r 2016 domain member.
Client prog is running on same server under same session / user (hmmm...).
Packet captures look normal.
The failed case client gets an AES256 TGT and then an AES128 ticket as
expected.
[1] There is an AS-{REQ,REP} for the acceptor account which is slightly
unexpected (and fai
On Wed, Jan 24, 2024 at 4:27 PM Sam Hartman wrote:
>
> >>>>> "Michael" == Michael B Allen writes:
>
> Michael> Hi Ken,
>
> Michael> Indeed. Unfortunately my stock packages on CentOS 9 Stream
> Michael> are 1.21 but the KRB5_TRACE
r trying to pin AES128 that I'm
dancing outside the lines of sanity at this point.
Really glad to see KRB5_TRACE was added.
Thanks for your support.
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
Kerberos mailing list
my prod machines to use DNS for test machines is not ideal.
Ideas?
Mike
--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Thu, Aug 25, 2016 at 10:09 AM, Simo Sorce <s...@redhat.com> wrote:
> On Wed, 2016-08-24 at 22:05 -0400, Michael B Allen wrote:
>> But, again, the point is that the client would not be "joined" to a
>> domain, it would not be required to have network access to a K
ve to
run the client application in the context of the principal (meaning
they would not have to "login" as a specific user first), the client
would not have to do fancy SRV queries to find the right KDC and the
client would not submit huge tickets with e
On Wed, Aug 24, 2016 at 3:12 PM, Simo Sorce <s...@redhat.com> wrote:
> On Wed, 2016-08-24 at 12:35 -0400, Michael B Allen wrote:
>> On Wed, Aug 24, 2016 at 2:36 AM, Rick van Rein <r...@openfortress.nl> wrote:
>> > Hey Mike,
>> >
>> >> But
On Wed, Aug 24, 2016 at 2:36 AM, Rick van Rein wrote:
> Hey Mike,
>
>> But it would be even better if the client could (or had the option to)
>> do authentication with the service directly and thus eliminate the
>> numerous dependencies for clients (DNS, KDC access, stale
ity as well.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
beros tickets cannot be "stale" (use kerbtray.exe to purge on clients)
But in your case it sounds like the client is initiating auth which
means it's getting a ticket so it's more likely to be 3, 5, 6 or 7.
This all assumes that this "flask" thing knows about SPNEGO (would be
be the toe-hold necessary to do something like a proper
stand-alone authentication over HTTP.
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu
the Client-ID
to lookup the authentication state. And if the Client-ID also included
an integrity code, that would go a looong way.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list
content of the token as it is largely handled by GSSAPI /
JGSS.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
be pretty solid.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
to
access the ccache. The API is horrible as evidenced by the flaming
hula hoops you had to go through to do anything remotely
sophisticated.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list
compatibility. Maybe your security policy has been
tweaked to reject DES in this way.
Just hypothesizing.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
-Original Message-
From: Michael B Allen [mailto:iop...@gmail.com]
Sent: Thursday, July 28, 2011
/ default_tgs_enctypes set?
What enctype did Java use to encrypt the padata in the AS-REQ?
Mike
-Original Message-
From: Michael B Allen [mailto:iop...@gmail.com]
Sent: Thursday, July 28, 2011 3:22 PM
To: Sabharanjak, Ravi
Cc: kerberos@mit.edu
Subject: Re: Is Windows server 2008+KDC
should be
able to get Java's Kerberos implementation to work.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Tue, Mar 23, 2010 at 7:30 AM, John Jasen jja...@realityfailure.org wrote:
Michael B Allen wrote:
Actually I would not be surprised if that hot fix is never made
public. DES is being phased out. If you have any Windows accounts that
use DES, you should update them to AES-256, AES-128 or RC4
on x64 servers.
Hi Lars,
Actually I would not be surprised if that hot fix is never made
public. DES is being phased out. If you have any Windows accounts that
use DES, you should update them to AES-256, AES-128 or RC4 in that
order of preference.
Mike
--
Michael B Allen
Java Active Directory
Hi All,
Is there a mode of operation where a Kerberos client can directly
authenticate with a service without first communicating with a KDC?
Kerberos currently requires that clients are using a suitable DNS
server, have access to whatever KDCs DNS is referring it to and have
relatively accurate
implementations either because
they good (password protocol) or because Active Directory is
ubiquitous.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https
this with Java but given the
spotted history of Java's builtin Kerberos implementation I don't
expect that to be tackled easily. I kinda wish I just had a really
solid ASN.1 compiler and crypto lib for the various languages. Ho-hum.
Thanks,
Mike
--
Michael B Allen
Java Active Directory Integration
http
be substituted with a proper realm and which
one?
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
the @domain
and sent the AS-REQ to the default authority.
Mike
On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen iop...@gmail.com wrote:
Hi,
Is it possible to acquire credentials using kinit from AD using the
userPrincipalName on an AD account if the DNS domain does not match
the AD realm
of
an account in Windows.
So this is off topic for this list but I'll give you some pointers:
1. Use rpcclient from the Samba package
2. Google for JCIFS, create a jcifs.smb.SID, use resolve() with
suitable credentials and then toDisplayString().
Mike
--
Michael B Allen
Java Active Directory
in one go. Also, professional software that
does Kerberos auth usually includes some capability to do all of this
for you. If you're using a bare-bones solution like mod_auth_kerb,
it's up to you to create a keytab.
Good luck,
Mike
--
Michael B Allen
PHP Active Directory Integration
http
a password at all.
On corporate intranets this is a highly desirable feature.
You do not want to do anything with PAM or SASL.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos
. And you can create the service account and set the
password entirely from Plexcel.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman
with it.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
.
You're setting yourself up for a migration migraine.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
[])ctx.inquireSecContextByOid(sspiSessionKeyOid);
Otherwise you're going to end up just adding more methods in an
already overwhelming API.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list
On Thu, Jan 29, 2009 at 10:00 AM, Christopher D. Clausen
cclau...@acm.org wrote:
Michael B Allen iop...@gmail.com wrote:
In general, both the MIT and Heimdal clients are not optimized for a
Windows environment. We have an AD integration product that uses
Heimdal that we made a lot of changes
might still consider broken)?
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Wed, Jan 28, 2009 at 4:57 PM, Morten Sylvest Olsen
mortenol...@gmail.com wrote:
On Jan 28, 9:27 pm, Michael B Allen iop...@gmail.com wrote:
Hi Morten,
It's not clear to me what component is doing a reverse lookup. What
software is actually getting the name mixed up? Is it an LDAP client
On Wed, Nov 19, 2008 at 11:45 AM, S2 [EMAIL PROTECTED] wrote:
Michael B Allen wrote:
If you have PHP see the link in my sig about Plexcel. It certainly
could do what you describe.
The back end services are a mix of Java, .NET, php and rails apps (on
windows and on linux servers), so
comparison.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Thu, Oct 30, 2008 at 10:47 AM, yuval [EMAIL PROTECTED] wrote:
Hi
I try to authenticate web server clients on Linux apache.
I have keytab from win2003 and kinit pass OK.
Klist show valid principal.
[EMAIL PROTECTED] klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal:
OSS stack. Anyway, if you try Plexcel or have any
questions about it, please contact IOPLEX Software support directly
and I'll help you in whatever way I can.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos
. For me this seems like a bug in IE7, has
anyone found solutions for this?
That's not a bug. You will need to add SPNs to the desired account
(using setspn) for each virtual hostname.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com
mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/krbdev
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Michael B Allen
PHP Active Directory SPNEGO SSO
that there is such a credential. Unfortunately
GSSAPI does not define how to acquire initial credentials. Like I said
- there are a lot of details that are not handled by GSSAPI alone.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos
for
browsers not doing Kerberos (obviously if you are not using Plexcel
you will need to ignore any product specific references but getting
browsers to do Kerberos is pretty much the same regardless of what you
are using on the server side).
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
the
keys from a DC and dump them into a keytab but it is only (sometimes)
useful for debugging purposes with WireShark. The resulting keytab is
not valid for use with any kind of service.
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com
have to use symbol versioning if you're
loading things dynamically.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Fri, Jul 18, 2008 at 5:28 AM, Simon Wilkinson [EMAIL PROTECTED] wrote:
On 18 Jul 2008, at 06:57, Russ Allbery wrote:
Michael B Allen [EMAIL PROTECTED] writes:
If you read the whole thread you'd know I'm only talking about the
*IntrAnet* scenario. With SPNEGO you do not type
On Fri, Jul 18, 2008 at 7:13 AM, Michael Ströder [EMAIL PROTECTED] wrote:
Michael B Allen wrote:
On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote:
And that is the scenario where direct SPNEGO / NTLMSSP solutions are
going to perform better.
If by better you mean pretty
off the Trusted for
delegation flag on the HTTP service account).
Mike
[1] Kerberos provides other ways to limit how the TGT can be used and
to proxy service tickets and such but I don't think browsers have
support for such things yet.
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http
(obsolete), raw NTLMSSP (rare), raw
Kerberos 5 (rarer) or SPNEGO (very common - used to negotiate either
NTLMSSP or Kerberos 5).
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos
On Thu, Jul 17, 2008 at 5:01 PM, Russ Allbery [EMAIL PROTECTED] wrote:
Michael B Allen [EMAIL PROTECTED] writes:
and, more important, they do not give you true single-sign-on
behavior. They're more like double sign on because you have to login
to a central server and they get redirected back
and the 200 response is less than 20 ms (or ~50
ms if the user is in a few hundred groups).
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu
it as trusted for delegation.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On 6/2/08, Ken Raeburn [EMAIL PROTECTED] wrote:
On May 29, 2008, at 22:22, Michael B Allen wrote:
Is there a reference anywhere that outlines the different password
salting methods used by different KDCs?
There are RFCs 3961, 3962, and 4757, which outline how salt strings
performance and get rid of annoying Windows preauthentication failed
event log errors.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman
client and server programs use entirely GSSAPI to handle
authentication. The KDC (MIT, Heimdal, Active Directory, ...) should
already be setup and running in the target environment.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com
On 4/24/08, Douglas E. Engert [EMAIL PROTECTED] wrote:
Michael B Allen wrote:
Hi All,
Sorry for the MS specific question.
Regarding the Privilege Attribute Certificate in the
authorization-data field, someone using my SPNEGO HTTP server product
is getting an error that indicates
.
So now what?
Could it be that the hardware clock and system clock are not in sync?
From experience it doesn't matter if the hardware clock is UTC or not.
I'm stumped. Any ideas?
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com
the following to get AM vs PM:
C:\time /T
The time on the Windows server was set to 3 AM and not 3 PM.
Thanks,
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https
On 3/18/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On Mar 18, 12:59 am, Michael B Allen [EMAIL PROTECTED] wrote:
If the HTTP server returns WWW-Authenticate: NTLM then the client
must use NTLMSSP tokens. If it returns WWW-Authenticate: Negotiate
then the tokens must be SPNEGO
a GSSAPI implementation that supports SPNEGO
and you're done.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
support delegation so if I remember your
original post correctly, implementing NTLM with pass-through
authentication would not help your particular scenario.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos
://support.microsoft.com/kb/885887
http://support.microsoft.com/kb/906524/en-us
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On 3/17/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
On Mar 17, 9:12 pm, Michael B Allen [EMAIL PROTECTED] wrote:
The problem is that the client will not or cannot initiate Kerberos.
Nice try, however no. The client has no problems using Kerberos.
There are credentials in the cache
a capture and generally
adjust your terminology into failed to get a TGT, the SPN is,
service ticket this, credential that, ...
Is the HTTP a_service.smnyl.com.mx supposed to be an SPN? Perhaps
that should be HTTP/a_service.smnyl.com.mx?
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
(LdapCtx.java:290)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL
(LdapCtxFactory.java:175)
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https
to 10.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
(although it does
at the krb5 level).
Thanks,
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On 10/4/07, Russ Allbery [EMAIL PROTECTED] wrote:
Michael B Allen [EMAIL PROTECTED] writes:
Active Directory does not use the userPrincipalName attribute to do
Kerberos authentication. It uses [EMAIL PROTECTED]
I just tested against our Active Directory with an account that had both
On 9/4/07, Roman S [EMAIL PROTECTED] wrote:
Hey guys!
I've configured a Microsoft Active Directory with LDAP and Kerberos, and some
Linux (Redhat) clients who authenticate to it.
I'm able to get some tickets for the users who are in the Active Directory,
but SSH behaves a bit strange.
I
Markus
Markus Moeller [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
But the input to gss_init_sec_context is a gss_OID structure. How do I
build the structure ? If I use gss_str_to_oid I get an error Invalid
argument
Thanks
Markus
Michael B Allen [EMAIL PROTECTED
On 6/30/07, Markus Moeller [EMAIL PROTECTED] wrote:
Which mech OID do I need to use in gss_init_sec_context to get a SPNEGO
token ? I looked in the header files of 1.6.1 but it is not defined there.
Hi Markus,
The OID for SPNEGO is 1.3.6.1.5.5.2.
Mike
had success with it when experiencing unreliable behavior like you're
describing.
Mike
-Ursprüngliche Nachricht-
Von: Michael B Allen [mailto:[EMAIL PROTECTED]
Gesendet: Mittwoch, 13. Juni 2007 08:57
An: Djihangiroff, Matthias (KC-DD)
Cc: Todd Stecher; kerberos@mit.edu
Betreff: Re
|..(.|
This is raw NTLMSSP. Check your browser settings.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman
account. Then
you can use any one of those hostnames and it works equally well.
What is it that mod_auth_kerb is doing differently?
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list
,
for example.
Ahh, ok. But why is using GSS_C_NO_CREDENTIAL a problem exactly? If the
key is good the key is good no?
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https
Hi,
Has anyone noticed that Firefox (1.5.0 on Linux x86 in my case at least)
requests a TGT everytime it authenticates?
Why doesn't it use the one it has in the ccache? It gets the HTTP service
ticket from the ccache file just fine.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
Thomas,
Your post is totally inappropriate. Please do not post this stuff
here (or anywhere else for that matter).
Mike
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
page or a login page. Now you can't. So if you have a Kerberos site with
fallback to a login form this annoying and confusing Network Password
dialog pops up and you have to hit cancel five times to get in.
Someone please tell me there's a registry setting to fix this.
Mike
--
Michael B Allen
PHP
on the KDC associated with the service principal matches
the key in the keytab used by sshd then it should work.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https
might post the exact error text here.
Mike
[1]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC
[2]
http://www.h5l.se/manual/heimdal-0-7-branch/info/heimdal.html#Configuring-Windows-2000-to-use-a-Heimdal-KDC
--
Michael B Allen
PHP Active Directory Kerberos SSO
Dear all,
My code can't find the KDC on a particular customer's network. The
problem is DNS.
The DNS communication looks like the following:
C: SRV _kerberos._udp.EXAMPLE.COM
S: No such name
C: SRV _kerberos._tcp.EXAMPLE.COM
S: 3 answer records:
krb1.EXAMPLE.COM
krb2.EXAMPLE.COM
}
I don't understand how a DNS server can answer an SRV record and not be
able to resolve the names it returns. We're either using a bad DNS server
or it must expect the client to recur on authority records 3 levels deep.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http
but the leaks
should never grow beyond a fixed size.
Mike
PS to kitten: This is another thing that would be more elegant with an
application context.
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list
Hi Vijay and Sriram,
Client configuration and the service account all *looks* good.
Now reboot the client and try again.
If you ever get the Windows Network Password Dialog DO NOT enter
anything into it. IE will remember the credentials and try to do NTLM
for the remainder of your logon
:
http://www.ioplex.com/d/Plexcel_Operators_Manual.pdf
Note: Our product is not related to mod_auth_kerb but the protocol and
client configuration is the same.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com
._udp.B.W.NET
S: DNS No such name
Can anyone explain this behavior and tell me if it is consistent with
what is supposed to happen?
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method gssapi-with-mic
Failed gssapi-with-mic for ioplex from :::192.168.2.16 port 48735 ssh2
debug1: userauth-request for user ioplex service ssh-connection method publickey
debug1: attempt 4 failures 4
Michael B Allen [EMAIL
.k5login.
Now I wonder what smbclient's problem is with the bad echo'd
signatures. Wheres Andrew Bartlett when you need him ...
Mmm, UIUC. I have droves of family in Champaign.
Thanks,
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com
Good job Sriram. I'm cc-ing the mod_auth_kerb list. They were talking about
this issue a while back.
Mike
On Tue, 1 May 2007 19:08:05 -0700 (PDT)
SriramG [EMAIL PROTECTED] wrote:
Just wanted to update back, if anyone ends up with this issue.
We contacted MS they provided a hotfix as
]
The signature in the SMB response packet is identical to the one
in the request packet (i.e. it was echo'd).
Any ideas?
Do I need to do anything special with DNS?
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com
thought I'd make sure.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
there's something
wrong with your network or it's a bug in IE. Either way, I'd want to
fix it rather than add some feature that just masks the problem.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing
like a simple domain controller availability issue. Perhaps
mod_auth_kerb or libkrb5 could benifit from some retry capability.
Mike
-Original Message-
From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Monday, April 16, 2007 4:56 PM
To: Gopalan, Sriram
Cc: kerberos@mit.edu
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
, when you
feel most or all of the passwords are set in both stores, migrate your
applications to the new Kerberos infrastructure.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list
for the paying customers.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
interested, it's called Plexcel and is available for download
here (no registration required):
http://www.ioplex.com/plexcel.html
Again, it's free for 25 user's so a little PHP script used by a few
admins isn't going to trip up the limit.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http
1 - 100 of 184 matches
Mail list logo