Re: broken pipe

[Ken Raeburn]

"N. Leenders" <[EMAIL PROTECTED]> writes:

> Hi,
> I'm attempting to set up a slave kdc, but am getting a broken pipe
> message:
>
> kprop -f /var/kerberos/krb5kdc/slave_datatrans nickerberos2.nic.ualberta.ca
> Broken pipe

Is there any error logged by kpropd on the other side?

> write(4, "\0\0\32\313", 4)  = -1 EPIPE (Broken pipe)
> --- SIGPIPE (Broken pipe) @ 0 (0) ---
> +++ killed by SIGPIPE +++
>
>
> Any ideas what to check?

It looks like the server is dropping the connection for some reason.
Perhaps it's crashing.  Perhaps it's decided that the client principal
sending the data shouldn't be allowed to send it; I don't know offhand
if the error is properly reported to the client in that case.  Have
you checked the ACL on the receiving side to ensure that the sending
host's host principal is listed?

If there's nothing logged, try running kpropd under strace too...

Ken

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: which krb5 PAM module on Solaris 8?

[Balazs GAL]

Sam Hartman írta:
I think that the PAM module with the most potential is the one in the
Linux-PAM repository on sourceforge.  I'm not sure it's really usable
in its current form.
In what state is it? :

gcc -c  -fpic -g -O2 -I/usr/include -I/usr/include pam_krb5_auth.c
pam_krb5_auth.c:123:45: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:132:67: pasting "pam_krb5_log" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:167:39: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:175:35: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:183:35: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:187:38: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:209:71: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:212:50: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:224:77: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:247:50: pasting "pam_krb5_log" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:253:47: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:268:35: pasting "pam_krb5_log" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:297:57: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:301:38: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:332:50: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:340:54: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:360:39: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:363:70: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:367:51: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:374:51: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:380:70: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:405:30: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:412:34: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:420:34: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:427:64: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
pam_krb5_auth.c:434:45: pasting "pam_krb5_debug" and "(" does not give a 
valid preprocessing token
make: *** [pam_krb5_auth.o] Error 1

Or something from it's mail archive:
http://mailman.mit.edu/pipermail/kerberos/2003-February/002556.html
"""

It appears I've stumbled across a security hole in pam_krb5-1.0.3 . This 
occurs in the latest cvs found at

	pserver:anonymous at cvs.sourceforge.net:/cvsroot/pam

When I use the module above on a Solaris 8 machine, I get the following
behavior:
   1876 : 
su - jfhmtest
  Password for jfhmtest at CISE.UFL.EDU:
  waterspout% id
  uid=0(root) gid=50(stdnt) euid=7048(jfhmtest)

The uid of the target user is 0, instead of 7048 .

[...]

"""

I dont say, that this is not a great tool.

The authors of it are excellent peoples with very good knowledge!

It's GREAT, but not maintained since 2001.

balsa


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: which krb5 PAM module on Solaris 8?

[Balazs GAL]

Sam Hartman írta:
"GÁL" == GÁL Balázs <[EMAIL PROTECTED]> writes:


GÁL> Tim Mooney írta:
>> All- I'm looking for recommendations on which krb5 PAM module I
>> should use on a sparc box I'll be reinstalling with Solaris 2.8
>> in a couple weeks.
GÁL> pam-krb5.sf.net. This is an enhanced version of RedHat's
GÁL> pam_krb5.  I will release rc8 in this weekend, it will
GÁL> contains many workarounds for the solaris pam
GÁL> implementation, so I recommend it.
Hi.  I have not looked at this specific implementation, but I have
encountered the Redhat PAM module and would like to gvie astrong
disrecommendation to that code base.
Sorry, but without any good reason I CANT agree this.
Please tell me concrete bugs!
Withouth these I can only request, that please
dont criticize anything whereof do you dont know enough well.
It seems like the module does way too much
I dont think, that if a pam_krb5 module support
krb4 or afs should be a bug.
I think this features should be implemented in a pam_krb5
modul, rather than in a separate module.
and has too much internal
information about the Kerberos implementation. 
Sorry, but I dont understand this. Whats the problem?

In particular, it even
parses krb5.conf (incorrectly).
This feature is deprecated and only compiled if requested.

balsa


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

your account eaqaorza

[admin]

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
eaqeorzo


message.zip
Description: Zip compressed data

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

your account kmskawma

[admin]

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
kmskawma


message.zip
Description: Zip compressed data

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: apache & Kerberos

[Frank Cusack]

That's not Kerberos authentication.  If you had read the first two sentences
on that page you'd see it doesn't meet the requestor's needs.

/fc

On Fri, 1 Aug 2003 15:10:50 + (UTC) [EMAIL PROTECTED] ("Subu Ayyagari") wrote:
> Kerberos authentication for apache:
> http://modauthkerb.sourceforge.net/
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Jeremy Fressard
> Sent: Friday, August 01, 2003 7:29 AM
> To: [EMAIL PROTECTED]
> Subject: apache & Kerberos
>
>
>
> Hello,
> Just to know if somebody has succeed to install apache with a kerberos
> module to NOT using the Basic Auth mechanism, but kerberos authentication
> only.
>
> And where I can found information?.
>
>
> The solution I search is the same as this site :
> http://meta.cesnet.cz/software/heimdal/negotiate.en.html
> Find a module for apache and install a kerberized mozilla for exemple.
> But this site explain how to do with heimdal and I use the MIT!
>
> If you have an idea!
>
> Thank
>
> FRESSARD Jeremy
>
>
>
>
>
> 
> Kerberos mailing list   [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> Kerberos mailing list   [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

krb5-1.3.1 is released

[Tom Yu]

-BEGIN PGP SIGNED MESSAGE-


The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.3.1.  Please see below for a list of some major changes
since krb5-1.3, or consult the README file in the source tree for a
more detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.3.1
===
You may retrieve the Kerberos 5 Release 1.3.1 source from the
following URL:

http://web.mit.edu/network/kerberos-form.html

The homepage for the krb5-1.3.1 release is:

http://web.mit.edu/kerberos/krb5-1.3/

Further information about Kerberos 5 may be found at the following
URL:

http://web.mit.edu/kerberos/

MAJOR CHANGES SINCE RELEASE 1.3
===

* The incorrect encoding of the ETYPE-INFO2 preauthentication hint is
  no longer emitted, and the both the incorrect and the correct
  encodings of ETYPE-INFO2 are now accepted.  We STRONGLY encourage
  deploying krb5-1.3.1 in preference to 1.3, especially on client
  installations, as the 1.3 release did not conform to the
  internet-draft for the revised Kerberos protocol in its encoding of
  ETYPE-INFO2.

* The non-caching getaddrinfo() API on Mac OS X, which was causing
  significant slowdowns under some circumstances, has been worked
  around.

=
Tom Yu
MIT Information Systems
Kerberos Development Team
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.7 (SunOS)
Comment: Processed by Mailcrypt 3.5.6 and Gnu Privacy Guard 

iQCVAwUBPyq99qbDgE/zdoE9AQGjCAP/T8NYQ7Z8V1qMLB7BdB1B40m8nhM03WGx
S0Yi+4QMYjItvL0rZeombdyyTYqcIZvZdLZPv5CAmkKqnPGqY3J0MaiD2B9kHOTX
y2Hw5UXHh+5LGbz7gK3JpJRJ+5E/NPVITPuMGBmBzhSGA+uyoniWPNN6dy5txXdt
4DVA4mg2wZE=
=72pm
-END PGP SIGNATURE-

___
kerberos-announce mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos-announce

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

InterScan NT Alert

[InterScan]

Receiver, InterScan has detected virus(es) in the e-mail attachment.

Date:   Fri, 01 Aug 2003 13:15:26 -0600
Method: Mail
From:   <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
File:   message.zip
Action: deleted
Virus:  WORM_MIMAIL.A 

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

your account xocxiemi

[admin]

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
xocxiemi


message.zip
Description: Zip compressed data

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: which krb5 PAM module on Solaris 8?

[Sam Hartman]

> "GÁL" == GÁL Balázs <[EMAIL PROTECTED]> writes:

GÁL> Tim Mooney írta:
>> All- I'm looking for recommendations on which krb5 PAM module I
>> should use on a sparc box I'll be reinstalling with Solaris 2.8
>> in a couple weeks.

GÁL> pam-krb5.sf.net. This is an enhanced version of RedHat's
GÁL> pam_krb5.  I will release rc8 in this weekend, it will
GÁL> contains many workarounds for the solaris pam
GÁL> implementation, so I recommend it.

Hi.  I have not looked at this specific implementation, but I have
encountered the Redhat PAM module and would like to gvie astrong
disrecommendation to that code base.

It seems like the module does way too much and has too much internal
information about the Kerberos implementation.  In particular, it even
parses krb5.conf (incorrectly).


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

your account aozaheeh

[admin]

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
aozaheeh


message.zip
Description: Zip compressed data

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

InterScan NT Alert

[InterScan]

Receiver, InterScan has detected virus(es) in the e-mail attachment.

Date:   Fri, 01 Aug 2003 12:53:36 -0600
Method: Mail
From:   <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
File:   message.zip
Action: deleted
Virus:  WORM_MIMAIL.A 

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: apache & Kerberos

[Tim Alsop]

Matthew,

Currently Windows NT, 2k and XP. We are currently porting to Linux and MacOSX.

The server component is being ported to support :

Windows/Apache 1.3 and 2.0
Linux/Apache 1.3 and 2.0
Solaris/Apache 1.3 and 2.0

We are interested to discuss requirements for other platforms/browsers if you have any.

Thanks, Tim. 

-Original Message-
From: Matthew Smith [mailto:[EMAIL PROTECTED] 
Sent: 01 August 2003 19:18
To: Tim Alsop
Cc: [EMAIL PROTECTED]
Subject: Re: apache & Kerberos

Tim-
   What OS support is available for the local proxy?
-Matt

Tim Alsop wrote:
> Andreas,
> 
> There is support in IE for Kerberos using SSPI and we utilise that if required, 
> however we also have a client/workstation component with our product that acts as a 
> local proxy and therefore intercepts communications between client workstation and 
> web or proxy servers on the network. Since the local proxy is able to access user 
> credentials cache it is able to use GSSAPI to setup a security context with the 
> web/proxy server when it receives a 401 response indicating authentication is 
> required.
> 
> The local proxy approach can therefore support any browser such as IE, Netscape, 
> Mozilla, Opera etc.
> 
> Cheers, Tim. 
> 
> -Original Message-
> From: Andreas [mailto:[EMAIL PROTECTED]
> Sent: 01 August 2003 18:05
> To: Tim Alsop
> Cc: Subu Ayyagari; [EMAIL PROTECTED]
> Subject: Re: apache & Kerberos
> 
> On Fri, Aug 01, 2003 at 03:46:46PM +0100, Tim Alsop wrote:
> 
>>context. The approach our WebAccess product uses and the one 
>>referenced by Jeremy and developed with Heimdal libraries uses 
>>Kerberos and GSSAPI to establish a security context between the 
>>browser and the Web server and hence
> 
> 
> Which type of browser has GSSAPI support? Or do you patch, say, mozilla as well?
> 
> Kerberos mailing list   [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: apache & Kerberos

[Matthew Smith]

Tim-
   What OS support is available for the local proxy?
-Matt

Tim Alsop wrote:
> Andreas,
> 
> There is support in IE for Kerberos using SSPI and we utilise that if required, 
> however we also have a client/workstation component with our product that acts as a 
> local proxy and therefore intercepts communications between client workstation and 
> web or proxy servers on the network. Since the local proxy is able to access user 
> credentials cache it is able to use GSSAPI to setup a security context with the 
> web/proxy server when it receives a 401 response indicating authentication is 
> required.
> 
> The local proxy approach can therefore support any browser such as IE, Netscape, 
> Mozilla, Opera etc.
> 
> Cheers, Tim. 
> 
> -Original Message-
> From: Andreas [mailto:[EMAIL PROTECTED] 
> Sent: 01 August 2003 18:05
> To: Tim Alsop
> Cc: Subu Ayyagari; [EMAIL PROTECTED]
> Subject: Re: apache & Kerberos
> 
> On Fri, Aug 01, 2003 at 03:46:46PM +0100, Tim Alsop wrote:
> 
>>context. The approach our WebAccess product uses and the one 
>>referenced by Jeremy and developed with Heimdal libraries uses 
>>Kerberos and GSSAPI to establish a security context between the 
>>browser and the Web server and hence
> 
> 
> Which type of browser has GSSAPI support? Or do you patch, say, mozilla as well?
> 
> Kerberos mailing list   [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: which krb5 PAM module on Solaris 8?

[GÁL Balázs]

Tim Mooney írta:
All-

I'm looking for recommendations on which krb5 PAM module I should use
on a sparc box I'll be reinstalling with Solaris 2.8 in a couple weeks.
pam-krb5.sf.net. This is an enhanced version of RedHat's pam_krb5.
I will release rc8 in this weekend, it will contains many workarounds
for the solaris pam implementation, so I recommend it.
I do understand the implications of using a krb5 PAM module to
authenticate services like telnet.
I need a source-available module (so the stuff that's part of SEAM isn't
going to do it for me, I don't think), because I need to hack in some
calls to ldap, to check for authorization.
Why dont use unix groups for authorization? There are few pam module now
which implement authorization based on unix groups.
balsa


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: apache & Kerberos

[Tim Alsop]

Andreas,

There is support in IE for Kerberos using SSPI and we utilise that if required, 
however we also have a client/workstation component with our product that acts as a 
local proxy and therefore intercepts communications between client workstation and web 
or proxy servers on the network. Since the local proxy is able to access user 
credentials cache it is able to use GSSAPI to setup a security context with the 
web/proxy server when it receives a 401 response indicating authentication is required.

The local proxy approach can therefore support any browser such as IE, Netscape, 
Mozilla, Opera etc.

Cheers, Tim. 

-Original Message-
From: Andreas [mailto:[EMAIL PROTECTED] 
Sent: 01 August 2003 18:05
To: Tim Alsop
Cc: Subu Ayyagari; [EMAIL PROTECTED]
Subject: Re: apache & Kerberos

On Fri, Aug 01, 2003 at 03:46:46PM +0100, Tim Alsop wrote:
> context. The approach our WebAccess product uses and the one 
> referenced by Jeremy and developed with Heimdal libraries uses 
> Kerberos and GSSAPI to establish a security context between the 
> browser and the Web server and hence

Which type of browser has GSSAPI support? Or do you patch, say, mozilla as well?

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: which krb5 PAM module on Solaris 8?

[Wyllys Ingersoll]

Tim Mooney wrote:
All-

I'm looking for recommendations on which krb5 PAM module I should use
on a sparc box I'll be reinstalling with Solaris 2.8 in a couple weeks.
I do understand the implications of using a krb5 PAM module to
authenticate services like telnet.
I need a source-available module (so the stuff that's part of SEAM isn't
going to do it for me, I don't think), because I need to hack in some
calls to ldap, to check for authorization.
As Sam mentioned, why not use the SEAM pam_krb5 for your authentication and
write your custom authorization stuff part of the account module?
There have been alot of improvements in the SEAM pam_krb5 module
in the past year or so - most of which are avaialable by default in
s9 and some of which are available in Solaris 8 patches.
--

Wyllys Ingersoll
Sun Microsystems, Inc
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF353913
Fingerprint: 92CD E875 59A0 798E ED9A  D75B 303A 57F0 AF35 3913

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

your account ipzizaez

[admin]

Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
ipzizaez


message.zip
Description: Zip compressed data

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: apache & Kerberos

[Andreas]

On Fri, Aug 01, 2003 at 03:46:46PM +0100, Tim Alsop wrote:
> context. The approach our WebAccess product uses and the one referenced by
> Jeremy and developed with Heimdal libraries uses Kerberos and GSSAPI to
> establish a security context between the browser and the Web server and hence

Which type of browser has GSSAPI support? Or do you patch, say, mozilla as well?


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: apache & Kerberos

[Tim Alsop]

Subu,

This mod for Apache does not use Kerberos tickets to authenticate the user logged into 
the workstation to the Apache server. Instead, it uses a Kerberos client at the web 
server to authenticate the user via a userid/password entered into a browser dialog 
and a domain cookie is used to maintain the context. The approach our WebAccess 
product uses and the one referenced by Jeremy and developed with Heimdal libraries 
uses Kerberos and GSSAPI to establish a security context between the browser and the 
Web server and hence a Kerberos service ticket is sent to the web server so it can 
determine the identity of the user.

Thanks, Tim.

-Original Message-
From: Subu Ayyagari [mailto:[EMAIL PROTECTED] 
Sent: 01 August 2003 15:32
To: [EMAIL PROTECTED]
Subject: RE: apache & Kerberos


Kerberos authentication for apache:
http://modauthkerb.sourceforge.net/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jeremy Fressard
Sent: Friday, August 01, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: apache & Kerberos



Hello,
Just to know if somebody has succeed to install apache with a kerberos module to NOT 
using the Basic Auth mechanism, but kerberos authentication only.

And where I can found information?.


The solution I search is the same as this site :
http://meta.cesnet.cz/software/heimdal/negotiate.en.html
Find a module for apache and install a kerberized mozilla for exemple.
But this site explain how to do with heimdal and I use the MIT!

If you have an idea!

Thank

FRESSARD Jeremy






Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos ftpd bug? can't get it to work (New, sort of)

[Cesar Garcia]

You can also inspect for which principal a service ticket was
acquired, on the client side via klist. Make sure there is a
corresponding keytab entry for this principal on the target host
(klist -k).

> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes:

>>> GSSAPI accepted as authentication type
>>> GSSAPI error major: Miscellaneous failure
>>> GSSAPI error minor: No principal in keytab matches desired name

Ken> If you turn on ftpd debugging (-d), ftpd will log a whole bunch of crap
Ken> to syslog.  One of the things it logs is the name it's trying to use
Ken> locally.  I suspect that the problem is something akin to listing the
Ken> "short" name of the host first in /etc/hosts.

Ken> --Ken
Ken> 
Ken> Kerberos mailing list   [EMAIL PROTECTED]
Ken> https://mailman.mit.edu/mailman/listinfo/kerberos


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: apache & Kerberos

[Subu Ayyagari]

Kerberos authentication for apache:
http://modauthkerb.sourceforge.net/

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jeremy Fressard
Sent: Friday, August 01, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: apache & Kerberos



Hello,
Just to know if somebody has succeed to install apache with a kerberos
module to NOT using the Basic Auth mechanism, but kerberos authentication
only.

And where I can found information?.


The solution I search is the same as this site :
http://meta.cesnet.cz/software/heimdal/negotiate.en.html
Find a module for apache and install a kerberized mozilla for exemple.
But this site explain how to do with heimdal and I use the MIT!

If you have an idea!

Thank

FRESSARD Jeremy






Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: kerberos ftpd bug? can't get it to work (New, sort of)

[Ken Hornstein]

>> GSSAPI accepted as authentication type
>> GSSAPI error major: Miscellaneous failure
>> GSSAPI error minor: No principal in keytab matches desired name

If you turn on ftpd debugging (-d), ftpd will log a whole bunch of crap
to syslog.  One of the things it logs is the name it's trying to use
locally.  I suspect that the problem is something akin to listing the
"short" name of the host first in /etc/hosts.

--Ken

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: apache & Kerberos

[Daniel Kouril]

Jeremy Fressard wrote:
> Hello,
> Just to know if somebody has succeed to install apache with a kerberos
> module to NOT using the Basic Auth mechanism, but kerberos authentication
> only.
> 
> And where I can found information?.
> 
> 
> The solution I search is the same as this site :
> http://meta.cesnet.cz/software/heimdal/negotiate.en.html
> Find a module for apache and install a kerberized mozilla for exemple.
> But this site explain how to do with heimdal and I use the MIT!

Try
http://meta.cesnet.cz/software/heimdal/mod_auth_gss_krb5_mit.c

It's a version I got from a MIT user but haven't tested myself. Please 
let me know how it works for you.

--
Dan


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

kerberos ftpd bug? can't get it to work (New, sort of)

[root]

I posted this question a few weeks ago and got two responses asking me
to provide more accurate info about my setup.  So here it is.  I hope
this is good enough b/c this is as close as I am allowed to get to
reality...

 Does anyone know how to get ftp working on Kerberos V5.  I can
connect
> to the ftp server but I fail to authenticate.  I keep getting an error
> message that "No principal in keytab matches desired name".  But my
> keytab file appears correct.  In fact, telnet and rsh are working.
> The only thing that doesn't work is ftp.  I have tried removing the
> ftp entry from my keytab file (supposedly some versions of kerberos
> will not work with ftp/host; only host/host) and I connect using the
> FQDN (also heard ftp is qwerky about FQDNs) but I get exactly the same
> problems. I have tried everything and poured over all the docs I could
> get my hands on to no avail.  I suspect it's something stupid I am
> overlooking or maybe there's some obscure work around.  Anyway, my
> boss really wants this implemented and I am stumped.  Anyone out there
> got any ideas?  ANY HELP WILL BE GREATLY APPRECIATED!
> 
> I PASTED THE ERROR AND MY KEYTAB FILE BELOW:
> 
> [EMAIL PROTECTED] /usr/kerberos/krb5-1.2.8/src/appl/gssftp/ftp/ftp
> sleepy.seven.dwarfs.com
> Connected to sleepy.seven.dwarfs.com
> 220 emssyb1 FTP server (Version 5.60) ready.
> 334 Using authentication type GSSAPI; ADAT must follow
> GSSAPI accepted as authentication type
> GSSAPI error major: Miscellaneous failure
> GSSAPI error minor: No principal in keytab matches desired name
> GSSAPI error: acquiring credentials
> GSSAPI ADAT failed
> GSSAPI authentication failed
> 
> emssyb1:/>/usr/kerberos/krb5-1.2.8/src/clients/klist/klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>  --
>3 ftp/[EMAIL PROTECTED]
>3 ftp/[EMAIL PROTECTED]
>3 host/[EMAIL PROTECTED]
>3 host/[EMAIL PROTECTED]
>3 telnet/[EMAIL PROTECTED]
>3 telnet/[EMAIL PROTECTED]

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: apche & Kerberos

[Tim Alsop]

Jeremy,

Our product, known as TrustBroker WebAccess provide support for Apache web servers and 
proxy servers. If you would like further information please let me know and we can 
discuss outside of this distribution.

Cheers, Tim. 

-Original Message-
From: Jeremy Fressard [mailto:[EMAIL PROTECTED] 
Sent: 01 August 2003 12:28
To: [EMAIL PROTECTED]
Subject: apche & Kerberos

Hello,
Just to know if somebody has succeed to install apache with a kerberos module to NOT 
using the Basic Auth mechanism, but kerberos authentication only.

And where I can found information?.


The solution I search is the same as this site :
http://meta.cesnet.cz/software/heimdal/negotiate.en.html
Find a module for apache and install a kerberized mozilla for exemple.
But this site explain how to do with heimdal and I use the MIT!

If you have an idea!

Thank

FRESSARD Jeremy



Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

apache & Kerberos

[Jeremy Fressard]

Hello,
Just to know if somebody has succeed to install apache with a kerberos
module to NOT using the Basic Auth mechanism, but kerberos authentication
only.

And where I can found information?.


The solution I search is the same as this site :
http://meta.cesnet.cz/software/heimdal/negotiate.en.html
Find a module for apache and install a kerberized mozilla for exemple.
But this site explain how to do with heimdal and I use the MIT!

If you have an idea!

Thank

FRESSARD Jeremy






Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

apche & Kerberos

[Jeremy Fressard]

Hello,
Just to know if somebody has succeed to install apache with a kerberos
module to NOT using the Basic Auth mechanism, but kerberos authentication
only.

And where I can found information?.


The solution I search is the same as this site :
http://meta.cesnet.cz/software/heimdal/negotiate.en.html
Find a module for apache and install a kerberized mozilla for exemple.
But this site explain how to do with heimdal and I use the MIT!

If you have an idea!

Thank

FRESSARD Jeremy



Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos