Thursday, May 23, 2002 9:29 AM
> To: [EMAIL PROTECTED]
> Subject: Re: FQDN needed by sasl_gss_client_step or gss_import_name?
>
>
> I agree with what you have said here. There is a need for
> higher degree of
> integration between KDC and DNS. So, how can one implement
> thi
> "peter" == peter huang <[EMAIL PROTECTED]> writes:
peter> I agree with what you have said here. There is a need for
peter> higher degree of integration between KDC and DNS. So, how
peter> can one implement this using the MIT/Heimdal Kerberos with
peter> BIND DNS?
We're
I agree with what you have said here. There is a need for higher degree of
integration between KDC and DNS. So, how can one implement this using the
MIT/Heimdal Kerberos with BIND DNS? It is still not clear to me what
needs to be changed except secure query to DNS server, e.g. are you imply
ealms.
Nico
--
> -Original Message-
> From: Steve Langasek [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 20, 2002 5:19 PM
> To: David Lawler Christiansen (NT)
> Cc: cyrussasl; krb5
> Subject: Re: FQDN needed by sasl_gss_client_step or gss_import_name?
>
>
> On
[EMAIL PROTECTED]]
> > > Sent: Friday, May 17, 2002 7:32 AM
> > > To: Lawrence Greenfield
> > > Cc: Jacques A. Vidrine; Dave Snoopy; cyrussasl; krb5
> > > Subject: Re: FQDN needed by sasl_gss_client_step or
> gss_import_name?
>
> > [...]
>
> >
On Mon, May 20, 2002 at 02:00:21PM -0700, David Lawler Christiansen (NT) wrote:
> > From: Steve Langasek [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, May 17, 2002 7:32 AM
> > To: Lawrence Greenfield
> > Cc: Jacques A. Vidrine; Dave Snoopy; cyrussasl; krb5
> >
> From: Steve Langasek [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 17, 2002 7:32 AM
> To: Lawrence Greenfield
> Cc: Jacques A. Vidrine; Dave Snoopy; cyrussasl; krb5
> Subject: Re: FQDN needed by sasl_gss_client_step or gss_import_name?
[...]
> > Since DNS is an i
On Fri, 17 May 2002, Dave Snoopy wrote:
> I don't know too much about this, but perhaps I should
> mention that when my ldap client gave its error, it
> hadn't yet done anything with the KDC/PDC besides
> requesting the supported SASL types (I did a network
> trace on all ports with my KDC/PDC).
What kinds of DNS server are you using? If it is win2k DNS, you should
be ok. If it is NT4 DNS, you're in trouble. Also tweak your
/etc/krb5.conf or krb5.ini on win32 and your resolv.conf file.
-peter huang
Dave Snoopy wrote:
> I don't know too much about this, but perhaps I should
> mention
I don't know too much about this, but perhaps I should
mention that when my ldap client gave its error, it
hadn't yet done anything with the KDC/PDC besides
requesting the supported SASL types (I did a network
trace on all ports with my KDC/PDC). In other words,
this was a totally internal Kerbero
On Thu, May 16, 2002 at 08:19:14PM -0500, Jacques A. Vidrine wrote:
> On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
> > Hopefully the Kerberos clarifications in the krb-wg will address this
> > issue and MIT will change their implementation..
>
> Change it how?
At the int
On Thu, May 16, 2002 at 09:32:32PM -0400, Lawrence Greenfield wrote:
>Date: Thu, 16 May 2002 20:19:14 -0500
>From: "Jacques A. Vidrine" <[EMAIL PROTECTED]>
>On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
>> Hopefully the Kerberos clarifications in the krb-wg
On Thu, May 16, 2002 at 04:40:47PM -0700, Dave Snoopy wrote:
> I am using OpenLDAP's ldapsearch tool, in conjunction
> with Cyrus SASL and MIT Kerberos 5. The tool allows me
> to do LDAP queries against a Microsoft PDC, assuming
> that I have first obtained the ticket from the
> Microsoft KDC. It
Date: Thu, 16 May 2002 20:19:14 -0500
From: "Jacques A. Vidrine" <[EMAIL PROTECTED]>
On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
> Hopefully the Kerberos clarifications in the krb-wg will address this
> issue and MIT will change their implementation..
On Thu, May 16, 2002 at 09:04:00PM -0400, Lawrence Greenfield wrote:
> Hopefully the Kerberos clarifications in the krb-wg will address this
> issue and MIT will change their implementation..
Change it how?
--
Jacques A. Vidrine <[EMAIL PROTECTED]> http://www.nectar.cc/
NTT/Veri
This is a known interoperability problem between MIT Kerberos and
Microsoft Kerberos (and other versions).
Microsoft Kerberos (correctly) does not use DNS to canonicalize. DNS
is insecure and shouldn't be used for this purpose. Unfortunately,
Kerberos implementations have a long history of usin
[EMAIL PROTECTED] (Dave Snoopy) writes:
>> I traced down the error to the Kerberos function
>> "gss_import_name", which is being called from the SASL
>> function sasl_gss_client_step. This problem only
>> happens when the non FQDN kdc name is returned from
>> DNS. Is this a Kerberos or SASL probl
I am using OpenLDAP's ldapsearch tool, in conjunction
with Cyrus SASL and MIT Kerberos 5. The tool allows me
to do LDAP queries against a Microsoft PDC, assuming
that I have first obtained the ticket from the
Microsoft KDC. It works great, except for one
problem...
My DNS server has two entries f
18 matches