You probably do not have reverse DNS set up properly, or the reverse DNS
name does not match the keytab installed on the application server.
In any case, you should ditch telnet and rlogin in favour of SSH.
On Tue, 2010-01-19 at 18:19 +0530, vinay kumar wrote:
I want to capture
As far as I know, MIT Kerberos can run multiple KDCs from the same
machine, but each realm needs to have its own IP or set of ports.
On Fri, 2010-01-01 at 13:19 +0100, BOUCHER, Flavien wrote:
Hi,
I need to setup kerberos for six distinct domain, there is no trust
relationship between
Openfire, MIT Kerberos (I've done it elsewhere with Heimdal) and
OpenLDAP, with the Cyrus saslauthd daemon to allow plain text logins.
This link was incredibly helpful for getting saslauthd to comply;
http://www.semicomplete.com/articles/openldap-with-saslauthd/
GSSAPI and plain text logins work
There's a bunch of things there that are a bit messed up.
Firstly, if you aren't sure what the hostname is, run;
hostname -s
If this tells you it's 'localhost', you should edit /etc/hostname to
be something more descriptive (and the same as whatever you pick for
myserverhostname below) and
You will need to specify the principal you wish to use when running
kinit. This is because keytabs can contain multiple principals.
ie;
kinit -kt /etc/krb5/krb5.keytab host/uk0108.bxc@bxc.com
Hope this helps!
Cheers,
Edward
On Tue, 2009-08-18 at 13:04 -0700, dxtans wrote:
Hello,
I have
You can either add service principals for the other domains to the
keytab, or establish cross-realm trusts between the realms. The latter
is probably better if you expect to have lots of places where you need
to interoperate.
Cheers,
Edward
On Thu, 2009-08-13 at 17:50 -0400, Farzad Kohantorabi
I've been wondering about this problem for a while. My current solution
on my laptop is to use a normal /etc/passwd login, and run kinit once
I'm logged in.
What I would like is to allow some method of transparently caching
passwords, then creating a TGT once network connectivity is
established.
On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:
Edward Murrell edw...@murrell.co.nz writes:
I've been wondering about this problem for a while. My current solution
on my laptop is to use a normal /etc/passwd login, and run kinit once
I'm logged in.
What I would like is to allow
libraries for handling active
directory
LDAP lookups.
Cheers,
Edward Murrell
On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
Hi everyone I have a noob question for ya.
I need to develop a website for a company that uses kerberos
login, the web server resides
)
compliant LDAP schemas. Other people have already written (and to be
fair, support much better) php libraries for handling active directory
LDAP lookups.
Cheers,
Edward Murrell
On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
Hi everyone I have a noob question for ya.
I need
Hi,
From my notes for 10.4 for doing this a few years ago (at a company that
I no longer work for, so my memory may be fuzzy and/or out of date) you
need to run through the instructions here;
http://support.apple.com/kb/TA20987?viewlocale=en_US
AND you need modify the pam files in /etc/pam.d/
Assuming your DNS is set up properly, you'll need to set the host tabs
to have the principal's fully qualified domain name, i.e.
host/[EMAIL PROTECTED] instead of host/[EMAIL PROTECTED]
You can check if it is by running host against the IP of the hostname.
So assuming rofe.one.com has the IP
Yep, also confirmed to work with Dovecot IMAP server.
Victor Sudakov wrote:
Is there anyone for whom Thunderbird with GSSAPI really works?
I hope it is not just theory, someone is using it or has tested it?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/[EMAIL PROTECTED]
Can anyone explain to me what's the relation between LDAP and Kerberos?
(The longer explanation)
Authentication is the process of proving who you are. But, just because I
can prove I'm who I say I am via a drivers licence, doesn't mean I'm
getting into the club. Your name isn't on the list.
Hi,
NSS doesn't configure the order of authentication; it does (among other
things) configure the order of lookup for which user is in what group and
owns what files (or, more accurately, which UIDs/GIDs map to which
users/groups).
Authentication is performed by PAM (see /etc/pam.d/). Authconfig is a
Redhat
us know.
Thanks,
On Feb 7, 2008 9:57 AM, Edward Murrell [EMAIL PROTECTED] wrote:
Hi,
NSS doesn't configure the order of authentication; it does
(among other
things) configure the order of lookup for which user is in what group and
owns what
files
Well, I own a couple of webservers, so I'm sure something could be
arranged.
This week though, I'm swamped with work and have the flu. Next week I
could look at sticking something up somewhere and/or providing you an
account?
-Edward
On Tue, 2008-02-05 at 20:49 -0500, Ken Hornstein wrote:
Ken,
On Tue, 2008-02-05 at 21:44 -0500, Ken Hornstein wrote:
Sure. However, somehow I am still ignorant of the mechanics of
actually creating any kind of useful web content. I can write text,
I can provide you the actual files, but I would rather just hand
it all to you and you can make it
Sounds like something that would be better served using LDAP groups,
that way it could hook into existing infrastructure.
However, the current PADL pam implementation (last I looked anyway)
wasn't especially brilliant at providing control for lots of hosts with
lots of users. It was possible to
Not to try and rain on your parade, but...
Wouldn't it be easier to use the standard mod_auth_kerb lib and write an
Apple-only directory service Apache module (if it doesn't already
exist), and set up the auth kerb as non-authoritative?
Cheers
Edward
On Mon, 2008-01-21 at 10:55 -0700, Nathan
in kadmin, like so;
ktadd -k /home/jyho/bar.keytab host/bar.intra.foobar.com
These days, I've got a very simple Kerberos setup, so I can't really
shed much light I'm afraid...
Cheers,
~Edward Murrell
On Tue, 2007-06-26 at 09:31 +0800, Anthony Ho wrote:
Hi Guys,
Anyone got better ideas
Erm, dunno if this will help you any. This is a straight copy/paste from
my Wiki, which may only apply to my domain, but it sounds about right;
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
This occurs when kadmin is attempting to talk to the KDC with the wrong
realm.
Your DNS looks like it's working correctly then.
I would guess that the client is trying to connect using NFSv3, and the
server is correctly complaining that the client is not listed for NFSv3
in /etc/exports.
Although it will generate huge amounts of text, try running the
following as root to help
!
Cheers,
Edward Murrell
Luca Lauretta wrote:
Hi, I'm struggling to configure NFSv4 to work with MIT Kerberos v5.
/etc/exports on server (sequoia)
#/home/condivisa sughero.reti.dist.unige.it(rw,sync)
/home/condivisa gss/krb5(rw,fsid=0,insecure,no_subtree_check,no_root_squash)
#/home/prova
Jeff Blaine wrote:
Jeffrey Altman wrote:
tkt=1 ses=1}, [EMAIL PROTECTED] for [EMAIL PROTECTED]
Do you really have a lowercased realm?
Yes. No good?
Not for the best. Active Directory assumes upper case everything for
example.
The FAQ at
A list of useful links is here;
http://swik.net/kerberos+LDAP+Java
Shigeru Ishida wrote:
Hi,
When I use Kerberos in combination with OpenLDAP,
I try to write Java code with the Novell LDAP Classes for Java to
enter the LDAP data needed for Kerberos authentication.
Please tell me
to share this under the GPL if anyone would care.
Regards
Edward Murrell
[EMAIL PROTECTED]
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Hi all,
I've run into some problems with a KDC slave that's started giving me
grief out of the blue.
System (bender) is Debian testing, x86. Krb5 packages are all 1.4.4-6.
The master KDC (becks) is Ubuntu 6.06 (LTS) running KRB5, with Krb5
packages 1.4.3-5ubuntu0.2. The master KDC also feeds
the old realm understood the new realm.
Anyway, this fix was to have the correct realm in krb5.conf.
Regards
Edward
Edward Murrell wrote:
Hi all,
I've run into some problems with a KDC slave that's started giving me
grief out of the blue.
System (bender) is Debian testing, x86. Krb5
this helps you some!
Regards,
Edward Murrell
Luca Petrini wrote:
Hello, I'm an Italian user and my name is Luca.
I'm working with Kerberos on my Ubuntu 6.10.
I have installed the krb5 packages and configured the kdc.conf and
krb5.conf files. The files are configured to test the authentication
[EMAIL PROTECTED] wrote:
Sorry, I guess I wasn't very clear. The servers aren't KDCs, they are
CVS/Subversion servers accessed via OpenSSH using GSSAPI Authentication
and GSSAPI Key Exchange.
In the very simplest case we would have 2 hosts -- one for CVS and one
for Subversion. If one
Nicolas Williams wrote:
Give your server host/f.q.d.n principals and keytab entries for all its
interfaces' canonical names.
Did that. SSH ignores them.
And get a client that know how to decode the SSH_MSG_KEXGSS_ERROR
message :)
Nico
That's really not an option. In most cases, the
correctly
checks out, but still allowing the forward DNS from the internal LAN to
work properly.
I hope this helps someone in the future. :)
Regards
Edward Murrell
Edward Murrell wrote:
Hi there,
I'm currently fighting issues with a couple of multi-homed hosts on my
network here.
I've read
I think screeds of information could be added on Troubleshooting, as
well as Installation notes and use with various other products (SSH,
PAM, and Windows probably being the main three).
I could probably get permission from my boss to copy/paste most of the
notes in our wiki about Kerberos.
Jeff
Hi all,
I've got an issue with KRB5 auth_to_local and ssh that I'm trying to
work out.
I have a machine called 'hobbes' with a common user account that I'm to
get working with SSH and Kerberos.
Normal SSH + Kerberos works perfectly.
However, the specs call for anyone with a valid Kerberos
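The auth_to_local machinery the question above turns on, as an added example that is not part of the original post and not code from MIT krb5: a small Python re-implementation of the krb5.conf mapping (`auth_to_local = RULE:[n:string](regexp)s/pattern/replacement/g` and `DEFAULT`, set per realm in `[realms]`), so a rule set can be exercised against principals before it goes on a host. Assumptions: rule regexps run under Python's `re` rather than the POSIX ERE libkrb5 uses, a chain of `s///` clauses is applied left to right, the regexp in parentheses must match the whole formatted string, and the realms and rules in the block are invented, not the poster's.

```python
"""Toy auth_to_local mapper (added example, not code from the list or from
MIT krb5).  Rule regexps run under Python's re instead of the POSIX ERE that
libkrb5 uses, s/// clauses are applied left to right, and the realms and
rules below are invented."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUB_RE = re.compile(r"s/((?:\\.|[^/\\])*)/((?:\\.|[^/\\])*)/(g?)")


@dataclass
class Rule:
    ncomp: int            # the rule applies to principals with this many components
    fmt: str              # e.g. "$1@$0": $0 is the realm, $n is component n
    match: Optional[str]  # regexp the formatted string must match as a whole
    subs: List[Tuple[str, str, bool]] = field(default_factory=list)  # (pattern, replacement, global)


def parse_rule(text: str) -> Union[Rule, str]:
    """Parse one auth_to_local value; DEFAULT is returned as the string "DEFAULT"."""
    text = text.strip()
    if text == "DEFAULT":
        return text
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError(f"not an auth_to_local rule: {text!r}")
    ncomp, fmt, match, rest = m.groups()
    rule, pos = Rule(int(ncomp), fmt, match), 0
    while pos < len(rest):
        s = SUB_RE.match(rest, pos)
        if s is None:
            raise ValueError(f"bad s/// clause in {text!r}: {rest[pos:]!r}")
        rule.subs.append((s.group(1), s.group(2), s.group(3) == "g"))
        pos = s.end()
    return rule


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'a/b@R' -> (['a', 'b'], 'R'); a realm is required."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: Rule, comps: List[str], realm: str) -> Optional[str]:
    """Result of one RULE, or None when it does not apply."""
    if len(comps) != rule.ncomp:
        return None
    text = rule.fmt
    for i in range(len(comps), 0, -1):      # $2 before $1 so "$1" never eats "$10"
        text = text.replace(f"${i}", comps[i - 1])
    text = text.replace("$0", realm)
    if rule.match is not None and re.fullmatch(rule.match, text) is None:
        return None
    for pattern, replacement, everywhere in rule.subs:
        text = re.sub(pattern, replacement, text, count=0 if everywhere else 1)
    return text


def auth_to_local(principal: str, rules: List[Union[Rule, str]], default_realm: str) -> Optional[str]:
    """Local user for principal under the first rule that applies, else None.
    None means no local account; sshd/PAM must then refuse the login."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, comps, realm)
        if local is not None:
            # Guard of this example: a result that still looks like a principal
            # usually means a rule without its s///, so treat it as no mapping.
            return None if (not local or "@" in local or "/" in local) else local
    return None


# Constructed rules: own realm maps to the bare name, a partner realm lands
# everyone on one shared account, a third realm turns dots into underscores.
DEFAULT_REALM = "OFFICE.EXAMPLE"
RULE_TEXT = [
    r"RULE:[1:$1@$0](.*@OFFICE\.EXAMPLE)s/@.*//",
    r"RULE:[1:$1@$0](.*@PARTNER\.EXAMPLE)s/.*/shared/",
    r"RULE:[1:$1@$0](.*@OTHER\.EXAMPLE)s/@.*//s/\./_/g",
    "DEFAULT",
]
RULES = [parse_rule(r) for r in RULE_TEXT]


def map_principal(principal: str) -> Optional[str]:
    return auth_to_local(principal, RULES, DEFAULT_REALM)


if __name__ == "__main__":
    for p in ["edward@OFFICE.EXAMPLE", "alice@PARTNER.EXAMPLE", "john.smith@OTHER.EXAMPLE",
              "edward/admin@OFFICE.EXAMPLE", "mallory@EVIL.EXAMPLE"]:
        print(f"{p:30} -> {map_principal(p)}")
```

For a GSSAPI login OpenSSH asks krb5_kuserok() whether the authenticated principal may log in as the requested user; that consults ~/.k5login when it exists and otherwise this mapping, so a rule that maps a whole realm onto one account (as the PARTNER.EXAMPLE rule does) is what lets arbitrary principals of that realm land on a shared login. Keep the mapping strict: two-component principals such as edward/admin fall through to no account, and the guard at the end refuses results that still contain '@' or '/'. MIT also offers auth_to_local_names for explicit one-to-one mappings when a regexp is overkill.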
,
Scotty
Edward Murrell [EMAIL PROTECTED] wrote:
Hi Scotty,
The problem sounds like the Kerberos realms are different on each
machine, rather than the host's name.
What is the default realm for the kdc and the client machine? Also, if
you do a klist before running
This is a really fast response, since I'm about to disappear out the
door for Xmas.
Probable causes:
a) krb5.conf doesn't have kdc address
b) DNS doesn't have kdc address
c) address specified for kdc is internal address (eg kdc.local.lan.only)
d) address specified for kdc no longer exists for some
Hi Scotty,
The problem sounds like the Kerberos realms are different on each
machine, rather than the host's name.
What is the default realm for the kdc and the client machine? Also, if
you do a klist before running kadmin, what realm does it list?
Regards
Edward Murrell
[EMAIL PROTECTED
I thought I'd post back here how I got on.
So it turned out to be a funky combination of my earlier silliness in
having single names as hostnames (apollo, instead of apollo.office),
returning the single hostname in the reverse DNS, and having a single
name set in the /etc/hostname (which I'm sure
Ken Hornstein wrote:
Now I get a string of errors like this;
Nov 22 14:57:55 becks krb5kdc[5216](info): TGS_REQ (7 etypes {18 17 16
23 1 3 2}) 10.37.80.11: PROCESS_TGS: authtime 0, unknown client for
host/[EMAIL PROTECTED], Key table entry not found
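The hostname, reverse-DNS and keytab checks that several messages on this page come back to (the reverse-DNS-versus-keytab mismatch at the top, the host/FQDN keytab advice in the 10.4 notes, and the bare-hostname saga just above), done as one script. This is an added example, not code from the list archive or from MIT krb5; the klist output and DNS tables are constructed, and the realm OFFICE.EXAMPLE is invented. Forward and reverse lookup results are passed in as tables so the check runs offline; resolver_tables() fills them from the live resolver.

```python
"""Host principal / DNS consistency check (added example, not code from
the list or from MIT krb5; sample klist output, DNS tables and the realm
OFFICE.EXAMPLE are constructed)."""
import socket
from typing import Dict, List, Tuple


def parse_klist_keytab(text: str) -> List[str]:
    """Pull principal names out of `klist -kt`-style output.

    Entry lines look like '   2 11/22/2006 14:57:55 host/apollo.office@OFFICE.EXAMPLE';
    a line whose first field is a numeric KVNO and whose last field holds '@'
    is taken as a keytab entry, which skips the header and rule lines.
    """
    principals = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and "@" in fields[-1]:
            principals.append(fields[-1])
    return principals


def diagnose_host_principal(hostname: str, realm: str, keytab_principals: List[str],
                            forward: Dict[str, str], reverse: Dict[str, str]) -> List[str]:
    """Return the problems found (an empty list means the host looks sane).

    `forward` maps names to addresses and `reverse` maps addresses to names;
    they stand in for the resolver so the check runs offline.  MIT clients
    canonicalise the server name through reverse DNS when `rdns` is on
    (the default), so the PTR name is what they ask the KDC for and what
    must be in the keytab as host/<name>@REALM.
    """
    problems = []
    if "." not in hostname:
        problems.append(f"hostname '{hostname}' is not fully qualified; "
                        "check /etc/hostname and `hostname -f`")
    address = forward.get(hostname)
    if address is None:
        problems.append(f"no forward DNS record for {hostname}")
    else:
        rname = reverse.get(address)
        if rname is None:
            problems.append(f"no reverse DNS record for {address}")
        elif rname.lower() != hostname.lower():
            problems.append(f"reverse DNS for {address} is '{rname}', not '{hostname}'; "
                            f"clients will request host/{rname}@{realm}, which fails with "
                            "'Server not found in Kerberos database' if the KDC lacks it "
                            "or 'Key table entry not found' if the keytab does")
    wanted = f"host/{hostname}@{realm}"
    if wanted not in keytab_principals:
        problems.append(f"keytab lacks {wanted}; it holds {keytab_principals or 'nothing'}")
    return problems


def resolver_tables(hostname: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Forward/reverse tables from the live resolver (needs network access)."""
    address = socket.gethostbyname(hostname)
    return {hostname: address}, {address: socket.gethostbyaddr(address)[0]}


# Constructed sample reproducing the bare-name-in-reverse-DNS mistake.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 11/22/2006 14:57:55 host/apollo.office@OFFICE.EXAMPLE
"""
FORWARD = {"apollo.office": "10.37.80.11"}
REVERSE = {"10.37.80.11": "apollo"}          # the PTR hands back the short name

if __name__ == "__main__":
    principals = parse_klist_keytab(SAMPLE_KLIST)
    for problem in diagnose_host_principal("apollo.office", "OFFICE.EXAMPLE",
                                           principals, FORWARD, REVERSE):
        print("PROBLEM:", problem)
```

On a real host, feed it `socket.getfqdn()`, the output of `klist -kt /etc/krb5.keytab`, and `resolver_tables(hostname)`; a clean run still needs the KDC to know the same host/FQDN@REALM principal, which ktadd (as in the kadmin snippet further down) creates from the KDC's copy of the key.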
So, here's what would be
Paco Pelma wrote:
Hi.
At work I do this to put a Windows machine into the domain:
1. Assign a valid name, for example w000
2. My pc/properties
3. Change name
4. Domain: my_domain
Then it prompts for a user and a password:
my_domain\my_user
my_password
I want to do this with
Hmm, yes, diagnostics would be helpful wouldn't they. :P
OK, so things have progressed slightly.
First mistake was finding EXAMPLE.COM in one of my addprincs, and
following your advice, and someone else noting that quite possibly two
different encryption types were in use here, I've deleted the
Marcus Watts wrote:
Edward Murrell [EMAIL PROTECTED] writes
...
[EMAIL PROTECTED] ~ $ kadmin -s becks -p edward/[EMAIL PROTECTED]
Authenticating as principal edward/[EMAIL PROTECTED] with password.
Password for edward/[EMAIL PROTECTED]:
kadmin: GSS-API (or Kerberos) error while
two realms in parallel and
tell them to trust each other. Unfortunately, MIT Kerberos doesn't
appear to allow you to run two KDCs on the same server.
Anyone have ideas?
Regards
Edward Murrell
[EMAIL PROTECTED]
Ken Raeburn wrote:
You can, but you have to write the config files to specify different
port numbers for them. (The code doesn't currently support using only
some of a machine's IP addresses, if you wanted to put one on one
address and one on another.) The code theoretically supports serving
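The configuration-side checks behind several threads on this page, as one added script (not code from the list or from MIT krb5): two krb5kdc processes on one host must not share kdc_ports (this thread), a realm in krb5.conf needs a kdc = line unless DNS SRV lookup is on (the probable-causes list further up), the default realm must have a [realms] stanza to talk to (the wrong-realm kadmin error), and realm names are expected in upper case (the lowercased-realm exchange). The configuration text and realm names are constructed; the port 88 fallback for an unset kdc_ports is taken from current MIT documentation (older releases defaulted to 750,88).

```python
"""krb5.conf / kdc.conf sanity checks.
Added example, not code from the list or from MIT krb5; the configuration
text and realm names below are constructed for the demo."""
from typing import Any, Dict, List, Set

Conf = Dict[str, Any]


def parse_profile(text: str) -> Conf:
    """Parse [section] / key = value / key = { ... } into nested dicts.
    Repeated keys (several 'kdc =' lines) collect into a list; blank lines
    and full-line '#' or ';' comments are skipped."""
    root: Conf = {}
    stack: List[Conf] = []

    def put(target: Conf, key: str, value: Any) -> None:
        old = target.get(key)
        target[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            stack = [root.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub: Conf = {}
                put(stack[-1], key, sub)
                stack.append(sub)
            else:
                put(stack[-1], key, value)
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return root


def realm_kdcs(conf: Conf, realm: str) -> List[str]:
    """kdc = entries of the [realms] stanza for realm ([] if none)."""
    stanza = conf.get("realms", {}).get(realm)
    kdcs = stanza.get("kdc", []) if isinstance(stanza, dict) else []
    return kdcs if isinstance(kdcs, list) else [kdcs]


def lint_client_conf(conf: Conf) -> List[str]:
    """Mistakes behind 'cannot resolve KDC' and wrong-realm kadmin errors."""
    problems = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    # dns_lookup_kdc defaults to true in MIT; with it off, [realms] is the only KDC source.
    dns_ok = str(libdefaults.get("dns_lookup_kdc", "true")).lower() in ("true", "yes", "1")
    default_realm = libdefaults.get("default_realm")
    if default_realm not in realms and not dns_ok:
        problems.append(f"default_realm {default_realm} has no [realms] stanza and DNS lookup is off")
    for realm in realms:
        if realm != realm.upper():
            problems.append(f"realm {realm} is not upper case; Active Directory and most KDCs expect it")
        if not realm_kdcs(conf, realm) and not dns_ok:
            problems.append(f"realm {realm} has no kdc = line and dns_lookup_kdc is false")
    return problems


def kdc_listen_ports(kdc_conf: Conf) -> Set[int]:
    """Ports one krb5kdc binds: per-realm kdc_ports, else [kdcdefaults], else 88 (assumed)."""
    fallback = kdc_conf.get("kdcdefaults", {}).get("kdc_ports", "88")
    ports: Set[int] = set()
    for stanza in kdc_conf.get("realms", {}).values():
        spec = stanza.get("kdc_ports", fallback) if isinstance(stanza, dict) else fallback
        ports.update(int(p) for p in str(spec).split(","))
    return ports


def kdc_port_collision(a: Conf, b: Conf) -> Set[int]:
    """Ports two separate krb5kdc processes (own kdc.conf each) would contend for."""
    return kdc_listen_ports(a) & kdc_listen_ports(b)


# Constructed samples: a client config whose second realm names no KDC, and
# two kdc.conf files for two krb5kdc processes on one host, both left on 88.
CLIENT_CONF = """
[libdefaults]
    default_realm = OFFICE.EXAMPLE
    dns_lookup_kdc = false
[realms]
    OFFICE.EXAMPLE = {
        kdc = kdc.office.example
    }
    LAB.EXAMPLE = {
        admin_server = kdc.office.example
    }
"""
OFFICE_KDC_CONF = """
[kdcdefaults]
    kdc_ports = 88
[realms]
    OFFICE.EXAMPLE = {
        database_name = /var/lib/krb5kdc/principal
    }
"""
LAB_KDC_CONF = """
[realms]
    LAB.EXAMPLE = {
        database_name = /var/lib/krb5kdc-lab/principal
    }
"""
LAB_KDC_CONF_FIXED = LAB_KDC_CONF.replace("    }", "        kdc_ports = 1088\n    }")
```

A single krb5kdc serving several realms from one kdc.conf shares its sockets between them and dispatches on the realm named in each request, so the port check only matters for separate processes, each started with its own kdc.conf, which is the two-KDC setup discussed here. The fix for the lab instance is kdc_ports = 1088 in its realm stanza (LAB_KDC_CONF_FIXED), and the matching client-side line is kdc = kdc.office.example:1088 under LAB.EXAMPLE; with that line present lint_client_conf() goes quiet. Point d) of the probable-causes list (a KDC address that no longer resolves) is the one thing this cannot see offline; a socket.gethostbyname() over each realm_kdcs() host covers it.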