Re: Hi All,

[Ming Zhi]

Thanks for your great suggestion, it solves my problem!

On Wed, May 27, 2020 at 6:01 AM Greg Hudson  wrote:

> On 5/26/20 2:54 AM, Ming Zhi wrote:
> > But with GSSAPI, I cannot find an official way to set the hook between
> the
> > `context' creation and the start of kdc traffic, as is done in a single
> > function `gss_init_sec_context'. The worst situation is that I need to
> get
> > hands dirty to change the source code.
>
> Unfortunately I don't think we have a good solution here.  We have a
> "locate" pluggable interface [1] which might work (basically, have it
> always return a local service, which then parses out the realm name from
> the request).
>
> I am personally fond of the idea of having a krb5 interface to control
> the per-thread krb5_context object used by the GSS mech, for situations
> like these.  But other people have disliked the idea, so I haven't
> implemented it.
>
> [1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html
>

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi All,

[Greg Hudson]

On 5/26/20 2:54 AM, Ming Zhi wrote:
> But with GSSAPI, I cannot find an official way to set the hook between the
> `context' creation and the start of kdc traffic, as is done in a single
> function `gss_init_sec_context'. The worst situation is that I need to get
> hands dirty to change the source code.

Unfortunately I don't think we have a good solution here.  We have a
"locate" pluggable interface [1] which might work (basically, have it
always return a local service, which then parses out the realm name from
the request).

I am personally fond of the idea of having a krb5 interface to control
the per-thread krb5_context object used by the GSS mech, for situations
like these.  But other people have disliked the idea, so I haven't
implemented it.

[1] https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/locate.html

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Hi All,

[Ming Zhi]

I have met a development issue about the kerberos's GSSAPI.
The krb5 library has a `send hook' support as is done in
`krb5_set_kdc_send_hook'. This is very useful for me, in a project where
the network traffic is restricted to a single  TCP connection, which is
shared between different clients by multiplexing. And a dedicated KDC
communication channel is not available. The hook provides a perfect way for
the KDC messages to its destination over the shared tcp connection.

On the other hand, GSSAPI is cool to have a uniformed interface to
different authentication mechanisms as well as the kerberos, and it saves a
lot of effort compared to using the native krb API. And I would like to use
it for the kerberos development.

But with GSSAPI, I cannot find an official way to set the hook between the
`context' creation and the start of kdc traffic, as is done in a single
function `gss_init_sec_context'. The worst situation is that I need to get
hands dirty to change the source code.

Does any of you have some suggestions on this issue ? looking forward to
your comments.

woodhead99

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

hi,how can i add a client to KDS? kadmin: Incorrect password while initializing kadmin interface

[ch huang]

hi,maillist:
   i do the following action but seems not work

# yum install krb5-workstation
copy krb5.conf from KDS host

and here is my krb5.conf content

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 BENCHMARK.COM = {
  kdc = kerberos.benchmark.com:88
  admin_server = kerberos.benchmark.com:749
  default_domain = benchmark.com
 }
[domain_realm]
 .benchmark.com = BENCHMARK.COM
 benchmark.com = BENCHMARK.COM
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
also, client can find KDS

# nslookup 192.168.10.124
Server: 192.168.10.124
Address:192.168.10.124#53
124.10.168.192.in-addr.arpa name = kerberos.benchmark.com.
# ping kerberos.benchmark.com
PING kerberos.benchmark.com (192.168.10.124) 56(84) bytes of data.
64 bytes from CH124 (192.168.10.124): icmp_seq=1 ttl=64 time=0.109 ms
64 bytes from CH124 (192.168.10.124): icmp_seq=2 ttl=64 time=0.166 ms

when i do this from client ,it not work

# kadmin -r BENCHMARK.COM -p host/monitor.benchmark@benchmark.com -w
root -q ktadd  -k /etc/krb5.keytab host/monitor.benchmark@benchmark.com

Authenticating as principal host/monitor.benchmark@benchmark.com with
password.
kadmin: Incorrect password while initializing kadmin interface
but i can do on KDS with same password,i do not know why? anyone can help?

# kadmin -r BENCHMARK.COM
Authenticating as principal root/ad...@benchmark.com with password.
Password for root/ad...@benchmark.com:
kadmin:

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: hi,how can i add a client to KDS? kadmin: Incorrect password while initializing kadmin interface

[ch huang]

and here is log output from KDS

Dec 19 14:49:48 CH124 krb5kdc[16324](info): AS_REQ (12 etypes {18 17 16 23
1 3 2 11 10 15 12 13}) 192.168.10.126: SERVER_NOT_FOUND:
host/monitor.benchmark@benchmark.com for
kadmin/kerberos.benchmark@benchmark.com, Server not found in Kerberos
database
Dec 19 14:49:48 CH124 krb5kdc[16324](info): AS_REQ (12 etypes {18 17 16 23
1 3 2 11 10 15 12 13}) 192.168.10.126: ISSUE: authtime 1387435788, etypes
{rep=18 tkt=18 ses=18}, host/monitor.benchmark@benchmark.com for
kadmin/ad...@benchmark.com

On Thu, Dec 19, 2013 at 2:57 PM, ch huang justlo...@gmail.com wrote:

 hi,maillist:
i do the following action but seems not work

 # yum install krb5-workstation
 copy krb5.conf from KDS host

 and here is my krb5.conf content

 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 [libdefaults]
  default_realm = EXAMPLE.COM http://example.com/
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes
 [realms]
  BENCHMARK.COM http://benchmark.com/ = {
   kdc = kerberos.benchmark.com:88
   admin_server = kerberos.benchmark.com:749
   default_domain = benchmark.com
  }
 [domain_realm]
  .benchmark.com = BENCHMARK.COM http://benchmark.com/
  benchmark.com = BENCHMARK.COM http://benchmark.com/
 [appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }
 also, client can find KDS

 # nslookup 192.168.10.124
 Server: 192.168.10.124
 Address:192.168.10.124#53
 124.10.168.192.in-addr.arpa name = kerberos.benchmark.com.
 # ping kerberos.benchmark.com
 PING kerberos.benchmark.com (192.168.10.124) 56(84) bytes of data.
 64 bytes from CH124 (192.168.10.124): icmp_seq=1 ttl=64 time=0.109 ms
 64 bytes from CH124 (192.168.10.124): icmp_seq=2 ttl=64 time=0.166 ms

 when i do this from client ,it not work

 # kadmin -r BENCHMARK.COM http://benchmark.com/ -p
 host/monitor.benchmark@benchmark.com -w root -q ktadd  -k
 /etc/krb5.keytab host/monitor.benchmark@benchmark.com
 Authenticating as principal host/monitor.benchmark@benchmark.com with
 password.
 kadmin: Incorrect password while initializing kadmin interface
 but i can do on KDS with same password,i do not know why? anyone can help?

 # kadmin -r BENCHMARK.COM http://benchmark.com/
 Authenticating as principal root/ad...@benchmark.com with password.
 Password for root/ad...@benchmark.com:
 kadmin:




Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi

[vlad]

Deepak,

Actually if your sites are for internal users only you might as well just 
protect the entire site with kerberos authentication, using Apache's mod_krb5  

When your entire site is protected you don't need any special login code in 
your application.  Just get the user identity from REMOTE_USER variable.

If you are on IIS,  all you need to do is to click the checkbox that says  
'Enable Integrated Windows Authentication'

If you have a hybrid site that is accessible to both internal and external 
users, you have to go with the Ken's suggestion.

Good thing about having the entire site proctected is that every browser 
request will be protected by unique token.  This way you will get extra 
protection against people who try to steal authenitcation cookies  Don't worry 
about the performance, kerberos authentication is ligthningly fast.   However,  
if your traffic goes outside of your corporate network you have to use 
encrypted channels either through VPN or HTTPS.

  


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi

[Ken Dreyer]

On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia toreachdeep...@gmail.com wrote:
 Hi Ken,

 Thanks for your mail.

 Yes, we are using Apache as the web server.

 Also we are using ldap_bind to authenticate a user from active directory.

 Do you think if we replace ldap_bind by mod_authnz_ldap and then use
 modauthkerb, it will solve our problem ?

 Regards

 Deepak Bhatia


Hi Deepak,

In order to use single-sign-on in a web application like this, you
should extend the web application to have a special HTTP login URL.
For example, let's say that currently your web application has a
username/password web form, and that form posts to something like
auth.php. Your auth.php file gets the username and password from
$_POST, and then submits those via the PHP ldap_bind() function.

To add Kerberos support, you'd want to create a parallel
authentication URL, say, auth-http.php. In terms of a GUI, for
your login form page, you can have users click a link that says sign
in with Kerberos.

You'll use mod_auth_kerb to protect that URL. You don't have to
protect the entire web app, just that single /auth-http.php page. This
will allow you to still support LDAP authentication, or even no
authentication for some parts.

This auth-http.php page should check if the  is set. If it is set,
then you know that Apache successfully authenticated the user, and you
can pass them through to your application, setting the appropriate
session cookies, etc. Depending on your use case, you may want to then
look this user up in LDAP to get more attributes, like a UID, email,
or full name.

If the $_SERVER['REMOTE_USER'] variable is not set, then either the
user did not have proper Kerberos credentials, or the user's browser
is misconfigured. You can even show a custom 401 HTTP error to the
user, indicating that he or she should check their Kerberos ticket and
browser settings.

I'm simplifying a lot, but hopefully you get the idea. It would be a
good idea to look at some existing open source web applications that
already implement this in order to understand it. Fedora's Koji
(Python) and Gitorious (Ruby) are the web apps I know that do this
already. I think Cacti has support for general HTTP authentication
as well, but I'm pretty sure that they assume you'll restrict the
entire web app (/cacti/) with Apache. When you restrict only a
sub-URL (such as /auth-http.php), then you have the ability to
support Kerberos without making it a requirement to use your web app
at all.

- Ken

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi

[Deepak Bhatia]

Thanks a lot Ken, I will get back to you soon after analyzing your detailed
mail below.

On Mon, Jan 28, 2013 at 10:02 PM, Ken Dreyer ktdre...@ktdreyer.com wrote:

 On Wed, Jan 16, 2013 at 6:05 AM, Deepak Bhatia toreachdeep...@gmail.com
 wrote:
  Hi Ken,
 
  Thanks for your mail.
 
  Yes, we are using Apache as the web server.
 
  Also we are using ldap_bind to authenticate a user from active directory.
 
  Do you think if we replace ldap_bind by mod_authnz_ldap and then use
  modauthkerb, it will solve our problem ?
 
  Regards
 
  Deepak Bhatia


 Hi Deepak,

 In order to use single-sign-on in a web application like this, you
 should extend the web application to have a special HTTP login URL.
 For example, let's say that currently your web application has a
 username/password web form, and that form posts to something like
 auth.php. Your auth.php file gets the username and password from
 $_POST, and then submits those via the PHP ldap_bind() function.

 To add Kerberos support, you'd want to create a parallel
 authentication URL, say, auth-http.php. In terms of a GUI, for
 your login form page, you can have users click a link that says sign
 in with Kerberos.

 You'll use mod_auth_kerb to protect that URL. You don't have to
 protect the entire web app, just that single /auth-http.php page. This
 will allow you to still support LDAP authentication, or even no
 authentication for some parts.

 This auth-http.php page should check if the  is set. If it is set,
 then you know that Apache successfully authenticated the user, and you
 can pass them through to your application, setting the appropriate
 session cookies, etc. Depending on your use case, you may want to then
 look this user up in LDAP to get more attributes, like a UID, email,
 or full name.

 If the $_SERVER['REMOTE_USER'] variable is not set, then either the
 user did not have proper Kerberos credentials, or the user's browser
 is misconfigured. You can even show a custom 401 HTTP error to the
 user, indicating that he or she should check their Kerberos ticket and
 browser settings.

 I'm simplifying a lot, but hopefully you get the idea. It would be a
 good idea to look at some existing open source web applications that
 already implement this in order to understand it. Fedora's Koji
 (Python) and Gitorious (Ruby) are the web apps I know that do this
 already. I think Cacti has support for general HTTP authentication
 as well, but I'm pretty sure that they assume you'll restrict the
 entire web app (/cacti/) with Apache. When you restrict only a
 sub-URL (such as /auth-http.php), then you have the ability to
 support Kerberos without making it a requirement to use your web app
 at all.

 - Ken


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi

[toreachdeepak1]

Hi,

Can you please help in setting up the kerberos ? Actually we already have a 
active directory and kerberos setup in our organization ? Only thing we need to 
do is to kerberize the Web Server. 

We have lot of internal web sites on a web server in which users authenticate 
against active directory and log into the web site. But they have to do it for 
every web site they access in our company.

The websites are PHP Sites.

Thanks

Deepak

On Friday, May 25, 2012 12:08:57 AM UTC+5:30, Neelam Shah wrote:
 Hi,
 
 
 
 I have implemented Kerberos authentication in my organization. I have
 
 implemented it in around 15 servers..
 
 
 
 Its working fine for almost 4 months..but recently I am facing some
 
 issues and need your help..
 
 
 
 1st issue -
 
 
 
 When I type
 
 
 
 okinit command, I am getting OSD error..


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi

[Ken Dreyer]

On Tue, Jan 8, 2013 at 3:02 AM,  toreachdeep...@gmail.com wrote:
 Hi,

 Can you please help in setting up the kerberos ? Actually we already
 have a active directory and kerberos setup in our organization ? Only
 thing we need to do is to kerberize the Web Server.

What software does your web server run? Apache, or IIS?

If it's Apache, you should look into
http://modauthkerb.sourceforge.net/ . I recommend getting Basic auth
working first, then moving on and setting up Negotiate auth.

 We have lot of internal web sites on a web server in which users
 authenticate against active directory and log into the web site. But
 they have to do it for every web site they access in our company.

What specific software does this AD authentication? Is it Apache's
mod_authnz_ldap, or is it in PHP code?

If it's Apache's mod_authnz_ldap, it will probably be easier to drop
in mod_auth_kerb as an authentication replacement. If it's PHP code
that uses ldap_bind(), it will probably be trickier to implement
single sign-on.

- Ken

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Hi

[Neelam Shah]

Hi,

I have implemented Kerberos authentication in my organization. I have
implemented it in around 15 servers..

Its working fine for almost 4 months..but recently I am facing some
issues and need your help..

1st issue -

When I type

okinit command, I am getting OSD error..

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

HI

[steve zhang]

HI all



Nice to meet you here. I have a question.

Below is it.

 

[EMAIL PROTECTED] sbin]# krlogin 172.26.26.77 -k EXAMPLE.COM -l stevezhang

error getting credentials: Server not found in Kerberos database

Trying krb4 rlogin...

krb_sendauth failed: You have no tickets cached

[EMAIL PROTECTED] sbin]#

 

If you know about how to resolve it as to login by using krlogin with
Kerberos ,please  let me  know.

Thks.

 

Best regards

Steve zhang


Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

hi

[ahmed F]

hi is kerberos uesd for LAN , how instulation for windows xp ?

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

hi

[ahmed F]

i need requires authorization for kerberos name and password
for ues leash kerberos for windows

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

hi

[Kiran Chandra]

Hi,
I am facing an issue with Kerberos authentication using Java GSS API.
Following is the scenario. I have a web application running on a solaris
box. The KDC is running on a Win2K server which is also a domain controller.
Whenever a user logs into the domain and tries to access teh web app running
on the solaris box, he should be authenticated using Kerberos. To make this
happen an account is created for the Unix Server(HTTP service) on the KDC.
The account was tested from UNIX using kinit and it works fine.
To do the Kerberos authentication, the Kerberos token is requested from IE.
This was achieved by making the Webapplication running on Solaris set a
WWW-Authenticate header in the response and the status code as 401. On
receiving this, the client (IE) contacts the KDC and fetches the Kerberos
service ticket for the server. IE sends the Kerberos Token wrapped as a
SPNEGO token and send back this data in the Authorization header.
I am using a C library to parse out the Kerberos token and validate it. The
token I receive passes through the validation successfully. This was
verified by accessing the webapp without logging into domain, during which
the parsing and validation failed.
Now I have a valid Kerberos token which contains the client authentication
infomation. From the server application I am verifying the authenticity of
client using JAVA GSS API. I am logging into the KDC using the account
created for the server and create a GSSContext (part of GSS API spec) . The
next step to do is to pass in the Kerberos token to the acceptSecContext
method of GSSCotext. This method will check the client info and returns a
token back. The returned token will contain information whether the client
was authenticated correctly, or the server requires more information (for
further exchanges between client and server) or whether the client
authentication faled etc.
Now I am facing an issue with the acceptSecurityContext call. When I pass in
the token which was already verified as a valid Kerberos 5 token, I am
getting error.
Following is the error.
GSSException: Defective token detected (Mechanism level: AP_REQ token id
does not match!)
at
sun.security.jgss.krb5.InitSecContextToken.init(InitSecContextToken.java:7
2)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:719)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at com.iormyx.webapp.security.GSSCallImpl.run(GSSCallImpl.java:85)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:320)
at com.iormyx.webapp.security.GSSCallImpl.startServer(GSSCallImpl.java:59)
at
com.iormyx.webapp.security.Authenticate.verifyCredential(Authenticate.java:5
0)
at com.iormyx.webapp.actions.LoginAction.execute(LoginAction.java:67)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProces
sor.java:484)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:237)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh
ain.java:157)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja
va:214)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex
t.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContext
Valve.java:198)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja
va:152)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex
t.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137
)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex
t.java:104)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118
)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex
t.java:102)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java
:109)
at
org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex
t.java:104)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160

Hi,I got an Error 70

[jiangsukid]

Hi,
   I downloaded the kerberos for windows from the url:
http://web.mit.edu/kerberos/www/dist/index.html#KFW2.6.4
.After I installed it , I run the Leash Kerberos ticket manager.
I can get a ticket from my kdc, it has no problem. But when I select the Action menu 
and click the change password button,
and type my new password, It report an error 70. It says that the remote server has 
closed the current connection.
   I am sure my kdc doesn't have a problem. Because I can change password, add new 
principals on it. 
   And Actually what I want to do with leash is that I found it has a dll, and the dll 
has a interface to change password remotely. I want to integrate this function to my 
Login program. Because I used JAAS to authenticate user, It only can verfiy user, 
cannot change password or add new user. But the customer wants a GUI for admin 
kerberos principal. So I found leash. 
   I have also searched Error 70 on google, and Found some messages below. But I have 
tried that, It doesn't help.
   Please give me some advices.

Q: Kerberos Error 70 (get_intkt)

A: The system has lost its TEMP variable. Unless instructed otherwise, ticket files 
are created in the TEMP directory. If the temp variable disappears, then Kerberos 4 
has no idea what to do and it quits with the Kerberos error 70.

Solution:
Edit autoexec.bat (in Windows 3.1 or 95) or the environment pane in the System control 
of NT to SET TEMP=C:\TEMP or the equivalent.
Then restart the system.


===

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Hi,I got an Error 70

[Jeffrey Altman]

Error 70 is a Kerberos 4 error.
Does your KDC not support Kerberos 5?

You should not be receiving any Kerberos IV error messages for
change password unless your KDC does not speak Kerberos 5; or
you have deleted the krb5_32.dll file

Jeffrey Altman


jiangsukid wrote:

 Hi,
I downloaded the kerberos for windows from the url:
 http://web.mit.edu/kerberos/www/dist/index.html#KFW2.6.4
 ..After I installed it , I run the Leash Kerberos ticket manager.
 I can get a ticket from my kdc, it has no problem. But when I select the Action 
 menu and click the change password button,
 and type my new password, It report an error 70. It says that the remote server has 
 closed the current connection.
I am sure my kdc doesn't have a problem. Because I can change password, add new 
 principals on it. 
And Actually what I want to do with leash is that I found it has a dll, and the 
 dll has a interface to change password remotely. I want to integrate this function 
 to my Login program. Because I used JAAS to authenticate user, It only can verfiy 
 user, cannot change password or add new user. But the customer wants a GUI for admin 
 kerberos principal. So I found leash. 
I have also searched Error 70 on google, and Found some messages below. But I 
 have tried that, It doesn't help.
Please give me some advices.
 
 Q: Kerberos Error 70 (get_intkt)
 
 A: The system has lost its TEMP variable. Unless instructed otherwise, ticket files 
 are created in the TEMP directory. If the temp variable disappears, then Kerberos 4 
 has no idea what to do and it quits with the Kerberos error 70.
 
 Solution:
 Edit autoexec.bat (in Windows 3.1 or 95) or the environment pane in the System 
 control of NT to SET TEMP=C:\TEMP or the equivalent.
 Then restart the system.
 
 
 ===
 
 Kerberos mailing list   [EMAIL PROTECTED]
 https://mailman.mit.edu/mailman/listinfo/kerberos
 

-- 
-
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: hi

[bwayne . smith3]

hey its me again.. did you see this site?

Every day thousands of Americans are saving money, don't be one of the few who miss 
out!

I personally couldnt have got out of the mess I was in without this site

http://btrack.iwon.com/r.pl?redir=http://[EMAIL 
PROTECTED]/viewso65/index.asp?RefID=198478

Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Hi there

¿Â¶óÀÎ »ó´ãÀÌ µé¾î¿Ô½À´Ï´Ù.
 ([EMAIL PROTECTED]) on Thursday, January 17, 2002 at 12:45:58
---

message:   Hello, Sir.  We have got something that will interest you.  Three great 
books to help you master and WIN in the game of love. The information offerred at our 
website will help you pick up the hottest woman, and educate you to exactly what their 
deepest needs arebrbr a href=http://www.joinfreee.com;Pornstar's Guide to All 
Natural Penis Enlargement/a-brThe best online guide to a bigger cock, 
naturally!brbr a href=http://www.joinfreee.com;How to Pickup Woman 
2000/a-brThe ultimate guide to survival in the deadly world of modern 
datingbrbr a href=http://www.joinfreee.com;How to give your Woman a Screaming 
Orgasm/a-brShe will be forever grateful, and your sex life will be 
awesome.brbrClick below or on any of the other links to enterbr a 
href=http://www.joinfreee.com;http://www.joinfreee.combrbr/aNote: For mature 
viewers only (18 ).  You will get full access to all three online books instantly for 
a whole year after you joi!
n.br

---