Re: Heimdal and MIT Kerberos Compatibility

2003-12-19 Thread Jeffrey Hutzelman


On Friday, December 19, 2003 10:26:58 -0500 [EMAIL PROTECTED] wrote:

> Hi everyone!
>
> Does anyone know the extent of Heimdal and MIT Kerberos compatibility?
>
> I have an MIT Kerberos KDC on RedHat that works with other MIT Kerberos
> kadmin's, but when I try to add a host via kadmin from SuSE's Heimdal I
> get:
>
> kadmin> add -r host/host1.jin.com
> jin/[EMAIL PROTECTED]'s Password:
> Max ticket life [unlimited]:
> Max renewable life [unlimited]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> jin/[EMAIL PROTECTED]'s Password:
> kadmin: kadm5_create_principal: Bad response (during sendauth exchange)
> jin/[EMAIL PROTECTED]'s Password:
> kadmin: kadm5_randkey_principal: Bad response (during sendauth exchange)
> Segmentation fault
>
> I'm using MIT Kerberos version 1.2.7, and Heimdal version 0.3e.
Heimdal and MIT krb5 interoperate quite well with regard to the Kerberos 
protocol itself.  They also have pretty good API compatibility (though not 
perfect).  However, they use completely different administrative protocols 
which do not interoperate.  As far as I know, neither group has any plans 
to support the other's current admin protocols.  There is hope for the 
future, though, in the form of an ongoing effort to develop a common 
administrative interface.


Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: kerberos and freeradius

2003-12-19 Thread Jeffrey Hutzelman


On Friday, December 19, 2003 14:12:52 -0600 Steve Langasek 
<[EMAIL PROTECTED]> wrote:

> On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote:
> > On Friday, December 19, 2003 08:47:27 -0600 dave schrader
> > <[EMAIL PROTECTED]> wrote:
>
> > > Are there any modules available that will allow freeradius to do
> > > kerberos authentication under netbsd ? Dave Schrader
>
> > Freeradius includes a 'rlm_krb5' module which will verify passwords
> > against your krb5 KDC.  Note that this is not the same as using
> > Kerberos to authenticate the RADIUS protocol spoken between the NAS and
> > RADIUS server.
>
> > I have attached a patch against freeradius-0.3 which makes some
> > improvements to the rlm_krb5 module, including actually validating the
> > tickets it obtains in the process of verifying a password.  We've been
> > running this for a couple of years with good results.  It won't be
> > exactly what you need, but it should serve as a good starting point.
> > Notably...
>
> freeradius 0.3 is substantially out of date, and probably has remotely
> exploitable vulnerabilities (or then again, maybe it's too old for
> them...).  The current version of the rlm_krb5 module (0.9+) includes the
> enhancements you describe, including improved portability between MIT KRB5
> and Heimdal (though I recently made some changes to CVS HEAD that I
> haven't tested on Heimdal, so I may have ruined that again ;).
Yeah; that doesn't surprise me.  We don't actually use it much, and keeping 
it up to date hasn't been a high priority for me...

I'm glad to hear that work has been done on improving the rlm_krb5 module; 
I seem to recall last I looked that it was still broken, but that was quite 
some time ago.

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA



Intranet Kerberos Authentication using Safari in a Mac, Windows, Unix Environment

2003-12-19 Thread Harvey
Hi all,

We have a mixed network mostly composed of Windows, Unix, and Mac OS X 
(Panther). The KDCs are on Windows 2000 Active Directory Servers, and 
DNS is configured on Unix Servers with BIND 8.

We cannot browse the intranet using Safari with Mac OS X Kerberos 
authentication; it does not work in our scenario. However, Windows 2000 
workstations can browse with no trouble.

We were able to get Safari to authenticate using Kerberos by integrating 
DNS into Active Directory, but this is not a viable solution for our 
organization since the bosses argue that "PC networks works fine".

I do not have a lot of experience configuring Kerberos and would 
appreciate any help finding an alternative solution to this 
issue.

Thank you very much.
Harvey 




Re: kerberos and freeradius

2003-12-19 Thread Steve Langasek
On Fri, Dec 19, 2003 at 03:00:05PM -0500, Jeffrey Hutzelman wrote:
> On Friday, December 19, 2003 08:47:27 -0600 dave schrader 
> <[EMAIL PROTECTED]> wrote:

> >Are there any modules available that will allow freeradius to do kerberos
> >authentication under netbsd ? Dave Schrader

> Freeradius includes a 'rlm_krb5' module which will verify passwords against 
> your krb5 KDC.  Note that this is not the same as using Kerberos to 
> authenticate the RADIUS protocol spoken between the NAS and RADIUS server.

> I have attached a patch against freeradius-0.3 which makes some 
> improvements to the rlm_krb5 module, including actually validating the 
> tickets it obtains in the process of verifying a password.  We've been 
> running this for a couple of years with good results.  It won't be exactly 
> what you need, but it should serve as a good starting point.  Notably...

freeradius 0.3 is substantially out of date, and probably has remotely
exploitable vulnerabilities (or then again, maybe it's too old for
them...).  The current version of the rlm_krb5 module (0.9+) includes the
enhancements you describe, including improved portability between MIT KRB5
and Heimdal (though I recently made some changes to CVS HEAD that I
haven't tested on Heimdal, so I may have ruined that again ;).

-- 
Steve Langasek
postmodern programmer



Re: kerberos and freeradius

2003-12-19 Thread Jeffrey Hutzelman


On Friday, December 19, 2003 08:47:27 -0600 dave schrader 
<[EMAIL PROTECTED]> wrote:

> Are there any modules available that will allow freeradius to do kerberos
> authentication under netbsd ? Dave Schrader
Freeradius includes a 'rlm_krb5' module which will verify passwords against 
your krb5 KDC.  Note that this is not the same as using Kerberos to 
authenticate the RADIUS protocol spoken between the NAS and RADIUS server.

I have attached a patch against freeradius-0.3 which makes some 
improvements to the rlm_krb5 module, including actually validating the 
tickets it obtains in the process of verifying a password.  We've been 
running this for a couple of years with good results.  It won't be exactly 
what you need, but it should serve as a good starting point.  Notably...

- We've run this on Linux, but not any of the BSD's
- I've made no attempt to port to newer versions of freeradius
- We build against Heimdal, and there are some API differences.  I can't
 promise this will build as-is against MIT krb5.
If you have an AFS client (see www.openafs.org), you can find our full 
source tree in /afs/cs.cmu.edu/misc/nettools/src/freeradius-0.3 (and 
patches in ../Patches), and our configuration (minus the actual keys) in 
/afs/cs.cmu.edu/data/domain/config/raddb

Good luck...

-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA


freeradius-krb5.patch
Description: Binary data



Re: kerberos and freeradius

2003-12-19 Thread Steve Langasek
On Fri, Dec 19, 2003 at 08:47:27AM -0600, dave schrader wrote:
> Are there any modules available that will allow freeradius to do 
> kerberos authentication under netbsd ?
> Dave Schrader

There is an rlm_krb5 module included in the freeradius source.  I believe
one of the developers who've worked on it uses NetBSD.

-- 
Steve Langasek
postmodern programmer



kerberos and freeradius

2003-12-19 Thread dave schrader
Are there any modules available that will allow freeradius to do 
kerberos authentication under netbsd ?
Dave Schrader
--
Chaos reigns within.
Reflect, repent and reboot.
Order shall return.




Heimdal and MIT Kerberos Compatibility

2003-12-19 Thread xiongj
Hi everyone!

Does anyone know the extent of Heimdal and MIT Kerberos compatibility?

I have an MIT Kerberos KDC on RedHat that works with other MIT Kerberos
kadmin's, but when I try to add a host via kadmin from SuSE's Heimdal I
get:

kadmin> add -r host/host1.jin.com
jin/[EMAIL PROTECTED]'s Password:
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
jin/[EMAIL PROTECTED]'s Password:
kadmin: kadm5_create_principal: Bad response (during sendauth exchange)
jin/[EMAIL PROTECTED]'s Password:
kadmin: kadm5_randkey_principal: Bad response (during sendauth exchange)
Segmentation fault

I'm using MIT Kerberos version 1.2.7, and Heimdal version 0.3e.

Any help would be great!
Thanks!
Jin Xiong






Re: Changing default keytab name problem

2003-12-19 Thread Sam Hartman
> "Illia" == Illia Baidakov <[EMAIL PROTECTED]> writes:

Illia> Hello, Kerberos!  I wish to change the default name and
Illia> location of the keytab file.  When I run kadmin and type "ktadd
Illia> -k /some/where/krb5.keytab primary/[EMAIL PROTECTED]", the
Illia> command succeeds.  But when I add the "default_keytab_name =
Illia> /some/where/krb5.keytab" relation to the [libdefaults] section
Illia> of the /etc/krb5.conf file, the command "ktadd
Illia> primary/[EMAIL PROTECTED]" returns the error message "kadmin:
Illia> Cannot write to specified key table while adding key to
Illia> keytab".  The target directory has 755-mode permissions.
Illia> Without adding the default_keytab_name relation, the latter
Illia> command creates the /etc/krb5.keytab file successfully.


Try using WRFILE:/path/to/krb5.keytab instead of just the pathname.
This should work with 1.3.1 and should work with kadmin from any
version, but may break some services accessing the keytab with
Kerberos older than 1.3.
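The [libdefaults] relation from the question written both ways, as an added illustration that is not part of the thread; the path /some/where/krb5.keytab is the one from the question and is assumed to be writable by the user running kadmin.

```ini
[libdefaults]
    # Bare path: resolved as the read-only FILE: keytab type, which is
    # why "ktadd" fails with "Cannot write to specified key table".
    # default_keytab_name = /some/where/krb5.keytab

    # WRFILE: selects the writable keytab type, so "ktadd" without -k
    # can append keys here.  Services linked against krb5 older than
    # 1.3 may not recognise the WRFILE: prefix, as noted in the reply.
    default_keytab_name = WRFILE:/some/where/krb5.keytab
```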

