Ethereal (http://www.ethereal.com/).
-- Luke
>From: [EMAIL PROTECTED] (Tony Cowan)
>Subject: Re: Architectural Question ...
>To: [EMAIL PROTECTED]
>Date: 6 Feb 2003 16:02:08 -0800
>Organization: http://groups.google.com/
>
>All good suggestions.
>Apparently the packets were going back to the KD
All good suggestions.
Apparently the packets were going back to the KDC (I assume AS) not
some other registry or service, so I'm thinking maybe it wasn't
another service. I'm leaning towards a broken implementation as the
explanation.
I'll try to have a look at the sniffed packets to see what it's
Thanks for your help Luke.
Cheers,
Tc.
Tony Cowan - IBM SWG Services. ([EMAIL PROTECTED])
Phone: (206) 675 0095 Cell: (206) 280 6942
There is no tomorrow. Only a succession of todays. Don't wait too long to
figure that out.
>So you're suggesting that the common practice is to have a single principal
>for the box that identifies all services rather than separate principals
>for each service.
Under Windows 2000, which supports name canonicalisation, yes (the host
principal can be advertised as multiple service princip
Steve Langasek wrote:
>
> On Thu, Feb 06, 2003 at 11:36:36AM -0800, John Rudd wrote:
> > (before you ask "why the heck would you want to do THAT?" ... our pop
> > server uses PAM for authenticating non-kpop users against their kerberos
> > password, and in doing so it leaves behind a TON of key ca
Ken Hornstein wrote:
>
> You don't need to put it in the krb5.conf; just make sure it's in the
> POP server's environment.
Heh. I should have thought of that.
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listi
On Thu, Feb 06, 2003 at 11:36:36AM -0800, John Rudd wrote:
> > Donn Cave wrote:
> > > Yes! Try this:
> > >
> > > $ KRB5CCNAME=MEMORY:0 kinit
> Hm. So, how would I put that into the krb5.conf?
> (before you ask "why the heck would you want to do THAT?" ... our pop
> server uses PAM for auth
>(before you ask "why the heck would you want to do THAT?" ... our pop
>server uses PAM for authenticating non-kpop users against their kerberos
>password, and in doing so it leaves behind a TON of key caches ... I'm
>wondering if this might be one way to get rid of them)
>
>(and, before you sugges
> Donn Cave wrote:
> > Yes! Try this:
> >
> > $ KRB5CCNAME=MEMORY:0 kinit
Hm. So, how would I put that into the krb5.conf?
(before you ask "why the heck would you want to do THAT?" ... our pop
server uses PAM for authenticating non-kpop users against their kerberos
password, and in doing
Test
Clint (JOATMON) Chaplin
Maurice Wilkes recalls in his memoirs, "By June 1949, people had begun to realize that
it was not so easy to get a program right as had at one time appeared. I well remember
when this realization first came on me with full force. The EDSAC was on the top floor
o
Thanks.
Tony Cowan - IBM SWG Services. ([EMAIL PROTECTED])
Phone: (206) 675 0095 Cell: (206) 280 6942
There is no tomorrow. Only a succession of todays. Don't wait too long to
figure that out.
On Thu, Feb 06, 2003 at 08:08:57AM -0800, Tony Cowan wrote:
>
> Hi Jacques,
>
> Thanks for this info.
> I'm not familiar with the releases ... is the Heimdal GSSAPI library
> something from which many others were derived?
No, not really, although it is commonly bundled with BSD systems.
> I'm u
Hi Jacques,
Thanks for this info.
I'm not familiar with the releases ... is the Heimdal GSSAPI library
something from which many others were derived?
I'm using a java JGSS implementation.
Thanks for your time.
Tc.
Tony Cowan - IBM SWG Services. ([EMAIL PROTECTED])
Phone: (206) 675 0095 Cell: (
Thanks again Luke,
So you're suggesting that the common practice is to have a single principal
for the box that identifies all services rather than separate principals
for each service.
That would explain why the lesser privileged service in your example didn't
have its own service key, and also
On Thu, Feb 06, 2003 at 06:03:30AM -0800, Tony Cowan wrote:
> > No, that's the beauty of Kerberos.
>
> Thanks Luke.
> Someone tells me they've been sniffing and found that one particular
> implementation does in fact hit the KDC to validate the ticket.
> I wonder if it's actually hitting the KDC f
On Thu, 2003-02-06 at 10:08, Luke Howard wrote:
> Also, it's possible that a service that does not use the
> authorisation data will use some other out-of-band means
> to determine a principal's authorisation information,
> which could involve accessing a network directory service.
AFS does this,
Also, it's possible that a service that does not use the
authorisation data will use some other out-of-band means
to determine a principal's authorisation information,
which could involve accessing a network directory service.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com
___
[EMAIL PROTECTED] (Tony Cowan) writes:
> Someone tells me they've been sniffing and found that one particular
> implementation does in fact hit the KDC to validate the ticket.
> I wonder if it's actually hitting the KDC for some other purpose.
> Getting further information perhaps .. I guess the "s
Ken,
ok, this makes sense...
Thanks
Klaas
Ken Raeburn wrote:
Klaas Hagemann <[EMAIL PROTECTED]> writes:
Hi,
after doing kinit the kerberos client creates a krb5 ticket cache file
like /tmp/krb5cc_506.
Another user having root privileges on this client can obtain these
ticket cache fil
If a Windows 2000 service is not running as the local system account,
then the Local Security Authority will contact the KDC to validate
the authorisation data in the ticket. This is to prevent a service
running with least privilege from forging a ticket to itself with
more privileged authorisatio
Klaas Hagemann <[EMAIL PROTECTED]> writes:
> Hi,
>
> after doing kinit the kerberos client creates a krb5 ticket cache file
> like /tmp/krb5cc_506.
>
> Another user having root privileges on this client can obtain these
> ticket cache file and have the network wide rights of the owner of
> this ti
[EMAIL PROTECTED] (Rich) writes:
> Hopefully someone on here can help me out, I have recently seen the
> security alert for Kerberos 1.2.4 and below, and I would like to check
> to see what version we have installed at our site. However I cannot
> see how to do this! I have had a look on the FAQ an
> No, that's the beauty of Kerberos.
Thanks Luke.
Someone tells me they've been sniffing and found that one particular
implementation does in fact hit the KDC to validate the ticket.
I wonder if it's actually hitting the KDC for some other purpose.
Getting further information perhaps .. I guess th
>Has there been any progress in this area? I need to get something like a
>w2k BDC working, and I'm trying ldap, kerberos and samba. Unfortunately,
>it seems that samba doesn't play this role yet (not even samba 3, which
>I'm using). I also tried the ldap way, but, as some have already said,
>this
On Fri, Sep 27, 2002 at 09:31:12AM +0300, Christos Ricudis wrote:
> > done that here as well, and it's pretty easy if you use the MIT Kerberos
> > libraries. They will talk to a Windows KDC and retrieve tickets for use with
> > LDAP. Very cool. Check out this link:
> > http://www.microsoft.com/w