Kerberos setup steps
Hi, I have AD (Active Directory) Server installed on Win2003 server I have another win2003 server as a client what are the steps i have to follow to enable kerberos services, on which boxes i need to confiure and i want to authenticate the user using JNDI and kerberose Can you please help me regarding the same Thanks in advance Ramesh Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Kerberized Apache
Hello All, I am looking for a way to enable users to get access to their space through the web browser. I would like to integrate it with our Kerberized SSO environment as well. I tried this module http://modauthkerb.sourceforge.net/ but I have encounter some issues: 1) I didn't succeed in configuring SSO For each access through the web browser I have been asked for user and password although I already had a valid ticket 2) The .htaccess file must be used to control access to each directory. For each space I would like to give an access I have to create an .htaccess file and add an entry in the apcahe configuration file as well Does anyone have experience with this issue ? Are there any other Kerberos modules for apache that better suits my needs ? Thanks, Ido Levy Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
kadmin.local segfault
has anyone been able to figure this out? thanks! Steven Very weird, when running kadmin.local under valgrind, it does NOT segfault. I am including the valgrind output. --- [EMAIL PROTECTED] ~]# valgrind kadmin.local ==9674== Memcheck, a memory error detector. ==9674== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al. ==9674== Using LibVEX rev 1575, a library for dynamic binary translation. ==9674== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP. ==9674== Using valgrind-3.1.1, a dynamic binary instrumentation framework. ==9674== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al. ==9674== For more details, rerun with: -v ==9674== Authenticating as principal root/[EMAIL PROTECTED] with password. kadmin.local: cpw test Enter password for principal test: Re-enter password for principal test: ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x402FC40: cleanup_key_data (kdb_cpw.c:88) ==9674==by 0x4030CAB: krb5_dbe_def_cpw (kdb_cpw.c:588) ==9674==by 0x402EB06: krb5_dbe_cpw (kdb5.c:1736) ==9674==by 0x40177A8: kadm5_chpass_principal_3 (svr_principal.c:1328) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) ==9674== ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x402F242: krb5_dbekd_decrypt_key_data (decrypt_key.c:118) ==9674==by 0x4016F6B: create_history_entry (svr_principal.c:1007) ==9674==by 0x4017860: kadm5_chpass_principal_3 (svr_principal.c:1364) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) ==9674== ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x402F077: krb5_dbekd_encrypt_key_data (encrypt_key.c:122) ==9674==by 0x4016FCA: create_history_entry (svr_principal.c:1014) ==9674==by 0x4017860: kadm5_chpass_principal_3 (svr_principal.c:1364) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) ==9674== ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x427AFF2: krb5_dbe_free_contents (ldap_principal.c:107) ==9674==by 0x427B199: krb5_ldap_free_principal (ldap_principal.c:135) ==9674==by 0x402DA89: krb5_db_free_principal (kdb5.c:928) ==9674==by 0x401AE31: kdb_free_entry (server_kdb.c:295) ==9674==by 0x4017A52: kadm5_chpass_principal_3 (svr_principal.c:1453) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) Password for [EMAIL PROTECTED] changed. kadmin.local: quit ==9674== ==9674== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 69 from 2) ==9674== malloc/free: in use at exit: 1,441 bytes in 68 blocks. ==9674== malloc/free: 2,280 allocs, 2,212 frees, 348,960 bytes allocated. ==9674== For counts of detected errors, rerun with: -v ==9674== searching for pointers to 68 not-freed blocks. ==9674== checked 174,336 bytes. ==9674== ==9674== LEAK SUMMARY: ==9674==definitely lost: 733 bytes in 34 blocks. ==9674== possibly lost: 0 bytes in 0 blocks. ==9674==still reachable: 708 bytes in 34 blocks. ==9674== suppressed: 0 bytes in 0 blocks. ==9674== Use --leak-check=full to see details of leaked memory. [EMAIL PROTECTED] ~]# Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: AD using an external Kerberos realm
We received a lot of good information from the Windows Higher Ed list, but I thought it might be valuable to get feedback from the folks who support external KDCs as well. Are there any major gotchas that those of us who support Kerberos or the Windows community at large should be aware of? The big one is to make sure you don't configure your AD domain with the same name as your external (I don't personally like that word in this context) realm. E.g., you don't want WAM.UMD.EDU to be the name of both your Kerberos realm and AD domain. If you do that, you will be setting yourself up for massive pain down the road. --Ken Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberized Apache
Hi Ido, The modauthkerb website says you need an extention for Mozilla (I'm assuming the Mozilla Suite and Firefox) to do ticket-passing authentication*. We have it setup for doing username and password authentication right now and it works quite well. The configuration for a .htaccess is a little strange. Here's a sample: [snip] AuthType Kerberos KrbMethodNegotiate Off KrbServiceName HTTP Krb5Keytab /path/to/keytab AuthName physics.unc.edu KrbVerifyKDC off KrbAuthRealms PHYSICS.UNC.EDU require user [EMAIL PROTECTED] require user [EMAIL PROTECTED] SSLRequireSSL [/snip] You probably want to turn on the KrbMethodNegotiate. This is working now and has been working for a few years with only minor modifications when we upgrade modauthkerb. We have also successfully used require valid-user to do authentication for any user in our realm. If your .htaccess seems to not be working, you may need to fix your AllowOverride line for your DocumentRoot or some directory under that where you want to do authetication. Once AllowOverride is set correctly, you should be able to use .htaccess files without trouble. Can you use AuthType Basic, or any other AuthType, currently? *NegotiateAuth is here: http://negotiateauth.mozdev.org/ but it looks like Linux/i386 only. Hope this helps! Kevin - Kevin Sumner [EMAIL PROTECTED] (919) 962-6494 Assistant Systems Administrator Physics and Astronomy Networking Infrastructure and Computing University of North Carolina at Chapel Hill On Tue, 19 Feb 2008, Ido Levy wrote: Hello All, I am looking for a way to enable users to get access to their space through the web browser. I would like to integrate it with our Kerberized SSO environment as well. I tried this module http://modauthkerb.sourceforge.net/ but I have encounter some issues: 1) I didn't succeed in configuring SSO For each access through the web browser I have been asked for user and password although I already had a valid ticket 2) The .htaccess file must be used to control access to each directory. For each space I would like to give an access I have to create an .htaccess file and add an entry in the apcahe configuration file as well Does anyone have experience with this issue ? Are there any other Kerberos modules for apache that better suits my needs ? Thanks, Ido Levy Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos -- Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Why krb5kdc and kadmind sets up ports for listening differently ?
On Feb 19, 2008, at 02:17, Sachin Punadikar wrote: While doing code walkthrough of krb5kdc and kadmind programs, I noticed a difference between these two in the way it sets up the ports for listening. krb5kdc uses ioctl calls to get the interfaces list and then on each interface/ip-address its sets up the port for listening. While in case of kadmind it uses wildcard to set up the port for listening. Any specific reason for having different approaches while setting up ports? The UDP service offered by the KDC needs to respond from the same IP address that the client used to reach it. That's not possible with a wildcard-address listener unless your system has support for IP_PKTINFO or IPV6_PKTINFO, which is now supported in our code as well. The TCP listener does use a wildcard address. In kadmind, we're only using TCP, so it can just use the wildcard. The krb524d server uses a wildcard address for UDP, I believe. I don't recall if the client code checks the server's address; it may be a bug to use the wildcard, and we may need to revise the code to match the KDC's code someday, if anyone cares. -- Ken Raeburn, Senior Programmer MIT Kerberos Consortium Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: IIS refuse un-preauth-ed tickets?
There is a requirement that preauth'ed service accounts (which IIS would have) only accept preauthed tickets. * Speedo [EMAIL PROTECTED] [2008-02-19 10:32]: Sorry to post into 2 groups. I have a Java application using Kerberos to talk to IIS on a Windows domain. First I call java's kinit and then use the acquired initial TGT to connect to IIS with JGSS. When the initial ticket is pre- authed, I can get the web content. However, if I set the user account as do not require preauth and acquire such an un-preauth-ed initial TGT, and then get a service ticket for IIS using this TGT, it seems this ticket cannot be used to retrieve pages from IIS (using SPNEGO). Is this a designed feature? Thanks Speedo Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos -- John Washington Security Officer, University of Illinois Urbana-Champaign signature.asc Description: Digital signature Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Debugging Script using get_in_tkt_with_password
On Feb 19, 10:47 am, [EMAIL PROTECTED] wrote: Hello all, I have a specific question coming from my activities in a prior thread (Trouble Getting Ticket into Cache). The thread got confusing when others attached to it with different questions. I thought a new post was in order. My C script is using get_in_tkt_with_password() to cache a password. Everything is set up correctly, I believe. I am compiling through gcc and linking the object file to /usr/lib/libkrb5.so. I am getting the following error text when running the executable in gdb: begin gdb read out Failed to read a valid object file image from memory. Program received signal SIGSEGV, Segmentation fault. 0xb7f11f8c in krb5_get_in_tkt_with_password () from /usr/lib/ libkrb5.so.3 (gdb) list 1 init.c: No such file or directory. in init.c (gdb) bt #0 0xb7f11f8c in krb5_get_in_tkt_with_password () from /usr/lib/ libkrb5.so.3 #1 0x08048774 in main () end gdb read out Does this look like a problem with my Kerberos install or gdb? Is init.c (which I understand to be memory protection) a file that should be installed on my server. Thanks much for any assistance. Sincerely, Angus B. Atkins-Trimnell Sorry about the use of the word script. It should be program. Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
IIS refuse un-preauth-ed tickets?
Sorry to post into 2 groups. I have a Java application using Kerberos to talk to IIS on a Windows domain. First I call java's kinit and then use the acquired initial TGT to connect to IIS with JGSS. When the initial ticket is pre- authed, I can get the web content. However, if I set the user account as do not require preauth and acquire such an un-preauth-ed initial TGT, and then get a service ticket for IIS using this TGT, it seems this ticket cannot be used to retrieve pages from IIS (using SPNEGO). Is this a designed feature? Thanks Speedo Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberized Apache
Ido Levy [EMAIL PROTECTED] writes: I am looking for a way to enable users to get access to their space through the web browser. I would like to integrate it with our Kerberized SSO environment as well. I tried this module http://modauthkerb.sourceforge.net/ but I have encounter some issues: Using mod_auth_gss (http://cvs.opensolaris.org/source/raw/sfwnv/test_stevel/usr/src/cmd/apache2/mod_auth_gss/mod_auth_gss.c, install with apxs -c -i -l gss mod_auth_gss.c) I have apache-2.2.8 running with authentication via Kerberos. While mod_auth_kerb has the advantage of providing a username/password fallback, I haven't compiled it under Solaris. For an authentication needing part of your website you could either put these directives into a .htaccess file (assuming that your httpd configuration allows authentication override) or a directory or location section: AuthType GSSAPI AuthGssServiceName HTTP AuthGssKeytabFile /opt/apache/2.2.8/conf/http.keytab AuthGssDebug 0 require valid-user The username - should you need to specifiy access only for select users - is the Kerberos principal. Sebastian Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: kadmin.local segfault
With all of the testing I've been doing, the scenario you describe has happened. I've been testing on multiple machines, so I'm not sure if it's happened on all of the ones that are failing. Steven --- Kenneth Grady [EMAIL PROTECTED] wrote: Have you reloaded an account from a dump? and was the policy for that account deleted? Steven Miller wrote: has anyone been able to figure this out? thanks! Steven Very weird, when running kadmin.local under valgrind, it does NOT segfault. I am including the valgrind output. --- [EMAIL PROTECTED] ~]# valgrind kadmin.local ==9674== Memcheck, a memory error detector. ==9674== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al. ==9674== Using LibVEX rev 1575, a library for dynamic binary translation. ==9674== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP. ==9674== Using valgrind-3.1.1, a dynamic binary instrumentation framework. ==9674== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al. ==9674== For more details, rerun with: -v ==9674== Authenticating as principal root/[EMAIL PROTECTED] with password. kadmin.local: cpw test Enter password for principal test: Re-enter password for principal test: ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x402FC40: cleanup_key_data (kdb_cpw.c:88) ==9674==by 0x4030CAB: krb5_dbe_def_cpw (kdb_cpw.c:588) ==9674==by 0x402EB06: krb5_dbe_cpw (kdb5.c:1736) ==9674==by 0x40177A8: kadm5_chpass_principal_3 (svr_principal.c:1328) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) ==9674== ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x402F242: krb5_dbekd_decrypt_key_data (decrypt_key.c:118) ==9674==by 0x4016F6B: create_history_entry (svr_principal.c:1007) ==9674==by 0x4017860: kadm5_chpass_principal_3 (svr_principal.c:1364) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) ==9674== ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x402F077: krb5_dbekd_encrypt_key_data (encrypt_key.c:122) ==9674==by 0x4016FCA: create_history_entry (svr_principal.c:1014) ==9674==by 0x4017860: kadm5_chpass_principal_3 (svr_principal.c:1364) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) ==9674== ==9674== Conditional jump or move depends on uninitialised value(s) ==9674==at 0x427AFF2: krb5_dbe_free_contents (ldap_principal.c:107) ==9674==by 0x427B199: krb5_ldap_free_principal (ldap_principal.c:135) ==9674==by 0x402DA89: krb5_db_free_principal (kdb5.c:928) ==9674==by 0x401AE31: kdb_free_entry (server_kdb.c:295) ==9674==by 0x4017A52: kadm5_chpass_principal_3 (svr_principal.c:1453) ==9674==by 0x401743F: kadm5_chpass_principal (svr_principal.c:1276) ==9674==by 0x804BD27: kadmin_cpw (kadmin.c:831) ==9674==by 0x80516CB: check_request_table (execute_cmd.c:89) ==9674==by 0x8051738: really_execute_command (execute_cmd.c:130) ==9674==by 0x8051899: ss_execute_line (execute_cmd.c:215) ==9674==by 0x8051BB6: ss_listen (listen.c:125) ==9674==by 0x804E57E: main (ss_wrapper.c:62) Password for [EMAIL PROTECTED] changed. kadmin.local: quit ==9674== ==9674== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 69 from 2) ==9674== malloc/free: in use at exit: 1,441 bytes in 68 blocks. ==9674== malloc/free: 2,280 allocs, 2,212 frees, 348,960 bytes allocated. ==9674== For counts of detected errors, rerun with: -v ==9674== searching for pointers to 68 not-freed blocks. ==9674== checked 174,336 bytes. ==9674== ==9674== LEAK SUMMARY: ==9674==
Debugging Script using get_in_tkt_with_password
Hello all, I have a specific question coming from my activities in a prior thread (Trouble Getting Ticket into Cache). The thread got confusing when others attached to it with different questions. I thought a new post was in order. My C script is using get_in_tkt_with_password() to cache a password. Everything is set up correctly, I believe. I am compiling through gcc and linking the object file to /usr/lib/libkrb5.so. I am getting the following error text when running the executable in gdb: begin gdb read out Failed to read a valid object file image from memory. Program received signal SIGSEGV, Segmentation fault. 0xb7f11f8c in krb5_get_in_tkt_with_password () from /usr/lib/ libkrb5.so.3 (gdb) list 1 init.c: No such file or directory. in init.c (gdb) bt #0 0xb7f11f8c in krb5_get_in_tkt_with_password () from /usr/lib/ libkrb5.so.3 #1 0x08048774 in main () end gdb read out Does this look like a problem with my Kerberos install or gdb? Is init.c (which I understand to be memory protection) a file that should be installed on my server. Thanks much for any assistance. Sincerely, Angus B. Atkins-Trimnell Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
RE: support SSO in Windows with Keberos TGT
Hi, no. The centrofy client makes the unix/linux/mac computers AD aware, and kerberos aware. The central kdc is the Active Directory KDC, and the unix/linux/mac are exactly as Windows AD client. So, for example, a windows computer which use Putty can present a kerberos ticket to a Unix machine with the Centrofy client, without any re-authentication. And Unix to Windows, or Unix to Unix works also in the same way. is that more clear ?Sylvain CORTES [EMAIL PROTECTED] Date: Thu, 14 Feb 2008 10:32:26 -0500 From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: kerberos@mit.edu Subject: Re: support SSO in Windows with Keberos TGT sylvain cortes wrote: it's managed by the centrify client deployed on the Unix/Linux host You do understand that the issue here is how to use applications written to use KFW and applications written to use Kerberos SSP on the Windows platform with the same credential cache. Are you suggesting that the user switch from Windows based clients to UNIX/Linux based clients as a solution to his SSO issues on Windows? _ Nouveau ! Créez votre profil Messenger ! http://home.services.spaces.live.com/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Ubuntu and ldap backend
Javier Palacios ha scritto: If you experience problems with MIT, try with heimdal. Configuration only departs from non-ldap backend in the fact that you must supply an ldap dbname in the database section. OK, I'll try. Thanks for the answers -- questo articolo e` stato inviato via web dal servizio gratuito http://www.newsland.it/news segnala gli abusi ad [EMAIL PROTECTED] Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: support SSO in Windows with Keberos TGT
sylvain cortes [EMAIL PROTECTED] wrote: So, for example, a windows computer which use Putty can present a kerberos ticket to a Unix machine with the Centrofy client, without any re-authentication. And Unix to Windows, or Unix to Unix works also in the same way. You can do that without paying for Centrify. All you need to is to correctly setup the machine keytab and get a putty version that supports GSSAPI credential forwarding. CDC Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Ubuntu and ldap backend
[EMAIL PROTECTED] (hiroshi) writes: Javier Palacios ha scritto: If you experience problems with MIT, try with heimdal. Configuration only departs from non-ldap backend in the fact that you must supply an ldap dbname in the database section. OK, I'll try. Thanks for the answers Building the LDAP storage module is an open wishlist bug against the Debian krb5 packages, but I don't want to try to add it without checking with Sam first. Hopefully we'll be able to get that into lenny. -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Help with SASL/GSSAPI to remote Kerberos server
I am using SASL/GSSAPI to authenticate to Kerberos from OpenLDAP. I haven't gotten that to work yet. Almost all of the docs I found presume that I am setting up the KDC on the same server at OpenLDAP. In my case, the KDC is administered by another group who is willing to grant me access to Kerberos. However, none of the docs I've found offer help in setting up SASL/GSSAPI here and the Kerberos server elsewhere. Can someone point me to anything that would guide me through this process? Or does anyone want to share portions of their configuration? Specifics: OS: Red Hat Enterprise 4 v2.6.9 OpenLDAP v2.2.13 Local MIT Kerberos5 v1.3.4 KDC: MIT Kerberos5 v? Cyrus SASL v2.1.19 Other questions that have come up: What tests can I run here that will help me know if I've configured my end correctly to connect with the Kerberos server? How can I test to see if I have everything I need in the keytab was given by the Kerberos administrators? This project has been delayed weeks and weeks while I climb and climb up Samba, OpenLDAP, and Kerberos' very steep learning curve. So your prompt response will be hugely helpful. Thanks in advance. Wes -- Wes Modes Server Administrator Programmer Analyst McHenry Library Computing Network Services Information and Technology Services 459-5208 Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Help with SASL/GSSAPI to remote Kerberos server
Wes Modes wrote: I am using SASL/GSSAPI to authenticate to Kerberos from OpenLDAP. I haven't gotten that to work yet. Are you saying you want to use SASL/GSSAPI/Kerberos between a ldap client and and ldapserver? Almost all of the docs I found presume that I am setting up the KDC on the same server at OpenLDAP. In my case, the KDC is administered by another group who is willing to grant me access to Kerberos. The Kerberos KDCs can store their data in LDAP, but that does not sound like what you are trying to do, as the KDCs are being run by someone else. However, none of the docs I've found offer help in setting up SASL/GSSAPI here and the Kerberos server elsewhere. Sounds like you have been reading about the KDCs using ldap for their data. Can someone point me to anything that would guide me through this process? Or does anyone want to share portions of their configuration? If this is for an ldap client to an ldap server using GSSAPI: On OpenLDAP server in slapd.conf: security sasl=56 says require sasl authentication, with at least DES. You can add other options as well. The dn of a sasl authenticated user would look like: uid=username,realm=realm,cn=gssapi,cn=auth where the user's Kerbeors principal would have been username@realm If the realm id the default realm of the slapd server machines, the dn would be uid=username,cn=gssapi,cn=auth Look at the sasl-regexp on how to map these to something else. The slapd needs a keytab file with a service principal like: ldap/fqdn@realm Where fqdn is the hostname of the ldap server. Since slapd is not normally run as root, it needs access to its own keytab file, and something like this in the /etc/default/slapd or /etc/init.d/slapd KRB5_KTNAME=/etc/ldap/krb5.keytab export KRB5_KTNAME On OpenLDAP clients: The user would have gotten a Kerberos ticket (using kinit), then ldapsearch -Y GSSAPI -h ldap.server.com ... Specifics: OS: Red Hat Enterprise 4 v2.6.9 OpenLDAP v2.2.13 Local MIT Kerberos5 v1.3.4 KDC: MIT Kerberos5 v? Cyrus SASL v2.1.19 Other questions that have come up: What tests can I run here that will help me know if I've configured my end correctly to connect with the Kerberos server? How can I test to see if I have everything I need in the keytab was given by the Kerberos administrators? This project has been delayed weeks and weeks while I climb and climb up Samba, OpenLDAP, and Kerberos' very steep learning curve. So your prompt response will be hugely helpful. Thanks in advance. Wes -- Douglas E. Engert [EMAIL PROTECTED] Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
RE: support SSO in Windows with Keberos TGT
hi - you always can do everything...it's a question about time ;-) I did the classic way before using centrify, and it was hell to maintain: manage the keytab, manage the ad account, manage the NTP client to have the right ticket session, etc... Sylvain CORTES [EMAIL PROTECTED] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: kerberos@mit.edu Subject: Re: support SSO in Windows with Keberos TGT Date: Tue, 19 Feb 2008 13:08:22 -0600 sylvain cortes [EMAIL PROTECTED] wrote: So, for example, a windows computer which use Putty can present a kerberos ticket to a Unix machine with the Centrofy client, without any re-authentication. And Unix to Windows, or Unix to Unix works also in the same way. You can do that without paying for Centrify. All you need to is to correctly setup the machine keytab and get a putty version that supports GSSAPI credential forwarding. CDC _ Microsoft vous recommande de mettre à jour Internet Explorer. http://specials.fr.msn.com/IE7P25 Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Help with SASL/GSSAPI to remote Kerberos server
I am using SASL/GSSAPI to authenticate to Kerberos from OpenLDAP. I haven't gotten that to work yet. Almost all of the docs I found presume that I am setting up the KDC on the same server at OpenLDAP. In my case, the KDC is administered by another group who is willing to grant me access to Kerberos. However, none of the docs I've found offer help in setting up SASL/GSSAPI here and the Kerberos server elsewhere. Can someone point me to anything that would guide me through this process? Or does anyone want to share portions of their configuration? Specifics: OS: Red Hat Enterprise 4 v2.6.9 OpenLDAP v2.2.13 Local MIT Kerberos5 v1.3.4 KDC: MIT Kerberos5 v? Cyrus SASL v2.1.19 Other questions that have come up: What tests can I run here that will help me know if I've configured my end correctly to connect with the Kerberos server? How can I test to see if I have everything I need in the keytab was given by the Kerberos administrators? This project has been delayed weeks and weeks while I climb and climb up Samba, OpenLDAP, and Kerberos' very steep learning curve. So your prompt response will be hugely helpful. Thanks in advance. Wes -- Wes Modes Server Administrator Programmer Analyst McHenry Library Computing Network Services Information and Technology Services 459-5208 Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Help with SASL/GSSAPI to remote Kerberos server
To clarify. To separate and modularize some of these services, we have three servers: A file server running Samba; A directory server running OpenLDAP to provide personal and group identities; and an authentication server running Kerberos (administered by another group). Samba connects to OpenLDAP through smbldap-tools. And OpenLDAP connects to the Kerberos server via SASL/GSSAPI. When someone requests a Samba logon, Samba requests an LDAP bind, which in turn should use SASL to authenticate via Kerberos. The connection between Samba and OpenLDAP is working swell. It is the Kerberos connection that has me flummoxed. Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on one server, while the Kerberos KDC will be running on another server. I haven't found any documents that address this not-so-wacky design. So when a document says, run kadmin.local, to generate a principle, that is not available to me. If I can ask specifically for what I want, I might be able to convince the kerberos administrators to do it for me, but I have to be pretty specific about what I want. The docs I'm referring to are Cyrus SASL for System Administrators http://www.sendmail.org/~ca/email/cyrus/sysadmin.html http://www.sendmail.org/%7Eca/email/cyrus/sysadmin.html OpenLDAP 2.2 Administrator's Guide - Using SASL http://www.openldap.org/doc/admin22/guide.html#Using%20SASL Thank you for the OpenLDAP config suggestions. Those are more or less consistent with what I read. However, in several documents, it was suggested that before you try connecting OpenLDAP to Kerberos that you test to make sure your Kerberos configuration is working. That makes a lot of sense to me. So I want to perform a series of checks, but I don't know what those tests might be. Here's what I would like to test: * Can I connect to the Kerberos server directly? (kinit) * Is direct authentication to the Kerberos server working? * Am I getting returned a proper ticket? (klist) * Is the keytab file on my OpenLDAP server being recognized and accepted by the Kerberos server? * Is my machine being authenticated as a principle? Does it need to be? * How do I test SASL2 before getting OpenLDAP involved? * After making changes to my OpenLDAP config, how do I test the Kerberos connection through OpenLDAP? Do you have any pointers here? Douglas E. Engert wrote: snip... If this is for an ldap client to an ldap server using GSSAPI: On OpenLDAP server in slapd.conf: security sasl=56 says require sasl authentication, with at least DES. You can add other options as well. The dn of a sasl authenticated user would look like: uid=username,realm=realm,cn=gssapi,cn=auth where the user's Kerbeors principal would have been username@realm If the realm id the default realm of the slapd server machines, the dn would be uid=username,cn=gssapi,cn=auth Look at the sasl-regexp on how to map these to something else. The slapd needs a keytab file with a service principal like: ldap/fqdn@realm Where fqdn is the hostname of the ldap server. Since slapd is not normally run as root, it needs access to its own keytab file, and something like this in the /etc/default/slapd or /etc/init.d/slapd KRB5_KTNAME=/etc/ldap/krb5.keytab export KRB5_KTNAME On OpenLDAP clients: The user would have gotten a Kerberos ticket (using kinit), then ldapsearch -Y GSSAPI -h ldap.server.com ... Incidently, to this I get [root]# ldapsearch -Y GSSAPI testuser1 SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found) The logs say: Feb 19 15:32:47 dir slapd[2694]: == sasl_bind: dn= mech=GSSAPI datalen=494 Feb 19 15:32:47 dir slapd[2694]: SASL [conn=5650] Failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name) Feb 19 15:32:47 dir slapd[2694]: send_ldap_result: err=80 matched= text=SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name) The directory server has a keytab generated on the Kerberos server that contains ldap/[EMAIL PROTECTED] as a principle. Specifics: OS: Red Hat Enterprise 4 v2.6.9 OpenLDAP v2.2.13 Local MIT Kerberos5 v1.3.4 KDC: MIT Kerberos5 v? Cyrus SASL v2.1.19 Other questions that have come up: What tests can I run here that will help me know if I've configured my end correctly to connect with the Kerberos server? How can I test to see if I have everything I need in the keytab was given by the Kerberos administrators? This project has been delayed weeks and weeks while I climb and climb up Samba, OpenLDAP, and Kerberos' very steep learning curve. So your prompt response will be hugely helpful. Thanks in advance. Wes -- Wes Modes Server Administrator Programmer Analyst McHenry Library Computing Network Services
Re: Help with SASL/GSSAPI to remote Kerberos server
Wes Modes wrote: To clarify. To separate and modularize some of these services, we have three servers: A file server running Samba; A directory server running OpenLDAP to provide personal and group identities; and an authentication server running Kerberos (administered by another group). Samba connects to OpenLDAP through smbldap-tools. And OpenLDAP connects to the Kerberos server via SASL/GSSAPI. smbldap-tools contacts the KDC (Kerberos server) and obtains a service ticket for the OpenLDAP server. In order for this to be possible there must be a service principal in the KDC database for the OpenLDAP service and a keytab containing the matching key(s) must be installed on the OpenLDAP server. When someone requests a Samba logon, Samba requests an LDAP bind, which in turn should use SASL to authenticate via Kerberos. The service ticket for the OpenLDAP server is used to authenticate the connection between Samba and OpenLDAP. The connection between Samba and OpenLDAP is working swell. It is the Kerberos connection that has me flummoxed. For what purpose is the OpenLDAP server communicating with the KDC? Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on one server, while the Kerberos KDC will be running on another server. I haven't found any documents that address this not-so-wacky design. So when a document says, run kadmin.local, kadmin.local is a version of the kadmin tool that works only on the local system. If you are not on the local system you use the 'kadmin' tool. to generate a principle, that is not available to me. If I can ask specifically for what I want, I might be able to convince the kerberos administrators to do it for me, but I have to be pretty specific about what I want. You have to explain what you want in this forum as well, otherwise you won't get very many useful answers. The docs I'm referring to are Cyrus SASL for System Administrators http://www.sendmail.org/~ca/email/cyrus/sysadmin.html http://www.sendmail.org/%7Eca/email/cyrus/sysadmin.html OpenLDAP 2.2 Administrator's Guide - Using SASL http://www.openldap.org/doc/admin22/guide.html#Using%20SASL Thank you for the OpenLDAP config suggestions. Those are more or less consistent with what I read. However, in several documents, it was suggested that before you try connecting OpenLDAP to Kerberos that you test to make sure your Kerberos configuration is working. Again the question is connecting OpenLDAP to Kerberos for what purpose? The KDC is not under your control so you do not have the ability to create new principals or alter the configurations of the existing ones. Are you really expecting the OpenLDAP server to establish a network channel with the KDC? What messages are you expecting to have sent? Or are you simply confused about the concept of a service principal and the associated key? smime.p7s Description: S/MIME Cryptographic Signature Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Help with SASL/GSSAPI to remote Kerberos server
Jeffrey Altman wrote: Wes Modes wrote: To clarify. To separate and modularize some of these services, we have three servers: A file server running Samba; A directory server running OpenLDAP to provide personal and group identities; and an authentication server running Kerberos (administered by another group). Samba connects to OpenLDAP through smbldap-tools. And OpenLDAP connects to the Kerberos server via SASL/GSSAPI. smbldap-tools contacts the KDC (Kerberos server) and obtains a service ticket for the OpenLDAP server. In order for this to be possible there must be a service principal in the KDC database for the OpenLDAP service and a keytab containing the matching key(s) must be installed on the OpenLDAP server. I understand that you are saying that instead of the ldap-bind, one can configure smbldap-tools to do a Kerberos authentication instead. In that configuration, one would not need SASL at all. In my case, smbldap-tools are running on the Samba server, and while it might be possible (and I might be forced to) configure smbldap-tools to do the kerberos auth, I'd like to do it indirectly via LDAP and SASL/GSSAPI. Reason for this is that eventually, our campus kerberos service will be replaced with a secure LDAP auth. But it remains an open question for me whether it is possible to have Samba/smbldap-tools ask LDAP/GSSAPI which indirectly asks Kerberos for authentication. When someone requests a Samba logon, Samba requests an LDAP bind, which in turn should use SASL to authenticate via Kerberos. The service ticket for the OpenLDAP server is used to authenticate the connection between Samba and OpenLDAP. Right now I don't have a problem connecting OpenLDAP and Samba via TLS authenticaion . The connection between Samba and OpenLDAP is working swell. It is the Kerberos connection that has me flummoxed. For what purpose is the OpenLDAP server communicating with the KDC? See above. Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on one server, while the Kerberos KDC will be running on another server. I haven't found any documents that address this not-so-wacky design. So when a document says, run kadmin.local, kadmin.local is a version of the kadmin tool that works only on the local system. If you are not on the local system you use the 'kadmin' tool. I get root# kadmin Authenticating as principal wmodes/[EMAIL PROTECTED] with password. kadmin: Client not found in Kerberos database while initializing kadmin interface to generate a principle, that is not available to me. If I can ask specifically for what I want, I might be able to convince the kerberos administrators to do it for me, but I have to be pretty specific about what I want. You have to explain what you want in this forum as well, otherwise you won't get very many useful answers. The docs I'm referring to are Cyrus SASL for System Administrators http://www.sendmail.org/~ca/email/cyrus/sysadmin.html http://www.sendmail.org/%7Eca/email/cyrus/sysadmin.html OpenLDAP 2.2 Administrator's Guide - Using SASL http://www.openldap.org/doc/admin22/guide.html#Using%20SASL Thank you for the OpenLDAP config suggestions. Those are more or less consistent with what I read. However, in several documents, it was suggested that before you try connecting OpenLDAP to Kerberos that you test to make sure your Kerberos configuration is working. Again the question is connecting OpenLDAP to Kerberos for what purpose? The KDC is not under your control so you do not have the ability to create new principals or alter the configurations of the existing ones. Well I have access but only through the proxy of its system administrators... Are you really expecting the OpenLDAP server to establish a network channel with the KDC? What messages are you expecting to have sent? I'm hoping that where it now does an ldap-bind at the request of the SMB server, it can instead authenticate against the KDC via GSSAPI. Or are you simply confused about the concept of a service principal and the associated key? As I understand it, before the KDC will allow a server access, it needs to ensure that the server is allowed that access. So it does a key match to certify that the server is who it says it is, and checks to see if it is a principle. Or I may just be completely confused about everything. Which would certainly account for some of my vagueness, for which I apologize. On the other hand, if I understood enough to ask perfectly intelligent questions, I suspect I might have already been able to suss out the answer from the reams of info I've already read. W. -- Wes Modes Server Administrator Programmer Analyst McHenry Library Computing Network Services Information and Technology Services 459-5208 Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Help with SASL/GSSAPI to remote Kerberos server
Let me rephrase what you are attempting to do. You want to authenticate the LDAP query from the Samba client to the OpenLDAP server by sending a username and password from Samba to OpenLDAP over a TLS protected connection using SASL. Instead of the LDAP server storing the password and using that for authentication, you want to have the LDAP server ask the Kerberos KDC if the password is valid. Please confirm that this is your desire. smime.p7s Description: S/MIME Cryptographic Signature Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberized Apache
Hello All, I am looking for a way to enable users to get access to their space through the web browser. I would like to integrate it with our Kerberized SSO environment as well. I tried this module http://modauthkerb.sourceforge.net/ but I have encounter some issues: 1) I didn't succeed in configuring SSO For each access through the web browser I have been asked for user and password although I already had a valid ticket Do you mean that you have a TGT, or that you acquired the necessary HTTP service ticket? Take a look at the Apache error log; anything there from mod_auth_kerb? 2) The .htaccess file must be used to control access to each directory. For each space I would like to give an access I have to create an .htaccess file and add an entry in the apcahe configuration file as well Does anyone have experience with this issue ? Are there any other Kerberos modules for apache that better suits my needs ? -- Richard Silverman [EMAIL PROTECTED] Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Re: AD using an external Kerberos realm
JE == Jay Elvove [EMAIL PROTECTED] writes: JE Last month, a colleague of mine sent a message to the Windows JE Higher Ed list asking about possible problems authenticating JE certain Microsoft applications to an external KDC. We're getting JE ready to roll out our very first campus-wide Active Directory JE environment, which will include Exchange 2007 and Microsoft JE SharePoint Server (MOSS) 2007. User accounts and other data will JE be populated into AD using Microsoft Identify Lifecycle Manager JE 2007. The plan, which thus far has worked successfully in test, JE is to store user passwords in our Heimdal KDC and force all JE authentications to occur through the external KDC Can you give more details about your setup? I'm guessing that you have an AD realm, a Heimdal realm, cross-realm trust at least of Heimdal by AD, and that you have people choose the Heimdal realm when logging into Windows. JE Several key departments have voiced concerns over whether or not JE web authentication to applications such as MOSS 2007, Outlook Web JE Access (OWA) and Citrix will work using an external KDC. If the setup is as above, you'll need to set the altSecurityIdentities attribute on your AD accounts with the corresponding Kerberos principals from your Heimdal realm, so that when AD receives a request for a service ticket based on a TGT issued by Heimdal, it can return the appropriate PAC in the ticket. The Windows service to which you present the ticket needs it. JE We received a lot of good information from the Windows Higher Ed JE list, but I thought it might be valuable to get feedback from the JE folks who support external KDCs as well. Are there any major JE gotchas that those of us who support Kerberos or the Windows JE community at large should be aware of? There are plenty of other gotchas, unfortunately, although they may not all apply to you. A few that spring to mind: * There are registry bits you need to set on Windows clients so that they will use an external realm, including features of the realm such as TCP support, trust for delegation, whether the client will use the DNS to locate KDCs, etc. Some of these bits are not documented. * Unix clients are responsible for determining the realm of a service host, and use static configuration or the DNS to do so. Windows clients always assume a host is in the local AD realm, and rely on AD to return Kerberos referrals to redirect them. On the other hand, these referrals must never be returned to Unix clients, which will not know how to handle them. This issue applies if you're trying to access kerberized services in the Unix realm from Windows, e.g. an Apache server using mod_auth_kerb. * Kerberos tickets including the PAC can get quite large, and some non-Windows services can't deal with them, either because they can't handle the size or they don't expect anything in the authorization field at all. Cisco routers have problems with them, as does Apache / mod_auth_kerb (the latter problem can be fixed). Some older Kerberos software can only do UDP, and so can't fall back on TCP to transfer a big ticket which won't fit in a single UDP message. JE Thanks, JE Jay - Jay Elvove Distributed Computing Services University of JE Maryland Office of Information Technology Computer Space JE Sciences Building Room 1301A College Park, MD 20742 [EMAIL PROTECTED] -- Richard Silverman [EMAIL PROTECTED] Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Sun/MIT - Heimdal version compatibility issue?
Ok, this one has me a bit stumped... We have a functioning production kerberos environment that I'm trying to add a Solaris 11 (beta 79) client to. The kdc in my immediate realm where the host principals are located is a Solaris 9 host, and we have several working Solaris 10 client machines within the same realm. The kdc in the parent university realm is an older Heimdal kdc (version 0.6.3) and limited to only speak des-cbc-crc. All of the student user principals are located in the parent realm. If I stay strictly within the local Sun/MIT realm everything works fine and I can ssh into the Solaris 11 client machine using my local realm credentials. The krb5.keytab file on the client machine matches the host principal stored on the Solaris 9 kdc, etc. And, if I log into the Solaris 11 client machine using a local account, do a kinit [EMAIL PROTECTED], type in my university password, and then a klist, that works fine too and shows me what I would normally see if I simply ssh into the other Solaris 10 client machines using my university account and type klist. The problem comes in when I try to ssh into the new Solaris 11 client machine. The logs on the university's Heimdal kdc look fine, but on the local Solaris 9 kdc where the host principal is located, the following shows up in the kdc log: krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353, unknown client for host/[EMAIL PROTECTED], Decrypt integrity check failed The clocks on all of the machines involved are in sync via ntp, so it shouldn't be a clock issue. Any tips on what I might be able to look at next would be greatly appreciated. Thanks, Brian Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos