Re: CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue

2008-03-19 Thread Tim Mooney
In regard to: CentOS attempting to set up Kerberos 5-tickets created &...:

> I started the three daemons, also with no
> issues with the following invocation:
> /sbin/service krb5kdc start
> /sbin/service kadmin start
> /sbin/service krb524 start

It's very unlikely that you will ever need krb524.  I recommend you
disable that.

> I then used kinit, klist, and kdestroy to verify that under my account
> I could create, view, and destroy a ticket properly.

Can you do the same from a separate client, once you've set up the
krb5.conf on that client to contain the necessary realms section and
possibly the default_realm?

> So the next step is, I get all of the client software and dependencies
> installed on another machine on the network that I want to connect
> from using kerberos auth.  That's all installed correctly on a Ubuntu
> 7.10 machine that I'm currently on.
>
> Next is to create a host principal for my Ubuntu machine stored on the
> KDC host.  THIS is where I'm running into the issue.
>
> When I execute 'kadmin addprinc -randkey host/blah.example.com' I
> receive the following error:
> Authenticating as principal root/[EMAIL PROTECTED] with password.

As Ken has pointed out, you're mixing syntaxes.  You can either

kadmin -p username/admin -q 'addprinc -randkey host/your.clients.fqdn'

or

kadmin -p username/admin

and then run the rest of the command within kadmin.

> kadmin: Missing parameters in krb5.conf required for kadmin client
> while initializing kadmin interface

On your client system, what you probably want to do is something like:

sudo kadmin -p username/admin

(where username is whatever user account you previously created).  If
that works, your client has enough information to connect to the kadmind
that's running on your KDC.

If it works, you'll be at a prompt.  From there you can do

addprinc -randkey host/your.clients.fqdn

Note that the "host" is literal -- it's not to be replaced with something
else.  It's the type of principal that many of the krb5-workstation
daemons look for (ftpd being an exception).

Once that's done, you need to extract the principal into a local keytab.
You do that via ktadd, still within kadmin.  That's why I recommended
"sudo" in front of your kadmin auth -- you'll have permission to write
to /etc/krb5.keytab.

So, still within kadmin, you type

ktadd -k /etc/krb5.keytab host/your.clients.fqdn

The '-k /etc/krb5.keytab' probably isn't needed, but doesn't hurt.

Once that's done, you can exit from kadmin, and your client now has what
it needs for you to be able to run the Kerberized daemons from the
krb5-workstation package.  You should be able to do something like

sudo chkconfig xinetd on
sudo chkconfig eklogin on
sudo service xinetd start

If you kinit from somewhere else, you should then be able to do

/usr/kerberos/bin/rlogin -x your.clients.fqdn

and get in without being prompted for a password.

> If not that, I have a few other ideas...  Second was that the host
> name for the ubuntu machine will not resolve from the primary KDC.

That's a problem, but it's not what's causing your current issue.
It will definitely be an issue down the road.

>  To
> get around this I added an /etc/hosts entry for my machine.

That's enough, as long as nsswitch.conf on the KDC is right.

Tim
-- 
Tim Mooney  [EMAIL PROTECTED]
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building  (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue

2008-03-19 Thread Ken Raeburn
On Mar 19, 2008, at 17:09, Damo Gets wrote:
> When I execute 'kadmin addprinc -randkey host/blah.example.com' I
> receive the following error:

To execute a query within kadmin, use "kadmin -q query" where the  
query is passed as one argument -- in this case, you'd have to quote  
"addprinc -randkey host/blah.example.com".

> Authenticating as principal root/[EMAIL PROTECTED] with password.

On the kadmin command line, "-rfoo" indicates the realm name, so  
"andkey" was taken as the realm.

> kadmin: Missing parameters in krb5.conf required for kadmin client
> while initializing kadmin interface

Namely, where to find the kadmin server for the "andkey" realm...

Ken


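Ken's explanation above, replayed as an added example that is not part of the thread: the Python below mimics the permuting getopt(3) the kadmin client relies on, parses both the broken command line and the form Ken and Tim recommend, and then does the krb5.conf lookup that produced the "Missing parameters" error. The three option letters, the krb5.conf text and the host names in it are assumptions for the example.

```python
"""Added example (not from the thread): replay how the kadmin client parses
Damo's command line and then looks the realm up in krb5.conf.  The option
letters are the three kadmin ones the thread uses (-r realm, -p principal,
-q query); the krb5.conf text is constructed for the example and its host
names are assumptions.
"""
import re

KADMIN_OPTS = {"r": True, "p": True, "q": True}   # letter -> takes an argument


def parse_kadmin_argv(argv):
    """Mimic a permuting getopt(3): non-option words such as 'addprinc' are
    collected as leftovers and scanning continues, so '-randkey' is read as
    option -r with the attached argument 'andkey'."""
    opts, leftovers, i = {}, [], 0
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or len(tok) < 2:
            leftovers.append(tok)
            continue
        letter, attached = tok[1], tok[2:]
        if not KADMIN_OPTS.get(letter):
            raise ValueError("unknown option -" + letter)
        if attached:
            opts[letter] = attached
        else:
            opts[letter] = argv[i]
            i += 1
    return opts, leftovers


def parse_krb5_conf(text):
    """Just enough krb5.conf parsing for [libdefaults] and [realms]:
    returns {section: {key: value or {subkey: value}}}."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        (block if block is not None else section)[key.strip()] = value.strip()
    return sections


def diagnose(argv, conf_text):
    """What kadmin does before connecting: pick the realm (-r, else the
    default_realm) and find its admin_server.  No admin_server for that realm
    is the 'Missing parameters in krb5.conf required for kadmin client' case."""
    conf = parse_krb5_conf(conf_text)
    opts, leftovers = parse_kadmin_argv(argv)
    realm = opts.get("r") or conf["libdefaults"]["default_realm"]
    admin_server = conf.get("realms", {}).get(realm, {}).get("admin_server")
    return {
        "realm": realm,
        "principal": opts.get("p"),
        "query": opts.get("q"),
        "ignored": leftovers,     # words left over after option parsing, not a query
        "admin_server": admin_server,
        "ok": admin_server is not None,
    }


# Constructed krb5.conf for the example (names assumed).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
"""

# The command line from the thread, and the form Ken and Tim recommend.
BROKEN = ["addprinc", "-randkey", "host/blah.example.com"]
FIXED = ["-p", "username/admin", "-q", "addprinc -randkey host/blah.example.com"]

if __name__ == "__main__":
    print(diagnose(BROKEN, SAMPLE_KRB5_CONF))   # realm 'andkey', ok False
    print(diagnose(FIXED, SAMPLE_KRB5_CONF))    # realm EXAMPLE.COM, ok True
```

The first result shows the realm settling on "andkey" with no admin_server and both "addprinc" and the host name left over; the second shows the whole query reaching -q intact. The same lookup is the first thing to check when kadmin fails on a new client: whatever realm it has settled on must have an admin_server entry under [realms] in that client's krb5.conf.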

CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue

2008-03-19 Thread Damo Gets
I am currently attempting to set up a kerberos primary server on a
machine running CentOS4 to serve a WAN that I am working on.  I've
been using the Red Hat Enterprise Linux 4 Reference Guide (in .pdf
format) to do so.  It's served me far better than any of the other
FAQs that I've used on previous failed attempts to get kerberos
running on other systems.

I have got the servers running with seemingly nothing wrong already.
I used the example krb5.conf and kdc.conf files to create ones that
parsed with no errors.  I created a key database with no issues using
the '/usr/kerberos/sbin/kdb5_util create -s' command.  I created
kadm5.acl with appropriate administrators specified and added an
administrator account with '/usr/kerberos/sbin/kadmin.local -q
"addprinc username/admin"'.  I started the three daemons, also with no
issues with the following invocation:
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start

I then used kinit, klist, and kdestroy to verify that under my account
I could create, view, and destroy a ticket properly.

So the next step is, I get all of the client software and dependencies
installed on another machine on the network that I want to connect
from using kerberos auth.  That's all installed correctly on a Ubuntu
7.10 machine that I'm currently on.

Next is to create a host principal for my Ubuntu machine stored on the
KDC host.  THIS is where I'm running into the issue.

When I execute 'kadmin addprinc -randkey host/blah.example.com' I
receive the following error:
Authenticating as principal root/[EMAIL PROTECTED] with password.
kadmin: Missing parameters in krb5.conf required for kadmin client
while initializing kadmin interface

I don't know what is causing this, but I have a few ideas.  First of
all, I was thinking that it might be that I didn't know what 'host'
and 'blah.example.com' were supposed to be.  So I've tried
linuxX.mydomain.net/kdc.mydomain.net, linuxX/mydomain.net, myadmin/
linuxX.mydomain.net, and every other variation that I could think of.
The documentation in section 19.6 at that point isn't as good as I'd
like it to be.  So it could be that I'm trying to invoke it wrong.

If not that, I have a few other ideas...  Second was that the host
name for the ubuntu machine will not resolve from the primary KDC.  To
get around this I added an /etc/hosts entry for my machine.  If this
doesn't work I'm ready to tackle BIND in order to get this WAN
resolving properly internally.  Third and finally was that I have just
made an error that I can't figure out in the krb5.conf, but I
transcribed straight from the example that is supposed to work out of
the box, swapping only the domains and realms to make them
applicable.  I want to get it running like this before I try any
further tweaking.

Can anybody assist me with a pointer in the right direction on this?
I would be very grateful.



Re: sendmail as MSA and client side GSSAPI

2008-03-19 Thread Nicolas Williams
On Wed, Mar 19, 2008 at 03:17:29PM -0400, Sam Hartman wrote:
> MIT does have a configuration where this works with sendmail for
> foreground delivery to a mailhub.
> I don't have details though.

Good to know.  Could you cajole someone into posting the details?



Re: sendmail as MSA and client side GSSAPI

2008-03-19 Thread Sam Hartman
> "Nicolas" == Nicolas Williams <[EMAIL PROTECTED]> writes:

Nicolas> See:

Nicolas> http://www.sendmail.org/~ca/email/auth.html

Nicolas> under "Using sendmail as a client with AUTH."

Nicolas> It doesn't really address how to use this with Kerberos.
Nicolas> It's not clear if you just have to give sendmail your
Nicolas> Kerberos password (I doubt that will work, much less be
Nicolas> acceptable), or if sendmail is able to somehow find your
Nicolas> ccache and tickets.

MIT does have a configuration where this works with sendmail for
foreground delivery to a mailhub.
I don't have details though.



On Windows session boot - Excuse for my english

2008-03-19 Thread Hamza . Badidi
Hello,
  I think I've understood globally how Kerberos 5 works, but I
still have some questions about the manner in which the authentication is made
at the start of the session (just after we enter our login and
password). How exactly is the authentication made?
- Does a daemon present on the client machine (as soon as the session
starts) establish the communication with the KDC server and request
the ticket?
- If so, how and where does that daemon pick up the username on that
client machine?

Thanks a lot!
Hamza.





Re: pkinit client build in windows

2008-03-19 Thread Jeffrey Altman

Eswar S wrote:
> I think the problem is in accessing global shared variables on Windows. I
> have built with the OPENSSL_EXPORT_VAR_AS_FUNCTION preprocessor definition
> also.  Item pointer values are not getting initialized. I am doing all
> these in VC 2005.
>
> I am using the correct openssl 0.9.8g dll and lib.
> I have built these with the ms\32all.bat script from openssl.

Try using static libraries.






Re: sendmail as MSA and client side GSSAPI

2008-03-19 Thread Nicolas Williams
On Wed, Mar 19, 2008 at 12:29:55PM -0500, Nicolas Williams wrote:
> To make it work will require enough changes that one could be forgiven
                  ^^^^
                  may



Re: sendmail as MSA and client side GSSAPI

2008-03-19 Thread Victor Sudakov
Nicolas Williams wrote:
> > 
> > > Now how do I enable GSSAPI authentication for local users? What should
> > > I put into the /etc/mail/authinfo file so that each local user who has
> > > a Kerberos ticket could authenticate herself to the mailhub?
> > 
> > > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
> > 
> > Am I asking something extraordinary?
> > 
> > fetchmail works fine as GSSAPI client, so there is no more need to
> > store a password in the config for receiving mail. I wish we could do
> > the same for sending.

> Actually, I want to know about this too.  I'll ask Sun's sendmail
> contact.

Please do, and share the result.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/[EMAIL PROTECTED] http://vas.tomsk.ru/



Re: sendmail as MSA and client side GSSAPI

2008-03-19 Thread Nicolas Williams
On Wed, Mar 19, 2008 at 02:52:41AM +, Victor Sudakov wrote:
> In comp.mail.sendmail Victor Sudakov <[EMAIL PROTECTED]> wrote:
> 
> > Now how do I enable GSSAPI authentication for local users? What should
> > I put into the /etc/mail/authinfo file so that each local user who has
> > a Kerberos ticket could authenticate herself to the mailhub?
> 
> > The users send mail from mutt, pine etc by calling /usr/sbin/sendmail.
> 
> Am I asking something extraordinary?
> 
> fetchmail works fine as GSSAPI client, so there is no more need to
> store a password in the config for receiving mail. I wish we could do
> the same for sending.

See:

http://www.sendmail.org/~ca/email/auth.html

under "Using sendmail as a client with AUTH."

It doesn't really address how to use this with Kerberos.  It's not clear
if you just have to give sendmail your Kerberos password (I doubt that
will work, much less be acceptable), or if sendmail is able to somehow
find your ccache and tickets.

My guess: it just doesn't work, at least when sendmail is running in
queue mode.

To make it work will require enough changes that one could be forgiven
for wondering why mutt et al. shouldn't just learn how to talk SMTP/
SUBMIT to the real MSA anyways -- the way Thunderbird, Evolution and all
other MUAs do it.  Or, alternatively, why a standalone, non-queueing (or
per-user queue daemon) mail submission program isn't the right answer.

Or you might argue that sendmail just needs an option to work as
described above (no queueing, no privs, or per-user queueing).

BTW, on Solaris it wouldn't work anyways pending this:

6481399 sendmail needs to ship /etc/sasl/Sendmail.conf

Nico
-- 



Re: cross-realm authentication works only with .k5login

2008-03-19 Thread Andrea
Hi, I inserted the regular expression as you suggested, and on that
machine (let's call this machine MASTER) I can Single Sign On with
both REALMS.

However if I use the same krb5.conf on another machine (let's call it
SLAVE), setting the realm SOLARIS2 as default, I can't Single Sign On to the
MASTER machine, which is set up with the SOLARIS REALM as default. The
strange thing lies in the fact that if on the SLAVE I use SOLARIS as the default
REALM then everything works fine, that is I can SSO with both
REALMS.

Any idea or suggestions?


The krb5.conf of the master is the following:
[libdefaults]
default_realm =SOLARIS
dns_lookup_kdc = false
dns_fallback  =  false
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
renewable = true
forwardable = true
proxiable = true

[realms]
SOLARIS = {
kdc = colcascms
admin_server = colcascms
auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL 
PROTECTED])s/@.*//
   auth_to_local = DEFAULT

}
SOLARIS2 = {
kdc = colcascms
admin_server = colcascms
}


And the krb5.conf of the SLAVE is:


[libdefaults]
default_realm =SOLARIS
dns_lookup_kdc = false
dns_fallback  =  false
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
renewable = true
forwardable = true
proxiable = true


[realms]
SOLARIS = {
kdc = colcascms
admin_server = colcascms
auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL 
PROTECTED])s/@.*//
auth_to_local = DEFAULT

}
SOLARIS2 = {
kdc = colcascms
admin_server = colcascms
auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL 
PROTECTED])s/@.*//
auth_to_local = DEFAULT
}


On 17 Mar, 21:44, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> Hi Andrea,
>
> a user [EMAIL PROTECTED] is not the same as a user [EMAIL PROTECTED] You need 
> to
> tell a server in domain SOLARIS that user [EMAIL PROTECTED] is the same as
> [EMAIL PROTECTED] by either using .k5login or use auth_to_local in krb5.conf
> e.g.
>
> ..
> [realms]
>SOLARIS = {
>kdc = ..
> #
> # map [EMAIL PROTECTED] to local user xxx
> #
>auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL 
> PROTECTED])s/@.*//
>auth_to_local = DEFAULT
>}
> ..
>
> This means you trust both domains using unique ids.
>
> Markus
>
> "Andrea" <[EMAIL PROTECTED]> wrote in message
>
> news:[EMAIL PROTECTED]
>
> > Hi all,
> > I just set up a multi realm KDC on a linux machine.
> > The 2 REALMS are named SOLARIS and SOLARIS2.
> > I want to put a trust relationship between the two REALMS, so I did
> > the following on each KDC:
>
> > addprinc -pw krbtgt/SOLARIS2 krbtgt/[EMAIL PROTECTED]
> > addprinc -pw krbtgt/SOLARIS krbtgt/[EMAIL PROTECTED]
>
> > In order to test cross realm authentication I tried to single sign on
> > into a machine based on the SOLARIS realm, with a ticket of SOLARIS2. The
> > SSO doesn't work, however if I run klist after trying SSO, it
> > yields:
> > [EMAIL PROTECTED] ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: [EMAIL PROTECTED]
>
> > Valid starting     Expires            Service principal
> > 03/17/08 04:09:13  03/17/08 15:49:13  krbtgt/[EMAIL PROTECTED]
> >         renew until 03/17/08 04:09:13
> > 03/17/08 04:09:19  03/17/08 15:49:13  krbtgt/[EMAIL PROTECTED]
> >         renew until 03/17/08 04:09:13
> > 03/17/08 04:09:19  03/17/08 15:49:13  host/[EMAIL PROTECTED]
> >         renew until 03/17/08 04:09:13
>
> > It seems that the cross realm authentication works, but the SSO does not.
>
> > I can make the system work successfully by inserting the .k5login file
> > into the home directory of the user who is attempting to SSO on the
> > machine with a ticket of SOLARIS2 REALM.
>
> > I want to ask to you:
>
> > Am I missing something on the configuration?
> > Is it necessary to set up a .k5login for each user on the system?
> > Is it possible to avoid using the .k5login?
>
> > Thanks in advance!
>
> > best regards,
> > Andrea
> > 
> > Kerberos mailing list   [EMAIL PROTECTED]
> >https://mailman.mit.edu/mailman/listinfo/kerberos



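What the auth_to_local mapping in this thread actually grants, as an added example that is not Andrea's or Markus's code: the Python below evaluates MIT's RULE:[n:string](regexp)s/pattern/replacement/g syntax and the DEFAULT mapping, then applies a few rule sets to cross-realm principals. Because the address scrubber garbled the rule on the page, the rules in the example are rewritten to the same shape and are assumptions; the realm names SOLARIS and SOLARIS2 come from the thread, the user names are made up.

```python
"""Added example (not from the thread): an evaluator for MIT's auth_to_local
RULE syntax, RULE:[n:string](regexp)s/pattern/replacement/g, plus the DEFAULT
mapping, used to show what the cross-realm mapping in the thread grants.
The address scrubber garbled the rule on the page, so the rules here are
written to the same shape and are assumptions; the realm names are the
thread's SOLARIS and SOLARIS2, the user names are made up.
"""
import re

LOCAL_REALM = "SOLARIS"     # default_realm of the host doing the mapping

RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)((?:s/[^/]*/[^/]*/g?)*)")
SUBST_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")


def split_principal(principal):
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, local_realm=LOCAL_REALM):
    """Return the local user name this one rule yields, or None if the rule
    does not apply.  DEFAULT maps only single-component principals of the
    local realm; everything else needs an explicit RULE."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        return comps[0] if realm == local_realm and len(comps) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, regexp, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(comps) != ncomp:
        return None
    # $0 is the realm, $1..$n the principal components
    formatted = re.sub(r"\$(\d+)", lambda v: realm if v.group(1) == "0"
                       else comps[int(v.group(1)) - 1], fmt)
    # the selector regexp is applied to the whole formatted string
    if not re.fullmatch(regexp, formatted):
        return None
    for pattern, repl, g in SUBST_RE.findall(substs):
        formatted = re.sub(pattern, repl, formatted, count=0 if g else 1)
    return formatted


def map_principal(rules, principal, local_realm=LOCAL_REALM):
    """First rule that yields a name wins; None means 'no local user', the
    state that made Andrea's cross-realm logins fall back to ~/.k5login."""
    for rule in rules:
        name = apply_rule(rule, principal, local_realm)
        if name is not None:
            return name
    return None


# What a rule of Markus's shape does: every one-component SOLARIS2 principal
# becomes the same-named local user, root included.  That is full trust in
# whoever controls the SOLARIS2 KDC.
TRUST_ALL_OF_SOLARIS2 = ["RULE:[1:$1@$0](.*@SOLARIS2)s/@.*//", "DEFAULT"]

# A narrower variant: SOLARIS2 identities land in their own local namespace,
# so a SOLARIS2 'root' can never become the SOLARIS host's root.
PREFIXED_SOLARIS2 = ["RULE:[1:$1@$0](.*@SOLARIS2)s/@SOLARIS2$/-s2/", "DEFAULT"]

if __name__ == "__main__":
    for p in ("andrea@SOLARIS", "andrea@SOLARIS2", "root@SOLARIS2"):
        print(p, "->", map_principal(TRUST_ALL_OF_SOLARIS2, p),
              "|", map_principal(PREFIXED_SOLARIS2, p))
```

The contrast between the two rule sets is the security point behind Markus's remark about trusting both domains: a rule that strips @SOLARIS2 and keeps the bare name merges the two realms' user namespaces, so root@SOLARIS2 becomes local root on every SOLARIS host carrying that rule. Mapping cross-realm users into a reserved set of local accounts keeps the trust explicit, and unlike per-user .k5login files it is enforced in one place on each host.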

gss-server support

2008-03-19 Thread Rathod, Nitin
Hello,

Can anyone guide me in starting the gss-server command on a
Linux box for starting an HTTP service? I tried giving the following
command for starting the HTTP service: "gss-server HTTP
HTTP/[EMAIL PROTECTED]"

But it is giving the error:

GSS-API error acquiring credentials: Miscellaneous failure
GSS-API error acquiring credentials: No principal in keytab matches
desired name

So can anyone let me know how to start the HTTP service using the
gss-server command?

Regards,

Nitin



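An added example, not code from the thread or from MIT: after Tim's ktadd step, and whenever gss-server reports "No principal in keytab matches desired name" as in Nitin's post, the question is what the keytab actually contains. On a real host `klist -kte` answers it; the Python below reads the same version-2 keytab format directly, so the check can run from a tool or a test without libkrb5. The sample keytab is built in memory from dummy key bytes, and its principal names, realm and timestamps are assumptions.

```python
"""Added example (not from the thread): a minimal reader for the MIT keytab
format, enough to answer "did ktadd write host/<fqdn>@REALM into
/etc/krb5.keytab?" and "does the keytab hold the HTTP/... principal that
gss-server is asking for?".  The sample keytab below is constructed in
memory with dummy key bytes; the principal names and realm are assumptions.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2
KRB5_NT_PRINCIPAL = 1               # name type ktadd writes for service keys
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(b):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples the way
    libkrb5 lays them out: int32 entry size, then the entry body."""
    out = bytearray(KEYTAB_MAGIC)
    for princ, kvno, enctype, key, ts in entries:
        name, _, realm = princ.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp, 8-bit kvno, then the keyblock (enctype + key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)     # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def take_counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_counted().decode()
        comps = [take_counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = take_counted()
        kvno = vno8
        if end - pos >= 4:              # full kvno present: prefer it over vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": ts})
    return entries


def keytab_has(data, principal):
    """The check that fails with 'No principal in keytab matches desired
    name': is there any key for exactly this principal name?"""
    return any(e["principal"] == principal for e in parse_keytab(data))


# Constructed sample: what /etc/krb5.keytab might hold after the ktadd step
# in the thread (dummy keys, assumed names).  kvno 300 shows why the 32-bit
# extension matters: the 8-bit field alone would read back as 44.
SAMPLE_KEYTAB = build_keytab([
    ("host/client.example.com@EXAMPLE.COM", 3,
     ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32)), 1205953200),
    ("nfs/client.example.com@EXAMPLE.COM", 300,
     ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64)), 1205953260),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):      # the fields klist -kte prints
        print(e["kvno"], e["principal"], e["enctype"])
    print(keytab_has(SAMPLE_KEYTAB, "HTTP/www.example.com@EXAMPLE.COM"))
```

keytab_has is the check behind Nitin's error: acceptor credentials are acquired for the exact name requested, so an entry for host/... does not satisfy a request for HTTP/..., and a wrong realm or a non-FQDN instance fails the same way. The keys in the file are the service's long-term secrets, which is why ktadd needs to write /etc/krb5.keytab as root (Tim's sudo) and why the file should stay readable by root only.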

RE: pkinit client build in windows

2008-03-19 Thread Eswar S


I think the problem is in accessing global shared variables on Windows. I have
built with the OPENSSL_EXPORT_VAR_AS_FUNCTION preprocessor definition also.
Item pointer values are not getting initialized. I am doing all these in VC
2005.

I am using the correct openssl 0.9.8g dll and lib.
I have built these with the ms\32all.bat script from openssl.

Please suggest how to solve this.



-Original Message-
From: Danny Mayer [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 16, 2008 11:58 PM
To: Eswar S
Cc: kerberos@mit.edu
Subject: Re: pkinit client build in windows

Eswar S wrote:
>  
> 
> I am trying to use pkinit preauth in windows (openssl 0.9.8g).
> 
> I am facing some problem when I try to encode auth attributes to sign.
> 
> When I try to encode signed attributes to DER using the ASN1_item_i2d API.
> 
>  
> 
> ASN_ITEM pointer is not getting correct values; it is crashing in
libeay.dll,
> 

That almost certainly is an indication that there is a mismatch between 
the library that the code was linked with and the dll used at runtime. 
Make sure you are using the right DLL.

Danny
> 
> ASN1_ITEM_rptr (PKCS7_ATTR_SIGN) is one of the inputs for ASN1_item_i2d
API.
> 
>  
> 
> I am thinking PKCS7_ATTR_SIGN_it is the problem.
> 
>  
> 
> In the openssl code the ASN_ITEM function values are coming back NULL (aux
> values are leading to this problem).
> 
>  
> 
> Can any one give some suggestion how to solve this problem.
> 
>  
> 
> Regards,
> 
> Eswar S


