On 03/06/12 06:27, Greg Hudson wrote:
> (1) Avoid the use of principal expiry times
> (2) Patch your KDC not to send principal expiry times in AS replies
> (3) Deploy the MIT krb5 fix to your client systems
>
> I can send a patch for (2) or (3) if you decide to go that route. (3)
> should
Hi,
We recently upgraded some ArchLinux systems to the latest, which
means that they switched from using heimdal to mit krb5.
Our KDC however remains a heimdal system (running on NetBSD).
Now when you log in to these ArchLinux systems with an account that has
an account expiry time but no passw
On Tue, 21 Jun 2011, Douglas E. Engert wrote:
> OK, AD does not store the krbtgt as a principal, but this article
> on setting up trust might help.
Thanks, that was the piece I was missing.
cheers
mark
On Mon, 20 Jun 2011, Douglas E. Engert wrote:
> > How does one check in AD? and change it if it is?
>
> Check the userAccountControl attribute of the cross realm TGT
> look for USE_DES_KEY_ONLY = 2097152, i.e. 0x20
> http://support.microsoft.com/kb/305144
But how do you find the cross realm
On Saturday 18 June 2011 06:08:33 Douglas E. Engert wrote:
> > surely the rc4-hmac type should be supported?
>
> Yes it should be. But when you setup the cross realm trust,
> did W2K3 assume the MIT realm could only do DES?
> Is the des-only bit on in the TGT account in AD?
How does one check in
We have previously successfully set up cross-realm between our heimdal
realm and a windows server 2008 r2 based AD domain, but I'm now trying
to set up cross-realm to a 2k3 based AD domain and having problems.
On the windows side, they have entered our realm in lowercase which
may cause some is
On Tue, 11 Sep 2007, Simon Wilkinson wrote:
> Whilst it's not Russ's patch (I wrote this before I realised he had
> one too), I've attached the patch we use locally. If you set
> KrbServiceName to 'Any', then it will accept any credential from
> the keytab.
Works nicely.
thanks
mark
On Tue, 11 Sep 2007, Russ Allbery wrote:
> I patched mod_auth_kerb a long time back to do this and thought
> that patch was incorporated into the upstream source, but
> apparently it wasn't. You have to patch it to not explicitly
> import credentials and instead let the GSS-API library figure out
Russ Allbery wrote:
> In some cases the client will just use whatever hostname is given on
> the command line, but in many cases it will do a forward and reverse
> DNS lookup to canonicalize the hostname (although this is less
> secure if you can't trust DNS, and most people can't). So in
> practi
10 matches