Re: Protocol benchmarking / auditing inquiry

2024-02-14 Thread Christopher D. Clausen
I have used this as a guide, but I think MIT Kerberos version 1.10 is 
the latest available:

https://www.cisecurity.org/benchmark/mit_kerberos

Not sure if this is what you are looking for or not.

> Preferably something smaller and more focused than nmap or OpenSCAP.

From: Brent Kimberley
Sent: Wednesday, February 14, 2024 12:44 PM
To: kerberos@mit.edu
Subject: Protocol benchmarking / auditing inquiry

Hi.
Can anyone point me to some methods to benchmark and/or audit Kerberos v5?

For example, SSH:
Manual
   Read the RFCs and specs.
Semi-automatic
   jtesta/ssh-audit: SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) (github.com)
Automatic
   SSH Configuration Auditor (ssh-audit.com)


TLS example upon request.



Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Constraint Delegation with MIT Kerberos

2019-04-05 Thread Christopher D. Clausen
For Active Directory:
https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview


> I did not get a response from anybody.  Does anybody have instructions for
> setting up Constraint Delegation on any platform?
> 
> Thanks,
> Joseph
> 
> -Original Message-
> From: kerberos-boun...@mit.edu  On Behalf Of 
> Jeffries, Joseph L
> Sent: Wednesday, April 3, 2019 8:47 AM
> To: kerberos@mit.edu
> Subject: Constraint Delegation with MIT Kerberos
> 
> Hello All,
> I am new to Kerberos and I am trying to setup Constraint Delegation with MIT 
> Kerberos.  I do have Full\Open Delegation working, but one of the servers 
> (Microsoft Power BI Server OnPrem) requires Constraint Delegation.  I have 
> not found instructions for setting Constraint Delegation up in a Windows 
> server environment.  Could someone share the instructions, if they exist, or
> provide me the steps to make this work?
> 
> Thank you in advance!
> 
> Joseph



Re: Windows KDC - Delegation Option

2014-02-10 Thread Christopher D. Clausen
Try checking the Account is sensitive and cannot be delegated option 
in the user properties and see if that does what you want.  (I'm not 
sure if it will or not, but I believe this is the option actually 
intended to prevent Kerberos delegation.)

CDC

Vipul Mehta wrote, On 2/10/2014 12:50 AM:
 Hi,

 Scenario : User A forwards his credentials to User B. User B uses the
 forwarded credentials to interact with User C on behalf of user A.
 [Delegation]

 In windows KDC there is delegation option associated with user properties.
 I've set it to Do not trust this user for delegation for User B i.e. User
 B will not be able to use delegated credentials.

 In Windows SSPI API, it works fine and User B is not able to use delegated
 credentials.

 But the option doesn't seem to be having any impact in MIT Kerberos API in
 C++. User B is able to use A's forwarded credentials to establish security
 context with User C.

 Is this a problem from KDC side ? Any solution for this ?




Re: Streamlining host principal keytab provisioning?

2012-04-24 Thread Christopher D. Clausen
I'm not using this myself (I create keytabs as needed manually using 
ktpass.exe against AD) but this may be of interest to some of you:
http://www.eyrie.org/~eagle/software/wallet/

One of the object types it supports is Kerberos keytabs, making it 
suitable as a user-accessible front-end to Kerberos kadmind with richer 
ACL and metadata operations

CDC

Sebastian Galiano sebastian.gali...@spilgames.com wrote:
 True, I'm also looking for a solution for that. I was thinking if it
 will be possible to do with puppet, but I'm not yet sure.
 
 From: kerberos-boun...@mit.edu [kerberos-boun...@mit.edu] on behalf
 of Jeff Blaine [jbla...@kickflop.net]
 Sent: 24 April 2012 15:06
 To: kerberos@mit.edu
 Subject: Streamlining host principal keytab provisioning?

 How are people provisioning host principal keytabs in
 large quantities? I've never really seen anyone discuss
 this. It's not 1988 anymore ;)




Re: trouble deciding which kerberos flavor

2010-10-25 Thread Christopher D. Clausen
Ken Dreyer ktdre...@ktdreyer.com wrote:
 On Thu, Oct 21, 2010 at 1:10 PM, eric krb.h...@hopevaleufsd.org wrote:
 I just want to know any differences that MIT and Heimdal have with each
 other:

 I think someone at the 2010 Kerberos Conference summarized it this way:

 MIT is likely to be what your OS vendor ships. Heimdal has more features.

I'd say that depends on the features you want.

Unless my information is out of date, MIT KDCs support policies where you 
can setup groups of principals with different security requirements (like 
say, students, faculty, staff, hosts, services, etc.) and then customize 
password length, strength, expiration and other settings for each of these 
groups.  In Heimdal this needs to be set on each principal which makes it 
really annoying to change after initial account creation.

CDC




Re: Problem with kerberos - kvno getting bumped..

2010-10-25 Thread Christopher D. Clausen
That blog doesn't say what you think it says, and I suspect it is referring 
to domain joined Windows computers, not pure Kerberos non-Windows ones.

You'll note that when the CLIENT initiates a password change, the kvno is 
incremented.  This happens with any flavor of Kerberos.  The (client) 
computer should know the new password and update the keytab if it is 
changing the computer account password.

The real question is, what is changing the password on the account that you 
are using in the keytab?  Are you using something like samba instead of pure 
Kerberos utilities?

My Linux systems (with Windows AD as a KDC) do not have their kvnos 
randomly incremented; it happens only when I knowingly do a password/keytab 
change.

If you have some unknown process changing your Kerberos passwords, you 
really need to find out what is doing that.

If you are trying to share a single account for a Windows and a Linux 
computer, don't do that.  Give each computer (and each service) its own 
principal within AD or at least realize the consequences of sharing them.

CDC

Karuppiah, Deepak dkarupp...@microstrategy.com wrote:
 The password is indeed reset automatically as per this blog article from
 MSFT folks which explains the increments in KVNO.

 http://blogs.msdn.com/b/openspecification/archive/2009/11/13/to-kvno-or-not-to-kvno-what-is-the-version.aspx

 I am not certain if that is true if the Linux box is turned off.
 Thanks,
 -Deepak

 -Original Message-
 From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On
 Behalf Of Eric Youngdale
 Sent: Wednesday, October 20, 2010 12:37 PM
 To: kerberos@MIT.EDU
 Subject: Problem with kerberos - kvno getting bumped..


 I have a Linux (Ubuntu) box joined to a Windows domain (I
 believe the domain controllers are server 2003) so I can use Kerberos
 authentication.  Initially everything is working fine - I can ssh into
 the box using gssapiauthentication.



 After some number of days, this stops working however.   I
 would find that I could re-generate the keytab and the problem would go
 away for a while and eventually come back.   The most recent time I
 noticed that it stopped working on a Monday morning - implying perhaps
 that something changed over a weekend.



 I build the Kerberos libraries with optimization turned off so I could
 step through, and what became clear was that the KVNO for the machine
 account had changed - in AD the number was now 30, but the keytab had a
 KVNO of 24.  So it wasn't just one bump - there were several (the keys
 were generated on 09/25/10).



 At this point, I don't know *why* the kvno is changing.   Right now I
 have a script running that polls the KVNO every 5 minutes so I can see
 exactly when the thing changes - once I have a time, I can start looking
 at logs (both on the Linux box and perhaps even on the domain
 controller).   For that matter, I could probably shut down the Linux box
 for a few weeks to see whether the KVNO bumps happen without the machine
 being up or not.



 Does anyone have anything else to suggest for what I should
 be looking for?



 -Eric


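Added example, not from the thread or from MIT Kerberos: the check Eric was doing by hand, comparing the kvno stored in the keytab with the kvno the KDC currently issues for the host principal, by parsing `klist -kte` and `kvno` output. The principal name and both output samples below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect keytab/KDC kvno drift, the
# situation Eric describes (keytab at kvno 24 while AD had moved to 30).
# Real use, which needs a TGT for kvno to work:
#   check_kvno_drift "$PRINC" "$(klist -kte)" "$(kvno "$PRINC")"

PRINC='host/ubuntu-box.example.com@EXAMPLE.COM'

# Constructed `klist -kte` output: two enctypes at kvno 24, one stale entry at 23.
KEYTAB_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
  23 09/01/10 09:00:00 host/ubuntu-box.example.com@EXAMPLE.COM (arcfour-hmac)
  24 09/25/10 10:00:00 host/ubuntu-box.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  24 09/25/10 10:00:00 host/ubuntu-box.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed `kvno` output after several password resets on the KDC side.
KDC_SAMPLE='host/ubuntu-box.example.com@EXAMPLE.COM: kvno = 30'

# Highest kvno stored for a principal in klist -kte output; prints 0 if absent.
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ {                 # data rows start with a numeric KVNO
            for (i = 2; i <= NF; i++)
                if ($i == p && $1 + 0 > max) max = $1 + 0
        }
        END { print max }'
}

# kvno the KDC currently issues, from "principal: kvno = N" lines; prints 0 if absent.
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1:" '
        $1 == p && $2 == "kvno" { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# Returns 0 when the keytab can decrypt current service tickets, 1 when it is
# stale or the principal is missing on either side.
check_kvno_drift() {
    princ="$1"
    kt=$(keytab_kvno "$princ" "$2")
    kdc=$(kdc_kvno "$princ" "$3")
    if [ "$kt" -eq 0 ]; then
        echo "$princ: not present in keytab"
        return 1
    fi
    if [ "$kdc" -eq 0 ]; then
        echo "$princ: KDC did not return a kvno"
        return 1
    fi
    if [ "$kt" -ne "$kdc" ]; then
        echo "$princ: keytab kvno $kt != KDC kvno $kdc (regenerate the keytab, then find what reset the password)"
        return 1
    fi
    echo "$princ: keytab kvno $kt matches KDC"
    return 0
}

# With the constructed samples this reports the drift from the thread.
if ! check_kvno_drift "$PRINC" "$KEYTAB_SAMPLE" "$KDC_SAMPLE"; then
    : # drift detected; a real script would alert or re-provision here
fi
```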


Re: What are the issues with dns_lookup_realm ?

2010-10-11 Thread Christopher D. Clausen
Brian Candler b.cand...@pobox.com wrote:
 The error message from /var/log/http/ssl_error_log was unhelpful:

 [Mon Oct 11 11:20:17 2010] [error] [client 172.31.131.185]
 krb5_verify_init_creds() failed: Key table entry not found

 What was even more odd, if I did a 'su' to the apache user, I was able to
 'kinit' using one of the usernames/passwords which apache was rejecting as
 Basic Auth credentials. Surely mod_auth_kerb should be doing the same??

There is more to it than just a kinit, unless you have KrbVerifyKDC off 
which you shouldn't b/c it can be a security problem.  Mod_auth_kerb is just 
blindly trusting that ANY successful Kerberos reply comes from your KDC with 
this turned off.  When it is on, it uses its keytab to verify that the KDC 
that responded is legit and not one an attacker set up.

 [snip]
 The fact that adding the DNS record fixed things suggests that it was a
 hostname-to-realm mapping issue. But I'd really like to know what
 principal
 it was looking for when I got the Key table entry not found error
 message.

The requested service principal name would likely be logged on the KDC when 
apache tries to authenticate users and produces this message.

CDC 




Re: Using ksu/sudo with Kerberos

2010-10-04 Thread Christopher D. Clausen
Russ Allbery r...@stanford.edu wrote:
 Brian Candler b.cand...@pobox.com writes:

 (1) create separate principals for each user who should have root access,
 e.g.
   candl...@foo.example.com
   candlerb/ad...@foo.example.com

 Then map */admin to the root account using auth_to_local, and people
 can use ksu to switch.

 We do this, except we use .k5login with a specific list of principals that
 should have access to root.  I wouldn't use auth_to_local for...

Note that depending upon your SSH setup, adding user principals to root's 
.k5login (or auth_to_local rules) might allow one to login directly as root 
on the system via SSH.  In general, that is exactly what I prefer to do:

ssh r...@machine gets me in as root but logs that cclausen (or 
cclausen/admin) made the connection.  Of course it doesn't log every 
individual action, but IIRC neither does ksu.

I have PermitRootLogin set to without-password in sshd_config so that 
Kerberos is allowed but not password based auth for the root user.

CDC




Re: MIT kdc with Windows 7 pc

2010-09-21 Thread Christopher D. Clausen
Jean-Yves Avenard jyaven...@gmail.com wrote:
 Am I to understand that it is not currently possible to authenticate
 on a windows machine using a MIT kerberos KDC ? It would be a good
 windows domain replacement

I sort-of have this working, although this is probably different than your 
setup.

UIUC.EDU is an MIT Kerberos realm.  Our Windows domain, AD.UIUC.EDU has a 
trust with UIUC.EDU and we have the proper altSecurityIdentifier field 
configured on the user accounts within Active Directory.

I had to allow single DES for the Windows 7 computer as Windows trusts from 
AD to non-Windows KDCs were single DES only at the time our trust was setup:
The Configure encryption types allowed for Kerberos policy setting is 
located in Computer Configuration\Security Settings\Local Policies\Security 
Options.  (I think this is in secpol.msc.)

Once single DES was enabled, I ran the appropriate ksetup /addkdc commands 
and I can now login using my cclau...@uiuc.edu Kerberos principal on a 
computer joined to AD.UIUC.EDU.

-

If you are attempting this on a stand-alone computer not also joined to a 
Windows domain, I believe that Windows 7 REQUIRES having computer password 
set to the same service principal password on the KDC side for the computer 
to be able to authenticate the KDC itself.  Windows XP did not have this 
requirement.

CDC




Re: Kerberos troubles

2010-09-21 Thread Christopher D. Clausen
Jean-Yves Avenard jyaven...@gmail.com wrote:
 I have now identified the cause of the issue.
 When using mod_auth_kerb with MIT krb5 v1.6.x it works perfectly
 with krb5 1.7 and 1.7.1 same.
 However, I get this GSS-API major_status:000d,
 minor_status:000186a3 error whenever I use MIT 1.8.x kerberos
 libraries (tested with 1.8.1 and 1.8.3)

I'm guessing you need to enable single DES encryption types on the KDCs, the 
web server and the clients.

You should look into the allow_weak_crypto = true in the [libdefaults] 
section of krb5.conf

CDC




Re: Any way to propagate db

2010-06-02 Thread Christopher D. Clausen
Russ Allbery r...@stanford.edu wrote:
 Simo Sorce sso...@redhat.com writes:
 Ah sorry, I thought he wanted to use them as completely alternative
 users. If you do map each MIT principal to an existing Windows user then
 it does work, although it seem to make sense only as a transition tool
 to me.

 It's the way that we have our production realms at Stanford configured and
 have for quite some time.  For large sites, I'm a big advocate of running
 both AD and UNIX KDCs with cross-realm trust and making them
 interchangeable from the user perspective.  It gives you lots of useful
 flexibility in deploying applications.

I advocate just using the Active Directory realm.  It is much, much simpler 
to troubleshoot when there is no cross-realm involved, especially when 
different groups operate the different realms.

Other than some solvable issues of generating keytabs on non-Windows 
platforms, I can't think of a reason why someone would want to make more 
work for themselves with multiple realms.

What problem are you trying to solve by setting up a cross-realm trust?

CDC




Re: Win 2008R2 kdc and linux client: no support for encryption typewhile getting initial credentials - SOLVED

2010-03-23 Thread Christopher D. Clausen
John Jasen jja...@realityfailure.org wrote:
 Michael B Allen wrote:

 Actually I would not be surprised if that hot fix is never made
 public. DES is being phased out. If you have any Windows accounts that
 use DES, you should update them to AES-256, AES-128 or RC4 in that
 order of preference.

 I'd have to check again, but I think linux-nfs still uses DES.

OpenAFS also requires single DES, which is what the original poster is 
using based on a similar message sent to the openafs mailing list.

CDC




Re: Kerberos help required.

2010-03-23 Thread Christopher D. Clausen
Jeremy Hunt jere...@optimation.com.au wrote:
 On 23/03/2010 3:18 PM, Sayali Patankar wrote:
 I require some help in understanding Kerberos. I am very new to this
 concept and hence required help in some basic commands. 
 My application uses Kerberos and I wanted to know whether there is some
 unix command which I can execute to know which vendor/version of
 Kerberos I have installed on my unix box.  
 
 I don't think there is a good way, you could try either of these:
 strings "$(command -v kinit)" | less
 strings "$(command -v kpasswd)" | less
 
 You have to manually look at the strings displayed in your less screen.
 MIT kerberos usually has at least krb5_MIT on one of the lines. I have
 no idea what you would see with other vendors.

You could try this command: krb5-config --all

May not be available with all Kerberos versions though.

CDC




Re: remctld on windows

2010-02-26 Thread Christopher D. Clausen
Jason Edgecombe ja...@rampaginggeek.com wrote:
 We want to have a tool for our help desk students to list and kill
 processes for other users on workstations along with being able to
 trigger a remote shutdown or reboot.

Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows 
systems and already do this, assuming you have the proper admin share 
access enabled on the remote system.

The more generic psexec.exe is available from sysinternals:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
and the Linux version of it at:
http://eol.ovh.org/winexe/

There is also the wmic.exe command and its associated options:
http://technet.microsoft.com/en-us/library/bb742610.aspx

CDC




Re: remctld on windows

2010-02-26 Thread Christopher D. Clausen
Jason Edgecombe ja...@rampaginggeek.com wrote:
 Christopher D. Clausen wrote:
 Jason Edgecombe ja...@rampaginggeek.com wrote:
 We want to have a tool for our help desk students to list and kill
 processes for other users on workstations along with being able to
 trigger a remote shutdown or reboot.

 Tasklist.exe, taskkill.exe and shutdown.exe are already on Windows
 systems and already do this, assuming you have the proper admin share
 access enabled on the remote system.

 The more generic psexec.exe is available from sysinternals:
 http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
 and the Linux version of it at:
 http://eol.ovh.org/winexe/

 There is also the wmic.exe command and its associated options:
 http://technet.microsoft.com/en-us/library/bb742610.aspx

 Can this be run by a non-privileged user without needing the admin
 password?
 I need a kind of remote sudo to do the task list and such, preferably
 cross-platform. We have an in-house system that I would like to
 replace for various reasons.

I am fairly certain you can grant the ability to force shutdown from a 
remote system without needing a user to be in the Administrators group 
on a system.  Not sure about the other commands.  I'd hope not just 
anyone could start killing my processes though, that would be bad.

-

You could have remctld on non-windows call commands using 
http://eol.ovh.org/winexe/ with the appropriate parameters passed in. 
This actually might be simpler as you could keep the credentials used 
for authentication on the single system running remctld and ACL commands 
there to subsets of computers instead of needing to configure remctld on 
every computer.

In theory the user on the remctl side only needs permission to make the 
call through remctld and it will have embedded credentials to access the 
system.

CDC




Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
The error list in netstat (as well as in the other email that you sent) 
seems reasonable for a machine that has been up for a period of time. 
Setspn output looks reasonable as well.

Have you tried just un-joining and re-joining the computer account in 
question to the domain?  This usually fixes the problem in my 
experience, assuming there isn't some actual underlying cause (like 
duplicated accounts.)  You may need to delete and re-create the computer 
account after un-joining.

Are the times and time zones correct on these systems?  Do they 
regularly synchronize to the domain controller's time?

Are there any errors in the event log on the domain controllers about 
duplicate computer accounts?

Some of the suggestions here might be useful to you as well:
http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1
http://eventid.net/display.asp?eventid=11&eventno=569&source=KDC&phase=1

CDC

raj esh L rrcrajesh2...@yahoo.com wrote:
 No samba and non-windows. All are windows servers.


 U:\setspn -l SLH-001155
 Registered ServicePrincipalNames for
 CN=SLH-001155,OU=Laptops,OU=SLH,OU=GBR,OU=E
 UR,DC=dir,DC=ucb-group,DC=com:
 HOST/SLH-001155
 HOST/SLH-001155.dir.ucb-group.com

 U:\setspn -l BRAPRINT001
 Registered ServicePrincipalNames for
 CN=BRAPRINT001,OU=Servers,OU=Global,OU=BEL,
 OU=EUR,DC=dir,DC=ucb-group,DC=com:
 HOST/BRAPRINT001
 HOST/BRAPRINT001.dir.ucb-group.com

 U:\setspn -l ATL017784
 Registered ServicePrincipalNames for
 CN=ATL017784,OU=Laptops,OU=ATL,OU=USA,OU=AM
 E,DC=dir,DC=ucb-group,DC=com:
 HOST/ATL017784
 HOST/ATL017784.dir.ucb-group.com

 U:\netstat -s
 IPv4 Statistics
 Received Header Errors = 0
 Received Address Errors = 42563
 Unknown Protocols Received = 0
 Received Packets Discarded = 0
 Routing Discards = 0
 Discarded Output Packets = 0
 Output Packet No Route = 0
 Reassembly Failures = 0
 Datagrams Failing Fragmentation = 0
 ICMPv4 Statistics
 Errors 0 13
 TCP Statistics for IPv4
 Failed Connection Attempts = 4275
 Segments Retransmitted = 24512
 UDP Statistics for IPv4
 Receive Errors = 22753


 Please let me know if any other information is required.




 
 From: raj esh L rrcrajesh2...@yahoo.com
 To: Christopher D. Clausen cclau...@acm.org
 Cc: kerberos@mit.edu
 Sent: Wed, 20 January, 2010 3:47:11
 Subject: Re: Windows event id 4 (kerberos)


 Thank you very much for your information; it would be appreciated. But

 I verified SPNs and computer names - no duplication found.

 These computers were not updated recently and have existed for a long time.

 Thanks once again for the networking help. I will check and give you an
 update.

 I will give the setspn details also.

 I spent days together searching for the fix but did not find a correct
 solution. Your help would be highly appreciated.

 We get the message every day. But we see the same event id, same
 description with different names 'SLH-001155' with different cifs\

 First of all, I do not understand the description clearly. If
 you would explain what is going on here with examples of server names
 based on the description, that would be great.


 

Re: Windows event id 4 (kerberos)

2010-01-20 Thread Christopher D. Clausen
I have no other suggestions.  I'd say to try re-joining all three 
computers, one at a time, and see if the errors go away.

The error basically means that the Kerberos stuff sent across the 
network could not be used by the client computer.  Again, this is 
usually due to two computer accounts with the same name and the wrong 
one being used for communication from some other computer.  It could 
also be that network errors caused packet corruption causing the message 
to be generated.

CDC

raj esh L rrcrajesh2...@yahoo.com wrote:
 Thanks for your response.

 I have not tried to un-join / join. I can try this option as a last
 effort.
 If I need to un-join, which machine do I need to do it on? Is it BRAPRINT001?
 Time zones are correct on all servers.
 I queried all the DCs' event logs for event id 11 through
 eventcombat.exe but none of these SPNs was found.

 As per the description, 3 server names (braprint001 where I get
 alerts and the other two) are involved in this problem. I could not
 understand the description itself. Can you please explain what it is?
 I captured netmon for it at the time the problem occurred. All these
 names are appearing over there. But I could not understand it.

 It's my humble request to verify those and help me understand.




 

Re: Windows event id 4 (kerberos)

2010-01-19 Thread Christopher D. Clausen
Is this for an actual Windows computer?  Or a non-Windows machine 
running something like Samba?

-

I see these all the time.  I believe these occur on occasion when a 
computer account automatically updates its machine account password in 
Active Directory.  (This is a normal function of a computer joined to 
AD.)

I'd suggest un-joining and re-joining the computer to the domain if this 
is a persistent problem on this system.

If the issue persists you likely have a network connection problem. 
Check netstat -s output and look for high error counts and check duplex 
settings on all ends of the connection.

-

Another thing to check is for identically named accounts (as mentioned,) 
including SPNs that were set with setspn.exe or ktpass.exe.  These are 
hard to track down and may require specific LDAP queries to locate.

-

Please send output of setspn -l SLH-001155

CDC

raj esh L rrcrajesh2...@yahoo.com wrote:
 We have observed Kerberos event id4 on one member server (Print
 server )BRAPRINT001 (10.1.37.167). Please find the description below
 about the event id. Can some one please help me on it ?

 Event Type:Error
 Event Source:  Kerberos
 Event Category:  None
 Event ID:4
 Date:   1/13/2010
 Time:   6:16:35 PM
 User:   N/A
 Computer:   BRAPRINT001
 Description:
 The kerberos client received a KRB_AP_ERR_MODIFIED error from the
 server SLH-001155$.  The target name used was
 cifs/ATL017784.dir.ucb-group.com. This indicates that the password
 used to encrypt the kerberos service ticket is different than that on
 the target server. Commonly, this is due to identically named
 machine accounts in the target realm (DIR.UCB-GROUP.COM), and the
 client realm.   Please contact your system administrator.

 For more information, see Help and Support Center at
 http://go.microsoft.com/fwlink/events.asp.


 ATL017784.dir.ucb-group.com [10.70.11.107]

 We captured network for it. Can you please help here what is going on?


 captured file is available at http://www.megaupload.com/?d=WDIG1CAT



 




Re: KfW 64bit plus 32bit apps

2010-01-07 Thread Christopher D. Clausen
Nikolay Shopik sho...@inblock.ru wrote:
 Hello,

 Does 64bit version of KfW work with 32bit version app? Because for me
 looks like 64bit version doesn't work with 32bit apps.

No.  Just install both the 32-bit and 64-bit versions to support both 
32-bit and 64-bit apps.

And last I tried it, the order they were installed mattered as one 
version would uninstall the other, but I don't remember which was which.

CDC




Re: openssh + kerberos + windows ad

2010-01-07 Thread Christopher D. Clausen
Marcello Mezzanotti marcello.mezzano...@gmail.com wrote:
 On Wed, Jan 6, 2010 at 12:30 PM, Bob Rasmussen r...@anzio.com wrote:

 1) What version(s) of PuTTY work in your environment? Did you try the
 developer's build from the official PuTTY site?

 http://sweb.cz/v_t_m/putty/PuTTY-0.58-GSSAPI-2005-07-24.zip

 I tested other clients that worked too, but this is the only one
 that got me tickets (klist on linux). I didn't have time to test other
 krb5.conf options.

Note that when using SSPI credentials, you generally will NOT get 
delegated tickets on the remote system due to AD's security model. 
You need to mess around with trusted for delegation settings on the AD 
computer account in question to enable credential delegation when using 
SSPI and not KfW.

If you copy tickets from SSPI to KfW (using ms2mit.exe or similar) then 
this problem goes away.

Additionally, SSPI doesn't handle realm trusts the same way that KfW 
does.  Sometimes SSPI is better (mainly for trusts between Windows 
realms) and sometimes the KfW behaviour is better (in my case for trusts 
from AD to non-AD realms.)

The trick is to know what programs use which API and properly configure 
it the way you need it to work.

-

I'll also again mention this version of putty:
http://matthew.loar.name/software/putty/

CDC




Re: openssh + kerberos + windows ad

2010-01-04 Thread Christopher D. Clausen
Marcello,

Can you show us the output of klist -kte (as root) on the machine 
running sshd?  You need to have a proper keytab for ssh to use GSSAPI 
authentication.

Against AD, you can generate a keytab using ktpass.exe.  Make sure you 
are using the 2003 SP2 version (or newer) of ktpass as some known 
problems were fixed.  http://support.microsoft.com/kb/926027

There are several of us in the #kerberos IRC channel on Freenode if you 
would like some interactive help in getting this to work.

CDC

Marcello Mezzanotti marcello.mezzano...@gmail.com wrote:
 Hans,

 Thanks for your help, my sshd_config options match yours, sshd_config
 doesn't recognise the GSSAPIKeyExchange and GSSAPITrustDNS options.

 I continue to receive the "we sent a gssapi-with-mic packet, wait for
 reply" DEBUG message and then ssh tries password auth.

 i saw something related to krb5.keytab, do you know something about
 this file?

 thank you,
 marcello



 On Mon, Jan 4, 2010 at 3:01 PM, Hans van Zijst h...@woefdram.nl
 wrote:
 Hi Marcello,

 A while ago I created the same construction that you want: ssh to a
 Linux machine and login automatically with Kerberos. My KDC also is
 a Windows 2003 box with UNIX Services installed. It's been a while,
 and I don't remember a lot of details. I remember it did take quite a
 bit of work though :)

 In the logs you sent, I can't really find anything, but it feels
 like an incomplete SSH daemon configuration.

 In my sshd-config there are also these lines:

 PasswordAuthentication no
 KerberosAuthentication yes
 KerberosOrLocalPasswd no
 KerberosTicketCleanup yes
 GSSAPIAuthentication yes
 GSSAPICleanupCredentials yes

 On my client machine, I configured /etc/ssh/ssh_config with:

 GSSAPIKeyExchange yes
 GSSAPITrustDNS yes
 GSSAPIAuthentication yes
 GSSAPIDelegateCredentials yes

 I hope this will help you a bit. If not, please post the
 configuration of both the ssh-server and the ssh-client and I'll
 have a closer look.

 Kind regards,

 Hans 


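The exchange above turns on two things: options from the GSSAPI key-exchange patch (and client-side ssh_config options) pasted into sshd_config, which a stock sshd rejects, and password authentication left on so that a failed GSSAPI exchange quietly falls back to a password prompt. Below is an added example that audits an sshd_config for exactly those points; it is not OpenSSH code and not Hans's or Marcello's configuration. SAMPLE_SSHD_CONFIG is constructed from the option names quoted in the thread, and the parse_sshd_config/audit_gssapi helpers are hypothetical names.

```python
"""Audit the GSSAPI-related settings of an sshd_config.

Added example for the thread above; not OpenSSH code. SAMPLE_SSHD_CONFIG is
constructed from the option names quoted in the thread, not anyone's real file.
"""
import re

# Only present in the separately maintained GSSAPI key-exchange patch (Debian
# and Ubuntu ship it); an unpatched sshd refuses to start with
# "Bad configuration option: GSSAPIKeyExchange".
PATCH_ONLY = {"gssapikeyexchange"}
# Client-side (ssh_config) keywords; a stock sshd rejects them as unknown.
CLIENT_ONLY = {"gssapitrustdns", "gssapidelegatecredentials"}

SAMPLE_SSHD_CONFIG = """\
# constructed sample, modelled on the options quoted in the thread
Port 22
PasswordAuthentication yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes      # patch-only option pasted into the server file
GSSAPITrustDNS yes         # client option pasted into the server file
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config.

    Like sshd, keep the FIRST occurrence of a keyword and ignore comments and
    blank lines. Settings inside Match blocks are conditional, so parsing
    stops at the first Match line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # keyword and value are separated by whitespace or a single '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_gssapi(text):
    """Return human-readable findings; an empty list means nothing to flag."""
    settings = parse_sshd_config(text)
    findings = []
    for key in settings:
        if key in PATCH_ONLY:
            findings.append(f"{key}: needs the GSSAPI key-exchange patch; "
                            "a stock sshd refuses to start on it")
        elif key in CLIENT_ONLY:
            findings.append(f"{key}: ssh_config (client) option, rejected "
                            "by a stock sshd as an unknown keyword")
    # sshd defaults: GSSAPIAuthentication no, PasswordAuthentication yes
    if settings.get("gssapiauthentication", "no").lower() != "yes":
        findings.append("GSSAPIAuthentication is off (the sshd default): "
                        "ticket logins cannot be negotiated")
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes (the default): a failed "
                        "GSSAPI exchange falls back to a password prompt, "
                        "which hides keytab problems")
    return findings


if __name__ == "__main__":
    for finding in audit_gssapi(SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

Run it against a real file with audit_gssapi(open("/etc/ssh/sshd_config").read()); the password-fallback finding is the one worth acting on first while debugging, because with PasswordAuthentication no the GSSAPI failure stops being silent.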


Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-18 Thread Christopher D. Clausen
Jeff Blaine jbla...@stage-infinity.com wrote:
 Thanks Doug

 The "which PuTTY has GSSAPI":

 Quest has one that uses SSPI. http://rc.quest.com/topics/putty/

 Hmm, I can't seem to get this to work at all (ignoring CVS).

 I have KfW creds for jblaine, afs, and krbtgt on this Windows
 box.

I believe that Quest's putty only uses SSPI credentials (from a Windows 
domain) and won't work with credentials obtained directly using KfW.

Try this one:
http://matthew.loar.name/software/putty/

CDC




Re: ftp client: authentication failed

2009-07-15 Thread Christopher D. Clausen
Lloyd ll...@cdactvm.in wrote:
 Hi,
   I am new to kerberos and trying to set up in a sample scenario as
 part of learning. I have downloaded and installed Kerberos 5 on a
 Linux system. As per the install guide I have successfully configured
 KDC and Application server. in the application server the ftpd
 daemon is also started successfully. Now I don't know how to connect a
 client to the ftpd server.

 This is the output of klist in client side

 klist: You have no tickets cached
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: lloyd/ad...@efs.cyber
 Valid starting ExpiresService principal
 07/15/09 17:09:01  07/16/09 17:08:55  krbtgt/efs.cy...@efs.cyber


 Kerberos 4 ticket cache: /tmp/tkt0

 And this is the output when I try ftp command in client side

 GSSAPI error minor: No principal in keytab matches desired name

 Am I missing something in Application server, KDC or in client?

The above is your problem.  Your client thinks your FTP server has a 
different name than what the keytab has a principal for.  Check the KDC 
log to see which principal the client requested and then fix your keytab 
and/or DNS and/or /etc/hosts on these systems.

CDC


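The "No principal in keytab matches desired name" diagnosis above comes down to one comparison: the client asks the KDC for service/<canonical host name>@REALM, where the canonical name is whatever DNS or /etc/hosts returns for the name the user typed, and that string must be a principal in the server's keytab. The added example below (not MIT code) parses klist -kte output and makes that comparison explicit. The klist output and the name table are constructed; only the realm EFS.CYBER is taken from the poster's klist. parse_klist_kte, expected_principal and diagnose are hypothetical helper names.

```python
"""Check whether a keytab holds the principal a Kerberos client will ask for.

Added example for the ftp thread above, not MIT Kerberos code. The klist -kte
text and the canonical-name table are constructed; the realm EFS.CYBER is the
one from the poster's klist output.
"""
import re

# One entry line of `klist -kte`: KVNO, date, time, principal, (enctype)
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")

SAMPLE_KLIST_KTE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   3 07/15/09 16:40:12 host/appserver.efs.cyber@EFS.CYBER (DES cbc mode with CRC-32)
   3 07/15/09 16:40:12 ftp/appserver.efs.cyber@EFS.CYBER (DES cbc mode with CRC-32)
   3 07/15/09 16:40:12 ftp/appserver.efs.cyber@EFS.CYBER (Triple DES cbc mode with HMAC/sha1)
"""

# Constructed stand-in for DNS / /etc/hosts: what each typed name canonicalises
# to. An /etc/hosts alias line such as
#   10.0.0.5 appsrv.efs.cyber appsrv appserver
# makes "appserver" canonicalise to appsrv.efs.cyber, which is NOT the name
# the keytab above was exported for.
CANONICAL = {
    "appserver": "appsrv.efs.cyber",
    "appsrv": "appsrv.efs.cyber",
    "appsrv.efs.cyber": "appsrv.efs.cyber",
    "appserver.efs.cyber": "appserver.efs.cyber",
}


def canonical_name(hostname):
    return CANONICAL.get(hostname.lower(), hostname.lower())


def parse_klist_kte(text):
    """Return [{kvno, timestamp, principal, enctype}, ...] from klist -kte output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, stamp, principal, enctype = m.groups()
            entries.append({"kvno": int(kvno), "timestamp": stamp,
                            "principal": principal, "enctype": enctype})
    return entries


def expected_principal(service, hostname, realm, canonicalize=canonical_name):
    """service/<canonical host>@REALM: the client builds the name from the
    canonical host name the resolver returns, not from what was typed."""
    return f"{service}/{canonicalize(hostname)}@{realm}"


def diagnose(keytab_text, service, hostname, realm, canonicalize=canonical_name):
    """Say whether the keytab can serve `service` on `hostname`, and if not why."""
    wanted = expected_principal(service, hostname, realm, canonicalize)
    have = {e["principal"] for e in parse_klist_kte(keytab_text)}
    if wanted in have:
        return f"ok: {wanted} is in the keytab"
    same_service = sorted(p for p in have if p.startswith(service + "/"))
    if same_service:
        return (f"mismatch: client will request {wanted} but the keytab has "
                f"{', '.join(same_service)}; fix DNS or /etc/hosts, or "
                "re-export the keytab for the canonical name")
    return f"missing: the keytab has no {service}/ principal at all"


if __name__ == "__main__":
    for typed in ("appserver", "appserver.efs.cyber"):
        print(diagnose(SAMPLE_KLIST_KTE, "ftp", typed, "EFS.CYBER"))
```

On a real system the KDC log shows the service principal the client actually requested, so feed that name to expected_principal's output for comparison rather than guessing; the mismatch branch is the situation CDC describes, where the keytab and the resolver disagree about the host's name.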


Re: windows 2003 domain controller, mod_auth_kerb in linux, issuewitt kerberos

2009-07-15 Thread Christopher D. Clausen
Windows AD accounts require allow this account to be trusted for 
delegation to have Internet Explorer actually delegate credentials to 
the web server (which you are requesting via the KrbSaveCredentials On 
parameter.)  Try turning this off and see if it does what you want.

Also, (and this is probably more likely the problem) if you need to 
enable KrbVerifyKDC off, something is probably broken with your keytab. 
You should fix it and enable the verification step.  This will probably 
allow IE to work better and actually send GSSAPI and not NTLM data.

CDC

Nikolay Shopik sho...@inblock.ru wrote:
 And you have enabled the Integrated Windows Authentication option in IE6,
 haven't you?

 On 10.07.2009 19:20, Ahmar Nauman wrote:

   Hi,

   I'm using windows server 2003 as domain controller,
   i've successfully followed all the necessary steps required for
   setting up an SSO, generated keytab files which gives me correct
 info if i type klist -k , integrated mod_auth_kerb and configured
 machines. My browser setting are just fine as well,


   My httpd.conf is like
   <Location /myURL>
   AuthType Kerberos
   AuthName "Test Kerberos Login"
   KrbVerifyKDC off # it doesn't work if i remove this line
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthRealms LAB1.DIGIDENT-SOLUTIONS.COM
   Krb5KeyTab /etc/krb5.keytab
   KrbSaveCredentials On
   KrbServiceName HTTP
   require valid-user
   </Location>

   Now when i tried to test from IE(v 6) it open a login box, if i
 supply username and password as setup in active directory, it allows
 me to enter. I don't want to get this login box, so if i change
 KrbMethodK5Passwd to Off, it simply refuses me to get in by
 Authorization Required message in browser and in apache logs, i get
 the following errors,

   [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1266):
   [client x.x.x.x] Verifying client data using KRB5 GSS-API [Fri Jul
   10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): [client
   ..] Verification returned code 589824 [Fri Jul 10 20:31:25
 2009] [debug] src/mod_auth_kerb.c(1309): [client ..] Warning:
 received token seems to be NTLM, which isn't supported by the
 Kerberos module. Check your IE configuration. [Fri Jul 10 20:31:25
 2009] [error] [client ..9] gss_accept_sec_context() failed:
 Invalid token was supplied (No error)

   I'm trying to resolve this issue, but nothing work out so far.
   Can anybody please help here??

   regards
   - Ahmar




Re: kerberos and windows XP home edition

2009-06-18 Thread Christopher D. Clausen
Hubert Chomette hubert.chome...@unilim.fr wrote:
 I try to add a windows XP home edition on my realm and I've got issue.
 Same setup works with windows XP pro.
 Is there an incompatibility with XP home or do I miss something with
 the configuration?
 thanks for your help

I know that Windows XP Home systems do not support being joined to a 
Windows domain.  I assume that this same limitation applies to Kerberos 
realms as well.

CDC




Re: cross-realm authentication problem

2009-05-29 Thread Christopher D. Clausen
Bjørn Tore Sund bjorn.s...@it.uib.no wrote:
 I'd like to thank Douglas Engert, Christopher Clausen and Guillaume
 Rosse for the help with this matter.  Netdom.exe was indeed the
 answer, and as I was pestering our main AD honcho on the matter he
 started to remember (I still don't...) that I'd pulled up that
 command to him before - and the RHEL4 server where everything was
 working had indeed at some vague past point in time been added as a
 trusted server in AD.

Can you let us know what exact command you actually ran that worked?

CDC




Re: Sudo w/Ticket Support

2009-05-07 Thread Christopher D. Clausen
pete...@bigfoot.com wrote:
 Main reason for not setting NOPASSWD is because I don't have control
 over the sudoers file on most of the systems I have access to.  And
 the SA's are very reluctant to use NOPASSWD.

Do you know about the ksu command?

Or using a ~root/.k5login and ssh -o "GSSAPIAuthentication yes" 
r...@`hostname` ?

 I believe they just want that extra layer of protection in case a
 workstation is left unattended.


People who leave workstations unattended should not have sudo access. 
Also, if unattended and the tickets are still valid, someone can still 
use them.

 I do see what you mean though.  From a security standpoint, if sudo
 was capable of using an existing TGT, that doesn't seem like it would
 be too much different than using NOPASSWD in the sudoers file.

Yes, exactly.  Except it will stop working once the tickets expire, so 
there is some trivial level of safety.

CDC




Re: Linux/Apache - combine mod_auth_kerb and ldap - to be or not tobe???

2009-04-07 Thread Christopher D. Clausen
kerbie_newbie zarafi...@sky.com wrote:
 At least in Apache 2.0, it is extremely difficult in Apache to get two
 authentication modules to co-exist; Apache by and large considers any
 particular portion of the URL space to be protected by only one
 authentication scheme (possibly combined with IP address
 restrictions). This is partly a limitation of Apache (particularly
 the configuration syntax) and partly related to difficulties in the
 HTTP protocol (you can't easily negotiate and attempt multiple
 authentication protocols in turn).

from:
http://modauthkerb.sourceforge.net/configure.html
KrbAuthoritative off
will allow you to pass authn/authz on to another module.

I've used a module that verifies against OpenAFS PTS groups and I assume 
LDAP works the same way.

CDC




Fw: Kerberos Password change over WWW

2009-04-02 Thread Christopher D. Clausen
Brett Delle Grazie bdellegra...@hotmail.com wrote:
 Is there an open-source product that is secure and will permit
 password changes to kerberos via the web (e.g. .cgi program or
 similar).  I am expecting the user to have already authenticated with
 their existing username / password - this is so they can then change
 their current password.

Try kpasswd.cgi from here:
http://www.umich.edu/~umweb/software/

CDC




Re: Finding the version of kinit/klist

2009-03-06 Thread Christopher D. Clausen
Ken Raeburn raeb...@mit.edu wrote:
 On Mar 6, 2009, at 13:43, pete...@bigfoot.com wrote:
 Is there any way to determine the version of kinit or klist?
 
 I'm afraid not, aside from the krb5-config option you noted.
 
 It's still in our bug database, but hasn't gotten any attention yet.
 :-( (I knew it had been reported, but took me a little digging to
 discover that the bug report was, in fact, from you, back in 2006...)
 
 Annoyingly, our argument parsing setup doesn't handle long options on
 most platforms, and both the 'v' and 'V' one-letter options of kinit
 are in use currently.  But it looks like klist doesn't have either
 option yet

Can the usage message display the current version?

(And maybe add a -h option to display the help screen)

CDC




Re: Kerberos - Microsoft Active Directory DNS

2009-01-29 Thread Christopher D. Clausen
Michael B Allen iop...@gmail.com wrote:
 In general, both the MIT and Heimdal clients are not optimized for a
 Windows environment. We have an AD integration product that uses
 Heimdal that we made a lot of changes to try to better emulate Windows
 behavior.

Please just stop trying to sell folks your product using this list.

-

It sounds like all this guy needs is proper [domain_realm] settings in 
krb5.conf and possibly a proper [capaths] section if a realm trust is 
involved.  (It's not clear to me if there is just a single realm or not.)

It sounds like AD is configured to do dynamic DNS for A record 
registration but is not authoritative for PTR registration and this is 
causing problems b/c AD thinks the name should be in one domain and in 
reality the PTR is in another.  (We have the exact same problem where I 
work.)  I think the solution is to ignore the AD name and use the fqdn 
that the reverse lookup returns.

If you join #kerberos on the Freenode IRC network there are folks there 
who would be willing to try and help for free and NOT try and sell you 
some Active Directory integration product.

CDC




Re: Solaris 10 client, MIT 1.6 server, kpasswd command

2008-12-07 Thread Christopher D. Clausen
Edward Irvine [EMAIL PROTECTED] wrote:
 Has anyone else had trouble changing passwords from a Solaris client?

 I'm using the Solaris 10 version of kpasswd:

 /bin/kpasswd unsername
 kpasswd: Changing password for [EMAIL PROTECTED]
 Old password: secrret
 kpasswd: Cannot establis a session with the Kerberos administrative
 server for realm EXAMPLE.COM. Database error! Required KADM5
 principal missing.

 This works fine when I use the MIT Kerberos version of kpasswd.

See:
http://docs.sun.com/app/docs/doc/816-5174/krb5.conf-4?a=view

krb5.conf - kpasswd_protocol option:

Identifies the protocol to be used when communicating with the server 
indicated by kpasswd_server. By default, this parameter is defined to be 
RPCSEC_GSS, which is the protocol used by Solaris-based administration 
servers. To be able to change a principal's password stored on 
non-Solaris Kerberos server, such as Microsoft Active Directory or MIT 
Kerberos, this value should be SET_CHANGE. This indicates that a 
non-RPC-based protocol is used to communicate the password change 
request to the server in the kpasswd_server entry.

CDC




Re: WTS and KfW for SPNEGO

2008-11-07 Thread Christopher D. Clausen
Christian,

I recommend that you read through this email and follow its instructions:
http://mailman.mit.edu/pipermail/kerberos/2008-January/012978.html

That should solve the problem permanently.

I personally like having my own per-user krb5.ini.  I can fix 
configuration problems on machines where I am just a user and do not 
have admin access.

CDC

Christian Weiß [EMAIL PROTECTED] wrote:
 Hello Christopher,

 that's it! Thank you for your really fast and helpful answer. Even
 better it would be if KfW would fall back to the 'krb5.ini' in
 c:\windows if there is none in c:\dokuments and
 settings\user\windows. Then you wouldn't have to put it into every
 user's profile folder...

 Christian 




Re: WTS and KfW for SPNEGO

2008-11-06 Thread Christopher D. Clausen
I bet the problem is that KfW is switching to a per-user krb5.ini 
instead of using the one you likely have in C:\Windows.  Try to copy 
your system krb5.ini to c:\documents and settings\user\windows and see 
if that helps any when in Terminal Services mode.

CDC

Christian Weiß [EMAIL PROTECTED] wrote:
 Hi,

 we use Kerberos for Windows (newest Version: 3.2.2) on our XP Clients
 for access to our intranet. This also works fine on a W2K3 Server (R2
 Standard or Enterprise Edition with SP2), unless the Terminal
 Services are enabled. If so, the user gets a TGT correctly, but
 doesn't get a Ticket for HTTP when trying to connect to the intranet.
 Acquiring a Ticket manually with kvno HTTP/$servername fixes this
 problem. With Terminal Services disabled everything works fine again.
 Our KDC runs on a SuSE SLES 8 machine.
 Is this a known Issue? Does anybody have a solution for me? I didn't
 find anything about this in the list.

 Thanks in advance!
 Christian 




Re: SSO

2008-07-17 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote:
 On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED]
 wrote:
 And that is the scenario where direct SPNEGO / NTLMSSP solutions are
 going to perform better.

 If by better you mean pretty much the same, yes, modulo the
 configuration note that I mentioned.

 No, I definitely meant better.

 With direct SPNEGO we 401 the initial HTTP request, accept one GSSAPI
 token and get a TGT.

 With something like WebAuth, the client is redirected to a central
 server, then you have to do all of the above (or an explicit login
 which is more stuff) and then redirect the client back to the original
 target (and this doesn't include getting a TGT on the target server).

That is the whole point.  NOT sending authentication info directly to 
the server and instead using a central auth server is a FEATURE.

 With Plexcel we can do SPNEGO, check group membership (we extract the
 group SIDs from the PAC), app-level access to basic user info and a
 get TGT without talking to a third party at all. The time between the
 initial HTTP request and the 200 response is less than 20 ms (or ~50
 ms if the user is in a few hundred groups).

The whole point of the central server is to keep end-users from typing 
passwords in at all the other random webservers.  The speed does not 
matter.  The point is that those hosting the server are not to be 
trusted with the end user passwords and the central server solves this 
problem.  This is why things like Bluestem were developed:
https://www-s4.uiuc.edu/bluestem-notes/

And the central solutions can optionally add user group data from LDAP / 
AD / whatever.

CDC





Re: Help on using AD as KDC

2008-05-29 Thread Christopher D. Clausen
Zhiguo Huang [EMAIL PROTECTED] wrote:
 Could any person who has experience  on using Active Directory as KDC
 give any pointer and helpful instruction?

Regarding what?  You just use it as a KDC and it works.

CDC





Re: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

2008-05-05 Thread Christopher D. Clausen
Can you post and compare your krb5.conf files?  Are they identical?

Have you asked someone at Stanford?  This might be a specific 
configuration problem for that realm.

If you join the #kerberos IRC on Freenode, various people may be able to 
help you out interactively.

CDC

Mukarram Syed [EMAIL PROTECTED] wrote:
 Hi Again,

 Any suggestion will be appreciated.

 Thanks

 # mukarram

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
 Behalf Of Mukarram Syed
 Sent: Friday, May 02, 2008 3:49 PM
 To: kerberos@mit.edu
 Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5
 upgrade.

 Hi Kerberos Gurus.



 I have 2 servers, the problem is that when I ssh into the box on the
 server-notworking, I get both the .k5 and .k4 tickets:



 server-notworking  klist

 Ticket cache: FILE:/tmp/krb5cc_39728_T16049

 Default principal: [EMAIL PROTECTED]



 Valid starting ExpiresService principal

 05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/[EMAIL PROTECTED]

 05/02/08 15:18:47  05/03/08 16:18:45  afs/[EMAIL PROTECTED]





 Kerberos 4 ticket cache: /tmp/tkt39728_16049

 Principal: [EMAIL PROTECTED]



  Issued  Expires Principal

 05/02/08 15:18:45  05/03/08 01:18:45
 [EMAIL PROTECTED]

 05/02/08 15:18:45  05/03/08 01:18:45
 [EMAIL PROTECTED]



 But on the server that's working, I only get the k5 tickets:



 server-working  klist

 Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M

 Default principal: [EMAIL PROTECTED]



 Valid starting ExpiresService principal

 05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/[EMAIL PROTECTED]

 05/02/08 15:27:27  05/03/08 01:27:25  afs/[EMAIL PROTECTED]





 Kerberos 4 ticket cache: /tmp/tkt39728

 Principal: [EMAIL PROTECTED]



  Issued  Expires Principal

 04/30/08 23:42:56  05/02/08 01:09:17
 [EMAIL PROTECTED]



 The only difference that I can see between the two klist command
 outputs is:



 05/02/08 15:18:45  05/03/08 01:18:45
 [EMAIL PROTECTED]



 What is this?



 Below is a comparison of the two servers.

 I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
 server-notworking.  I don't think this will make a difference because
 I have already tried this on another server.  I can't upgrade the
 kernel though to match the server that is working.  The server that
 is not working is an actively used server.



 Also if I remove the .klogin file in my home directory on the
 server-notworking, I can't login to this box.  I need both .klogin and
 .k5login files otherwise I get permission denied message when ssh'ing
 in.

 I don't have the .klogin file in the server that is working, only the
 .k5login file.

 Please advise.



 Thanks for your help.



 Regards



 # mukarram syed





 SYSTEM INFO
                                    server-notworking                      server-working
   Kernel                           2.4.21-27.0.2.ELsmp                    2.4.21-50.ELsmp
   Release                          Red Hat Enterprise Linux AS release 3  Red Hat Enterprise Linux AS release 3
                                    (Taroon Update 4)                      (Taroon Update 9)

 STATUS
   server-notworking: Not getting the afs tokens without the aklog -setpag
     option in the shell startup scripts.  Need .klogin and .k5login to be
     able to SSH.  SSH won't work without .klogin file.
   server-working:    Fully Functional.  NO aklog -setpag option set.

 OPENAFS RPMS
   server-notworking                               server-working
   openafs-1.4.2-1.1                               openafs-1.4.2-1.1
   openafs-client-1.4.2-1.1                        openafs-client-1.4.2-1.1
   openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1     openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
   openafs-kernel-source-1.4.2-1.1                 openafs-kernel-source-1.4.2-1.1
   openafs-krb5-1.4.2-1.1                          openafs-krb5-1.4.2-1.1

 KRB5 RPMS
   server-notworking                               server-working
   krb5-devel-1.2.7-42                             krb5-devel-1.2.7-64
   krb5-libs-1.2.7-42                              krb5-libs-1.2.7-64
   krb5-SU-1.4.3-12.EL3                            krb5-SU-1.4.4-4.EL3
   openafs-krb5-1.4.2-1.1                          openafs-krb5-1.4.2-1.1
   pam_krb5-SU-3.8-1.EL3                           pam_krb5-SU-3.8-1.EL3

 PAM RPMS
   server-notworking                               server-working
   pam-0.75-62                                     pam-0.75-72
   pam-afs-session-1.5-1.EL3                       pam-afs-session-1.5-1.EL3
                                                   pam_ccreds-3-3.rhel3.2
   pam-devel-0.75-62                               pam-devel-0.75-72
   pam_krb5-SU-3.8-1.EL3                           pam_krb5-SU-3.8-1.EL3
   pam_passwdqc-0.7.5-1                            pam_passwdqc-0.7.5-1
   pam_smb-1.1.7-1                                 pam_smb-1.1.7-1

 IMPORTANT FILES: CKSUMS/SIZES
   server-notworking                               server-working
   782515666 1077 /etc/pam.d/system-auth           782515666 1077 /etc/pam.d/system-auth
   292550411 160 /etc/krb.conf                     292550411 160 /etc/krb.conf
   2006343950 4385 /etc/krb5.conf                  3826595545 4386 /etc/krb5.conf
   3068285566 267416 /usr/bin/aklog                1302602016 267416 /usr/bin/aklog
   1323949453 19 /usr/vice/etc/CellAlias           1323949453 19 /usr/vice/etc/CellAlias
   3556331601 16 /usr/vice/etc/ThisCell            3556331601 16 /usr/vice/etc/ThisCell
   1399150640 446 /usr/vice/etc/CellServDB         514410920 208 /usr/vice/etc/CellServDB



 

Re: max number of requests/sec (on KDC)

2008-04-22 Thread Christopher D. Clausen
Matthew Loar [EMAIL PROTECTED] wrote:
 Vladimir Konrad [EMAIL PROTECTED] wrote:
 Hello,

 Is there a way to increase allowed number of requests per second on
 KDC? I have several different CRON jobs (using the same keytab in
 kinit), which run at the same time, and I get:

 DISPATCH: repeated (retransmitted?) request from ip-address-here,
 resending previous response

 And the jobs fail to authenticate...

If you are running jobs under the same keytab, why not have one that 
kinits with the keytab and then sequentially runs each thing that you 
want run using the same krb5cc for each job?

You can just have all of these jobs share the same krb5cc and NOT kinit 
multiple times.

CDC



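CDC's suggestion, one kinit from the keytab and then every job run in turn against that one credential cache, is shown below as an added example; it is not part of MIT Kerberos. The kinit -k -t and kdestroy command lines are the standard MIT ones, while the principal, keytab path and job list are constructed placeholders, and run_jobs_with_shared_ccache is a hypothetical name. The `run` parameter exists only so the flow can be exercised without a KDC.

```python
"""Serve several cron jobs from ONE keytab login instead of N concurrent kinits.

Added example for the thread above, not part of MIT Kerberos. The kinit and
kdestroy invocations are the standard MIT command lines; the principal,
keytab path and job list in main() are constructed placeholders.
"""
import os
import subprocess
import tempfile


def run_jobs_with_shared_ccache(principal, keytab, jobs, run=subprocess.run):
    """kinit once from the keytab into a private FILE: cache, run the jobs
    one after another with KRB5CCNAME pointing at that cache, then kdestroy.

    `run` must be subprocess.run-compatible (argv list, env=...) and returns an
    object with .returncode; it is a parameter only so the flow can be tested
    without a KDC. Returns [(argv, returncode), ...] for the jobs; if the
    single kinit fails, nothing else runs and its failure is returned instead.
    """
    results = []
    # TemporaryDirectory is created with mode 0700, so the cache file inside
    # is private to the user running the cron entry.
    with tempfile.TemporaryDirectory(prefix="krb5cc_jobs.") as tmp:
        env = dict(os.environ, KRB5CCNAME="FILE:" + os.path.join(tmp, "ccache"))
        kinit = ["kinit", "-k", "-t", keytab, principal]
        rc = run(kinit, env=env).returncode
        if rc != 0:
            return [(kinit, rc)]
        try:
            # Sequential: one AS exchange per run instead of one per job, which
            # is what the "repeated (retransmitted?) request" KDC messages
            # in the thread came from.
            for argv in jobs:
                results.append((argv, run(argv, env=env).returncode))
        finally:
            # Do not leave a live TGT lying around after the last job.
            run(["kdestroy"], env=env)
    return results


def main():
    # Constructed placeholders; replace with the real principal and keytab.
    jobs = [["/usr/local/bin/nightly-backup.sh"],
            ["/usr/local/bin/nightly-report.sh"]]
    for argv, rc in run_jobs_with_shared_ccache(
            "batch/cron@EXAMPLE.COM", "/etc/cron.keytab", jobs):
        print(" ".join(argv), "->", rc)


if __name__ == "__main__":
    main()
```

Put one crontab entry on this wrapper rather than one per job; the jobs still find their tickets through KRB5CCNAME, and only the wrapper ever touches the keytab.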


Re: support SSO in Windows with Keberos TGT

2008-02-19 Thread Christopher D. Clausen
sylvain cortes [EMAIL PROTECTED] wrote:
 So, for example, a windows computer which use Putty can present a
 kerberos ticket to a Unix machine with the Centrofy client, without
 any re-authentication. And Unix to Windows, or Unix to Unix works
 also in the same way.

You can do that without paying for Centrify.  All you need to is to 
correctly setup the machine keytab and get a putty version that supports 
GSSAPI credential forwarding.

CDC





Re: kadmin -c : shouldn't this work?

2008-02-14 Thread Christopher D. Clausen
Jeff Blaine [EMAIL PROTECTED] wrote:
 % /usr/rcf-krb5/bin/kinit -p admin/admin
 Password for admin/[EMAIL PROTECTED]:
 % /usr/rcf-krb5/sbin/kadmin -c /tmp/krb5cc_26560
 Authenticating as principal admin/[EMAIL PROTECTED] with existing
 credentials.
 kadmin: Matching credential not found while initializing kadmin
 interface


Try
kinit -p admin/admin -S kadmin/admin
and then
kadmin -c $KRB5CCNAME
and see if that works better.

CDC





Re: [lib]kadm on Windows?

2008-01-25 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote:
 We took an end-run around this problem and instead use:

http://www.eyrie.org/~eagle/software/kadmin-remctl/

 to provide a remctl interface to kadmin calls.  This still requires
 that you get remctl working on Windows, though.  It may or may not be
 easier than getting the kadmin libraries working on Windows.

Remctl client for windows:

http://matthew.loar.name/software/remctl/

CDC 





Re: Heimdal KDC, Windows XP and local users

2008-01-09 Thread Christopher D. Clausen
Victor Sudakov [EMAIL PROTECTED] wrote:
 I have configured Windows XP to use a Heimdal KDC for user
 authentication. All existing Windows users can authenticate against
 the KDC, user
 mapping is ksetup /mapuser * *.

 However, Windows does not create a new local user with the same name
 as the Kerberos principal I try to authenticate as.

No, Windows does not, nor should it.  You mapped all principals to a 
single user account.  If you want separate accounts, you'll need to 
actually create the accounts ahead of time and map the principal to the 
individual accounts.

 Can this be helped? I want to create a new user in the Kerberos
 database only, and this user's profile on the Windows machine should
 be created automatically.

You may be able to get pGina do what you want: http://www.pgina.org/

CDC 





Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
Colin Simpson [EMAIL PROTECTED] wrote:
 I'm looking at finding a new solution to syncing password between AD
 and
 Kerberos. We had been using CEDAR for this and it's great but the
 passwdHK dll on windows hates it if you pass in 8 bit ascii password.

AD already is Kerberos.  Why don't you just use your Active Directory 
controllers as the Kerberos KDCs as well?

CDC 





Re: Password Syncing to Kerberos using SFU's ssod

2008-01-09 Thread Christopher D. Clausen
I'm guessing using a single Kerberos KDC on Windows is going to be more 
stable than some password synchronization process that neither vendor 
fully supports.

CDC

Colin Simpson [EMAIL PROTECTED] wrote:
 My only reason is we don't really trust window stability and try to
 resist MS creeping onto our servers :-)

 Colin

 On Wed, 2008-01-09 at 17:13 +, Christopher D. Clausen wrote:
 Colin Simpson [EMAIL PROTECTED] wrote:
 I'm looking at finding a new solution to syncing password between AD
 and
 Kerberos. We had been using CEDAR for this and it's great but the
 passwdHK dll on windows hates it if you pass in 8 bit ascii
 password.

 AD already is Kerberos.  Why don't you just use your Active Directory
 controllers as the Kerberos KDCs as well?

 CDC 





Re: Query about an admin testing a user's creds

2008-01-06 Thread Christopher D. Clausen
Coy Hile [EMAIL PROTECTED] wrote:
 If we need to test, for example, that a user is actually getting a
 TGT, we need to inform the user that we're changing their password
 temporarily, change it, authenticate as them directly, and then have
 them change it back.  We've all been wondering aloud whether there is
 some way for an admin to get creds as a user directly (Eg, something
 like su - user which actually does a kinit as that user).  Has
 something along those lines been implemented?  If not, what's the
 reasoning behind it not being so implemented? (I'm perfectly happy to
 accept Because it's Really Stupid(tm) for the following reasons... as
 an answer too :))

What flavor of Kerberos are you using?  I believe that it is trivial 
with a Heimdal setup for a Kerberos admin to extract a keytab for any 
principal and NOT actually change the password of the principal.  (Use 
the ext_keytab command in kadmin.)  It is less easy with an MIT setup.

You can revert the krb5 database to the point it was at before a 
principal change, however if other principals were changed in the mean 
time, you could have a serious synchronization problem.  You may be able 
to do this manually by just finding the data in the dump for a 
particular principal and injecting it into a newer dump of the current 
Kerberos database.  I am unaware of potential fallout from doing this 
though.

Alternately, you could modify your change password procedure to either 
store the cleartext of the password (bad idea) or generate a keytab for 
the user using the provided password (slightly less bad of an idea) 
during the change process.

CDC 





Re: mac os x ticket cache

2007-11-29 Thread Christopher D. Clausen
Ranga Samudrala [EMAIL PROTECTED] wrote:
 On a Mac OS X machine, is there a way to force the SSH client to use
 a Kerberos TGT from a cache on the file system  instead of the
 default - in the memory?

Change what the KRB5CCNAME variable points to.

CDC 



Re: Need an old MIT Kerberos distribution

2007-10-25 Thread Christopher D. Clausen
Jeff Blaine [EMAIL PROTECTED] wrote:
 I'm failing to find/get 1.3.0 for a specific need.

http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.tar

from:
http://web.mit.edu/kerberos/dist/historic.html#krb5-1.3-src

CDC 



Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 How can I list all the servers that I have mapped with the Ktpass
 command?

 We are using Kerberos for SSO from our Middle Tier application that we
 develop.  To make this work I must map the middle Tier's servername
 with an account in the domain.  Here's a sample ktpass command that I
 use to do this:

 ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser svruser -
 pass svruserpwd

 I'm working in a development environment and have done this many
 times.  I'd like to know which machines I have already mapped.  How
 can I get the list?  The domain controller is Win Server 2003 SP1

from a cmd.exe prompt (on a computer joined to this domain,) you can run 
net group "domain computers" /domain to get a list of every computer 
account.  (Assuming you are indeed using computer accounts and not user 
accounts.)

You can then run setspn.exe -L <computername> for each computername 
in the above list to see what mappings have been assigned.

I do not know of a way to specifically list computers with modified SPNs 
without checking each and every object.

CDC 



Re: cross realm and capaths question

2007-10-01 Thread Christopher D. Clausen
Douglas E. Engert [EMAIL PROTECTED] wrote:
 Markus Moeller wrote:
 TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28)

 This looks like AD is checking the transited path, and does not like
 it. RFC4120 section 2.7 does not require the KDC to check the
 transited field, and the client may even ask the KDC to not check it,
 with the DISABLE-TRANSITED-CHECK flag, but the KDC may still check.

 AD does a lot more with trust than the MIT KDCs and may treat forests
 and external realms differently. In your diagram, you are trying to
 connect TEST.COM not at the forest root. In most of the Microsoft
 documents they talk about connecting forests at the root.

 They talk about the different types of trust. I don't see
 External Transitive which is what I think you are trying to do.
 Although Realm Trust looks very close, but TEST.COM is AD, not
 Kerberos.

 Can you connect TEST.COM to TOP.COM? This would be forest trust.
 Or can you rename TEST.COM to TEST.DOM1.TOP.COM and have it join the
 forest? Then AD should not have any problems, and you would not need
 the capaths, as the default is to go up the tree then back down.

The AD domain to non-AD domain trust likely needs to be changed to a 
transitive trust using the netdom.exe tool.

for example:
netdom trust <AD domain> /ForestTRANsitive:yes /domain:<non-AD domain>

CDC



Re: Listing what's already mapped

2007-10-01 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 On Oct 1, 11:27 am, Christopher D. Clausen [EMAIL PROTECTED] wrote:

 from a cmd.exe prompt (on a computer joined to this domain,) you can
 run net group "domain computers" /domain to get a list of every
 computer account.  (Assuming you are indeed using computer accounts
 and not user accounts.)

 You can then run setspn.exe -L <computername> for each
 computername in the above list to see what mappings have been
 assigned.

 Thanks for responding.  This didn't work though.  It says Cannot find
 account SERVER10.  I tried this a few different ways with no luck.
 Even if this did work there are too many machines in the the domain to
 check (500+).


It works for me.  Perhaps you are logged on a user in a different 
domain?

C:\>setspn -L KBS-CDC
Registered ServicePrincipalNames for 
CN=KBS-CDC,OU=KBS,DC=ad,DC=uiuc,DC=edu:
HOST/KBS-CDC
HOST/KBS-CDC.ad.uiuc.edu

It is pretty easy to write a for command to parse the net group output 
and then run setspn.

 I noticed that if I look at the properties of the mapped user in the
 the Active Directory tool it shows the last machine name as the User
 Logon Name on the Account tab.  Is there anyway to enumerate this a
 see all the Logon names?

You'd have to write a direct ldap query.  Again, I think you would need 
to query each object as there are administrative limits.

You may be able to use the ldp.exe tool to perform a query.  I'm not 
sure if the field you want is directly accessible though.  You might 
still need to query for that field on a per-object basis.

CDC 



Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-05 Thread Christopher D. Clausen
Anthony Brock [EMAIL PROTECTED] wrote:
 No, the entire network is on a single, private IP address range. In
 fact, I'm trying these particular commands on the same host that
 kadmind is running on. However, the behavior is identical from a
 remote host.

Does kpasswd work on the KDC itself for each of the realms?  If it 
doesn't work on the KDC, its not likely to work anywhere else.

CDC 



Re: Active Directory LDAP SSH

2007-09-04 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote:
 On 9/4/07, Roman S [EMAIL PROTECTED] wrote:
 I've configured a Microsoft Active Directory with LDAP and Kerberos,
 and some Linux (Redhat) clients who authenticate to it.
 I'm able to get some tickets for the users who are in the Active
 Directory, but SSH behaves a bit strange.

 I can always ssh to the same machine again.
 Like
 #foo: ssh foo

 but I can't ssh to any other computers. I always get a Permission
 denied.
 I've only enabled gssapi authentication, all others are disabled.
 Debug output of ssh didn't get me any further.

 Hi Roman,

 Did you create the host principal and keytab for the target server?

I suspect yes or the initial credential forwarding would not work either.

 Also, you'll need a .k5login file in the home directory of the target:

  $ cat ~/.k5login
  [EMAIL PROTECTED]

You do not NEED a .k5login file.  It may be useful in certain 
environments, but it is not required.

 Google for info about the above and you should find a tutorial I
 would think.

You probably need to:
1) ensure that forwardable tickets are being obtained (I suspect this is 
already the case)
2) set GSSAPIDelegateCredentials yes for ssh and/or sshd

CDC 



Re: Problems with kadmind, kpasswd and cross-realm authentication

2007-09-04 Thread Christopher D. Clausen
Anthony Brock [EMAIL PROTECTED] wrote:
 I have created several cross-realm trusts on a test server. At this
 point, nearly everything is working properly. However, users are
 unable to change their passwords unless their account is in the
 initial domain. Users see the following when attempting it from the
 initial domain:

 # kpasswd
 Password for [EMAIL PROTECTED]:
 Enter new password:
 Enter it again:
 Password changed.
 #

 Unfortunately, following happens for additional domains:

 # kpasswd
 Password for [EMAIL PROTECTED]:
 Enter new password:
 Enter it again:
 Authentication error: Failed reading application request
 #

What happens if you run:
kpasswd [EMAIL PROTECTED]
and manually specify the realm name where the user account is at?
so in your case, try running:
kpasswd [EMAIL PROTECTED]
on the above machine where you were prompted for [EMAIL PROTECTED] 
credentials.

Additionally, are you behind a NAT when kpasswd fails?

CDC 



Re: Using keytab on Windows with KfW

2007-08-12 Thread Christopher D. Clausen
Markus Moeller [EMAIL PROTECTED] wrote:
 I am trying to use a keytab on Windows with KfW 3.2, but get always
 an error Key table entry not found while getting initial
 credentials. The account works interactively and if I use the keytab
 on Unix it works fine too.
 Is this a known problem ?

 Markus

 D:\>"c:\Program Files\mit\Kerberos\bin\klist.exe" -ekt mmn.keytab
 Keytab name: FILE:mmn.keytab
 KVNO Timestamp         Principal
 ---- ----------------- --------------------------------------------------------
    1 08/12/07 17:37:59 [EMAIL PROTECTED] (ArcFour with HMAC/md5)

 D:\>"c:\Program Files\mit\Kerberos\bin\kinit.exe" -kt mmn.keytab [EMAIL PROTECTED]
 kinit.exe(v5): Key table entry not found while getting initial
 credentials

Works for me with a keytab from an MIT realm.  What Kerberos version / 
flavor is running on your KDC?  Could it be a problem with supported 
enc_types?  What does your krb5.conf look like?

C:\>which -a kinit
C:\Program Files\MIT\Kerberos\bin\kinit.exe

C:\>filever "C:\Program Files\MIT\Kerberos\bin\kinit.exe"
--a-- W32i   APP ENU  3.2.0.7005 shp 47,616 05-03-2007 kinit.exe

C:\>klist -kt krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/27/07 21:46:09 [EMAIL PROTECTED]
   3 04/27/07 21:46:09 [EMAIL PROTECTED]
   3 04/27/07 21:46:09 [EMAIL PROTECTED]
   3 04/27/07 21:46:09 [EMAIL PROTECTED]
   3 04/27/07 21:46:09 [EMAIL PROTECTED]

C:\>kinit -kt krb5.keytab [EMAIL PROTECTED]

C:\>klist
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
08/12/07 12:18:03  08/12/07 22:18:00  krbtgt/[EMAIL PROTECTED]

CDC 



Re: Key table entry not found while verifying ticket for server

2007-08-05 Thread Christopher D. Clausen
Danny Mayer [EMAIL PROTECTED] wrote:
 Peter Losher wrote:
 Yup, I had fatfingered the hostname during the initial OS install;
 what you said above reminded me to check the one place I hadn't
 updated - /etc/hosts. :)

 /etc/hosts??? That doesn't sound like a place ISC would use! Does the
 install process create an entry in hosts?

The install process for nearly all UNIX OSes puts an entry into the 
/etc/hosts file.

On some platforms, this ends up as something like:
127.0.0.1 hostname localhost.localdomain localhost

This is bad for Kerberos, although it works for laptops where the 
non-local IP may keep changing.

Kerberos needs an entry that returns a fqdn for the host using a valid 
external IP, like:
18.4.5.6 validhost.in.dns.fqdn.edu validhost

This is a very common problem for users asking for help in the #kerberos 
IRC channel.

CDC 



Re: Where can I find how-to advice on setting up a local KDC?

2007-08-03 Thread Christopher D. Clausen
Kevin Koch [EMAIL PROTECTED] wrote:
 It is too hot to work upstairs where the wired connection is.  The
 wireless on this laptop stops connecting randomly.  I can't debug NIM
 timing issues without being able to connect to a KDC.  I can't ship a
 product without those fixes.

 Where can I find out how to set up a KDC locally for NIM to connect
 to?

NIM is only in KfW, right?  As in, you are working on Windows?

I'd suggest using Virtual PC and running some non-Windows OS and just 
follow the normal instructions.  Otherwise, you could install a server 
version of Windows and run a domain controller on your laptop, but I 
would not suggest that.  Ask on #kerberos on Freenode IRC if you'd like 
help with a KDC install.

However, wouldn't the KDC being on your local computer also affect 
timing?  (As in, wouldn't it be really fast and not a real world 
experience?)

CDC 



Re: Kerberos for authentication, php for authorization

2007-06-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 On Windows the two browsers can only acquire credentials
 from the LSA which means the workstation needs to be joined to a
 domain, I believe.

That isn't true.  You can configure Firefox on Windows to use 
credentials from Kerberos for Windows ccaches instead of using 
Microsoft's Kerberos.  Just set 
network.negotiate-auth.using-native-gsslib to false in about:config

CDC 



Re: Use ssh key to acquire TGT?

2007-06-03 Thread Christopher D. Clausen
John Hascall [EMAIL PROTECTED] wrote:
 One of these days I'm going to request (for HCOOP) crossrealm trusts
 with the top 10 computer science universities in the USA [*] and
 document (a) my success rate, (b) how many emails it took, and (c)
 how many months from first request to working trust entry.
 Hopefully a published case study like this will get people to stop
 pretending that crossrealm is actually a legitimate general-purpose
 solution.

 How many of the top-10 use Kerberos?
 And what exactly is the top-10 (which list?)

Lets say that there were Kerberos cross-realm trusts created between 
these various organizations.  Would that really help?  The original 
point was to gain access to the AFS filesystem.  Just logging onto the 
machine is possible now using SSH keys.  Do other sites use AFS 
foreign users through cross-realm trusts?  I suspect that users will 
dislike the idea of having to change AFS ACLs on a whole bunch of files 
to add the other foreign users.

(Quickly getting off-topic for the Kerberos list...)

CDC 



Re: Use ssh key to acquire TGT?

2007-06-02 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote:
 Adam Megacz [EMAIL PROTECTED] writes:
 Christopher D. Clausen [EMAIL PROTECTED] writes:
 UIUC has AFS?  Is there some other UIUC that I don't know about?

 Hrm, I was going by the fact that ncsa.uiuc.edu and acm.uiuc.edu are
 both in the CellServDB that comes with OpenAFS (and appear to work),
 but I guess those might be sub-campus-level entities.

 I believe NCSA bears a similar relationship to UIUC as SLAC does to
 Stanford, with complications for public vs. private institutions.

Acm.uiuc.edu ( http://www.acm.uiuc.edu/ ) is a group run almost entirely 
by volunteer students.  Fewer than 300 UIUC users have accounts on those 
systems and an even smaller number of those accounts are actually 
active.  [EMAIL PROTECTED] is about as unofficial as it gets at U of I.

NCSA is basically separate from the University of Illinois.  It just 
happens to be physically located on campus, but the networking and 
management are under completely different administrative control.

NCSA.EDU might be a good intermediary realm.  I suspect that they might 
have realm trusts with a variety of partner organizations for various 
research computer clusters.  But I wouldn't know for sure.  There are 
quite a few realms listed in the default krb5.conf file:
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/krb5.conf 
It's possible that those realms are not involved in any trusts 
whatsoever though.

CDC 



Re: Use ssh key to acquire TGT?

2007-06-01 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote:
 John Hascall [EMAIL PROTECTED] writes:
 How many of the top-10 use Kerberos?
 And what exactly is the top-10 (which list?)
 For the sake of argument lets say they are:

 Well, based on AFS usage (which requires Kerberos right now), all of
 the schools on your list except UT Austin must have a KDC running.

UIUC has AFS?  Is there some other UIUC that I don't know about?

(There is a UIUC.EDU realm, but it's certainly not used for AFS in any 
official UIUC supported capacity.  It's mostly for web-based 
authentication using bluestem: 
https://www-s.uiuc.edu/bluestem/notes/overview.html )

 Plus, would you need to get all 10?

 How many of the ten I get would be the most useful statistic.

I'll note that as a unit within the UIUC campus I have been unable to 
get a trust either inbound or outbound from the UIUC.EDU realm.

 But, your point is well taken.  Perhaps
 what would be more useful is if somebody
 like Educause served as a central crossrealm
 hub (everyone exchanges keys with them and
 gets a current capaths file).

 Based on my experience with university administrations, this is even
 less politically feasible. :)

You might want to look at this:
http://www.incommonfederation.org/

It appears to be mostly for web-based SSO, but it might be possible to 
use x.509 or Kerberos in some way as well.

CDC 



Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote:
 Our (hcoop.net) users love their new AFS homedirs, but are complaining
 a lot about ssh public keys not working the way they're accustomed to.
 Telling them to kinit after logging in doesn't quite cut it either.

 We're aware that this goes against the grain of kerberos security, but
 without something like this users will just start hardcoding their
 plaintext password into scripts, which is even worse.  At least with
 ssh keys we can urge them to password-encrypt their on-disk private
 keys.

How exactly is having a private key password different from simply 
telling the user to kinit ONCE on their local machine before attempting 
to SSH to your Kerberized machines?

Also, you could rig up a login script (or PAM) that used a local keytab 
file to obtain AFS tickets automatically at successful login.  Not sure 
if you'd have to assume that someone logging in as the local UNIX user 
automatically means that user would have the matching AFS identity. 
You would also have issues of users keeping their passwords and the 
keytabs up to date or otherwise differentiating between the keytab login 
and their real Kerberos identity.

This might be question to ask on the AFS mailing lists instead of the 
Kerberos ones.

CDC 



Re: Use ssh key to acquire TGT?

2007-05-31 Thread Christopher D. Clausen
Adam Megacz [EMAIL PROTECTED] wrote:
 Christopher D. Clausen [EMAIL PROTECTED] writes:
 How exactly is having a private key password different from simply
 telling the user to kinit ONCE on their local machine before
 attempting to SSH to your Kerberized machines?

 Because you have to kinit once **per realm**.

Well, if the passwords are different you can't get around that.  If the 
passwords are manually synchronized, it should be possible to have some 
process that takes a single password and gets multiple tickets from it.

And wouldn't a user need to enter multiple passwords if the passphrases 
were different on separate private keys?

 Most users also have many accounts on many machines that are not part
 of HCOOP.  Sadly, the world does not revolve around our KDC.

Ask for realm trusts.  (Or wait for $bigcompany to create a single huge 
world-wide Kerberos realm.)

 That's the nice part about ssh public keys -- you can use the same
 private key to log into any number of servers, even if the server
 admins don't have the logistical bandwidth (or political leverage) to
 negotiate complicated cross-realm arrangements with each other.  Or
 even if some of the servers don't use kerberos.

You can similarly set your password to be the same for multiple realms.

 Also, you could rig up a login script (or PAM) that used a local
 keytab file to obtain AFS tickets automatically at successful login.

 Yes, unfortunately this would mean that anybody who hacked local root
 on any one of the shell servers would instantly have keytabs for every
 user.  Not good.

Anyone who hacked local root would be able to just copy all the tickets 
in the krbcc in /tmp when users login anyway.  Yes, immediate access to 
all principals would be bad, but having access to even some tickets 
would be bad enough.  Or replace the login process with something that 
grabs tickets / passwords.

I don't know enough about sshd and private keys to know if it's 
possible to use something locally on a shell server to decrypt a keytab 
at login and then use it for AFS access.  I suspect such an sshd / PAM 
modification is possible, but I have no idea how to go about 
implementing it.

 Also, I don't know if MIT KDC supports having both a password and a
 keytab for a user.  I know it's possible in theory, but I think that
 feature just isn't there -- creating a keytab erases their password.

It should be possible.  Use the addent ktutil function.

kinit username
Password for [EMAIL PROTECTED]:
kvno username
[EMAIL PROTECTED]: kvno = 1
kdestroy

($kvno = 1)

ktutil
ktutil: addent -password -p username -k $kvno -e des-cbc-crc
Password for [EMAIL PROTECTED]:
ktutil: addent -password -p username -k $kvno -e des3-cbc-sha1
Password for [EMAIL PROTECTED]:
ktutil: wkt username.keytab
ktutil: quit

(and enc_types as needed)

CDC 



Re: kerberos, hpux 11.11, ssh

2007-05-09 Thread Christopher D. Clausen
Wilson, Michael [EMAIL PROTECTED] wrote:
 ***KLIST -kte***
 [abc]:/var/adm/syslog # klist -kte
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Timestamp         Principal
 ---- ----------------- --------------------------------------------------------
    6 05/08/07 16:12:33 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)

 ***HOSTS FILE***
 [abc]:/etc $ cat hosts
 #
 10.9.1.1    abc
 127.0.0.1   localhost   loopback

Well, I suspect that should be using a FQDN and not just host/abc

does kinit -kt /etc/krb5.keytab host/abc
actually work?
(you should not get any messages, and klist should show tickets for the 
host/abc principal.)

 ***KRB5.CONF***
 [abc]:/etc # cat krb5.conf
 [logging]
  default = FILE:/var/adm/krb5lib.log
  kdc = FILE:/var/adm/krb5kdc.log
  admin_server = FILE:/var/adm/kKDCmind.log

 [libdefaults]
  ticket_liftetime = 24000
  default_realm = KDC.DIEBOLD.COM

Your Windows AD domain is called KDC.DIEBOLD.COM ?  That doesn't sound 
right.

  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
  default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5

Delete the above two lines.  Hardcoding enctypes is a bad idea and will 
cause you much pain in the future.

 The keytab was added earlier and is now in place.
 After I read your email I reviewed a few things and here is where we
 are now:

 We can telnet into 'abc' and we get authenticated via active
 directory. When we use ssh to try this we get rejected.

Authenticated using Kerberos tickets?  OR via typing in a password?

What EXACT error message do you get from SSH?  And is the error message 
actually from SSH itself?  Or from whatever PAM type stuff that hpux 
uses?

 We have tried to find results for this on the internet, but have had
 No viable luck.

try the following:
kdestroy
kinit -f -5 -p user@REALM
klist -ef
ssh -vvv -o GSSAPIAuthentication=yes machine
(Ctrl-C it if you get a password prompt or if it doesn't work.)
klist -ef
(yes, again, and look for a host/* ticket)

And what does your sshd_config file look like?

CDC 

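The diagnostic sequence above ends with a second klist and a look for a host/* ticket. The functions below are an added example (not from the post) that do that check over klist output: one lists the service principals of every ticket in the cache, the other tests for one exact service principal, so a script can fail loudly when the GSSAPI exchange never produced a host ticket. The klist output embedded here is constructed for the demonstration; the realm and hostnames are invented.

```shell
#!/bin/sh
# service_principals < klist-output
# Prints the service principal of every ticket line.  MIT klist prints ticket
# lines as "<start date> <start time>  <expiry date> <expiry time>  <service>";
# the following "Flags:"/"Etype" lines from klist -ef do not start with a date.
service_principals() {
    awk 'NF >= 5 && $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ { print $NF }'
}

# has_service_ticket <service-principal> < klist-output
# Prints the matching ticket line and exits 0 if present, 1 otherwise.
has_service_ticket() {
    awk -v want="$1" '
        NF >= 5 && $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && $NF == want {
            print; found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of what "klist -ef" prints after a successful GSSAPI ssh:
# a TGT plus a host/ service ticket for the target machine.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
05/08/07 16:12:33  05/09/07 02:12:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/08/07 16:12:40  05/09/07 02:12:33  host/abc.example.com@EXAMPLE.COM
        Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'
```

On a real host the check is `klist -ef | has_service_ticket "host/$(hostname -f)@REALM"`; an empty result after the ssh attempt means the client never got as far as requesting the service ticket, which points at the krb5.conf or name resolution rather than at sshd. Note the principal is matched on the fully-qualified name, which is the same FQDN point made earlier in the thread.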


Re: Cross Realm MIT - Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote:
 On Thu, 3 May 2007 23:33:29 +0100
 Markus Moeller [EMAIL PROTECTED] wrote:

 What does sshd -ddde show when you connect ?  Do you use a .k5login
 or auth_to_local ?

 Hi Markus,

 I'm not familiar with .k5login or auth_to_local. The only thing I
 changed in sshd_config was I turned off UsePAM.

Kerberos only handles authentication.  You need something for 
authorization.  By default, the kerberos libraries will match principals 
in the local default realm to local users. (principal == local user 
name.)  [EMAIL PROTECTED] can login as cclausen. 
[EMAIL PROTECTED] cannot login without authorization.

 I actually think the trust is valid. I've been trying it with my HTTP
 SSO code and the GSS calls are definitely succeeding. It's something
 that happends after the auth (e.g. RC4 salting or session key
 problem).

Setting up a trust does NOT automatically grant authorization for the 
foreign realm.  Try creating a ~/.k5login file in the home directory of 
the user you are logging in as listing authorized Kerberos principals, 
one per line.

(AD.UIUC.EDU is a Windows AD domain.  ILLIGAL.UIUC.EDU is an MIT realm.)

For instance:
C:\>klist
Ticket cache: API:[EMAIL PROTECTED]
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
C:\>putty ial.illigal.uiuc.edu
C:\>klist
Ticket cache: API:[EMAIL PROTECTED]
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
05/03/07 20:26:36  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
05/03/07 20:26:58  05/04/07 06:26:36  host/[EMAIL PROTECTED]

On the remote system:
[EMAIL PROTECTED]:~$ cat .k5login
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_L30429
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
05/03/07 20:26:58  05/04/07 06:26:36  krbtgt/[EMAIL PROTECTED]
[EMAIL PROTECTED]:~$ cat /etc/krb5.conf | grep default
[libdefaults]
default_realm = ILLIGAL.UIUC.EDU
[EMAIL PROTECTED]:~$

CDC 

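The authentication-versus-authorization point in this post (and the follow-up's mention of auth_to_local) can be shown as a small decision procedure. The function below is an added example, not code from the post or from MIT Kerberos: it applies the two rules the post describes, the default "principal name equals local user in the default realm" mapping when no .k5login exists, and an exact-match lookup in ~/.k5login when the file is present. The realm names and the principal cclausen are taken from the post; the file path is constructed.

```shell
#!/bin/sh
# authorize_principal <principal> <local-user> <default-realm> <k5login-path>
# Returns 0 when the authenticated principal may log in as the local user.
#   - With a .k5login present, only principals listed in it (one per line,
#     '#' comments ignored) are accepted; the default rule no longer applies.
#   - Without one, only "<local-user>@<default-realm>" is accepted, which is
#     why a trusted foreign-realm principal is refused until it is listed.
authorize_principal() {
    princ=$1; user=$2; realm=$3; k5login=$4
    if [ -f "$k5login" ]; then
        # fixed-string, whole-line match so "a@X" does not match "a@X.Y"
        grep -v '^#' "$k5login" | grep -Fqx "$princ"
        return $?
    fi
    [ "$princ" = "$user@$realm" ]
}

# explain_decision: same check with a one-line reason, for use in login logs
explain_decision() {
    if authorize_principal "$@"; then
        echo "ALLOW $1 as $2"
    elif [ -f "$4" ]; then
        echo "DENY  $1 as $2: not listed in $4"
    else
        echo "DENY  $1 as $2: not $2@$3 and no $4 present"
    fi
}
```

With no .k5login, `authorize_principal cclausen@AD.UIUC.EDU cclausen ILLIGAL.UIUC.EDU ~/.k5login` is denied even though the cross-realm trust let the principal authenticate; listing cclausen@AD.UIUC.EDU in the file flips the decision, which is the fix the thread ends with. A real deployment would also want the file owned by the user and not writable by others, since it is an authorization list.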


Re: Cross Realm MIT - Windows Close But No Cigar

2007-05-03 Thread Christopher D. Clausen
Michael B Allen [EMAIL PROTECTED] wrote:
 On Thu, 3 May 2007 20:31:55 -0500
 Christopher D. Clausen [EMAIL PROTECTED] wrote:
 Try creating a ~/.k5login file in the home directory of
 the user you are logging in as listing authorized Kerberos
 principals, one per line.

 That was it! SSH now works cross realm. I was clueless about .k5login.

You can use an auth_to_local rule in krb5.conf instead.  Search this 
list for a post a few weeks back for some to try.

 Now I wonder what smbclient's problem is with the bad echo'd
 signatures. Wheres Andrew Bartlett when you need him ...

After I broke AD.UIUC.EDU (yes, campus wide) several years ago using 
samba, I haven't touched it.  But I suspect that is a question for a 
samba list.  I assume you have looked at the KDC logs and possibly some 
network traces to try and figure out what is going on?

 Mmm, UIUC. I have droves of family in Champaign.

I don't.  That's why I moved here :-)

CDC 



Re: Kerberos for Windows NT 4.0

2007-05-02 Thread Christopher D. Clausen
Warren Coykendall [EMAIL PROTECTED] wrote:
 Hello, I was wondering we have a NT 4.0 domain which we cannot
 migrate to Windows 2003.  Is there a way to have the NT 4.0 domain
 work with Kerberos so we can get single sign-on w/out the pain of
 upgrading to active directory?

I do not think there is any Kerberos in NT 4.0.  You might be able to 
make something work with Samba though.  Are you actually running NT 4 
machines?  On Windows 2000 and above you can set up the clients to talk 
Kerberos directly to an external KDC: 
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC

That will get you single sign-on, but you'll miss a lot of the other AD 
benefits.  I am of the opinion that Windows 2003 Active Directory is 
vastly superior to NT 4 domains.  I would strongly suggest using it, 
even if it is a lot of work to migrate / recreate your environment.

CDC 



Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M [EMAIL PROTECTED] wrote:
 We use Active Directory to create User accounts and make the person
 change his/her password the first time he/she logs on to any of our
 machines (linux or windows). Changing password on the Windows machines
 works just fine but no one can change their passwords on a linux
 machine. Not just the first time, but ever.

 [EMAIL PROTECTED] ~]$ passwd
 Changing password for user username.
 Kerberos 5 Password:
 New UNIX password:
 Retype new UNIX password:

 After this it just hangs. The password never gets changed. i found
 pre-authentication failure kadmin/changepw...failure code 0x19. in the
 kdc admin-server event log which corresponds to additional
 pre-authentication required. I googled that but couldn't find a way
 to fix that failure. I don't see anything in the logs on the linux
 machine that I'm trying to change my password on.

Have you tried using the kpasswd command instead of passwd?

CDC 



Re: Changing password on linux machine hangs

2007-04-03 Thread Christopher D. Clausen
M [EMAIL PROTECTED] wrote:
 Yep. Tried that. Same behavior. It's not just one linux machine, it's
 all linux machines that do this. So it's something that's set
 environment wide...I've ruled out the firewall...not sure what else it
 could be.

What does your krb5.conf file look like?

Do you have an admin_server specified for your realm?

CDC 



Re: Win Kerb Server

2007-03-06 Thread Christopher D. Clausen
Gayal [EMAIL PROTECTED] wrote:
 On 2/8/07, Christopher D. Clausen [EMAIL PROTECTED] wrote:
 Gayal [EMAIL PROTECTED] wrote:
 Hi,
 I want to implement SSO with Win2003 Server for Linux Clients.
 But I don't have access to Win2003 Server. ex: creating keytab files
 are not possible.
 So I installed MIT Kerberos KDC server to a Debian Etch and try to
 implement SSO for Linux Client.

 I assume above procedures can be done on Win2003 too because it
 has a Kerberos Server.
 Am I correct?

 Yes, using Microsoft's Active Directory.

 Is this possible without having Access to the Win2003 DC?

Depends upon what you mean by access.  You may need to have a domain 
administrator create the principals for you or otherwise extract the 
keytabs.  You do not need logon access or even domain administrator 
access.  You only need to be able to create new user / computer accounts 
and then run a few commands to extract the keytabs.  This permission can 
be delegated to you by a domain admin.

You might want to consider having the domain admin set up a Kerberos 
cross-realm trust to your MIT Kerberos realm.  That might be easier than 
having keytabs for all machines in Active Directory.

CDC 



Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 On Tue, 20 Feb 2007, Jeffrey Altman wrote:
 [EMAIL PROTECTED] wrote:

 Is there a way to redirect stderr from kinit/klist to a file?

 stdin and stderr cannot be redirected.  They are used for password
 prompting

 Hmmm but I'm not trying to redirect the password prompt... in
 fact, kinit won't let me redirect the password prompt, it still
 displays it in the shell (NOT as a Windows dialog):

   C:\> kinit 2>err.out
   Password for [EMAIL PROTECTED]:

 That's fine and I'm not suggesting it should work any
 different... for the password prompt that is...

 But if I'm using kinit -kt or klist or kdestroy... (none of
 which should prompt for a password or require any keyboard input),
 then I think you should be able to redirect stderr.

 Unfortunately, if I try to run any of those commands and I get an
 error AND stderr is re-directed then I get a Windows dialog instead.

   C:\> kinit -kt foobar 2>err.out
   (Windows dialog with error, nothing in err.out)

 The problem is, if you're running an automated background job using a
 keytab and something's wrong (eg the keytab is missing), it makes it
 VERY difficult to find the problem.  You can't redirect stderr
 because that triggers a Windows dialog which could cause the
 background job to hang waiting for user input it's never going to
 get.  Or if it doesn't hang, there's no way to log the error to see
 why it failed.

Well, can't you check the exit error codes set by the program?

C:\>kinit -kt test
kinit(v5): Cannot resolve network address for KDC in requested realm 
while getting initial credentials
C:\>echo %ERRORLEVEL%
1
C:\>klist
klist: No credentials cache found (ticket cache API:[EMAIL PROTECTED])
C:\>echo %ERRORLEVEL%
1
C:\>kinit cclausen
Password for [EMAIL PROTECTED]:
C:\>echo %ERRORLEVEL%
0
C:\>klist
Ticket cache: API:[EMAIL PROTECTED]
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
02/20/07 18:14:49  02/21/07 04:14:49  krbtgt/[EMAIL PROTECTED]
C:\>echo %ERRORLEVEL%
0

Also, I can redirect the klist output just fine.  What are you doing?

C:\>klist 2>&1 1>%TEMP%\test.txt
C:\>cat %TEMP%\test.txt
Ticket cache: API:[EMAIL PROTECTED]
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
02/20/07 18:14:49  02/21/07 04:14:49  krbtgt/[EMAIL PROTECTED]
C:\>

But yes, I'd agree that dialogs from kinit stderr redirection attempts 
are quite odd and unexpected.

CDC 
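An added example, not from this thread or from Kerberos for Windows, of the approach the reply suggests for background jobs: run a keytab-based kinit with no terminal attached and decide success from its exit code rather than from stderr, with a timeout so a stray prompt or dialog cannot hang the job. The keytab path and principal in the `__main__` section are placeholders, and `PYTHON` is exposed only so the helper can be exercised without a real kinit.

```python
"""Added example (not from the thread): unattended kinit judged by exit code."""
import subprocess
import sys

# Interpreter path, exposed so the helper can be exercised without a real kinit.
PYTHON = sys.executable


def run_unattended(argv, timeout=30):
    """Run argv with no terminal attached.

    Returns (ok, exit_code, stderr_text).  exit_code is None when the
    program could not be started or had to be killed on timeout.
    """
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,   # never block waiting for keyboard input
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=timeout,            # a hung prompt/dialog ends here, not never
            text=True,
        )
    except subprocess.TimeoutExpired as exc:
        # Partial stderr is delivered as bytes on some Python versions even in text mode.
        err = exc.stderr or b""
        if isinstance(err, bytes):
            err = err.decode(errors="replace")
        return False, None, err
    except FileNotFoundError as exc:
        return False, None, str(exc)
    return proc.returncode == 0, proc.returncode, proc.stderr


def refresh_ticket(keytab, principal, kinit="kinit", timeout=30):
    """Run `kinit -kt KEYTAB PRINCIPAL`; True only when the exit code is 0.

    Whatever kinit wrote to stderr is captured and logged, so a failed run
    leaves a record even where stderr would otherwise have gone to a dialog.
    """
    ok, rc, err = run_unattended([kinit, "-kt", keytab, principal], timeout)
    if not ok:
        print(f"kinit failed (exit code {rc}): {err.strip()}", file=sys.stderr)
    return ok


if __name__ == "__main__":
    # Placeholder keytab and principal; substitute the real ones when running this.
    sys.exit(0 if refresh_ticket(r"C:\krb5\svc.keytab", "svc/host@EXAMPLE.COM") else 1)
```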





Re: KfW 3.1: Re-directed stderr of kinit/klist displays dialog

2007-02-20 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 On Tue, 20 Feb 2007, Jeffrey Altman wrote:

 [EMAIL PROTECTED] wrote:

 Is there a way to redirect stderr from kinit/klist to a file?

 stdin and stderr cannot be redirected.  They are used for password
 prompting.

 Hmmm but I'm not trying to redirect the password prompt... in
 fact, kinit won't let me redirect the password prompt, it still
 displays it in the shell (NOT as a Windows dialog):

   C:\> kinit 2>err.out
   Password for [EMAIL PROTECTED]:

I managed to redirect the password prompt:

(Not sure if this is a feature or a bug.)

C:\>kinit cclausen 2>&1 1>kinit.txt
C:\>cat kinit.txt
Password for [EMAIL PROTECTED]:
C:\>

CDC 





Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet [EMAIL PROTECTED] wrote:
 I tried and I got this:

 [EMAIL PROTECTED]:~$ kinit -k host/[EMAIL PROTECTED]
 kinit(v5): Permission denied while getting initial credentials
 [EMAIL PROTECTED]:~$ sudo kinit -k host/[EMAIL PROTECTED]
 [EMAIL PROTECTED]:~$

This is expected.  The /etc/krb5.keytab is normally only readable as 
root.

Presumably, a successful kinit as above means that your /etc/krb5.keytab 
file matches the principal on the KDC side.  If you are still having 
problems, it's likely not with the host keytab.

CDC 





Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza [EMAIL PROTECTED] wrote:
 I got single sign-on working, but now I'm trying to do AIX
 authentication using Kerberos to a 2003 AD without ticket verification
 (non single sign-on).

 Now the password changes in AD are immediately noticed by the client (AIX).

 But I still have problems with ssh, telnet and ftp.

 And I have my tgt_verify flag=false in order not to use the keytab file...

 I can use the same user's password on the AIX machine (even after
 a password reset in AD):
 bash-3.00# /usr/krb5/bin/kinit test5
 Password for [EMAIL PROTECTED]:
 bash-3.00#

Is that kinit part of the AIX krb.client.rte fileset?  Or are you using 
MIT Kerberos that you compiled from source?

 but not ssh, telnet or ftp...

 ssh result:
 --
 bash-3.00# ssh [EMAIL PROTECTED]
 [EMAIL PROTECTED]'s password:
 Permission denied, please try again.
 [EMAIL PROTECTED]'s password:

That's pretty useless.  Run sshd as "sshd -D -ddd -p 222" and then run 
"ssh -vvv -p 222" and send the output of both so that you can actually 
check for errors.

 telnet result:
 
 [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
 failed: Unsupported key table format version number ]
 [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
 failed: Unsupported key table format version number ]

That is somewhat more useful.  As it states above, there is something in 
the keytab file that telnet doesn't like.

Run klist -k /var/krb5/security/keytab/`hostname`.keytab as root.  If 
that doesn't work, look in /var/krb5/security/keytab/ for an old keytab 
file and possibly delete or rename it.  AIX looks there for a keytab 
file by default, instead of the usual /etc/krb5.keytab or 
/etc/krb5/krb5.keytab.

 my krb5.conf (this is thousandth time edited file already)...but this
 one works with the single sign on...
 
 [libdefaults]
 default_realm = X.Y.NET
 # default_keytab_name = FILE:/etc/krb5/krb5.keytab // someone asked me
 to try commenting it out but it doesn't make a difference
 # default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts
 des-cbc-md5 des-cbc-crc
 # default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts
 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5

It's generally a bad idea to hardcode enctypes like the above.  I'd 
recommend commenting out the above two lines.

 KRB5A:
 program = /usr/lib/security/KRB5A
 program_64 = /usr/lib/security/KRB5A_64
 # options = authonly
 options = tgt_verify = no

Hmm... Try "options = tgt_verify=no" just in case the spaces matter.  In 
theory this should prevent KRB5A from looking at the keytab, but from 
the telnet output, it seems that either telnetd is still trying to do 
Kerberos/GSSAPI authentication or the tgt_verify option isn't working.

And can you get the KDC logs when you try using ssh or telnet?

CDC 





Re: kadmin problem

2007-02-14 Thread Christopher D. Clausen
scotty adams [EMAIL PROTECTED] wrote:
 This is what I am getting after all:

 bash-2.05# kadmin scotty
 Enter Password:
 Enter Password:
 kadmin: Preauthentication failed while initializing kadmin interface

Preauth failed is usually a wrong password message.

Can you "kinit scotty"?

CDC 





Re: Problem with Kerberos Service

2007-02-14 Thread Christopher D. Clausen
LukePet [EMAIL PROTECTED] wrote:
 OK, and about telnet... what can you tell me?

 [EMAIL PROTECTED]:~$ kinit pippo
 Password for [EMAIL PROTECTED]:
 [EMAIL PROTECTED]:~$ telnet -a -l pippo lukesky.epiluke.it
 Trying 192.168.182.185...
 Connected to lukesky.epiluke.it (192.168.182.185).
 Escape character is '^]'.
 [ Kerberos V5 accepts you as [EMAIL PROTECTED]'' ]
 Password for pippo:
 Login incorrect

 It seems that something has changed... what does "[ Kerberos V5 accepts
 you as [EMAIL PROTECTED]'' ]" mean?

 Why does it ask "Password for pippo:"??? What do I have to insert?

I don't know why it asks for a password.  The "Kerberos accepts you as" 
message should indicate that telnetd has received forwarded Kerberos 
credentials from your telnet client.

CDC 





Re: Authentication using the KRB5A method issues (AIX-AD)

2007-02-14 Thread Christopher D. Clausen
Mohamad Nurhafiza [EMAIL PROTECTED] wrote:
 Yes, it's part of the krb.client.rte fileset (AIX CD).

 bash-3.00# /usr/krb5/bin/klist -k
 Keytab name:  FILE:/etc/krb5/krb5.keytab
 Unable to start keytab scan.
 Status 0x96c73ad5 - Unsupported key table format version
 number.
 bash-3.00# /usr/krb5/bin/klist -k /var/krb5/keytab/vx32.keytab
 Keytab name:  FILE:/var/krb5/keytab/vx32.keytab
 Unable to start keytab scan.
 Status 0x2 - A file or directory in the path name does not
 exist..

rm /etc/krb5/krb5.keytab
and try telnet / ssh again.

And please reply to the list and not me directly.

CDC 





Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
Luca Petrini [EMAIL PROTECTED] wrote:
 Hello, I'm an Italian user and my name is Luca.

 I'm working with Kerberos on my Ubuntu 6.10.

 1) Configure the /etc/hosts file:
 127.0.1.1 laptop
 192.168.182.254 kdc.epiluke.it admin.epiluke.it lukesky.epiluke.it
 127.0.0.1 localhost localhost.localdomain

 and I have configured the /etc/hostname file with this name
 lukesky.epiluke.it


Change the 192.168 line in your /etc/hosts file to:
192.168.182.254 lukesky.epiluke.it

 2) Configure krb5.conf file:

 [realms]
  EPILUKE.IT = {
   kdc = kdc.epiluke.it:88
   admin_server = admin.epiluke.it:749
  }

For now, just use lukesky.epiluke.it for both kdc and admin_server. 
Once you get things working you can try setting up DNS aliases.

 Now I would configure kerberized telnet service but it doesn't work;
 there is something wrong.

 9) From kadmin I have defined:

 addprinc host/[EMAIL PROTECTED]
 ktadd -k /etc/krb5.keytab host/[EMAIL PROTECTED] (???
 I'm not sure that it's correct)


What does "klist -kte" (as root) show?

Can you "kinit -kt host/[EMAIL PROTECTED]" on this machine?

 Well, at this point I have exec by shell this command:

 $telnet -l pippo lukesky.epiluke.it

What does kinit show before you run the above command?

And try using:
kinit pippo
telnet -a -l pippo lukesky.epiluke.it

 but the results are:
 Trying 192.168.182.254...
 Connected to admin.epiluke.it (192.168.182.254).
 Escape character is '^]'.
 Password for pippo:
 Login incorrect

If ktelnet is working correctly (and I assume you do indeed want to use 
ktelnet) you should not be prompted for a password.  It should forward 
your Kerberos credentials to the telnetd server.

gcs# kinit
Password for [EMAIL PROTECTED]:
gcs# telnet -a -l cclausen gcs.illigal.uiuc.edu
Trying 128.174.193.202...
Connected to gcs.illigal.uiuc.edu (128.174.193.202).
Escape character is '^]'.
[ Kerberos V5 accepts you as [EMAIL PROTECTED]'' ]
Last login: Wed Dec 13 14:03:28 from ial.illigal.uiuc.edu
Linux gcs 2.6.15-27-686 #1 SMP PREEMPT Fri Dec 8 18:00:07 UTC 2006 i686 GNU/Linux
gcs%
gcs% exit
Connection closed by foreign host.
gcs# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
02/08/07 02:20:37  02/08/07 12:20:37  krbtgt/[EMAIL PROTECTED]
        renew until 02/09/07 02:20:34
02/08/07 02:21:01  02/08/07 12:20:37  host/[EMAIL PROTECTED]
        renew until 02/09/07 02:20:34

See the lack of any password prompt?

CDC 





Re: Problem with Kerberos Service

2007-02-08 Thread Christopher D. Clausen
LukePet [EMAIL PROTECTED] wrote:
 So,
 What does klist -kte (as root) show?

 [EMAIL PROTECTED]:~$ sudo klist -kte
   2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (Triple DES
 cbc mode with HMAC/sha1)
   2 02/08/07 14:13:52 host/[EMAIL PROTECTED] (DES cbc
 mode with CRC-32)

 Can you kinit -kt host/[EMAIL PROTECTED] on this machine?

 [EMAIL PROTECTED]:~$ kinit -kt host/[EMAIL PROTECTED]
 kinit(v5): Client not found in Kerberos database while getting initial
 credentials

Hmm... that looks bad.  rm /etc/krb5.keytab and re-extract the 
host/lukesky.epiluke.it keytab into /etc/krb5.keytab from kadmin.

 and If I exec kinit and telnet I have:

 [EMAIL PROTECTED]:~$ kinit pippo
 Password for [EMAIL PROTECTED]:
 [EMAIL PROTECTED]:~$ telnet -a -l pippo lukesky.epiluke.it
 Trying 192.168.182.121...
 Connected to admin.epiluke.it (192.168.182.121).
 Escape character is '^]'.
 Password for pippo:
 Login incorrect

 Why? What does it mean?

It means it's not using Kerberos, likely b/c of the problem with the host 
keytab.  If you get a password prompt, Kerberos ticket forwarding has 
failed and I'd suggest simply Ctrl-C-ing out of telnet.

CDC 





Re: KDC not included with Kerberos V5 for Windows?

2007-02-07 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 Am I correct in concluding that there isn't a KDC binary for
 DOS/Windows (or kadmin, KDB5_Util etc)?

Yes.

CDC 





Re: kinit problem

2007-02-05 Thread Christopher D. Clausen
Try reinstalling the kdc package(s) ?

Check the man pages to be sure you are running it correctly and have it 
configured correctly?

Maybe look for patches on Sun's website?

CDC

scotty adams [EMAIL PROTECTED] wrote:
 Dear Christopher,

 No, I didn't compile kadmin myself.
 It is a command just like any other Kerberos command found in the
 Solaris environment. How can I proceed?

 Thanks,
 Scotty

 Christopher D. Clausen [EMAIL PROTECTED] wrote: scotty adams
 wrote:
Cause:  The host that was entered for the admin server, also
  called the master KDC, did not have the kadmind daemon running.
 Solution:  Make sure that you specified the correct host name for the
 master KDC. If you specified the correct host name, make sure that
 kadmind is running on the master KDC that you specified. upon
 starting the kadmind daemon, i got the following:
 bash-2.05# ./kadmind start
 Bus Error (core dumped) 





Re: kinit problem

2007-02-04 Thread Christopher D. Clausen
scotty adams [EMAIL PROTECTED] wrote:
Cause:  The host that was entered for the admin server, also
  called the master KDC, did not have the kadmind daemon running.
 Solution:  Make sure that you specified the correct host name for the
 master KDC. If you specified the correct host name, make sure that
 kadmind is running on the master KDC that you specified. upon
 starting the kadmind daemon, i got the following:
 bash-2.05# ./kadmind start
 Bus Error (core dumped)

Looks like a bad binary.  Did you compile kadmind yourself?

CDC 





Re: putty/winscp with gssapi/krb5 ticket forwarding

2007-02-01 Thread Christopher D. Clausen
Lars Schimmer [EMAIL PROTECTED] wrote:
 Christopher D. Clausen wrote:
 Lars Schimmer [EMAIL PROTECTED] wrote:
 Christopher D. Clausen wrote:
 So you have an Active Directory domain that the Windows machines
 are on?

 Yes, there is a AD domain in which the PCs are.

 And a separate Kerberos Realm for the Linux machines?

 The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT, or in
 lower case cgv.tugraz.at)

 Okay, this sounds bad.  You'll likely need to rename either the
 domain or the realm.  (I believe there is a Windows tool to rename a
 domain.)

 OK, we are just 20 people here using our REALM and no entry in DNS
 server, I think it is easier to rename the REALM instead of the AD
 domain. We got a /25 subnet and a DNS entry cgv.tugraz.at (yes,
 academic).
 Within this I wanted to set up OpenAFS (I think it should be named after
 the DNS entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is
 best and the only usable one), Linux clients (no probs so far) and an
 AD domain with its own AD domain server. And I think for
 DNS/network/... purposes it is far easier to name the AD domain after
 the DNS entry cgv.tugraz.at (e.g. names of clients, IPs via dhcp, ...).
 I thought the only possible useable REALM was CGV.TUGRAZ.AT and I set
 it up that way and was happy as it worked for the most needed parts
 (login into AD domain [with own AD password], getting ticket from
 krb5 server for CGV.TUGRAZ.AT REALM and getting token automatic).

If your eventual goal is to set up OpenAFS, I'd suggest ONLY using the AD 
domain if your Kerberos realm only has a few users now anyway.  You can 
do just about anything in AD that you could do with MIT Kerberos, although 
the management from the non-Windows side of things is a little annoying, 
but it is possible.  Having everything in one Kerberos realm simplifies 
single-sign-on and cross-platform issues.

 You cannot have this work just b/c the realms are the same.  There
 needs to be a trust setup between the realms, or you need to have
 ALL your non-Windows machines also use the Windows domain as a KDC
 instead of the MIT one.

 Some time ago it was easier to setup the MIT krb5 server instead of
 using AD krb5 auth together with OpenAFS.

 And I thought using MIT krb5 software on Windows with a active ticket
 for the correct REALM is the needed part for loging in with putty via
 ticket forwarding.

It is nearly as easy to have an AFS cell use an AD domain as using MIT or 
Heimdal.  Just generate a keytab for the afs/cell service principal and 
use asetkey to add it to the KeyFile.

CDC 





Re: Kerberos environment under windows

2007-01-31 Thread Christopher D. Clausen
Peger, Daniel Heinrich [EMAIL PROTECTED] wrote:
 How do I tell a C/C++ (using GSSAPI) app what my current Kerberos
 environment is? For testing purposes I don't want to use the standard
 environment but authenticate against a test Kerberos setup, which
 needs to be specified somewhere.

Edit the krb5.ini file and specify your test realm.  Then just kinit to 
a user in that realm before starting putty.  No need to do anything in 
C.

CDC 





Re: kerberos configuration

2007-01-30 Thread Christopher D. Clausen
scotty adams [EMAIL PROTECTED] wrote:
 Hi Christopher,

 Actually i need the SEAM
 Can you also pass me a full KDC configuration?

No, I cannot.  I suggest that you read the Sun Docs on SEAM:
http://docs.sun.com/app/docs/doc/816-5164

And please reply to the list, not to me directly.

CDC 





Re: Re.How to configure kerberos with windows 2000 AD

2007-01-30 Thread Christopher D. Clausen
Bharat Thakur [EMAIL PROTECTED] wrote:
 Dear Sir,
 Thanks for your reply. There are three Linux servers and one Windows
 2003 AD (R2) on the same network with 180 Linux thin clients and 400
 Windows clients. The KDC is installed on the first Linux server; the other two are
 application servers for Sun clients. I want to integrate the KDC with AD
 so that Linux clients can also log on with AD users.


You mean you want AD users to be able to login to Linux clients?

How are the users logging on?  Through SSH?  Or on the glass?

Do you have a realm trust setup between the AD domain and linux KDC?

CDC 





Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 On Mon, 29 Jan 2007, Christopher D. Clausen wrote:
 Can you simply fail-over using the same IP on both interfaces?  (I
 believe there is a bonding module in Linux that can do this.)
 
 The point of the virt interface is so it can be moved to a different
 host. If the virt interface has the same IP as the real interface,
 then it couldn't be moved to another host.  In other words, the
 fail-over is to fail over to a completely separate host, not a
 separate interface on the same host.

Uhh, can I ask why you are doing this?  Kerberos already has a master/slave 
architecture.  There is no need to cluster Kerberos servers in the manner you 
describe.  Just set up multiple slave servers.

I thought you wanted more reliable KDCs by having redundant network interfaces.

CDC





Re: Wrong principal in request using virt interface

2007-01-29 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
 On Mon, 29 Jan 2007, Christopher D. Clausen wrote:
 [EMAIL PROTECTED] wrote:

 I'm moving the server to a new cluster of RHE hosts that use virtual
 interfaces (eg. eth0:1) to allow for failover to a new host while
 still maintaining the original IP address.  On this new system I'm
 getting the following error when I run sshd in debug (-ddd) mode:

   Wrong principal in request

 I have 2 IP addresses and 2 hostnames associated with the 2
 interfaces (one of them a virtual interface) on my workstation:

    interface   hostname        ip
    ------------------------------------------
    eth0        gort.home.org   192.168.0.2
    eth0:1      cvs.home.org    192.168.0.200

 Can you simply fail-over using the same IP on both interfaces?  (I
 believe there is a bonding module in Linux that can do this.)

 The point of the virt interface is so it can be moved to a different
 host. If the virt interface has the same IP as the real interface,
 then it couldn't be moved to another host.  In other words, the
 fail-over is to fail over to a completely separate host, not a
 separate interface on the same host.

Sorry, I think I'm missing something...  These are NOT Kerberos KDCs are 
they?

You are trying to have a clustered service that uses Kerberos for SSH? 
And can essentially be treated as a multi-homed system?

Do you have proper A and PTR records for both names?  What does your 
/etc/hosts file look like?  What does "hostname -f" return on your system?

CDC 





Re: Wiki?

2007-01-17 Thread Christopher D. Clausen
Jeff Blaine [EMAIL PROTECTED] wrote:
 It just seemed to me that there's a LOT of information
 that is incredibly scattered.  If nobody else is likely
 to contribute, then the hell with it.  I'm not going to
 spend the hours to share my notes if nobody else will
 offer some of their time.

IMHO, people who run services such as Kerberos need to be involved on 
the mailing lists, file bug reports, etc.  Trying to setup anything from 
a guide or how-to will result in problems in the long run when you 
encounter something unexpected.

Also, aren't these type of questions what a FAQ is for?  Isn't there a 
Kerberos FAQ?  (I thought Ken Hornstein was maintaining it.)  Perhaps 
said FAQ could be moved to the wiki:
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

That being said, I'd be willing to contribute to a wiki, provided it's 
NOT running mediawiki.

CDC
-- 
Christopher D. Clausen 




Re: pam-krb5 2.6 released

2006-12-14 Thread Christopher D. Clausen
From the manual page:
http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html

realm=realm
If the obtained credentials are supposed to allow access to a shell 
account, the user will need an appropriate .k5login file entry or the 
system will have to have a custom aname_to_localname mapping. 

Do you have the appropriate entries in .k5login?  Or a custom 
aname_to_localname mapping (presumably in krb5.conf) ?

CDC

Markus Moeller [EMAIL PROTECTED] wrote:
 Russ,

 I have a setup where I have two domains with trust and would like to
 have users from either domain to login to my Unix machine to
 applications which can't use GSSAPI so I need to use pam_krb5 to have
 some form of SSO. My Unix system is in DOMAIN1.COM which is
 configured to be the default domain in krb5.conf . I configured pam
 (on Solaris 2.8) as follows:

 #authentication
 other auth sufficient  pam_krb5-2.6.so.1 minimum_uid=100 debug
 other auth sufficient  pam_krb5-2.6.so.1 minimum_uid=100
 realm=DOMAIN2.COM use_first_pass debug
 other auth required   pam_unix.so.1 try_first_pass debug
 # account
 other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100 debug
 other account sufficient   pam_krb5-2.6.so.1 minimum_uid=100
 realm=DOMAIN2.COM debug
 other account requiredpam_unix.so.1 debug
 # session
 other session required pam_default.so.1 debug

 The problem I have is that despite setting the realm to DOMAIN2.COM
 the system always tries to connect to kdcs of DOMAIN1.COM never
 DOMAIN2.COM despite getting an unknown user from DOMAIN1 for users of
 DOMAIN2 as it should be. It seems that the kerberos context of the
 first pam_sm_authenticate call is still used for the second despite
 changing the realm.

 Thanks
 Markus

 BTW, is it intentional to use different defines for the below?

 # grep KRB5_GET_INIT *.[ch]
 config.h:/* #undef HAVE_KRB5_GET_INIT_OPT_SET_DEFAULT_FLAGS */
 support.c:#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
 #


 Russ Allbery [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
 I'm pleased to announce release 2.6 of my Kerberos v5 PAM module.
 This is a bug-fix release; the feature improvements that were
 intended to be in this release have been deferred to the next
 release.

 pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or
 Heimdal. It supports ticket refreshing by screen savers,
 configurable authorization handling, authentication of non-local
 accounts for network services, password changing, and password
 expiration, as well as all the standard expected PAM features.  It
 works correctly with OpenSSH, even with
 ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
 supports configuration either by PAM options or in krb5.conf or
 both.

 Changes from previous release:

Don't assume the pointer set by pam_get_user is usable over the
life of the PAM module; instead, save a local copy.

Avoid a use of already freed memory when debugging is enabled.

Use __func__ instead of __FUNCTION__ and provide a fallback for
older versions of gcc and for systems that support neither.
Should fix compilation issues with Sun's C compiler.

On platforms where we know the appropriate compiler flags, try to
build the module so that symbols are resolved within the module in
preference to any externally available symbols.  Also add the
hopefully correct compiler flags for Sun's C compiler.

 You can download it from:

http://www.eyrie.org/~eagle/software/pam-krb5/

 Debian packages will be uploaded to Debian unstable once I have
 approval from the release managers.

 Please let me know of any problems or feature requests not already
 listed in the TODO file. 




Re: root login not possible

2006-11-07 Thread Christopher D. Clausen
On debian you'd want to look in /var/log/auth.log

Can you kinit as root on this system?

Also, try running a debug sshd via:
sshd -ddd -D -p 222
and connect with putty using:
putty -P 222 [EMAIL PROTECTED]

Read through the debug output and see if there is anything useful in 
there.

CDC

Mike Dopheide [EMAIL PROTECTED] wrote:
 Unfortunately, I don't have any Debian systems so I don't know what
 their default configuration looks like.  Take a look in your
 /var/log/messages (or equivalent) and see if PAM is spitting out any
 useful information.  If there are messages, paste them here with your
 PAM config.

 Hello Mike,

 On 10/27/06, Mike Dopheide [EMAIL PROTECTED] wrote:

 What are you using to login?  telnet/rsh/ssh?  My first guess is
 that ssh is configured to disallow root logins on the second system.


 I try to login directly, not over ssh/telnet or something else.

 -Mike

  Hello ml,
 
  i have just installed Kerberos on a Debian (Sarge) System.
 
  I configured pam to allow kerberos login.
 
  Every non-root user can successfully login and get a kerberos
  ticket.
 
  But the root-user cannot login.
 
  When i try to login as root on a client-machine the login works
  (password get verified by the kerberos-server) and i get a
  kerberos ticket. 




Re: Security pointers about Kerberos5 realms open to a WAN

2006-11-01 Thread Christopher D. Clausen
Daniel Kahn Gillmor [EMAIL PROTECTED] wrote:
 I think i understand the basic K5 protocol, but i don't have my head
 wrapped around the different possible attack vectors well enough to
 know if opening up a KDC to the internet is really asking for trouble
 (e.g. how much krb5 traffic needs to be sniffed for an attacker to
 compromise a ticket within the ticket's expiration window?).

 Has anyone on this list run KDCs that are globally accessible?

Yes.  I would imagine that nearly all sites running globally accessible 
OpenAFS cells would need globally accessible Kerberos realms to actually 
allow users to authenticate.

 did you use IP-based blocking on IPs with too many failed
 auth requests?

No.  The KDC just issues tickets.  There is no way to tell if 
authentication was successful or not (unless you enable pre-auth, which 
you probably should.)  And even if pre-auth is turned on, there isn't 
much point in trying to block certain IPs, as you'll probably just end 
up blocking valid users, as you mention below.

 if so, did you experience problems with NAT'ed
 users locking each other out?

I don't know of an easy way to actually lock out users with standard MIT 
Kerberos.  As mentioned, there is no way to tell if authentication was 
successful or not.  I suppose you could read through the KDC logs and 
disable IPs where preauthentication has failed.  But as you mention, 
this will probably just lock out legit users who share the same external 
IPs.

It's more likely that someone is going to attempt attacks against SSH or some 
other service that checks Kerberos on the server-side rather than 
Kerberos directly.  The SSH attack will work against nearly all UNIX 
hosts, and the Kerberos attack would need to be specific as well as 
generate lots and lots of logs on the KDC.

Without pre-auth, one could just request a single ticket for any 
principal and then crack it offline.  (I believe john the ripper has 
Kerberos TGT cracking support now, at least for DES tickets.)

 did you tunnel your krb5 traffic inside some other encrypted layer
 (e.g. ssl or ssh) to avoid sniffing?  Is this even necessary?

This is not necessary.  Kerberos was designed to run on top of an 
untrusted network.  That being said, it certainly wouldn't hurt to have 
the Kerberos traffic additionally encrypted, as offline attacks against 
un-preauthenticated TGTs (or even properly preauthenticated TGTs that 
are sent over the network and passively gathered) are more and more 
feasible.

Kerberos does depend upon properly functioning DNS as well.  It's 
possible that a compromised DNS service could do evil things to your 
Kerberos infrastructure.

 Is there some documentation i've missed?

Yes, it would appear so, as some of these questions are answered in 
various online sources in much more detail.

 Am i crazy for even considering krb5 on a WAN?

No, that is the exact situation that Kerberos was designed for.

-

I'd suggest having a minimum password length of at least 8 and requiring 
at least 2 different character classes in Kerberos passwords.  Using 
longer passwords and more characters classes would of course be better, 
but might annoy some users.  This should make offline cracking harder.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 
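An added example, not from this thread or from MIT Kerberos, of the log review the reply describes: a report-only pass over krb5kdc log lines that tallies pre-authentication failures per source address, and flags addresses that also show successful logins for other principals as shared (NAT) rather than as block candidates, which is the lock-out problem the reply warns about. The AS_REQ line layout is an approximation of the MIT krb5kdc.log format, the sample lines are constructed, and the threshold and verdict labels are the example's own.

```python
"""Added example (not from the thread): per-source pre-auth failure report over KDC log lines."""
import re
from collections import Counter, defaultdict

# Captures source IP, result code, client and server principal from an AS_REQ line, e.g.
#   "... AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM
#    for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed"
# ISSUE lines carry "authtime ..., etypes {...}, " before the client, hence the optional prefix.
AS_REQ_LINE = re.compile(
    r"AS_REQ \([^)]*\) (?P<ip>[0-9A-Fa-f.:]+): (?P<result>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+) for (?P<server>[^\s,]+)"
)


def parse_as_req(line):
    """Return the captured fields as a dict, or None for non-AS_REQ lines."""
    m = AS_REQ_LINE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per source IP: failure count, principals that failed, principals that succeeded."""
    failures = Counter()
    failed_by = defaultdict(set)
    ok_by = defaultdict(set)
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        if rec["result"] == "PREAUTH_FAILED":
            failures[rec["ip"]] += 1
            failed_by[rec["ip"]].add(rec["client"])
        elif rec["result"] == "ISSUE":
            ok_by[rec["ip"]].add(rec["client"])
    return failures, failed_by, ok_by


def classify_sources(lines, threshold=5):
    """Map each IP with at least `threshold` failures to a verdict.

    'shared-address': other principals authenticate fine from this IP, so it is
    probably a NAT gateway and blocking it would lock out legitimate users.
    'block-candidate': nothing but failures seen from this IP; worth a closer look.
    """
    failures, failed_by, ok_by = summarize(lines)
    verdicts = {}
    for ip, count in failures.items():
        if count < threshold:
            continue
        others_ok = ok_by[ip] - failed_by[ip]
        verdicts[ip] = "shared-address" if others_ok else "block-candidate"
    return verdicts


# --- constructed sample log (layout approximated; timestamps and pid are placeholders) ---
def _as_req(ip, result, client, prefix="", suffix=""):
    return (f"Feb 14 10:01:02 kdc krb5kdc[1234](info): AS_REQ (4 etypes {{18 17 16 23}}) "
            f"{ip}: {result}: {prefix}{client} for krbtgt/EXAMPLE.COM@EXAMPLE.COM{suffix}")


def _fail(ip, client):
    return _as_req(ip, "PREAUTH_FAILED", client, suffix=", Preauthentication failed")


def _ok(ip, client):
    return _as_req(ip, "ISSUE", client, prefix="authtime 1171447263, etypes {rep=18 tkt=18 ses=18}, ")


SAMPLE_LOG = [
    _as_req("192.0.2.10", "NEEDED_PREAUTH", "alice@EXAMPLE.COM",
            suffix=", Additional pre-authentication required"),
    _ok("192.0.2.10", "alice@EXAMPLE.COM"),
    *[_fail("198.51.100.7", "bob@EXAMPLE.COM") for _ in range(6)],   # one account, repeated failures
    _as_req("198.51.100.7", "CLIENT_NOT_FOUND", "nobody@EXAMPLE.COM",
            suffix=", Client not found in Kerberos database"),
    _fail("203.0.113.5", "carol@EXAMPLE.COM"),   # 203.0.113.5 behaves like a NAT gateway:
    _fail("203.0.113.5", "carol@EXAMPLE.COM"),   # several users, some of whom succeed
    _fail("203.0.113.5", "dave@EXAMPLE.COM"),
    _ok("203.0.113.5", "erin@EXAMPLE.COM"),
    _fail("203.0.113.5", "dave@EXAMPLE.COM"),
    _fail("203.0.113.5", "frank@EXAMPLE.COM"),
    _ok("203.0.113.5", "frank@EXAMPLE.COM"),
    # A TGS_REQ line in the same layout; only AS_REQ lines are examined.
    "Feb 14 10:02:00 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: "
    "ISSUE: authtime 1171447263, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM "
    "for host/srv.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```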




Re: OpenSSH and Kerberos

2006-10-10 Thread Christopher D. Clausen
Ian [EMAIL PROTECTED] wrote:
 Hello,

 I am new to Kerberos. I want to set up passwordless logon from Linux
 workstation clients to a Linux server using SSH via Kerberos. I have
 designated one of the secure Linux workstations as the KDC. Kerberos
 and OpenSSH were installed on all my Linux workstations and the
 server by default.

 Does anyone have step-by-step instructions for setting up the
 configurations for the KDC, SSH server, and SSH clients? Your help is very
 much appreciated.

This is sort of specific to our environment, but:
https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian
might be of use to you for the SSH setup.

The MIT docs on setting up a KDC were easy enough for me to follow 
whenever I've needed to do it.  If you say what Linux distribution you 
are using, someone might be able to help you out with more specific 
info.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 





Re: help with Active Directory Kerberos authentication

2006-10-10 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote:
> Rohit Kumar Mehta [EMAIL PROTECTED] writes:
>> debug1: Miscellaneous failure
>> No principal in keytab matches desired name.
>>
>> My krb5.keytab looks like this:
>> nfsv4etch:~# ktutil
>> ktutil:  rkt /etc/krb5.keytab
>> ktutil:  l
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------
>>    1    4 host/[EMAIL PROTECTED]
>>
>> Does that look like it's generated properly?
>
> I've run into this problem before (not with AD, but with MIT
> Kerberos) and haven't been able to figure out what was causing it.
> My theory was some sort of realm configuration mismatch, but I'm not
> at all sure.

What does hostname (or hostname -f) return on your computer?

And then do an IP lookup on that.  If it resolves to a 127.*.*.* address 
it's not likely to work.

CDC 





Re: help with Active Directory Kerberos authentication

2006-10-06 Thread Christopher D. Clausen
Russ Allbery [EMAIL PROTECTED] wrote:
> Rohit Kumar Mehta [EMAIL PROTECTED] writes:
>
>> Kerberized telnet does not seem to work.
>>
>> nfsv4etch:~# telnet -k AD.ENGR.UCONN.EDU -l rohitm nfsv4etch
>> Trying 127.0.1.1...
>> Connected to nfsv4etch (127.0.1.1).

127.0.1.1 ?  Uhh, that doesn't look right.  Edit the /etc/hosts file on 
the machine you are logging into and put the actual IP address on the 
line with the FQDN of the machine.  You want something like:

[EMAIL PROTECTED]:/]% cat /etc/hosts
127.0.0.1       localhost.localdomain   localhost
128.174.251.7   sleepless.acm.uiuc.edu  sleepless
128.174.251.6   clortho.acm.uiuc.edu    clortho
128.174.251.37  enzo.acm.uiuc.edu       enzo

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 
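Both replies in this thread come down to the same check: what does the host's FQDN resolve to, and is it a loopback address? As an added example (not from either post), here is a shell function that looks the FQDN up in an /etc/hosts-style file and flags the 127.0.1.1 case, together with two constructed sample files: the installer default that bit Rohit (the FQDN nfsv4etch.example.org is an assumed placeholder) and the corrected layout from the reply above.

```shell
# Added example, not part of either post: find what an /etc/hosts-style file
# maps a host's FQDN to, and flag the loopback case that made telnet connect
# to 127.0.1.1 and left the keytab lookup asking for the wrong host name.
# Usage: check_hosts_fqdn FQDN [HOSTS_FILE]   (HOSTS_FILE defaults to /etc/hosts)
# Exit status: 0 OK, 1 loopback address, 2 FQDN not listed.
check_hosts_fqdn() {
    fqdn=$1
    hosts=${2:-/etc/hosts}
    # address column of the first uncommented line that lists FQDN as a name
    addr=$(awk -v h="$fqdn" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$hosts")
    if [ -z "$addr" ]; then
        echo "MISSING: $fqdn is not listed in $hosts"
        return 2
    fi
    case $addr in
        127.*|::1)
            echo "LOOPBACK: $fqdn -> $addr (fix the line to carry the real address)"
            return 1 ;;
        *)
            echo "OK: $fqdn -> $addr"
            return 0 ;;
    esac
}

# Constructed sample files (the FQDN nfsv4etch.example.org is a placeholder):
# the Debian/Ubuntu installer default that puts the host name on 127.0.1.1...
sample_hosts_bad() {
    cat <<'EOF'
127.0.0.1   localhost.localdomain   localhost
127.0.1.1   nfsv4etch.example.org   nfsv4etch
EOF
}
# ...and the corrected layout from the reply, with the real address on the FQDN line.
sample_hosts_good() {
    cat <<'EOF'
# comment lines and blank lines are ignored
127.0.0.1   localhost.localdomain   localhost

128.174.251.7   sleepless.acm.uiuc.edu  sleepless
EOF
}

# Run this on the host that holds the keytab, e.g.:
#   check_hosts_fqdn "$(hostname -f)"
```

Note that this only inspects the hosts file; if nsswitch consults DNS first, compare the result with what DNS returns for the same name, since the service principal the client asks for is built from whichever answer the resolver gives.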





Re: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3

2006-09-18 Thread Christopher D. Clausen
[EMAIL PROTECTED] wrote:
> Anyone had any success compiling KRB5 1.5.1 on AIX 5.2 or 5.3 ?  I am
> experiencing the same errors as a previous poster; but have not seen
> any solutions.  Configure is successful with the following flags:
>
> export CC=cc
> export CFLAGS='-D_LARGE_FILES -DLANL -DLANL_ICN'; export CFLAGS
> ./configure --prefix=/usr/local/kerberos --enable-dns-for-realm
> --with-tcl=/usr/local --with-vague-errors
>
> Same config I use to compile 1.4.4 successfully with the LANL patches
> provided by Milton Turley.
>
> After running make, I get the following errors:
>
> making all in util...
> making all in util/support...
> cc   -I../../include -I./../../include -I. -I.
> -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1   -D_LARGE_FILES -DLANL
> -DLANL_ICN -qhalt=e -O -D_THREAD_SAFE   -c fake-addrinfo.c
> fake-addrinfo.c, line 1212.9: 1506-045 (S) Undeclared identifier
> my_h_ent.
> make: 1254-004 The error code from the last command is 1.
>
>
> Stop.
> make: 1254-004 The error code from the last command is 1.
>
>
> Stop.
> make: 1254-004 The error code from the last command is 1.
>
> Stop.
>
> Same errors on AIX 5.2 as well as AIX 5.3.  Also, same errors with CC
> or GCC 4.
>
> Any help is appreciated and I can beta test any patches.

I can tell you that I had similar problems and simply reverted to 1.4.4 
instead of trying to fight 1.5.1.  I was using IBM's Visual Age 
compiler.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 





Re: Starting kpropd as a service in Solaris 10

2006-09-14 Thread Christopher D. Clausen
Mike Friedman [EMAIL PROTECTED] wrote:
> I'm putting up a KDC (krb5-1.4.2) on a Solaris 10 system, an OS that's
> new to me (I've installed MIT K5 on Solaris 8 and 9 and other
> systems).
> It seems that kpropd won't start correctly from inetd.conf, though if
> I run it standalone (-S option) it works fine.
>
> I know that Solaris 10 introduces the 'smf' facility for managing
> services, so I figure this has something to do with the problem. But
> so far our sysadmin, and our Sun contact apparently, has nothing further
> to suggest.
>
> The sysadmin has tried several times to 'refresh' inetd via smf
> commands, to no avail.

Did you read the lines at the top of the inetd.conf file?

Specifically the:
# Any records remaining in this file after installation or upgrade,
# or later created by installing additional software, must be converted
# to smf(5) services and imported into the smf repository using
# inetconv(1M), otherwise the service will not be available.  Once
# a service has been converted using inetconv, further changes made to
# its entry here are not reflected in the service.

Also, having run KDCs on Solaris 10, I highly recommend that you do not 
install Sun's packages if you are using MIT.  It gets very confusing.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 





.k5login and krb5.conf syntax errors

2006-09-06 Thread Christopher D. Clausen
Last night I found out the hard way that if a user creates a .k5login 
file that isn't correct, (has Windows linebreaks or has multiple 
principal names on the same line) that they cannot login at all to 
systems using pam-krb5 for authentication.  (This is on Ubuntu 6.06 on 
x86.)  Further, no error is listed in the auth.log at all.

Similarly, I've been completely locked out of systems if there are 
syntax errors in the krb5.conf file and I've seen Windows BSOD if the 
system krb5.ini isn't correct.  Is there no way to have a fail-safe 
method of operation?

Is this an issue with pam-krb5 (I believe that the Debian pam-krb5 is in 
use on Ubuntu) or with the MIT Kerberos libraries themselves?  Is this 
expected behavior?  Or is there a way to be warned about such syntax 
errors instead of having authentication fail silently?

Versions of various things are:
[EMAIL PROTECTED]:/]% COLUMNS=120 dpkg -l *krb5* | cut -c0-54
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-co
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (S
||/ Name Version
+++---
ii  krb5-clients 1.4.3-5ubuntu0.1
ii  krb5-config  1.7
ii  krb5-user1.4.3-5ubuntu0.1
ii  libkrb5-dev  1.4.3-5ubuntu0.1
ii  libkrb53 1.4.3-5ubuntu0.1
ii  libpam-krb5  1.2.0-3
ii  openafs-krb5 1.4.1-2

Any pointers / info would be appreciated.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 
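Since nothing in the library warns about these mistakes, the practical answer is to lint the file before relying on it. As an added example (not from Clausen's post), here is a shell function that catches the two problems he describes, Windows CR LF line endings and several principals on one line, and additionally a principal written without its @REALM; a line with any of these simply never matches the authenticating principal, which is why the user ends up locked out with nothing logged. The EXAMPLE.ORG principals in the sample files are constructed placeholders.

```shell
# Added example, not part of the original post: lint a .k5login file for the
# two mistakes the post describes (Windows CR LF line endings, more than one
# principal on a line) plus a principal written without its @REALM. None of
# these makes the file unreadable; such a line simply never matches the
# authenticating principal, so the user is locked out with nothing logged.
# Usage: lint_k5login FILE   -> prints one line per problem, exit 1 if any found.
lint_k5login() {
    file=$1
    cr=$(printf '\r')
    status=0
    lineno=0
    # read -r keeps backslashes and the stray CR; the || handles a missing final newline
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            *"$cr"*)
                echo "$file:$lineno: CR LF line ending (Windows line break)"
                status=1
                continue ;;
        esac
        # blank lines never match anything and are harmless
        [ -n "$line" ] || continue
        set -f                 # no globbing while splitting the line into words
        set -- $line
        set +f
        if [ $# -gt 1 ]; then
            echo "$file:$lineno: $# principals on one line (one per line expected)"
            status=1
            continue
        fi
        case $1 in
            *@*) ;;
            *)
                echo "$file:$lineno: '$1' has no @REALM"
                status=1 ;;
        esac
    done < "$file"
    return $status
}

# Constructed sample files (EXAMPLE.ORG principals are placeholders).
sample_k5login_bad() {
    printf 'alice@EXAMPLE.ORG\r\nbob@EXAMPLE.ORG carol@EXAMPLE.ORG\ndave\n'
}
sample_k5login_good() {
    printf 'alice@EXAMPLE.ORG\nbob@EXAMPLE.ORG\n'
}

# Typical use, before handing the file to pam-krb5:
#   lint_k5login ~/.k5login
```

The same idea applies to the krb5.conf lockout in the post: run a syntax check (for example a `kinit` or `klist` against the new file pointed to by KRB5_CONFIG) on a copy before installing it, so a typo is caught while you still have a working login.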





Re: question about a kerberos play

2006-07-31 Thread Christopher D. Clausen
Luke Davis [EMAIL PROTECTED] wrote:
> I just took an MCSE course and the instructor mentioned that there was
> some type of 3 act play about kerberos, and that sounds like an
> interesting read.   Do you know where I can find it?

http://web.mit.edu/Kerberos/dialogue.html

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 





KfW 3.1 beta1 MSI installer?

2006-07-29 Thread Christopher D. Clausen
Is there an MSI for KfW 3.1 beta1?

http://web.mit.edu/kerberos/dist/testing.html#kfw-3.1
doesn't seem to have a MSI listed.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 





Re: Questions on Kerberos

2006-07-06 Thread Christopher D. Clausen
Joseph Kuan [EMAIL PROTECTED] wrote:
> 1. I notice that some of the kerberos (windows authentication) packets
> have principal with dollar sign character at the end. Also the
> principal is not the user name, it is actually the hostname. What does
> it mean?

Those are the principals for machine or computer accounts.

> 2. I am trying to measure the response time of windows login. For a
> windows login, can I assume the time taken from AS-REQ/REP to the
> first TGS-REQ/REP ?

Seems reasonable to me.

CDC
-- 
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin 




