Cross Realm MIT <-> Active Directory

2006-11-05 Thread Miguel Sanders
Hi I have been through many documents for several times but I just can't seem to find the problem. Here is the idea. Users are defined in Active Directory (domain/realm WINDOWS.COM) Host and service principals are defined in MIT Kerberos (realm UNIX.COM). Now I want the Windows users to be able to

Re: Cross Realm MIT <-> Active Directory

2006-11-05 Thread Miguel Sanders
rd? I meant on the Unix box, not on the Windows box, so sorry on that. Markus Moeller wrote: > "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > Hi > > I have been through many documents for several times but I just can

Re: Cross Realm MIT <-> Active Directory

2006-11-06 Thread Miguel Sanders
Thanks a lot Markus Could you paste your krb5.conf as well? Kind regards Miguel Markus Moeller wrote: > "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > 1) You should use rc4-hmac. des is weak and shouldn't be used. > >

Re: Cross Realm MIT <-> Active Directory

2006-11-07 Thread Miguel Sanders
m = UNIX.COM
> unix.com = UNIX.COM
> .windows.com = WINDOWS.COM
> windows.com = WINDOWS.COM
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
>
> Regards
> Markus
>
>

Cross Realm: Problem with Default Realm

2007-07-26 Thread Miguel Sanders
Dear all I managed to do cross realm authentication between AD realm A and MIT realm B. However this only works if hosts in realm B have "default_realm =A" in their krb5.conf. I have some problems with this since there are quite a lot of other principals in realm B... Perhaps a setting in krb5.c

Cross Realm: Multiple AD Domains

2007-07-28 Thread Miguel Sanders
Dear all I have asked this question already to Markus and Douglas but I am giving it another attempt. I have already successfully tested my cross realm implementation in a test phase. However the environment in test was a single domain in the forest and the acceptance/production environment has m

SSO Fails on XP SP2

2007-07-30 Thread Miguel Sanders
Dear all I don't know whether or not I should post this here or in microsoft.xp.client but I will do both. After successfully implementing a cross realm trust between AD and a UNIX realm, it seems that the clients that use SP1 can successfully have SSO to the UNIX machine whereas the SP2 people c

Re: SSO Fails on XP SP2

2007-07-30 Thread Miguel Sanders
owTGTSessionKey = > 0x01 (DWORD)" as described > here http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa > > Regards > Markus > > "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message > > news:[EMAIL PROTECTED] > > > > > Dear a

Re: SSO Fails on XP SP2

2007-07-30 Thread Miguel Sanders
I see that I receive the cross realm ticket. However I don't receive any service ticket! On 30 jul, 21:53, "Markus Moeller" <[EMAIL PROTECTED]> wrote: > Can you use kerbtray to see if you get the service principal ? > > Markus > > "Miguel Sanders"

Re: SSO Fails on XP SP2

2007-08-01 Thread Miguel Sanders
host/[EMAIL PROTECTED] > > I think Vintella is adding the default domain otherwise. Not sure if that is > a bug or if I missed configuration setting. > > Markus > > "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message > > news:[EMAIL PROTECTED] >

Kerberos and IP aliases

2007-09-05 Thread Miguel Sanders
Dear all I was just wondering how Kerberos reacts to IP aliases (virtual IP addresses). Do you have to create a host principal for the virtual hostname as well? Any information on this would be greatly appreciated. Thnx Miguel

Question on renewable lifetime

2009-03-26 Thread miguel . sanders
Hi I'm having a background process which requires a service principal to work correctly. Currently, I'm having a cron job which does a kinit (with the keytab supplied) for that service principal. Wouldn't it be better to renew the ticket instead of doing the above? As a result, I would have to set

RE: Question on renewable lifetime

2009-03-27 Thread miguel . sanders
Hi Greg Thanks for the feedback. Much appreciated! Met vriendelijke groet Best regards Bien à vous Miguel SANDERS ArcelorMittal Gent UNIX Systems & Storage IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.

RC4HMAC Issue To AD

2009-04-28 Thread miguel . sanders
Hi folks I'm observing a rather odd situation when using the RC4HMAC encryption type to AD. What I can see from the key exchanges is the following: 1) MIT Client performs AS-REQ and mentions aes256-cts-hmac-sha1-96, rc4-hmac and des3-cbc-sha1 as supported enctypes. 2) AD responds with an AS-REP wh

RE: RC4HMAC Issue To AD

2009-04-28 Thread miguel . sanders
Hi Ross Thanks a lot for your help.

RE: MIT Kerberos: Cannot resolve network address for KDC in realm

2009-04-30 Thread miguel . sanders
alezeo.com should be upper case. Realm names are always upper case!

RE: Sudo w/Ticket Support

2009-05-07 Thread miguel . sanders
Last sentence should have been: "Why not use NOPASSWD?" I'm getting tired...

RE: Sudo w/Ticket Support

2009-05-07 Thread miguel . sanders
Afaik that's not available yet (however, you could integrate it yourself). But if you already obtained a TGT, why bother authenticating again? But not use just use NOPASSWD.

auth_to_local struggle

2009-05-11 Thread miguel . sanders
transformation rule is correct AFAIK. Thanks for your help!

RE: auth_to_local struggle

2009-05-11 Thread miguel . sanders
Thanks a lot Mark! Works fine!

RE: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

2009-05-13 Thread miguel . sanders
Luke You should take a look at the config/shlib.conf. Apparently krb5-1.6.3 is not yet AIX6.1 aware. Just alter the *-*-aix5*) on line 410 to f.e. *-*-aix*) Should I file a bug report for this?

RE: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

2009-05-13 Thread miguel . sanders
I'll open a bug report for it. If you have further questions on how to get this going on AIX, you can always send me a mail. Good luck!

RE: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

2009-05-13 Thread miguel . sanders

RE: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

2009-05-13 Thread miguel . sanders

RE: pthreads/dlopen issue when building krb-1.6.3 on AIX 6.1?

2009-05-13 Thread miguel . sanders
Indeed :-) Good luck!

RE: Kerberos linking on AIX 6.1

2009-05-15 Thread miguel . sanders
Luke The problem here lies in the fact that the libraries you build before you run into the error are not included in the libpath (-L). Could you try adding the folder that contains the libraries as an additional CFLAGS argument?

RE: Kerberos linking on AIX 6.1

2009-05-15 Thread miguel . sanders
brary, all libraries (static/shared) should end with .o) Archive it: # ar -v -q gssapi_krb5.a gssapi_krb5.so

RE: Kerberos linking on AIX 6.1

2009-05-15 Thread miguel . sanders
# cc main.c -L/someabsolutepath -lfoo If wanted, I'm willing to participate on this.

RE: UDP/TCP problem in cross-realm authentication

2009-05-22 Thread miguel . sanders
Have you rebooted after setting MaxPacketSize? (It's Windows you know...) :-)

RE: UDP/TCP problem in cross-realm authentication

2009-05-22 Thread miguel . sanders
Moreover, do you even see the KRB5KRB_ERR_RESPONSE_TOO_BIG reply from the KDC?

RE: krb5_aname_to_localname() issue

2009-06-06 Thread miguel . sanders
Very cryptic indeed, especially when you want to play around with all instance components. It was more like trial and error for me tbh.

RE: Problem: passwordless SSH-login with Kerberos doesn't work

2009-06-15 Thread miguel . sanders
Hans Are you attempting Kerberos based password authentication or single sign on? Could you also give the sshd trace (-ddd)?

HostToRealm issue on Windows

2009-06-23 Thread miguel . sanders
rtunately, this is not what is happening :( Any idea what is wrong with scenario above? Thanks for your help