Re: Password Expiration, winXP client

2004-04-30 Thread Jeffrey Altman
is still UDP only. Jeffrey Altman -- - This e-mail account is not read on a regular basis. Please send private responses to jaltman at mit dot edu Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman

Re: Password Expiration, winXP client

2004-04-30 Thread Jeffrey Altman
authenticating realm directly. In this case, change password operations are taking place as expected. Can you provide more details about your workstation configuration? Jeffrey Altman William G. Zereneh wrote: > Hello, > > In reference to the posting from: > > J-F Cloutier jfclouti

Re: leash32.exe can not read memory

2004-04-29 Thread Jeffrey Altman
immediately or after a random period of time? Thanks. Jeffrey Altman Göran Hjorth wrote: > Best one! > > I install Kerberos because Rexx for MySQL need it. > Leash32.exe have problem to read a memory, see including file from print screen. > It happens at -autoinit when I start my PC.

Re: Where are Kerberos configuration/credentials stored in a Windows

2004-04-28 Thread Jeffrey Altman
If you wish to utilize the Microsoft LSA obtained credentials with Java Kerberos you should use the JAAS Login Provider. Note this provider in JRE 1.4.2 is broken on Windows XP. The JRE 1.5 version should work. Sleepy wrote: > I'm attempting to use Java's implementation of Kerberos in a Window

Re: MIT/Heimdal(/Microsoft) Equivalencies

2004-04-28 Thread Jeffrey Altman
Henry B. Hotz wrote: > MIT rc4 == Heimdal arcfour == preferred Microsoft encryption type? Yes. Although in the current released products from Microsoft, RC4 cannot be used for cross-realm with non-MS KDCs. In those cases you must use DES-CBC-MD5.

Re: Windows integrated logins with KfW 2.6.1 and XP.

2004-04-27 Thread Jeffrey Altman
hikari wrote: > hikari wrote: > >> I'll redo it on both (the kdc and xp) and then try again. > > > Which didn't make a difference. You will have to diagnose it from the Windows side then. The KDC is issuing a host key and the Windows host is rejecting it. What is the enctype of the key

Re: Windows integrated logins with KfW 2.6.1 and XP.

2004-04-27 Thread Jeffrey Altman
hikari wrote: > Jeffrey Altman wrote: > >> What messages are appearing in the KDC log? > > > Comes up with a NEEDED_PREAUTH: > [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED] > > then two ISSUEs: > [EMAIL PROTECTED] for krbtgt/[EMAIL PROTE

Re: Windows integrated logins with KfW 2.6.1 and XP.

2004-04-27 Thread Jeffrey Altman
Did you set the password using KSETUP ? hikari wrote: > Jeffrey Altman wrote: > >> Please detail exactly what you have done. > > > I've added the host and cifs principals (short version and FQDN) for > the workstation to the KDC, with its password. I

Re: Windows integrated logins with KfW 2.6.1 and XP.

2004-04-27 Thread Jeffrey Altman
What messages are appearing in the KDC log? Are you able to obtain tickets with Leash? What messages are being logged in the Windows Event Log? hikari wrote: > Jeffrey Altman wrote: > >> Did you set the password using KSETUP ? > > > Y

Re: Windows integrated logins with KfW 2.6.1 and XP.

2004-04-27 Thread Jeffrey Altman
Please detail exactly what you have done. hikari wrote: > Hi All, > > I'm trying (and XP is /being/ very trying right now) to get > integrated logins working with XP and an MIT KDC. I've been following > the brief guide in the Release Notes and got it so, that as far as I can > tell, it

Re: Kerborizing the applications !!!!

2004-04-26 Thread Jeffrey Altman
which ships with Kerberos. http://srp.stanford.edu/ Jeffrey Altman mdj_kerberos wrote: > Hi Group, > > I am trying to kerborize both telnet server and client. Could you > please assist in how to go about it ? > ( say, first we need to get the context for the kerberos ...).

Re: Cannot contact any KDC for requested realm (error 156)

2004-04-21 Thread Jeffrey Altman
Did you configure the %WINDIR%\KRB5.INI to specify the location of the kdc in the realm? Dominic Komareddy wrote: > Hi, > I am new to Kerberos. I have set up the Kerberos server on a Linux box. The KDC > and Kadmin daemons are running. I have also downloaded Kerberos for Windows on > anothe

Re: kdc.conf

2004-04-21 Thread Jeffrey Altman
Are you unable to create the path /usr/local/var/krb5kdc ? Graham Turner wrote: > Dear all, > > quoting the install guide in the krb51-3.3 distribution from MIT > > "The kdc.conf file contains KDC configuration information, including > defaults used when issuing Kerberos tickets. Normally, you sh

Re: KFW 2.6.1

2004-04-21 Thread Jeffrey Altman
Dan Million wrote: > Jeffrey Altman wrote: > > Yup. It's a brand new machine and this is the first time we've tried KFW. > > Thank you. I'll keep trying. > > Dan What do you have specified in your KRB5.INI file?

Re: KFW 2.6.1

2004-04-20 Thread Jeffrey Altman
e this change for the next release. As for why you are unable to obtain a KDC from Leash but can from kinit.exe, I have no idea. They should both be using the same krb5.ini file and the same libraries. Are you sure you have only one version of KFW on the machine? Jeffrey Altman Dan Millio

Re: kinit sending clear text password

2004-04-20 Thread Jeffrey Altman
kinit does not send the password in clear text unless the kerberos libraries have been replaced by a trojan horse. melissa_benkyo wrote: > hello folks, > > thanks for all the help. I wouldn't have make it here so far without > your help. :) thanks. Now I'm trying to use pam api's instead but t

Re: SEAM krb API

2004-04-20 Thread Jeffrey Altman
Wyllys Ingersoll wrote: > krb5_kuserok is sort of an aberration. It's a weak attempt at > an authorization interface. It's very easy to write your own > non-KRB5-API dependent version of krb5_kuserok using just GSSAPI calls > and standard C library functions. > > Obviously, you must assume some Ke

Re: Storing TGT in cache

2004-04-20 Thread Jeffrey Altman
or Kerberos. If you support this idea, please file a request with Sun. Jeffrey Altman

Re: Storing TGT in cache

2004-04-19 Thread Jeffrey Altman
You can always use JNI to wrap the necessary function calls from the C based MIT Kerberos library. Or you can extract the credential cache file format from the MIT source code and re-implement it in Java. Richard Gundersen wrote: > Hi > > In case my previous question didn't sound clear, I've

Re: aklog output

2004-04-19 Thread Jeffrey Altman
Your output shows a kerberos 5 afs service ticket for WEB.RPI.EDU and an afs token for web.rpi.edu. aklog worked. Andrew Bacchi wrote: > Using MIT Krb5 1.3.2 from source, and afs-krb5.2.0. > > I'm not sure I'm getting converted tokens with aklog. I cannot > read/write to AFS even if I kinit a

Re:

2004-04-18 Thread Jeffrey Altman
Milos Djukic wrote: > How can Kerberos authenticate a user who isn't communicating through a Kerberized > server? Will the request be automatically rejected as the user is trying to gain a > service from an un-trusted server. If so, can the administrators of the Kerberos and > the non-kerberos s

Re: Key table entry not found

2004-04-17 Thread Jeffrey Altman
What does "hostname" say the machine name is? [EMAIL PROTECTED] wrote: > Thanks for the suggestions ... I thought it might be the kvno - but I > checked: > --- > kadmin.local: getprinc host/kas.ruz.lat > Principal: host/[EMAIL PROTECTED] > Expiration date: [never] > Last password change: Sat Ap

Re:

2004-04-16 Thread Jeffrey Altman
Via e-mail? :-) I do not understand this question. Kerberos is an authentication protocol not a messaging protocol. Milos Djukic wrote: > How do Kerberos users communicate with non-kerberos users? > > > - > Yahoo! Messenger - Communicate insta

Re: kinit programming

2004-04-16 Thread Jeffrey Altman
credential cache files. MIT Kerberos is certainly a choice for this. Jeffrey Altman melissa_benkyo wrote: > I'm looking it up. and I'm using SEAM kerberos. I don't think it > supports the kerberos API calls. Has anyone done kinit with SEAM > kerberos? > > thank

Re: Krb5 1.3.1 Solaris 9 CC WorkShop 6 Update 2 link warning

2004-04-16 Thread Jeffrey Altman
The warning does not say all that much to me without providing a list of the function names it thinks are the same. Jeffrey Altman Thomas Huang wrote: > Hi, > > I am trying to build a custom Kerberos client application under Sun > Solaris 9 using CC WorkShop 6 Update 2. The build

Re: Cross-realm issue - what am I missing?

2004-04-14 Thread Jeffrey Altman
Inger, Slav (.) wrote: > Hi all, > > I tested cross-realm awhile back and it seemed to work fine, not sure why I'm > running into issues now, maybe I'm forgetting something obvious. Scenario: KDC is > Active Directory, clients are running Solaris and HP-UX with Kerberos and > appropriate patc

Re: scaling problems

2004-04-14 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: > Hi, folks > > 2) Users wouldn't be happy if they were unable to login one hour every > time they change password. > > So, logical consequence is that master must answer all TGT requests. > Having a slave around in case master dies is better than nothing, but > slave

Re: Authenticat Kerberos-enabled Linux client at Active Directory

2004-04-13 Thread Jeffrey Altman
this list. Jeffrey Altman Frank Wu wrote: > Hello All, > > I dowloaded and installed krb5-1.3.3-i686-pc-linux-gnu.tar on RedHat 9, > and tried to set it up to work with MS Active Directory for > cross-platform authentication, but without success. Has anyone tried > thi

Re: setup kerberos client

2004-04-13 Thread Jeffrey Altman
on must see the same name for the machine as the client machine does from DNS. The GSSAPI Service does not look for a keytab entry matching the client request, it attempts to load the keytab entry when it starts. I agree there are few good ways to debug this other than trac

Re: client-side support for SASL/GSSAPI on windows?

2004-04-13 Thread Jeffrey Altman
ft LSA credentials into a new MIT Kerberos credentials cache or access the MS LSA credentials in read-only mode via the MIT krb5_ccache "MSLSA:" ccache interface. Jeffrey Altman

Re: Antwort: Re: Encryption types [Virus checked]

2004-04-11 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote: >>Make sure that the service principals in the KDC do not contain >>any enctypes other than DES-CBC-CRC or DES-CBC-MD5. Java cannot >>handle them. > > > Don't understand this. Aren't client programs supposed to choose the > encryption types they do understand out of th

Re: Disable Mac OS X Kerberos Auto Prompting

2004-04-11 Thread Jeffrey Altman
In Panther you can #define KERBEROSLOGIN_NEVER_PROMPT 1 I'm not sure that this works with earlier releases. Nebergall, Christopher wrote: > Is there a way to programmatically or in a configuration file to disable Mac > OS X auto-prompting for the user's kerberos password? > > I'm interested in

Re: Windows with MIT krb5 and OpenLDAP

2004-04-10 Thread Jeffrey Altman
Sensei wrote: > > AFS, Kerberos and LDAP are currently on the same server... and I'll keep > it so... Many folks on this list will consider running any services on the same machine as the Kerberos KDC to be a security weakness. You increase the attack surface of the machine when you do so. If

Re: Windows with MIT krb5 and OpenLDAP

2004-04-09 Thread Jeffrey Altman
contain the user's profile and Documents and Settings folders. I do not know how you would use OpenLDAP in place of the Windows Active Directory. I suggest you ask that question on an OpenLDAP mailing list. Jeffrey Altman Sensei wrote: > Hi. > > I've built an afs cell, a kerber

Re: Kerberos diagnostic tool?

2004-04-08 Thread Jeffrey Altman
GSS-API Kerberos authentication is embedded within application specific protocols. In this case, you need to write a test application which implements the SQL query protocol as implemented by the ODBC drivers. The Java-ODBC driver interface provides very poor performance and is usually regarded a

Re: Questions regarding Kerberos and Active Directory and SQL Server

2004-04-08 Thread Jeffrey Altman
Sleepy wrote: > Hello all, > > I have some questions that I would appreciate getting some expert > Kerberos assistance with. > > 1) Is SQL Server limited to DES encryption only? > > The reason I ask is that I have discovered empirically that the > SQL Server service startup account needs

Re: Encryption types

2004-04-08 Thread Jeffrey Altman
enctypes other than DES-CBC-CRC or DES-CBC-MD5. Java cannot handle them. Jeffrey Altman

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-04-05 Thread Jeffrey Altman
In speaking with contacts at Microsoft, they have assured me that this situation, Logon Session Authenticated by NTLM and yet having Kerberos tickets in the LSA Cache can only happen if the KDC on the PDC was not functioning at the time you logged in. If this is the case, there will be records in

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-04-05 Thread Jeffrey Altman
Vikas Gandhi wrote: > Jeffrey > Even I am trying hard to understand the meaning of this. I also run > the sspi samples and they ran fine. So I am more than confused ??? > > Can u guide me what next should I try to debug How can I change > NTLM to Kerberos > Any hint to proceed > >

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-04-05 Thread Jeffrey Altman
Vikas Gandhi wrote: > In function IsKerberosLogon() > if ( !lstrcmp(L"Kerberos",buffer) ) > Success = TRUE; > The value of buffer in NTLM so success is false. > If your logon session is not authenticated with Kerberos but with NTLM, how are you obtaining tickets for display by microsoft's "k

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-04-05 Thread Jeffrey Altman
I have no idea why you can't find the MSLSA: credential cache. Since you have built from source why don't you trace it in the debugger. You should be able to figure it out quite easily. src/athena/auth/krb5/src/lib/krb5/ccache/cc_mslsa.c Ker

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-04-04 Thread Jeffrey Altman
Vikas Gandhi wrote: > Finally I found my mistake. I put a variable set KRB5_KTNAME=.\\krb5kt > Then I started running the server and this was successful > Now the client part It cribs > C:\gss>gss-client.exe -port beetle mittest hello > GSS-API error initializing context: Miscellaneous f

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-04-04 Thread Jeffrey Altman
Vikas Gandhi wrote: > Now I reversed the entry >HKLM\Software\MIT\Kerberos5\ > PreserveInitialTicketIdentity = 0x0 (DWORD) >HKCU\Software\MIT\Kerberos5\ > PreserveInitialTicketIdentity = 0x0 (DWORD) > and introduced new entry > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerbe

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-03-31 Thread Jeffrey Altman
You need a keytab file for the gss-server.exe because the service must know its key. If it does not know its key, then it cannot decode the service ticket presented to it by the gss client. Jeffrey Altman Vikas Gandhi wrote: > Why do need krb5kt for It is no where. > I understan

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-03-31 Thread Jeffrey Altman
You did not answer the most important question I asked you. Where is your krb5kt file? and is there a service key in the file? As for kinit, you cannot use 'kinit' with MSLSA: ccaches since the MSLSA: ccache is read-only. MSLSA: only works if you have already performed a login via Windows and th

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-03-30 Thread Jeffrey Altman
the KRB5.INI file should go in %WINDIR%. Where are you placing the keytab file containing the server keys for the service principal? Vikas Gandhi wrote: > Hi > Also I tried to run the gss-server that comes along where I am > getting > C:\OSBA\kfw-2.6-final\src\athena\auth\krb5\src\appl\g

Re:

2004-03-30 Thread Jeffrey Altman
hipping. Not to say that forcing the use of des-cbc-crc is a good idea, it's not. Just pointing out that there are still interop problems based entirely in the implemented set of enctypes. Jeffrey Altman

Re: Problem in running gss.exe of kfw 2.6 using MSLSA cache and using

2004-03-30 Thread Jeffrey Altman
What are you testing gss.exe against? The version of the GSS-SSPI server which is shipped as part of the MS SDK is incompatible with the GSS.EXE as shipped in KFW 2.6. We are working with Microsoft to release updated versions of the example code. Jeffrey Altman Vikas Gandhi wrote: > Hi

Re: Question about MIT Kerberos for Windows 2.0

2004-03-30 Thread Jeffrey Altman
The current version is Kerberos for Windows 2.6 and it is available from http://web.mit.edu/kerberos/ Christopher T Vogan wrote: > > > > Hi, > > I am a test for IBM NFS for z/OS product. > I am trying to test NFS with auth_GSS authentication. This method requires > the use of Kerberos v5. >

Re: Can I use the KFW 2.6 libraries for authenticating against Microsoft

2004-03-30 Thread Jeffrey Altman
Yes. Set the environment variable KRB5CCNAME=MSLSA: before initializing the GSSAPI32.DLL Vikas Gandhi wrote: > Hi ALL > As MSLSA is supported by current distribution of the kfw 2.6. Can > this be used to authenticate against the Active Directory of windows > 2003. > > i.e. Can I wr

Re: restriction of AS based on requestor

2004-03-19 Thread Jeffrey Altman
who has authenticated has the necessary privileges or not to access the service. Jeffrey Altman

Re: kfw 1.2.6 with TCP

2004-03-16 Thread Jeffrey Altman
What is KFW 1.2.6 ? KFW version numbers are 2.5 and 2.6. Krb5 version numbers are 1.2.x and 1.3.x. KFW 2.5 ships with Krb5 1.3.1 KFW 2.6 ships with Krb5 1.3.2 Jeffrey Altman KFW Maintainer Marcel wrote: > hello, > > just wanted to ask if there is possibility or a howto to force

Re: unable to authenticate using active directory/mit kfw 2.5 and

2004-03-14 Thread Jeffrey Altman
Vikas: I answered the question that I could answer. I do not know the answer to whether anyone has written a program that uses both the netscape-sdk and MIT KfW 2.5. I certainly have not. Jeffrey Altman Vikas Gandhi wrote: > Hi Jeffrey > I am asking a basic fundamental question. Has s

Re: unable to authenticate using active directory/mit kfw 2.5 and

2004-03-13 Thread Jeffrey Altman
efore starting your application and the credentials from the MS LSA cache will automatically and transparently be used. Jeffrey Altman KFW Maintainer

Re: compiling MIT kerberos KDC for windows

2004-03-09 Thread Jeffrey Altman
If you are an MSDN subscriber I suggest you download Virtual PC for Windows and install Linux within a virtual machine to use for testing. If you are not an MSDN subscriber, I suggest you purchase a license to VMWare. Ish-Lev Avshalom wrote: > I have downloaded kfw-2.5 and it compiled fine on

Re: Unable to d/l kerberos-2.5 for windows because i don't have IE

2004-03-05 Thread Jeffrey Altman
defective and really needs to be upgraded to correct not only security problems but a programming error which can result in system crashes from correct use by applications. Jeffrey Altman KFW Maintainer steve hauser wrote: > Hello, I'd like to use your kerberos for my Win98 system but it w

Re: Telnet With Encryption

2004-03-02 Thread Jeffrey Altman
TELNET only supports DES encryption types. However, that warning means that the telnet client does not include support for encryption. Which client are you using? Jeffrey Altman Neelima Adusumilli wrote: > Hi! > When I'm running telnet with -ax option it is giving th

Re: Getting Started with KfW 2.5.0

2004-02-28 Thread Jeffrey Altman
KFW is only a Kerberos client library. The MIT KDC is not supported on Windows. Jeffrey Altman KFW Maintainer Gerard Murphy wrote: > Is it possible to set up a KDC, using KfW 2.5, on a Windows 2000 > Professional or XP machine, so that I can us the LeashManager to get > tickets? >

Re: compiling error

2004-02-25 Thread Jeffrey Altman
Doug: KfW requires Aug 2001. There is nothing in the newer SDKs that is required. Using newer SDKs is advised but not required. - Jeff Douglas E. Engert wrote: > Have se this before. You need a the Microsoft SDK. > See [krbdev.mit.edu #1675] Windows build needs Feb 2003 Platform SDK > ___

Re: Diffrents between Linux and Windows Sources

2004-02-25 Thread Jeffrey Altman
ndows machine. no > i'm asking, because my test-suite is on a windows xp machine and the final version > has to > run on a vxworks system. there is no in memory credentials cache for vxworks. Jeffrey Altman

Re: How to keep credentials in memory

2004-02-23 Thread Jeffrey Altman
the in memory credential cache is distributed as part of the MIT Kerberos for Windows distribution. Version 2.5 is the last official release; 2.6 is currently in beta. http://web.mit.edu/kerberos Jeffrey Altman KfW Maintainer Marcel Lehner wrote: > I had read somewhere that it is possi

Discussion of krb5_get_init_creds_password() behavior was Re:problem with the kinit_prompter in kfw 2.5

2004-02-19 Thread Jeffrey Altman
The [EMAIL PROTECTED] mailing list is an inappropriate place for this discussion. Please hold this discussion on [EMAIL PROTECTED] OR open a bug report in the Request Tracker by sending e-mail to [EMAIL PROTECTED] Thank you. John Hascall wrote: Beata A. Pruski wrote: I must say I don't underst

Re: Kerberos error authenticating from Unix to Windows AD

2004-02-19 Thread Jeffrey Altman
Workstation using KSETUP? Jeffrey Altman Tyson Oswald wrote: > Hello all, > > I read the white paper on the MS site > (http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp) > to setup AD authentication on Unix. It is based on MIT KDC, but I am > using SE

Re: AD MIT Interoperability rc4-hmac

2004-02-18 Thread Jeffrey Altman
Jeffrey Altman wrote: As the tool affects the Windows 2003 Server LSA configuration, it should allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC. (Assuming I can get it to work.) RC4-HMAC support for cross realm trusts will not be available in Win2003 Server until SP1. Jeffrey

Re: AD MIT Interoperability rc4-hmac

2004-02-18 Thread Jeffrey Altman
Alberto Patino wrote: On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote: I have verified with Microsoft that the default configuration of Windows 2003 does not allow the use of RC4-HMAC with MIT KDC Trust relationships. There is functionality to support this mode of operation unfortunately

Re: problem with the kinit_prompter in kfw 2.5

2004-02-18 Thread Jeffrey Altman
Examine the Kerberos 5 1.3.2 Admin Docs on the MIT Kerberos web site. Beata A. Pruski wrote: I did some more search within the source code (kfw-2.5) and found out that there are two entries in the realms section of the configuration file which are used for locating kdc(s). They are called "kd

Re: problem with the kinit_prompter in kfw 2.5

2004-02-18 Thread Jeffrey Altman
Beata A. Pruski wrote: I must say I don't understand why within krb5_get_init_creds_password, after the first call to krb5_get_init_creds (with use_master being 0) returns KRB5KDC_ERR_KEY_EXP, there is still another call made to the same function with use_master set to 1. Shouldn't there be some

Re: AD MIT Interoperability rc4-hmac

2004-02-17 Thread Jeffrey Altman
ation to construct a tool to enable RC4-HMAC support for MIT KDC Trust relationships and will endeavor to build one in the next day or two for inclusion within the final release of KfW 2.6. At the very least this tool will allow you to specify a MIT Realm Name and allow the RC4-HMAC

Re: Problem with kadmin

2004-02-17 Thread Jeffrey Altman
Is kadmind running? Marcel Lehner wrote: > Does anyone can help me? > > When I try to start kadmin I always get the following message after entering > my password: > > "kadmin: Communication failure with server while initializing kadmin interface" > > KDC is running fine and I also get tickets

Re: problem with the kinit_prompter in kfw 2.5

2004-02-16 Thread Jeffrey Altman
registered as the prompter and it is called as a result of krb5_get_init_creds_password() without a password being provided as an argument. Hence, the password is only prompted for once. Jeffrey Altman KfW Maintainer Beata A. Pruski wrote: > I have hard time to get the posix prompter to run under

Re: Windows AD and MIT KDC Cross-Realm Trust

2004-02-16 Thread Jeffrey Altman
Digant Kasundra wrote: > I think that's one of the ways you can do it, but that setup isn't > considered "pass-through authentication," which is what we are going for. That is the only way to do it. There is no term called "pass-through" authentication within Kerberos. The authentication betwe

Re: How to obtain a keytab for a Windows application server?

2004-02-13 Thread Jeffrey Altman
The kadm5 library is currently not supported on Windows as part of KfW. It would certainly be a worthwhile feature to request. Why don't you send a feature request to krb5-bugs (at) mit.edu. Jeffrey Altman Colin Caughie wrote: >>"kadmin" is a KDC administration tool.

Re: How to obtain a keytab for a Windows application server?

2004-02-13 Thread Jeffrey Altman
machine hosting the KDC, then you can securely move it to Windows and place it somewhere that your KfW based application can find it. Jeffrey Altman KfW Maintainer Colin Caughie wrote: > Hi, > > I'm looking into using Kerberos (probably MIT) to add secure authentication > to a

Re: AD MIT Interoperability rc4-hmac

2004-02-13 Thread Jeffrey Altman
Which version of MIT Kerberos is the KDC? And more importantly, does the user principal in the MIT KDC have a key of type RC4-HMAC associated with it? Jeffrey Altman rousset wrote: > Hello, > > I have established a trust relationship between Active Directory and MIT > Kerberos r

[Fwd: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption]

2004-02-11 Thread Jeffrey Altman
--- Begin Message --- Microsoft ASN.1 Library Length Overflow Heap Corruption Release Date: February 10, 2004 Date Reported: July 25, 2003 Severity: High (Remote Code Execution) Systems Affected: Microsoft Windows NT 4.0 (all versions) Microsoft Windows 2000 (SP3 and earlier) Microsoft Windows

[Fwd: EEYE: Microsoft ASN.1 Library Bit String Heap Corruption]

2004-02-11 Thread Jeffrey Altman
--- Begin Message --- Microsoft ASN.1 Library Bit String Heap Corruption Release Date: February 10, 2004 Date Reported: September 25, 2003 Severity: High (Remote Code Execution) Systems Affected: Microsoft Windows NT 4.0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003

Microsoft announces ASN.1 Library exploit

2004-02-10 Thread Jeffrey Altman
Microsoft Security Bulletin MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) Bulletin URL: http://www.microsoft.com/technet/security/bulletin/MS04-007.asp Summary: Version Number: V1.0 Revision Date: 02-10-2004 Impact of Vulnerability: Remote Code Execution Maximum Severity Rating:

Re: kfw & krb5 1.3.1

2004-02-09 Thread Jeffrey Altman
For Windows 2000 Server the key is: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters AllowTGTSessionKey = 0x01 (DWORD) King Lung Chiu wrote: Hi Jeffrey, thanks for the reply. The session key type is 0 (or NULL). What operating system are you using? I'm running cygwin unde

Re: kfw & krb5 1.3.1

2004-02-09 Thread Jeffrey Altman
The session key type is 0 (or NULL). What operating system are you using? King Lung Chiu wrote: > OK, here's a bit more info: > > $ export KRB5CCNAME=FILE:C:/cygwin/tmp/krb5ccwin;leash32 -m;klist -5 -e > Ticket cache: FILE:C:/cygwin/tmp/krb5ccwin > Default principal: [EMAIL PROTECTED] > >

Re: kfw & krb5 1.3.1

2004-02-08 Thread Jeffrey Altman
What operating system are you running on? If it is Windows 2003 or Windows 2000 Server or Windows XP SP2 then the problem is that you need to set a registry value to enable the exportation of TGTs from the Kerberos LSA with the session key intact. Jeffrey Altman King Lung Chiu wrote: >

Re: Credentials for an arbitrary user.

2004-02-05 Thread Jeffrey Altman
(). Jeffrey Altman Kevin Burton wrote: > Do you have any suggestions as to how to do that? > > "Sam Hartman" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > >>Are you using krb5_prompter_posix? If so, this does not really work >>on Windows

Re: vms, kerberos and w2k3

2004-02-04 Thread Jeffrey Altman
You don't need to install a KDC but you do need to ensure that the keytab file you created is in the proper format expected by Kerberos on VMS. If KerberosAdmin is the only tool available to read/write keytab files then you will need to install whatever is necessary to obtain access to that tool

Re: [domain_realm] question

2004-02-04 Thread Jeffrey Altman
If you want to provide separate mappings of hosts to domains, then you will have to provide domain to realm mappings for each individual machine name Sam Hartman wrote: >>"Inger," == Inger, Slav (S B ) <[EMAIL PROTECTED]> writes: > > > Inger,> Final question for today: is it explicitl

Re: vms, kerberos and w2k3

2004-02-04 Thread Jeffrey Altman
Does the VMS KerberosAdmin tool recognize the keytab file? What does list keytab report? Juha Nieminen wrote: > We are testing Kerberos on OpenVMS. > We are running VMS 7.3-2 and > Kerberos for OpenVMS v2.0-6, client setup. > > Realm and KDC are in windows2003 server. > W2K workstations

Re: malloc hang inside krb5_sendto_kdc

2004-02-04 Thread Jeffrey Altman
Ken Weaverling wrote: > In article <[EMAIL PROTECTED]>, > Jeffrey Altman <[EMAIL PROTECTED]> wrote: >>Is the KDC being found via DNS or via entries in a krb5.conf file? > > > krb5.conf I believe -- does windows DNS on active directory stash the > kerberos lo

Re: malloc hang inside krb5_sendto_kdc

2004-02-04 Thread Jeffrey Altman
I should mention that the krb5_locate_kdc() function is one that has undergone a major re-write between 1.2.7 and 1.3.1. Any findings that the error is in krb5_locate_kdc() can only be responded to with a request that you upgrade to the current release of the distribution. Jeffrey Altman

Re: malloc hang inside krb5_sendto_kdc

2004-02-04 Thread Jeffrey Altman
> Also, this uses a windows 2000 server for KDC. It had done that for > over a year with no problems. This problem happened when we migrated > the server from redhat 7.3 to Redhat enterprise linux (RHEL) 3 over > the holidays. Is the KDC being found via DNS or via entries in a krb5.

Re: krb5 1.3.1 and openssh on cygwin

2004-02-03 Thread Jeffrey Altman
If you need to use ms2mit to gain access to your credentials then you must use KfW because only KfW has the support for the CCAPI based memory cache. This support is not available when krb5 is built under cygwin or when krb5 is built outside of the KfW framework. Jeffrey Altman KfW Maintainer

Re: krb5 1.3.1 and openssh on cygwin

2004-02-03 Thread Jeffrey Altman
None of these items are supported by the MIT Kerberos Development team. The only one that you would want to use is (3) so that the resulting program can access the in memory credentials cache. You will most likely have to modify the build for openssh to make this work. Jeffrey Altman KfW

Re: Help Required.

2004-01-29 Thread Jeffrey Altman
Version 1.3.1 distribution to install and configure a KDC on Unix/Linux. Or you can use one of the Kerberos distributions which comes with a variety of major commercial operating systems from Windows Server to HP-UX to Mac OS X to AIX to Solaris to Jeffrey Altman Prabodh Achyutha M wrote: >

Re: Kerberos vs. LDAP for authentication -- any opinions?

2004-01-29 Thread Jeffrey Altman
David Magda wrote: > > And what prevents a Kerberos server from being compromised? Any > system can have a root-kit installed on it. Simple. You don't run any other services on your KDC. All access is via physical connections. Small network footprint results in extremely low chance of hacking.

Re: service principals in AD fro unix kerberos clients

2004-01-29 Thread Jeffrey Altman
What does Kermit list for the output of AUTH K5 LIST /E after attempting to connect to the Telnet Service? Ryan Odgers wrote: > I created them with ktpass using the defaults of which DES-CBC-CRC should be > the default. I also tried switching my server to use MD5 type encryption and > using

Re: service principals in AD fro unix kerberos clients

2004-01-29 Thread Jeffrey Altman
What are the service principal and session key keytypes for the host/[EMAIL PROTECTED] ticket? If they are not DES-CBC-CRC then you will not be able to negotiate DES encryption in Telnet protocol. Ryan Odgers wrote: > I get the following error when trying to connect with kermit telnet: > key

Re: Kerberos vs. LDAP for authentication -- any opinions?

2004-01-28 Thread Jeffrey Altman
GSSAPI Kerberos V5 is being used for authentication LDAP is being used for authorization. This is not the same as using LDAP for authentication. Jeffrey Altman Harry Le wrote: > Not entirely true. > > Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerb

Re: Kerberos vs. LDAP for authentication -- any opinions?

2004-01-28 Thread Jeffrey Altman
LDAP is not an authentication infrastructure. All you are doing with LDAP is providing a database of usernames and passwords which is accessible over the network. Your users must then transmit said usernames and passwords across the network to a potentially compromised machine in order for them to

Re: [OpenAFS-devel] OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos

2004-01-26 Thread Jeffrey Altman
mpile time. Jeffrey Altman

Re: service principals in AD fro unix kerberos clients

2004-01-26 Thread Jeffrey Altman
software should do the rest. Jeffrey Altman

Re: [OpenAFS] Re: Mystery AFS/Kerberos packet

2004-01-23 Thread Jeffrey Altman
. If you have a system which is consistently producing bad data at a known point it would be good to see if we can trace it down. Jeffrey Altman John Hascall wrote: 6303373b766d61124537494153544154452e4544550067710e403f616673 c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U

Re: service principals in AD fro unix kerberos clients

2004-01-23 Thread Jeffrey Altman
ol\Lsa\Kerberos\Parameters AllowTGTSessionKey = 0x1 (DWORD) if you want to allow KfW to import Windows LSA credentials into the MIT ccache via either ms2mit or Leash. Jeffrey Altman Ryan Odgers wrote: > Hi Doug, > > still on win2000 > I can authenticate and get tgt ticket wit
