Re: Sun/MIT <-> Heimdal version compatibility issue?

2008-03-08 Thread Brian Thompson

Brian Thompson wrote:

>
> Ok, this one has me a bit stumped...
>
> We have a functioning production kerberos environment
> that I'm trying to add a Solaris 11 (beta 79) client to.
>
> The kdc in my immediate realm where the host principals
> are located is a Solaris 9 host, and we have several working
> Solaris 10 client machines within the same realm. The kdc
> in the parent university realm is an older Heimdal kdc
> (version 0.6.3) and limited to only speak des-cbc-crc. All
> of the student user principals are located in the parent realm.
>
> If I stay strictly within the local Sun/MIT realm everything
> works fine and I can ssh into the Solaris 11 client machine
> using my local realm credentials. The krb5.keytab file on
> the client machine matches the host principal stored on
> the Solaris 9 kdc, etc.
>
> And, if I log into the Solaris 11 client machine using a local
> account, do a "kinit [EMAIL PROTECTED]",
> type in my university password, and then a "klist", that works
> fine too and shows me what I would normally see if I simply
> ssh into the other Solaris 10 client machines using my
> university account and type klist.
>
> The problem comes in when I try to ssh into the new
> Solaris 11 client machine. The logs on the university's
> Heimdal kdc look fine, but on the local Solaris 9 kdc where
> the host principal is located, the following shows up in the
> kdc log:
>
> krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353,  for host/[EMAIL PROTECTED], Decrypt integrity check failed
>
> The clocks on all of the machines involved are in sync
> via ntp, so it shouldn't be a clock issue. Any tips on what
> I might be able to look at next would be greatly appreciated.
>
> Thanks,
> Brian
>
>

I still haven't been able to make any progress on the above...

I did notice though that what I stated above about it working fine
if I stay strictly within the local Sun/MIT realm isn't completely
correct. Although everything "appears" to work correctly when
logging into the Solaris 11 client machine using my local realm
credentials, an error does get written to the Solaris 9 kdc logs.

krb5kdc[617]: TGS_REQ sol11client(88): INVALID TGS OPTIONS: authtime 1205035040, [EMAIL PROTECTED] for host/[EMAIL PROTECTED], KDC can't fulfill requested option

No such error occurs when logging into the other Solaris 10
client machines.

Any hints on what I might be able to check next would be
greatly appreciated.

Thanks,
Brian


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
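An added example, not part of Brian's post: a small Python triage of MIT-style krb5kdc TGS_REQ lines in the shape of the two quoted above. The sample lines are constructed; the host names, user and realm (sol11client.cs.example, bthompson, CS.EXAMPLE) are placeholders I've assumed, not the poster's. It parses each TGS_REQ entry and flags the two failure signatures in the thread: "Decrypt integrity check failed" (KRB5KRB_AP_ERR_BAD_INTEGRITY: the KDC's key for the ticket it was handed is not the key that sealed it, which for a cross-realm TGT means the inter-realm krbtgt key) and "KDC can't fulfill requested option" (KRB5KDC_ERR_BADOPTION), plus an authtime that cannot be a real time.

```python
"""Triage of MIT-style krb5kdc TGS_REQ log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Shape of the TGS_REQ lines quoted in the thread:
#   krb5kdc[PID]: TGS_REQ <source>: <STAGE>: authtime <T>, <client> for <server>, <message>
# <client> may be empty, as in the first quoted line.
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]: TGS_REQ (?P<source>.+?): "
    r"(?P<stage>[A-Z_ ]+): authtime (?P<authtime>-?\d+), "
    r"(?P<client>\S*) for (?P<server>\S+), (?P<message>.+)$"
)

# Constructed sample in the same shape as the thread's lines; host names, the
# user and the realm are placeholders. Line 3 is an AS_REQ entry that the
# TGS parser must skip.
SAMPLE_LOG = """\
krb5kdc[617]: TGS_REQ sol11client (88): PROCESS_TGS: authtime -1765328353,  for host/sol11client.cs.example@CS.EXAMPLE, Decrypt integrity check failed
krb5kdc[617]: TGS_REQ sol11client(88): INVALID TGS OPTIONS: authtime 1205035040, bthompson@CS.EXAMPLE for host/sol11client.cs.example@CS.EXAMPLE, KDC can't fulfill requested option
krb5kdc[617]: AS_REQ sol11client (88): ISSUE: authtime 1205034990, bthompson@CS.EXAMPLE for krbtgt/CS.EXAMPLE@CS.EXAMPLE
"""

# An authtime further than this from the KDC's own clock is not clock skew
# (NTP is already ruled out in the thread) but a ticket that did not decrypt
# to sensible plaintext.
MAX_AUTHTIME_DISTANCE = 24 * 3600

Finding = Tuple[str, str]  # (short code, explanation)


@dataclass
class TgsEntry:
    pid: int
    source: str
    stage: str
    authtime: int
    client: str
    server: str
    message: str


def parse_tgs_line(line: str) -> Optional[TgsEntry]:
    """Return the parsed entry, or None for lines that are not TGS_REQ entries."""
    m = TGS_RE.search(line)
    if m is None:
        return None
    return TgsEntry(
        pid=int(m["pid"]),
        source=m["source"].strip(),
        stage=m["stage"].strip(),
        authtime=int(m["authtime"]),
        client=m["client"],
        server=m["server"],
        message=m["message"].strip(),
    )


def triage(entry: TgsEntry, now: int) -> List[Finding]:
    """Flag the failure signatures seen in the thread.
    `now` is the KDC's clock (Unix time) when the line was written."""
    findings: List[Finding] = []
    if entry.authtime < 0 or abs(now - entry.authtime) > MAX_AUTHTIME_DISTANCE:
        findings.append(("BAD_AUTHTIME",
                         f"authtime {entry.authtime} is not a plausible time: the "
                         "ticket in the request did not decrypt to valid plaintext"))
    if entry.message == "Decrypt integrity check failed":
        # KRB5KRB_AP_ERR_BAD_INTEGRITY: the KDC's copy of the key (kvno, enctype)
        # for the ticket it was handed is not the key that sealed it. For a
        # cross-realm TGT that key is the shared inter-realm krbtgt key.
        findings.append(("BAD_INTEGRITY",
                         f"KDC could not verify the ticket presented in the request "
                         f"for {entry.server}: compare key, kvno and enctype of the "
                         "ticket's service principal (for a cross-realm TGT, the "
                         "inter-realm krbtgt) on the issuing and receiving KDC"))
    if "can't fulfill requested option" in entry.message:
        # KRB5KDC_ERR_BADOPTION: the client set a KDC option in the TGS-REQ that
        # this KDC will not grant for this ticket.
        findings.append(("BAD_OPTION",
                         f"{entry.client or '<no client>'} requested a TGS option "
                         "this KDC refuses (KDC_ERR_BADOPTION); capture the request's "
                         "kdc-options and check them against the KDC's ticket policy"))
    if not entry.client:
        findings.append(("NO_CLIENT", "no client principal logged for this request"))
    return findings


def triage_log(text: str, now: int) -> Dict[int, Tuple[TgsEntry, List[Finding]]]:
    """Map 1-based line number -> (entry, findings); non-TGS_REQ lines are skipped."""
    report: Dict[int, Tuple[TgsEntry, List[Finding]]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_tgs_line(line)
        if entry is not None:
            report[lineno] = (entry, triage(entry, now))
    return report


if __name__ == "__main__":
    for lineno, (entry, findings) in triage_log(SAMPLE_LOG, now=1205035040).items():
        print(f"line {lineno}: {entry.stage} for {entry.server}")
        for code, why in findings:
            print(f"  [{code}] {why}")
```

Run against a real krb5kdc.log, pass the timestamp of each line as `now`; the useful signal is the combination: a PROCESS_TGS line whose authtime is garbage together with BAD_INTEGRITY points at the key that sealed the presented ticket, not at the host principal named after "for".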


Problem compiling kerberos for maemo: cannot find add_error_table in com_err library

2008-03-08 Thread Jason Edgecombe
Hi There,

I'm trying to compile kerberos for the Nokia N800/810 running Maemo. I'm 
using scratchbox to compile and I get the following configure messages:

checking which version of com_err to use... system
checking for add_error_table in -lcom_err... no
configure: error: cannot find add_error_table in com_err library


ls shows
lrwxrwxrwx  1 maemo maemo    17 Feb 28 22:07 /lib/libcom_err.so.2 -> libcom_err.so.2.1
-rw-r--r--  1 maemo maemo  5728 May 26  2006 /lib/libcom_err.so.2.1

I saw several other mailing list messages about lib com_err, but I don't 
know what to do.

My eventual goal is to get openafs with krb5 support on the N800, but 
right now, I need to get kerberos working.

"dpkg -l | grep err" gives:
ii  comerr-dev  2.1-1.37-2sarge1  common error description library - headers a
ii  libcomerr2  1.37-2sarge1      common error description library

I'm trying to recompile the debian kerberos 1.4.4 source packages for 
the N800/N810.

Any help is appreciated.

Thanks,
Jason



Cross Realm Authentication

2008-03-08 Thread Andrea Cirulli
Hi all,

I've correctly set up a multi-realm KDC.

My setup is the following:
I have 2 realms, SOLARIS and SOLARIS2.
I can authenticate correctly on a machine when I have a ticket for that
machine's realm.
With a ticket for realm SOLARIS I can authenticate on machines that have
SOLARIS as the default realm, and the same for the realm SOLARIS2.

Now, I want to be able to authenticate on a SOLARIS2-realm machine with a
ticket for the SOLARIS realm.

I put krbtgt/[EMAIL PROTECTED] in the KDC, but it doesn't work. Reading a
guide on cross-realm authentication, they said that adding this particular
principal is the only thing to do to make cross-realm authentication work.


Any suggestions?
Am I missing something for the correct configuration?

Thanks in advance, guys!

-- 
Andrea Cirulli

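An added example, not from Andrea's post or any reply: the pieces a direct cross-realm trust between SOLARIS and SOLARIS2 needs. The inter-realm principal has to exist in both KDC databases with the same key, and one is needed per direction: on both KDCs run `addprinc krbtgt/SOLARIS2@SOLARIS` (lets SOLARIS users reach SOLARIS2 services) and `addprinc krbtgt/SOLARIS@SOLARIS2` (the reverse), typing the same password on each side so the derived keys match. A krbtgt principal that exists on only one KDC, or with different keys, is not enough: the SOLARIS KDC seals the cross-realm TGT with that key and the SOLARIS2 KDC must be able to open it. The krb5.conf fragment below, installed on clients and KDCs of both realms, names both realms' KDCs, maps host names to realms and declares the direct path. The KDC host names (kdc.solaris.example, kdc.solaris2.example) and domains are assumptions, not from the original post.

```ini
# krb5.conf for direct cross-realm trust between SOLARIS and SOLARIS2.
# Added example; KDC host names and DNS domains are assumed.
# Prerequisite, run on BOTH KDCs with the same password on each side:
#   addprinc krbtgt/SOLARIS2@SOLARIS    (SOLARIS  -> SOLARIS2)
#   addprinc krbtgt/SOLARIS@SOLARIS2    (SOLARIS2 -> SOLARIS)

[libdefaults]
    # SOLARIS2 on the hosts of that realm.
    default_realm = SOLARIS

[realms]
    SOLARIS = {
        kdc = kdc.solaris.example
        admin_server = kdc.solaris.example
    }
    SOLARIS2 = {
        kdc = kdc.solaris2.example
        admin_server = kdc.solaris2.example
    }

# Without these entries the client guesses a realm from the host's DNS
# domain, which for the assumed names is not SOLARIS2, and it would ask
# for host/<name>@<wrong realm>.
[domain_realm]
    .solaris.example = SOLARIS
    solaris.example = SOLARIS
    .solaris2.example = SOLARIS2
    solaris2.example = SOLARIS2

# "." means a direct path with no intermediate realm, in each direction.
[capaths]
    SOLARIS = {
        SOLARIS2 = .
    }
    SOLARIS2 = {
        SOLARIS = .
    }
```

To check the trust from a SOLARIS client: `kinit user@SOLARIS`, then request a service in the other realm (for example `kvno host/somehost.solaris2.example@SOLARIS2`); `klist` should then show krbtgt/SOLARIS2@SOLARIS beside the SOLARIS TGT, and the SOLARIS2 KDC's log should show the TGS_REQ being issued rather than a decrypt failure.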


Re: Kerberos on Windows

2008-03-08 Thread Jeffrey Altman

Chris Lowe wrote:
> After some long and painful research, I've discovered the mit2ms
> command, which only works in Vista.
>
> Does anything implement this functionality in XP?
>
> -Chris

Chris:

The reason that mit2ms cannot work on XP or 2003 is because those
operating systems do not provide the necessary functionality.

The only way to obtain a Kerberos ticket that can be used by SSP
applications such as IE, SMB Redirector, Outlook, etc. is by configuring
Windows to obtain the credentials at logon either by joining the
machine to the domain or configuring the laptop to support an
external Kerberos realm.

Jeffrey Altman
