fragmented?
>
> Packets are fragmented and reassembled on the network level (IP level);
> the fragmentation process should be opaque to UDP and the application,
> shouldn't it?
>
> I assume the KDC should just receive data from the socket, no matter if
> the datagram was bigger than the MTU. Is that correct?
>
> TIA.
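Jeffrey's explanation above, as an added example that is not part of the thread: a small Python model of IPv4 fragmentation of a Kerberos UDP message across an IPsec tunnel with the 152-octet overhead he quotes, a stateful firewall that forwards only the first fragment, and the KDC-side reassembly that therefore never completes. The 1400-octet request size, the 1500-octet link MTU and the IP identification value are constructed values, not taken from the thread.

```python
"""Constructed model (not from the thread) of a Kerberos UDP message crossing
an IPsec tunnel behind a stateful firewall that will not reassemble fragments.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV4_HEADER = 20          # octets, no IP options
UDP_HEADER = 8            # octets
IPSEC_OVERHEAD = 152      # per-tunnel MTU reduction quoted in the thread


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment of a UDP datagram."""
    ident: int            # IP Identification field, shared by all fragments
    offset: int           # Fragment Offset, in 8-octet units
    more_fragments: bool  # MF flag: False only on the last fragment
    data: bytes           # slice of the original UDP datagram


def tunnel_mtu(link_mtu: int, overhead: int = IPSEC_OVERHEAD) -> int:
    """MTU available inside the VPN tunnel."""
    return link_mtu - overhead


def max_unfragmented_payload(mtu: int) -> int:
    """Largest UDP payload that fits in a single IPv4 packet of this MTU."""
    return mtu - IPV4_HEADER - UDP_HEADER


def fragment(ident: int, udp_payload: bytes, mtu: int) -> List[Fragment]:
    """Split one UDP datagram (header + payload) into IPv4 fragments.

    Only the offset-0 fragment carries the UDP header, so it is the only
    one a port-aware firewall can match against its rules.
    """
    datagram = bytes(UDP_HEADER) + udp_payload       # placeholder UDP header
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8      # fragment data is a multiple of 8
    if per_fragment <= 0:
        raise ValueError("MTU too small for an IPv4 fragment")
    frags = []
    for start in range(0, len(datagram), per_fragment):
        chunk = datagram[start:start + per_fragment]
        frags.append(Fragment(ident, start // 8,
                              start + len(chunk) < len(datagram), chunk))
    return frags


def firewall_forward(frags: List[Fragment]) -> List[Fragment]:
    """Middlebox that refuses to spend memory/CPU on reassembly and forwards
    only the first fragment of each datagram (the one with the UDP header)."""
    return [f for f in frags if f.offset == 0]


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Receiver-side IPv4 reassembly.

    Returns the UDP payload once every fragment is present, or None if any
    fragment is missing: in that case the datagram never reaches the KDC's
    socket, so the KDC sees neither the request nor the fragmentation.
    """
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)   # arrival order is irrelevant
    buf = bytearray()
    expected = 0
    for f in ordered:
        if f.offset * 8 != expected:
            return None                                # gap: a middle fragment was lost
        buf += f.data
        expected += len(f.data)
    if ordered[-1].more_fragments:
        return None                                    # tail fragment(s) never arrived
    return bytes(buf[UDP_HEADER:])


def deliver(udp_payload: bytes, link_mtu: int = 1500, ipsec: bool = True,
            firewall_drops_fragments: bool = True) -> Tuple[int, Optional[bytes]]:
    """Send one Kerberos request; report (fragment count, payload seen by the KDC)."""
    mtu = tunnel_mtu(link_mtu) if ipsec else link_mtu
    frags = fragment(0x1234, udp_payload, mtu)        # constructed IP Identification
    on_wire = firewall_forward(frags) if firewall_drops_fragments else frags
    return len(frags), reassemble(on_wire)


if __name__ == "__main__":
    # Constructed 1400-octet AS-REQ, e.g. a user with a large PAC.
    request = bytes(1400)
    scenarios = [("plain LAN, MTU 1500", dict(ipsec=False)),
                 ("IPsec tunnel, reassembling firewall",
                  dict(firewall_drops_fragments=False)),
                 ("IPsec tunnel, fragment-dropping firewall", {})]
    for label, kwargs in scenarios:
        n, seen = deliver(request, **kwargs)
        status = "KDC receives request" if seen else "KDC receives nothing usable"
        print(f"{label}: {n} fragment(s), {status}")
```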
Re: SpywareTerminator is flagging MIT kerberos as Malware
File a report with your spyware vendor. MIT Kerberos for Windows is not
spyware.

Jeffrey Altman

On 7/14/2010 8:46 AM, Jason Edgecombe wrote:
> Has anyone else seen this?
>
> Thanks,
> Jason
>
> From: Andrew Stein [mailto:andrew1st...@gmail.com]
> Sent: Wednesday, July 14, 2010 12:07 AM
> To: Stein, Jack; Edgecombe, Jason
> Subject: MIT Kerberos -- spyware? No way
>
> http://www.spywareterminator.com/item/5472/details.html
>
> I scanned my computer for spyware and it is saying that the MIT Kerberos
> install I have on my machine (from the UNCC website) is the
> CrystalysMedia spyware. It has to be a false positive, but look at the
> description for this spyware --
>
> Adware: Software that is displaying pop-up/pop-under windows containing
> advertisements when the primary user interface is not visible or
> displayed advertisements are not related to the product.
Re: bug?: erroneous start time for max renewable life check
On 5/17/2010 7:37 PM, Richard Johnson wrote:
> The misbehavior:
>
> When a TGT with the Renewable flag set is used to obtain an ftp or host
> ticket on an MIT Kerberos client, that ftp or host service ticket also
> has the Renewable flag set.
>
> I call this misbehavior as it seems nonsensical. If an ftp or host
> service ticket is expired, a new one will be obtained; there's no need
> to make them renewable.

It would only be nonsensical under the assumption that the obtained
service ticket would never be used without possession of the TGT. A
renewable service ticket permits that ticket to be handed off to a process
which is meant to do a specific task (local or remote) without the dangers
inherent in delegating a TGT.

Jeffrey Altman
Re: krb5_cc_default_name() crash with Kerberos For Windows
On 5/29/2010 12:15 PM, Thomas Calderon wrote:
> Hi,
>
> I would like to report a strange behavior from Kerberos For Windows.
>
> I am having a hard time reproducing the bug because I think it is caused
> by the renewing process when the TGT expires. For instance, if a
> kerberized web-page stays open for a long time without using the
> computer, a pop-up would be displayed showing "krb5_cc_default_name()
> failed".
>
> After searching on the bug tracker I found that it might be linked to a
> previously reported bug
> (http://krbdev.mit.edu/rt/Ticket/Display.html?user=guestpass=guestid=5980).
> However, I guess that the current KfW (3.2.2) does not include the bug
> fix.
>
> Would it be possible to release a version of KfW with a recent Kerberos
> core?
>
> Regards,
> Thomas Calderon

Secure Endpoints provides its support clients versions of KFW that include
this fix along with all of the security advisories and several other
improvements for compatibility with Vista, 2008 and Windows 7. We are not
permitted to distribute these binaries to the general public as MIT is
supposed to be the sole source for their binary releases. Feel free to
contact me for additional information.

Jeffrey Altman
Last day of pre-registration for the 2010 AFS and Kerberos Best Practices Workshop
As a reminder, Monday May 17th is the last day to pre-register for the
2010 AFS and Kerberos Best Practices Workshop which is being held at the
University of Illinois in Urbana-Champaign, Illinois, USA the week of May
24 to 28.

The workshop consists of a full day tutorial on using and administering
AFS on Monday; a full day tutorial on Kerberos and related tools on
Tuesday; and two and a half days of talks, panels and status reports on
AFS and Kerberos. A social event will be held on Thursday May 27th.

On-site registration will be available at an increased cost.

Jeffrey Altman
for the AFS Kerberos Best Practices Workshop Organizers

http://workshop.openafs.org/
Re: Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials - SOLVED
On 3/22/2010 5:52 PM, Michael B Allen wrote:
> On Mon, Mar 22, 2010 at 12:01 PM, Lars Schimmer <l.schim...@cgv.tugraz.at> wrote:
>> Hi!
>>
>> Just want to note here, that problem was solved with a (not yet public)
>> patch from Microsoft.
>> http://support.microsoft.com/?kbid=978055
>> Go and ask your Microsoft Support for it.
>> Looks like it only happens on x64 servers.
>
> Hi Lars,
>
> Actually I would not be surprised if that hot fix is never made public.
> DES is being phased out. If you have any Windows accounts that use DES,
> you should update them to AES-256, AES-128 or RC4 in that order of
> preference.
>
> Mike

I have confirmation from Microsoft that this hot fix will be published.
The failure to publish this hot fix was an oversight.

Jeffrey Altman
Re: Kerberos Direct Service Authentication without Client / KDC Communication?
On 3/15/2010 3:08 PM, Michael B Allen wrote:
> Hi All,
>
> Is there a mode of operation where a Kerberos client can directly
> authenticate with a service without first communicating with a KDC?
>
> Kerberos currently requires that clients are using a suitable DNS
> server, have access to whatever KDCs DNS is referring it to and have
> relatively accurate time. In many environments these requirements are
> too demanding.
>
> There should be a mode of operation where a client can compose a
> kerberos request without communicating with the KDC, DNS or time
> services and which can be submitted directly to a Kerberos service. This
> request would contain information about the client principal and target
> principal and would be encrypted using the client principal secret key
> known only to the client and the KDC.
>
> The Kerberos service accepting this ticket could compose a request
> containing the client's request and pass this to a KDC as a sort of
> AS-REQ. In return the service would receive either an error (such as
> indicating that the client request could not be successfully decrypted)
> or a service ticket with the usual fields like authorization-data and
> possibly a TGT that would be equivalent to a TGT that a client might
> normally submit through delegation. The service would then pass the
> service ticket down to the client to indicate that authentication was
> successful.
>
> The objective is to have the Kerberos service act as a proxy to the KDC
> so as to release the client from impractical communication and
> configuration requirements. The client should only need to know the
> shared secret.
>
> If such a thing does not already exist, I think it should.
>
> Mike

A process to do this through GSS-API based service proxies has been
proposed to the IETF Kerberos Working Group.

http://datatracker.ietf.org/doc/draft-ietf-krb-wg-iakerb/

Jeffrey Altman
Re: KfW killing Cisco VPN under Windows 7
On 3/12/2010 10:42 PM, Jeff Blaine wrote:
> This appears to be an OpenAFS problem (?), as I can replicate it without
> Network ID Manager running.

Sure but what does NetIdMgr have to do with it? NetIdMgr is an application
that loads the KFW libraries.

> Start - All Programs - OpenAFS - Client - Authentication

This is afscreds.exe. Another application that loads the KFW libraries. In
fact, it performs the same operations with the KFW libraries as NetIdMgr
because both NetIdMgr and afscreds are Kerberos v5 credential management
tools that obtain a TGT, import credentials from the MSLSA cache, and
attempt to obtain AFS tokens.

> Before I can even type my username and password, the VPN session is
> killed.

Sure. The NetIdMgr log (at the time you say the failure occurs) was
attempting to import credentials from the MSLSA: credential cache.
afscreds.exe prior to displaying a user/cell/password dialog attempts to
import credentials from the MSLSA credential cache.

> I'll take it to openafs-info

There isn't enough evidence from what you have gathered to make any
statement about what the problem is or who is to blame. To be completely
honest, you are having a problem with a Cisco product. I suggest that you
start your investigation by getting help from Cisco to determine why their
VPN is losing the connection. Only then will you be able to begin to
identify what is causing that condition.

Jeffrey Altman
ANNOUNCEMENT: Network Identity Manager Version 2.0 Available as an Update to Kerberos for Windows
URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 (2.0.0.304). Version 2.0 is the end of a three
year effort to improve the usability and capabilities of the product.

Improved usability:

 * Users no longer have to type their username/realm each time they wish
   to obtain credentials for a Kerberos v5 identity. Instead, they select
   previously used identities from a list.
 * A New Identity Wizard walks the user through the configuration of all
   derived credential types when creating a new identity.
 * Progress dialogs inform the user of progress of each stage of the
   credential acquisition process.
 * Users can assign an icon to each identity to assist in distinguishing
   identities from one another.
 * The basic identity view now includes:
     o an animated battery that visualizes the remaining lifetime and
       permits users to quickly recharge the credential.
     o summary information describing the types and numbers of each
       derived credential obtained by the identity.
     o dynamic progress bars when credential renewal takes place in the
       background.
     o a star button to represent the current default identity and permit
       setting an alternate default identity.
 * The notification icon context menu has been improved to reduce the need
   to open the Network Identity Manager window.
 * The user documentation has been significantly rewritten. The PDF manual
   has been retired and the Windows Help documentation is comprehensive.

New functionality:

 * Multiple identity providers can now be active simultaneously.
 * In addition to the Kerberos v5 identity provider, a KeyStore provider is
   included and an X.509 identity provider is under development.
 * The KeyStore provider permits a locally assigned password to be used to
   protect the passwords of multiple Kerberos v5 principals. Unlocking the
   KeyStore results in the acquisition of credentials for each of the
   configured Kerberos v5 identities.

Open Framework:

 * The Network Identity Manager v2 SDK can be used to develop custom
   identity providers, credential providers, and tool providers.

Installers are available to update 32-bit and 64-bit Kerberos for Windows
3.2.x.

Downloads and documentation are available from URL:
http://www.secure-endpoints.com/netidmgr/v2/

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.
ANNOUNCEMENT: Network Identity Manager Version 2.0 Beta 3 available for public testing
URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 Beta 3 (1.99.27.227). Version 2.0 is the end
of a three year effort to improve the usability and capabilities of the
product.

Improved usability:

 * Users no longer have to type their username/realm each time they wish
   to obtain credentials for a Kerberos v5 identity. Instead, they select
   previously used identities from a list.
 * A New Identity Wizard walks the user through the configuration of all
   derived credential types when creating a new identity.
 * Progress dialogs inform the user of progress of each stage of the
   credential acquisition process.
 * Users can assign an icon to each identity to assist in distinguishing
   identities from one another.
 * The basic identity view now includes:
     o an animated battery that visualizes the remaining lifetime and
       permits users to quickly recharge the credential.
     o summary information describing the types and numbers of each
       derived credential obtained by the identity.
     o dynamic progress bars when credential renewal takes place in the
       background.
     o a star button to represent the current default identity and permit
       setting an alternate default identity.
 * The notification icon context menu has been improved to reduce the need
   to open the Network Identity Manager window.
 * The user documentation has been significantly rewritten. The PDF manual
   has been retired and the Windows Help documentation is comprehensive.

New functionality:

 * Multiple identity providers can now be active simultaneously.
 * In addition to the Kerberos v5 identity provider, a KeyStore provider is
   included and an X.509 identity provider is under development.
 * The KeyStore provider permits a locally assigned password to be used to
   protect the passwords of multiple Kerberos v5 principals. Unlocking the
   KeyStore results in the acquisition of credentials for each of the
   configured Kerberos v5 identities.

Open Framework:

 * The Network Identity Manager v2 SDK can be used to develop custom
   identity providers, credential providers, and tool providers.

Changes since 1.99.25.217 (Pre v2.0 Beta 2)

Application:
 - Identity and credential property sheets no longer display empty
   properties.
 - Debug log file includes details about the process token for the Network
   Identity Manager process. This is to help identify recurrent problems
   with restricted tokens on Vista and Windows 7.
 - Redundant change notifications have been suppressed within the Network
   Identity Manager framework.

Kerberos v5:
 - Logged Kerberos v5 errors now include the description as well as the
   code.

User documentation:
 - Broken links have been fixed.
 - Includes explanation of Kerberos v5 proxiable tickets.
 - Explains UI changes in identity icon dialog.
 - Registry documentation layout and content have been revised.

Bug fixes:
 - A race condition where the initial credentials listing can be attempted
   before the identity provider has finished initializing has been fixed.
   Earlier, the credentials listing would fail at first and, if the
   `--autoinit` option is used, Network Identity Manager may display the
   new credentials dialog even when the user has credentials.

Thanks to all of the testers that have downloaded Version 2.0 Beta 2.

This beta period will last one week. Please try out the new release and
provide positive and negative feedback to: netid...@secure-endpoints.com

Downloads and documentation are available from URL:
http://www.secure-endpoints.com/netidmgr/v2/

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.
Re: remctld on windows
On 2/25/2010 9:52 PM, Russ Allbery wrote:
> Jason Edgecombe <ja...@rampaginggeek.com> writes:
>> Dang. Thanks.
>
> The drawback to the Java server implementation is that it doesn't
> actually run anything, just provides a Java class that handles the
> protocol and lets you get the command to do with what you want. But with
> that said, if you have any Java developers on staff, you may want to try
> that approach and see if that gives you what you want. I expect to have
> some resources allocated to do additional work on the Java code (both
> client and server) within the next six months if there's anything anyone
> would particularly like to see.

The important question is what commands do you want to execute on Windows
using remctld?

I want to add a remctl interface to Network Identity Manager for the client
side and create a native remctld that adds commands via a dll based plugin
interface for the server side.

Jeffrey Altman
ANNOUNCEMENT: KCA Provider 2.4 for Network Identity Manager (aka kx509)
Secure Endpoints Inc. is proud to announce the availability of the
Kerberized Certificate Authority Provider (aka kx509) version 2.4 for
Network Identity Manager.

The KCA provider enables Network Identity Manager to obtain one or more
X.509 certificates for each configured identity from Kerberos realms that
have deployed a Kerberized Certificate Authority service. The obtained
certificates are stored in the Windows logon session's my certificate
store. The KCA provider distribution includes a PKCS#11 module that will
enable applications such as Firefox and Thunderbird to access the KCA
issued certificates.

Version 2.4 improves upon prior releases in the following ways:

 * Support for KCA servers that do not include the KCA_REALM extension OID
   in the published certificates. Instead, the provider maintains a
   database of IssuerDN to Realm mappings for use in tracking the KCA
   issued certificates.

All users of prior KCA provider releases are encouraged to upgrade.

The latest KCA provider can be downloaded from
https://www.secure-endpoints.com/#kcacred

Documentation can be reviewed at
https://www.secure-endpoints.com/kcacred/index.html

All software distributions from Secure Endpoints Inc. are digitally signed
using a Verisign Authenticode certificate.

Jeffrey Altman
Secure Endpoints Inc.
ANNOUNCEMENT: Network Identity Manager Version 2.0 Beta 2 available for public testing
URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 Beta 2. Version 2.0 is the end of a three year
effort to improve the usability and capabilities of the product.

Improved usability:

 * Users no longer have to type their username/realm each time they wish
   to obtain credentials for a Kerberos v5 identity. Instead, they select
   previously used identities from a list.
 * A New Identity Wizard walks the user through the configuration of all
   derived credential types when creating a new identity.
 * Progress dialogs inform the user of progress of each stage of the
   credential acquisition process.
 * Users can assign an icon to each identity to assist in distinguishing
   identities from one another.
 * The basic identity view now includes:
     o an animated battery that visualizes the remaining lifetime and
       permits users to quickly recharge the credential.
     o summary information describing the types and numbers of each
       derived credential obtained by the identity.
     o dynamic progress bars when credential renewal takes place in the
       background.
     o a star button to represent the current default identity and permit
       setting an alternate default identity.
 * The notification icon context menu has been improved to reduce the need
   to open the Network Identity Manager window.
 * The user documentation has been significantly rewritten. The PDF manual
   has been retired and the Windows Help documentation is comprehensive.

New functionality:

 * Multiple identity providers can now be active simultaneously.
 * In addition to the Kerberos v5 identity provider, a KeyStore provider is
   included and an X.509 identity provider is under development.
 * The KeyStore provider permits a locally assigned password to be used to
   protect the passwords of multiple Kerberos v5 principals. Unlocking the
   KeyStore results in the acquisition of credentials for each of the
   configured Kerberos v5 identities.

Open Framework:

 * The Network Identity Manager v2 SDK can be used to develop custom
   identity providers, credential providers, and tool providers.

Changes since 1.99.24.128 (Pre v2.0 Beta 1)

Application:
 - Support for non-expiring identities.
 - Identity icon selection dialog now makes HTTP requests asynchronously.
   The UI reports any errors that may occur during an HTTP fetch and
   provides a 'Stop' button to abort lengthy operations.

KeyStore:
 - Master key lifetime can now be configured. It can also be set to never
   expire.

Kerberos v5:
 - Added UI controls for setting the 'Proxiable' flag for a new TGT. The
   setting can be controlled as a global default and as a per-identity
   setting.

Bug fixes:
 - Handling of custom menus was fixed to avoid a situation where the wrong
   submenu may be displayed for an action.
 - Fixed several memory leaks.
 - The generated description for the default keystore had an unexpanded
   insertion sequence.
 - Saved originals of an identity icon image may have a different
   resolution than the source image and may not match the saved crop
   rectangle.

Thanks to all of the testers from 17 countries that have downloaded Version
2.0 Beta 1.

This beta period will last two weeks. Please try out the new release and
provide feedback to netid...@secure-endpoints.com.

Downloads and documentation are available from URL:
http://www.secure-endpoints.com/netidmgr/v2/.

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.
ANNOUNCEMENT: Network Identity Manager Version 2.0 Beta available for public testing
URL: http://www.secure-endpoints.com/netidmgr/v2/

Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 Beta. Version 2.0 is the end of a three year
effort to improve the usability and capabilities of the product.

Improved usability:

 * Users no longer have to type their username/realm each time they wish
   to obtain credentials for a Kerberos v5 identity. Instead, they select
   previously used identities from a list.
 * A New Identity Wizard walks the user through the configuration of all
   derived credential types when creating a new identity.
 * Progress dialogs inform the user of progress of each stage of the
   credential acquisition process.
 * Users can assign an icon to each identity to assist in distinguishing
   identities from one another.
 * The basic identity view now includes:
     o an animated battery that visualizes the remaining lifetime and
       permits users to quickly recharge the credential.
     o summary information describing the types and numbers of each
       derived credential obtained by the identity.
     o dynamic progress bars when credential renewal takes place in the
       background.
     o a star button to represent the current default identity and permit
       setting an alternate default identity.
 * The notification icon context menu has been improved to reduce the need
   to open the Network Identity Manager window.
 * The user documentation has been significantly rewritten. The PDF manual
   has been retired and the Windows Help documentation is comprehensive.

New functionality:

 * Multiple identity providers can now be active simultaneously.
 * In addition to the Kerberos v5 identity provider, a KeyStore provider is
   included and an X.509 identity provider is under development.
 * The KeyStore provider permits a locally assigned password to be used to
   protect the passwords of multiple Kerberos v5 principals. Unlocking the
   KeyStore results in the acquisition of credentials for each of the
   configured Kerberos v5 identities.

Open Framework:

 * The Network Identity Manager v2 SDK can be used to develop custom
   identity providers, credential providers, and tool providers.

Version 2.0 pre-releases have been in use at many organizations. The beta
period is expected to last no more than two weeks. Please try out the new
release and provide feedback to netid...@secure-endpoints.com.

Downloads and documentation are available from URL:
http://www.secure-endpoints.com/netidmgr/v2/.

Jeffrey Altman and Asanka Herath
Secure Endpoints Inc.
Re: Upcoming KfW 3.x ??
On 1/7/2010 11:48 AM, Jeff Blaine wrote:
> Jeffrey,
>
> I ended up solving my issues by forcibly finding and removing all traces
> of anything related to KfW after uninstall with no config saving -- and
> reinstalling.
>
> [ I consider it a bug that 'uninstall' does not clean up the ]
> [ registry when I've said not to keep my configuration info. ]

File a bug with MIT.

> I don't know what the problem was. Oh well.

Depending on which keys you are talking about, the per user configuration
data is never removed by an uninstaller since the uninstaller doesn't have
access to the per user data. Not all users may be logged into the machine.

> I'd love to be a tester, but unfortunately I need to run the version our
> users have in order to troubleshoot things.

Without being a tester, you won't be able to ensure that the next release
works the way you want it to in your environment. Unless you are providing
funding or some in-kind assistance in the development, why should I spend
my time answering your e-mails when you have trouble?

> Aside, is there a reason for the 2-step credential obtaining process
> where the account is 'checked' then one is given a password text entry
> field? It's clunky to interact with.

In NIM v1.x the account's existence is verified before prompting for a
password in order to protect against users that typo the username or realm
and create an identity in the database that in fact does not exist.

In NIM v2, identities are created by a wizard that walks the user through
the configuration of all applicable credential providers. After the
identity is created the user simply selects one of the pre-configured ones
instead of manually typing the username and realm each time. This change
is both to improve usability and to permit NIM v2 to be used with X.509
and Keystore identities in addition to Kerberos v5.

> Another aside, what release will have krb4 cred obtaining disabled by
> default?

Any release you want.

As I have said before, you can use a transform to configure the MSI
installer to disable Kerberos v4. You can do this today.

>> What I would do is use Network Monitor v3.2 from Microsoft Connect to
>> examine the network traffic and see what requests are failing to
>> receive responses.
>
> FWIW 3.3 is out
>
> Looks like a nice tool. I may put Ethereal in the attic.

They each have their own strengths and weaknesses. Ethereal can be used to
decrypt encrypted traffic and has AFS support. NetMon does a much better
job of analyzing and displaying conversations.
Re: Upcoming KfW 3.x ??
On 1/7/2010 2:38 PM, Jeff Blaine wrote:
>>> I'd love to be a tester, but unfortunately I need to run the version
>>> our users have in order to troubleshoot things.
>>
>> Without being a tester, you won't be able to ensure that the next
>> release works the way you want it to in your environment. Unless you
>> are providing funding or some in-kind assistance in the development,
>> why should I spend my time answering your e-mails when you have
>> trouble?
>
> I guess you shouldn't (?)
>
> Perhaps you could explain Secure Endpoints' role in KFW development?
> Last I heard from a link on your website, MIT was hiring a full-time
> developer for KFW. Did that not happen?

Secure Endpoints does not have a role with regards to MIT's distribution at
the present time. We support a private distribution of KFW for our support
customers that has provided 64-bit and Vista/2008 (and now Win7/2008-R2)
support for some time. Patches that we have implemented have been given to
MIT. However, we are not involved in their release process. MIT KFW 3.2.3
Alpha (which I can no longer find on the MIT web site) roughly equates to
the distribution Secure Endpoints has been shipping to its clients.

> If I install NIMv2 and report in detail on what I find in our
> environment, does that give me credits to use?

It would be a start. Thank you for the beer money as well.

>>> Another aside, what release will have krb4 cred obtaining disabled by
>>> default?
>>
>> Any release you want.
>>
>> As I have said before, you can use a transform to configure the MSI
>> installer to disable Kerberos v4. You can do this today
>
> I am asking when the decision might be made to turn it off by default in
> the master distribution, of course. I already saw and read your previous
> response.

64-bit distributions of MIT KFW do not include Kerberos v4 at all. At this
point if I were to issue a significant update (for example a bundle of
Network Identity Manager v2 and Kerberos v5 1.8) I would leave it out on
32-bit platforms as well. Kerberos v4 support should continue to be
available as a separate distribution for those sites that require it.
However, to my knowledge neither MIT Kerberos 1.7 nor the 1.8 which was
announced today builds on Windows.

The annual cost of developing MIT Kerberos for Windows and Network Identity
Manager is roughly $175,000. The vast majority of the work that Secure
Endpoints has done on NIM over the last two years has been unfunded. I
suspect the reason that the MIT Kerberos Consortium has not focused
significant energy on the Windows platform is because their commercial
board members (Microsoft, Red Hat, and Sun Microsystems) are not interested
in financing the development of the MIT APIs on the Windows platform.
Microsoft has a strong interest in seeing applications use the Win32 API
(SSPI) and the Unix/Linux vendors might interpret funding Windows
development as counter to their interests.

I happen to believe that ensuring the viability of the GSS and MIT Kerberos
APIs on the Windows platform is absolutely in the best interest of the
Unix/Linux vendors because it ensures that application developers will take
the cross platform approach instead of locking themselves onto the Windows
platform by using the SSPI exclusively. Failure to provide support for new
functionality on the Windows platform makes it much more difficult to adopt
that functionality on Unix/Linux. Security solution availability needs to
be ubiquitous. Otherwise, the solutions cannot be deployed.

Jeffrey Altman
Re: KfW 64bit plus 32bit apps
On 1/7/2010 3:17 PM, Nikolay Shopik wrote:
> Hello, Does 64bit version of KfW work with 32bit version app? Because for me looks like 64bit version doesn't work with 32bit apps.

KFW 64-bit is for 64-bit applications. For 32-bit (WOW64) applications you install the 32-bit KFW on the 64-bit Windows machine. Both the 32-bit and 64-bit KFW libraries will share a single credentials cache server.

Jeffrey Altman
Re: KfW installation question (krb.con, etc...)
On 1/6/2010 3:25 PM, Jeff Blaine wrote:
> If one specifies a URL for KfW configuration at install-time, but does not care about or want to support krb4 and does not offer krb.con or krbrealm.con files, a 'critical error' dialog is raised to users.
>
> Download failed: HTTP/1.1 404 Not Found
>
> Is there a way to avoid this? We'd like to provide instructions for our users that does not include, Ignore the following failure error. It is caused by blah blah blah... Because, in all reality, the file they care about (krb5.ini) *was* most likely found just fine and the error dialog does not give any indication of what was not found.

The NSIS installers do not have an ability for customization. They do what they do. Organizations that are distributing KFW are recommended to use the MSI installers and customize them with the necessary configuration files or addition/removal of components via the use of MSI transforms.

If you want to use the NSIS installer with the URL, create empty files for distribution to your users.

Jeffrey Altman
Re: Upcoming KfW 3.x ??
On 1/6/2010 2:32 PM, Jeff Blaine wrote:
> I seem to have all sorts of weird problems with KfW. For instance, I just clicked 'Cancel' in the 'Obtain new credentials' dialog for a certain realm and the dialog greyed out, won't go away, and won't close via [X]. Other times I get DNS failures from NIM when nslookup in a cmd.exe window resolves the KDCs fine. Overall, I have zero problems with other network apps on this box.

You are welcome to try a beta of Network Identity Manager v2 if you would like. (Send private mail to be added to the testers list.) However, if the problem is the resolution of DNS SRV records (which some DNS proxies do not respond to) then the problem will not be resolved by the update.

What I would do is use Network Monitor v3.2 from Microsoft Connect to examine the network traffic and see what requests are failing to receive responses. The krb5 library in KFW has no trace logging that would permit such a problem to be identified from within the library.

Jeffrey Altman
Re: Wrong principal in request
On 1/4/2010 8:42 PM, Russ Allbery wrote:
> Jeff Blaine jbla...@kickflop.net writes:
>> I happened to notice this (note the missing realm) after a failed GSSAPI attempt to the SSH server (mega):
>>
>> [r...@mega ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: jbla...@foo
>>
>> Valid starting     Expires            Service principal
>> 01/04/10 16:14:51  01/11/10 16:14:51  krbtgt/f...@foo
>>         renew until 01/18/10 16:14:51
>> 01/04/10 16:15:08  01/11/10 16:14:51  host/mega@
>>         renew until 01/18/10 16:14:51
>
> Ah, that means that the client doesn't know what the local realm is and is therefore trying to ask the server via referrals, but the server isn't answering that question.

Unfortunately this is not a correct interpretation of what is happening. The host/mega@ does indicate that referrals are being used. However, when referrals are in use the client application has no idea what the realm should be and so the resulting ticket is stored without the realm in the name. This was done in order to ensure that the service ticket could be found in the cache the next time an application seeks a service ticket for such a service principal via referrals (which is represented by specifying the NUL realm name.)

What may be going on for the version of Putty that you are using is that it is calling krb5_get_host_realm in order to try to obtain the realm name for the server up front. If there is no host to realm mapping in the krb5 profile then this function will always return the NUL realm name indicating that referrals will be used. Specifying the host to realm mapping in the krb5 profile results in the referrals logic being disabled.

Jeffrey Altman
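The host-to-realm lookup the reply above describes, worked as a short Python model. This is an added example, not code from the thread or from MIT krb5: the krb5.conf text and hostnames are constructed, and the lookup is reduced to the [domain_realm] walk (exact host first, then the longest parent domain written with a leading dot), leaving out the DNS TXT path. An unmapped host yields the empty (NUL) realm, which is the "host/mega@" form seen in the klist output.

```python
"""Simplified krb5_get_host_realm: [domain_realm] mapping or the NUL realm.
Added example; not code from the thread or from MIT krb5."""

from typing import Dict

# Constructed sample profile.  Both entry forms are shown: an exact host
# entry and a leading-dot entry that covers every host under a domain.
SAMPLE_PROFILE = """
[libdefaults]
    default_realm = FOO
[domain_realm]
    mega.foo.example = FOO
    .foo.example = FOO
    .corp.example = CORP.EXAMPLE
"""


def parse_domain_realm(profile_text: str) -> Dict[str, str]:
    """Return the [domain_realm] section as a dict, keys lower-cased."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_realm(hostname: str, mapping: Dict[str, str]) -> str:
    """Exact hostname match first, then the longest parent domain that has a
    leading-dot entry.  No match returns "" (the NUL realm), which is what
    tells the library to rely on KDC referrals for this host."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".foo.example" before ".example"
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return ""


def service_principal(service: str, hostname: str, mapping: Dict[str, str]) -> str:
    """Name the ticket the way it lands in the cache: realm-qualified when the
    profile maps the host, and 'service/host@' when referrals are in use."""
    return f"{service}/{hostname.lower()}@{host_realm(hostname, mapping)}"


if __name__ == "__main__":
    m = parse_domain_realm(SAMPLE_PROFILE)
    for h in ("mega.foo.example", "db.sub.corp.example", "mega"):
        print(service_principal("host", h, m))
```

Adding the host (or its domain with a leading dot) to [domain_realm] is what turns the empty realm into a fixed one and switches the referral logic off for that host; an unqualified short name such as "mega" never matches a dotted entry, which is the case in the klist output above.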
Re: principal: Invalid argument while creating f...@foo.
On 12/29/2009 12:47 PM, Greg Hudson wrote:
> On Tue, 2009-12-29 at 11:39 -0500, Jeff Blaine wrote:
>>> Do you have RC4 (arcfour-hmac-md5, etc.) configured in your supported_enctypes on that KDC?
>>
>> I don't understand why I would need to specify that (?)
>
> Tom was asking that to verify that his understanding of your problem was correct; he wasn't suggesting a workaround.
>
> The problem is that addprinc -randkey works in an odd way: it creates the principal with a dummy password (and a flag to disallow issuing of tickets) and then asks the kadmin server to randomize the password. In krb5 1.6, the dummy password is a 255-byte string containing all possible byte values. This is what causes the problem with a krb5 1.7 server if you're supporting RC4 keys, because that dummy password is not valid UTF-8. krb5 1.7 clients use a different dummy password which doesn't have this problem.

May I suggest that in order to provide for backward compatibility that kadmin recognize the well-known dummy password and the use of the disallow-tickets flag and replace the dummy password with one that will succeed.

Jeffrey Altman
Re: DNS lookups with dns_lookup* = false
On 12/23/2009 11:31 AM, apmail...@free.fr wrote:
> Then, I wanted to try how the failover would behave if the SRV _kerberos-master._udp.DOMAIN record was present. But my Active Directory admin says he has indeed the _kerberos._XX SRV record, but that he is not proposed with the choice to add a _kerberos-master. record in the AD DNS system. Has anyone stepped upon such a problem?

AD doesn't limit the DNS SRV names that can be entered. _kerberos-master is not in the quick list but it can be typed by hand.
Re: KDC on Windows
On 12/23/2009 3:43 AM, Prasanna Kothari wrote:
> hello, I wanted to know if there's MIT KDC available on Windows platform. If not, can it be built, if so can you provide the build instructions/make file.
>
> -Prasanna

You can build one with cygwin. MIT KFW does not include one.
Re: Kerberos tickets, SSH public key auth, AFS tokens
On 12/18/2009 12:00 PM, Jeff Blaine wrote:
> Does anyone know of a Cygwin OpenSSH that supports GSS-API?

There is none that I am aware of. In order to build OpenSSH in cygwin against KFW you will require Cygwin import libraries for each of the KFW DLLs. Secure Endpoints submitted a patch to MIT (RT 6504) which contains the necessary code to build the cygwin import libraries as part of the KFW build process. This patch has not been integrated into the MIT source tree.

Once you have the import libraries you can build OpenSSH from source while modifying the Unix Makefiles to refer to the KFW import libs. This will produce for you an OpenSSH that can make use of the MSLSA and API credential cache types on Windows.

Jeffrey Altman
Re: KfW 3.2.2 multiple users via SSH
krbcc32s.exe is per session. You can't run two instances in the same session with different authentication contexts. I don't know how the sshd you are using is implemented but apparently it doesn't run the underlying users in distinct logon sessions.

pete...@bigfoot.com wrote:
> I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a problem using kinit/klist when multiple users ssh to the host. If I ssh to the windows host as userA, then run klist, I see the following:
>
> (as userA - krbcc32s NOT running)
> $ klist
> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>
> That's as expected. And... looking at ProcessExplorer, the krbcc32s process is now running as userA. Now, ssh as userB and run klist:
>
> (as userB - krbcc32s running as userA)
> $ klist
> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>
> If I kill krbcc32s and redo the test, but login as userB first, I see just the reverse, ie:
>
> (as userB - krbcc32s NOT running)
> $ klist
> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>
> (as userA - krbcc32s running as userB)
> $ klist
> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>
> My first suspicion was the fact that the CC is the same for both users (API:krb5cc), but if I redo the above tests and set KRB5CCNAME to something unique for each user (eg. API:krb5cc_userA, API:krb5cc_userB) it fails the same way. If I use a unique FILE: credentials cache for each user (eg. FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to work, but krb5cc32s is running as the first user who started it, which bothers me.
>
> S... 2 questions:
> 1) Is it not possible to use an API: credentials cache for more than one user?
> 2) Is it OK to use a FILE: credentials cache in this case even though krb5cc32s is running as the first user who started it?
Re: Problem with mit2ms - Tickets are not transfered to LSA cache
Christoph Fritz wrote:
> Unfortunately kerbtray does not show me any ticket in the LSA cache. Which parameters do I need for the mit2ms executable or is my idea not working at all? How can I transfer the tickets from the MIT Client cache to the LSA cache of Windows?

mit2ms worked on Vista. It does not work on XP and 2003. I have not tested it on Vista SP2 and Win7.
Re: Problem with mit2ms - Tickets are not transfered to LSA cache
Jeffrey Altman wrote:
> Christoph Fritz wrote:
>> Unfortunately kerbtray does not show me any ticket in the LSA cache. Which parameters do I need for the mit2ms executable or is my idea not working at all? How can I transfer the tickets from the MIT Client cache to the LSA cache of Windows?
>
> mit2ms worked on Vista. It does not work on XP and 2003. I have not tested it on Vista SP2 and Win7.

I just tested on Win7 and it won't work there until the krb5 library cc_mslsa.c is updated to handle the current behavior.

Jeffrey Altman
Re: Fwd:Windows 7 Kerb bug
authentication.
5. A new progress dialog that explains what the various credential providers are doing during a new credential acquisition or a renewal.
6. User assignment of icons to each network identity
7. Addition of an animated battery for each identity which shows valid lifetime and can be used to initiate renewal.
8. Addition of a star to indicate the current default identity instead of a color palette change.

Here are some screen shots:
* http://www.secure-endpoints.com/netidmgr/v2/nim-basic-icons.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-idsel.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-basic-ks.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-idspec.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-adv-ks.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-progress.PNG

A presentation on Network Identity Manager v2 was given at the 2009 AFS Kerberos Best Practices Workshop by Asanka Herath, Daniel Kouřil, and myself. http://workshop.openafs.org/afsbpw09/thu_3_3.html

Many peer institutions including Stanford University, Carnegie Mellon and FermiLab are extremely happy with Network Identity Manager and Secure Endpoints has a direct channel to their help desks. Whenever there were problems with Network Identity Manager, they were addressed in subsequent releases.

I should point out that due to MIT's discomfort with the switch from Leash32 to NetIdMgr that the KFW 3.2.x 32-bit MSI does include the leash32 binary and MIT can apply a transform to the MSI that will install leash32 and not Network Identity Manager 1.3. If the reason that MIT has continued to ship KFW 2.6.5 for all of these years is a dislike for Network Identity Manager, it has done so for no good reason. Of course, this is only true for 32-bit platforms because Leash32 will not compile on 64-bit platforms.

Regarding Network Identity Manager release schedules, I am hoping to be able to ship v2 by the end of this month. I do not know whether it will be shipped as part of a KFW package, or standalone, or whether the Network Identity Manager distribution will include a bundled Kerberos distribution.

If you have any questions regarding Network Identity Manager, please feel free to ask them.

Jeffrey Altman
Secure Endpoints Inc.

Richard Edelson wrote:
> I actually wanted to get rid of 2.6.5 this summer but I'm still holding off because of issues people are having with NIM. I heard NIM is going away. Do you have info on upcoming release schedules?
>
> Richard
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:jalt...@secure-endpoints.com]
> Sent: Monday, October 05, 2009 5:26 AM
> To: redel...@mit.edu
> Cc: akoz...@mit.edu; kerberos@mit.edu; windows7-rele...@mit.edu
> Subject: Re: Fwd:Windows 7 Kerb bug
>
> Richard Edelson wrote:
>> I have a separate installer the pismere build machine made of 2.6.5 which works fine, it's on DFS: \\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi
>
> While you may believe that kfw 2.6.5 works fine on Vista and Win7, it really doesn't. Microsoft Crash Reporting receives more than 6000 crash reports a month from 2.6.5 leash32.exe, gssapi32.dll and krb5_32.dll.
Re: FW: Windows 7 Kerb bug
Tom Yu wrote:
> Jeffrey Altman jalt...@secure-endpoints.com writes:
>> The problem is not an OpenAFS issue. The problem is a bug in netbios name resolution in Windows 7. Concerned organizations should report the issue to Microsoft in order to ensure that it will be fixed.
>>
>> Jeffrey Altman
>
> Based on the rather lengthy series of forwarded messages, it was not clear that the underlying issue was a NetBIOS name resolution bug. I would have found it helpful to have a summary of which bug to report, and what information was most important.

Microsoft has reacted quite poorly in the past to cookie cutter bug reports being received from multiple sites. What they want are sites to experience the issue themselves and file their own bug report.

* Install Windows 7.
* Install OpenAFS and KFW
* Boot the machine without network
* Login to the machine
* Obtain a network address
* Determine that it is impossible to enumerate \\AFS
* Call PSS and File a bug report

If you have network when the machine boots, all is fine. The problem only occurs when the machine obtains a network address after logon.

Jeffrey Altman
Re: Fwd:Windows 7 Kerb bug
Richard Edelson wrote:
> I have a separate installer the pismere build machine made of 2.6.5 which works fine, it's on DFS: \\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi

While you may believe that kfw 2.6.5 works fine on Vista and Win7, it really doesn't. Microsoft Crash Reporting receives more than 6000 crash reports a month from 2.6.5 leash32.exe, gssapi32.dll and krb5_32.dll.
Re: MS IWA - extended protection - SSPI - channel binding
Markus Moeller wrote:
> I am reading the MS article about IWA and extended protection http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this affects GSSAPI based applications like Apache with mod_auth_kerb? Does this mean MS has added channel bindings to SSPI? Unfortunately I don't have Windows 7 to test.
>
> Thank you
> Markus

You do not need Windows 7. The change was backported all the way to XP SP2 and the update was pushed as critical two weeks ago. When activated GSS-API over TLS will use channel bindings if the application requests extended protection.

Jeffrey Altman
Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
Johnny Russ wrote:
> I have a desktop PC running Windows 7 32-bit and a laptop running Windows 7 64-bit. I use kerberos and network identity manager to access my AFS files. Everything seems to work fine. Except that randomly (every few days or so) I will notice my CPU is maxed out. When I check the task manager netidmgr.exe and explorer.exe will be the 2 processes that are maxing out the CPU. This usually happens when I am not even directly using netidmgr or AFS. I cannot kill them from task manager, with taskkill, or with pskill from sysinternals. I have to reboot to stop them from maxing out the CPU.
>
> I realize that Windows 7 is not officially supported or even officially released yet, but it will be soon. Network Identity Manager, Kerberos, and AFS all seem to work fine without any issues. I was just curious if anybody else is running Windows 7 and seeing this issue. How can I confirm that this is actually a bug when running under Windows 7? Or even better any ideas how to avoid it would be appreciated.

I haven't seen the issue but would be happy to track it down and squash it. Since you are comfortable using SysInternals tools, could you configure procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and have it capture a process dump when the issue occurs?

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Please send mail to netid...@secure-endpoints.com.

Given that the issue affects both netidmgr.exe and explorer.exe I suspect the problem isn't actually with netidmgr but is more likely an interaction between Windows 7 and OpenAFS but we shall see.

Jeffrey Altman
Re: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
Danny Mayer wrote:
> I have seen something like this on my XP box and I believe it was netidmgr if that is the app that sits in the system tray. After some time (days) it seems to be grabbing all the messages in the message pump and suddenly all of my windows go crazy, flashing windows all over the screen. I have to find my DOS window and kill it off and then things return to normal. I don't think this is specific to Windows 7. I haven't had time to follow up as I have plenty of other projects on my plate.
>
> Danny

Danny:

I have to say this sounds extremely unlikely. If you have any evidence to back up this theory I would love to see it.

The problem that Mr Russ is experiencing appears to be related to interactions with Offline Folders and OpenAFS Pioctls. I am following up with him to collect additional information.

Jeffrey Altman
Re: KfW 3.2.2 on Win XP SP3 + file cache = repeated password asking?
Try setting the default identity after you alter the associated cache name.

Kronus David wrote:
> Hi all, I'm not really expert so this might be a sign of my misunderstanding but... I'm using Network ID manager to authenticate to a Linux server running MIT Kerberos KDC and other kerberized servers (SSHd, Apache+mod_auth_kerb). When I initially configured my identity in NetIdMgr, everything worked fine - input my password just once and then no more (using kerberized Putty, TortoiseSVN, Firefox...). So I conclude from this that there is no problem with the server.
>
> Then I played with Java and wanted to use my cached credentials from KfW also using JAAS. I changed the cache in my identity configuration from API:... to FILE:c:\Temp\ccache. Cache worked, the file had been created after obtaining credentials. And after some time JAAS started to work. I was amazed but not for long because I've realized that with file-based cache NetIdMgr is asking for my password each time when some application using KfW dlls needs credentials (Firefox, Putty...). Even when I open putty twice for the same SSH server, NetIdMgr asks for password. Otherwise everything works but this is totally unusable. I tried to play with the settings but haven't arrived to a solution or an explanation. When I change back to API: cache, everything works fine (except JAAS...).
>
> So, what's the problem?
> 1) Is this expected behaviour when using file-based cache? Shall I configure something to get rid of the repeated password prompt? I haven't really found any information about using file cache with KfW, it seems to be out-of-fashion, since Java is probably able to read from LSA, but that doesn't help me in this case (no AD domain), does it?
> 2) If the answer to question 1) is YES, is it expected and you can't do anything about it, can you please advise me on a way in which KfW and JAAS can cooperate in a nice way?
>
> Thanks for any help.
>
> David
Re: Active Directory Kerberos Server and Windows MIT Tools Client
IIS and other Windows SSPI based applications will only use credentials that are obtained via the Microsoft logon screen. You cannot use MIT KfW to obtain a TGT for those applications. In other words, you must log onto the machine with the domain account and not a local account if you wish to use IE. Your other option is to start IE using RunAs domainAcct and issue your username/password for the domain account each time you start IE.

Jeffrey Altman

Schreiter,Jonathan M. wrote:
> Hello, I currently have an AD 2003 environment that serves as a Kerberos server. Normally, with a standard Windows XP / Vista client (that is joined to the domain), when I login with a domain account I get a TGT for the AD domain / realm. This TGT is then used to get tickets for various other services that require Kerberos. When I run a klist from the MIT tools installed on this client, I show my ticket cache: MSLSA.
>
> I need to log in with a local account on this same computer (still joined to the domain). I'd like to be able via command line to enter in my AD credentials to acquire a tgt just as if I was a login from the original CTRL+ALT+DEL screen. Also, MYDOMAIN.COM = MYREALM.COM
>
> After logging in locally, I tried to do a simple kinit myu...@mydomain.com and it took the password. However, if I use Internet Explorer to go to an IIS server that requires kerberos authentication, I am still prompted for my username and password.
>
> I then drilled in to the GUI Network Identity Manager. Under Kerberos v5 Credential Cache I have Include Windows LSA cache (MSLSA:) checked. Under Realms I added a new realm MYDOMAIN.COM. I added an AD DC for the Kerberos Server, but I left Domains that map to MYDOMAIN.COM empty (not sure what's supposed to go here). I then entered my kerberos authentication in to the GUI and it took my password. However, it still doesn't see the tgt in the MSLSA (if I try to use a klist from the Windows NT Resource Kit).
>
> If I run klist from c:\Program Files\MIT\Kerberos\Bin I get a klist: No credentials cache found (ticket cache API:myu...@mydomain.com. Also, If I try to run IE to hit an IIS web server requiring Kerberos, it still prompts me for my credentials.
>
> I think I'm almost there - but can someone help me connect the pieces? Again, I would like to log in to a windows xp / vista computer, enter a username and password to obtain a tgt in the mslsa, so that IE can hit an IIS server that requires kerberos w/o typing in the password again.
>
> Any help would be GREATLY appreciated.
>
> Many thanks,
> Jonathan
Re: KfW and NiM getting mutliple TGT's
David Bear wrote:
> On Thu, Apr 30, 2009 at 4:41 PM, Jeffrey Altman jalt...@secure-endpoints.com wrote:
>> David Bear wrote:
>>> Normally, when we install KfW (currently using 3.2.2) on windows, we include a krb5.ini file that is mostly the same as the krb5.conf we use on linux. Our krb5.ini only has asu.edu realm information in it. We also have an AD domain to which our windows clients are joined. When a user does a domain logon, they normally get 2 credentials automatically, one for the AD domain, and one for our ASU.EDU realm. This is the behavior we like. However, today, using the same configuration file, NiM is only reporting credentials for the AD domain -- it is not automatically getting credentials from the ASU.EDU realm. We have selected (obtain new creds at startup) and (destroy all creds on exit) but this makes no difference. For some reason, KfW is not getting all the creds we are used to at startup. Any advice on how to get the behavior back that we want?
>>
>> NIM does not obtain the credentials. The KFW network provider (kfwlogon.dll) does this if and only if:
>> 1. the password for the AD and MIT realms are the same
>> 2. kfwlogon.dll is installed
>> 3. the default realm in the krb5.ini file is the MIT realm
>>
>> The NIM obtain new creds at startup does not affect the kfwlogon.dll. What it does is prompt the user for credentials if there are none available at startup.
>
> We have set the asu.edu realm to be the default realm in the krb5.ini file. The passwords between AD domains and MIT Krb realms are identical. Still, KfW doesn't auto-get asu.edu realm credentials. We can obtain credentials using NiM AFTER standard windows logon. But it is just not getting them automatically. Is there some other configuration option we have missed or munged?

You should verify that the Network Provider kfwlogon.dll is installed and assuming that is true then you can turn on Windows Application Event Logging:

HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider
Debug  DWORD  0x01
Re: Race condition in /ccache/cc_memory.c
Hong Ye wrote:
> Hi, Our authentication application developed using MIT kerberos crashed in multi-thread environment on Windows. I found this post which describes the same problem as we were seeing. The post was dated Nov,2005. Has this problem been resolved in latest Kerberos library. If not, is there work around?
>
> Using the MEMORY credentials cache from multiple threads is not thread-safe and crashes.
> http://mailman.mit.edu/pipermail/krb5-bugs/2005-November/004061.html
>
> Any suggestions are appreciated,
> Hong

What version of KFW are you using?
Re: Race condition in /ccache/cc_memory.c
How have you confirmed that the issue you are experiencing is the one described in the Nov 2005 post? Do you have a stack trace or a crash dump from the application?

Hong Ye wrote:
> latest release KFW 3.2.2.
>
> Jeffrey Altman wrote:
>> Hong Ye wrote:
>>> Hi, Our authentication application developed using MIT kerberos crashed in multi-thread environment on Windows. I found this post which describes the same problem as we were seeing. The post was dated Nov,2005. Has this problem been resolved in latest Kerberos library. If not, is there work around?
>>>
>>> Using the MEMORY credentials cache from multiple threads is not thread-safe and crashes.
>>> http://mailman.mit.edu/pipermail/krb5-bugs/2005-November/004061.html
>>>
>>> Any suggestions are appreciated,
>>> Hong
>>
>> What version of KFW are you using?
Re: KfW and NiM getting mutliple TGT's
David Bear wrote:
> Normally, when we install KfW (currently using 3.2.2) on windows, we include a krb5.ini file that is mostly the same as the krb5.conf we use on linux. Our krb5.ini only has asu.edu realm information in it. We also have an AD domain to which our windows clients are joined. When a user does a domain logon, they normally get 2 credentials automatically, one for the AD domain, and one for our ASU.EDU realm. This is the behavior we like. However, today, using the same configuration file, NiM is only reporting credentials for the AD domain -- it is not automatically getting credentials from the ASU.EDU realm. We have selected (obtain new creds at startup) and (destroy all creds on exit) but this makes no difference. For some reason, KfW is not getting all the creds we are used to at startup. Any advice on how to get the behavior back that we want?

NIM does not obtain the credentials. The KFW network provider (kfwlogon.dll) does this if and only if:

1. the password for the AD and MIT realms are the same
2. kfwlogon.dll is installed
3. the default realm in the krb5.ini file is the MIT realm

The NIM obtain new creds at startup does not affect the kfwlogon.dll. What it does is prompt the user for credentials if there are none available at startup.

Jeffrey Altman
Re: webauthldap(SUNetID): cannot get ticket: Too many open files (24)
Fletcher Cocquyt wrote:
> Hi, I am following the code now on this one - after posting to the webauth list a couple weeks ago we are still experiencing several hundred of these errors per day - we have maxed out our file descriptors hard and soft limits at 64k and verified with running plimit.
>
> webauthldap(SUNetID): cannot get ticket: Too many open files (24)
>
> Env: Solaris 9, apache 2.0.52, webauth 3.5.4, MIT kerberos krb5-1.4.1
>
> Our apache threads are now approaching 250-300 open files (as reported by lsof). I suspect the issue may be isolated to the webauth and associated kerberos calls related to keytab and ticket cache operations. this suspicion is based on:
> 1) error only occurs on mod_webauth protected URLs
> 2) error is always associated with webauthldap(SUNetID): cannot get ticket: Too many open files (24) messages
>
> Hypothesis: This version of webauth kerberos is somehow not using the 64k file descriptor limit, but is using a 256 file limit and throwing the error on the ticket operations when the apache thread has more than 256 files open. there are other threads related to the use of char vs int resulting in return value overflow... is there a kerberos bug in 1.4.1 version which is since fixed?
>
> thanks

I'm going to hazard a guess that the problem is gssapi maintaining an open file descriptor per context for the replay cache or that you are experiencing a leak of file descriptors to the replay cache. I do not remember exactly the version that plugged the leak and fixed it by maintaining a rcache fd per gss context.

Jeffrey Altman
Re: Kerberos Tickets flushed on unlocking Windows Xp?
Rahul Kohli wrote:
> Hi, I am facing a strange issue with Kerberos authentication on my Windows XP system. I noticed that on lock and unlock of the Windows XP system all the kerberos TGT and service tickets get deleted and recreated. Is this a known feature or defect? Please let me know when these kerberos tickets get flushed: on the lock, or the unlock? Is there a patch/fix available for this behavior? Can the default lock/unlock behavior be changed for kerberos?
>
> Thanks, Rahul

During the unlock XP is re-authenticating the user against the KDC. This results in a new TGT being obtained which replaces any previously cached tickets. This is a fairly standard behavior across Kerberos implementations. What is the problem that you are experiencing from this behavior?
Re: non-KDC replay cache problems?
Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an application replay cache?

The motivation that Roland and I have for re-working the replay cache is primarily driven by application replay cache false positives.

Jeffrey Altman
Re: non-KDC replay cache problems?
Ken Raeburn wrote:
> On Dec 23, 2008, at 03:42, Jeffrey Altman wrote:
>> Tom Yu wrote:
>>> Has anyone experienced problems due to false positive conditions on an application replay cache?
>>
>> The motivation that Roland and I have for re-working the replay cache is primarily driven by application replay cache false positives.
>
> How much do these problems still occur with the Windows time-offset code fixed?
>
> Ken

The problem needs to be fixed at the service end. There are many clients, not all of which are MIT code base, and even for those that are, it's not possible to force upgrades to new code.
Re: KVNO/Keytab Question
[EMAIL PROTECTED] wrote:
> Hi Douglas, thanks for your response. ktpass was used to create the keytab. The KDC is maintained by our local service unit. We're really scratching our heads at the moment; it seems that each time we create a new keytab file, shortly afterwards the KVNO in the client ticket changes. I've no idea why they are out of sync. What changes etc could cause the KVNO to increment on the KDC?
>
> Thanks
> Kev

Every time you generate a new keytab with ktpass the key is replaced in the KDC. Generate the keytab once with ktpass and then distribute it to your service ASAP.

Jeffrey Altman
Re: Trouble with service principal missing its realm
A service ticket in the credential cache without a realm name is a service ticket that was obtained using server side referrals. The actual realm name was not specified by the client when requesting the service ticket. Your domain_realm mappings provide the client a mapping of all hosts in the staging.wg domain as being part of the STAGING.WG realm. However, the hostname db.wg is not covered by that mapping. As a result, server side referrals are used when requesting the service ticket.

You could work around the problem by providing in the krb5.conf file a mapping for .wg or db.wg to the STAGING.WG realm. However, it would be useful to determine exactly which piece of code is generating the error you are receiving. Whichever it is, it needs to be fixed to deal with server side referrals.

Jeffrey Altman

Rich McDonough wrote:
> I'm having a strange issue that is proving very troublesome to diagnose, and I've been unable to reproduce it on another network. We're working toward rolling out Kerberos and OpenLDAP on our staging and production networks shortly, but are having a strange issue that is likely simple to solve, but still eludes us.
>
> In short, our service principals look like this after trying to do an ldapwhoami or other such operations, and incidentally maybe the cause of an issue with mod_auth_kerb as well (though I won't stray into that right now):
>
> staging [EMAIL PROTECTED] ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 11/27/08 02:11:09  11/28/08 02:10:41  krbtgt/[EMAIL PROTECTED]
> 11/27/08 02:11:57  11/28/08 02:10:41  ldap/db.wg@
>
> The missing @STAGING.WG seems to be causing issues with GSSAPI and LDAP as they are (rightly, I believe) returning an error 144 (wrong principal in request). I'm fairly sure that this is a configuration issue of course, and not really sure how I'm getting a service principal like this in the first place.
>
> Here's our krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = STAGING.WG
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  STAGING.WG = {
>   kdc = db.wg:88
>   admin_server = db.wg:749
>   default_domain = staging.wg
>  }
>
> [domain_realm]
>  .staging.wg = STAGING.WG
>  staging.wg = STAGING.WG
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> Also, lookups for hosts work both forward and reverse without issue, /etc/hosts files are in good shape and hostnames are certainly right. LDAP and Kerberos are both running on the same host (db), and the /etc/krb5.keytab looks like this, and has been made world-readable (though once things are working I obviously want to move the ldap service principal to its own keytab):
>
> staging [EMAIL PROTECTED] richm]# klist -ek /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- ---------
>    7 host/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>    3 ldap/[EMAIL PROTECTED] (Triple DES cbc mode with HMAC/sha1)
>    3 ldap/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
>
> Finally, here is the kdc.conf from our system:
>
> [kdcdefaults]
>  v4_mode = nopreauth
>  kdc_tcp_ports = 88
>
> [realms]
>  STAGING.WG = {
>   #master_key_type = des3-hmac-sha1
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   #supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>   supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>  }
>
> We're running CentOS 5.2 x64. Thank you for any assistance that you can give us!
>
> Rich McDonough
Re: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
Jonathan Barber wrote:
> After downloading putty from here: http://web.mit.edu/jaltman/Public/putty-0.59-with-gssapi.zip

This version is known to be buggy and should have been deleted from that location long ago. It now has been.

> and copying the dll's from the MIT NetIDMgr install to C:\Windows\system32,

Why are you copying DLLs from the installer directory to \WINDOWS\System32? Application binaries do not belong there.

> we get the following message from putty when we try to connect to a kerberised ssh server:
>
> Event Log: GSSAPI error: Unspecified GSS failure. Minor code may provide more information
> Event Log: GSSAPI mech specific error: Cannot resolve network address for KDC in requested realm
>
> The same ssh server works fine from a linux client with the same principal.

The problem is not your ssh server, it's the putty client. Secure Endpoints provides gss putty clients that work (for 32-bit and 64-bit windows) to its clients.

Jeffrey Altman
Secure Endpoints Inc.
Re: ktutil get
Victor Sudakov wrote:
> It seems that kadmin ktadd could do this for me if only it were compatible with Heimdal's kadmind.

If you are using a Heimdal server, then you must use Heimdal's tools. The kadmin protocols for each of Solaris, MIT, Heimdal, AD, ... are all different and incompatible. Simply build the Heimdal tools for each platform you wish to use ktutil on.
Re: KfW 3.2.2 and plink on Vista
The error is in plink and putty. Obtain a new version of both.

[EMAIL PROTECTED] wrote:
> I have a Kerberos enabled version of PuTTY which works fine on XP using both KfW 3.1.0 and 3.2.2. It also works fine on Vista using KfW 3.1.0. But on Vista using KfW 3.2.2, plink triggers a Vista error popup with the following detailed info. Is this a problem with KfW? Or plink? Or Vista?
>
> Problem signature:
> Problem Event Name: APPCRASH
> Application Name: plink.exe
> Application Version: 0.0.0.0
> Application Timestamp: 442da71c
> Fault Module Name: ntdll.dll
> Fault Module Version: 6.0.6001.18000
> Fault Module Timestamp: 4791a7a6
> Exception Code: c005
> Exception Offset: 000659c3
> OS Version: 6.0.6001.2.1.0.256.16
> Locale ID: 1033
> Additional Information 1: 0278
> Additional Information 2: fca079b4ae336117388507dcafefd8fe
> Additional Information 3: ed28
> Additional Information 4: e4da8b766cc83f8ab38503727fc11ef0
Re: KfW 3.2.2 and plink on Vista
[EMAIL PROTECTED] wrote:
> If it's plink (and I'm not saying it isn't), then why does plink work fine on Vista using KfW 3.1.0? It's only Vista using KfW 3.2.2 that triggers the problem. In other words, what's different between 3.1.0 and 3.2.2 that triggers the problem... and only on Vista?

It's not Vista. It's KFW 3.1 vs 3.2. The GSSAPI implementation was replaced between those releases. In 3.1 a single mechanism GSSAPI implementation was included. In 3.2 a multi-mechanism implementation is included. In 3.1 the GSSAPI could refuse to deallocate memory that wasn't allocated by the mechanism. In 3.2 the GSSAPI does not. plink/putty has a bug. I know it has a bug because the bug was fixed a long time ago. The bug was masked by KFW 3.1 and is not masked by 3.2. Please get a new putty.
Re: KfW and Vista
The installer runs with Administrator privileges under the Administrator session. It is running in a different logon session than the user session. If you see Windows report the second session as the same user it is because the user is in the Administrators Group and as such is running in a second session without the UAC restrictions. Once the installer process is running elevated it is not possible to have it CreateProcess within the original logon session.

Jeffrey Altman

[EMAIL PROTECTED] wrote:
> I have a special installer (NSIS) that first installs KfW and then starts the NIM so the user can enter their Kerberos password and then accesses a server via SSH/GSSAPI. On Win XP, this works fine. Vista on the other hand seems to run the NIM in a different context or session or something. It's running as the same user, but credentials available via the NIM are not available via command line clients (i.e. running klist from the command line says there's no credentials even though the NIM says there are). If I run Process Explorer, I see there are 2 krbcc32s.exe processes and I presume that means they are using separate credentials caches? Is there any way to force a NIM that was started via an installer so it uses the same credential cache as the command line kinit/klist/kdestroy?
Re: [Ietf-krb-wg] Proxiable/forwardable question
Lewis Adam-CAL022 wrote:
>> It might help a lot if you give up on the hypothetical and tell us what you're really trying to do. There's a good chance that there is a solution based on existing technology, but it's hard to tell without knowing more about what's going on.
>
> Okay, so basically my situation is that I have a user which is going to authenticate to a central server. This central server will then alert other application servers that the user is on-line. So when the user authenticates to the central server by sending it a Kerberos ticket, I would like for that central server to forward the user's ticket to the other (application) servers, and for the end result to be that the user has a shared session key with each of those application servers. Is this possible?

Let me start by suggesting that you hold this discussion on kerberos@mit.edu instead of on the IETF Kerberos WG mailing list. kerberos@mit.edu is for questions regarding Kerberos deployments whereas this mailing list is intended for discussions regarding the development of Kerberos protocol standards.

Next I will suggest, if you have not already done so, that you read one or more of the tutorials on Kerberos so that you have a better idea of how the protocol actually works and what the roles of the participants are. You can find some good introductory tutorials at http://web.mit.edu/kerberos/papers.html

In your environment you have client C, the KDC K, the Central Server CS, and an application server AS. When C wants to authenticate to CS it obtains a service ticket for CS from K using a previously obtained Ticket Granting Ticket for the user. This ticket T is encrypted in a key that only CS knows and contains a session key that is known to C. If CS can decrypt T it can obtain the session key and with it C and CS can prove their identity to one another. If C ever talks to AS directly then C would obtain a service ticket for AS from K. There is no need for CS to send a session key to AS.

If CS is going to be communicating to AS on behalf of C, then C could forward a ticket to CS that CS can use to authenticate to AS as C.

Note that it is very unclear from your description what your intended communication flow is or what protocols are involved.

I have set followup-to [EMAIL PROTECTED]

Jeffrey Altman
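The exchange described in the reply above (C obtains T from K, T is sealed under a key only CS holds, and C gets its own ticket for AS rather than having CS pass anything on), as an added toy model that is not code from the thread or from any Kerberos implementation. The seal()/unseal() helpers are an HMAC-SHA256 keystream plus tag standing in for a real Kerberos enctype; the principal names "alice", "cs" and "as", the password and all keys are constructed for the demonstration:

```python
"""Toy model of the exchange described in the reply above: client C, KDC K,
central server CS and application server AS. Added illustration, not library
code: seal()/unseal() is an HMAC-SHA256 keystream plus tag standing in for a
real Kerberos enctype, and every principal name, password and key is constructed."""
import hashlib, hmac, json, os
from typing import Dict, Tuple

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object under key."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError on a wrong key or an altered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key, not krb5's

class KDC:
    """K: holds every principal's long-term key and issues tickets."""
    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys

    def as_exchange(self, cname: str) -> Tuple[bytes, bytes]:
        """AS-REP: TGT sealed under krbtgt's key, plus its session key sealed for C."""
        sk = os.urandom(32).hex()
        return (seal(self.keys["krbtgt"], {"cname": cname, "key": sk}),
                seal(self.keys[cname], {"sname": "krbtgt", "key": sk}))

    def tgs_exchange(self, tgt: bytes, auth: bytes, sname: str) -> Tuple[bytes, bytes]:
        """TGS-REP: ticket T for sname, sealed under a key that only sname holds."""
        body = unseal(self.keys["krbtgt"], tgt)
        tgt_sk = bytes.fromhex(body["key"])
        if unseal(tgt_sk, auth)["cname"] != body["cname"]:
            raise ValueError("authenticator does not match TGT")
        sk = os.urandom(32).hex()
        return (seal(self.keys[sname], {"cname": body["cname"], "key": sk}),
                seal(tgt_sk, {"sname": sname, "key": sk}))

class Client:
    """C: keeps the TGT and one (ticket, session key) pair per service."""
    def __init__(self, name: str, password: str):
        self.name, self.key, self.creds = name, string_to_key(password), {}

    def login(self, kdc: KDC) -> None:
        tgt, rep = kdc.as_exchange(self.name)
        self.creds["krbtgt"] = (tgt, bytes.fromhex(unseal(self.key, rep)["key"]))

    def get_ticket(self, kdc: KDC, sname: str) -> None:
        tgt, tgt_sk = self.creds["krbtgt"]
        ticket, rep = kdc.tgs_exchange(tgt, seal(tgt_sk, {"cname": self.name}), sname)
        self.creds[sname] = (ticket, bytes.fromhex(unseal(tgt_sk, rep)["key"]))

    def ap_req(self, sname: str) -> Tuple[bytes, bytes]:
        ticket, sk = self.creds[sname]
        return ticket, seal(sk, {"cname": self.name})   # ticket + authenticator

class Service:
    """CS or AS: can open only tickets sealed under its own key."""
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes, auth: bytes) -> Tuple[str, bytes]:
        body = unseal(self.key, ticket)                 # fails unless T was issued to us
        sk = bytes.fromhex(body["key"])
        if unseal(sk, auth)["cname"] != body["cname"]:
            raise ValueError("wrong principal in request")
        return body["cname"], sk

def run_exchange() -> dict:
    keys = {"krbtgt": os.urandom(32), "cs": os.urandom(32), "as": os.urandom(32),
            "alice": string_to_key("constructed-password")}
    k, cs, app = KDC(keys), Service(keys["cs"]), Service(keys["as"])
    c = Client("alice", "constructed-password")
    c.login(k)
    c.get_ticket(k, "cs")
    who_cs, sk_cs = cs.accept(*c.ap_req("cs"))       # C and CS now share sk_cs
    try:                                              # CS cannot relay T to AS: T is sealed for CS
        app.accept(*c.ap_req("cs"))
        relayed = True
    except ValueError:
        relayed = False
    c.get_ticket(k, "as")                             # C gets its own ticket for AS from K
    who_as, sk_as = app.accept(*c.ap_req("as"))
    return {"cs_saw": who_cs, "as_saw": who_as, "relay_accepted": relayed,
            "keys_agree": sk_cs == c.creds["cs"][1] and sk_as == c.creds["as"][1]}
```

run_exchange() returns a summary rather than printing: both services see "alice", the attempt to present CS's ticket to AS is rejected because AS cannot open it, and the session keys each side recovered match. What the model leaves out (timestamps in the authenticator, ticket lifetimes, the replay cache) is exactly what a real AP exchange adds on top of this skeleton.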
Re: Question about dns_lookup_realm and domain_realm
Jos Backus wrote:
> On Fri, Jun 27, 2008 at 01:57:37AM -0400, Jeffrey Altman wrote:
>> There are several issues here. First, DNS TXT records are known to be insecure. Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.
>
> Understood.
>
>> Second, any domain_realm mapping for your domain .foo.com is going to override the use of DNS lookups. That is because local configuration data is considered to be trustworthy whereas DNS lookups are not.
>
> That's something my patch changes as it performs the DNS lookup first (when configured).

Which in turn would disable Kerberos referrals.

>> In the case of two realms, PROD.FOO.COM and DEV.FOO.COM some of your hosts are in one and some are in the other. By default you want PROD.FOO.COM to be used. However, for specific hosts you want DEV.FOO.COM. Using the config file you would specify
>>
>> [domain_realm]
>>  devhost1.foo.com = DEV.FOO.COM
>>  .foo.com = PROD.FOO.COM
>
> Yup, tried that, works, but doesn't scale well.

There is a serious need for the zero configuration solution for Kerberos deployments. Of course, DNS is insecure so relying on DNS to bootstrap your authentication system is undesirable. That is not to say it has not been used, but only because there have been no other choices.

>> If you want to rely on DNS TXT records you have to make sure that there are no mappings in the config file. Then you would create records for
>>
>> _kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
>> _kerberos.foo.com IN TXT PROD.FOO.COM
>
> Okay. We have the former (obviously) but not the latter. I can add that.
>
>> Because DNS TXT records are insecure and there is a need to be able to provide for centralized configuration data Microsoft created the Kerberos referrals mechanism. Using referrals a client asks the KDC belonging to the TGT realm for a referral to the correct realm for the desired service principal. Referrals are used whenever there is not a local [domain_realm] mapping.
>
> So this implies two-way trust and communication, yes? I wonder if this will require network/ACL changes.

For referrals to work the user must have already obtained a TGT. If you are trying to decide which identity a user should obtain a credential for based upon the host that the user is going to communicate with, that is not something that will be solved by referrals. To be honest, I don't think it will be solved by domain_realm mappings whether stored locally or in DNS.

>> The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
>
> ISTR that's where krb5_get_fallback_host_realm() is called, from a comment in the code. Now it's clear why, although I still don't quite grok the referral mechanism. Time to study the documentation.
>
> Thanks for the critique and helpful information, Jeffrey.

No problem.
Re: Question about dns_lookup_realm and domain_realm
Simo Sorce wrote:
>> There are several issues here. First, DNS TXT records are known to be insecure.
>
> Jeff, this statement is interesting, how are TXT records insecure?

I will refer you to the security considerations section of the internet draft. Note that the insecurity is one reason that the TXT record portion of the draft was not added to RFC 4120 as the DNS SRV records portion was.

http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03

>> Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.
>
> You can do the same with DNS poisoning, if you do not trust DNS any name resolution becomes insecure. Isn't validation all about verifying the KDC is one we can really trust by using a trusted secret?

If the host name resolves to a different IP address, the authentication will fail.

>> Second, any domain_realm mapping for your domain .foo.com is going to override the use of DNS lookups. That is because local configuration data is considered to be trustworthy whereas DNS lookups are not.
>
> How is local configuration data trustworthy given that to resolve names to IPs we still rely on DNS? Or do you also rely on /etc/hosts for most of the data?

If the host name resolves to a different IP address, the authentication will fail.

>> The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
>
> Do we have information on which clients support referrals? And are they implemented in MIT KDC (and how)?

Heimdal, MIT, and Microsoft support referrals as implemented in Windows Active Directory. The IETF Kerberos working group is still working on an RFC for referrals.

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-10.txt

Jeffrey Altman
Re: Question about dns_lookup_realm and domain_realm
Simo Sorce wrote:
> Uhmm, perhaps we are thinking of two different things; once you control DNS you control both direct and reverse address resolution.

Hence the reason that reverse DNS lookups are not to be used, as per the Security Considerations of RFC 4120.

Jeffrey Altman
Re: Question about dns_lookup_realm and domain_realm
Jos Backus wrote:
> (I know, following up on myself...)
>
> http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS says:
>
>   The second mechanism works by looking up the information in special TXT records in the Domain Name Service. This is currently not used by default because security holes could result if the DNS TXT records were spoofed. If this mechanism is enabled on the client, it will try to look up a TXT record for the DNS name formed by putting the prefix _kerberos in front of the hostname in question.
>
> (Fwiw, 1.5.4 has similar verbiage.)
>
> The dns_lookup_realm libdefaults option supposedly enables this mechanism on the client. The doc for it says:
>
>   Indicate whether DNS TXT records should be used to determine the Kerberos realm of a host.
>
> However, this doesn't actually work (at least in krb5 1.6.1, and likely other MIT versions as well), so either the docs are incorrect or there's a bug.

This behavior was most likely broken when the referrals code was added.
Re: Question about dns_lookup_realm and domain_realm
Jos Backus wrote:
> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>> This behavior was most likely broken when the referrals code was added.
>
> So it's a regression. Until this is fixed properly (which I don't claim my patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong with the patch as such?

There are several issues here. First, DNS TXT records are known to be insecure. Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.

Second, any domain_realm mapping for your domain .foo.com is going to override the use of DNS lookups. That is because local configuration data is considered to be trustworthy whereas DNS lookups are not.

In the case of two realms, PROD.FOO.COM and DEV.FOO.COM some of your hosts are in one and some are in the other. By default you want PROD.FOO.COM to be used. However, for specific hosts you want DEV.FOO.COM. Using the config file you would specify

[domain_realm]
 devhost1.foo.com = DEV.FOO.COM
 .foo.com = PROD.FOO.COM

If you want to rely on DNS TXT records you have to make sure that there are no mappings in the config file. Then you would create records for

_kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
_kerberos.foo.com IN TXT PROD.FOO.COM

Because DNS TXT records are insecure and there is a need to be able to provide for centralized configuration data Microsoft created the Kerberos referrals mechanism. Using referrals a client asks the KDC belonging to the TGT realm for a referral to the correct realm for the desired service principal. Referrals are used whenever there is not a local [domain_realm] mapping.

The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
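The precedence this reply lays out (local [domain_realm] mapping first, a KDC referral when there is no mapping, DNS TXT only after the referral fails), together with the earlier "service principal missing its realm" thread where db.wg fell outside the .staging.wg and staging.wg entries, as an added worked model. This is not MIT krb5 library code; the mapping semantics (an exact host entry, then parent domains with a leading dot, most specific first) are a simplification of the krb5.conf rules, the referral and TXT lookups are stand-ins over constructed tables, and FOO_MAP, FOO_ZONE, STAGING_MAP and STAGING_KDC are sample data built from the hostnames in the two threads:

```python
"""Host-to-realm resolution in the order the thread recommends: local
[domain_realm] first, KDC referral next, DNS TXT records last.
Added illustration over constructed data, not MIT krb5 code."""
from typing import Callable, Dict, Optional, Tuple

Lookup = Callable[[str], Optional[str]]


def domain_realm_lookup(mapping: Dict[str, str], host: str) -> Optional[str]:
    """Resolve host against a [domain_realm] table.

    Keys without a leading dot match one host exactly; keys with a leading
    dot match every host below that domain. The most specific entry wins:
    the exact host, then its parent domains from longest to shortest.
    (Simplified model of the krb5.conf semantics, not the library code.)
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # "a.b.c" -> ".b.c" -> ".c"
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def txt_lookup_factory(zone: Dict[str, str]) -> Lookup:
    """Model of the _kerberos TXT mechanism over a constructed zone.

    The query name is "_kerberos." + host; when that name has no record the
    parent domains are tried in turn. Nothing here is authenticated, which
    is why the thread treats it as the least trustworthy source.
    """
    def lookup(host: str) -> Optional[str]:
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            name = "_kerberos." + ".".join(labels[i:])
            if name in zone:
                return zone[name]
        return None
    return lookup


def referral_factory(kdc_table: Dict[str, str]) -> Lookup:
    """Model of a referral answered by the TGT realm's KDC.

    The table stands in for what that KDC knows about service hosts; a real
    referral reply is protected by the TGT session key, so its answer is
    trusted in a way a TXT record cannot be.
    """
    def lookup(host: str) -> Optional[str]:
        return kdc_table.get(host.lower().rstrip("."))
    return lookup


def resolve_realm(host: str, mapping: Dict[str, str], referral: Lookup,
                  dns_txt: Lookup) -> Tuple[Optional[str], str]:
    """Return (realm, source) using the precedence the thread recommends."""
    realm = domain_realm_lookup(mapping, host)
    if realm:
        return realm, "domain_realm"
    realm = referral(host)
    if realm:
        return realm, "referral"
    realm = dns_txt(host)        # consulted only once the referral has failed
    if realm:
        return realm, "dns_txt"
    return None, "unresolved"


# Constructed sample data mirroring the two threads.
FOO_MAP = {"devhost1.foo.com": "DEV.FOO.COM", ".foo.com": "PROD.FOO.COM"}
FOO_ZONE = {"_kerberos.devhost1.foo.com": "DEV.FOO.COM",
            "_kerberos.foo.com": "PROD.FOO.COM"}
STAGING_MAP = {".staging.wg": "STAGING.WG", "staging.wg": "STAGING.WG"}
STAGING_KDC = {"db.wg": "STAGING.WG"}    # what the STAGING.WG KDC can refer to
NO_REFERRAL = referral_factory({})
NO_TXT = txt_lookup_factory({})

if __name__ == "__main__":
    print(resolve_realm("devhost1.foo.com", FOO_MAP, NO_REFERRAL, NO_TXT))
    print(resolve_realm("web2.foo.com", {}, NO_REFERRAL, txt_lookup_factory(FOO_ZONE)))
    print(resolve_realm("db.wg", STAGING_MAP, referral_factory(STAGING_KDC), NO_TXT))
    print(resolve_realm("db.wg", {**STAGING_MAP, ".wg": "STAGING.WG"}, NO_REFERRAL, NO_TXT))
```

The second return value is the point of the exercise: it tells you which source decided the realm, so a client that ends up with "dns_txt" for a host you thought was covered by local configuration has a mapping gap, just as db.wg did. Adding the .wg entry mentioned in the earlier thread moves that host back to "domain_realm" without touching DNS or the KDC.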