Re: leaking rcache opens in gss_accept_sec_context

2011-07-20 Thread Benjamin Coddington
On Jul 20, 2011, at 1:07 AM, Greg Hudson wrote:
> On Tue, 2011-07-19 at 16:21 -0400, Benjamin Coddington wrote:
> > gss_acquire_cred
> > gss_accept_sec_context
> > gss_export_lucid_sec_context
> > gss_delete_sec_context
> >
> > I found that before we got to gss_delete_sec_context(), we had already
> > tried to clean up the context in gss_krb5_export_lucid_sec_context()
> > - krb5_gss_delete_sec_context(), which fails with G_VALIDATE_FAILED.
> > It also sets the context to GSS_C_NO_CONTEXT, so once we get to
> > gss_delete_sec_context(), context validation fails there too.
>
> Aha.  Yes, that's the bug you found a reference to.  (And thank you for
> explaining why that bug wasn't resulting in gssd crashes for everyone in
> previous releases.  I had forgotten about the pointer validation code.)
> I've attached the patch which is due for krb5 1.9.2.
>
> gss_delete_sec_context should be unnecessary when
> gss_export_lucid_sec_context succeeds.  Of course, it's harmless given
> the way GSS handles contexts (nulling out the pointer when they are
> released).
>
> patch.txt

Thank you, Greg.  I can confirm that this fixes the problem we were seeing.

It also fixes a leak when running without '-n', which was less obvious because 
we didn't open a new handle to the rcache each time.

Ben

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Kerberos configuration issue

2011-07-20 Thread Rusanov, Dmitry
Hello,

Can I post a configuration issue here?


Best regards
Dmitry




web administration for KRB5?

2011-07-20 Thread Jimmy
Is there a web admin interface that can be added to MIT kerberos to
ease the addition of users? Currently I have a menu interface (to
add/remove users and systems in krb5) for a project I'm working on but
the project requirements specify a web interface. We have attempted to
use GoSA, and Fusion (a fork of GoSA) to no avail. Webmin has a KRB5
client module but no administration interface that I can find. Any
other ideas?

Thanks.



Re: web administration for KRB5?

2011-07-20 Thread Natxo Asenjo
On Jul 20, 2011 10:58 PM, Jimmy g17ji...@gmail.com wrote:

> Is there a web admin interface that can be added to MIT kerberos to

You could try freeipa from freeipa.org.




error Wrong principal in request

2011-07-20 Thread Rusanov, Dmitry
Hi,

Can someone help me troubleshoot this error in the Apache log:


[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(994): [client 192.168.20.17] Using HTTP/itgc-merc.msk.mts...@msk.mts.ru as server principal for password verification
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(698): [client 192.168.20.17] Trying to get TGT for user m...@msk.mts.ru
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(609): [client 192.168.20.17] Trying to verify authenticity of KDC using principal HTTP/itgc-merc.msk.mts...@msk.mts.ru
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(652): [client 192.168.20.17] krb5_rd_req() failed when verifying KDC
[Mon Jul 11 10:27:18 2011] [error] [client 192.168.20.17] failed to verify krb5 credentials: Wrong principal in request
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(698): [client 192.168.20.17] Trying to get TGT for user m...@mts.ru
[Mon Jul 11 10:27:18 2011] [error] [client 192.168.20.17] krb5_get_init_creds_password() failed: Realm not local to KDC
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(1073): [client 192.168.20.17] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(1628): [client 192.168.20.17] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Jul 11 10:27:18 2011] [debug] src/mod_auth_kerb.c(1566): [client 192.168.20.17] matched previous auth request

It is SSO with Apache + Kerberos.

Best regards,
Dmitry

