Re: Browser authentication

2004-02-24 Thread Lukas Kubin
Thank you for the answer.
The reason why I found this thread was to find which (additional)
products I need to create a web page accessible through webserver
(Apache) when a user (client on Windows or Linux) has a valid MIT K5
ticket in their cache.
- is there any existing browser (for both Windows and Linux) suitable for
this?
- how does it work? does the webserver receive user's TGT or what?
Thank you.

lukas

Wyllys Ingersoll wrote:
> On Mon, 2004-02-23 at 04:24, Lukas Kubin wrote:
>
>> I would like to know, whether there is a functional solution for MIT
>> Kerberos authentication using web browser or not? I mean a solution,
>> where it is enough to have valid ticket in Kerberos cache - ie. no need
>> to type password anywhere.
>> If yes, what do I need to use to make it work? Which browsers are
>> enabled for such solution?
>> Thank you.
>
> The correct way to do this is with GSSAPI, Microsoft implemented
> a similar method with IE and IIS.  Mozilla is working on adding
> this functionality to the upcoming 1.7 release (for Unix users).
> http://bugzilla.mozilla.org/show_bug.cgi?id=17578
>
> -Wyllys

--
Lukas Kubin
phone: +420596398275
email: [EMAIL PROTECTED]
Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Browser authentication

2004-02-24 Thread Daniel Kouril
Wyllys Ingersoll wrote:
> The correct way to do this is with GSSAPI, Microsoft implemented
> a similar method with IE and IIS.  Mozilla is working on adding
> this functionality to the upcoming 1.7 release (for Unix users).
>
> http://bugzilla.mozilla.org/show_bug.cgi?id=17578

and the corresponding Apache module can be found at modauthkerb.sourceforge.net

--
Daniel




Thread-safe libraries

2004-02-24 Thread Lukas Kubin
Is there any progress in the ability of Kerberos libraries on Linux to 
be used by threads-enabled applications?
I'm still having troubles using sasl kerberos authentication to ldap 
server on Linux (Debian). It always fails when parallel connection appears.
Is there any solution for this now?
Thank you.

lukas

--
Lukas Kubin
phone: +420596398275
email: [EMAIL PROTECTED]
Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz




RE: Thread-safe libraries

2004-02-24 Thread Tim Alsop
Lukas,

Our TrustBroker products are threadsafe and we are currently working on a solution 
which uses SASL/GSS to administer Active Directory from Linux, Solaris, HPUX, AIX and 
Windows systems.

Please let me know if you would like to discuss this further by contacting me offlist.

Thanks,
Tim.

-----Original Message-----
From: Lukas Kubin [mailto:[EMAIL PROTECTED] 
Sent: 24 February 2004 12:11
To: [EMAIL PROTECTED]
Subject: Thread-safe libraries

Is there any progress in the ability of Kerberos libraries on Linux to 
be used by threads-enabled applications?
I'm still having troubles using sasl kerberos authentication to ldap 
server on Linux (Debian). It always fails when parallel connection appears.
Is there any solution for this now?
Thank you.

lukas

-- 
Lukas Kubin

phone: +420596398275
email: [EMAIL PROTECTED]

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz 



problems compiling Kerberos 1.3.1 in NetBSD 1.6ZK

2004-02-24 Thread Christian Palomino

Hi,

 I'm trying to compile kerberos 1.3.1 in a NetBSD 1.6ZK -current. I'm getting the 
error:

working ut_exit.e_exit in utmpx is e_exit
checking consistency of sysV-ish utmp API... not ok
configure: error: have setutent but no ut_id, ut_type, or ut_pid in utmp
configure: error: /usr/pkg/bin/bash './configure' failed for util/pty

 while configuring. Do you know how I can solve it? It seems like it is trying to 
configure for a SYSV system instead of a BSD. I had compiled it fine in NetBSD 
1.6.1-stable systems, but I can't get problem in this system.

Best regards and thanks in advance

-- 
Christian Palomino
mailto::[EMAIL PROTECTED]
http://www.palominocassain.com
GPG FingerPrint: BFF6 784E 01D1 1722 90C2 276A 00CD 900D 624D 100F




Re: Browser authentication

2004-02-24 Thread Wyllys Ingersoll
On Tue, 2004-02-24 at 04:00, Lukas Kubin wrote:
> Thank you for the answer.
> The reason why I found this thread was to find which (additional)
> products I need to create a web page accessible through webserver
> (Apache) when a user (client on Windows or Linux) has a valid MIT K5
> ticket in their cache.
>
> - is there any existing browser (for both Windows and Linux) suitable for
> this?

Internet Explorer has support today or Mozilla with the additional
negotiateauth extension (planned to be in the upcoming 1.7 release).

> - how does it work? does the webserver receive user's TGT or what?

The browser and web server exchange GSSAPI tokens encoded in the
HTTP header.  The GSSAPI tokens are created from the HTTP service
ticket that the browser gets from the KDC using the TGT.
TGTs are never used directly for authentication, they are only
used to get the service tickets.  

-Wyllys
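
Added example (not part of the original post, and not code from any project named in this thread): a Python check of what the web server actually receives in the exchange described above. It assumes the HTTP Negotiate scheme, where the browser sends the token as "Authorization: Negotiate <base64>" (header names not given in the thread); the sample token is constructed, with placeholder bytes where the service ticket and authenticator would be.

```python
import base64

# DER-encoded mechanism OIDs that can lead a GSSAPI initial context token.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}
# Two-byte message type that starts the Kerberos 5 mechanism's inner token.
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def inspect_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate credential")
    tok = base64.b64decode(b64.strip(), validate=True)
    if len(tok) < 4 or tok[0] != 0x60:  # [APPLICATION 0] framing
        raise ValueError("not a GSSAPI initial context token")
    body_len, pos = _der_len(tok, 1)
    if body_len < 2 or pos + body_len != len(tok) or tok[pos] != 0x06:
        raise ValueError("malformed token framing")
    oid_len, pos = _der_len(tok, pos + 1)
    oid, inner = tok[pos:pos + oid_len], tok[pos + oid_len:]
    mech = MECH_OIDS.get(oid, "unknown")
    # Only the raw Kerberos 5 mechanism exposes its message type directly.
    msg = KRB5_TOK_IDS.get(inner[:2]) if mech == "Kerberos 5" else None
    return {"mechanism": mech, "krb5_message": msg, "inner_len": len(inner)}


def build_sample_header():
    """Constructed sample: krb5 OID + AP-REQ TOK_ID + 16 placeholder bytes."""
    oid = bytes.fromhex("2a864886f712010202")
    body = b"\x06" + bytes([len(oid)]) + oid + b"\x01\x00" + b"\x00" * 16
    token = b"\x60" + bytes([len(body)]) + body
    return "Negotiate " + base64.b64encode(token).decode()
```

An AP-REQ carries the HTTP service ticket plus an authenticator, so a server-side log or proxy that sees this header is looking at a service-ticket exchange, never the user's TGT.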





Re: problems compiling Kerberos 1.3.1 in NetBSD 1.6ZK

2004-02-24 Thread Tom Yu
>>>>> "zakhrin" == Christian Palomino [EMAIL PROTECTED] writes:

zakhrin> I'm trying to compile kerberos 1.3.1 in a NetBSD 1.6ZK
zakhrin> -current. I'm getting the error:

zakhrin> working ut_exit.e_exit in utmpx is e_exit
zakhrin> checking consistency of sysV-ish utmp API... not ok
zakhrin> configure: error: have setutent but no ut_id, ut_type, or ut_pid in utmp
zakhrin> configure: error: /usr/pkg/bin/bash './configure' failed for util/pty

zakhrin> while configuring. Do you know can I solve it? It seems like
zakhrin> it is trying to configure for a SYSV system instead for a
zakhrin> BSD. I had compile it fine in NetBSD 1.6.1-stable systems,
zakhrin> but I can't get problem in this system.

Could you please send the portion of the configure script output
corresponding to the util/pty directory (from configuring in
util/pty to the next configuring in line)?  That might help us to
diagnose this problem.  I believe the problem is related to some
recent changes to utmp.h and utmpx.h in NetBSD-current which have not
propagated to 1.6.1-stable.

---Tom



Re: problems compiling Kerberos 1.3.1 in NetBSD 1.6ZK

2004-02-24 Thread Christian Palomino

On Tue, 24 Feb 2004 10:53:39 -0500
Tom Yu [EMAIL PROTECTED] wrote:

> Could you please send the portion of the configure script output
> corresponding to the util/pty directory (from configuring in
> util/pty to the next configuring in line)?  That might help us to
> diagnose this problem.

Of course, if I can give any other information, please tell me.

Thank you and best regards

configure: configuring in util/pty
configure: running /usr/pkg/bin/bash './configure' --prefix=/usr/local  
--cache-file=../.././config.cache --srcdir=.
configure: loading cache ../.././config.cache
checking for gcc... (cached) gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... (cached) o
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking how to run the C preprocessor... (cached) gcc -E
checking for gcc option to accept ANSI C... (cached) none needed
Looking for ./../../config
configure: adding extra warning flags for gcc
built in krb4 support
checking which version of com_err to use... krb5
checking which version of subsystem package to use... krb5
checking for an ANSI C-conforming const... (cached) yes
checking for gethostbyname... (cached) yes
checking for socket... (cached) yes
checking if DNS Kerberos lookup support should be compiled in... yes
checking for res_search... (cached) yes
checking for gawk... (cached) awk
checking for fchmod... yes
checking for fchown... yes
checking for revoke... yes
checking for vhangup... no
checking for killpg... yes
checking for _getpty... no
checking for openpty in -lutil... yes
checking for ANSI C header files... (cached) yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for memory.h... (cached) yes
checking for strings.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking for unistd.h... (cached) yes
checking for mode_t... yes
checking for time_t... yes
checking for strsave... no
checking for setreuid... yes
checking for gettosbyname... no
checking for setsid... yes
checking for ttyname... yes
checking for line_push... no
checking for ptsname... no
checking for grantpt... no
checking for openpty... yes
checking for unistd.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking libutil.h usability... no
checking libutil.h presence... no
checking for libutil.h... no
checking pty.h usability... no
checking pty.h presence... no
checking for pty.h... no
checking sys/filio.h usability... yes
checking sys/filio.h presence... yes
checking for sys/filio.h... yes
checking sys/sockio.h usability... yes
checking sys/sockio.h presence... yes
checking for sys/sockio.h... yes
checking sys/label.h usability... no
checking sys/label.h presence... no
checking for sys/label.h... no
checking sys/tty.h usability... yes
checking sys/tty.h presence... yes
checking for sys/tty.h... yes
checking sys/wait.h usability... yes
checking sys/wait.h presence... yes
checking for sys/wait.h... yes
checking ttyent.h usability... yes
checking ttyent.h presence... yes
checking for ttyent.h... yes
checking lastlog.h usability... no
checking lastlog.h presence... no
checking for lastlog.h... no
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking sys/ptyvar.h usability... no
checking sys/ptyvar.h presence... no
checking for sys/ptyvar.h... no
checking util.h usability... yes
checking util.h presence... yes
checking for util.h... yes
checking for waitpid... yes
checking for sys_errlist declaration... (cached) yes
checking POSIX signal handlers... yes
checking for sigprocmask... (cached) yes
checking for sigset_t and POSIX_SIGNALS... (cached) yes
checking for sigsetjmp... yes
checking for sigjmp_buf... yes
checking for dirent.h... (cached) yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for cfsetispeed... yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking utmpx.h usability... yes
checking utmpx.h presence... yes
checking for utmpx.h... yes
checking for setutent... yes
checking for setutxent... yes
checking for updwtmp... no
checking for updwtmpx... yes
checking for logwtmp... yes
checking for getutmp... yes
checking for getutmpx... yes
checking for utmpname... yes
checking for utmpxname... yes
checking struct utmp members
checking for ut_host in struct utmp... yes
checking for ut_syslen in struct utmp... no
checking for ut_addr in struct utmp... no
checking for ut_id in struct utmp... no
checking for ut_pid in struct utmp... no
checking for ut_type 

Re: Thread-safe libraries

2004-02-24 Thread Sam Hartman
>>>>> "Lukas" == Lukas Kubin [EMAIL PROTECTED] writes:

Lukas> Is there any progress in the ability of Kerberos libraries
Lukas> on Linux to be used by threads-enabled applications?  I'm
Lukas> still having troubles using sasl kerberos authentication to
Lukas> ldap server on Linux (Debian). It always fails when
Lukas> parallel connection appears.  Is there any solution for
Lukas> this now?  Thank you.

I believe someone has written a patch to the SASL library to use
mutexes around GSSAPI calls.

MIT is working on thread safety for our libraries but has not released
any code yet.




Re: Thread-safe libraries

2004-02-24 Thread Nikola Milutinovic
Sam Hartman wrote:

> >>>>> "Lukas" == Lukas Kubin [EMAIL PROTECTED] writes:
>
> Lukas> Is there any progress in the ability of Kerberos libraries
> Lukas> on Linux to be used by threads-enabled applications?  I'm
> Lukas> still having troubles using sasl kerberos authentication to
> Lukas> ldap server on Linux (Debian). It always fails when
> Lukas> parallel connection appears.  Is there any solution for
> Lukas> this now?  Thank you.
>
> I believe someone has written a patch to the SASL library to use
> mutexes around GSSAPI calls.
>
> MIT is working on thread safety for our libraries but has not released
> any code yet.

Some time ago, I had the same worry. Apparently, the only thread-safe Kerberos 
libraries around are from Tim Alsop's company (he replied on this list), 
Cybersafe, I think.

It is also worth noting, that, while Heimdal is not thread safe (at least there 
are no guarantees), it has proven to be much more thread-robust than MIT. 
OpenLDAP page and a couple of users have experienced problems with MIT and 
threaded OpenLDAP server, while Heimdal performed flawlessly.

It could be that Heimdal IS thread-safe, just nobody knows for sure. :-)

Nix.

P.S. Cyrus SASL 2.1.17 recognizes MIT, Heimdal, Cybersafe and SEAM (Sun) 
Kerberos implementations.




Re: Thread-safe libraries

2004-02-24 Thread Luke Howard

> It is also worth noting, that, while Heimdal is not thread safe (at least there
> are no guarantees), it has proven to be much more thread-robust than MIT.
> OpenLDAP page and a couple of users have experienced problems with MIT and
> threaded OpenLDAP server, while Heimdal performed flawlessly.
>
> It could be that Heimdal IS thread-safe, just nobody knows for sure. :-)

The recent Heimdal snapshots have considerable improvements in the
thread safety department, and I expect these will be in 0.7 when 
it is released.

-- Luke

