Hello,
I have the following configuration:
I have two realms, A.ABC.COM and B.ABC.COM and one openldap dit
(dc=abc,dc=com).
I have the master openldap server in location A with the following entry in
A.ABC.COM realm database: ldap/[EMAIL PROTECTED] and the respective
keytab on the master lda
On Jun 6, 2005, at 06:42, Manel Euro wrote:
My company has the following situation:
We have one large DNS domain sgi.nl and we are planning on creating
three realms:
SGI.NL
A.SGI.NL
B.SGI.NL
When configuraing my kerberos clientes there is a [domains_realm] tab
where should put my domains t
All,
I completely agree that we are merely using kerberos for a database
lookup, but at this point, there is no real way to authenticate to
kerberos for wireless networks. We will continue to look for a way to
forward the kerberos tickets to the clients, but at this point, we're
pretty excited abo
On Sat, 4 Jun 2005, Buck Huppmann wrote:
> anybody know if somebody's working on the issue of how to refresh cred-
> entials forwarded/delegated to a an SSH session?
I occasionally start thinking about it, but I haven't yet got as far as
writing any code. There's a lot of dependencies here, and
I really think that working on this axis [IAKERB/Wireless Auth.]
should be amongst the milestones of kerberos wg.
Work area for energetic contributors, yes. Milestones of the group,
no. IMO, of course.
Kerberos mailing list Kerberos
On Jun 6, 2005, at 10:36, Manel Euro wrote:
Is krb5-1.4.1 thread safe?
It should be, if you stick to using a krb5 or gss context and any of
the transparent data structures (those defined in krb5.h or gssapi.h)
in one thread at a time.
I've recently heard of one possible problem, which we're
The Second Annual
AFS & Kerberos
Best Practices Workshop
June 20-24, 2005
Carnegie Mellon
[EMAIL PROTECTED] wrote on 06/06/2005 10:21:12 AM:
> As I said, I've created a new keytab with the
> HTTP/[EMAIL PROTECTED] service name (using
ktpass).
> klist now shows the correct principal:
>
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
>
>
---
On Monday, June 06, 2005 09:59:56 AM -0500 Nicolas Williams
<[EMAIL PROTECTED]> wrote:
On Mon, Jun 06, 2005 at 09:27:51AM -0500, Matt Crawford wrote:
>> I really think that working on this axis [IAKERB/Wireless Auth.]
>> should be amongst the milestones of kerberos wg.
Work area for energe
Buck Huppmann wrote:
hello. sorry to cross-post, but i at least left out openssh-unix-dev@
this time around
anybody know if somebody's working on the issue of how to refresh cred-
entials forwarded/delegated to a an SSH session? e.g., if the server
is using RPCSEC_GSS-flavored NFS and your fo
Quoting Frank Balluffi <[EMAIL PROTECTED]>:
Julien ALLANOS said:
I've sniffed on port 88 but I didn't see any packet. Probably because
browser,
KDC and web server are on the same machine? (I have only 1 machine on
my domain
atm).
Yes, you will need to run a KDC on a separate machine to sni
Running Win 2003 SP1 and Win2000 latest SP (forget the num), we were forced to
add in the des-cbc-md5 encryption type for all users. The reason seemed to have
to do w. the session key being set up for the user.
So, we've seen the following behavior:
AS-REP has the TGT encrypted with des3-cbc-sha1
Julien ALLANOS said:
> I've sniffed on port 88 but I didn't see any packet. Probably because
browser,
> KDC and web server are on the same machine? (I have only 1 machine on
> my domain
> atm).
Yes, you will need to run a KDC on a separate machine to sniff the traffic
-- at least with Ethereal
On Mon, Jun 06, 2005 at 09:27:51AM -0500, Matt Crawford wrote:
> >>I really think that working on this axis [IAKERB/Wireless Auth.]
> >>should be amongst the milestones of kerberos wg.
>
> Work area for energetic contributors, yes. Milestones of the group,
> no. IMO, of course.
Such a mechani
Selon Frank Balluffi <[EMAIL PROTECTED]>:
Julien ALLANOS said:
I am now facing to the following problem: browsers don't send NTLM
tokens
anymore but SPNEGO tokens (I believe). I don't really know what I did to
make
it work, but heh, it works. That's good.
For both NTLM and SPNEGO tokens,
Hello,
Is krb5-1.4.1 thread safe?
Thank you,
M.
_
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
_
Julien ALLANOS said:
> I am now facing to the following problem: browsers don't send NTLM
tokens
> anymore but SPNEGO tokens (I believe). I don't really know what I did to
make
> it work, but heh, it works. That's good.
For both NTLM and SPNEGO tokens, IE should send:
Authorization: Negotiate
Julien ALLANOS said:
> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API: Miscellaneous failure)
> [Mon Jun 06 09:57:17 2005] [error] [client 192.168.100.191] mod_spnego:
> gss_acquire_cred failed; GSS-API mechanism: No principal in keytab
Hello,
I have the following problem:
My company has the following situation:
We have one large DNS domain sgi.nl and we are planning on creating three
realms:
SGI.NL
A.SGI.NL
B.SGI.NL
When configuraing my kerberos clientes there is a [domains_realm] tab where
should put my domains to real
Selon Frank Balluffi <[EMAIL PROTECTED]>:
For IE, follow the directions on
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
(I think someone has already made this point), including shutting down ALL
instances of IE and restarting IE.
Check your IE v
20 matches
Mail list logo