Re: KRB5CCNAME is not reread

2006-02-02 Thread Jeffrey Altman
the application chooses to open the default credentials cache. The application passes a handle to the credential cache to the library with each call. If the credential cache needs to be changed, it is the responsibility of the application to make that decision. Jeffrey Altman

Re: Shall I capture Kerberos-password failure error message ALONE?

2006-02-02 Thread Jeffrey Altman
on failure due to the incorrect password is identified by the client and a password error is produced. The KDC does not send incorrect password errors. Jeffrey Altman Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Question about Kerberos

2006-01-18 Thread Jeffrey Altman
his > OS. > > Should it build through the sources ?? > > Thanks in advance > > Peter MIT Kerberos does not build the server libraries or applications for Microsoft Windows. Jeffrey Altman

Re: KDC Hardware

2006-01-05 Thread Jeffrey Altman
> You can't buy a server that small any more. > > -GAWollman I have some old Sparc machines I am willing to part with for shipping costs. Jeffrey Altman

Re: need help with KfW 3.0

2006-01-03 Thread Jeffrey Altman
ale is not configured either for the user or the system, then the message string DLLs which are only available in "en_US" will not be loaded. This will be fixed later this month in KFW 3.1. Jeffrey Altman

Re: Common keytab file for all the application servers - Is it possible

2006-01-02 Thread Jeffrey Altman
be any of the devices that shared that principal name and keytab. As long as the devices are considered unique entities from the perspective of the client connecting to them, they should be assigned unique service principals. Jeffrey Altman

Re: Kerberos Question = Stale Tickets

2005-12-27 Thread Jeffrey Altman
incorrect authentication data. Jeffrey Altman Brady, Ted wrote: > We are implementing a conferencing platform for collaborative > conferencing and ran into an issue with authentication. A small group of > users were being challenged for domain authentication when trying to > access the conf

Re: Key version number for principal in key table is incorrect -

2005-12-21 Thread Jeffrey Altman
client principal for which you know the password and can obtain a TGT. This will create for you a credential cache. kvno will not ask you for a credential cache unless it cannot find one with a valid TGT. "kvno sample/[EMAIL PROTECTED]" will report the key ve

Re: Key version number for principal in key table is incorrect -

2005-12-21 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Hi all, > > I have seen the earlier replies to the similar issues and tried to > debug myself. Could not solve the issue, so posting once again. > > I am trying to run the gss api sample applications using windows 2003 > server. I have two linux machines and I am tryin

Re: User delegation in Kerberos V5

2005-12-19 Thread Jeffrey Altman
using AFS, you can give Alice your AFS token to access AFS, but then Alice has all of the privileges that you have. She will not be restricted only to the directories you wish her to access but can do anything you can do. This is simply not smart. Jeffrey Altman

Re: User delegation in Kerberos V5

2005-12-17 Thread Jeffrey Altman
I don't think you want to give Alice your credentials in this case. What you want to do is associate an ACL on your files/directories which provides Alice permissions to access them in the methods you wish to permit. Jeffrey Altman [EMAIL PROTECTED] wrote: > Hi, > > I am wonderi

Re: kfw-3.0 can't obtain tickets from heimdal kdc 0.7.1(Bad address

2005-12-17 Thread Jeffrey Altman
jay alvarez wrote: > > Jeffrey Altman <[EMAIL PROTECTED]> wrote: Both of the Heimdal KDCs I have > access to work fine but I do > not know what version of Heimdal they are using. > Before, I used to have a heimdal-0.6.x + Leash ticket manager(kfw2.6.5) and >

Re: kfw-3.0 can't obtain tickets from heimdal kdc 0.7.1(Bad address

2005-12-15 Thread Jeffrey Altman
ses listed in the ticket request. Do you have a [libdefaults] entry "noaddresses = false" ? If so, does it make a difference if you change it to "true"? Jeffrey Altman jay alvarez wrote: > Ok, here's what I did: > I am trying to setup a kdc server for mixed un

Re: Permission denied in replay cache code

2005-12-13 Thread Jeffrey Altman
environments. Note that GSSAPI was not designed with multi-threaded environments in mind. While the MIT implementation is now safer, you must still ensure that only one thread uses each gss security context. Jeffrey Altman Balakrishnan, Sivakumar wrote: > Hi, > > > > I have install

Re: KfW 3.0 problem: identity provider

2005-12-07 Thread Jeffrey Altman
Kerberos 5 identity manager. If you determine why the krb5_32.dll cannot be loaded, you will have the answer to your problem. I ask about other implementations because the versions of krb5_32.dll that NRL used to distribute have incompatibilities with the ones distributed by MIT. Jeffrey

Re: Interop/Compat: 3DES used in AS-REP despite no client support

2005-12-07 Thread Jeffrey Altman
When creating or modifying the cross realm principals with MIT kadmin, you must specify the list of enc:salt combinations you wish created for that principal. If you do not specify a list, the default list from kdc.conf will be used. You use the "-e enc:salt ..." option as documented here: http:

Re: Telnet authentication problem

2005-12-06 Thread Jeffrey Altman
n > ecrypted telnet session, telnetd comes back with "authorization failed". > Auth is taking place within a single realm. > > Any ideas? TIA! Your service principals do not have single DES enctypes. The MIT Telnet only supports single DES. The Telnet distribution from http:/

Re: new leash 3.0 issues

2005-12-04 Thread Jeffrey Altman
Are you sure that you mean Leash? Leash has been replaced by NetIdMgr in kfw 3.0. I will contact you privately with a new build to test. Jeffrey Altman Matthew Cocker wrote: > Hi > > I have been having some fun with the 3.0 MSI based install. It seems > that the debug(?) dlls

Re: Some problem in forming the TGS request pkt with krb5_parse_name()

2005-11-28 Thread Jeffrey Altman
construct the request to the KDC? Please keep in mind that Kerberos authenticates two peers to each other by name. The requirement is that the service principal exist in the Kerberos Database. Do you have service principals in the KDB of the form "host/[EMAIL PROTECTED]"? Jeff

Re: Quick Question?

2005-11-28 Thread Jeffrey Altman
d. If you want clients outside the firewall to be able to contact KDCs inside the firewall, you need to open inbound. Jeffrey Altman

Re: Handling credentials cache on Win32 without loading krbcc32s.exe?

2005-11-28 Thread Jeffrey Altman
to enter their credentials. If this is an end user application, it is preferable for the tickets to be obtained via the provided ticket manager. Leash32.exe in KFW 2.6.5. Jeffrey Altman

Re: Cross-realm network traffic...

2005-11-17 Thread Jeffrey Altman
onfigured > appropriately in each realm.) The client talks to a KDC in each realm in order to obtain the TGTs for each realm. KDCs from different realms do not talk to one another. Firewalls should not block port 88/udp or 88/tcp. Otherwise, clients ca

Re: X.509 Interop

2005-11-16 Thread Jeffrey Altman
o use a Kerberos service ticket to obtain an X.509 certificate with the same lifetime as the Kerberos ticket. Jeffrey Altman

Re: Kerberos V5 Authentication for a Telnet Session

2005-10-28 Thread Jeffrey Altman
-Kermit's Telnet Debugging is superb if what you are looking for are dumps of the negotiations. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu

Re: Kerberos V5 Authentication for a Telnet Session

2005-10-27 Thread Jeffrey Altman
Neither Microsoft's Telnet Server nor their Telnet client support Kerberos authentication. In order to use Kerberos 5 authentication on Windows you will need to find third party products that provide this functionality. Jeffrey Altman [EMAIL PROTECTED] wrote: > Here is what i want

Re: Unable to to get a TGT that abides to specified renewal interval

2005-10-15 Thread Jeffrey Altman
/05 13:51:29 krbtgt/[EMAIL PROTECTED] > renew until 10/15/05 03:51:29, Flags: RI > > I would really appreciate any insights to solve this riddle. > > Ciao > Stefano Check the lifetime settings for the krbtgt/[EMAIL PROTECTED] and [EMAIL PROTECTED] principals in the K

Re: question on keytabs

2005-10-12 Thread Jeffrey Altman
osign installation to anyone else. If you have done so, you should change the keys immediately. Anyone with access to the cosign keys can gain access to all of the Kerberos 5 TGTs for users that have logged into Cosign. Jeffrey Altman

Re: KSSL

2005-10-11 Thread Jeffrey Altman
SL_KEYTAB,KRB5KEYTAB); > } > } > .... > > Thanks, > vj > There are no browsers that I am aware of that support the Kerberos ciphers. Jeffrey Altman

Re: tgt lifetime

2005-10-11 Thread Jeffrey Altman
Vladimir Konrad wrote: > hello, > > i am trying to extend the tgt lifetime to 5 days. i have modified the krbtgt > principal (the showprinc reports the correct lifetime value). the kdc.conf > looks ok (the max_life is set to 7 days). > > but when doing "kinit -l 5d", all i get is 2 days of lifeti

Re: AS_REP question

2005-09-30 Thread Jeffrey Altman
ipal and you must obtain a service ticket for that principal and validate that you can decrypt it with the service principal's long term key. Take a look at krb5_verify_init_creds() Jeffrey Altman

Re: Config for enctypes on *received* service tickets

2005-09-29 Thread Jeffrey Altman
A Bad Integrity error is most likely the result of having the wrong key in the keytab entry. Jeffrey Altman

Re: Kerberos 4 Authentication

2005-09-28 Thread Jeffrey Altman
ining a TGT fail with kinit -4 [EMAIL PROTECTED] and succeed with klog [EMAIL PROTECTED] with the same password? Jeffrey Altman

Re: Where download MIT KDC binary for Windows?

2005-09-28 Thread Jeffrey Altman
Siva: At the present time MIT KFW only provides the Kerberos client libraries and tools. KFW does not contain either a KDC or any of the kadmin libraries. Jeffrey Altman Balakrishnan, Sivakumar wrote: > You can find it at > > http://web.mit.edu/kerberos/dist/index.html#KFW2.6.5

Re: Where download MIT KDC binary for Windows?

2005-09-27 Thread Jeffrey Altman
raries on Windows. Jeffrey Altman smime.p7s Description: S/MIME Cryptographic Signature

Re: get only username from REMOTE_USER variable

2005-09-27 Thread Jeffrey Altman
authentication from multiple realms, it is necessary to include the full principal name in REMOTE_USER to distinguish the source of the authentication. Jeffrey Altman

Re: Building Debug version of MIT kerberos for windows

2005-09-26 Thread Jeffrey Altman
The only Platform SDK that is supported is the "Windows XP SP2 Platform SDK". The compiler that is used to build it is VS.NET 2003. It sounds like you must obtain a version of awk that works as well. Jeffrey Altman Balakrishnan, Sivakumar wrote: > Hi, > > > >

Re: Kerberos support in Thunderbird

2005-09-26 Thread Jeffrey Altman
an't seem to get Thunderbird to retrieve my > email. I do not believe that the MIT mail servers support SASL GSSAPI Kerberos 5 for authentication. You might want to contact the Help Desk to confirm this. Jeffrey Altman

Re: Kerberos support in Thunderbird

2005-09-16 Thread Jeffrey Altman
's original role in supporting Firefox's > NegotiateAuth implementation - fixing this in some way is bug #307788 @ > bugzilla.mozilla.org > > Simon. I can confirm that prompting works on Windows with MIT KFW 3.0 and the appropriate settings entered into about:config. Jeffrey Alt

Re: Kerberos support in Thunderbird

2005-09-12 Thread Jeffrey Altman
users need to have the ability to disable the use of GSSAPI on a per mailbox basis until such time as we have better client principal selection algorithms in place. Jeffrey Altman

Re: Kerberos support in Thunderbird

2005-09-12 Thread Jeffrey Altman
et to get MIT's Kerberos > For Windows (and it's GSSAPI library) used instead of Microsoft's > sspi. > > This line: > > user_pref("network.auth.use-sspi", false); > > Needs to be put into a user's "prefs.js" in their user profile d

Re: Win2k3 SP1 ktpass problem.

2005-09-09 Thread Jeffrey Altman
Is the correct kvno value being written to the keytab entry? Use the KFW kvno.exe command to find out what kvno the service principal is using. Then include that value in the ktpass.exe command line with the -kvno command line option. Jeffrey Altman Srini wrote: > Hi, > > I have

Re: Win2k3 SP1 ktpass problem.

2005-09-08 Thread Jeffrey Altman
Are you specifying the correct kvno and are you extracting the correct enctype? 2K3 SP1 supports the export of RC4-HMAC keys and that might be the new default. Jeffrey Altman Srinivas Cheruku wrote: > Hi, > > I am using Win2k3 as my KDC. > > I was using the keytab extrac

Re: sspi cache vs mit credential cache

2005-09-06 Thread Jeffrey Altman
t all. If the application is written to use the MIT Kerberos libraries then there are two choices. Leash can copy the credentials from the MSLSA ccache into the MIT CCAPI cache or the user can choose to use the MSLSA cache directly. Be sure you are using KFW 2.6.5. Jeffrey Altman

Re: Password Changing failing from Windows to MIT KDC

2005-09-02 Thread Jeffrey Altman
Mike: Thanks for this additional piece of information. It is quite possible that the issue is related to NAT effects. I will need to look into the reason for why a ticket containing addresses is being obtained. The default for KFW is to not obtain tickets with addresses. Jeffrey Altman

Re: Tickets get flushed when Windows Xp locked?

2005-09-01 Thread Jeffrey Altman
mathieu.bouffard wrote: > Hi, I have some problems with some compiling jobs running while Windows > Xp is locked, and I noticed that when you lock and unlock a session, > all the kerberos TGT and service tickets get deleted and recreated. > This seems to only happen under Windows Xp (new security f

Re: windows browsers send ntlm instead of kerberos tokens

2005-08-26 Thread Jeffrey Altman
Julien ALLANOS wrote: > Quoting Jeffrey Altman <[EMAIL PROTECTED]>: > >> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos >> support. If you want them to have Kerberos credentials, Windows must >> obtain them for you when you login to Win

Re: windows browsers send ntlm instead of kerberos tokens

2005-08-26 Thread Jeffrey Altman
Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos support. If you want them to have Kerberos credentials, Windows must obtain them for you when you login to Windows using an Active Directory account. Jeffrey Altman Julien ALLANOS wrote: > Hello, > > I'm

Re: Mail.app with multiple accounts using Kerberos

2005-08-26 Thread Jeffrey Altman
John Rudd wrote: > Jeffrey Altman wrote: > > >> The reality is that in the current day you either need to use >> cross-realm or your applications have to maintain knowledge of which >> principal should be used to access the given resource. >> >> This is

Re: Password Changing failing from Windows to MIT KDC

2005-08-22 Thread Jeffrey Altman
Mike: I can verify that there is a problem although I cannot determine at the moment what the source of it is. What is the most recent version of KFW that you are aware works? Please send a bug report to [EMAIL PROTECTED] Jeffrey Altman Mike Friedman wrote: > I posted on this a few days

Re: Kerberos for Windows 2.6.5 ccname FILE: issues

2005-08-22 Thread Jeffrey Altman
I can replicate the problem but don't see anything obviously wrong. Please send a bug report to [EMAIL PROTECTED] Jeffrey Altman Hughes, Noah L [ECSS] wrote: > Jeffrey, > > You are right, kdestroy.exe works with the FILE:c:\temp\krbcache. The > reason I had trouble was

Re: Mail.app with multiple accounts using Kerberos

2005-08-19 Thread Jeffrey Altman
you either need to use cross-realm or your applications have to maintain knowledge of which principal should be used to access the given resource. This is a non-trivial problem. Jeffrey Altman

Re: Memory Leak problems with krb5_get_init_creds_password?

2005-08-17 Thread Jeffrey Altman
Chet Burgess wrote: > It is important to note that even if you have the > REALM and KDC(s) listed in the file properly the library will still > try DNS first, so you MUST add "dns_fallback = false" to turn off the > resolver calls. I am fairly sure that DNS is not used in preference to the config

Re: Kerberos

2005-08-05 Thread Jeffrey Altman
If you are using the MIT Kerberos APIs they are the same for Unix and Windows. The SDK is available as part of the KFW distribution. Jeffrey Altman Janos wrote: > Hello! My problem is this: > I need to write two simple kerberized application for > windows. I have seen examples

Re: Kerberos on AIX 5.3 : error :Cannot retrieve key from keytab

2005-07-24 Thread Jeffrey Altman
s/[EMAIL PROTECTED] > > > When klist is able to read /etc/krb5/krb5.keytab file why is kinit > not able to retrieve the key. You are using a Java version of kinit. Does the version of Java you are using support all of the key types included in the keytab file? Jeffrey Altman

Re: SPN Canonicalization

2005-07-24 Thread Jeffrey Altman
Kerberos mechanism it will obtain a Kerberos service ticket and establish a connection to the service. The requirement to make this work is that the names entered by the user (or those constructed by lookup) must have service principal names in the KDB and the keytab files on the machines that are

Re: EAP-Kerberos

2005-07-19 Thread Jeffrey Altman
realm act as a proxy to other realms? You already have a proxy that will be communicating with the KDC from the local realm. Why wouldn't that proxy act like a normal Kerberos client and communicate with each of the realms necessary to obtain service tickets for the source client

Re: Minimizing Leash on Start up

2005-07-15 Thread Jeffrey Altman
remove the -autoinit parameter. If you haven't read the Leash User Documentation, KFW Release Notes, and MSI Deployment Guide, please do. Jeffrey Altman Noah Hughes wrote: > Is there any current way to keep Leash from prompting for a password > the first time it starts? Ideally, It

Re: Kerberos for Windows 2.6.5 ccname FILE: issues

2005-07-15 Thread Jeffrey Altman
:\src\openafs\openafs-cvs\src\WINNT\afsd]kdestroy [C:\src\openafs\openafs-cvs\src\WINNT\afsd]klist klist.exe: No credentials cache found (ticket cache FILE:c:\temp\krbcache) Kerberos 4 ticket cache: API:krb4cc klist.exe: No ticket file (tf_util) Jeffrey Altman Noah Hughes wrote: > I have fou

Re: Windows SSH client that uses tickets not obtained from AD login

2005-07-11 Thread Jeffrey Altman
Kermit 95 provides support for SSH with GSS and it derives its tickets from KFW. The version distributed by Columbia University is old and not quite up to date but it works. jay alvarez wrote: > Hi, > Do you know any windows ssh client that can use > gss

Re: Assertion failures

2005-07-09 Thread Jeffrey Altman
-disable-threads will turn off support for building multi-threaded applications. In my opinion, it is best if you build your libraries and applications for the specific version of the OS you are using. Backward compatibility only goes so far. Jeffrey Altman

Re: Java sample for SSO using JAAS on XP SP2,

2005-07-09 Thread Jeffrey Altman
indows using Kerberos, you can obtain the Kerberos user principal name. This name does not have to match the name of the Windows logon name. Jeffrey Altman

Re: Updating encryption types

2005-07-06 Thread Jeffrey Altman
Phil Dibowitz wrote: > On Tue, Jul 05, 2005 at 01:48:54PM -0700, Phil Dibowitz wrote: > >>from kadmin, great (though is that "no salt" supposed to be there?)! >> >>However, klist -e shows: >> >>[EMAIL PROTECTED] unstale]$ klist -e >>Ticket cache: FILE:/tmp/krb5cc_36070 >>Default principal: [EMAIL

Re: Windows KDC interoperablity with linux clients

2005-07-02 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Hi, > > I am trying to use non windows clients to use Windows as KDC. Does the > non windows clients need to be part of the domain ? If you want to be able to use kerberos for login to the machine then you should have assigned to the machine a "host/[EMAIL PROTECTED]" se

Re: Offline password attacks on AS-REQ

2005-06-16 Thread Jeffrey Altman
ld force all AS-REQ and AS-REP across an SSL tunnel. If you are this concerned, you should probably require IPSec when talking to your Domain controllers. Jeffrey Altman

Re: Offline password attacks on AS-REQ

2005-06-15 Thread Jeffrey Altman
IETF Kerberos Working Group. Unfortunately, due to existing patents and the deployment strategies of some vendors we have not been able to reach consensus on a single approach that would be interoperable for all. Jeffrey Altman

Re: remote printing/drive mapping to windows ad with mit kerberos

2005-06-14 Thread Jeffrey Altman
his functionality. One option you have is to allow your users to join their machines to the WIN.AD.REALM. Jeffrey Altman

Re: potential for harm in DES AD/MIT trust

2005-06-04 Thread Jeffrey Altman
l such time as they no longer need to be used. With 2003 Server SP1 there should no longer be a reason to use DES keys for anything but compatibility with Java 1.5 and earlier. Jeffrey Altman

Re: Kerberos for Wireless Authentication

2005-06-03 Thread Jeffrey Altman
n work on at a given time. If members of the wireless community were to participate in the working group, it would increase the amount of work that can be accomplished. Jeffrey Altman

Re: kerberos authentication for apache on windows

2005-06-02 Thread Jeffrey Altman
that uses the MIT Kerberos APIs, you can build the module against the SDK that is installed as a part of MIT Kerberos for Windows. Jeffrey Altman

Re: Kerberos for Wireless Authentication

2005-06-01 Thread Jeffrey Altman
ver all you are doing is using Kerberos to perform a database lookup. This technique is frequently used as a means of providing single password functionality to an organization but it is not Kerberos. Jeffrey Altman

Re: ckermit on Mac OS 10.3.9 with Kerberos?

2005-05-27 Thread Jeffrey Altman
u/user/j/a/jaltman/Public/kermit/kermit.macosx103.secure http://web.mit.edu/jaltman/Public/kermit/kermit.macosx103.secure Unfortunately, source is not available. Jeffrey Altman

Re: kerberos question?

2005-05-02 Thread Jeffrey Altman
nt this you should require pre-authentication on your principals. This way the client must prove to the kdc that it knows the password or has possession of the necessary credentials before she can obtain a TGT. Jeffrey Altman

Re: kpasswd not working against w2k3 sp1 kerberos server

2005-04-27 Thread Jeffrey Altman
Vandeir Eduardo wrote: > It's really weird. When I do a kinit and after a klist, look at > the Expires. It shows 12/31/69. Could this be the > cause? At windows, maximum lifetime for user ticket is 10 hours. > > [EMAIL PROTECTED] krb5-1.4.1]# /usr/local/krb5/bin/kinit dito > Password for [EM

Re: AD Cross Realm Trust Integration

2005-04-26 Thread Jeffrey Altman
John Harris wrote: > Greetings, > > We're currently looking at increasing the session and ticket encryption > types for our Unix-based Kerberos clients (command-line and GSSAPI-based > client/web clients) up to AES. > > One of our issues is to continue to support the cross-realm authentication >

kerberos@mit.edu

2005-04-20 Thread Jeffrey Altman
Surendra wrote: > Hi Team, > > This is regarding Pre-auth issue: How can I know... what encryption type to > be used for pre-authentication from KDC client? > > Some one has answered about 'Use DES' flag (mentioned in the mail below). But > how to extract the Encryption information from the pr

Re: replay cache proposal

2005-04-19 Thread Jeffrey Altman
criptors when running Apache. I most often saw the problem with database access from Apache. Tuning the system is often necessary. Jeffrey Altman

Re: Reading KDCs from DNS (multiple domain controllers and KDCs)

2005-04-18 Thread Jeffrey Altman
Paweł wrote: > I need to support configuration with many Domain Controllers. I found > that I can enter many KDCs in krb5.conf file f.e.: > [realms] > XYZ.INTERNAL.COM = { > kdc = s1.xyz.internal.com:88 > kdc = s2.xyz.internal.com:88 > } > Is it correct ? This is correct but does

Re: gss_init_sec_context() failed: : Ccache function not supported:

2005-04-13 Thread Jeffrey Altman
h clout that make the request the better chance we have of getting them to implement it. > -peter Jeffrey Altman

Re: gss_init_sec_context() failed: : Ccache function not supported:

2005-04-13 Thread Jeffrey Altman
o convince them to open the LSA cache so that third party libraries such as MIT KFW can store tickets. If you choose to file such a request, be sure to explain to them why the Microsoft Kerberos implementation cannot obtain tickets in your cross-realm environment. Jeffrey Altman

Re: gss_init_sec_context() failed: : Ccache function not supported:

2005-04-12 Thread Jeffrey Altman
d Now there is one possibility. Perhaps the Windows Kerberos subsystem has no knowledge of the realm from which you are obtaining tickets. If the realm information is only located in the krb5.ini file and has not been configured via ksetup.exe, you may see KRB5_CC_READONLY errors. Jeffrey Altman

Re: gss_init_sec_context() failed: : Ccache function not supported:

2005-04-12 Thread Jeffrey Altman
Sam Hartman wrote: >>>>>>"Jeffrey" == Jeffrey Altman <[EMAIL PROTECTED]> writes: > > > Jeffrey> peter huang wrote: > >> Can someone tell me how to fix this error? this error came > >> from curl using "--negotiate&

Re: gss_init_sec_context() failed: : Ccache function not supported:

2005-04-12 Thread Jeffrey Altman
You can use the current release of MIT Krb5. I don't remember seeing this issue at all when I was performing gss-interop testing on Windows. Jeffrey Altman peter huang wrote: > thanks for the quick reply. I understand that gss_init_sec_context try to > erase the context which i

Re: gss_init_sec_context() failed: : Ccache function not supported:

2005-04-11 Thread Jeffrey Altman
o experience the same error with kerberos ftp with kclient. Is it > a problem of the library or the way the library gets used. > > thanks > -peter huang The MSLSA is a read-only ccache implementation. You can't attempt to erase its contents, create a n

Re: netapp, nfs, kerberos, and ldap

2005-04-09 Thread Jeffrey Altman
Mark Dieterich wrote: > Ahh... So maybe this is my problem. Should I be limiting the > encryption type on my client side? I'm positive that we have limited > the nfs/host service principals to des-cbc-crc, but our client configs > allow stronger encryption types. The clients seem to be getting

Re: Getting single DES TGT[was Re: KDC: upgrade to 3DES]

2005-04-08 Thread Jeffrey Altman
d by the client application. Jeffrey Altman

Re: Getting single DES TGT[was Re: KDC: upgrade to 3DES]

2005-04-08 Thread Jeffrey Altman
NOT attempt to place restrictions on the enctypes lists in the krb5.conf file. You are only going to get yourself into deep trouble in the future. default_tgs_enctypes and default_tkt_enctypes should 99.9% of the time never be used by anyone. Jeffrey Altman

Re: netapp, nfs, kerberos, and ldap

2005-04-07 Thread Jeffrey Altman
vice principal used for the filer to des-cbc-crc Jeffrey Altman

Re: SSPI/GSS-API : mech_dh: Invalid or unknown error

2005-04-07 Thread Jeffrey Altman
; mean ? Diffie-Hellman mechanism ??? > > What differences between Kerberos SSP W2K SP4 and WinXP SP 1 ? > > > Thanks for any hint, > -- > Jacques I suggest you obtain a network trace for the exchange. Jeffrey Altman

Re: GSSAPI AES Support?

2005-04-05 Thread Jeffrey Altman
fore, there are no QOP constants defined for AES128 or AES256 as AES can only be used with GSS Krb5 Version 2. Jeffrey Altman

Re: krb5-1.4 and DCE

2005-04-04 Thread Jeffrey Altman
Derek T. Yarnell wrote: > So I have installed the new krb5-1.4 release on both RHEL3 and Solaris > 2.8 and found that when I want to talk to my DCE servers I get this, > > [EMAIL PROTECTED] bin]$ /opt/UMldap2/bin/kinit [EMAIL PROTECTED] > kinit(v5): Incorrect net address while getting initial cre

Re: GSSAPI AES Support?

2005-04-04 Thread Jeffrey Altman
John Harris wrote: > Greetings, > > It looks like as of June last year GSSAPI libraries didn't support AES > encryption. Do they still not? We have several applications built with > it and will need to stick to DES3 if it's not shortly forthcoming. > > Thanks, MIT Kerberos 1.4 supports GSSAPI

Re: Kerberos and windows problem ...

2005-03-15 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > > Mar 15 18:12:26 kdc.xyz.com krb5kdc[3820](info): AS_REQ (7 etypes {23 > -133 -128 3 1 24 -135}) 192.168.100.7: ISSUE: authtime 1110890546, > etypes {rep=3 tkt=16 ses=1}, [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED] > > Mar 15 18:12:26 kdc.xyz.com krb5kdc[3820](info)

Re: Kerberos and windows problem ...

2005-03-14 Thread Jeffrey Altman
Have you created a host principal for the machine in the KDB? Have you set the Kerberos Password on the machine using KSETUP? Are there errors reported in the KDC log? Are there errors reported in the Windows Event Log? Jeffrey Altman daylebo wrote: > same as a lot of people on the forum

Re: KFW with NT4 domain

2005-03-04 Thread Jeffrey Altman
se Kerberos. Either deploy an Active Directory with a cross-realm trust to a non-AD KDC or deploy one of the AD workalikes. You can travel to the future and bring back a copy of Samba 4. That will do what you desire. Jeffrey Altman

Re: KFW with NT4 domain

2005-03-04 Thread Jeffrey Altman
Franco Milicchio wrote: > Jeffrey Altman wrote: > >> Leash has the ability to extract the Kerberos 5 tickets obtained by >> Windows during the login process when the Windows domain controller is >> Active Directory. When the domain controller is NT4, there is n

Re: KFW with NT4 domain

2005-03-04 Thread Jeffrey Altman
Leash has the ability to extract the Kerberos 5 tickets obtained by Windows during the login process when the Windows domain controller is Active Directory. When the domain controller is NT4, there is no Kerberos 5 support available through Windows. Therefore, Leash cannot obtain Kerberos ticke

Re: KFW with NT4 domain

2005-03-04 Thread Jeffrey Altman
There is currently no mechanism by which a Kerberos 5 ticket may be obtained by the "System" account and stored into the user's session based credential cache. I believe you are confusing KFW with the OpenAFS Integrated Login which obtains AFS toke

Re: manage access to services

2005-02-25 Thread Jeffrey Altman
Whether or not this key is used to encrypt the session data is up to the application protocol. Jeffrey Altman

Re: manage access to services

2005-02-24 Thread Jeffrey Altman
granted. Jeffrey Altman paul b wrote: > Hello, > I have a question about managing the access to the different services > in Kerberos. > > When I have my TGT and I ask the TGS to get access to a specific > service(for ex. kerberized FTP), how does the TGS know if I have the >

Re: Problems with SSO authentication in windows XP sp2

2005-02-16 Thread Jeffrey Altman
If the Java application is requesting your username and password, then it is not attempting to obtain Kerberos tickets from the Microsoft LSA cache. Instead it is obtaining tickets and storing them for you in a file based cache. Therefore, it does not matter if you lock and unlock your desktop be
