Re: Kerberos - Microsoft Active Directory DNS

2009-01-29 Thread Christopher D. Clausen
Michael B Allen iop...@gmail.com wrote: In general, both the MIT and Heimdal clients are not optimized for a Windows environment. We have an AD integration product that uses Heimdal that we made a lot of changes to try to better emulate Windows behavior. Please just stop trying to sell folks

Re: Kerberos - Microsoft Active Directory DNS

2009-01-29 Thread Michael B Allen
On Thu, Jan 29, 2009 at 10:00 AM, Christopher D. Clausen cclau...@acm.org wrote: Michael B Allen iop...@gmail.com wrote: In general, both the MIT and Heimdal clients are not optimized for a Windows environment. We have an AD integration product that uses Heimdal that we made a lot of changes

Re: Windows client authentication problem

2009-01-29 Thread Richard E. Silverman
VVN == Viji V Nair vijivijayaku...@gmail.com writes: VVN Hi, I am trying to authenticate windows xp clients to an MIT VVN kerberos server. The Server is on a Linux machine and I have VVN both windows and Linux clients on my network. I have followed the VVN below steps, but no

Re: Unexpected return codes from KDC -- krb5-1.6.3

2009-01-29 Thread Tom Yu
Mike Friedman mi...@berkeley.edu writes: This is a 'sequel' to my earlier postings about getting bad return codes from the KDC. However, I've moved from a binary Linux distribution to a FreeBSD port of MIT Kerberos and my symptoms are a bit different, so I'm starting a new thread. My

Re: Unexpected return codes from KDC -- krb5-1.6.3

2009-01-29 Thread Mike Friedman
On Thu, 29 Jan 2009 at 16:23 (-0500), Tom Yu wrote: The get_in_tkt APIs are deprecated in favor of the get_init_creds APIs. I know that this fact is probably not well-documented. Tom, Yes, I've been aware of this for some time. Unfortunately,

Re: Unexpected return codes from KDC -- krb5-1.6.3

2009-01-29 Thread Tom Yu
Mike Friedman mi...@berkeley.edu writes: What error shows up in the KDC logs during those failure conditions? One example is this: CLIENT KEY EXPIRED: mi...@berkeley.edu for krbtgt/berkeley@berkeley.edu, Password has expired As I said in my later note, it's not just my API code

Re: Unexpected return codes from KDC -- krb5-1.6.3

2009-01-29 Thread Mike Friedman
On Thu, 29 Jan 2009 at 17:09 (-0500), Tom Yu wrote: Mike Friedman mi...@berkeley.edu writes: CLIENT KEY EXPIRED: mi...@berkeley.edu for krbtgt/berkeley@berkeley.edu, Password has expired As I said in my later note, it's not just my API

Re: Unexpected return codes from KDC -- krb5-1.6.3

2009-01-29 Thread Tom Yu
Mike Friedman mi...@berkeley.edu writes: But the fact that kinit seems to be acting the same way would appear to be the significant point. Yes. Here's what getprinc shows: kadmin.local: getprinc mikef Principal: mi...@berkeley.edu Expiration date: [never] Last password

Re: Unexpected return codes from KDC -- krb5-1.6.3

2009-01-29 Thread Mike Friedman
On Thu, 29 Jan 2009 at 17:44 (-0500), Tom Yu wrote: Do you get this sort of mismatched error code for a client principal that does not have REQUIRES_PRE_AUTH set? Tom, With 1.6.3 kinit, without REQUIRES_PREAUTH, I now get the expected message: