Re: FQDN needed by sasl_gss_client_step or gss_import_name?

2002-05-16 Thread Marc Horowitz
[EMAIL PROTECTED] (Dave Snoopy) writes: I traced down the error to the Kerberos function gss_import_name, which is being called from the SASL function sasl_gss_client_step. This problem only happens when the non FQDN kdc name is returned from DNS. Is this a Kerberos or SASL problem? Does

Re: scp principle?

2002-05-02 Thread Marc Horowitz
[EMAIL PROTECTED] (Browning Curtus L Capt AFRL/MLOC) writes: Although everything else was working fine, I found my problem with scp to be that the kadmind was not running on the kdc. There was no indication of this in the logs or error messages. Lesson learned. This could not have been

Re: Kerberos support in SSH

2002-04-30 Thread Marc Horowitz
Phil Camus [EMAIL PROTECTED] writes: I have my Solaris 5.8 systems running SSH-3.1.0. I've decided to install Kerberos 5-1.0.6. Both pieces of software work fine, and I've decided to take the final step: to compile SSH with Kerberos support. First, this is an old version of kerberos. Get something

Re: Posting to this list without valid return address (was Re: GSSAPI on FreeBSD 4.5)

2002-04-22 Thread Marc Horowitz
[EMAIL PROTECTED] (Jacques A. Vidrine) writes: If you send messages to this list with an incorrect or forged `From:' address, do not expect replies. He's been getting useful, substantial replies for a month. I don't see why he should expect that to change just because you don't approve.

Re: Kerberos and Single Sign-On

2002-04-19 Thread Marc Horowitz
[EMAIL PROTECTED] (Russ) writes: We are trying to somehow create a single sign-on environment between logging into our Active Directory and logging into SAP. We want an easy way to have this kerberos data passed between the two so we aren't required to log in over and over. Does anyone

Re: New perl module and Authen::Krb5

2002-04-17 Thread Marc Horowitz
Did you do this by implementing the kerberos protocol in perl, calling out to the command line apps, creating a .xs interface to libkrb5, or some other approach? Marc [EMAIL PROTECTED] (Ed Schaller) writes: Greetings, I have recently written a perl module to perform some

Re: gssapi and CCC command

2002-04-12 Thread Marc Horowitz
[EMAIL PROTECTED] (Glen Matthews) writes: thanks for your response, marc. actually, i *am* implementing the full spec, all (except for ccc?) of which is working - CCC is just an option (which we will deprecate and warn people about). or at least i think i am - rfc 2228. i don't see any

Re: gssapi and CCC command

2002-04-11 Thread Marc Horowitz
I haven't looked at the MIT code in a long time, but I just took a quick glance, and it looks like either the username is invalid, or the initial password request fails. If you can look at the kdc logs, find out if the AS-REQ is really succeeding. I also have to mention that using CCC isn't a

Re: OpenSSH with latest GSSAPI patch now storing credentials !

2002-03-27 Thread Marc Horowitz
[EMAIL PROTECTED] (Simon Wilkinson) writes: However, is this overriding something that should be set in a kerberos config file? Yes, it is. The patch you sent forces initial tickets to be forwardable, regardless of what the kerberos config file requests. With MIT krb5, you can set the

Re: windows gss-api

2002-03-01 Thread Marc Horowitz
Rick [EMAIL PROTECTED] writes: ktpass -princ [EMAIL PROTECTED] -mapuser user1 -pass pass1 -out krb5.keytab gss-server asample GSS-API error acquiring credentials: Miscellaneous failure GSS-API error acquiring credentials: No principal in keytab matches desired name You need give the
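The error above ("No principal in keytab matches desired name") comes from the server side of GSS-API credential acquisition comparing the principal it wants against the principals actually stored in the keytab. The following is an added example, not code from the thread or from MIT krb5: it builds a constructed keytab in the MIT v2 (0x0502) on-disk format, parses it back, and checks whether the principal a host-based GSS name maps to is present. The principal names, realm and hostname are invented for the illustration, the keys are filler bytes, and the mapping helper assumes the host part is already the canonical FQDN.

```python
import struct

# Enctype numbers from RFC 3961/4120 and the MIT krb5 headers.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _pack_principal(components, realm, name_type=1):
    # name_type 1 is KRB5_NT_PRINCIPAL; keytab v2 (0x0502) stores it after the components.
    out = struct.pack(">H", len(components))
    out += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        out += struct.pack(">H", len(c)) + c.encode()
    return out + struct.pack(">I", name_type)

def build_keytab(entries, timestamp=1014800000):
    """Serialise (components, realm, kvno, enctype, key) tuples as an MIT v2 keytab."""
    data = b"\x05\x02"
    for components, realm, kvno, enctype, key in entries:
        body = _pack_principal(components, realm)
        body += struct.pack(">IBHH", timestamp, kvno & 0xFF, enctype, len(key)) + key
        data += struct.pack(">i", len(body)) + body
    return data

# Constructed sample keytab (not exported from any real KDC): the keys are filler bytes.
SAMPLE_KEYTAB = build_keytab([
    (["sample", "host.example.com"], "EXAMPLE.COM", 3, 23, b"\x11" * 16),
    (["host", "host.example.com"], "EXAMPLE.COM", 2, 18, b"\x22" * 32),
])

def parse_keytab(data):
    """Walk an MIT keytab and return its entries without the key material."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        e, off = data[pos:pos + size], 0
        pos += size
        (ncomp, rlen) = struct.unpack(">HH", e[off:off + 4]); off += 4
        realm = e[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[off:off + 2]); off += 2
            comps.append(e[off:off + clen].decode()); off += clen
        (_ntype, _ts, kvno, enctype, klen) = struct.unpack(">IIBHH", e[off:off + 13]); off += 13
        off += klen             # skip the key itself
        if off + 4 <= len(e):   # optional 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack(">I", e[off:off + 4])
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
    return entries

def hostbased_to_principal(service, host, realm):
    """Map a GSS_C_NT_HOSTBASED_SERVICE name 'service@host' to 'service/host@REALM'.
    Assumption: host is already the canonical FQDN the GSS library would resolve it to."""
    return "%s/%s@%s" % (service, host.lower(), realm)

def keytab_has_principal(data, principal):
    """True when the keytab holds an entry for exactly this principal name."""
    return any(e["principal"] == principal for e in parse_keytab(data))
```

Running `parse_keytab` over a real keytab is the same check as `klist -k`; the useful part is comparing its output with the name the server is going to ask for, since a keytab written for `user1@REALM` will never satisfy a request for `sample/host.example.com@REALM`.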

Re: TGT Flags

2002-02-27 Thread Marc Horowitz
Philippe Perrin [EMAIL PROTECTED] writes: Can anyone tell me 1) what this A flag means ? It means the client used preauthentication to get the ticket. 2) what I have to configure to have the F (forwardable) flag on my TGT ? Add to krb5.conf: [libdefaults] forwardable = true
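The flag letters above come from `klist -f`, and the advice in this post and in the OpenSSH GSSAPI thread earlier on the page is the same: forwardable tickets should come from `forwardable = true` under `[libdefaults]` in krb5.conf, not from a patch that forces the option. The following is an added example, not code from the thread: it parses constructed `klist -f` output, expands the flag letters using the meanings documented in klist(1), checks a constructed krb5.conf for the `[libdefaults]` setting, and reports why a TGT lacks the F flag. The cache path, principal, realm and timestamps are invented sample data.

```python
import re

# MIT klist -f flag letters, as documented in klist(1).
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware authenticated", "A": "preauthenticated",
    "T": "transit policy checked", "O": "okay as delegate", "a": "anonymous",
}

# Constructed `klist -f` output for a TGT obtained with preauth but without
# forwardable = true in krb5.conf (sample data, not captured from a real host).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
02/27/02 09:00:00  02/27/02 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: IA
02/27/02 09:00:05  02/27/02 19:00:00  host/server.example.com@EXAMPLE.COM
\tFlags: A
"""

# Constructed krb5.conf fragments: the one that yields the output above, and the corrected one.
CONF_WITHOUT = ("[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\n"
                "[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = kdc.example.com\n\t}\n")
CONF_WITH = CONF_WITHOUT.replace("[libdefaults]\n", "[libdefaults]\n\tforwardable = true\n")

# Credential lines: 'date time', 'date time', 'service principal' (assumes the two-token layout above).
CRED_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+@\S+)$")

def parse_klist(text):
    """Return a list of {'principal', 'flags'} dicts from klist -f output."""
    creds = []
    for line in text.splitlines():
        m = CRED_RE.match(line)
        if m:
            creds.append({"principal": m.group(3), "flags": set()})
        elif line.strip().startswith("Flags:") and creds:
            creds[-1]["flags"] = set(line.split(":", 1)[1].strip())
    return creds

def describe_flags(flags):
    """Expand flag letters to their klist(1) meanings, in letter order."""
    return [KLIST_FLAGS.get(f, "unknown flag %r" % f) for f in sorted(flags)]

def tgt_flags(creds, realm):
    """Flags of the TGT for realm, or None if no TGT is cached."""
    tgt = "krbtgt/%s@%s" % (realm, realm)
    for c in creds:
        if c["principal"] == tgt:
            return c["flags"]
    return None

def libdefaults_forwardable(conf_text):
    """True if the [libdefaults] section of a krb5.conf sets forwardable to a true value."""
    in_section = False
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = (s == "[libdefaults]")
        elif in_section and "=" in s:
            key, _, val = s.partition("=")
            if key.strip() == "forwardable":
                return val.strip().lower() in ("true", "yes", "1", "on")
    return False

def diagnose(klist_text, conf_text, realm):
    """Pair klist -f output with krb5.conf to explain a missing F flag."""
    flags = tgt_flags(parse_klist(klist_text), realm)
    if flags is None:
        return "no TGT for %s in cache" % realm
    if "F" in flags:
        return "TGT is forwardable"
    if libdefaults_forwardable(conf_text):
        return "krb5.conf sets forwardable = true but the cached TGT is not; re-run kinit (or check KDC policy)"
    return "TGT not forwardable: add 'forwardable = true' under [libdefaults] and re-run kinit"
```

The second branch of `diagnose` matters in practice: the setting only affects tickets requested after it is in place, so an existing cache keeps its old flags until `kinit` is run again, and a KDC that forbids forwardable tickets for the principal will still hand back a TGT without F.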

Re: MD5 passwords possible with Kerberos?

2002-02-18 Thread Marc Horowitz
[EMAIL PROTECTED] (Ian Downard) writes: Here's a quote from Tom Wu's paper (http://theory.stanford.edu/~tjw/krbpass.html): While this is an improvement relative to Kerberos V4, an attacker with a network sniffer can still carry out the same off-line dictionary attack against any

Re: service ticket acls on the KDC?

2002-02-04 Thread Marc Horowitz
[EMAIL PROTECTED] (Nicolas Williams) writes: Actually, I think that it would be a good thing if there were an authorization data type for packing ticket ACLs (i.e., princ name patterns) into forwarded TGTs. The idea being that you could forward a TGT that is crippled and allows the receiver

Re: Client side/application authentication and Kerberos

2002-01-30 Thread Marc Horowitz
[EMAIL PROTECTED] (Krassimir Boyanov (Anaheim)) writes: We are kind of running into the same problem. Our client apps connect directly to Oracle 8.1.6, keeping a persistent connection to the database (MS client RDO libraries are used). I am interested to hear how we can use GSS-API (with K5) to

Re: multi-hop cross-realm authentication

2002-01-25 Thread Marc Horowitz
[EMAIL PROTECTED] (Steve Langasek) writes: It would be nice to not have to configure an explicit capath, of course. Still, I gather from your comments that after configuring the shared keys this should Just Work. Since it did not, I'm led to the same conclusion that there's a bug at

Re: multi-hop cross-realm authentication

2002-01-25 Thread Marc Horowitz
Paul Vixie [EMAIL PROTECTED] writes: ... IMHO, the default capath through the root is also a bad idea, but since there has never been a gTLD kerberos realm that I am aware of, and there is unlikely to be one, it's a moot point in practice. maybe. i'm not convinced that a pay-for-CA

Re: Kerberos Encryption techniques

2002-01-10 Thread Marc Horowitz
[EMAIL PROTECTED] (hot ice) writes: From what I have digested so far about Kerberos - kerberos seems to use DES. any specific reason for choosing DES? IMHO - there are faster and more secure techniques out there - for instance Blowfish. In 1992, what would you have chosen? DES is just