Folks,
my compiler tells me:
> /opt/aCC/bin/aCC -Ae -DHAVE_CONFIG_H -DUSE_AUTOCONF_H -I../../include
> -I../../include -I./../../lib/gssapi/mechglue -I./../../lib/gssapi/krb5
> -I./../../lib/gssapi/generic -I../../lib/gssapi/krb5
> -I../../lib/gssapi/generic -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE
Am 2021-04-09 um 20:24 schrieb Greg Hudson:
> On 4/9/21 11:35 AM, Osipov, Michael (LDA IT PLM) wrote:
>> I am quite sure that this is a race condition where stat() is performed,
>> file does not exist, open() with write is performed, in parallel it is
>> already created and t
Am 2021-04-06 um 19:28 schrieb Greg Hudson:
> On 4/6/21 11:48 AM, Osipov, Michael (LDA IT PLM) wrote:
>> gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor
>> code may provide more information, Minor (11): Failed to store
>> credentials: Inter
Hi,
based on some debugging issues it would be really helpful to see after
[] also the [] in KRB5_TRACE output. As far as I can see it is
printed in krb5int_trace(). Unfortunately, there is no portable (POSIX)
way to retrieve it. Luckily, I have extended some code in
Tomcat Native
Hi,
we do experience some weird concurrency issues with FILE: based
credential caches.
One Python application uses tens (mostly 16 to 24) of concurrent threads
to access resources via py-requests and py-requests-gssapi on top of
Debian 10 with MIT Kerberos 1.17 (GitLab Runner) and FreeBSD
Folks,
please find a patch to fix a simple typo in configure.in:
--- configure.in.orig 2019-05-27 12:59:00 +
+++ configure.in2019-05-27 12:59:06 +
@@ -1110,7 +1110,7 @@
# For Python tests.
AC_CHECK_PROG(PYTHON,python3,python3)
-if text x"$PYTHON" = x; then
+if test
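Review bot: on the `if` line of the `-1110,7 +1110,7` hunk, the commit message should say what the typo caused, not only that it is a typo. Unless a `text` command happens to be on PATH, the shell reports command not found for `if text x"$PYTHON" = x; then` and the branch it guards is never taken. The `+` line is cut off here after `if test`, so the rest of the condition cannot be checked; it should stay identical to the removed line apart from `text` becoming `test`.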
Am 2018-09-26 um 18:43 schrieb Robbie Harwood:
> "Osipov, Michael" writes:
>
>> Am 2018-09-25 um 19:25 schrieb Robbie Harwood:
>>> "Osipov, Michael" writes:
>>>
>>>> Hi folks,
>>>>
>>>> I have recentl
Am 2018-09-25 um 19:25 schrieb Robbie Harwood:
> "Osipov, Michael" writes:
>
>> Hi folks,
>>
>> I have recently compiled MIT Kerberos 1.16.1 on HP-UX and yacc failed with:
>>
>>> "./kadmin/cli/getdate.y", line 180: fatal e
Am 2018-09-25 um 19:23 schrieb Greg Hudson:
> On 09/25/2018 06:46 AM, Osipov, Michael wrote:
>> I have recently compiled MIT Kerberos 1.16.1 on HP-UX and yacc failed
>> with:
>>
>>> "./kadmin/cli/getdate.y", line 180: fatal error: invalid escap
Hi folks,
I have recently compiled MIT Kerberos 1.16.1 on HP-UX and yacc failed with:
> "./kadmin/cli/getdate.y", line 180: fatal error: invalid escape, or illegal
> reserved word: expect
Change introduced in
> Hi All ,
>
> This is my setup .
>
> windows 8.1 64 bit
> windows 2012 R2 server AD and KDC .
> BS2000 with MIT kerberos 1.13.2
>
> I generate keytab for SPN using this command :
>
> ktpass -princ host/@domain name -mapuser user pass> pass -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -
>
> On 03/15/2017 10:56 AM, Osipov, Michael wrote:
> >> * The host-based service referrals mechanism also seems promising, and
> >> you're certainly running a new enough version of Kerberos to
> accommodate
> >> it. I have not personally used it (yet), but it mainta
> On Mar 15, 2017, at 8:15 AM, Osipov, Michael <michael.osi...@siemens.com>
> wrote:
> >
> > Hi folks,
> >
> > we are experiencing a problem with an insufficient Kerberos setup on
> Active Directory
> > side which can be solved on Windows-side with
Hi folks,
we are experiencing a problem with an insufficient Kerberos setup on Active
Directory
side which can be solved on Windows-side with Kerberos Forest Search Order [1].
What Windows basically does is to traverse a list of Kerberos realms to obtain a
service ticket for a specific SPN where
> And not just for the server, on the user side too as a lot of client
> applications do not even check if the reply from the server is genuine
> (completing the context establishment phase for mutual authentication)
> and just accept the 200 OK code as it comes
This is actually the most
; Sent: Wednesday, August 17, 2016 8:20 AM
> To: Osipov, Michael; kerberos@mit.edu
> Subject: Re: Avoiding "KDC has no support for encryption type while
> getting initial credentials" by pinning selected KDC
>
> On 08/17/2016 08:51 AM, Osipov, Michael wrote:
> > Th
Hi Todd,
> Michael,
>
> This does not fix your issue, it's more for clarification of discussion.
>
> The "domain functional level" should be dictating the behavior of the
> aggregate AD environment. You can control the preference for encryption
> type in the krb5.conf's [libdefaults] enctype
> On 08/17/2016 08:51 AM, Osipov, Michael wrote:
> > The keytab contains three keys for one principal: RC4, AES128, AES256.
> > Our home realm is backed up by 80 to 100 KDCs of various Windows Server
> > versions, not all support AES. KDC lookups rely on DNS only and
Hi folks,
we are experiencing an issue where we don't know whether this is a bug or a missing
feature in MIT Kerberos. I tend to a bug.
We have a headless service which relies on a client keytab to perform some
HTTP calls from within a C application with libcurl. Once in a while these
calls fail due to:
> Hi, I would get advice on using ApacheDS kerberos server, which is a java
> implementation of krb5.
> Is that production ready? Anyone has use it in prod? Is it 100% compatible
> with KDC servers. That is, existing KDC clients will continue to work?
> Thanks a lot.
Wrong mailing list, this
> Hi folks,
>
> are there any plans to support RFC 5178 [1], 5179 [2]?
>
> Those domain-based SPNs are very often used in Active Directory,
> especially for LDAP
> services. I have justed kvno(1) for fake TGS requests for this. It works
> to some extent
> but NT_PRINCINAL is provided over the
Hi folks,
are there any plans to support RFC 5178 [1], 5179 [2]?
Those domain-based SPNs are very often used in Active Directory, especially for
LDAP
services. I have justed kvno(1) for fake TGS requests for this. It works to
some extent
but NT_PRINCINAL is provided over the wire and not at
On 07/29/2015 07:43 AM, Osipov, Michael wrote:
add_entry -password -p osipo...@comapny.net -k 1 -e
aes256-cts-hmac-sha1-96 add_entry -password -p osipo...@comapny.net -k
1 -e aes128-cts-hmac-sha1-96 add_entry -password -p
osipo...@comapny.net -k 1 -e arcfour-hmac
[...]
kinit: Invalid
Have you enabled AES Encryption for the account in AD?
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
Hi Todd,
the flag is not set on my account though the registry key on my machine is set
to 0x7fff. Though
Hi,
I have created a client keytab with ktutil:
add_entry -password -p osipo...@comapny.net -k 1 -e aes256-cts-hmac-sha1-96
add_entry -password -p osipo...@comapny.net -k 1 -e aes128-cts-hmac-sha1-96
add_entry -password -p osipo...@comapny.net -k 1 -e arcfour-hmac
then trying to obtain a TGT
I have made some further investigations on the issue.
Compiled Perl 5.22.0 myself on one server (with -Dusethreads).
Installed the Perl GSSAPI module. Same thing, crash.
I think something is really wrong how Perl is loading modules,
or the XSLoader itself which loads shared objects for C to Perl
Hi Ben,
thanks for the quick response.
On Wed, 24 Jun 2015, Osipov, Michael wrote:
Hi folks,
we are trying to perform some LDAP requests with Perl against Active
Directory
with Kerberos auth by MIT Kerberos.
A core file is dumped and following written to stderr:
$ ./ldap.pl
Hi folks,
we are trying to perform some LDAP requests with Perl against Active Directory
with Kerberos auth by MIT Kerberos.
A core file is dumped and following written to stderr:
$ ./ldap.pl
Assertion failed: __thread_init == NULL, file