From news@ra.nrl.navy.mil Tue Feb 5 22:49:48 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id WAA15748 for ; Tue, 5 Feb 2002 22:49:48 -0500 (EST)
Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id WAA04610 for ; Tue, 5 Feb 2002 22:49:47 -0500 (EST)
Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g163Z8l10268 for kerberos@MIT.EDU; Tue, 5 Feb 2002 22:35:08 -0500 (EST)
X-Newsgroups: comp.protocols.kerberos
Subject: Re: KERB V5 + SEGV_MAPERR
From: Christopher Burke
References: <15456.35709.443260.168630@imus.ms.com>
Message-ID:
Date: Wed, 06 Feb 2002 03:37:42 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)
To: kerberos@MIT.EDU
Sender: kerberos-admin@mit.edu
Errors-To: kerberos-admin@mit.edu
X-BeenThere: kerberos@mit.edu
X-Mailman-Version: 2.0
Precedence: bulk
List-Help:
List-Post:
List-Subscribe: ,
List-Id: The Kerberos Authentication System Mailing List
List-Unsubscribe: ,
List-Archive:

Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in
news:15456.35709.443260.168630@imus.ms.com:

>
> I gather your application is multithreaded, or at least built
> with threads in mind ...
>
> You should build your kerberos libs with -D_REENTRANT.

Yes, my application is multi-threaded; however, I do have a mutex around the
entire call to the kerberos stuff ... shouldn't that help?

--
---
/* Christopher Burke - Spam Mail to craznar@hotmail.com
|* www.craznar.com -
\* Real mail to cburke(at)craznar(dot)com

From cesarg@ms.com Wed Feb 6 08:42:49 2002
Message-ID: <15457.13015.509560.428762@imus.ms.com>
Date: Wed, 6 Feb 2002 08:42:47 -0500 (EST)
From: Cesar Garcia
To: Christopher Burke
Cc: kerberos@mit.edu
Subject: Re: KERB V5 + SEGV_MAPERR
References: <15456.35709.443260.168630@imus.ms.com>

The mutex keeps multiple threads from simultaneously entering a mutexed
code segment. This problem has more to do with how errno is defined.

Keep in mind that most system calls (e.g., stat, fork, open, etc.) set errno
on failure (this is done implicitly, since errno is not passed in as an
argument to the system call). In non-multithreaded apps, it's reasonable for
errno to be defined as a global variable, since it's not possible for multiple
system calls to be invoked concurrently. In multithreaded apps, this is a
problem. Since your libs are not built with -D_REENTRANT, the kerberos libs
are referencing the global errno, instead of the thread-specific errno which
stat is actually using. Hence your problem.

>>>>> "Christopher" == Christopher Burke writes:

Christopher> Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in
Christopher> news:15456.35709.443260.168630@imus.ms.com:
>>
>> I gather your application is multithreaded, or at least built
>> with threads in mind ...
>>
>> You should build your kerberos libs with -D_REENTRANT.

Christopher> Yes my application is multi-threaded however I do have a mutex around the
Christopher> entire call to the kerberos stuff ... shouldn't that help ?
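The point Cesar makes above (a mutex around the Kerberos calls does not help when the library reads a global errno while the system calls write a per-thread one) can be seen in a few lines of C. The program below is an added example written for this archive; it is not code from the thread, from the Kerberos libraries, or from the poster's plugin. It assumes a pthreads build (`cc -pthread`) and a constructed, non-existent path; the hand-off flag `stage` and the function names are mine. Thread A fails one system call, lets thread B fail a different one, and only then reads errno back: with the thread-specific errno that a reentrant build (`-D_REENTRANT`, or `-mt` on Solaris) selects, A still sees its own error code. On current glibc errno is always thread-local, so the program shows the behaviour the reentrant build was needed for in 2002; a single shared errno would make A observe B's error instead, which is exactly the kind of confusion that turns into a later crash.

```c
/* Added example (not code from the thread or from Kerberos): each thread
 * keeps its own errno across another thread's failing system call.
 * Assumes a pthreads build; the failing path is constructed. */
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

static atomic_int stage;            /* hand-off between the two threads (mine) */

struct result { int seen_errno; };

/* Thread A: fail with ENOENT, wait until B has failed too, then re-read errno. */
static void *thread_a(void *arg)
{
    struct result *r = arg;
    errno = 0;
    (void)open("/nonexistent-constructed-dir/file", O_RDONLY);  /* ENOENT */
    atomic_store(&stage, 1);                 /* let B run its failing call */
    while (atomic_load(&stage) != 2)
        sched_yield();                       /* does not touch errno on success */
    r->seen_errno = errno;                   /* per-thread errno: still ENOENT */
    return NULL;
}

/* Thread B: wait for A's failure, then fail with EISDIR and record errno. */
static void *thread_b(void *arg)
{
    struct result *r = arg;
    while (atomic_load(&stage) != 1)
        sched_yield();
    errno = 0;
    (void)open("/", O_WRONLY);               /* a directory opened for writing: EISDIR */
    r->seen_errno = errno;
    atomic_store(&stage, 2);                 /* release A */
    return NULL;
}

/* Runs both threads; returns 1 if each thread kept its own errno, else 0. */
int errno_is_thread_specific(void)
{
    struct result a = {0}, b = {0};
    pthread_t ta, tb;

    atomic_store(&stage, 0);
    if (pthread_create(&ta, NULL, thread_a, &a) != 0)
        return 0;
    if (pthread_create(&tb, NULL, thread_b, &b) != 0) {
        atomic_store(&stage, 2);             /* unblock A so it can exit */
        pthread_join(ta, NULL);
        return 0;
    }
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);
    return a.seen_errno == ENOENT && b.seen_errno == EISDIR;
}

int main(void)
{
    printf("errno is %s\n", errno_is_thread_specific()
                                ? "thread-specific"
                                : "shared between threads (not reentrant)");
    return 0;
}
```

The ordering matters: A's errno is read only after B's call has failed, so a shared errno could not pass the check. Compile with `cc -pthread errno_demo.c`; a library built without the reentrant flag on a system where that flag selects the per-thread errno would be the situation the thread describes, and no amount of locking in the caller changes which errno the library reads.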
From turbo@bayour.com Wed Feb 6 09:48:10 2002
To: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
References: <87elk11sko.fsf@papadoc.bayour.com>
From: Turbo Fredriksson
Organization: Bah!
Date: 06 Feb 2002 15:48:06 +0100
In-Reply-To: <87elk11sko.fsf@papadoc.bayour.com>
Message-ID: <871yfyfyzd.fsf@papadoc.bayour.com>

Quoting Turbo Fredriksson :

> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> Authenticating as principal turbo@BAYOUR.COM with password.
> kadmin.local: Permission denied while initializing kadmin.local interface

Does anyone have a suggestion why this is happening?

Khaddafi colonel Kennedy [Hello to all my fans in domestic surveillance] kibo
cracking BATF North Korea SEAL Team 6 counter-intelligence Peking explosion
Legion of Doom FBI Delta Force
[See http://www.aclu.org/echelonwatch/index.html for more about this]

From kenh@cmf.nrl.navy.mil Wed Feb 6 11:17:36 2002
Message-Id: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
To: Turbo Fredriksson
cc: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
In-reply-to: Your message of "06 Feb 2002 15:48:06 +0100." <871yfyfyzd.fsf@papadoc.bayour.com>
Date: Wed, 06 Feb 2002 11:17:16 -0500
From: Ken Hornstein

>Quoting Turbo Fredriksson :
>
>> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
>> Authenticating as principal turbo@BAYOUR.COM with password.
>> kadmin.local: Permission denied while initializing kadmin.local interface
>
>Does anyone have a suggestion why this is happening?

Now that I think about it ... why on earth are you giving a principal name
to kadmin.local?

--Ken

From andreas@conectiva.com.br Wed Feb 6 11:49:06 2002
Date: Wed, 6 Feb 2002 14:49:01 -0200
From: Andreas Hasenack
To: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020206164901.GA3038@conectiva.com.br>
References: <871yfyfyzd.fsf@papadoc.bayour.com> <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
In-Reply-To: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>

On Wed, Feb 06, 2002 at 11:17:16AM -0500, Ken Hornstein wrote:
> >> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> >> Authenticating as principal turbo@BAYOUR.COM with password.
> >> kadmin.local: Permission denied while initializing kadmin.local interface
> >
> >Does anyone have a suggestion why this is happening?
>
> Now that I think about it ... why on earth are you giving a principal name
> to kadmin.local?

I think it doesn't matter:

# kadmin.local -p bla@IDFODF.AKDLS
Authenticating as principal bla@IDFODF.AKDLS with password.
kadmin.local:

From news@ra.nrl.navy.mil Wed Feb 6 12:34:53 2002
X-Newsgroups: comp.protocols.kerberos
Subject: Re: KERB V5 + SEGV_MAPERR
From: Christopher Burke
References: <15456.35709.443260.168630@imus.ms.com> <15457.13015.509560.428762@imus.ms.com>
Date: Wed, 06 Feb 2002 17:31:14 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)
To: kerberos@MIT.EDU

Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in
news:15457.13015.509560.428762@imus.ms.com:

> This problem has more to do with how errno is defined. Keep in mind
> that most system calls (e.g., stat, fork, open, etc) set errno on
> failure (this is done implicitly, since errno is not passed in as
> an argument to the system call).
Thank you. Between my last message and now, our kerberos administrator has
recompiled K5 with '-mt' and now our directory administrator (me) has a
working Directory Server 5.1 kerberos authentication plugin.

Now for some load testing ....

From andreas@conectiva.com.br Wed Feb 6 12:35:41 2002
Date: Wed, 6 Feb 2002 15:35:28 -0200
From: Andreas Hasenack
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020206173528.GC3038@conectiva.com.br>
References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com>
In-Reply-To: <871yfyfyzd.fsf@papadoc.bayour.com>

On Wed, Feb 06, 2002 at 03:48:06PM +0100, Turbo Fredriksson wrote:
> Quoting Turbo Fredriksson :
>
> > turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> > Authenticating as principal turbo@BAYOUR.COM with password.
> > kadmin.local: Permission denied while initializing kadmin.local interface
>
> Does anyone have a suggestion why this is happening?

Hmm, you are running kadmin.local as root, aren't you?

From bundu100@eudoramail.com Wed Feb 6 20:58:55 2002
Message-Id: <200202070158.UAA03547@pacific-carrier-annex.mit.edu>
From: "dr.mrs.marian abacha"
To:
Subject: urgent assistance
Date: Thu, 7 Feb 2002 03:00:45 -0800
Reply-To: "dr.mrs.marian abacha"

ATTN: THE PRESIDENT/CEO

Dear Sir / Madam,

I am Dr. Mrs. Marian Abacha, wife to the late Nigerian Head of state, General
Sani Abacha who died on the 8th of June 1998 while still on active service for
our Country. I am contacting you with the hope that you will be of great
assistance to me. I currently have within my reach the sum of 76 MILLION U.S
dollars cash which I intend to use for investment purposes outside Nigeria.
This money came as a result of a payback contract deal between my husband and
a Russian firm in our country's multi-billion dollar Ajaokuta steel plant.
The Russian partners returned my husband's share being the above sum after his
death. Presently, the new civilian Government has intensified their probe into
my husband's financial resources, which has led to the freezing of all our
accounts, local and foreign, the revoking of all our business licenses and the
arrest of my First son. In view of this I acted very fast to withdraw this
money from one of our finance houses before it was closed down. I have
deposited the money in a security vault for safe keeping with the help of very
loyal officials of my late husband. No record is known about this fund by the
government because there is no documentation showing that we received such
funds. Due to the current situation in the country and government attitude to
my financial affairs, I cannot make use of this money within.

Bearing in mind that you may assist me, 20% of the total amount will be paid
to you for your assistance, while 5% will be set aside for expenses incurred
by the parties involved and this will be paid before sharing. Half of my 75%
will be paid in to my account on your instruction once the money hits your
account, while the other half will be invested by your humble self in any
viable business venture you deem fit, with you as manager of the invested
funds. Remunerations, during the investment period will be on a 50/50 basis.

Your URGENT response is needed. All correspondence must be through my lawyer,
fax: 234-1-7594494. Attentioned to my attorney (abbas bundu). Please do not
forget to include your direct tel/fax line for easy reach.

I hope I can trust you with my family's last financial hope.

Regards
Dr. Mrs. Marian Sani Abacha.
C/o abbas bundu (counsel)

From Thomas.Huang@jpl.nasa.gov Wed Feb 6 21:33:25 2002
Message-Id: <5.0.2.1.0.20020206183222.00aa6190@mipl.jpl.nasa.gov>
Date: Wed, 06 Feb 2002 18:36:07 -0800
To: kerberos@MIT.EDU
From: Thomas Huang
Subject: Changing host name and address

Hi,

My group is planning to relocate our KDC host. This also means changing the
IP address and the host name. Do we need to recreate the host key after the
relocation? Will we have to reconfigure the existing KDC after the relocation
(i.e. dumping and reloading the database)?

thanks,
Thomas.
From csri@sonata-software.com Wed Feb 6 22:51:10 2002
Message-ID: <60A02294BABED411BAC30000F80167CC031885DB@BG1MAIL>
From: Srinivas Cheruku
To: kerberos@MIT.EDU
Subject: Credential Cache Types
Date: Thu, 7 Feb 2002 09:24:16 +0530

Hi all,

Please can any one of you give me the information.

What types of Credentials Cache does MIT Support? Will it support Microsoft
Credential Cache on Win2k? Will a gss application developed using MIT GSS be
able to read the credentials from the microsoft credential cache? What are
the implications of these cache types when clients are on XP?

Thanks a lot,
Srini

*********************************************************************
Disclaimer: The information in this e-mail and any attachments is
confidential / privileged. It is intended solely for the addressee or
addressees. If you are not the addressee indicated in this message, you may
not copy or deliver this message to anyone. In such case, you should destroy
this message and kindly notify the sender by reply email. Please advise
immediately if you or your employer does not consent to Internet email for
messages of this kind.
*********************************************************************

From turbo@bayour.com Thu Feb 7 04:24:50 2002
To: Ken Hornstein
Cc: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
References: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
From: Turbo Fredriksson
Organization: Bah!
Date: 07 Feb 2002 10:24:46 +0100
In-Reply-To: <200202061617.g16GHHG01243@ginger.cmf.nrl.navy.mil>
Message-ID: <87ofj1eja9.fsf@papadoc.bayour.com>

Quoting Ken Hornstein :

> >Quoting Turbo Fredriksson :
> >
> >> turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> >> Authenticating as principal turbo@BAYOUR.COM with password.
> >> kadmin.local: Permission denied while initializing kadmin.local interface
> >
> >Does anyone have a suggestion why this is happening?
>
> Now that I think about it ... why on earth are you giving a principal name
> to kadmin.local?
[papadoc.pts/3]$ kadmin.local
Authenticating as principal turbo/admin@BAYOUR.COM with password.
kadmin.local: Permission denied while initializing kadmin.local interface

That principal doesn't exist...

From turbo@bayour.com Thu Feb 7 04:26:13 2002
To: Andreas Hasenack
Cc: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com> <20020206173528.GC3038@conectiva.com.br>
From: Turbo Fredriksson
Organization: Bah!
Date: 07 Feb 2002 10:26:10 +0100
In-Reply-To: <20020206173528.GC3038@conectiva.com.br>
Message-ID: <87k7tpej7x.fsf@papadoc.bayour.com>

Quoting Andreas Hasenack :

> On Wed, Feb 06, 2002 at 03:48:06PM +0100, Turbo Fredriksson wrote:
> > Quoting Turbo Fredriksson :
> >
> > > turbo@papadoc:~$ kadmin.local -p turbo@BAYOUR.COM
> > > Authenticating as principal turbo@BAYOUR.COM with password.
> > > kadmin.local: Permission denied while initializing kadmin.local interface
> >
> > Does anyone have a suggestion why this is happening?
>
> Hmm, you are running kadmin.local as root, aren't you?

No, that's the whole point... If using sudo/su/ksu, then it works. But I have
two 'help admins' (ie, ordinary users who help out with bits and pieces) that
I don't want to give sudo/su rights to...
From andreas@conectiva.com.br Thu Feb 7 07:56:11 2002
Date: Thu, 7 Feb 2002 10:56:00 -0200
From: Andreas Hasenack
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020207125559.GC1156@conectiva.com.br>
References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com> <20020206173528.GC3038@conectiva.com.br> <87k7tpej7x.fsf@papadoc.bayour.com>
In-Reply-To: <87k7tpej7x.fsf@papadoc.bayour.com>

On Thu, Feb 07, 2002 at 10:26:10AM +0100, Turbo Fredriksson wrote:
> > Hmm, you are running kadmin.local as root, aren't you?
>
> No, that's the whole point... If using sudo/su/ksu, then it works. But I have two
> 'help admins' (ie, ordinary users which help out with bits and pieces) that I don't
> want to give sudo/su rights to...

Then you can't use kadmin.local, just kadmin. Have them use kadmin and it
will work just fine.

From turbo@bayour.com Thu Feb 7 08:29:12 2002
To: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com> <20020206173528.GC3038@conectiva.com.br> <87k7tpej7x.fsf@papadoc.bayour.com> <20020207125559.GC1156@conectiva.com.br>
From: Turbo Fredriksson
Organization: Bah!
Date: 07 Feb 2002 14:29:06 +0100
In-Reply-To: <20020207125559.GC1156@conectiva.com.br>
Message-ID: <87pu3h8lp9.fsf@papadoc.bayour.com>

>>>>> "Andreas" == Andreas Hasenack writes:

Andreas> On Thu, Feb 07, 2002 at 10:26:10AM +0100, Turbo
Andreas> Fredriksson wrote:
>> > Hmm, you are running kadmin.local as root, aren't you?
>>
>> No, that's the whole point... If using sudo/su/ksu, then it
>> works. But I have two 'help admins' (ie, ordinary users which
>> help out with bits and pieces) that I don't want to give
>> sudo/su rights to...

Andreas> Then you can't use kadmin.local, just kadmin. Have them
Andreas> use kadmin and it will work just fine.

Hmmm... I'm _QUITE_ sure I tried that, but...

[papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM
Authenticating as principal turbo@BAYOUR.COM with password.
Enter password:
kadmin:

Is there any way 'kadmin' can honour my ticket?

From andreas@conectiva.com.br Thu Feb 7 09:08:21 2002
Date: Thu, 7 Feb 2002 12:08:14 -0200
From: Andreas Hasenack
To: Turbo Fredriksson
Cc: kerberos@mit.edu
Subject: Re: Permission denied while initializing kadmin.local interface
Message-ID: <20020207140814.GF1156@conectiva.com.br>
References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com> <20020206173528.GC3038@conectiva.com.br> <87k7tpej7x.fsf@papadoc.bayour.com> <20020207125559.GC1156@conectiva.com.br> <87pu3h8lp9.fsf@papadoc.bayour.com>
In-Reply-To: <87pu3h8lp9.fsf@papadoc.bayour.com>
List-Archive: Em Thu, Feb 07, 2002 at 02:29:06PM +0100, Turbo Fredriksson escreveu: > [papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM > Authenticating as principal turbo@BAYOUR.COM with password. > Enter password: > kadmin: > Is there any way 'kadmin' can honnor my ticket? You mean, by not having to enter a password and using the tgt your principal already has? According to the man page, yes, if you have a ticket for kadmin/admin. From kenh@cmf.nrl.navy.mil Thu Feb 7 09:10:38 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA23924 for ; Thu, 7 Feb 2002 09:10:38 -0500 (EST) Received: from ginger.cmf.nrl.navy.mil (ginger.cmf.nrl.navy.mil [134.207.12.161]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA03176 for ; Thu, 7 Feb 2002 09:10:38 -0500 (EST) Received: from cmf.nrl.navy.mil (pendragon.cmf.nrl.navy.mil [134.207.5.3]) (authenticated) by ginger.cmf.nrl.navy.mil (8.10.1/8.10.1) with ESMTP id g17EAXG20942; Thu, 7 Feb 2002 09:10:33 -0500 (EST) Message-Id: <200202071410.g17EAXG20942@ginger.cmf.nrl.navy.mil> To: Turbo Fredriksson cc: kerberos@mit.edu Subject: Re: Permission denied while initializing kadmin.local interface In-reply-to: Your message of "07 Feb 2002 14:29:06 +0100." <87pu3h8lp9.fsf@papadoc.bayour.com> X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yPkEpSD@*e` Date: Thu, 07 Feb 2002 09:10:34 -0500 From: Ken Hornstein Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: > >> No, that's the whole point... If using sudo/su/ksu, then it > >> works. 
But I have two 'help admins' (ie, ordinary users which > >> help out with bits and pieces) that I don't want to give > >> sudo/su rights to... > > Andreas> Then you can't use kadmin.local, just kadmin. Have them > Andreas> use kadmin and it will work just fine. One thing that's important to understand is that kadmin.local accesses the database directly, instead of going through kadmind. So it needs permission to read/write the database file ... which is why you were getting "Permission denied" (I think that's a bug that it says "Authenticating as principal ..." when using kadmin.local). >Hmmm... I'm _QUITE_ sure I tried that, but... > > >[papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM >Authenticating as principal turbo@BAYOUR.COM with password. >Enter password: >kadmin: I don't understand ... this looks like it works to me. --Ken From kenh@cmf.nrl.navy.mil Thu Feb 7 09:40:30 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24043 for ; Thu, 7 Feb 2002 09:40:30 -0500 (EST) Received: from ginger.cmf.nrl.navy.mil (ginger.cmf.nrl.navy.mil [134.207.12.161]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA21065 for ; Thu, 7 Feb 2002 09:40:30 -0500 (EST) Received: from cmf.nrl.navy.mil (pendragon.cmf.nrl.navy.mil [134.207.5.3]) (authenticated) by ginger.cmf.nrl.navy.mil (8.10.1/8.10.1) with ESMTP id g17EeRG21221 for ; Thu, 7 Feb 2002 09:40:27 -0500 (EST) Message-Id: <200202071440.g17EeRG21221@ginger.cmf.nrl.navy.mil> To: kerberos@mit.edu Subject: Re: Permission denied while initializing kadmin.local interface In-reply-to: Your message of "Thu, 07 Feb 2002 12:08:14 -0200."
<20020207140814.GF1156@conectiva.com.br> X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yPkEpSD@*e` Date: Thu, 07 Feb 2002 09:40:28 -0500 From: Ken Hornstein Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >Em Thu, Feb 07, 2002 at 02:29:06PM +0100, Turbo Fredriksson escreveu: >> [papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM >> Authenticating as principal turbo@BAYOUR.COM with password. >> Enter password: >> kadmin: >> Is there any way 'kadmin' can honnor my ticket? > >You mean, by not having to enter a password and using the tgt your >principal already has? According to the man page, yes, if you have >a ticket for kadmin/admin. You'll have to do some digging to discover it, but kadmin/admin is marked in the default database configuration as a principal that requires an initial request to get a service ticket for it ... which means you _can't_ get it with your TGT, which means you need to enter in your password to get it. If you think about it, this is a good thing. You can use the "-S" flag to kinit to get a ticket for it, but you can't use this ticket for anything else. 
--Ken From turbo@bayour.com Thu Feb 7 09:40:44 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24049 for ; Thu, 7 Feb 2002 09:40:44 -0500 (EST) Received: from papadoc.bayour.com (papadoc.bayour.com [195.163.1.190]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA21160 for ; Thu, 7 Feb 2002 09:40:44 -0500 (EST) Received: (qmail-ldap/ctrl 28127 invoked by uid 1000); 7 Feb 2002 14:40:42 -0000 To: kerberos@mit.edu Subject: Re: Permission denied while initializing kadmin.local interface References: <87elk11sko.fsf@papadoc.bayour.com> <871yfyfyzd.fsf@papadoc.bayour.com> <20020206173528.GC3038@conectiva.com.br> <87k7tpej7x.fsf@papadoc.bayour.com> <20020207125559.GC1156@conectiva.com.br> <87pu3h8lp9.fsf@papadoc.bayour.com> <20020207140814.GF1156@conectiva.com.br> X-PGP-Fingerprint: B7 92 93 0E 06 94 D6 22 98 1F 0B 5B FE 33 A1 0B X-PGP-Key-ID: 0x788CD1A9 X-URL: http://www.nocrew.org/~turbo/ From: Turbo Fredriksson Organization: Bah! X-Yow: Yow! STYROFOAM.. Date: 07 Feb 2002 15:40:42 +0100 In-Reply-To: <20020207140814.GF1156@conectiva.com.br> Message-ID: <87lme58idx.fsf@papadoc.bayour.com> Lines: 19 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >>>>> "Andreas" == Andreas Hasenack writes: Andreas> Em Thu, Feb 07, 2002 at 02:29:06PM +0100, Turbo Andreas> Fredriksson escreveu: >> [papadoc.pts/3]$ kadmin -p turbo@BAYOUR.COM Authenticating as >> principal turbo@BAYOUR.COM with password. Enter password: >> kadmin: Is there any way 'kadmin' can honnor my ticket? 
Andreas> You mean, by not having to enter a password and using the Andreas> tgt your principal already has? According to the man Andreas> page, yes, if you have a ticket for kadmin/admin. Bummer. Ah, well. Close enough for what I want to do. Thanx. From hartmans@MIT.EDU Thu Feb 7 09:45:14 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24129 for ; Thu, 7 Feb 2002 09:45:14 -0500 (EST) Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA16375; Thu, 7 Feb 2002 09:45:14 -0500 (EST) Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA13434; Thu, 7 Feb 2002 09:45:13 -0500 (EST) Received: from tir-na-nogth.mit.edu (TIR-NA-NOGTH.MIT.EDU [18.18.1.6]) by manawatu-mail-centre.mit.edu (8.9.2/8.9.2) with ESMTP id JAA18088; Thu, 7 Feb 2002 09:45:13 -0500 (EST) Received: (from hartmans@localhost) by tir-na-nogth.mit.edu (8.9.3) id JAA24238; Thu, 7 Feb 2002 09:45:12 -0500 (EST) To: Thomas Huang Cc: kerberos@MIT.EDU Subject: Re: Changing host name and address References: <5.0.2.1.0.20020206183222.00aa6190@mipl.jpl.nasa.gov> From: Sam Hartman Date: 07 Feb 2002 09:45:12 -0500 In-Reply-To: Thomas Huang's message of "Wed, 06 Feb 2002 18:36:07 -0800" Message-ID: Lines: 15 X-Mailer: Gnus v5.7/Emacs 20.7 Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >>>>> "Thomas" == Thomas Huang
writes: Thomas> Hi, Thomas> My group is planning to relocate our KDC host. This also means changing Thomas> the IP address and the host name. Do we need to recreate the host key Thomas> after the relocation? Will we have to reconfigure the existing KDC after Thomas> the relocation (i.e. dumping and reloading the database)? The canonical hostname is part of the key, so if this changes a new key is needed. That should be all that needs to change. From bbense@shred.stanford.edu Thu Feb 7 09:50:02 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA24175 for ; Thu, 7 Feb 2002 09:50:01 -0500 (EST) Received: from shred.stanford.edu (shred.Stanford.EDU [171.64.13.91]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA25321 for ; Thu, 7 Feb 2002 09:50:01 -0500 (EST) Received: from localhost (bbense@localhost) by shred.stanford.edu (8.11.6.Beta0/8.10.0.PreAlpha1) with ESMTP id g17Enxj10511; Thu, 7 Feb 2002 06:49:59 -0800 (PST) Date: Thu, 7 Feb 2002 06:49:59 -0800 (PST) From: "Booker C. Bense" To: Thomas Huang cc: kerberos@mit.edu Subject: Re: Changing host name and address In-Reply-To: <5.0.2.1.0.20020206183222.00aa6190@mipl.jpl.nasa.gov> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: On Wed, 6 Feb 2002, Thomas Huang wrote: > > Hi, > > My group is planning to relocate our KDC host. This also means changing > the IP address and the host name. - Changing the IP address is a minor problem. Depending on your setup users may need to get new tgt's after the swap. - Changing the hostname is a slightly bigger one. 
Depending on your foresight in making CNAME records of the names in krb5.conf you might have a minor or a big problem. If I were you I'd really try and set things up so you don't have to change the DNS name from what's in the krb5.conf files you've distributed. > Do we need to recreate the host key > after the relocation? - You need to create a new host/new.dns.name keytab for the KDC and you'll need to change acl's on slave kdc's. > Will we have to reconfigure the existing KDC after > the relocation (i.e. dumping and reloading the database)? > - It wouldn't be a bad idea to do this anyway, in case something goes wrong. But if you don't change the software you shouldn't need to reload the database. - Booker C. Bense From news@ra.nrl.navy.mil Thu Feb 7 16:50:02 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id QAA25487 for ; Thu, 7 Feb 2002 16:50:01 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id QAA19690 for ; Thu, 7 Feb 2002 16:50:01 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g17Lc4u21544 for kerberos@MIT.EDU; Thu, 7 Feb 2002 16:38:04 -0500 (EST) From: steiner@bakerst.rutgers.edu (Dave Steiner) X-Newsgroups: comp.protocols.kerberos Subject: question about KRB5_KDB_DISALLOW_ALL_TIX attribute Date: 7 Feb 2002 13:38:53 -0800 Organization: http://groups.google.com/ Message-ID: <3b609da.0202071338.43b27abc@posting.google.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: We've been running Kerberos here at the University for a number of years. 
We've made a few changes to the code over that time and one of the changes is that we don't lock out principals after N failed attempts. We are now going to start using the lockout code that's in the kdc but we'd like some way to identify the people who are locked out (so we can either contact them, semi-automate a +allow_tix, etc). Unfortunately, I haven't found any easy way of getting a list of locked out people except to do a dump of the database and check the attributes of each entry in the dump. Does anyone have an easier way to get this information or am I stuck with the dump method? thanks, -ds From Nicolas.Williams@ubsw.com Thu Feb 7 16:59:26 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id QAA25542 for ; Thu, 7 Feb 2002 16:59:22 -0500 (EST) Received: from gate.stm.swissbank.com (gate.stm.ubswarburg.com [151.191.1.10]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA10481 for ; Thu, 7 Feb 2002 16:59:22 -0500 (EST) Received: (from smap@localhost) by gate.stm.swissbank.com (8.8.8/8.8.8) id RAA15012; Thu, 7 Feb 2002 17:02:20 -0500 (EST) Received: from (eight.ubswarburg.com [192.168.0.3]) by gate via smap (V2.0) id xma014108; Thu, 7 Feb 2002 17:01:26 -0500 Received: from sm0p9035pos.stm.swissbank.com (virscan1 [192.168.0.3]) by virscan1.swissbank.com (8.8.8/8.8.8) with ESMTP id QAA09305; Thu, 7 Feb 2002 16:56:49 -0500 (EST) Received: from sm2p1386swk.stm.swissbank.com (sm2p1386swk.stm.swissbank.com [151.191.93.86]) by sm0p9035pos.stm.swissbank.com (8.8.8/8.8.8) with ESMTP id QAA26738; Thu, 7 Feb 2002 16:58:14 -0500 (EST) Received: (willian@localhost) by sm2p1386swk.stm.swissbank.com (8.9.3+Sun/8.6.12) id QAA28214; Thu, 7 Feb 2002 16:57:18 -0500 (EST) Date: Thu, 7 Feb 2002 16:57:18 -0500 From: Nicolas Williams To: Dave Steiner Cc: kerberos@mit.edu Subject: Re: question about KRB5_KDB_DISALLOW_ALL_TIX attribute Message-ID:
<20020207165717.N27171@sm2p1386swk.wdr.com> Mail-Followup-To: Dave Steiner , kerberos@mit.edu References: <3b609da.0202071338.43b27abc@posting.google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us In-Reply-To: <3b609da.0202071338.43b27abc@posting.google.com>; from steiner@bakerst.rutgers.edu on Thu, Feb 07, 2002 at 01:38:53PM -0800 Precedence: list X-WDR-Disclaimer: Version $Revision: 1.15 $ Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: The kadmin protocol doesn't have a search function AFAICT. And the KDB is indexed only by name, so you can't search it without traversing it entirely anyways. Nico On Thu, Feb 07, 2002 at 01:38:53PM -0800, Dave Steiner wrote: > We've been running Kerberos here at the University for a number of > years. We've made a few changes to the code over that time and one of > the changes is that we don't lockout principals after N failed > attempts. > > We are now going to start using the lockout code that's in the kdc but > we'd like some way to identify the people who are locked out (so we > can either contact them, semi-automate a +allow_tix, etc). > Unfortunately, I haven't found any easy way of getting a list of > locked out people except to do a dump of the database and check the > attributes of each entry in the dump. > > Does anyone have an easier way to get this information or am I stuck > with the dump method? > > thanks, > -ds > _______________________________________________ > Kerberos mailing list > Kerberos@mit.edu > http://mailman.mit.edu/mailman/listinfo/kerberos -- -DISCLAIMER: an automatically appended disclaimer may follow. 
By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. 
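Two questions in this thread come down to the same thing, the attributes word stored with each principal: Ken's point that kadmin/admin is flagged so that a service ticket for it can only come from an initial (password-authenticated) request, and Dave's question about finding the principals the lockout code has flagged with KRB5_KDB_DISALLOW_ALL_TIX. Since, as Nico says, neither the kadmin protocol nor the KDB offers a search, the practical route is to traverse a dump. The script below is an added example, not code from the thread or from MIT krb5. It parses the tab-separated "princ" records of a kdb5_util text dump, assuming the MIT layout in which the principal name is the seventh field, the attributes bitmask the eighth and fail_auth_count the fifteenth (it checks the strlen(name) column against the name so a different layout is rejected rather than misread), then lists the locked-out principals and those that refuse TGT-based requests. The embedded dump is constructed, its records are truncated after fail_auth_count, and the realm EXAMPLE.COM and the principal names in it are hypothetical.

```python
"""Find MIT Kerberos principals by KDB attribute in a kdb5_util text dump.

Added example, not code from the thread or from MIT krb5.  The dump embedded
below is constructed, and its records stop after the fail_auth_count column
(real records continue with tl_data, key_data and e_data).
"""
import sys

# Attribute bits as defined in MIT krb5's kdb.h.
KRB5_KDB_DISALLOW_POSTDATED = 0x0001
KRB5_KDB_DISALLOW_FORWARDABLE = 0x0002
KRB5_KDB_DISALLOW_TGT_BASED = 0x0004    # kadmin flag -allow_tgs_req
KRB5_KDB_DISALLOW_RENEWABLE = 0x0008
KRB5_KDB_DISALLOW_PROXIABLE = 0x0010
KRB5_KDB_DISALLOW_DUP_SKEY = 0x0020
KRB5_KDB_DISALLOW_ALL_TIX = 0x0040      # kadmin flag -allow_tix (locked out)
KRB5_KDB_REQUIRES_PRE_AUTH = 0x0080
KRB5_KDB_REQUIRES_HW_AUTH = 0x0100
KRB5_KDB_REQUIRES_PWCHANGE = 0x0200
KRB5_KDB_DISALLOW_SVR = 0x1000
KRB5_KDB_PWCHANGE_SERVICE = 0x2000
ATTR_NAMES = {v: k[len("KRB5_KDB_"):] for k, v in list(globals().items())
              if k.startswith("KRB5_KDB_")}

# Assumed column layout of a "princ" record (MIT kdb5_util dump):
# princ, len, strlen(name), n_tl_data, n_key_data, e_length, name, attributes,
# max_life, max_renewable_life, expiration, pw_expiration, last_success,
# last_failed, fail_auth_count, then tl_data / key_data / e_data.
COL_STRLEN, COL_NAME, COL_ATTRS, COL_LAST_FAILED, COL_FAIL_COUNT = 2, 6, 7, 13, 14


def _record(name, attrs, last_failed=0, fail_count=0):
    """Build one constructed, truncated 'princ' record for the sample dump."""
    fields = ["princ", "38", str(len(name)), "1", "1", "0", name,
              str(attrs), "36000", "604800", "0", "0", "0",
              str(last_failed), str(fail_count)]
    return "\t".join(fields)


# Constructed sample.  K/M and kadmin/* carry the attributes kdb5_util create
# gives them; jdoe has tripped the lockout (DISALLOW_ALL_TIX set, 5 failures).
SAMPLE_DUMP = "\n".join([
    "kdb5_util load_dump version 5",
    _record("K/M@EXAMPLE.COM", KRB5_KDB_DISALLOW_ALL_TIX),
    _record("kadmin/admin@EXAMPLE.COM", KRB5_KDB_DISALLOW_TGT_BASED),
    _record("kadmin/changepw@EXAMPLE.COM",
            KRB5_KDB_DISALLOW_TGT_BASED | KRB5_KDB_PWCHANGE_SERVICE),
    _record("krbtgt/EXAMPLE.COM@EXAMPLE.COM", 0),
    _record("turbo@EXAMPLE.COM", KRB5_KDB_REQUIRES_PRE_AUTH),
    _record("jdoe@EXAMPLE.COM",
            KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_DISALLOW_ALL_TIX,
            last_failed=1013100000, fail_count=5),
    _record("alice@EXAMPLE.COM", KRB5_KDB_REQUIRES_PRE_AUTH),
])


def attr_names(attrs):
    """Translate an attributes bitmask into kdb.h flag names, lowest bit first."""
    return [name for bit, name in sorted(ATTR_NAMES.items()) if attrs & bit]


def parse_dump(text):
    """Yield (principal, attributes, last_failed, fail_auth_count) per record.

    Policy records and the version header are skipped.  The strlen column is
    checked against the name so a layout change is caught rather than misread.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("\t")
        if f[0] != "princ":
            continue
        if len(f) <= COL_FAIL_COUNT or int(f[COL_STRLEN]) != len(f[COL_NAME]):
            raise ValueError("line %d: unexpected princ record layout" % lineno)
        yield (f[COL_NAME], int(f[COL_ATTRS]),
               int(f[COL_LAST_FAILED]), int(f[COL_FAIL_COUNT]))


def with_attribute(text, bit):
    """Sorted principals whose attributes include the given bit."""
    return sorted(p for p, a, _, _ in parse_dump(text) if a & bit)


def locked_out(text, skip_builtin=True):
    """Principals with DISALLOW_ALL_TIX (the lockout bit), as (name, failures).

    K/M is created with that bit on purpose, so it is skipped by default.
    """
    return [(p, n) for p, a, _, n in parse_dump(text)
            if a & KRB5_KDB_DISALLOW_ALL_TIX
            and not (skip_builtin and p.startswith("K/M@"))]


if __name__ == "__main__":
    # Usage: kdb5_util dump /tmp/kdb.dump && python findlocked.py /tmp/kdb.dump
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for princ, failures in locked_out(text):
        print("%-40s fail_auth_count=%d" % (princ, failures))
    print("needs an initial ticket (DISALLOW_TGT_BASED): %s"
          % ", ".join(with_attribute(text, KRB5_KDB_DISALLOW_TGT_BASED)))
```

Against a real KDC the dump has to be produced on the master by a user that can read the database file (the same permission that stops Turbo's help admins from using kadmin.local), for instance `kdb5_util dump /tmp/kdb.dump`, and the flagged principals can then be re-enabled with `kadmin.local modprinc +allow_tix user@REALM`. The dump contains the principals' keys, so keep it mode 600 and remove it once the list has been extracted.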
From news@ra.nrl.navy.mil Thu Feb 7 17:20:01 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id RAA25640 for ; Thu, 7 Feb 2002 17:20:01 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id RAA19094 for ; Thu, 7 Feb 2002 17:20:01 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g17MArU22125 for kerberos@MIT.EDU; Thu, 7 Feb 2002 17:10:53 -0500 (EST) Message-ID: <3C62FB0C.7143EDAC@cats.ucsc.edu> Date: Thu, 07 Feb 2002 14:09:16 -0800 From: John Rudd Organization: CATS, UC Santa Cruz X-Newsgroups: comp.protocols.kerberos Subject: Re: Kerberos http authentication References: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: "Booker C. Bense" wrote: > > We have a proxy-like fallback to the > webauth system that creates cookies that look a lot like service > tickets. Is your module for doing that publicly available? I'd love to look at it. 
From cesarg@ms.com Fri Feb 8 10:33:13 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA28649 for ; Fri, 8 Feb 2002 10:33:13 -0500 (EST) Received: from hqvsbh1.ms.com (hqvsbh1-x0.ms.com [205.228.12.101]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA06864 for ; Fri, 8 Feb 2002 10:33:13 -0500 (EST) Received: from hqvsbh1-idmz.ms.com (localhost [127.0.0.1]) by hqvsbh1.ms.com (Postfix) with SMTP id 1AF7620A7F for ; Fri, 8 Feb 2002 10:33:13 -0500 (EST) Received: from sasmh3.ms.com (unknown [144.14.193.98]) by hqvsbh1-idmz.ms.com (Postfix) with ESMTP id E689D205AD for ; Fri, 8 Feb 2002 10:33:12 -0500 (EST) Received: from imus.morgan.com (imus.morgan.com [144.14.15.156]) by sasmh3.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id KAA10987; Fri, 8 Feb 2002 10:33:12 -0500 (EST) Received: (cesarg@localhost) by imus.morgan.com (8.8.5/sendmail.cf.client v1.05) id KAA06437; Fri, 8 Feb 2002 10:33:12 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15459.61368.330902.672691@imus.ms.com> Date: Fri, 8 Feb 2002 10:33:12 -0500 (EST) From: Cesar Garcia To: kerberos@mit.edu Subject: Ticket forwarding and IP addresses X-Mailer: VM 6.72 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: I've been working with 1.2.2 for some months now, and only recently have attempted to get the rcmds working, mainly in an effort to better understand how ticket forwarding works, since we have a need to do this in a homegrown application. The behavior that I see is that when I invoke ticket forwarding, the "forwarded" tickets contain only a single IP address.
After walking through some of the code, it appears that the client, via krb5_fwd_tgt_creds, determines the target's IP address via a host lookup using gethostbyname(), as implemented in krb5_os_hostaddr(). Since we use NIS as the primary source for hostname resolution, all host lookups render a single IP address, even for multihomed machines. Moving to DNS is not an option at the moment. Additionally, we use Veritas VCS and other similar clustering facilities. These hosts will have additional IP addresses that are not associated with the real hostname, but with service names for a particular cluster/application. So even if we were to switch to DNS, the client would not be able to determine all the IP addresses for a given target host via the hostname lookup that it uses today. That said (barring hacks to application protocols that would allow target hosts to send IP addresses back to the source host, then having the client embed the full set of tickets), the way to address this would be to have the target host obtain new tickets with a full set of IP addresses. 1 - is this possible? 2 - is it within the limits of the specification? If so, has anyone implemented this for 1.2.2 or any releases of MIT krb5?
From news@ra.nrl.navy.mil Fri Feb 8 10:55:27 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA28738 for ; Fri, 8 Feb 2002 10:55:27 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA14894 for ; Fri, 8 Feb 2002 10:55:26 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g18Fpcu16622 for kerberos@MIT.EDU; Fri, 8 Feb 2002 10:51:38 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Error "24" returned from INIT_CONTEXT under load From: Christopher Burke Message-ID: Date: Fri, 08 Feb 2002 15:54:08 GMT Organization: BigPond Internet Services (http://www.bigpond.net.au) To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: We are getting an error 24 (integer value of 24) returned from the init_context routine when I call it very frequently (sequentially - just 1 at a time). Given that all the error numbers are big -ve numbers, what is this error and what might be causing it?
-- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From kenh@cmf.nrl.navy.mil Fri Feb 8 11:10:18 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA28819 for ; Fri, 8 Feb 2002 11:10:17 -0500 (EST) Received: from ginger.cmf.nrl.navy.mil (ginger.cmf.nrl.navy.mil [134.207.12.161]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id LAA20489 for ; Fri, 8 Feb 2002 11:10:17 -0500 (EST) Received: from cmf.nrl.navy.mil (elvis.cmf.nrl.navy.mil [134.207.10.38]) (authenticated) by ginger.cmf.nrl.navy.mil (8.10.1/8.10.1) with ESMTP id g18GA8G04136; Fri, 8 Feb 2002 11:10:09 -0500 (EST) Message-Id: <200202081610.g18GA8G04136@ginger.cmf.nrl.navy.mil> To: Cesar Garcia cc: kerberos@mit.edu Subject: Re: Ticket forwarding and IP addresses In-reply-to: Your message of "Fri, 08 Feb 2002 10:33:12 EST." <15459.61368.330902.672691@imus.ms.com> X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yPkEpSD@*e` Date: Fri, 08 Feb 2002 11:10:08 -0500 From: Ken Hornstein Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >Since we use NIS as the primary source for hostname >resolution, all host lookups render a single IP address, >even for multihomed machines. Moving to DNS is not an >option at the moment. I have to ask ... you're STILL using NIS for hostname resolution? Ouch. 
>That said (barring hacks to application protocols that >would allow target hosts to send IP addresses back to >the source host, then having the client embed the full set >of tickets), the way to address this would be to have >the target host obtain new tickets will a full set of >IP addresses. > >1 - is this possible? The trick here is that one of the IP addresses in the target ticket _must_ be the IP address used to talk to the KDC; otherwise, you're outta luck. >2 - is it within the limits of the specification? Yes. It occurs to me that you could save yourself some pain and simply get a completely addressless ticket. There is a school of thought in the Kerberos world that suggests IP addresses in tickets are not that useful. --Ken From news@ra.nrl.navy.mil Fri Feb 8 11:10:27 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA28824 for ; Fri, 8 Feb 2002 11:10:27 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA02667 for ; Fri, 8 Feb 2002 11:10:26 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g18FvRc16650 for kerberos@MIT.EDU; Fri, 8 Feb 2002 10:57:27 -0500 (EST) From: ; X-Newsgroups: comp.protocols.kerberos Subject: Re: Kerberos http authentication Date: 8 Feb 2002 15:53:23 GMT Organization: Stanford University Message-ID: References: <3C62FB0C.7143EDAC@cats.ucsc.edu> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: -----BEGIN PGP SIGNED MESSAGE----- In article <3C62FB0C.7143EDAC@cats.ucsc.edu>, John Rudd wrote: >"Booker C. 
Bense" wrote: >> >> We have a proxy-like fallback to the >> webauth system that creates cookies that look a lot like service >> tickets. > >Is your module for doing that publicly available? I'd love to look at >it. - - It's something we keep talking about, but we never seem to get the tuits available to make it happen. - - At best I might be able to make a snapshot available, but it would be with the caveat that asking questions is verboten. - - Booker C. Bense -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBPGP0cwD83u1ILnWNAQGXlwP/UotiQTsyNxmyyt/NUJ7JtfMzbkRFgVqt os53kyjeSo/Wc972ExuQNarv+6X/UlXKvCzfPi0vonMM7k4vFMQgDJqvfPZYsgfF qtvThJqZs4pHztclFo5WH4yk684W/TUh2c0ERKj5EPVhiYLtRbTC5KtU3qBrdrk/ 8nyEMb5BySY= =nvU1 -----END PGP SIGNATURE----- -- From ggsr@sonata-software.com Fri Feb 8 11:24:31 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA28972 for ; Fri, 8 Feb 2002 11:24:30 -0500 (EST) Received: from bg1mail.sonata-software.com ([164.164.142.10]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA09964 for ; Fri, 8 Feb 2002 11:24:28 -0500 (EST) Received: by BG1MAIL with Internet Mail Service (5.5.2653.19) id <1NSLKKC3>; Fri, 8 Feb 2002 21:57:47 +0530 Message-ID: <60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL> From: Sreedhar Gupta To: Christopher Burke , kerberos@mit.edu Subject: RE: Error "24" returned from INIT_CONTEXT under load Date: Fri, 8 Feb 2002 21:57:45 +0530 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hi, Error 24 (integer value) means Preauthentication failed.
Sreedhar Gupta -----Original Message----- From: Christopher Burke [mailto:craznar@hotmail.com] Sent: Friday, February 08, 2002 9:24 PM To: kerberos@mit.edu Subject: Error "24" returned from INIT_CONTEXT under load We are getting an error 24 (integer value of 24) returned from the init_context routine when I call it very frequently (sequentially - just 1 at a time). Given all the error numbers are big -ve number, what is this error and what might be causing it. -- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com _______________________________________________ Kerberos mailing list Kerberos@mit.edu http://mailman.mit.edu/mailman/listinfo/kerberos ********************************************************************* Disclaimer: The information in this e-mail and any attachments is confidential / privileged. It is intended solely for the addressee or addressees. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. 
********************************************************************* From Nicolas.Williams@ubsw.com Fri Feb 8 11:35:44 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA29095 for ; Fri, 8 Feb 2002 11:35:44 -0500 (EST) Received: from gate2.stm.ubswarburg.com (gate2.stm.ubswarburg.com [151.191.1.12]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA14866 for ; Fri, 8 Feb 2002 11:35:44 -0500 (EST) Received: (from smap@localhost) by gate2.stm.ubswarburg.com (8.8.8/8.8.8) id LAA01940; Fri, 8 Feb 2002 11:35:37 -0500 (EST) Received: from (thirteen.ubswarburg.com [192.168.0.7]) by gate2 via smap (V2.0/ubsw) id xma001772; Fri, 8 Feb 2002 11:35:29 -0500 Received: from sm0p9035pos.stm.swissbank.com (virscan4 [192.168.0.7]) by virscan4.swissbank.com (8.8.8/8.8.8) with ESMTP id LAA20594; Fri, 8 Feb 2002 11:37:34 -0500 (EST) Received: from sm2p1386swk.stm.swissbank.com (sm2p1386swk.stm.swissbank.com [151.191.93.86]) by sm0p9035pos.stm.swissbank.com (8.8.8/8.8.8) with ESMTP id LAA16031; Fri, 8 Feb 2002 11:35:29 -0500 (EST) Received: (willian@localhost) by sm2p1386swk.stm.swissbank.com (8.9.3+Sun/8.6.12) id LAA03006; Fri, 8 Feb 2002 11:34:33 -0500 (EST) Date: Fri, 8 Feb 2002 11:34:33 -0500 From: Nicolas Williams To: Christopher Burke Cc: kerberos@mit.edu Subject: Re: Error "24" returned from INIT_CONTEXT under load Message-ID: <20020208113432.V27171@sm2p1386swk.wdr.com> Mail-Followup-To: Christopher Burke , kerberos@mit.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us In-Reply-To: ; from craznar@hotmail.com on Fri, Feb 08, 2002 at 03:54:08PM +0000 Precedence: list X-WDR-Disclaimer: Version $Revision: 1.15 $ Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List 
Positive errors are system errors (see intro(2) and your system's
errno.h).

It's most likely this: your process ran out of file descriptors. I.e.,
error 24 is EMFILE.

On Solaris you can get EMFILE from fopen() even though your process is
not out of file descriptors when: your process is 32-bit and all file
descriptors < 256 are taken.

Cheers,

Nico

On Fri, Feb 08, 2002 at 03:54:08PM +0000, Christopher Burke wrote:
> We are getting an error 24 (integer value of 24) returned from the
> init_context routine when I call it very frequently (sequentially - just 1 at
> a time).
>
> Given all the error numbers are big -ve number, what is this error and what
> might be causing it.
>
> --
> ---
> /* Christopher Burke - Spam Mail to craznar@hotmail.com
> |* www.craznar.com -
> \* Real mail to cburke(at)craznar(dot)com

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version.
This message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.

From news@ra.nrl.navy.mil Fri Feb 8 11:40:27 2002
Date: Fri, 08 Feb 2002 16:29:26 GMT
From: Christopher Burke
To: kerberos@MIT.EDU
Subject: RE: Error "24" returned from INIT_CONTEXT under load
References: <60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL>

Any ideas why I would be getting it when I call it too often?

ggsr@sonata-software.com (Sreedhar Gupta) wrote in
news:60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL:

> Hi,
> Error 24 (integer value) means, Preauthentication failed.
>
> Sreedhar Gupta
>
>
> -----Original Message-----
> From: Christopher Burke [mailto:craznar@hotmail.com]
> Sent: Friday, February 08, 2002 9:24 PM
> To: kerberos@mit.edu
> Subject: Error "24" returned from INIT_CONTEXT under load
>
>
> We are getting an error 24 (integer value of 24) returned from the
> init_context routine when I call it very frequently (sequentially - just
> 1 at
> a time).
>
> Given all the error numbers are big -ve number, what is this error and
> what might be causing it.
>

--
---
/* Christopher Burke - Spam Mail to craznar@hotmail.com
|* www.craznar.com -
\* Real mail to cburke(at)craznar(dot)com

From deengert@anl.gov Fri Feb 8 12:03:12 2002
Message-ID: <3C6404CC.B4A4E789@anl.gov>
Date: Fri, 08 Feb 2002 11:03:08 -0600
From: "Douglas E. Engert"
To: kerberos@mit.edu
CC: Cesar Garcia
Subject: Re: Ticket forwarding and IP addresses
References: <15459.61368.330902.672691@imus.ms.com>

Since the kinit has a -A noaddresses option, can this be
carried forward to forwardable tickets? i.e. if the TGT used
to get a forwardable ticket does not have addresses, don't
request addresses in a forwardable ticket.

This looks like an easy change to krb5_fwd_tgt_creds.
Has anyone done this?
Cesar Garcia wrote:
>
> I've been working with 1.2.2 for some months now, and only
> recently have attempted to get the rcmds working, mainly in
> an effort to better understand how ticket forwarding works,
> since we have a need to do this in a homegrown application.
>
> The behavior that I see is that when I invoke ticket
> forwarding, the "forwarded" tickets contain only a single
> IP address.
>
> After walking through some of the code, it appears that
> the client, via krb5_fwd_tgt_creds, determines the target's
> IP address via a host lookup using gethostbyname(), as
> implemented in krb5_os_hostaddr().
>
> Since we use NIS as the primary source for hostname
> resolution, all host lookups render a single IP address,
> even for multihomed machines. Moving to DNS is not an
> option at the moment. Additionally, we use Veritas VCS
> and other similar clustering facilities. These hosts
> will have additional IP addresses that are not associated
> with the real hostname, but with service names for a
> particular cluster/application. So even if we were to switch
> to DNS, the client would not be able to determine all the
> IP addresses for a given target host via the hostname
> lookup that it uses today.
>
> That said (barring hacks to application protocols that
> would allow target hosts to send IP addresses back to
> the source host, then having the client embed the full set
> of tickets), the way to address this would be to have
> the target host obtain new tickets with a full set of
> IP addresses.
>
> 1 - is this possible?
> 2 - is it within the limits of the specification?
>
> If so, has anyone implemented this for 1.2.2 or any
> releases of MIT krb5.

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Nicolas.Williams@ubsw.com Fri Feb 8 12:12:31 2002
Date: Fri, 8 Feb 2002 12:11:04 -0500
From: Nicolas Williams
To: "Douglas E. Engert"
Cc: kerberos@mit.edu, Cesar Garcia
Subject: Re: Ticket forwarding and IP addresses
Message-ID: <20020208121103.Y27171@sm2p1386swk.wdr.com>
References: <15459.61368.330902.672691@imus.ms.com> <3C6404CC.B4A4E789@anl.gov>
In-Reply-To: <3C6404CC.B4A4E789@anl.gov>; from deengert@anl.gov on Fri, Feb 08, 2002 at 11:03:08AM -0600

On Fri, Feb 08, 2002 at 11:03:08AM -0600, Douglas E. Engert wrote:
> Since the kinit has a -A noaddresses option, can this be
> carried forward to forwardable tickets? i.e. if the TGT used
> to get a forwardable ticket does not have addresses, don't
> request addresses in a forwardable ticket.
>
> This looks like an easy change to krb5_fwd_tgt_creds.
> Has anyone done this?

An addressless TGT can be forwarded anywhere. As such there should
probably just be a shortcut

    if (is_addressless(TGT)) {
        forwarded_TGT = TGT;
        return;
    }

Nico
From cesarg@ms.com Fri Feb 8 12:17:59 2002
Message-ID: <15460.2117.576657.866559@imus.ms.com>
Date: Fri, 8 Feb 2002 12:17:57 -0500 (EST)
From: Cesar Garcia
To: Ken Hornstein
Cc: Cesar Garcia, kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
In-Reply-To: <200202081610.g18GA8G04136@ginger.cmf.nrl.navy.mil>
References: <15459.61368.330902.672691@imus.ms.com> <200202081610.g18GA8G04136@ginger.cmf.nrl.navy.mil>
>>>>> "Ken" == Ken Hornstein writes:

>> Since we use NIS as the primary source for hostname
>> resolution, all host lookups render a single IP address,
>> even for multihomed machines. Moving to DNS is not an
>> option at the moment.

Ken> I have to ask ... you're STILL using NIS for hostname resolution? Ouch.

Thanks for the sympathy. Unfortunately, in our case, migrating to DNS
is not a trivial effort, but let's not go there.

>> That said (barring hacks to application protocols that
>> would allow target hosts to send IP addresses back to
>> the source host, then having the client embed the full set
>> of tickets), the way to address this would be to have
>> the target host obtain new tickets with a full set of
>> IP addresses.
>>
>> 1 - is this possible?

Ken> The trick here is that one of the IP addresses in the target ticket
Ken> _must_ be the IP address used to talk to the KDC; otherwise, you're
Ken> outta luck.

>> 2 - is it within the limits of the specification?

Ken> Yes.

Ken> It occurs to me that you could save yourself some pain and simply get
Ken> a completely addressless ticket. There is a school of thought in the
Ken> Kerberos world that suggests IP addresses in tickets are not that useful.

OK, let's reset a bit. What I neglected to mention was that we are a
former CyberSafe customer, with remnants of CyberSafe code still in
production. (Now I'll be getting pity, not sympathy.) Since the move
to MIT has also been driven by the deployment of platforms not
supported by CyberSafe (e.g., linux), we have focused primarily on
application infrastructure. That said, the core CyberSafe KDCs are
still in place, in addition to a variety of other KDC based services,
either homegrown or adopted to work with a CyberSafe KDB.
Admittedly, I'll have to assess the current dependencies that we have
on IP addresses. The implementation of krb524d that we currently use
requires IP addresses, or it barfs. This may well be the only
dependency that we really have. Client krb524 code has already been
migrated to MIT.

That said, I'll investigate if we have any more dependencies on IP
addresses in tickets and start working on porting krb524d to the
CyberSafe KDB. Unfortunately, I can't use it as is for now, until we
migrate all the KDC services to MIT krb5 (or perhaps Heimdal, since
incremental propagation is a must have). Nonetheless, we have all
sorts of applications that obtain initial credentials (various
homegrown apps, PAM modules, sitecheck binaries for irix) which would
need to be "corrected".

Ticket forwarding was my immediate objective. But I'll submit I was
looking for the lazy way out.

Ken> --Ken

From deengert@anl.gov Fri Feb 8 12:48:22 2002
Message-ID: <3C640F5F.498F79EE@anl.gov>
Date: Fri, 08 Feb 2002 11:48:15 -0600
From: "Douglas E. Engert"
To: Nicolas Williams, kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
References: <15459.61368.330902.672691@imus.ms.com> <3C6404CC.B4A4E789@anl.gov> <20020208121103.Y27171@sm2p1386swk.wdr.com>

Nicolas Williams wrote:
>
> On Fri, Feb 08, 2002 at 11:03:08AM -0600, Douglas E. Engert wrote:
> > Since the kinit has a -A noaddresses option, can this be
> > carried forward to forwardable tickets? i.e. if the TGT used
> > to get a forwardable ticket does not have addresses, don't
> > request addresses in a forwardable ticket.
> >
> > This looks like an easy change to krb5_fwd_tgt_creds.
> > Has anyone done this?
>
> An addressless TGT can be forwarded anywhere. As such there should
> probably just be a shortcut
>
>     if (is_addressless(TGT)) {
>         forwarded_TGT = TGT;
>         return;
>     }

Not in all cases. But it might be you are using a forwardable TGT to
forward a non-forwardable TGT, so the options might be different.
Times could also be different...

>
> Nico

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From kenh@cmf.nrl.navy.mil Fri Feb 8 13:23:23 2002
Message-Id: <200202081823.g18INGG05696@ginger.cmf.nrl.navy.mil>
To: Cesar Garcia
cc: kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
In-reply-to: Your message of "Fri, 08 Feb 2002 12:17:57 EST."
             <15460.2117.576657.866559@imus.ms.com>
Date: Fri, 08 Feb 2002 13:23:15 -0500
From: Ken Hornstein

>What I neglected to mention was that we are a former CyberSafe
>customer, with remnants of CyberSafe code still in production.
>(Now I'll be getting pity, not sympathy.)

You poor bastard :-/

>Admittedly, I'll have to assess the current dependencies that
>we have on IP addresses. The implementation of krb524d that
>we currently use requires IP addresses, or it barfs. This may
>well be the only dependency that we really have. Client krb524
>code has already been migrated to MIT.

Oh! Shoot, that's an easy fix ... I did that a long time ago. Contact me
privately if you want the fix for that.
--Ken

From wyllys.ingersoll@sun.com Fri Feb 8 14:05:25 2002
Message-ID: <3C642289.5010006@sun.com>
Date: Fri, 08 Feb 2002 14:10:01 -0500
From: Wyllys Ingersoll
To: "Douglas E. Engert"
CC: kerberos@mit.edu, Cesar Garcia
Subject: Re: Ticket forwarding and IP addresses
References: <15459.61368.330902.672691@imus.ms.com> <3C6404CC.B4A4E789@anl.gov>

I think I raised this same issue back in November (11-19-01 is the
last email on it that I have saved). Anyway, below was my suggestion,
but I never followed up on it at the time. It seems similar to what
Nico just suggested.

---
> Douglas E. Engert wrote:
>
>>>>
>>>Should the last line be only:
>>>
>>>    FWD_TGT.addresses = Remote Host addr.
>>>
>>>as the forwarded TGT should only be usable from the remote host.
>>>
>>>
>>I was thinking that if someone explicitly put in a list of addresses
>>in their TGT (not sure if anyone would actually do that), then that
>>list would probably want to be maintained after forwarding.
>>
>
>
> I would say no. The intent of the addresses was to limit the
> usefulness of a ticket to a specific machine i.e. detect if it had
> been stolen. So when you get a new forwardable TGT it should be
> useable only from the machine to which it is to be forwarded.

Well, that makes the fix easier. But, do you agree that the forwarded
ticket should be addressless if the original ticket was addressless also?

The fix I have in mind is this (in fwd_tgt.c):

    if TGT.addresses ==
        FWD_TGT.addresses =
    else
        FWD_TGT.addresses = rhost address.

-Wyllys

Douglas E. Engert wrote:
> Since the kinit has a -A noaddresses option, can this be
> carried forward to forwardable tickets? i.e. if the TGT used
> to get a forwardable ticket does not have addresses, don't
> request addresses in a forwardable ticket.
>
> This looks like an easy change to krb5_fwd_tgt_creds.
> Has anyone done this?
>
>
>
> Cesar Garcia wrote:
>
>>I've been working with 1.2.2 for some months now, and only
>>recently have attempted to get the rcmds working, mainly in
>>an effort to better understand how ticket forwarding works,
>>since we have a need to do this in a homegrown application.
>>
>>The behavior that I see is that when I invoke ticket
>>forwarding, the "forwarded" tickets contain only a single
>>IP address.
>>
>>After walking through some of the code, it appears that
>>the client, via krb5_fwd_tgt_creds, determines the target's
>>IP address via a host lookup using gethostbyname(), as
>>implemented in krb5_os_hostaddr().
>>
>>Since we use NIS as the primary source for hostname
>>resolution, all host lookups render a single IP address,
>>even for multihomed machines. Moving to DNS is not an
>>option at the moment. Additionally, we use Veritas VCS
>>and other similar clustering facilities. These hosts
>>will have additional IP addresses that are not associated
>>with the real hostname, but with service names for a
>>particular cluster/application. So even if we were to switch
>>to DNS, the client would not be able to determine all the
>>IP addresses for a given target host via the hostname
>>lookup that it uses today.
>>
>>That said (barring hacks to application protocols that
>>would allow target hosts to send IP addresses back to
>>the source host, then having the client embed the full set
>>of tickets), the way to address this would be to have
>>the target host obtain new tickets with a full set of
>>IP addresses.
>>
>>1 - is this possible?
>>2 - is it within the limits of the specification?
>>
>>If so, has anyone implemented this for 1.2.2 or any
>>releases of MIT krb5.
>>

From news@ra.nrl.navy.mil Fri Feb 8 15:55:34 2002
From: Dan Riley
Date: 08 Feb 2002 15:43:22 -0500
Organization: LNS, Cornell U., Ithaca, NY 14853
To: kerberos@MIT.EDU
Subject: Re: Error "24" returned from INIT_CONTEXT under load
References: <60A02294BABED411BAC30000F80167CC031D5353@BG1MAIL>

ggsr@sonata-software.com (Sreedhar Gupta) writes:
> Error 24 (integer value) means, Preauthentication failed.

Error 24 is preauth failed in KRB_ERROR protocol messages, but *not* in
a library return value. Library return values have their own error
table distinct from the KRB_ERROR protocol, and, as Nico said, positive
library return values are system errnos; Kerberos errors are large (in
magnitude) negative numbers.

--
Dan Riley                                         dsr@mail.lns.cornell.edu
"Mr. Ellison is presently the sole member of the Plan Committee. The Plan
Committee did not meet during fiscal year 2001, and during that same
period, acted 46 times by unanimous written consent."
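The two points Nico and Dan make above (a positive library return value is a plain errno, a negative one comes from a com_err error table, and 24 on its own is EMFILE) can be checked mechanically. The C program below is an added example, not code from the thread or from MIT krb5. It decodes a return code the way com_err's error_message() does: the low ERRCODE_RANGE (8) bits are the index and the rest is the table base, so with ERROR_TABLE_BASE_krb5 = -1765328384 the protocol-level "preauth failed" becomes KRB5KDC_ERR_PREAUTH_FAILED = base + 24, which no longer collides with errno 24. It then reproduces error 24 by leaking file handles in a loop under a lowered RLIMIT_NOFILE, which is the kind of defect that makes a strictly sequential caller like the original poster's fail after enough calls. It assumes a POSIX system with /dev/null; open_config() is a hypothetical stand-in for a file the library opens on every call (the profile, for instance).

```c
/* Added example (not from the thread, not MIT krb5 code): decode a krb5_error_code
 * the way com_err does, and reproduce "error 24" with a descriptor leak.
 * Assumes POSIX and a readable /dev/null. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* com_err packs a code as table_base + index; the low ERRCODE_RANGE bits are the index. */
#define ERRCODE_RANGE 8
#define ERROR_TABLE_BASE_krb5 (-1765328384L)            /* == KRB5KDC_ERR_NONE */
#define KRB5KDC_ERR_PREAUTH_FAILED (ERROR_TABLE_BASE_krb5 + 24)

enum code_kind { CODE_OK, CODE_SYSTEM_ERRNO, CODE_KRB5_TABLE, CODE_OTHER_TABLE };

long table_index(long code) { return code & ((1L << ERRCODE_RANGE) - 1); }

/* A small positive code is a plain errno (strerror() applies); anything else belongs
 * to a com_err table, identified by the code minus its index. */
enum code_kind classify_code(long code)
{
    if (code == 0) return CODE_OK;
    if (code > 0 && code < (1L << ERRCODE_RANGE)) return CODE_SYSTEM_ERRNO;
    return (code - table_index(code)) == ERROR_TABLE_BASE_krb5 ? CODE_KRB5_TABLE
                                                                : CODE_OTHER_TABLE;
}

/* Count descriptors this process holds by probing fcntl(F_GETFD): portable, no /proc. */
int count_open_fds(int limit)
{
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Hypothetical stand-in for a file the library opens on each call. */
static FILE *open_config(void) { return fopen("/dev/null", "r"); }

/* Calls open_config() `calls` times with the soft RLIMIT_NOFILE set 16 above the
 * current descriptor count. With leak == 0 every handle is closed and no call fails;
 * with leak != 0 the handles are kept, so the loop fails with EMFILE (24) even though
 * each call is made one at a time. Returns the errno of the first failed open, or 0. */
int run_under_load(int calls, int leak)
{
    struct rlimit saved, low;
    FILE *kept[64];
    int nkept = 0, err = 0;

    if (getrlimit(RLIMIT_NOFILE, &saved) != 0) return -1;
    int probe = saved.rlim_cur < 4096 ? (int)saved.rlim_cur : 4096;
    low = saved;
    low.rlim_cur = count_open_fds(probe) + 16;      /* room for exactly 16 more */
    if (setrlimit(RLIMIT_NOFILE, &low) != 0) return -1;

    for (int i = 0; i < calls; i++) {
        FILE *f = open_config();
        if (f == NULL) { err = errno; break; }
        if (leak && nkept < 64) kept[nkept++] = f;  /* the bug: handle never closed */
        else fclose(f);
    }
    for (int i = 0; i < nkept; i++) fclose(kept[i]); /* clean up the simulated leak */
    setrlimit(RLIMIT_NOFILE, &saved);
    return err;
}

int main(void)
{
    long codes[] = { 24, KRB5KDC_ERR_PREAUTH_FAILED, ERROR_TABLE_BASE_krb5 + 6 };
    for (size_t i = 0; i < sizeof(codes) / sizeof(codes[0]); i++) {
        long c = codes[i];
        if (classify_code(c) == CODE_SYSTEM_ERRNO)
            printf("%ld: system errno (%s)\n", c, strerror((int)c));
        else
            printf("%ld: com_err table base %ld, index %ld\n",
                   c, c - table_index(c), table_index(c));
    }
    printf("correct loop -> errno %d; leaking loop -> errno %d (EMFILE is %d)\n",
           run_under_load(64, 0), run_under_load(64, 1), EMFILE);
    return 0;
}
```

The decoder is the check to run before chasing a Kerberos-side cause: if classify_code() says errno, the bug is in resource handling around the library (handles not released, the 32-bit stdio limit Nico mentions), not in the KDC exchange. The lowered soft limit is only a way to make the leak visible quickly; the same loop without a limit fails after a few thousand iterations instead.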
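Going back to the ticket-forwarding thread: the rule the discussion converges on (Wyllys Ingersoll's fwd_tgt.c sketch, Doug Engert's point that addresses exist to tie a ticket to one machine, Ken Hornstein's note that the target must hold the address it actually uses to reach the KDC) can be modelled without the krb5 headers. The C program below is an added example, not MIT krb5 code: addr_list with string IPs stands in for krb5_address, choose_forwarded_addresses() is the proposed decision rule, ticket_usable_from() is the check made when the ticket is presented, and forwarded_tgt_usable() replays Cesar's situation with a multihomed target whose NIS gethostbyname() answer holds a single address. Refusing to forward an addressed TGT when the target cannot be resolved at all is this example's own choice; the IP addresses are constructed documentation-range values.

```c
/* Added example (not MIT krb5 code): a model of the forwarded-TGT address policy
 * discussed in the thread. String IPs stand in for krb5_address; nothing here
 * talks to a KDC. */
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 8
typedef struct {
    int n;                      /* n == 0 means an addressless ticket */
    const char *ip[MAX_ADDRS];
} addr_list;

/* Decision rule from the thread: an addressless TGT yields an addressless forwarded
 * TGT; otherwise the forwarded TGT carries only the remote host's addresses, so it is
 * usable only from the machine it was forwarded to. Returns -1 if the remote host
 * could not be resolved at all (this example's choice): an addressed ticket with no
 * addresses would be usable nowhere. */
int choose_forwarded_addresses(const addr_list *tgt, const addr_list *rhost, addr_list *out)
{
    out->n = 0;
    if (tgt->n == 0)
        return 0;
    if (rhost->n == 0)
        return -1;
    for (int i = 0; i < rhost->n && i < MAX_ADDRS; i++)
        out->ip[out->n++] = rhost->ip[i];
    return 0;
}

/* The check made when the ticket is presented (by the KDC on a TGS request or by an
 * application server): an addressless ticket is accepted from any peer, an addressed
 * one only from a peer whose address is listed. This is what lets addresses detect a
 * ticket replayed from a machine other than the one it was issued for. */
int ticket_usable_from(const addr_list *ticket, const char *peer)
{
    if (ticket->n == 0)
        return 1;
    for (int i = 0; i < ticket->n; i++)
        if (strcmp(ticket->ip[i], peer) == 0)
            return 1;
    return 0;
}

/* Replays Cesar's situation with constructed addresses: the target host owns
 * 192.0.2.10 and a cluster service address 192.0.2.11, but gethostbyname() via NIS
 * returns only the first. tgt_addressless selects a `kinit -A` style TGT (1) or one
 * bound to the client's address (0); use_from is the address the target host later
 * uses to talk to the KDC with the forwarded TGT. */
int forwarded_tgt_usable(int tgt_addressless, const char *use_from)
{
    addr_list tgt = { tgt_addressless ? 0 : 1, { "198.51.100.7" } };
    addr_list nis_view = { 1, { "192.0.2.10" } };
    addr_list fwd;
    if (choose_forwarded_addresses(&tgt, &nis_view, &fwd) != 0)
        return 0;
    return ticket_usable_from(&fwd, use_from);
}

/* An addressed TGT whose target cannot be resolved is refused rather than being
 * silently turned into an addressless one. */
int unresolved_target_refused(void)
{
    addr_list tgt = { 1, { "198.51.100.7" } };
    addr_list none = { 0, { 0 } };
    addr_list fwd;
    return choose_forwarded_addresses(&tgt, &none, &fwd) == -1 && fwd.n == 0;
}

int main(void)
{
    printf("addressed TGT, used from 192.0.2.10:   %d\n", forwarded_tgt_usable(0, "192.0.2.10"));
    printf("addressed TGT, used from 192.0.2.11:   %d\n", forwarded_tgt_usable(0, "192.0.2.11"));
    printf("addressless TGT, used from 192.0.2.11: %d\n", forwarded_tgt_usable(1, "192.0.2.11"));
    return 0;
}
```

The second line of output is Cesar's failure: the forwarded TGT is bound to the one address NIS returned, so the moment the target host reaches the KDC from its cluster address the ticket is rejected. The third line is Ken's way out, an addressless TGT, which trades that breakage for losing the address check as a theft detector, which is exactly the trade-off Doug describes.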
From news@ra.nrl.navy.mil Fri Feb 8 16:40:29 2002
From: "vkd"
Date: Fri, 08 Feb 2002 21:27:05 GMT
To: kerberos@MIT.EDU
Subject: pam_krb5 for solaris

Where can I get proper pam_krb5 source that works on solaris?
I got one from this site: http://www.fcusack.com
but get this error message:

Feb 8 15:50:11 dot2 sshd[5445]: fatal: PAM initialisation failed[4]: System error
Feb 8 15:50:46 dot2 sshd[5448]: load_modules: can not open module /usr/lib/security/pam_krb5.so.1

Now, just a check:
----------------------------------------
$ ls -la /usr/lib/security/pam_krb5.so.1
-rwxr-xr-x   1 root     other     724852 Feb  8 15:46 /usr/lib/security/pam_krb5.so.1*
$ ldd /usr/lib/security/pam_krb5.so.1
        libpam.so.1 =>   /usr/lib/libpam.so.1
        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2
        /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
$ file /usr/lib/security/pam_krb5.so.1
/usr/lib/security/pam_krb5.so.1:        ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped
----------------------------------------

Here is how I modified the Makefile:

CC = gcc
CFLAGS = -O2 -fPIC
#LDFLAGS = -shared
LDFLAGS = -G
DESTDIR = /usr/lib/security
MANDIR = /usr/local/man/man5
OSLIBS = -lpam -lnsl -lsocket
KRB5LIBS = -L/usr/kerberos/lib -R/usr/kerberos/lib -lkrb5 -lk5crypto -lcom_err
LIBS = $(OSLIBS) $(KRB5LIBS)
INC = -I/usr/include -I/usr/kerberos/include -I/usr/local/include

The version of Kerberos installed into /usr/kerberos is MIT (latest
stable release). I didn't know of any other Kerberos distros. Are there
any? How do they compare?

Any ideas? How should one properly set up Kerberos into PAM?
Here is my SSH config in pam.conf:

######################################################################
# SSH
######################################################################
#sshd   auth     sufficient  /usr/lib/security/pam_krb5.so.1 try_first_pass
sshd    auth     required    /usr/lib/security/pam_unix.so.1
sshd    account  required    /usr/lib/security/pam_unix.so.1
sshd    session  required    /usr/lib/security/pam_unix.so.1
#sshd   session  optional    /usr/lib/security/pam_krb5.so.1

I commented it out for now (since it doesn't work) but that's what I used.

From news@ra.nrl.navy.mil Fri Feb 8 17:25:28 2002
Date: Fri, 08 Feb 2002 22:23:37 GMT
From: Christopher Burke
To: kerberos@MIT.EDU
Subject: Re: Error "24" returned from INIT_CONTEXT under load
References: <20020208113432.V27171@sm2p1386swk.wdr.com>

Nicolas.Williams@ubsw.com (Nicolas Williams) wrote in
news:20020208113432.V27171@sm2p1386swk.wdr.com:

> Positive errors are system errors (see intro(2) and your system's
> errno.h).
>
> It's most likely this: your process ran out of file descriptors. I.e.,
> error 24 is EMFILE.
> > On Solaris you can get EMFILE from fopen() even though your process is > not out of file descriptors when: your process is 32-bits and all file > descriptors < 256 are taken. But it only gets called one at a time, and I remove/free both the context and the credential cache.... -- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From chama0@eudoramail.com Sat Feb 9 00:27:17 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id AAA01832 for ; Sat, 9 Feb 2002 00:27:15 -0500 (EST) Received: from eudoramail.com (host-64-110-31-18.interpacket.net [64.110.31.18]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with SMTP id AAA21807 for ; Sat, 9 Feb 2002 00:27:10 -0500 (EST) Message-Id: <200202090527.AAA21807@pacific-carrier-annex.mit.edu> From: "dr.mrs.marian abacha" To: Subject: urgent assistance Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Date: Fri, 8 Feb 2002 06:27:55 +0100 Reply-To: "dr.mrs.marian abacha" Content-Transfer-Encoding: 8bit Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: ATTN: THE PRESIDENT/CEO Dear Sir / Madam, I am Dr. Mrs. Marian Abacha, wife to the late Nigerian Head of state, General Sani Abacha who died on the 8th of June 1998 while still on active service for our Country. I am contacting you with the hope that you will be of great assistance to me, I currently have within my reach the sum of 76 MILLION U.S. dollars cash which I intend to use for investment purposes outside Nigeria. This money came as a result of a payback contract deal between my husband and a Russian firm in our country's multi-billion dollar Ajaokuta steel plant.
The Russian partners returned my husband's share being the above sum after his death. Presently, the new civilian Government has intensified their probe into my husband's financial resources, which has led to the freezing of all our accounts, local and foreign, the revoking of all our business licenses and the arrest of my First son. In view of this I acted very fast to withdraw this money from one of our finance houses before it was closed down. I have deposited the money in a security vault for safe keeping with the help of very loyal officials of my late husband. No record is known about this fund by the government because there is no documentation showing that we received such funds. Due to the current situation in the country and government attitude to my financial affairs, I cannot make use of this money within. Bearing in mind that you may assist me, 20% of the total amount will be paid to you for your assistance, while 5% will be set aside for expenses incurred by the parties involved and this will be paid before sharing. Half of my 75% will be paid into my account on your instruction once the money hits your account, while the other half will be invested by your humble self in any viable business venture you deem fit, with you as manager of the invested funds. Remunerations, during the investment period will be on a 50/50 basis. Your URGENT response is needed. All correspondence must be through my lawyer, fax: 234-1-7594494. Attentioned to my attorney (abbas bundu). Please do not forget to include your direct tel/fax line for easy reach. I hope I can trust you with my family's last financial hope. Regards Dr. Mrs. Marian Sani Abacha.
C/o abbas bundu (counsel) From news@ra.nrl.navy.mil Sat Feb 9 12:10:34 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id MAA03846 for ; Sat, 9 Feb 2002 12:10:31 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id MAA24085 for ; Sat, 9 Feb 2002 12:10:31 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g19GuNR10959 for kerberos@MIT.EDU; Sat, 9 Feb 2002 11:56:23 -0500 (EST) From: nijsure@cs.unt.edu (Sandeep) X-Newsgroups: comp.protocols.kerberos Subject: MD5 passwords possible with Kerberos? Date: 9 Feb 2002 08:59:01 -0800 Organization: http://groups.google.com/ Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hi all, I am kinda new to Kerberos, but I have read that one of the biggest drawbacks of Kerberos is that the passwords need to be stored cleartext on the master server, a BIG security risk.. Just like Unix passwords are never stored cleartext, but always hashed, why not do the same thing with Kerberos? Store MD5 passwords on the master server, and use them for encrypting the TGT. So the Kerberized login will first compute the MD5 hash, and then decode the initial TGT. Is this already done in Kerberos? if yes, what is the version that supports this? 
Thanks a lot Sandeep From news@ra.nrl.navy.mil Sat Feb 9 21:40:33 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id VAA05754 for ; Sat, 9 Feb 2002 21:40:33 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id VAA25354 for ; Sat, 9 Feb 2002 21:40:33 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1A2V1L20059 for kerberos@MIT.EDU; Sat, 9 Feb 2002 21:31:01 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Re: MD5 passwords possible with Kerberos? From: Christopher Burke References: Message-ID: Date: Sun, 10 Feb 2002 02:33:38 GMT Organization: BigPond Internet Services (http://www.bigpond.net.au) To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: nijsure@cs.unt.edu (Sandeep) wrote in news:b04cb7e1.0202090859.3d9370b3 @posting.google.com: > I am kinda new to Kerberos, but I have read that one of the biggest > drawbacks of Kerberos is that the passwords need to be stored > cleartext on the master server, a BIG security risk.. > I don't think so ... I am sure our K4 passwords are hashed on the server. 
-- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From mdw@umich.edu Sat Feb 9 21:59:15 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id VAA05839 for ; Sat, 9 Feb 2002 21:59:15 -0500 (EST) Received: from quince.ifs.umich.edu (quince.ifs.umich.edu [141.213.229.138]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with SMTP id VAA18111 for ; Sat, 9 Feb 2002 21:59:15 -0500 (EST) Received: from pepper-pot (pepper-pot.ifs.umich.edu [141.213.229.91]) by quince.ifs.umich.edu (8.6.13/8.6.12) with ESMTP id VAA11501; Sat, 9 Feb 2002 21:59:13 -0500 Message-Id: <200202100259.VAA11501@quince.ifs.umich.edu> To: nijsure@cs.unt.edu (Sandeep) cc: kerberos@mit.edu Subject: Re: MD5 passwords possible with Kerberos? In-reply-to: Your message of "09 Feb 2002 08:59:01 PST." Date: Sat, 09 Feb 2002 21:59:13 -0500 From: Marcus Watts Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: nijsure@cs.unt.edu (Sandeep) writes: > Hi all, > > I am kinda new to Kerberos, but I have read that one of the biggest > drawbacks of Kerberos is that the passwords need to be stored > cleartext on the master server, a BIG security risk.. > > Just like Unix passwords are never stored cleartext, but always > hashed, why not do the same thing with Kerberos? Store MD5 passwords > on the master server, and use them for encrypting the TGT. So the > Kerberized login will first compute the MD5 hash, and then decode the > initial TGT. > > Is this already done in Kerberos? if yes, what is the version that > supports this? The MIT KDC does not store passwords in the clear. It stores keys derived via a one-way algorithm from the user's password. 
For further security, these keys are also encrypted once more using a "master secret" key, which can be stored offline if desired. The "master secret" stuff is all described in the kerberos documentation - administration and installation. In kerberos, the one-way algorithm is called the "string to key" function. I believe current versions of MIT support 3 basic "string to key" algorithms, which could be called "des", "afs", and "n-fold" (used for des3). All of these have theoretical disadvantages. It's been proposed to use pbkdf2 (from PKCS #5) with AES - which is sorta based on the MD5 Unix crypt function. That has its own issues. All of these issues pale in comparison to some much more fundamental problems with using Kerberos securely - while this is a good theoretical area to investigate, if you're interested in practical security there's a bunch of other things that are *far* more important to solve first. Here is an incomplete list of weaknesses that you might find more useful to consider:

(1) Most production kerberos realms still use regular DES and no preauth. This means they should not be used to protect any secret worth more than $100,000.

(2) If you can somehow compromise an operational KDC, you can very likely get a copy of everyone's key. If you know the key, you don't *need* to know the password; the key is good enough to impersonate the person. It is *MUCH* more important to protect a KDC key database than it is to protect a regular Unix password database. Fortunately, it is also easier to do this, because a KDC should not be accessible by regular users and should be providing as few services as possible. The practical use of the "master secret" is to make kerberos database backups useless to an attacker. There *are* ways to make even complete knowledge of what's in a KDC database "less" useful. Stanford's SRP is one attempt to do this. There are some computational scaling issues to doing this in a large KDC.
(3) Most humans can only remember a plaintext password containing about 40 bits of entropy. Even using DES3 won't fix this problem. Preauth with some additional secret is probably the only real fix for this. Some people claim additional computational complexity in the string to key function will fix this, but I think this is only a placebo -- see (6).

(4) It would be worth changing the key for krbtgt and other important security principals on a regular basis. This is especially important for DES. I don't know of any simple way to make this automatically happen in MIT K5. This is one of the areas where Transarc's kaserver was actually stronger.

(5) A crucial weakness in many security systems is the random number generator. MIT K5 has gotten better, but I don't know that this is entirely fixed yet.

(6) Salts have some interesting properties. In Unix, the salt is generally regarded as a "secret", which can be securely communicated to the login application. In Kerberos, the salt is public information. Worse yet, the client doesn't generally have any good way to securely acquire the salt, which means an active attacker can supply bogus salt. This means the active attacker can very likely dramatically simplify a dictionary attack by forcing clients to use one chosen salt.

(7) Most existing kerberos realms have production practices that make most of the above moot. This includes services that support or even require clear text passwords, services that don't check the integrity of the session, weaknesses in the human components that deliver initial passwords or handle password resets, &etc. Web authentication is one area that is generally particularly hard to do "right".

In any real security system, there are interesting tradeoffs between security and utility. It's hard to do a really good job with either. Even kerberos is not a panacea here. When you say "md5", there are actually 2 things you could mean.
You could mean the MD5 hash algorithm, as described in RFC 1321, or you could mean a common Unix "crypt" function replacement, which I *think* was first done by Poul-Henning Kamp for freebsd, which is based on md5 but includes an additional layer of nested computational complexity on top of that. The "computational complexity" part is already obsolete - computers are now fast enough that this is not nearly as large a barrier to a dictionary attack. The interesting thing, though, is that md5 does in fact represent a reasonably large active population of 128 bit keys with associated passwords stored in meatware. It would be attractive to be able to leverage this installed base. I have, in fact, been able to do just this on an experimental basis: I've been able to take a Unix password file containing "md5" hashed passwords, dump them into a kerberos database, and use those passwords and keys with K5. There's a ways to go from my experimental code to actual practical production code--among other things, I ended up using RC6, which lost in the AES competition. There are efforts to define the use of rijndael with K5, which seem to have gotten bogged down - too much of what's been proposed seems to only exist in people's heads right now. If this pans out right, though, it may well someday be practical to dump a Unix shadow file with md5 hashed passwords into K5 and to use it with AES.
-Marcus Watts UM ITCS Umich Systems Group From news@ra.nrl.navy.mil Sun Feb 10 06:10:36 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id GAA07205 for ; Sun, 10 Feb 2002 06:10:36 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA13766 for ; Sun, 10 Feb 2002 06:10:35 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1AAvqh26821 for kerberos@MIT.EDU; Sun, 10 Feb 2002 05:57:53 -0500 (EST) From: "Philippe Perrin" X-Newsgroups: comp.protocols.kerberos Subject: Cross-realm authentication (Win2k - SEAM) Date: Sun, 10 Feb 2002 11:50:01 +0100 Organization: ENSEIRB Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hi ! I've come across a little problem, while trying to authenticate on a Windows 2000 KDC for using Solaris SEAM services with a trust relationship. Here are the two realms : 1) KERBYKB.LOCAL is the W2k domain. It trusts and is trusted by the other one : THOTKB 2) THOTKB is a SEAM realm. Here is what I can do on a client : - "kinit " works with KERBYKB.LOCAL : I get a krbtgt/KERBYKB.LOCAL@KERBYKB.LOCAL ticket (type = des-cbc-crc), given by the W2k KDC - then I want a TGT for the other realm : "kgetcred krbtgt/THOTKB@KERBYKB.LOCAL" works : I get a krbtgt/THOTKB@KERBYKB.LOCAL ticket (etype: des-cbc-crc) given by the W2k KDC - lastly, I ask for a service ticket of the second realm (from the SEAM KDC) : "kgetcred host/thot.mds@THOTKB" does NOT work, the server says (both in its logs and on the client's console) "KDC has no support for checksum type" All my krb5.conf and kdc.conf files ask for des-cbc-crc. 
What did I do wrong ? Where could the problem come from ? Thank you ! Philippe Perrin From news@ra.nrl.navy.mil Sun Feb 10 13:55:36 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id NAA08494 for ; Sun, 10 Feb 2002 13:55:36 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id NAA01842 for ; Sun, 10 Feb 2002 13:55:35 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1AIrl607400 for kerberos@MIT.EDU; Sun, 10 Feb 2002 13:53:48 -0500 (EST) From: steiner@bakerst.rutgers.edu (Dave Steiner) X-Newsgroups: comp.protocols.kerberos Subject: RFC: perl modules for Kerberos database parsing Date: 10 Feb 2002 10:53:35 -0800 Organization: http://groups.google.com/ Message-ID: <3b609da.0202101053.78fd4574@posting.google.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: In a previous message I mentioned that I needed to generate a list of all principals that have the KRB5_KDB_DISALLOW_ALL_TIX attribute set. So I need to parse the Kerberos database. I've written a prototype perl module to parse the Kerberos database, either from a dumped file or directly from Kerberos (via "krb5_edit -r dump |"). I want to know if people would find something like this interesting and useful. Should I work this up into a full/complete module and post it to CPAN? If so, what features would people like? After some thinking about it, here's a preliminary design to give you an idea of what I'm talking about. There would be two levels of perl modules: 1. Deal with the database itself but would not parse the actual entries. 
You can load the data in one of two modes: (1) You can read the records one at a time and process as you go along, or (2) you can read in all the records without processing them but saving the data in the database object and then process them. This module supplies a database object and the following methods:

new() - open the database, either from a file or from a pipe. Examine the header to decide what version of dump format this is. Load in the appropriate module(s) to parse the principal and policy records. Return a database object. Various options will allow you to set the level of data consistency checking, the kerberos realm, etc.

next() - return the next record in the input stream as an object. This will either be a principal or policy object, depending on what was found (see below).

read() - read and parse all records and stores them in the database object (for large databases this will take up a lot more memory than the above method). Returns true on success and undef on failure.

principals() - returns a reference to an array of principal objects (loaded in from the read() method).

policies() - returns a reference to an array of policy objects (loaded in from the read() method).

close() - close the input stream and report any errors.

2. Modules to parse database records and return them as either principal or policy objects. Generally you wouldn't have to create the principal or policy objects yourself as database methods would do that for you but the constructors are new_princ() and new_policy(). There are accessor methods for all fields plus some additional ones (like parsed date fields and an object type). All versions of dump formats would eventually be supported and the database module would load the appropriate dump format module for you.
So the code to implement my needs is (along with some additional info printed out):

#!/usr/local/bin/perl -w
use strict;
use Kerberos::KDB;

my $db = Kerberos::KDB->new( file => 'slave_trans' );
while (my $p = $db->next) {
    if ($p->type eq 'princ') {
        # value of KRB5_KDB_DISALLOW_ALL_TIX
        # from /usr/local/include/krb5/kdb.h
        if ($p->attributes & 0x00000040) {
            print $p->name, ": attributes: ", $p->attributes, " [DISALLOW_ALL_TIX]\n";
        }
        if ($p->fail_auth_count > 5) {
            print $p->name, ": fail_auth_count: ", $p->fail_auth_count, "\n";
        }
    }
    if ($p->type eq 'policy') {
        print "Found policy '", $p->name, "'\n";
    }
}
$db->close;

So, would people find something like this useful? If so, what other kind of features would you like to see? -ds

From news@ra.nrl.navy.mil Mon Feb 11 00:36:10 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id AAA10376 for ; Mon, 11 Feb 2002 00:36:10 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id AAA23590 for ; Mon, 11 Feb 2002 00:36:09 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1B5QNs08690 for kerberos@MIT.EDU; Mon, 11 Feb 2002 00:26:23 -0500 (EST) From: "Mnemosyne" X-Newsgroups: comp.protocols.kerberos Subject: Fail to build cyrus-sasl with kerberos Date: Mon, 11 Feb 2002 12:40:32 +0800 Organization: Another Netscape Collabra Server User Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hi all, I have tried to build kerberos (1.2.3, 1.2.2) and cyrus-sasl (1.5.27) from source; it always fails when building the dbconverter. Has anyone been able to build it?
From kenh@cmf.nrl.navy.mil Mon Feb 11 01:00:46 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id BAA10503 for ; Mon, 11 Feb 2002 01:00:46 -0500 (EST) Received: from ginger.cmf.nrl.navy.mil (ginger.cmf.nrl.navy.mil [134.207.12.161]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id BAA27107 for ; Mon, 11 Feb 2002 01:00:46 -0500 (EST) Received: from cmf.nrl.navy.mil (pendragon.cmf.nrl.navy.mil [134.207.5.3]) (authenticated) by ginger.cmf.nrl.navy.mil (8.10.1/8.10.1) with ESMTP id g1B60SG22698; Mon, 11 Feb 2002 01:00:28 -0500 (EST) Message-Id: <200202110600.g1B60SG22698@ginger.cmf.nrl.navy.mil> To: Marcus Watts cc: kerberos@mit.edu Subject: Re: MD5 passwords possible with Kerberos? In-reply-to: Your message of "Sat, 09 Feb 2002 21:59:13 EST." <200202100259.VAA11501@quince.ifs.umich.edu> X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4 WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d gD\SW #]iN_U0 KUmOR.P<|um5yPkEpSD@*e` Date: Mon, 11 Feb 2002 01:00:27 -0500 From: Ken Hornstein Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >(6) Salts have some interesting properties. In Unix, the salt is generally > regarded as a "secret", which can be securely commmunicated to > the login application. In Kerberos, the salt is public > information. Worse yet, the client doesn't generally have any > good way to securely acquire the salt, which means an active > attacker can supply bogus salt. This means the active attacker > can very likely dramatically simplify a dictionary attack by > forcing clients to use one chosen salt. I think I'm missing some piece of the puzzle here. 
The default V5 salt is the complete principal name ... which a client already knows. But even if you manage to spoof the AS_REP and fool the client into using another salt ... he's just decrypting data on his end. How does that help you? (And won't KRB-ERROR checksums prevent this attack as well?) --Ken From Nicolas.Williams@ubsw.com Mon Feb 11 09:19:52 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA12108 for ; Mon, 11 Feb 2002 09:19:52 -0500 (EST) Received: from gate2.stm.ubswarburg.com (gate2.stm.ubswarburg.com [151.191.1.12]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id JAA20765 for ; Mon, 11 Feb 2002 09:19:51 -0500 (EST) Received: (from smap@localhost) by gate2.stm.ubswarburg.com (8.8.8/8.8.8) id JAA16446; Mon, 11 Feb 2002 09:19:36 -0500 (EST) Received: from (thirteen.ubswarburg.com [192.168.0.7]) by gate2 via smap (V2.0/ubsw) id xma016097; Mon, 11 Feb 2002 09:19:17 -0500 Received: from sm0p9035pos.stm.swissbank.com (virscan4 [192.168.0.7]) by virscan4.swissbank.com (8.8.8/8.8.8) with ESMTP id JAA11785; Mon, 11 Feb 2002 09:20:20 -0500 (EST) Received: from sm2p1386swk.stm.swissbank.com (sm2p1386swk.stm.swissbank.com [151.191.93.86]) by sm0p9035pos.stm.swissbank.com (8.8.8/8.8.8) with ESMTP id JAA02798; Mon, 11 Feb 2002 09:18:14 -0500 (EST) Received: (willian@localhost) by sm2p1386swk.stm.swissbank.com (8.9.3+Sun/8.6.12) id JAA12500; Mon, 11 Feb 2002 09:17:11 -0500 (EST) Date: Mon, 11 Feb 2002 09:17:11 -0500 From: Nicolas Williams To: Christopher Burke Cc: kerberos@mit.edu Subject: Re: Error "24" returned from INIT_CONTEXT under load Message-ID: <20020211091710.E27171@sm2p1386swk.wdr.com> Mail-Followup-To: Christopher Burke , kerberos@mit.edu References: <20020208113432.V27171@sm2p1386swk.wdr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us In-Reply-To: ; from craznar@hotmail.com on Fri, Feb 08, 2002 at 10:23:37PM +0000 
Precedence: list X-WDR-Disclaimer: Version $Revision: 1.15 $ Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: On Fri, Feb 08, 2002 at 10:23:37PM +0000, Christopher Burke wrote: > But it only gets called one at a time, and I remove/free both the context and > the credential cache.... Something's leaking file descriptors then. Either your code or MIT krb5. Use lsof/strace/truss/pfiles/whatever to examine the process and the accumulation of file descriptors. Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. 
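Picking up point (6) of Marcus Watts' list and Ken Hornstein's question about it, the following is an added example written for this archive; it is not code from either poster, from MIT Kerberos, or from any of the projects mentioned in the thread. It isolates the one part of the salt argument that can be shown in code: the work an offline dictionary attack costs when every principal has its own (public) salt, versus when every client could be made to derive its key with a single attacker-chosen salt. It does not model how an attacker would obtain ciphertext to test candidate keys against, which is the part Ken is asking about. Assumptions, also marked in the code: string-to-key is modelled by the PBKDF2 stage of the PKCS #5 scheme Marcus mentions (HMAC-SHA1, as RFC 3962 later specified for the AES enctypes; the final DK() step that needs AES is left out, so the result is RFC 3962's intermediate "tkey" and not a usable Kerberos key); the default salt is the realm name followed by the principal name components with no separator; the realm, principals, passwords and dictionary are constructed test data.

```python
import hashlib

# Default Kerberos V5 salt: realm followed by the principal's name components,
# concatenated with no separators (for example "ATHENA.MIT.EDUraeburn").
def default_salt(realm, components):
    return realm + "".join(components)

# PBKDF2 stage of the RFC 3962 AES string-to-key.  RFC 3962 then applies a
# DK() step with AES, omitted here, so this returns the intermediate "tkey".
def string_to_key(password, salt, iterations=4096, keylen=16):
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)

def crack_per_principal_salt(targets, dictionary, iterations=4096):
    """targets maps principal -> (salt, key).  With a distinct salt per
    principal every (word, principal) pair costs one string-to-key run, and
    nothing computed for one principal can be reused for another."""
    recovered, work = {}, 0
    for princ, (salt, key) in targets.items():
        for word in dictionary:
            work += 1
            if string_to_key(word, salt, iterations) == key:
                recovered[princ] = word
                break
    return recovered, work

def crack_forced_salt(targets, dictionary, forced_salt, iterations=4096):
    """If every client was tricked into deriving its key with forced_salt, a
    single table of len(dictionary) entries tests every principal at once."""
    table = {string_to_key(w, forced_salt, iterations): w for w in dictionary}
    recovered = {p: table[key] for p, (_salt, key) in targets.items() if key in table}
    return recovered, len(dictionary)

def shared_keys(targets):
    """Groups of principals whose stored keys are byte-identical.  This can
    only happen when their salts collide, so it leaks shared passwords for free."""
    by_key = {}
    for princ, (_salt, key) in targets.items():
        by_key.setdefault(key, []).append(princ)
    return [sorted(ps) for ps in by_key.values() if len(ps) > 1]

# Constructed test data, not from any real realm.
REALM = "EXAMPLE.ORG"
PASSWORDS = {"alice": "hunter2", "bob": "qwerty", "carol": "hunter2"}
DICTIONARY = ["letmein", "hunter2", "kerberos", "password", "s3cret", "qwerty"]
ITER = 64  # small iteration count so the demo runs quickly; RFC 3962 defaults to 4096

def derive_targets(salt_for, iterations=ITER):
    """What a KDC (or an eavesdropper) ends up holding: principal -> (salt, key)."""
    return {p: (salt_for(p), string_to_key(pw, salt_for(p), iterations))
            for p, pw in PASSWORDS.items()}

def demo():
    honest = derive_targets(lambda p: default_salt(REALM, [p]))
    rec_honest, work_honest = crack_per_principal_salt(honest, DICTIONARY, ITER)
    forced = derive_targets(lambda p: "attacker-chosen")
    rec_forced, work_forced = crack_forced_salt(forced, DICTIONARY, "attacker-chosen", ITER)
    return (rec_honest, work_honest, rec_forced, work_forced,
            shared_keys(honest), shared_keys(forced))

if __name__ == "__main__":
    print(demo())
```

The RFC 3962 test vector (pass phrase "password", salt "ATHENA.MIT.EDUraeburn", one iteration) checks that string_to_key really is the PBKDF2 stage of that specification. In the constructed data the per-principal salts also hide the fact that alice and carol share a password; under the forced salt their stored keys collide, which an attacker can see without cracking anything, and the whole dictionary is derived once instead of once per principal.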
From Nicolas.Williams@ubsw.com Mon Feb 11 10:24:39 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA12323 for ; Mon, 11 Feb 2002 10:24:38 -0500 (EST) Received: from gate.stm.swissbank.com (gate.stm.ubswarburg.com [151.191.1.10]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id KAA28476 for ; Mon, 11 Feb 2002 10:24:38 -0500 (EST) Received: (from smap@localhost) by gate.stm.swissbank.com (8.8.8/8.8.8) id KAA15973; Mon, 11 Feb 2002 10:27:43 -0500 (EST) Received: from (eight.ubswarburg.com [192.168.0.3]) by gate via smap (V2.0) id xma012813; Mon, 11 Feb 2002 10:23:37 -0500 Received: from sm0p9035pos.stm.swissbank.com (virscan1 [192.168.0.3]) by virscan1.swissbank.com (8.8.8/8.8.8) with ESMTP id KAA02486; Mon, 11 Feb 2002 10:18:45 -0500 (EST) Received: from sm2p1386swk.stm.swissbank.com (sm2p1386swk.stm.swissbank.com [151.191.93.86]) by sm0p9035pos.stm.swissbank.com (8.8.8/8.8.8) with ESMTP id KAA27869; Mon, 11 Feb 2002 10:20:10 -0500 (EST) Received: (willian@localhost) by sm2p1386swk.stm.swissbank.com (8.9.3+Sun/8.6.12) id KAA13210; Mon, 11 Feb 2002 10:19:08 -0500 (EST) Date: Mon, 11 Feb 2002 10:19:07 -0500 From: Nicolas Williams To: Dave Steiner Cc: kerberos@mit.edu Subject: Re: RFC: perl modules for Kerberos database parsing Message-ID: <20020211101906.H27171@sm2p1386swk.wdr.com> Mail-Followup-To: Dave Steiner , kerberos@mit.edu References: <3b609da.0202101053.78fd4574@posting.google.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0us In-Reply-To: <3b609da.0202101053.78fd4574@posting.google.com>; from steiner@bakerst.rutgers.edu on Sun, Feb 10, 2002 at 10:53:35AM -0800 Precedence: list X-WDR-Disclaimer: Version $Revision: 1.15 $ Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System 
Mailing List List-Unsubscribe: , List-Archive: I would certainly find that useful. I may contribute a library version of kdb5_util. The idea being to be able to perform partial dumps and loads from a larger program, possibly written in Perl. Looks like fairly few changes to get that going. Backending the KDB with (ugh) LDAP would be better (it has been done for Heimdal, BTW). And the whole KDB interface needs re-doing. It looks awful. But it's what we have to play with... Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.-
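As an added example in the spirit of the Kerberos::KDB design Dave Steiner sketches above and Nico's reply, here is the same audit as the Perl sketch done over a kdb5_util dump in Python. This was written for this archive; it is not Dave's module, not kdb5_util, and not the library Nico mentions. Assumptions, also marked in the code: the record layout is the tab-separated "kdb5_util load_dump version 5/6" text format as the author of this example understands it from MIT's dump.c (check the field order against the dump.c of your own release before relying on it); SAMPLE_DUMP is constructed, not a real database; the attribute bit value comes from kdb.h. One practical note that follows from Marcus's point (2) earlier in the archive: the key_data blobs in a dump are encrypted under the master key, but the file is still a copy of every principal's key material, so anything that reads dumps belongs on the KDC itself rather than on a workstation with a copied file.

```python
import io
from dataclasses import dataclass, field
from typing import List, Tuple

KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040  # from MIT krb5 kdb.h

@dataclass
class Principal:
    name: str
    attributes: int
    max_life: int
    max_renewable_life: int
    expiration: int
    pw_expiration: int
    last_success: int
    last_failed: int
    fail_auth_count: int
    tl_data: List[Tuple[int, bytes]] = field(default_factory=list)
    key_data: List[dict] = field(default_factory=list)  # kvno + (enctype, blob) pairs

@dataclass
class Policy:
    name: str
    pw_min_life: int
    pw_max_life: int
    pw_min_length: int
    pw_min_classes: int
    pw_history_num: int
    policy_refcnt: int

def _blob(text, expected_len, what, lineno):
    """Dumps write hex for data and the literal -1 for zero-length data."""
    data = b"" if text == "-1" else bytes.fromhex(text)
    if len(data) != expected_len:
        raise ValueError("line %d: %s is %d bytes, %d declared" % (lineno, what, len(data), expected_len))
    return data

def _parse_princ(f, lineno):
    # Assumed version 5/6 layout: princ, base_len, n_tl_data, n_key_data, e_length, name,
    # then 8 integer fields, tl_data triples, key_data groups, and e_data ending in ';'.
    n_tl, n_key, e_len = int(f[2]), int(f[3]), int(f[4])
    p = Principal(f[5], *[int(x) for x in f[6:14]])
    i = 14
    for _ in range(n_tl):
        p.tl_data.append((int(f[i]), _blob(f[i + 2], int(f[i + 1]), "tl_data", lineno)))
        i += 3
    for _ in range(n_key):
        ver, kvno = int(f[i]), int(f[i + 1])  # ver: 1 = key only, 2 = key + salt
        i += 2
        parts = []
        for _ in range(ver):
            parts.append((int(f[i]), _blob(f[i + 2], int(f[i + 1]), "key_data", lineno)))
            i += 3
        p.key_data.append({"kvno": kvno, "parts": parts})
    if i != len(f) - 1 or not f[i].endswith(";"):
        raise ValueError("line %d: malformed principal record" % lineno)
    _blob(f[i][:-1], e_len, "e_data", lineno)  # validated, not kept
    return p

def parse_dump(stream):
    """Yield Principal and Policy objects one record at a time (the next() mode)."""
    header = stream.readline().rstrip("\n")
    if not header.startswith("kdb5_util load_dump version "):
        raise ValueError("not a kdb5_util dump (header %r)" % header)
    version = int(header.rsplit(" ", 1)[1])
    if version not in (5, 6):
        raise ValueError("dump version %d not handled by this example" % version)
    for lineno, line in enumerate(stream, start=2):
        f = line.rstrip("\n").split("\t")
        if f == [""]:
            continue
        if f[0] == "princ":
            yield _parse_princ(f, lineno)
        elif f[0] == "policy" and len(f) == 8:
            yield Policy(f[1], *[int(x) for x in f[2:8]])
        else:
            raise ValueError("line %d: unrecognised record %r" % (lineno, f[0]))

def records(text):
    return list(parse_dump(io.StringIO(text)))

def audit(text, max_failures=5):
    """The checks from the Perl sketch: locked principals, failure counts, policies."""
    findings = []
    for rec in records(text):
        if isinstance(rec, Policy):
            findings.append((rec.name, "policy"))
            continue
        if rec.attributes & KRB5_KDB_DISALLOW_ALL_TIX:
            findings.append((rec.name, "DISALLOW_ALL_TIX"))
        if rec.fail_auth_count > max_failures:
            findings.append((rec.name, "fail_auth_count=%d" % rec.fail_auth_count))
    return findings

# Constructed sample, not a real database: alice is locked (attributes 0x40), bob has
# REQUIRES_PRE_AUTH (0x80) and 7 failed logins, krbtgt carries no key data in this toy.
SAMPLE_DUMP = (
    "kdb5_util load_dump version 6\n"
    "princ\t38\t1\t1\t0\talice@EXAMPLE.ORG\t64\t36000\t604800\t0\t0\t0\t0\t0"
    "\t1\t4\t3c5f2a10\t1\t2\t1\t8\t0011223344556677\t-1;\n"
    "princ\t38\t0\t1\t0\tbob@EXAMPLE.ORG\t128\t36000\t604800\t0\t0\t1013200000\t1013190000\t7"
    "\t1\t1\t1\t8\t8899aabbccddeeff\t-1;\n"
    "princ\t38\t0\t0\t0\tkrbtgt/EXAMPLE.ORG@EXAMPLE.ORG\t0\t36000\t604800\t0\t0\t0\t0\t0\t-1;\n"
    "policy\tdefault\t0\t0\t8\t2\t5\t3\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

The parser checks every declared length against the hex it actually reads and refuses unknown record types and dump versions, so a truncated or tampered dump fails loudly instead of silently yielding a principal with the wrong attributes. Reading through a pipe from kdb5_util works the same way: pass the pipe's text stream to parse_dump directly.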
From news@ra.nrl.navy.mil Mon Feb 11 11:36:13 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id LAA12589 for ; Mon, 11 Feb 2002 11:36:13 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id LAA28978 for ; Mon, 11 Feb 2002 11:36:13 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1BGLVh18816 for kerberos@MIT.EDU; Mon, 11 Feb 2002 11:21:31 -0500 (EST) From: "Joel D. Kraft" X-Newsgroups: comp.protocols.kerberos Subject: Re: Kerberos http authentication Date: Mon, 11 Feb 2002 11:19:05 -0500 Organization: Case Western Reserve University, Cleveland, OH, USA Message-ID: References: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: "Donn Cave" wrote in message news:a3p7uh$2a5g$1@nntp6.u.washington.edu... > Quoth bbense@networking.stanford.edu ("Booker C. Bense"): >|>- The proxy method: a web server that acts as the kerberos proxy and holds >|> the tickets, and then hands out cookies or certificates to the browsers > > Only inasmuch as the Kerberos authentication server can be used to > validate passwords. The proxy, if that's the right term, can get > a Kerberos ticket, and throw it away. The browser's host doesn't > ever see any of that, Kerberos credentials there are irrelevant. > The question would be not how well it integrates, rather what it > means to integrate - if you want a Kerberos application, it isn't, > but if you only want it to work at a site that has only Kerberos > passwords, it does. The rest is about cookies. > Does anyone know of anything that will perform this function under IIS? 
We have an existing system with our own session management already set up. Currently most of the authentication takes place against a database... but we want to add kerberos to that. I'm only looking for authentication of username and password, so this situation where the server simply tries to obtain the tickets and discards them is perfect. Something ActiveX would be a godsend.

Thanks!

Joel

Joel D. Kraft
Assistant Director of Housing
-- 
------------------------------------------------------------------------
housing@po.cwru.edu  | Case Western Reserve University
Phone 216-368-3780   | Department of Housing & Residence Life
FAX 216-368-6658     | http://housing.cwru.edu/
------------------------------------------------------------------------

From news@ra.nrl.navy.mil Mon Feb 11 11:51:13 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: [MIT] Simple telnet question
Date: Mon, 11 Feb 2002 17:31:30 +0100
Organization: ENSEIRB

Hello

I was trying to test telnet compatibility between the MIT V5 Kerberos and Heimdal (successfully) when I came across a strange question.
The 3 tests below work correctly:
1) MIT Server with Heimdal Client
2) Heimdal Server with MIT Client
3) Heimdal Server with Heimdal Client (!)

But what doesn't work is:
4) MIT Server with MIT Client (!)

Any idea of why I can't make the MIT client work with its own server? I don't think either of them has a problem, since they both interoperate with Heimdal correctly. Any hint about the command line switches or configuration files?

Philippe

From news@ra.nrl.navy.mil Mon Feb 11 13:17:00 2002
From: "Donn Cave"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: 11 Feb 2002 17:42:36 GMT
Organization: University of Washington

Quoth "Philippe Perrin" :
| I forgot to mention the behavior of the telnet client : once the TGT is
| acquired, I run the client, and the server asks for a password. I exit the
| client, and klist shows me that no host/... ticket has been asked to the
| KDC.

Here are the places I know to look for more information:

- telnet "authdebug":
    $ telnet -a
    telnet> toggle authdebug
    auth debugging enabled
    telnet> open whereitsat
    ...

- KDC syslog output. Search for IP address of the local (client) host.
Donn Cave, donn@u.washington.edu

From news@ra.nrl.navy.mil Mon Feb 11 13:17:00 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: Mon, 11 Feb 2002 17:56:55 +0100
Organization: ENSEIRB

I forgot to mention the behavior of the telnet client: once the TGT is acquired, I run the client, and the server asks for a password. I exit the client, and klist shows me that no host/... ticket has been asked to the KDC.

So the problem is that the client does NOT ask for a ticket to the KDC. But it does with other telnet servers! What went wrong? (let me remind you that this MIT telnet server worked fine with other clients, so I don't think it can be its fault)

Philippe

"Philippe Perrin" wrote in message news: a48rm4$ub1$1@news.u-bordeaux.fr...
> Hello
>
> I was trying to test telnet compatibility between the MIT V5 Kerberos and
> Heimdal (successfully) when I came across a strange question. The 3 tests
> below work correctly:
> 1) MIT Server with Heimdal Client
> 2) Heimdal Server with MIT Client
> 3) Heimdal Server with Heimdal Client (!)
> But what doesn't work is:
> 4) MIT Server with MIT Client (!)
>
> Any idea of why I can't make the MIT client work with its own server? I
> don't think either of them has a problem, since they both interoperate with
> Heimdal correctly. Any hint about the command line switches or configuration
> files?
>
> Philippe
>
>

From news@ra.nrl.navy.mil Mon Feb 11 14:17:01 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: Mon, 11 Feb 2002 20:04:07 +0100
Organization: ENSEIRB

Thanks for the advice. Here is the output, after a successful call to kinit:

Philippe

root@thot:/# telnet -a
telnet> toggle authdebug
auth debugging enabled
telnet> open thot.mds
Trying 172.16.8.136...
Connected to thot (172.16.8.136).
Escape character is '^]'.
>>>TELNET: I support auth type 2 6
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: I support auth type 1 2
>>>TELNET: I support auth type 1 0
>>>TELNET: auth_send got: 02 06 02 02 02 00
>>>TELNET: He supports 2
>>>TELNET: He supports 2
>>>TELNET: Trying 2 2
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos database)
>>>TELNET: He supports 2
>>>TELNET: Trying 2 0
telnet: Kerberos V5: failure on credentials(Server not found in Kerberos database)
>>>TELNET: Sent failure message
Password for root:

"Donn Cave" wrote in message news: a48vqc$mlg$1@nntp6.u.washington.edu...
> Quoth "Philippe Perrin" :
> | I forgot to mention the behavior of the telnet client : once the TGT is
> | acquired, I run the client, and the server asks for a password. I exit the
> | client, and klist shows me that no host/... ticket has been asked to the
> | KDC.
>
> Here are the places I know to look for more information:
>
> - telnet "authdebug":
>     $ telnet -a
>     telnet> toggle authdebug
>     auth debugging enabled
>     telnet> open whereitsat
>     ...
>
> - KDC syslog output. Search for IP address of the local (client) host.
>
> Donn Cave, donn@u.washington.edu

From news@ra.nrl.navy.mil Mon Feb 11 15:02:00 2002
From: "Donn Cave"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: 11 Feb 2002 19:45:46 GMT
Organization: University of Washington

Quoth "Philippe Perrin" :
| Thanks for the advice. Here is the output, after a successful call to kinit
...
| >>>TELNET: Trying 2 2
| telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
| database)
| >>>TELNET: Trying 2 0
| telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
| database)
| >>>TELNET: Sent failure message

OK, that's good, but it means you must check the second place I suggested. When it says "server not found", it means telnet has picked a service name that doesn't match the one your site supports. There are three places to go wrong - the service, the host instance, and the realm. The most likely is your host goes by several addresses and the service principal assigned by your site doesn't use the canonical host name. Whatever, look in that syslog and you will see this failure and see what principal it was actually looking for.
If you don't have access to the log, enlist the cooperation of your site administrator.

|> - KDC syslog output. Search for IP address of the local (client) host.

Donn Cave, donn@u.washington.edu

From news@ra.nrl.navy.mil Mon Feb 11 15:32:00 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: Mon, 11 Feb 2002 21:27:03 +0100
Organization: ENSEIRB

Actually, the KDC is a Windows 2000 server, so no "syslog" :)

I checked its logs, and noticed the following:
- at the initial kinit, the KDC grants the krbtgt/KERBYKB.LOCAL@KERBYKB.LOCAL ticket (TGT)
- when running telnet on the MIT server, it does NOT try to get any ticket before prompting for a password. When typing the real password, I see that another TGT was delivered to the host, and running klist in the telnet session makes it appear.
- when running telnet to another server (Heimdal), I see that the client asks for the right host/...@KERBYKB.LOCAL ticket

So I don't think the Windows KDC is the cause. What I don't understand is why the SAME MIT telnet client asks for the ticket in one case (Heimdal server) and NOT in another (MIT server)...
Philippe

"Donn Cave" wrote in message news: a4971a$1bfm$1@nntp6.u.washington.edu...
> Quoth "Philippe Perrin" :
> | Thanks for the advice. Here is the output, after a successful call to kinit
> ...
> | >>>TELNET: Trying 2 2
> | telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> | database)
> | >>>TELNET: Trying 2 0
> | telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> | database)
> | >>>TELNET: Sent failure message
>
> OK, that's good, but it means you must check the second place I suggested.
> When it says "server not found", it means telnet has picked a service
> name that doesn't match the one your site supports. There are three
> places to go wrong - the service, the host instance, and the realm. The
> most likely is your host goes by several addresses and the service principal
> assigned by your site doesn't use the canonical host name. Whatever, look
> in that syslog and you will see this failure and see what principal it was
> actually looking for. If you don't have access to the log, enlist the
> cooperation of your site administrator.
>
> |> - KDC syslog output. Search for IP address of the local (client) host.
>
> Donn Cave, donn@u.washington.edu

From Nicolas.Williams@ubsw.com Mon Feb 11 15:46:01 2002
Date: Mon, 11 Feb 2002 15:44:31 -0500
From: Nicolas Williams
To: Philippe Perrin
Cc: kerberos@mit.edu
Subject: Re: [MIT] Simple telnet question
Message-ID: <20020211154430.P27171@sm2p1386swk.wdr.com>
In-Reply-To: ; from philippeperrin@yahoo.com on Mon, Feb 11, 2002 at 09:27:03PM +0100

Domain name -> realm name
mapping problems? Bogus TXT RRs in DNS for the MIT box?

Are you alternating running the MIT and Heimdal telnetd on the same host? or Are you running the two things on different hosts?

Cheers,

Nico

On Mon, Feb 11, 2002 at 09:27:03PM +0100, Philippe Perrin wrote:
> So I don't think the Windows KDC is the cause. What I don't understand is
> why the SAME MIT telnet client asks for the ticket in one case (Heimdal
> server) and NOT in another (MIT server)...
>
> Philippe
From news@ra.nrl.navy.mil Mon Feb 11 15:47:00 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: Mon, 11 Feb 2002 21:38:18 +0100
Organization: ENSEIRB

Add-on to my previous message.

Since no ticket-request failure was logged on the KDC, I used tcpdump to see what was going on there. And I noticed that the client did not ask for the principal "host/thot.mds" as it should, but "host/thot" (notice the missing "mds"). It seems that the client drops the domain name (the client and the server are on the same host, thot.mds).... How can I correct this??

Here are parts of my krb5.conf:

  KERBYKB.LOCAL = {
    kdc = kerby.mds:88
    default_domain = mds   # DOMAIN
    admin_server = kerby.mds
  }

[domain_realm]
  .mds = KERBYKB.LOCAL
  mds = KERBYKB.LOCAL

Philippe

"Donn Cave" wrote in message news: a4971a$1bfm$1@nntp6.u.washington.edu...
> Quoth "Philippe Perrin" :
> | Thanks for the advice. Here is the output, after a successful call to kinit
> ...
> | >>>TELNET: Trying 2 2
> | telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> | database)
> | >>>TELNET: Trying 2 0
> | telnet: Kerberos V5: failure on credentials(Server not found in Kerberos
> | database)
> | >>>TELNET: Sent failure message
>
> OK, that's good, but it means you must check the second place I suggested.
> When it says "server not found", it means telnet has picked a service
> name that doesn't match the one your site supports. There are three
> places to go wrong - the service, the host instance, and the realm. The
> most likely is your host goes by several addresses and the service principal
> assigned by your site doesn't use the canonical host name. Whatever, look
> in that syslog and you will see this failure and see what principal it was
> actually looking for. If you don't have access to the log, enlist the
> cooperation of your site administrator.
>
> |> - KDC syslog output. Search for IP address of the local (client) host.
>
> Donn Cave, donn@u.washington.edu

From Nicolas.Williams@ubsw.com Mon Feb 11 15:57:28 2002
Date: Mon, 11 Feb 2002 15:56:00 -0500
From: Nicolas Williams
To: Philippe Perrin
Cc: kerberos@mit.edu
Subject: Re: [MIT] Simple telnet question
Message-ID: <20020211155559.Q27171@sm2p1386swk.wdr.com>
In-Reply-To: ; from philippeperrin@yahoo.com on Mon, Feb 11, 2002 at 09:38:18PM +0100

On Mon, Feb 11, 2002 at 09:38:18PM +0100, Philippe Perrin wrote:
> Add-on to my previous message.
> Since no ticket-request failure was logged on the KDC, I used tcpdump to see
> what was going on there. And I noticed that the client did not ask for the
> principal "host/thot.mds" as it should, but "host/thot" (notice the missing
> "mds"). It seems that the client drops the domain name (the client and the
> server are on the same host, thot.mds).... How can I correct this ??

Check out your /etc/hosts file.

> Philippe

Cheers,

Nico
From news@ra.nrl.navy.mil Mon Feb 11 16:02:00 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: Re: [MIT] Simple telnet question
Date: Mon, 11 Feb 2002 21:57:16 +0100
Organization: ENSEIRB
References: <20020211154430.P27171@sm2p1386swk.wdr.com>

MIT runs on host thot.mds (Solaris)
Heimdal runs on host amon.mds (Linux)

If you check my last message, you'll see that the domain name seems to be the cause (the ".mds" disappears from "thot.mds").
How can I fix this?

Thanks,

Philippe

"Nicolas Williams" wrote in message news: 20020211154430.P27171@sm2p1386swk.wdr.com...
> Domain name -> realm name mapping problems? Bogus TXT RRs in DNS for the
> MIT box?
>
> Are you alternating running the MIT and Heimdal telnetd on the same
> host? or Are you running the two things on different hosts?
>
> Cheers,
>
> Nico
>
>
> On Mon, Feb 11, 2002 at 09:27:03PM +0100, Philippe Perrin wrote:
> > So I don't think the Windows KDC is the cause. What I don't understand is
> > why the SAME MIT telnet client asks for the ticket in one case (Heimdal
> > server) and NOT in another (MIT server)...
> >
> > Philippe
From news@ra.nrl.navy.mil Mon Feb 11 19:02:01 2002
X-Newsgroups: comp.protocols.kerberos
Subject: Getting kerberos to use fds > 256
From: Christopher Burke
Date: Tue, 12 Feb 2002 00:01:51 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)

OK I am very clear now on why Kerberos is failing here ... I am calling from inside another application (same process).

I have no control over the parent application and it creates lots (up to 6000) of simultaneous open files and associated file descriptors.

The problem is - once it goes past 256 open files/fds kerberos no longer works as it cannot use a fd above 256.

It gives me the EMFILE (24) from init_context.

So how do I convince the kerberos library to use the fds above 256?
-- 
---
/* Christopher Burke - Spam Mail to craznar@hotmail.com
|* www.craznar.com -
\* Real mail to cburke(at)craznar(dot)com

From cesarg@ms.com Mon Feb 11 19:14:33 2002
Message-ID: <15464.24167.753532.322011@imus.ms.com>
Date: Mon, 11 Feb 2002 19:14:31 -0500 (EST)
From: Cesar Garcia
To: Christopher Burke
Cc: kerberos@mit.edu
Subject: Re: Getting kerberos to use fds > 256

You might want to initialize the context when your application starts up and reuse the same context. This would be more efficient as well.
>>>>> "Christopher" == Christopher Burke writes:

Christopher> OK I am very clear now on why Kerberos is failing here ... I am calling from
Christopher> inside another application (same process).

Christopher> I have no control over the parent application and it creates lots (up to
Christopher> 6000) of simultaneous open files and associated file descriptors.

Christopher> The problem is - once it goes past 256 open files/fds kerberos no longer
Christopher> works as it cannot use a fd above 256.

Christopher> It gives me the EMFILE (24) from init_context.

Christopher> So how do I convince the kerberos library to use the fds above 256 ?

Christopher> --
Christopher> ---
Christopher> /* Christopher Burke - Spam Mail to craznar@hotmail.com
Christopher> |* www.craznar.com -
Christopher> \* Real mail to cburke(at)craznar(dot)com

From news@ra.nrl.navy.mil Mon Feb 11 19:32:01 2002
X-Newsgroups: comp.protocols.kerberos
Subject: Re: Getting kerberos to use fds > 256
From: Christopher Burke
References: <15464.24167.753532.322011@imus.ms.com>
Date: Tue, 12 Feb 2002 00:20:35 GMT
Organization: BigPond Internet Services (http://www.bigpond.net.au)
Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in news:15464.24167.753532.322011@imus.ms.com: > You might want to initialize the context when you application starts > up and reuse the same context. This would be more efficient as well. Thanks, it seems so obvious I don't know why I didn't think of it. -- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From news@ra.nrl.navy.mil Mon Feb 11 19:47:06 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id TAA14492 for ; Mon, 11 Feb 2002 19:47:06 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id TAA13291 for ; Mon, 11 Feb 2002 19:47:00 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1C0hBN07486 for kerberos@MIT.EDU; Mon, 11 Feb 2002 19:43:11 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Re: Getting kerberos to use fds > 256 From: Christopher Burke References: <15464.24167.753532.322011@imus.ms.com> Message-ID: Date: Tue, 12 Feb 2002 00:43:11 GMT Organization: BigPond Internet Services (http://www.bigpond.net.au) To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in news:15464.24167.753532.322011@imus.ms.com: > You might want to initialize the context when you application starts > up and reuse the same context. This would be more efficient as well. THanks again ... 
kerberos no longer seems to be the limiting factor - now I am getting error 22 returned after alot heavier load. -- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From news@ra.nrl.navy.mil Mon Feb 11 19:47:07 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id TAA14497 for ; Mon, 11 Feb 2002 19:47:06 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id TAA13319 for ; Mon, 11 Feb 2002 19:47:06 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1C0eDM07480 for kerberos@MIT.EDU; Mon, 11 Feb 2002 19:40:13 -0500 (EST) From: "Philippe Perrin" X-Newsgroups: comp.protocols.kerberos Subject: Re: [MIT] Simple telnet question Date: Tue, 12 Feb 2002 01:35:21 +0100 Organization: ENSEIRB Message-ID: References: <20020211155559.Q27171@sm2p1386swk.wdr.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Thanks a lot, that was the problem. I simply added ".mds" near "thot" and all works :) Philippe (happier :-) "Nicolas Williams" a écrit dans le message de news: 20020211155559.Q27171@sm2p1386swk.wdr.com... > On Mon, Feb 11, 2002 at 09:38:18PM +0100, Philippe Perrin wrote: > > Add-on to my previous message. > > Since no ticket-request failure was logged on the KDC, I used tcpdump to see > > what was going on there. And I noticed that the client did not ask for the > > principal "host/thot.mds" as it should, but "host/thot" (notice the missing > > "mds"). It seems that the client drops the domain name (the client and the > > server are on the same host, thot.mds).... 
How can I correct this ?? > > Check out your /etc/hosts file. > > > Philippe > > > Cheers, > > Nico > -- > -DISCLAIMER: an automatically appended disclaimer may follow. By posting- > -to a public e-mail mailing list I hereby grant permission to distribute- > -and copy this message.- > > Visit our website at http://www.ubswarburg.com > > This message contains confidential information and is intended only > for the individual named. If you are not the named addressee you > should not disseminate, distribute or copy this e-mail. Please > notify the sender immediately by e-mail if you have received this > e-mail by mistake and delete this e-mail from your system. > > E-mail transmission cannot be guaranteed to be secure or error-free > as information could be intercepted, corrupted, lost, destroyed, > arrive late or incomplete, or contain viruses. The sender therefore > does not accept liability for any errors or omissions in the contents > of this message which arise as a result of e-mail transmission. If > verification is required please request a hard-copy version. This > message is provided for informational purposes and should not be > construed as a solicitation or offer to buy or sell any securities or > related financial instruments. 
> > _______________________________________________ > Kerberos mailing list > Kerberos@mit.edu > http://mailman.mit.edu/mailman/listinfo/kerberos > From tlyu@MIT.EDU Mon Feb 11 20:10:08 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id UAA14617 for ; Mon, 11 Feb 2002 20:10:08 -0500 (EST) Received: from saint-elmos-fire.mit.edu (SAINT-ELMOS-FIRE.MIT.EDU [18.18.0.248]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id UAA18567 for ; Mon, 11 Feb 2002 20:10:08 -0500 (EST) Received: (from tlyu@localhost) by saint-elmos-fire.mit.edu (8.9.3) id UAA18643; Mon, 11 Feb 2002 20:10:03 -0500 (EST) To: Christopher Burke Cc: kerberos@MIT.EDU Subject: Re: Getting kerberos to use fds > 256 References: <15464.24167.753532.322011@imus.ms.com> From: Tom Yu Date: 11 Feb 2002 20:10:03 -0500 In-Reply-To: Message-ID: Lines: 20 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >>>>> "craznar" == Christopher Burke writes: craznar> Cesar.Garcia@morganstanley.com (Cesar Garcia) wrote in craznar> news:15464.24167.753532.322011@imus.ms.com: >> You might want to initialize the context when you application >> starts up and reuse the same context. This would be more efficient >> as well. This may be a bad idea in a multi-threaded application. craznar> THanks again ... kerberos no longer seems to be the limiting craznar> factor - now I am getting error 22 returned after alot craznar> heavier load. This _may_ be because libkrb5 is not thread-safe... this is a multi-threaded application, right? It may be best to use a big lock around all calls into libkrb5. 
---Tom From news@ra.nrl.navy.mil Mon Feb 11 20:32:01 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id UAA14805 for ; Mon, 11 Feb 2002 20:32:01 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id UAA24063 for ; Mon, 11 Feb 2002 20:32:01 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1C1S5308182 for kerberos@MIT.EDU; Mon, 11 Feb 2002 20:28:05 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Re: Getting kerberos to use fds > 256 From: Christopher Burke References: <15464.24167.753532.322011@imus.ms.com> Message-ID: Date: Tue, 12 Feb 2002 01:28:05 GMT Organization: BigPond Internet Services (http://www.bigpond.net.au) To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: tlyu@mit.edu (Tom Yu) wrote in news:ldveljr33pw.fsf@saint-elmos- fire.mit.edu: >>> You might want to initialize the context when you application >>> starts up and reuse the same context. This would be more efficient >>> as well. > > This may be a bad idea in a multi-threaded application. Multi threaded - yes, but all my kerberos calls are made within a single mutex protected block.... > > craznar> THanks again ... kerberos no longer seems to be the limiting > craznar> factor - now I am getting error 22 returned after alot > craznar> heavier load. > > This _may_ be because libkrb5 is not thread-safe... this is a > multi-threaded application, right? It may be best to use a big lock > around all calls into libkrb5. Already done ... 
From: Srinivas Cheruku
To: kerberos@mit.edu
Date: Tue, 12 Feb 2002 11:00:17 +0530
Subject: Does MIT support Microsoft Credential Cache

Hi all,

Please can any one of you give me the information.

What types of Credentials Cache does MIT support? Will it support the Microsoft Credential Cache on Win2k?

Can a gss application developed using MIT GSS be able to read the credentials from the Microsoft credential cache?

What are the implications of these cache types when clients are on XP?

Thanks a lot,
Srini


From: Paul Johnson
Newsgroups: comp.protocols.kerberos
Organization: Marconi Laboratories, Cambridge
Date: Tue, 12 Feb 2002 15:00:00 GMT
Subject: Re: MD5 passwords possible with Kerberos?

Sandeep wrote:
> Just like Unix passwords are never stored cleartext, but always
> hashed, why not do the same thing with Kerberos?

Because Kerberos does not actually do password authentication. It sets up a secure link between the two principals.

Suppose Alice and Bob want to communicate. They need to share a secret key. (This ignores public key crypto, which is a completely different way of doing things.) Alice talks to Kerberos using a previously agreed secret key (which is in fact the MD5 hash of her password). Kerberos sends her a "ticket" which contains both a new randomly generated secret key and the same key encrypted with Bob's secret key (which is also the MD5 hash of his password). Now Alice and Bob share a key and can use it to communicate.

To achieve this Kerberos has to store the secret keys of all the principals. If you get hold of a Kerberos database you won't see the passwords, you will see the hashes (aka secret keys). But that isn't a problem if you want to impersonate Alice or Bob because Kerberos never sees the passwords. It sees messages encrypted with the keys. So if you can get the Kerberos database and want to impersonate Alice you just start a Kerberos session using her secret key. Kerberos assumes that since you evidently know Alice's key you must be her.

Paul.


From: Nicolas Williams
To: Christopher Burke
Cc: kerberos@mit.edu
Date: Tue, 12 Feb 2002 15:46:09 -0500
Subject: Re: Getting kerberos to use fds > 256
Message-ID: <20020212154608.T27171@sm2p1386swk.wdr.com>

This is the Solaris 32-bit stdio limit: stdio is limited to 256 file descriptors.

A typical solution that works is to dup2() new fildes up above 256 for fildes that need not be used with stdio, thus reserving the first 256 fildes for things that need stdio. This is a very app-specific hack, but it can be generalized into an LD_PRELOADable library that more generally solves the problem(*).

Another typical solution is to use the 64-bit Solaris environment.

(*) This is left as an exercise for the reader.

Nico

On Tue, Feb 12, 2002 at 12:01:51AM +0000, Christopher Burke wrote:
> OK I am very clear now on why Kerberos is failing here ... I am calling from
> inside another application (same process).
>
> I have no control over the parent application and it creates lots (up to
> 6000) of simultaneous open files and associated file descriptors.
>
> The problem is - once it goes past 256 open files/fds kerberos no longer
> works as it cannot use a fd above 256.
>
> It gives me the EMFILE (24) from init_context.
>
> So how do I convince the kerberos library to use the fds above 256 ?
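The dup2() trick Nico describes above, written out as an added example (this is not code from the thread or from MIT Kerberos): a helper that moves a descriptor which will never be wrapped by stdio to the lowest free number at or above a floor, so the low range stays available for fopen()-style callers. It uses fcntl(F_DUPFD, floor), which is the general form of "dup2() onto the first free fd >= floor" and avoids having to guess a specific target number. The floor of 256, the can_reserve_above() check against RLIMIT_NOFILE, and /dev/null standing in for a real socket are all assumptions of this example; the stdio ceiling it works around is the Solaris 32-bit one, the code itself is plain POSIX.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Solaris 32-bit stdio can only wrap fds 0..255.  Move a descriptor that
 * will never be handed to fopen()/fdopen() to the lowest free number at or
 * above `floor`, so the low range is kept for callers that do need stdio.
 * fcntl(F_DUPFD, floor) is the "dup2() to the first free fd >= floor"
 * primitive.  Returns the new fd, or -1 with errno set and the original fd
 * left untouched so the caller can still use it. */
int move_fd_above(int fd, int floor)
{
    if (fd < 0 || floor < 0) {
        errno = EBADF;
        return -1;
    }
    if (fd >= floor)
        return fd;                      /* already outside the reserved range */

    int nfd = fcntl(fd, F_DUPFD, floor);
    if (nfd < 0)
        return -1;                      /* EMFILE or EINVAL: caller keeps fd */
    close(fd);                          /* release the low slot for stdio */
    return nfd;
}

/* True when the process's soft RLIMIT_NOFILE leaves room above `floor`.
 * F_DUPFD fails with EINVAL when the floor is at or beyond that limit, so a
 * caller can decide up front whether the relocation is even possible. */
int can_reserve_above(int floor)
{
    struct rlimit rl;
    if (floor < 0 || getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    if (rl.rlim_cur == RLIM_INFINITY)
        return 1;
    return (rlim_t)floor + 1 < rl.rlim_cur;
}

/* open() a path and immediately move the result out of the stdio range.
 * On failure the low fd is closed again so nothing leaks. */
int open_above(const char *path, int flags, int floor)
{
    int fd = open(path, flags);
    if (fd < 0)
        return -1;
    int nfd = move_fd_above(fd, floor);
    if (nfd < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return nfd;
}

int main(void)
{
    /* /dev/null stands in for the library's KDC socket (assumption). */
    int fd = open_above("/dev/null", O_RDONLY, 256);
    if (fd < 0) {
        perror("open_above");
        return 1;
    }
    printf("descriptor placed at %d; fds 0..255 remain free for stdio\n", fd);
    close(fd);
    return 0;
}
```

The same two functions are what an LD_PRELOAD wrapper around open()/socket() would call before returning to the application; the interposer is the part Nico leaves as an exercise. Note that the relocation only helps the library if its own descriptor use goes through read()/write() rather than stdio, which is exactly why the reserved range must be kept for the stdio users.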
From news@ra.nrl.navy.mil Tue Feb 12 16:32:05 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id QAA18457 for ; Tue, 12 Feb 2002 16:32:04 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id QAA09925 for ; Tue, 12 Feb 2002 16:32:04 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1CLVKE28114 for kerberos@MIT.EDU; Tue, 12 Feb 2002 16:31:20 -0500 (EST) From: "François Lopitaux" X-Newsgroups: comp.protocols.kerberos Subject: Search Server ftp, telnet for Windows Date: Tue, 12 Feb 2002 22:20:04 +0100 Organization: Universite Bordeaux I Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hello, I research Server ftp or telnet compatible Kerberos V5 for Windows. Thanks you. 
François From news@ra.nrl.navy.mil Tue Feb 12 20:02:06 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id UAA19142 for ; Tue, 12 Feb 2002 20:02:06 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id UAA20999 for ; Tue, 12 Feb 2002 20:02:05 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1D0po801614 for kerberos@MIT.EDU; Tue, 12 Feb 2002 19:51:50 -0500 (EST) From: "Philippe Perrin" X-Newsgroups: comp.protocols.kerberos Subject: Cross-realm trust Date: Wed, 13 Feb 2002 01:47:05 +0100 Organization: ENSEIRB Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hello I'm now willing to allow users authenticated in REALM1 to use services of REALM2. I configured everything as I think I should have, and then I made a user authenticate in REALM1, and used a telnet server in REALM2. The only way I found to make it work was to add a ~/.k5login file containing "user@REALM1" on the server. How could I avoid writing such files for every user ? Can I make this server (of REALM2) accept users of REALM1 directly ? (if I don't use this .k5login file, the telnet server prompts for the user's password) BTW, I'm working with MIT Kerberos 5. 
Thank you Philippe From cesarg@ms.com Tue Feb 12 21:41:35 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id VAA19443 for ; Tue, 12 Feb 2002 21:41:35 -0500 (EST) Received: from pivsbh1.ms.com (pivsbh1-x0.ms.com [199.89.64.101]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id VAA13455 for ; Tue, 12 Feb 2002 21:41:35 -0500 (EST) Received: from pivsbh1-idmz.ms.com (localhost [127.0.0.1]) by pivsbh1.ms.com (Postfix) with SMTP id 324BD2141E for ; Tue, 12 Feb 2002 21:41:35 -0500 (EST) Received: from sasmh3.ms.com (unknown [144.14.193.98]) by pivsbh1-idmz.ms.com (Postfix) with ESMTP id 19A8820E04 for ; Tue, 12 Feb 2002 21:41:35 -0500 (EST) Received: from imus.morgan.com (imus.morgan.com [144.14.15.156]) by sasmh3.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id VAA06229; Tue, 12 Feb 2002 21:41:34 -0500 (EST) Received: (cesarg@localhost) by imus.morgan.com (8.8.5/sendmail.cf.client v1.05) id VAA19663; Tue, 12 Feb 2002 21:41:34 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15465.53854.333272.215183@imus.ms.com> Date: Tue, 12 Feb 2002 21:41:34 -0500 (EST) From: Cesar Garcia To: Cesar Garcia Cc: kerberos@mit.edu Subject: Re: Ticket forwarding and IP addresses In-Reply-To: <15459.61368.330902.672691@imus.ms.com> References: <15459.61368.330902.672691@imus.ms.com> X-Mailer: VM 6.72 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: This is not exactly a Kerberos specific issue, but perhaps the folks on this mailing list might have some insight. 
I decided for now to go with Ken's suggestion that I simply remove the IP addresses from my V5 tickets, and do ticket forwarding sans IP addresses. It appears that the one dependency we have on IP addresses is k524. Our client code is modern and works fine. It's an old krb524d which we currently run on a CyberSafe KDC that requires IP addresses in the requesting ticket. So thanks to Doug Engert, we have a -k option that allows one to run the MIT krb524d with a keytab, which handles null IP addresses just fine - and I don't immediately, or perhaps ever, have to solve the problem of writing the glue to get it to work the CyberSafe KDB. Simply extracting all the necessary keys to a keytab file suffices. I then add the following keys to a keytab file: 1 - krbtgt/k5realm@k5realm 2 - afs@k5realm (*) (*) An aside - this predates me, so I'm not sure what all the reasons were) Since all of our AFS cells use the same server principal, we don't have afs/afscellname@k5realm for each of our cells, just one principal afs@k5realm (one k5realm) for all cells. Not sure how/if this is relevant, but it is different. The basic algorithm for obtaining tokens for all cells follows: 1 - using V5 TGS, obtain a ticket V5 ticket for afs@k5realm (this ticket get's cached) 2 - using k524 and V5 ticket for afs@k5realm, obtain a V4 ticket for afs@k5realm 3 - foreach cell, invoke ktc_SetToken, passing in the V4 cred obtained in step 2. This code is implemented in a lib/app we call ak5log and works with the cybersafe based krb524d, with either the cybersafe based k524 client or the MIT based k524 client. When we try to run either the cybersafe or MIT based client against the MIT krb524d (using -k), the ak5log code completes, but I get the following messages in syslog: ---- Feb 12 21:05:09 imus afs: [ID 255639 kern.notice] afs: Tokens for user of AFS id 4843 for cell w.ny.ms.com are discarded (rxkad error=19270408) ---- with a similar error going to my console. 
krb524init itself seems to work fine against the same MIT krb524d with the keytab. That is the I can V4 tgt and run my v4 apps with no problem. The error apparently corresponds to "Unknown key". I've verified the key and kvno for afs@k5realm that was extracted to the keytab file, and it appears to be correct. I assume I would have failed earlier had that not been the case. When I list my tokens, the listing looks normal.t The tokens themselves, however, are worthless. We're running various versions of transarc afs (3.5, 3.6) on our solaris machines, openafs 1.2.2 on our linux boxes. AFS servers are solaris. Before I go digging into this problem some more, I was wondering if anyone might have some insight on this one. Thanks in advance. >>>>> "Cesar" == Cesar Garcia writes: Cesar> I've been working with 1.2.2 for a some months now, and only Cesar> recently have attempted to get the rcmds working, mainly in Cesar> an effort to better understand how ticket forwarding works, Cesar> since we have a need to do this in a homegrown application. Cesar> The behavior that I see is that when I invoke ticket Cesar> forwarding, the "forwarded" tickets contain only a single Cesar> IP address. Cesar> After walking through some of the code, it appears that Cesar> the client, via krb5_fwd_tgt_creds, determines the target's Cesar> IP address via a host lookup using gethostbyname(), as Cesar> implemented in krb5_os_hostaddr(). Cesar> Since we use NIS as the primary source for hostname Cesar> resolution, all host lookups render a single IP address, Cesar> even for multihomed machines. Moving to DNS is not an Cesar> option at the moment. Additionally, we use Veritas VCS Cesar> and other similar clustering facilities. These hosts Cesar> will have additional IP addresses that are not associated Cesar> with the real hostname, but with service names for a Cesar> particular cluster/application. 
So even if were to switch Cesar> to DNS, the client would not be able to determine all the Cesar> IP addresses for a given target host via the hostname Cesar> lookup that it uses today. Cesar> That said (barring hacks to application protocols that Cesar> would allow target hosts to send IP addresses back to Cesar> the source host, then having the client embed the full set Cesar> of tickets), the way to address this would be to have Cesar> the target host obtain new tickets will a full set of Cesar> IP addresses. Cesar> 1 - is this possible? Cesar> 2 - is it within the limits of the specification? Cesar> If so, has anyone has implemented this for 1.2.2 or any Cesar> releases of MIT krb5. From cesarg@ms.com Tue Feb 12 22:24:05 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id WAA19605 for ; Tue, 12 Feb 2002 22:24:05 -0500 (EST) Received: from pivsbh1.ms.com (pivsbh1-x0.ms.com [199.89.64.101]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id WAA24879 for ; Tue, 12 Feb 2002 22:24:05 -0500 (EST) Received: from pivsbh1-idmz.ms.com (localhost [127.0.0.1]) by pivsbh1.ms.com (Postfix) with SMTP id DE468204A0 for ; Tue, 12 Feb 2002 22:24:04 -0500 (EST) Received: from sasmh3.ms.com (unknown [144.14.193.98]) by pivsbh1-idmz.ms.com (Postfix) with ESMTP id C979820497 for ; Tue, 12 Feb 2002 22:24:04 -0500 (EST) Received: from imus.morgan.com (imus.morgan.com [144.14.15.156]) by sasmh3.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id WAA13523; Tue, 12 Feb 2002 22:24:04 -0500 (EST) Received: (cesarg@localhost) by imus.morgan.com (8.8.5/sendmail.cf.client v1.05) id WAA21181; Tue, 12 Feb 2002 22:24:04 -0500 (EST) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15465.56403.936552.993225@imus.ms.com> Date: Tue, 12 Feb 2002 22:24:03 -0500 (EST) From: Cesar Garcia To: Cesar Garcia Cc: kerberos@mit.edu Subject: Re: Ticket forwarding 
and IP addresses In-Reply-To: <15465.53854.333272.215183@imus.ms.com> References: <15459.61368.330902.672691@imus.ms.com> <15465.53854.333272.215183@imus.ms.com> X-Mailer: VM 6.72 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: OK. I may have figured the error. Although the the key version number for my afs principal is 1, the 1.2.2 krb524d (using -k) returns a V4 cred with a kvno of 0. I determined this on the client side, I'll have to walk through the server code to see why the cred is returned with a kvno of 0. >>>>> "Cesar" == Cesar Garcia writes: Cesar> This is not exactly a Kerberos specific issue, but perhaps Cesar> the folks on this mailing list might have some insight. Cesar> I decided for now to go with Ken's suggestion that I simply Cesar> remove the IP addresses from my V5 tickets, and do ticket Cesar> forwarding sans IP addresses. Cesar> It appears that the one dependency we have on IP addresses Cesar> is k524. Our client code is modern and works fine. It's an Cesar> old krb524d which we currently run on a CyberSafe KDC that Cesar> requires IP addresses in the requesting ticket. Cesar> So thanks to Doug Engert, we have a -k option that allows Cesar> one to run the MIT krb524d with a keytab, which handles Cesar> null IP addresses just fine - and I don't immediately, or Cesar> perhaps ever, have to solve the problem of writing the glue Cesar> to get it to work the CyberSafe KDB. Simply extracting all Cesar> the necessary keys to a keytab file suffices. 
Cesar> I then add the following keys to a keytab file: Cesar> 1 - krbtgt/k5realm@k5realm Cesar> 2 - afs@k5realm (*) Cesar> (*) An aside - this predates me, so I'm not sure what all Cesar> the reasons were) Since all of our AFS cells use the same Cesar> server principal, we don't have afs/afscellname@k5realm Cesar> for each of our cells, just one principal afs@k5realm Cesar> (one k5realm) for all cells. Not sure how/if this is Cesar> relevant, but it is different. Cesar> The basic algorithm for obtaining tokens for all cells follows: Cesar> 1 - using V5 TGS, obtain a ticket V5 ticket for afs@k5realm Cesar> (this ticket get's cached) Cesar> 2 - using k524 and V5 ticket for afs@k5realm, obtain a V4 ticket Cesar> for afs@k5realm Cesar> 3 - foreach cell, invoke ktc_SetToken, passing in the V4 cred Cesar> obtained in step 2. Cesar> This code is implemented in a lib/app we call ak5log and works Cesar> with the cybersafe based krb524d, with either the cybersafe Cesar> based k524 client or the MIT based k524 client. Cesar> When we try to run either the cybersafe or MIT based client Cesar> against the MIT krb524d (using -k), the ak5log code completes, Cesar> but I get the following messages in syslog: Cesar> ---- Cesar> Feb 12 21:05:09 imus afs: [ID 255639 kern.notice] afs: Tokens for user of AFS id 4843 for cell w.ny.ms.com are discarded (rxkad error=19270408) Cesar> ---- Cesar> with a similar error going to my console. Cesar> krb524init itself seems to work fine against the same MIT Cesar> krb524d with the keytab. That is the I can V4 tgt and run Cesar> my v4 apps with no problem. Cesar> The error apparently corresponds to "Unknown key". I've verified Cesar> the key and kvno for afs@k5realm that was extracted to the Cesar> keytab file, and it appears to be correct. I assume I would Cesar> have failed earlier had that not been the case. Cesar> When I list my tokens, the listing looks normal.t The Cesar> tokens themselves, however, are worthless. 
Cesar> We're running various versions of transarc afs (3.5, 3.6)
Cesar> on our solaris machines, openafs 1.2.2 on our linux boxes.
Cesar> AFS servers are solaris.

Cesar> Before I go digging into this problem some more, I was wondering
Cesar> if anyone might have some insight on this one.

Cesar> Thanks in advance.

>>>>> "Cesar" == Cesar Garcia writes:

Cesar> I've been working with 1.2.2 for some months now, and only
Cesar> recently have attempted to get the rcmds working, mainly in
Cesar> an effort to better understand how ticket forwarding works,
Cesar> since we have a need to do this in a homegrown application.

Cesar> The behavior that I see is that when I invoke ticket
Cesar> forwarding, the "forwarded" tickets contain only a single
Cesar> IP address.

Cesar> After walking through some of the code, it appears that
Cesar> the client, via krb5_fwd_tgt_creds, determines the target's
Cesar> IP address via a host lookup using gethostbyname(), as
Cesar> implemented in krb5_os_hostaddr().

Cesar> Since we use NIS as the primary source for hostname
Cesar> resolution, all host lookups render a single IP address,
Cesar> even for multihomed machines. Moving to DNS is not an
Cesar> option at the moment. Additionally, we use Veritas VCS
Cesar> and other similar clustering facilities. These hosts
Cesar> will have additional IP addresses that are not associated
Cesar> with the real hostname, but with service names for a
Cesar> particular cluster/application. So even if we were to switch
Cesar> to DNS, the client would not be able to determine all the
Cesar> IP addresses for a given target host via the hostname
Cesar> lookup that it uses today.

Cesar> That said (barring hacks to application protocols that
Cesar> would allow target hosts to send IP addresses back to
Cesar> the source host, then having the client embed the full set
Cesar> of tickets), the way to address this would be to have
Cesar> the target host obtain new tickets with a full set of
Cesar> IP addresses.
Cesar> 1 - is this possible?
Cesar> 2 - is it within the limits of the specification?

Cesar> If so, has anyone implemented this for 1.2.2 or any
Cesar> releases of MIT krb5.

Cesar> _______________________________________________
Cesar> Kerberos mailing list
Cesar> Kerberos@mit.edu
Cesar> http://mailman.mit.edu/mailman/listinfo/kerberos

From mdw@umich.edu Wed Feb 13 04:35:24 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id EAA20894 for ; Wed, 13 Feb 2002 04:35:23 -0500 (EST)
Received: from quince.ifs.umich.edu (quince.ifs.umich.edu [141.213.229.138]) by fort-point-station.mit.edu (8.9.2/8.9.2) with SMTP id EAA01472 for ; Wed, 13 Feb 2002 04:35:23 -0500 (EST)
Received: from pepper-pot (pepper-pot.ifs.umich.edu [141.213.229.91]) by quince.ifs.umich.edu (8.6.13/8.6.12) with ESMTP id EAA11317; Wed, 13 Feb 2002 04:35:22 -0500
Message-Id: <200202130935.EAA11317@quince.ifs.umich.edu>
To: "vkd"
cc: kerberos@mit.edu
Subject: Re: pam_krb5 for solaris
In-reply-to: Your message of "Fri, 08 Feb 2002 21:27:05 GMT."
Date: Wed, 13 Feb 2002 04:35:22 -0500
From: Marcus Watts

"vkd" sends:
> From: "vkd"
> Subject: pam_krb5 for solaris
> Message-ID:
> To: kerberos@mit.edu
> Date: Fri, 08 Feb 2002 21:27:05 GMT
>
> Where can I get proper pam_krb5 source that works on solaris?
>
> I got one from this site: http://www.fcusack.com
> but get this error message:
>
> Feb 8 15:50:11 dot2 sshd[5445]: fatal: PAM initialisation failed[4]: System error
> Feb 8 15:50:46 dot2 sshd[5448]: load_modules: can not open module /usr/lib/security/pam_krb5.so.1
>
> Now, just a check:
>
> ----------------------------------------
>
> $ ls -la /usr/lib/security/pam_krb5.so.1
> -rwxr-xr-x 1 root other 724852 Feb 8 15:46 /usr/lib/security/pam_krb5.so.1*
>
> $ ldd /usr/lib/security/pam_krb5.so.1
> libpam.so.1 => /usr/lib/libpam.so.1
> libnsl.so.1 => /usr/lib/libnsl.so.1
> libsocket.so.1 => /usr/lib/libsocket.so.1
> libc.so.1 => /usr/lib/libc.so.1
> libdl.so.1 => /usr/lib/libdl.so.1
> libmp.so.2 => /usr/lib/libmp.so.2
> /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
>
> $ file /usr/lib/security/pam_krb5.so.1
> /usr/lib/security/pam_krb5.so.1: ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped
>
> ----------------------------------------
>
> Here is how I modified the Makefile:
>
> CC = gcc
> CFLAGS = -O2 -fPIC
> #LDFLAGS = -shared
> LDFLAGS = -G
>
> DESTDIR = /usr/lib/security
> MANDIR = /usr/local/man/man5
>
> OSLIBS = -lpam -lnsl -lsocket
> KRB5LIBS = -L/usr/kerberos/lib -R/usr/kerberos/lib -lkrb5 -lk5crypto -lcom_err
>
> LIBS = $(OSLIBS) $(KRB5LIBS)
>
> INC = -I/usr/include -I/usr/kerberos/include -I/usr/local/include
>
> The version of Kerberos installed into /usr/kerberos is MIT (latest stable
> release). I didn't know of any other Kerberos distros. Are there any? How do
> they compare?
>
> Any ideas? How should one properly set up Kerberos into PAM?
>
> Here is my SSH config in pam.conf:
> ######################################################################
> # SSH
> ######################################################################
> #sshd auth sufficient /usr/lib/security/pam_krb5.so.1 try_first_pass
> sshd auth required /usr/lib/security/pam_unix.so.1
> sshd account required /usr/lib/security/pam_unix.so.1
> sshd session required /usr/lib/security/pam_unix.so.1
> #sshd session optional /usr/lib/security/pam_krb5.so.1
>
> I commented it out for now (since it doesn't work) but that's what I used.

Taking a complete stab into the dark -- are you sure your pam_krb5
isn't trying to make linux-PAM specific calls?

More generally, while you've provided an admirable amount of detail
for diagnosing ld problems, especially for someone who has your exact
software, you haven't provided enough information for someone who
hasn't got your exact software to diagnose shared library problems,
which is unfortunately what you appear to be asking. Moreover I'm not
sure why you think anyone here will have any better insight into this
than fcusack.

I'll try to think of what I would do if I had to solve your problem,
although I really am shooting in the dark...

The simple thing you might try doing is to do a "nm" command on
pam_krb5.so, and look for linux-PAM specific functions, or anything
else weird. (How do you recognize linux-PAM specific functions?
Uhh... You could do a "nm" command on libpam on solaris & libpam on
linux, then look for functions present in only one, to get a list of
entry points that could be problems.) You might also check out any
notes that come with fcusack to see if this is discussed.

I'm guessing that you think ldd will catch undefined symbols, and
maybe it will, although I can never remember just what the rules for
this kind of logic are on different platforms (AIX 3, AIX 4, sunOS 4,
solaris 2, linux, openbsd, & rhapsody are all unique and different,
although some look superficially alike.)
Another different possibility is it's obvious you've built this with
gcc. If your copy of sshd wasn't built with gcc, then you may have
some libgcc functions missing and that could cause problems. That's
something else you can check out with "nm". You could fix this by
either building with the sun C compiler, linking against libgcc.a, or
if you only plan to use this with sshd, building sshd with gcc also.

There are plenty of other weird exciting issues that could be
happening - if your sshd was linked against a different copy of
kerberos or des, you could be running into subtle shared library fun
there. Generally, this is more likely to cause run-time weirdness,
but a missing symbol is probably also possible, especially if you're
not using shared library versioning.

Since you're using solaris, you have another interesting resource;
the run-time dynamic linker, ld.so.1, actually supports some
interesting run-time debugging. "man ld.so.1" will tell you about the
main ones, of which perhaps the first one you should try is "LD_DEBUG";

	setenv LD_DEBUG help
	/bin/cat

read the output, then maybe try:

	setenv LD_DEBUG basic,detail,libs,symbols
	setenv LD_DEBUG_OUT /tmp/sshd.out
	sshd -d
	unsetenv LD_DEBUG
	unsetenv LD_DEBUG_OUT

This can spit out a ton of stuff. Good luck interpreting it all.

It appears from above that your copy of pam_krb5 was linked against
static k5 libraries. In solaris, there's magic you can do to avoid
exporting any k5 functions to any other shared libraries, which may or
may not be useful (using -M mapfile to read in special loader
directives, I believe). Something else that could be happening is
that if you're reading in a static copy of the kerberos libraries,
they're probably not compiled -fPIC. If they're not compiled as
position independent code, the loader would have to do ugly things to
resolve the text relocations at run-time.
It may not be willing to do that (this is *very* OS and hardware
specific), in which case it probably would refuse to load your module.
More likely, it will grudgingly do this, but run much slower, take up
more memory, and possibly spit lots of complaints out stderr onto your
ssh connection, where bad things may then happen.

I think MIT has at least 5 "stable" versions of "MIT kerberos".

Oh yeah, the version of solaris, & the version of gcc may be somewhat
interesting as well. Maybe the version of sshd, and how it was
compiled too. There's lots of pieces here, from at least 4 different
places. An opportunity for distributed blame?

But really, the big thing is you need to figure out how to poke at
your system to get some more specific detail on *why* sshd won't load
your shared library. There ain't no mind readers here on the list.

				-Marcus Watts
				UM ITCS Umich Systems Group

From news@ra.nrl.navy.mil Wed Feb 13 09:47:09 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id JAA21797 for ; Wed, 13 Feb 2002 09:47:08 -0500 (EST)
Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id JAA01085 for ; Wed, 13 Feb 2002 09:47:08 -0500 (EST)
Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1DEZEJ15545 for kerberos@MIT.EDU; Wed, 13 Feb 2002 09:35:15 -0500 (EST)
From: ali_m_000@hotmail.com (Alistair Mackay)
X-Newsgroups: comp.protocols.kerberos
Subject: BUG: kinit coredumps when changing expired password, potentially kpasswd as well
Date: 13 Feb 2002 06:32:21 -0800
Organization: http://groups.google.com/
Message-ID: <477e51d4.0202130632.250c0213@posting.google.com>
To: kerberos@MIT.EDU
Version: kerberos V 1.2.3
Location: src/lib/krb5/krb/gic_pwd.c line 271
Platform: Solaris 2.6 (though by its nature, should affect all)

Description:

When attempting to acquire a TGT from a server that has "User must
change password at next logon" set, if a new password is entered that
does not meet the password requirements for the server a seg fault
occurs when the "Password Change Rejected. Please Try Again" message is
printed.

The reason being is that result_string.length is zero (OK) but the
pointer result_string.data is NULL - kerrrunch! As you can see, the same
could be possible with code_string so the same action is taken.

Resolution:

Existing code:

    sprintf(banner, "%.*s%s%.*s. Please try again.\n",
            code_string.length, code_string.data,
            result_string.length?": ":"",
            result_string.length, result_string.data);

Suggested fix:

    sprintf(banner, "%.*s%s%.*s. Please try again.\n",
            code_string.length, code_string.data ? code_string.data : "",
            result_string.length?": ":"",
            result_string.length, result_string.data ? result_string.data : "");

After grepping the source, I find the same may occur at the following
locations requiring the same action...
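Added here as an illustration of the report above, not code from the krb5 tree or from the poster: the suggested fix removes the NULL pointer, but the sprintf is still unbounded, and passing a NULL pointer to "%.*s" is undefined behaviour in C even when the precision is 0, which is why it segfaulted on Solaris 2.6 while appearing to work elsewhere. The block below builds the same banner with snprintf and a small adapter that turns a length-counted buffer into a (precision, pointer) pair that is always safe to print. The kd_string struct is a constructed stand-in for krb5_data, and the helper names (kd_prec, kd_ptr, format_banner, banner_matches, banner_truncates_safely) are assumptions for this example; the same approach applies to the other sprintf sites the report lists.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for krb5_data (not the libkrb5 type): a
 * length-counted buffer whose data pointer may be NULL when length is 0,
 * which is exactly the state that crashed the 1.2.3 sprintf. */
typedef struct {
    unsigned int length;
    const char *data;
} kd_string;

/* Precision to hand to "%.*s": 0 for an empty or NULL buffer, and clamped
 * to INT_MAX so an unsigned length can never wrap into a negative int. */
static int kd_prec(const kd_string *s)
{
    if (s->data == NULL || s->length == 0)
        return 0;
    return s->length > (unsigned int)INT_MAX ? INT_MAX : (int)s->length;
}

/* Pointer to hand to "%.*s": never NULL, even when the buffer is empty. */
static const char *kd_ptr(const kd_string *s)
{
    return (s->data == NULL || s->length == 0) ? "" : s->data;
}

/* Hardened version of the banner formatting from gic_pwd.c: same format
 * string as the report, but bounded by snprintf and NULL-safe. Returns the
 * length snprintf would have produced, so callers can detect truncation. */
int format_banner(char *banner, size_t size,
                  const kd_string *code, const kd_string *result)
{
    return snprintf(banner, size, "%.*s%s%.*s. Please try again.\n",
                    kd_prec(code), kd_ptr(code),
                    kd_prec(result) > 0 ? ": " : "",
                    kd_prec(result), kd_ptr(result));
}

/* Helper: format the two strings and compare with an expected banner. */
int banner_matches(unsigned int clen, const char *cdata,
                   unsigned int rlen, const char *rdata,
                   const char *expected)
{
    char buf[256];
    kd_string code = { clen, cdata };
    kd_string result = { rlen, rdata };
    format_banner(buf, sizeof buf, &code, &result);
    return strcmp(buf, expected) == 0;
}

/* Helper: a 16-byte buffer cannot hold the banner; the hardened version
 * reports the length it needed and still NUL-terminates what it wrote. */
int banner_truncates_safely(void)
{
    char buf[16];
    kd_string code = { 24, "Password change rejected" };
    kd_string result = { 0, NULL };
    int need = format_banner(buf, sizeof buf, &code, &result);
    return need > (int)sizeof buf && strlen(buf) == sizeof buf - 1;
}

int main(void)
{
    char buf[256];
    kd_string code = { 24, "Password change rejected" };   /* constructed KDC text */
    kd_string rejected = { 0, NULL };   /* the crashing input: length 0, data NULL */
    format_banner(buf, sizeof buf, &code, &rejected);
    fputs(buf, stdout);
    return 0;
}
```

The separator is keyed to the result's printable length rather than to result->length alone, so a length-only value with a NULL pointer does not leave a dangling ": " in the banner.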
    src/clients/kpasswd/kpasswd.c line 137
    src/mac/kpasswd.c line 139
    src/windows/cns/kpasswd/c line 82

And possibly in the macro SAMDATA in src/lib/krb5/krb/preauth2.c line 220
...though unless it breaks for me, I can't be bothered to pick apart the macro :-)

Regards,
Alistair Mackay
(Has also been posted to krb5-bugs@mit.edu)

From kerberos@northsailor.de Wed Feb 13 10:46:00 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA21998 for ; Wed, 13 Feb 2002 10:46:00 -0500 (EST)
Received: from post.webmailer.de (natwar.webmailer.de [192.67.198.70]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA25030 for ; Wed, 13 Feb 2002 10:46:00 -0500 (EST)
Received: from klaas (pD9E35D32.dip.t-dialin.net [217.227.93.50]) by post.webmailer.de (8.9.3/8.8.7) with SMTP id QAA13169 for ; Wed, 13 Feb 2002 16:45:55 +0100 (MET)
Message-ID: <008d01c1b4a5$847be480$2b03a8c0@mummert.priv>
From: "Klaas Hagemann"
To:
Subject: single sign-on with kerberos V5 and ldap
Date: Wed, 13 Feb 2002 16:45:48 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

hi there,

i still have a problem with kerberos and ldap.

i have got a ldap v3 directory (netscape iplanet) with all my user information.
now i want to make single sign on using kerberos V.

how can i make kerberos store all the keys in the ldap directory?

the user should log on using kerberos, and kerberos should ask the ldap directory for this user.

thanks a lot,
klaas
From smeyer@gpcc.itd.umich.edu Wed Feb 13 14:06:51 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id OAA22687 for ; Wed, 13 Feb 2002 14:06:51 -0500 (EST)
Received: from berzerk.gpcc.itd.umich.edu (berzerk.gpcc.itd.umich.edu [141.211.2.162]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id OAA23448 for ; Wed, 13 Feb 2002 14:06:50 -0500 (EST)
Received: from gpcc.itd.umich.edu (smtp@metacortex.gpcc.itd.umich.edu [141.213.230.75]) by berzerk.gpcc.itd.umich.edu (8.8.8/4.3-mailhub) with ESMTP id OAA06197; Wed, 13 Feb 2002 14:06:50 -0500 (EST)
Received: (from smeyer@localhost) by gpcc.itd.umich.edu (8.9.1a/4.9.1-cyrus) id OAA13321; Wed, 13 Feb 2002 14:06:50 -0500 (EST)
Message-Id: <200202131906.OAA13321@gpcc.itd.umich.edu>
to: "vkd"
cc: Marcus Watts , kerberos@mit.edu
From: Seth Meyer
Subject: Re: pam_krb5 for solaris
In-reply-to: Your message of "Wed, 13 Feb 2002 04:35:22 EST." <200202130935.EAA11317@quince.ifs.umich.edu>
Date: Wed, 13 Feb 2002 14:06:49 -0500

> From: Seth Meyer : Marcus Watts
> To: "vkd"

Does your krb5 library build have these features enabled:

    --enable-dns            build in support for Kerberos-related DNS lookups
    --enable-dns-for-kdc    enable DNS lookups of Kerberos KDCs (default=YES)
    --enable-dns-for-realm  enable DNS lookups of Kerberos realm names

?
From looking at:

> > > > $ ldd /usr/lib/security/pam_krb5.so.1
> > libpam.so.1 => /usr/lib/libpam.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > libc.so.1 => /usr/lib/libc.so.1
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1

my stab in the dark is that you are missing /usr/lib/libresolv.so.1

append -lresolv to:

    KRB5LIBS = -L/usr/kerberos/lib -R/usr/kerberos/lib -lkrb5 -lk5crypto -lcom_err

and relink.

Good luck.

Seth Meyer

From ray@hackfoo.net Wed Feb 13 16:12:11 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id QAA23094 for ; Wed, 13 Feb 2002 16:12:11 -0500 (EST)
Received: from zuse.hackfoo.net (zuse.hackfoo.org [216.181.159.139] (may be forged)) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id QAA17699 for ; Wed, 13 Feb 2002 16:12:11 -0500 (EST)
Received: (from ray@localhost) by zuse.hackfoo.net (8.11.2/8.11.2) id g1DL0UX18740 for kerberos@mit.edu; Wed, 13 Feb 2002 16:00:30 -0500 (EST)
Date: Wed, 13 Feb 2002 16:00:30 -0500
From: Ray Schneider
To: kerberos@mit.edu
Subject: krb5-1.2.4-beta1 compile
Message-ID: <20020213160030.A21904@hackfoo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i

ok.. ive been playing with the beta... ive tried various things, im
trying to configure and compile under solaris 8...on an ultra5, the
following seems to occur no matter what... (excuse the length)

./configure (i have put options here as well, or no options doesnt matter)

bash-2.03# make
making all in util...
make[1]: Entering directory `/usr/local/src/krb5-1.2.4-beta1/src/util'
echo libpath /usr/local/lib:`pwd`/../lib:/usr/lib:/lib >aix.bincmds
rm -f libupdate libupdate.tmp
sed -e 's,@''ARADD''@,false,g' -e 's,@''ARCHIVE''@,false,g' ./libupdate.sh > libupdate.tmp && chmod +x libupdate.tmp && mv libupdate.tmp libupdate
rm -f makeshlib makeshlib.tmp
sed -e 's,@''CC''@,/usr/local/bin/gcc,g' -e 's,@''HOST_TYPE''@,sparc-sun-solaris2.8,g' -e 's,@''HAVE_GCC''@,yes,g' ./makeshlib.sh >makeshlib.tmp&&chmod a+x makeshlib.tmp&&mv makeshlib.tmp makeshlib
making all in util/et...
make[2]: Entering directory `/usr/local/src/krb5-1.2.4-beta1/src/util/et'
/usr/local/bin/gcc -DHAVE_LIBNSL=1 -DHAVE_LIBSOCKET=1 -DKRB5_DNS_LOOKUP_KDC=1 -DKRB5_DNS_LOOKUP=1 -DNO_YYLINENO=1 -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 -DHAVE_STRERROR=1 -DHAVE_STDARG_H=1 -DHAVE_STDLIB_H=1 -DKRB5_KRB4_COMPAT -I../../include -I./../../include -I../../include/krb5 -I./../../include/krb5 -I. -I. -c error_message.c
/usr/local/bin/gcc -DHAVE_LIBNSL=1 -DHAVE_LIBSOCKET=1 -DKRB5_DNS_LOOKUP_KDC=1 -DKRB5_DNS_LOOKUP=1 -DNO_YYLINENO=1 -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 -DHAVE_STRERROR=1 -DHAVE_STDARG_H=1 -DHAVE_STDLIB_H=1 -DKRB5_KRB4_COMPAT -I../../include -I./../../include -I../../include/krb5 -I./../../include/krb5 -I. -I. -c et_name.c
/usr/local/bin/gcc -DHAVE_LIBNSL=1 -DHAVE_LIBSOCKET=1 -DKRB5_DNS_LOOKUP_KDC=1 -DKRB5_DNS_LOOKUP=1 -DNO_YYLINENO=1 -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 -DHAVE_STRERROR=1 -DHAVE_STDARG_H=1 -DHAVE_STDLIB_H=1 -DKRB5_KRB4_COMPAT -I../../include -I./../../include -I../../include/krb5 -I./../../include/krb5 -I. -I. -c init_et.c
/usr/local/bin/gcc -DHAVE_LIBNSL=1 -DHAVE_LIBSOCKET=1 -DKRB5_DNS_LOOKUP_KDC=1 -DKRB5_DNS_LOOKUP=1 -DNO_YYLINENO=1 -DHAVE_SYS_ERRLIST=1 -DNEED_SYS_ERRLIST=1 -DHAVE_STRERROR=1 -DHAVE_STDARG_H=1 -DHAVE_STDLIB_H=1 -DKRB5_KRB4_COMPAT -I../../include -I./../../include -I../../include/krb5 -I./../../include/krb5 -I. -I. -c com_err.c
rm -f libcom_err.a
building static com_err library
make[2]: *** [libcom_err.a] Error 255
make[2]: Leaving directory `/usr/local/src/krb5-1.2.4-beta1/src/util/et'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory `/usr/local/src/krb5-1.2.4-beta1/src/util'
make: *** [all-recurse] Error 1

Now, if i go in and say, touch libcom_err.a, and then make again, i
will make it a directory further along and then it will happen again?
Anyone seen this behaviour? Im curious about it, wondering what stupid
thing Im forgetting or whatever...

Thanks,
-ray

btw- Im getting the same thing when configuring and make 1.2.3 as well.

--
------------------------------------------------
http://hackfoo.net

From kovert@omniscient.com Wed Feb 13 17:33:06 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id RAA23370 for ; Wed, 13 Feb 2002 17:33:05 -0500 (EST)
Received: from guiness.omniscient.com (guiness.omniscient.com [64.134.101.78]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id RAA22410 for ; Wed, 13 Feb 2002 17:33:03 -0500 (EST)
Received: from guiness.omniscient.com (localhost [127.0.0.1]) by guiness.omniscient.com (8.12.1/8.12.1) with ESMTP id g1DMUtmO025236 for ; Wed, 13 Feb 2002 17:30:55 -0500 (EST)
Message-Id: <200202132230.g1DMUtmO025236@guiness.omniscient.com>
To: kerberos@mit.edu
Subject: KfW and triple des problems
Date: Wed, 13 Feb 2002 17:30:55 -0500
From: Todd Kover

is anyone aware of problems with KfW 2.1.2 and triple des encryption?

[ This is all krb5. I have no krb4 support turned on anymore. ]
I'm attempting to get WinCVS/cvs working with gserver against the 2.1.2
sdk and have been successful using keys in my age-old kdc (migrated
over from v4) which only has a des-cbc-crc key for the relevant service
principal:

    kadmin: getprinc cvs/saidin.omniscient.com
    [ ... ]
    Number of keys: 1
    Key: vno 2, DES cbc mode with CRC-32, no salt

(The kdc is running 1.2.2 now but that's a change since the
abovementioned principal was created).

I'm able to interact with a cvs server linked against 1.2.2 sources
using this service key just fine.

Using the same cvs binary, but against a relatively newly configured
cvs server (initially installed under 1.2), the service side is
complaining "could not verify credentials", with a cvs server similarly
linked against 1.2.2 libraries but with a cvs/hostname principal in the
kdc with key types:

    Number of keys: 2
    Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 2, DES cbc mode with CRC-32, no salt

The odd thing is that when I have the windows box's krb5.ini file set
with:

    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

I can kinit against it fine from the windows box. If I change this to:

    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

kinit's fail. This leads me to believe something is awry with the
des3-hmac-sha1 support.

It seems that the .ini file is ignored when grabbing service tickets
because the credentials cache on the windows box has both keys in it
when I attempt to use cvs, regardless of the config file. (this isn't
surprising).

Does this ring any bells for anyone? I haven't dug deeply into the code
just yet. I figured I'd ask before I started to try to parse it and get
the encryption-induced headache I expect. :-)

windows 2000+sp2 if that makes a difference. Everything's built with
Visual C++&&sp5.
thanks,
-Todd

From cesarg@ms.com Wed Feb 13 23:49:12 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id XAA24521 for ; Wed, 13 Feb 2002 23:49:12 -0500 (EST)
Received: from hqvsbh1.ms.com (hqvsbh1-x0.ms.com [205.228.12.101]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA27020 for ; Wed, 13 Feb 2002 23:49:11 -0500 (EST)
Received: from hqvsbh1-idmz.ms.com (localhost [127.0.0.1]) by hqvsbh1.ms.com (Postfix) with SMTP id 9262E2065D for ; Wed, 13 Feb 2002 23:49:11 -0500 (EST)
Received: from sasmh3.ms.com (unknown [144.14.193.98]) by hqvsbh1-idmz.ms.com (Postfix) with ESMTP id 7AC5F2065A for ; Wed, 13 Feb 2002 23:49:11 -0500 (EST)
Received: from imus.morgan.com (imus.morgan.com [144.14.15.156]) by sasmh3.ms.com (8.8.5/imap+ldap v2.4) with ESMTP id XAA13648; Wed, 13 Feb 2002 23:49:11 -0500 (EST)
Received: (cesarg@localhost) by imus.morgan.com (8.8.5/sendmail.cf.client v1.05) id XAA14609; Wed, 13 Feb 2002 23:49:10 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15467.16838.50176.101120@imus.ms.com>
Date: Wed, 13 Feb 2002 23:49:10 -0500 (EST)
From: Cesar Garcia
To: Cesar Garcia
Cc: kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses
In-Reply-To: <15465.56403.936552.993225@imus.ms.com>
References: <15459.61368.330902.672691@imus.ms.com> <15465.53854.333272.215183@imus.ms.com> <15465.56403.936552.993225@imus.ms.com>
X-Mailer: VM 6.72 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid

FYI,

For those interested, here's a very simple patch to krb524d.c (release 1.2.2):

Basically, when looking up the key that krb524d will use to build
the response, the key version number is not being assigned when using
the keytab option. The code looks OK when using the KDB.

I'll have to hammer away at this server.

What's the story with the alpha status of k524? Are folks using this in
production environments, despite the recommendation in the README
against doing so?

Thanks again for the pointers.

*** krb524d.c.orig	Wed Feb 13 22:34:06 2002
--- krb524d.c	Wed Feb 13 23:41:34 2002
***************
*** 393,398 ****
--- 393,400 ----
  if ((ret = krb5_kt_get_entry(context, kt, p, kvno, ktype, &entry)))
  return ret;
  memcpy(key, (char *) &entry.key, sizeof(krb5_keyblock));
+ if(kvnop)
+ *kvnop = entry.vno;
  return 0;
  } else if (use_master) {
  return kdc_get_server_key(context, p, key, kvnop, ktype, kvno);
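Review bot: the added `if(kvnop) *kvnop = entry.vno;` is the right fix and the right place for it: the lookup is made with the caller's `kvno`, which is 0 ("any version") on this path, so without the assignment the version the caller puts into the V4 credential stays at its initial 0 while the key that actually encrypted it is version 1, which is exactly the "unknown key" rejection seen from rxkad. The NULL guard is consistent with the `use_master` branch below it, which also passes `kvnop` straight through. Two things to check in the same region: the keyblock is copied out of `entry` with a shallow memcpy, so if the keytab entry is ever released with krb5_kt_free_entry the key contents handed back to the caller go with it (copy with krb5_copy_keyblock_contents and then free the entry instead); and `if(kvnop)` does not follow the `if ((ret = ...` spacing of the surrounding lines.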
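An added model of the failure these two messages describe (the kvno-0 credential observed on the client and the keytab lookup the patch corrects), not libkrb5, krb524d or OpenAFS code: an in-memory keytab with the same "kvno 0 means any version" lookup contract, a pre-patch variant that never reports which version it used, and a server-side check that selects the service key by the kvno carried in the token. The function names (keytab_get_key, keytab_get_key_prepatch, issue_v4_kvno, server_accepts_token), the principal names and the key bytes are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed in-memory keytab (not libkrb5): one key per (principal,
 * version). Principal names and key bytes are arbitrary sample values. */
typedef struct {
    const char *principal;
    int vno;
    unsigned char key[8];
} kt_entry;

static const kt_entry KEYTAB[] = {
    { "afs@K5REALM",            1, { 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88 } },
    { "krbtgt/K5REALM@K5REALM", 5, { 0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8 } },
};
#define KEYTAB_LEN (sizeof KEYTAB / sizeof KEYTAB[0])

/* Keytab lookup with the contract used in the thread: requested_vno 0
 * means "any version". The version of the entry actually used is reported
 * through vnop when the caller supplies one. Returns 0 on success, -1 when
 * no matching entry exists. */
int keytab_get_key(const char *principal, int requested_vno,
                   unsigned char key[8], int *vnop)
{
    size_t i;
    for (i = 0; i < KEYTAB_LEN; i++) {
        const kt_entry *e = &KEYTAB[i];
        if (strcmp(e->principal, principal) != 0)
            continue;
        if (requested_vno != 0 && e->vno != requested_vno)
            continue;
        memcpy(key, e->key, sizeof e->key);
        if (vnop)
            *vnop = e->vno;     /* the assignment the patch adds */
        return 0;
    }
    return -1;
}

/* The 1.2.2 keytab path before the patch: the key is copied out but the
 * version is never reported, so the caller's initial value stands. */
int keytab_get_key_prepatch(const char *principal, int requested_vno,
                            unsigned char key[8], int *vnop)
{
    int discarded;
    (void)vnop;
    return keytab_get_key(principal, requested_vno, key, &discarded);
}

/* Model of the krb524d response: the V4 credential carries the kvno of
 * the key that encrypted it. The server asks for "any version" (0), and
 * that 0 is what the client ends up with unless the lookup overwrites it. */
int issue_v4_kvno(int prepatch)
{
    unsigned char key[8];
    int kvno = 0;
    int rc = prepatch
        ? keytab_get_key_prepatch("afs@K5REALM", 0, key, &kvno)
        : keytab_get_key("afs@K5REALM", 0, key, &kvno);
    return rc == 0 ? kvno : -1;
}

/* Model of the AFS server side: the kvno in the token selects the service
 * key to decrypt it with, so a version the server does not hold is refused
 * (the "unknown key" outcome from the thread). Version 0 never names a
 * filed key in this model, so it is refused outright. */
int server_accepts_token(int token_kvno)
{
    unsigned char key[8];
    if (token_kvno <= 0)
        return 0;
    return keytab_get_key("afs@K5REALM", token_kvno, key, NULL) == 0;
}

int main(void)
{
    int before = issue_v4_kvno(1), after = issue_v4_kvno(0);
    printf("pre-patch kvno %d accepted=%d; patched kvno %d accepted=%d\n",
           before, server_accepts_token(before),
           after, server_accepts_token(after));
    return 0;
}
```

The point the model makes is that a key lookup which accepts "any version" must always return the version it chose; a caller that seeds the out-parameter with 0 and trusts it afterwards produces a credential that is well-formed but undecryptable by every peer that indexes keys by kvno.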
So even if were to switch Cesar> to DNS, the client would not be able to determine all the Cesar> IP addresses for a given target host via the hostname Cesar> lookup that it uses today. Cesar> That said (barring hacks to application protocols that Cesar> would allow target hosts to send IP addresses back to Cesar> the source host, then having the client embed the full set Cesar> of tickets), the way to address this would be to have Cesar> the target host obtain new tickets will a full set of Cesar> IP addresses. Cesar> 1 - is this possible? Cesar> 2 - is it within the limits of the specification? Cesar> If so, has anyone has implemented this for 1.2.2 or any Cesar> releases of MIT krb5. Cesar> _______________________________________________ Cesar> Kerberos mailing list Cesar> Kerberos@mit.edu Cesar> http://mailman.mit.edu/mailman/listinfo/kerberos From ggsr@sonata-software.com Thu Feb 14 00:08:15 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id AAA24616 for ; Thu, 14 Feb 2002 00:08:15 -0500 (EST) Received: from bg1mail.sonata-software.com ([164.164.142.10]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id AAA26479 for ; Thu, 14 Feb 2002 00:08:12 -0500 (EST) Received: by BG1MAIL with Internet Mail Service (5.5.2653.19) id <1YPM4X3R>; Thu, 14 Feb 2002 10:41:00 +0530 Message-ID: From: Sreedhar Gupta To: "Kerberos (E-mail)" Subject: Proxiable Date: Thu, 14 Feb 2002 10:40:57 +0530 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Hi all, Can any one explain me, what is the difference between Forwardable Flag and Proxiable Flag and in which real 
time scenario the Proxiable option would be used.

Thanks in advance.

Sreedhar Gupta

*********************************************************************
Disclaimer: The information in this e-mail and any attachments is confidential / privileged. It is intended solely for the addressee or addressees. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind.
*********************************************************************

From dalmeida@MIT.EDU Thu Feb 14 13:49:29 2002
From: "Danilo Almeida"
To: "'Srinivas Cheruku'"
Subject: RE: Does MIT support Microsoft Credential Cache
Date: Thu, 14 Feb 2002 13:49:07 -0500
Message-ID: <00ee01c1b588$48b55e70$1b011212@mit.edu>
I am not sure whether we will be able to plug into the MS cache directly. There are some patches for doing that, but they require some reworking to integrate well into the code. In any case, there is the ms2mit utility which allows you to grab creds from the MS cache into an MIT cache.

- Danilo

-----Original Message-----
From: kerberos-admin@MIT.EDU [mailto:kerberos-admin@MIT.EDU] On Behalf Of Srinivas Cheruku
Sent: Tuesday, February 12, 2002 12:30 AM
To: kerberos@mit.edu
Subject: Does MIT support Microsoft Credential Cache

Hi all,

Please can any one of you give me the information.

What types of Credentials Cache does MIT support? Will it support the Microsoft Credential Cache on Win2k? Will a GSS application developed using MIT GSS be able to read the credentials from the Microsoft credential cache? What are the implications of these cache types when clients are on XP?

Thanks a lot,
Srini

From rlmorgan@washington.edu Thu Feb 14 19:05:06 2002
Date: Thu, 14 Feb 2002 16:06:12 -0800 (PST)
From: "RL 'Bob' Morgan"
To: "Joel D. Kraft"
cc: kerberos@mit.edu
Subject: Re: Kerberos http authentication

On Mon, 11 Feb 2002, Joel D. Kraft wrote:

> "Donn Cave" wrote
> ...
> > Only inasmuch as the Kerberos authentication server can be used to
> > validate passwords.
> > The proxy, if that's the right term, can get
> > a Kerberos ticket, and throw it away. The browser's host doesn't
> > ever see any of that, Kerberos credentials there are irrelevant.
> > The question would be not how well it integrates, rather what it
> > means to integrate - if you want a Kerberos application, it isn't,
> > but if you only want it to work at a site that has only Kerberos
> > passwords, it does. The rest is about cookies.
>
> Does anyone know of anything that will perform this function under
> IIS? We have an existing system with our own session management
> already set up. Currently most of the authentication takes place
> against a database... but we want to add kerberos to that.

The pubcookie package that Booker mentioned is available from the University of Washington, and includes a filter for IIS. The weblogin service has only been deployed on unix/apache, but it's a cgi so theoretically could be made to work on Windows/IIS.

Internet2 is hosting a multi-university project:

  http://middleware.internet2.edu/webiso/

to develop this architecture and secondarily the pubcookie software as a sharable version of the weblogin one-offs produced by so many places. There's a link on that page to get the pubcookie distribution. Project participation is welcomed ...
 - RL "Bob" Morgan
   University of Washington

From tlyu@MIT.EDU Thu Feb 14 21:39:28 2002
To: Ray Schneider
Cc: kerberos@MIT.EDU
Subject: Re: krb5-1.2.4-beta1 compile
References: <20020213160030.A21904@hackfoo.net>
From: Tom Yu
Date: 14 Feb 2002 21:39:26 -0500
In-Reply-To: <20020213160030.A21904@hackfoo.net>

>>>>> "ray" == Ray Schneider writes:

ray> ok.. I've been playing with the beta... I've tried various things,
ray> I'm trying to configure and compile under solaris 8... on an
ray> ultra5, the following seems to occur no matter what...

[...]

ray> make[1]: Entering directory `/usr/local/src/krb5-1.2.4-beta1/src/util'
ray> echo libpath /usr/local/lib:`pwd`/../lib:/usr/lib:/lib >aix.bincmds
ray> rm -f libupdate libupdate.tmp
ray> sed -e 's,@''ARADD''@,false,g' -e 's,@''ARCHIVE''@,false,g' ./libupdate.sh > libupdate.tmp && chmod +x libupdate.tmp && mv libupdate.tmp libupdate

[...]

ray> rm -f libcom_err.a
ray> building static com_err library
ray> make[2]: *** [libcom_err.a] Error 255

This looks like you're missing the "ar" program. Is /usr/ccs/bin in your $PATH when you run ./configure?
---Tom

From csri@sonata-software.com Thu Feb 14 22:46:49 2002
From: Srinivas Cheruku
To: Danilo Almeida
Cc: kerberos@MIT.EDU
Subject: RE: Does MIT support Microsoft Credential Cache
Date: Fri, 15 Feb 2002 09:19:28 +0530

I understand from your mail that this utility will read the MS cache and make a copy of the credentials into the MIT cache. Is this right??

Please can you tell me where I can find this utility.

Thanks and Regards,
Srini

-----Original Message-----
From: Danilo Almeida [mailto:dalmeida@MIT.EDU]
Sent: Friday, February 15, 2002 12:19 AM
To: 'Srinivas Cheruku'
Cc: kerberos@MIT.EDU
Subject: RE: Does MIT support Microsoft Credential Cache

I am not sure whether we will be able to plug into the MS cache directly. There are some patches for doing that, but they require some reworking to integrate well into the code. In any case, there is the ms2mit utility which allows you to grab creds from the MS cache into an MIT cache.

- Danilo
From dalmeida@MIT.EDU Fri Feb 15 01:59:29 2002
From: "Danilo Almeida"
To: "'Srinivas Cheruku'"
Subject: RE: Does MIT support Microsoft Credential Cache
Date: Fri, 15 Feb 2002 01:55:31 -0500
Message-ID: <015b01c1b5ed$c38e15f0$1b011212@mit.edu>

It is part of MIT krb5 1.2.3 and KfW 2.1.2.
- Danilo

-----Original Message-----
From: Srinivas Cheruku [mailto:csri@sonata-software.com]
Sent: Thursday, February 14, 2002 10:49 PM
To: Danilo Almeida
Cc: kerberos@MIT.EDU
Subject: RE: Does MIT support Microsoft Credential Cache

I understand from your mail that this utility will read the MS cache and make a copy of the credentials into the MIT cache. Is this right??

Please can you tell me where I can find this utility.

Thanks and Regards,
Srini

From iteducation@frontier.co.kr Fri Feb 15 03:02:44 2002
From: iteducation@frontier.co.kr
Date: Fri, 15 Feb 2002 16:55:03 +0900
Message-ID: <3784466.1013759703320.JavaMail.root@localhost.localdomain>
To: mahallkita@hanmail.net, nicehhe@hanmail.net, jejuscuba@hanmail.net, gwchu@hyowon.cc.pusan.ac.kr, Kim@yahoo.com, ccsakura@thrunet.com, kerberos@MIT.EDU, mudo@oktown.net, tkpark@cristy.postech.ac.kr, phones2@juno.com
Subject: =?euc-kr?B?KluxpCCw7V0qILOqtMIgwd+xub+hvK0gucy3obimIMHYuvHH0bTZLiA=?=
From news@ra.nrl.navy.mil Fri Feb 15 04:26:27 2002
X-Newsgroups: comp.protocols.kerberos
Subject: Problems compiling krb5-1.2.3
From: Dirk Heinrichs
Organization: QIS Systemhaus GmbH
Date: Fri, 15 Feb 2002 09:10:37 GMT
To: kerberos@MIT.EDU

Hello,

I found nothing on google about this so I ask here.

I compiled krb5-1.2.3 on Linux (m68k). I finally got it to compile but had to do some Makefile changes in some places (lib/krb5/ccache/file/Makefile is one of them). Every now and then during compilation I got some kind of "identifier not declared" or "undefined reference" message. In every case it was "-DHAVE_NETINET_IN_H=1" missing from the CFLAGS macro in the Makefile. In config.cache I can find a corresponding line for netinet/in.h which is set to "no", but watching the output of a configure run, the presence of netinet/in.h is never tested.

Am I missing something?

Bye...

	Dirk

--
Dirk Heinrichs          | Tel:  +49 (0)241 413 260
Configuration Manager   | Fax:  +49 (0)241 413 2640
QIS Systemhaus GmbH     | Mail: dheinrichs@qis-systemhaus.de
Jülicher Str. 338b      | Web:  http://www.qis-systemhaus.de
D-52070 Aachen          | ICQ#: 110037733

From iteducation@frontier.co.kr Fri Feb 15 09:47:53 2002
From: iteducation@frontier.co.kr
Date: Fri, 15 Feb 2002 23:39:05 +0900
Message-ID: <6330011.1013783945806.JavaMail.root@localhost.localdomain>
To: gospelok@hanmail.net, traianing@rapra.net, yunisolo@hanmail.net, fedsrus@telus.net, poul1111@hanmail.net, dandy@sungrak.or.kr, meforu@kebi.com, pkr6907@hanmail.net, kerberos@MIT.EDU, hasell@com.ne.kr
Subject: =?euc-kr?B?KluxpCCw7V0qILOqtMIgwd+xub+hvK0gucy3obimIMHYuvHH0bTZLiA=?=
From news@ra.nrl.navy.mil Fri Feb 15 12:51:42 2002
From: "Philippe Perrin"
X-Newsgroups: comp.protocols.kerberos
Subject: W2K Kerberized file sharing
Date: Fri, 15 Feb 2002 18:30:43 +0100
Organization: ENSEIRB
To: kerberos@MIT.EDU
Hello

I have two questions:

1) Is the Windows 2000 file sharing service Kerberized?
2) If it is, do you know of a kerberized UNIX client to access these files?

Thanks!

Philippe

From Nicolas.Williams@ubsw.com Fri Feb 15 13:00:39 2002
Date: Fri, 15 Feb 2002 12:58:58 -0500
From: Nicolas Williams
To: Philippe Perrin
Cc: kerberos@mit.edu
Subject: Re: W2K Kerberized file sharing
Message-ID: <20020215125857.M27171@sm2p1386swk.wdr.com>
In-Reply-To: from philippeperrin@yahoo.com on Fri, Feb 15, 2002 at 06:30:43PM +0100
On Fri, Feb 15, 2002 at 06:30:43PM +0100, Philippe Perrin wrote:
> Hello
>
> I have two questions:
> 1) Is the Windows 2000 file sharing service Kerberized?

Yes.

> 2) If it is, do you know of a kerberized UNIX client to access these files?

*shrug* Check out Samba, maybe they support kerberized CIFS now...

http://samba.org/

> Thanks!
>
> Philippe

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
From hartmans@MIT.EDU Fri Feb 15 13:15:22 2002
Date: 15 Feb 2002 13:15:20 -0500
From: Sam Hartman
To: Dirk Heinrichs
Cc: kerberos@MIT.EDU
Subject: Re: Problems compiling krb5-1.2.3
In-Reply-To: Dirk Heinrichs's message of "Fri, 15 Feb 2002 09:10:37 GMT"

>>>>> "Dirk" == Dirk Heinrichs writes:

    Dirk> Hello,
    Dirk> I found nothing on google about this so I ask here.
    Dirk> I compiled krb5-1.2.3 on Linux (m68k). I finally got it to compile but had
    Dirk> to do some Makefile changes in some places (lib/krb5/ccache/file/Makefile
    Dirk> is one of them). Every now and then during compilation I got some kind of

The problem is on your system. I'm the Kerberos maintainer for
Debian. Debian supports m68k, and our automated build system has had
no problem with Kerberos on m68k Linux.
--Sam

From hartmans@MIT.EDU Fri Feb 15 13:21:40 2002
Date: 15 Feb 2002 13:21:38 -0500
From: Sam Hartman
To: "Klaas Hagemann"
Subject: Re: single sign-on with kerberos V5 and ldap
In-Reply-To: "Klaas Hagemann"'s message of "Wed, 13 Feb 2002 16:45:48 +0100"
References: <008d01c1b4a5$847be480$2b03a8c0@mummert.priv>

>>>>> "Klaas" == Klaas Hagemann writes:

    Klaas> hi there,
    Klaas> i have still a problem with kerberos and ldap.
    Klaas> i have got a ldap v3 directory (netscape iplanet) with all my user
    Klaas> information.
    Klaas> now i want to make single sign on using kerberos V.
    Klaas> how can i make kerberos storing all the keys in the ldap directory?
    Klaas> the user should log on using kerberos, kerberos should ask the ldap
    Klaas> directory for this user.
Briefly, you don't actually want this configuration; it is not
necessary for single sign-on, and adds your LDAP database to your
security authentication/auditing domain. With most configurations it
also significantly increases how paranoid you need to be about LDAP
backups.

From hartmans@MIT.EDU Fri Feb 15 13:24:48 2002
Date: 15 Feb 2002 13:24:46 -0500
From: Sam Hartman
To: "Philippe Perrin"
Cc: kerberos@MIT.EDU
Subject: Re: Cross-realm trust
In-Reply-To: "Philippe Perrin"'s message of "Wed, 13 Feb 2002 01:47:05 +0100"

>>>>> "Philippe" == Philippe Perrin writes:

    Philippe> Hello
    Philippe> I'm now willing to allow users authenticated in REALM1 to use services of
    Philippe> REALM2. I configured everything as I think I should have, and then I made a
    Philippe> user authenticate in REALM1, and used a telnet server in REALM2. The only
    Philippe> way I found to make it work was to add a ~/.k5login file containing
    Philippe> "user@REALM1" on the server.
    Philippe> How could I avoid writing such files for every user ? Can I make this server

That's how it should work. Cross realm keys only enable
authentication between the two realms; they say nothing about
authorization.

There's a function called krb5_aname_to_lname that maps principals
into local user names. You might be able to configure this function
to do what you need. Unfortunately, I forget how this function is
configured. I'm not sure if there is any better documentation than
the source; look at src/lib/krb5/os/an_to_ln.c.

From darryl@convsys.com Fri Feb 15 13:32:45 2002
Date: Fri, 15 Feb 2002 13:30:27 -0500
From: Darryl C Price
To: Sam Hartman
Cc: Klaas Hagemann, kerberos@mit.edu
Subject: Re: single sign-on with kerberos V5 and ldap
Message-Id: <200202151832.ACS03654@mail.nameflow.com>
You should check the iplanet rootdse ... AFAIK they don't support the
SASL GSSAPI mechanism, although PADL software has a plugin that they
will sell you ... I think it's 2K per server.

==D

---- Original message ----
>Date: 15 Feb 2002 13:21:38 -0500
>From: Sam Hartman
>Subject: Re: single sign-on with kerberos V5 and ldap
>To: "Klaas Hagemann"
>
>>>>>> "Klaas" == Klaas Hagemann writes:
>
>    Klaas> hi there,
>
>    Klaas> i have still a problem with kerberos and ldap.
>
>    Klaas> i have got a ldap v3 directory (netscape iplanet) with all my user
>    Klaas> information.
>    Klaas> now i want to make single sign on using kerberos V.
>    Klaas> how can i make kerberos storing all the keys in the ldap directory?
>
>    Klaas> the user should log on using kerberos, kerberos should ask the ldap
>    Klaas> directory for this user.
>
>
>Briefly, you don't actually want this configuration; it is not
>necessary for single sign-on, and adds your LDAP database to your
>security authentication/auditing domain. With most configurations it
>also significantly increases how paranoid you need to be about LDAP
>backups.
>
>
>_______________________________________________
>Kerberos mailing list
>Kerberos@mit.edu
>http://mailman.mit.edu/mailman/listinfo/kerberos

Darryl C Price
Conversant Systems, LLC
Email: darryl@convsys.com
Phone: (513)768-3120
Fax: (513)984-3947
Web: http://www.convsys.com

From vorlon@dodds.net Fri Feb 15 13:36:28 2002
Date: Fri, 15 Feb 2002 12:36:27 -0600
From: Steve Langasek
To: Philippe Perrin, kerberos@mit.edu
Subject: Re: W2K Kerberized file sharing
Message-ID: <20020215183624.GA20227@dodds.net>
In-Reply-To: <20020215125857.M27171@sm2p1386swk.wdr.com>

On Fri, Feb 15, 2002 at 12:58:58PM -0500, Nicolas Williams wrote:
> On Fri, Feb 15, 2002 at 06:30:43PM +0100, Philippe Perrin wrote:
> > Hello
> > I have two questions:
> > 1) Is the Windows 2000 file sharing service Kerberized?

> Yes.

> > 2) If it is, do you know of a kerberized UNIX client to access these files?

> *shrug*

> Check out Samba, maybe they support kerberized CIFS now...
> http://samba.org/

They do if you're using the 3.0 CVS branch.

Steve Langasek
postmodern programmer

From vorlon@dodds.net Fri Feb 15 13:38:41 2002
Date: Fri, 15 Feb 2002 12:38:39 -0600
From: Steve Langasek
To: Sam Hartman
Cc: Dirk Heinrichs, kerberos@mit.edu
Subject: Re: Problems compiling krb5-1.2.3
Message-ID: <20020215183837.GB20227@dodds.net>

On Fri, Feb 15, 2002 at 01:15:20PM -0500, Sam Hartman wrote:
> >>>>> "Dirk" == Dirk Heinrichs writes:

>     Dirk> Hello,
>     Dirk> I found nothing on google about this so I ask here.
>     Dirk> I compiled krb5-1.2.3 on Linux (m68k). I finally got it to compile but had
>     Dirk> to do some Makefile changes in some places (lib/krb5/ccache/file/Makefile
>     Dirk> is one of them). Every now and then during compilation I got some kind of

> The problem is on your system. I'm the Kerberos maintainer for
> Debian. Debian supports m68k, and our automated build system has had
> no problem with Kerberos on m68k Linux.

Yes, and although the idea of Kerberized telnet running on a 68030 w/ no
FPU is a somewhat frightening thing, I can confirm that the resulting
binaries do in fact work, as well...

Steve Langasek
postmodern programmer

From news@ra.nrl.navy.mil Fri Feb 15 13:51:43 2002
Date: Fri, 15 Feb 2002 13:29:31 -0500
From: James M Craig
Organization: RIT, Department of Computer Science
To: kerberos@MIT.EDU
Subject: suid problems
Message-ID: <3C6D538B.C1871BC4@cs.rit.edu>

Our department is planning on implementing kerberos v5 soon, and I have
to assess what changes will be needed in our department for this to
work. We are running Solaris 8, and I am installing SEAM 1.0.1

The first problem that I am faced with is dealing with scripts that are
suid and access files over nfs. The way things work now, a student runs
a program to submit their coursework. This program is suid to a 'submit'
uid, and this submit uid is allowed to dump files into the grader
accounts, compile and run the projects, and provide feedback to the
students.
In my test Realm, I have noticed that if I run a program that is suid
to another user, and attempt to write a file to an NFS mounted directory
(exported with sec=krb5i), it doesn't work. My understanding is that
the process, which is now owned by someone else, does NOT have any
credentials to manipulate the NFS mounted directory...

Has anyone else had to deal with this? What sort of changes are
necessary?

Jim Craig
jmc@cs.rit.edu

From Nicolas.Williams@ubsw.com Fri Feb 15 13:58:09 2002
Date: Fri, 15 Feb 2002 13:51:09 -0500
From: Nicolas Williams
To: Steve Langasek
Cc: Sam Hartman, Dirk Heinrichs, kerberos@mit.edu
Subject: Re: Problems compiling krb5-1.2.3
Message-ID: <20020215135107.P27171@sm2p1386swk.wdr.com>
In-Reply-To: <20020215183837.GB20227@dodds.net>
On Fri, Feb 15, 2002 at 12:38:39PM -0600, Steve Langasek wrote:
> On Fri, Feb 15, 2002 at 01:15:20PM -0500, Sam Hartman wrote:
> > The problem is on your system. I'm the Kerberos maintainer for
> > Debian. Debian supports m68k, and our automated build system has had
> > no problem with Kerberos on m68k Linux.
>
> Yes, and although the idea of Kerberized telnet running on a 68030 w/ no
> FPU is a somewhat frightening thing, I can confirm that the resulting
> binaries do in fact work, as well...

You're just spoiled by today's CPUs, Steve, that's all :)

> Steve Langasek
> postmodern programmer

Nico

From mooney@dogbert.cc.ndsu.NoDak.edu Fri Feb 15 14:02:09 2002
Date: Fri, 15 Feb 2002 13:02:08 -0600 (CST)
From: Tim Mooney
To: kerberos@mit.edu
Cc: Philippe Perrin
Subject: Re: Cross-realm trust

In regard to: Re: Cross-realm trust, Sam Hartman said (at 1:24pm on Feb 15,...:

>>>>>> "Philippe" == Philippe Perrin writes:
>
>    Philippe> Hello
>    Philippe> I'm now willing to allow users authenticated in REALM1 to use services of
>    Philippe> REALM2. I configured everything as I think I should have, and then I made a
>    Philippe> user authenticate in REALM1, and used a telnet server in REALM2. The only
>    Philippe> way I found to make it work was to add a ~/.k5login file containing
>    Philippe> "user@REALM1" on the server.
>    Philippe> How could I avoid writing such files for every user ? Can I make this server
>
>That's how it should work. Cross realm keys only enable
>authentication between the two realms; they say nothing about
>authorization.

I asked basically this same question (why does cross realm require
.k5login for each user) back in mid-September of 2000. A fairly long
thread evolved out of the question, with some great information by
Ken Hornstein and others.

Philippe, the reason this is required is that Kerberos doesn't assume that
the local account for bob (on a machine in REALM1) is the same person
as bob@REALM2. With cross realm, it could easily be the case that
`bob@REALM2' should really map to `jimbob' on the local machine.
That's why the .k5login is required.

In my case (and apparently in yours) I *can* guarantee that usernames
on machines always exactly match the principal, no matter what realm
they're in (so bob@REALM2 should be able to log into the `bob' account
on a machine that's in REALM1).

Ken Hornstein suggested looking into the k5userok() function. See
the thread in September of 2000 for more info.
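As an added illustration of the authentication-versus-authorization split Sam and Tim describe above (this is my own example code, not MIT krb5's an_to_ln.c or its krb5_kuserok), the following Python models the two decisions a Kerberized login service still has to make after a cross-realm ticket has verified: map the principal to a local account name, and consult that account's ~/.k5login. The realm names, the regex-style site rules and the sample .k5login text are constructed for the example; MIT's real rule syntax is different, and the order "k5login if present, else name mapping" is my reading of the behaviour, stated as an assumption.

```python
"""Principal -> local-account mapping after cross-realm authentication.

Added example (not MIT krb5 code). It models, in simplified form, the two
checks a Kerberized service makes once the cross-realm ticket has verified:
  1. aname_to_lname: which local account does this principal name?
  2. kuserok: may that principal act as the requested local user?
Cross-realm keys settle only authentication; these two functions are where
authorization happens, which is why bob@REALM1 is refused on a REALM2 host
unless a .k5login entry or a site mapping rule says otherwise.
"""
import re
from typing import Iterable, Optional, Tuple

# A rule is (regex matched against the full principal, replacement template).
# Constructed, simplified syntax; MIT krb5's RULE: syntax is different.
Rule = Tuple[str, str]


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' into (name, realm); the realm follows the last '@'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def aname_to_lname(principal: str, local_realm: str,
                   rules: Iterable[Rule] = ()) -> Optional[str]:
    """Return the local account for `principal`, or None if there is none.

    Site rules are tried first. The default rule maps only a single-component
    principal in the local realm to its first component; anything else,
    including every foreign-realm principal, maps to nothing.
    """
    name, realm = parse_principal(principal)
    for pattern, template in rules:
        match = re.fullmatch(pattern, principal)
        if match:
            return match.expand(template)
    if realm == local_realm and "/" not in name:
        return name
    return None


def kuserok(principal: str, local_user: str, local_realm: str,
            k5login: Optional[str] = None, rules: Iterable[Rule] = ()) -> bool:
    """Authorization decision: may `principal` log in as `local_user`?

    If the account has a .k5login (its text is passed in), that file is
    authoritative: only principals listed in it are accepted. Without one,
    the decision is whether the name mapping yields this very account.
    (Assumption: that is the fallback order of krb5_kuserok.)
    """
    if k5login is not None:
        allowed = {
            line.strip() for line in k5login.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
        }
        return principal in allowed
    return aname_to_lname(principal, local_realm, rules) == local_user


if __name__ == "__main__":
    # Scenario from the thread: the telnet server lives in REALM2.
    LOCAL = "REALM2"
    print(kuserok("bob@REALM1", "bob", LOCAL))                          # False
    print(kuserok("bob@REALM1", "bob", LOCAL, k5login="bob@REALM1\n"))  # True
    # Tim's case: names are guaranteed identical across realms, so one site
    # rule maps every REALM1 user straight onto the same local name.
    SAME_NAME = [(r"([a-z][a-z0-9]*)@REALM1", r"\1")]
    print(kuserok("bob@REALM1", "bob", LOCAL, rules=SAME_NAME))         # True
    # Sam's warning case: on this host bob@REALM2 is really jimbob.
    print(aname_to_lname("bob@REALM2", LOCAL, rules=[(r"bob@REALM2", "jimbob")]))  # jimbob
```

The first call is exactly what Philippe observed: a valid cross-realm ticket, no mapping, login refused until a .k5login entry exists. The SAME_NAME rule is the "usernames always match" policy Tim describes, applied once in configuration instead of per home directory.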
Tim
--
Tim Mooney                              mooney@dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From Nicolas.Williams@ubsw.com Fri Feb 15 14:11:56 2002
Date: Fri, 15 Feb 2002 14:10:28 -0500
From: Nicolas Williams
To: James M Craig
Cc: kerberos@mit.edu
Subject: Re: suid problems
Message-ID: <20020215141027.Q27171@sm2p1386swk.wdr.com>
In-Reply-To: <3C6D538B.C1871BC4@cs.rit.edu>

On Fri, Feb 15, 2002 at 01:29:31PM -0500, James M Craig wrote:
> The first problem that I am faced with is dealing with
> scripts that are suid and access files over nfs. The way things work
> now, a student runs a program to submit their coursework. This program
> is suid to a 'submit' uid, and this submit uid is allowed to dump files
> into the grader accounts, compile and run the projects, and provide
> feedback to the students.

Create a students-writeable, students-not-readable submission directory
and use that instead of a suid program.

> In my test Realm, I have noticed that if I run a program that is suid
> to another user, and attempt to write a file to an NFS mounted directory
> (exported with sec=krb5i), it doesn't work. My understanding is that
> the process, which is now owned by someone else, does NOT have any
> credentials to manipulate the NFS mounted directory...

Right.

> Has anyone else had to deal with this? What sort of changes are
> necessary?

See above. The good news is that with SecureNFS the server does all the
authorization checks, so you can rely on your files'/directories' ACLs.

> Jim Craig
> jmc@cs.rit.edu

Cheers,

Nico
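Nico's alternative, as an added example of my own (not code from the thread, and not SEAM or Solaris code): a drop-box directory that students can write into but not list, so there is no setuid program and therefore no second set of Kerberos credentials to worry about. With sec=krb5i the NFS server authorizes every request by the Kerberos principal behind it, mapped to a uid on the server, so the directory mode and the file modes are the whole access policy. The path, the mode and the sample submission are constructed for the example; the check function is what you would run from cron to catch the directory drifting back to something listable.

```python
"""Drop-box submission directory instead of a setuid submit program.

Added example, not code from the thread. Under Secure NFS (sec=krb5i) the
server authorizes each request by the Kerberos principal of the caller, so
a setuid wrapper carries no extra rights on the share; what matters is that
the directory mode lets submitters create files but not list, read, or
remove each other's work.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Owner (the grader account) has full access; the submitters' group may
# create and traverse (wx) but not list (no r); others get nothing; the
# sticky bit stops one submitter deleting or renaming another's file.
DROPBOX_MODE = (stat.S_ISVTX | stat.S_IRWXU
                | stat.S_IWGRP | stat.S_IXGRP)  # == 0o1730


def make_dropbox(path: str, mode: int = DROPBOX_MODE) -> int:
    """Create (or repair) a drop-box directory; return its resulting mode bits.

    chmod is used rather than mkdir(mode) so the process umask cannot silently
    strip the group-write bit. chown to the grader account and the students'
    group is left to the caller because it needs privilege.
    """
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)
    return stat.S_IMODE(os.lstat(path).st_mode)


def check_dropbox(path: str) -> List[str]:
    """Return the policy violations for `path` (an empty list means compliant)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("listable by submitters: group- or world-readable")
    if (mode & (stat.S_IWGRP | stat.S_IXGRP)) != (stat.S_IWGRP | stat.S_IXGRP):
        problems.append("submitters cannot create files: group needs write and search")
    if mode & stat.S_IRWXO:
        problems.append("world-accessible: others should have no bits")
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit missing: submitters could remove each other's files")
    return problems


def submit(dropbox: str, student: str, filename: str, data: bytes) -> str:
    """Write a submission as the student's own process (own credentials) would.

    O_CREAT|O_EXCL refuses to reuse an existing name, so nobody can clobber a
    file already dropped under that name. Mode 0o600: readable by the submitter
    and by whatever the server-side ACL grants the grader (assumption: the
    grader is given read via the ACLs Nico mentions, not via a setuid program).
    """
    dest = os.path.join(dropbox, f"{student}-{filename}")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> Dict[str, object]:
    """Exercise the helpers in a temporary directory and return what was seen."""
    with tempfile.TemporaryDirectory() as tmp:
        box = os.path.join(tmp, "submit")
        out: Dict[str, object] = {"mode": make_dropbox(box), "ok": check_dropbox(box)}
        # Constructed sample submission.
        out["first"] = os.path.basename(
            submit(box, "alice", "hw1.c", b"int main(void) { return 0; }\n"))
        try:
            submit(box, "alice", "hw1.c", b"overwrite attempt")
            out["clobber"] = "allowed"
        except FileExistsError:
            out["clobber"] = "refused"
        os.chmod(box, 0o1777)            # a permissive mode a later admin might set
        out["drifted"] = check_dropbox(box)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the created directory at 0o1730 with no violations, the duplicate submission refused, and two violations (listable, world-accessible) once the mode has drifted to 1777. On the Solaris side the same mode can be applied with chmod; the point of the script is the check, which takes no credentials at all.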
From news@ra.nrl.navy.mil Fri Feb 15 15:52:03 2002
Date: Fri, 15 Feb 2002 21:41:39 +0100
From: "Philippe Perrin"
Organization: ENSEIRB
To: kerberos@MIT.EDU
Subject: Re: Cross-realm trust

"Tim Mooney" wrote in message news:Pine.OSF.4.44.0202151249300.62473-100000@dogbert.cc.ndsu.NoDak.edu...
> In regard to: Re: Cross-realm trust, Sam Hartman said (at 1:24pm on Feb 15,...:
>
> >>>>>> "Philippe" == Philippe Perrin writes:
> >
> >    Philippe> Hello
> >    Philippe> I'm now willing to allow users authenticated in REALM1 to use services of
> >    Philippe> REALM2. I configured everything as I think I should have, and then I made a
> >    Philippe> user authenticate in REALM1, and used a telnet server in REALM2. The only
> >    Philippe> way I found to make it work was to add a ~/.k5login file containing
> >    Philippe> "user@REALM1" on the server.
> >    Philippe> How could I avoid writing such files for every user ? Can I make this server
> >
> >That's how it should work. Cross realm keys only enable
> >authentication between the two realms; they say nothing about
> >authorization.

OK, that's a clear answer. It's almost the conclusion I had come to.

> I asked basically this same question (why does cross realm require
> .k5login for each user) back in mid-September of 2000. A fairly long
> thread evolved out of the question, with some great information by
> Ken Hornstein and others.

I've just gone through it: an interesting thread, thank you (I like the
example of the boss username added to the trusted realm...). Now I even
understand why the things are this way :)

> Philippe, the reason this is required is that Kerberos doesn't assume that
> the local account for bob (on a machine in REALM1) is the same person
> as bob@REALM2. With cross realm, it could easily be the case that
> `bob@REALM2' should really map to `jimbob' on the local machine.
> That's why the .k5login is required.
>
> In my case (and apparently in yours) I *can* guarantee that usernames
> on machines always exactly match the principal, no matter what realm
> they're in (so bob@REALM2 should be able to log into the `bob' account
> on a machine that's in REALM1).

I'm actually running interoperability tests among different Kerberos
solutions (W2K, MIT, SEAM, Heimdal...). So it can be said that the
usernames of my realms match the policies of my choice.

> Ken Hornstein suggested looking into the k5userok() function. See
> the thread in September of 2000 for more info.
>
> Tim

Now I know where to look if I want the name matching mechanisms to behave
like your "bob" examples (the k5userok() function), thank you.

Did you try to alter this function in the way you described in September
2000 (with LDAP ACLs)?

Philippe

From news@ra.nrl.navy.mil Fri Feb 15 16:06:58 2002
Date: Fri, 15 Feb 2002 21:53:59 +0100
From: "Philippe Perrin"
Organization: ENSEIRB
To: kerberos@MIT.EDU
Subject: Re: W2K Kerberized file sharing
References: <20020215125857.M27171@sm2p1386swk.wdr.com> <20020215183624.GA20227@dodds.net>

"Steve Langasek" wrote in message news:20020215183624.GA20227@dodds.net...
> On Fri, Feb 15, 2002 at 12:58:58PM -0500, Nicolas Williams wrote:
> > On Fri, Feb 15, 2002 at 06:30:43PM +0100, Philippe Perrin wrote:
> > > Hello
> > > I have two questions:
> > > 1) Is the Windows 2000 file sharing service Kerberized?
> > Yes.
> > > 2) If it is, do you know of a kerberized UNIX client to access these files?
> > *shrug*
> > Check out Samba, maybe they support kerberized CIFS now...
> > http://samba.org/

I tried it some time ago, but it didn't work.

> They do if you're using the 3.0 CVS branch.

Thank you, I'll try this, then.

Philippe

From csri@sonata-software.com Fri Feb 15 23:58:33 2002
Date: Sat, 16 Feb 2002 10:30:50 +0530
From: Srinivas Cheruku
To: Cesar Garcia
Cc: kerberos@mit.edu
Subject: RE: Ticket forwarding and IP addresses

Cesar,

FYI - Did you know that CyberSafe are still supporting this product and
also MIT code - see http://www.cybersafe.ltd.uk

Now, I don't think you'll be getting pity or sympathy.

Srini

-----Original Message-----
From: Cesar Garcia [mailto:Cesar.Garcia@morganstanley.com]
Sent: Friday, February 08, 2002 10:48 PM
To: Ken Hornstein
Cc: Cesar Garcia; kerberos@mit.edu
Subject: Re: Ticket forwarding and IP addresses

>>>>> "Ken" == Ken Hornstein writes:

>> Since we use NIS as the primary source for hostname
>> resolution, all host lookups render a single IP address,
>> even for multihomed machines. Moving to DNS is not an
>> option at the moment.

Ken> I have to ask ... you're STILL using NIS for hostname resolution? Ouch.

Thanks for the sympathy. Unfortunately, in our case, migrating to DNS
is not a trivial effort, but let's not go there.
>> That said (barring hacks to application protocols that >> would allow target hosts to send IP addresses back to >> the source host, then having the client embed the full set >> of tickets), the way to address this would be to have >> the target host obtain new tickets will a full set of >> IP addresses. >> >> 1 - is this possible? Ken> The trick here is that one of the IP addresses in the target ticket Ken> _must_ be the IP address used to talk to the KDC; otherwise, you're Ken> outta luck. >> 2 - is it within the limits of the specification? Ken> Yes. Ken> It occurs to me that you could save yourself some pain and simply get Ken> a completely addressless ticket. There is a school of thought in the Ken> Kerberos world that suggests IP addresses in tickets are not that useful. OK. let's reset a bit. What I neglected to mention was that we are a former CyberSafe customer, with remnants of CyberSafe code still in production. (Now I'll be getting pity, not sympathy.) Since the move to MIT has also been driven by the deployment of platforms not supported by CyberSafe (e.g., linux), we have focused primarily on application infrastructure. That said, the core CyberSafe KDCs are still in place, in addition to a variety of other KDC based services, either homegrown or adopted to work with a CyberSafe KDB. Admittedly, I'll have to assess the current dependencies that we have on IP addresses. The implementation of krb524d that we currently use requires IP addresses, or it barfs. This may well be the only dependency that we really have. Client krb524 code has already been migrated to MIT. That said, I'll investigate if we have any more dependencies on IP addresses in tickets and start working on porting krb524d to the CyberSafe KDB. Unfortunately, I can't use it as is for now, until we migrate the all the KDC services to MIT krb5 (or perhaps Heimdal, since incremental propagation is a must have). 
Nonetheless, we have all sorts of applications that obtain initial credentials (various homegrown apps, PAM modules, sitecheck binaries for irix) which would need to "corrected". Ticket forwarding was my immediate objective. But I'll submit I was looking for the lazy way out. Ken> --Ken _______________________________________________ Kerberos mailing list Kerberos@mit.edu http://mailman.mit.edu/mailman/listinfo/kerberos ********************************************************************* Disclaimer: The information in this e-mail and any attachments is confidential / privileged. It is intended solely for the addressee or addressees. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to Internet email for messages of this kind. ********************************************************************* From news@ra.nrl.navy.mil Sat Feb 16 12:07:07 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id MAA05934 for ; Sat, 16 Feb 2002 12:07:02 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id MAA20104 for ; Sat, 16 Feb 2002 12:06:46 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1GH3UD16323 for kerberos@MIT.EDU; Sat, 16 Feb 2002 12:03:30 -0500 (EST) From: "Philippe Perrin" X-Newsgroups: comp.protocols.kerberos Subject: kgetcred for MIT Kerberos ? 
Date: Sat, 16 Feb 2002 16:12:38 +0100
Organization: ENSEIRB
To: kerberos@MIT.EDU

Hello

With Heimdal, I can use the "kgetcred" command to ask the KDC for tickets. For example:

    kgetcred host/thot.mds@THOTKB

will grant me this ticket if I already have a TGT (it will appear in "klist").

Is there such a mechanism with MIT Kerberos 1.2.3?

Philippe

From eichin-krb@thok.org Sat Feb 16 13:13:52 2002
From: eichin-krb@thok.org
To: Steve Langasek
Cc: kerberos@mit.edu
Subject: Re: Problems compiling krb5-1.2.3
References: <20020215183837.GB20227@dodds.net>
Date: 16 Feb 2002 13:13:30 -0500
In-Reply-To: Steve Langasek's message of "Fri, 15 Feb 2002 12:38:39 -0600"
X-Mailer: Gnus v5.7/Emacs 20.7

> Yes, and although the idea of Kerberized telnet running on a 68030 w/ no
> FPU is a somewhat frightening thing, I can confirm that the resulting
> binaries do in fact work, as well... bah.

Nothing in the Kerberos code uses an FPU (certainly nothing in the crypto -- only things in gssftp, for example, to print transfer speeds as bytes/second.) And as for 68030, well, the *idea* may frighten you, but the actual performance hit (especially with a human typing) is surprisingly small...

From news@ra.nrl.navy.mil Sat Feb 16 15:07:07 2002
From: Marc Horowitz
X-Newsgroups: comp.protocols.kerberos
Subject: Re: kgetcred for MIT Kerberos ?
Date: 16 Feb 2002 15:03:22 -0500
Organization: none
To: kerberos@MIT.EDU

"Philippe Perrin" writes:

>> Hello
>>
>> With heimdal, I can use the "kgetcred" command to ask tickets to the KDC.
>> For example :
>> kgetcred host/thot.mds@THOTKB
>> will grant me this ticket if I already have a TGT (it will appear in
>> "klist").
>>
>> Is there such a mechanism with the MIT Kerberos 1.2.3 ?

The kvno command will get you a particular ticket, and display the version number of the key.
Marc

From Julie.Harper100@virgin.net Sat Feb 16 20:34:02 2002
From: "Juile Harper"
Date: Sun, 17 Feb 2002 01:33:22
To: kerberos@mit.edu
Subject: hello

I'll make you a promise. READ THIS E-MAIL TO THE END! - follow what it says to the letter - and you will not worry whether a RECESSION is coming or not, who is President, or whether you keep your current job or not.

Yes, I know what you are thinking. I never responded to one of these before either. One day though, something just said "you throw away $25.00 going to a movie for 2 hours with your wife". "What the heck." Believe me, no matter where you believe "those feelings" come from, I thank goodness every day that I had that feeling. I cannot imagine where I would be or what I would be doing had I not.

Read on. It's true. Every word of it. It is legal. I checked. Simply because you are buying and selling something of value.

AS SEEN ON NATIONAL TV: Making over half a million dollars every 4 to 5 months from your home. THANKS TO THE COMPUTER AGE AND THE INTERNET!

==================================================
BE AN INTERNET MILLIONAIRE LIKE OTHERS WITHIN A YEAR!!!

Before you say ''Bull'', please read the following. This is the letter you have been hearing about on the news lately. Due to the popularity of this letter on the Internet, a national weekly news program recently devoted an entire show to the investigation of this program described below, to see if it really can make people money. The show also investigated whether or not the program was legal. Their findings proved once and for all that there are ''absolutely NO Laws prohibiting the participation in the program and if people can "follow the simple instruction" they are bound to make some mega bucks with only $25 out of pocket cost''.

DUE TO THE RECENT INCREASE OF POPULARITY & RESPECT THIS PROGRAM HAS ATTAINED, IT IS CURRENTLY WORKING BETTER THAN EVER.

This is what one had to say: ''Thanks to this profitable opportunity. I was approached many times before but each time I passed on it. I am so glad I finally joined just to see what one could expect in return for the minimal effort and money required. To my astonishment, I received a total $610,470.00 in 21 weeks, with money still coming in''. Pam Hedland, Fort Lee, New Jersey.

==================================================
Another said: "This program has been around for a long time but I never believed in it. But one day when I received this again in the mail I decided to gamble my $25 on it. I followed the simple instructions and walaa ..... 3 weeks later the money started to come in. First month I only made $240.00 but the next 2 months after that I made a total of $290,000.00. So far, in the past 8 months by re-entering the program, I have made over $710,000.00 and I am playing it again. The key to success in this program is to follow the simple steps and NOT change anything."

More testimonials later but first,

==== PRINT THIS NOW FOR YOUR FUTURE REFERENCE ====
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
If you would like to make at least $500,000 every 4 to 5 months easily and comfortably, please read the following... THEN READ IT AGAIN and AGAIN!!!
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

FOLLOW THE SIMPLE INSTRUCTION BELOW AND YOUR FINANCIAL DREAMS WILL COME TRUE, GUARANTEED!

INSTRUCTIONS:

===== Order all 5 reports shown on the list below =====

For each report, send $5 CASH, THE NAME & NUMBER OF THE REPORT YOU ARE ORDERING and YOUR E-MAIL ADDRESS to the person whose name appears ON THAT LIST next to the report. MAKE SURE YOUR RETURN ADDRESS IS ON YOUR ENVELOPE TOP LEFT CORNER in case of any mail problems.

=== WHEN YOU PLACE YOUR ORDER, MAKE SURE ===
=== YOU ORDER EACH OF THE 5 REPORTS! ===

You will need all 5 reports so that you can save them on your computer and resell them. YOUR TOTAL COST $5 X 5 = $25.00.

Within a few days you will receive, via e-mail, each of the 5 reports from these 5 different individuals. Save them on your computer so they will be accessible for you to send to the 1,000's of people who will order them from you. Also make a floppy of these reports and keep it on your desk in case something happens to your computer.

IMPORTANT - DO NOT alter the names of the people who are listed next to each report, or their sequence on the list, in any way other than what is instructed below in steps ''1 through 6'' or you will lose out on the majority of your profits. Once you understand the way this works, you will also see how it does not work if you change it. Remember, this method has been tested, and if you alter it, it will NOT work!!! People have tried to put their friends'/relatives' names on all five thinking they could get all the money. But it does not work this way. Believe us, some have tried to be greedy and then nothing happened. So Do Not try to change anything other than what is instructed. Because if you do, it will not work for you. Remember, honesty reaps the reward!!!

This IS a legitimate BUSINESS. You are offering a product for sale and getting paid for it. Treat it as such and you will be VERY profitable in a short period of time.

1. After you have ordered all 5 reports, take this advertisement and REMOVE the name & address of the person in REPORT # 5. This person has made it through the cycle and is no doubt counting their fortune.
2. Move the name & address in REPORT # 4 down TO REPORT # 5.
3. Move the name & address in REPORT # 3 down TO REPORT # 4.
4. Move the name & address in REPORT # 2 down TO REPORT # 3.
5. Move the name & address in REPORT # 1 down TO REPORT # 2.
6. Insert YOUR name & address in the REPORT # 1 Position.

PLEASE MAKE SURE you copy every name & address ACCURATELY! This is critical to YOUR success.

==================================================
**** Take this entire letter, with the modified list of names, and save it on your computer. DO NOT MAKE ANY OTHER CHANGES. ****

Save this on a disk as well just in case you lose any data. To assist you with marketing your business on the internet, the 5 reports you purchase will provide you with invaluable marketing information which includes how to send bulk e-mails legally, where to find thousands of free classified ads and much more.

There are 2 Primary methods to get this venture going:

METHOD # 1: BY SENDING BULK E-MAIL LEGALLY
==================================================
Let's say that you decide to start small, just to see how it goes, and we will assume You and those involved send out only 5,000 e-mails each. Let's also assume that the mailing receives only a 0.2% (2/10 of 1%) response (the response could be much better but let's just say it is only 0.2%). Also many people will send out hundreds of thousands of e-mails instead of only 5,000 each.

Continuing with this example, you send out only 5,000 e-mails. With a 0.2% response, that is only 10 orders for Report # 1. Those 10 people respond by sending out 5,000 e-mails each for a total of 50,000. Out of those 50,000 e-mails only 0.2% respond with orders. That's 100 people who respond and order Report # 2. Those 100 people mail out 5,000 e-mails each for a total of 500,000 e-mails. The 0.2% response to that is 1,000 orders for Report # 3. Those 1,000 people send 5,000 e-mails each for a total of 5 million e-mails sent out. The 0.2% response is 10,000 orders for Report # 4. Those 10,000 people send out 5,000 e-mails each for a total of 50,000,000 (50 million) e-mails. The 0.2% response to that is 100,000 orders for Report # 5. THAT'S 100,000 ORDERS TIMES $5 EACH = $500,000.00 (half a million dollars).

Your total income in this example is:
1..... $50 +
2..... $500 +
3..... $5,000 +
4..... $50,000 +
5..... $500,000
Grand Total = $555,550.00

NUMBERS DO NOT LIE. GET A PENCIL & PAPER AND FIGURE OUT THE WORST POSSIBLE RESPONSES AND NO MATTER HOW YOU CALCULATE IT, YOU WILL STILL MAKE A LOT OF MONEY!

==================================================
REMEMBER FRIEND, THIS IS ASSUMING ONLY 10 PEOPLE ORDERING OUT OF 5,000 YOU MAILED TO. Dare to think for a moment what would happen if everyone or half or even one 4th of those people mailed 100,000 e-mails each or more? There are over 150 million people on the Internet worldwide and counting, with thousands more coming on line every day. Believe me, many people will do just that, and more!

METHOD # 2: BY PLACING FREE ADS ON THE INTERNET
==================================================
Advertising on the net is very, very inexpensive and there are hundreds of FREE places to advertise. Placing a lot of free ads on the Internet will easily get a larger response. We strongly suggest you start with Method # 1 and add METHOD # 2 as you go along. For every $5 you receive, all you must do is e-mail them the Report they ordered. That's it. Always provide same day service on all orders. This will guarantee that the e-mail they send out, with your name and address on it, will be prompt because they can not advertise until they receive the report.

=========== AVAILABLE REPORTS ====================
The reason for the "cash" is not because this is illegal or somehow "wrong". It is simply about time. Time for checks or credit cards to be cleared or approved, etc. Concealing it is simply so no one can SEE there is money in the envelope and steal it before it gets to you.

ORDER EACH REPORT BY ITS NUMBER & NAME ONLY. Notes: Always send $5 cash (U.S. CURRENCY) for each Report. Checks NOT accepted. Make sure the cash is concealed by wrapping it in at least 2 sheets of paper. On one of those sheets of paper, write the NUMBER & the NAME of the Report you are ordering, YOUR E-MAIL ADDRESS and your name and postal address.

SO PLACE YOUR ORDER FOR THESE REPORTS NOW:
==================================================
REPORT # 1: 'The Insider's Guide To Advertising for Free On The Net'
Order Report # 1 from: Julie Harper, 199 Osborne Road, Hornchurch, Essex, ENGLAND RM11 1HQ
_______________________________________________________
REPORT # 2: 'The Insider's Guide To Sending Bulk Email On The Net'
Order Report # 2 from: Wei Huan Chen, P.O. Box 6023, Irvine, Ca 92616, USA
_______________________________________________________
REPORT # 3: 'Secret To Multilevel Marketing On The Net'
Order Report # 3 from: Reshma Nair, P.O. Box 25467, Dubai, United Arab Emirates
______________________________________________________
REPORT # 4: 'How To Become A Millionaire Using MLM & The Net'
Order Report # 4 from: Scott Katip, 3110 5th Ave, Beaver Falls, Pa 15010, USA
_______________________________________________________
REPORT # 5: 'How To Send Out One Million Emails For Free'
Order Report # 5 from: Chris Rhodes, 7915 Kleingreen, Spring, Tx 77379, USA
_____________________________________________________

$$$$$$$$$ YOUR SUCCESS GUIDELINES $$$$$$$$$$$
Follow these guidelines to guarantee your success:

=== If you do not receive at least 10 orders for Report # 1 within 2 weeks, continue sending e-mails until you do.
=== After you have received 10 orders, 2 to 3 weeks after that you should receive 100 orders or more for REPORT # 2. If you did not, continue advertising or sending e-mails until you do.

** Once you have received 100 or more orders for Report # 2, YOU CAN RELAX, because the system is already working for you, and the cash will continue to roll in!

THIS IS IMPORTANT TO REMEMBER: Every time your name is moved down on the list, you are placed in front of a Different report. You can KEEP TRACK of your PROGRESS by watching which report people are ordering from you. IF YOU WANT TO GENERATE MORE INCOME SEND ANOTHER BATCH OF E-MAILS AND START THE WHOLE PROCESS AGAIN. There is NO LIMIT to the income you can generate from this business!!!

=================================================
FOLLOWING IS A NOTE FROM THE ORIGINATOR OF THIS PROGRAM:

You have just received information that can give you financial freedom for the rest of your life, with NO RISK and JUST A LITTLE BIT OF EFFORT. You can make more money in the next few weeks and months than you have ever imagined. Follow the program EXACTLY AS INSTRUCTED. Do Not change it in any way. It works exceedingly well as it is now. Remember to e-mail a copy of this exciting report after you have put your name and address in Report # 1 and moved others to # 2 ... # 5 as instructed above. One of the people you send this to may send out 100,000 or more e-mails and your name will be on every one of them. Remember though, the more you send out the more potential customers you will reach.

So my friend, I have given you the ideas, information, materials and opportunity to become financially independent. IT IS UP TO YOU NOW!

============= MORE TESTIMONIALS ===============
"My name is Mitchell. My wife, Jody and I live in Chicago. I am an accountant with a major U.S. Corporation and I make pretty good money. When I received this program I grumbled to Jody about receiving 'junk mail'. I made fun of the whole thing, spouting my knowledge of the population and percentages involved. I 'knew' it wouldn't work. Jody totally ignored my supposed intelligence and a few days later she jumped in with both feet. I made merciless fun of her, and was ready to lay the old 'I told you so' on her when the thing didn't work. Well, the laugh was on me! Within 3 weeks she had received 50 responses. Within the next 45 days she had received a total of $147,200.00 ........ all cash! I was shocked. I have joined Jody in her 'hobby'." Mitchell Wolf M.D., Chicago, Illinois

================================================
"Not being the gambling type, it took me several weeks to make up my mind to participate in this plan. But conservative as I am, I decided that the initial investment was so little that there was just no way that I wouldn't get enough orders to at least get my money back. I was surprised when I found my medium size post office box crammed with orders. I made $319,210.00 in the first 12 weeks. The nice thing about this deal is that it does not matter where people live. There simply isn't a better investment with a faster return and so big". Dan Sondstrom, Alberta, Canada

=================================================
"I had received this program before. I deleted it, but later I wondered if I should have given it a try. Of course, I had no idea who to contact to get another copy, so I had to wait until I was e-mailed again by someone else......... 11 months passed then it luckily came again...... I did not delete this one! I made more than $490,000 on my first try and all the money came within 22 weeks". Susan De Suza, New York, N.Y.

=================================================
"It really is a great opportunity to make relatively easy money with little cost to you. I followed the simple instructions carefully and within 10 days the money started to come in. My first month I made $20,560.00 and by the end of the third month my total cash count was $362,840.00. Life is beautiful, Thanx to internet". Fred Dellaca, Westport, New Zealand

=================================================
ORDER YOUR REPORTS TODAY AND GET STARTED ON YOUR ROAD TO FINANCIAL FREEDOM!

If you have any questions regarding this great deal please email me at any_ques@yahoo.com

If you wish to be removed from the mailing list please send an email to believe_remove@ziplip.com with the word REMOVE in the subject line.

=================================================
If you have any questions of the legality of this program, contact the Office of Associate Director for Marketing Practices, Federal Trade Commission, Bureau of Consumer Protection, Washington, D.C.

=================================================
ONE TIME MAILING, NO NEED TO REMOVE
=================================================
This message is sent in compliance of the proposed bill SECTION 301, paragraph (a)(2)(C) of S. 1618. Further transmission to you by the sender of this email may be stopped by sending a reply to: believe_remove@ziplip.com with the word REMOVE in the subject line.
This message is not intended for residents in the State of Washington; screening of addresses has been done to the best of our technical ability.

*End*

From Emailcenter@163.com Mon Feb 18 00:19:36 2002
From: "L.Mi"
Subject: To Promote Your Business
Date: Mon, 18 Feb 2002 13:18:48 +0800
Reply-To: "L.Mi"
Message-Id: <200202180519.AAA08061@fort-point-station.mit.edu>

Dear Friend:

Now there are billions of email users in the world, and this number is increasing greatly every year. People are now sending information and conducting internet marketing through email, because of its low cost and fast connection. If you want to introduce and sell your product or service, it would be the best way for you to use email to contact your targeted customers (of course you should first know the email addresses of the targeted customers). Targeted email is no doubt very effective. If you could introduce your product or service through email directly to the customers who are interested in them, it will bring you many more business chances and success.

We, XinLan Internet Marketing Center, have many years of experience in developing and utilizing internet resources. We have set up global business email address databases, which contain millions of email addresses of commercial enterprises and consumers all over the world. These email addresses are sorted by countries and fields. By using advanced professional technology, we also continuously update our databases, add new addresses, and remove undeliverable and unsubscribed addresses. With the cooperation of our partners, we are able to supply valid targeted email addresses according to your requirements (for example, you need some email addresses of importers in the field of auto spare parts in England). With our supplied email addresses, you can easily and directly contact your potential customers.

We also supply a wide variety of software. For example, WORLDCAST, the software for fast-sending emails: this software will enable you to send emails at the rate of over 10,000 pcs per hour, and to release information to thousands of people in a short time.

We are pleased to tell you that we are now offering our best prices:

Emails or Software                 | Remark                                                                                                                                                                                          | Price
100,000 targeted email addresses   | We are able to supply valid targeted email addresses according to your requirements, which are all compiled upon your order, such as region / country / occupation / field / domain name (like AOL.com or MSN.com) etc. | USD 30.00
623,000 email addresses            | 623,000 email addresses of global auto parts importers/wholesalers/distributors                                                                                                                  | USD 110.00
8 million email addresses          | 8 million global commercial enterprises email addresses                                                                                                                                         | USD 240.00
Worldcast software                 | Software for fast-sending emails                                                                                                                                                                | USD 39.00
Email searcher software            | Software for searching email addresses                                                                                                                                                          | USD 68.00
Global Trade Poster                | Spreading information about your business or products over 3000 trade message boards and newsgroups                                                                                            | USD 135.00
Jet-Hits Plus 2000 Pro             | Software for submitting website to 8000+ search engines                                                                                                                                        | USD 79.00

You can order the emails or software directly from our website. We will send the emails or software to you by email within two working days when we receive your order.

For more details, please refer to our website: http://www.biz-help.com

It is our honour if you are interested in our services or software. Please do not hesitate to contact us if you have any queries or concerns. It is always our pleasure to serve you.

Thanks and best regards!

K. Peng
Marketing Manager
Marketing@biz-help.com
Http://www.biz-help.com
XinLan Internet Marketing Center

To help your business succeed, biz-help.com
From news@ra.nrl.navy.mil Mon Feb 18 02:22:12 2002
From: jlamerto@scu.edu.au (Jai)
X-Newsgroups: comp.protocols.kerberos
Subject: Upgrading kerberos krb5
Date: 17 Feb 2002 23:19:42 -0800
Organization: http://groups.google.com/
Message-ID: <1d44f3ff.0202172319.1393738c@posting.google.com>
To: kerberos@MIT.EDU

Hi,

I have a question regarding an upgrade from krb5-1.0.4 to krb5-1.2.2. In my old db all my princs had 5 keys as below:

    Number of keys: 5
    Key: vno 6, DES cbc mode with CRC-32, no salt
    Key: vno 6, DES cbc mode with CRC-32, Version 4
    Key: vno 6, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno 6, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno 6, DES cbc mode with RSA-MD5, AFS version 3

Now that I'm using krb5-1.2.2 all new princs and any princ that has had a password change end up with two, as below:

    Number of keys: 2
    Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 3, DES cbc mode with CRC-32, no salt

My kdc.conf has entries for the following encryption types:

    supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des:normal des:v4 des:norealm des:onlyrealm des:afs3

Where did the other 3 keys go? And how come I now have a Triple DES cbc key?

Kind Regards,
Jai.
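The two listings in the message above are the per-principal key dump an administrator would compare before and after such an upgrade. As an added example (it is not code from the message, the list, or MIT krb5), the following Python parses key listings in that format and reports, for each principal, which of the five old salt types no longer have a key and which enctypes appear anywhere in the dump, so the "where did the other keys go" question can be answered across a whole database rather than one principal at a time. The key lines are the ones quoted in the message; the principal names, the "Principal:" header line and the combined sample dump are constructed assumptions.

```python
"""Inventory per-principal keys from a kadmin getprinc-style listing."""
import re

# Constructed sample: the two key sets quoted in the message, each attached to an
# assumed principal name under an assumed "Principal:" header line.
SAMPLE_LISTING = """\
Principal: alice@EXAMPLE.COM
Number of keys: 5
Key: vno 6, DES cbc mode with CRC-32, no salt
Key: vno 6, DES cbc mode with CRC-32, Version 4
Key: vno 6, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 6, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 6, DES cbc mode with RSA-MD5, AFS version 3
Principal: bob@EXAMPLE.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
"""

# "Key: vno <n>, <enctype>, <salt>"; the enctype match is non-greedy so the
# salt keeps its own commas-free text such as "Version 5 - No Realm".
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")
COUNT_RE = re.compile(r"^Number of keys: (\d+)$")

# The five salt types the message shows on a principal from the krb5-1.0.4 database.
LEGACY_SALTS = ("no salt", "Version 4", "Version 5 - No Realm",
                "Version 5 - Realm Only", "AFS version 3")


def parse_listing(text):
    """Return {principal: {"declared": n, "keys": [(vno, enctype, salt), ...]}}."""
    principals = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            current = line[len("Principal: "):]
            principals[current] = {"declared": None, "keys": []}
            continue
        if current is None:
            continue
        m = COUNT_RE.match(line)
        if m:
            principals[current]["declared"] = int(m.group(1))
            continue
        m = KEY_RE.match(line)
        if m:
            principals[current]["keys"].append(
                (int(m.group(1)), m.group(2), m.group(3)))
    return principals


def count_mismatches(principals):
    """Principals whose 'Number of keys' disagrees with the Key: lines listed."""
    return {p: (d["declared"], len(d["keys"]))
            for p, d in principals.items() if d["declared"] != len(d["keys"])}


def missing_salts(principals, expected=LEGACY_SALTS):
    """Per principal, the expected salt types for which no key exists at all."""
    out = {}
    for p, d in principals.items():
        have = {salt for _, _, salt in d["keys"]}
        gone = [s for s in expected if s not in have]
        if gone:
            out[p] = gone
    return out


def enctypes_in_use(principals):
    """Set of enctype names found anywhere in the listing."""
    return {enc for d in principals.values() for _, enc, _ in d["keys"]}


if __name__ == "__main__":
    princs = parse_listing(SAMPLE_LISTING)
    for p, gone in missing_salts(princs).items():
        print(f"{p}: no key for salt type(s): {', '.join(gone)}")
    print("enctypes present:", sorted(enctypes_in_use(princs)))
    print("declared/actual key count mismatches:", count_mismatches(princs))
```

Run against a real dump, `missing_salts` lists exactly the principals whose password has been changed under the new KDC (they carry only the "no salt" keys), while `enctypes_in_use` shows whether any principal already holds a key of an enctype that is not named in `supported_enctypes`.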
From news@ra.nrl.navy.mil Mon Feb 18 08:07:17 2002
From: "norman"
X-Newsgroups: comp.protocols.kerberos
Subject: windows server, newbie
Date: Mon, 18 Feb 2002 15:02:33 +0200
Message-ID: <3c718771$1_2@batman.vip-za.com>
To: kerberos@MIT.EDU

I heard that Kerberos will be implemented for Windows (not just a client). I presume that must also mean a Kerberos server. I have scoured the MIT site etc.; the download I got (loaded it twice) fails.

The newbie question is: can Windows run such a server and if so, where can I get the code (executables)?

I would not have posted such a trivial question if I could have found the answer! Even I feel lame asking it, but am under pressure to get some answers.
regards From news@ra.nrl.navy.mil Mon Feb 18 10:07:17 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA13979 for ; Mon, 18 Feb 2002 10:07:11 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA10972 for ; Mon, 18 Feb 2002 10:06:55 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1IF29Y24742 for kerberos@MIT.EDU; Mon, 18 Feb 2002 10:02:09 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Re: Problems compiling krb5-1.2.3 From: Dirk Heinrichs References: Organization: QIS Systemhaus GmbH Message-ID: Date: Mon, 18 Feb 2002 15:05:11 GMT To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: hartmans@mit.edu (Sam Hartman) wrote in news:tsly9huk3wn.fsf@tir-na-nogth.mit.edu: > The problem is on your system. I'm the Kerberos maintainer for > Debian. Debian supports m68k, and our automated build system has had > no problem with Kerberos on m68k Linux. Hmm, seems I have to dig a little deeper into the configure script :-( Could you tell me the configure options debian uses and the dependencies? Bye... Dirk -- Dirk Heinrichs | Tel: +49 (0)241 413 260 Configuration Manager | Fax: +49 (0)241 413 2640 QIS Systemhaus GmbH | Mail: dheinrichs@qis-systemhaus.de Jülicher Str. 
338b | Web: http://www.qis-systemhaus.de D-52070 Aachen | ICQ#: 110037733 From hartmans@MIT.EDU Mon Feb 18 10:39:56 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id KAA14119 for ; Mon, 18 Feb 2002 10:39:51 -0500 (EST) Received: from central-city-carrier-station.mit.edu (CENTRAL-CITY-CARRIER-STATION.MIT.EDU [18.7.7.72]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id KAA13094 for ; Mon, 18 Feb 2002 10:39:35 -0500 (EST) Received: from manawatu-mail-centre.mit.edu (MANAWATU-MAIL-CENTRE.MIT.EDU [18.7.7.71]) by central-city-carrier-station.mit.edu (8.9.2/8.9.2) with ESMTP id KAA10643 for ; Mon, 18 Feb 2002 10:39:34 -0500 (EST) Received: from tir-na-nogth.mit.edu (TIR-NA-NOGTH.MIT.EDU [18.18.1.6]) by manawatu-mail-centre.mit.edu (8.9.2/8.9.2) with ESMTP id KAA11148 for ; Mon, 18 Feb 2002 10:39:34 -0500 (EST) Received: (from hartmans@localhost) by tir-na-nogth.mit.edu (8.9.3) id KAA29361; Mon, 18 Feb 2002 10:39:34 -0500 (EST) To: kerberos@MIT.EDU Subject: Re: Problems compiling krb5-1.2.3 References: From: Sam Hartman Date: 18 Feb 2002 10:39:34 -0500 In-Reply-To: Dirk Heinrichs's message of "Mon, 18 Feb 2002 15:05:11 GMT" Message-ID: Lines: 14 X-Mailer: Gnus v5.7/Emacs 20.7 Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: >>>>> "Dirk" == Dirk Heinrichs writes: Dirk> Could you tell me the configure options debian uses and the Dirk> dependencies? 
(cd build; ../src/configure --prefix=/usr --enable-shared \
    --with-ccopts="$(CCOPTS) -D_REENTRANT" --localstatedir=/etc \
    --mandir=/usr/share/man --without-tcl)

Build-Depends: comerr-dev, libncurses5-dev, docbook-to-man, debhelper (>= 2.2.12), bison

Note that Debian hacks Kerberos to use the e2fsprogs com_err rather than using the one in util/et.

From news@ra.nrl.navy.mil Mon Feb 18 12:37:21 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id MAA14498 for ; Mon, 18 Feb 2002 12:37:14 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id MAA12903 for ; Mon, 18 Feb 2002 12:36:56 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1IHNDA26742 for kerberos@MIT.EDU; Mon, 18 Feb 2002 12:23:13 -0500 (EST) From: "norman" X-Newsgroups: comp.protocols.kerberos Subject: Problem restated Date: Mon, 18 Feb 2002 19:23:30 +0200 Message-ID: <3c71c4aa_1@batman.vip-za.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive:

Thank you for the initial reply from Paul. I should explain that I am asking if it is possible to run the server (not client) on NT, not the windows 2000 support or version, but the full MIT or other version. My background is cryptology and kerberos sounds like a very good alternative to a PKI solution for many reasons.
thanks again From itd@umr.edu Mon Feb 18 13:26:59 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id NAA14658 for ; Mon, 18 Feb 2002 13:26:54 -0500 (EST) Received: from fidmail.com (fidmail.com [205.216.200.7]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with SMTP id NAA26081 for ; Mon, 18 Feb 2002 13:26:39 -0500 (EST) Received: (qmail 11027 invoked from network); 18 Feb 2002 18:26:38 -0000 Received: from cable-mo-218.rolla.fidnet.com (HELO navi.bebop.edu) (216.229.79.218) by mail.fidmail.com with SMTP; 18 Feb 2002 18:26:38 -0000 Date: Mon, 18 Feb 2002 12:26:25 -0600 (CST) From: Ian Downard X-X-Sender: Reply-To: To: Marcus Watts cc: Subject: Re: MD5 passwords possible with Kerberos? In-Reply-To: <200202100259.VAA11501@quince.ifs.umich.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: On Sat, 9 Feb 2002, Marcus Watts wrote: > Here is an incomplete list of weaknesses that you might find more useful > to consider: > (1) Most production kerberos realms still use regular DES and no preauth. > This means they should not be used to protect any secret > worth more than $100,000. I'm studying Kerberos for my graduate thesis, and I'm having problems understanding the utility in preauthentication. It has been argued that preauthentication helps prevent password guessing attacks (originally: Bellovin, Merritt, "Limitations...", 1991) , but I can't understand how. Here's a quote from Tom Wu's paper (http://theory.stanford.edu/~tjw/krbpass.html): "Kerberos V5? 
Kerberos V5 introduces preauthentication, which requires the user to provide some evidence that she knows the shared key K before the authentication server will issue a TGT. This evidence comes in the form of an encrypted timestamp t:

C --> S: R, E[K](t)
C <-- S: E[K](TGT)

The server S sends its reply to the client C only if t decrypts to the correct time within some predefined tolerance. Although this prevents an attacker from requesting TGTs, it does not protect against an eavesdropper who captures either E[K](t) or E[K](TGT). Either of those quantities constitutes verifiable plaintext that can be used to mount a dictionary attack. While this is an improvement relative to Kerberos V4, an attacker with a network sniffer can still carry out the same off-line dictionary attack against any authentication requests captured over the network [9]."

In addition, I sniffed the initial authentication packets with ethereal on my Linux network, and I see one of the datagrams is sending the Pre-Authentication via "PA-ENC-TIMESTAMP". Pretty neat, but how does it encrypt the timestamp? It must be using a key which is known by the Kerberos server (otherwise, how would it decrypt)? And if it is using the user's password (even before getting a TGT), how does that resist password guessing attacks?

Thanks for any help on this.
-ian From news@ra.nrl.navy.mil Mon Feb 18 15:52:18 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id PAA15108 for ; Mon, 18 Feb 2002 15:52:12 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id PAA02256 for ; Mon, 18 Feb 2002 15:51:57 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1IKgRg29718 for kerberos@MIT.EDU; Mon, 18 Feb 2002 15:42:27 -0500 (EST) From: Marc Horowitz X-Newsgroups: comp.protocols.kerberos Subject: Re: MD5 passwords possible with Kerberos? References: <200202100259.VAA11501@quince.ifs.umich.edu> Date: 18 Feb 2002 15:42:19 -0500 Message-ID: Organization: none To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: itd@umr.edu (Ian Downard) writes: >> Here's a quote from Tom Wu's paper >> (http://theory.stanford.edu/~tjw/krbpass.html): >> >> "While this is an improvement relative to Kerberos V4, an attacker >> with a network sniffer can still carry out the same off-line >> dictionary attack against any authentication requests captured over >> the network [9]." >> >> In addition, I sniffed the initial authentication packets with ethereal on >> my Linux network, and I see one of the datagrams is sending the >> Pre-Authentication via "PA-ENC-TIMESTAMP". Pretty neat, but how does it >> encrypt the timestamp? It must be using a key which is known by the >> Kerberos server (otherwise, how would it decrypt)? And if it is using the >> user's password (even before getting a TGT), how does that resist password >> guessing attacks? 
With preauth, you can only attack a password if you can sniff the network the user or kdc is on to get the encrypted padata. Without preauth, you can simply ask the KDC to give you the ciphertext to attack. As the quote from Tom Wu's paper points out, this is an improvement relative to kerberos v4.

Nobody ever claimed it was a panacea. That would require the USPTO to get a clue when issuing software patents :-/

I do not speak for the MIT kerberos team, but I'm sure the MIT kerberos team would happily accept patches which fixed this problem (using EKE, SPEKE, SRP, whatever), if it also came with an appropriate patent license....

Marc
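A toy model of the PA-ENC-TIMESTAMP exchange Ian captured and Marc describes, added here and not code from the thread or from MIT Kerberos: the cipher and string-to-key function are hashlib/hmac stand-ins for DES-CBC-CRC / 3DES-HMAC-SHA1, and the salt string, skew tolerance and alert threshold are assumptions. It shows the client building E[K](t), the KDC decrypting it under the key it stores and enforcing clock skew, and a failure counter for the failed-preauth events a wrong guess now leaves at the KDC.

```python
"""Toy model of Kerberos V5 PA-ENC-TIMESTAMP preauthentication.

Added example, not code from the thread or from MIT Kerberos. The cipher
and string_to_key below are hashlib/hmac stand-ins for the real enctypes;
the shape of the exchange is what matters:

    C --> S: R, E[K](t)      K = string_to_key(password, salt)
    C <-- S: E[K](TGT)       only if t decrypts to a time within the skew

The KDC holds the same K in its database, so it decrypts the timestamp
without ever seeing the password. Without preauth the KDC hands E[K](TGT)
to anyone who asks; with preauth a wrong guess produces a failed preauth
at the KDC, which PreauthFailureMonitor counts.
"""
import hashlib
import hmac
import os
import struct
import time

CLOCK_SKEW = 300        # seconds; assumed tolerance (MIT's default is 5 min)
FAILURE_THRESHOLD = 5   # assumed alert threshold for the monitor


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for krb5 string-to-key; the real one salts with
    realm+principal for the "no salt" (normal) salt type."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy E[K](.): nonce || ciphertext || tag. The tag plays the role of the
    checksum that lets a KDC tell 'wrong key' from 'right key, bad time'."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_pa_enc_timestamp(password: str, salt: str, now: int) -> bytes:
    """C side: the E[K](t) carried in the PA-ENC-TIMESTAMP padata."""
    return encrypt(string_to_key(password, salt), struct.pack(">Q", now))


def kdc_verify_preauth(stored_key: bytes, padata: bytes, now: int,
                       skew: int = CLOCK_SKEW) -> bool:
    """S side: accept only if padata decrypts under the stored key to a
    timestamp within +/- skew of the KDC clock."""
    pt = decrypt(stored_key, padata)
    if pt is None or len(pt) != 8:
        return False                 # wrong key, or corrupted padata
    (t,) = struct.unpack(">Q", pt)
    return abs(now - t) <= skew      # right key but stale/replayed: reject


class PreauthFailureMonitor:
    """Defender-side addition: count consecutive failed preauths per
    principal so that guessing against the KDC stands out in its log."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD):
        self.threshold = threshold
        self.failures: dict = {}

    def record(self, principal: str, ok: bool) -> bool:
        """Return True once the principal has crossed the alert threshold."""
        if ok:
            self.failures.pop(principal, None)
            return False
        self.failures[principal] = self.failures.get(principal, 0) + 1
        return self.failures[principal] >= self.threshold


if __name__ == "__main__":
    # Constructed sample: a good request, one under a wrong password, and
    # the good padata replayed an hour later.
    salt, password = "TEST.SIadministrator", "testpass"
    db_key = string_to_key(password, salt)       # what the KDC stores
    now = int(time.time())
    good = client_pa_enc_timestamp(password, salt, now)
    bad = client_pa_enc_timestamp("guess", salt, now)
    mon = PreauthFailureMonitor()
    for label, padata, kdc_now in (("good", good, now), ("wrong key", bad, now),
                                   ("replay", good, now + 3600)):
        ok = kdc_verify_preauth(db_key, padata, kdc_now)
        alert = mon.record("administrator@TEST.SI", ok)
        print(f"{label:9s} -> {'ISSUE' if ok else 'PREAUTH_FAILED'}{' (alert)' if alert else ''}")
```

Nothing in kdc_verify_preauth changes the property Tom Wu's quoted passage describes: the padata a sniffer captures is still verifiable plaintext, which is why Marc points at EKE, SPEKE or SRP for the real fix.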
From news@ra.nrl.navy.mil Tue Feb 19 02:37:14 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id CAA17136 for ; Tue, 19 Feb 2002 02:37:09 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id CAA16760 for ; Tue, 19 Feb 2002 02:36:59 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1J7YdK09124 for kerberos@MIT.EDU; Tue, 19 Feb 2002 02:34:39 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: Re: Problems compiling krb5-1.2.3 From: Dirk Heinrichs References: Organization: QIS Systemhaus GmbH Message-ID: Date: Tue, 19 Feb 2002 07:31:58 GMT To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: hartmans@mit.edu (Sam Hartman) wrote in news:tslzo26sssp.fsf@tir-na-nogth.mit.edu: > (cd build; ../src/configure --prefix=/usr --enable-shared \ > --with-ccopts="$(CCOPTS) -D_REENTRANT" --localstatedir=/etc \ > --mandir=/usr/share/man --without-tcl) I stopped at --enable-shared. Let's see if it makes a difference. I will also try it on a x86 (RH 7.x) to see if the same problems occurs there, too. Many thanx... Dirk -- Dirk Heinrichs | Tel: +49 (0)241 413 260 Configuration Manager | Fax: +49 (0)241 413 2640 QIS Systemhaus GmbH | Mail: dheinrichs@qis-systemhaus.de Jülicher Str. 
338b | Web: http://www.qis-systemhaus.de D-52070 Aachen | ICQ#: 110037733

From news@ra.nrl.navy.mil Tue Feb 19 04:52:15 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id EAA17574 for ; Tue, 19 Feb 2002 04:52:10 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id EAA04405 for ; Tue, 19 Feb 2002 04:51:59 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1J9jZR10910 for kerberos@MIT.EDU; Tue, 19 Feb 2002 04:45:35 -0500 (EST) From: "Mitja" X-Newsgroups: comp.protocols.kerberos Subject: KERBEROS basics Date: Tue, 19 Feb 2002 10:39:38 +0100 Organization: ARNES Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive:

Hello,

How do I enable kerberized login to windows 2000? I have MIT KDC (1.2.3) on Linux x86. When I try to logon to windows 2000 using kerberos realm, I get message that I should check user and password. KDC log says:

Feb 18 11:53:48 test krb5kdc[920](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.1.88(88): ISSUE: authtime 1014029628, etypes {rep=3 tkt=16 ses=1}, Administrator@TEST.SI for krbtgt/TEST.SI@TEST.SI
Feb 18 11:53:49 test krb5kdc[920](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.1.88(88): ISSUE: authtime 1014029628, etypes {rep=1 tkt=16 ses=1}, Administrator@TEST.SI for host/streamer.test.si@TEST.SI

I guess ticket is ok. What do I need to do on windows client? Do I need DC? What I need is to setup windows client, which will be able to get ticket and then access other resources. Help?
Mitja From news@ra.nrl.navy.mil Tue Feb 19 07:22:21 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id HAA18093 for ; Tue, 19 Feb 2002 07:22:15 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id HAA16482 for ; Tue, 19 Feb 2002 07:22:00 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1JC7Yt13164 for kerberos@MIT.EDU; Tue, 19 Feb 2002 07:07:34 -0500 (EST) X-Newsgroups: comp.protocols.kerberos Subject: OT: Fluffy From: Christopher Burke Message-ID: Date: Tue, 19 Feb 2002 12:07:20 GMT Organization: BigPond Internet Services (http://www.bigpond.net.au) To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Don't forget to buy your Harry Potter 'Fluffy' toy ... its a great addition to a Kerberos sysadmins desk.... 
-- --- /* Christopher Burke - Spam Mail to craznar@hotmail.com |* www.craznar.com - \* Real mail to cburke(at)craznar(dot)com From news@ra.nrl.navy.mil Tue Feb 19 12:52:22 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id MAA19151 for ; Tue, 19 Feb 2002 12:52:16 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id MAA15995 for ; Tue, 19 Feb 2002 12:52:01 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1JHcSc18169 for kerberos@MIT.EDU; Tue, 19 Feb 2002 12:38:28 -0500 (EST) From: steiner@bakerst.rutgers.edu (Dave Steiner) X-Newsgroups: comp.protocols.kerberos Subject: alpha release of Krb5::KDB perl modules Date: 19 Feb 2002 09:38:25 -0800 Organization: http://groups.google.com/ Message-ID: <3b609da.0202190938.3ebfa7c8@posting.google.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: I've an alpha release available for testing of my Krb5::KDB perl modules. These modules will allow you to read and parse Kerberos database dumps, either from a file or directly via "kdb5_util -r dump |". If you are interested in this package, please download it from http://hardees.rutgers.edu/~steiner/Krb5-KDB-0.02.tar.Z and try it out. This is the first alpha release so the interface could change based on your comments. I'm looking for any suggestions, problems, etc before I release a beta version to CPAN. thanks! 
-ds From news@ra.nrl.navy.mil Tue Feb 19 13:07:21 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id NAA19203 for ; Tue, 19 Feb 2002 13:07:16 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id NAA28357 for ; Tue, 19 Feb 2002 13:07:01 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1JI21O18484 for kerberos@MIT.EDU; Tue, 19 Feb 2002 13:02:01 -0500 (EST) From: "Rick" X-Newsgroups: comp.protocols.kerberos Subject: service_name ???? Date: Tue, 19 Feb 2002 12:01:50 -0600 Organization: Airnews.net! at Internet America Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: I've been asked to integrate Kerberos (via the GSS-API) into an application. Poking around the MIT Kerberos distribution I found /athena/auth/krb5/src/appl/gss-sample. It wants a service name. What's a service name? I presume it's referring to ftp, telnet, etc. What's the syntax? Does the Kerberos server need to be configured for these services before the sample will work? Regardless of what I use I get the following error message: GSS-API error acquiring credentials: Miscellaneous failure GSS-API error acquiring credentials: No such file or directory It appears as if the GSS-API call generally maps to the Kerberos gss_acquire_cred() API. My test program passes null for the 8th parameter (service_name) and it works fine. What gives? 
retval = krb5_get_init_creds_password(context, &creds, client, "testpass",
                                      NULL, 0, opts.starttime,
                                      opts.service_name, &options);

Many thanks in advance,

=0D=0A

mailto:ukdinfo@ukdacademy.com?subject=3DRemove

=0D= =0Aor=20just= =20reply=20to=20this=20message=20with=20=0D=0A"Remove" =20in=20the=20subject=20line.

=0D= =0A

 =0D=0A

=0D=0A

 =0D=0A

=0D=0A=0D=0A

 

From: "Philippe Perrin"
Date: Tue, 19 Feb 2002 20:51:46 +0100
Organization: ENSEIRB
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: [MIT Kerberos] Graphical Single-Sign On

Hello

I'm using Solaris 8 and the MIT's Kerberos V5. On such a workstation, I'd like console users to authenticate with their Kerberos name/pass immediately. As explained in MIT's installation guide, I replaced /bin/login by /local/sbin/login.krb5. Here is the result:

- at the end of the computer startup, the graphical login screen appears (as usual)
- if I type my Kerberos name and password, the KDC is *NOT* contacted, and the login fails
- if I choose "Command line login" in the options and type the same name/pass, the KDC is contacted and the login works (the TGT and the host/... ticket are available in my cache)

How can I make the graphical login work in that way?

Thank you!
Philippe

From: Andreas Hasenack
Date: Tue, 19 Feb 2002 18:11:12 -0300
To: "Philippe Perrin"
Cc: kerberos@mit.edu
Subject: Re: [MIT Kerberos] Graphical Single-Sign On
Message-ID: <20020219211112.GH18064@conectiva.com.br>

On Tue, Feb 19, 2002 at 08:51:46PM +0100, Philippe Perrin wrote:
> How can I make the graphical login work in that way ?

I never used Solaris, but I think it uses PAM. If your graphical login program uses PAM, then you can use the pam_krb5 module.

Check out http://www.nectar.com/krb/

From: Marcus Watts
Date: Tue, 19 Feb 2002 16:33:24 -0500
To: kerberos@mit.edu
Subject: Re: [MIT Kerberos] Graphical Single-Sign On
Message-ID: <200202192133.QAA22222@quince.ifs.umich.edu>

"Philippe Perrin" writes:
...
> How can I make the graphical login work in that way ?
...

Use a pam module that does k5 authentication, such as fcusack's pam_krb5.

Note that if you're using CDE and solaris, there have been a number of security problems, some of which were remotely exploitable. You may want to do some research on this and think very carefully about whatever security risk remains. Personally, I use "xinit".

-Marcus Watts
UM ITCS
Umich Systems Group

From: mfrisch@isurfer.ca (Mike Frisch)
Date: 20 Feb 2002 14:37:20 GMT
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: New cred cache breaks Win2k service

With the recent changes to the Kerberos Credentials Cache, my service on Windows 2000 is now broken. Without being able to use impersonation, how do I allow a Windows 2000 service to perform Kerberos/GSS operations on behalf of other users?

Thanks in advance,
Mike.
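A concrete /etc/pam.conf fragment for the dtlogin case in the graphical-login thread above (Philippe Perrin's question and the pam_krb5 replies from Andreas Hasenack and Marcus Watts). It is an added example, not configuration posted by any of them. Solaris pam.conf is keyed by service name, so replacing /bin/login with login.krb5 never touches dtlogin, which authenticates through PAM itself; the graphical login needs its own auth stanzas. The module file names, the /usr/lib/security path and the forwardable/use_first_pass option names are assumptions to check against the installed pam_krb5's README.

```text
# /etc/pam.conf (Solaris 8) - added example, not from the thread.
# Format: service  module_type  control_flag  module_path  [options]
# Paths and option names are assumptions; check the pam_krb5 README.

# Before: dtlogin only consults the local password file, so the KDC is
# never contacted from the graphical login (the symptom in the question).
dtlogin auth     required    /usr/lib/security/pam_unix.so.1

# After: try Kerberos first. "sufficient" means a correct Kerberos password
# completes authentication. If the KDC is unreachable or the principal does
# not exist, fall through to the local password; use_first_pass reuses the
# password already typed so the user is not prompted twice. "forwardable"
# asks for a forwardable TGT so the session can delegate later.
dtlogin auth     sufficient  /usr/lib/security/pam_krb5.so.1 forwardable
dtlogin auth     required    /usr/lib/security/pam_unix.so.1 use_first_pass

# Session stanza: pam_krb5 creates the credential cache for the login
# session and destroys it at logout.
dtlogin session  optional    /usr/lib/security/pam_krb5.so.1
```

Order matters. With pam_krb5 marked sufficient ahead of pam_unix, a correct Kerberos password alone grants the login, so the module has to be able to tell a genuine KDC reply from a forged one. Kerberos login programs do that by fetching a host/<fqdn> service ticket with the new TGT and decrypting it with the workstation's own key in /etc/krb5.keytab (the MIT library exposes this as krb5_verify_init_creds). If the workstation has no host key, that check cannot run, and anyone able to answer the AS-REQ on the local network can log in with a password of their choosing. Give every Kerberized workstation a host principal and keytab before enabling this; Marcus Watts's point about CDE's own remotely exploitable bugs stands independently of how dtlogin authenticates.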
From: mfrisch@isurfer.ca
Date: 20 Feb 2002 15:43:45 GMT
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: cancel

ignore

Article canceled by slrn 0.9.6.4

From: mfrisch@isurfer.ca (Mike Frisch)
Date: 20 Feb 2002 15:45:12 GMT
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: MIT Kerberos for Windows 2.1.x cred cache breaks Win2k service

With the recent changes to the Kerberos Credentials Cache in MIT Kerberos for Windows 2.1 and later, my service on Windows 2000 is now broken. Without being able to use impersonation, how do I allow a Windows 2000 service to perform Kerberos/GSS operations on behalf of other users?

Mike.

From: Sam Hartman
Date: 20 Feb 2002 12:27:29 -0500
To: kerberos@MIT.EDU
Subject: Re: New cred cache breaks Win2k service
In-Reply-To: mfrisch@isurfer.ca's message of "20 Feb 2002 14:37:20 GMT"

>>>>> "Mike" == Mike Frisch writes:

    Mike> With the recent changes to the Kerberos Credentials Cache,
    Mike> my service on Windows 2000 is now broken. Without being
    Mike> able to use impersonation, how do I allow a Windows 2000
    Mike> service to perform Kerberos/GSS operations on behalf of
    Mike> other users?

You have those users forward or proxy tickets to your service. Since you're in W2K land, you probably need to use forwarding at the SSPI/GSSAPI level.

From: "Danilo Almeida"
Date: Wed, 20 Feb 2002 14:04:26 -0500
To: "'Mike Frisch'"
Subject: RE: New cred cache breaks Win2k service
Message-ID: <000d01c1ba41$6a916a80$1b011212@mit.edu>

This is by design. As I recall, the original problem was this:

A process doing impersonation cannot start a program as the user being impersonated because the process level tokens are the service's and not the user's.

Therefore, the service cannot start the creds cache process. So, if the user does not already have the creds cache process, the service will not be able to access the cache. Granted, there are no creds in the cache, but what if the service is trying to stuff some creds in there?

In order to avoid any such weirdness as to under what impersonation circumstances the creds cache may or may not work, I chose to circumvent the whole issue by disallowing access to the user's cache when doing impersonation.

I can revisit this if someone puts forth a good proposal for how things should work.

However, in the meantime, services doing impersonation need to communicate creds via some other mechanism that is appropriate for the service in question (e.g. LRPC).

For more information, look at the release notes in the KfW 2.1.2 source distribution.

- Danilo

-----Original Message-----
From: kerberos-admin@MIT.EDU [mailto:kerberos-admin@MIT.EDU] On Behalf Of Mike Frisch
Sent: Wednesday, February 20, 2002 9:37 AM
To: kerberos@mit.edu
Subject: New cred cache breaks Win2k service

With the recent changes to the Kerberos Credentials Cache, my service on Windows 2000 is now broken. Without being able to use impersonation, how do I allow a Windows 2000 service to perform Kerberos/GSS operations on behalf of other users?

Thanks in advance,
Mike.
From: "Philippe Perrin"
Date: Wed, 20 Feb 2002 20:27:15 +0100
Organization: ENSEIRB
To: "Andreas Hasenack"
Subject: Re: [MIT Kerberos] Graphical Single-Sign On
Message-ID: <006501c1ba44$9b8aec80$870810ac@horus>

Thank you very much for your help.

I downloaded and compiled this PAM under Solaris8/intel, with the MIT Kerberos 5: it works fine.

Philippe

----- Original Message -----
From: "Andreas Hasenack"
To: "Philippe Perrin"
Sent: Tuesday, February 19, 2002 10:11 PM
Subject: Re: [MIT Kerberos] Graphical Single-Sign On

> On Tue, Feb 19, 2002 at 08:51:46PM +0100, Philippe Perrin wrote:
> > How can I make the graphical login work in that way ?
>
> I never used Solaris, but I think it uses PAM. If your graphical
> login program uses PAM, then you can use the pam_krb5 module.
> Check out
> http://www.nectar.com/krb/
>
>

From: mfrisch@isurfer.ca (Mike Frisch)
Date: 20 Feb 2002 20:07:29 GMT
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: Re: New cred cache breaks Win2k service

On Wed, 20 Feb 2002 18:20:31 +0000 (UTC), Sam Hartman wrote:
>>>>>> "Mike" == Mike Frisch writes:
>
>    Mike> With the recent changes to the Kerberos Credentials Cache,
>    Mike> my service on Windows 2000 is now broken. Without being
>    Mike> able to use impersonation, how do I allow a Windows 2000
>    Mike> service to perform Kerberos/GSS operations on behalf of
>    Mike> other users?
>
>You have those users forward or proxy tickets to your service. Since
>you're in W2K land, you probably need to use forwarding at the
>SSPI/GSSAPI level.

While I understand in theory, I am not well versed in the Kerberos library, so I will have to do a little reading for clarification. As long as there is a solution, everything will be fine.

Thanks for the prompt followup,
Mike.
From: "David Lawler Christiansen (NT)"
Date: Wed, 20 Feb 2002 13:51:14 -0800
To: "Danilo Almeida", "Mike Frisch"
Subject: RE: New cred cache breaks Win2k service
Message-ID: <4AEE3169443CDD4796CA8A00B02191CD052DCAA2@win-msg-01.wingroup.windeploy.ntdev.microsoft.com>

Below:

> -----Original Message-----
> From: Danilo Almeida [mailto:dalmeida@mit.edu]
> Sent: Wednesday, February 20, 2002 11:04 AM
> To: 'Mike Frisch'
> Cc: kerberos@mit.edu
> Subject: RE: New cred cache breaks Win2k service
>
>
> This is by design. As I recall, the original problem was this:
>
> A process doing impersonation cannot start a program as the
> user being impersonated because the process level tokens are
> the service's and not the user's.

In Windows, when a process is created, by default it shares the process token of the calling process. However, the server process can duplicate the impersonation token to a primary token and assign this to the process being spawned. See the CreateProcessAsUser API in MSDN for more information.
From: Kelledin
Date: Wed, 20 Feb 2002 23:55:39 GMT
Organization: AT&T Broadband
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: kpasswd: Authentication error: Failed reading application request
Message-ID: <%HWc8.393$2Q1.181@rwcrnsc54>

Anyone know why exactly I'm getting this problem? In short, I have a KDC set up on Linux 2.4.7, and I've configured a client's /bin/login to hit the KDC for authentication via pam_krb5.so. Users can log in just fine, but they can't seem to change their password via kpasswd. It goes something like this:

    [ kelledin@Traveller ~ ] # kpasswd
    Password for kelledin@SKARPSEY.ATTBI.COM:
    Enter new password:
    Enter it again:
    Authentication error: Failed reading application request

The client is running Linux 2.4.17. Both client and KDC are running krb5 v1.2.3. The server's logs record issuing a ticket for kadmin/changepw and that's it. Does anyone have a clue as to what's happening?

----------
Kelledin
"If a server crashes in a server farm and no one hears it, does it still cost four figures to fix?"
Date: 20 Feb 2002 19:18:36 -0800
Organization: mail2news@nym.alias.net
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: Kerberos talk, So. CA, USA
Message-ID: <20020221031836.3692.cpmta@c009.snv.cp.net>

It doesn't get much better than this! Hear Dr. Brian Tung, the editor of a now-venerable Internet-Draft on integrating public-key cryptography into Kerberos, and author of an introductory book on Kerberos, give a presentation on Kerberos.

***NOTICE***: This meeting is on FRIDAY, not Thursday. It's also in room 208, not 102. See linux.usc.edu for more info.

See the announcement below:

Topic: Kerberos
Speaker: Dr. Brian Tung
Date and Time: Friday, February 22, 2002, 8-10 pm
Location: USC, THH 208
Cost: Free to members and general public

Topics: Kerberos is a network authentication system based on the Needham-Schroeder key exchange mechanism. In this talk, I will discuss the evolution and basic principles behind Kerberos, applications of Kerberos, and current and future plans for Kerberos, including the integration of public-key cryptography.

Dr. Brian Tung: Brian Tung is a researcher at USC/ISI. His principal areas of interest are intrusion detection and response and self-organizing populations. He is the editor of a now-venerable Internet-Draft on integrating public-key cryptography into Kerberos, and has also written an introductory book on Kerberos.

Directions:

From the 110 Northbound
Exit Adams
Take a left onto Adams
Take a left onto Figueroa (south)
Pass Jefferson and turn right into Gate 3
Park in the parking structure to the left, there is a $6 charge

From the 110 Southbound
Exit Adams
Go straight, you'll hit Figueroa, take a right (south)
Pass Adams
Pass Jefferson and turn right into Gate 3
Park in the parking structure to the left, there is a $6 charge

After you park
Once you've parked, exit the parking structure the way you came in, and turn left (i.e. away from the gate). Walk along the path and you'll be walking toward three buildings. The one slightly to the left of the end of the path is VKC; it has red brick, and a tall tower on top of the building with a large golden globe on the top of the tower. On the right of VKC is SOS, it's very short, and to the right of that is a very tall building. Right behind these buildings is THH (Taper Hall of Humanities). This is the building you want. It's very long, and L-shaped. Towards the right is an overhang and some glass doors; go in there and up the stairs. Room 208.

Maps
USC Campus - http://www.usc.edu/info/maps/UPC-GIF.html
Map of the area around USC - http://maps.yahoo.com/py/maps.py?Pyt=Tmap&addr=&city=Los+Angeles&state=CA&slt=34.028099&sln=-118.284401&mlt=34.021100&mln=-118.286100&name=&zip=90007&country=us&BFKey=&BFCat=&BFClient=&mag=8&desc=&cs=7&newmag=9&poititle=&poi=

From: "CCSOITS"
Date: Thu, 21 Feb 2002 11:47:33 -0500
Organization: Charleston County
X-Newsgroups: comp.protocols.kerberos
To: kerberos@MIT.EDU
Subject: Problems Compiling MIT krb5-1.2.3

I am trying to compile onto a solaris 8 system. The configure goes through fine. When I run make, it continuously asks for .a files so it can 'rm -f ' it, then proceed. I have not found any of the files anywhere in the source code distribution. What am I doing wrong?
From news@ra.nrl.navy.mil Fri Feb 22 01:07:31 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id BAA00590 for ; Fri, 22 Feb 2002 01:07:30 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id BAA21109 for ; Fri, 22 Feb 2002 01:07:13 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1M5xJ612058 for kerberos@MIT.EDU; Fri, 22 Feb 2002 00:59:19 -0500 (EST) From: "Dr. Jianying Zhou" X-Newsgroups: comp.protocols.kerberos Subject: ICICS 2002 CFP Date: Fri, 22 Feb 2002 13:59:25 +0800 Organization: Singapore Telecommunications Ltd Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: ICICS'02 (4th International Conference on Information and Communications Security) will be hosted by Labs for Information Technology, Singapore on 9-12 December, 2002. Original papers on all aspects of information and communications security are solicited for submission. The proceedings of ICICS'02 will be published in Springer-Verlag's Lecture Notes in Computer Science series. 
Details are available at http://icisa.freewebtools.com/icics.html and http://www.krdl.org.sg/General/conferences/icics/Homepage.html Important Dates Submission 1 July 2002 Acceptance 10 August 2002 Camera ready copy 1 September 2002 From news@ra.nrl.navy.mil Fri Feb 22 01:12:33 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id BAA00610 for ; Fri, 22 Feb 2002 01:12:28 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id BAA21127 for ; Fri, 22 Feb 2002 01:07:15 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1M609O12066 for kerberos@MIT.EDU; Fri, 22 Feb 2002 01:00:09 -0500 (EST) From: "Marc Reyhner" X-Newsgroups: comp.protocols.kerberos Subject: Re: New cred cache breaks Win2k service Date: Thu, 21 Feb 2002 21:57:25 -0800 Message-ID: References: <000d01c1ba41$6a916a80$1b011212@mit.edu> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: ""Danilo Almeida"" wrote in message news:000d01c1ba41$6a916a80$1b011212@mit.edu... > This is by design. As I recall, the original problem was this: > > A process doing impersonation cannot start a program as the user being > impersonated because the process level tokens are the service's and not > the user's. > > Therefore, the service cannot start the creds cache process. So, if the > user does not already have the creds cache process, the service not be > able to access the cache. Granted, there are no creds in the cache, but > what if the service is trying to stuff some creds in there? 
> > In order to avoid any such weirdness as to under what impersonation > circumstances the creds cache may or may not work, I chose to circumvent > the whole issue by disallowing access to the user's cache when doing > impersonation. > > I can revisit this if someone puts forth a good proposal for how things > should work. > > However, in the meantime, services doing impersonation need to > communicate creds via some other mechanism that is appropriate for the > service in question (e.g. LRPC). > > For more information, look at the release notes in the KfW 2.1.2 source > distribution. I've got a solution more or less working that I've written to support the Stanford S/Ident protocol and to make our Kerberized POP/IMAP proxy work in a Terminal Server environment. For our mailproxy we have users set their mail server to be the localhost and then we have a service which proxies their POP or IMAP session to the campus mail servers after first using Kerberos to authenticate the connection. To make this work with Windows Terminal Services (and XP Fast User Switching) we've had to write an NT service which listens on the correct ports and when a connection comes in figures out which user session it belongs to. Once we've figured out which user session it belongs to we connect to the ticket cache for that user and authenticate the connection. If they don't currently have a TGT then we use a COM event sink to have our client running in the client session prompt them for their credentials. To make this work our NT service needs to be able to switch back and forth between different ticket caches as connections come in. What I did to solve my problem was to add the local system account to the ACL for the kerberos ticket cache and add support into the ticket cache client for talking to a ccache server in a different security context. I did not attempt to solve the impersonation problem since I'm running this service as local system. 
Local system can already do whatever it wants on the machine so you don't lose any security by adding it to the ACL for the ticket cache. On the client side I added methods to the krbcc32.dll for disconnecting from the ticket cache RPC server as well as connecting to a server with a specific RPC endpoint name. I also changed krbcc32 to not attempt to connect to the RPC server until cc_initialize is called. This serves the double purpose of not starting the RPC server when I start my server process as well as removing the problems we've seen with DllMain calling things that it shouldn't and sometimes causing problems. In krbv4w32.dll I added new entry points for disconnecting and reconnecting from the ticket cache as well as also delaying initializing the ticket cache until it's actually needed. Our services are currently Kerberos 4 only so I haven't tested if the krb5 dll works without any modifications. 
Marc From dalmeida@MIT.EDU Fri Feb 22 13:57:39 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id NAA02937 for ; Fri, 22 Feb 2002 13:57:34 -0500 (EST) Received: from grand-central-station.mit.edu (GRAND-CENTRAL-STATION.MIT.EDU [18.7.21.82]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id NAA23470; Fri, 22 Feb 2002 13:57:18 -0500 (EST) Received: from melbourne-city-street.mit.edu (MELBOURNE-CITY-STREET.MIT.EDU [18.7.21.86]) by grand-central-station.mit.edu (8.9.2/8.9.2) with ESMTP id NAA11271; Fri, 22 Feb 2002 13:57:18 -0500 (EST) Received: from perseverance (PERSEVERANCE.MIT.EDU [18.18.1.27]) by melbourne-city-street.mit.edu (8.9.2/8.9.2) with ESMTP id NAA15891; Fri, 22 Feb 2002 13:51:53 -0500 (EST) From: "Danilo Almeida" To: "'Marc Reyhner'" Cc: Subject: RE: New cred cache breaks Win2k service Date: Fri, 22 Feb 2002 13:51:45 -0500 Message-ID: <004601c1bbd1$f9f07950$1b011212@mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: Marc, Unless I misunderstand your e-mail, the hacking of krbcc that you did is the kind of thing we do not want to see happening. Instead of having your service connect to krbcc32s directly, you should just connect to your client and just have it give creds to the service. However, I am interested in the DllMain() problems you have been seeing. There were fixes to some DllMain() problems in krbcc put into KfW 2.1.1. 
What version of KfW and which DllMain() are you talking about (krbv4w32 or krbcc)? What problems were you having? - Danilo -----Original Message----- From: kerberos-admin@MIT.EDU [mailto:kerberos-admin@MIT.EDU] On Behalf Of Marc Reyhner Sent: Friday, February 22, 2002 12:57 AM To: kerberos@mit.edu Subject: Re: New cred cache breaks Win2k service ""Danilo Almeida"" wrote in message news:000d01c1ba41$6a916a80$1b011212@mit.edu... > This is by design. As I recall, the original problem was this: > > A process doing impersonation cannot start a program as the user being > impersonated because the process level tokens are the service's and not > the user's. > > Therefore, the service cannot start the creds cache process. So, if the > user does not already have the creds cache process, the service will not be > able to access the cache. Granted, there are no creds in the cache, but > what if the service is trying to stuff some creds in there? > > In order to avoid any such weirdness as to under what impersonation > circumstances the creds cache may or may not work, I chose to circumvent > the whole issue by disallowing access to the user's cache when doing > impersonation. > > I can revisit this if someone puts forth a good proposal for how things > should work. > > However, in the meantime, services doing impersonation need to > communicate creds via some other mechanism that is appropriate for the > service in question (e.g. LRPC). > > For more information, look at the release notes in the KfW 2.1.2 source > distribution. I've got a solution more or less working that I've written to support the Stanford S/Ident protocol and to make our Kerberized POP/IMAP proxy work in a Terminal Server environment. For our mailproxy we have users set their mail server to be the localhost and then we have a service which proxies their POP or IMAP session to the campus mail servers after first using Kerberos to authenticate the connection. 
To make this work with Windows Terminal Services (and XP Fast User Switching) we've had to write an NT service which listens on the correct ports and when a connection comes in figures out which user session it belongs to. Once we've figured out which user session it belongs to we connect to the ticket cache for that user and authenticate the connection. If they don't currently have a TGT then we use a COM event sink to have our client running in the client session prompt them for their credentials. To make this work our NT service needs to be able to switch back and forth between different ticket caches as connections come in. What I did to solve my problem was to add the local system account to the ACL for the kerberos ticket cache and add support into the ticket cache client for talking to a ccache server in a different security context. I did not attempt to solve the impersonation problem since I'm running this service as local system. Local system can already do whatever it wants on the machine so you don't lose any security by adding it to the ACL for the ticket cache. On the client side I added methods to the krbcc32.dll for disconnecting from the ticket cache RPC server as well as connecting to a server with a specific RPC endpoint name. I also changed krbcc32 to not attempt to connect to the RPC server until cc_initialize is called. This serves the double purpose of not starting the RPC server when I start my server process as well as removing the problems we've seen with DllMain calling things that it shouldn't and sometimes causing problems. In krbv4w32.dll I added new entry points for disconnecting and reconnecting from the ticket cache as well as also delaying initializing the ticket cache until it's actually needed. Our services are currently Kerberos 4 only so I haven't tested if the krb5 dll works without any modifications. 
I don't think any modifications to make it work would be that hard since the design is a lot cleaner than the kerb 4 implementation. I'm more than happy to submit my changes back for addition into KfW once I get a chance to clean them up a bit. The code is working fine in my testing though it could do with a bit of polishing up. Marc From news@ra.nrl.navy.mil Sat Feb 23 03:52:44 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id DAA05585 for ; Sat, 23 Feb 2002 03:52:39 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id DAA10993 for ; Sat, 23 Feb 2002 03:52:23 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1N8n8D05320 for kerberos@MIT.EDU; Sat, 23 Feb 2002 03:49:08 -0500 (EST) From: brian-l-smith@uiowa.edu (Brian Smith) X-Newsgroups: comp.protocols.kerberos Subject: GSS_C_HOSTBASED_SERVICE and Windows 2000 Date: 23 Feb 2002 00:48:54 -0800 Organization: http://groups.google.com/ Message-ID: <60360d48.0202230048.59adfc0b@posting.google.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: CVS uses GSS-API to support Kerberos. I am trying to get CVS to work with MS Active Directory Kerberos. The CVS code I have is using gss_nt_service_name service principal name (SPN) format; i.e. "cvs@hostname.domain". I realize that Active Directory needs a SPN in the form GSS_C_HOSTBASED_SERVICE; i.e. "cvs/hostname.domain". The problem is that when I change gss_nt_service_name to GSS_C_HOSTBASED_SERVICE, the code doesn't compile because GSS_C_HOSTBASED_SERVICE is not defined in the headers. This is on MIT Kerberos for Windows 2.1.2. 
So, my question is: how do I support GSS_C_HOSTBASED_SERVICE-formatted names using MIT Kerberos for Windows? Thanks, Brian From news@ra.nrl.navy.mil Sat Feb 23 06:37:46 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id GAA06084 for ; Sat, 23 Feb 2002 06:37:41 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA00320 for ; Sat, 23 Feb 2002 06:37:24 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1NBVJd07600 for kerberos@MIT.EDU; Sat, 23 Feb 2002 06:31:20 -0500 (EST) From: "norman" X-Newsgroups: comp.protocols.kerberos Subject: 1)kerberizing an app and 2) the mit kerberos on NT4/w2k executables (server) Date: Sat, 23 Feb 2002 13:32:16 +0200 Message-ID: <3c7809c2_2@batman.vip-za.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: After reading many of the studies and case examples here, it is clear that the W2K version of kerberos has genuine issues and compatibility problems. I am wanting to design an app that is genuinely kerberized and therefore want to run the MIT version on a NT or W2K machine, not using the existing capability supplied by Microsoft. 1)The intention is that the mit dll will be written as a com object and then the project will use this dll to enable the secure comms. I really would like to know that it is feasible and comments are welcome. (the advantages are obvious... a DLL means that we can program in languages like VB for the client). 
We have already done some investigation and to get the com object looks quite reasonable and low cost development ( ooh that sounds like famous last words if I ever heard:-)) 2) the further issue is the W2K vs MIT. I recognize that it is possible to compile for W2K and a few examples exist already on the site. Does anyone have a source for the compiled executables for win 32 SERVER (not client) From news@ra.nrl.navy.mil Sat Feb 23 06:52:45 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id GAA06136 for ; Sat, 23 Feb 2002 06:52:39 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id GAA01383 for ; Sat, 23 Feb 2002 06:52:23 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1NBgVE07745 for kerberos@MIT.EDU; Sat, 23 Feb 2002 06:42:32 -0500 (EST) From: "norman" X-Newsgroups: comp.protocols.kerberos References: <3c7809c2_2@batman.vip-za.com> Subject: Reposted 1)kerberizing an app and 2) the mit kerberos on NT4/w2k executables (server) Date: Sat, 23 Feb 2002 13:43:03 +0200 Message-ID: <3c780c49_3@batman.vip-za.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: apologies.. corrected spelling and repost After reading many of the studies and case examples here, it is clear that the W2K version of kerberos has genuine issues and compatibility problems. I am wanting to design an app that is genuinely kerberized and therefore want to run the MIT version on a NT or W2K machine, not using the existing capability supplied by Microsoft. 
1)The intention is that the mit dll will be written as a com object and then the project will use this dll to enable the secure comms. I really would like to know that it is feasible and comments are welcome. (the advantages are obvious... a DLL means that we can program in languages like VB for the client). We have already done some investigation and to get the com object looks quite reasonable and low cost development ( ooh that sounds like famous last words if I ever heard:-)) 2) the further issue is the W2K vs MIT. I recognize that it is possible to compile for W2K and a few examples exist already on the site. Does anyone have a source for the compiled executables for win 32 SERVER (not client) From bbense@shred.stanford.edu Sat Feb 23 17:41:56 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id RAA08016 for ; Sat, 23 Feb 2002 17:41:51 -0500 (EST) Received: from shred.stanford.edu (shred.Stanford.EDU [171.64.13.91]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id RAA18208 for ; Sat, 23 Feb 2002 17:41:35 -0500 (EST) Received: from localhost (bbense@localhost) by shred.stanford.edu (8.11.6.Beta0/8.10.0.PreAlpha1) with ESMTP id g1NMfXE02440; Sat, 23 Feb 2002 14:41:33 -0800 (PST) Date: Sat, 23 Feb 2002 14:41:33 -0800 (PST) From: "Booker C. Bense" To: Brian Smith cc: kerberos@mit.edu Subject: Re: GSS_C_HOSTBASED_SERVICE and Windows 2000 In-Reply-To: <60360d48.0202230048.59adfc0b@posting.google.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: On 23 Feb 2002, Brian Smith wrote: > CVS uses GSS-API to support Kerberos. 
I am trying to get CVS to work > with MS Active Directory Kerberos. > > The CVS code I have is using gss_nt_service_name service principal > name (SPN) format; i.e. "cvs@hostname.domain". I realize that Active > Directory needs a SPN in the form GSS_C_HOSTBASED_SERVICE; i.e. > "cvs/hostname.domain". > > The problem is that when I change gss_nt_service_name to > GSS_C_HOSTBASED_SERVICE, the code doesn't compile because > GSS_C_HOSTBASED_SERVICE is not defined in the headers. This is on MIT > Kerberos for Windows 2.1.2. > > So, my question is: how do I support GSS_C_HOSTBASED_SERVICE-formatted > names using MIT Kerberos for Windows? > - I don't think this is actually your problem. The nt_service_name is translated to the kerberos form of the service name by the gssapi library. What errors were you getting with the original code? - Booker C. Bense From news@ra.nrl.navy.mil Sat Feb 23 23:07:33 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id XAA08928 for ; Sat, 23 Feb 2002 23:07:33 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id XAA29404 for ; Sat, 23 Feb 2002 23:07:23 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1O3qiA21721 for kerberos@MIT.EDU; Sat, 23 Feb 2002 22:52:44 -0500 (EST) From: brian-l-smith@uiowa.edu (Brian Smith) X-Newsgroups: comp.protocols.kerberos Subject: Re: GSS_C_HOSTBASED_SERVICE and Windows 2000 Date: 23 Feb 2002 19:52:40 -0800 Organization: http://groups.google.com/ Message-ID: <60360d48.0202231952.556d33f0@posting.google.com> References: <60360d48.0202230048.59adfc0b@posting.google.com> To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List 
List-Unsubscribe: , List-Archive: bbense@networking.stanford.edu ("Booker C. Bense") wrote in message news:... > On 23 Feb 2002, Brian Smith wrote: > > CVS uses GSS-API to support Kerberos. I am trying to get CVS to work > > with MS Active Directory Kerberos. > > > > The CVS code I have is using gss_nt_service_name service principal > > name (SPN) format; i.e. "cvs@hostname.domain". I realize that Active > > Directory needs a SPN in the form GSS_C_HOSTBASED_SERVICE; i.e. > > "cvs/hostname.domain". > > - I don't think this is actually your problem. The nt_service_name is > translated to the kerberos form of the service name by the gssapi > library. What errors were you getting with the original code? > > - Booker C. Bense Thanks for the reply. Of course you are correct, and in fact GSS_C_HOSTBASED_SERVICE is the same as gss_c_nt_service (service@hostname.domain). My problem was actually caused by a configuration problem. Thanks, Brian From DAVIDCHR@windows.microsoft.com Mon Feb 25 13:30:46 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id NAA15871 for ; Mon, 25 Feb 2002 13:30:45 -0500 (EST) Received: from mail4.microsoft.com (mail4.microsoft.com [131.107.3.122]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id NAA01305 for ; Mon, 25 Feb 2002 13:30:44 -0500 (EST) Received: from inet-vrs-04.redmond.corp.microsoft.com ([157.54.8.154]) by mail4.microsoft.com with Microsoft SMTPSVC(5.0.2195.4905); Mon, 25 Feb 2002 10:29:55 -0800 Received: from 157.54.8.23 by inet-vrs-04.redmond.corp.microsoft.com (InterScan E-Mail VirusWall NT); Mon, 25 Feb 2002 10:30:43 -0800 Received: from red-imc-02.redmond.corp.microsoft.com ([157.54.9.107]) by inet-hub-01.redmond.corp.microsoft.com with Microsoft SMTPSVC(5.0.2195.2966); Mon, 25 Feb 2002 10:29:40 -0800 Received: from win-imc-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.39]) by red-imc-02.redmond.corp.microsoft.com with 
Microsoft SMTPSVC(5.0.2195.2966); Mon, 25 Feb 2002 10:29:53 -0800 Received: from win-msg-01.wingroup.windeploy.ntdev.microsoft.com ([157.54.0.52]) by win-imc-01.wingroup.windeploy.ntdev.microsoft.com with Microsoft SMTPSVC(6.0.3588.0); Mon, 25 Feb 2002 10:27:56 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.0.6157.0 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Subject: RE: 1)kerberizing an app and 2) the mit kerberos on NT4/w2k executables (server) Date: Mon, 25 Feb 2002 10:27:56 -0800 Message-ID: <4AEE3169443CDD4796CA8A00B02191CD05553DE4@win-msg-01.wingroup.windeploy.ntdev.microsoft.com> Thread-Topic: 1)kerberizing an app and 2) the mit kerberos on NT4/w2k executables (server) Thread-Index: AcG8Yljfp18e/YiYTRS9aojF6kesmgBxvpNg From: "David Lawler Christiansen (NT)" To: "norman" , X-OriginalArrivalTime: 25 Feb 2002 18:27:56.0985 (UTC) FILETIME=[257BAA90:01C1BE2A] Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id NAA15871 Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: I've heard people talking about "compatibility problems" on this list. I don't agree with them, but I can at least understand why people would call the behavior that. I have not heard about the "genuine issues" you describe. Could you enumerate them? If there are "genuine issues" with MS Kerberos, we would obviously like to know about them. Heck, there might even be fixes already. ----- This message or posting is provided "AS IS" with no warranties, and confers no rights. Any opinions or policies stated in this mail are my opinions and do not necessarily constitute those of my employer. 
Harvesting of this address for purposes of bulk email (including "spam") is prohibited without my expressed prior request. I retaliate viciously against spammers and spam sites. > -----Original Message----- > From: norman [mailto:normang@freemail.absa.co.za] > Sent: Saturday, February 23, 2002 3:32 AM > To: kerberos@mit.edu > Subject: 1)kerberizing an app and 2) the mit kerberos on > NT4/w2k executables (server) > > > After reading many of the studies and case examples here, it > is clear that the W2K version of kerberos has genuine issues > and compatibility problems. I am wanting to design an app > that is genuinely kerberized and therefore want to run the > MIT version on a NT or W2K machine, not using the existing > capability supplied by microsoft. > > 1)The intention is that the mit dll will be written as a com > object and then the project will use this dll to enable the > secure comms. I really would like to know that it is feasible > and comments are welcome. (the advantages are obvious... a > DLL means that we can program in languages like VB for the > client). We have already done some investigation and to get > the com object looks quite reasonable and low cost > development ( ooh that sounds like famous last words if I > ever heard:-)) > > 2) the further issue is the W2K vs MIT. I recognize that it > is possible to compile for W2K and a few examples exist > already on the site. 
Does anyone have a source for the > compiled executables for win 32 SERVER (not client) > > > ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > http://mailman.mit.edu/mailman/listinfo/kerberos > From news@ra.nrl.navy.mil Mon Feb 25 17:22:33 2002 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id RAA16555 for ; Mon, 25 Feb 2002 17:22:32 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id RAA26566 for ; Mon, 25 Feb 2002 17:22:32 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1PMBHr28341 for kerberos@MIT.EDU; Mon, 25 Feb 2002 17:11:17 -0500 (EST) From: "Rick" X-Newsgroups: comp.protocols.kerberos Subject: GSS-API win2k/unix need help! Date: Mon, 25 Feb 2002 16:11:24 -0600 Organization: Airnews.net! at Internet America Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: GSS-API I am configuring both Solaris and NT hosts to use a win2k kerberos KDC. I will be running an application which uses the GSS-API between hosts which are not the KDC. Using a microsoft document I was able to make unix work perfectly. Here's basically what I did.
On win-2k kdc:
1. ktpass -princ sample/host2.d1.com@D1.COM -mapuser user1 -pass pass1 -out unix1.keytab
2. transfer keytab to unix computer.
On unix
1. ktutil
2. rkt unix1.keytab
3. list
4. wkt /etc/krb5.keytab
5. q
I ran both the MIT gss-server and gss-client test programs on host2 and they run fine. To try to get it to work in my NT machine I basically did the same thing.
On kdc:
1. ktpass -princ tsample/host1.d1.com@D1.COM -mapuser test -pass testpass -out test.keytab
2. transfer keytab to windows computer.
There doesn't seem to be a ktutil.exe on windows. I presume I need to get a ticket for 'tsample'. I tried kinit -k -t krb5.keytab -S tsample test. It didn't work. Neither did several other variations. The gss-server sample fails with
GSS-API error acquiring credentials: Miscellaneous failure
GSS-API error acquiring credentials: No such file or directory
What am I doing wrong? Thanks in advance From news@ra.nrl.navy.mil Mon Feb 25 20:22:33 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id UAA17113 for ; Mon, 25 Feb 2002 20:22:33 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id UAA02574 for ; Mon, 25 Feb 2002 20:22:32 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1Q1K6D01126 for kerberos@MIT.EDU; Mon, 25 Feb 2002 20:20:06 -0500 (EST) From: "Salil D" X-Newsgroups: comp.protocols.kerberos Subject: PA-ETYPE-INFO Date: Mon, 25 Feb 2002 17:16:02 -0800 Organization: Unisys - Roseville, MN Message-ID: To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: The section 5.2.7 PA-DATA, defines pa-etype-info as 0x0A (10). The section 8.3 defines PA-ETYPE-INFO as 0x0B (11). Is pa-etype-info same as PA-ETYPE-INFO? Is this an error in the draft? 
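Two points in the posts above are easier to see in working code: Rick's note that there is no ktutil.exe on Windows to list what ktpass put in the keytab, and Booker's point in the GSS_C_HOSTBASED_SERVICE thread that the GSS library itself turns a "service@host" name into the "service/host@REALM" principal it then looks for in the keytab. The following Python is an added example, not code from this list or from MIT Kerberos: it reads and writes the MIT keytab file format, builds a constructed keytab for tsample/host1.d1.com@D1.COM with a dummy key (not real ktpass output), and checks whether the principal an acceptor would derive from a host-based name is present. The realm selection in hostbased_to_principal is a simplified model of MIT's [domain_realm] lookup and its upper-cased-domain fallback, not the library's own code; the enctype, kvno, key and timestamp are arbitrary values chosen for the sample.

```python
"""Inspect an MIT-format keytab and check that it holds the key a GSS-API
acceptor would look up.  Added example; the keytab bytes are constructed
here with a dummy key and are not ktpass output.

MIT keytab layout (format 0x0502, all integers big-endian):
  u8 0x05, u8 0x02                    file format version
  repeated: i32 entry_len             negative => deleted slot of that size
            u16 ncomp, counted realm, ncomp x counted component
            u32 name_type, u32 timestamp, u8 vno8, u16 enctype
            u16 keylen, key bytes, [u32 vno32 if 4 bytes remain]
"""
import struct


def _counted(buf, off):
    """Read a u16-length-prefixed string starting at off."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Return the live entries of a keytab as dicts (what ktutil's list shows)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        _name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:                # 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": etype, "timestamp": ts, "key": key})
    return entries


def make_keytab(entries):
    """Serialize (principal, enctype, kvno, key, timestamp) tuples as a keytab."""
    out = bytearray(b"\x05\x02")
    for principal, etype, vno, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        # name_type 1 = KRB5_NT_PRINCIPAL; 8-bit kvno plus the 32-bit trailer
        body += struct.pack(">IIBHH", 1, ts, vno & 0xFF, etype, len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def hostbased_to_principal(name, default_realm, domain_realm=()):
    """Map a GSS_C_NT_HOSTBASED_SERVICE name 'service@host' to the principal
    'service/host@REALM' the krb5 GSS mechanism derives from it.  Realm choice
    is a simplified model of MIT's [domain_realm] lookup (a leading dot matches
    the domain, no dot is an exact host) with the upper-cased parent domain as
    fallback; a host with no dot at all falls back to default_realm."""
    service, _, host = name.partition("@")
    if not host:
        raise ValueError("host-based name must be service@host")
    host = host.lower().rstrip(".")
    for dom, realm in sorted(domain_realm, key=lambda p: -len(p[0])):
        if (dom.startswith(".") and host.endswith(dom)) or host == dom:
            return f"{service}/{host}@{realm}"
    parent = host.partition(".")[2]
    return f"{service}/{host}@{parent.upper() if parent else default_realm}"


def acceptor_has_key(keytab, hostbased_name, default_realm, domain_realm=()):
    """True if the keytab holds the principal the acceptor would search for."""
    wanted = hostbased_to_principal(hostbased_name, default_realm, domain_realm)
    return any(e["principal"] == wanted for e in parse_keytab(keytab))


# Constructed sample: the principal from the post, enctype 23 (rc4-hmac),
# kvno 3, a dummy 16-byte key and an arbitrary timestamp.
DUMMY_KEY = bytes(range(16))
SAMPLE_KEYTAB = make_keytab(
    [("tsample/host1.d1.com@D1.COM", 23, 3, DUMMY_KEY, 1014595200)])
# Same keytab with a 3-byte deleted slot in front, as an in-place delete leaves.
SAMPLE_KEYTAB_WITH_HOLE = (SAMPLE_KEYTAB[:2] + struct.pack(">i", -3)
                           + b"\0\0\0" + SAMPLE_KEYTAB[2:])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f'{e["kvno"]:>4} {e["principal"]} (enctype {e["enctype"]})')
    print(acceptor_has_key(SAMPLE_KEYTAB, "tsample@HOST1.d1.com", "D1.COM"))
```

To use it on a real file, pass open(path, "rb").read() to parse_keytab; if the principal it lists does not equal what hostbased_to_principal produces for the name your gss-server is started with, acquiring acceptor credentials fails before any KDC traffic happens, which is worth ruling out before reaching for kinit at all.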
http://www.isi.edu/people/bcn/krb-revisions/krb-clarifications-00-020222.html From news@ra.nrl.navy.mil Mon Feb 25 20:22:33 2002 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.9.3+Sun/8.9.3) with ESMTP id UAA17118 for ; Mon, 25 Feb 2002 20:22:33 -0500 (EST) Received: from ra.nrl.navy.mil (ra.nrl.navy.mil [132.250.1.121]) by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id UAA02576 for ; Mon, 25 Feb 2002 20:22:33 -0500 (EST) Received: (from news@localhost) by ra.nrl.navy.mil (8.10.2+Sun/8.9.3) id g1Q1FPw01117 for kerberos@MIT.EDU; Mon, 25 Feb 2002 20:15:25 -0500 (EST) From: Marc Horowitz X-Newsgroups: comp.protocols.kerberos Subject: Re: GSS-API win2k/unix need help! References: Date: 25 Feb 2002 20:15:21 -0500 Message-ID: Organization: none To: kerberos@MIT.EDU Sender: kerberos-admin@mit.edu Errors-To: kerberos-admin@mit.edu X-BeenThere: kerberos@mit.edu X-Mailman-Version: 2.0 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: The Kerberos Authentication System Mailing List List-Unsubscribe: , List-Archive: "Rick" writes:
>> On unix >> 1. ktutil >> 2. rkt unix1.keytab >> 3. list >> 4. wkt /etc/krb5.keytab >> 5. q
Is there a reason you did all this instead of "cp"?
>> To try to get it to work in my NT machine I basically did the same thing. >> >> On kdc: >> 1. ktpass -princ tsample/host1.d1.com@D1.COM -mapuser test -pass >> testpass -out test.keytab >> 2. transfer keytab to windows computer. >> >> There doesn't seem to be a ktutil.exe on windows.
What do you think you need ktutil for?
>> I presume I need to get a >> ticket for 'tsample'. I tried kinit -k -t krb5.keytab -S tsample test. >> It didn't work. Neither did several other variations.
Why are you giving kinit the -S flag? I do not think it does what you think it does. For that matter, why are you using a keytab at all? It's much easier to create a normal user principal and use kinit to get tickets. If you must use a keytab, the correct invocation is "kinit -k -t keytabfile tsample/host1.d1.com@D1.COM". Of course, the last argument should be the actual pr