Re: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Christopher D. Clausen
I have used this as a guide, but I think MIT Kerberos version 1.10 is the latest available: https://www.cisecurity.org/benchmark/mit_kerberos Not sure if this is what you are looking for or not. < Preferably something smaller and more focused than nmap or OpenSCAP. 😉 From: Brent Kimberley Sent

Re: Constraint Delegation with MIT Kerberos

2019-04-05 Thread Christopher D. Clausen
It would be helpful to understand more of your environment. Can you provide more details of what you are trying to accomplish? Are multiple Kerberos realms involved or just a single Active Directory domain? Is an MIT KDC involved? Or just MIT Kerberos clients? What errors are you seeing with M

Re: Constraint Delegation with MIT Kerberos

2019-04-05 Thread Christopher D. Clausen
For Active Directory: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview < I did not get a response from anybody. Does anybody have instructions for > setting up Constraint Delegation on any platform? > > Thanks, > Joseph > > -Origin

Re: Windows KDC - Delegation Option

2014-02-10 Thread Christopher D. Clausen
Try checking the "Account is sensitive and cannot be delegated" option in the user properties and see if that does what you want. (I'm not sure if it will or not, but I believe this is the option actually intended to prevent Kerberos delegation.) < Hi, > > Scenario : User A forwards his creden

Re: Streamlining host principal keytab provisioning?

2012-04-24 Thread Christopher D. Clausen
I'm not using this myself (I create keytabs as needed manually using ktpass.exe against AD) but this may be of interest to some of you: http://www.eyrie.org/~eagle/software/wallet/ "One of the object types it supports is Kerberos keytabs, making it suitable as a user-accessible front-end to Kerb

Re: Problem with kerberos - kvno getting bumped..

2010-10-25 Thread Christopher D. Clausen
That blog doesn't say what you think it says, and I suspect it is referring to domain joined Windows computers, not pure Kerberos non-Windows ones. You'll note that when the CLIENT initiates a password change, the kvno is incremented. This happens with any flavor of Kerberos. The (client) com

Re: trouble deciding which kerberos flavor

2010-10-25 Thread Christopher D. Clausen
Ken Dreyer wrote: > On Thu, Oct 21, 2010 at 1:10 PM, eric wrote: >> I just want to know any differences that MIT and Heimdal have with each >> other: > > I think someone at the 2010 Kerberos Conference summarized it this way: > > MIT is likely to be what your OS vendor ships. Heimdal has more fea

Re: What are the issues with dns_lookup_realm ?

2010-10-11 Thread Christopher D. Clausen
Brian Candler wrote: > The error message from /var/log/http/ssl_error_log was unhelpful: > > [Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185] > krb5_verify_init_creds() failed: Key table entry not found > > What was even more odd, if I did a 'su' to the apache user, I was able to > 'kini

Re: Using ksu/sudo with Kerberos

2010-10-04 Thread Christopher D. Clausen
Russ Allbery wrote: > Brian Candler writes: > >> (1) create separate principals for each user who should have root access, >> e.g. >> candl...@foo.example.com >> candlerb/ad...@foo.example.com > >> Then map */admin to the root account using auth_to_local, and people >> can use ksu to

Re: Kerberos troubles

2010-09-21 Thread Christopher D. Clausen
Jean-Yves Avenard wrote: > I have now identified the cause of the issue. > When using mod_auth_kerb with MIT krb5 v1.6.x it works perfectly > with krb5 1.7 and 1.7.1 same. > However, I get this "GSS-API major_status:000d, > minor_status:000186a3" error whenever I use MIT 1.8.x kerberos > libra

Re: MIT kdc with Windows 7 pc

2010-09-21 Thread Christopher D. Clausen
Jean-Yves Avenard wrote: > Am I to understand that it is not currently possible to authenticate > on a windows machine using a MIT kerberos KDC ? It would be a good > windows domain replacement I sort-of have this working, although this is probably different than your setup. UIUC.EDU is an MIT

Re: Any way to propagate db

2010-06-02 Thread Christopher D. Clausen
Russ Allbery wrote: > Simo Sorce writes: >> Ah sorry, I thought he wanted to use them as completely alternative >> users. If you do map each MIT principal to an existing Windows user then >> it does work, although it seem to make sense only as a transition tool >> to me. > > It's the way that we

Re: Kerberos help required.

2010-03-23 Thread Christopher D. Clausen
Jeremy Hunt wrote: > On 23/03/2010 3:18 PM, Sayali Patankar wrote: >> I require some help in understanding Kerberos. I am very new to this >> concept and hence required help in some basic commands. >> My application uses Kerberos and I wanted to know whether there is some >> unix command which I

Re: Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials - SOLVED

2010-03-23 Thread Christopher D. Clausen
John Jasen wrote: > Michael B Allen wrote: > >> Actually I would not be surprised if that "hot fix" is never made >> public. DES is being phased out. If you have any Windows accounts that >> use DES, you should update them to AES-256, AES-128 or RC4 in that >> order of preference. > > I'd have to

Re: remctld on windows

2010-02-26 Thread Christopher D. Clausen
Jason Edgecombe wrote: > Christopher D. Clausen wrote: >> Jason Edgecombe wrote: >>> We want to have a tool for our help desk students to list and kill >>> processes for other users on workstations along with being able to >>> trigger a remote shutdown or rebo

Re: remctld on windows

2010-02-26 Thread Christopher D. Clausen
Jason Edgecombe wrote: > We want to have a tool for our help desk students to list and kill > processes for other users on workstations along with being able to > trigger a remote shutdown or reboot. Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows systems and already do this,

Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
ng over there. But I could not understand it. > > It's my humble request to verify those and make me understand. > > > > > > From: Christopher D. Clausen > To: raj esh L > Cc: kerberos@mit.edu > Sent: Wed, 20 January, 2010 21:15:

Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
3 > TCP Statistics for IPv4 > Failed Connection Attempts = 4275 > Segments Retransmitted = 24512 > UDP Statistics for IPv4 > Receive Errors = 22753 > > > Please let me know if any other information is required. > > > > > >

Re: Windows event id 4 (kerberos)

2010-01-19 Thread Christopher D. Clausen
Is this for an actual Windows computer? Or a non-Windows machine running something like Samba? - I see these all the time. I believe these occur on occasion when a computer account automatically updates its machine account password in Active Directory. (This is a normal function of a co

Re: openssh + kerberos + windows ad

2010-01-07 Thread Christopher D. Clausen
Marcello Mezzanotti wrote: > On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen wrote: >> 1) What version(s) of PuTTY work in your environment? Did you try the >> developer's build from the official PuTTY site? > > http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip > > i tested another clie

Re: KfW 64bit plus 32bit apps

2010-01-07 Thread Christopher D. Clausen
Nikolay Shopik wrote: > Hello, > > Does 64bit version of KfW work with 32bit version app? Because for me > looks like 64bit version doesn't work with 32bit apps. No. Just install both the 32-bit and 64-bit versions to support both 32-bit and 64-bit apps. And last I tried it, the order they wer

Re: openssh + kerberos + windows ad

2010-01-04 Thread Christopher D. Clausen
Marcello, Can you show us the output of klist -kte (as root) on the machine running sshd? You need to have a proper keytab for ssh to use GSSAPI authentication. Against AD, you can generate a keytab using ktpass.exe. Make sure you are using the 2003 SP2 version (or newer) of ktpass as some k

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-18 Thread Christopher D. Clausen
Jeff Blaine wrote: > Thanks Doug > >> The which PuTTY has GSSAPI: >> >> Quest has one that uses SSPI. http://rc.quest.com/topics/putty/ > > Hmm, I can't see to get this to work at all (ignoring CVS). > > I have KfW creds for jblaine, afs, and krbtgt on this Windows > box. I believe that Quest's p

Re: windows 2003 domain controller, mod_auth_kerb in linux, issue with kerberos

2009-07-15 Thread Christopher D. Clausen
Windows AD accounts require "allow this account to be trusted for delegation" to have Internet Explorer actually delegate credentials to the web server (which you are requesting via the KrbSaveCredentials On parameter.) Try turning this off and see if it does what you want. Also, (and this is p

Re: ftp client: authentication failed

2009-07-15 Thread Christopher D. Clausen
Lloyd wrote: > Hi, > I am new to kerberos and trying to set up in a sample scenario as > part of learning. I have downloaded and installed Kerberos 5 on a > Linux system. As per the install guide I have successfully configured > KDC and Application server. in the application server the "ftpd" >

Re: kerberos and windows XP home edition

2009-06-18 Thread Christopher D. Clausen
Hubert Chomette wrote: > I try to add a windows XP home edition on my realm and I've got issue. > Same setup works with windows XP pro. > Is there an incompatiblity with XP home or do I miss something with > the configuration? > thank's for your help I know that Windows XP Home systems do not sup

Re: cross-realm authentication problem

2009-05-29 Thread Christopher D. Clausen
Bjørn Tore Sund wrote: > I'd like to thank Douglas Engert, Christopher Clausen and Guillaume > Rosse for the help with this matter. Netdom.exe was indeed the > answer, and as I was pestering our main AD honcho on the matter he > started to remember (I still don't...) that I'd pulled up that > com

Re: cross-realm authentication problem

2009-05-28 Thread Christopher D. Clausen
Bjoern Tore Sund wrote: > Any ideas where I need to look to figure this one out? It looks as if > the RHEL5 server somehow fails to inform the windows client that it > needs to get a TGT for UNIX.UIB.NO, but why then does the RHEL4 > server provide this information? Kerberos works the other way.

Re: Sudo w/Ticket Support

2009-05-07 Thread Christopher D. Clausen
pete...@bigfoot.com wrote: > Main reason for not setting NOPASSWD is because I don't have control > over the sudoers file on most of the systems I have access to. And > the SA's are very reluctant to use "NOPASSWD". Do you know about the ksu command? Or using a ~root/.k5login and ssh -o "GssapiA

Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???

2009-04-07 Thread Christopher D. Clausen
kerbie_newbie wrote: > At least in Apache 2.0, it is extremely difficult in Apache to get two > authentication modules to co-exist; Apache by and large considers any > particular portion of the URL space to be protected by only one > authentication scheme (possibly combined with IP address > restr

Fw: Kerberos Password change over WWW

2009-04-02 Thread Christopher D. Clausen
Brett Delle Grazie wrote: > Is there an open-source product that is secure and will permit > password changes to kerberos via the web (e.g. .cgi program or > similar). I am expecting the user to have already authenticated with > their existing username / password - this is so they can then change

Re: Finding the version of kinit/klist

2009-03-06 Thread Christopher D. Clausen
Ken Raeburn wrote: > On Mar 6, 2009, at 13:43, pete...@bigfoot.com wrote: >> Is there any way to determine the version of kinit or klist? > > I'm afraid not, aside from the krb5-config option you noted. > > It's still in our bug database, but hasn't gotten any attention yet. > :-( (I knew it had

Re: Kerberos <-> Microsoft Active Directory & DNS

2009-01-29 Thread Christopher D. Clausen
Michael B Allen wrote: > In general, both the MIT and Heimdal clients are not optimized for a > Windows environment. We have an AD integration product that uses > Heimdal that we made a lot of changes to try to better emulate Windows > behavior. Please just stop trying to sell folks your product

Re: Solaris 10 client, MIT 1.6 server, kpasswd command

2008-12-07 Thread Christopher D. Clausen
Edward Irvine <[EMAIL PROTECTED]> wrote: > Has anyone else had trouble changing passwords from a Solaris client? > > I'm using the Solaris 10 version of kpasswd: > > /bin/kpasswd unsername > kpasswd: Changing password for [EMAIL PROTECTED] > Old password: > kpasswd: Cannot establis a session with

Re: WTS and KfW for SPNEGO

2008-11-07 Thread Christopher D. Clausen
Christian, I recommend that you read through this email and follow its instructions: http://mailman.mit.edu/pipermail/kerberos/2008-January/012978.html That should solve the problem permanently. I personally like having my own per-user krb5.ini. I can fix configuration problems on machines wher

Re: WTS and KfW for SPNEGO

2008-11-06 Thread Christopher D. Clausen
I bet the problem is that KfW is switching to a per-user krb5.ini instead of using the one you likely have in C:\Windows. Try to copy your system krb5.ini to c:\documents and settings\user\windows and see if that helps any when in Terminal Services mode. < wrote: > Hi, > > we use Kerberos for

Re: SSO

2008-07-17 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <[EMAIL PROTECTED]> > wrote: >>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are >>> going to perform better. >> >> If by "better" you mean "pretty much the same," yes, modulo the >> conf

Re: Help on using AD as KDC

2008-05-29 Thread Christopher D. Clausen
Zhiguo Huang <[EMAIL PROTECTED]> wrote: > Could any person who has experience on using Active Directory as KDC > give any pointer and helpful instruction? Regarding what? You just use it as a KDC and it works.

Re: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

2008-05-05 Thread Christopher D. Clausen
Can you post and compare your krb5.conf files? Are they identical? Have you asked someone at Stanford? This might be a specific configuration problem for that realm. If you join the #kerberos IRC on Freenode, various people may be able to help you out interactively. < wrote: > Hi Again, > >

Re: max number of requests/sec (on KDC)

2008-04-22 Thread Christopher D. Clausen
Matthew Loar <[EMAIL PROTECTED]> wrote: > Vladimir Konrad <[EMAIL PROTECTED]> wrote: >> Hello, >> >> Is there a way to increase allowed number of requests per second on >> KDC? I have several different CRON jobs (using the same keytab in >> kinit), which run at the same time, and I get: >> >> DISPA

Re: support SSO in Windows with Keberos TGT

2008-02-19 Thread Christopher D. Clausen
sylvain cortes <[EMAIL PROTECTED]> wrote: > So, for example, a windows computer which use Putty can present a > kerberos ticket to a Unix machine with the Centrofy client, without > any re-authentication. And Unix to Windows, or Unix to Unix works > also in the same way. You can do that without pa

Re: kadmin -c : shouldn't this work?

2008-02-14 Thread Christopher D. Clausen
Jeff Blaine <[EMAIL PROTECTED]> wrote: > % /usr/rcf-krb5/bin/kinit -p admin/admin > Password for admin/[EMAIL PROTECTED]: > % /usr/rcf-krb5/sbin/kadmin -c /tmp/krb5cc_26560 > Authenticating as principal admin/[EMAIL PROTECTED] with existing > credentials. > kadmin: Matching credential not found whi

Re: [lib]kadm on Windows?

2008-01-25 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > We took an end-run around this problem and instead use: > >http://www.eyrie.org/~eagle/software/kadmin-remctl/ > > to provide a remctl interface to kadmin calls. This still requires > that you get remctl working on Windows, though. It may or may not b

Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
-) > > Colin > > On Wed, 2008-01-09 at 17:13 +, Christopher D. Clausen wrote: >> Colin Simpson <[EMAIL PROTECTED]> wrote: >>> I'm looking at finding a new solution to syncing password between AD >>> and >>> Kerberos. We had been using CEDAR

Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
Colin Simpson <[EMAIL PROTECTED]> wrote: > I'm looking at finding a new solution to syncing password between AD > and > Kerberos. We had been using CEDAR for this and it's great but the > passwdHK dll on windows hates it if you pass in 8 bit ascii password. AD already is Kerberos. Why don't you

Re: Heimdal KDC, Windows XP and local users

2008-01-09 Thread Christopher D. Clausen
Victor Sudakov <[EMAIL PROTECTED]> wrote: > I have configured Windows XP to use a Heimdal KDC for user > authentication. All existing Windows users can authenticate against > the KDC, user > mapping is "ksetup /mapuser * *". > > However, Windows does not create a new local user with the same name >

Re: Query about an admin testing a user's creds

2008-01-06 Thread Christopher D. Clausen
Coy Hile <[EMAIL PROTECTED]> wrote: > If we need to test, for example, that a user is actually getting a > TGT, we need to inform the user that we're changing their password > temporarily, change it, authenticate as them directly, and then have > them change it back. We've all been wondering aloud

Re: mac os x ticket cache

2007-11-29 Thread Christopher D. Clausen
Ranga Samudrala <[EMAIL PROTECTED]> wrote: > On a Mac OS X machine, is there a way to force the SSH client to use > a Kerberos TGT from a cache on the file system instead of the > default - in the memory? Change what the KRB5CCNAME variable points to.

Re: Need an old MIT Kerberos distribution

2007-10-25 Thread Christopher D. Clausen
Jeff Blaine <[EMAIL PROTECTED]> wrote: > I'm failing to find/get 1.3.0 for a specific need. http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.tar from: http://web.mit.edu/kerberos/dist/historic.html#krb5-1.3-src

Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Oct 1, 11:27 am, "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: >> >> from a cmd.exe prompt (on a computer joined to this domain,) you can >> run net group "domain computers" /domain to get a list all every >&

Re: cross realm and capaths question

2007-10-01 Thread Christopher D. Clausen
Douglas E. Engert <[EMAIL PROTECTED]> wrote: > Markus Moeller wrote: >>> TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28) > > This looks like AD is checking the transited path, and does not like > it. RFC4120 section 2.7 does not require the KDC to check the > transited field, and the client

Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > How can I list all the servers that I have mapped with the Ktpass > command? > > We are using Kerberos for SSO from our Middle Tier application that we > develop. To make this work I must map the middle Tier's servername > with an account in the domain. Here's a sample

Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-05 Thread Christopher D. Clausen
Anthony Brock <[EMAIL PROTECTED]> wrote: > No, the entire network is on a single, private IP address range. In > fact, I'm trying these particular commands on the same host that > kadmind is running on. However, the behavior is identical from a > remote host. Does kpasswd work on the KDC itself fo

Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-04 Thread Christopher D. Clausen
Anthony Brock <[EMAIL PROTECTED]> wrote: > I have created several cross-realm trusts on a test server. At this > point, nearly everything is working properly. However, users are > unable to change their passwords unless their account is in the > initial domain. Users see the following when attempti

Re: Active Directory LDAP SSH

2007-09-04 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On 9/4/07, Roman S <[EMAIL PROTECTED]> wrote: >> I've configured a Microsoft Active Directory with LDAP and Kerberos, >> and some Linux (Redhat) clients who authenticate to it. >> I'm able to get some tickets for the users who are in the Active >> Direct

Re: Using keytab on Windows with KfW

2007-08-12 Thread Christopher D. Clausen
Markus Moeller <[EMAIL PROTECTED]> wrote: > Thanks for the pointer. I thought I fixed the enctypes in krb5.ini > too, but copied it under the domain_realm section instead of > libdefaults. (The default krb5.ini didn't have the same order as my > krb5.conf ) I'd strongly suggest NOT specifying enc

Re: Using keytab on Windows with KfW

2007-08-12 Thread Christopher D. Clausen
Markus Moeller <[EMAIL PROTECTED]> wrote: > I am trying to use a keytab on Windows with KfW 3.2, but get always > an error "Key table entry not found while getting initial > credentials". The account works interactively and if I use the keytab > on Unix it works fine too. > Is this a known problem

Re: "Key table entry not found while verifying ticket for server"

2007-08-05 Thread Christopher D. Clausen
Danny Mayer <[EMAIL PROTECTED]> wrote: > Peter Losher wrote: >> Yup, I had fatfingered the hostname during the initial OS install; >> what you said above reminded me to check the one place I hadn't >> updated - /etc/hosts. :) > > /etc/hosts??? That doesn't sound like a place ISC would use! Does the

Re: Where can I find how-to advice on setting up a local KDC?

2007-08-03 Thread Christopher D. Clausen
Kevin Koch <[EMAIL PROTECTED]> wrote: > It is too hot to work upstairs where the wired connection is. The > wireless on this laptop stops connecting randomly. I can't debug NIM > timing issues without being able to connect to a KDC. I can't ship a > product without those fixes. > > Where can I f

Re: Kerberos for authentication, php for authorization

2007-06-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Windows the two browsers can only acquire credentials > from the LSA which means the workstation needs to be joined to a > domain, I believe. That isn't true. You can configure FireFox on Windows to use credentials from Kerberos for Windows ccaches instead of using

Re: Use ssh key to acquire TGT?

2007-06-03 Thread Christopher D. Clausen
John Hascall <[EMAIL PROTECTED]> wrote: >> One of these days I'm going to request (for HCOOP) crossrealm trusts >> with the top 10 computer science universities in the USA [*] and >> document (a) my success rate, (b) how many emails it took, and (c) >> how many months from first request to working

Re: Use ssh key to acquire TGT?

2007-06-02 Thread Christopher D. Clausen
Russ Allbery <[EMAIL PROTECTED]> wrote: > Adam Megacz <[EMAIL PROTECTED]> writes: >> "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >>> UIUC has AFS? Is there some other UIUC that I don't know about? > >> Hrm, I was going by the

Re: Use ssh key to acquire TGT?

2007-06-01 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > John Hascall <[EMAIL PROTECTED]> writes: >> How many of the top-10 use Kerberos? >> And what exactly is the top-10 (which list?)( >> For the sake of argument let's say they are: > > Well, based on AFS usage (which requires Kerberos right now), all of > the sc

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > "Christopher D. Clausen" <[EMAIL PROTECTED]> writes: >> How exactly is having a private key password different from simply >> telling the user to kinit ONCE on their local machine before >> attempting to SSH to you

Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz <[EMAIL PROTECTED]> wrote: > Our (hcoop.net) users love their new AFS homedirs, but are complaining > a lot about ssh public keys not working the way they're accustomed to. > Telling them to "kinit" after logging in doesn't quite cut it either. > > We're aware that this goes against the

Re: kerberos, hpux 11.11, ssh

2007-05-09 Thread Christopher D. Clausen
Wilson, Michael <[EMAIL PROTECTED]> wrote: > ***KLIST -kte*** > [abc]:/var/adm/syslog # klist -kte > Keytab name: FILE:/etc/krb5.keytab > KVNO Timestamp Principal > - > >6 05/08/07 16:12:33 host/[EMAIL PROTECT

Re: kerberos, hpux 11.11, ssh

2007-05-08 Thread Christopher D. Clausen
Wilson, Michael <[EMAIL PROTECTED]> wrote: > Hello, > > We are running into problems with the installation of Kerberos V5 on > and hpux 11.11 machine. > > When we try to login using Active Directory Authentication we get the > following in our debug.log file: > > May 8 09:59:21 PAM: load_function:

Re: Cross Realm MIT <-> Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On Thu, 3 May 2007 20:31:55 -0500 > "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: >> Try creating a ~/.k5login file in the home directory of >> the user you are logging in as listing authorized Kerberos >

Re: Cross Realm MIT <-> Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen <[EMAIL PROTECTED]> wrote: > On Thu, 3 May 2007 23:33:29 +0100 > "Markus Moeller" <[EMAIL PROTECTED]> wrote: > >> What does sshd -ddde show when you connect ? Do you use a .k5login >> or auth_to_local ? > > Hi Markus, > > I'm not familiar with .k5login or auth_to_local. The only th

Re: Kerberos for Windows NT 4.0

2007-05-02 Thread Christopher D. Clausen
Warren Coykendall <[EMAIL PROTECTED]> wrote: > Hello, I was wondering we have a NT 4.0 domain which we cannot > migrate to Windows 2003. Is there a way to have the NT 4.0 domain > work with Kerberos so we can get single sign-on w/out the pain of > upgrading to active directory? I do not think the

Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M <[EMAIL PROTECTED]> wrote: > Yep. Tried that. Same behavior. It's not just one linux machine, it's > all linux machines that do this. So it's something that's set > environment wide...I've ruled out the firewall...not sure what else it > could be. What does your krb5.conf file look like? Do you hav

Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M <[EMAIL PROTECTED]> wrote: > We use Active Directory to create User accounts and make the person > change his/her password the first time he/she logs on to any of our > machines (linux or windows). Changing password on the Windows machines > works just fine but no one can change their passwords o

Re: Win Kerb Server

2007-03-06 Thread Christopher D. Clausen
Gayal <[EMAIL PROTECTED]> wrote: > On 2/8/07, Christopher D. Clausen <[EMAIL PROTECTED]> wrote: >> Gayal <[EMAIL PROTECTED]> wrote: >>> Hi, >>> I want to implement SSO with Win2003 Server for Linux Clients. >>> But I dont have access to Win2003

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Tue, 20 Feb 2007, Jeffrey Altman wrote: > >> [EMAIL PROTECTED] wrote: >> >>> Is there a way to redirect stderr from kinit/klist to a file? >> >> stdin and stderr cannot be redirected. they are used for password >> prompting > > Hmmm but I'm not trying to redirect

Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Tue, 20 Feb 2007, Jeffrey Altman wrote: >> [EMAIL PROTECTED] wrote: >> >>> Is there a way to redirect stderr from kinit/klist to a file? >> >> stdin and stderr cannot be redirected. they are used for password >> prompting > > Hmmm but I'm not trying to redirect th

Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza <[EMAIL PROTECTED]> wrote: > Yes it's part from krb.client.rte fileset (AIX CD) > > bash-3.00# /usr/krb5/bin/klist -k > Keytab name: FILE:/etc/krb5/krb5.keytab > Unable to start keytab scan. > Status 0x96c73ad5 - Unsupported key table format version > number. > bash-3.00#

Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet <[EMAIL PROTECTED]> wrote: > Ok and about telnet...what can you tell me? > > "[EMAIL PROTECTED]:~$ kinit pippo > Password for [EMAIL PROTECTED]: > [EMAIL PROTECTED]:~$ telnet -a -l pippo lukesky.epiluke.it > Trying 192.168.182.185... > Connected to lukesky.epiluke.it (192.168.182.185). > Es

Re: kadmin problem

2007-02-14 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > This is what i am getting after all > > bash-2.05# kadmin scotty > Enter Password: > Enter Password: > kadmin: Preauthentication failed while initializing kadmin interface Preauth failed is usually a "wrong password" message. Can you kinit scotty ?

Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza <[EMAIL PROTECTED]> wrote: > I did the single sign on working, but now I'm trying to do aix > authenticate using kerberos to a 2003 AD without ticket verification > (non single sign on) > > Now..the password changes in AD is immediately noticed by client(AIX). > > But I still have

Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet <[EMAIL PROTECTED]> wrote: > I tray and I have this: > > [EMAIL PROTECTED]:~$ kinit -k host/[EMAIL PROTECTED] > kinit(v5): Permission denied while getting initial credentials > [EMAIL PROTECTED]:~$ sudo kinit -k host/[EMAIL PROTECTED] > [EMAIL PROTECTED]:~$ This is expected. The /etc/krb5

Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
LukePet <[EMAIL PROTECTED]> wrote: > So, >> What does klist -kte (as root) show? > > [EMAIL PROTECTED]:~$ sudo klist -kte > 2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (Triple DES > cbc mode with HMAC/sha1) > 2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (DES cbc > mode with CRC-32) > >> Can you ki

Re: Win Kerb Server

2007-02-08 Thread Christopher D. Clausen
Gayal <[EMAIL PROTECTED]> wrote: > Hi, > I want to implement SSO with Win2003 Server for Linux Clients. > But I dont have access to Win2003 Server. ex:creating keytab files > are not possible. > So i installed MIT Kerberos KDC server to a Debian Etch and try to > implement SSO for Linux Client. > >

Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
Luca Petrini <[EMAIL PROTECTED]> wrote: > Hello, I'm italian user and my name is Luca. > > I'm working with Kerberos on my Ubuntu 6.10. > > 1) Configure the /etc/hosts file: > 127.0.1.1 laptop > 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it > 127.0.0.1 localhost localhost.local

Re: KDC not included with Kerberos V5 for Windows?

2007-02-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > Am I correct in concluding that there isn't a KDC binary for > DOS/Windows (or kadmin, KDB5_Util etc)? Yes.

Re: kinit problem

2007-02-05 Thread Christopher D. Clausen
s any other kerberos commands found in the > solaris environment. How can I proceed? > > Thanks, > Scotty > > "Christopher D. Clausen" <[EMAIL PROTECTED]> wrote: scotty adams > wrote: >>Cause: The host that was entered for the admin server, also >

Re: kinit problem

2007-02-04 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: >Cause: The host that was entered for the admin server, also > called the master KDC, did not have the kadmind daemon running. > Solution: Make sure that you specified the correct host name for the > master KDC. If you specified the correct host name,

Re: Kerberos environment under windows

2007-02-01 Thread Christopher D. Clausen
I don't know to do this from C code, but I generally kinit -kt \path\to\keytab principal/[EMAIL PROTECTED] and then run the app as needed. No need to additionally code in keytab support into the app. < wrote: > Hi, > > actually I'm trying to write a C app (similar to the sample gss-client > and g

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-02-01 Thread Christopher D. Clausen
Lars Schimmer <[EMAIL PROTECTED]> wrote: > Christopher D. Clausen wrote: >> Lars Schimmer <[EMAIL PROTECTED]> wrote: >>> Christopher D. Clausen wrote: >>>> So you have an Active Directory domain that the Windows machines >>>> are on?

Re: Kerberos environment under windows

2007-01-31 Thread Christopher D. Clausen
Peger, Daniel Heinrich <[EMAIL PROTECTED]> wrote: > How do I tell a C/C++ (using GSSAPI) app what my current kerberos > environment is? For testing purposes I don't want to use the standard > environment but authenticate against a test kerberos setup, which > needs to be specified somewhere. Edit t

Re: Cache location in KFW

2007-01-31 Thread Christopher D. Clausen
Diego Lima <[EMAIL PROTECTED]> wrote: > Is there any way I can point the default cache location to > FILE:c:\path\ticket so that upon log on the ticket will be available > there? Setting the KRB5CCNAME environment variable seems to work for me. > And where can I find some detailed documentation o

Re: kinit problem

2007-01-31 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > i am getting the following error: We need more details. > kinit: Cannot contact any KDC for requested realm while getting > initial credentials Which realm are you requesting tickets in? (E.g. what principal are you passing to kinit.) What does your k

Re: klist problem

2007-01-31 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > bash-2.05# klist -k > Keytab name: FILE:/etc/krb5/krb5.keytab > klist: Unknown code 2 while starting keytab scan > > etc/krb5/krb5.keytab doesn't exist, can anyone assist me Why are you running klist -k if you do not have a valid keytab file? (Error code 2

Re: Re.How to configure kerberos with windows 2000 AD

2007-01-30 Thread Christopher D. Clausen
Bharat Thakur <[EMAIL PROTECTED]> wrote: > Dear Sir, > Thanks for your reply. There are three linux server and one windows > 2003 AD(R2) in same network with 180 linux thin clients and 400 > windows clients. KDC installed in first linux server other two are > application server for sun clients. I w

Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-01-30 Thread Christopher D. Clausen
Lars Schimmer <[EMAIL PROTECTED]> wrote: > Christopher D. Clausen wrote: >> Lars Schimmer <[EMAIL PROTECTED]> wrote: >>> Thanks for the link. >>> Maybe I don't get it right on my thoughts. >>> Setup here: >>> AD with 1 server and x client

Re: kerberos configuration

2007-01-30 Thread Christopher D. Clausen
scotty adams <[EMAIL PROTECTED]> wrote: > Hi Christopher, > > Actually i need the SEAM > Can you also pass me a full KDC configuration? No, I cannot. I suggest that you read the Sun Docs on SEAM: http://docs.sun.com/app/docs/doc/816-5164 And please reply to the list, not to me directly.

Re: No Kerberos environment found

2007-01-30 Thread Christopher D. Clausen
Gayal <[EMAIL PROTECTED]> wrote: > Greetings, > > I installed MIT krb5-kdc, krb5-admin-server, krb5-user using apt-get > install on my Debian Etch box. Use the Debian package libapache2-mod-auth-kerb instead of trying to compile from source.

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Mon, 29 Jan 2007, Christopher D. Clausen wrote: >> [EMAIL PROTECTED] wrote: >> >>> I'm moving the server to a new cluster of RHE hosts that use virtual >>> interfaces (eg. eth0:1) to allow for failover to a new host while >>

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > On Mon, 29 Jan 2007, Christopher D. Clausen wrote: >> Can you simply fail-over using the same IP on both interfaces? (I >> believe there is a bonding module in Linux that can do this.) > > The point of the virt interface is so it can be moved to a

Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote: > I'm moving the server to a new cluster of RHE hosts that use virtual > interfaces (eg. eth0:1) to allow for failover to a new host while > still maintaining the original IP address. On this new system I'm > getting the following error when I run sshd in debug (-ddd) mode

Re: Re.How to configure kerberos with windows 2000 AD

2007-01-29 Thread Christopher D. Clausen
Bharat Thakur <[EMAIL PROTECTED]> wrote: > I have installed krb5 in linux AS4. There is already running windows > 2000 Advance Server in the same network. I want to integrate > kerberos with windows AD. So that AD user also can logon through > linux client. Kindly help me to do this. Please don
