How are folks performing functional testing of KDCs (without PKINIT)?
We have a very primitive Nagios/Icinga plugin (loosely based on [1])
which invokes `kinit' with a keytab. This verifies that the round-trip
principal-KDC-OpenLDAP is possible.
-JP
[1]
Hello Javier,
I'm trying to set up a krb5 server with an OpenLDAP backend. According to
the documentation it seems that ldapi is a valid method to connect, but I'm
not able to create the database.
Trying to use
kdb5_ldap_util -H ldapi:/// create -r DOMAIN.LOCAL -s
gives an 'LDAP bind dn value
Hello,
The documentation of remctl (version 3.2) is not clear to me in regard
to setting the source IP address of outgoing connections:
remctl_set_source_ip(3) in doc/api/ specifies:
Call this function before remctl_open() if remctl client connections
need to come from a
When I run this script on one of my linux boxes I get this (as expected):
Kerberos 5 version 1.8.3
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
klist returned false
And on a different one:
Kerberos 5 version 1.10-beta1
klist: No
FWIW, I've written [1] a short article on my very good experience with
Wallet. Thanks to Russ for having created it and for help in
understanding!
-JP
[1]:
http://jpmens.net/2012/06/25/streamlining-distribution-of-kerberos-keytabs-and-other-secure-data/
I'll post code when ready.
FWIW, it works :) I've put it up at [1] with an attempt at explaining it.
Regards,
-JP
[1] https://github.com/jpmens/tenDB
Kerberos mailing list Kerberos@mit.edu
Hello,
I'm *really* liking Wallet (v0.12), but have a few questions, mainly
regarding ACLs and their use. I hope you can help me. Here goes:
1. I'm unsure of the order in which wallet commands are issued. In order
to create and then obtain (i.e. `get') a keytab I seem to have to
issue the
Russ,
You may want to grab the latest Git version, which has an implementation
(although it may still not be quite what you want).
It looks good, but is indeed not quite what I want: your code compares
an attribute type in a principal's LDAP entry to a specified attribute
type, whereas I
[ASCII diagram: PC --SSH--> semi-trusted bastion --SSH--> trusted environment]
Ross,
On Tue Jun 05 2012 at 08:54:11 CEST, Russ Allbery wrote:
Our KDCs have always been open to the Internet.
Oh, I've always thought KDCs need to be particularly protected from the
elements...
Are you willing/able to share a bit more information on what kind of
protection measures (apart from basic Unix) you apply to your KDCs, or
is there a paper on how MIT has implemented that?
Apologies: I meant Stanford, of course.
-JP
Ugh. Any do's and don'ts? How do you harden the KDC (not the host but
the Kerberos side)?
It will solve some of our problems as well but it was deemed too risky.
+1 :)
-JP
I need a bit of help, please, for the following scenario: a bunch of
workstations (PCs, on the left) currently connect via SSH to a
semi-trusted bastion host, from which users jump onto machines in a
trusted environment. This design cannot be changed.
The idea behind the multi (two) master setup is to have a failover
solution for everything, so that one slapd or one kdc can go down.
It sounds like a good idea, but IMO it may be more trouble than it's
worth.
I've thrown aside my pessimism and have implemented the following
scenario
Do I need to use the kprop tool if I want to run more than one KDC for
the same realm or can both KDCs just access the same database inside
the DIT of OpenLDAP at the same time?
Don't use kprop. The advantage of storing the KDC database in LDAP is
that you make use of OpenLDAP's replication to
The multi master OpenLDAP setup works like a charm. As far as I can
say there are no problems at all.
That is very good to hear. Maybe I should shrug my pessimism off and
give it a try. Considering I'm in the midst of a project setting up
Kerberos with an LDAP back-end, I might do that... :)
I am a software developer at a commercial company; we are currently
planning to Kerberize our product, and I want to know if there are
restrictions on using the krb5 libs, specifically:
The MIT Kerberos license is very liberal [1]; IANAL but it would seem
possible for you to do pretty much what you
My next step is to create a puppet recipe to automate the whole
process and to package wallet so it is easier to install.
I, for one, would be interested in your Puppet solution once you have
it. :)
-JP