Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Turbo Fredriksson

> "Actually" == Actually davidchr <[EMAIL PROTECTED]> writes:

>> 1. Installed W2k Pro 2. Installed SP3 a. Auth to non-M$ KDC
>> requires SP2 or greater!  SP3 is the latest from M$.

Actually> Clarification:

Actually> No service pack is required to make Win2K authenticate
Actually> to a non-MS KDC-- it works out of the box.  However,
Actually> installing the latest SP is still always recommended.

On some M$ site page, it was said that SP2 (or higher) was required.

Kerberos mailing list   [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos



Re: thread safety of gssapi and dependencies

2002-10-03 Thread Sam Hartman

The krb5 library is not thread safe.  In practice you may be able to
simply put a mutex around context setup (gss_init_sec_context and
gss_accept_sec_context) calls and be OK, but this is not guaranteed.





Re: cracklib patch crashes kadmind

2002-10-03 Thread Jason

Well that is exactly what I did, grabbed the patch, and slurped out the
server_dict.c section, patched and compiled it with #define
KADM5_USE_CRACKLIB 1, but when I try to change a password with kadmin
or kpasswd it kills the kadmind server.  I am using a redhat 7.3
cracklib rpm, so maybe I should get the source for cracklib or
something.  It does not make sense as it works fine with the default
server_dict, but not with the cracklib patch, yet the calls to
cracklib seem quite simple and straightforward.

Now that I know it works for everyone else, I think I will start with
a fresh rebuild of the krb5 and cracklib, as I am the only one to have
this problem.  Although I might just have to debug it to see what the
hell is going on with my build that is not with everyone else's.

I will let you know if I decide to find out what's up.

Thanks all for your input.

Jason  

[EMAIL PROTECTED] (Raymond M Schneider) wrote in message 
news:<[EMAIL PROTECTED]>...
> just some more info on this... I just grabbed Ken's monster patch,
> stripped out everything except for the server_dict.c diff, and applied it
> to server_dict.c from the latest MIT (that I just grabbed a moment ago).
> 
> Every hunk applied successfully. After applying the patch, if you don't mind
> having the use of cracklib forced all the time, then just set
> 
> #define KADM5_USE_CRACKLIB 1
> 
> somewhere in the file before it is used, and voila...done. This is
> essentially what I have done in the past, and at least this part of the
> monster patch applies cleanly.
> 
> Below I've included the stripped out bits from the monster patch for you:
> 
> have fun.
> 
> -ray
> 
> Index: lib/kadm5/srv/server_dict.c
> diff -c krb5/lib/kadm5/srv/server_dict.c:1.1.1.2 krb5/lib/kadm5/srv/server_dict.
> c:1.5
> *** krb5/lib/kadm5/srv/server_dict.c:1.1.1.2Mon Nov  3 16:35:35 1997
> --- krb5/lib/kadm5/srv/server_dict.cThu Dec  4 12:23:30 1997
> ***
> *** 17,29 
> --- 17,39 
>   #include
>   #include
>   #include
> + #ifdef HAVE_MEMORY_H
>   #include
> + #endif
>   #include
>   #include"server_internal.h"
>   
> + #ifndef KADM5_USE_CRACKLIB
>   static char   **word_list = NULL; /* list of word pointers */
>   static char   *word_block = NULL; /* actual word data */
>   static intword_count = 0; /* number of words */
> + 
> + #else /* KADM5_USE_CRACKLIB */
> + static char   *dict_path = NULL;
> + extern char   *FascistCheck();
> + 
> + #endif /* KADM5_USE_CRACKLIB */
> + 
>   extern interrno;
>   
>   /*
> ***
> *** 47,52 
> --- 57,63 
>   return (strcasecmp(*(char **)s1, *(char **)s2));
>   }
>   
> + #ifndef KADM5_USE_CRACKLIB
>   /*
>* Function: init-dict
>* 
> ***
> *** 196,198 
> --- 207,287 
> word_count = 0;
>   return;
>   }
> + 
> + #else /* KADM5_USE_CRACKLIB */
> + 
> + /*
> +  * Get dictionary file path from params, check it and store for later
> +  * use by find_word().
> +  */
> + int init_dict(kadm5_config_params *params)
> + {
> + struct stat st;
> + char *dict_file;
> + 
> + 
> + if (dict_path)/* Already been initialized */
> +   return KADM5_OK;
> + 
> + if (! (params->mask & KADM5_CONFIG_DICT_FILE)) {
> +   syslog(LOG_INFO, "No dictionary file specified, continuing "
> +  "without one.");
> +   return KADM5_OK;
> + }
> + 
> + /*
> +  * Check for one of the cracklib dictionary files. We'll
> +  * assume that if it's there, then the other two are.
> +  *
> +  * Note that for cracklib the path specified is just the
> +  * prefix filename. The actual files will be the path
> +  * plus an appened ".hwm", ".pwd", and ".pwi".
> +  */
> +  
> + dict_file = malloc(strlen(params->dict_file) + 5);
> + 
> + if (dict_file == NULL) {
> +   syslog(LOG_ERR, "malloc() failed.");
> +   return errno;
> + }
> + 
> + strcpy(dict_file, params->dict_file);
> + strcat(dict_file, ".hwm");
> + 
> + if (stat(dict_file, &st) == 0) {
> +   dict_path = params->dict_file;
> +   syslog(LOG_INFO, "Using cracklib dictionary with prefix %s", dict_path);
> + } else {
> +   syslog(LOG_ERR, "WARNING!  Cannot find cracklib dictionary file %s, "
> +  "continuing without one.", dict_file);
> + }
> + 
> + free(dict_file);
> + return KADM5_OK;
> + }
> +   
> + int
> + find_word(const char *word)
> + {
> + char *msg;
> + 
> + 
> + if (dict_path == NULL)
> +   return WORD_NOT_FOUND;
> + 
> + if (msg = FascistCheck(word, dict_path)) {
> +   syslog(LOG_INFO, "cracklib rejected new change: %s", msg);
> +   return KADM5_OK;
> + } else {
> +   return WORD_NOT_FOUND;
> + }
> + }
> + 
> + void
> + destroy_dict(void)
> + {
> + dict_path = NULL;
> + return;
> + }
> + 
> + #endif /* KADM5_USE_CRACKLIB */
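
Review bot: init_dict() only stats the ".hwm" file and, per its own comment, assumes the ".pwd" and ".pwi" files exist, yet find_word() hands dict_path to FascistCheck() on every password change with no further check. Stat all three files before setting dict_path, so that a partial or mismatched dictionary install is caught and logged at startup rather than inside the cracklib call. In find_word(), write the test as "if ((msg = FascistCheck(word, dict_path)) != NULL)" so the assignment is clearly intentional.
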
> 


Re: cracklib patch crashes kadmind

2002-10-03 Thread Raymond M Schneider

just some more info on this... I just grabbed Ken's monster patch,
stripped out everything except for the server_dict.c diff, and applied it
to server_dict.c from the latest MIT (that I just grabbed a moment ago).

Every hunk applied successfully. After applying the patch, if you don't mind
having the use of cracklib forced all the time, then just set

#define KADM5_USE_CRACKLIB 1

somewhere in the file before it is used, and voila...done. This is
essentially what I have done in the past, and at least this part of the
monster patch applies cleanly.

Below I've included the stripped out bits from the monster patch for you:

have fun.

-ray

Index: lib/kadm5/srv/server_dict.c
diff -c krb5/lib/kadm5/srv/server_dict.c:1.1.1.2 krb5/lib/kadm5/srv/server_dict.
c:1.5
*** krb5/lib/kadm5/srv/server_dict.c:1.1.1.2Mon Nov  3 16:35:35 1997
--- krb5/lib/kadm5/srv/server_dict.cThu Dec  4 12:23:30 1997
***
*** 17,29 
--- 17,39 
  #include
  #include
  #include
+ #ifdef HAVE_MEMORY_H
  #include
+ #endif
  #include
  #include"server_internal.h"
  
+ #ifndef KADM5_USE_CRACKLIB
  static char   **word_list = NULL; /* list of word pointers */
  static char   *word_block = NULL; /* actual word data */
  static intword_count = 0; /* number of words */
+ 
+ #else /* KADM5_USE_CRACKLIB */
+ static char   *dict_path = NULL;
+ extern char   *FascistCheck();
+ 
+ #endif /* KADM5_USE_CRACKLIB */
+ 
  extern interrno;
  
  /*
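
Review bot: "extern char *FascistCheck();" in the new #else branch declares the cracklib entry point without a prototype, so the compiler cannot check the two arguments that find_word() passes later in this patch, including the const char *word argument. Declare it with its full parameter list, or include the cracklib header that declares it, so a signature mismatch against the installed cracklib shows up at compile time instead of at run time.
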
***
*** 47,52 
--- 57,63 
  return (strcasecmp(*(char **)s1, *(char **)s2));
  }
  
+ #ifndef KADM5_USE_CRACKLIB
  /*
   * Function: init-dict
   * 
***
*** 196,198 
--- 207,287 
word_count = 0;
  return;
  }
+ 
+ #else /* KADM5_USE_CRACKLIB */
+ 
+ /*
+  * Get dictionary file path from params, check it and store for later
+  * use by find_word().
+  */
+ int init_dict(kadm5_config_params *params)
+ {
+ struct stat st;
+ char *dict_file;
+ 
+ 
+ if (dict_path)/* Already been initialized */
+   return KADM5_OK;
+ 
+ if (! (params->mask & KADM5_CONFIG_DICT_FILE)) {
+   syslog(LOG_INFO, "No dictionary file specified, continuing "
+  "without one.");
+   return KADM5_OK;
+ }
+ 
+ /*
+  * Check for one of the cracklib dictionary files. We'll
+  * assume that if it's there, then the other two are.
+  *
+  * Note that for cracklib the path specified is just the
+  * prefix filename. The actual files will be the path
+  * plus an appened ".hwm", ".pwd", and ".pwi".
+  */
+  
+ dict_file = malloc(strlen(params->dict_file) + 5);
+ 
+ if (dict_file == NULL) {
+   syslog(LOG_ERR, "malloc() failed.");
+   return errno;
+ }
+ 
+ strcpy(dict_file, params->dict_file);
+ strcat(dict_file, ".hwm");
+ 
+ if (stat(dict_file, &st) == 0) {
+   dict_path = params->dict_file;
+   syslog(LOG_INFO, "Using cracklib dictionary with prefix %s", dict_path);
+ } else {
+   syslog(LOG_ERR, "WARNING!  Cannot find cracklib dictionary file %s, "
+  "continuing without one.", dict_file);
+ }
+ 
+ free(dict_file);
+ return KADM5_OK;
+ }
+   
+ int
+ find_word(const char *word)
+ {
+ char *msg;
+ 
+ 
+ if (dict_path == NULL)
+   return WORD_NOT_FOUND;
+ 
+ if (msg = FascistCheck(word, dict_path)) {
+   syslog(LOG_INFO, "cracklib rejected new change: %s", msg);
+   return KADM5_OK;
+ } else {
+   return WORD_NOT_FOUND;
+ }
+ }
+ 
+ void
+ destroy_dict(void)
+ {
+ dict_path = NULL;
+ return;
+ }
+ 
+ #endif /* KADM5_USE_CRACKLIB */
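
Review bot: in init_dict(), "dict_path = params->dict_file;" keeps a pointer into the caller's kadm5_config_params instead of a copy, so find_word() reads freed memory if the caller releases or rewrites that structure after initialisation, and destroy_dict() only sets the pointer to NULL. Store a strdup() of the string and free it in destroy_dict(). In the malloc() failure path, return ENOMEM rather than errno, since the syslog() call in between may change errno.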





RE: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Actually davidchr


> From: Turbo Fredriksson [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, October 03, 2002 4:23 AM

[...]

> 1. Installed W2k Pro
> 2. Installed SP3
> a. Auth to non-M$ KDC requires SP2 or greater!
>SP3 is the latest from M$.

Clarification: 

No service pack is required to make Win2K authenticate to a non-MS KDC--
it works out of the box.  However, installing the latest SP is still
always recommended.

-
This message is provided "AS IS" with no warranties, and confers no
rights.
Message may originate from an unmonitored alias ("davespam").  If so,
use "davidchr" if a direct reply is required. 
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
I reside in Washington, USA, where Title 19 declares that sending me
Unsolicited Commercial Email can result in a $500 fine.
Harvesting of this address for purposes of bulk email (spam and UCE) is
expressly prohibited unless by my explicit prior request.  I retaliate
viciously against spammers and spam sites.





Re: cracklib patch crashes kadmind

2002-10-03 Thread jason . calvert


Yes, the patch was made for a much older version of Krb5.   I certainly was
not complaining Ken, I was happy just to see it compile :).  I was just
wondering if there was a newer patch floating around before I broke out my
debugger.  Like most Sysadmins I don't have much free time for anything,
especially fun stuff like development, so I was hoping there was a newer
patch out there.  I did not mean to imply that the code was bad, sorry if I
did, and thanks for all of your contributions.

Thanks again,

Jason.


   
   
Ken Hornstein <[EMAIL PROTECTED]>
10/03/2002 12:57 PM

To: [EMAIL PROTECTED] (Jason)
cc: [EMAIL PROTECTED]
Subject: Re: cracklib patch crashes kadmind




>Well I tried to hack server_dict.c with crack lib and when attempting
>to change a password kadmind dies.  So I grabbed the patch for
>server_dict out of the monster-patch for afs-krb5 and applied it, and
>got the same results.  I just recompiled the libraries both times.
>
>I am using the krb5-1.2.5 source code, and the monster-patch from
>afs-krb5-1.3.

It's not surprising, since the monster patch is from ... what, 1.0.6?

I've updated the cracklib bits since we've upgraded our KDC to 1.2.6 ...
but I'm still in the middle of the migration, and I've been too busy
to produce a new migration kit.  It's probably going to be a while
until I do (and it may even work out that the bits of the migration
kit simply get folded into the relevant software distributions).

But I will say that all of the work I recall doing regarding cracklib
support was simply fixing up the autoconf stuff ... it "just worked"
after that was done.

--Ken








thread safety of gssapi and dependencies

2002-10-03 Thread Cesar Garcia

Hi,

I was wondering what the thread safety situation is with libgss and
underlying libraries.

We intend to use these apps in heavily threaded applications
(including middle tier servers that act as both security context
initiators and acceptors).

We seem to be running into KRB5_FCC_INTERNAL "Internal credentials
cache error" with the 1.2.2 distribution. We're currently porting to
1.2.6. However, I don't see anything in the release notes that would
indicate 1.2.6 would change this situation much.

I haven't looked at the specifics of these errors at this point. I will
shortly, but I thought I'd throw the question out there for now.

Any insight would be appreciated.

Thanks.




RE: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-03 Thread Actually davidchr


Our gssapi samples do not speak the same wire protocol as the
corresponding gssclient/gssserver in the MIT distribution because ours
are based on an earlier implementation.  See Paul's email on this
(attached).

If you need the samples to test interop between the two implementations,
I recommend that you grab incarnations of gssclient and gssserver from
previous MIT distributions.


> -Original Message-
> From: Tony Hoyle [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, October 03, 2002 10:40 AM
> To: [EMAIL PROTECTED]
> Subject: Re: microsoft xp gssapi client talking to solaris8 
> gssapi server
> 
> 
> On Thu, 3 Oct 2002 15:40:50 + (UTC), [EMAIL PROTECTED] (R
> Howard) wrote:
> 
> >The code I am compiling on XP is from the MS platform
> >SDK (2/2002).  The server on the solaris box is from
> >the krb5-1.2.6 distribution.
> >
> >I am now trying to port the same gss-client from the
> >MIT distribution to the XP box.  The Microsoft
> >compiler does not recognize the gss_nt_service_name
> >function call.
> >
> You can't compile a Unix GSSAPI program on Windows as it 
> isn't compatible at the API level.  The Windows GSSAPI 
> samples are rewritten in SSPI to show the equivalent 
> functions (No, I never got them to work either).
> 
> Tony
> 
> 
> 

--- Begin Message ---

Hi,

It sounds like version skew.

On XP are you compiling the sample code that came from the same MIT
distribution that you are compiling on the Solaris box?

At one time Microsoft was distributing the GSS sample code from an MIT
snapshot. MIT didn't know it at the time and made some incompatible changes
to our sample code. If you mixed the code it didn't work.

Yes, we're sorry about this.

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
R Howard
Sent: Thursday, October 03, 2002 10:39 AM
To: [EMAIL PROTECTED]
Subject: microsoft xp gssapi client talking to solaris8 gssapi server


Hey folks, hope someone can help me with this.  I have
compiled the sample gssapi client on a microsoft xp
box.  It compiled fine.  I have the MIT gssapi sample
server compiled on a solaris box.  The gssapi server
on the solaris box seems to be working fine.  I can
connect to it just fine using the MIT gssapi sample
client.  But when I try to use the gssapi client
supplied by Microsoft it just sits there waiting.  And
the server on the solaris box seems to be waiting as
well.

Has anyone gotten this to work?  Do I need to use the
MIT gssapi sample client on the Microsoft XP box?

Any help would be appreciated.  Thanks


--- End Message ---


Re: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-03 Thread Tony Hoyle

On Thu, 3 Oct 2002 15:40:50 + (UTC), [EMAIL PROTECTED] (R
Howard) wrote:

>The code I am compiling on XP is from the MS platform
>SDK (2/2002).  The server on the solaris box is from
>the krb5-1.2.6 distribution.
>
>I am now trying to port the same gss-client from the
>MIT distribution to the XP box.  The Microsoft
>compiler does not recognize the gss_nt_service_name
>function call.
>
You can't compile a Unix GSSAPI program on Windows as it isn't
compatible at the API level.  The Windows GSSAPI samples are
rewritten in SSPI to show the equivalent functions (No, I never got
them to work either).

Tony





Re: cracklib patch crashes kadmind

2002-10-03 Thread Raymond M Schneider

On Thu, Oct 03, 2002 at 12:57:02PM -0400, Ken Hornstein wrote:
> >Well I tried to hack server_dict.c with crack lib and when attempting
> >to change a password kadmind dies.  So I grabbed the patch for
> >server_dict out of the monster-patch for afs-krb5 and applied it, and
> >got the same results.  I just recompiled the libraries both times.
> >
> >I am using the krb5-1.2.5 source code, and the monster-patch from
> >afs-krb5-1.3.
> 
> It's not surprising, since the monster patch is from ... what, 1.0.6?
> 

I've got the cracklib bits stripped out of the monster patch applied to
1.2.5 I believe, works with no problem. I don't give people the option at
configure time though, the macro is hardcoded so it _has_ to use cracklib
all the time. ;)

So that said, I just wanted to give words of encouragement. Just strip out
Ken's bits about cracklib for the server_dict.c file and apply them, then
deal with the macro as you see fit, either let configure play with it or
set it in the file, i.e.

#define KADM5_USE_CRACKLIB 1

Put that in and cracklib will always be used. I didn't want anyone not using
cracklib so this was my approach at that time.

So just slurp the bit of monster patch out that has to do with FascistCheck
and patch server_dict.c with it and add the macro define above and you
should be in business...

-ray




Re: cracklib patch crashes kadmind

2002-10-03 Thread Ken Hornstein

>Well I tried to hack server_dict.c with crack lib and when attempting
>to change a password kadmind dies.  So I grabbed the patch for
>server_dict out of the monster-patch for afs-krb5 and applied it, and
>got the same results.  I just recompiled the libraries both times.
>
>I am using the krb5-1.2.5 source code, and the monster-patch from
>afs-krb5-1.3.

It's not surprising, since the monster patch is from ... what, 1.0.6?

I've updated the cracklib bits since we've upgraded our KDC to 1.2.6 ...
but I'm still in the middle of the migration, and I've been too busy
to produce a new migration kit.  It's probably going to be a while
until I do (and it may even work out that the bits of the migration
kit simply get folded into the relevant software distributions).

But I will say that all of the work I recall doing regarding cracklib
support was simply fixing up the autoconf stuff ... it "just worked"
after that was done.

--Ken




Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle

Apparently there's a bug in MIT Kerberos 1.2.3-1.2.6 that breaks
Microsoft clients
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=162794&repeatmerged=yes).
The version I'm using seems to have had the first part of the patch
merged but not the second part - although looking at the code I can't
see why the second patch would be necessary (since ret is set to zero
a few lines further down).

I'll try applying the second patch to see if it improves things.

Tony





RE: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-03 Thread R Howard

The code I am compiling on XP is from the MS platform
SDK (2/2002).  The server on the solaris box is from
the krb5-1.2.6 distribution.

I am now trying to port the same gss-client from the
MIT distribution to the XP box.  The Microsoft
compiler does not recognize the gss_nt_service_name
function call.

--- "Paul B. Hill" <[EMAIL PROTECTED]> wrote:
> Hi,
> 
> It sounds like version skew.
> 
> On XP are you compiling the sample code that came
> from the same MIT
> distribution that you are compiling on the Solaris
> box?
> 
> At one time Microsoft was distributing the GSS
> sample code from an MIT
> snapshot. MIT didn't know it at the time and made
> some incompatible changes
> to our sample code. If you mixed the code it didn't
> work.
> 
> Yes, we're sorry about this.
> 
> Paul
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> R Howard
> Sent: Thursday, October 03, 2002 10:39 AM
> To: [EMAIL PROTECTED]
> Subject: microsoft xp gssapi client talking to
> solaris8 gssapi server
> 
> 
> Hey folks, hope someone can help me with this.  I
> have
> compiled the sample gssapi client on a microsoft xp
> box.  It compiled fine.  I have the MIT gssapi
> sample
> server compiled on a solaris box.  The gssapi server
> on the solaris box seems to be working fine.  I can
> connect to it just fine using the MIT gssapi sample
> client.  But when I try to use the gssapi client
> supplied by Microsoft it just sits there waiting. 
> And
> the server on the solaris box seems to be waiting as
> well.
> 
> Has anyone gotten this to work?  Do I need to use
> the
> MIT gssapi sample client on the Microsoft XP box?
> 
> Any help would be appreciated.  Thanks
> 



RE: microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-03 Thread Paul B. Hill

Hi,

It sounds like version skew.

On XP are you compiling the sample code that came from the same MIT
distribution that you are compiling on the Solaris box?

At one time Microsoft was distributing the GSS sample code from an MIT
snapshot. MIT didn't know it at the time and made some incompatible changes
to our sample code. If you mixed the code it didn't work.

Yes, we're sorry about this.

Paul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
R Howard
Sent: Thursday, October 03, 2002 10:39 AM
To: [EMAIL PROTECTED]
Subject: microsoft xp gssapi client talking to solaris8 gssapi server


Hey folks, hope someone can help me with this.  I have
compiled the sample gssapi client on a microsoft xp
box.  It compiled fine.  I have the MIT gssapi sample
server compiled on a solaris box.  The gssapi server
on the solaris box seems to be working fine.  I can
connect to it just fine using the MIT gssapi sample
client.  But when I try to use the gssapi client
supplied by Microsoft it just sits there waiting.  And
the server on the solaris box seems to be waiting as
well.

Has anyone gotten this to work?  Do I need to use the
MIT gssapi sample client on the Microsoft XP box?

Any help would be appreciated.  Thanks




cracklib patch crashes kadmind

2002-10-03 Thread Jason

Well I tried to hack server_dict.c with crack lib and when attempting
to change a password kadmind dies.  So I grabbed the patch for
server_dict out of the monster-patch for afs-krb5 and applied it, and
got the same results.  I just recompiled the libraries both times.

I am using the krb5-1.2.5 source code, and the monster-patch from
afs-krb5-1.3.

Has anyone else run into this problem?  Is there a way to get cracklib
to work with krb5-1.2.5 or higher?

Thanks in advance,

Jason.




Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle

On Thu, 3 Oct 2002 11:22:38 + (UTC), [EMAIL PROTECTED] (Turbo
Fredriksson) wrote:

>1. Installed W2k Pro
>2. Installed SP3
>a. Auth to non-M$ KDC requires SP2 or greater!
>   SP3 is the latest from M$.
>3. Executed the 'ksetup.exe' commands
>a. ksetup /SetRealm MYREALM.TLD
>b. ksetup /AddKdc MYREALM.TLD kerberos1.domain.tld
>c. ksetup /AddKpasswd MYREALM.TLD kerberos1.domain.tld
>d. ksetup /MapUser * *
>e. ksetup /SetComputerPassword secretpw
>4. Setup & Start w32time
>a. net time /setsntp:fartein.ifi.uio.no
>b. net start w32time
>c. Setup w32time to start auto, not manually
>5. Installed OpenAFS client
>a. OpenAFS_Client_126.exe
>
>That's the steps, in detail. Nothing forgotten, nothing hidden. Except for
>the occasional reboots that's needed :). Works for me!

No idea then... apart from the OpenAFS Client I've done exactly the
same - several times.  Also a complete reinstall of the KDC was tried
as well.  

I've already spent far too much time on this - I think I'll go with
the disable preauth solution as it's the only reliable method I can
find.

Tony





microsoft xp gssapi client talking to solaris8 gssapi server

2002-10-03 Thread R Howard

Hey folks, hope someone can help me with this.  I have
compiled the sample gssapi client on a microsoft xp
box.  It compiled fine.  I have the MIT gssapi sample
server compiled on a solaris box.  The gssapi server
on the solaris box seems to be working fine.  I can
connect to it just fine using the MIT gssapi sample
client.  But when I try to use the gssapi client
supplied by Microsoft it just sits there waiting.  And
the server on the solaris box seems to be waiting as
well.

Has anyone gotten this to work?  Do I need to use the
MIT gssapi sample client on the Microsoft XP box?

Any help would be appreciated.  Thanks




Re: keberos v5 and WS-Security specification question

2002-10-03 Thread Mitko Iliev

--- Luke Howard <[EMAIL PROTECTED]> wrote:
> 
> From my brief reading of the WS-Security spec it
> doesn't look like
> the GSS-API token format is used.

Yeah, I've suspected that :-(
The WS-Security spec mentions Kerberos v5 tickets as
per rfc1510, but I do not see GSS API nor MIT kerberos
functions to:
- encrypt/sign (and reverse) a message with a ticket.
(or at least I can't find any example how to do
that).

Any opinion please?

Thanks a lot,
Mitko 

> 
> -- LUke
> 
> >From: Mitko Iliev <[EMAIL PROTECTED]>
> >Subject: keberos v5 and WS-Security specification
> question
> >To: [EMAIL PROTECTED]
> >Date: Mon, 30 Sep 2002 08:12:22 -0700 (PDT)
> >
> >hello all,
> >
> >I'm implementing a SOAP server which is supposed to
> use
> >Kerberos v5 TGS tickets to encrypt/sign the data
> using
> >WS-Security specification by microsoft. 
> >But my problem is that i can't extract with GSSAPI 
> >encryption or signing algorithm (this is needed to
> >make properly the  Algorithm="">
> >element). 
> >
> >Could anyone help me ? 
> >
> >Thanks in advance,
> >Mitko Iliev
> >
> >=
>
>---
> > Homo homenes lupus est.
>
>
> >
> 
> --
> Luke Howard | PADL Software Pty Ltd | www.padl.com





Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Turbo Fredriksson

> "Tony" == Tony Hoyle <[EMAIL PROTECTED]> writes:

Tony> Already done that.  The system clock on Windows is correct
Tony> (to the nearest second).  The windows kerberos clock is
Tony> incorrect.  How do I make them equal?

To my knowledge (I also think I've read something about that on
some site I was looking through when I tried to get this to work
last week) Kerberos is using the system clock.

Now, I also remember that I got the same problem as you, but it
still works for me...

I'm reinstalling (for the n:th time to verify my documentation)
so I'll see if I get the same problem, but I don't think I will.


Last time I installed, this is what I did (it worked then, but
I'm setting up a demo machine which will have 6 OS'es that work
with Kerberos/AFS on it) to get W2k authenticated against my MIT
Kerberos V KDC:

1. Installed W2k Pro
2. Installed SP3
a. Auth to non-M$ KDC requires SP2 or greater!
   SP3 is the latest from M$.
3. Executed the 'ksetup.exe' commands
a. ksetup /SetRealm MYREALM.TLD
b. ksetup /AddKdc MYREALM.TLD kerberos1.domain.tld
c. ksetup /AddKpasswd MYREALM.TLD kerberos1.domain.tld
d. ksetup /MapUser * *
e. ksetup /SetComputerPassword secretpw
4. Setup & Start w32time
a. net time /setsntp:fartein.ifi.uio.no
b. net start w32time
c. Setup w32time to start auto, not manually
5. Installed OpenAFS client
a. OpenAFS_Client_126.exe

That's the steps, in detail. Nothing forgotten, nothing hidden. Except for
the occasional reboots that's needed :). Works for me!




Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle

On Thu, 3 Oct 2002 05:17:46 + (UTC), [EMAIL PROTECTED] (Turbo
Fredriksson) wrote:

>> "Clint" == Clint Chaplin <[EMAIL PROTECTED]> writes:
>
>Clint> Now I need to sync the Win2k kerberos client with the rest
>Clint> of Win2k - obviously it's not automatic.  The Win2k clock
>Clint> is correct & synced with win32time.  Any ideas on how to do
>Clint> this?
>
>- s n i p -
>net stop w32time
>net time /setsntp:fartein.ifi.uio.no
>net start w32time
>- s n i p -
>
>Then you need to setup the 'Windows Time' service to run automatically.
>Don't know how to do this from the shell...

Already done that.  The system clock on Windows is correct (to the
nearest second).  The windows kerberos clock is incorrect.  How do I
make them equal?

Tony





Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle

On Wed, 2 Oct 2002 21:58:00 + (UTC), [EMAIL PROTECTED]
("Clint Chaplin") wrote:

>Read that log again carefully.  It's saying that the >client< time is 1989, not the 
>server time...
>
Windows is the client.  The server is a Linux KDC.

Tony

