RE: replicating windows 2000 principals

2002-09-26 Thread Christos Ricudis
On Thu, 2002-09-26 at 16:43, Eric Lee Steadle wrote: > You are correct, Microsoft does not implement the Kerberos Admin portion of > the Kerberos spec. But I don't think you are totally out of luck. > > As far as replication goes, yes, Microsoft uses a proprietary mechanism > (Active Directory Mu

Re: Kerberos for Macintosh 4.0.3 released

2002-09-26 Thread Rodney McDuff
Hi Marshall Are we ever going to see this on the Cryptography Publishing Project site for us foreign devils? Marshall Vale wrote: > The MIT MacDev team is pleased to announce the availability of Kerberos > for Macintosh 4.0.3. This release is available from the MIT Kerberos site: > >

Re: replicating windows 2000 principals

2002-09-26 Thread Clint Chaplin
Um, in the user account in AD, you can set an option to not require pre-auth. I would recommend that you do so. If you do not, then the AS_REP will be so big that the Microsoft KDC will send it using TCP/IP instead of UDP/IP. Most clients will not expect this. There is an option you can se

Permission denied in replay cache code

2002-09-26 Thread Rick
I'm using the GSS-API in an application server I wrote and periodically get the message "Permission denied in replay cache code". It appears to be the result of a failed call to gss_acquire_cred(). I can't find any information on what the replay cache is, how it works. Does anyone have any idea

Re: password dictionary ignored

2002-09-26 Thread Jason
[EMAIL PROTECTED] (Jason) wrote in message news:<[EMAIL PROTECTED]>... > Well I have set up a krb5.dict file with one three lines in it as > follows: > === > test > testme > testmeyes > === > when I use kpasswd or kadmin with cpw and try a password of test for > my test user, it a

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Douglas E. Engert
Turbo Fredriksson wrote: > > > "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes: > > Douglas> Check that under the System Properties->Network > Douglas> Identification->Properties->More the "Change primary DNS > Douglas> suffix when domain membership changes" is not ch

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes: Douglas> Check that under the System Properties->Network Douglas> Identification->Properties->More the "Change primary DNS Douglas> suffix when domain membership changes" is not checked. 'NOT checked'!? I thought it sai

Kerberos for Macintosh 4.0.3 released

2002-09-26 Thread Marshall Vale
The MIT MacDev team is pleased to announce the availability of Kerberos for Macintosh 4.0.3. This release is available from the MIT Kerberos site: Follow the "Getting Kerberos Sources and Binaries from MIT" link. All feedback and bug reports for Kerberos for Ma

Re: password dictionary ignored

2002-09-26 Thread Sam Hartman
Make sure all the principals you want checked against the dictionary have some password policy assigned. Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Douglas E. Engert
Turbo Fredriksson wrote: > > > "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: > > > "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: > Eric> Tell us more about your Windows client. Version, Service > Eric> Pack, etc. Does it participate in a domain? Have any >

RE: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Eric Lee Steadle
How about the encryption types? Windows only supports 2 types of encryption. I didn't mention it before because I think one of them is the default for MIT Kerberos. Let's see... DES-CBC-CRC and DES-CBC-MD5 according to the "step by step" guide. Can you try removing all other encryption types from

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Steve" == Steve Harper <[EMAIL PROTECTED]> writes: Steve> Definitely remove the "REQUIRES_PRE_AUTH" flag from the Steve> principal for majorskan (which is your windows 2000 Steve> machine, if I'm not mistaken). Steve> kadmin: modify_principal -requires_preauth Steve> h

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Steve Harper
Definitely remove the "REQUIRES_PRE_AUTH" flag from the principal for majorskan (which is your windows 2000 machine, if I'm not mistaken). When the KDC is forcing the WIN2K client to generate PRE_AUTH data the client includes additional information (I think it's SID) in the Authorization_Data fie

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "John" == John Green <[EMAIL PROTECTED]> writes: John> I don't know if you're aware of this utility, and forgive me John> if I'm speaking the obvious, but this is on the Win2K cd-rom John> (extract /support/tools/support.cab) . It's called ksetup. John> It will have the mac

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: >> 'a local or AD account'. I don't have AD, but I _DO_ have a >> local account. Luke> So, according to Microsoft's documentation, it should "just Luke> work". Exactly. Dang, I hate when it (software) does this! :) >>

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: > "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: Eric> Tell us more about your Windows client. Version, Service Eric> Pack, etc. Does it participate in a domain? Have any Eric> registry settings been adjusted?

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Luke Howard
>'a local or AD account'. I don't have AD, but I _DO_ have a local >account. So, according to Microsoft's documentation, it should "just work". >- s n i p - >Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 >-135}) >(88): UNKNOWN_SERVER: authtime 10330

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: Luke> The Windows "solution" is, as previously mentioned, to have Luke> a local or Active Directory account for the user. That's Luke> where the authorization information comes from (in an AD Luke> domain it is included in th

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: Eric> Tell us more about your Windows client. Version, Service Eric> Pack, etc. Does it participate in a domain? Have any Eric> registry settings been adjusted? etc. Windows 2000 5.00.2195, Service Pack 3. >> Sep 26 15

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Luke Howard
>Just thinking that it might be a little like NSS/PAM. In Linux >I need Lib{PAM,NSS}-LDAP for uid/gid number mapping etc (authorization) >and LibPAM-Krb5 for password (authentication)... The Windows "solution" is, as previously mentioned, to have a local or Active Directory account for the user.

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: >> But as the KDC logs show, it seems like the login was >> successful. Do I have to have something more (Samba comes to >> mind)? Luke> SAMBA does not support the additional RPCs necessary for Luke> native Windows 2000

password dictionary ignored

2002-09-26 Thread Jason
Well I have set up a krb5.dict file with one three lines in it as follows: === test testme testmeyes === when I use kpasswd or kadmin with cpw and try a password of test for my test user, it allows the password change with no complaints!?! To check if it was loading the file I ren

RE: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Eric Lee Steadle
>- s n i p - >rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0 >Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 >-133 -128 3 1 24 -135}) (88): >NEEDED_PREAUTH: turbo@ for >krbtgt/@, Additional pre-authentication required Well, my interpretation of this is that the Win

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Luke Howard
>But as the KDC logs show, it seems like the login was successful. Do I have >to >have something more (Samba comes to mind)? SAMBA does not support the additional RPCs necessary for native Windows 2000 domain logon, so no, this won't help. Did you map your account to a local account with ksetup

Re: replicating windows 2000 principals

2002-09-26 Thread Luke Howard
>I am trying to replicate the kerberos database from a Windows 2000 AD >server to a UNIX krb5 KDC. Problem is that, although Microsoft mentions >kprop in its Kerberos 5 interoperability document, this service is >nowhere to be found in Windows 2000. > >Some documents in MSDN report that "windows

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
[let's keep this on the list] Quoting "Eric Lee Steadle" <[EMAIL PROTECTED]>: > Did you read this MS document? > [...] > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp Yes, I found that eventually. > I've followed the steps and it definitely works. It only half

replicating windows 2000 principals

2002-09-26 Thread Christos Ricudis
Dear kerberos users. I am trying to replicate the kerberos database from a Windows 2000 AD server to a UNIX krb5 KDC. Problem is that, although Microsoft mentions kprop in its Kerberos 5 interoperability document, this service is nowhere to be found in Windows 2000. Some documents in MSDN rep
