fakeka.c failing to build under Solaris 9 SPARC

2006-02-02 Thread Jeff Blaine
Note that this all built fine before I added --enable-fakeka In file included from fakeka.c:51: ../include/kerberosIV/krb.h:57:32: kerberosIV/krb_err.h: No such file or directory ... ... make[1]: *** [fakeka.o] Error 1 make[1]: Leaving directory `/export/home/src/krb5-1.4.3/src/kdc' make: *** [al

Re: Can't find libgcc after building 1.4.1

2006-02-10 Thread Jeff Blaine
Reviving an old thread here from August 2005. http://mailman.mit.edu/pipermail/kerberos/2005-August/008229.html I continue to have this same problem. At first I thought it was a configuration issue on my end. I mistakenly read a test on another machine as successful. Sectioned info below, with

Re: Can't find libgcc after building 1.4.1

2006-02-10 Thread Jeff Blaine
The fix I found just now after building, rebuilding, re-installing GCCs of various sorts, etc... for days now: src/config/shlib.conf Add $(LDFLAGS) to SHLIB_EXPFLAGS make distclean rebuild No more failed library refs for libgcc_s.so.1 Jeff Blaine wrote: > Reviving an old thread here f

Client not able to determine default realm - tried the obvious

2006-02-10 Thread Jeff Blaine
I'm stumped for sure. Kerberos 1.4.3 with --disable-dns /etc/krb5.conf is -rw-r--r-- It contains (among other things): #- [libdefaults] default_realm = JBTEST [realms] JBTEST = { kdc = 192.168.168.3 admin_server = 192.168.168.3

Re: Client not able to determine default realm - tried the obvious

2006-02-11 Thread Jeff Blaine
Ken H's response about needing [domain_realm] got me going. Thanks Ken and Sam. Sam Hartman wrote: > Can I get you to try with the comment before the first bracketed > section removed from krb5.conf? That was only added in the email. Kerberos mai

Simple Kerberos PowerPoint Presentation

2006-05-10 Thread Jeff Blaine
I'd like to post (or more likely make accessible via the web) a PowerPoint presentation I've done describing the absolute basics of Kerberos. The intended audience will be users or complete newbies who, in my opinion, do not need to know 90% of the material covered by other "introductions" I've se

Kerberos PowerPoint presentation

2006-05-15 Thread Jeff Blaine
Do with it what you will. Hopefully someone finds it useful. http://www.kickflop.net/archive/jblaine_Kerberos_for_Users.ppt Note that the animations and object positions do not display properly in OpenOffice 2.0. Thanks to the following people for their feedback: Wayne Morrison Mani Salveru .

Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

2006-05-16 Thread Jeff Blaine
Has anyone gotten Solaris 9's sshd and pam_krb5.so to work? I can't seem to. I am told: "authentication failed: Bad encryption type" May 16 14:19:33 noodle.foo.com sshd[676]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Bad encryption type However, MIT Ker

Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

2006-05-16 Thread Jeff Blaine
Nicolas Williams wrote: > On Tue, May 16, 2006 at 02:23:16PM -0400, Jeff Blaine wrote: >> "authentication failed: Bad encryption type" >> >> bash-2.05# /export/home/krb5/sbin/ktutil >> ktutil: rkt /etc/krb5.keytab &g

Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

2006-05-16 Thread Jeff Blaine
t, as it is not common to the client and server. Nicolas Williams wrote: > On Tue, May 16, 2006 at 03:10:04PM -0400, Jeff Blaine wrote: >> Nicolas Williams wrote: >>> What does "klist -ke /etc/krb5/krb5.keytab" say? >> bash-2.05# /export/home/krb5/bin/klist -ke /et

Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

2006-05-16 Thread Jeff Blaine
Nicolas Williams wrote: > On Tue, May 16, 2006 at 04:01:11PM -0400, Jeff Blaine wrote: >> I'm confused, then, Nicolas. >> >> As I read the output, there are 2 keys stored >> for these principals: >> >> 1 using Triple DES cbc mode with HMAC/sh

Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

2006-05-16 Thread Jeff Blaine
Yes, MIT k5 1.4.3 The only Solaris piece I ever expect to use is pam_krb5.so I've yet to touch/test Linux + K5, but it will be promptly after I find most of the hiccups with Solaris + MIT for now. Then it's on to Cyrus IMAP integration and other fun stuff. Maybe I'm just sore about it, but perh

Re: Solaris 9, stock sshd, pam_krb5, MIT 1.4.3 KDC

2006-05-17 Thread Jeff Blaine
> Silly question time: exactly where do you think your kdc.conf > is? I found a bunch of times that people would mistakenly > place it in /etc, ... You could use a system call tracer to > make sure it's reading the right file. bash-2.05# truss -o /tmp/out kadmin.local -q "getprinc cvs/noodl

Ticket forwarding failure

2006-05-22 Thread Jeff Blaine
*NOW* what am I doing wrong? :) Why are my other tickets not being forwarded? MIT Kerberos 1.4.3 telnet and telnetd in use. jblaine > klist -f Ticket cache: FILE:/tmp/krb5cc_p11561 Default principal: [EMAIL PROTECTED] Valid starting  Expires  Service principal 05/22/06 15:20:08 05

$(prefix)/var/krb5kdc not mkdir'd at install time?

2007-01-04 Thread Jeff Blaine
If $(prefix)/var/krb5kdc is where kdc.conf is expected (unless overridden), why is this area not created at 'make install' time? Seems a little odd to be able to find var/krb5kdc references inside binaries and no directory made at install time... Ke

"If you choose to install a stash file..."

2007-01-04 Thread Jeff Blaine
http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-install/Create-the-Database.html#Create%20the%20Database "If you choose to install a stash file..." What if I don't? No explanation is given as to the alternative.

Re: "If you choose to install a stash file..."

2007-01-04 Thread Jeff Blaine
Thanks, Ken. That's what I assumed. Shouldn't that be mentioned in the docs? Seems logical, especially after the words "If you choose to..." Ken Hornstein wrote: >> http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.1/doc/krb5-install/Create-the-Database.html#Create%20the%20Database >> >> "If you ch

kdb5_util core dumps

2007-01-04 Thread Jeff Blaine
MIT Kerberos 1.5.1 under Solaris 9 SPARC. dbx output below. The real problem: $(prefix)/var and $(prefix)/var/krb5kdc are not made at 'make install' time. Solve this by making those dirs. This should be caught instead of coredumping, and IMO, ideally should be solved via make install. (dbx) ru

kadmin keytab?

2007-01-05 Thread Jeff Blaine
"The kadmind keytab is the key that the legacy admininstration daemons kadmind4 and v5passwdd will use to decrypt administrators' or clients' Kerberos tickets to determine whether or not they should have access to the database." This is listed as an optional step to support legacy daemons. How do

'host' principals

2007-01-08 Thread Jeff Blaine
[ Really embarrassing complete brain failure ] When I played with MIT Kerberos 1.4.3 11 months ago, I understood this concept. Apparently I'm not aging gracefully, as I can't seem to find the documentation that got me through it. I see no real explanation of 'host' principals in the MIT docs. Th

Re: 'host' principals

2007-01-08 Thread Jeff Blaine
Ken Raeburn wrote: > On Jan 8, 2007, at 20:45, Jeff Blaine wrote: >> It's my understanding that any Kerberos application server >> (let's say we're going to offer FTP service) needs to have >> a host principal for the FTP server host *in addition to* >&

Re: 'host' principals

2007-01-08 Thread Jeff Blaine
Excellent explanation, Ken. I don't feel stupid at all for asking my question now that I see it's not as obvious as I thought it would be. I'm glad I asked. Ken Hornstein wrote: >> What's the criteria host-principal-used-or-not is based on >> for various apps? There has to be some sort of crite

Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-09 Thread Jeff Blaine
Does anyone have a guess as to what I am doing wrong? MIT Kerberos 1.5.1 Solaris 9 OEM SSH (latest patch cluster) with 'PAMAuthenticationViaKBDInt yes' and a pam.conf as such (which clearly gets hit): # Start pam.conf snippet sshd-kbdint auth requisite pam_authtok_get.so.1 sshd-kbdint aut

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-10 Thread Jeff Blaine
Douglas E. Engert wrote: > Jeff Blaine wrote: >> Does anyone have a guess as to what I am doing wrong? >> >> MIT Kerberos 1.5.1 > > Where is MIT Kerberos 1.5.1 used in this? The KDC. > You say you are using the Solaris sshd, and since the > pam.conf file does

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-10 Thread Jeff Blaine
t? Pam will use the other session and account instead, > and it most likely does not have pam_krb5 listed. > > Jeff Blaine wrote: >> Douglas E. Engert wrote: >>> Jeff Blaine wrote: >>>> Does anyone have a guess as to what I am doing wrong? >>>> >&g

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-10 Thread Jeff Blaine
> This may be obvious, but does the account jblaine exist on the system? It > has to be provided by an nsswitch provider, or sshd will always reject > logins to that account regardless of whether it passes a PAM > authentication check. Yes, the account exists. I am able to telnet in fine as jbla

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-10 Thread Jeff Blaine
.) > >> >> Douglas E. Engert wrote: >>> Did you add the session and account entries to the pam.conf >>> for sshd-kdbint? Pam will use the other session and account instead, >>> and it most likely does not have pam_krb5 listed. >>> >>> Jeff

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-10 Thread Jeff Blaine
: siginfo: SIGCLD CLD_DUMPED pid=7054 status=0x000A Russ Allbery wrote: > Jeff Blaine <[EMAIL PROTECTED]> writes: > >> Does anyone have a guess as to what I am doing wrong? > >> MIT Kerberos 1.5.1 > >> Solaris 9 OEM SSH (latest patch cluster) with >&

Wiki?

2007-01-17 Thread Jeff Blaine
Is there a Wiki for Kerberos info? It seems to me that it would be awful useful for keeping tabs on quite a bit of information that is buried in these mailing list archives.

Re: Wiki?

2007-01-17 Thread Jeff Blaine
-related PAM modules ** Russ Allbery's ** Red Hat's Sourceforge version (1.x) ** The "other" Red Hat version (2.x) *** ETC ETC * Some other topic ... Michael B Allen wrote: > On Wed, 17 Jan 2007 12:12:06 -0500 > Jeff Blaine <[EMAIL PROTECTED]> wrote: > &

Re: Wiki?

2007-01-17 Thread Jeff Blaine
1023.html Michael B Allen wrote: > On Wed, 17 Jan 2007 13:27:33 -0500 > Jeff Blaine <[EMAIL PROTECTED]> wrote: > >> My strong inclination would be to see it all in one spot. >> IMO, the History and Protocol are pretty well documented >> already. >>

Re: Wiki?

2007-01-19 Thread Jeff Blaine
I think that would be excellent. > isc has been holding the kerberos.org domain name > for some time now, mostly to prevent it from being > squatted upon and used for ad revenue. we would be > happy to put a wiki on it if that's the will of the > community. but no ads, plz, other than point

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-19 Thread Jeff Blaine
used Russ Allbery's pam_krb5.so just fine... 3. My /etc/krb5/krb5.keytab *does* have (and has always had) entries for both host/[EMAIL PROTECTED] and host/[EMAIL PROTECTED] So... How much of a real "solution" that is from Sun is debatable, but there's the su

Cannot initialize GSS-API authentication, failing.

2007-01-24 Thread Jeff Blaine
This doesn't look too promising. Any help, again, would be greatly appreciated. Solaris 10 6/06 release. Setting up a master KDC from scratch. See further down for spammy kadmin.local set up output that was generated seconds b

Re: Cannot initialize GSS-API authentication, failing.

2007-01-24 Thread Jeff Blaine
Figured it out. Just had to clear the maintenance state for kadmin (rolls eyes at self). Jeff Blaine wrote: > This doesn't look too promising. Any help, again, would > be greatly appreciated. > > Solaris 10 6/06 release. Setting up a master

Re: Solaris 9 latest OEM SSH + pam_krb5.so.1

2007-01-31 Thread Jeff Blaine
Jeffrey Hutzelman wrote: > On Friday, January 19, 2007 04:05:40 PM -0500 Jeff Blaine > <[EMAIL PROTECTED]> wrote: > >> Setting this value to false leaves >> the system vulnerable to DNS spoofing attacks. > > This somewhat understates

UNKNOWN_SERVER - Server not found in Kerberos database

2007-04-18 Thread Jeff Blaine
As always with things like this, it's hard to determine whether to send this here or to openafs-info. Can anyone tell me what is going on here? This is what krb5kdc logged when I logged into 129.83.11.213. -- sshd + UsePAM -- pam_krb5.so (RHELv4) -- pam_afs_session.so (PAM session module which u

Re: UNKNOWN_SERVER - Server not found in Kerberos database

2007-04-18 Thread Jeff Blaine
Jeffrey Altman wrote: > Jeff Blaine wrote: >> As always with things like this, it's hard to determine >> whether to send this here or to openafs-info. >> >> Can anyone tell me what is going on here? This is what >> krb5kdc logged when I logged into

Re: UNKNOWN_SERVER - Server not found in Kerberos database

2007-04-18 Thread Jeff Blaine
Russ Allbery wrote: > Jeff Blaine <[EMAIL PROTECTED]> writes: > >> Can anyone tell me what is going on here? This is what >> krb5kdc logged when I logged into 129.83.11.213. > >> -- sshd + UsePAM >> -- pam_krb5.so (RHELv4) >> -- pam_afs_sessi

Re: Lots of UNKNOWN_SERVER this time... whoa

2007-04-24 Thread Jeff Blaine
Hi Russ, > Your PAM module seems to be probing for a default realm by > trying various manipulations of your local hostname. Usually > this would indicate that your krb5.conf isn't setting a local > realm. Here's /etc/krb5.conf. Using 'kinit jblaine' asks me for the password for [EMAIL PROT

Re: Lots of UNKNOWN_SERVER this time... whoa

2007-04-30 Thread Jeff Blaine
ating an improperly named krbtgt principal or is RHELv4 pam_krb5.so improperly naming its requested principal (lowercasing it)? Jeff Blaine wrote: > Hi Russ, > > > Your PAM module seems to be probing for a default realm by > > trying various manipulations of your local hostname.

Re: Lots of UNKNOWN_SERVER this time... whoa

2007-04-30 Thread Jeff Blaine
I believe I am chalking this (original reported issue) up to a broken sshd_config, believe it or not. All of the crazy UNKNOWN_SERVER errors are gone. UsePAM was yes, ChallengeResponseAuthentication was "no" so no PAM auth was being used. Don't ask me how, but I was getting in somehow and gettin

Thunderbird issues, KfW, Windows domain + separate KDC

2007-08-06 Thread Jeff Blaine
Hi all, I've already addressed this with some of the Thunderbird developers and was directed here as it is believed it's a configuration problem, not a Thunderbird problem. ERROR: Server does not support secure authentication (rephrased error message from Thunderbird dialog). More detail

Re: Thunderbird issues, KfW, Windows domain + separate KDC

2007-08-06 Thread Jeff Blaine
rey Altman wrote: > Jeff Blaine wrote: >> Hi all, >> >> I've already addressed this with some of the Thunderbird >> developers and was directed here as it is believed it's >> a configuration problem, not a Thunderbird problem. >> >>

Re: Thunderbird issues, KfW, Windows domain + separate KDC

2007-08-06 Thread Jeff Blaine
Ken was right. Removing sasl_minimum_layer from imapd.conf solved the problem... sadly. Maybe someone else will find my write-up next time: http://www.kickflop.net/blog/2007/08/06/thunderbird-kerberos-for-windows-and-cyrus-imap/

Any ETA on 1.6.3 "final" release?

2007-10-19 Thread Jeff Blaine
Subject says it all. Been waiting on it to move forward with some stuff.

1.6.3 plugins/preauth/pkinit/configure script error

2007-10-23 Thread Jeff Blaine
./configure --disable-dns-for-realm ... ./configure: line 6255: syntax error near unexpected token `in' ./configure: line 6255: `for ac_func in' configure: error: /bin/bash './configure' failed for plugins/preauth/pkinit

Re: 1.6.3 plugins/preauth/pkinit/configure script error

2007-10-23 Thread Jeff Blaine
That worked... Tom Yu wrote: >>>>>> "jblaine" == Jeff Blaine <[EMAIL PROTECTED]> writes: > > jblaine> ./configure --disable-dns-for-realm > jblaine> ... > jblaine> ./configure: line 6255: syntax error near unexpected token `in' &

Need an old MIT Kerberos distribution

2007-10-25 Thread Jeff Blaine
I'm failing to find/get 1.3.0 for a specific need. http://web.mit.edu/Kerberos/historical.html -> http://web.mit.edu/Kerberos/krb5-1.3/krb5-1.3.html -> "Retrieve it here!" http://web.mit.edu/network/kerberos-form.html -> "The kerberos...blahblah has moved.

Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Jeff Blaine
I apologize for the general nature of this post. Maybe it's better posted to the secureshell list which is loaded with spam and is often choked up sitting on some server somewhere, but... I can ssh with GSSAPI auth to a Solaris 10 box fine. When I'm in though, klist says I have no credential cac

Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-01 Thread Jeff Blaine
Douglas E. Engert wrote: > Jeff Blaine wrote: >> I apologize for the general nature of this post. Maybe it's >> better posted to the secureshell list which is loaded with >> spam and is often choked up sitting on some server somewhere, >> but... >> >>

Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-05 Thread Jeff Blaine
Nicolas et al, SSHD server ~:alberta> uname -a SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10 ~:alberta> ~:alberta> sudo /usr/lib/ssh/sshd -p -o "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange ye

Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-05 Thread Jeff Blaine
Solved. Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes" even though it was not defined anywhere as "no" (although probably a default for some reason). Jeff Blaine wrote: > Nicolas et al, > > SSHD server ==

Now with PAM? Solaris 10 sshd and ticket forwarding

2007-11-05 Thread Jeff Blaine
[ Thanks to all of you for the previous help, BTW! ] Let's try this with PAM now. Ignore the previous work which ended up working (see messages last week). What works: I can ssh into the server and get krb5 creds (all PAM with sshd-gssapi entries). What doesn't work: I had to enter a password,

Re: Solaris 10 sshd + GSSAPI = where's my cred cache?

2007-11-05 Thread Jeff Blaine
Sorry, I meant to say "GSSAPIDelegateCredentials yes" on the client side. Douglas E. Engert wrote: > > > Jeff Blaine wrote: >> Solved. >> >> Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes" >> even though it was not defined

Re: Now with PAM? Solaris 10 sshd and ticket forwarding

2007-11-05 Thread Jeff Blaine
d-gssapi session required /krb5/lib/pam_krb5_ccache.so.1 clean > > The pam_afs2 is the local equivalent of pam_afs_session which should > also work. > > The pam_krb5_ccache sets the KRB5CCNAME to force a clean cache, to avoid > some bugs which Sun may have fixed, then cleans up th

Re: Now with PAM? Solaris 10 sshd and ticket forwarding

2007-11-05 Thread Jeff Blaine
Very likely. One heads down roads like these and the default 'other' stack are the last things to consider (for me at least). Nicolas Williams wrote: > On Mon, Nov 05, 2007 at 02:43:56PM -0500, Jeff Blaine wrote: >> Those 3 lines make it work. Thanks again, Doug. >>

Ticket forwarding with Cygwin's openssh?

2007-11-16 Thread Jeff Blaine
Has anyone gotten this to work? From all I can tell it's not possible.

password incorrect but it's not, works fine with Solaris + MIT?

2007-12-07 Thread Jeff Blaine
What am I doing wrong this time? -bash-2.05b# /usr/kerberos/bin/kinit [EMAIL PROTECTED] Password for [EMAIL PROTECTED]: kinit(v5): Password incorrect while getting initial credentials -bash-2.05b# -bash-2.05b# rpm -qa | grep krb5 krb5-workstation-1.2.7-38 krb5-libs-1.2.7-38

Re: Kerberos Digest, Vol 60, Issue 9

2007-12-10 Thread Jeff Blaine
> ... >>>Key: vno 5, DES cbc mode with CRC-32, AFS version 3 > ... >^ > > Have you tried using other salt types? > > -Marcus Watts I'm afraid I don't have that luxury, if I understand you correctly. We hav

Re: password incorrect but it's not, works fine with Solaris + MIT?

2007-12-11 Thread Jeff Blaine
n the original message to the list) and got the same error. Jeff Blaine wrote: > What am I doing wrong this time? > > -bash-2.05b# /usr/kerberos/bin/kinit [EMAIL PROTECTED] > Password for [EMAIL PROTECTED]: > kinit(v5): Password incorrect while getting initial credentials > -b

Re: password incorrect but it's not, works fine with Solaris + MIT?

2007-12-11 Thread Jeff Blaine
definitions from /etc/krb5.conf * kinit works fine for jblaine (des-cbc-crc:afs3) Removed any enctype definitions from kdc.conf * kinit works fine for jblaine (des-cbc-crc:afs3) So the obvious answer is to trash RHELv3 krb5 and build our own which is really frustrating. Jeff Blaine wrote

Re: password incorrect but it's not, works fine with Solaris + MIT?

2007-12-11 Thread Jeff Blaine
Marcus Watts wrote: > I was hoping you would try different salt types on the principal itself > (while leaving the enctype as des-cbc-crc). Still, you appear to have > 2 of 3 necessary conditions to manifest the bug described here: > http://mailman.mit.edu/pipermail/krb5-bugs/2006-February/0

Re: password incorrect but it's not, works fine with Solaris + MIT?

2007-12-12 Thread Jeff Blaine
The patch applies cleanly to 1.6.3 and solves the problem. Old 1.2.7 kinit as provided with RHELv3 works fine now. Marcus Watts wrote: > I was hoping you would try different salt types on the principal itself > (while leaving the enctype as des-cbc-crc). Still, you appear to have > 2 of 3 necess

Automating creation of service principals (new hosts, etc)

2008-01-14 Thread Jeff Blaine
You've got a new UNIX box to stand up for users (or, more appropriate for the topic, you've got 50 new UNIX boxes...). How are people approaching the creation of host/host.foo.com without human intervention?

kadmin -c : shouldn't this work?

2008-02-13 Thread Jeff Blaine
% /usr/rcf-krb5/bin/kinit -p admin/admin Password for admin/[EMAIL PROTECTED]: % /usr/rcf-krb5/sbin/kadmin -c /tmp/krb5cc_26560 Authenticating as principal admin/[EMAIL PROTECTED] with existing credentials. kadmin: Matching credential not found while initializing kadmin interface _

Re: kadmin -c : shouldn't this work?

2008-02-14 Thread Jeff Blaine
Thanks Ben and Chris -p is not valid for kinit kinit -S kadmin/admin admin/admin is what worked. Christopher D. Clausen wrote: > Jeff Blaine <[EMAIL PROTECTED]> wrote: >> % /usr/rcf-krb5/bin/kinit -p admin/admin >> Password for admin/[EMAIL PROTECTED]: >> % /usr/r

ticket_lifetime

2008-02-21 Thread Jeff Blaine
Is ticket_lifetime deprecated? I don't see it mentioned in the MIT docs for 1.6.3 yet it actually works. Related old thread: http://mailman.mit.edu/pipermail/kerberos/2004-January/004290.html

Ticket Cache best practices?

2008-02-28 Thread Jeff Blaine
I've searched and found nothing worthwhile. Are there any discussions of ticket cache practices that would be worth reading (security-related or otherwise)?

Password changed too recently

2008-03-24 Thread Jeff Blaine
Is there a way to override this restriction? We can't have this in our way. > % /usr/rcf-krb5/bin/kpasswd > Password for [EMAIL PROTECTED] > Enter new password: > Enter it again: > Password change rejected: Password cannot be changed because it was > changed too recently. > Please wait unt

Re: Password changed too recently

2008-03-24 Thread Jeff Blaine
How strange. I sure don't remember setting a minimum password life and I'm the only one who has touched this. kadmin.local: getpol OURPOL Policy: OURPOL Maximum password life: 1209600 Minimum password life: 604800 Minimum password length: 6 Minimum number of password character classes: 2 Number

I wonder if the stash key is a good font

2008-04-22 Thread Jeff Blaine
# file .k5.RCF.FOO.COM .k5.RCF.FOO.COM: TrueType font file version 1.0 (TTF)

DB propagation silently fails

2008-04-22 Thread Jeff Blaine
Where's my -verbose flag for kprop! :) I'm obviously new to this step (slave KDCs) so any debugging methods would be helpful if shared. syslog shows nothing. % sudo kdb5_util dump /var/krb5kdc/slave_datatrans % sudo kprop -f /var/krb5kdc/slave_datatrans rcf-kdc2.foo.com % rcf-kdc2% pwd /var/krb

Re: DB propagation silently fails

2008-04-23 Thread Jeff Blaine
Solved: kprop/kpropd doesn't work with DNS CNAME entries in kpropd.acl Jeff Blaine wrote: > Does this help at all? > > ... > ... > 19230: so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, "", 1) = 5 > 19230: connect(5, 0xFFBFF6E0, 16, 1)

kprop: Software caused connection abort while reading response from server

2008-04-23 Thread Jeff Blaine
Onto the next problem: [ This guy never got responded to in public that I can see:] [ http://mailman.mit.edu/pipermail/kerberos/2007-August/012034.html ] kdc% sudo sbin/kprop -f /var/krb5kdc/slave_datatrans kdc2.foo.com sbin/kprop: Software caused connection abort while reading response from

Re: kprop: Software caused connection abort while reading response from server

2008-04-23 Thread Jeff Blaine
bytes sent. sbin/kprop: Software caused connection abort while reading response from server kdc% Jeff Blaine wrote: > Onto the next problem: > > [ This guy never got responded to in public that I can see:] > [ http://mailman.mit.edu/pipermail/kerberos/2007-August/012034.html

Re: kprop: Software caused connection abort while reading response from server

2008-04-23 Thread Jeff Blaine
exists ../kdc2-krb5/sbin/kpropd: /var/kdc2-krb5/sbin/kdb5_util returned a bad exit status (1) kdc2% On the main KDC (where kprop is being run): sbin/kprop: Software caused connection abort while reading response from server Jeff Blaine wrote: > Oh hey, there IS a -d flag! Here's t

Re: DB propagation silently fails

2008-04-23 Thread Jeff Blaine
2".., 95) = 95 19230: write(5, "\0\0\0 e", 4) = 4 19230: write(5, " t c 0 aA003030104A10302".., 101) Err#32 EPIPE 19230: Received signal #13, SIGPIPE [default] Jeff Blaine wrote: > Where's my -verbose flag for kprop! :) I'm obv

Re: kprop: Software caused connection abort while reading response from server

2008-04-24 Thread Jeff Blaine
os@mit.edu/msg13573.html Another user who experienced the same thing as me (bottom half of web page) and thankfully wrote up a solution! http://www.ba.infn.it/~domenico/docs/AAIFiles/kerberos.html Jeff Blaine wrote: > And more! > > kdc2% sudo ../barnowl-krb5/sbin/kpropd -d -S > Conne

Solaris 10, secure nfs, permission denied

2008-05-15 Thread Jeff Blaine
If anyone has any idea what I am doing wrong here, please chime in. ~:barnowl> uname -a SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc SUNW,Sun-Fire-V240 ~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs 3 nfs/[EMAIL PROTECTED] (DES cbc mode with CRC-32) 4 nfs/[EMAIL PROTEC

Re: Solaris 10, secure nfs, permission denied

2008-05-15 Thread Jeff Blaine
Heh, so much for "sanitizing" email before I send it out. Everything is mitre.org. Ignore the foo.com. They all match. > Why does barnowl have a keytab entry for crete in its keytab? Just me screwing around. Should be irrelevant. > Could be hostname and principal don't match: crete.foo.com !=

Re: Solaris 10, secure nfs, permission denied

2008-05-15 Thread Jeff Blaine
> It looks like maybe you tried to hide some details, but didn't get > them all? Does your real DNS domain match your REALM name? If not, > does your krb5.conf (/etc/krb5/krb5.conf) properly map the hosts' > domain(s) to your realm? Yes *sigh* :( Everything works properly outside of this parti

Re: Solaris 10, secure nfs, permission denied

2008-05-15 Thread Jeff Blaine
Will Fiveash wrote: > On Thu, May 15, 2008 at 12:55:15PM -0400, Jeff Blaine wrote: >> If anyone has any idea what I am doing wrong here, please >> chime in. > > Have you followed the steps documented in the Configuring Kerberos NFS > Servers and Configuring Kerberos Cli

Re: Solaris 10, secure nfs, permission denied

2008-05-15 Thread Jeff Blaine
Okay, well, according to the docs, I don't see that I am doing anything wrong. Here's a load of info showing the situation and the resulting KDC info. PS: The catted example krb5.conf at http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view is missing a closing brace for gkadmin in appdefaul

Re: Solaris 10, secure nfs, permission denied

2008-05-19 Thread Jeff Blaine
> In general it looks like it should be working. Can you do the > > sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr > sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt /:barnowl> sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr /:barnowl> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt nfs

Re: Solaris 10, secure nfs, permission denied

2008-05-21 Thread Jeff Blaine
Will, you're a little too helpful :) I'm not ready to reply to the list and provide the summary of what the solution to my original post was. Strange that you are ... for me! A bit premature. Using short hostnames did not solve the problem. Fixing /var/krb5 on the single box that was missing i

Solaris 10 SMF manifest for slave KDC inetd stuff?

2008-06-25 Thread Jeff Blaine
Has anyone created a Solaris 10 SMF manifest for the following things which are *supposed* to go in /etc/inetd.conf? Maybe they won't work outside of inetd? krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd eklogin stream tcp nowait root /usr/local/sbin/klogind klogind

Cannot contact any KDC for requested realm while getting initial credentials

2008-08-12 Thread Jeff Blaine
Hi all, I'm having a very strange problem below that I cannot figure out. Any advice would be great to hear. First a block showing the problem, then a block showing that a different machine works perfectly fine (and others I've tested but not showing here for briefness). Basically, the master KD

ktadd then principal's password no longer works?

2009-08-14 Thread Jeff Blaine
Again, I must really not understand something. This principal's password is getting trashed after I use ktadd % sudo kadmin -p admin/admin Authenticating as principal admin/admin with password. Password for admin/ad...@foo.com: kadmin: ktadd -k admin.kt admin/admin Entry for principal admin/admi

Re: ktadd then principal's password no longer works?

2009-08-14 Thread Jeff Blaine
Goofy :/ I wonder how people script kadmin queries with MIT-krb5. You know, like, setting every principal's password expiration. Shumon Huque wrote: > On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote: >> Again, I must really not understand something. This >> pri

Re: ktadd then principal's password no longer works?

2009-08-14 Thread Jeff Blaine
>>> % sudo kadmin -p admin/admin >>> Authenticating as principal admin/admin with password. >>> Password for admin/ad...@foo.com: >>> kadmin: ktadd -k admin.kt admin/admin > > You are creating a keytab to be used as the admin? > with a random password? > > I think you are trying to create a keyt

password expiration/change request fails to ask

2009-10-13 Thread Jeff Blaine
Solaris 10 SPARC OS Solaris 10 / Sun sshd MIT Kerberos 1.7 Russ Allbery's fantastic pam_krb5 3.15 linked to above Solaris 9 + MIT Kerberos + RA pam_krb5 works! RHELv5 with stock MIT Kerberos + RA pam_krb5 works! The setup above fails. On the client side, I merely see "Permission denied." instea

Re: password expiration/change request fails to ask

2009-10-13 Thread Jeff Blaine
he problem. Thanks again, Russ. Jeff Blaine wrote: > Solaris 10 SPARC OS > Solaris 10 / Sun sshd > MIT Kerberos 1.7 > Russ Allbery's fantastic pam_krb5 3.15 linked to above > > Solaris 9 + MIT Kerberos + RA pam_krb5 works! > > RHELv5 with stock MIT Kerberos + RA pam

Kerberos tickets, SSH public key auth, AFS tokens

2009-12-16 Thread Jeff Blaine
Long ago, we evaluated the facilities within OS-provided sshd for handling our Kerberos + OpenAFS authentication needs. That is, things like the Kerberos* settings, GetAFSToken or whatever it was called, etc. We found it to be an unusable mismatched moving target. We decided to do everything via

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-16 Thread Jeff Blaine
On 12/16/2009 5:39 PM, Douglas E. Engert wrote: > Jeff Blaine wrote: >> Long ago, we evaluated the facilities within OS-provided >> sshd for handling our Kerberos + OpenAFS authentication >> needs. That is, things like the Kerberos* settings, >> GetAFSToken or whatever i

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-16 Thread Jeff Blaine
On 12/16/2009 8:33 PM, Russ Allbery wrote: > Jeff Blaine writes: > >> sshd[20489]: [ID 237248 auth.debug] (pam_afs_session): >> pam_sm_open_session: entry (0x0) >> sshd[20489]: [ID 237248 auth.debug] (pam_afs_session): skipping tokens, >> no Kerberos ticket cache >

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-16 Thread Jeff Blaine
On 12/16/2009 10:24 PM, Russ Allbery wrote: > Jeff Blaine writes: > >> Yup, they're there, just no tokens. I even tried a pam_krb5RA2.so and >> pam_afs_session2.so built against the Sun kerberos instead of our local >> MIT kerberos for kicks. Same result. >

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-18 Thread Jeff Blaine
> But this won't work with ssh public keys. If its winCVS > on Windows you are interested in, it too can support GSSAPI. Doug, I'd like to hear about WinCVS + some SSH using GSSAPI if that's what you're referring to (using :gserver: isn't going to cut it as far as I can see, since there will be no

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-18 Thread Jeff Blaine
Thanks Doug > The which PuTTY has GSSAPI: > > Quest has one that uses SSPI. http://rc.quest.com/topics/putty/ Hmm, I can't see to get this to work at all (ignoring CVS). I have KfW creds for jblaine, afs, and krbtgt on this Windows box. I have a QuestPuTTY session named faron.foo.org GSSAP

Re: Kerberos tickets, SSH public key auth, AFS tokens

2009-12-21 Thread Jeff Blaine
> Chris suggested trying: http://matthew.loar.name/software/putty/ > I have not tried it, but it sounds like it will work well with > KfW. It works perfectly so far. Thanks all.
