Greg Hudson wrote:
> On 07/22/2017 12:55 PM, Michael Ströder wrote:
> We are also working on a pluggable interface for kadmin authorization,
> targeted for 1.16:
>
> https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
> https://github.com/krb5/krb5/pull
HI!
I've read through kadm5.acl(5):
http://web.mit.edu/kerberos/www/krb5-latest/doc/admin/conf_files/kadm5_acl.html
I'm investigating the possibility to auto-generate kadm5.acl based on access control rules defined in my LDAP directory (with rather complex entity relationships). Are there more
HI!
What's the default for LDAP attribute 'krbTicketFlags' if absent?
Or the other way:
If user input of ticket flags in an admin UI would result in no ticket flags set
at all (integer 0) should the attribute value be set to "0" or removed?
Ciao, Michael.
Tom Yu wrote:
> Michael Ströder <mich...@stroeder.com> writes:
>> src/util/reconf is not available anymore in the source tree.
>>
>> Does that mean one should simply use plain autoreconf instead?
>
> Correct. We updated the documentation accordingly:
>
>
Tom Yu wrote:
> The MIT Kerberos Team announces the availability of MIT Kerberos 5
> Release 1.15.
src/util/reconf is not available anymore in the source tree.
Does that mean one should simply use plain autoreconf instead?
Ciao, Michael.
Greg Hudson wrote:
> Is it sufficient for just the master key to be behind a PKCS #11 device, so
> that the existing database format can be preserved at the cost of letting
> long-term keys pass through KDC application memory?
IMO yes.
Ciao, Michael.
Paul B. Henson wrote:
From: Michael Ströder
Sent: Monday, April 06, 2015 6:47 AM
1. Make sure to be aware of this schema declaration bug:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8150
Hmm, looks like Greg just replied to that bug? What is the expected failure?
Would the index
Paul B. Henson wrote:
I've been happily using the ldap backend via openldap for many years.
Over the past couple of days, I've seen a new message pop up a handful
of times that I've never seen before:
Apr 1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates: (krbPrincipalName) not indexed
Greg Hudson wrote:
On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
So, this means, when adding an alias, addition work is not needed, just
another value for krbPrincipalName?
I had the impression that some additional stuff needs to be stored along
with the alias, like, i don't know, keys, or
Simo Sorce wrote:
On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
On 2015-02-11 15:25, Simo Sorce wrote:
You should also search on KrbCanonicalName if you need exact matching,
krbPrincipalName is multivalued and may contain aliases.
A bit off the topic, but please allow me a
Simo Sorce wrote:
On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
HI!
Maybe some of you are using MIT Kerberos with LDAP backend.
For creating a decent web2ldap search form template for the Kerberos schema
I'd like to know which kind of searches you usually do when looking
HI!
Maybe some of you are using MIT Kerberos with LDAP backend.
For creating a decent web2ldap search form template for the Kerberos schema
I'd like to know which kind of searches you usually do when looking into your
backend via LDAP.
Which attributes are you usually using in the search?
Which
LUISRAMOS wrote:
Michael Ströder wrote:
LUISRAMOS wrote:
We have a unix web server with Apache were we installed kerberos to
implement single sign on.
I guess you're using mod_auth_kerb?
The idea with this is to have the ability of authenticating through the
Windows Active Directory once
--
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
For authentication kerberos should be used.
Is it possible (with the smbk5pwd-Module), to give newly created
ldap-entries (posixAccounts) a kerberos-password automatically?
As already said:
Michael Ströder wrote:
OpenLDAP's slapo-smbk5pwd only works with heimdal since currently
Julian Thomé wrote:
is it possible to compile the smbk5pwd-module, that it can be used with
MIT kerberos so that we can sync passwords between ldap and kerberos ?
It seems that this module with this configuration only works with
heimdal-kerberos.
OpenLDAP's slapo-smbk5pwd only works with
PGNet Dev wrote:
i'm attempting to load opensuse's mit-kerberos schema
(/usr/share/doc/packages/krb5/kerberos.schema) into an openDS -- not
openLDAP -- server.
Why don't you use /usr/share/doc/packages/krb5/kerberos.ldif since
OpenDS reads schema information from LDIF file?
Not sure whether it
Adriana Gologaneanu wrote:
Debian Etch
- slapd: 2.3.30-5+etch2
- krb5-kdc: 1.4.4-7etch6
I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data
to be stored in an LDAP server.
Let me test it and I will give you a feedback.
It won't help since the credentials are stored in
Adriana Gologaneanu wrote:
I'm using LDAP for authorization and Kerberos for authentication. The
workstations are configured with pam_krb5 module.
There is a way to sync passwords between LDAP and Kerberos? Both are on
same machine and the passwords to ldap db are sent in MD5 via a virtual
Xu, Qiang (FXSGSC) wrote:
Yes, now I am also suspecting something is wrong with DNS settings.
But I don't know how to check them. Could you give me some examples?
Use nslookup.exe on host name and IP address. They must match.
[libdefaults]
default_realm = durian.fujixerox.com
[..]
In
Douglas E. Engert wrote:
Xu, Qiang (FXSGSC) wrote:
Michael said in an earlier note ktpass was not what you needed.
Unless I missed something, I assumed the ldap service is going to be
running on a Unix system. In which case ktpass is what you want.
As I understood the original poster he
Xu, Qiang (FXSGSC) wrote:
-Original Message-
From: kerberos-boun...@mit.edu
[mailto:kerberos-boun...@mit.edu] On Behalf Of Michael Ströder
Sent: Tuesday, March 17, 2009 8:20 PM
To: kerberos@mit.edu
Subject: Re: SASL authentication
First try to do a kinit with providing the
Xu, Qiang (FXSGSC) wrote:
-Original Message-
From: kerberos-boun...@mit.edu
[mailto:kerberos-boun...@mit.edu] On Behalf Of Michael Ströder
Sent: Monday, March 16, 2009 7:18 PM
To: kerberos@mit.edu
Subject: Re: SASL authentication
Try with obtaining the TGT with 'kinit -A
Xu, Qiang (FXSGSC) wrote:
I am trying to do LDAP SASL binding to ADS in Windows 2003 server, which is
where KDC resides at the same time.
Unfortunately, an error is confusing me:
==
apManager (Fri Mar 13 2009 13:34:19.846)
Richard E. Silverman wrote:
MKJ == Mikkel Kruse Johnsen mik...@linet.dk writes:
MKJ I also had a problem getting this to work and it turned out to be
MKJ a problem with mod_auth_kerb I had to recompile it, using its
MKJ internal GSSAPI support and not MIT Kerberos under RHEL5
Henrik Hodne wrote:
On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen mik...@linet.dk wrote:
Yes, that is possible.
You need to set your LDAP to authenticate using SASL like this:
# SASL
sasl-host kerberos.cbs.dk
sasl-realm CBS.DK
sasl-secprop
slainde...@kabelmail.de wrote:
@Paul Moore: What do you mean, with an AD account with that SPN?
He meant an AD user entry for this service with the appropriate service
principal name set in (LDAP attribute) 'servicePrincipalName'.
I had created an extra user and password at the AD. This login
Michael Ströder wrote:
Andrew Cobaugh wrote:
On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder mich...@stroeder.com
wrote:
HI!
I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
receive a forwardable ticket
HI!
I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
initialized.
The
Ronni Feldt wrote:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Are you actually using MDNS? You will run into problems if your domain
names end with .local.
Ciao, Michael.
Michael B Allen wrote:
It's the client's responsibility to decide whether or not to include a
TGT. A client can always request a forwardable TGT in which case it
can be submitted to the web server. For example on Linux if you do
kinit -f [EMAIL PROTECTED] and then point Firefox at an SPNEGO
Michael B Allen wrote:
On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery [EMAIL PROTECTED] wrote:
And that is the scenario where direct SPNEGO / NTLMSSP solutions are
going to perform better.
If by better you mean pretty much the same, yes, modulo the
configuration note that I mentioned.
No, I
Simon Wilkinson wrote:
On 18 Jul 2008, at 12:13, Michael Ströder wrote:
Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
it's just a service ticket.
SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
deleg_creds flag when calling into the API
Sharad Desai wrote:
You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
have SPNEGO built in, and can use the Kerberos in Active Directory.
Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
platform
see the about:config and the
Russ Allbery wrote:
(If you use
Firefox, you don't have to actually be a member of the domain; you can use
a different mechanism for getting Kerberos tickets, such as NIM.)
What is NIM?
Ciao, Michael.
Matthew Devine wrote:
So I'm looking for a little guidance on setting up a Kerberos environment
from scratch simply for testing purposes (I.E. No Domain Controller or
anything yet).
How about using the VMWare-Player for setting up various test machines?
Ciao, Michael.
[EMAIL PROTECTED] wrote:
SAP Support says, that the guys at MIT have successfully implemented
such a scenario
One of my customers also successfully installed that. I wasn't involved
in that though.
With this particular error message I'd examine two things:
1. DNS A and PTR RRs for all
[EMAIL PROTECTED] wrote:
On 9 Jun., 10:17, Michael Ströder [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
SAP Support says, that the guys at MIT have successfully implemented
such a scenario
One of my customers also successfully installed that. I wasn't involved
in that though
Anshuman Hazarika wrote:
Would the Kerberos database and the open ldap database be different?
Or is it possible to make the open ldap database, the kerberos
database.
Both are possible.
If not, how would they both function together?
The KDC can use the OpenLDAP server as database
Eswar S wrote:
Is it possible to having CA certs/intermediate Cert also in
Standard smartcard?
This is a rather PKI-related question. Note that trusted root CA certs
should be pre-installed explicitly marked as trusted in the entity which
tries to validate a certain certificate.
Wes Modes wrote:
Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using
Saslauthd and the [EMAIL PROTECTED] That part at least is
indeed possible.
[..]
I know now that I can't just plug them in end-to-end and expect them to
work. But I was hoping that experts on this and
HI!
I'm using Java GSS of Java 1.5.0_14 with MS AD. I'd like to avoid setting
the property java.security.krb5.kdc to specify the KDCs. I'd prefer to let
JGSS locate the KDCs via DNS. Is this possible with this Java version? I
tried to switch to using krb5.conf with
[libdefaults]