miliar with kerberos on Mac-OS, so maybe i am missing a thing
Klaas
> with kind regards,
>Marcel
>
>
>
> Klaas Hagemann wrote:
>
>> Hi marcel,
>>
>> check the domain-realm mapping in /etc/krb5.conf, maybe something
>> there is wrong.
>
Hi marcel,
check the domain-realm mapping in /etc/krb5.conf, maybe something there
is wrong.
then you can monitor krb5kdc.log while trying to access zeus and see
what's going on.
does principal marcel get a service ticket for zeus?
- Klaas
Marcel Koopmans wrote:
> Hello everybody,
>
> I ha
Hello,
i have a problem running kerberos on ia64 with red hat advanced server
2.1 (kernel 2.4.18).
Compiling was no problem and went fine.
The system itself works fine, the server gets its new database using
rsync the dump and kdb5_util load every 5 minutes.
When i start krb5kdc, it works a
Jens Kleineheismann wrote:
Hi there,
Hi Jens,
there are three points where the ticket lifetime is defined:
1. kdc.conf, you checked this
2. the principals, you checked this as well
3. the /etc/krb5.conf on the client side.
There you can define a default ticket lifetime.
In the section [libdefault
Chee Leong Dew wrote:
Hi Klass,
Sorry for interrupting u again, but I really need help from the forum to
solve my problem here. Sorry again for the interruption.
np, that's for what mailing lists are for.
I used klist; it show :
--
Chee Leong Dew wrote:
Hi,
The next question is, how do I obtain the credentials ?
If you do "kinit", kerberos will attempt to get credentials (the Ticket
Granting Ticket) from the kdc for you.
Having done kinit you can see them using klist.
This Ticket Granting Ticket is then used by kerberiz
Chee Leong Dew wrote:
Hi team,
I have installed Kerberos V5 on Linux 7.2 and it is running ok. I used kinit
:
[EMAIL PROTECTED] sbin] kinit root/admin
Password for root/[EMAIL PROTECTED]:
[EMAIL PROTECTED] sbin]
But it seems like nothing is added to my /etc/krb5.keytab
That is correct, in /etc/krb
Thomas Konrath wrote:
Hi !!!
We are doing a project for our university and we have a problem
concerning the Kerberos 5 login module from Sun.
We are using the class com.sun.security.auth.module.Krb5LoginModule in
our Java project. We have configured the krb5.ini file as it is
described under htt
Chee Leong Dew wrote:
Hi team,
After running the command /usr/local/sbin/kadmin.local I have an error
while running the command /usr/local/sbin/kadmin
The error is :
[root@client8 root]# /usr/local/sbin/kadmin
Authenticating as principal [EMAIL PROTECTED] with password.
kadmin: Cannot resolve
Ken,
ok, this makes sense...
Thanks
Klaas
Ken Raeburn wrote:
Klaas Hagemann <[EMAIL PROTECTED]> writes:
Hi,
after doing kinit the kerberos client creates a krb5 ticket cache file
like /tmp/krb5cc_506.
Another user having root privileges on this client can obtain these
ticket
--- Begin Message ---
Donn Cave wrote:
Quoth [EMAIL PROTECTED] (Klaas Hagemann):
...
| after doing kinit the kerberos client creates a krb5 ticket cache file
| like /tmp/krb5cc_506.
|
| Another user having
Hi,
after doing kinit the kerberos client creates a krb5 ticket cache file
like /tmp/krb5cc_506.
Another user having root privileges on this client can obtain this
ticket cache file and have the network wide rights of the owner of this
ticket.
Is there any chance that the ticket is stored in
Hi,
i just tested a bit with my logfiles.
There i realized, that i get the entry in the kerberos logfile after typing
kinit but before entering my password.
Then no extra entry is listed.
So i think "preauthentication" is not enabled.
I use MIT kerberos 1.2.6. Do i have to enable preauthentication
November 26, 2002 2:33 AM
Subject: Re: krb5.exe for Windows
> You must be using a very old version of krb5.exe and the related
> Kerberos for Windows dlls. All recent versions have used an in-memory
> cache as opposed to a file to store the credentials.
>
> In article <008701c29
Hi,
i use krb5.exe for windows to get kerberos-tickets in windows.
It requires the dll-files in the winnt-directory.
So it writes the krb5cc-file (the kerberos ticket cache) as well in
c:\winnt.
This leads to problems for multi-Users using krb5.exe on the same host.
Is there any way to configure
Hi Mait,
you can only have one admin server. that comes from the kerberos replication
system.
but you can specify multiple kdcs in your krb5.conf
there you have a [realms] section:
[realms]
MY.REALM.DE = {
kdc=kerberos-server1
kdc=kerberos-server2
admin_server=kerberos-admin
default_domain = my.
Hi,
we have set up a new realm.
To get all the users in the realm, we told them to change their password.
Our password management runs over a web-based php-application, which then
writes the password into kerberos.
The php-application uses kadmin with a host-principal and a keytab on the
host. The
Parag,
i only know it from linux, but did you compile
kerberos with shared-libraries-support? (configure --enabled-shard
?)
Klaas
- Original Message -
From: Parag Godkar
To: [EMAIL PROTECTED]
Sent: Monday, November 18, 2002 7:15 AM
Subject: Problem compiling pam_
Hello,
we have the problem, that the user does not get informed when the ticket has
expired.
the users only have a graphical desktop, so they won't check in manually
with "klist".
Does anyone have a solution or a working environment for this problem?
Thanks
Klaas
___
Hi Christian,
i have the same problem but i am not that familiar with working on windows.
So can you please give me a link or send me the compiled version?
Thanks,
Klaas
- Original Message -
From: "Christian" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 08, 2002 10:4
Hi,
concerning the documentation, i have to add a pam_afs entry in the
appdefaults-section of the krb5.conf file (src/krb524d/README).
My Question:
Do i only have to change the krb5.conf on the servers running the krb524d?
or on the clients as well?
Klaas
- Original Message -
From: "Ken
> At the end of the day, there is a ticket in a Keyfile that does not agree
> with the service ticket stored in your KDC. This is the ONLY possible
> cause of this error (at least, the only one I've ever seen).
That is not the problem i meant.
It works fine with my krb5-1.2.4 kerberos master serv
Hi,
i have strange problems in integrating openafs into krb5.
I use openafs 1.2.7 and kerberos 1.2.6 for the slave-server and 1.2.4 for
the kerberos master/admin server.
I checked everything with these key-versions (thanks to Derek on the openafs
mailing list), but it did not help.
I always get "ti
Hi list,
is it possible, to change the master key of a realm?
I build up a realm for testing purpose with a very simple master key.
Now i want to migrate it into the production environment and therefore i want
to have a more difficult master password.
Since i want to keep the data stored in kerbero
Thanks..
so with the krb524d it will work?
- Original Message -
From: "Sam Hartman" <[EMAIL PROTECTED]>
To: "Klaas Hagemann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, September 19, 2002 2:44 PM
Subject: Re: experiences with ximian
Hi,
does anyone have experiences with the groupware ximian evolution and MIT
Kerberos authentication?
Thanks, Klaas
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
Hi Tim,
from my point of view using pam_krb5 is the best
solution.
For Linux, i use the pam_krb5 shipped in RedHat,
but the sourcecode for it should be available anywhere in the www
Klaas
- Original Message -
From: Leong Tim
To: [EMAIL PROTECTED]
Sent: Wednesday, Se
Hi,
is there any possibility to rename principals without having to enter the
password again?
We want to do some script-based renaming.
Thanks, Klaas
Hi,
does anyone have any experiences using smartcards for kerberos initial
authentication?
Any help is welcome
Thanks,
Klaas
Hi Harry,
the best way is to use the pam_krb5 module. i used the one which is shipped
with redhat.
it works perfect for suse linux.
download the rpm and install the pam-module.
you will need the krb5-libs from redhat as well or you will have to do some
renaming with the libraries.
to be sure that
Hi John,
you only need to add principal for hosts which are housing kerberized server
daemons, e.g. openssh.
Unfortunately, this can be in case of openssh every host.
Klaas
- Original Message -
From: "John Green" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 08, 2002
OK, i got it!!
I had to change the krbtgt/REALM ticket!!! This one was set to one hour!
Klaas
- Original Message -
From: "Sam Hartman" <[EMAIL PROTECTED]>
To: "Klaas Hagemann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, July
" <[EMAIL PROTECTED]>
To: "Klaas Hagemann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, July 31, 2002 10:57 PM
Subject: Re: ticket lifetime
> You need to look at the values for both the server and client principal.
>
loading it
Klaas
- Original Message -
From: Monica Lau
To: klaas hagemann ; [EMAIL PROTECTED]
Sent: Monday, July 29, 2002 10:49 PM
Subject: Re: Few quick questions
Hi Klaas,
Thanks for your help! I'm a bit confused by the krb5.conf file --
doesn't
Hi Monica,
as far as i understood it, changes in krb5.conf
take effect immediately. This is a Client side configuration file, which is used
by kinit and other "kerberized" applications.
You can make a dump of the slave kdc manually and
load it in the master kdc by hand. This is no problem.
Hi,
although there have been already many mailings concerning this topic, i
still have problems with the ticket lifetime.
I always get tgt's valid for 1 hour.
The Maximum ticket lifetime of the principal is one day (with 10h it is the
same).
The maximum ticket lifetime in /var/krb5kdc/kdc.conf is
Hi,
how is the ticket lifetime of the tgt specified?
I first do kinit to get a ticket manually.
Using klist, the ticket lifetime is always one hour, it does not make any
effect, which value i take for ticket_lifetime in the libdefaults section in
krb5.conf.
My maximum ticket lifetime in the kdc.
The main reason is, that we need multiple shares being configured in an
ldap directory.
So we will have shares depending on the user, on the group and the location,
where the user logs in.
So you should have entries in your directory, which shares each person
should get mounted. To the others, he
Hi,
we are building a distributed linux environment with a few thousands of
clients. To realize single sign on we decided to use Kerberos V for
authentication and Netscape LDAP for authorisation.
This works fine so far. But we need a few directories, being available all
over the network, e.g. home
Hi,
i am not familiar with Solaris, but as far as i understood it you will not
be able to get ticket based authentication by simply using pam_krb5 within
SSH.
pam_krb5 allows you to check your password against Kerberos and to get a
tgt
at login. So if you use pam_krb5 in ssh and log in by
Hi
first of all you should use a separate console while testing this.
Look at the output on the console or in /var/log/messages, if there are
any libs missing.
If you are using MIT kerberos from the source file, there are a lot of
libs missing.
Install lib_krb5 as well.
Then you should have a g
Hi,
i need Kerberos 5 in Europe-Germany. Is there any free site outside
USA/Canada, where i can download it in a legal way?
Regards
Klaas Hagemann
It is confusing...
when i set suid to ssh (which is by default), i
have these problems.
But when i disable suid, everything works fine, but
i do not understand why?? And why should suid to be set by default?
Thanks, Klaas
- Original Message -
From: klaas hagemann
To: [EMAIL
hi,
kadmind's keytab was gone or does not exist:
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin
kadmin/changepw
kadmin.local:q
then kadmind should work
Klaas
- Original Message -
From: "Stefan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 1
i used the red hat linux rpm from ftp.redhat.com.
There you can also get the sourcecode package.
Although i am using suse linux, this works fine for me.
Klaas
- Original Message -
From: "Harry Rüter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 18, 2002 1:39 PM
Subjec
Hi,
i am still having problems with kerberized
ssh.
I applied the patches (www.sxw.org.uk/computing/patches/openssh.html),
ran autoconf and installed it.
Host keys are created and extracted.
When i do
ssh hostname,
everything works fine, but when i do
ssh ipadress_of_hostname, i get "segme
Cheruku
To: klaas hagemann
Cc: [EMAIL PROTECTED]
Sent: Thursday, April 11, 2002 10:15 AM
Subject: RE: ssh
1. Apply the Kerberos patch and then the Openssh-gssapi patch.
2. Run the autoreconf after applying the patches. (autoreconf
version should be later than 2.50
segmentation fault error is coming.
May be some configuration and compilation issue.
-Original Message-
From: klaas hagemann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 7:48 PM
To: Srinivas Cheruku; [EMAIL PROTECTED]
Subject: Re: ssh
ok, i got openssh
n's GSSAPI/Kerberos patch from http://www.sxw.org.uk/computing/patches/openssh.html
Srini
-Original Message-
From: klaas hagemann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: ssh
Hi,
where can i get
Hi,
where can i get ssh server and client supporting
kerberos auth for linux?
i apologize if this is a faq, but i haven't found
anything.
thanks
klaas
" <[EMAIL PROTECTED]>
To: "klaas hagemann" <[EMAIL PROTECTED]>
Cc: "Cesar Garcia" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, April 08, 2002 3:58 PM
Subject: Re: slave server and replication
> On Mon, Apr 08, 2002 at 02:44:45PM +0200, klaas ha
Hi,
i need a kerberized email (imaps) server and
client.
the user should log on to the imaps server using
kerberos.
i have no idea where to get such a system or if
there were an alternative solution.
Can anyone give me some advice?
Thanks, Klaas
hi there,
i have still a problem with kerberos and
ldap.
i have got a ldap v3 directory (netscape
iplanet) with all my user information.
now i want to make single sign on using kerberos V.
how can i make kerberos storing all the keys in the
ldap directory?
the user should log on using
53 matches