Re: Win logon to a MIT Kerberos V KDC?

2002-09-25 Thread Luke Howard
>I've fine combed the 'Net for anything that can do this, >but can't find anything. > >Hasn't anyone written a MSGINA replacement that allows >authentication against a MIT Kerberos KDC? If you are using Windows 2000, you can use ksetup to configure authentication against a non-Windows KDC, with

Re: Win logon to a MIT Kerberos V KDC?

2002-09-25 Thread Luke Howard
>In any case, a GINA is not the correct place to hook in support for >additional authentication providers; it only deals with interactive, >not network, authentication. Existing GINAs that create temporary To clarify further, even then, only _graphical_ interactive authentication (i.e. Winlogon),

Re: Win logon to a MIT Kerberos V KDC?

2002-09-25 Thread Turbo Fredriksson
Quoting "Paul B. Hill" <[EMAIL PROTECTED]>: > For which version of Windows? Preferably all of them. But at the moment I'm working on 2k and XP. But I also have a 98 that I would like to connect to this... > Please read their whitepapers for the information. I skimmed through them (if you're

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
[let's keep this on the list] Quoting "Eric Lee Steadle" <[EMAIL PROTECTED]>: > Did you read this MS document? > [...] > http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp Yes, I found that eventually. > I've followed the steps and it definitely works. It only half

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Luke Howard
>But as the KDC logs show, it seems like the login was successful. Do I have >to >have something more (Samba comes to mind)? SAMBA does not support the additional RPCs necessary for native Windows 2000 domain logon, so no, this won't help. Did you map your account to a local account with ksetup

RE: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Eric Lee Steadle
>- s n i p - >rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0 >Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 >-133 -128 3 1 24 -135}) (88): >NEEDED_PREAUTH: turbo@ for >krbtgt/@, Additional pre-authentication required Well, my interpretation of this is that the Win

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: >> But as the KDC logs show, it seems like the login was >> successful. Do I have to have something more (Samba comes to >> mind)? Luke> SAMBA does not support the additional RPCs necessary for Luke> native Windows 2000

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Luke Howard
>Just thinking that it might be a little like NSS/PAM. In Linux >I need Lib{PAM,NSS}-LDAP for uid/gid number mapping etc (authorization) >and LibPAM-Krb5 for password (authentication)... The Windows "solution" is, as previously mentioned, to have a local or Active Directory account for the user.

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: Eric> Tell us more about your Windows client. Version, Service Eric> Pack, etc. Does it participate in a domain? Have any Eric> registry settings been adjusted? etc. Windows 2000 5.00.2195, Service Pack 3. >> Sep 26 15

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: Luke> The Windows "solution" is, as previously mentioned, to have Luke> a local or Active Directory account for the user. That's Luke> where the authorization information comes from (in an AD Luke> domain it is included in th

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Luke Howard
>'a local or AD account'. I don't have AD, but I _DO_ have a local >account. So, according to Microsoft's documentation, it should "just work". >- s n i p - >Sep 26 08:02:19 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 >-135}) >(88): UNKNOWN_SERVER: authtime 10330

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: > "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: Eric> Tell us more about your Windows client. Version, Service Eric> Pack, etc. Does it participate in a domain? Have any Eric> registry settings been adjusted?

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: >> 'a local or AD account'. I don't have AD, but I _DO_ have a >> local account. Luke> So, according to Microsoft's documentation, it should "just Luke> work". Exactly. Dang, I hate when it (software) does this! :) >>

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "John" == John Green <[EMAIL PROTECTED]> writes: John> I don't know if you're aware of this utility, and forgive me John> if I'm speaking the obvious, but this is on the Win2K cd-rom John> (extract /support/tools/support.cab) . It's called ksetup. John> It will have the mac

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Steve Harper
Definitely remove the "REQUIRES_PRE_AUTH" flag from the principal for majorskan (which is your windows 2000 machine, if I'm not mistaken). When the KDC is forcing the WIN2K client to generate PRE_AUTH data the client includes additional information (I think it's SID) in the Authorization_Data fie

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Steve" == Steve Harper <[EMAIL PROTECTED]> writes: Steve> Definitely remove the "REQUIRES_PRE_AUTH" flag from the Steve> principal for majorskan (which is your windows 2000 Steve> machine, if I'm not mistaken). Steve> kadmin: modify_principal -requires_preauth Steve> h

RE: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Eric Lee Steadle
Thursday, September 26, 2002 1:51 PM >To: [EMAIL PROTECTED] >Subject: Re: Win logon to a MIT Kerberos V KDC? > > >>>>>> "Steve" == Steve Harper <[EMAIL PROTECTED]> writes: > >Steve> Definitely remove the "REQUIRES_PRE_AUTH" flag fr

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Douglas E. Engert
Turbo Fredriksson wrote: > > > "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: > > > "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: > Eric> Tell us more about your Windows client. Version, Service > Eric> Pack, etc. Does it participate in a domain? Have any >

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Turbo Fredriksson
> "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes: Douglas> Check that under the System Properties->Network Douglas> Identification->Properties->More the "Change primary DNS Douglas> suffix when domain membership changes" is not checked. 'NOT checked'!? I thought it sai

Re: Win logon to a MIT Kerberos V KDC?

2002-09-26 Thread Douglas E. Engert
Turbo Fredriksson wrote: > > > "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes: > > Douglas> Check that under the System Properties->Network > Douglas> Identification->Properties->More the "Change primary DNS > Douglas> suffix when domain membership changes" is not ch

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
> "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: Eric> Do you have Ethereal and/or Netmon installed? Can you get a Eric> packet trace of the login attempt? That might be helpful. Not sure if I use tcpdump correctly, but this is what it tells me: Meduza is the firewall at hom

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
> "Eric" == Eric Lee Steadle <[EMAIL PROTECTED]> writes: Eric> Let's see... DES-CBC-CRC and DES-CBC-MD5 according to the Eric> "step by step" guide. Can you try removing all other Eric> encryption types from your KDC and trying again? 'remove all other encryption types from the

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Wyllys Ingersoll
Steve Harper wrote: > Definitely remove the "REQUIRES_PRE_AUTH" flag from the principal for > majorskan (which is your windows 2000 machine, if I'm not mistaken). When > the KDC is forcing the WIN2K client to generate PRE_AUTH data the client > includes additional information (I think it's SID) i

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
> "Wyllys" == Wyllys Ingersoll <[EMAIL PROTECTED]> writes: Wyllys> If the KDC is non-MS and the client is MS, it is safe to Wyllys> use pre-auth. The default pre-auth type is TIMESTAMP, Wyllys> which MIT supports just fine. How do I set it to be TIMESTAMP? It doesn't say what it u

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Luke Howard
Just for the record, a Windows 2000 client will send some preauth data requesting that the PAC be included (this is described in John Brezak's IETF draft specifying the PAC format). That may be what was being referred to in previous mails. The default is to include the PAC, but it might be sensi

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
I got it working! It was the encryption keys that were at fault!! Starting kadmin with '-e des-cbc-crc:normal' and then recreating the principal solved the problem. Wee, nice one folks. Thanx for all the help I got about this. Tried again, this time with all the principals having +require_preau

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: Luke> Adding support to a KDC for the PAC is not that difficult if Luke> you have a sensible architecture (for example, an integrated Luke> directory backend for the KDC). The difficulty lies in some Luke> of the other, unpub

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Luke Howard
>Luke> Adding support to a KDC for the PAC is not that difficult if >Luke> you have a sensible architecture (for example, an integrated >Luke> directory backend for the KDC). The difficulty lies in some >Luke> of the other, unpublished, protocols which are necessary to >Luke>

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: Turbo> Tried again, this time with all the principals having Turbo> +require_preauth. Still works. Now I'm happy! This was even a requirement! My girlfriend tried to login, didn't work. What differed was that I had REQUIRES_

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Tony Hoyle
On Fri, 27 Sep 2002 13:47:47 +, Turbo Fredriksson wrote: >> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: > > Turbo> Tried again, this time with all the principals having > Turbo> +require_preauth. Still works. Now I'm happy! > > This was even a requirement! My girlf

Re: Win logon to a MIT Kerberos V KDC?

2002-09-27 Thread Turbo Fredriksson
> "Tony" == Tony Hoyle <[EMAIL PROTECTED]> writes: Tony> On Fri, 27 Sep 2002 13:47:47 +, Turbo Fredriksson wrote: >>> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: >> Turbo> Tried again, this time with all the principals having Turbo> +require_preauth.

Re: Win logon to a MIT Kerberos V KDC?

2002-09-28 Thread Tony Hoyle
On Sat, 28 Sep 2002 06:43:24 +, Turbo Fredriksson wrote: > Deleting it again, and creating it again, this time with the > command line: > > [snip] > > This will allow me to login without rebooting the win host. > Now, it's important that 'SECRET' is used with the win > command (th

Re: Win logon to a MIT Kerberos V KDC?

2002-09-29 Thread Turbo Fredriksson
Quoting Luke Howard <[EMAIL PROTECTED]>: > >Luke> Adding support to a KDC for the PAC is not that difficult if > >Luke> you have a sensible architecture (for example, an integrated > >Luke> directory backend for the KDC). The difficulty lies in some > >Luke> of the other, unpublis

Re: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Luke Howard
>> You will need to execute a non-disclosure agreement before they will >> disclose the licensing terms. > >Which means you/we can't use them to something OpenSource if I'm not >mistaken(?). Probably, I haven't seen the license schedule, so I don't know (and I couldn't tell you if I had). >> >A

Re: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Tony Hoyle
On Sat, 28 Sep 2002 12:45:53 +0100, Tony Hoyle wrote: > I've tried that... no help. I'm beginning to suspect the KDC is stuffed > anyway... The Win MIT Kerberos client can't authenticate to it either, > so there's something badly wrong somewhere (apart from it being Windows > :-) OK I found my

Re: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Andreas Hasenack
On Mon, Sep 30, 2002 at 10:26:17PM +0100, Tony Hoyle wrote: > With no preauthentication login succeeds. It could have nothing to do with it, but at one time I had such a problem with krb5 on linux and win2k as a kdc, and it turned out to be a time offset problem (since preauth is basically tim

RE: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Actually davidchr
k [mailto:[EMAIL PROTECTED]] > Sent: Monday, September 30, 2002 3:27 PM > To: Tony Hoyle > Cc: [EMAIL PROTECTED] > Subject: Re: Win logon to a MIT Kerberos V KDC? > > > On Mon, Sep 30, 2002 at 10:26:17PM +0100, Tony Hoyle wrote: > > With no preauthentication login succ

RE: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Actually davidchr
00 PM > To: [EMAIL PROTECTED] > Subject: Re: Win logon to a MIT Kerberos V KDC? > > > On Fri, 27 Sep 2002 13:47:47 +, Turbo Fredriksson wrote: > > >>>>>> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes: > > > > Turb

Re: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Turbo Fredriksson
> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: Luke> Last time I looked into it, the MIT backend API was nowhere Luke> near as simple as Heimdal's. So, we are very unlikely to do Luke> so. Chicken :) I doubt that I have the time to take a look at it, but any quick pointers

Re: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Turbo Fredriksson
> "Tony" == Tony Hoyle <[EMAIL PROTECTED]> writes: Tony> Win2k still doesn't connect directly at all: Did you recreate the 'host/data.nodomain.org' principal (so that it only has ONE key)? Tony> Perhaps it's the client/server versions? Tony> The Win2k client is Win2k SP3 w/256

Re: Win logon to a MIT Kerberos V KDC?

2002-09-30 Thread Turbo Fredriksson
> "Actually" == Actually davidchr <[EMAIL PROTECTED]> writes: Actually> Win2k does support encrypted timestamp preauth, as your Actually> kdc software would require. I'm using (successfully) pre-auth on MY KDC (in all three principals involved). However, my host/ principal is differ

Re: Win logon to a MIT Kerberos V KDC?

2002-10-01 Thread Andreas Hasenack
They probably weren't, but it wasn't very clear at first sight. As soon as I disabled "automatic daylight savings" in the win2k machine it started to work. On Mon, Sep 30, 2002 at 06:22:44PM -0700, Actually davidchr wrote: > The Kerberos protocol uses GMT, so as long as your timezones are corr

Re: Win logon to a MIT Kerberos V KDC?

2002-10-01 Thread Tony Hoyle
On Tue, 01 Oct 2002 05:44:05 +, Turbo Fredriksson wrote: >> "Tony" == Tony Hoyle <[EMAIL PROTECTED]> writes: > > Tony> Win2k still doesn't connect directly at all: > > Did you recreate the 'host/data.nodomain.org' principal (so that > it only has ONE key)? > Yes. More details...

Re: Win logon to a MIT Kerberos V KDC?

2002-10-02 Thread Tony Hoyle
OK I think I've found a problem. I found out how to enable logging on the Win2k side and got: The function LogonUser received a Kerberos Error Message: on logon session NODOMAIN.ORG\tmh Client Time: 13:30:11. 11/2/1989 Z Server Time: 20:49:3. 10/2/2002 (null) Error Code: 0x19

Re: Win logon to a MIT Kerberos V KDC?

2002-10-02 Thread Clint Chaplin
Read that log again carefully. It's saying that the >client< time is 1989, not the server time... Clint (JOATMON) Chaplin >>> "Tony Hoyle" <[EMAIL PROTECTED]> 10/2/02 13:59:03 >>> OK I think I've found a problem. I found out how to enable logging on the Win2k side and got: The function LogonU

Re: Win logon to a MIT Kerberos V KDC?

2002-10-02 Thread Turbo Fredriksson
> "Clint" == Clint Chaplin <[EMAIL PROTECTED]> writes: Clint> Now I need to sync the Win2k kerberos client with the rest Clint> of Win2k - obviously it's not automatic. The Win2k clock Clint> is correct & synced with win32time. Any ideas on how to do Clint> this? - s n

Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle
On Wed, 2 Oct 2002 21:58:00 + (UTC), [EMAIL PROTECTED] ("Clint Chaplin") wrote: >Read that log again carefully. It's saying that the >client< time is 1989, not the >server time... > Windows is the client. The server is a Linux KDC. Tony Ke

Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle
On Thu, 3 Oct 2002 05:17:46 + (UTC), [EMAIL PROTECTED] (Turbo Fredriksson) wrote: >> "Clint" == Clint Chaplin <[EMAIL PROTECTED]> writes: > >Clint> Now I need to sync the Win2k kerberos client with the rest >Clint> of Win2k - obviously it's not automatic. The Win2k clock >Cli

Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Turbo Fredriksson
> "Tony" == Tony Hoyle <[EMAIL PROTECTED]> writes: Tony> Already done that. The system clock on Windows is correct Tony> (to the nearest second). The windows kerberos clock is Tony> incorrect. How do I make them equal? To my knowledge (I also think I've read something about th

Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle
On Thu, 3 Oct 2002 11:22:38 + (UTC), [EMAIL PROTECTED] (Turbo Fredriksson) wrote: >1. Installed W2k Pro >2. Installed SP3 >a. Auth to non-M$ KDC requires SP2 or greater! > SP3 is the latest from M$. >3. Executed the 'ksetup.exe' comman

Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Tony Hoyle
Apparently there's a bug in MIT Kerberos 1.2.3-1.2.6 that breaks Microsoft clients (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=162794&repeatmerged=yes). The version I'm using seems to have had the first part of the patch merged but not the second part - although looking at the code I can't s

RE: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Actually davidchr
> From: Turbo Fredriksson [mailto:[EMAIL PROTECTED]] > Sent: Thursday, October 03, 2002 4:23 AM [...] > 1. Installed W2k Pro > 2. Installed SP3 > a. Auth to non-M$ KDC requires SP2 or greater! >SP3 is the latest from M$. Clarification: No

Re: Win logon to a MIT Kerberos V KDC?

2002-10-03 Thread Turbo Fredriksson
> "Actually" == Actually davidchr <[EMAIL PROTECTED]> writes: >> 1. Installed W2k Pro 2. Installed SP3 a. Auth to non-M$ KDC >> requires SP2 or greater! SP3 is the latest from M$. Actually> Clarification: Actually> No service pack is required to make Win2K authenticate

Re: Win logon to a MIT Kerberos V KDC?

2002-10-06 Thread Luke Howard
>> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: > >Luke> Last time I looked into it, the MIT backend API was nowhere >Luke> near as simple as Heimdal's. So, we are very unlikely to do >Luke> so. > >Chicken :) Well, why don't you just use Heimdal? Unless you are a vendor with

Re: Win logon to a MIT Kerberos V KDC?

2002-10-07 Thread Turbo Fredriksson
Quoting Luke Howard <[EMAIL PROTECTED]>: > >> "Luke" == Luke Howard <[EMAIL PROTECTED]> writes: > > > >Luke> Last time I looked into it, the MIT backend API was nowhere > >Luke> near as simple as Heimdal's. So, we are very unlikely to do > >Luke> so. > > > >Chicken :) > > Well, w

Re: Win logon to a MIT Kerberos V KDC?

2002-10-07 Thread Andreas Hasenack
On Mon, Oct 07, 2002 at 06:01:06AM +1000, Luke Howard wrote: > Well, why don't you just use Heimdal? Unless you are a vendor with > an existing investment in MIT Kerberos, I would not expect this to > be a major problem; you can still keep your MIT clients. :-) Unfortunately there are interope

Re: Win logon to a MIT Kerberos V KDC?

2002-10-07 Thread Luke Howard
>> We don't actively maintain this backend; we have an internal >> LDAP KDC backend that uses a different schema, and that's >> where our efforts are focused at present. > >And this is based on Heimdal? Yes. (We added support for dynamically loadable backends to Heimdal.) -- Luke -- Luke Howard

RE: Win logon to a MIT Kerberos V KDC?

2002-10-08 Thread Actually davidchr
ses of bulk email (spam and UCE) is expressly prohibited unless by my explicit prior request. I retaliate viciously against spammers and spam sites. > -Original Message- > From: Turbo Fredriksson [mailto:[EMAIL PROTECTED]] > Sent: Thursday, October 03, 2002 10:42 PM > To: [EM