Folks,
my compiler tells me:
> /opt/aCC/bin/aCC -Ae -DHAVE_CONFIG_H -DUSE_AUTOCONF_H -I../../include
> -I../../include -I./../../lib/gssapi/mechglue -I./../../lib/gssapi/krb5
> -I./../../lib/gssapi/generic -I../../lib/gssapi/krb5
> -I../../lib/gssapi/generic -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE
On 2021-04-09 at 20:24, Greg Hudson wrote:
> On 4/9/21 11:35 AM, Osipov, Michael (LDA IT PLM) wrote:
>> I am quite sure that this is a race condition where stat() is performed,
>> file does not exist, open() with write is performed, in parallel it is
>> already created and t
On 2021-04-06 at 19:28, Greg Hudson wrote:
> On 4/6/21 11:48 AM, Osipov, Michael (LDA IT PLM) wrote:
>> gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor
>> code may provide more information, Minor (11): Failed to store
>> credentials: Inter
On 2021-04-06 at 19:28, Greg Hudson wrote:
> On 4/6/21 11:48 AM, Osipov, Michael (LDA IT PLM) wrote:
>> gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor
>> code may provide more information, Minor (11): Failed to store
>> credentials: Inter
Hi,
based on some debugging issues it would be really helpful to see after
[] also the [] in KRB5_TRACE output. As far as I can see it is
printed in krb5int_trace(). Unfortunately, there is no portable (POSIX)
way to retrieve it. Luckily, I have extended some code in
Tomcat Native
Hi,
we do experience some weird concurrency issues with FILE: based
credential caches.
One Python application uses tens (mostly 16 to 24) of concurrent threads
to access resources via py-requests and py-requests-gssapi on top of
Debian 10 with MIT Kerberos 1.17 (GitLab Runner) and FreeBSD 12-ST
Folks,
please find a patch to fix a simple typo in configure.in:
--- configure.in.orig 2019-05-27 12:59:00 +
+++ configure.in2019-05-27 12:59:06 +
@@ -1110,7 +1110,7 @@
# For Python tests.
AC_CHECK_PROG(PYTHON,python3,python3)
-if text x"$PYTHON" = x; then
+if test x"$PYTHON
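Review bot: the description calls this a simple typo, but the effect of the removed line `if text x"$PYTHON" = x; then` is worth stating in the commit message: `text` is not a shell builtin, so the condition normally fails with a command-not-found error and the branch meant for an empty `$PYTHON` is skipped. Since only configure.in is touched, also note that the configure script has to be regenerated for the corrected `test` line to take effect.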
On 2018-09-26 at 18:43, Robbie Harwood wrote:
> "Osipov, Michael" writes:
>
>> On 2018-09-25 at 19:25, Robbie Harwood wrote:
>>> "Osipov, Michael" writes:
>>>
>>>> Hi folks,
>>>>
>>>> I have recentl
On 2018-09-25 at 19:25, Robbie Harwood wrote:
> "Osipov, Michael" writes:
>
>> Hi folks,
>>
>> I have recently compiled MIT Kerberos 1.16.1 on HP-UX and yacc failed with:
>>
>>> "./kadmin/cli/getdate.y", line 180: fatal e
On 2018-09-25 at 19:23, Greg Hudson wrote:
> On 09/25/2018 06:46 AM, Osipov, Michael wrote:
>> I have recently compiled MIT Kerberos 1.16.1 on HP-UX and yacc failed
>> with:
>>
>>> "./kadmin/cli/getdate.y", line 180: fatal error: invalid escap
Hi folks,
I have recently compiled MIT Kerberos 1.16.1 on HP-UX and yacc failed with:
> "./kadmin/cli/getdate.y", line 180: fatal error: invalid escape, or illegal
> reserved word: expect
Change introduced in
https://github.com/krb5/krb5/commit/28fd0a934cdc7b3b42ce213c6d334d4edf1ab591#diff-db7
> Hi All ,
>
> This is my setup .
>
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC .
> BS2000 with MIT kerberos 1.13.2
>
> I generate keytab for SPN using this command :
>
> ktpass -princ host/@domain name -mapuser user pass> pass -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -
> o
> On 03/15/2017 11:39 AM, Osipov, Michael wrote:
> > So there is basically no way to tell MIT Kerberos if your home realm is
> > unable to route the request, it should try other realms, correct?
>
> No; we have a fallback realm mechanism in the TGS client code, but it
> On Mar 15, 2017, at 10:56 AM, Osipov, Michael
> wrote:
> >
> > Both aren't an option:
> >
> > 1. TXT records are unknown to Windows are all host to realm mapping is
> > performed by the domain controller by querying the global catalog
>
> But
> On 03/15/2017 10:56 AM, Osipov, Michael wrote:
> >> * The host-based service referrals mechanism also seems promising, and
> >> you're certainly running a new enough version of Kerberos to
> accommodate
> >> it. I have not personally used it (yet), but it m
> On Mar 15, 2017, at 8:15 AM, Osipov, Michael
> wrote:
> >
> > Hi folks,
> >
> > we are experiencing a problem with an insufficient Kerberos setup on
> Active Directory
> > side which can be solved on Windows-side with Kerberos Forest Search
> Order
Hi folks,
we are experiencing a problem with an insufficient Kerberos setup on Active
Directory
side which can be solved on Windows-side with Kerberos Forest Search Order [1].
What Windows basically does is to traverse a list of Kerberos realms to obtain a
service ticket for a specific SPN where
> And not just for the server, on the user side too as a lot of client
> applications do not even check if the reply from the server is genuine
> (completing the context establishment phase for mutual authentication)
> and just accept the 200 OK code as it comes
This is actually the most importan
> Sent: Wednesday, August 17, 2016 8:20 AM
> To: Osipov, Michael; kerberos@mit.edu
> Subject: Re: Avoiding "KDC has no support for encryption type while
> getting initial credentials" by pinning selected KDC
>
> On 08/17/2016 08:51 AM, Osipov, Michael wrote:
> > Th
Hi Todd,
> Michael,
>
> This does not fix your issue, it's more for clarification of discussion.
>
> The "domain functional level" should be dictating the behavior of the
> aggregate AD environment. You can control the preference for encryption
> type in the krb5.conf's [libdefaults] enctype sett
> On 08/17/2016 08:51 AM, Osipov, Michael wrote:
> > The keytab contains three keys for one principal: RC4, AES128, AES256.
> > Our home realm is backed up by 80 to 100 KDCs of various Windows Server
> > versions, not all support AES. KDC lookups rely on DNS only and we
Hi folks,
we are experiencing an issue where we don't know whether this is a bug or missing
feature in MIT Kerberos. I tend to a bug.
We have a headless service which relies on a client keytab to perform some
HTTP calls from within a C application with libcurl. Once in a while these
calls fail due to: "K
> Hi, I would get advice on using ApacheDS kerberos server, which is a java
> implementation of krb5.
> Is that production ready? Has anyone used it in prod? Is it 100% compatible
> with KDC servers. That is, existing KDC clients will continue to work?
> Thanks a lot.
Wrong mailing list, this i
> Hi folks,
>
> are there any plans to support RFC 5178 [1], 5179 [2]?
>
> Those domain-based SPNs are very often used in Active Directory,
> especially for LDAP
> services. I have justed kvno(1) for fake TGS requests for this. It works
> to some extent
> but NT_PRINCIPAL is provided over the wir
Hi folks,
are there any plans to support RFC 5178 [1], 5179 [2]?
Those domain-based SPNs are very often used in Active Directory, especially for
LDAP
services. I have justed kvno(1) for fake TGS requests for this. It works to
some extent
but NT_PRINCIPAL is provided over the wire and not at lea
> On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> > add_entry -password -p osipo...@comapny.net -k 1 -e
> > aes256-cts-hmac-sha1-96 add_entry -password -p osipo...@comapny.net -k
> > 1 -e aes128-cts-hmac-sha1-96 add_entry -password -p
> > osipo...@comap
> On 07/29/2015 07:43 AM, Osipov, Michael wrote:
> > add_entry -password -p osipo...@comapny.net -k 1 -e
> > aes256-cts-hmac-sha1-96 add_entry -password -p osipo...@comapny.net -k
> > 1 -e aes128-cts-hmac-sha1-96 add_entry -password -p
> > osipo...@comap
> Have you enabled AES Encryption for the account in AD?
> http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
Hi Todd,
the flag is not set on my account though the registry key on my machine is set
to 0x7fff. Thoug
Hi,
I have created a client keytab with ktutil:
add_entry -password -p osipo...@comapny.net -k 1 -e aes256-cts-hmac-sha1-96
add_entry -password -p osipo...@comapny.net -k 1 -e aes128-cts-hmac-sha1-96
add_entry -password -p osipo...@comapny.net -k 1 -e arcfour-hmac
then trying to obtain a TGT wit
I have made some further investigations on the issue.
Compiled Perl 5.22.0 myself on one server (with -Dusethreads).
Installed the Perl GSSAPI module. Same thing, crash.
I think something is really wrong how Perl is loading modules,
or the XSLoader itself which loads shared objects for C to Perl
b
Hi Ben,
thanks for the quick response.
>
> On Wed, 24 Jun 2015, Osipov, Michael wrote:
>
> > Hi folks,
> >
> > we are trying to perform some LDAP requests with Perl against Active
> Directory
> > with Kerberos auth by MIT Kerberos.
> > A core file
> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf
> Of Albert C. Baker III
> Sent: Wednesday, June 24, 2015 8:08 PM
> To: kerberos@mit.edu
> Subject: Kerberos Authentication question(s)
> [...]
> Any leads on how to figure this out would be greatly appreciated!
Hi Albert
Hi folks,
we are trying to perform some LDAP requests with Perl against Active Directory
with Kerberos auth by MIT Kerberos.
A core file is dumped and following written to stderr:
$ ./ldap.pl
Assertion failed: __thread_init == NULL, file
../../../../../core/libs/libc/shared_em_32_perf/../core/thr
33 matches