Re: Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

2004-04-14 Thread Lara Adianto
Hi Kostas, I haven't found the perfect solution for the problem, but I'll surely post some notes in the mailing list when I find one. > That is: active directory users & computers-> view > -> advanced features, > then right click on a user -> name mappings -> > kerberos names -> add -> > [EMAIL P

Re: Kerberos And Openssh 3.8p1 single sign-on

2004-04-14 Thread Andreas Haupt
Sonny Zambrana wrote: > Hello, [ticket forwarding with openssh and gssapi does not work] > # GSSAPI options > GSSAPIAuthentication yes > GSSAPICleanupCredentials yes I think you missed the option: GSSAPIDelegateCredentials yes > Thank you for taking the time to read through this. Greetings A
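A small check that follows from the exchange above, added here as an example and not code from the thread or from OpenSSH itself: GSSAPIDelegateCredentials is a client-side (ssh_config) option whose default is "no", so a server that has GSSAPIAuthentication and GSSAPICleanupCredentials turned on still gets no forwarded ticket unless the client asks for delegation. The function below reads a client config and reports whether both GSSAPIAuthentication and GSSAPIDelegateCredentials resolve to "yes". It honours OpenSSH's first-value-wins rule and the "keyword=value" spelling, but (an assumption of this example) it ignores Host/Match scoping and simply takes the first occurrence in the file. The config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check an OpenSSH *client* config for GSSAPI ticket forwarding.
# Not from the mailing-list thread or from OpenSSH; file contents are constructed.

# _ssh_opt <file> <keyword-in-lowercase>
# Prints the first value given for <keyword> (lower-cased), mirroring ssh_config's
# "first obtained value wins" rule.  Comment lines and "key=value" are handled;
# Host/Match scoping is deliberately ignored (assumption of this example).
_ssh_opt() {
    awk -v key="$2" '
        {
            sub(/^[ \t]+/, "")
            if ($0 == "" || $0 ~ /^#/) next
            n = split($0, f, "[ \t=]+")
            if (n >= 2 && tolower(f[1]) == key) { print tolower(f[2]); exit }
        }' "$1"
}

# gssapi_delegation_ready <ssh_config-file>
# Returns 0 when the client would both try GSSAPI authentication *and* forward
# (delegate) its TGT to the server; 1 otherwise.  Forwarding needs both.
gssapi_delegation_ready() {
    [ "$(_ssh_opt "$1" gssapiauthentication)" = yes ] &&
    [ "$(_ssh_opt "$1" gssapidelegatecredentials)" = yes ]
}

# report <ssh_config-file>: human-readable verdict plus the command-line
# equivalent, which is the quickest way to confirm a diagnosis without editing
# the config.  On the remote side, "klist" should then show a forwarded TGT.
report() {
    if gssapi_delegation_ready "$1"; then
        echo "$1: GSSAPI auth + delegation enabled; a TGT will be forwarded"
    else
        echo "$1: delegation NOT enabled; try:"
        echo "  ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes host klist"
    fi
}

# Demo on two constructed configs.  Note the security caveat: a forwarded TGT is
# usable by anyone with root on the remote host, so prefer enabling delegation
# under a specific "Host" entry rather than "Host *".
demo_cfg=$(mktemp)
printf '# GSSAPIDelegateCredentials yes   (commented out, so ignored)\nGSSAPIAuthentication yes\n' > "$demo_cfg"
report "$demo_cfg"
printf 'Host trusted.example.com\n  GSSAPIAuthentication yes\n  GSSAPIDelegateCredentials=yes\n' > "$demo_cfg"
report "$demo_cfg"
rm -f "$demo_cfg"
```

Run it as a script to see both verdicts; point gssapi_delegation_ready at ~/.ssh/config or /etc/ssh/ssh_config to check a real client. The host name and file paths in the demo are placeholders.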

Re: MIT Krb5 + SELinux

2004-04-14 Thread Sam Hartman
I cannot think of anything that Kerberos applications need other than network and urandom. The KDC does not need write access to the database, although of course kadmind does. You probably want to make it difficult for either the KDC or the kadmind to execute other programs or switch domains to l

scaling problems

2004-04-14 Thread denis . havlik
Hi, folks I'm trying to figure out how the load balancing with kerberos works, and I simply don't get it. From what I've learned so far, I figure that MIT kerberos is meant to be used as a single server, with one failback slave server that usually doesn't answer any requests. This doesn't make

Re: scaling problems

2004-04-14 Thread Ken Hornstein
>So, logical consequence is that master must answer all TGT requests. There are two things missing here. The user's password is only required for AS requests. You don't need the user's password for TGS requests, which are the vast majority of Kerberos requests. At least one major Kerberos impl

Re: scaling problems

2004-04-14 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Hi, folks > > 2) Users wouldn't be happy if they were unable to login one hour every > time they change password. > > So, logical consequence is that master must answer all TGT requests. > Having a slave around in case master dies is better than nothing, but > slave

Re: scaling problems

2004-04-14 Thread John Hascall
Ken Hornstein <[EMAIL PROTECTED]> writes: > >So, logical consequence is that master must answer all TGT requests. > Two more things: > - An hour is a long time to wait for password updates between KDCs. Mine is > set to 5 minutes. If you are a big site (tens of thousands of principals), t

Re: kerberos programming and ldap

2004-04-14 Thread melissa_benkyo
Hello!!! thanks for all the inputs. :) okay here's the thing. I have the following: iplanet C-sdk SEAM solaris 8 machine active directory ldap server All of them are already built. How do I use the cyrus sasl in this case? Do I need to recompile anything from the above list or just compile sasl a

Re: scaling problems

2004-04-14 Thread Russ Allbery
John Hascall <[EMAIL PROTECTED]> writes: > Ken Hornstein <[EMAIL PROTECTED]> writes: >> - An hour is a long time to wait for password updates between KDCs. Mine is >> set to 5 minutes. > If you are a big site (tens of thousands of principals), > this is probably not an option. Most of us

Re: kerberos programming and ldap

2004-04-14 Thread Russ Allbery
melissa benkyo <[EMAIL PROTECTED]> writes: > Hello!!! thanks for all the inputs. :) okay here's the thing. > I have the following: > iplanet C-sdk > SEAM > solaris 8 machine > active directory ldap server > All of them are already built. How do I use the cyrus sasl in this > case? Do I need to r

Re: kerberos programming and ldap

2004-04-14 Thread Brian Davidson
On Apr 14, 2004, at 3:35 PM, Russ Allbery wrote: melissa benkyo <[EMAIL PROTECTED]> writes: According to: the iPlanet directory server does not support GSSAPI authentication at all. This probably means that their client libraries don't

RE: scaling problems

2004-04-14 Thread Subu Ayyagari
All, Unfortunately SUN SEAM kerberos does *not* seem to do that. Users have to wait up to one hour when the *full* prop occurs. (SUN Support indicated that the krb5 propagation cannot do delta...instead it does a full transfer each time... it is sooo clunky...) -subu email: [EMAIL PROTECTED

Anybody familiar with Java's sun.security.krb5.debug output?

2004-04-14 Thread Sleepy
Hi, I noticed somewhere that you could set the system property sun.security.krb5.debug=true to get additional Kerberos debugging information. Does anyone know of a guide to decipher this information, particularly the output provided by the new 1.5 JDK. Documentation on it seems to be very limite

Kerberos And Openssh 3.8p1 single sign-on

2004-04-14 Thread Sonny Zambrana
Hello, I have been trying to get openssh to work with kerberos using single sign-on (ticket forwarding) and have been unsuccessful at it. I have been able to successfully compile openssh-3.8.1p1 and build it against kerberos libraries. I am able to use a kerberized telnet and ftp daemon and au

Re: Kerberos And Openssh 3.8p1 single sign-on

2004-04-14 Thread Andreas
On Tue, Apr 13, 2004 at 06:46:09PM -0400, Sonny Zambrana wrote: > # GSSAPI options > GSSAPIAuthentication yes Have you enabled this for the client as well? Try: ssh -o gssapiauthentication=yes Kerberos mailing list [EMAIL PROTECTED] htt

Antwort: Re: MIT Krb5 + SELinux [Virus checked]

2004-04-14 Thread denis . havlik
>Note that in general, Kerberos tools and libraries which expect to be able >to access /dev/urandom probably won't just "work differently" without it; >they may refuse to operate at all, generating errors instead. I have reasons to believe that my kerberos server accesses /dev/random, rather

Re: Kerberos And Openssh 3.8p1 single sign-on

2004-04-14 Thread Sonny Zambrana
Yep it takes the option but still doesn't work. Sonny J Zambrana Systems Administrator - University Of Pennsylvania [EMAIL PROTECTED] On Apr 14, 2004, at 5:43 PM, Andreas wrote: On Tue, Apr 13, 2004 at 06:46:09PM -0400, Sonny Zambrana wrote: # GSSAPI options GSSAPIAuthentication yes Have you enabl

Cross-realm issue - what am I missing?

2004-04-14 Thread Inger, Slav (.)
Hi all, I tested cross-realm awhile back and it seemed to work fine, not sure why I'm running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is Active Directory, clients are running Solaris and HP-UX with Kerberos and appropriate patches. I tried going Sun to Sun and

Re: Cross-realm issue - what am I missing?

2004-04-14 Thread Jeffrey Altman
Inger, Slav (.) wrote: > Hi all, > > I tested cross-realm awhile back and it seemed to work fine, not sure why I'm > running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is > Active Directory, clients are running Solaris and HP-UX with Kerberos and > appropriate patc

MIT Kerberos for Windows 2.6.1 is released

2004-04-14 Thread Tom Yu
-----BEGIN PGP SIGNED MESSAGE----- The MIT Kerberos Team announces the availability of MIT Kerberos for Windows 2.6.1. The distribution packages and Release Notes are available from the download link on the MIT Kerberos distribution page, http://web.mit.edu/kerberos/dist/ The main MIT

RE: Cross-realm issue - what am I missing?

2004-04-14 Thread Inger, Slav (.)
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeffrey Altman Sent: Wednesday, April 14, 2004 7:00 PM To: [EMAIL PROTECTED] Subject: Re: Cross-realm issue - what am I missing? > > Cross-realm implies two different KDCs one for each realm which > are configu

Re: kerberos programming and ldap

2004-04-14 Thread Luke Howard
>the iPlanet directory server does not support GSSAPI authentication at >all. This probably means that their client libraries don't support it >either. You probably want better client libraries; the OpenLDAP client >libraries are excellent. I could be wrong on this, though. I expect that Sun w

.k5users and app's other than ksu

2004-04-14 Thread Tillman Hodgson
Howdy folks, I've run across a situation where a nice solution would involve using ~/.k5users rather than .k5login to limit remote rsh abilities. ~/.k5users is a tool that I've read about but never used before. It's always struck me as odd that .k5login has its own man page while .k5users is cov

Re: MIT Krb5 + SELinux

2004-04-14 Thread Jerome Walter
On Wed, Apr 14, 2004 at 12:02:46PM -0400, Sam Hartman wrote: > I cannot think of anything that Kerberos applications need other than > network and urandom. That's perfect. > You probably want to make it difficult for either the KDC or the > kadmind to execute other programs or switch domains to l

Re: Cross-realm issue - what am I missing?

2004-04-14 Thread Douglas E. Engert
"Inger, Slav (.)" wrote: > > Hi all, > > I tested cross-realm awhile back and it seemed to work fine, not sure why I'm > running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is > Active Directory, clients are running Solaris and HP-UX with Kerberos and > appropria