Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

2016-08-29 Thread Jordan Soet
Thanks for the help. When I looked at the output, it contained mech
1.3.6.1.5.2.5, which I guess is GSS_IAKERB_MECHANISM ... Looking into that,
I think I had a somewhat similar problem to this:
http://stackoverflow.com/questions/23759016/spnego-kerberos-no-credential-found-error-with-requests-from-linux-client

But it wasn't a problem with my reverse DNS - that was set up properly;
the problem was some errant capitalization of the service principal in
the KDC database. When I looked at the Wireshark output I saw that the
TGS-REQ was failing with an "UNKNOWN_SERVER" error, and looking into
that a bit more I realized I had a problem with the name. When using AD I
had had an SPN with CamelCase and that hadn't caused a problem, but with
the MIT KDC it did, which was a stupid problem that I should've figured
out.

Thanks for your help :)

Thanks,

Jordan Weitman-Soet
Safer Payments Software Developer


From: Rick van Rein
To: Jordan Soet/CanWest/IBM@IBMCA
Cc: kerberos@mit.edu
Date: 08/27/2016 05:03 AM
Subject: Re: GSS_S_CONTINUE_NEEDED when doing Kerberos authentication?

Hi Jordan,

> I looked into it, but my negotiate messages look like this:
>
> "Negotiate YIID..." which I think means that they're Kerberos messages?

You should base64-decode it [Section 4.1 of RFC 4559] and dump that as
GSSAPI content which, at least in this early phase, is DER-encoded.  You
should make a dump of the decoded binary content with a tool like "openssl
asn1parse" with a few layout options or, for much more/better information,
with my Python script on
https://github.com/vanrein/hexio/blob/master/derdump

There will be a number of OIDs to signal the content following; these you can
look up on duckduckgo.com.  You should see a general offer packet providing
the available mechanisms, followed by one that it takes as a proactive guess
-- normally Kerberos.

If you're still confused, you could also try sending the output here.

-Rick

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
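The base64-decode-and-dump step Rick describes above, as an added example that is not from the thread or from the hexio project: a small Python DER walker that lists every mechanism OID in an HTTP Negotiate token, including the one inside the optimistic mechToken, and names the ones seen in this thread (IAKERB is 1.3.6.1.5.2.5). The SPNEGO token it parses is constructed by hand in the block, not a capture.

```python
import base64

# Mechanism OIDs commonly seen in HTTP Negotiate tokens (dotted form -> name)
KNOWN_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS KRB5", "1.3.6.1.5.2.5": "IAKERB",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _read_len(buf, i):  # DER length at buf[i] -> (length, index of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
def decode_oid(body):  # OBJECT IDENTIFIER content octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0  # first arc is 0 or 1 for every OID here
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def walk_oids(buf):  # walk DER TLVs depth-first, return every OID in document order
    oids, i = [], 0
    while i < len(buf):
        tag = buf[i]
        length, start = _read_len(buf, i + 1)
        body = buf[start:start + length]
        if tag == 0x06:
            oids.append(decode_oid(body))
        elif tag & 0x20 or (tag == 0x04 and body[:1] == b"\x60"):
            # constructed element, or an OCTET STRING wrapping a nested GSS token (mechToken)
            oids.extend(walk_oids(body))
        i = start + length
    return oids

def negotiate_mechs(header_value):  # 'Negotiate <base64>' -> [(oid, name)] the client offered
    token = base64.b64decode(header_value.split(None, 1)[1])
    return [(o, KNOWN_OIDS.get(o, "unknown")) for o in walk_oids(token)]

# Constructed sample (not a real capture): a minimal SPNEGO NegTokenInit built by hand.
def _tlv(tag, body):  # short-form DER length is enough for this small sample
    return bytes([tag, len(body)]) + body
SPNEGO, KRB5 = bytes.fromhex("06062b0601050502"), bytes.fromhex("06092a864886f712010202")
MSKRB5, IAKERB = bytes.fromhex("06092a864882f712010202"), bytes.fromhex("06062b0601050205")
def sample_header():
    mech_types = _tlv(0xA0, _tlv(0x30, KRB5 + MSKRB5 + IAKERB))        # [0] mechTypes
    ap_req = _tlv(0x6E, _tlv(0x04, b"AP-REQ stand-in"))                # fake [APPLICATION 14]
    krb_token = _tlv(0x60, KRB5 + b"\x01\x00" + ap_req)                # optimistic Kerberos token
    init = _tlv(0x30, mech_types + _tlv(0xA2, _tlv(0x04, krb_token)))  # [2] mechToken
    return "Negotiate " + base64.b64encode(_tlv(0x60, SPNEGO + _tlv(0xA0, init))).decode()
```

Feed `negotiate_mechs()` the value of a real `Authorization: Negotiate ...` header to see which mechanisms the client offered and which one its first mechToken actually used; a browser token is much larger than the sample, but the walker handles long-form lengths too.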


Re: Bind kerberos daemons to a specific IP address

2016-08-29 Thread C. L. Martinez
On Mon 29.Aug'16 at 11:08:31 -0400, Greg Hudson wrote:
> On 08/29/2016 04:29 AM, C. L. Martinez wrote:
> > Hi all,
> > 
> >  I have set up two Kerberos servers (slave and master) in a pair of CentOS 7 
> > hosts, all is working perfectly. But I need to bind Kerberos daemons to a 
> > specific IP address on these hosts. I don't see any option to accomplish 
> > this. Can I assign an IP address?
> > 
> >  Kerberos release is 1.13 in both hosts.
> 
> That functionality is present in the master branch, and will be in the
> forthcoming 1.15 release.  You can't do it with 1.13; you'll need to use
> separate port numbers instead.
> 

Many thanks Greg for the info.

-- 
Greetings,
C. L. Martinez


Re: Bind kerberos daemons to a specific IP address

2016-08-29 Thread Greg Hudson
On 08/29/2016 04:29 AM, C. L. Martinez wrote:
> Hi all,
> 
>  I have set up two Kerberos servers (slave and master) in a pair of CentOS 7 
> hosts, all is working perfectly. But I need to bind Kerberos daemons to a 
> specific IP address on these hosts. I don't see any option to accomplish 
> this. Can I assign an IP address?
> 
>  Kerberos release is 1.13 in both hosts.

That functionality is present in the master branch, and will be in the
forthcoming 1.15 release.  You can't do it with 1.13; you'll need to use
separate port numbers instead.


Re: [EXTERNAL] Re: FAST OTP

2016-08-29 Thread Machin, Glenn D
Thanks I will look into using sssd.

> RHEL 7 also has IdM (open source project is FreeIPA
>http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
>as part of its domain controller offering which is free.

Dmitri – thanks, however we already have an IDM with Kerberos, LDAP, DNS 
management and keytab generation and management services.  If I was starting 
from scratch using FreeIPA would be a no brainer.

Appreciate the help.


Glenn


On 8/28/16, 3:57 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" wrote:

On 08/27/2016 09:10 PM, Machin, Glenn D wrote:
> Thanks to Dio I was able to get the Pkinit Anonymous working to enable
> the armor key. I noticed that RedHat 7 supports OTP in Kerberos and the
> kinit works fine. You do need to force TCP for Kerberos, since the radius
> transaction can take longer than a second to complete at times. Using UDP
> I was getting a failure on the RH7 system (a VM on my laptop) because the
> initial AS_REQ did not complete until after a second AS_REQ was sent,
> which failed, while the first came back successful.
>
> Next step was to be able to use it for login/sudo. I modified the
> pam_krb5 step to below in system-auth. What I see on the KDC are only
> encrypted timestamp preauth.
>
> Can RHEL7 pam_krb5 do OTP?
>
> auth [success=done authinfo_unavail=ignore new_authtok_reqd=ok ignore=ignore default=die] pam_krb5.so no_initial_prompt no_subsequent_prompt armor=true armor_strategy=pkinit

SSSD rather than pam_krb5.
https://fedorahosted.org/sssd/

You in fact need to use TCP for the reasons you described, and SSSD does
it for you.
RHEL 7 also has IdM (open source project is FreeIPA
http://www.freeipa.org/page/Main_Page) that includes MIT Kerberos server
as part of its domain controller offering which is free.
All the manual things you are exploring now are taken care of for you in
RHEL 7, Fedora and CentOS using IdM/FreeIPA and its client that
configures SSSD, Kerberos client, DNS and other parts of the system.

Thanks
Dmitri

>
> Any help would be appreciated.
>
>
> Glenn
>
>
> On 8/26/16, 4:09 PM, "kerberos-boun...@mit.edu on behalf of Dmitri Pal" wrote:
>
> On 08/26/2016 04:38 PM, Diogenes Jesus wrote:
> >
> >> I was able to configure a krb5-1.14.2 KDC to use FAST OTP with an
> >> RSA Authentication Manager Radius server.
> >>
> >> I have a couple of questions:
> >>
> >> · FAST requires an existing ticket cache.  If you need a
> >> TGT to get a FAST OTP TGT how do you do that?
> > One way is to enable Anonymous support
> > (http://k5wiki.kerberos.org/wiki/Anonymous_kerberos) - DONT forget to restrict
> > anonymous to tgt only on your kdcs!
> >
> > Dio
> >
> OK you can use host key to armor the FAST tunnel for a client system if
> your host is also a part of the Kerberos realm.
> You can check FreeIPA project, there all these pieces are integrated and
> automated.
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Director, Identity Management and Platform Security
> Red Hat, Inc.
>


-- 
Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.



Bind kerberos daemons to a specific IP address

2016-08-29 Thread C. L. Martinez
Hi all,

 I have set up two Kerberos servers (slave and master) in a pair of CentOS 7 
hosts, all is working perfectly. But I need to bind Kerberos daemons to a 
specific IP address on these hosts. I don't see any option to accomplish this. 
Can I assign an IP address?

 Kerberos release is 1.13 in both hosts.

Thanks

-- 
Greetings,
C. L. Martinez
