For an existing principal you can enable preauth from kadmin with:
modprinc +requires_preauth principalname
I don't know of a way to enable preauth globally aside from setting it
for each principal.
-Mike
Gopal Paliwal wrote:
Hi Friends,
Recently I set up the whole kerberos system using
Attached is a converted patch for 1.4.3 (closer to your 1.4.2). This
includes all three advisories. I just finished compiling, but haven't
tested it yet so use it at your own risk.
-Mike
Tom Yu wrote:
mikef == Mike Friedman [EMAIL PROTECTED] writes:
mikef On Tue, 3 Apr 2007 at 14:10
Specifically,
diff -Nur krb5-040307/lib/kadm5/configure krb5/lib/kadm5/configure
--- krb5-040307/lib/kadm5/configure 2005-11-16 16:47:28.0 -0600
+++ krb5/lib/kadm5/configure2007-04-03 15:15:04.0 -0500
@@ -5453,7 +5453,7 @@
-for ac_func in openlog
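Review bot: this hunk patches lib/kadm5/configure, which is an autoconf-generated script, so an edit to the `for ac_func in openlog` check will be overwritten the next time configure is regenerated; the change belongs in the autoconf input the script is generated from, with configure refreshed from it. Also check the `+++` header, which here reads `krb5/lib/kadm5/configure2007-04-03` with no separator between filename and timestamp, before applying the patch.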
Attached is a patch to add wildcard support at the beginning and end of
kadm5.acl components. I'd love to see this or something like it get
added to the standard codebase. We haven't used this in the field yet,
I wanted to get people's opinions first. I may not have considered all
of the
As is typical, attached is the correct version of the patch with one
less bug. Sorry about that.
-Mike
Mike Dopheide wrote:
Attached is a patch to add wildcard support at the beginning and end of
kadm5.acl components. I'd love to see this or something like it get
added to the standard
Whoops. ktadd, by default, randomizes your key (password) and tries to
write a keytab to /etc/krb5.keytab. Assuming you didn't successfully
write out a keytab you have no choice but to contact your administrator
to get your password reset.
-Mike
Dragomir Radev wrote:
Our university
,
On 10/27/06, Mike Dopheide [EMAIL PROTECTED] wrote:
What are you using to login? telnet/rsh/ssh? My first guess is that ssh
is configured to disallow root logins on the second system.
I try to log in directly, not over ssh/telnet or something else.
-Mike
Hello ml,
I have just
What are you using to login? telnet/rsh/ssh? My first guess is that ssh
is configured to disallow root logins on the second system.
As an aside, I'd highly recommend against using a 'root' principal. It's
dangerous and doesn't leave a good audit trail. We prefer our admins to
login with
I'm stumped.
I still think there's something inconsistent with the hostname,
/etc/hosts, and/or DNS, but I'm not sure what else to suggest.
-Mike
Mike Dopheide wrote:
Hhmm.. okay. First of all, you don't want to have the same keys in
krb5.keytab on both systems. A system should really
. The
slave should also have a kpropd.acl with just the text
host/master.ph.ic.ac.uk, not the actual key.
Hopefully that will get you further.
-Mike
Mike Dopheide wrote:
My first guess is that the slave KDC doesn't have a host/ entry in the
principal database (and in its krb5.keytab). Check your kerberos logs
and see if you're getting a client not found error for
host/rapanui.ph.ic.ac.uk
Other common propagation problems come from missing entries in
Please don't laugh.
Some of my users have a need for a Windows FTP client that works with KfW.
Wait, it gets better.
The only two I'm familiar with are FileZilla and Kermit 95. The problem
is that the specialized server they need to connect to doesn't support the
ftp PROT command (ie,
Yes, we do. :) But they were written in 1998 and I can't get them to
build in Windows against KfW.
-Mike
NCSA had mods to the MIT ftp to run under Windows a few years ago, that
worked
with We used to use them. Google for: ncsa ftp kerberos
Here's what we do...
There's one master KDC and two slaves. The master propagates its
database to the slaves every 5 minutes if there were any changes. All of
the servers have the same startup script that detects the existence of a
file. If said file exists, it starts the server as a
Well that's handy to know. Is that an intentionally undocumented feature
or should someone like myself submit a man page patch?
-Mike
Right: ktadd randomizes the key and increments the key version number.
Instead, use ktutil addent to create the keytab, using the password.
--
Richard
Something like this:
--- ktutil.M2006-07-11 23:16:06.0 -0500
+++ ktutil.M.dop2006-07-11 22:55:48.0 -0500
@@ -43,11 +43,15 @@
.BR clear .
.TP
\fBdelete_entry\fP \fIslot\fP
-Delets the entry in slot number
+Delete the entry in slot number
.I slot
-from the
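Review bot: the hunk header @@ -43,11 +43,15 @@ announces four added lines, but the only change visible in this excerpt is the one-word spelling correction `-Delets` / `+Delete` in the delete_entry description; the documentation for the undocumented ktutil behaviour discussed above (the reason for this man page patch) is cut off here and cannot be reviewed from this fragment. The spelling fix itself is correct.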
To my knowledge there is no built-in mechanism to disable a principal
after a certain number of failed logins. If you have preauth enabled you
could probably patch the KDC or write a script to monitor your logs.
However, without preauth the KDC has no idea whether a login attempt
(kinit) was
In my experience only your TGT will be forwarded, not every ticket in your
credentials cache. The tickets have your IP address encoded in them so
during the forwarding process you're actually getting a new TGT with the
IP address of the remote system you're telnetting into.
-Mike
*NOW*
Steve,
To my knowledge there is no way to convert keys like you're wanting to do.
My suggestion, if it's possible in your environment, would be to implement
a password expiration policy with a deadline of a few months and let
everyone gradually change their password.
The inevitable problem
While testing 1.4 we are seeing this same error with kadmin. So far it
seems to be only a kadmin client issue and happens regardless of whether
the server is running 1.3.5, 1.3.6, or 1.4.
The 1.3.5 and 1.3.6 kadmin clients work fine. Has anyone else seen this
issue?
I hope to find time
Has anyone attempted to build shared object libraries under AIX 5.1?
MIT Kerberos 1.3.6 appears to build just fine using CC=/usr/vacpp/bin/cc
and --enable-shared, but I only end up with .a libraries.
Any thoughts? Unfortunately I'm not too familiar with the AIX
environment, but I'd be happy
---
Mike Dopheide          [EMAIL PROTECTED]
Research Programmer    217-244-0299
National Center for Supercomputing Applications
Previous post regarding same issue:
From: Leonard J. Peirce ([EMAIL PROTECTED])
Subject: Double log entries for V5 1.2.4 on Solaris