Greg Hudson wrote:
> On 07/22/2017 12:55 PM, Michael Ströder wrote:
> We are also working on a pluggable interface for kadmin authorization,
> targeted for 1.16:
>
> https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
> https://github.com/krb5/krb5/pull/675
Nic
HI!
I've read through kadm5.acl(5):
http://web.mit.edu/kerberos/www/krb5-latest/doc/admin/conf_files/kadm5_acl.html
I'm investigating the possibility to auto-generate kadm5.acl based on access
control rules defined in my LDAP directory (with rather complex entity relationships).
Are there more co
HI!
What's the default for LDAP attribute 'krbTicketFlags' if absent?
Or the other way:
If user input of ticket flags in an admin UI would result in no ticket flags set
at all (integer 0) should the attribute value be set to "0" or removed?
Ciao, Michael.
Tom Yu wrote:
> Michael Ströder writes:
>> src/util/reconf is not available anymore in the source tree.
>>
>> Does that mean one should simply use plain autoreconf instead?
>
> Correct. We updated the documentation accordingly:
>
> http://web.mit.e
Tom Yu wrote:
> The MIT Kerberos Team announces the availability of MIT Kerberos 5
> Release 1.15.
src/util/reconf is not available anymore in the source tree.
Does that mean one should simply use plain autoreconf instead?
Ciao, Michael.
Greg Hudson wrote:
> Is it sufficient for just the master key to be behind a PKCS #11 device, so
> that the existing database format can be preserved at the cost of letting
> long-term keys pass through KDC application memory?
IMO yes.
Ciao, Michael.
Paul B. Henson wrote:
From: Michael Ströder
Sent: Monday, April 06, 2015 6:47 AM
1. Make sure to be aware of this schema declaration bug:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8150
Hmm, looks like Greg just replied to that bug? What is the expected failure?
Would the index be
Paul B. Henson wrote:
I've been happily using the ldap backend via openldap for many years.
Over the past couple of days, I've seen a new message pop up a handful
of times that I've never seen before:
Apr 1 16:45:47 chaos slapd[8670]: <= mdb_substring_candidates:
(krbPrincipalName) not indexed
Greg Hudson wrote:
> On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
>> So, this means, when adding an alias, additional work is not needed, just
>> another value for krbPrincipalName?
>> I had the impression that some additional stuff needs to be stored along
>> with the alias, like, I don't know, key
Simo Sorce wrote:
> On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
>> On 2015-02-11 15:25, Simo Sorce wrote:
>>> You should also search on KrbCanonicalName if you need exact matching,
>>> krbPrincipalName is multivalued and may contain aliases.
>>
>> A bit off the topic, but please allow
Simo Sorce wrote:
> On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
>> HI!
>>
>> Maybe some of you are using MIT Kerberos with LDAP backend.
>>
>> For creating a decent web2ldap search form template for the Kerberos schema
>> I'd like to kno
HI!
I'm looking closer at the attribute type descriptions in kerberos.schema
(schema file for OpenLDAP shipped by openSUSE package
krb5-plugin-kdb-ldap-1.13-154.2.x86_64).
For some attribute types with IA5Syntax there's defined:
SUBSTR caseExactSubstringsMatch
IMHO this is wrong. It has
HI!
Maybe some of you are using MIT Kerberos with LDAP backend.
For creating a decent web2ldap search form template for the Kerberos schema
I'd like to know which kind of searches you usually do when looking into your
backend via LDAP.
Which attributes are you usually using in the search?
Which
LUISRAMOS wrote:
>
> Michael Ströder wrote:
>> LUISRAMOS wrote:
>>> We have a unix web server with Apache were we installed kerberos to
>>> implement single sign on.
>> I guess you're using mod_auth_kerb?
>>
>>> The idea with this is to h
.
See also: http://modauthkerb.sourceforge.net/configure.html
Ciao, Michael.
--
Michael Ströder
E-Mail: mich...@stroeder.com
http://www.stroeder.com
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
tand that quite well.
> For authentication kerberos should be used.
> Is it possible (with the smbk5pwd-Module), to give newly created
> ldap-entries (posixAccounts) a kerberos-password automatically ??
As already said:
> Michael Ströder wrote:
>> OpenLDAP's slapo-
Julian Thomé wrote:
> is it possible to compile the smbk5pwd-module, that it can be used with
> MIT kerberos so that we can sync passwords between ldap and kerberos ?
> It seems that this module with this configuration only works with
> heimdal-kerberos.
OpenLDAP's slapo-smbk5pwd only works with h
PGNet Dev wrote:
> i'm attempting to load opensuse's mit-kerberos schema
> (/usr/share/doc/packages/krb5/kerberos.schema) into an openDS -- not
> openLDAP -- server.
Why don't you use /usr/share/doc/packages/krb5/kerberos.ldif since
OpenDS reads schema information from LDIF file?
Not sure whether
Adriana Gologaneanu wrote:
> Debian Etch
> - slapd: 2.3.30-5+etch2
> - krb5-kdc: 1.4.4-7etch6
>
> I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data
> to be stored in an LDAP server.
> Let me test it and I will give you a feedback.
It won't help since the credentials are sto
Adriana Gologaneanu wrote:
>
> I'm using LDAP for authorization and Kerberos for authentication. The
> workstations are configured with pam_krb5 module.
> There is a way to sync passwords between LDAP and Kerberos? Both are on
> same machine and the passwords to ldap db are sent in MD5 via a virtu
Xu, Qiang (FXSGSC) wrote:
>
> Yes, now I am also suspecting something is wrong with DNS settings.
> But I don't know how to check them. Could you give me some examples?
Use nslookup.exe on host name and IP address. They must match.
> [libdefaults]
> default_realm = durian.fujixerox.com
> [..]
>
Douglas E. Engert wrote:
> Xu, Qiang (FXSGSC) wrote:
>
> Michael said in an earlier note ktpass was not what you needed.
> Unless I missed something, I assumed the ldap service is going to be
> running on a Unix system. In which case ktpass is what you want.
As I understood the original poster
Xu, Qiang (FXSGSC) wrote:
>> -Original Message-
>> From: kerberos-boun...@mit.edu
>> [mailto:kerberos-boun...@mit.edu] On Behalf Of Michael Ströder
>> Sent: Tuesday, March 17, 2009 8:20 PM
>> To: kerberos@mit.edu
>> Subject: Re: SASL authentication
>>
>> First try to do a kinit with provid
Xu, Qiang (FXSGSC) wrote:
>> -Original Message-
>> From: kerberos-boun...@mit.edu
>> [mailto:kerberos-boun...@mit.edu] On Behalf Of Michael Ströder
>> Sent: Monday, March 16, 2009 7:18 PM
>> To: kerberos@mit.edu
>> Subject: Re: SASL authentication
>>
>> Try with obtaining the TGT with 'kin
Xu, Qiang (FXSGSC) wrote:
>
> I am trying to do LDAP SASL binding to ADS in Windows 2003 server, which is
> where KDC resides at the same time.
>
> Unfortunately, an error is confusing me:
> ==
> (Fri Mar 13 2009 13:34:19.846)
>
> INFO>> SASL
Richard E. Silverman wrote:
>> "MKJ" == Mikkel Kruse Johnsen writes:
> MKJ> I also had a problem getting this to work and it turned out to be
> MKJ> a problem with "mod_auth_kerb" I had to recompile it, using its
> MKJ> internal GSSAPI support and not MIT Kerberos under RHEL5 Don'
Henrik Hodne wrote:
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen wrote:
>
>> Yes, that is possible.
>>
>> You need to set your LDAP to authenticate using SASL like this:
>>
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secpropnoplain,noanonymous,mins
Dax Kelson wrote:
> If either tools has not been created, there is code from the FreeIPA
> project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that
> fetches the master key and properly creates the ASN.1 encoded key. That
> code could be used as a starting point or inspiration.
Security
slainde...@kabelmail.de wrote:
> @Paul Moore: What do you mean, with "an AD account with that SPN"?
He meant an AD user entry for this service with the appropriate service
principal name set in (LDAP attribute) 'servicePrincipalName'.
> I had created an extra user and password at the AD. This log
Michael Ströder wrote:
> Andrew Cobaugh wrote:
>> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder
>> wrote:
>>> HI!
>>>
>>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>>> SPNEGO/Kerberos working with MS AD W2K3SP1.
Andrew Cobaugh wrote:
> On Fri, Jan 16, 2009 at 2:58 PM, Michael Ströder wrote:
>> HI!
>>
>> I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
>> SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
>> receive a forwardable ti
HI!
I'm trying to test mod_auth_kerb-5.4 built with MIT libs 1.6.3 for
SPNEGO/Kerberos working with MS AD W2K3SP1. My ultimate goal is to
receive a forwardable ticket (env var KRB5CCNAME) and use that for LDAP
SASL/GSSAPI bind to AD. The service account in AD is AFAICS properly
initialized.
The w
Thomas Mueller wrote:
> first, the online documentation**, says to create new ACLs ending with
> "by * none". this disabled the access for all except the two kerberos
> users. after reading man slapd.access it may be better read "by * break"
> to let slapd evaluate the next access statements?
Ronni Feldt wrote:
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
Are you actually using MDNS? You will run into problems if your domain
names end with .local.
Ciao, Michael.
Michael B Allen wrote:
>
> It's the client's responsibility to decide whether or not to include a
> TGT. A client can always request a forwardable TGT in which case it
> can be submitted to the web server. For example on Linux if you do
> kinit -f [EMAIL PROTECTED] and then point Firefox at an SPN
Simon Wilkinson wrote:
>
> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>> it's just a service ticket.
>
> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
> de
Michael B Allen wrote:
> On Thu, Jul 17, 2008 at 6:46 PM, Russ Allbery <[EMAIL PROTECTED]> wrote:
>>> And that is the scenario where direct SPNEGO / NTLMSSP solutions are
>>> going to perform better.
>> If by "better" you mean "pretty much the same," yes, modulo the
>> configuration note that I men
Russ Allbery wrote:
> (If you use
> Firefox, you don't have to actually be a member of the domain; you can use
> a different mechanism for getting Kerberos tickets, such as NIM.)
What is NIM?
Ciao, Michael.
Sharad Desai wrote:
>> You may want to search for SPNEGO and mod_auth_kerb. Windows IE and IIS
>> have SPNEGO built in, and can use the Kerberos in Active Directory.
>> Apache can use mod_auth_kerb that supports SPNEGO. With FireFox 2 on any
>> platform
>> see the about:config and the network.negot
Matthew Devine wrote:
> So I'm looking for a little guidance on setting up a Kerberos environment
> from scratch simply for testing purposes (I.E. No Domain Controller or
> anything yet).
How about using the VMWare-Player for setting up various test machines?
Ciao, Michael.
[EMAIL PROTECTED] wrote:
> On 9 Jun., 10:17, Michael Ströder <[EMAIL PROTECTED]> wrote:
>> [EMAIL PROTECTED] wrote:
>>> SAP Support says, that the guys at MIT have successfully implemented
>>> such a scenario
>> One of my customers also successfully insta
[EMAIL PROTECTED] wrote:
> SAP Support says, that the guys at MIT have successfully implemented
> such a scenario
One of my customers also successfully installed that. I wasn't involved
in that though.
With this particular error message I'd examine two things:
1. DNS A and PTR RRs for all invol
Anshuman Hazarika wrote:
> Would the Kerberos database and the open ldap database be different?
> Or is it possible to make the open ldap database, the kerberos
> database.
Both are possible.
> If so, how? If not how would they both function together?
The KDC can use the OpenLDAP server as databa
Eswar S wrote:
> Is it possible to having CA certs/intermediate Cert also in
> Standard smartcard?
This is a rather PKI-related question. Note that trusted root CA certs
should be pre-installed explicitly marked as trusted in the entity which
tries to validate a certain certificate. Y
Wes Modes wrote:
> Michael Ströder wrote:
>>
>> Maybe you should think about why "creative hacks" are not a good idea
>> and therefore the experts do not suggest any. Kerberos has a certain
>> security model. For security reasons the TGT is not something whi
Wes Modes wrote:
> Thanks, Sean. I've set up the OpenLDAP to Kerberos connection using
> Saslauthd and the [EMAIL PROTECTED] That part at least is
> indeed possible.
> [..]
> I know now that I can't just plug them in end-to-end and expect them to
> work. But I was hoping that experts on this
HI!
I'm using Java GSS of Java 1.5.0_14 with MS AD. I'd like to avoid setting
the property java.security.krb5.kdc to specify the KDCs. I'd prefer to let
JGSS locate the KDCs via DNS. Is this possible with this Java version? I
tried to switch to using krb5.conf with
[libdefaults]
dns_lookup_kdc