On Oct 12, 2010, at 12:06, Phillip Moore wrote:
Then I extract the keytab file for use in the test suite using:
ktadd -k /path/to/$principal.keytab $principal
I've discovered that as soon as I run ktadd, then I can no longer manually
authenticate as that principal anymore.
Yes, that's
On Oct 10, 2010, at 19:46, Jeremy Hunt wrote:
Hi Dominic,
Thanks for your feedback. You make a good point about reporting a bug. Though
my memory is that the Kerberos team knew about them all..
The second issue is as designed, and given that kprop is so efficient, isn't
as bad as I
On Jun 9, 2010, at 17:36, Richard E. Silverman wrote:
res == Richard E Silverman r...@qoxp.net writes:
res One day, due to an error, the number of KDC SRV records for one
res of our realms doubled from 27 to 54... and KDC lookups via DNS
res promptly broke. I bumped up the nextincr
both.
Ken
--
Ken Raeburn / raeb...@mit.edu / just an interested Kerberos geek :)
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On May 17, 2010, at 11:02, Richard Smits wrote:
But now we have a user who wants to authenticate from home with his ssh
private/public key. His public key is in his homedir. (Which is not
mounted yet)
If the user logs in, this mechanism works for a couple of hours.
(ticket is valid
with
patches to make it build and run successfully on HPUX 11.31 -- documentation
updates related to building on modern HPUX would be great, also!
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
basis.
That's not a mode that the code typically gets built in -- if ever. It's not
surprising that it doesn't build, unfortunately. If you can use the code
without NOIOSTUFF, that's probably the easiest way for you to move forward.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos
Nice info, thanks!
If it's easy to compile the data, I'd be curious to see what your peak load per
{some small unit of time -- second, minute?} is.
On Feb 25, 2010, at 12:12, Abe Singer wrote:
I'll give you a reason for why I need it. I'm trying to fire up
krb5kdc listening on a virtual interface on a host where there's another
process (not krb5kdc) listening on the same port on other interfaces.
That makes sense, thanks; though I'm
On Feb 22, 2010, at 18:32, Greg Hudson wrote:
On Mon, 2010-02-22 at 16:56 -0500, Abe Singer wrote:
Am I missing something in the documentation, or is there no way to tell
krb5kdc to bind to a single network interface (as opposed to binding to
all of them)?
My reading of the code is that
of
the point was avoiding having to have two authentication mechanisms at work. I
could be wrong about that.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
On Feb 4, 2010, at 16:27, Girish Mandhania wrote:
Hello,
I am working for a university and have Kerberos installed on our server. I
wish to use Kerberos authentication of Subversion (change management
application) on Linux.
Could you please help me with the clear list of steps to be followed,
).
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
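from ctypes import *
# Load the MIT krb5 shared library through ctypes
libkrb5 = cdll.LoadLibrary("libkrb5.so.3")
princname = "raeb...@athena.mit.edu"
def fatal(err, what):
    msg = "error " + str(err)
    # Look up the library's error-message function
    get_msg = libkrb5.krb5_get_error_message
    get_msg.argtypes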
,
the others should have the necessary data for one to be (manually) promoted to
be the new master. It is still a one-master-at-a-time setup, though.
Just making sure you don't think LDAP is the only way to run multiple KDCs for
a realm
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer
. On Linux, the MIT libraries can use
the keyring support in modern kernels.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
would look through my latest krop dump for lines
starting with
princ and grab the 7th and 13th fields. For example:
We really should make it easier to extract these data in a more
helpful form... :-)
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
to support per-KDC info. (And for all I know, maybe in the
1.8 branch they do now.)
and
1b) I'd bug the Kerb team to fix this :)
Go for it, but note the signature below... :-)
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
with GSSAPI support is probably better than
Kerberos rlogin on telnet for any number of reasons.
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
to go anywhere
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
On Dec 10, 2009, at 08:19, Tadoori (EXT), Vilas wrote:
Hello All,
I am new to the Kerberos field and would like to know the basic
differences between a TGT and a Service Ticket and it would be great
if anyone can provide an example on this.
The fundamental difference is that the TGT is a
On Nov 12, 2009, at 07:57, leon.ke...@thomsonreuters.com
leon.ke...@thomsonreuters.com
wrote:
Maybe you're referring to a more recent repository version?
Is there a version that I could download which would yield better
results on solaris 8 for compilation?
Oh, and regarding Solaris 8...
On Nov 12, 2009, at 07:57, leon.ke...@thomsonreuters.com
leon.ke...@thomsonreuters.com
wrote:
Hi Ken,
I'm following your thread on mailman.mit.edu/pipermail/kerberos,
october
19 20:46:20
Check the messages from November -- Tom Shaw pointed this out too, and
I tracked down the
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
On Nov 8, 2009, at 22:33, Tom Shaw wrote:
I had the same problem on Solaris 9. I just downloaded the latest
krb5-1.7-signed.tar (http://web.mit.edu/kerberos/dist/krb5/1.7/
krb5-1.7-signed.tar) and the configure script is not quite the same as
you have listed.
Instead of:
solaris2.[1-9])
any desktop or server
system you can buy off the shelf these days should be able to handle
it easily.
Ken
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
On Oct 29, 2009, at 18:35, kanevsky_ark...@emc.com wrote:
Can I use capitalization in names used in kerberos domain?
I am bumping into an issue when capital letters are used in domain
but not in the hostname only.
Details below.
Needless to say all sort of other authentication also fails.
On Oct 19, 2009, at 16:55, eightball wrote:
This would be dependent on some configuration macros,
HAVE_PRAGMA_WEAK_REF and NO_WEAK_PTHREADS; can you see which are set
in include/autoconf.h in the build tree? The former should be
defined
(based on tests of the compiler, so it may also
On Oct 15, 2009, at 19:20, Tom Yu wrote:
eightball sthg...@gmail.com writes:
I am having the same problem with Solaris 8 and 9, but not 10. The
output is the same between 8 and 9, so I am just sending 8.
Thanks for your help,
Steve
A comment in k5-thread.h implies that Solaris 10 have a
On Oct 8, 2009, at 02:19, Mohammad, Meraj wrote:
Kerberos 5 release 1.7. I am always getting assertion failure and
program is aborted.
I am not getting a stack trace and i have no idea, how to get stack
trace.
Do you know how to use gdb?
Something like this sequence of commands should work:
On Oct 2, 2009, at 04:57, Remi Ferrand wrote:
I'm working with MIT Kerberos5 1.6.3
I would like to be able to refresh an existing TGT on my local
machine, without using the KDC.
My first idea was to decrypt the TGT, modifying its informations
(start time, end time, renewable time) and
On Sep 16, 2009, at 02:34, suma wrote:
I am running several Kerberos authentications in a multithreaded
application. The application abruptly stopped with the message
Replay I/O operation failed XXX
When would the GSSAPI throw this error. Did the I/O not go through...
It should probably say
On Sep 1, 2009, at 19:30, Markus Moeller wrote:
What does Looping detected ... mean?
#/opt/krb5-1.7/bin/kinit -kt /opt/squid-3.0/etc/HTTP.keytab
HTTP/centos.dom.local
kinit: Looping detected inside krb5_get_in_tkt while getting initial
credentials
The get_in_tkt code goes into a loop when
of bytes that reflect my encrypted key.
- binary write keyblock to new.keytab.
This is not the mechanism Kerberos uses for generating a DES key from
a password and salt. Check RFC 3961, particularly section 6.2.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
, and then both writing the incremented value, causing one
increment to be lost).
So, in short, the current implementation doesn't really support these
fields well at all.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
is trickier to do
with only loose synchronization.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
addresses.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
authentication attempt to ip-addr-1 at that
point. If it can use them, but you can't get new working credentials
for the service at ip-addr-1, that's a different problem
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
here.
Getting it to pay attention to the config file is the first step
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
doesn't tell you where to reach it.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
to use kadmin.local to create them. It'll go
through the KDC database layer and contact the LDAP server directly,
and should (like kadmind) be set up to have write access to the
appropriate LDAP data.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
, but I think the most portable versions require
multithreading support and creation of threads, which capabilities
we're not requiring of the OS and application at present.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
and kdc.conf vs what the
program is looking for. (We made kdc.conf optional at one point --
all the info could go into krb5.conf if you wanted -- and I *think*
that was part of the 1.6 code base, but couldn't swear to it, and
haven't time to check at the moment, sorry...)
--
Ken Raeburn / raeb
will be looked up. If you do specify the KDCs, then SRV records won't
be used; only those KDCs will be used, and they'll be tried in the
order you indicate in the file.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
, and the similarity to the name
of one of the source/object files is accidental.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
it doesn't have to be re-
checked if the script is run again, but if you've switched compilers
that information may be invalid.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
a : \(a\)
Killed
as_expr=false
Sounds like whatever version of 'expr' you're using has problems. Can
you run
expr a : \(a\)
from the command line or does it die? You might also check what
version of expr you're using (Solaris? some GNU package?) and see if
it's broken in some way.
--
Ken
encountered this.
--
Ken Raeburn / raeb...@mit.edu / no longer at MIT Kerberos Consortium
On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
Hi all,
I have the following problem:
We are managing the authentication of several servers with Kerberos.
The
issue lies in the fact that the servers are in different time-zone,
so we
have problem with clock skew errors. Are there any
On Apr 17, 2009, at 05:02, Ken Raeburn wrote:
On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
Hi all,
I have the following problem:
We are managing the authentication of several servers with
Kerberos. The
issue lies in the fact that the servers are in different time-zone,
so we
have
On Mar 19, 2009, at 12:45, matthew.garr...@external.total.com wrote:
DNS both forward and reverse work fine for the Slave KDC
By work fine, do you mean that when you look up
hutch.uk.ad.ep.corp.local you get an address (or more than one), and
when you look up that address, you get back the
On Mar 16, 2009, at 16:50, Tom Anderberg wrote:
I work on a security library that provides access to Kerberos through
GSS-API. We are trying to log Kerberos errors using
gss_display_status. We
have noticed that the same error code can, at different times, produce
either a helpful or an
On Mar 11, 2009, at 14:39, Mathew Rowley wrote:
My problem was actually a typo. In my realm, I had:
database_module = opeldap_ldapconf
Which did not match ‘opeNldap_ldapconf’
Thanks for the followup.
It would definitely be better if we printed a more informative message
about this,
On Mar 9, 2009, at 12:23, Santos wrote:
BTW, dns_lookup_realm doesn't seem to work. It could help my case, if
kerberos queried the NS for TXT records in which I could specify the
realm
in upper case.
I sniffed the DNS queries but no TXT queries. Any idea why?
The TXT records are used for
On Mar 7, 2009, at 21:49, Rainer Laatsch wrote:
The OpenAFS people force a string into their programs at compile
time, no extra flags. Doing e.g. 'strings /usr/vice/etc/afsd | grep
OpenAFS' shows the version. A similar setup for krb5 would suffice;
just propagate the
corresponding item
On Mar 6, 2009, at 13:43, pete...@bigfoot.com wrote:
Is there any way to determine the version of kinit or klist?
I'm afraid not, aside from the krb5-config option you noted.
It's still in our bug database, but hasn't gotten any attention yet. :-(
(I knew it had been reported, but took me a
On Mar 6, 2009, at 18:55, Christopher D. Clausen wrote:
Can the usage message display the current version?
That'd be an idea too... actually, standardizing *all* the usage
messages to do this would be smart.
I just checked in (a little while ago) a patch to add klist -V to
print the version
On Mar 3, 2009, at 08:47, zhaoyang mao wrote:
Can i use one machine as the kdc server and the openldap server?
Certainly, that should work fine.
Some people would suggest, though, that you run different services on
different machines so that an accidental compromise of one doesn't
impact
--
Ken Raeburn, Senior Programmer Analyst
MIT Kerberos Consortium http://www.kerberos.org/
On Feb 23, 2009, at 04:39, Speedo wrote:
I guess this issue had been discussed before: WS-Security negotiates
with Kerberos 5 but uses the session key in a different way from GSS
tokens. Since GSS-API is the public API to access Kerberos 5, is there
any recent progress in enhancing the GSS-API
On Feb 23, 2009, at 19:05, Goo wrote:
That said, I believe the MIT 1.7 release will include an API for
extracting
a session key if there is one, but no earlier release from MIT
will, and I'm
not sure how portable that API will be to other implementations.
Nice to hear that. Do you know
On Feb 22, 2009, at 12:23, David Brown wrote:
kinit: Unable to initialize kerberos login options: Unable to read
Kerberos Login preferences. The file may be missing, inaccessible or
corrupted.
kinit: Error getting initial tickets: Operation not permitted
kinit works if run with sudo, which
On Feb 13, 2009, at 06:23, Lorenzo Costanzia wrote:
Hi everybody,
I'm trying to set up a AFP server with (MIT) Kerberos authentication
and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in
my home network (which uses a private .lan top level domain). The AFP
server works
On Feb 7, 2009, at 23:34, zhangwe...@realss.com wrote:
Dear all. I've installed mit version of kerberos V on my Gentoo Linux
through the package repository (called portage in Gentoo). krlogin
works
but krsh strangely quit with a message I don't understand:
zhangwe...@esmeralda:~$ krlogin
On Feb 3, 2009, at 11:15, Omair Sajid wrote:
Detailed error message from apache error log, we are on red hat
enterprise 5
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client
*.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Tue Feb 03
On Feb 3, 2009, at 14:48, matthieu wrote:
I'm currently writing a kerberized daemon and would like to disable
replay cache. I'm using krb5-1.6.1 (RedHat 5.2).
I did not find any relevant function in the API. I finally find the
krb5_rc_resolve_full function in the krb5 source code and use it
On Jan 15, 2009, at 09:41, John Hascall wrote:
I think you might want to also change krb5_sendauth() to
call krb5int_net_writev() directly (or yet another helper
function!) since krb5_sendauth() will still be doing two
consecutive writes where it does the two version strings:
Yeah, I missed
On Jan 15, 2009, at 00:40, Randy Turner wrote:
Hi Ken,
Is this problem in the current release? I assume from so since
John's original email didn't specify a release (like 1.6.1).
We may be experiencing something like this occasionally...
Yes, I think it would've been in most of our
On Jan 14, 2009, at 15:22, John Hascall wrote:
I don't recall having seen this discussed on this
list and google doesn't seem to either, so...
I just discovered the hard way that the way that
krb5_sendauth/krb5_recvauth work tickles the nasty
interaction between the TCP NAGLE and DelayedAck
I think this is fixed in the sources now, with revision 21749. If you
want to try out my change, you can get the changes from
http://src.mit.edu/fisheye/changelog/krb5/?cs=21749
... um, when the fisheye server starts updating again. Or off the
anonsvn server.
Ken
Still skimming messages in the thread today, but:
On Jan 13, 2009, at 13:16, Mike Friedman wrote:
I should also mention that during the period of my testing, the
following
messages are scattered through the KDC logs:
o Authentication attempt failed: origin IP address, GSS-API
error
On Jan 8, 2009, at 18:47, Ken Raeburn wrote:
The autoconf-generated configure scripts generally have the ability
to cache configuration information learned from the environment, to
speed up later invocations. The file config.cache will be
generated after a successful invocation, so you
On Jan 8, 2009, at 15:44, Pedro Cavalcante wrote:
Hi everybody
I'm trying to cross compile krb5 for sh4 (STLinux) and i stopped in
this problem: Cannot test for constructor/destructor support when
cross
compiling. My question is: Can I cross compile krb5 for any
platform?
Could you
On Dec 23, 2008, at 03:42, Jeffrey Altman wrote:
Tom Yu wrote:
Has anyone experienced problems due to false positive conditions on
an
application replay cache?
The motivation that Roland and I have for re-working the replay cache
are primarily driven by application replay cache false
On Dec 22, 2008, at 12:06, Mathew Rowley wrote:
I am trying to set up a server for kerberos authentication, but when
I copy
my krb5.conf file over to the server, I get the following error
while trying
to do a kinit:
kinit(v5): Improper format of Kerberos configuration file while
On Dec 19, 2008, at 09:41, Fletcher Cocquyt wrote:
Hi, a recent campus firewall change has caused user's kerberos
logins to hang on
this system. The problem has been isolated to a krb524 attempt
(which used to
swiftly fail - but now tries for 60-90 seconds before failing).
My guess is
On Nov 14, 2008, at 11:42, Robert Marcano wrote:
yes that was the reason, Windows was running on an VM (virtualbox.org)
on my laptop connected to the net using NAT. So this test passed :-),
but I think this will cause me a little trouble on production when a
user is behind of one of those
On Nov 13, 2008, at 12:47, [EMAIL PROTECTED] wrote:
Yes... A, not SRV. Oddly, the exact case of the realm it queries is
mixed, eg: COMPANY.com, instead of COMPANY.COM. The config file only
uses all uppercase for the realm name and all lowercase for the domain
name in the [domain_realm]
On Nov 13, 2008, at 18:22, [EMAIL PROTECTED] wrote:
If by joined to a domain you mean there's a DNS entry associated
with this host, then yes there is... both forward and reverse.
No, I was thinking of Active Directory or Open Directory. I assume
that's what would trigger ODLocate.bundle
On Nov 13, 2008, at 17:55, Robert Marcano wrote:
When a password is expired i have problems to replace it with a new
password on Windows clients:
With kinit:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting
On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
How can I destroy expired tickets?
They're useless at best, and in some cases they're positively harmful
(their presence prompts `ssh' to contact the KDC to try and delegate
credentials, which is a waste if the tickets are expired, and is
On Oct 19, 2008, at 11:45, [EMAIL PROTECTED] wrote:
Is there a way on UNIX kerberos to only have the thing listen on one
interface or IP address, instead of listening on all ips with port 88.
Not in MIT's current implementation, no.
Ken
Kerberos
On Oct 13, 2008, at 12:23, Paul Moore wrote:
Which bugs is this article referring to
http://news.zdnet.co.uk/security/0,100189,39165276,00.htm
Kerberos harbours critical flaws
The network-authentication technology can leave
On Sep 11, 2008, at 13:03, Victor Sudakov wrote:
Colleagues,
Is there a way to configure a Kerberos client to use TCP for obtaining
tickets, other than explicitly listing all KDC's in krb5.conf with
the tcp prefix?
I want to be able to prefer TCP transport and still retain the
possibility
On Aug 13, 2008, at 07:55, E. Braun wrote:
Is this the expected behaviour, that the root user of a client (the
user has
no interactive access to the Kerberos and AFS servers) can use a
copy of the
credentials cache for getting an afs token?
Yes. Finding a place where the superuser
On Aug 2, 2008, at 06:03, kisito wrote:
In the operation of the Kerberos protocol, why Authentication
Server , when
delivering the TGT, does not directly issued the service ticket? (so
I do
not see why have complicated the protocol by introducing the TGS)
If you're going to contact a
On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote:
Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If
I go
through the method above then I have to enter the 400 entries
separately for
the services in AMIT.ABHI.COM. Also I cannot write abhi.com =
AMIT.ABHI.COM
or
On Jul 15, 2008, at 11:21, Klaus Heinrich Kiwi wrote:
I'd like to know what are the supported methods of usage if I have to
use two or more KDC instances with one LDAP directory. I can see a
couple of scenarios but I'm not really sure what is the supported
way of
dealing with them. For
On Jul 8, 2008, at 11:25, [EMAIL PROTECTED] wrote:
I need to initialize multiple krb5_context's in a multi-threaded
program
and each context *must* be initialized from a different config file.
krb5_init_context() seems to read config from /etc/krb5.conf or the
file
pointed to by
On Jul 8, 2008, at 10:53, Klaus Jensen wrote:
I'm working on using a script to change the password for a given
principal.
The resulting command line is something like this:
kadmin -k -t keytapfile -p host/host.foobar -q cpw -pw
somepassword [EMAIL PROTECTED]
When somepassword contains
On Jun 27, 2008, at 11:17, Simo Sorce wrote:
this statement is interesting, how are TXT records insecure?
If a forged TXT RR is received, the client may be told the server is
in a different realm. That realm may have been compromised by an
attacker, and cross-realm authentication to it
On Jun 27, 2008, at 11:51, Simo Sorce wrote:
Thanks, the explanation there makes a lot of sense, but reading
through
the lines it probably would not affect the original poster security,
because the insecurity of the TXT record is exploitable only in
case a
trusted realm is compromised
On Jun 23, 2008, at 09:03, Simo Sorce wrote:
Is there a specific reason why the database layer has not been
abstracted appropriately ? Any chance we can work to fix these
problems
and come up with a better schema ?
Mostly lack of resources/priority/motivation/etc I guess; certainly no
On Jun 17, 2008, at 07:57, Klaus Heinrich Kiwi wrote:
On Mon, 2008-06-16 at 23:38 -0400, Ken Raeburn wrote:
I suspect there are several LDAP schemas we could do a better job of
supporting and integrating with...
And what, in your opinion, would be the better approach to accomplish
this task
On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
I believe that the meaning of allow_tix should be altered such that
it only applies to the client
in a TGS or AS request. This would permit -allow_tix to be applied
to a service principal
and ensure that no client ticket requests can be
On Jun 16, 2008, at 19:00, Klaus Heinrich Kiwi wrote:
Is there a better description of what's in the tl_data structure? I
saw
some #defines in the kdb_ldap.h header file but couldn't correlate to
anything just by looking at their names. Also, looks like this tl_data
structure has a function
On Jun 16, 2008, at 22:58, Klaus Heinrich Kiwi wrote:
thank you for your explanation. I'm still a bit confused about how KDC
uses the TL data at the same time the KDB LDAP plugin also has some
specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData'
accommodate any kind of
On Jun 9, 2008, at 04:52, Savitha R wrote:
On Sat, Jun 7, 2008 at 1:46 AM, in message
[EMAIL PROTECTED], Klaus Heinrich Kiwi
[EMAIL PROTECTED] wrote:
Hi,
I have some questions regarding how data is organized when using the
LDAP KDB plugin for a realm. I hope this is the right place to ask.
On Jun 4, 2008, at 09:11, Tadoori (EXT), Vilas wrote:
I have written an GSSAPI server application and the kerberos is MIT
V5.
When I run my application on the sun solaris I get the following
message
I have checked that the kerberos is running or not, and I see that
kerberos is running
On May 29, 2008, at 22:22, Michael B Allen wrote:
Is there a reference anywhere that outlines the different password
salting methods used by different KDCs?
There are RFCs 3961, 3962, and 4757, which outline how salt strings
are incorporated in the string-to-key conversion function for each
included by an operating
system vendor, it may or may not be recent enough to have the LDAP
support, and the LDAP support may or may not have been compiled...
--
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium