of an expired, but renewable and
within-renewable-period ticket.
Is that expected, and is the above comment now a doc-bug?
Thanks
Brett
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Kevin
--
Kevin Coffman
Office of Enabling Technologies
Medical School Information Services Learning Program
University of Michigan Medical School
517 917 0592
On Tue, Sep 18, 2012 at 5:00 PM, Matt Garman matthew.gar...@gmail.com wrote:
On Tue, Sep 18, 2012 at 3:20 PM, Frank Cusack fr...@linetwo.net wrote:
Since you are initializing the ccache in the crontab itself, first of all
make sure your kinit command is placing the ccache in the correct (for
2011/5/26 Greg Hudson ghud...@mit.edu:
On Thu, 2011-05-26 at 04:58 -0400, Bjørge Solli wrote:
I have a situation when testing our brand new NetApp (NAS) as NFS4+krb5
home dirs. Tickets from our KDC disappears, but seems to have no effect
on usage, and then appears again by itself after some
I'm sure this is better asked on an NFS or Linux list, rather than Kerberos.
Check to see if all the required kernel modules are loaded.
(rpcsec_gss_krb5 in particular)
K.C.
On Sun, May 15, 2011 at 1:15 PM, Sascha ml...@xtc4nrg.com wrote:
Hi,
I am using Ubuntu 11.04 with three KVM and three
preauth data types after sorting: 19
salt len=-1; preauth data types: 19
etype info 0: etype 18 salt len=-1
trying modules for pa_type 19, flag 2
[root@client bin]#
Attached are a bunch of information that may help.
Thanks again for your help.
P
On 31/03/2011 16:44, Kevin Coffman wrote
=0x93763b4 fe80::20f:1fff:feba:2e13%eth0
netmask=0x93763d8 :::::
}
krb5kdc: starting...
On 04/04/2011 17:34, Kevin Coffman wrote:
It doesn't appear that the KDC is offering PKINIT as a
pre-authentication option (pa_types 15,16,17,18). I believe the KDC's
certificate looks
On 04/04/2011 17:52, Kevin Coffman wrote:
I don't see any attempt at initializing pkinit. Is the plugin there?
On Mon, Apr 4, 2011 at 11:39 AM, JAKOBI Pascal
pascal.jak...@thalesgroup.com wrote:
Here you go...
[root@serveur sbin]# ./krb5kdc -n
stat(/usr/local/lib/krb5/plugins/kdb/db2
On Thu, Mar 31, 2011 at 7:28 AM, JAKOBI Pascal
pascal.jak...@thalesgroup.com wrote:
Hi there
I need help in order to get PKINIT working on Fedora 14.
I have a running kerberos server with krb-server, krb-server-ldap and so
on (1.8.2).
I also have installed krb5-pkinit-openssl.
The stuff
On Wed, Jan 19, 2011 at 2:02 PM, Orion Poplawski or...@cora.nwra.com wrote:
Matt Kinni mkinni at calpoly.edu writes:
Hello, I'm trying to get kerberized nfs working on Fedora 14 server/client.
Other kerberized services work properly, just not nfs.
: qword_eol: fflush failed: errno 38
On Fri, Sep 17, 2010 at 12:59 PM, Nicolas Segoviano
nicolas.segovi...@gmail.com wrote:
Hi,
I have setup NFS + kerberos my OS is FC13 however when I try connect the NFS
server generates the following error and the connection fails, what am I
missing?
Sep 17 09:49:26 snoopy
Does this help?
http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
K.C.
On Thu, Jul 29, 2010 at 11:22 AM, Bram Cymet bcy...@cbnco.com wrote:
Hi,
I am attempting to get pkinit working. I am using my own custom CA to
generate the certs and I am having a little trouble
-n for nofork
The other command-line options are documented in src/kdc/main.c
On Wed, Jul 28, 2010 at 8:16 PM, Bram Cymet bcy...@cbnco.com wrote:
Hi,
I have recompiled MIT Kerberos, specifically pkinit with debugging
turned on. When I start up the kdc using /usr/local/sbin/krb5kdc it
prints
PKINIT is one of many methods of pre-authentication. Does the KDC
response to the client with Additional pre-authentication required
include PKINIT as an allowed pre-auth method? (You'll probably need a
packet trace to determine this.) If not, there is something wrong
with your KDC setup and it
On Wed, Oct 28, 2009 at 5:33 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:
Hello!
The message at
http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html
warns about using anything but des-cbc-crc for NFS-access on Linux, but
ends with:
RHEL 5 has MIT 1.6, so the problem
On Thu, Aug 27, 2009 at 3:23 PM, Tom Yu t...@mit.edu wrote:
Kevin Coffman k...@citi.umich.edu writes:
Wed, Aug 26, 2009 at 3:21 PM, Tom Yu t...@mit.edu wrote:
Russ Allbery r...@stanford.edu writes:
default_enctypes, maybe?
Possibly... though we do already have default_tkt_enctypes
Wed, Aug 26, 2009 at 3:21 PM, Tom Yu t...@mit.edu wrote:
Russ Allbery r...@stanford.edu writes:
Tom Yu t...@mit.edu writes:
John Harris har...@ucdavis.edu writes:
If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
in the supported_enctypes field, I'm still able to
On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller chan...@antenna.nl wrote:
Hi list,
I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what
I did:
first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2, nfs
mounting from ubuntuhardy2 to
Hi,
You don't say what OS you're dealing with here. Different OS's have
different gssd implementations which have a bearing on the issue.
If Linux is involved, you'll get more help mailing the linux-nfs
mailing list (linux-nfs.vger.kernel.org). If the server is Linux, a
patch has been submitted
On Wed, Mar 4, 2009 at 7:40 PM, Loren M. Lang lor...@alzatex.com wrote:
On Wed, 2009-03-04 at 12:16 -0500, Kevin Coffman wrote:
On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang lor...@alzatex.com wrote:
On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
This symlinks point to missing
On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang lor...@north-winds.org wrote:
I am trying to enable smartcard logins to a MIT Kerberos domain using
the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
-DDEBUG. I
On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang lor...@alzatex.com wrote:
On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
This symlinks point to missing certificates that have nothing to do with
the pki infrastructure I am using, but once I moved the symlinks out of
the way,
On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe
ja...@rampaginggeek.com wrote:
Russ Allbery wrote:
Jason Edgecombe ja...@rampaginggeek.com writes:
We are extending the ticket lifetime for all of the users in our realm
from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
On Fri, Oct 31, 2008 at 1:01 AM, Julio Cesar Parra/Mexico/IBM
[EMAIL PROTECTED] wrote:
Hello.
Does anybody, could help me to determine what could cause the next error (
Unable to obtain initial credentials with the status 0x96c73a44).?
kinit -k krbsvr400/[EMAIL PROTECTED]
Message 0x96c73a44
This sounds like an NFS question? You should ask on the Linux NFS
list: [EMAIL PROTECTED]
On Wed, Jul 2, 2008 at 2:21 AM, KJ, Latesh [EMAIL PROTECTED] wrote:
Hi,
On AIX 5.3 Kerberos when I mount a share of NetApp storage from Linux
client having share access as anon=0. Files are created
Are you aware that there are two different flavors of pkinit? There
is the original protocol deployed by Microsoft in Windows 2000
(sometimes referred to as the Draft 9 version because it was
basically the version defined by draft 9 of the RFC) and then the
finalized RFC version (which was
On Tue, Jun 24, 2008 at 1:15 AM, naveen.bn [EMAIL PROTECTED] wrote:
Hi Kevin,
Guide on this , When i use require_preauth for the client and try to send
the AS_REQ with pa-data using the command
kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key naveen
The first AS_REQ will
I don't have an answer to why the cron thing fails. However, running
gssd with -vvv will give a clue toward what credentials caches are
being considered.
I would suggest using a keytab rather than keeping a password around
in a script, file, or wherever you are keeping it now.
You might also
The syntax of the preauth data with padata-type PA_PK_AS_REQ is
defined in section 3.2 of RFC 4556.
You might want to look at Peter Gutmann's dumpasn1 tool
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
You should be able to capture the request packet and feed it to this
tool. (Details left
Normal principals usually don't have an instance. However, there
shouldn't be anything that prevents a principal with an instance from
working.
If your certificates are correctly set up for the two principals, this
might be a bug.
K.C.
On Thu, Jun 12, 2008 at 11:10 AM, naveen.bn
[EMAIL
, CN=Kevin Coffman
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ee:6d:8b:06:d7:af:2d:80:4c:e2:d7:c5:46:2c:
b1:54:bb:b1:74:23:c0:8b:9d:a9:44:30
This means that you are either missing a Subject Alternative Name
(SAN) in your client's certificate, or it doesn't match the principal
name you are trying to authenticate.
By default, the KDC requires that the client certificate has the
id-pkinit-san as defined in rfc4556. If you specify
On Wed, May 28, 2008 at 9:06 AM, naveen.bn [EMAIL PROTECTED] wrote:
Kevin Coffman wrote:
On Tue, May 27, 2008 at 11:09 AM, naveen.bn
[EMAIL PROTECTED] wrote:
-- Forwarded message --
From: naveen.bn [EMAIL PROTECTED]
To: Kevin Coffman [EMAIL PROTECTED]
Date: Tue, 27 May
On Tue, May 27, 2008 at 11:09 AM, naveen.bn
[EMAIL PROTECTED] wrote:
-- Forwarded message --
From: naveen.bn [EMAIL PROTECTED]
To: Kevin Coffman [EMAIL PROTECTED]
Date: Tue, 27 May 2008 15:06:25 +
Subject: Re: problem in sending AS_REQ
Kevin Coffman wrote:
On Mon
On Thu, May 15, 2008 at 12:55 PM, Jeff Blaine [EMAIL PROTECTED] wrote:
If anyone has any idea what I am doing wrong here, please
chime in.
~:barnowl uname -a
SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc
SUNW,Sun-Fire-V240
~:barnowl sudo klist -e -k /etc/krb5.keytab | grep nfs
On Tue, May 13, 2008 at 4:45 AM, Jan Sanders
[EMAIL PROTECTED] wrote:
Russ Allbery wrote:
Jan Sanders [EMAIL PROTECTED] writes:
I am having a little problem here. I am running a KDC on Solaris and a
number of clients on GNU/Linux. For both the KDC and the
Kerberos-Clients I have
On Sun, Mar 16, 2008 at 10:28 PM, Sunil Chandrasekharan
[EMAIL PROTECTED] wrote:
Hello all,
I encountered an issue with UDP size (Error code 52) while working with
kerberos 1.2.7
Many suggests me to go for new version of kerberos 1.3.x .
Please tell me how can i upgrade from kerberos
pilot server scenario under the
KDC domain.
2. why am i geting the error in test machine in another domain with no KDC
and mapping is done for cross domain.
Thanks
Sunil C
Kevin Coffman wrote:
On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair [EMAIL PROTECTED]
wrote:
Hello
On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair [EMAIL PROTECTED] wrote:
Hello all,
i am Sunil C. i have a domain named xx.com which has a KDC.
i also have a domain co.yy where my server is. there is no KDC in it.
users are in xx.com domain.
but my servers are in (co.yy) domain.
i had
On Thu, Feb 28, 2008 at 2:01 PM, Phil Pishioneri [EMAIL PROTECTED] wrote:
In testing Vista SP1 in our Windows AD Forest (in which account are
mapped to our MIT realm), I believe that we're seeing the same problem
that was reported on the Heimdal mailing list in October 2007; see the
thread
On Fri, Feb 15, 2008 at 12:43 AM, Victor Sudakov
[EMAIL PROTECTED] wrote:
Steven Miller wrote:
What could be the reason that I cannot telnet from
FreeBSD to Solaris 10
with the following error:
Connected to oracle.sibptus.tomsk.ru.
Escape character is '^]'.
[
On Jan 17, 2008 6:51 PM, Listbox [EMAIL PROTECTED] wrote:
Now I'm trying to figure out why
Key version number for principal in key table is incorrect
Even after I remove the keys for my principal from my keytab file, then
re-add them
Adding a new keytab entry bumps the key version
The latest versions of rpc.gssd look at file ownership rather than the
name. (It does narrow the field by looking for krb5cc_*, then
looking at file ownership.) This change went into nfs-utils-1.0.11.
Unfortunately, gssd has no access to the user's environment variables
and cannot use that to
On Jan 15, 2008 3:19 PM, Douglas E. Engert [EMAIL PROTECTED] wrote:
Ken Hornstein wrote:
That is what DCE did. The PAG number was part of the cache name in
a well-known location.
I don't want the cache in a well known location. I want to tell the OS
or some utility, Hey, here's my
On Jan 7, 2008 11:15 AM, Douglas E. Engert [EMAIL PROTECTED] wrote:
Jason D. McCormick wrote:
Douglas E. Engert wrote:
Why are you using DES? All the newer Kerberos can use ArcFour. So try
ktpass without the crypto option.
Do you know if the Linux NFSv4 stuff can use ArcFour? I've
On Nov 14, 2007 5:45 PM, Edward Beuerlein [EMAIL PROTECTED] wrote:
Hello,
I am working to upgrade our complete kerberos infrastructure to 1.6 from
1.4.4, however I have run into a problem in that the patch that created
krep has not been worked on since 1.4.4. Is anyone using krep on 1.6
and
McGovern
On Thu, 2007-11-08 at 13:30, Kevin Coffman wrote:
On 11/8/07, Anthony McGovern [EMAIL PROTECTED] wrote:
[EMAIL
PROTECTED]:/home/tssgtestbox/Kerberos/krb5-1.6.3/src/kadmin/dbutil#
./kdb5_util create -r tssg.org -s
Loading random data
Initializing database '/krb5/var
On 11/8/07, Anthony McGovern [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED]:/home/tssgtestbox/Kerberos/krb5-1.6.3/src/kadmin/dbutil#
./kdb5_util create -r tssg.org -s
Loading random data
Initializing database '/krb5/var/krb5kdc/principal' for realm
'tssg.org',
master key name 'K/[EMAIL
On 11/2/07, Manoj Mohan [EMAIL PROTECTED] wrote:
Hi,
I am new to kerberos world.. so forgive my noviceness
I have a KDC running on linux and my client server are also on linux.. After
registering the user principals and service principals when client is
connecting to server, I can see
On 11/2/07, Manoj Mohan [EMAIL PROTECTED] wrote:
Thanks Kevin.. that suggestion helped a lot!!
when I did ktutil of my keytab file.. I had 2 entries (with KVNO 2)...
I deleted the file and recreated it with ktadd but with -e option to add
only one
encryption type and then the
On 10/16/07, Ido Levy [EMAIL PROTECTED] wrote:
Hello All,
We are trying to understand the behavior of a system that support automount
by NFSv4 with security flavor krb5.
We have both Linux and AIX clients and when logging to these clients as the
root user we have noticed that:
1) From the
On 10/13/07, Roberto C. Sánchez [EMAIL PROTECTED] wrote:
Hello,
I have encountered some weirdness with machine credentials (I think).
Maybe someone can explain what is happening.
Here is my configuration:
server1: exports user home directories via NFS using gss/krb5p
server2: is the KDC
On 9/21/07, Jeffrey Altman [EMAIL PROTECTED] wrote:
John Harris wrote:
Greetings,
Does MIT's current implementation of the Kerberos KDC include
incremental propagation? I know it didn't a long time ago, then there
were CITI patches for it, then those didn't work for awhile. I don't
On 9/21/07, John Hascall [EMAIL PROTECTED] wrote:
John Harris wrote:
Does MIT's current implementation of the Kerberos KDC include
incremental propagation? I know it didn't a long time ago, then there
were CITI patches for it, then those didn't work for awhile. I don't
seem to be
On 12 Aug 2007 16:27:22 +0530, Chittaranjan Mandal
[EMAIL PROTECTED] wrote:
Hi,
I am trying to setup kerberos, but I am getting the above problem.
My krb5.conf file is attached. Could you please help.
I had run the following commands.
# kdb5_util create -r chitta.cse.krb -s
# kadmin.local
On 13 Aug 2007 20:49:36 +0530, Chittaranjan Mandal
[EMAIL PROTECTED] wrote:
On Mon, 2007-08-13 at 09:38 -0400, Kevin Coffman wrote:
On 12 Aug 2007 16:27:22 +0530, Chittaranjan Mandal [EMAIL PROTECTED]
wrote:
I am trying to setup kerberos, but I am getting the above problem.
My krb5
On 4/23/07, Vipin Rathor [EMAIL PROTECTED] wrote:
hi all,
My questions:
1. Is this an expected behavior?
2. Is this happening because of '-randkey'? (since not specifying
-randkey
gave proper Password expiration date.)
It probably is happening because of -randkey, although I think
On 4/23/07, Nicolas Williams [EMAIL PROTECTED] wrote:
On Mon, Apr 23, 2007 at 11:27:22AM -0400, Kevin Coffman wrote:
I haven't looked at the code, but I think this is probably done on
purpose and is not a bug. When you create a keytab, you create a new
random key for the account
On 2/13/07, LukePet [EMAIL PROTECTED] wrote:
Then I have deleted the krb5.keytab file
after I have executed these instructions:
[EMAIL PROTECTED]:~$ sudo kadmin -p krbadm/admin
kadmin: ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it
now I have this situation:
[EMAIL PROTECTED]:~$ sudo
On 2/10/07, Computer Service [EMAIL PROTECTED] wrote:
There are links on the web that report Kerberos as being spyware.
Anyone there know the truth ?
Thanks
James
Are you referring to this:
http://mailman.mit.edu/pipermail/kerberos/2006-August/010390.html
(The first hit from googling
Why pam is not getting you credentials may be applicable on this list.
However, the part about nfs access failing after getting credentials
is an nfs question. Please send a follow-up to
[EMAIL PROTECTED] with the output of running rpc.gssd with the
-vvv option.
K.C.
On 2/8/07, Jim Davis
On 2/2/07, Quanah Gibson-Mount [EMAIL PROTECTED] wrote:
Any thoughts on why identical setups aren't working much appreciated.
One other detail since I first sent this out -- My home system will now not
allow me to become the member of a domain, either.
Have you ruled out a firewall or some
On 2/2/07, Quanah Gibson-Mount [EMAIL PROTECTED] wrote:
Principal: host/[EMAIL PROTECTED]
Expiration date: [never]
Last password change: Thu Jun 29 11:16:19 PDT 2006
Password expiration date: [none]
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified:
This doesn't really answer your question, but you should not be
running kadmind on the slave machine anyway. kadmind should run only
on the master (admin_server) machine. This may be what that error
message is trying to tell you?
K.C.
On 10/17/06, chechu chechu [EMAIL PROTECTED] wrote:
Hi¡
This is probably best discussed on [EMAIL PROTECTED]
(http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4)
Enabling verbose output from rpcgssd (-vvv) on the linux client might
give a hint to the problem.
K.C.
On 10/12/06, Keagle, Chuck [EMAIL PROTECTED] wrote:
Here is one we would like to
Hi Erich,
How did you create the keytab for the NFS server? The key version
number in that keytab must match the key version number for the server
principal in the KDC.
The key version displayed for nfs/[EMAIL PROTECTED] with
klist -e -k -t /etc/krb5.keytab should match the key version
displayed
, and the solarisclient has
KVNO version 16? Am I reading that right? And if yes, what can I do to
fix it? (I hope there is something, anything, that I can do... :).
ciao, erich
Kevin Coffman wrote:
Hi Erich,
How did you create the keytab for the NFS server? The key version
number
On 6/19/06, Erich Weiler [EMAIL PROTECTED] wrote:
Your nfs server's keytab has kvno 5. You need to do the getprinc on
that same principal to see what the key version number is in the KDC.
(Your klist shows principal nfs/[EMAIL PROTECTED], but the
getprinc output is for nfs/[EMAIL
Doug Levy wrote:
I'm running the Leash client Version 2.6.3.20040525 to authenticate to
Kerberos 5. The authentication process runs very quickly both from work
and anywhere I travel (laptop, hotels, wireless, wired, etc.). However,
whenever I authenticate from home via my ISP cable
Fredrik,
I'm working on this in conjunction with Linux nfs-utils changes. As
it turns out, actually storing the ccache in the kernel keyring is not
*the* answer for NFS. It is helpful when process- or thread-level
credentials are needed for NFS access.
The essential thing the keyring will hold
Keep in mind that http://www.citi.umich.edu/projects/nfsv4/crossrealm/
is experimental. I'm interested in problems you have with ldap v2
though.
So are you saying that you are now using pam_krb5 for login
authentication? (What does your pam config file look like?)
You should contact [EMAIL
On 1/19/06, Luke Howard [EMAIL PROTECTED] wrote:
What are the current thoughts on automatically renewing Kerberos credentials
for long-lived sessions, particularly with respect to NFSv4 (where the user
experience could be adversely affected)?
It seems that Solaris has kwarnd, which can both
We started with a patch that assumed all referrals would go to one place.
We had a need to send referrals to either a test Windows forest or a
production forest. That is where the [domain_referral] stuff came
from. Then we found that some requests were coming in without
fully-qualified names,
On 11/9/05, Mike Friedman [EMAIL PROTECTED] wrote:
On Wed, 9 Nov 2005 at 15:36 (-0500), Kevin Coffman wrote:
Our patches are here:
http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
The page will be updated soon with a patch
On 11/9/05, Josh Howlett [EMAIL PROTECTED] wrote:
Kevin Coffman wrote:
We started with a patch that assumed all referrals would go to one place.
We had a need to send referrals to either a test Windows forest or a
production forest. That is where the [domain_referral] stuff came
from
I would suspect a simple error in the configuration of your local
realm in /etc/krb5.conf, or a DNS issue.
Can you post your /etc/krb5.conf ?
On 10/26/05, yi zeng [EMAIL PROTECTED] wrote:
Hi, there,
I set up a MIT Kerberos 5 master kdc on a pc in a private domain. I have
/etc/hosts mapping
Hello,
Is there any method of extracting the Kerberos key from a GSS ticket?
Microsoft sends the Kerberos ticket (SPNEGO over http) using the GSS
methods. If one attempts to handle the internal Kerberos ticket
information (such as the case of the PAC data) he will have to use the
Message-
From: Kevin Coffman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 5:15 PM
To: Claus Lund
Cc: kerberos@mit.edu; Kevin Coffman
Subject: Re: Network address resolution problem on AIX
I have struggled with this for almost two days now and I just
can't seem
I have struggled with this for almost two days now and I just can't seem to
get past this hurdle... Hopefully somebody out there will say: Duh, you're
doing XYZ wrong!.
I keep getting a kinit(v5): Cannot resolve network address for KDC in
requested realm while getting initial credentials
On Tue, Jul 05, 2005 at 01:48:54PM -0700, Phil Dibowitz wrote:
from kadmin, great (though is that no salt supposed to be there?)!
However, klist -e shows:
[EMAIL PROTECTED] unstale]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: [EMAIL PROTECTED]
Jeffrey == Jeffrey Altman [EMAIL PROTECTED] writes:
Jeffrey peter huang wrote:
Can someone tell me how to fix this error? this error came
from curl using --negotiate option on a window platform using
MSLSA: as ccache (AD is the KDC in this case). the client is
I'll assume we are dealing with a Linux NFS client here. The problem
is that the Linux kernel code currently (still) only supports
des-cbc-crc. However, if the nfs service principal is set up correctly
(with only a des key), there should be no need to restrict the enctypes
in krb5.conf.
This probably isn't the list for this question, but from the Linux
view, you set up a NFSv3 mount the same as a v4 mount except the fstype
is nfs instead of nfs4.
See http://linux-nfs.org/pipermail/nfsv4/2005-February/001081.html
Any further questions should go to [EMAIL PROTECTED]
A brief
and now after the kinit
here is the klist :
Ticket cache: FILE:/tmp/krb5cc_596_yE9M3i
Default principal: [EMAIL PROTECTED]
Valid starting     Expires            Service principal
12/01/04 14:21:05 12/02/04 00:21:05 krbtgt/[EMAIL PROTECTED]
renew until 12/01/04 14:21:05
1)
Also check the properties on the client and service principals
(including the krbtgt principals). I forget whether max renewable
lifetime is one of them, but if it is, it would be set when the
principal is created or when you use modprinc in kadmin, and the
config file specifications
-Original Message-
From: Phil Dibowitz [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 4:51 PM
To: Kevin Coffman
Cc: [EMAIL PROTECTED]
Subject: Re: Renewable Tickets
On Mon, Oct 25, 2004 at 04:46:21PM -0400, Kevin Coffman wrote:
Also check the properties on the client
Hi Derek,
I have a few questions, and then I can generate a new keytab for your
afs/umd.umich.edu principal. You will then need to run the asetkey program
to copy the key out of the keytab and into your KeyFile. You'll need a copy
of the asetkey program, hence the questions:
1) What OS platform
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Wyllys Ingersoll
Sent: Friday, October 08, 2004 9:34 AM
To: Rob J Meijer
Cc: [EMAIL PROTECTED]
Subject: Re: Portability, RPC and kerberos v5?
Rob J Meijer wrote:
I'm currently working on the
lyzhang == Lynn Zhang [EMAIL PROTECTED] writes:
lyzhang The kadmin from 1.2.8 wrote information to the log,
lyzhang Sep 17 17:02:47 Request: kadm5_init, admabcd/[EMAIL PROTECTED]
U,
lyzhang success,
lyzhang client=admabcd/[EMAIL PROTECTED], service=kadmin/[EMAIL PROTECTED]
ICH.EDU,
One of my tester's Solaris 8 Kerberos clients is sending Kerberos 4
requests (req's on port 750 anyway). Another solaris 8 machine is
doing port 88 requests.
Any suggestions why?
Is /etc/services different on the two machines?
Kerberos
I'm seeing a similar problem as reported below testing a heimdal client
with nfsv4. I'm always getting a des-cbc-md4 session key which our
kernel code doesn't like. Should these settings in /etc/krb5.conf (on
the client machine only) limit the enctypes requested in the TGS
request? (This is
Ignore me. I wasn't restarting my client between changes of krb5.conf.
After restarting the client, it seems to be honoring the config file
options and negotiating a des-cbc-crc service ticket.
[EMAIL PROTECTED] gssapi]$ /usr/heimdal/bin/klist -v
Credentials cache:
= TEST.COM
I've tried but it didn't work. Well, just want to
confirm with you...
Thank you once again,
lara
--- Kevin Coffman [EMAIL PROTECTED] wrote:
We needed this referral support in our environment
(using an MIT KDC
for initial authentication to Windows). We started
with a patch
I saw your message this morning about extracting a keytab remotely.
I'm not clear on exactly what you are trying to do, but a way to invoke
kadmin from a machine that has a different default realm is to use:
% kadmin -p [EMAIL PROTECTED] -r OTHER.REALM
Otherwise, with just -p admin it assumes
We needed this referral support in our environment (using an MIT KDC
for initial authentication to Windows). We started with a patch
reported to have originated at Microsoft. It simply sent all referrals
off to a domain specified in krb5.conf. We needed to support two
Windows forests so we
Mahai,
There is a -e option to the ktadd command to limit the keys generated
for the principal (and placed in the keytab file).
You want to do something like:
kadmin ktadd -e des-cbc-crc:normal your/[EMAIL PROTECTED]
K.C.
Mahai,
I am not familiar with the ktadd utility that exports two
Our realm has 43,000+ principals so for us, it's a big deal. :) We have
slaves not only for redundancy, but also for load balancing. We don't want
all the users on our campus authenticating or changing passwords against
just one machine.
I'll see your 43,000 principals and raise you
Russ Allbery [EMAIL PROTECTED] write:
kevin mcgowan [EMAIL PROTECTED] writes:
With kx.509, users have the power to never send their Kerberos password
over the network -- translating desktop single sign-on to the web.
Cosign uses no domain cookies, allows users to logout of all cosign
Russ Allbery wrote:
Kevin Coffman [EMAIL PROTECTED] writes:
Our answer to the proxy issue when certificates are used for
authentication is Kerberized Credentials Translation (KCT). The web
server captures the SSL handshake between itself and the client,
forwards that handshake
Is the kadmind running? (kadmin.local will work fine w/o kadmind running.)
Does your krb5.conf file point to the right host for admin_server for your
realm?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Marcel Lehner
Sent: Wednesday, February 18, 2004