Re: new 1.10 krb5_init_context_profile

2012-02-16 Thread Jeffrey Altman
On 2/16/2012 12:55 AM, Chris Hecker wrote:

> I only do this on Win32, where I statically link krb5, so I don't know if
> the libprofile version on linux would have to have other changes to make
> the prof functions available.  I have to include profile.h in kinit.c as
> well, obviously.
> 

In my opinion, this patch is at the wrong abstraction layer. The
profile library should be modified to support a REG: profile type as is
done in Heimdal. Applications should not have to be changed.

Jeffrey Altman




Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: a question on Kerberos TGS name

2012-02-16 Thread Mantas Mikulėnas
On 2012-02-16 12:07, luxInteg wrote:
> thanks 
> Now the manpage for x509 has this excerpt on setting subjectAltName
> in certificates
> -
> Examples: 
>  subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
>  subjectAltName=IP:192.168.7.1
>  subjectAltName=IP:13::17
>  subjectAltName=email:my@other.address,RID:1.2.3.4
>  subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
> --
> i.e. there are URLs for email:, IP: and I think there is one for DNS:
> But with a label such as 
> krbtgt/REALMNAME@REALMNAME
> 
> I am unsure if the 5th line above applies { and/or how}. So I would be
> grateful for an explanation on how
> subjectAltName or otherName is set in openssl.cnf
> (for krbtgt/REALMNAME@REALMNAME )

It's otherName, but far more complex, unfortunately. See this example,
both [kdc_cert] and [client_cert] sections:



-- 
Mantas Mikulėnas 

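As an added example (not the link from the reply above, and not code from any project), here is an openssl.cnf fragment in the shape the MIT krb5 PKINIT documentation describes: the Kerberos principal is carried in an id-pkinit-san (OID 1.3.6.1.5.2.2) otherName whose value is a nested SEQUENCE, so it cannot be written on one subjectAltName line the way email: or DNS: can. The realm and client principal are taken from the REALM and CLIENT environment variables (assumed names; set them before running openssl).

```ini
# KDC certificate: SAN encodes krbtgt/REALM@REALM, name-type NT-SRV-INST (2),
# EKU is id-pkinit-KPKdc so clients can tell a KDC cert from a client cert.
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

# KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq

# PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF }
[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals

# name-string components of krbtgt/REALM
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}

# Client certificate: SAN encodes CLIENT@REALM, name-type NT-PRINCIPAL (1),
# EKU is id-pkinit-KPClientAuth.
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq

[principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals

[principals]
princ1=GeneralString:${ENV::CLIENT}
```

After signing, `openssl x509 -in kdc.pem -noout -text` shows the SAN only as an opaque otherName; check the encoded principal with `openssl asn1parse` if the KDC rejects the certificate.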


Re: a question on Kerberos TGS name

2012-02-16 Thread steve
On 02/16/2012 07:55 AM, Greg Hudson wrote:
> On 02/15/2012 08:56 PM, luxInteg wrote:
>> My question is what is the "Kerberos TGS name"  for a kdc? Is it
>> krbtgt/REALNAME or krbtgt/fdqn@REALNAME  or some such?
> It's krbtgt/REALMNAME@REALMNAME.
> 
Hi.

We have krbtgt/REALM@REALM

cat /etc/krb5.conf
[libdefaults]
 default_realm = HH3.SITE
 dns_lookup_realm = false
 dns_lookup_kdc = true

Here is a domain user steve2 logging on in the realm HH3.SITE:

Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.3:58331 for 
krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ste...@hh3.site
Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.3:60184 for 
krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
Kerberos: ENC-TS Pre-authentication succeeded -- ste...@hh3.site using 
arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-02-16T11:51:38 starttime: unset endtime: 
2012-02-16T21:51:38 renew till: 2012-02-17T11:51:38
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using 
arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

HTH,
Steve



Re: a question on Kerberos TGS name

2012-02-16 Thread luxInteg
On Thursday 16 February 2012 06:55:17 Greg Hudson wrote:
> On 02/15/2012 08:56 PM, luxInteg wrote:
> > My question is what is the "Kerberos TGS name"  for a kdc? Is it
> > krbtgt/REALNAME or krbtgt/fdqn@REALNAME  or some such?
> 
> It's krbtgt/REALMNAME@REALMNAME.


thanks 
Now the manpage for x509 has this excerpt on setting subjectAltName
in certificates
-
Examples: 
 subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
 subjectAltName=IP:192.168.7.1
 subjectAltName=IP:13::17
 subjectAltName=email:my@other.address,RID:1.2.3.4
 subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
--
i.e. there are URLs for email:, IP: and I think there is one for DNS:
But with a label such as 
krbtgt/REALMNAME@REALMNAME

I am unsure if the 5th line above applies { and/or how}. So I would be
grateful for an explanation on how
subjectAltName or otherName is set in openssl.cnf
(for krbtgt/REALMNAME@REALMNAME )

thanks in advance

sincerely
luxInteg
