On 2007-11-21 14:48:25 +0100, Amir Saad <[EMAIL PROTECTED]> said:
> Both machines have host/FQDN principal and I can kinit and login to
> them successfully using Kerberos.
So did you export the host principal to the main keytab file (krb5.keytab)?
--
Sensei
There is no re
nctions on postgresql that fetches the corresponding password for a
> username and can create new user entries on kerberos.
> Is there any way to this?
>
> Many thanks
> Rainer Sigl
You can look at the Kerberos APIs directly, SASL and GSSAPI (which
include a Kerberos interface among ot
about and tell me
> if this will remain the requirements in the future.
>
> Thanks.
> Ryan Schultz
> Fermilab
You should ask your system administrators: they set the policies.
--
Sensei <[EMAIL PROTECTED]'s mail>
Research (n.): a discovery already published by a chines
os for Windows? Have you tried the 2.x series
which is known to work fine (with leash)?
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
> # default_domain = borsen-online.dk
> kpasswd_protocol= SET_CHANGE
> }
>
> [domain_realm]
> .borsen-online.dk = BORSEN-ONLINE.DK
> # borsen-online.dk= BORSEN-ONLINE.DK
Depending on what software you are using, domain_realm c
If you can work and
you're not kicked out, then kinit to a principal, noting what klist
(klist -aef --- if you want).
Then, if you /can/ kinit /and/ work with a local user, post the pam and
kerberos configuration files.
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks
collecting logs.
Make clear what you mean by ``hangs for 30 secs''. Do you mean that it
actually *freezes*? Can you type in the console?
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all possible worlds
getting
> initial credentials
> [EMAIL PROTECTED] log]#
>
> Is there something wrong with using localhost & LOCALHOST as my domain &
> realm?
You need a FQDN and a realm name, kerberos relies on these.
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is
to use that as the default ccache for the user
> I am sure you will see the tickets.
Jeffery, I will investigate this, but it seems that even the TGT isn't
there (using API: cache). I will take a look asap.
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all
ain user with a roaming profile. Still leash doesn't
show any ticket, but only the AFS token. Note that I'm not running
kaserver, but a pure MIT KDC.
Am I missing something really obvious?
Thanks to anyone!
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all
ser/j/a/jaltman/Public/KFW/kfw-3.1-alpha/
>
> along with a matching NetIDMgr AFS plugin. Feel free to evaluate
> the code to ensure it works in your environment but please do not
> distribute it to end users.
Thanks Jeffrey. I will test the new 3.1 alpha, and 2.6 as you suggested
for `
.
Why don't you just ask the net admins?
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
Kerberos mailing list Kerberos
t.example.com""
Is this *really* the command line? If so, you might take care of quoting:
# ssh krb 'kadmin ..."ktadd ..."'
Read more about the *SH usage and quotes.
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all possible worlds
hout having to erase and restore. Thank you.
Something screwed your hd probably. Did you try the Disk Utility on a
working mac while the other is connected in firewire mode? Did you try
to look at the logs on the working drive (in /Applications/Utilities)?
Anyway, try those things.
--
Sen
aptures it appear to do an IPv6 lookup and then
> gives up. If it had tried a standard lookup it would have found the name.
What version of OSX? How did you enable kerberos? Can you kinit on the mac?
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this
min start', kpasswd will trigger the error
> 'insufficient access to database'. If I start kerberos using 'kadmin'
> directly, kpasswd will succeed. [...]
You solved the problem.
Sorry, if I had noticed SElinux you'd solved the problem really soon.
Anyway good for
*/admin *
Should do the work.
Can you check the file owner/group and permissions for all the kerberos
files? DB, directories and stuff... UID of the daemons... any other
information since I read your post on starting kadmind dire
"kpasswd: Connection timed out changing password"
>
> In any case, if a user cannot execute kpasswd, it's almost impractical
> to use kerberos.
>
> I tend to believe that something is wrong with my kerberos setup. It's
> strange because I followed the introductio
e to put your
new realms. Anyway, take a look at the documentation, you may need it.
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
here is that an ntpdate at
boot solution is not good, since it can produce large time drifts if
you don't reboot the clients often. A cron job was my solution.
Just my 2 cents... I hope it will help!
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all possible worlds.
The pessimist fears it is true. [J. Robert Oppenheimer]
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
nce?
> I am not quite sure whether this is a PAM or a pam_krb5 issue. Does
> anyone have any suggestions or ideas how to solve this?
Post more information, pam settings, krb5.conf on both sides, ...
--
Sensei <[EMAIL PROTECTED]>
The optimist thinks this is the best of all pos
ou need
other kerberized services.
If you need help, the samba mailing list is a good place to start. The
mails you'll receive are quite a lot, so take care.
--
Sensei <[EMAIL PROTECTED]>
Part of the inhumanity of the computer is that, once it is competently
programmed and workin
ackup the kerberos database?
--
Sensei <[EMAIL PROTECTED]>
Part of the inhumanity of the computer is that, once it is competently
programmed and working smoothly, it is completely honest. (Isaac Asimov)
e password is in LDAP, you have NO credentials
upon login. SASL/GSSAPI are meant to be used against kerberos granting
access to some resources like ldap entries, not to obtain a ticket...
--
Sensei <[EMAIL PROTECTED]>
Part of the inhumanity of the computer is that, once it is compete
L PROTECTED]
service/[EMAIL PROTECTED] (like ldap/ldap.mydomain.com/MYDOMAIN.COM).
You said SSO works right?
--
Sensei <[EMAIL PROTECTED]>
Part of the inhumanity of the computer is that, once it is competently
programmed and working smoothly, it is completely honest. (Isaac Asimo
On 2005-08-05 05:44:09 +0200, [EMAIL PROTECTED] (Daniel Savard) said:
> 2005/8/4, Sensei <[EMAIL PROTECTED]>:
>> On 2005-07-31 19:28:10 +0200, [EMAIL PROTECTED] (Daniel Savard) said:
>>
> (...)
>>
>>
>> If I remember right, those databases should be c
On 2005-07-31 19:28:10 +0200, [EMAIL PROTECTED] (Daniel Savard) said:
> I think I sent it directly to sensei instead to the list. I apologize.
>
> Also, I am running mit-kerberos version 1.4.1. I think previous
> version was 1.3.6. I just read I was supposed to backup my datab
se name to
> /etc/krb5kdc/principal for realm CIDS.CA
>
>
> I am running a Gentoo/Linux distro on this server.
>
> Any hints?
>
Yes, post more info!
Logs, kdc configuration, all you can find. What is
/etc/krb5kdc/principal? Is the principal databa
de. Thank you in advance and I look
> forward to hearing from you.
>
Where are the home directories? How can you make a user home without
AFS, NFS or other means AND without using local directories?
--
Sensei <[EMAIL PROTECTED]>
cd /pub
more beer
__
help me? Documents on
AIX are not so easy to find.
--
Sensei <mailto:[EMAIL PROTECTED]>
Hi.
I'm beginning to experiment suse linux on the client side. Differently
from all other clients we have, suse uses Heimdal kerberos and
pam_krb5afs.so --- We have MIT KDCs and a full experience with mit and
aklog. Can anyone point me possible problems with this interaction?
Thx!
--
S
saying that you succeeded in making windows use an external kdc
to authenticate, storing windows profiles on the user's volume? All these
things without creating a local profile for each user (principal) and
without using AD in X-realm? If so, how did you get that? Samba in some
weird mode? L
ature without any
additional sw, but I won't use it...
Second, no, samba is a NT domain, while XP defaults to AD, so LDAP plus
kerberos.
There are some documents on MS's site.
--
Sensei <mailto:[EMAIL PROTECTED]>
The optimist says "Tomorrow is sunday".
The pes
generation complete.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 284
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
--
Sensei <
beros and afs... and
that's _sure_. The last post is about something really strange on debian
stable: it always worked and now I don't see why it shows the strange
message about the kerberos library... I didn't change anything. Anyway,
it's just the slave kdc, not the ma
Sensei wrote:
>
> *NO* other output than that. What is it?
>
It happens also when running alone
# krb5kdc
or
# krb524d
What's the problem??? Please, I find it REALLY strange! It worked since
two/three weeks ago!
--
Sensei <mailto:[EMAIL PROTECTED]>
The optimist says
ng Kerberos KDC: krb5kdc: cannot initialize realm DIA.UNIROMA3.IT
krb5kdckrb524d: Invalid argument initializing kadm5 library
krb524d.
plm:~#
*NO* other output than that. What is it?
--
Sensei <mailto:[EMAIL PROTECTED]>
The optimist says "Tomorrow is sunday".
The pessimist says "
quite
bored of seeing openssh treated as a dumb guy since version 3.4 --- it
was perfect and it worked. It's a shame it does not work except for
debian stable.
Can you tell me how?
--
Sensei <mailto:[EMAIL PROTECTED]>
The optimist says "Tomorrow is sunday".
The pess
.
I don't have an idea. I waited till ssh 3.9, but nothing.
Has anyone *EVER* succeeded in using passwordless ssh with kerberos and afs?
--
Sensei <mailto:[EMAIL PROTECTED]>
The optimist says "Tomorrow is sunday".
The pessimist says "The day after to
rberosTicketCleanup yes
KerberosTgtPassing yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIUseSessionCredCache yes
=== ssh 3.4p1 ssh_config excerpt:
KerberosAuthentication yes
KerberosTGTPassing yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
--
Sensei<
bian,
but I need to create some ebuilds for gentoo...
Is there someone who knows how to build it?
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
Ryan M Bergmann wrote:
> Are there any alternatives to Eudora for reading email?
You can try the GSSAPI layer.
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
> sort of configuration for my kdc that will allow this to work?
I don't think so.
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
thout entering again principal and pwd) the tickets?
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
cate and work. Login can work fine, even without
the home directory, which can reside on the other server. How can I do
this?
Do not bother about afs. I'm dealing now with all the kerberos issues.
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard
d leave the way without
asking any password.
Is it possible?
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
t /lib/security/pam_unix.so use_first_pass likeauth nullok
--
Sensei<mailto:[EMAIL PROTECTED]>
A)bort, R)etry, I)nfluence with large hammer.
is about the MINIMAL requirements for
making all this stuff work.
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
Hi.
I'd like to have a krb5 admin to login from a console, using just the
principal name without /admin.
In other words, I'd like the principal ``admin'' to login as admin but
gaining tickets like he was the admin/admin principal.
How can I do that?
--
Sensei<
pplications and authentication without the host principals?
And would you do that?
--
Sensei<mailto:[EMAIL PROTECTED]>
Error: Keyboard not found. Press F1 to continue...
ate users on the AD if I'm right.
Any useful link? AFS is mandatory...
--
Sensei<mailto:[EMAIL PROTECTED]>
A)bort, R)etry, I)nfluence with large hammer.
Brian Davidson wrote:
> As Jeffrey said,
> MIT + standalone windows works if you map Kerb principal to user on the
> Windows box.
This means adding users on the windows clients... just the thing I want
to avoid :)
> MIT + AD also works, if you set up cross-realm auth (AD trusts MIT, MIT
> does
nd ad can
be really mad... Moreover, I didn't find anything about afs home
directories, and all the users should mount their afs homes...
Any hint?
--
Sensei<mailto:[EMAIL PROTECTED]>
A)bort, R)etry, I)nfluence w
e
someone at the ibm can help me...
--
Sensei
f u cn rd ths u r usng unx
with the same time server.
Second, all the principals are correctly set. Third, we exported the
needed keytabs. Last, we controlled the aix fixpacks and we have the
latest fixes...
Please help me, I can't figure out what happens here... and we need a
workin
.. handful?
--
Sensei<mailto:[EMAIL PROTECTED]>
A)bort, R)etry, I)nfluence with large hammer.
e to login *only* from a particular lab,
using the central kerberos auth, and should *not* be able to do so from
an ip belonging to another lab. Note that we have all static ips and names.
Any hint?
--
Sensei
f u cn rd ths u r usng unx
Can you help me? Can you point me to a simple document on this issues?
--
Sensei
f u cn rd ths u r usng unx
eros
Give me some hints... I cannot find anything in the aix redbooks, on
google, and even in the ibm support.
It seems anyone uses ldap authentication to get a kerberos ticket, but I
want kerberos authentication as the main method.
--
Sensei
f u cn rd ths u
On Wed, 21 Jan 2004 15:50:26 +, Sam Hartman wrote:
> Would you mind giving us pointers to where you got your Kerberos for
> AIX and where you found the manual?
There are some ibm redbooks and of course, the aix bonus/expansion packs
(aix 5.2).
--
Sensei
f u cn rd ths u r us
.
On login, the AIX system says "KRB5" cannot be loaded and it falls back
on the standard AIX login.
Why? KRB5 is r/x for all, and using kinit I can get the ticket... I
really don't know why... Someone can help me?
--
Sensei <mailto:senseiwa:tin.it>
But still I fear, and sti
61 matches