From news@ra.nrl.navy.mil Tue Feb 5 22:49:48 2002
X-Newsgroups: comp.protocols.kerberos
From: Christopher Burke
To: kerberos@MIT.EDU
Date: Wed, 06 Feb 2002 03:37:42 GMT
Subject: Re: KERB V5 + SEGV_MAPERR
References: <15456.35709.443260.168630@imus.ms.com>
Organization: BigPond Internet Services (http://www.bigpond.net.au)

Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in
news:15456.35709.443260.168630@imus.ms.com:

> I gather your application is multithreaded, or at least built
> with threads in mind ...
>
> You should build your kerberos libs with -D_REENTRANT.

Yes, my application is multi-threaded; however, I do have a mutex around the
entire call to the kerberos stuff ... shouldn't that help?

--
/* Christopher Burke - Spam Mail to craznar@hotmail.com
|* www.craznar.com -
\* Real mail to cburke(at)craznar(dot)com

From cesarg@ms.com Wed Feb 6 08:42:49 2002
From: Cesar Garcia
To: Christopher Burke
Cc: kerberos@mit.edu
Date: Wed, 6 Feb 2002 08:42:47 -0500 (EST)
Subject: Re: KERB V5 + SEGV_MAPERR
Message-ID: <15457.13015.509560.428762@imus.ms.com>
In-Reply-To: (Christopher Burke's message above)
References: <15456.35709.443260.168630@imus.ms.com>

The mutex keeps multiple threads from simultaneously entering a mutexed code
segment. This problem has more to do with how errno is defined.

Keep in mind that most system calls (e.g., stat, fork, open, etc.) set errno on
failure (this is done implicitly, since errno is not passed in as an argument
to the system call). In non-multithreaded apps, it's reasonable for errno to be
defined as a global variable, since it's not possible for multiple system calls
to be invoked concurrently. In multithreaded apps, this is a problem.

Since your libs are not built with -D_REENTRANT, the kerberos libs are
referencing the global errno, instead of the thread-specific errno which stat
is actually using. Hence your problem.

>>>>> "Christopher" == Christopher Burke writes:

Christopher> Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in
Christopher> news:15456.35709.443260.168630@imus.ms.com:
>>
>> I gather your application is multithreaded, or at least built
>> with threads in mind ...
>>
>> You should build your kerberos libs with -D_REENTRANT.

Christopher> Yes my application is multi-threaded however I do have a mutex around the
Christopher> entire call to the kerberos stuff ... shouldn't that help ?
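Cesar's reply above is the whole diagnosis, so here is an added example that models it in one C file. This is my code, not code from the thread or from MIT Kerberos. On the Solaris toolchain of the time, a library built without -D_REENTRANT bound its `errno` references to the process-wide `extern int errno`, while the threaded libc recorded failures in a per-thread slot; modern glibc makes errno thread-local unconditionally, so the real `errno` cannot show the bug today. The variables `global_errno` and `thread_errno` and the function `libc_stat` are constructed stand-ins for those symbols, and the path is a constructed sample.

```c
/*
 * Added example (not from the thread or from MIT Kerberos): a model of the
 * errno storage mismatch that -D_REENTRANT fixes. global_errno, thread_errno
 * and libc_stat are constructed stand-ins for the real symbols; modern libcs
 * make errno per-thread unconditionally, so this is a model, not the real bug.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* What a library built WITHOUT -D_REENTRANT binds `errno` to:
 * one process-wide integer. */
static int global_errno = 0;

/* What the threaded libc actually writes on failure: a per-thread slot
 * (the real one was reached through a function such as ___errno()). */
static _Thread_local int thread_errno = 0;

/* Stand-in for stat() in a threaded libc: always fails and reports why in
 * the per-thread slot. The process-wide integer is never touched. */
static int libc_stat(const char *path)
{
    (void)path;
    thread_errno = ENOENT;
    return -1;
}

/* Library routine compiled without -D_REENTRANT: after a failed stat it
 * consults global_errno, which nobody wrote, and so reports 0 ("no error"). */
static int lookup_without_reentrant(const char *path)
{
    if (libc_stat(path) < 0)
        return global_errno;
    return 0;
}

/* The same routine compiled with -D_REENTRANT: it reads the slot stat() used. */
static int lookup_with_reentrant(const char *path)
{
    if (libc_stat(path) < 0)
        return thread_errno;
    return 0;
}

/* A caller that trusts the reported errno: 0 means "go on and use the result".
 * With the non-reentrant build that result is a buffer stat() never filled,
 * which is how a wrong errno turns into a crash (the SEGV_MAPERR in the
 * original report). Returns 1 if the caller would proceed. */
static int caller_would_proceed(int (*lookup)(const char *), const char *path)
{
    return lookup(path) == 0;
}

int main(void)
{
    const char *path = "/constructed/missing/file";   /* constructed sample path */
    int a = lookup_without_reentrant(path);
    int b = lookup_with_reentrant(path);

    printf("without _REENTRANT: errno=%d (%s), caller proceeds=%d\n",
           a, strerror(a), caller_would_proceed(lookup_without_reentrant, path));
    printf("with    _REENTRANT: errno=%d (%s), caller proceeds=%d\n",
           b, strerror(b), caller_would_proceed(lookup_with_reentrant, path));
    return 0;
}
```

The point this makes about the mutex: the two builds differ in which storage the compiled code reads, not in when it reads it, so serializing the call leaves the non-reentrant build reading a location the libc never writes. Christopher's eventual fix, rebuilding with Sun's `-mt` (which on that compiler defines _REENTRANT and links the thread library), changes the binding rather than the timing.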
From turbo@bayour.com Wed Feb 6 09:48:10 2002
From: Turbo Fredriksson
To: kerberos@mit.edu
Date: 06 Feb 2002 15:48:06 +0100
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <871yfyfyzd.fsf@papadoc.bayour.com>
In-Reply-To: <87elk11sko.fsf@papadoc.bayour.com>
Organization: Bah!

Quoting Turbo Fredriksson:

> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> Authenticating as principal turbo@BAYOUR.COM with password.
> kadmin.local: Permission denied while initializing kadmin.local interface

Does anyone have a suggestion why this is happening?

Khaddafi colonel Kennedy [Hello to all my fans in domestic surveillance] kibo
cracking BATF North Korea SEAL Team 6 counter-intelligence Peking explosion
Legion of Doom FBI Delta Force
[See http://www.aclu.org/echelonwatch/index.html for more about this]

From kenh@cmf.nrl.navy.mil Wed Feb 6 11:17:36 2002
From: Ken Hornstein
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Date: Wed, 06 Feb 2002 11:17:16 -0500
Subject: Re: Permission denied while initializing kadmin.local interface
Message-Id: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
In-reply-to: Your message of "06 Feb 2002 15:48:06 +0100." <871yfyfyzd.fsf@papadoc.bayour.com>

>Quoting Turbo Fredriksson:
>
>> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
>> Authenticating as principal turbo@BAYOUR.COM with password.
>> kadmin.local: Permission denied while initializing kadmin.local interface
>
>Does anyone have a suggestion why this is happening?

Now that I think about it ... why on earth are you giving a principal name
to kadmin.local?

--Ken

From andreas@conectiva.com.br Wed Feb 6 11:49:06 2002
From: Andreas Hasenack
To: kerberos@mit.edu
Date: Wed, 6 Feb 2002 14:49:01 -0200
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020206164901.GA3038@conectiva.com.br>
In-Reply-To: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
References: <871yfyfyzd.fsf@papadoc.bayour.com> <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>

On Wed, Feb 06, 2002 at 11:17:16AM -0500, Ken Hornstein wrote:
> >> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> >> Authenticating as principal turbo@BAYOUR.COM with password.
> >> kadmin.local: Permission denied while initializing kadmin.local interface
> >
> >Does anyone have a suggestion why this is happening?
>
> Now that I think about it ... why on earth are you giving a principal name
> to kadmin.local?

I think it doesn't matter:

# kadmin.local -p bla@IDFODF.AKDLS
Authenticating as principal bla@IDFODF.AKDLS with password.
kadmin.local:

From news@ra.nrl.navy.mil Wed Feb 6 12:34:53 2002
X-Newsgroups: comp.protocols.kerberos
From: Christopher Burke
To: kerberos@MIT.EDU
Date: Wed, 06 Feb 2002 17:31:14 GMT
Subject: Re: KERB V5 + SEGV_MAPERR
References: <15456.35709.443260.168630@imus.ms.com> <15457.13015.509560.428762@imus.ms.com>
Organization: BigPond Internet Services (http://www.bigpond.net.au)

Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in
news:15457.13015.509560.428762@imus.ms.com:

> This problem has more to do with how errno is defined. Keep in mind
> that most system calls (e.g., stat, fork, open, etc) set errno on
> failure (this is done implicitly, since errno is not passed in as
> an argument to the system call).

Thank you. Between my last message and now, our kerberos administrator has
recompiled K5 with '-mt', and now our directory administrator (me) has a
working Directory Server 5.1 kerberos authentication plugin.

Now for some load testing ....

From andreas@conectiva.com.br Wed Feb 6 12:35:41 2002
From: Andreas Hasenack
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Date: Wed, 6 Feb 2002 15:35:28 -0200
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020206173528.GC3038@conectiva.com.br>
In-Reply-To: <871yfyfyzd.fsf@papadoc.bayour.com>
References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com>
On Wed, Feb 06, 2002 at 03:48:06PM +0100, Turbo Fredriksson wrote:
> Quoting Turbo Fredriksson:
>
> > turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> > Authenticating as principal turbo@BAYOUR.COM with password.
> > kadmin.local: Permission denied while initializing kadmin.local interface
>
> Does anyone have a suggestion why this is happening?

Hmm, you are running kadmin.local as root, aren't you?

From bundu100@eudoramail.com Wed Feb 6 20:58:55 2002
From: "dr.mrs.marian abacha"
Reply-To: "dr.mrs.marian abacha"
Date: Thu, 7 Feb 2002 03:00:45 -0800
Subject: urgent assistance
Message-Id: <200202070158.UAA03547@pacific-carrier-annex.mit.edu>

ATTN: THE PRESIDENT/CEO

Dear Sir / Madam,

I am Dr. Mrs. Marian Abacha, wife to the late Nigerian Head of state, General
Sani Abacha, who died on the 8th of June 1998 while still on active service for
our Country. I am contacting you with the hope that you will be of great
assistance to me. I currently have within my reach the sum of 76 MILLION U.S.
dollars cash which I intend to use for investment purposes outside Nigeria.
This money came as a result of a payback contract deal between my husband and
a Russian firm in our country's multi-billion dollar Ajaokuta steel plant.

The Russian partners returned my husband's share, being the above sum, after
his death. Presently, the new civilian Government has intensified their probe
into my husband's financial resources, which has led to the freezing of all
our accounts, local and foreign, the revoking of all our business licenses and
the arrest of my First son. In view of this I acted very fast to withdraw this
money from one of our finance houses before it was closed down. I have
deposited the money in a security vault for safe keeping with the help of very
loyal officials of my late husband. No record is known about this fund by the
government because there is no documentation showing that we received such
funds. Due to the current situation in the country and government attitude to
my financial affairs, I cannot make use of this money within.

Bearing in mind that you may assist me, 20% of the total amount will be paid
to you for your assistance, while 5% will be set aside for expenses incurred
by the parties involved and this will be paid before sharing. Half of my 75%
will be paid into my account on your instruction once the money hits your
account, while the other half will be invested by your humble self in any
viable business venture you deem fit, with you as manager of the invested
funds. Remunerations during the investment period will be on a 50/50 basis.

Your URGENT response is needed. All correspondence must be through my lawyer,
fax: 234-1-7594494, attentioned to my attorney (abbas bundu). Please do not
forget to include your direct tel/fax line for easy reach. I hope I can trust
you with my family's last financial hope.

Regards
Dr. Mrs. Marian Sani Abacha.
C/o abbas bundu (counsel)

From Thomas.Huang@jpl.nasa.gov Wed Feb 6 21:33:25 2002
From: Thomas Huang
To: kerberos@MIT.EDU
Date: Wed, 06 Feb 2002 18:36:07 -0800
Subject: Changing host name and address
Message-Id: <5.0.2.1.0.20020206183222.00aa6190@mipl.jpl.nasa.gov>

Hi,

My group is planning to relocate our KDC host. This also means changing the IP
address and the host name. Do we need to recreate the host key after the
relocation? Will we have to reconfigure the existing KDC after the relocation
(i.e. dumping and reloading the database)?

thanks,
Thomas.

From csri@sonata-software.com Wed Feb 6 22:51:10 2002
From: Srinivas Cheruku
To: kerberos@MIT.EDU
Date: Thu, 7 Feb 2002 09:24:16 +0530
Subject: Credential Cache Types
Message-ID: <60A02294BABED411BAC30000F80167CC031885DB@BG1MAIL>

Hi all,

Please can any one of you give me the information.

What types of Credentials Cache does MIT Support? Will it support the
Microsoft Credential Cache on Win2k? Can a gss application developed using MIT
GSS read the credentials from the Microsoft credential cache? What are the
implications of these cache types when clients are on XP?

Thanks a lot,
Srini

*********************************************************************
Disclaimer: The information in this e-mail and any attachments is
confidential / privileged. It is intended solely for the addressee or
addressees. If you are not the addressee indicated in this message, you may
not copy or deliver this message to anyone. In such case, you should destroy
this message and kindly notify the sender by reply email. Please advise
immediately if you or your employer does not consent to Internet email for
messages of this kind.
*********************************************************************

From turbo@bayour.com Thu Feb 7 04:24:50 2002
From: Turbo Fredriksson
To: Ken Hornstein
Cc: kerberos@mit.edu
Date: 07 Feb 2002 10:24:46 +0100
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <87ofj1eja9.fsf@papadoc.bayour.com>
In-Reply-To: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
Organization: Bah!

Quoting Ken Hornstein:
> >Quoting Turbo Fredriksson:
> >
> >> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> >> Authenticating as principal turbo@BAYOUR.COM with password.
> >> kadmin.local: Permission denied while initializing kadmin.local interface
> >
> >Does anyone have a suggestion why this is happening?
>
> Now that I think about it ... why on earth are you giving a principal name
> to kadmin.local?
[papadoc.pts/3]$ kadmin.local
Authenticating as principal turbo/admin@BAYOUR.COM with password.
kadmin.local: Permission denied while initializing kadmin.local interface

That principal doesn't exist...

From turbo@bayour.com Thu Feb 7 04:26:13 2002
From: Turbo Fredriksson
To: Andreas Hasenack
Cc: kerberos@mit.edu
Date: 07 Feb 2002 10:26:10 +0100
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <87k7tpej7x.fsf@papadoc.bayour.com>
In-Reply-To: <20020206173528.GC3038@conectiva.com.br>
Organization: Bah!

Quoting Andreas Hasenack:
> On Wed, Feb 06, 2002 at 03:48:06PM +0100, Turbo Fredriksson wrote:
> > Quoting Turbo Fredriksson:
> >
> > > turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> > > Authenticating as principal turbo@BAYOUR.COM with password.
> > > kadmin.local: Permission denied while initializing kadmin.local interface
> >
> > Does anyone have a suggestion why this is happening?
>
> Hmm, you are running kadmin.local as root, aren't you?

No, that's the whole point... If using sudo/su/ksu, then it works. But I have
two 'help admins' (i.e., ordinary users who help out with bits and pieces)
that I don't want to give sudo/su rights to...

From andreas@conectiva.com.br Thu Feb 7 07:56:11 2002
From: Andreas Hasenack
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Date: Thu, 7 Feb 2002 10:56:00 -0200
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020207125559.GC1156@conectiva.com.br>
In-Reply-To: <87k7tpej7x.fsf@papadoc.bayour.com>

On Thu, Feb 07, 2002 at 10:26:10AM +0100, Turbo Fredriksson wrote:
> > Hmm, you are running kadmin.local as root, aren't you?
>
> No, that's the whole point... If using sudo/su/ksu, then it works. But I have two
> 'help admins' (ie, ordinary users which help out with bits and pieces) that I don't
> want to give sudo/su rights to...

Then you can't use kadmin.local, just kadmin. Have them use kadmin and it will
work just fine.

From turbo@bayour.com Thu Feb 7 08:29:12 2002
From: Turbo Fredriksson
To: kerberos@mit.edu
Date: 07 Feb 2002 14:29:06 +0100
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <87pu3h8lp9.fsf@papadoc.bayour.com>
In-Reply-To: <20020207125559.GC1156@conectiva.com.br>
Organization: Bah!

>>>>> "Andreas" == Andreas Hasenack writes:

Andreas> On Thu, Feb 07, 2002 at 10:26:10AM +0100, Turbo
Andreas> Fredriksson wrote:
>> > Hmm, you are running kadmin.local as root, aren't you?
>>
>> No, that's the whole point... If using sudo/su/ksu, then it
>> works. But I have two 'help admins' (ie, ordinary users which
>> help out with bits and pieces) that I don't want to give
>> sudo/su rights to...

Andreas> Then you can't use kadmin.local, just kadmin. Have them
Andreas> use kadmin and it will work just fine.

Hmmm... I'm _QUITE_ sure I tried that, but...

[papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM
Authenticating as principal turbo@BAYOUR.COM with password.
Enter password:
kadmin:

Is there any way 'kadmin' can honor my ticket?
From andreas@conectiva.com.br Thu Feb 7 09:08:21 2002
From: Andreas Hasenack
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Date: Thu, 7 Feb 2002 12:08:14 -0200
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020207140814.GF1156@conectiva.com.br>
In-Reply-To: <87pu3h8lp9.fsf@papadoc.bayour.com>

On Thu, Feb 07, 2002 at 02:29:06PM +0100, Turbo Fredriksson wrote:
> [papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM
> Authenticating as principal turbo@BAYOUR.COM with password.
> Enter password:
> kadmin:
>
> Is there any way 'kadmin' can honor my ticket?

You mean, by not having to enter a password and using the tgt your principal
already has? According to the man page, yes, if you have a ticket for
kadmin/admin.

From kenh@cmf.nrl.navy.mil Thu Feb 7 09:10:38 2002
From: Ken Hornstein
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Date: Thu, 07 Feb 2002 09:10:34 -0500
Subject: Re: Permission denied while initializing kadmin.local interface
Message-Id: <200202071410.g17EAXG20942@ginger.cmf.nrl.navy.mil>
In-reply-to: Your message of "07 Feb 2002 14:29:06 +0100." <87pu3h8lp9.fsf@papadoc.bayour.com>

> >> No, that's the whole point... If using sudo/su/ksu, then it
> >> works. But I have two 'help admins' (ie, ordinary users which
> >> help out with bits and pieces) that I don't want to give
> >> sudo/su rights to...
>
> Andreas> Then you can't use kadmin.local, just kadmin. Have them
> Andreas> use kadmin and it will work just fine.

One thing that's important to understand is that kadmin.local accesses the
database directly, instead of going through kadmind. So it needs permission to
read/write the database file ... which is why you were getting "Permission
denied" (I think that's a bug that it says "Authenticating as principal ..."
when using kadmin.local).

>Hmmm... I'm _QUITE_ sure I tried that, but...
>
>[papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM
>Authenticating as principal turbo@BAYOUR.COM with password.
>Enter password:
>kadmin:

I don't understand ... this looks like it works to me.

--Ken

From kenh@cmf.nrl.navy.mil Thu Feb 7 09:40:30 2002
From: Ken Hornstein
To: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
Message-Id: <200202071440.g17EeRG21221@ginger.cmf.nrl.navy.mil>
In-reply-to: Your message of "Thu, 07 Feb 2002 12:08:14 -0200."
<20020207140814.GF1156@conectiva.com.br> X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yPkEpSD@*e` Date: Thu, 07 Feb 2002 09:40:28 -0500 From: Ken Hornstein Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >Em Thu, Feb 07, 2002 at 02:29:06PM +0100, Turbo Fredriksson escreveu: >> [papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM >> Authenticating as principal turbo@BAYOUR.COM with password. >> Enter password: >> kadmin: >> Is there any way 'kadmin' can honnor my ticket? > >You mean, by not having to enter a password and using the tgt your >principal already has? According to the man page, yes, if you have >a ticket for kadmin/admin. You'll have to do some digging to discover it, but kadmin/admin is marked in the default database configuration as a principal that requires an initial request to get a service ticket for it ... which means you _can't_ get it with your TGT, which means you need to enter in your password to get it. If you think about it, this is a good thing. You can use the "-S" flag to kinit to get a ticket for it, but you can't use this ticket for anything else. 
--Ken From turbo@bayour.com Thu Feb 7 09:40:44 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24049 for ; Thu, 7 Feb 2002 09:40:44 -0500 (EST) Received: from papadoc.bayour.com (papadoc.bayour.com [195.163.1.190]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA21160 for ; Thu, 7 Feb 2002 09:40:44 -0500 (EST) Received: (qmail-ldap/ctrl 28127 invoked by uid 1000); 7 Feb 2002 14:40:42 -0000 To: kerberos@mit.edu Subject: Re: Permission denied while initializing kadmin.local interface References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com> <20020206173528.GC3038@conectiva.com.br> <87k7tpej7x.fsf@papadoc.bayour.com> <20020207125559.GC1156@conectiva.com.br> <87pu3h8lp9.fsf@papadoc.bayour.com> <20020207140814.GF1156@conectiva.com.br> X-PGP-Fingerprint: B7 92 93 0E 06 94 D6 22 98 1F 0B 5B FE 33 A1 0B X-PGP-Key-ID: 0x788CD1A9 X-URL: http://www.nocrew.org/~turbo/ From: Turbo Fredriksson Organization: Bah! X-Yow: Yow! STYROFOAM.. Date: 07 Feb 2002 15:40:42 +0100 In-Reply-To: <20020207140814.GF1156@conectiva.com.br> Message-ID: <87lme58idx.fsf@papadoc.bayour.com> Lines: 19 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >>>>> "Andreas" == Andreas Hasenack writes: Andreas> Em Thu, Feb 07, 2002 at 02:29:06PM +0100, Turbo Andreas> Fredriksson escreveu: >> [papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM Authenticating as >> principal turbo@BAYOUR.COM with password. Enter password: >> kadmin: Is there any way 'kadmin' can honnor my ticket? 
Andreas> You mean, by not having to enter a password and using the Andreas> tgt your principal already has? According to the man Andreas> page, yes, if you have a ticket for kadmin/admin. Bummer. Ah, well. Close enough for what I want to do. Thanx. tritium FBI Mossad Serbian Cocaine toluene CIA Cuba domestic disruption FSF munitions assassination smuggle radar Uzi [See http://www.aclu.org/echelonwatch/index.html for more about this] From hartmans@MIT.EDU Thu Feb 7 09:45:14 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24129 for ; Thu, 7 Feb 2002 09:45:14 -0500 (EST) Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA16375; Thu, 7 Feb 2002 09:45:14 -0500 (EST) Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA13434; Thu, 7 Feb 2002 09:45:13 -0500 (EST) Received: from tir-na-nogth.mit.edu (TIR-NA-NOGTH.MIT.EDU [18.18.1.6]) by manawatu-mail-centre.mit.edu (8.9.2/8.9.2) with ESMTP id JAA18088; Thu, 7 Feb 2002 09:45:13 -0500 (EST) Received: (from hartmans@localhost) by tir-na-nogth.mit.edu (8.9.3) id JAA24238; Thu, 7 Feb 2002 09:45:12 -0500 (EST) To: Thomas Huang Cc: kerberos@MIT.EDU Subject: Re: Changing host name and address References: <5.0.2.1.0.20020206183222.00aa6190@mipl.jpl.nasa.gov> From: Sam Hartman Date: 07 Feb 2002 09:45:12 -0500 In-Reply-To: Thomas Huang's message of "Wed, 06 Feb 2002 18:36:07 -0800" Message-ID: Lines: 15 X-Mailer: Gnus v5.7/Emacs 20.7 Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >>>>> "Thomas" == Thomas Huang 
writes: Thomas> Hi, Thomas> My group is planning to relocate our KDC host. This also means changing Thomas> the IP address and the host name. Do we need to recreate the host key Thomas> after the relocation? Will we have to reconfigure the existing KDC after Thomas> the relocation (i.e. dumping and reloading the database)? The canonical hostname is part of the key, so if this changes a new key is needed. That should be all that needs to change. From bbense@shred.stanford.edu Thu Feb 7 09:50:02 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24175 for ; Thu, 7 Feb 2002 09:50:01 -0500 (EST) Received: from shred.stanford.edu (shred.Stanford.EDU [171.64.13.91]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA25321 for ; Thu, 7 Feb 2002 09:50:01 -0500 (EST) Received: from localhost (bbense@localhost) by shred.stanford.edu (8.11.6.Beta0/8.10.0.PreAlpha1) with ESMTP id g17Enxj10511; Thu, 7 Feb 2002 06:49:59 -0800 (PST) Date: Thu, 7 Feb 2002 06:49:59 -0800 (PST) From: "Booker C. Bense" To: Thomas Huang cc: kerberos@mit.edu Subject: Re: Changing host name and address In-Reply-To: <5.0.2.1.0.20020206183222.00aa6190@mipl.jpl.nasa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: On Wed, 6 Feb 2002, Thomas Huang wrote: > > Hi, > > My group is planning to relocate our KDC host. This also means changing > the IP address and the host name. - Changing the IP address is a minor problem. Depending on your setup users may need to get new tgt's after the swap. - Changing the hostname is a slightly bigger one. 
Depending on your foresight in making CNAME records of the names in krb5.conf you might have a minor or a big problem. If I were you I'd really try and set things up so you don't have to change the DNS name from what's in the krb5.conf files you've distributed. > Do we need to recreate the host key > after the relocation? - You need to create a new host/new.dns.name keytab for the KDC and you'll need to change acl's on slave kdc's. > Will we have to reconfigure the existing KDC after > the relocation (i.e. dumping and reloading the database)? > - It wouldn't be a bad idea to do this anyway, in case something goes wrong. But if you don't change the software you shouldn't need to reload the database. - Booker C. Bense From news@ra.nrl.navy.mil Thu Feb 7 16:50:02 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id QAA25487 for ; Thu, 7 Feb 2002 16:50:01 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id QAA19690 for ; Thu, 7 Feb 2002 16:50:01 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g17Lc4u21544 for kerberos@MIT.EDU; Thu, 7 Feb 2002 16:38:04 -0500 (EST) From: steiner@bakerst.rutgers.edu (Dave Steiner) X-Newsgroups: comp.protocols.kerberos Subject: question about KRB5_KDB_DISALLOW_ALL_TIX attribute Date: 7 Feb 2002 13:38:53 -0800 Organization: http://groups.google.com/ Message-ID: <3b609da.0202071338.43b27abc@posting.google.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: We've been running Kerberos here at the University for a number of years. 
We've made a few changes to the code over that time and one of the changes is that we don't lockout principals after N failed attempts. We are now going to start using the lockout code that's in the kdc but we'd like some way to identify the people who are locked out (so we can either contact them, semi-automate a +allow_tix, etc). Unfortunately, I haven't found any easy way of getting a list of locked out people except to do a dump of the database and check the attributes of each entry in the dump. Does anyone have an easier way to get this information or am I stuck with the dump method? thanks, -ds From Nicolas.Williams@ubsw.com Thu Feb 7 16:59:26 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id QAA25542 for ; Thu, 7 Feb 2002 16:59:22 -0500 (EST) Received: from gate.stm.swissbank.com (gate.stm.ubswarburg.com [151.191.1.10]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA10481 for ; Thu, 7 Feb 2002 16:59:22 -0500 (EST) Received: (from smap@localhost) by gate.stm.swissbank.com (8.8.8/8.8.8) id RAA15012; Thu, 7 Feb 2002 17:02:20 -0500 (EST) Received: from (eight.ubswarburg.com [192.168.0.3]) by gate via smap (V2.0) id xma014108; Thu, 7 Feb 2002 17:01:26 -0500 Received: from sm0p9035pos.stm.swissbank.com (virscan1 [192.168.0.3]) by virscan1.swissbank.com (8.8.8/8.8.8) with ESMTP id QAA09305; Thu, 7 Feb 2002 16:56:49 -0500 (EST) Received: from sm2p1386swk.stm.swissbank.com (sm2p1386swk.stm.swissbank.com [151.191.93.86]) by sm0p9035pos.stm.swissbank.com (8.8.8/8.8.8) with ESMTP id QAA26738; Thu, 7 Feb 2002 16:58:14 -0500 (EST) Received: (willian@localhost) by sm2p1386swk.stm.swissbank.com (8.9.3+Sun/8.6.12) id QAA28214; Thu, 7 Feb 2002 16:57:18 -0500 (EST) Date: Thu, 7 Feb 2002 16:57:18 -0500 From: Nicolas Williams To: Dave Steiner Cc: kerberos@mit.edu Subject: Re: question about KRB5_KDB_DISALLOW_ALL_TIX attribute Message-ID: 
<20020207165717.N27171@sm2p1386swk.wdr.com> Mail-Followup-To: Dave Steiner , kerberos@mit.edu References: <3b609da.0202071338.43b27abc@posting.google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us In-Reply-To: <3b609da.0202071338.43b27abc@posting.google.com>; from steiner@bakerst.rutgers.edu on Thu, Feb 07, 2002 at 01:38:53PM -0800 Precedence: list X-WDR-Disclaimer: Version $Revision: 1.15 $ Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: The kadmin protocol doesn't have a search function AFAICT. And the KDB is indexed only by name, so you can't search it without traversing it entirely anyways. Nico On Thu, Feb 07, 2002 at 01:38:53PM -0800, Dave Steiner wrote: > We've been running Kerberos here at the University for a number of > years. We've made a few changes to the code over that time and one of > the changes is that we don't lockout principals after N failed > attempts. > > We are now going to start using the lockout code that's in the kdc but > we'd like some way to identify the people who are locked out (so we > can either contact them, semi-automate a +allow_tix, etc). > Unfortunately, I haven't found any easy way of getting a list of > locked out people except to do a dump of the database and check the > attributes of each entry in the dump. > > Does anyone have an easier way to get this information or am I stuck > with the dump method? > > thanks, > -ds > _______________________________________________ > Kerberos mailing list > Kerberos@mit.edu > http://mailman.mit.edu/mailman/listinfo/kerberos -- -DISCLAIMER: an automatically appended disclaimer may follow. 
By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. 
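The "dump method" Dave describes (and Nico's point that there is nothing better than a full traversal) can be automated with a short parser over the kdb5_util dump. The script below is an added example, not code from the thread or from MIT krb5: it reads the tab-separated "princ" records, decodes the attribute bit mask with the kdb.h constants, and lists every principal carrying KRB5_KDB_DISALLOW_ALL_TIX (the flag that +allow_tix clears). The same decoder shows why Ken says kadmin/admin cannot be reached with a TGT: it carries DISALLOW_TGT_BASED. The three dump lines are constructed samples, and the field positions (name in field 7, attributes in field 8, fail_auth_count in field 15) follow the kdb5_util "princ" record layout as I understand it; check one real record against your own dump before relying on them.

```python
"""List locked-out principals from a kdb5_util dump (added example)."""
from typing import Dict, List, Tuple

# Attribute bits from MIT krb5's kdb.h; kadmin shows them under these names.
ATTRIBUTES: Dict[int, str] = {
    0x0001: "DISALLOW_POSTDATED",
    0x0002: "DISALLOW_FORWARDABLE",
    0x0004: "DISALLOW_TGT_BASED",
    0x0008: "DISALLOW_RENEWABLE",
    0x0010: "DISALLOW_PROXIABLE",
    0x0020: "DISALLOW_DUP_SKEY",
    0x0040: "DISALLOW_ALL_TIX",
    0x0080: "REQUIRES_PRE_AUTH",
    0x0100: "REQUIRES_HW_AUTH",
    0x0200: "REQUIRES_PWCHANGE",
    0x1000: "DISALLOW_SVR",
    0x2000: "PWCHANGE_SERVICE",
}
KRB5_KDB_DISALLOW_ALL_TIX = 0x0040

# Constructed sample dump; the first line is the kdb5_util version header.
SAMPLE_DUMP = "\n".join([
    "kdb5_util load_dump version 5",
    # alice: locked out after 5 failed attempts (attributes 0x40, fail count 5)
    "princ\t38\t18\t1\t1\t0\talice@EXAMPLE.COM\t64\t36000\t604800\t0\t0\t0\t1013097533\t5\t-1;",
    # bob: ordinary user with REQUIRES_PRE_AUTH (0x80)
    "princ\t38\t16\t1\t1\t0\tbob@EXAMPLE.COM\t128\t36000\t604800\t0\t0\t1013090000\t0\t0\t-1;",
    # kadmin/admin as kdb5_util create makes it: DISALLOW_TGT_BASED (0x04)
    "princ\t38\t24\t1\t1\t0\tkadmin/admin@EXAMPLE.COM\t4\t36000\t604800\t0\t0\t0\t0\t0\t-1;",
])


def parse_princ_record(line: str) -> Tuple[str, int, int]:
    """Return (principal, attributes, fail_auth_count) from one 'princ' record.

    Assumed field order (tab separated): princ, len, name_len, n_tl_data,
    n_key_data, e_length, name, attributes, max_life, max_renewable_life,
    expiration, pw_expiration, last_success, last_failed, fail_auth_count, ...
    """
    fields = line.rstrip("\n").split("\t")
    if fields[0] != "princ" or len(fields) < 15:
        raise ValueError("not a princ record: %r" % line[:40])
    return fields[6], int(fields[7]), int(fields[14])


def decode_attributes(mask: int) -> List[str]:
    """Translate the bit mask into the flag names kadmin's getprinc prints."""
    return [name for bit, name in sorted(ATTRIBUTES.items()) if mask & bit]


def attributes_of(dump_text: str) -> Dict[str, List[str]]:
    """Map every principal in the dump to its decoded attribute names."""
    result = {}
    for line in dump_text.splitlines():
        if not line.startswith("princ\t"):
            continue  # version header, policy records, etc.
        name, attrs, _ = parse_princ_record(line)
        result[name] = decode_attributes(attrs)
    return result


def locked_out_principals(dump_text: str) -> List[str]:
    """Principals the KDC will refuse all tickets for (DISALLOW_ALL_TIX set)."""
    out = []
    for line in dump_text.splitlines():
        if line.startswith("princ\t"):
            name, attrs, _ = parse_princ_record(line)
            if attrs & KRB5_KDB_DISALLOW_ALL_TIX:
                out.append(name)
    return out


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for principal in locked_out_principals(text):
        print(principal)
```

Pipe a real `kdb5_util dump` into it to get the list of principals to contact or to feed to a scripted `modprinc +allow_tix`; with no input it runs over the constructed sample and prints alice@EXAMPLE.COM.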
From news@ra.nrl.navy.mil Thu Feb 7 17:20:01 2002
From: John Rudd
Organization: CATS, UC Santa Cruz
To: kerberos@MIT.EDU
Subject: Re: Kerberos http authentication
Date: Thu, 07 Feb 2002 14:09:16 -0800
Message-ID: <3C62FB0C.7143EDAC@cats.ucsc.edu>

"Booker C. Bense" wrote:
>
> We have a proxy-like fallback to the
> webauth system that creates cookies that look a lot like service
> tickets.

Is your module for doing that publicly available? I'd love to look at it.

From cesarg@ms.com Fri Feb 8 10:33:13 2002
From: Cesar Garcia
To: kerberos@mit.edu
Subject: Ticket forwarding and IP addresses
Date: Fri, 8 Feb 2002 10:33:12 -0500 (EST)
Message-ID: <15459.61368.330902.672691@imus.ms.com>

I've been working with 1.2.2 for some months now, and only recently
have attempted to get the rcmds working, mainly in an effort to better
understand how ticket forwarding works, since we have a need to do this
in a homegrown application.

The behavior that I see is that when I invoke ticket forwarding, the
"forwarded" tickets contain only a single IP address.

After walking through some of the code, it appears that the client, via
krb5_fwd_tgt_creds, determines the target's IP address via a host lookup
using gethostbyname(), as implemented in krb5_os_hostaddr(). Since we
use NIS as the primary source for hostname resolution, all host lookups
render a single IP address, even for multihomed machines. Moving to DNS
is not an option at the moment.

Additionally, we use Veritas VCS and other similar clustering facilities.
These hosts will have additional IP addresses that are not associated
with the real hostname, but with service names for a particular
cluster/application. So even if we were to switch to DNS, the client
would not be able to determine all the IP addresses for a given target
host via the hostname lookup that it uses today.

That said (barring hacks to application protocols that would allow target
hosts to send IP addresses back to the source host, then having the
client embed the full set of tickets), the way to address this would be
to have the target host obtain new tickets with a full set of IP
addresses.

1 - is this possible?
2 - is it within the limits of the specification?

If so, has anyone implemented this for 1.2.2 or any releases of MIT krb5?
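The failure Cesar is seeing comes from the address check a KDC applies to a ticket that carries a HostAddresses list: a TGS-REQ made with that ticket is only honoured when it arrives from one of the listed addresses, and the forwarding client only lists what gethostbyname() returned for the target. The model below is an added example, not code from the thread or from MIT krb5; the hostname, addresses and the one-answer "NIS map" are constructed, and the check itself follows RFC 4120 (section 3.3.3), which also covers the addressless case, a ticket with an empty list that is usable from any address.

```python
"""Why a forwarded TGT with one address fails on a multihomed target (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet

ADDRTYPE_INET = 2     # RFC 4120 HostAddress addr-type values
ADDRTYPE_INET6 = 24


@dataclass(frozen=True)
class HostAddress:
    addr_type: int
    address: bytes    # network byte order, as it is encoded inside the ticket


def host_address(text: str) -> HostAddress:
    ip = ipaddress.ip_address(text)
    return HostAddress(ADDRTYPE_INET if ip.version == 4 else ADDRTYPE_INET6, ip.packed)


@dataclass(frozen=True)
class ForwardedTgt:
    client: str
    caddr: FrozenSet[HostAddress]   # empty set == addressless ticket


# Constructed stand-in for the NIS hosts map: one address per name, even for a
# multihomed host (the single-answer gethostbyname() behaviour Cesar describes).
NIS_HOSTS: Dict[str, list] = {"app1": ["10.1.0.5"]}


def fwd_tgt_creds(client: str, target_host: str, addressless: bool = False) -> ForwardedTgt:
    """What the forwarding side does with addresses: resolve the target and
    stamp the answers into the forwarded TGT, unless an addressless ticket is
    requested."""
    if addressless:
        return ForwardedTgt(client, frozenset())
    return ForwardedTgt(client, frozenset(host_address(a) for a in NIS_HOSTS[target_host]))


def kdc_accepts_tgs_req(tgt: ForwardedTgt, source_addr: str) -> bool:
    """The KDC's check: a ticket with addresses is honoured only from one of
    them; an addressless ticket is honoured from anywhere."""
    return not tgt.caddr or host_address(source_addr) in tgt.caddr


def scenario(addressless: bool = False) -> Dict[str, bool]:
    """app1 is multihomed: 10.1.0.5 (the address NIS knows) and 10.2.0.5, a
    cluster service address.  Whether the forwarded TGT works depends on which
    of the two the target's route to the KDC leaves from."""
    tgt = fwd_tgt_creds("cesarg@EXAMPLE.COM", "app1", addressless)
    return {src: kdc_accepts_tgs_req(tgt, src) for src in ("10.1.0.5", "10.2.0.5")}


if __name__ == "__main__":
    print("addressed TGT:  ", scenario())
    print("addressless TGT:", scenario(addressless=True))
```

Run as a script it prints that the addressed TGT works from 10.1.0.5 only, while the addressless one works from both. The trade-off is the one the thread raises: an address list stops a stolen ticket being replayed from elsewhere, but it is exactly what breaks on multihomed and clustered targets; MIT krb5 exposes the addressless choice as the `noaddresses` setting in the `[libdefaults]` section of krb5.conf.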
From news@ra.nrl.navy.mil Fri Feb 8 10:55:27 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA28738 for ; Fri, 8 Feb 2002 10:55:27 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA14894 for ; Fri, 8 Feb 2002 10:55:26 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g18Fpcu16622 for kerberos@MIT.EDU; Fri, 8 Feb 2002 10:51:38 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Error "24" returned from INIT_CONTEXT under load From: Christopher Burke Message-ID: Date: Fri, 08 Feb 2002 15:54:08 GMT Organization: BigPond Internet Services (http://www.bigpond.net.au) To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: We are getting an error 24 (integer value of 24) returned from the init_context routine when I call it very frequently (sequentially - just 1 at a time). Given all the error numbers are big -ve number, what is this error and what might be causing it. 
-- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From kenh@cmf.nrl.navy.mil Fri Feb 8 11:10:18 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA28819 for ; Fri, 8 Feb 2002 11:10:17 -0500 (EST) Received: from ginger.cmf.nrl.navy.mil (ginger.cmf.nrl.navy.mil [134.207.12.161]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id LAA20489 for ; Fri, 8 Feb 2002 11:10:17 -0500 (EST) Received: from cmf.nrl.navy.mil (elvis.cmf.nrl.navy.mil [134.207.10.38]) (authenticated) by ginger.cmf.nrl.navy.mil (8.10.1/8.10.1) with ESMTP id g18GA8G04136; Fri, 8 Feb 2002 11:10:09 -0500 (EST) Message-Id: <200202081610.g18GA8G04136@ginger.cmf.nrl.navy.mil> To: Cesar Garcia cc: kerberos@mit.edu Subject: Re: Ticket forwarding and IP addresses In-reply-to: Your message of "Fri, 08 Feb 2002 10:33:12 EST." <15459.61368.330902.672691@imus.ms.com> X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yPkEpSD@*e` Date: Fri, 08 Feb 2002 11:10:08 -0500 From: Ken Hornstein Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >Since we use NIS as the primary source for hostname >resolution, all host lookups render a single IP address, >even for multihomed machines. Moving to DNS is not an >option at the moment. I have to ask ... you're STILL using NIS for hostname resolution? Ouch. 
>That said (barring hacks to application protocols that >would allow target hosts to send IP addresses back to >the source host, then having the client embed the full set >of tickets), the way to address this would be to have >the target host obtain new tickets will a full set of >IP addresses. > >1 - is this possible? The trick here is that one of the IP addresses in the target ticket _must_ be the IP address used to talk to the KDC; otherwise, you're outta luck. >2 - is it within the limits of the specification? Yes. It occurs to me that you could save yourself some pain and simply get a completely addressless ticket. There is a school of thought in the Kerberos world that suggests IP addresses in tickets are not that useful. --Ken From news@ra.nrl.navy.mil Fri Feb 8 11:10:27 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA28824 for ; Fri, 8 Feb 2002 11:10:27 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA02667 for ; Fri, 8 Feb 2002 11:10:26 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g18FvRc16650 for kerberos@MIT.EDU; Fri, 8 Feb 2002 10:57:27 -0500 (EST) From: ; X-Newsgroups: comp.protocols.kerberos Subject: Re: Kerberos http authentication Date: 8 Feb 2002 15:53:23 GMT Organization: Stanford University Message-ID: References: <3C62FB0C.7143EDAC@cats.ucsc.edu> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: -----BEGIN PGP SIGNED MESSAGE----- In article <3C62FB0C.7143EDAC@cats.ucsc.edu>, John Rudd wrote: >"Booker C. 
Bense" wrote: >> >> We have a proxy-like fallback to the >> webauth system that creates cookies that look a lot like service >> tickets. > >Is your module for doing that publicly available? I'd love to look at >it. - - It's something we keep talking about, but we never seem to get the tuit's available to make happen. - - At best I might be able to make a snapshot available, but it would be with the caveat that asking questions is verbotten. - - Booker C. Bense -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBPGP0cwD83u1ILnWNAQGXlwP/UotiQTsyNxmyyt/NUJ7JtfMzbkRFgVqt os53kyjeSo/Wc972ExuQNarv+6X/UlXKvCzfPi0vonMM7k4vFMQgDJqvfPZYsgfF qtvThJqZs4pHztclFo5WH4yk684W/TUh2c0ERKj5EPVhiYLtRbTC5KtU3qBrdrk/ 8nyEMb5BySY= =nvU1 -----END PGP SIGNATURE----- -- From ggsr@sonata-software.com Fri Feb 8 11:24:31 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA28972 for ; Fri, 8 Feb 2002 11:24:30 -0500 (EST) Received: from bg1mail.sonata-software.com ([164.164.142.10]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA09964 for ; Fri, 8 Feb 2002 11:24:28 -0500 (EST) Received: by BG1MAIL with Internet Mail Service (5.5.2653.19) id <1NSLKKC3>; Fri, 8 Feb 2002 21:57:47 +0530 Message-ID: <60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL> From: Sreedhar Gupta To: Christopher Burke , kerberos@mit.edu Subject: RE: Error "24" returned from INIT_CONTEXT under load Date: Fri, 8 Feb 2002 21:57:45 +0530 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hi, Error 24 (integer value)means, Preauthentication failed. 
Sreedhar Gupta

-----Original Message-----
From: Christopher Burke [mailto:craznar@hotmail.com]
Sent: Friday, February 08, 2002 9:24 PM
To: kerberos@mit.edu
Subject: Error "24" returned from INIT_CONTEXT under load

We are getting an error 24 (integer value of 24) returned from the
init_context routine when I call it very frequently (sequentially - just 1 at
a time).

Given all the error numbers are big -ve numbers, what is this error and what
might be causing it.

--
---
/* Christopher Burke - Spam Mail to craznar@hotmail.com
|* www.craznar.com -
\* Real mail to cburke(at)craznar(dot)com
_______________________________________________
Kerberos mailing list
Kerberos@mit.edu
http://mailman.mit.edu/mailman/listinfo/kerberos

*********************************************************************
Disclaimer: The information in this e-mail and any attachments is confidential / privileged. It is intended solely for the addressee or addressees. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind.
*********************************************************************

From Nicolas.Williams@ubsw.com Fri Feb 8 11:35:44 2002
Date: Fri, 8 Feb 2002 11:34:33 -0500
From: Nicolas Williams
To: Christopher Burke
Cc: kerberos@mit.edu
Subject: Re: Error "24" returned from INIT_CONTEXT under load
Message-ID: <20020208113432.V27171@sm2p1386swk.wdr.com>
X-Mailer: Mutt 1.0us

Positive errors are system errors (see intro(2) and your system's
errno.h).

It's most likely this: your process ran out of file descriptors. I.e.,
error 24 is EMFILE.

On Solaris you can get EMFILE from fopen() even though your process is
not out of file descriptors when: your process is 32-bit and all file
descriptors < 256 are taken.

Cheers,

Nico

On Fri, Feb 08, 2002 at 03:54:08PM +0000, Christopher Burke wrote:
> We are getting an error 24 (integer value of 24) returned from the
> init_context routine when I call it very frequently (sequentially - just 1 at
> a time).
>
> Given all the error numbers are big -ve numbers, what is this error and what
> might be causing it.
>
> --
> ---
> /* Christopher Burke - Spam Mail to craznar@hotmail.com
> |* www.craznar.com -
> \* Real mail to cburke(at)craznar(dot)com
> _______________________________________________
> Kerberos mailing list
> Kerberos@mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

From news@ra.nrl.navy.mil Fri Feb 8 11:40:27 2002
X-Newsgroups: comp.protocols.kerberos
Subject: RE: Error "24" returned from INIT_CONTEXT under load
From: Christopher Burke
References: <60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL>
Date: Fri, 08 Feb 2002 16:29:26 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)
To: kerberos@MIT.EDU

Any ideas why I would be getting it when I call it too often?

ggsr@sonata-software.com (Sreedhar Gupta) wrote in
news:60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL:

> Hi,
> Error 24 (integer value) means Preauthentication failed.
>
> Sreedhar Gupta
>
>
> -----Original Message-----
> From: Christopher Burke [mailto:craznar@hotmail.com]
> Sent: Friday, February 08, 2002 9:24 PM
> To: kerberos@mit.edu
> Subject: Error "24" returned from INIT_CONTEXT under load
>
>
> We are getting an error 24 (integer value of 24) returned from the
> init_context routine when I call it very frequently (sequentially - just
> 1 at
> a time).
>
> Given all the error numbers are big -ve numbers, what is this error and
> what might be causing it.
>

--
---
/* Christopher Burke - Spam Mail to craznar@hotmail.com
|* www.craznar.com -
\* Real mail to cburke(at)craznar(dot)com

From deengert@anl.gov Fri Feb 8 12:03:12 2002
Message-ID: <3C6404CC.B4A4E789@anl.gov>
Date: Fri, 08 Feb 2002 11:03:08 -0600
From: "Douglas E. Engert"
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
To: kerberos@mit.edu
CC: Cesar Garcia
Subject: Re: Ticket forwarding and IP addresses
References: <15459.61368.330902.672691@imus.ms.com>

Since the kinit has a -A noaddresses option, can this be
carried forward to forwardable tickets? i.e. if the TGT used
to get a forwardable ticket does not have addresses, don't
request addresses in a forwardable ticket.

This looks like an easy change to krb5_fwd_tgt_creds.
Has anyone done this?
Cesar Garcia wrote:
>
> I've been working with 1.2.2 for some months now, and only
> recently have attempted to get the rcmds working, mainly in
> an effort to better understand how ticket forwarding works,
> since we have a need to do this in a homegrown application.
>
> The behavior that I see is that when I invoke ticket
> forwarding, the "forwarded" tickets contain only a single
> IP address.
>
> After walking through some of the code, it appears that
> the client, via krb5_fwd_tgt_creds, determines the target's
> IP address via a host lookup using gethostbyname(), as
> implemented in krb5_os_hostaddr().
>
> Since we use NIS as the primary source for hostname
> resolution, all host lookups render a single IP address,
> even for multihomed machines. Moving to DNS is not an
> option at the moment. Additionally, we use Veritas VCS
> and other similar clustering facilities. These hosts
> will have additional IP addresses that are not associated
> with the real hostname, but with service names for a
> particular cluster/application. So even if we were to switch
> to DNS, the client would not be able to determine all the
> IP addresses for a given target host via the hostname
> lookup that it uses today.
>
> That said (barring hacks to application protocols that
> would allow target hosts to send IP addresses back to
> the source host, then having the client embed the full set
> of tickets), the way to address this would be to have
> the target host obtain new tickets with a full set of
> IP addresses.
>
> 1 - is this possible?
> 2 - is it within the limits of the specification?
>
> If so, has anyone implemented this for 1.2.2 or any
> releases of MIT krb5.
> _______________________________________________
> Kerberos mailing list
> Kerberos@mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Nicolas.Williams@ubsw.com Fri Feb 8 12:12:31 2002
Date: Fri, 8 Feb 2002 12:11:04 -0500
From: Nicolas Williams
To: "Douglas E. Engert"
Cc: kerberos@mit.edu, Cesar Garcia
Subject: Re: Ticket forwarding and IP addresses
Message-ID: <20020208121103.Y27171@sm2p1386swk.wdr.com>
References: <15459.61368.330902.672691@imus.ms.com> <3C6404CC.B4A4E789@anl.gov>
In-Reply-To: <3C6404CC.B4A4E789@anl.gov>; from deengert@anl.gov on Fri, Feb 08, 2002 at 11:03:08AM -0600
X-Mailer: Mutt 1.0us

On Fri, Feb 08, 2002 at 11:03:08AM -0600, Douglas E. Engert wrote:
> Since the kinit has a -A noaddresses option, can this be
> carried forward to forwardable tickets? i.e. if the TGT used
> to get a forwardable ticket does not have addresses, don't
> request addresses in a forwardable ticket.
>
> This looks like an easy change to krb5_fwd_tgt_creds.
> Has anyone done this?

An addressless TGT can be forwarded anywhere. As such there should
probably just be a shortcut

    if (is_addressless(TGT)) {
        forwarded_TGT = TGT;
        return;
    }

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From cesarg@ms.com Fri Feb 8 12:17:59 2002
Message-ID: <15460.2117.576657.866559@imus.ms.com>
Date: Fri, 8 Feb 2002 12:17:57 -0500 (EST)
From: Cesar Garcia
To: Ken Hornstein
Cc: Cesar Garcia , kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
In-Reply-To: <200202081610.g18GA8G04136@ginger.cmf.nrl.navy.mil>
References: <15459.61368.330902.672691@imus.ms.com> <200202081610.g18GA8G04136@ginger.cmf.nrl.navy.mil>
X-Mailer: VM 6.72 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid

>>>>> "Ken" == Ken Hornstein writes:

>> Since we use NIS as the primary source for hostname
>> resolution, all host lookups render a single IP address,
>> even for multihomed machines. Moving to DNS is not an
>> option at the moment.

Ken> I have to ask ... you're STILL using NIS for hostname resolution? Ouch.

Thanks for the sympathy. Unfortunately, in our case, migrating to DNS
is not a trivial effort, but let's not go there.

>> That said (barring hacks to application protocols that
>> would allow target hosts to send IP addresses back to
>> the source host, then having the client embed the full set
>> of tickets), the way to address this would be to have
>> the target host obtain new tickets with a full set of
>> IP addresses.
>>
>> 1 - is this possible?

Ken> The trick here is that one of the IP addresses in the target ticket
Ken> _must_ be the IP address used to talk to the KDC; otherwise, you're
Ken> outta luck.

>> 2 - is it within the limits of the specification?

Ken> Yes.

Ken> It occurs to me that you could save yourself some pain and simply get
Ken> a completely addressless ticket. There is a school of thought in the
Ken> Kerberos world that suggests IP addresses in tickets are not that useful.

OK. Let's reset a bit.

What I neglected to mention was that we are a former CyberSafe
customer, with remnants of CyberSafe code still in production.
(Now I'll be getting pity, not sympathy.)

Since the move to MIT has also been driven by the deployment of
platforms not supported by CyberSafe (e.g., linux), we have focused
primarily on application infrastructure. That said, the core CyberSafe
KDCs are still in place, in addition to a variety of other KDC based
services, either homegrown or adopted to work with a CyberSafe KDB.

Admittedly, I'll have to assess the current dependencies that we have
on IP addresses. The implementation of krb524d that we currently use
requires IP addresses, or it barfs. This may well be the only
dependency that we really have. Client krb524 code has already been
migrated to MIT.

That said, I'll investigate if we have any more dependencies on IP
addresses in tickets and start working on porting krb524d to the
CyberSafe KDB. Unfortunately, I can't use it as is for now, until we
migrate all the KDC services to MIT krb5 (or perhaps Heimdal, since
incremental propagation is a must have).

Nonetheless, we have all sorts of applications that obtain initial
credentials (various homegrown apps, PAM modules, sitecheck binaries
for irix) which would need to be "corrected".

Ticket forwarding was my immediate objective. But I'll submit I was
looking for the lazy way out.

Ken> --Ken

From deengert@anl.gov Fri Feb 8 12:48:22 2002
Message-ID: <3C640F5F.498F79EE@anl.gov>
Date: Fri, 08 Feb 2002 11:48:15 -0600
From: "Douglas E. Engert"
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
To: Nicolas Williams , kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
References: <15459.61368.330902.672691@imus.ms.com> <3C6404CC.B4A4E789@anl.gov> <20020208121103.Y27171@sm2p1386swk.wdr.com>

Nicolas Williams wrote:
>
> On Fri, Feb 08, 2002 at 11:03:08AM -0600, Douglas E. Engert wrote:
> > Since the kinit has a -A noaddresses option, can this be
> > carried forward to forwardable tickets? i.e. if the TGT used
> > to get a forwardable ticket does not have addresses, don't
> > request addresses in a forwardable ticket.
> >
> > This looks like an easy change to krb5_fwd_tgt_creds.
> > Has anyone done this?
>
> An addressless TGT can be forwarded anywhere. As such there should
> probably just be a shortcut
>
>     if (is_addressless(TGT)) {
>         forwarded_TGT = TGT;
>         return;
>     }

Not in all cases. But it might be you are using a forwardable TGT to
forward a non-forwardable TGT, so the options might be different.
Times could also be different...

>
> Nico
> --
> -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> -to a public e-mail mailing list I hereby grant permission to distribute-
> -and copy this message.-

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From kenh@cmf.nrl.navy.mil Fri Feb 8 13:23:23 2002
Message-Id: <200202081823.g18INGG05696@ginger.cmf.nrl.navy.mil>
To: Cesar Garcia
cc: kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
In-reply-to: Your message of "Fri, 08 Feb 2002 12:17:57 EST." <15460.2117.576657.866559@imus.ms.com>
Date: Fri, 08 Feb 2002 13:23:15 -0500
From: Ken Hornstein

>What I neglected to mention was that we are a former CyberSafe
>customer, with remnants of CyberSafe code still in production.
>(Now I'll be getting pity, not sympathy.)

You poor bastard :-/

>Admittedly, I'll have to assess the current dependencies that
>we have on IP addresses. The implementation of krb524d that
>we currently use requires IP addresses, or it barfs. This may
>well be the only dependency that we really have. Client krb524
>code has already been migrated to MIT.

Oh! Shoot, that's an easy fix ... I did that a long time ago. Contact
me privately if you want the fix for that.

--Ken

From wyllys.ingersoll@sun.com Fri Feb 8 14:05:25 2002
Message-ID: <3C642289.5010006@sun.com>
Date: Fri, 08 Feb 2002 14:10:01 -0500
From: Wyllys Ingersoll
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:0.9.7) Gecko/20011221
To: "Douglas E. Engert"
CC: kerberos@mit.edu, Cesar Garcia
Subject: Re: Ticket forwarding and IP addresses
References: <15459.61368.330902.672691@imus.ms.com> <3C6404CC.B4A4E789@anl.gov>

I think I raised this same issue back in November (11-19-01 is the
last email on it that I have saved). Anyway, below was my suggestion,
but I never followed up on it at the time. It seems similar to what
Nico just suggested.

---
> Douglas E. Engert wrote:
>
>>>>
>>>Should the last line be only:
>>>
>>> FWD_TGT.addresses = Remote Host addr.
>>>
>>>as the forwarded TGT should only be usable from the remote host.
>>>
>>>
>>I was thinking that if someone explicitly put in a list of addresses
>>in their TGT (not sure if anyone would actually do that), then that
>>list would probably want to be maintained after forwarding.
>>
>
>
> I would say no. The intent of the addresses was to limit the
> usefulness of a ticket to a specific machine i.e. detect if it had
> been stolen. So when you get a new forwardable TGT it should be
> usable only from the machine to which it is to be forwarded.

Well, that makes the fix easier. But, do you agree that the forwarded
ticket should be addressless if the original ticket was addressless
also?

The fix I have in mind is this (in fwd_tgt.c):

    if TGT.addresses ==
        FWD_TGT.addresses =
    else
        FWD_TGT.addresses = rhost address.

-Wyllys

Douglas E. Engert wrote:
> Since the kinit has a -A noaddresses option, can this be
> carried forward to forwardable tickets? i.e. if the TGT used
> to get a forwardable ticket does not have addresses, don't
> request addresses in a forwardable ticket.
>
> This looks like an easy change to krb5_fwd_tgt_creds.
> Has anyone done this?
>
>
>
> Cesar Garcia wrote:
>
>>I've been working with 1.2.2 for some months now, and only
>>recently have attempted to get the rcmds working, mainly in
>>an effort to better understand how ticket forwarding works,
>>since we have a need to do this in a homegrown application.
>>
>>The behavior that I see is that when I invoke ticket
>>forwarding, the "forwarded" tickets contain only a single
>>IP address.
>>
>>After walking through some of the code, it appears that
>>the client, via krb5_fwd_tgt_creds, determines the target's
>>IP address via a host lookup using gethostbyname(), as
>>implemented in krb5_os_hostaddr().
>>
>>Since we use NIS as the primary source for hostname
>>resolution, all host lookups render a single IP address,
>>even for multihomed machines. Moving to DNS is not an
>>option at the moment. Additionally, we use Veritas VCS
>>and other similar clustering facilities. These hosts
>>will have additional IP addresses that are not associated
>>with the real hostname, but with service names for a
>>particular cluster/application. So even if we were to switch
>>to DNS, the client would not be able to determine all the
>>IP addresses for a given target host via the hostname
>>lookup that it uses today.
>>
>>That said (barring hacks to application protocols that
>>would allow target hosts to send IP addresses back to
>>the source host, then having the client embed the full set
>>of tickets), the way to address this would be to have
>>the target host obtain new tickets with a full set of
>>IP addresses.
>>
>>1 - is this possible?
>>2 - is it within the limits of the specification?
>>
>>If so, has anyone implemented this for 1.2.2 or any
>>releases of MIT krb5.
>>_______________________________________________
>>Kerberos mailing list
>>Kerberos@mit.edu
>>http://mailman.mit.edu/mailman/listinfo/kerberos
>>
>

From news@ra.nrl.navy.mil Fri Feb 8 15:55:34 2002
From: Dan Riley
X-Newsgroups: comp.protocols.kerberos
Subject: Re: Error "24" returned from INIT_CONTEXT under load
Date: 08 Feb 2002 15:43:22 -0500
Organization: LNS, Cornell U., Ithaca, NY 14853
References: <60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL>
To: kerberos@MIT.EDU

ggsr@sonata-software.com (Sreedhar Gupta) writes:
> Error 24 (integer value) means Preauthentication failed.

Error 24 is preauth failed in KRB_ERROR protocol messages, but *not*
in a library return value. Library return values have their own error
table distinct from the KRB_ERROR protocol, and, as Nico said,
positive library return values are system errno's; Kerberos errors
are large (in magnitude) negative numbers.

--
Dan Riley dsr@mail.lns.cornell.edu
"Mr. Ellison is presently the sole member of the Plan Committee. The
Plan Committee did not meet during fiscal year 2001, and during that
same period, acted 46 times by unanimous written consent."
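An added illustration of the point Nico and Dan make above, not code from the thread or from MIT krb5: a C routine that tells a positive errno-style return value apart from a com_err-style Kerberos error code by unpacking the table name and offset the way libcom_err's error_table_name() does. The table base value is the one published as ERROR_TABLE_BASE_krb5 in krb5_err.h; the function names are my own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base of the "krb5" com_err table; matches ERROR_TABLE_BASE_krb5 in krb5_err.h. */
#define KRB5_TABLE_BASE (-1765328384L)

typedef enum { CODE_OK, CODE_SYSTEM_ERRNO, CODE_COM_ERR } code_kind;

/* com_err packs a table name into the high 24 bits of the code, 6 bits per
 * character, using this alphabet (index = 6-bit value - 1). */
static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Recover the table name ("krb5", "kv5m", ...) from a com_err code; same
 * scheme as libcom_err's error_table_name(). */
static void table_name(int32_t code, char name[5]) {
    uint32_t packed = ((uint32_t)code >> 8) & 0xFFFFFFu;
    int n = 0;
    for (int i = 3; i >= 0; i--) {
        unsigned ch = (packed >> (6 * i)) & 0x3Fu;
        if (ch != 0)
            name[n++] = char_set[ch - 1];
    }
    name[n] = '\0';
}

/* Classify a krb5 library return value. For errno values 'sys_errno' is set;
 * for com_err codes 'table' and 'offset' are filled in. */
code_kind classify_krb5_code(int32_t code, char table[5], int *offset, int *sys_errno) {
    table[0] = '\0';
    *offset = 0;
    *sys_errno = 0;
    if (code == 0)
        return CODE_OK;
    /* com_err codes always carry a table name in the high bits, so their
     * magnitude is >= 256; a small positive value is a plain errno. */
    if (code > 0 && code < 256) {
        *sys_errno = (int)code;
        return CODE_SYSTEM_ERRNO;
    }
    table_name(code, table);
    *offset = (int)((uint32_t)code & 0xFFu);
    return CODE_COM_ERR;
}

/* Convenience wrappers for callers that only want one answer. */
int krb5_code_kind(int32_t code) {
    char t[5]; int o, e;
    return (int)classify_krb5_code(code, t, &o, &e);
}
int krb5_code_offset(int32_t code) {
    char t[5]; int o, e;
    classify_krb5_code(code, t, &o, &e);
    return o;
}
int krb5_code_table_is(int32_t code, const char *name) {
    char t[5]; int o, e;
    classify_krb5_code(code, t, &o, &e);
    return strcmp(t, name) == 0;
}

/* Render a one-line diagnostic for a return value. */
void describe_krb5_code(int32_t code, char *out, size_t outlen) {
    char table[5];
    int offset, err;
    switch (classify_krb5_code(code, table, &offset, &err)) {
    case CODE_OK:
        snprintf(out, outlen, "0: success");
        break;
    case CODE_SYSTEM_ERRNO:
        snprintf(out, outlen, "%d: system errno (%s)%s", err, strerror(err),
                 err == EMFILE ? "; check for leaked descriptors" : "");
        break;
    case CODE_COM_ERR:
        snprintf(out, outlen, "%ld: com_err table \"%s\", offset %d",
                 (long)code, table, offset);
        break;
    }
}

int main(void) {
    char buf[128];
    /* The value from the thread: 24 is a system errno (EMFILE on Solaris
     * and Linux), i.e. the process hit its open-file limit. */
    describe_krb5_code(24, buf, sizeof buf);
    puts(buf);
    /* What a real preauthentication failure looks like to the caller:
     * offset 24 of the "krb5" table (KRB5KDC_ERR_PREAUTH_FAILED), a large
     * negative number, not 24. */
    describe_krb5_code((int32_t)(KRB5_TABLE_BASE + 24), buf, sizeof buf);
    puts(buf);
    return 0;
}
```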
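For the ticket-forwarding thread above: an added model, my own and not MIT krb5's fwd_tgt.c, of the address rule Wyllys and Doug converge on, together with the receiving-side check that gives address-bearing tickets their value. The types, function names and addresses are simplified stand-ins constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 8

typedef struct { uint8_t ip[4]; } host_addr;   /* ticket host address, IPv4 only here */

/* Stand-in for the parts of a TGT this discussion cares about. */
typedef struct {
    bool forwardable;            /* FORWARDABLE flag */
    bool forwarded;              /* FORWARDED flag */
    size_t n_addrs;              /* 0 == addressless ticket (kinit -A) */
    host_addr addrs[MAX_ADDRS];
} tgt;

static bool addr_eq(const host_addr *a, const host_addr *b) {
    return memcmp(a->ip, b->ip, sizeof a->ip) == 0;
}

/* Address rule from the thread: an addressless TGT yields an addressless
 * forwarded TGT; otherwise the forwarded TGT lists only the remote host, so
 * a copy taken from anywhere else is useless. A real implementation still
 * asks the KDC for a fresh ticket rather than aliasing the original, since
 * flags and lifetimes may differ (Doug's caveat on Nico's shortcut). */
bool choose_forwarded_tgt(const tgt *orig, const host_addr *rhost, tgt *out) {
    if (!orig->forwardable)
        return false;                     /* the KDC would refuse; so do we */
    memset(out, 0, sizeof *out);
    out->forwardable = true;
    out->forwarded = true;
    if (orig->n_addrs == 0) {
        out->n_addrs = 0;                 /* stays addressless */
    } else {
        out->n_addrs = 1;
        out->addrs[0] = *rhost;           /* FWD_TGT.addresses = rhost address */
    }
    return true;
}

/* The check the receiving side makes: an address-bearing ticket is honoured
 * only from an address it lists; an addressless one from anywhere. */
bool ticket_usable_from(const tgt *t, const host_addr *client) {
    if (t->n_addrs == 0)
        return true;
    for (size_t i = 0; i < t->n_addrs; i++)
        if (addr_eq(&t->addrs[i], client))
            return true;
    return false;
}

/* Scenarios from the thread; returns how many of the four behaved as
 * expected (4 == all). Addresses are constructed sample values. */
int run_forwarding_scenarios(void) {
    host_addr src = {{10, 0, 0, 1}};        /* where the TGT was obtained */
    host_addr rhost = {{10, 0, 0, 2}};      /* gethostbyname() answer for the target */
    host_addr elsewhere = {{10, 0, 0, 3}};  /* a host that got hold of a copy */
    host_addr kdc_iface = {{10, 0, 1, 2}};  /* target's other, KDC-facing interface */
    tgt orig, fwd;
    int ok = 0;

    /* 1. Address-bearing TGT: forwarded copy works at rhost and nowhere else. */
    memset(&orig, 0, sizeof orig);
    orig.forwardable = true;
    orig.n_addrs = 1;
    orig.addrs[0] = src;
    if (choose_forwarded_tgt(&orig, &rhost, &fwd) &&
        ticket_usable_from(&fwd, &rhost) && !ticket_usable_from(&fwd, &elsewhere))
        ok++;

    /* 2. Addressless TGT: forwarded copy is addressless too. */
    orig.n_addrs = 0;
    if (choose_forwarded_tgt(&orig, &rhost, &fwd) && fwd.n_addrs == 0 &&
        ticket_usable_from(&fwd, &elsewhere))
        ok++;

    /* 3. A non-forwardable TGT is refused outright. */
    orig.forwardable = false;
    orig.n_addrs = 1;
    if (!choose_forwarded_tgt(&orig, &rhost, &fwd))
        ok++;

    /* 4. Cesar's case: the lookup gave one address, but the multihomed target
     *    reaches the KDC from another, so the forwarded ticket is unusable
     *    there (Ken's point that a listed address must be the KDC-facing one). */
    orig.forwardable = true;
    if (choose_forwarded_tgt(&orig, &rhost, &fwd) && !ticket_usable_from(&fwd, &kdc_iface))
        ok++;

    return ok;
}

int main(void) {
    printf("%d of 4 forwarding scenarios behaved as the thread describes\n",
           run_forwarding_scenarios());
    return 0;
}
```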
From news@ra.nrl.navy.mil Fri Feb 8 16:40:29 2002
From: "vkd"
X-Newsgroups: comp.protocols.kerberos
Subject: pam_krb5 for solaris
Date: Fri, 08 Feb 2002 21:27:05 GMT
Organization: Excite@Home - The Leader in Broadband http://home.com/faster
To: kerberos@MIT.EDU

Where can I get proper pam_krb5 source that works on solaris?

I got one from this site: http://www.fcusack.com but get this error message:

Feb 8 15:50:11 dot2 sshd[5445]: fatal: PAM initialisation failed[4]: System error
Feb 8 15:50:46 dot2 sshd[5448]: load_modules: can not open module /usr/lib/security/pam_krb5.so.1

Now, just a check:

----------------------------------------
$ ls -la /usr/lib/security/pam_krb5.so.1
-rwxr-xr-x 1 root other 724852 Feb 8 15:46 /usr/lib/security/pam_krb5.so.1*

$ ldd /usr/lib/security/pam_krb5.so.1
	libpam.so.1 => /usr/lib/libpam.so.1
	libnsl.so.1 => /usr/lib/libnsl.so.1
	libsocket.so.1 => /usr/lib/libsocket.so.1
	libc.so.1 => /usr/lib/libc.so.1
	libdl.so.1 => /usr/lib/libdl.so.1
	libmp.so.2 => /usr/lib/libmp.so.2
	/usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1

$ file /usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5.so.1: ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped
----------------------------------------

Here is how I modified the Makefile:

CC = gcc
CFLAGS = -O2 -fPIC
#LDFLAGS = -shared
LDFLAGS = -G
DESTDIR = /usr/lib/security
MANDIR = /usr/local/man/man5
OSLIBS = -lpam -lnsl -lsocket
KRB5LIBS = -L/usr/kerberos/lib -R/usr/kerberos/lib -lkrb5 -lk5crypto -lcom_err
LIBS = $(OSLIBS) $(KRB5LIBS)
INC = -I/usr/include -I/usr/kerberos/include -I/usr/local/include

The version of Kerberos installed into /usr/kerberos is MIT (latest
stable release). I didn't know of any other Kerberos distros. Are there
any? How do they compare?

Any ideas? How should one properly set up Kerberos into PAM?

Here is my SSH config in pam.conf:

######################################################################
# SSH
######################################################################
#sshd auth sufficient /usr/lib/security/pam_krb5.so.1 try_first_pass
sshd auth required /usr/lib/security/pam_unix.so.1
sshd account required /usr/lib/security/pam_unix.so.1
sshd session required /usr/lib/security/pam_unix.so.1
#sshd session optional /usr/lib/security/pam_krb5.so.1

I commented it out for now (since it doesn't work) but that's what I used.

From news@ra.nrl.navy.mil Fri Feb 8 17:25:28 2002
X-Newsgroups: comp.protocols.kerberos
Subject: Re: Error "24" returned from INIT_CONTEXT under load
From: Christopher Burke
References: <20020208113432.V27171@sm2p1386swk.wdr.com>
Date: Fri, 08 Feb 2002 22:23:37 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)
To: kerberos@MIT.EDU

Nicolas.Williams@ubsw.com (Nicolas Williams) wrote in
news:20020208113432.V27171@sm2p1386swk.wdr.com:

> Positive errors are system errors (see intro(2) and your system's
> errno.h).
>
> It's most likely this: your process ran out of file descriptors. I.e.,
> error 24 is EMFILE.
>
> On Solaris you can get EMFILE from fopen() even though your process is
> not out of file descriptors when: your process is 32-bit and all file
> descriptors < 256 are taken.

But it only gets called one at a time, and I remove/free both the context and the credential cache....

-- 
--- /* Christopher Burke - Spam Mail to craznar@hotmail.com
    |* www.craznar.com -
    \* Real mail to cburke(at)craznar(dot)com

From chama0@eudoramail.com Sat Feb 9 00:27:17 2002
Message-Id: <200202090527.AAA21807@pacific-carrier-annex.mit.edu>
From: "dr.mrs.marian abacha"
Subject: urgent assistance
Date: Fri, 8 Feb 2002 06:27:55 +0100

ATTN: THE PRESIDENT/CEO

Dear Sir / Madam,

I am Dr. Mrs. Marian Abacha, wife to the late Nigerian Head of State, General Sani Abacha, who died on the 8th of June 1998 while still on active service for our country. I am contacting you with the hope that you will be of great assistance to me. I currently have within my reach the sum of 76 MILLION U.S. dollars cash which I intend to use for investment purposes outside Nigeria. This money came as a result of a payback contract deal between my husband and a Russian firm in our country's multi-billion dollar Ajaokuta steel plant.
The Russian partners returned my husband's share, being the above sum, after his death. Presently, the new civilian Government has intensified their probe into my husband's financial resources, which has led to the freezing of all our accounts, local and foreign, the revoking of all our business licenses and the arrest of my first son. In view of this I acted very fast to withdraw this money from one of our finance houses before it was closed down. I have deposited the money in a security vault for safe keeping with the help of very loyal officials of my late husband. No record is known about this fund by the government because there is no documentation showing that we received such funds.

Due to the current situation in the country and the government's attitude to my financial affairs, I cannot make use of this money within. Bearing in mind that you may assist me, 20% of the total amount will be paid to you for your assistance, while 5% will be set aside for expenses incurred by the parties involved, and this will be paid before sharing. Half of my 75% will be paid into my account on your instruction once the money hits your account, while the other half will be invested by your humble self in any viable business venture you deem fit, with you as manager of the invested funds. Remunerations during the investment period will be on a 50/50 basis.

Your URGENT response is needed. All correspondence must be through my lawyer, fax: 234-1-7594494, attentioned to my attorney (Abbas Bundu). Please do not forget to include your direct tel/fax line for easy reach. I hope I can trust you with my family's last financial hope.

Regards,
Dr. Mrs. Marian Sani Abacha
C/o Abbas Bundu (counsel)

From news@ra.nrl.navy.mil Sat Feb 9 12:10:34 2002
From: nijsure@cs.unt.edu (Sandeep)
X-Newsgroups: comp.protocols.kerberos
Subject: MD5 passwords possible with Kerberos?
Date: 9 Feb 2002 08:59:01 -0800
Organization: http://groups.google.com/
To: kerberos@MIT.EDU

Hi all,

I am kinda new to Kerberos, but I have read that one of the biggest drawbacks of Kerberos is that the passwords need to be stored cleartext on the master server, a BIG security risk.

Just like Unix passwords are never stored cleartext, but always hashed, why not do the same thing with Kerberos? Store MD5 passwords on the master server, and use them for encrypting the TGT. So the Kerberized login will first compute the MD5 hash, and then decode the initial TGT.

Is this already done in Kerberos? If yes, what is the version that supports this?
Thanks a lot
Sandeep

From news@ra.nrl.navy.mil Sat Feb 9 21:40:33 2002
X-Newsgroups: comp.protocols.kerberos
Subject: Re: MD5 passwords possible with Kerberos?
From: Christopher Burke
Date: Sun, 10 Feb 2002 02:33:38 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)
To: kerberos@MIT.EDU

nijsure@cs.unt.edu (Sandeep) wrote in news:b04cb7e1.0202090859.3d9370b3@posting.google.com:

> I am kinda new to Kerberos, but I have read that one of the biggest
> drawbacks of Kerberos is that the passwords need to be stored
> cleartext on the master server, a BIG security risk..
>

I don't think so ... I am sure our K4 passwords are hashed on the server.
-- 
--- /* Christopher Burke - Spam Mail to craznar@hotmail.com
    |* www.craznar.com -
    \* Real mail to cburke(at)craznar(dot)com

From mdw@umich.edu Sat Feb 9 21:59:15 2002
Message-Id: <200202100259.VAA11501@quince.ifs.umich.edu>
To: nijsure@cs.unt.edu (Sandeep)
cc: kerberos@mit.edu
Subject: Re: MD5 passwords possible with Kerberos?
In-reply-to: Your message of "09 Feb 2002 08:59:01 PST."
Date: Sat, 09 Feb 2002 21:59:13 -0500
From: Marcus Watts

nijsure@cs.unt.edu (Sandeep) writes:
> Hi all,
>
> I am kinda new to Kerberos, but I have read that one of the biggest
> drawbacks of Kerberos is that the passwords need to be stored
> cleartext on the master server, a BIG security risk..
>
> Just like Unix passwords are never stored cleartext, but always
> hashed, why not do the same thing with Kerberos? Store MD5 passwords
> on the master server, and use them for encrypting the TGT. So the
> Kerberized login will first compute the MD5 hash, and then decode the
> initial TGT.
>
> Is this already done in Kerberos? if yes, what is the version that
> supports this?

The MIT KDC does not store passwords in the clear. It stores keys derived via a one-way algorithm from the user's password.
For further security, these keys are also encrypted once more using a "master secret" key, which can be stored offline if desired. The "master secret" stuff is all described in the kerberos documentation - administration and installation.

In kerberos, the one-way algorithm is called the "string to key" function. I believe current versions of MIT support 3 basic "string to key" algorithms, which could be called "des", "afs", and "n-fold" (used for des3). All of these have theoretical disadvantages. It's been proposed to use pbkdf2 (from PKCS #5) with AES - which is sorta based on the MD5 Unix crypt function. That has its own issues.

All of these issues pale in comparison to some much more fundamental problems with using Kerberos securely - while this is a good theoretical area to investigate, if you're interested in practical security there's a bunch of other things that are *far* more important to solve first. Here is an incomplete list of weaknesses that you might find more useful to consider:

(1) Most production kerberos realms still use regular DES and no preauth. This means they should not be used to protect any secret worth more than $100,000.

(2) If you can somehow compromise an operational KDC, you can very likely get a copy of everyone's key. If you know the key, you don't *need* to know the password; the key is good enough to impersonate the person. It is *MUCH* more important to protect a KDC key database than it is to protect a regular Unix password database. Fortunately, it is also easier to do this, because a KDC should not be accessible by regular users and should be providing as few services as possible. The practical use of the "master secret" is to make kerberos database backups useless to an attacker. There *are* ways to make even complete knowledge of what's in a KDC database "less" useful. Stanford's SRP is one attempt to do this. There are some computational scaling issues to doing this in a large KDC.
(3) Most humans can only remember a plaintext password containing about 40 bits of entropy. Even using DES3 won't fix this problem. Preauth with some additional secret is probably the only real fix for this. Some people claim additional computational complexity in the string to key function will fix this, but I think this is only a placebo -- see (6).

(4) It would be worth changing the key for krbtgt and other important security principals on a regular basis. This is especially important for DES. I don't know of any simple way to make this automatically happen in MIT K5. This is one of the areas where Transarc's kaserver was actually stronger.

(5) A crucial weakness in many