Re: Problem with kerberos and ssh.

2006-02-27 Thread Eric
s_union_name_t, and just used krb5_principal as a return parameter from gss_accept_sec_context(). Anyways, I hacked the thing and got it working which is good enough for me now - I will post this information over at the openssh mailing list to see what they think. Eric wrote: > > I am trying to get kerbero

Re: Problem with kerberos and ssh.

2006-02-28 Thread Eric
t; source package is one that I found on Suse's website. I found the source RPM and unpacked so that I could build a debug version of the thing and properly step in. The Suse 10 box actually uses somewhat older binaries: babel-vm-suse2:/home/eric/bin # rpm -qi libgssapi-

Re: Problem with kerberos and ssh.

2006-02-28 Thread Eric
Jeffrey Altman wrote: > > What is gss_union_name_t defined as? This is not a GSS type. > > gss_accept_sec_context() exports a gss_name_t object and > gss_export_name() takes a gss_name_t as input. gss_name_t when produced > by a krb5 gss mechanism will be a krb5_principal. However, gss_name_t

Re: Problem with kerberos and ssh.

2006-02-28 Thread Eric
Jeffrey Altman wrote: > Perhaps your ssh was built with one libgss and is linking to another. > > Jeffrey Altman I would have asked what other libgss could there possibly be. But then someone on the openssh mailing list pointed out that I should just bypass the libgssapi-0.7 stuff enti

trouble deciding which kerberos flavor

2010-10-21 Thread eric
clients I thank you for your comments and suggestions they are most welcome, ~eric Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Where can I get kerberized rsh for Win2K?

2001-11-29 Thread Eric Goldsmith
Any help is appreciated. Please reply to me directly.

Kerberos and Coldfusion

2005-06-02 Thread Puidokas, Eric
e any help on how to do this? Macromedia's website has offered little help. Eric Puidokas Web Programmer Eli Broad College of Business [EMAIL PROTECTED]

Re: Error in building Kerberos on Slackware 10.1

2005-06-12 Thread Eric Hameleers
: Leaving directory `/usr/local/src/krb5-1.4.1/src/lib' > make: *** [all-recurse] Error 1 > > > Two questions : > > 1. Is my attempt to build everything in src/ (instead of just > src/clients) > an overkill ? > > 2. What is going wrong above ? > > Thanks. My guess would be that by including "--with-system-db" to the configure command, your make process is using an incompatible libdb (the Berkeley DB that is found on your system). MIT Kerberos comes with its own libdb, why don't you just use that? Cheers, Eric

context negotiation performance problem

2005-11-02 Thread Eric Mei
ect performance? Our server might experience 1000s of context negotiation requests at the same time, so the above performance problem looks serious to us. Thanks a lot for any help! Eric

Re: context negotiation performance problem

2005-11-02 Thread Eric Mei
ses would probably deal better with the fsync calls. Thanks a lot Ken. 1.4.2 indeed supports KRB5RCACHETYPE=none. I enable it and rewrite the test as multi-processes. Now the server could handle at least 600/s now. Thanks again! Eric

Re: Bug in Kerberos support for openssh.

2006-02-28 Thread Eric Youngdale
[EMAIL PROTECTED] wrote: > GSSAPI is an IETF standard. If your GSSAPI library doesn't allow > gss_export_name to be called with the client name returned by > gss_accept_sec_context then it is broken. The type of the client name > is, as others have noted on the Kerberos mailing list, opaque. A

Detecting Kerberos?

2006-06-25 Thread Eric Berg
Good day, Is it possible to detect whether Kerberos is present on a network? If so, how? Thank you, Eric Berg Phase Forward Systems Engineer Ph 781-902-4762 Fx 781-890-4848 "Vikings? What vikings? We are but poor, simple farmers. The village was burning when we got

Question

2006-11-06 Thread Decker, Eric
When attempting to join an Active Directory I get the following error: I cannot find any information on what this is. Nov 6 15:17:58 usra1itest01 net[22944]: [ID 702911 user.error] ads_connect: Illegal byte sequence Eric Decker Server/Network/Voice tyco /ELECTRONICS 8000 Purfoy

R: Multiple AD domains and MIT Kerberos

2007-03-02 Thread Eric Schwarz
share a contiguous name space. As soon as we place the target SPN on a sub-domain account only users from that domain can authenticate... all other domains cannot. Any help would be appreciated. Thanks! Eric Schwarz MCSE, MCT, Security+ Server/ Active Directory- Team Lead Windows Security

RE: R: Multiple AD domains and MIT Kerberos

2007-03-03 Thread Eric Schwarz
.EXAMPLE.COM AD domain? Is this correct? - I cannot express enough gratitude for the assistance! Eric Schwarz MCSE, MCT, Security+ Server/ Active Directory- Team Lead Windows Security Services C01910 Systems Technology phone- (309) 763-2873 mobile

RE: R: Multiple AD domains and MIT Kerberos

2007-03-03 Thread Eric Schwarz
:) Eric Schwarz MCSE, MCT, Security+ Server/ Active Directory- Team Lead Windows Security Services C01910 Systems Technology phone- (309) 763-2873 mobile- (309) 319-3238 email-[EMAIL PROTECTED] hpsd-SERVER-WINSECURITY (WG2716) WinSecurity Change Management (WG2811

RE: R: Multiple AD domains and MIT Kerberos

2007-03-07 Thread Eric Schwarz
Thanks so much for the assistance. We got it to work with no CAPATH... The administrators of the IBM WebSEAL device that is leveraging the keytab file did not have the correct configuration. Your assistance was key to making this happen and I greatly appreciate your help! Eric Schwarz MCSE

Re: Kerberos GSS-API library for UNIX (running SAP)

2007-06-19 Thread Eric Labiner
odule source. For a solid and supported solution, you should check the SAP certified vendor list for licensed SNC providers: http://www.sap.com/partners/directories/SearchSolution.epx "Secure Network Communications" Eric Labiner SAP NetWeaver solution architect On 6/15/07, Gokul, Polasani &l

Domain length question

2007-08-01 Thread Eric Browning
ime I attempted to add it as a replica to my Mac Open Directory setup. Since then I have shortened it to less than 32 and it joined without incident. Thanks for any insight into this issue. -- Eric Browning Systems Administrator 801-984-7623 Skaggs Catholic Center Juan Diego Catholic High School St.

RE: Kerberos Ldap Integration

2008-06-10 Thread Eric Hill
B will not accept inbound sessions without a Kerberos ticket, and it is impossible for a root user on system A to gain a TGT for the user without knowing the users' credentials. Eric > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

ASN Encoding of KRB-AS-REQ and REP

2003-04-04 Thread Naud, Eric
KerbNet I see two frames, presumably the AS-REQ and REP. The first octet is 6A and 6B. These constants don't seem to be defined in the RFC, can anyone tell me what these identifier octets are? Eric -Original Message- From: Roberto Hiribarne Guedes [mailto:[EMAIL PROTECTED] Sent: Februa

Maximum AP and AS message sizes

2003-07-21 Thread Naud, Eric
Hi All, Can anyone tell me what the AP and AS message size maximums would be and what factors are to be considered? I'm using PKINIT so I know my AS request will be rather large due to the certificate. Thanks! Eric Naud Software Development Engineer, Ottawa Design Center Imedia Semicond

RE: Maximum AP and AS message sizes

2003-07-21 Thread Naud, Eric
Hi Tim, Thanks for the quick response, but concerning the sizes are we talking 500 bytes, 1k, 2k? Statically allocating 4k on an embedded system is a little heavy so I'd like to get a ballpark idea for the upper boundaries on the reply messages. What are the largest numbers you've see

RE: Maximum AP and AS message sizes

2003-07-21 Thread Naud, Eric
Hi Tim, This is for Cablehome, it borrows much from the packetCable spec. What are the sizes you've seen for this context? As for the UDP upper limit ;) I don't think it would be wise to grab that much memory on this embedded device. Eric Naud Software Development Engineer, Ottawa Des

OpenSSH, GSSAPI and delegating credentials

2004-05-11 Thread Eric Knauel
ue: publickey,gssapi-with-mic,password,keyboard-interactive | debug1: Next authentication method: gssapi-with-mic | debug1: Delegating credentials | debug1: Delegating credentials | debug1: Authentication succeeded (gssapi-with-mic). | debug1: channel 0: new [client-session] | debug1: Entering interactive sess

Re: OpenSSH, GSSAPI and delegating credentials

2004-05-11 Thread Eric Knauel
On Tue 11 May 2004 12:49, Vladimir Terziev <[EMAIL PROTECTED]> writes: > Do you use the same version of OpenSSH on both OS X and FreeBSD > machines ? It's Kerberos V on both machines. Heimdal 0.6 on FreeBSD and MIT Kerberos for Macintosh 5.0 on the other side. -Eric --

Re: OpenSSH, GSSAPI and delegating credentials

2004-05-11 Thread Eric Knauel
Macintosh 5.0 on the other side. > > :) Read my question again, please! Oops, sorry! Yes, except for the OpenSSL it is the same OpenSSH version on both systems: "OpenSSH_3.8.1p1, OpenSSL 0.9.7c 30 Sep 2003" on FreeBSD "OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003" o

Re: OpenSSH, GSSAPI and delegating credentials

2004-05-11 Thread Eric Knauel
3:45:10 krbtgt/[EMAIL PROTECTED] | renew until 05/17/04 07:51:10, FPRIT | 05/11/04 14:31:01 05/11/04 23:45:10 host/[EMAIL PROTECTED] | renew until 05/17/04 07:51:10, FPRT | 05/11/04 14:37:48 05/11/04 23:45:10 host/[EMAIL PROTECTED] | renew until 05/17/04 07:51:10, FPRT `

TGT forwarding + renewal bug?

2004-08-13 Thread Eric Andresen
marked as optional. Does this mean that if starttime was kept from the initial TGT that the renewals would work as I expect, or do renewals use 'endtime-authtime'? Thanks, Eric Andresen Systems Administrator Mars Space Flight Facility Arizona State University [EMAIL PRO

MIT Kerberos TGT forwarding + renewal bug?

2004-08-16 Thread Eric Andresen
marked as optional. Does this mean that if starttime was kept from the initial TGT that the renewals would work as I expect, or do renewals use 'endtime-authtime'? Thanks, -- Eric Andresen Systems Administrator Mars Space Flight Facility Arizona State University [EMAIL P

Re: MIT Kerberos TGT forwarding + renewal bug?

2004-08-16 Thread Eric Andresen
The renewal times on the tickets in question are in excess of a week. On Mon, 2004-08-16 at 13:35, Sam Hartman wrote: > Your problem description seems problematic because it does not include > the renewable time of the tickets involved. Without that information > I cannot evaluate whether the sof

Re: MIT Kerberos TGT forwarding + renewal bug?

2004-08-16 Thread Eric Andresen
Yes, the forwarded ticket shows the same renewal time as the initial did. On Mon, 2004-08-16 at 14:05, Sam Hartman wrote: > >>>>> "Eric" == Eric Andresen <[EMAIL PROTECTED]> writes: > > Eric> The renewal times on the tickets in question are in exces

Re: Renewable Tickets

2004-10-25 Thread Eric Andresen
glanced at. > > I did. I stripped krb5.conf down and tried again... same thing. Try adding this small patch to your krb5 distribution -- it enables kinit to look up default values for lifetime, renew lifetime, and forwardable from the kinit and libdefaults sections. -- Eric Andresen

Re: Renewable Tickets

2004-10-25 Thread Eric Andresen
On Mon, 2004-10-25 at 13:35, Phil Dibowitz wrote: > On Mon, Oct 25, 2004 at 01:28:32PM -0700, Eric Andresen wrote: > > > > Try adding this small patch to your krb5 distribution -- it enables > > kinit to look up default values for lifetime, renew lifetime, and > > for

Maximum ticket lifetimes?

2004-11-19 Thread Eric Jonas
the importance of changing the maximum life on the above tickets as well as the kdc, which I've done. Is there something obvious I'm missing, or someplace I should look for more data? Also, is there someplace I can set the "24h" to be the maximum lifetime for all tickets created in

RE: Kerberize MS Exchange?

2008-09-04 Thread Eric Hill
s a named pipe connection to the server, and a thread running ImpersonateNamedPipeClient on the server-side to handle requests on behalf of the user. Microsoft may or may not use Kerberos to authenticate the pipe. Eric

Problem with kerberos - kvno getting bumped..

2010-10-20 Thread Eric Youngdale
For that matter, I could probably shut down the Linux box for a few weeks to see whether the KVNO bumps happen without the machine being up or not. Does anyone have anything else to suggest for what I should be looking for? -Eric

Kerberos5 + SSH Questions

2011-01-03 Thread Lee Eric
ssary configuration I use. Can anyone point out any parts where I go wrong? Thanks very much. Regards, Eric

Re: Kerberos5 + SSH Questions

2011-01-03 Thread Lee Eric
LANGUAGE AcceptEnv XMODIFIERS X11Forwarding yes Subsystem sftp/usr/libexec/openssh/sftp-server ==Client klist output== [eric...@client1 ~]$ kinit -f Password for eric...@herdingcat.internal: [eric...@client1 ~]$ klist Ticket cache: FILE:/tmp/krb5cc_501 Default principal: eric

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Lee Eric
Thanks mate. Is there anything wrong with my configuration file? And furthermore, how do you create your keytab? Eric On Tue, Jan 4, 2011 at 5:28 PM, Brian Candler wrote: > On Mon, Jan 03, 2011 at 02:31:55PM -0800, Russ Allbery wrote: >> > Any idea about the Debian-derivatives?

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Lee Eric
Hi mate, I have pasted the configuration file already. Here's the link: http://mailman.mit.edu/pipermail/kerberos/2011-January/016849.html. Thanks. Eric On Tue, Jan 4, 2011 at 6:01 PM, Brian Candler wrote: > On Tue, Jan 04, 2011 at 05:43:22PM +0800, Lee Eric wrote: >> Thanks

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Lee Eric
ab: -r. 1 root root 526 Jan 3 00:58 /etc/krb5.keytab What I suppose that is is there any sshd_config entry I need to setup to indicate the path of keytab? Thanks. Eric On Tue, Jan 4, 2011 at 6:23 PM, Brian Candler wrote: > On Tue, Jan 04, 2011 at 06:05:46PM +0800, Lee Eric wrote: >

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Lee Eric
/ns.herdingcat.inter...@herdingcat.internal (DES with HMAC/sha1) 62 host/ns.herdingcat.inter...@herdingcat.internal (DES cbc mode with RSA-MD5) ktutil: [r...@herdingcat ericlee]# Yes, it was copy-pasted. So is there anything wrong? Eric On Tue, Jan 4, 2011 at 7:16 PM, Brian Candler wrote: > On Tue, Jan

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Lee Eric
So how do I know what client/server gets the idea of the server host name? It looks like reverse map works well and they can get the same IP/Address. Eric On Tue, Jan 4, 2011 at 7:24 PM, Simon Wilkinson wrote: > > On 4 Jan 2011, at 10:57, Lee Eric wrote: > >> debug1: Unspecif

Re: Kerberos5 + SSH Questions

2011-01-04 Thread Lee Eric
Thanks, Brian. It looks like it was a host name problem. And I have corrected that. It works well. Regards, Eric On Tue, Jan 4, 2011 at 8:17 PM, Brian Candler wrote: > On Tue, Jan 04, 2011 at 07:31:37PM +0800, Lee Eric wrote: >> So how do I know what client/server gets the idea of t

Help: ksu questions

2011-01-07 Thread Lee Eric
Hi all, Is there any special advantage to use ksu? And what kind of situation/environment is good to use ksu? I think if yes I need a good reason to replace the traditional su command. Thanks very much. Eric

Re: Help: ksu questions

2011-01-07 Thread Lee Eric
Thanks Russ. So it looks like I don't need to leak my root password to client users, right? Eric On Sat, Jan 8, 2011 at 1:52 AM, Russ Allbery wrote: > Lee Eric writes: > >> Is there any special advantage to use ksu? > > The main reason why we use ksu instead of su is b

Re: Help: ksu questions

2011-01-07 Thread Lee Eric
Thanks Russ, that's very clear. BTW, I think client users shall use ksu under local machine, not remote machines. Because I notice that ksu will prompt me that it's unsafe if I type Kerberos password under insecure connection. Eric On Sat, Jan 8, 2011 at 12:36 PM, Russ Allbery wrote:

Re: Help: ksu questions

2011-01-08 Thread Lee Eric
Thanks Russ. It's very clear. Regards, Eric On Sat, Jan 8, 2011 at 2:11 PM, Russ Allbery wrote: > Lee Eric writes: > >> Thanks Russ, that's very clear. BTW, I think client users shall use >> ksu under local machine, not remote machines. Because I notice that >

Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

2011-03-05 Thread Lee Eric
Hi, I'm just thinking why SSL must be enabled when using mod_auth_kerb in httpd. Because password will be transferred in encryption by Kerberos. So is SSL used to protect the tickets or anything else? Thanks. Eric

Re: Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

2011-03-05 Thread Lee Eric
Thanks mate. So it looks like there's no obvious reason to use SSL when using Kerberos. But I saw the sample configuration of mod_auth_kerb module that indicates "SSLRequireSSL" should be set up by using this module. So I want to know what part SSL protects indeed. Thanks very much

Re: Help: Why SSL must be enabled when using mod_auth_kerb in httpd?

2011-03-06 Thread Lee Eric
Thanks mate. But I am still a little confused. What kind of Negotiate information will be transferred in the HTTP header? I thought the replay shall be encrypted also. Thanks. Eric On Sun, Mar 6, 2011 at 1:39 AM, Glenn Machin wrote: > You might want to take a look at whether replay is a fac

Help: Login and Kerberos

2011-06-04 Thread Lee Eric
use when user login? Thanks very much. Regards, Eric

Re: Help: Login and Kerberos

2011-06-05 Thread Lee Eric
ault=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so So could you tell me how do I modify that file? Thanks very much. Eric On Sun, Jun 5, 2011 at 2:31 AM, Russ Allbery wrote: > Lee Eric writes: > >> Hi all, > >> I have set up a Kerbe

Help: OpenSSH cannot login by Kerberos

2011-06-10 Thread Lee Eric
debug1: Next authentication method: password huli@submit's password: Then the server still asks me to provide the password. As I suppose I shall login the server without password. Could anyone help me to figure it out? Thanks very much. Eric

Re: Help: OpenSSH cannot login by Kerberos

2011-06-10 Thread Lee Eric
Sorry, it was caused by the client lacking a keytab file. Eric

Help: Can OpenSSH get OpenAFS token after the client login?

2011-06-11 Thread Lee Eric
: Permission denied -bash: /afs/herdingcat.internal/home/huli/.bash_profile: Permission denied -bash-4.1$ Thanks very much. Eric

Re: Help: Can OpenSSH get OpenAFS token after the client login?

2011-06-11 Thread Lee Eric
Thanks mate. Here's the /etc/pam.d/sshd file contents, could you tell me which part I can add pam_afs_session module? Thanks very much. Eric On Sat, Jun 11, 2011 at 9:05 PM, Jason Edgecombe wrote: > On 06/11/2011 08:31 AM, Lee Eric wrote: >> >> Hi, >> >> The sys

Re: Help: Can OpenSSH get OpenAFS token after the client login?

2011-06-11 Thread Lee Eric
password-auth Eric On Sat, Jun 11, 2011 at 9:35 PM, Lee Eric wrote: > Thanks mate. Here's the /etc/pam.d/sshd file contents, could you tell > me which part I can add pam_afs_session module? > > Thanks very much. > > Eric > > On Sat, Jun 11, 2011 at 9:05 PM, Ja

Re: [OpenAFS] Re: Help: Can OpenSSH get OpenAFS token after the client login?

2011-06-11 Thread Lee Eric
Thanks all mates. It's fixed now. Eric On Sat, Jun 11, 2011 at 10:20 PM, Booker Bense wrote: > > For various reasons[1] I've found that the pam solution doesn't cover all > bases and I've resorted to putting aklog in > > /etc/ssh/sshrc > > If you have

Re: Help: OpenSSH cannot login by Kerberos

2011-06-11 Thread Lee Eric
Thanks mate. And btw, I use pam_afs_session in OpenSSH pam configuration, so do I have to comment out UsePAM? Eric On Sun, Jun 12, 2011 at 1:09 AM, Brian Candler wrote: > On Sat, Jun 11, 2011 at 02:18:57PM +0800, Lee Eric wrote: >> # Kerberos options >> KerberosAuthenticatio

Re: Help: OpenSSH cannot login by Kerberos

2011-06-12 Thread Lee Eric
Thanks very much, mate. Eric On Sun, Jun 12, 2011 at 3:17 PM, Brian Candler wrote: > On Sun, Jun 12, 2011 at 10:55:04AM +0800, Lee Eric wrote: >> Thanks mate. And btw, I use pam_afs_session in OpenSSH pam >> configuration, so do I have to comment out UsePAM? > > Ah right, s

Help: Decrypt integrity check failed error in Apache

2011-08-11 Thread Lee Eric
eros Login" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthRealms HERDINGCAT.INTERNAL Krb5KeyTab /etc/krb5.keytab require valid-user Can anyone show me how to fix that? Thanks. Eric Lee

Help: Samba and Kerberos integration

2011-10-13 Thread Lee Eric
be stored by LDAP. Thanks. Eric

Re: Help: Samba and Kerberos integration

2011-10-15 Thread Lee Eric
Thanks mate. So could users under Linux to use Kerberos to log in the Samba server? Any docs here? Eric On Fri, Oct 14, 2011 at 3:18 AM, Mantas M. wrote: > On 13/10/11 17:59, Lee Eric wrote: >> Hi, >> >> Can Samba use Kerberos for authentication directly? I read a

Help: User login problems in NFS4 + Kerberos integration

2011-10-16 Thread Lee Eric
{1}) 192.168.122.17: ISSUE: authtime 1318744910, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL I'm very curious why the system is going to try afs there. I have defined the home dirs in NFS shares. Could anyone help me to figure i

Re: Help: User login problems in NFS4 + Kerberos integration

2011-10-16 Thread Lee Eric
TERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL Why it will try to get OpenAFS stuff? That really makes me confused. Thanks. Eric On Sun, Oct 16, 2011 at 7:48 PM, Mehta, Rohit wrote: > Hi eric have you configured auto.home for -t nfs4? > > Lee Eric wrote: > > > Hi al

Re: Help: User login problems in NFS4 + Kerberos integration

2011-10-17 Thread Lee Eric
optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so Obviously I'm using NFS/AFS mixed environment the

Re: Help: User login problems in NFS4 + Kerberos integration

2011-10-17 Thread Lee Eric
emd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so Eric On Tue, Oct 18, 2011 at 11:41 AM, Russ Allbery wrote: > Lee Eric writes: > >> Thanks mate. I use pam_afs_se

Help: Clear Kerberos Logins Information

2013-03-05 Thread Lee Eric
and Chrome can do this to clean active logins. Just don't know how to do that. Here's my Kerberos configs in httpd. AuthType Kerberos AuthName "Kerberos Login" require valid-user KrbMethodNegotiate On KrbAuthRealms GARFIELD.INTERNAL Krb5Keytab "/etc

Help: Cannot contact any KDC for requested realm

2013-06-24 Thread Lee Eric
ain. I checked the log in ssl_error_log I found following details. [Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6] krb5_get_init_creds_password() failed: Cannot contact any KDC for requested realm But user can get his principal in the server by kinit w/o any issue.

Re: Help: Cannot contact any KDC for requested realm

2013-06-24 Thread Lee Eric
Hi, The user did not run kinit because when user access the website it will prompt user to input kerberos username/password. In the web server, kinit works well. Do you have any idea? Thanks. On Tue, Jun 25, 2013 at 2:29 AM, Benjamin Kaduk wrote: > On Mon, 24 Jun 2013, Lee Eric wrote: >

Kerberized NFS on Mac OS X 10.8 (Heimdal)

2013-07-08 Thread Eric Buller
This has been posted to an Apple forum with no response. https://discussions.apple.com/message/22340802#22340802 I am working on having our Mountain Lion clients use Kerberos security to access data on a NetApp filer. The Kerberos realm is Active Directory at Server 2003 functional level. Th

Merge Databases, can't dump -mkey_convert principal

2018-10-01 Thread Eric Hattemer
ere's a solution to the principal that works for the user but can't be dumped with a new key. -- -- Eric Hattemer Engineer Identity and Access Management

Avoiding Pre-Auth/Auth Principal State Disclosure

2020-06-30 Thread Eric Hattemer
the user typed in the correct password. But the only case we could make work was if the account was expired (different from pw_expired). -- Eric Hattemer Engineer Identity and Access Management

location of crypto

2002-06-14 Thread Eric Lee Steadle
The install guide for Kerberos Release 1.2 (Documentation version 1.1) makes reference to krb5-1.2.crypto.tar.gz. I didn't get this in my tar when I downloaded it from MIT. So is the doc wrong, or is the tar wrong? ERX

RE: Books on kerberos

2002-09-20 Thread Eric Lee Steadle
Well, I read the same 150 piece of garbage you're probably referring to and I know what you mean.    The book that I learned the most about Kerberos from was "Windows 2000 Security" by Roberta Bragg (New Riders Publishing). While this book is Windows oriented, it does a very good job of exp

RE: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Eric Lee Steadle
>- s n i p - >rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0 >Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 >-133 -128 3 1 24 -135}) (88): >NEEDED_PREAUTH: turbo@ for >krbtgt/@, Additional pre-authentication required Well, my interpretation of this is that the Win

RE: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Eric Lee Steadle
How about the encryption types? Windows only supports 2 types of encryption. I didn't mention it before because I think one of them is the default for MIT Kerberos. Let's see... DES-CBC-CRC and DES-CBC-MD5 according to the "step by step" guide. Can you try removing all other encryption types from