kerberos ticket length and IP addresses

2008-02-07 Thread Cesar Garcia
[this is largely a kerberos question, but I am cross posting in case anyone on the openafs mailing list may have had a similar experience] We are having two problems with larger krb5 afs/service tickets. Specifically when krb5_creds.ticket.length exceeds order of about 350 bytes we run into these

Re: Thread-safe libraries

2004-02-25 Thread Cesar Garcia
clearly sets auth_context with KRB5_AUTH_CONTEXT_DO_SEQUENCE. What am I missing? >>>>> "Sam" == Sam Hartman <[EMAIL PROTECTED]> writes: >>>>> "Cesar" == Cesar Garcia <[EMAIL PROTECTED]> writes: Cesar> wrt to gssapi and 1.3.1 ... Cesa

Re: Thread-safe libraries

2004-02-25 Thread Cesar Garcia
> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes: >> It is also worth noting, that, while Heimdal is not thread safe (at least there >> are no guarantees), it has proven to be much more thread-robust than MIT. >> OpenLDAP page and a couple of users have experienced problems with MIT and

Re: I am stuck at krb5_cc_initialize, how to check?

2003-08-14 Thread Cesar Garcia
Are you building your own app or is this from one of the stock applications? Can you provide a stack trace and other relevant details that you can obtain from your debugger? Which version of the kerberos libraries does this application use, did you build your own or are you using libraries provided

Re: kerberos ftpd bug? can't get it to work (New, sort of)

2003-08-01 Thread Cesar Garcia
You can also inspect for which principal a service ticket was acquired, on the client side via klist. Make sure there is a corresponding keytab entry for this principal on the target host (klist -k). > "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes: >>> GSSAPI accepted as authentication ty

Re: Can credentials from different realms be put in the same/tmp/krb5cc_ file?

2003-07-31 Thread Cesar Garcia
This is really impractical, since most applications attempt to use tickets for the default principal named in the ticket. Unless [all of] your applications intend to explicitly acquire credentials for a named [client] principal, a single credential's cache is going to be difficult. My personal recomm

no file locking used when reading/writing replay cache?

2003-07-12 Thread Cesar Garcia
short: There does not appear to be use of file locks when reading/writing to replay cache files. long: We are implementing gss authentication via client and server side security exits invoked by a vendor application. The application is both multi-processed and multi-threaded. We have applied var

gss_accept_sec_context server principal

2003-03-16 Thread Cesar Garcia
Hi, I am trying to change the behavior of a functioning GSS-enabled application server such that the server principal and corresponding keytab entry used by gss_accept_sec_context is determined dynamically based on the server principal named in the client's ticket (implicitly specified by the in

Re: krb524d, aklog and AFS tokens

2003-03-05 Thread Cesar Garcia
Understood, I've just been delaying for no good reason. I'll find time one of these weekends to submit various patches. Thanks. >>>>> "Sam" == Sam Hartman <[EMAIL PROTECTED]> writes: >>>>> "Cesar" == Cesar Garcia <[EMAIL PR

Re: krb524d, aklog and AFS tokens

2003-03-05 Thread Cesar Garcia
in its form was not compiled or tested, I just forged it from actual working changes, but it looks correct. (it also includes a one line fix for a memory leak). >>>>> "Matthew" == Matthew Mauzy <[EMAIL PROTECTED]> writes: Matthew> I found the following p

Re: afs-krb5 integration

2002-10-18 Thread Cesar Garcia
this bug. But with your Klaas> patch, the krb524d works good together with openafs? Klaas> Thanks Klaas - Original Message - From: "Cesar Garcia" Klaas> <[EMAIL PROTECTED]> To: "Ken Hornstein" Klaas> <[EMAIL PROTECTED]> Cc: "Cesar Garci

Re: afs-krb5 integration

2002-10-17 Thread Cesar Garcia
Not sure - I'm not exactly an AFS subject matter expert and I haven't seen the AFS code that implements the key retrieval (from KeyFile) and token validation. When I first started looking at MIT's krb524, this was the first problem we saw. [the 524 client setting the lifetimes incorrectly was the

Re: afs-krb5 integration

2002-10-17 Thread Cesar Garcia
There is also a bug in krb524d that does not set the kvno on the returned V4 ticket. Here's a patch: $ diff -c krb524d.c.orig krb524d.c *** krb524d.c.orig Thu Oct 17 13:37:30 2002 --- krb524d.c Thu Oct 17 13:39:55 2002 *** *** 412,418 memset (key, 0, sizeof (*

Re: thread safety of gssapi and dependencies

2002-10-04 Thread Cesar Garcia
We'll try this. Thanks. > "Sam" == Sam Hartman <[EMAIL PROTECTED]> writes: Sam> The krb5 library is not thread safe. IN practice you may be able to Sam> simply put a mutex around context setup (gss_init_sec_context and Sam> gss_accept_sec_context) calls and be OK, but this is not guarantee

thread safety of gssapi and dependencies

2002-10-03 Thread Cesar Garcia
Hi, I was wondering what the thread safety situation is with libgss and underlying libraries. We intend to use these apps in heavily threaded applications (including middle tier servers that act as both security context initiators and acceptors). We seem to be running into KRB5_FCC_INTERNAL "In

MIT client and AD KDC interoperability

2002-09-06 Thread Cesar Garcia
Part of our migration from NT to Active Directory involves cloning NT user accounts to initialize the AD account (including the password). This allows a user to log in to XP (a member of an AD domain) using the cloned password, at least initially. It's not clear whether the cloning mechanism all

Re: kadm5.acl rights for foreign principals

2002-03-12 Thread Cesar Garcia
> "Marcio" == Marcio d'Avila Scheibler <[EMAIL PROTECTED]> writes: Marcio> Since we have a multi-realm KDC and in real life the same Marcio> people will manage those realms, I'd like to give permissions Marcio> to the same principal and if possible I wouldn't like Marcio> create user/admin@RE

Re: Ticket forwarding and IP addresses

2002-02-13 Thread Cesar Garcia
vno; return 0; } else if (use_master) { return kdc_get_server_key(context, p, key, kvnop, ktype, kvno); >>>>> "Cesar" == Cesar Garcia <[EMAIL PROTECTED]> writes: Cesar> OK. I may have figured the error. Cesar> Although the ke

Re: Ticket forwarding and IP addresses

2002-02-12 Thread Cesar Garcia
of 0. >>>>> "Cesar" == Cesar Garcia <[EMAIL PROTECTED]> writes: Cesar> This is not exactly a Kerberos specific issue, but perhaps Cesar> the folks on this mailing list might have some insight. Cesar> I decided for now to go with Ken's suggestion that

Re: Ticket forwarding and IP addresses

2002-02-12 Thread Cesar Garcia
is machines, openafs 1.2.2 on our linux boxes. AFS servers are solaris. Before I go digging into this problem some more, I was wondering if anyone might have some insight on this one. Thanks in advance. >>>>> "Cesar" == Cesar Garcia <[EMAIL PROTECTED]> writes: Ce

Re: Ticket forwarding and IP addresses

2002-02-08 Thread Cesar Garcia
> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes: >> Since we use NIS as the primary source for hostname >> resolution, all host lookups render a single IP address, >> even for multihomed machines. Moving to DNS is not an >> option at the moment. Ken> I have to ask ... you're STILL using

Ticket forwarding and IP addresses

2002-02-08 Thread Cesar Garcia
I've been working with 1.2.2 for some months now, and only recently have attempted to get the rcmds working, mainly in an effort to better understand how ticket forwarding works, since we have a need to do this in a homegrown application. The behavior that I see is that when I invoke ticket f

Re: KERB V5 + SEGV_MAPERR

2002-02-06 Thread Cesar Garcia
e kerberos libs are referencing the global errno, instead of the thread specific errno which stat is actually using. Hence your problem. >>>>> "Christopher" == Christopher Burke <[EMAIL PROTECTED]> writes: Christopher> [EMAIL PROTECTED] (Cesar Garcia) wrote in

Re: KERB V5 + SEGV_MAPERR

2002-02-05 Thread Cesar Garcia
I gather your application is multithreaded, or at least built with threads in mind ... You should build your kerberos libs with -D_REENTRANT. At least in 1.2.2, the problem begins in src/util/profile/prof_file.c in the profile_update_file method, where a stat is done to look for the krb5.conf f

Re: Kerberos on the web

2002-01-18 Thread Cesar Garcia
Actually they are sharing the details, but only for review/ analysis. The Microsoft PAC specification is available at Microsoft's web site, but subject to a rather prohibitive license. http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20597 Unfortunately, at least from my interpretation

user to user support in GSSAPI

2001-11-17 Thread Cesar Garcia
Does anyone know if user to user is supported in the MIT implementation of GSSAPI? or if there are any plans for it. Thanks.

alternate keytab for gssapi

2001-09-21 Thread Cesar Garcia
Hi, I was just wondering if it was possible for an application to specify an alternate keytab when obtaining credentials (gss_acquire_cred) that will be used to accept a security context (gss_accept_sec_context). If not, should I bother to make changes to gssapi_krb5, or is expected to be in the