Cannot contact any KDC for requested realm while initializing kadmin interface

2003-07-10 Thread Kim Holburn
I need some help installing kerberos.  Any help greatly appreciated.

I am using debian woody.  

I installed the debian binaries (1.2.4) using apt-get:
ii  krb5-admin-ser 1.2.4-5woody4  Mit Kerberos master server (kadmind)
ii  krb5-clients   1.2.4-5woody4  Secure replacements for ftp, telnet and rsh
ii  krb5-config    1.4            Configuration files for Kerberos Version 5
ii  krb5-doc       1.2.4-5woody4  Documentation for krb5
ii  krb5-kdc       1.2.4-5woody4  Mit Kerberos key server (KDC)
ii  krb5-user      1.2.4-5woody4  Basic programs to authenticate using MIT Ker
ii  libkrb5-dev    1.2.4-5woody4  Headers and development libraries for MIT Ke
ii  libkrb53       1.2.4-5woody4  MIT Kerberos runtime libraries

and followed the directions on the install page:
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/install_toc.html


-/etc/krb5.conf ---
[libdefaults]
default_realm = MYDOMAIN.COM
ticket_lifetime = 600
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.COM = {
kdc = kerberos.mydomain.com
#   kdc = kerberos-1.mydomain.com:88
admin_server = kerberos.mydomain.com
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

[login] 
krb4_convert = false
krb4_get_tickets = false

-/etc/krb5.conf ---

-/etc/krb5kdc/kdc.conf ---
[kdcdefaults]
kdc_ports = 750,88

[realms]
MYDOMAIN.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
#   kdc_ports = 750,88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:afs3
#   supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
#   default_principal_flags = +preauth
}

-/etc/krb5kdc/kdc.conf ---



I get no unusual messages in the logs when I start kdc and kadmind:
Jul 11 13:43:45 kerberos krb5kdc[2438](info): setting up network...
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 8: 150.203.126.19 port 750
Jul 11 13:43:45 kerberos krb5kdc[2438](info): listening on fd 9: 150.203.126.19 port 88
Jul 11 13:43:45 kerberos krb5kdc[2438](info): set up 2 sockets
Jul 11 13:43:45 kerberos krb5kdc[2439](info): commencing operation


Jul 11 13:43:45 kerberos kadmind[2442](info): starting


When I run kadmin or kinit, they hang for 30 seconds or so and then I get this message:
# kadmin
Authenticating as principal root/[EMAIL PROTECTED] with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface


[EMAIL PROTECTED]:/etc# lsof -i
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
syslogd   160 root   18u  IPv4    153       UDP *:syslog
sshd      181 root    3u  IPv4    309       TCP *:ssh (LISTEN)
ntpd      184 root    4u  IPv4    359       UDP *:ntp
ntpd      184 root    5u  IPv4    360       UDP localhost:ntp
ntpd      184 root    6u  IPv4    361       UDP kerberos.mydomain.com:ntp
krb5kdc  2439 root    8u  IPv4  31995       UDP kerberos.mydomain.com:kerberos4
krb5kdc  2439 root    9u  IPv4  31996       UDP kerberos.mydomain.com:kerberos
kadmind  2442 root    8u  IPv4  32068       TCP *:kerberos-adm (LISTEN)
kadmind  2442 root    9u  IPv4  32069       UDP *:464

where:
# grep ker /etc/services
kerberos        88/tcp   kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos        88/udp   kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos-adm    749/tcp  # Kerberos `kadmin' (v5)
kerberos-adm    749/udp  # Kerberos `kadmin' (v5)
kerberos4       750/udp  kerberos-iv kdc # Kerberos (server) udp
kerberos4       750/tcp  kerberos-iv kdc # Kerberos (server) tcp
kerberos_master 751/udp  # Ker
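A small diagnostic for the symptom above, added here and not part of the original post: it parses the [realms] stanza of a krb5.conf (a constructed copy of the poster's is embedded), lists the KDC and admin_server endpoints the client will try, applying MIT's defaults of port 88 for kdc and 749 for admin_server when a value carries no :port suffix, and resolves each name, flagging one that resolves to loopback while the daemon is bound to the interface address shown in the lsof output. The `resolve` parameter is my own hook so the check can run offline.

```python
import re
import socket

# Constructed sample mirroring the poster's [realms] stanza, including the
# commented-out second KDC line, so the parser's comment handling is exercised.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.COM

[realms]
MYDOMAIN.COM = {
kdc = kerberos.mydomain.com
#   kdc = kerberos-1.mydomain.com:88
admin_server = kerberos.mydomain.com
default_domain = mydomain.com
}
"""

# MIT defaults when the value carries no ':port' suffix (kadmin uses TCP 749).
DEFAULT_PORTS = {"kdc": 88, "admin_server": 749}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value | {subkey: [values]}}}.
    Blank lines and '#' comments are skipped; '=' inside values is preserved."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)  # 'kdc' may repeat
        else:
            section[key] = value
    return sections


def endpoints(conf, realm=None):
    """(role, host, port) the client will try for the realm, in config order."""
    realm = realm or conf["libdefaults"]["default_realm"]
    out = []
    for role, default_port in DEFAULT_PORTS.items():
        for hostport in conf["realms"][realm].get(role, []):
            host, _, port = hostport.partition(":")
            out.append((role, host, int(port) if port else default_port))
    return out


def check_endpoints(conf, resolve=socket.gethostbyname):
    """Resolve each endpoint; flag names that map to loopback, since the KDC in
    the lsof output above is bound to the host's real interface address."""
    findings = []
    for role, host, port in endpoints(conf):
        try:
            addr = resolve(host)
        except OSError as exc:
            findings.append((role, host, port, "unresolvable: %s" % exc))
            continue
        note = "ok" if not addr.startswith("127.") else "resolves to loopback"
        findings.append((role, host, port, addr + " " + note))
    return findings


if __name__ == "__main__":
    for f in check_endpoints(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("%-12s %s:%d -> %s" % f)
```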

Re: GSSAPI x Kerberos

2003-07-10 Thread silvio
Citando "Douglas E. Engert" <[EMAIL PROTECTED]>:
> >  The other problem I'll have to solve is to implement the authentication
> over
> > HTTP, any suggestions?
> 
> Look at the kx509 from the University of Michigan. It uses Kerberos
> authentication
> to obtain a short term certificate. This certificate can then be used by IE
> or Netscape. 
> You then use the standard SSL in the browsers and web servers. 
> The client can run on any Unix, Mac or Windows. 

Sorry, I forgot to give some information about why I need to use GSS over 
HTTP (the link will help anyway :-))

I have an application that uses HTTP (or HTTPS) to communicate between the 
server and the clients, and neither are browsers or web servers... The 
application contains the implementation of HTTP for server and client; today 
there's support for Basic and Digest Authentication and I want to put GSS 
authentication there too... I know that some browsers (IE and patched Mozilla) 
support that, but I don't know which to use, the Mozilla implementation or 
Microsoft's... They both seem to be very simple, the GSS information goes 
after a specific tag (IE uses Negotiate, Mozilla uses GSS-Negotiate), like 
this:
WWW-Authenticate: Negotiate SPNEGO_data

SPNEGO seems to encapsulate GSSAPI data (I haven't read all of the RFC yet), 
but I don't think it will be useful, I was thinking of implementing the GSS 
data directly...

Any recommendations?

Silvio Fonseca
Linux Consultant
-
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42
Alto de Santana - São Paulo - SP
Telephones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos


MIT Kerberos 1.3

2003-07-10 Thread silvio

I noticed that Kerberos 1.3 isn't available outside USA/Canada yet in 
http://www.crypto-publish.org, any idea when it will be?

Silvio Fonseca
Linux Consultant

-
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42
Alto de Santana - São Paulo - SP
Telephones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115




Re: Purpose of Server Public/Private Key??

2003-07-10 Thread Russ Allbery
Jake Mudau <[EMAIL PROTECTED]> writes:

> What is the purpose of having a server public/private key architecture?
> I mean, when a user needs to be authenticated, the following is quite
> sufficient [or is it :)]:

Kerberos uses a secret key architecture and doesn't have public/private
key pairs, so I'm not entirely sure what you're asking.

> 1.  UserID passed in plain-text to server;
> 2.  Server submits an encrypted "challenge"-plus-unique-session_id with the
> user's password back to client;

This is what Kerberos calls pre-auth and is used to prevent off-line
dictionary attacks.  Kerberos v4 didn't have these steps; they were added
in Kerberos v5.  With Kerberos v4, you just asked the server for a TGT and
it gave you one, encrypted in the user's private key.  If you could
decrypt it, you could use it right away without authentication to the KDC.
Kerberos v5 added (optional, but generally should always be turned on)
pre-authentication before it would give you a TGT.

> 3.  Client decrypts challenge from server with password and conducts
> pre-defined scrambling (not encrypting) of plain-text;
> 4.  Client encrypts scrambled plain-text with unique session_id and sends
> back to server;

With Kerberos, this is instead a follow-up request to the KDC for what's
called a "ticket granting ticket" or TGT, which is the user credentials.

> 5.  Server decrypts with previously sent unique session_id and confirms
> correctness of scrambled challenge.  If ok, client authenticated and new
> session_id passed for rest of the client's operations.

Server sends the TGT back to the user encrypted in the user's password and
the user decrypts it.  Then, whenever that user wants to connect to
another network service, it sends a request to the KDC using that TGT and
gets back a service ticket for that particular service, which is a piece
of information encrypted in the private key of that service.  The client
then uses that service ticket to authenticate to the service, and the
service can check that the service ticket is valid by decrypting it with
its own private key.

Maybe what you're missing is that Kerberos isn't designed solely to
authenticate a user to a single service, but instead to provide the user
with a set of credentials which can then be used to authenticate to *any*
Kerberos service without requiring further authentication events in the
client?

-- 
Russ Allbery ([EMAIL PROTECTED]) 

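To make the reply above concrete, here is an added toy model of the exchange it describes (my code, not from the post or from MIT Kerberos): the AS exchange with pre-authentication, the TGS exchange, and the service verifying a ticket with only its own key. The HMAC-based `encrypt`/`decrypt`, `string_to_key` and the `KDC` class are stand-ins I made up; they only model "you need the shared key to read or forge this", not real Kerberos enctypes or message formats.

```python
import hashlib, hmac, json, os, time


def _stream(key, nonce, n):
    # Toy keystream from HMAC-SHA256 in counter mode (not a real enctype).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON object under a shared key: nonce | ct | tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError when the key is wrong: the MAC does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()  # stand-in for string2key


class KDC:
    """Shares a secret key with every principal; the krbtgt key is its own."""
    def __init__(self, principal_keys):
        self.keys = dict(principal_keys, krbtgt=os.urandom(32))

    def as_exchange(self, user, preauth):
        # Pre-auth: the client proves it knows the password before anything
        # encrypted under the user key is returned, so no offline guessing.
        if abs(time.time() - decrypt(self.keys[user], preauth)["ts"]) > 300:
            raise ValueError("pre-auth timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"client": user, "key": session})
        return tgt, encrypt(self.keys[user], {"key": session})  # TGT + enc part

    def tgs_exchange(self, tgt, authenticator, service):
        t = decrypt(self.keys["krbtgt"], tgt)  # only the KDC can open a TGT
        if decrypt(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": svc_session})
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": svc_session})


def kinit(kdc, user, password):
    # AS exchange: returns the TGT and the TGT session key.
    k = string_to_key(password)
    tgt, enc = kdc.as_exchange(user, encrypt(k, {"ts": time.time()}))
    return tgt, bytes.fromhex(decrypt(k, enc)["key"])

def get_service_ticket(kdc, user, tgt, session, service):
    # TGS exchange: returns the service ticket and the service session key.
    auth = encrypt(session, {"client": user, "ts": time.time()})
    ticket, enc = kdc.tgs_exchange(tgt, auth, service)
    return ticket, bytes.fromhex(decrypt(session, enc)["key"])

def service_accept(service_key, ticket, authenticator):
    """The service validates with its own key alone; no KDC round trip."""
    t = decrypt(service_key, ticket)
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    return t["client"] if a["client"] == t["client"] else None
```

Every key in the model is a shared secret; there is no public/private pair anywhere, which is the point of the reply.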


Purpose of Server Public/Private Key??

2003-07-10 Thread Jake Mudau
Hi, I am new to kerberos and would appreciate some help understanding some
basics:

What is the purpose of having a server public/private key architecture?  I
mean, when a user needs to be authenticated, the following is quite
sufficient [or is it :)]:

1.  UserID passed in plain-text to server;
2.  Server submits an encrypted "challenge"-plus-unique-session_id with the
user's password back to client;
3.  Client decrypts challenge from server with password and conducts
pre-defined scrambling (not encrypting) of plain-text;
4.  Client encrypts scrambled plain-text with unique session_id and sends
back to server;
5.  Server decrypts with previously sent unique session_id and confirms
correctness of scrambled challenge.  If ok, client authenticated and new
session_id passed for rest of the client's operations.

Each client is given its own unique session_id and the server knows which
client it is by the session_id.

Can someone please help me understand why we then need server private and
public keys (and why they have to travel as part of the authenticator)?

Many thanks

JM





Re: kerberos ftpd bug? can't get it to work

2003-07-10 Thread Donn Cave
In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (root) wrote:

> HAS ANYONE GOTTEN FTP/FTPD TO WORK ON KERBEROS V5?  I need help.

Talk to us.  Douglas Engert posted a followup in response to
your initial question.  He asks what host name you're connecting
to, what host name is in the keytab.  I might add, what host
name shows up in klist afterwards, if any.  GSS ftp does have
some host name issues.  On the bright side, at least you're not
running krb5-1.3 yet, so telnet probably works.

   Donn Cave, [EMAIL PROTECTED]



MIT Kerberos for Windows 2.5 beta 3 is released

2003-07-10 Thread Tom Yu

The MIT Kerberos Team announces the availability of MIT Kerberos for 
Windows 2.5 beta 3, the first public testing release.

Major new features of this release include:

- Based on MIT Kerberos v5 1.3
- Numerous enhancements to Leash

Please consult the Release Notes file for further details on changes.

The distribution packages and Release Notes are available from the 
authorized downloads link on the MIT Kerberos web page,



___
kerberos-announce mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos-announce



Updated Kerberos Extras for Mac OS X is released

2003-07-10 Thread Tom Yu

The MIT Kerberos Team announces that an updated Kerberos Extras for 
Mac OS X 10.2 and later is now available.

Kerberos Extras for Mac OS X allows CFM applications to access the 
Kerberos functionality built into Mac OS X.

This new version of Kerberos Extras installs a CFM support file which 
works on both Mac OS X 10.2 (Jaguar) and Mac OS X 10.3 (Panther) and 
supersedes previous Kerberos Extra releases.

Further information including download link is available from:






kerberos ftpd bug? can't get it to work

2003-07-10 Thread root
HAS ANYONE GOTTEN FTP/FTPD TO WORK ON KERBEROS V5?  I need help.



You have a new subscriber.

2003-07-10 Thread FastTrak
Would you like to see this in your inbox?
  With FastTRAK you will!

 Here is the link - NO TIME TO THINK! 
   http://www.fasttrak.biz/topopps 
  New and Growing FAST 

With FastTRAK.biz you get INSTANT CASH deposited directly into your PayPal account  
…and for every month thereafter! 

That's because PayPal pays you directly from their account like clockwork. 
   
  http://www.fasttrak.biz/topopps 

FastTRAK.biz officially launched on February 18, 2003 at 10 PM EST, but you didn't 
have to be present to score big. 

 Recurring consistent "subscription" payments 

  You can secure your position right now! 
 BONUS! 

Top spots will get first dibs from our 1 million double opt-in E-Mail blast campaign 
starting upon members upgrades. 
  
  http://www.fasttrak.biz/topopps 

To Your Success 

This email is sent in compliance with strict anti-abuse and NO SPAM regulations. You 
are receiving this because either you are in my Private email list or your address was 
collected as a result of posting to a link, a classified ad, a message to my FFA Page, 
you sent me an e-mail recently, you were on a list I purchased, or we have exchanged 
business opportunities before.

__

To change your subscription details or stop receiving emails, click here:
http://owenboren.com/c/3/kerberos%40mit.edu




Re: KDC doesn't start

2003-07-10 Thread Maik Hentsche
"Maik Hentsche" <[EMAIL PROTECTED]> wrote:
> [.. my problems with KDC..]

Well, I solved the problem by destroying the stashfile and rebuilding it.
Thanks to everyone, who helped me.

so long
Maik

-- 
The mind is like a ticket. It only makes sense if you use it.
(Ernst R. Hauschka (b. 1926), German essayist,
aphorist and librarian)



Re: GSSAPI x Kerberos

2003-07-10 Thread Douglas E. Engert


[EMAIL PROTECTED] wrote:
> 
> Citando "Douglas E. Engert" <[EMAIL PROTECTED]>:
> > >  The other problem I'll have to solve is to implement the authentication
> > over
> > > HTTP, any suggestions?
> >
> > Look at the kx509 from the University of Michigan. It uses Kerberos
> > authentication
> > to obtain a short term certificate. This certificate can then be used by IE
> > or Netscape.
> > You then use the standard SSL in the browsers and web servers.
> > The client can run on any Unix, Mac or Windows.
> 
> Sorry, I forgot to give some information about why I need to use GSS over
> HTTP (the link will help anyway :-)) 
> 
> I have an application that uses HTTP (or HTTPS) to communicate between the
> server and the clients and neither are browsers or web servers... 

Another option is that OpenSSL can encapsulate Kerberos tickets in what
SSL thinks are certificates. 

> The
> application contains the implementation of HTTP to server and client, today,
> there's support to Basic and Digest Authentication and I want to put GSS
> authentication there too... I know that some browsers (IE and patched Mozilla)
> support that, but I don't know which to use,

So you have control over the client and server code and the platforms they run on?
This is not an option for most of us. The users will use IE or Netscape
and we have to work around that. That is why kx509 looks so attractive:
no changes are needed to the browsers, and it works on W98, ME, W2K, XP, with IE 
or Netscape, and on Mac, Linux and any other Unix that has Netscape. 

> the Mozilla implementation or
> Microsoft's... They both seem to be very simple, the GSS information goes
> after a specific tag (IE uses Negotiate, Mozilla uses GSS-Negotiate), like
> this:
> WWW-Authenticate: Negotiate SPNEGO_data
> 
> SPNEGO seems to encapsulate GSSAPI data (I haven't read all of the RFC yet),
> but I don't think it will be useful, I was thinking of implementing the GSS
> data directly...

If you do implement SPNEGO, the ietf-krb-wg would be interested to know that.
There is some concern that it can not be done based on the current drafts.   

> 
> Any recomendations?
> 
> Silvio Fonseca
> Linux Consultant
> -
> Relato Consultoria de Informática
> Rua Mto. João Gomes de Araújo, 106 cj. 42
> Alto de Santana - São Paulo - SP
> Telephones: (11) 6978-5253 / (11) 6978-5262
> Fax: (11) 6971-3115

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444



Re: Multiple realms

2003-07-10 Thread Sam Hartman
The multi-realm support in MIT Kerberos is kind of buggy. It's not
something we really test.  Don't be surprised if the docs don't
correspond to the observed behavior.  

If you do figure out what works and what doesn't--especially if you
figure out why things break--please let us know.




Re: Multiple realms

2003-07-10 Thread Vladimir Terziev
  The following is from krb5kdc man page:
"...
   krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

   specifies  that the KDC listen on port 2001 for REALM1 and
   on port 2002 for REALM2 and  REALM3.   Additionally,  per-
   realm  parameters  may  be specified in the kdc.conf file.
..."

Vlady


On Thu, 10 Jul 2003 14:45:05 +0200
"Nikola Milutinovic" <[EMAIL PROTECTED]> wrote:

> Am I reading the docs correctly?
> 
> The man page of "krb5kdc" states that there can be only one realm per TCP/UDP port. 
> Am I reading it right?
> 
> Nix.
> 




Multiple realms

2003-07-10 Thread Nikola Milutinovic
Am I reading the docs correctly?

The man page of "krb5kdc" states that there can be only one realm per TCP/UDP port. Am 
I reading it right?

Nix.




KDC doesn't start

2003-07-10 Thread Maik Hentsche
Hi!
I tried out MIT kerberos 1.2.8, but it doesn't work properly. When I try
to start krb5kdc, it prints "krb5kdc: cannot initialize realm
SUBNET.MM-DOUBLE.DE" at the commandline and "krb5kdc: No matching key in
entry - while finding master key for realm SUBNET.MM-DOUBLE.DE" in the
logfile. I strictly followed the instructions in doc/install-guide.ps and
did the following things: I created a database with

[EMAIL PROTECTED]:~# kdb5_util create -r SUBNET.MM-DOUBLE.DE -s

That told me the master key's name is K/[EMAIL PROTECTED]. Then I added
the principal admin/[EMAIL PROTECTED], who is given full access in
kadm5.acl. At last, I added the kadmin keytab for kadmin/admin and
kadmin/changepw. According to the documentation, krb5kdc should start now,
but it doesn't (as written above). Can anyone tell me, what is missing
here or what I have to do, to get kerberos running?

Thanks in advance and so long
Maik

-- 
The mind is like a ticket. It only makes sense if you use it.
(Ernst R. Hauschka (b. 1926), German essayist,
aphorist and librarian)
