> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Kevin Coffman
Learning Informatics,
Enabling Technologies,
Medical School Information Services Learning Program
University of Michigan Medical School
517 917 0
und would be to move the host keys to a different keytab file,
> but I'd rather move the nfs key instead.
>
> Cheers,
>
> Jaap
>
On Tue, Sep 18, 2012 at 5:00 PM, Matt Garman wrote:
> On Tue, Sep 18, 2012 at 3:20 PM, Frank Cusack wrote:
>> Since you are initializing the ccache in the crontab itself, first of all
>> make sure your kinit command is placing the ccache in the correct (for gssd)
>> location. If that's fine (log
2011/5/26 Greg Hudson :
> On Thu, 2011-05-26 at 04:58 -0400, Bjørge Solli wrote:
>> I have a situation when testing our brand new NetApp (NAS) as NFS4+krb5
>> home dirs. Tickets from our KDC disappears, but seems to have no effect
>> on usage, and then appears again by itself after some time. We do
I'm sure this is better asked on an NFS or Linux list, rather than Kerberos.
Check to see if all the required kernel modules are loaded.
(rpcsec_gss_krb5 in particular)
K.C.
On Sun, May 15, 2011 at 1:15 PM, Sascha wrote:
> Hi,
> I am using Ubuntu 11.04 with threes KVM and three virtual servers
1.8.3).
>
> Thxs
> P
>
>
> On 04/04/2011 17:52, Kevin Coffman wrote:
>
> I don't see any attempt at initializing pkinit. Is the plugin there?
>
> On Mon, Apr 4, 2011 at 11:39 AM, JAKOBI Pascal
> wrote:
>> Here you go...
>>
>>
>>
ddr=0x93762c4 10.222.145.255
> }
> 0x93762fc={
> name=lo
> flags=10049
> addr=0x9376318 ::1
> netmask=0x937633c :::::::
> }
> 0x9376398={
> name=eth0
> flags=11043
> addr=0x93763b4 fe80::20f:1fff:feba:2e13%eth0
s for pa_type 19, flag 2
> [root@client bin]#
>
> Attached are a bunch of information that may help.
>
> Thanks again for your help.
> P
>
>
>
> On 31/03/2011 16:44, Kevin Coffman wrote:
>
> On Thu, Mar 31, 2011 at 7:28 AM, JAKOBI Pascal
> wrote:
>>
On Thu, Mar 31, 2011 at 7:28 AM, JAKOBI Pascal
wrote:
> Hi there
>
> I need help in order to get PKINIT working on Fedora 14.
> I have a running kerberos server with krb-server, krb-server-ldap and so
> on (1.8.2).
> I also have installed krb5-pkinit-openssl.
>
> The stuff works like a charm when
On Wed, Jan 19, 2011 at 2:02 PM, Orion Poplawski wrote:
> Matt Kinni calpoly.edu> writes:
>
>> Hello, I'm trying to get kerberized nfs working on Fedora 14 server/client.
>> Other kerberized services work properly, just not nfs.
>>
>
>> : qword_eol: fflush failed: errno 38 (Function not implement
On Fri, Sep 17, 2010 at 12:59 PM, Nicolas Segoviano
wrote:
> Hi,
>
>
> I have setup NFS + kerberos my OS is FC13 however when I try connect the NFS
> server generates the following error and the connection fails, what am I
> missing?
> Sep 17 09:49:26 snoopy rpc.svcgssd[25295]: prepare_krb5_rfc41
Does this help?
http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
K.C.
On Thu, Jul 29, 2010 at 11:22 AM, Bram Cymet wrote:
> Hi,
>
> I am attempting to get pkinit working. I am using my own custom CA to
> generate the certs and I am having a little trouble generating a correct
>
"-n" for nofork
The other command-line options are documented in src/kdc/main.c
On Wed, Jul 28, 2010 at 8:16 PM, Bram Cymet wrote:
> Hi,
>
> I have recompiled MIT Kerberos, specifically pkinit with debugging
> turned on. When I start up the kdc using /usr/local/sbin/krb5kdc it
> prints out the f
PKINIT is one of many methods of pre-authentication. Does the KDC
response to the client with "Additional pre-authentication required"
include PKINIT as an allowed pre-auth method? (You'll probably need a
packet trace to determine this.) If not, there is something wrong
with your KDC setup and i
On Tue, Feb 16, 2010 at 1:30 AM, vinay kumar wrote:
> Hi all,
>
> I am implementing PKINIT. My krb5.conf and kdc.conf are as follows
>
> *krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log
On Wed, Oct 28, 2009 at 5:33 PM, Mikhail T. wrote:
> Hello!
>
> The message at
>
> http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html
>
> warns about using anything but des-cbc-crc for NFS-access on Linux, but
> ends with:
>
> RHEL 5 has MIT 1.6, so the problem shouldn't exist
On Thu, Aug 27, 2009 at 3:23 PM, Tom Yu wrote:
> Kevin Coffman writes:
>
>> Wed, Aug 26, 2009 at 3:21 PM, Tom Yu wrote:
>>> Russ Allbery writes:
>
>>>> default_enctypes, maybe?
>
>>> Possibly... though we do already have "default_tkt
Wed, Aug 26, 2009 at 3:21 PM, Tom Yu wrote:
> Russ Allbery writes:
>
>> Tom Yu writes:
>>> John Harris writes:
>>
If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
in the supported_enctypes field, I'm still able to create the
des-cbc-crc:normal service princ
On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller wrote:
>
>
> Hi list,
>
>
>
> I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what
> I did:
>
> first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2, nfs
> mounting from ubuntuhardy2 to ubuntuhardy1 witho
Hi,
You don't say what OS you're dealing with here. Different OS's have
different gssd implementations which have a bearing on the issue.
If Linux is involved, you'll get more help mailing the linux-nfs
mailing list (linux-nfs.vger.kernel.org). If the server is Linux, a
patch has been submitted t
On Wed, Mar 4, 2009 at 7:40 PM, Loren M. Lang wrote:
> On Wed, 2009-03-04 at 12:16 -0500, Kevin Coffman wrote:
>> On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang wrote:
>> > On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
>> >> >
>> >> > &g
On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang wrote:
> On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
>> >
>> > > This symlinks point to missing certificates that have nothing to do with
>> > > the pki infrastructure I am using, but once I moved the symlinks out of
>> > > the way, kinit
On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang wrote:
> I am trying to enable smartcard logins to a MIT Kerberos domain using
> the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
> stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
> -DDEBUG. I have a server certi
On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe
wrote:
> Russ Allbery wrote:
>> Jason Edgecombe writes:
>>
>>
>>> We are extending the ticket lifetime for all of the users in our realm
>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>> "modprinc -maxlife 7day u...@realm.
On Fri, Oct 31, 2008 at 1:01 AM, Julio Cesar Parra/Mexico/IBM
<[EMAIL PROTECTED]> wrote:
> Hello.
>
> Could anybody help me to determine what could cause the next error (
> Unable to obtain initial credentials with the status 0x96c73a44)?
>
> kinit -k krbsvr400/[EMAIL PROTECTED]
> Message 0x
This sounds like an NFS question? You should ask on the Linux NFS
list: <[EMAIL PROTECTED]>
On Wed, Jul 2, 2008 at 2:21 AM, KJ, Latesh <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> On AIX 5.3 Kerberos when I mount a share of NetApp storage from Linux
> client having share access as anon=0. Files are c
Are you aware that there are two different flavors of pkinit? There
is the original protocol deployed by Microsoft in Windows 2000
(sometimes referred to as the "Draft 9 version" because it was
basically the version defined by draft 9 of the RFC) and then the
finalized RFC version (which was somet
I don't have an answer to why the cron thing fails. However, running
gssd with -vvv will give a clue toward what credentials caches are
being considered.
I would suggest using a keytab rather than keeping a password around
in a script, file, or wherever you are keeping it now.
You might also wan
On Tue, Jun 24, 2008 at 1:15 AM, naveen.bn <[EMAIL PROTECTED]> wrote:
>
> Hi Kevin,
>
> Guide on this , When i use require_preauth for the client and try to send
> the AS_REQ with pa-data using the command
> kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key naveen
>
> The first AS_
The syntax of the preauth data with padata-type PA_PK_AS_REQ is
defined in section 3.2 of RFC 4556.
You might want to look at Peter Gutmann's dumpasn1 tool
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
You should be able to capture the request packet and feed it to this
tool. (Details left t
Normal principals usually don't have an instance. However, there
shouldn't be anything that prevents a principal with an instance from
working.
If your certificates are correctly set up for the two principals, this
might be a bug.
K.C.
On Thu, Jun 12, 2008 at 11:10 AM, naveen.bn
<[EMAIL PROTECT
CITI Production KCA, CN=Kevin Coffman
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ee:6d:8b:06:d7:af:2d:80:4c:e2:d7:c5:46:2c:
b1:54:bb:b1:74:23:c0
This means that you are either missing a Subject Alternative Name
(SAN) in your client's certificate, or it doesn't match the principal
name you are trying to authenticate.
By default, the KDC requires that the client certificate has the
id-pkinit-san as defined in rfc4556. If you specify "pkinit
On Wed, May 28, 2008 at 9:06 AM, naveen.bn <[EMAIL PROTECTED]> wrote:
> Kevin Coffman wrote:
>
> On Tue, May 27, 2008 at 11:09 AM, naveen.bn
> <[EMAIL PROTECTED]> wrote:
>
>
> -- Forwarded message --
> From: "naveen.bn" <[EMAIL
On Tue, May 27, 2008 at 11:09 AM, naveen.bn
<[EMAIL PROTECTED]> wrote:
>
>
>
> -- Forwarded message --
> From: "naveen.bn" <[EMAIL PROTECTED]>
> To: Kevin Coffman <[EMAIL PROTECTED]>
> Date: Tue, 27 May 2008 15:06:25 +
> Su
On Thu, May 15, 2008 at 12:55 PM, Jeff Blaine <[EMAIL PROTECTED]> wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
>
> ~:barnowl> uname -a
> SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc
> SUNW,Sun-Fire-V240
> ~:barnowl> sudo klist -e -k /etc/krb5.keytab | g
On Tue, May 13, 2008 at 4:45 AM, Jan Sanders
<[EMAIL PROTECTED]> wrote:
> Russ Allbery wrote:
> > Jan Sanders <[EMAIL PROTECTED]> writes:
> >
> >
> >> I am having a little problem here. I am running a KDC on Solaris and a
> >> number of clients on GNU/Linux. For both the KDC and the
> >> Kerb
On Mon, Mar 24, 2008 at 5:49 PM, Paul B. Henson <[EMAIL PROTECTED]> wrote:
> On Sat, 22 Mar 2008, [iso-8859-1] Roberto C. Sánchez wrote:
>
> > kadmin: ktadd host/phoenix.physik.unizh.ch
> > kadmin: ktadd -e des-cbc-crc:normal nfs/phoenix.physik.unizh.ch
> >
> > That worked well for me. It
On Sun, Mar 16, 2008 at 10:28 PM, Sunil Chandrasekharan
<[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I encountered an issue with UDP size (Error code 52) while working with
> Kerberos 1.2.7.
> Many suggest that I go for the new version of Kerberos 1.3.x.
>
> Please tell me how can i upgrade from kerb
client with the KDC
> domain xx.com.
>
> Please help me solve this issue .
>
> 1. Why the version problem didn't occur in my pilot server scenario under the
> KDC domain.
> 2. Why am I getting the error in test machine in another domain with no KDC
> and mapping is done
On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair <[EMAIL PROTECTED]> wrote:
>
> Hello all,
>
> I am Sunil C. I have a domain named xx.com which has a KDC.
> I also have a domain co.yy where my server is. There is no KDC in it.
>
> users are in xx.com domain.
>
> but my servers are in (co.yy) domain
On Sat, Mar 1, 2008 at 1:46 AM, Matthew Andrews <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> | Matt,
> | The obvious question is whether your KDC is properly configured for
> | pkinit? Also, is the client configured to require preauthentication?
> | If so, t
On Fri, Feb 29, 2008 at 5:56 PM, Matthew Andrews <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> I initially sent this to krbdev, but in retrospect it probably more
> rightly belongs here.
>
>
> Hello,
>
> I am attempting to set up pkinit authentication with th
On Thu, Feb 28, 2008 at 2:01 PM, Phil Pishioneri <[EMAIL PROTECTED]> wrote:
> In testing Vista SP1 in our Windows AD Forest (in which account are
> mapped to our MIT realm), I believe that we're seeing the same problem
> that was reported on the Heimdal mailing list in October 2007; see the
> th
On Feb 17, 2008 10:10 PM, <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I am receiving a "kint(v5): Password incorrect while getting initial
> credentials" error after entering a password in response to a prompt
> following a kinit command (kinit user/[EMAIL PROTECTED]). I know
> that I am entering the
On Fri, Feb 15, 2008 at 12:43 AM, Victor Sudakov
<[EMAIL PROTECTED]> wrote:
> Steven Miller wrote:
> > >
> > > What could be the reason that I cannot telnet from
> > > FreeBSD to Solaris 10
> > > with the following error:
> > >
> > > Connected to oracle.sibptus.tomsk.ru.
> > > Escape charact
On Jan 27, 2008 10:01 PM, <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I have a simple MIT Kerberos config. One KDC/KAS, a handful of
> client. I have a principal that I'd like to allow 24h expiration
> times on tickets.
>
> My kdc.conf has "max_life = 24h 0m 0s", but if I run "kinit -l 24h", I
On Jan 17, 2008 6:51 PM, Listbox <[EMAIL PROTECTED]> wrote:
>
> Now I'm trying to figure out why
> "Key version number for principal in key table is incorrect"
> Even after I remove the keys for my principal from my keytab file, then
> re-add them
Adding a new keytab entry bumps the key versio
On Jan 15, 2008 3:19 PM, Douglas E. Engert <[EMAIL PROTECTED]> wrote:
>
>
> Ken Hornstein wrote:
> >> That is what DCE did. The PAG number was part of the cache name in
> >> a well known location.
> >
> > I don't want the cache in a "well known location". I want to tell the OS
> > or some utility,
The latest versions of rpc.gssd look at file ownership rather than the
name. (It does narrow the field by looking for "krb5cc_*", then
looking at file ownership.) This change went into nfs-utils-1.0.11.
Unfortunately, gssd has no access to the user's environment variables
and cannot use that to
On Jan 7, 2008 11:15 AM, Douglas E. Engert <[EMAIL PROTECTED]> wrote:
>
>
> Jason D. McCormick wrote:
> > Douglas E. Engert wrote:
> >
> >> Why are you using DES? All the newer Kerberos can use ArcFour. So try
> >> ktpass without the crypto option.
> >
> > Do you know if the Linux NFSv4 stuff can us
On Nov 14, 2007 5:45 PM, Edward Beuerlein <[EMAIL PROTECTED]> wrote:
> Hello,
> I am working to upgrade our complete kerberos infrastructure to 1.6 from
> 1.4.4, however I have run into a problem in that the patch that created
> krep has not been worked on since 1.4.4. Is anyone using krep on 1.6
my kdc.conf and krb5.conf files would that make any
> difference?
>
> Kind Regards
> Anthony McGovern
>
>
>
>
> On Thu, 2007-11-08 at 13:30, Kevin Coffman wrote:
> > On 11/8/07, Anthony McGovern <[EMAIL PROTECTED]> wrote:
> > >
> > > [EMAIL
>
On 11/8/07, Anthony McGovern <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED]:/home/tssgtestbox/Kerberos/krb5-1.6.3/src/kadmin/dbutil#
> ./kdb5_util create -r tssg.org -s
> Loading random data
> Initializing database '/krb5/var/krb5kdc/principal' for realm
> 'tssg.org',
> master key name 'K/[EMAIL
On 11/2/07, Manoj Mohan <[EMAIL PROTECTED]> wrote:
>
>
> Thanks Kevin.. that suggestion helped a lot!!
>
> when I did ktutil of my keytab file.. I had 2 entries (with KVNO 2)...
> I deleted the file and recreated it with ktadd but with -e option to add
> only one
> encryption type and then the
On 11/2/07, Manoj Mohan <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I am new to kerberos world.. so forgive my noviceness
>
> I have a KDC running on linux and my client server are also on linux.. After
> registering the user principals and service principals when client is
> connecting to server, I
On 10/16/07, Ido Levy <[EMAIL PROTECTED]> wrote:
>
> Hello All,
>
> We are trying to understand the behavior of a system that support automount
> by NFSv4 with security flavor krb5.
> We have both Linux and AIX clients and when logging to these clients as the
> root user we have noticed that:
>
> 1
On 10/13/07, Roberto C. Sánchez <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have encountered some weirdness with machine credentials (I think).
> Maybe someone can explain what is happening.
>
> Here is my configuration:
>
> server1: exports user home directories via NFS using gss/krb5p
> server2: i
On 9/21/07, John Hascall <[EMAIL PROTECTED]> wrote:
>
> > John Harris wrote:
> > > Does MIT's current implementation of the Kerberos KDC include
> > > incremental propagation? I know it didn't a long time ago, then there
> > > were CITI patches for it, then those didn't work for awhile. I don't
>
On 9/21/07, Jeffrey Altman <[EMAIL PROTECTED]> wrote:
> John Harris wrote:
> > Greetings,
> >
> > Does MIT's current implementation of the Kerberos KDC include
> > incremental propagation? I know it didn't a long time ago, then there
> > were CITI patches for it, then those didn't work for awhile.
On 13 Aug 2007 20:49:36 +0530, Chittaranjan Mandal
<[EMAIL PROTECTED]> wrote:
> On Mon, 2007-08-13 at 09:38 -0400, Kevin Coffman wrote:
> > On 12 Aug 2007 16:27:22 +0530, Chittaranjan Mandal <[EMAIL PROTECTED]>
> > wrote:
>
> > > I am trying to setup kerbe
On 12 Aug 2007 16:27:22 +0530, Chittaranjan Mandal
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am trying to setup kerberos, but I am getting the above problem.
> My krb5.conf file is attached. Could you please help.
>
> I had run the following commands.
> # kdb5_util create -r chitta.cse.krb -s
> # kadm
On 4/23/07, Nicolas Williams <[EMAIL PROTECTED]> wrote:
> On Mon, Apr 23, 2007 at 11:27:22AM -0400, Kevin Coffman wrote:
> > I haven't looked at the code, but I think this is probably done on
> > purpose and is not a bug. When you create a keytab, you create a new
>
On 4/23/07, Vipin Rathor <[EMAIL PROTECTED]> wrote:
> hi all,
>
> >> My questions:
> >> 1. Is this an expected behavior?
> >> 2. Is this happening because of '-randkey'? (since not specifying
> -randkey
> >> gave proper Password expiration date.)
>
> >It probably is happening because of -randkey,
On 2/13/07, LukePet <[EMAIL PROTECTED]> wrote:
>
> Then I have deleted the krb5.keytab file
>
> after I have executed these instructions:
> [EMAIL PROTECTED]:~$ sudo kadmin -p krbadm/admin
> kadmin: ktadd -k /etc/krb5.keytab host/lukesky.epiluke.it
>
> now I have this situation:
> [EMAIL PROTECTED]:
On 2/10/07, Computer Service <[EMAIL PROTECTED]> wrote:
> There are links on the web that report Kerberos as being spyware.
> Anyone there know the truth ?
> Thanks
> James
Are you referring to this:
http://mailman.mit.edu/pipermail/kerberos/2006-August/010390.html
(The first hit from googling "k
Why pam is not getting you credentials may be applicable on this list.
However, the part about nfs access failing after getting credentials
is an nfs question. Please send a follow-up to
[EMAIL PROTECTED] with the output of running rpc.gssd with the
-vvv option.
K.C.
On 2/8/07, Jim Davis <[EMAI
On 2/2/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>
> Principal: host/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Thu Jun 29 11:16:19 PDT 2006
> Password expiration date: [none]
> Maximum ticket life: 1 day 01:00:00
> Maximum renewable life: 7 days 00:00:00
> Last m
On 2/2/07, Quanah Gibson-Mount <[EMAIL PROTECTED]> wrote:
>
> Any thoughts on why identical setups aren't working much appreciated.
>
>
> One other detail since I first sent this out -- My home system will now not
> allow me to become the member of a domain, either.
Have you ruled out a firewall
This doesn't really answer your question, but you should not be
running kadmind on the slave machine anyway. kadmind should run only
on the master (admin_server) machine. This may be what that error
message is trying to tell you?
K.C.
On 10/17/06, chechu chechu <[EMAIL PROTECTED]> wrote:
> Hi¡
This is probably best discussed on [EMAIL PROTECTED]
(http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4)
Enabling verbose output from rpcgssd (-vvv) on the linux client might
give a hint to the problem.
K.C.
On 10/12/06, Keagle, Chuck <[EMAIL PROTECTED]> wrote:
> Here is one we would like to f
On 6/19/06, Erich Weiler <[EMAIL PROTECTED]> wrote:
> > Your nfs server's keytab has kvno 5. You need to do the getprinc on
> > that same principal to see what the key version number is in the KDC.
> > (Your klist shows principal nfs/[EMAIL PROTECTED], but the
> > getprinc output is for nfs/[EMAIL
Key: vno 16, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
> So it looks like the KDC has KVNO version 5, and the solarisclient has
> KVNO version 16? Am I reading that right? And if yes, what can I do to
> fix it? (I hope there is something, anything, th
Hi Erich,
How did you create the keytab for the NFS server? The key version
number in that keytab must match the key version number for the server
principal in the KDC.
The key version displayed for nfs/[EMAIL PROTECTED] with
"klist -e -k -t /etc/krb5.keytab" should match the key version
displaye
> Doug Levy wrote:
> > I'm running the Leash client Version 2.6.3.20040525 to authenticate to
> > Kerberos 5. The authentication process runs very quickly both from work
> > and anywhere I travel (laptop, hotels, wireless, wired, etc.). However,
> > whenever I authenticate from home via my ISP
Fredrik,
I'm working on this in conjunction with Linux nfs-utils changes. As
it turns out, actually storing the ccache in the kernel keyring is not
*the* answer for NFS. It is helpful when process- or thread-level
credentials are needed for NFS access.
The essential thing the keyring will hold i
On 4/26/06, Aruna Lakmal <[EMAIL PROTECTED]> wrote:
> Hey guys...
> I use RHEL4 linux version..
> I configure my nfs server for work with kerberos as in this web site..
>
> http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html
>
> after that when i try to run command "mount -t nfs4 -o sec=
Keep in mind that http://www.citi.umich.edu/projects/nfsv4/crossrealm/
is experimental. I'm interested in problems you have with ldap v2
though.
So are you saying that you are now using pam_krb5 for login
authentication? (What does your pam config file look like?)
You should contact [EMAIL PROT
On 1/19/06, Luke Howard <[EMAIL PROTECTED]> wrote:
>
> What are the current thoughts on automatically renewing Kerberos credentials
> for long-lived sessions, particularly with respect to NFSv4 (where the user
> experience could be adversely affected)?
>
> It seems that Solaris has kwarnd, which ca
Thanks Mike! I got your patch, and generated mine. They were
identical except for the "+1" and your addition to #define UMICH in
osconf.h, which I have added to the "official" patch. The referrals
page is now updated with the 1.4.2 patch.
K.C.
K
On 11/9/05, Josh Howlett <[EMAIL PROTECTED]> wrote:
> Kevin Coffman wrote:
> > We started with a patch that assumed all referrals would go to one place.
> >
> > We had a need to send referrals to either a test Windows forest or a
> > production forest. That is
On 11/9/05, Mike Friedman <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Wed, 9 Nov 2005 at 15:36 (-0500), Kevin Coffman wrote:
>
> > Our patches are here:
> > http://www.citi.umich.edu/u/kwc/krb5stuff/referrals.html
> >
We started with a patch that assumed all referrals would go to one place.
We had a need to send referrals to either a test Windows forest or a
production forest. That is where the [domain_referral] stuff came
from. Then we found that some requests were coming in without
fully-qualified names, an
I would suspect a simple error in the configuration of your local
realm in /etc/krb5.conf, or a DNS issue.
Can you post your /etc/krb5.conf ?
On 10/26/05, yi zeng <[EMAIL PROTECTED]> wrote:
> Hi, there,
> I set up a MIT Kerberos 5 master kdc on a pc in a private domain. I have
> /etc/hosts mappi
> Hello,
>
> Is there any method of "extracting" the Kerberos key from a GSS ticket?
>
> Microsoft sends the Kerberos ticket (SPNEGO over http) using the GSS
> methods. If one attempts to handle the internal Kerberos ticket
> information (such as the case of the PAC data) he will have to use the
; 10.0.89.130
> 20 1.153866 10.0.89.178 -> 10.0.89.130 DNS Standard query
> tax106.testdomain.tax.state.vt.us
> 21 1.154601 10.0.89.130 -> 10.0.89.178 DNS Standard query response
> 22 1.154741 10.0.89.178 -> 10.0.89.130 DNS Standard query tax106
>
> I have struggled with this for almost two days now and I just can't seem to
> get past this hurdle... Hopefully somebody out there will say: "Duh, you're
> doing XYZ wrong!".
> I keep getting a "kinit(v5): Cannot resolve network address for KDC in
> requested realm while getting initial credentia
> On Tue, Jul 05, 2005 at 01:48:54PM -0700, Phil Dibowitz wrote:
> > from kadmin, great (though is that "no salt" supposed to be there?)!
> >
> > However, klist -e shows:
> >
> > [EMAIL PROTECTED] unstale]$ klist -e
> > Ticket cache: FILE:/tmp/krb5cc_36070
> > Default principal: [EMAIL PROTEC
> on 04/28/05 15:23 Kevin Coffman wrote:
> [SNIP]
>
> > The client (auth01.example.dk) thinks that the (ssh) server
> > (hostname?) is in a different realm (PROD.DK.EXAMPLE.NET) and is
> > trying to get a cross-realm ticket. Check the [domain_realm]
> > stanza o
> Now I want to try to enable single-sign-on using openssh. When trying it
> from KDC host to itself, it works fine (after I created a
> host/auth01.example.dk principal - which for some reason got a kvno of 2
> - - don't know if this matters).
> I then add my client (another FreeBSD 5.3 server) as
> > "Jeffrey" == Jeffrey Altman <[EMAIL PROTECTED]> writes:
>
> Jeffrey> peter huang wrote:
> >> Can someone tell me how to fix this error? this error came
> >> from curl using "--negotiate" option on a window platform using
> >> "MSLSA:" as ccache (AD is the KDC in this case)
I'll assume we are dealing with a Linux NFS client here. The problem
is that the Linux kernel code currently (still) only supports
des-cbc-crc. However, if the nfs service principal is set up correctly
(with only a des key), there should be no need to restrict the enctypes
in krb5.conf. Prob
The answer may vary a bit depending on the platform you are on.
For Linux, your question would be better directed to
[EMAIL PROTECTED] or you might look at
http://www.citi.umich.edu/projects/nfsv4/linux/
I think Solaris has pretty good (online) documentation on its
Kerberos/NFS requirements.
This probably isn't the list for this question, but from the Linux
view, you set up a NFSv3 mount the same as a v4 mount except the fstype
is nfs instead of nfs4.
See http://linux-nfs.org/pipermail/nfsv4/2005-February/001081.html
Any further questions should go to [EMAIL PROTECTED]
> A brief
> and now after the kinit
> here is the klist :
>
>
> Ticket cache: FILE:/tmp/krb5cc_596_yE9M3i
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 12/01/04 14:21:05 12/02/04 00:21:05 krbtgt/[EMAIL PROTECTED]
> renew until 12/01/04 14:21
> -Original Message-
> From: Phil Dibowitz [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 25, 2004 4:51 PM
> To: Kevin Coffman
> Cc: [EMAIL PROTECTED]
> Subject: Re: Renewable Tickets
>
> On Mon, Oct 25, 2004 at 04:46:21PM -0400, Kevin Coffman wrote:
> >
> > Also check the properties on the client and service principals
> > (including the krbtgt principals). I forget whether max renewable
> > lifetime is one of them, but if it is, it would be set when the
> > principal is created or when you use "modprinc" in kadmin, and the
> > config file specif
Hi Derek,
I have a few questions, and then I can generate a new keytab for your
afs/umd.umich.edu principal. You will then need to run the asetkey program
to copy the key out of the keytab and into your KeyFile. You'll need a copy
of the asetkey program, hence the questions:
1) What OS platform
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Wyllys Ingersoll
> Sent: Friday, October 08, 2004 9:34 AM
> To: Rob J Meijer
> Cc: [EMAIL PROTECTED]
> Subject: Re: Portability, RPC and kerberos v5?
>
> Rob J Meijer wrote:
>
> >I'm currently working
> > "lyzhang" == Lynn Zhang <[EMAIL PROTECTED]> writes:
>
> lyzhang> The kadmin from 1.2.8 wrote information to the log,
> lyzhang> Sep 17 17:02:47 Request: kadm5_init, admabcd/[EMAIL PROTECTED]
> U,
> lyzhang> success,
> lyzhang> client=admabcd/[EMAIL PROTECTED], service=kadmin/[EMAIL PROTECT