I'm pleased to announce release 4.4 of pam-krb5.
pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization
handling, authentication of non-local accounts for network services,
password changing, and password

Russ Allbery wrote:
> > I am just curious. What Windows client programs and Unix server programs
> > (or vice versa) must you use? How do you use this trust?
> We allow all Active Directory users at Stanford to log on either in the AD
> realm or in the university Heimdal realm, and try to set up a

Greg Hudson wrote:
[dd]
> > But earlier you said that DNS-canonicalization of the gethostname() is
> > used. If we have no DNS, who will canonicalize the hostname?
> That's shorthand because so many installations use DNS for hostname
> resolution. Heimdal uses getaddrinfo() for its canonicaliza

On Fri, 2010-12-31 at 06:32 -0500, Brian Candler wrote:
> I'd like to propose this upstream, but first would like some feedback as to
> whether this is likely to be a safe change to make, remembering that some
> people may be using older versions of MIT, or different Kerberos libraries,
> underneat

My understanding from previous postings is that a modern Kerberos app should
just try decrypting the ticket with every key in its keytab until it finds
one which works.
On the openldap-technical mailing list, Russ Allbery has just posted a
one-line patch he uses for Cyrus-SASL:
--- a/plugins/gssa

On Thu, Dec 30, 2010 at 04:58:09PM -0500, Greg Hudson wrote:
> On Thu, 2010-12-30 at 05:55 -0500, Brian Candler wrote:
> > Is this behaviour intentional? Unless I've missed something, it means I
> > can't run kadmin anywhere that hasn't had krb5.conf explicitly configured
> > with the realm.
>
> I