From naveen.bn at globaledgesoft.com Fri Aug 1 01:28:54 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Fri, 01 Aug 2008 10:58:54 +0530
Subject: certificates and keys.
Message-ID: <48929F16.4060309@globaledgesoft.com>

Hi All,

Can anybody guide me in converting a PEM/DER format private key to a PKCS#8 or PKCS#1 format.

Thank you
With regards
naveen

From abhishek.brave at gmail.com Mon Aug 4 08:29:37 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Mon, 4 Aug 2008 05:29:37 -0700 (PDT)
Subject: SSH configuration
In-Reply-To: <20080729084900.750@usenet.piggo.com>
References: <18707809.post@talk.nabble.com> <694F45BD-AED4-4143-ADC9-0D98CBB4A82B@tpg.com.au> <20080729084900.750@usenet.piggo.com>
Message-ID: <18810359.post@talk.nabble.com>

> I am getting "No Valid Key Exchange Context"
>
> Seb-27 wrote:
> > On 2008-07-29, bodik wrote:
> >> * sshd_config
> >> KerberosAuthentication yes
> >> KerberosOrLocalPasswd yes
> >> KerberosTicketCleanup yes
> >
> > that's for Kerberos 4; for version 5 you need:
> >
> > GSSAPIAuthentication yes
> > GSSAPICleanupCredentials yes
> >
> > Cheers,
> >
> > --Seb
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >

--
View this message in context: http://www.nabble.com/SSH-configuration-tp18707809p18810359.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From discoveravinash at gmail.com Mon Aug 4 05:46:32 2008
From: discoveravinash at gmail.com (Avinash S)
Date: Mon, 4 Aug 2008 15:16:32 +0530
Subject: How to upgrade to krb5 1..6.3 krb5lib for STIG
Message-ID: 

Hi All,

We need a help in understanding the upgrading procedure ...

1. Our Linux boxes use RPC and postgres along with other services but we do not use kerberos. Do we actually need to upgrade the kerberos from older version to 1.6.3 to comply with STIG standards?

2. If the answer to my above question is Yes.
I got a krb5 lib 1.6.3 source RPM and compiled it on my older 2.2 kernel Linux. Now how shall I upgrade? Shall I remove the existing package and reinstall? I do not know which libs and bins I shall replace/upgrade so that our linux boxes get STIG compliant. Again we do not use kerberos for our webservers and other Linux boxes but we cannot remove the libkrb5 package as it has lots of dependencies with postgres and RPC.

Please help us asap if you have any idea as it's urgent for us...

Thanx a lot in Advance,
Avinash

From momo_tene at yahoo.fr Sat Aug 2 06:03:56 2008
From: momo_tene at yahoo.fr (kisito)
Date: Sat, 2 Aug 2008 03:03:56 -0700 (PDT)
Subject: Kerboros explain
Message-ID: <18787840.post@talk.nabble.com>

Hi

In the operation of the Kerberos protocol, why does the Authentication Server, when delivering the TGT, not directly issue the service ticket? (so I do not see why the protocol has been complicated by introducing the TGS)

--
View this message in context: http://www.nabble.com/Kerboros-explain-tp18787840p18787840.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From suruchi.86 at gmail.com Mon Aug 4 01:15:12 2008
From: suruchi.86 at gmail.com (Suruchi)
Date: Sun, 3 Aug 2008 22:15:12 -0700 (PDT)
Subject: Accessing AFP service through command line?
Message-ID: <18805768.post@talk.nabble.com>

hi
i am using kerberos V5 MAC OS X 10.5.2

i want to access AFP service which is running on some server through command line and not through GUI.
can anyone tell what is the command to access it?

Any pointers in this regard will be very helpful.

--
View this message in context: http://www.nabble.com/Accessing-AFP-service-through-command-line--tp18805768p18805768.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
From raeburn at MIT.EDU Mon Aug 4 12:19:31 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 4 Aug 2008 12:19:31 -0400
Subject: Kerboros explain
In-Reply-To: <18787840.post@talk.nabble.com>
References: <18787840.post@talk.nabble.com>
Message-ID: 

On Aug 2, 2008, at 06:03, kisito wrote:
> In the operation of the Kerberos protocol, why Authentication
> Server , when
> delivering the TGT, does not directly issued the service ticket? (so
> I do
> not see why have complicated the protocol by introducing the TGS)

If you're going to contact a dozen services during your login session, the TGT will let you get service tickets for them without asking for your password over and over again.

Theoretically (if the protocol were set up for it) you could get them all at once and prompt for the password only once, but that only works if you know what all of them are when you log in; for a realm with possibly thousands of servers, you can't practically get Kerberos style credentials (dependent on shared secrets between the KDC and each individual service, hence needing different credentials for each service) for all of them at login time just in case you might want to talk to them later.

It also doesn't help in the cross-realm authentication case, where you need credentials to send to some other site's KDC, so it can issue you credentials to talk to one or more services at that site; this is also done with a kind of TGT issued by your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get additional tickets as you need them during your session, without having to decide up front.

Ken

From paul.moore at centrify.com Mon Aug 4 12:31:54 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Mon, 4 Aug 2008 09:31:54 -0700
Subject: Kerboros explain
In-Reply-To: 
References: <18787840.post@talk.nabble.com>
Message-ID: 

Note that you *can* get a service ticket when you authenticate. In fact this is required by some highly secure services such as kpasswd.
But this is exceptional

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Ken Raeburn
Sent: Monday, August 04, 2008 9:20 AM
To: kisito
Cc: kerberos at MIT.EDU
Subject: Re: Kerboros explain

On Aug 2, 2008, at 06:03, kisito wrote:
> In the operation of the Kerberos protocol, why Authentication Server ,
> when delivering the TGT, does not directly issued the service ticket?
> (so I do not see why have complicated the protocol by introducing the
> TGS)

If you're going to contact a dozen services during your login session, the TGT will let you get service tickets for them without asking for your password over and over again.

Theoretically (if the protocol were set up for it) you could get them all at once and prompt for the password only once, but that only works if you know what all of them are when you log in; for a realm with possibly thousands of servers, you can't practically get Kerberos style credentials (dependent on shared secrets between the KDC and each individual service, hence needing different credentials for each service) for all of them at login time just in case you might want to talk to them later.

It also doesn't help in the cross-realm authentication case, where you need credentials to send to some other site's KDC, so it can issue you credentials to talk to one or more services at that site; this is also done with a kind of TGT issued by your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get additional tickets as you need them during your session, without having to decide up front.
Ken

From vas at mpeks.no-spam-here.tomsk.su Tue Aug 5 00:44:54 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Tue, 5 Aug 2008 04:44:54 +0000 (UTC)
Subject: ktutil get
References: 
Message-ID: 

Victor Sudakov wrote:
> > There is a very useful command "ktutil get" in Heimdal. It allows to
> > conveniently join a host into a Kerberos domain, without bothering
> > about transferring the keytab.
>
> > What is the analogous command in the Solaris Kerberos implementation?
>
> No Solaris Kerberos experts here? Well, what is the analogous command
> in MIT Kerberos?

Am I asking something stupid? How do you securely transfer a keytab for the host principal to the host? "ktutil get" does just that.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

From jason at rampaginggeek.com Tue Aug 5 16:28:06 2008
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Tue, 05 Aug 2008 16:28:06 -0400
Subject: ktutil get
In-Reply-To: 
References: 
Message-ID: <4898B7D6.6070109@rampaginggeek.com>

Victor Sudakov wrote:
> Victor Sudakov wrote:
>
>>> There is a very useful command "ktutil get" in Heimdal. It allows to
>>> conveniently join a host into a Kerberos domain, without bothering
>>> about transferring the keytab.
>>>
>>> What is the analogous command in the Solaris Kerberos implementation?
>>>
>> No Solaris Kerberos experts here? Well, what is the analogous command
>> in MIT Kerberos?
>>
> Am I asking something stupid? How do you securely transfer a keytab
> for the host principal to the host? "ktutil get" does just that.
>

Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?
Jason

From Nicolas.Williams at sun.com Tue Aug 5 16:29:22 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Tue, 5 Aug 2008 15:29:22 -0500
Subject: ktutil get
In-Reply-To: 
References: 
Message-ID: <20080805202922.GJ25547@Sun.COM>

On Tue, Aug 05, 2008 at 04:44:54AM +0000, Victor Sudakov wrote:
> Victor Sudakov wrote:
> > > There is a very useful command "ktutil get" in Heimdal. It allows to
> > > conveniently join a host into a Kerberos domain, without bothering
> > > about transferring the keytab.
> >
> > > What is the analogous command in the Solaris Kerberos implementation?
> >
> > No Solaris Kerberos experts here? Well, what is the analogous command
> > in MIT Kerberos?
>
> Am I asking something stupid? How do you securely transfer a keytab
> for the host principal to the host? "ktutil get" does just that.

kadmin(1M) is the tool to use to set principal keys and maintain keytab files. The kadmin protocol uses RPCSEC_GSS and Kerberos for transport protection.

If you want to move keytab files around securely then use ssh/sftp or any other secure file transfer or remote filesystem protocol.

Nico
--

From javiplx at gmail.com Tue Aug 5 17:49:44 2008
From: javiplx at gmail.com (Javier Palacios)
Date: Tue, 5 Aug 2008 23:49:44 +0200
Subject: ktutil get
In-Reply-To: <4898B7D6.6070109@rampaginggeek.com>
References: <4898B7D6.6070109@rampaginggeek.com>
Message-ID: 

>>
>> Am I asking something stupid? How do you securely transfer a keytab
>> for the host principal to the host? "ktutil get" does just that.
>>
> Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?
I think what Victor actually asks for is a single command to do something like

kadmin -q "addprinc -randkey `hostname -f`" && kadmin -q "ktadd `hostname -f`"

Javier Palacios

From vas at mpeks.no-spam-here.tomsk.su Tue Aug 5 22:38:39 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Wed, 6 Aug 2008 02:38:39 +0000 (UTC)
Subject: ktutil get
References: <4898B7D6.6070109@rampaginggeek.com>
Message-ID: 

Javier Palacios wrote:
> >>
> >> Am I asking something stupid? How do you securely transfer a keytab
> >> for the host principal to the host? "ktutil get" does just that.
> >>
> > Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?
>
> I think what Victor actually asks for is a single command to do something like
>
> kadmin -q "addprinc -randkey `hostname -f`" && kadmin -q "ktadd `hostname -f`"

http://www.freebsd.org/cgi/man.cgi?query=ktutil

You run "ktutil get host/A" on host A and it does the following in one step:

1. Contacts the remote kadmind, creates the principal host/A there with a random key.
2. Securely transfers the keys back to host A.
3. Installs them in host A's keytab.

which is a very convenient way of joining a host into a Kerberos domain. This method does not require any external means to transfer a keytab (like ssh or floppy).

From your replies I guess that this convenient feature is totally missing from MIT Kerberos :(( or is implemented in a totally different manner.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

From vas at mpeks.no-spam-here.tomsk.su Tue Aug 5 22:54:02 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Wed, 6 Aug 2008 02:54:02 +0000 (UTC)
Subject: ktutil get
References: 
Message-ID: 

Jason Edgecombe wrote:
>
> >>> There is a very useful command "ktutil get" in Heimdal. It allows to
> >>> conveniently join a host into a Kerberos domain, without bothering
> >>> about transferring the keytab.
> >>>
> >>> What is the analogous command in the Solaris Kerberos implementation?
> >>>
> >> No Solaris Kerberos experts here? Well, what is the analogous command
> >> in MIT Kerberos?
> >>
> > Am I asking something stupid? How do you securely transfer a keytab
> > for the host principal to the host? "ktutil get" does just that.
> >
> Is 'kadmin -q "ktadd /tmp/keytab" ' what you're looking for?

I think so, at least according to kadmin(1M) it must be what I am looking for. It is a pity I cannot check it out because Solaris' kadmin seems to be incompatible with FreeBSD's kadmind:

$ kadmin
kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU
$ cat /etc/krb5/krb5.conf
# by VAS
[libdefaults]
        default_realm = SIBPTUS.TOMSK.RU
        dns_lookup_kdc = yes
$
$ host -t srv _kerberos-adm._tcp.sibptus.tomsk.ru
_kerberos-adm._tcp.sibptus.tomsk.ru has SRV record 0 0 749 big.sibptus.tomsk.ru.
$

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

From vas at mpeks.no-spam-here.tomsk.su Tue Aug 5 22:57:54 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Wed, 6 Aug 2008 02:57:54 +0000 (UTC)
Subject: ktutil get
References: 
Message-ID: 

Nicolas Williams wrote:
> If you want to move keytab files around securely then use ssh/sftp or
> any other secure file transfer or remote filesystem protocol.

I was looking for a method of secure key transfer from the kdc to the host's keytab without any external means like ssh/sftp/floppy. It seems that "kadmin ktadd" could do this for me if only it were compatible with Heimdal's kadmind.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

From vas at mpeks.no-spam-here.tomsk.su Tue Aug 5 23:38:27 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Wed, 6 Aug 2008 03:38:27 +0000 (UTC)
Subject: ktutil get
References: 
Message-ID: 

Victor Sudakov wrote:
> It is a pity I cannot check it out because Solaris' kadmin seems to be
> incompatible with FreeBSD's kadmind:
> $ kadmin
> kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU

I see, Solaris kadmin looks for _kerberos-adm._udp.SIBPTUS.TOMSK.RU
What gives? FreeBSD's kadmind (Heimdal) does not listen on udp, it uses 749/tcp.

Is there a way to make them work together, or is it hopeless?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

From jaltman at secure-endpoints.com Wed Aug 6 09:02:46 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 06 Aug 2008 09:02:46 -0400
Subject: ktutil get
In-Reply-To: 
References: 
Message-ID: <4899A0F6.7040409@secure-endpoints.com>

Victor Sudakov wrote:
>
> It seems that "kadmin ktadd" could do this for me if only it were
> compatible with Heimdal's kadmind.
>

If you are using a Heimdal server, then you must use Heimdal's tools. The kadmin protocols for each of Solaris, MIT, Heimdal, AD, ... are all different and incompatible.

Simply build the Heimdal tools for each platform you wish to use ktutil on.

From Nicolas.Williams at sun.com Wed Aug 6 11:18:01 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 6 Aug 2008 10:18:01 -0500
Subject: ktutil get
In-Reply-To: 
References: 
Message-ID: <20080806151801.GZ25547@Sun.COM>

On Wed, Aug 06, 2008 at 03:38:27AM +0000, Victor Sudakov wrote:
> Victor Sudakov wrote:
> > It is a pity I cannot check it out because Solaris' kadmin seems to be
> > incompatible with FreeBSD's kadmind:
> > $ kadmin
> > kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU
>
> I see, Solaris kadmin looks for _kerberos-adm._udp.SIBPTUS.TOMSK.RU
> What gives? FreeBSD's kadmind (Heimdal) does not listen on udp, it
> uses 749/tcp.
>
> Is there a way to make them work together, or is it hopeless?

The kadmin protocol is not standard.

Heimdal's kadmin protocol and MIT's (from which Solaris' derives) are incompatible. That said, later today I'll send out program source that might help you.

Nico
--

From Nicolas.Williams at sun.com Wed Aug 6 18:17:23 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 6 Aug 2008 17:17:23 -0500
Subject: ktutil get
In-Reply-To: <20080806151801.GZ25547@Sun.COM>
References: <20080806151801.GZ25547@Sun.COM>
Message-ID: <20080806221722.GR25547@Sun.COM>

On Wed, Aug 06, 2008 at 10:18:01AM -0500, Nicolas Williams wrote:
> On Wed, Aug 06, 2008 at 03:38:27AM +0000, Victor Sudakov wrote:
> > Victor Sudakov wrote:
> > > It is a pity I cannot check it out because Solaris' kadmin seems to be
> > > incompatible with FreeBSD's kadmind:
> > > $ kadmin
> > > kadmin: unable to get host based service name for realm SIBPTUS.TOMSK.RU
> >
> > I see, Solaris kadmin looks for _kerberos-adm._udp.SIBPTUS.TOMSK.RU
> > What gives?
> > FreeBSD's kadmind (Heimdal) does not listen on udp, it
> > uses 749/tcp.
> >
> > Is there a way to make them work together, or is it hopeless?
>
> The kadmin protocol is not standard.
>
> Heimdal's kadmin protocol and MIT's (from which Solaris' derives) are
> incompatible. That said, later today I'll send out program source that
> might help you.

A while back I wrote a utility for building keytab files when using Active Directory as the KDC; it uses the RFC3244 protocol to set the "password" of the given principal, so it should work with Heimdal. You can find it here:

http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp

Nico
--

From javiplx at gmail.com Thu Aug 7 03:20:56 2008
From: javiplx at gmail.com (Javier Palacios)
Date: Thu, 7 Aug 2008 09:20:56 +0200
Subject: ktutil get
In-Reply-To: <20080806221722.GR25547@Sun.COM>
References: <20080806151801.GZ25547@Sun.COM> <20080806221722.GR25547@Sun.COM>
Message-ID: 

> A while back I wrote a utility for building keytab files when using
> Active Directory as the KDC; it uses the RFC3244 protocol to set the
> "password" of the given principal, so it should work with Heimdal.

It's nice to see a source code sample for this. Up to now I did use the binary-only adkadmin from Certified Security Solutions.

Has anybody tried the 'Active Directory' mode of heimdal's kadmin?

By the way, my tests with W3K R2 Enterprise did show that neither SFU nor the Identity management for Unix (which I didn't know) are strictly required. The unix schema is actually there, and if you are ready for some debugging loops you can do everything with ldapmodify from the unix (fedora/ubuntu) box. And as far as I remember, you don't need to fix a NIS domain attribute.
Javier Palacios

From abhishek.brave at gmail.com Thu Aug 7 08:49:48 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Thu, 7 Aug 2008 05:49:48 -0700 (PDT)
Subject: Cross Realm Not working for SSH
Message-ID: <18869731.post@talk.nabble.com>

hi
i am using kerberos V5 and MAC OS X 10.5.2

i have configured 2 realms and established cross realm trust between them.

i have to use SSH service.

When i am doing SSH in simple authentication, it is working fine ie not asking any password.
but password is being asked for Cross realm.

suppose UserA is in REALMA and SSH server serverB in REALMB

ServerB has an account for UserB (UserB is its admin)

when i do kinit UserA at REALMA, i get the initial ticket krbtgt/REALMA at REALMA.
now when i am doing ssh UserB at serverB.com it is asking for password.

According to my understanding USERA should be allowed to access USERB's account on SERVERB for passwordless ssh.
How to set USERA's access in serverB?
or is there any other method?

any pointers will be appreciated.

--
View this message in context: http://www.nabble.com/Cross-Realm-Not-working-for-SSH-tp18869731p18869731.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From SBuckley at MIT.EDU Thu Aug 7 10:40:17 2008
From: SBuckley at MIT.EDU (Stephen C. Buckley)
Date: Thu, 7 Aug 2008 10:40:17 -0400
Subject: "The Role of Kerberos in Modern Information Systems" white paper available
Message-ID: <683478D0-549E-4196-BF69-734E9457B1BC@MIT.EDU>

A new draft white paper entitled "The Role of Kerberos in Modern Information Systems" is now available at:

http://www.kerberos.org/software/rolekerberos.pdf

This document takes an architectural look at security, but it is not a reference manual for security architects. Instead, it focuses on the role of the Kerberos authentication system as part of the overall ecosystem of security technologies, services, and software components likely to be encountered in a typical modern distributed-systems environment.
It is intended for those who design, build, and manage enterprise computing infrastructure, as well as for those who develop software intended to operate in such environments. This document should, ideally, answer many of the questions about how Kerberos fits into modern information systems, and how it relates to other vital system services.

Additional white papers and specifications are available at:

http://www.kerberos.org/software/whitepapers.html

Thank you for your support of the Kerberos Consortium

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Stephen C. Buckley
Executive Director
Kerberos Consortium
Massachusetts Institute of Technology
Cambridge, Massachusetts
web: http://www.kerberos.org
To subscribe to our announcement list, visit: http://mailman.mit.edu/mailman/listinfo/mitkc-announce

From dakoner at gmail.com Thu Aug 7 12:08:37 2008
From: dakoner at gmail.com (David Konerding)
Date: Thu, 7 Aug 2008 09:08:37 -0700
Subject: Kerberos through a load balancer
In-Reply-To: <4840669A.6030202@anl.gov>
References: <4f0f0cb0805301010w7491dd82sa0eff1db86d32b0d@mail.gmail.com> <4840669A.6030202@anl.gov>
Message-ID: <4f0f0cb0808070908n230785b2nda56071273e3bdd4@mail.gmail.com>

Previously, I wrote to the Kerberos list with a problem:

>>
>> We also have a BigIP load balancer that has a name; when people ssh or web
>> access that name, they get round-robin distributed across the cluster.
>> The LB supports Layer 3 and Layer 5 transparent proxying to the back end.
>>
>> We have noticed that if people log into nodes with their real hostname,
>> or web access a url using the real hostname of the server, everything
>> works as expected.
>> However, attempting to ssh into the load balancer address typically gives:
>>
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Delegating credentials
>> debug1: Miscellaneous failure
>> Unknown code
>>
>> debug1: Trying to start again
>>
> Douglas Engert added some comments:
>
> What version of SSH?
> What version of Kerberos?
> What OS? Some vendors might have a mod like I described above.
>

I've finally got a chance to get the system under test in a good state to debug this.

Specifically, I am running on SuSE Linux Enterprise 10 SP1. The Kerberos is krb5-1.4.3-19.17 (RPM from SLES10SP1). I built my own openssh, 5.1p1, but the problem is the same with the SLES10SP1 included openssh.

I traced through the code and this time, the tcpdump and debugging code is more useful. Specifically, I am ssh'ing into a hostname/IP "bldtst-corp-lb" (the load balancer's IP and hostname), which is L2 forwarding my session onto an actual host, bldtst-corp.

The specific problem I see is that when "ssh_gssapi_check_mechanism" calls into ssh_gssapi_init_ctx, it first calls "ssh_gssapi_import_name" with the hostname passed to ssh. So in this case, it's bldtst-corp-lb. It seems the KDC responds with "PRINCIPAL UNKNOWN" because we never created a server key for that hostname. As far as we can tell this is all normal behavior.

What we don't know is if we can salvage this, i.e. by adding a server key for bldtst-corp-lb and placing it on bldtst-corp.

Dave

From deengert at anl.gov Thu Aug 7 13:20:05 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 07 Aug 2008 12:20:05 -0500
Subject: Cross Realm Not working for SSH
In-Reply-To: <18869731.post@talk.nabble.com>
References: <18869731.post@talk.nabble.com>
Message-ID: <489B2EC5.8030806@anl.gov>

UserB needs a ~/.k5login file with UserA at RealmA

Abhishek Chowdhury wrote:
> hi
> i am using kerberos V5 and MAC OS X 10.5.2
>
> i have configured 2 realms and established cross realm trust between them.
>
> i have to use SSH service.
>
> When i am doing SSH in simple authentication, it is working fine ie not
> asking any password.
> but password is being asked for Cross realm.
>
> suppose UserA is in REALMA and SSH server serverB in REALMB
>
> ServerB has an account for UserB (UserB is its admin)
>
> when i do kinit UserA at REALMA, i get the initial ticket
> krbtgt/REALMA at REALMA.
> now when i am doing ssh UserB at serverB.com it is asking for password.
>
> According to my understanding USERA should be allowed to access USERB's
> account on SERVERB for passwordless ssh.
> How to set USERA's access in serverB?
> or is there any other method?
>
> any pointers will be appreciated.
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jake.carroll at uq.edu.au Sun Aug 10 06:58:52 2008
From: jake.carroll at uq.edu.au (Jake Carroll)
Date: Sun, 10 Aug 2008 20:28:52 +0930
Subject: User authenticates as "nobody" on subsequent mounts despite having krb ticket
Message-ID: <5B8CB450-58FB-4244-B514-B7FBCD2B721A@uq.edu.au>

Hi all,

I have, what I think is a relatively simple kerberos problem that I am not seeing the obvious side to. I'll explain the scenario.

I have an OpenLDAP KDC. For the purposes of this conversation, it is the authentication server, and the bit that grants/hands out all the ticket information. I have a Solaris 10 system running the default Sun shipped Samba 3.0.28 (/usr/sfw/sbin/smbd).
This Solaris fileserver is connected via LDAP to the OpenLDAP master and has an appropriate /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab installed.

In my /etc/sfw/smb.conf, I have the simple "magic lines" to connect my samba service to Kerberos as follows in the [global] section:

        password server = somehost.somewhere.nowhere.interesting.here
        workgroup = STAFF
        realm = somehost.somewhere.nowhere.interesting.here
        netbios name = somehost.somewhere.nowhere.interesting.here
        netbios aliases = SUN SAM-FS HSM
        security = SERVER
        use kerberos keytab = yes
        encrypt passwords = yes

So, once I have created some shares, all seems to go swimmingly. Users connect using their SSO credentials, they are passed a ticket through the TGT process and they are then allowed to write to the share/directory/wherever I have specified.

The problem is, when my user decides he/she/it has had enough of that network mounted volume, they eject it. No big deal there - however, when they REMOUNT the volume with their Kerberos ticket intact (default ticket timeout is 10 hours in my policy), they for SOME reason authenticate as the "nobody" user - and as a result, get denied access:

Some logs.
A "healthy" connection to the service:

[2008/08/09 09:43:18, 1, pid=3893] smbd/service.c:(1033)
  aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) connect to service group_IT initially as user zebra (uid=1027, gid=1028) (pid 3893)

Now, let's disconnect the share on the desktop:

[2008/08/09 09:46:50, 1, pid=3893] smbd/service.c:(1230)
  aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) closed connection to service group_IT

Now, let's try reconnecting with our kerberos ticket intact and see what happens:

[2008/08/09 09:53:16, 4, pid=3953] smbd/reply.c:(506)
  Client requested device type [A:] for share [GROUP_IT]
[2008/08/09 09:53:16, 5, pid=3953] smbd/service.c:(1205)
  making a connection to 'normal' service group_it
[2008/08/09 09:53:16, 2, pid=3953] smbd/service.c:(605)
  *guest user (from session setup) not permitted to access this share (group_IT)*
*[2008/08/09 09:53:16, 3, pid=3953] smbd/error.c:(106)*
  *error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED*
[2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(484)
[2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(494)
  size=35
  smb_com=0x75
  smb_rcls=34
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=49153
  smb_tid=65535
  smb_pid=1
  smb_uid=100
  smb_mid=8
  smt_wct=0
  smb_bcc=0
[2008/08/09 09:53:20, 3, pid=3953] smbd/process.c:(1068)
  Transaction 9 of length 43
[2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(484)
[2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(494)
  size=39
  smb_com=0x74
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=8
  smb_flg2=49153
  smb_tid=65535
  smb_pid=1
  smb_uid=100
  smb_mid=9
  smt_wct=2
  smb_vwv[ 0]= 255 (0xFF)
  smb_vwv[ 1]= 0 (0x0)
  smb_bcc=0

What the?
I've got a legit ticket:

zebra:~ zebra$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: zebra at somehost.somewhere.nowhere.interesting.here

Valid Starting     Expires            Service Principal
08/09/08 09:42:32  08/09/08 19:42:32  krbtgt/somehost.somewhere.nowhere.interesting.here at somehost.somewhere.nowhere.interesting.here
        renew until 08/16/08 09:42:32

Frustratingly, if I do a kdestroy on my ticket, then remount the share (and in the process, have to provide my SSO credentials again), everything is perfect - I am the correct user, and all goes according to plan again.

What on earth could be going wrong? Has anyone ever come up against such issues? Could it be specific to the client type, or is this a server side issue?

Thanks for your time.

JC

From ssorce at redhat.com Sun Aug 10 09:40:56 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Sun, 10 Aug 2008 09:40:56 -0400
Subject: User authenticates as "nobody" on subsequent mounts despite having krb ticket
In-Reply-To: <5B8CB450-58FB-4244-B514-B7FBCD2B721A@uq.edu.au>
References: <5B8CB450-58FB-4244-B514-B7FBCD2B721A@uq.edu.au>
Message-ID: <1218375656.2991.26.camel@localhost.localdomain>

With 99% certainty this is not a kerberos issue and I can tell that your samba configuration is quite "interesting".

I suggest you seek help on samba at samba.org

Simo.

On Sun, 2008-08-10 at 20:28 +0930, Jake Carroll wrote:
> Hi all,
>
> I have, what I think is a relatively simple kerberos problem that I am
> not seeing the obvious side to. I'll explain the scenario.
>
> I have an OpenLDAP KDC. For the purposes of this conversation, it is
> the authentication server, and the bit that grants/hands out all the
> ticket information. I have a Solaris 10 system running the default Sun
> shipped Samba 3.0.28 (/usr/sfw/sbin/smbd).
>
> This Solaris fileserver is connected via LDAP to the OpenLDAP master
> and has an appropriate /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab
> installed.
>
> In my /etc/sfw/smb.conf, I have the simple "magic lines" to connect my
> samba service to Kerberos as follows in the [global] section:
>
> password server = somehost.somewhere.nowhere.interesting.here
> workgroup = STAFF
> realm = somehost.somewhere.nowhere.interesting.here
> netbios name = somehost.somewhere.nowhere.interesting.here
> netbios aliases = SUN SAM-FS HSM
> security = SERVER
> use kerberos keytab = yes
> encrypt passwords = yes
>
> So, once I have created some shares, all seems to go swimmingly. Users
> connect using their SSO credentials, they are passed a ticket through
> the TGT process and they are then allowed to write to the share/
> directory/wherever I have specified.
>
> The problem is, when my user decides he/she/it has had enough of that
> network mounted volume, they eject it. No big deal there - however,
> when they REMOUNT the volume with their Kerberos ticket intact
> (default ticket timeout is 10 hours in my policy), they for SOME
> reason authenticate as the "nobody" user - and as a result, get denied
> access:
>
> Some logs.
A "healthy" connection to the service: > > [2008/08/09 09:43:18, 1, pid=3893] smbd/service.c:(1033) > aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) connect to service group_IT > initially as user zebra (uid=1027, gid=1028) (pid 3893) > > Now, lets disconnect the share on the desktop: > > [2008/08/09 09:46:50, 1, pid=3893] smbd/service.c:(1230) > aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) closed connection to service group_IT > > Now, lets try reconnecting with our kerberos ticket in-tact and see > what happens: > > [2008/08/09 09:53:16, 4, pid=3953] smbd/reply.c:(506) > Client requested device type [A:] for share [GROUP_IT] > [2008/08/09 09:53:16, 5, pid=3953] smbd/service.c:(1205) > making a connection to 'normal' service group_it > [2008/08/09 09:53:16, 2, pid=3953] smbd/service.c:(605) > *guest user (from session setup) not permitted to access this share > (group_IT)* > *[2008/08/09 09:53:16, 3, pid=3953] smbd/error.c:(106)* > *error packet at smbd/reply.c(514) cmd=117 (SMBtconX) > NT_STATUS_ACCESS_DENIED* > [2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(484) > [2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(494) > size=35 > smb_com=0x75 > smb_rcls=34 > smb_reh=0 > smb_err=49152 > smb_flg=136 > smb_flg2=49153 > smb_tid=65535 > smb_pid=1 > smb_uid=100 > smb_mid=8 > smt_wct=0 > smb_bcc=0 > [2008/08/09 09:53:20, 3, pid=3953] smbd/process.c:(1068) > Transaction 9 of length 43 > [2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(484) > [2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(494) > size=39 > smb_com=0x74 > smb_rcls=0 > smb_reh=0 > smb_err=0 > smb_flg=8 > smb_flg2=49153 > smb_tid=65535 > smb_pid=1 > smb_uid=100 > smb_mid=9 > smt_wct=2 > smb_vwv[ 0]= 255 (0xFF) > smb_vwv[ 1]= 0 (0x0) > smb_bcc=0 > > What the? 
I've got a legit ticket: > > zebra:~ zebra$ klist > Kerberos 5 ticket cache: 'API:Initial default ccache' > Default principal: zebra at somehost.somewhere.nowhere.interesting.here > > Valid Starting Expires Service Principal > 08/09/08 09:42:32 08/09/08 19:42:32 krbtgt/somehost.somewhere.nowhere.interesting.here at somehost.somewhere.nowhere.interesting.here > renew until 08/16/08 09:42:32 > > Frustratingly, if I to a kdestroy on my ticket, then remount the share > (and in the process, have to provide my SSO credentials again), > everything is perfect - I am the correct user, and all goes according > to plan again. > > What on earth could be going wrong? Has anyone ever come up against > such issues? Could it be specific to the client type, or is this a > server side issue? > > Thanks for your time. > > JC > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From vladimirt at PartyGaming.com Mon Aug 11 02:57:51 2008 From: vladimirt at PartyGaming.com (Vladimir Terziev) Date: Mon, 11 Aug 2008 09:57:51 +0300 Subject: User authenticates as "nobody" on subsequent mounts despite havingkrb ticket In-Reply-To: <5B8CB450-58FB-4244-B514-B7FBCD2B721A@uq.edu.au> References: <5B8CB450-58FB-4244-B514-B7FBCD2B721A@uq.edu.au> Message-ID: <1218437871.40137.0.camel@daemon2.partygaming.local> This is a samba issue/behavior with certainty 100%. Check samba docs for clues. Regards, Vladimir On Sun, 2008-08-10 at 20:28 +0930, Jake Carroll wrote: > Hi all, > > I have, what I think is a relatively simple kerberos problem that I am > not seeing the obvious side to. I'll explain the scenario. > > I have an OpenLDAP KDC. For the purposes of this conversation, it is > the authentication server, and the bit that grants/hands out all the > ticket information. I have a Solaris 10 system running the default Sun > shipped Samba 3.0.28 (/usr/sfw/sbin/smbd). 
>
> This Solaris fileserver is connected via LDAP to the OpenLDAP master and has an appropriate /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab installed.
>
> In my /etc/sfw/smb.conf, I have the simple "magic lines" to connect my samba service to Kerberos as follows in the [global] section:
>
> password server = somehost.somewhere.nowhere.interesting.here
> workgroup = STAFF
> realm = somehost.somewhere.nowhere.interesting.here
> netbios name = somehost.somewhere.nowhere.interesting.here
> netbios aliases = SUN SAM-FS HSM
> security = SERVER
> use kerberos keytab = yes
> encrypt passwords = yes
>
> So, once I have created some shares, all seems to go swimmingly. Users connect using their SSO credentials, they are passed a ticket through the TGT process and they are then allowed to write to the share/directory/wherever I have specified.
>
> The problem is, when my user decides he/she/it has had enough of that network mounted volume, they eject it. No big deal there - however, when they REMOUNT the volume with their Kerberos ticket intact (default ticket time out is 10 hours in my policy), they for SOME reason authenticate as the "nobody" user - and as a result, get denied access:
>
> Some logs.
>
> A "healthy" connection to the service:
>
> [2008/08/09 09:43:18, 1, pid=3893] smbd/service.c:(1033)
>   aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) connect to service group_IT initially as user zebra (uid=1027, gid=1028) (pid 3893)
>
> Now, let's disconnect the share on the desktop:
>
> [2008/08/09 09:46:50, 1, pid=3893] smbd/service.c:(1230)
>   aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) closed connection to service group_IT
>
> Now, let's try reconnecting with our kerberos ticket intact and see what happens:
>
> [2008/08/09 09:53:16, 4, pid=3953] smbd/reply.c:(506)
>   Client requested device type [A:] for share [GROUP_IT]
> [2008/08/09 09:53:16, 5, pid=3953] smbd/service.c:(1205)
>   making a connection to 'normal' service group_it
> [2008/08/09 09:53:16, 2, pid=3953] smbd/service.c:(605)
>   guest user (from session setup) not permitted to access this share (group_IT)
> [2008/08/09 09:53:16, 3, pid=3953] smbd/error.c:(106)
>   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> [2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(484)
> [2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(494)
>   size=35
>   smb_com=0x75
>   smb_rcls=34
>   smb_reh=0
>   smb_err=49152
>   smb_flg=136
>   smb_flg2=49153
>   smb_tid=65535
>   smb_pid=1
>   smb_uid=100
>   smb_mid=8
>   smt_wct=0
>   smb_bcc=0
> [2008/08/09 09:53:20, 3, pid=3953] smbd/process.c:(1068)
>   Transaction 9 of length 43
> [2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(484)
> [2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(494)
>   size=39
>   smb_com=0x74
>   smb_rcls=0
>   smb_reh=0
>   smb_err=0
>   smb_flg=8
>   smb_flg2=49153
>   smb_tid=65535
>   smb_pid=1
>   smb_uid=100
>   smb_mid=9
>   smt_wct=2
>   smb_vwv[ 0]= 255 (0xFF)
>   smb_vwv[ 1]= 0 (0x0)
>   smb_bcc=0
>
> What the? I've got a legit ticket:
>
> zebra:~ zebra$ klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: zebra at somehost.somewhere.nowhere.interesting.here
>
> Valid Starting     Expires            Service Principal
> 08/09/08 09:42:32  08/09/08 19:42:32  krbtgt/somehost.somewhere.nowhere.interesting.here at somehost.somewhere.nowhere.interesting.here
>         renew until 08/16/08 09:42:32
>
> Frustratingly, if I do a kdestroy on my ticket, then remount the share (and in the process, have to provide my SSO credentials again), everything is perfect - I am the correct user, and all goes according to plan again.
>
> What on earth could be going wrong? Has anyone ever come up against such issues? Could it be specific to the client type, or is this a server side issue?
>
> Thanks for your time.
>
> JC
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From dakoner at gmail.com Tue Aug 12 12:19:56 2008
From: dakoner at gmail.com (David Konerding)
Date: Tue, 12 Aug 2008 09:19:56 -0700
Subject: kerberos authentication failing through load balancer
Message-ID: <4f0f0cb0808120919y58db0754n8b834dcd9997c47b@mail.gmail.com>

Hi,

We are doing ssh load balancing to a cluster through a load balancer that forwards port 22. "host" bldtst-corp-lb round-robin distributes sessions to backend hosts like "bldtst-corp-1", etc. When we try to use Kerberos authentication for passwordless ssh, it works fine if we ssh straight to a host, but if we go through the load balancer we have a problem - ssh reports "Unknown code - miscellaneous failure".

I traced this deep into the code. The problem is that the server, during ssh_gssapi_accept_ctx, calls into GSSAPI, which in Kerberos compares the principals. The compare that fails and returns an error code back to ssh appears to be "bldtst-corp-lb" vs. bldtst-corp-1.
If I force krb5_princ_compare to return true instead of false, the server accepts the client's creds and the user can log in with no password. I imagine this check is on purpose for the server to ensure that it has a valid service key for the hostname being contacted. We have installed keys for the server, as well as the hostname of the load balancer, into the target node.

Here is the traceback into Kerberos, which is where the auth fails:

#0  krb5_principal_compare (context=0x582e40, princ1=0x583f40, princ2=0x5845e0) at princ_comp.c:102
#1  0x00002b03996bbead in krb5_rd_req_decoded_opt (context=0x582e40, auth_context=0x7fff11e6db78, req=0x584690, server=0x583f40, keytab=0x582f00, ap_req_options=0x0, ticket=0x7fff11e6db70, check_valid_flag=1) at rd_req_dec.c:95
#2  0x00002b03996bc5f9 in krb5_rd_req_decoded (context=0x582e40, auth_context=0x7fff11e6db78, req=0x584690, server=0x583f40, keytab=0x582f00, ap_req_options=0x0, ticket=0x7fff11e6db70) at rd_req_dec.c:343
#3  0x00002b03996bbd63 in krb5_rd_req (context=0x582e40, auth_context=0x7fff11e6db78, inbuf=0x7fff11e6dbf0, server=0x583f40, keytab=0x582f00, ap_req_options=0x0, ticket=0x7fff11e6db70) at rd_req.c:101
#4  0x00002b039954032f in krb5_gss_accept_sec_context (minor_status=0x582274, context_handle=0x582278, verifier_cred_handle=0x583f90, input_token=0x7fff11e6ddb0, input_chan_bindings=0x0, src_name=0x582298, mech_type=0x7fff11e6dd60, output_token=0x7fff11e6ddc0, ret_flags=0x7fff11e6dda8, time_rec=0x0, delegated_cred_handle=0x5822a0) at accept_sec_context.c:405
#5  0x00002b039954ceeb in gss_accept_sec_context (minor_status=0x582274, context_handle=0x582278, verifier_cred_handle=0x583f90, input_token=0x7fff11e6ddb0, input_chan_bindings=0x0, src_name=0x582298, mech_type=0x7fff11e6dd60, output_token=0x7fff11e6ddc0, ret_flags=0x7fff11e6dda8, time_rec=0x0, delegated_cred_handle=0x5822a0) at krb5_gss_glue.c:45
#6  0x00000000004257d4 in ssh_gssapi_accept_ctx (ctx=0x582270, recv_tok=0x7fff11e6ddb0, send_tok=0x7fff11e6ddc0, flags=0x7fff11e6dda8) at gss-serv.c:155
#7  0x0000000000425089 in input_gssapi_token (type=61, plen=7, ctxt=0x57dfa0) at auth2-gss.c:151
#8  0x0000000000441726 in dispatch_run (mode=0, done=0x57dfa0, ctxt=0x57dfa0) at dispatch.c:99
#9  0x0000000000414c17 in do_authentication2 (authctxt=0x57dfa0) at auth2.c:169
#10 0x000000000040a41a in main (ac=5, av=0x572030) at sshd.c:1860

From beoweolf at pacbell.net Tue Aug 12 10:53:01 2008
From: beoweolf at pacbell.net (beoweolf)
Date: Tue, 12 Aug 2008 07:53:01 -0700
Subject: Kerberos explain

It's a matter of "cost". Authentication of a server, service, any entity requires system resources; it is expensive in time as well as CPU cycles, system memory, setup cost, etc. A reasonable comparison is found in the computational differences in sending encryption. A lot of upfront effort is invested in protecting key distribution, but once done the actual transmission of encrypted data can be accomplished at greatly reduced "cost" based on a preexisting session or historical identity. Renewing TGT/TGS is much faster than the initial setup.

"kisito" wrote in message news:mailman.44.1217865479.3905.kerberos at mit.edu...
>
> Hi
>
> In the operation of the Kerberos protocol, why does the Authentication Server, when delivering the TGT, not directly issue the service ticket? (so I do not see why the protocol was complicated by introducing the TGS)
> --
> View this message in context: http://www.nabble.com/Kerboros-explain-tp18787840p18787840.html
> Sent from the Kerberos - General mailing list archive at Nabble.com.
>

From jblaine at kickflop.net Tue Aug 12 17:06:52 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Tue, 12 Aug 2008 17:06:52 -0400
Subject: Cannot contact any KDC for requested realm while getting initial credentials
Message-ID: <48A1FB6C.9000302@kickflop.net>

Hi all,

I'm having a very strange problem below that I cannot figure out. Any advice would be great to hear.
First a block showing the problem, then a block showing that a different machine works perfectly fine (and others I've tested but am not showing here for brevity). Basically, the master KDC, rcf-kdc1.foo.com, can't seem to do jack.

============================================================
rcf-kdc1# grep hosts /etc/nsswitch.conf
hosts: files dns
rcf-kdc1#
rcf-kdc1# cat /etc/krb5.conf
[libdefaults]
        default_realm = RCF.FOO.COM
        forwardable = yes
        ticket_lifetime = 7d

[appdefaults]
        forwardable = yes

[domain_realm]
        .foo.com = RCF.FOO.COM

[realms]
        RCF.FOO.COM = {
                kdc = rcf-kdc1.foo.com
                kdc = rcf-kdc2.foo.com
                kdc = rcf-kdc3.foo.com
                admin_server = rcf-kdc1.foo.com
        }

[logging]
        kdc = FILE:/var/adm/krb5kdc.log
        admin_server = FILE:/var/adm/kadmin.log
        default = FILE:/var/adm/krb5lib.log

rcf-kdc1# uname -n
rcf-kdc1.foo.com
rcf-kdc1# nslookup rcf-kdc1.foo.com
Server:         1xx.xx.xx.xxx
Address:        1xx.xx.xx.xxx#53

Name:   rcf-kdc1.foo.com
Address: 1xx.xx.xx.yyy

rcf-kdc1# kinit -p jblaine
kinit(v5): Cannot contact any KDC for realm 'RCF.FOO.COM' while getting initial credentials
rcf-kdc1# ps -ef | grep krb5kdc
root      6837     1  0 13:21 ?        00:00:00 /var/rcf-kdc1-krb5/sbin/krb5kdc
root     14166  2856  0 16:57 pts/0    00:00:00 grep krb5kdc
rcf-kdc1# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
rcf-kdc1#
============================================================
~:cairo> cat /etc/krb5.conf
[libdefaults]
        default_realm = RCF.FOO.COM
        forwardable = yes
        ticket_lifetime = 7d

[appdefaults]
        forwardable = yes

[domain_realm]
        .foo.com = RCF.FOO.COM

[realms]
        RCF.FOO.COM = {
                kdc = rcf-kdc1.foo.com
                kdc = rcf-kdc2.foo.com
                kdc = rcf-kdc3.foo.com
                admin_server = rcf-kdc1.foo.com
        }

[logging]
        kdc = FILE:/var/adm/krb5kdc.log
        admin_server = FILE:/var/adm/kadmin.log
        default = FILE:/var/adm/krb5lib.log

~:cairo> kinit -p jblaine
Password for jblaine at RCF.FOO.COM:
~:cairo>

From raeburn at MIT.EDU Wed Aug 13 09:47:27 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 13 Aug 2008 09:47:27 -0400
Subject: "Stealing" the credential cache
Message-ID: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu>

On Aug 13, 2008, at 07:55, E. Braun wrote:
> Is this the expected behaviour, that the root user of a client (the user has no interactive access to the Kerberos and AFS servers) can use a copy of the credentials cache for getting an afs token?

Yes. Finding a place where the superuser cannot access a user's credentials (either directly or by changing uid to the user, or in an extreme case, attach a user's process via ptrace or whatever, as if under a debugger, and extract the authentication info from the user's process) is a system-specific problem and not always possible; it requires that the OS enforce restrictions on a superuser account. I'm not familiar with whether the keyring code in Linux (optionally used in recent MIT Kerberos releases) enforces such restrictions.
If we could hook into AFS process authentication groups, that might help raise the bar as well, to prevent casual copying but not the ptrace attack, but only on systems where AFS is installed (specifically implementations with PAGs). Ken Hornstein has patches around to use an extra, high-numbered file descriptor inherited across processes, with the process fd limit lowered to just below that fd, which restricts access to a login session (aside from the ptrace attack), but requires modifications to the login process to set up this file descriptor, and requires that no process close all the high-numbered file descriptors (which I gather is actually fairly uncommon to do above the lowered file descriptor limit).

BTW, comp.protocols.kerberos is relayed to/from a mailing list; directing followups to a different newsgroup is not going to work for some readers.

Ken

From rra at stanford.edu Wed Aug 13 14:21:18 2008
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 13 Aug 2008 11:21:18 -0700
Subject: "Stealing" the credential cache
In-Reply-To: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu> (Ken Raeburn's message of "Wed, 13 Aug 2008 09:47:27 -0400")
References: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu>
Message-ID: <87iqu4u675.fsf@windlord.stanford.edu>

Ken Raeburn writes:

> I'm not familiar with whether the keyring code in Linux (optionally used in recent MIT Kerberos releases) enforces such restrictions.

You would probably need to also run something like SELinux to limit the capabilities of root, if my understanding of how the authorization model in the kernel works is correct.

> If we could hook into AFS process authentication groups, that might help raise the bar as well, to prevent casual copying but not the ptrace attack, but only on systems where AFS is installed (specifically implementations with PAGs). Ken Hornstein has patches around to use an extra, high-numbered file descriptor inherited across processes, with the process fd limit lowered to just below that fd, which restricts access to a login session (aside from the ptrace attack), but requires modifications to the login process to set up this file descriptor, and requires that no process close all the high-numbered file descriptors (which I gather is actually fairly uncommon to do above the lowered file descriptor limit).

This too only protects against casual attacks, since root can still get access to this ticket cache by trying hard enough.

--
Russ Allbery (rra at stanford.edu)

From kenh at cmf.nrl.navy.mil Wed Aug 13 14:36:59 2008
From: kenh at cmf.nrl.navy.mil (Ken Hornstein)
Date: Wed, 13 Aug 2008 14:36:59 -0400
Subject: "Stealing" the credential cache
In-Reply-To: <87iqu4u675.fsf@windlord.stanford.edu>
Message-ID: <200808131837.m7DIaxTM029740@hedwig.cmf.nrl.navy.mil>

>[...]
>This too only protects against casual attacks, since root can still get
>access to this ticket cache by trying hard enough.

It's all about what you define as "casual". Just opening files in /proc will not work; your best bet is to ptrace() one of the existing processes that has the credential cache descriptor available (or simply attack via ptrace() the credential manager process itself). From what I've seen of existing ptrace()-based attack tools this technique requires some skill and would involve some work. I prefer to use the term "unsophisticated" attacks when describing what this credential cache protects against. Kernel keyrings are better, of course, but they're not available everywhere.

I don't think there is a complete solution if you posit an attacker having root access to a client workstation. And that old joke whose punchline is, "I don't have to run faster than the bear, I just have to run faster than you," comes to mind.

--Ken

From simo at redhat.com Wed Aug 13 10:07:24 2008
From: simo at redhat.com (Simo Sorce)
Date: Wed, 13 Aug 2008 10:07:24 -0400
Subject: "Stealing" the credential cache
In-Reply-To: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu>
References: <7B51DE8A-E0F0-4348-BD24-DBA2AFB6BD1E@mit.edu>
Message-ID: <1218636444.2991.84.camel@localhost.localdomain>

On Wed, 2008-08-13 at 09:47 -0400, Ken Raeburn wrote:
> On Aug 13, 2008, at 07:55, E. Braun wrote:
> > Is this the expected behaviour, that the root user of a client (the user has no interactive access to the Kerberos and AFS servers) can use a copy of the credentials cache for getting an afs token?
>
> Yes. Finding a place where the superuser cannot access a user's credentials (either directly or by changing uid to the user, or in an extreme case, attach a user's process via ptrace or whatever, as if under a debugger, and extract the authentication info from the user's process) is a system-specific problem and not always possible; it requires that the OS enforce restrictions on a superuser account.

You should be able to use SELinux to achieve this goal, not sure how hard it would be to build the policy though.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From yabadi at checkpoint.com Sun Aug 17 03:26:55 2008
From: yabadi at checkpoint.com (yuval)
Date: Sun, 17 Aug 2008 10:26:55 +0300
Subject: user name in ticket
References: <18707098.post@talk.nabble.com>
Message-ID: <003201c9003a$a0c22130$7b2e1dc2@ad.checkpoint.com>

Hi All

I have an AD environment with IE and an apache web server. The web server is configured (the web server has an AD user with a keytab) to require IE clients to be authenticated. The client sends a krb ticket to the web server. This ticket includes the client name, as it should according to RFC4120 section 5.3.

My question is: what is the source of the name? Is it taken from the TGT, when the user logged on to AD?
Or is it taken from the user name in the request to AD for this specific ticket (the client sends its name in clear with the request)?

Regards
Yuval Abadi

From yabadi at checkpoint.com Sun Aug 17 03:35:48 2008
From: yabadi at checkpoint.com (yuval)
Date: Sun, 17 Aug 2008 10:35:48 +0300
Subject: spnego
References: <18707098.post@talk.nabble.com>
Message-ID: <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com>

Hi All

I have a web server that requires authentication. It does so by returning 401 www-authenticate: negotiate. IE (FF too) sends a Kerberos ticket to authenticate.

When the client (or client machine) is not from the domain, IE pops up for credentials and creates an NTLMSSP blob.

Is there any way to continue the negotiation with IE before it pops up the NTLM credential prompt to the user? Maybe by sending some spnego option?

Best Regards
Yuval Abadi

From ioplex at gmail.com Sun Aug 17 11:08:08 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Sun, 17 Aug 2008 11:08:08 -0400
Subject: spnego
In-Reply-To: <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com>
References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com>
Message-ID: <78c6bd860808170808l1f58dfcfn39916c58c1f4c5e9@mail.gmail.com>

On Sun, Aug 17, 2008 at 3:35 AM, yuval wrote:
> Hi All
>
> I have a web server that requires authentication.
> It does so by returning 401 www-authenticate: negotiate.
> IE (FF too) sends a Kerberos ticket to authenticate.
>
> When the client (or client machine) is not from the domain, IE pops up for credentials and creates an NTLMSSP blob.
>
> Is there any way to continue the negotiation with IE before it pops up the NTLM credential prompt to the user? Maybe by sending some spnego option?

See "Issue 3" in the Plexcel Operators Manual on the Support page of the website in my signature. It outlines all of the reasons for browsers not doing Kerberos (obviously if you are not using Plexcel you will need to ignore any product specific references, but getting browsers to do Kerberos is pretty much the same regardless of what you are using on the server side).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From c.mills at colyer.co.uk Tue Aug 19 06:55:18 2008
From: c.mills at colyer.co.uk (COLsupp)
Date: Tue, 19 Aug 2008 03:55:18 -0700 (PDT)
Subject: Group permissions on OS X volume ignored by Kerberos since Server crash
Message-ID: <19048061.post@talk.nabble.com>

I have a 10.4 OS X Server running OD that is integrated with a Win AD Kerberos system. Shares are connected to the OSX Server via SCSI RAID, groups are managed through OD and the users imported into the groups from AD.

All was working fine until the OSX Server crashed and a forced shut down. On restart the primary HD was not recognised and the Mac server booted to a secondary volume, intended as a disaster recovery volume only and not properly configured (I suspect this is the root of the problem). The server was then rebooted again off the correct volume.

Since then, POSIX group permissions just don't work. Owner and Everyone are fine, but Group is simply ignored. I know this is a Kerberos issue because if the ticket is destroyed and AFP is used there is no problem.

I've unbound the OSX server, re-bound and checked that all is well in the krb5 keytab and that all services point to the correct realm.

Help!

--
View this message in context: http://www.nabble.com/Group-permissions-on-OS-X-volume-ignored-by-Kerberos-since-Server-crash-tp19048061p19048061.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
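A server-side check that fits the spnego thread above, added here as an example (it is not code from the thread, from Plexcel or from mod_auth_kerb): it decodes the token a browser put in an Authorization: Negotiate header and reports whether it is a raw NTLMSSP message, an SPNEGO NegTokenInit, or a bare Kerberos GSS token, and which mechanisms an SPNEGO client offered. With that, a web server can log and reject an NTLM fallback explicitly instead of reporting it as a Kerberos failure, and can tell from the mechTypes list whether the client could have done Kerberos at all. The sample tokens are constructed inside the block, not captured from IE or Firefox; the framing follows the GSS initial-token, SPNEGO and NTLMSSP layouts (RFC 2743, RFC 4178, MS-NLMP), and the DER helpers at the end exist only to build those samples.

```python
"""Classify the token a browser sent in an ``Authorization: Negotiate`` header.

Added example for the spnego thread; not code from the thread, from Plexcel
or from mod_auth_kerb.  Sample tokens below are constructed, not captured."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"        # Microsoft's pre-RFC Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der_read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits count length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def oid_to_str(raw):
    """Dotted form of DER OID contents (base-128 arcs, high bit = continue)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(token_b64):
    """Return (kind, mechs).  kind is 'ntlmssp' (raw NTLM, no SPNEGO wrapper),
    'krb5' (bare Kerberos GSS token), 'spnego' or 'unknown'; mechs lists the
    OIDs in NegTokenInit.mechTypes in the client's preference order."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp", []
    if not raw or raw[0] != 0x60:          # [APPLICATION 0] InitialContextToken
        return "unknown", []
    _, body, _ = der_read_tlv(raw, 0)
    tag, oid_bytes, pos = der_read_tlv(body, 0)
    if tag != 0x06:
        return "unknown", []
    mech = oid_to_str(oid_bytes)
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "krb5", [mech]
    if mech != OID_SPNEGO:
        return "unknown", [mech]
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    tag, neg_init, _ = der_read_tlv(body, pos)
    if tag != 0xA0:
        return "spnego", []
    _, seq, _ = der_read_tlv(neg_init, 0)
    tag, mech_types, _ = der_read_tlv(seq, 0)
    if tag != 0xA0:
        return "spnego", []
    _, oid_list, _ = der_read_tlv(mech_types, 0)
    mechs, pos = [], 0
    while pos < len(oid_list):
        tag, value, pos = der_read_tlv(oid_list, pos)
        if tag == 0x06:
            mechs.append(oid_to_str(value))
    return "spnego", mechs


def kerberos_offered(token_b64):
    """True if the client offered Kerberos at all; an NTLM fallback never does."""
    kind, mechs = classify_negotiate_token(token_b64)
    return kind == "krb5" or (kind == "spnego" and bool({OID_KRB5, OID_MS_KRB5} & set(mechs)))


# --- DER encoders, used only to build the constructed sample tokens ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def build_spnego_init(mechs):
    """NegTokenInit carrying only a mechTypes list (no optimistic mechToken)."""
    mech_list = der_tlv(0x30, b"".join(der_oid(m) for m in mechs))
    neg_init = der_tlv(0xA0, der_tlv(0x30, der_tlv(0xA0, mech_list)))
    return base64.b64encode(der_tlv(0x60, der_oid(OID_SPNEGO) + neg_init)).decode()


SAMPLE_DOMAIN_CLIENT = build_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])  # constructed
SAMPLE_NTLM_FALLBACK = build_spnego_init([OID_NTLMSSP])                          # constructed
SAMPLE_RAW_NTLM = base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
```

kerberos_offered() counts a Kerberos OID anywhere in mechTypes as an offer; a stricter acceptor may only want to look at the first entry, because that is the mechanism whose optimistic mechToken, if the client included one, rides in the same NegTokenInit.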
From abhishek.brave at gmail.com Wed Aug 20 00:55:14 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Tue, 19 Aug 2008 21:55:14 -0700 (PDT)
Subject: NFS configuration
Message-ID: <19062930.post@talk.nabble.com>

hi,

I want to configure NFS for kerberos. But before setting up for kerberos I want to configure simple NFS.

On the server machine I created the file /etc/exports with the entry

/etc/NFSClient 10.95.77.62(ro)

then verified

rpcinfo -p 10.95.77.57

it shows

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    749  rquotad
    100011    2   udp    749  rquotad
    100005    1   udp    759  mountd
    100005    1   tcp    761  mountd
    100005    2   udp    764  mountd
    100005    2   tcp    766  mountd
    100005    3   udp    769  mountd
    100005    3   tcp    771  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    300019    1   tcp    830  amd
    300019    1   udp    831  amd
    100024    1   udp    944  status
    100024    1   tcp    946  status
    100021    1   udp   1042  nlockmgr
    100021    3   udp   1042  nlockmgr
    100021    4   udp   1042  nlockmgr
    100021    1   tcp   1629  nlockmgr
    100021    3   tcp   1629  nlockmgr
    100021    4   tcp   1629  nlockmgr

Then on the client machine when I am trying to mount using the following command

mount 10.95.77.57:/etc/NFSClient /NFSTest

I am getting "can't access /etc/NFSClient No such file or Directory". Is there any other configuration that needs to be done? I am working on Mac 10.5.

Any pointer will be very helpful.

--
View this message in context: http://www.nabble.com/NFS-configuration-tp19062930p19062930.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From tuomaksen.spammiposti at gmail.com Wed Aug 20 12:32:22 2008
From: tuomaksen.spammiposti at gmail.com (Tuomas)
Date: Wed, 20 Aug 2008 19:32:22 +0300
Subject: spnego
References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com>

Michael B Allen wrote:
> On Sun, Aug 17, 2008 at 3:35 AM, yuval wrote:
>> Hi All
>>
>> I have a web server that requires authentication.
>> It does so by returning 401 www-authenticate: negotiate.
>> IE (FF too) sends a Kerberos ticket to authenticate.
>>
>> When the client (or client machine) is not from the domain, IE pops up for credentials and creates an NTLMSSP blob.
>>
>> Is there any way to continue the negotiation with IE before it pops up the NTLM credential prompt to the user? Maybe by sending some spnego option?
>
> See "Issue 3" in the Plexcel Operators Manual on the Support page of the website in my signature. It outlines all of the reasons for browsers not doing Kerberos (obviously if you are not using Plexcel you will need to ignore any product specific references, but getting browsers to do Kerberos is pretty much the same regardless of what you are using on the server side).
>
> Mike
>

Hi!

I have been struggling with the same problem (with apache & mod_auth_kerb). For me it seems that there really isn't a foolproof way to completely avoid getting NTLMSSP blobs from clients.

I wonder, is there a way to perform the login using NTLMSSP data?

Cheers,
Tuomas

From ssorce at redhat.com Wed Aug 20 16:21:36 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 20 Aug 2008 20:21:36 +0000
Subject: spnego
References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com>
Message-ID: <1219263696.15642.128.camel@localhost.localdomain>

On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
> I have been struggling with the same problem (with apache & mod_auth_kerb). For me it seems that there really isn't a foolproof way to completely avoid getting NTLMSSP blobs from clients.
>
> I wonder, is there a way to perform the login using NTLMSSP data?

You can try with mod-auth-ntlm-winbind:
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet

--
Simo Sorce * Red Hat, Inc * New York

From abhishek.brave at gmail.com Thu Aug 21 02:00:14 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Wed, 20 Aug 2008 23:00:14 -0700 (PDT)
Subject: Configuring client for NFS
Message-ID: <19082820.post@talk.nabble.com>

I want to set up NFS for kerberos authentication. I have created all the required principals and keytabs correctly and made an entry in etc/exports as

/mount 17.224.21.59 -sec=krb5 -ro

Now on the client side after a successful kinit I get the initial krbtgt ticket. After that when I am trying to run the command

mount 17.201.112.127:/mount /home/mount

I am getting permission denied and not getting the ticket for nfs. Is there any step to enable nfs for kerberos at the client side? Any pointer will be very helpful.

--
View this message in context: http://www.nabble.com/Configuring-client-for-NFS-tp19082820p19082820.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From msimovic at concurrent-thinking.com Thu Aug 21 07:27:18 2008
From: msimovic at concurrent-thinking.com (Martin Simovic)
Date: Thu, 21 Aug 2008 12:27:18 +0100
Subject: Configuring client for NFS
In-Reply-To: <7a0e8c200808210408p72fb2094w24152e676ae0bf51@mail.gmail.com>
References: <19082820.post@talk.nabble.com> <1219309502.7753.5.camel@precision.lan.streamline-computing.com> <7a0e8c200808210408p72fb2094w24152e676ae0bf51@mail.gmail.com>
Message-ID: <1219318038.7753.12.camel@precision.lan.streamline-computing.com>

looks like you are forgetting -t nfs4 ?

mount -t nfs4 -o sec=krb5 17.201.112.127:/mount /home/mount

also, what does your /etc/exports look like?
the way NFS4 exports work has been changed dramatically (regardless of whether kerberos is in place or not). my /etc/exports looks like this

# NFS4 exports
/export gss/krb5(ro,fsid=0,no_subtree_check,crossmnt)
/export/home gss/krb5(rw,no_subtree_check)

furthermore mounts need to be something like this

/dev/mapper/data-home /home ext3 defaults,noexec,nosuid,nodev,usrquota,grpquota 0 3
/home /export/home none bind 0 0

Martin.

On Thu, 2008-08-21 at 16:38 +0530, abhishek chowdhury wrote:
> Now I am getting the ticket for the nfs service also after re-creating the principals and keytab, but still I am getting an authentication error after the command
> mount -o sec=krb5 17.201.112.127:/mount /home/mount
>
> and according to the link (https://help.ubuntu.com/community/NFSv4Howto) I need to have only one entry for des, but that is required only if the client is non-MAC; in my case the client is MAC, so I don't think there is any problem with entries for des.
>
> On 8/21/08, Martin Simovic wrote:
> > On Wed, 2008-08-20 at 23:00 -0700, Abhishek Chowdhury wrote:
> > > I want to set up NFS for kerberos authentication.
> > > I have created all the required principals and keytabs correctly and made an entry in etc/exports as
> > > /mount 17.224.21.59 -sec=krb5 -ro
> > >
> > > Now on the client side after a successful kinit I get the initial krbtgt ticket.
> > > After that when I am trying to run the command
> > > mount 17.201.112.127:/mount /home/mount
> > > I am getting permission denied and not getting the ticket for nfs.
> > > Is there any step to enable nfs for kerberos at the client side?
> > > Any pointer will be very helpful.
> > >
> > Might help if I point you to these docs
> > https://help.ubuntu.com/community/NFSv4Howto
> >
> > will work for most recent distributions that do support NFS4
> > the problem where I was getting stuck was the fact that the nfs/host.domain.com at REALM.TLD principal has to be extracted to the keytab with the des encryption only (by default there is des and 3des - won't work)
> >
> > M.
>
> --
> Regards
>
> Abhishek Chowdhury

From abhishek.brave at gmail.com Thu Aug 21 08:23:32 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Thu, 21 Aug 2008 05:23:32 -0700 (PDT)
Subject: Configuring client for NFS
In-Reply-To: <1219318038.7753.12.camel@precision.lan.streamline-computing.com>
References: <19082820.post@talk.nabble.com> <1219318038.7753.12.camel@precision.lan.streamline-computing.com>
Message-ID: <19087623.post@talk.nabble.com>

when I am trying

mount -t nfs4 -o sec=krb5 17.201.112.127:/mount /home/mount

I am getting "/home/mount no such directory". Earlier the error was an authentication error when I was not writing -t nfs4.

my exports look like

/home/mount/ 17.224.114.139 -sec=krb5 -ro

nothing extra than this. what changes do I need to make in the exports?

--
View this message in context: http://www.nabble.com/Configuring-client-for-NFS-tp19082820p19087623.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
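To check an exports file against the two points Martin makes in this thread (an NFSv4 pseudo-root exported with fsid=0 with every other export underneath it, and Kerberos as the only security flavour a client can use), here is a small linter added as an example; it is not code from the thread or from nfs-utils. It parses the Linux exports(5) syntax that Martin's snippet uses (a path followed by client(options) entries, including the older gss/krb5 client form), not the Mac OS X exports syntax in Abhishek's entries, and it does not handle quoted paths containing spaces. Both exports texts in the block are constructed for the demo, the first modelled on Martin's snippet.

```python
"""Lint a Linux /etc/exports for NFSv4 pseudo-root layout and Kerberos-only
security flavours.  Added example; not code from the thread or from nfs-utils.
Both exports texts at the bottom are constructed for the demo."""
import re

# One client entry: name(opt,opt,...) or a bare name.  Quoted paths with
# spaces, which exports(5) allows, are not handled here.
_CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")

KERBEROS_FLAVOURS = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Return [(path, [(client, {option: value})])] for every export line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        clients = []
        for match in _CLIENT_RE.finditer(rest):
            client, opts = match.group(1), match.group(2) or ""
            optmap = {}
            for opt in filter(None, opts.split(",")):
                key, _, value = opt.partition("=")
                optmap[key.strip()] = value.strip()
            clients.append((client, optmap))
        entries.append((path.rstrip("/") or "/", clients))
    return entries


def flavours_for(client, opts):
    """Security flavours one client entry accepts: sec=a:b lists several, the
    legacy gss/<flavour> client form names one, and no sec= at all means sys."""
    flavours = set(opts.get("sec", "").split(":")) - {""}
    if client.startswith("gss/"):
        flavours.add(client.split("/", 1)[1])
    return flavours or {"sys"}


def lint_exports(text):
    """Return a list of findings; an empty list means the file is clean."""
    findings = []
    entries = parse_exports(text)
    roots = [path for path, clients in entries
             if any(opts.get("fsid") == "0" for _, opts in clients)]
    if len(roots) != 1:
        findings.append("expected exactly one fsid=0 (NFSv4 pseudo-root) export, found %d"
                        % len(roots))
    root = roots[0] if roots else None
    for path, clients in entries:
        if root and path != root and not path.startswith(root.rstrip("/") + "/"):
            findings.append("%s is outside the NFSv4 root %s, so v4 clients cannot reach it"
                            % (path, root))
        for client, opts in clients:
            weak = flavours_for(client, opts) - KERBEROS_FLAVOURS
            if weak:
                findings.append("%s %s: allows non-Kerberos flavour(s) %s"
                                % (path, client, ",".join(sorted(weak))))
    return findings


# Constructed sample after the shape of Martin's snippet: one fsid=0 root,
# everything else under it, Kerberos only.
GOOD_EXPORTS = """\
# NFS4 exports
/export       gss/krb5(ro,fsid=0,no_subtree_check,crossmnt)
/export/home  gss/krb5(rw,no_subtree_check)
"""

# Constructed sample with the three mistakes the linter reports.
BAD_EXPORTS = """\
/export       *(ro,fsid=0,no_subtree_check)          # no sec= at all: sys
/export/home  10.0.0.0/24(rw,sec=sys:krb5)           # sys fallback allowed
/srv/data     10.0.0.0/24(rw,sec=krb5p)              # not under the fsid=0 root
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_EXPORTS), ("bad", BAD_EXPORTS)):
        print(name, lint_exports(text) or ["clean"])
```

Run it against a real file with lint_exports(open("/etc/exports").read()); the sys-fallback finding is the one most worth acting on, since a client offered sec=sys:krb5 can mount with no Kerberos at all.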
From msimovic at concurrent-thinking.com Thu Aug 21 08:46:03 2008
From: msimovic at concurrent-thinking.com (Martin Simovic)
Date: Thu, 21 Aug 2008 13:46:03 +0100
Subject: Configuring client for NFS
In-Reply-To: <19087623.post@talk.nabble.com>
References: <19082820.post@talk.nabble.com> <1219318038.7753.12.camel@precision.lan.streamline-computing.com> <19087623.post@talk.nabble.com>
Message-ID: <1219322763.7753.16.camel@precision.lan.streamline-computing.com>

you need to export NFS4 with the fsid=0 option (this becomes your NFS "root")
and export everything else underneath that directory. just read the guide I
sent you carefully, everything is there. don't forget about the options for
the NFS daemon, NEED_IDMAPD, etc...

M.

On Thu, 2008-08-21 at 05:23 -0700, Abhishek Chowdhury wrote:
> > when i am trying mount -t nfs4 -o sec=krb5 17.201.112.127:/mount
> > /home/mount
> > i am getting /home/mount no such directory
> > earlier the error was authentication error when i am not writing -t nfs4
> >
> > my exports look like
> > /home/mount/ 17.224.114.139 -sec=krb5 -ro
> >
> > nothing extra than this.
> > what changes i need to do in the exports
> >

From abhishek.brave at gmail.com Thu Aug 21 09:29:28 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Thu, 21 Aug 2008 06:29:28 -0700 (PDT)
Subject: Configuring client for NFS
In-Reply-To: <1219322763.7753.16.camel@precision.lan.streamline-computing.com>
References: <19082820.post@talk.nabble.com> <1219318038.7753.12.camel@precision.lan.streamline-computing.com> <19087623.post@talk.nabble.com> <1219322763.7753.16.camel@precision.lan.streamline-computing.com>
Message-ID: <19088813.post@talk.nabble.com>

> According to the guide
> https://help.ubuntu.com/community/NFSv4Howto#Create%20and%20distribute%20credentials
> I have to create /etc/default/nfs-kernel-server
> and /etc/default/nfs-common on the server and /etc/default/nfs-common in
> the client.
> But these files are not available on my mac.
> Are the configurations given in the link above for mac?
>
> I followed this link http://docs.info.apple.com/article.html?artnum=306694
> for the configuration of kerberized nfs
>
--
View this message in context: http://www.nabble.com/Configuring-client-for-NFS-tp19082820p19088813.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From msimovic at concurrent-thinking.com Thu Aug 21 09:40:36 2008
From: msimovic at concurrent-thinking.com (Martin Simovic)
Date: Thu, 21 Aug 2008 14:40:36 +0100
Subject: Configuring client for NFS
In-Reply-To: <19088813.post@talk.nabble.com>
References: <19082820.post@talk.nabble.com> <1219318038.7753.12.camel@precision.lan.streamline-computing.com> <19087623.post@talk.nabble.com> <1219322763.7753.16.camel@precision.lan.streamline-computing.com> <19088813.post@talk.nabble.com>
Message-ID: <1219326036.7753.26.camel@precision.lan.streamline-computing.com>

On Thu, 2008-08-21 at 06:29 -0700, Abhishek Chowdhury wrote:
> > According to the guide
> > https://help.ubuntu.com/community/NFSv4Howto#Create%20and%20distribute%20credentials
> > I have to create /etc/default/nfs-kernel-server
> > and /etc/default/nfs-common on the server and /etc/default/nfs-common in
> > the client.
> > But these files are not available on my mac.
> > Are the configurations given in the link above for mac?
> >
> > I followed this link http://docs.info.apple.com/article.html?artnum=306694
> > for the configuration of kerberized nfs
> >

ah,.... thought you are connecting a mac client to a linux NFS server.....
no idea how to set up an NFS server on MAC :(

From pgnet.trash at gmail.com Thu Aug 21 16:55:54 2008
From: pgnet.trash at gmail.com (pgnet trash)
Date: Thu, 21 Aug 2008 13:55:54 -0700
Subject: integrating ldap & krb5 for Apache auth -- which comes first?
Message-ID:

i'm integrating apache + kerberos5 + openldap, with the goal of using kerberos
credentials to authenticate web app access.
krb5 & openldap are both up-n-running standalone, as is apache.

for apache auth, i've read through the OpenLdap & Krb5 SysAdm guides and, iiuc,
i can either

(a) use mod_auth_ldap for auth, with ldap pointed at a krb5 keytab containing
authorized principals' credentials,

or,

(b) use mod_auth_krb5 for auth, with ldap setup as krb5's backend db, e.g.,
dbmodule:db_library = kldap

if, in fact, both are options, which usage is recommended?

From javiplx at gmail.com Fri Aug 22 03:34:11 2008
From: javiplx at gmail.com (Javier Palacios)
Date: Fri, 22 Aug 2008 09:34:11 +0200
Subject: integrating ldap & krb5 for Apache auth -- which comes first?
In-Reply-To:
References:
Message-ID:

> (a) use mod_auth_ldap for auth, with ldap pointed at a krb5 keytab
> containing authorized principals' credentials,
>
> or,
>
> (b) use mod_auth_krb5 for auth, with ldap setup as krb5's backend db, e.g.,
> dbmodule:db_library = kldap

auth_ldap does not give you credential but password authentication, and does
not require a keytab. auth_krb5 allows you password and credential (GSSAPI)
auth. password auth does not strictly require a keytab (you need to disable
the kdcverify option or a similar one).

GSSAPI auth is probably what you want, as it gives secure auth without SSL,
and allows real single sign on. But you need to configure the browsers. For
IE, you must add the site to "Intranet sites" (or something alike), and with
firefox you need to go through about:config, searching for negotiate.

Hope this helps,

JaviP

P.S.: You don't strictly require ldap for this setup. It is at your option to
backend kerberos on LDAP, but if your next step is to use ldap group membership
for authorization, I didn't try that.

From suruchi.86 at gmail.com Mon Aug 25 02:01:57 2008
From: suruchi.86 at gmail.com (Suruchi)
Date: Sun, 24 Aug 2008 23:01:57 -0700 (PDT)
Subject: NFS Error: gssd port not valid
Message-ID: <19138339.post@talk.nabble.com>

hi i am using Mac OS X (leopard)

i have configured kerberized NFS service.
my /etc/exports file contains

/nfstest abcd.com

on client abcd.com when i try to use nfs through:
mount -v -o vers=4.0alpha -o sec=krb5 server:/nfstest /nfstest

i am getting the following error in the system log:

Aug 24 22:46:06 abcd kernel[0]: nfs_gss_clnt_gssd_upcall: gssd port not valid
Aug 24 22:46:06 abcd kernel[0]: nfs4_setclientid failed, 80

why is this problem occurring? is there any way i can change the port no.?

Any pointers plz?
--
View this message in context: http://www.nabble.com/NFS-Error%3A-gssd-port-not-valid-tp19138339p19138339.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From suruchi.86 at gmail.com Mon Aug 25 02:26:24 2008
From: suruchi.86 at gmail.com (Suruchi)
Date: Sun, 24 Aug 2008 23:26:24 -0700 (PDT)
Subject: NFS Error: gssd port not valid
In-Reply-To: <19138339.post@talk.nabble.com>
References: <19138339.post@talk.nabble.com>
Message-ID: <19138522.post@talk.nabble.com>

Suruchi wrote:
>
> hi i am using Mac OS X (leopard)
>
> i have configured kerberized NFS service.
> my /etc/exports file contains
>
> /nfstest abcd.com
>
> on client abcd.com when i try to use nfs through:
> mount -v -o vers=4.0alpha -o sec=krb5 server:/nfstest /nfstest
>
> i am getting the following error in the system log:
>
> Aug 24 22:46:06 abcd kernel[0]: nfs_gss_clnt_gssd_upcall: gssd port not
> valid
> Aug 24 22:46:06 abcd kernel[0]: nfs4_setclientid failed, 80
>
> why is this problem occurring? is there any way i can change the port no.?
>
> Any pointers plz?
>

i forgot to write the complete exports file contents. these are:

/nfstest abcd.com -sec=krb5 -ro
--
View this message in context: http://www.nabble.com/NFS-Error%3A-gssd-port-not-valid-tp19138339p19138522.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From dsycho at gmail.com Fri Aug 22 20:15:32 2008
From: dsycho at gmail.com (Danny Cho)
Date: Fri, 22 Aug 2008 20:15:32 -0400
Subject: Java GSSAPI Kerberos question
Message-ID:

I am hoping that someone here can help me.
I have a problem with Java GSSAPI that I don't know how to solve. I have
written a test Java server which acts as a Kerberos service that uses GSSAPI
to authenticate users connecting to the service. Here is my gss.conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        isInitiator=false
        storeKey=true
        keyTab="/home/danny/temp/GSSKerberosServer/kserver.keytab"
        doNotPrompt=true
        useKeyTab=true
        principal="kserver/danny.com"
        debug=true;
};

Everything works fine. But then I tried making the server reload the keytab
at runtime by manually (physically) overwriting the keytab file, but noticed
that the new file doesn't get read (it still uses the old key) when a new
GSSCredential is created. Can someone please tell me how to tell GSSAPI to
re-read the keytab?

I can post my test server code if anyone wants to see it.

From melissa.collins at vordel.com Mon Aug 25 07:44:15 2008
From: melissa.collins at vordel.com (Melissa Collins)
Date: Mon, 25 Aug 2008 12:44:15 +0100
Subject: Java GSSAPI Kerberos question
In-Reply-To:
Message-ID: <000c01c906a7$e6fa7ad0$2300a8c0@vordel.com>

Try adding...

refreshKrb5Config = true

to the props you have below

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Danny Cho
Sent: 23 August 2008 01:16
To: kerberos at mit.edu
Subject: Java GSSAPI Kerberos question

I am hoping that someone here can help me. I have a problem with Java GSSAPI
that I don't know how to solve. I have written a test Java server which acts
as a Kerberos service that uses GSSAPI to authenticate users connecting to the
service. Here is my gss.conf:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        isInitiator=false
        storeKey=true
        keyTab="/home/danny/temp/GSSKerberosServer/kserver.keytab"
        doNotPrompt=true
        useKeyTab=true
        principal="kserver/danny.com"
        debug=true;
};

Everything works fine. But then I tried making the server reload the keytab
at runtime by manually (physically) overwriting the keytab file, but noticed
that the new file doesn't get read (it still uses the old key) when a new
GSSCredential is created. Can someone please tell me how to tell GSSAPI to
re-read the keytab?

I can post my test server code if anyone wants to see it.
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From dsycho at gmail.com Mon Aug 25 12:02:40 2008
From: dsycho at gmail.com (Danny Cho)
Date: Mon, 25 Aug 2008 12:02:40 -0400
Subject: Java GSSAPI Kerberos question
In-Reply-To: <000c01c906a7$e6fa7ad0$2300a8c0@vordel.com>
References: <000c01c906a7$e6fa7ad0$2300a8c0@vordel.com>
Message-ID:

Great, it works, Thx.

On Mon, Aug 25, 2008 at 7:44 AM, Melissa Collins wrote:
> Try adding...
>
> refreshKrb5Config = true
>
> to the props you have below
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Danny Cho
> Sent: 23 August 2008 01:16
> To: kerberos at mit.edu
> Subject: Java GSSAPI Kerberos question
>
>
> I am hoping that someone here can help me. I have a problem with Java
> GSSAPI that I don't know how to solve. I have written a test Java
> server which acts as a Kerberos service that uses GSSAPI to authenticate
> users connecting to the service. Here is my gss.conf:
> com.sun.security.jgss.accept {
> com.sun.security.auth.module.Krb5LoginModule
> required
> isInitiator=false
> storeKey=true keyTab="/home/danny/temp/GSSKerberosServer/kserver.keytab"
> doNotPrompt=true
> useKeyTab=true
> principal="kserver/danny.com"
> debug=true;
> };
>
> Everything works fine. But then I tried making the server reload
> the keytab at runtime by manually (physically) overwriting the keytab file but
> noticed that the new file doesn't get read (it still uses the old key)
> when a new GSSCredential is created. Can someone please tell me how to
> tell GSSAPI to re-read the keytab? I can post my test server code if
> anyone wants to see it.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

From rok.papez at arnes.si Tue Aug 26 03:30:33 2008
From: rok.papez at arnes.si (Rok Papež)
Date: Tue, 26 Aug 2008 09:30:33 +0200
Subject: S4U extensions in MIT Kerberos?
Message-ID: <200808260930.33771.rok.papez@arnes.si>

Hello dear Kerberos gurus!

For some project I need to use S4U extensions in Kerberos. We've already
implemented this using the Heimdal API, however the target platform is
unfortunately CentOS/RHEL which uses MIT Kerberos.

Does the MIT Kerberos API support S4U extensions? I need to implement both
S4U2Self and S4U2proxy. If yes, is there any documentation/examples on how to
use those in the MIT Kerberos API?

Reference for S4U: http://msdn.microsoft.com/en-us/magazine/cc188757.aspx

I already tried googling for MIT Kerberos and S4U, however I always find just
the Microsoft pages :(. Grepping through the MIT sources also didn't help me
much -- but then again I wasn't sure what to look for ;).

--
Best regards,
Rok Papež.

From ricurtis at gmail.com Tue Aug 26 14:35:55 2008
From: ricurtis at gmail.com (Richard Curtis)
Date: Tue, 26 Aug 2008 19:35:55 +0100
Subject: pamkrbval: KDC policy rejects request for this entry
Message-ID: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>

Hi,
I am trying to get an HPUX 11i box to authenticate against our
active directory (Windows 2003r2) domain with kerberos but I am
getting nowhere fast.

As per the docs I have, I have created a user account in active
directory, then used "ktpass -princ
host/unix_client.domain.host.com at DOMAIN.HOST.COM -mapuser unix_lient
-pass -out c:\krb5.keytab"
The keytab looks fine when I used ktutil, but I cannot do a kinit...
I keep getting "KDC policy rejects request for this entry"

I am guessing this is more of a Windows/AD config issue, but thought
someone here might have seen this?

cat /etc/krb5.conf
[libdefaults]
        default_realm = DOMAIN.HOST.COM
        default_tgs_enctypes = DES-CBC-CRC
        default_tkt_enctypes = DES-CBC-CRC
        ccache_type = 2
        ticket_liftetime = 24000
        #dns_lookup_kdc = true

[realms]
        DOMAIN.HOST.COM = {
                kdc = 2003_dc.domain.host.com
                kpasswd_server = 2003_dc.domain.host.com:464
        }

[domain_realm]
        domain.host.com = DOMAIN.HOST.COM
        .domain.host.com = DOMAIN.HOST.COM

[logging]
        default = FILE:/var/adm/krb5lib.log
        kdc = FILE:/var/adm/krb5kdc.log
        admin_server = FILE:/var/adm/kKDCmind.log

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

unix_client:/var/adm/syslog >pamkrbval -v

Validating the pam configuration files
---------- --- --- ------------- -----

Validating the /etc/pam.conf file
[LOG] : The /etc/pam.conf files permissions are fine
[LOG] : Opened : /etc/pam.conf

[PASS] : The validation of config file: /etc/pam.conf passed

[NOTICE] : The validation of config file: /etc/pam_user.conf is not done
as libpam_updbe library is not configured

Validating the kerberos config file
---------- --- -------- ------ -----
[PASS] : Initialization of kerberos passed

Connecting to default Realm
---------- -- ------- -----
[LOG] : The default realm is : DOMAIN.HOST.COM
[LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
[LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
[LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
[PASS] : Default Realm is issuing tickets

Validating the keytab entry for the host service principal
---------- --- ------ ----- --- --- ---- ------- ---------
[LOG] : Host unix_client, aka unix_client.domain.host.com.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
Keytab entry
        Principal: host
        Host : unix_client.domain.host.com
        Realm : DOMAIN.HOST.COM
        Version : 23
[LOG] : Pinging KDC to verify whether host/unix_client.domain.host.com at DOMAIN.HOST.COM exists
pamkrbval: KDC policy rejects request for this entry
[WARNING] : The keytab entry for the host service principal host/unix_client.domain.host.com at DOMAIN.HOST.COM is invalid
[FAIL] : The keytab validation failed

Validating the rc_host file for ownership
-------- ------ ---- -------- ------ -----
[LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
[PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful

unix_client:/var/adm/syslog >ktutil -i
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1   23 host/unix_client.domain at DOMAIN.HOST.COM
ktutil:
ktutil: unix_client:/var/adm/syslog >

unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab host/unix_client.domain.host.com
kinit(v5): KDC policy rejects request while getting initial credentials

Thanks in advance for any help

Regards

Richard

From huaraz at moeller.plus.com Tue Aug 26 15:00:43 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Tue, 26 Aug 2008 20:00:43 +0100
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID:

Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration,
assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
MIT 1.1.1?). If not you need to set the AD entry for unix_client to be DES
only. Secondly, did you change the password of the unix_client user? If not,
please try to change the password once and re-extract the keytab.

Markus

"Richard Curtis" wrote in message
news:5745a7060808261135s26134f5bg495452c33920af1f at mail.gmail.com...
> Hi,
> I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
>
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.domain.host.com at DOMAIN.HOST.COM -mapuser unix_lient
> -pass -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"
>
> I am guessing this is more of a Windows/AD config issue, but thought
> someone here might have seen this?
>
> cat /etc/krb5.conf
> [libdefaults]
>         default_realm = DOMAIN.HOST.COM
>         default_tgs_enctypes = DES-CBC-CRC
>         default_tkt_enctypes = DES-CBC-CRC
>         ccache_type = 2
>         ticket_liftetime = 24000
>         #dns_lookup_kdc = true
>
> [realms]
>         DOMAIN.HOST.COM = {
>                 kdc = 2003_dc.domain.host.com
>                 kpasswd_server = 2003_dc.domain.host.com:464
>         }
>
> [domain_realm]
>         domain.host.com = DOMAIN.HOST.COM
>         .domain.host.com = DOMAIN.HOST.COM
>
> [logging]
>         default = FILE:/var/adm/krb5lib.log
>         kdc = FILE:/var/adm/krb5kdc.log
>         admin_server = FILE:/var/adm/kKDCmind.log
>
> [appdefaults]
>         pam = {
>                 debug = false
>                 ticket_lifetime = 36000
>                 renew_lifetime = 36000
>                 forwardable = true
>                 krb4_convert = false
>         }
>
> unix_client:/var/adm/syslog >pamkrbval -v
>
> Validating the pam configuration files
> ---------- --- --- ------------- -----
>
> Validating the /etc/pam.conf file
> [LOG] : The /etc/pam.conf files permissions are fine
> [LOG] : Opened : /etc/pam.conf
>
> [PASS] : The validation of config file: /etc/pam.conf passed
>
> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
> as libpam_updbe library is not configured
>
> Validating the kerberos config file
> ---------- --- -------- ------ -----
> [PASS] : Initialization of kerberos passed
>
> Connecting to default Realm
> ---------- -- ------- -----
> [LOG] : The default realm is : DOMAIN.HOST.COM
> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
> [PASS] : Default Realm is issuing tickets
>
> Validating the keytab entry for the host service principal
> ---------- --- ------ ----- --- --- ---- ------- ---------
> [LOG] : Host unix_client, aka unix_client.domain.host.com.
> [LOG] : The default keytab name is : /etc/krb5.keytab
> [LOG] : Keytab file /etc/krb5.keytab is present
> [LOG] : Permissions on /etc/krb5.keytab are correct.
> Keytab entry
>         Principal: host
>         Host : unix_client.domain.host.com
>         Realm : DOMAIN.HOST.COM
>         Version : 23
> [LOG] : Pinging KDC to verify whether
> host/unix_client.domain.host.com at DOMAIN.HOST.COM exists
> pamkrbval: KDC policy rejects request for this entry
> [WARNING] : The keytab entry for the host service principal
> host/unix_client.domain.host.com at DOMAIN.HOST.COM is invalid
> [FAIL] : The keytab validation failed
>
> Validating the rc_host file for ownership
> -------- ------ ---- -------- ------ -----
> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
>
> unix_client:/var/adm/syslog >ktutil -i
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1   23 host/unix_client.domain at DOMAIN.HOST.COM
> ktutil:
> ktutil: unix_client:/var/adm/syslog >
>
> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
> host/unix_client.domain.host.com
> kinit(v5): KDC policy rejects request while getting initial credentials
>
> Thanks in advance for any help
>
> Regards
>
> Richard
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From deengert at anl.gov Tue Aug 26 15:17:31 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 26 Aug 2008 14:17:31 -0500
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID: <48B456CB.9070408@anl.gov>

Richard Curtis wrote:
> Hi,
> I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
>
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.domain.host.com at DOMAIN.HOST.COM -mapuser unix_lient
> -pass -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"
>
> I am guessing this is more of a Windows/AD config issue, but thought
> someone here might have seen this?

Your krb5.conf is saying use DES-CBC-CRC

You did not specify -DesOnly on the ktpass, so I bet the krb5.keytab
has a RC4-HMAC-NT type key.

If the HP can use RC4, try without the default_*_enctypes

Do you really need the ccache_type = 2 also?

The kvno is 23, so you must have been trying this for a while.
Did the keytabs get out of sync?

>
> cat /etc/krb5.conf
> [libdefaults]
>         default_realm = DOMAIN.HOST.COM
>         default_tgs_enctypes = DES-CBC-CRC
>         default_tkt_enctypes = DES-CBC-CRC
>         ccache_type = 2
>         ticket_liftetime = 24000
>         #dns_lookup_kdc = true
>
> [realms]
>         DOMAIN.HOST.COM = {
>                 kdc = 2003_dc.domain.host.com
>                 kpasswd_server = 2003_dc.domain.host.com:464
>         }
>
> [domain_realm]
>         domain.host.com = DOMAIN.HOST.COM
>         .domain.host.com = DOMAIN.HOST.COM
>
> [logging]
>         default = FILE:/var/adm/krb5lib.log
>         kdc = FILE:/var/adm/krb5kdc.log
>         admin_server = FILE:/var/adm/kKDCmind.log
>
> [appdefaults]
>         pam = {
>                 debug = false
>                 ticket_lifetime = 36000
>                 renew_lifetime = 36000
>                 forwardable = true
>                 krb4_convert = false
>         }
>
> unix_client:/var/adm/syslog >pamkrbval -v
>
> Validating the pam configuration files
> ---------- --- --- ------------- -----
>
> Validating the /etc/pam.conf file
> [LOG] : The /etc/pam.conf files permissions are fine
> [LOG] : Opened : /etc/pam.conf
>
> [PASS] : The validation of config file: /etc/pam.conf passed
>
> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
> as libpam_updbe library is not configured
>
> Validating the kerberos config file
> ---------- --- -------- ------ -----
> [PASS] : Initialization of kerberos passed
>
> Connecting to default Realm
> ---------- -- ------- -----
> [LOG] : The default realm is : DOMAIN.HOST.COM
> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
> [PASS] : Default Realm is issuing tickets
>
> Validating the keytab entry for the host service principal
> ---------- --- ------ ----- --- --- ---- ------- ---------
> [LOG] : Host unix_client, aka unix_client.domain.host.com.
> [LOG] : The default keytab name is : /etc/krb5.keytab
> [LOG] : Keytab file /etc/krb5.keytab is present
> [LOG] : Permissions on /etc/krb5.keytab are correct.
> Keytab entry
>         Principal: host
>         Host : unix_client.domain.host.com
>         Realm : DOMAIN.HOST.COM
>         Version : 23
> [LOG] : Pinging KDC to verify whether
> host/unix_client.domain.host.com at DOMAIN.HOST.COM exists
> pamkrbval: KDC policy rejects request for this entry
> [WARNING] : The keytab entry for the host service principal
> host/unix_client.domain.host.com at DOMAIN.HOST.COM is invalid
> [FAIL] : The keytab validation failed
>
> Validating the rc_host file for ownership
> -------- ------ ---- -------- ------ -----
> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
>
> unix_client:/var/adm/syslog >ktutil -i
> ktutil: rkt /etc/krb5.keytab
> ktutil: list
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1   23 host/unix_client.domain at DOMAIN.HOST.COM
> ktutil:
> ktutil: unix_client:/var/adm/syslog >
>
> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
> host/unix_client.domain.host.com
> kinit(v5): KDC policy rejects request while getting initial credentials
>
> Thanks in advance for any help
>
> Regards
>
> Richard
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From ricurtis at gmail.com Tue Aug 26 15:32:28 2008
From: ricurtis at gmail.com (Richard Curtis)
Date: Tue, 26 Aug 2008 20:32:28 +0100
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To:
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID: <5745a7060808261232q4f47206ai4fab1dc1211bc6b9@mail.gmail.com>

According to the HP release notes (I have Kerberos Client C.1.3.5.05):
The client libraries are based on MIT Kerberos V5 1.3.5 release.
The KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
RFC 1510 of the IETF. This release of Kerberos Client is interoperable with
Microsoft Windows 2000 and 2003.

I will try tomorrow when I am back in the office by setting the
default_*_enctypes to RC4-HMAC... the strange thing is, the HP configuration
guide I am following has a sample krb5.conf and only mentions DES...
http://docs.hp.com/en/J4269-90076/index.html - there is no mention of RC4 in
the whole document. I will try removing default_*_enctypes altogether as
well, and failing that, will have a go with DES encryption only..

If this turns out to be the solution, I will be over the moon... this has
been dragging on for some time :)

I will post back tomorrow with my results.. thanks for the replies so far guys.

Regards

Richard

On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller wrote:
> Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration,
> assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
> MIT 1.1.1?). If not you need to set the AD entry for unix_client to be DES
> only. Secondly, did you change the password of the unix_client user? If not,
> please try to change the password once and re-extract the keytab.
>
> Markus
>
> "Richard Curtis" wrote in message
> news:5745a7060808261135s26134f5bg495452c33920af1f at mail.gmail.com...
>> Hi,
>> I am trying to get an HPUX 11i box to authenticate against our
>> active directory (Windows 2003r2) domain with kerberos but I am
>> getting nowhere fast.
>>
>> As per the docs I have, I have created a user account in active
>> directory, then used "ktpass -princ
>> host/unix_client.domain.host.com at DOMAIN.HOST.COM -mapuser unix_lient
>> -pass -out c:\krb5.keytab"
>> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
>> keep getting "KDC policy rejects request for this entry"
>>
>> I am guessing this is more of a Windows/AD config issue, but thought
>> someone here might have seen this?
>>
>> cat /etc/krb5.conf
>> [libdefaults]
>>         default_realm = DOMAIN.HOST.COM
>>         default_tgs_enctypes = DES-CBC-CRC
>>         default_tkt_enctypes = DES-CBC-CRC
>>         ccache_type = 2
>>         ticket_liftetime = 24000
>>         #dns_lookup_kdc = true
>>
>> [realms]
>>         DOMAIN.HOST.COM = {
>>                 kdc = 2003_dc.domain.host.com
>>                 kpasswd_server = 2003_dc.domain.host.com:464
>>         }
>>
>> [domain_realm]
>>         domain.host.com = DOMAIN.HOST.COM
>>         .domain.host.com = DOMAIN.HOST.COM
>>
>> [logging]
>>         default = FILE:/var/adm/krb5lib.log
>>         kdc = FILE:/var/adm/krb5kdc.log
>>         admin_server = FILE:/var/adm/kKDCmind.log
>>
>> [appdefaults]
>>         pam = {
>>                 debug = false
>>                 ticket_lifetime = 36000
>>                 renew_lifetime = 36000
>>                 forwardable = true
>>                 krb4_convert = false
>>         }
>>
>> unix_client:/var/adm/syslog >pamkrbval -v
>>
>> Validating the pam configuration files
>> ---------- --- --- ------------- -----
>>
>> Validating the /etc/pam.conf file
>> [LOG] : The /etc/pam.conf files permissions are fine
>> [LOG] : Opened : /etc/pam.conf
>>
>> [PASS] : The validation of config file: /etc/pam.conf passed
>>
>> [NOTICE] : The validation of config file: /etc/pam_user.conf is not done
>> as libpam_updbe library is not configured
>>
>> Validating the kerberos config file
>> ---------- --- -------- ------ -----
>> [PASS] : Initialization of kerberos passed
>>
>> Connecting to default Realm
>> ---------- -- ------- -----
>> [LOG] : The default realm is : DOMAIN.HOST.COM
>> [LOG] : KDC hosts for realm DOMAIN.HOST.COM :2003_dc.domain.host.com
>> [LOG] : Trying to contact KDC for realm DOMAIN.HOST.COM...
>> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests
>> [PASS] : Default Realm is issuing tickets
>>
>> Validating the keytab entry for the host service principal
>> ---------- --- ------ ----- --- --- ---- ------- ---------
>> [LOG] : Host unix_client, aka unix_client.domain.host.com.
>> [LOG] : The default keytab name is : /etc/krb5.keytab
>> [LOG] : Keytab file /etc/krb5.keytab is present
>> [LOG] : Permissions on /etc/krb5.keytab are correct.
>> Keytab entry
>>         Principal: host
>>         Host : unix_client.domain.host.com
>>         Realm : DOMAIN.HOST.COM
>>         Version : 23
>> [LOG] : Pinging KDC to verify whether
>> host/unix_client.domain.host.com at DOMAIN.HOST.COM exists
>> pamkrbval: KDC policy rejects request for this entry
>> [WARNING] : The keytab entry for the host service principal
>> host/unix_client.domain.host.com at DOMAIN.HOST.COM is invalid
>> [FAIL] : The keytab validation failed
>>
>> Validating the rc_host file for ownership
>> -------- ------ ---- -------- ------ -----
>> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system
>> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful
>>
>> unix_client:/var/adm/syslog >ktutil -i
>> ktutil: rkt /etc/krb5.keytab
>> ktutil: list
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>>    1   23 host/unix_client.domain at DOMAIN.HOST.COM
>> ktutil:
>> ktutil: unix_client:/var/adm/syslog >
>>
>> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab
>> host/unix_client.domain.host.com
>> kinit(v5): KDC policy rejects request while getting initial credentials
>>
>> Thanks in advance for any help
>>
>> Regards
>>
>> Richard
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From neelsmail at rediffmail.com Wed Aug 27 04:53:46 2008
From: neelsmail at rediffmail.com (neelsmail@rediffmail.com)
Date: Wed, 27 Aug 2008 01:53:46 -0700 (PDT)
Subject: Using GSSAPI to Authenticate to AD
Message-ID: <24ceb2f4-891a-45f0-9f4b-27f338938512@1g2000pre.googlegroups.com>

Hi,

I want to
authenticate an Active Directory User using GSSAPI. The code would be in C++. To be specific here is the scenario: 1] End user adopts/creates one or more Active Directory users using any of the AD integration packages on Linux. 2] In my executable, which would be always running as root, I find out that I need to use AD user and authenticate using GSSAPI 3] I cannot impersonate as the user because that would change user context of whole process. 4] Therefore, I need to somehow find out whether there is already a ticket for that user available (Win32 SDK: AcquireCredentialsHandle, GSSAPI: GSSAPI::Name->import?) 5] If not, process would obtain one. 6] Get the ticket and initialize the security context (Win32SDK: InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?) 7] Get the token and send it for authentication If the process is running in the user context which needs to be authenticated, it's easier and I have perl implemenation of it. But in this case, since process will always be running as root, I don't know if there is a way I can know/get ticket for authentication. Is there a sample/example that can, at least in parts if not completely, illustrate how this can be done using C/C++ somewhere? I found one link on MSDN but don't know whether that's the entire flow/ applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx Any comments would be welcome. Thanks in advance, -Neel. From neelsmail at rediffmail.com Wed Aug 27 09:30:13 2008 From: neelsmail at rediffmail.com (neelsmail@rediffmail.com) Date: Wed, 27 Aug 2008 06:30:13 -0700 (PDT) Subject: Using GSSAPI to Authenticate to AD References: <24ceb2f4-891a-45f0-9f4b-27f338938512@1g2000pre.googlegroups.com> Message-ID: <3da9a2b7-aa41-40be-a42c-82cc430caeee@k36g2000pri.googlegroups.com> On Aug 27, 1:53?pm, neelsm... at rediffmail.com wrote: > Hi, > > I want to authenticate an Active Directory User using GSSAPI. The code > would be in C++. 
To be specific here is the scenario: > > 1] End user adopts/creates one or more Active Directory users using > any of the AD integration packages on Linux. > 2] In my executable, which would be always running as root, I find out > that I need to use AD user and authenticate using GSSAPI > 3] I cannot impersonate as the user because that would change user > context of whole process. > 4] Therefore, I need to somehow find out whether there is already a > ticket for that user available (Win32 SDK: AcquireCredentialsHandle, > GSSAPI: GSSAPI::Name->import?) > 5] If not, process would obtain one. > 6] Get the ticket and initialize the security context (Win32SDK: > InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?) > 7] Get the token and send it for authentication > > If the process is running in the user context which needs to be > authenticated, it's easier and I have perl implemenation of it. But in > this case, since process will always be running as root, I don't know > if there is a way I can know/get ticket for authentication. > > Is there a sample/example that can, at least in parts if not > completely, illustrate how this can be done using C/C++ somewhere? > > I found one link on MSDN but don't know whether that's the entire flow/ > applicable:http://msdn.microsoft.com/en-us/library/ms995352.aspx > > Any comments would be welcome. > > Thanks in advance, > -Neel. After searching for the answer, I believe the question above can be shortened to: How can I acquire handle to credentials of a different user than the one process running as, without impersonating that user? 
I found this post: http://groups.google.co.in/group/comp.protocols.kerberos/browse_thread/thread/2c9a3e5f2d38ef86/5c09a9d4ee799b04?hl=en&lnk=st&q=gss_init_sec_context+%22KRB5CCNAME%22#5c09a9d4ee799b04 It mentions about setting KRB5CCNAME before calling gss_acquire_cred which may be simple but that raises couple of questions: - If I running a multi threaded application each thread needing to set KRB5CCNAME so that it can call gss_acquire_cred, it will affect the application. Is there a way to let gss_acquire_cred/ gss_init_sec_context know which credential cache to use without blocking the whole app? - Even though I can specify which credential cache file name to use from within my app, any external "kinit" calls will still create different files. Is there an api where I can specify what user I need to get ticket of if already created? Again, any comments will be welcome. Thanks, -Neel. From ricurtis at gmail.com Wed Aug 27 04:59:38 2008 From: ricurtis at gmail.com (ricurtis@gmail.com) Date: Wed, 27 Aug 2008 01:59:38 -0700 (PDT) Subject: pamkrbval: KDC policy rejects request for this entry References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com> Message-ID: I have tried everyones suggestions, but no joy - although I think I can narrow down the problem somewhat... After changing the default_t*_enctypes to be "RC4-HMAC" (and also removing the lines altogether), I still get the same error... In the Windows security log on the domain controller, I have a Failure Audit with a result code from the request of 0xC which from some searching at Microsoft suggests: Requested start time is later than end time or Workstation login restrictions.. From a packet capture using Wireshark, the AS-REQ packet there is an entry "till: 1970-01-01 00:00:00 (UTC)" It looks as though the requested lifetime of the packet here is in the past... Any suggestions around that? 
Regards

Richard

On 26 Aug, 20:32, "Richard Curtis" wrote:
> According to the HP release notes (I have Kerberos Client C.1.3.5.05):
>
> The client libraries are based on MIT Kerberos V5 1.3.5 release. The
> KRB5-Client libraries support DES, 3DES, RC4, and AES, as specified in
> RFC 1510 of the IETF. This release of Kerberos Client is interoperable
> with Microsoft Windows 2000 and 2003.
>
> I will try tomorrow when I am back in the office by setting the
> default_*_enctypes to RC4-HMAC... the strange thing is, the HP
> configuration guide I am following has a sample krb5.conf and only
> mentions DES... http://docs.hp.com/en/J4269-90076/index.html - there
> is no mention of RC4 in the whole document.
> I will try removing default_*_enctypes altogether as well, and failing
> that, will have a go with DES encryption only..
>
> If this turns out to be the solution, I will be over the moon... this
> has been dragging on for some time :)
>
> I will post back tomorrow with my results.. thanks for the replies so far guys.
>
> Regards
>
> Richard
>
> On Tue, Aug 26, 2008 at 8:00 PM, Markus Moeller wrote:
> > Two comments. Firstly use RC4 (e.g. RC4-HMAC) not DES in your configuration
> > assuming you have a MIT Kerberos version > 1.3 (is HPUX 11i still based on
> > MIT 1.1.1 ?). If not you need to set the AD entry for unix_client to be DES
> > only. Secondly did you change the password of the unix_client user ? If not
> > please try to change the password once and re-extract the keytab.
> >
> > Markus
> >
> > "Richard Curtis" wrote in message
> > news:5745a7060808261135s26134f5bg495452c33920af1f at mail.gmail.com...
> >> Hi,
> >> I am trying to get an HPUX 11i box to authenticate against our
> >> active directory (Windows 2003r2) domain with kerberos but I am
> >> getting nowhere fast.
> >>
> >> As per the docs I have, I have created a user account in active
> >> directory, then used "ktpass -princ
> >> host/unix_client.domain.host.... at DOMAIN.HOST.COM -mapuser unix_lient
> >> -pass -out c:\krb5.keytab"
> >> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> >> keep getting "KDC policy rejects request for this entry"
> >>
> >> I am guessing this is more of a Windows/AD config issue, but thought
> >> someone here might have seen this?
> >>
> >> [...]
> >>
> >> Thanks in advance for any help
> >>
> >> Regards
> >>
> >> Richard

From ioplex at gmail.com Wed Aug 27 12:39:55 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 27 Aug 2008 12:39:55 -0400
Subject: Using GSSAPI to Authenticate to AD
In-Reply-To: <24ceb2f4-891a-45f0-9f4b-27f338938512@1g2000pre.googlegroups.com>
References: <24ceb2f4-891a-45f0-9f4b-27f338938512@1g2000pre.googlegroups.com>
Message-ID: <78c6bd860808270939i518d5e6dideeec831cfa8b1c3@mail.gmail.com>

On Wed, Aug 27, 2008 at 4:53 AM, wrote:
> Hi,
>
> I want to authenticate an Active Directory User using GSSAPI. The code
> would be in C++. To be specific here is the scenario:
>
> 1] End user adopts/creates one or more Active Directory users using
> any of the AD integration packages on Linux.
> [...]
> Any comments would be welcome.

GSSAPI just handles authentication. That's not terribly difficult to do in C++, but it's not clear how you get from GSSAPI authentication to creating users "using any of the AD integration packages on Linux". There are a lot of details to creating an application like that on Linux. It's a lot harder than it looks.

Incidentally there is a product called Plexcel that has worked out all of these details (see the link in my signature - it's also free for up to 25 users). With the Plexcel PHP extension you can easily create a web page that will authenticate someone using SPNEGO (or explicit Kerberos login) and then use the delegated credential to create users, change passwords, etc [1]. Or you can do it from the command line. In fact I have a very nice little Plexcel command-line script for creating users that I wrote for someone else that I would be happy to give you. If you want a copy, or if you have any questions about Plexcel, feel free to contact me directly through IOPLEX Software support.

Mike

[1] To give you an idea of what the code would look like, look at the example on this page:
http://www.ioplex.com/api/plexcel_add_object.html

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From huaraz at moeller.plus.com Wed Aug 27 14:30:32 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Wed, 27 Aug 2008 19:30:32 +0100
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To:
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID:

Can you check that AD and your HP system are time synchronised? Can you do a kinit unix_client with the correct password?
Do you have the kvno binary on the HP platform? If so can you do a kvno host/unix_client.domain.host.com and compare the number with the one in the keytab?

Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture)?

Regards
Markus

wrote in message news:fb4cbb61-7eef-419a-a7ba-61c2bb3ce668 at 56g2000hsm.googlegroups.com...
I have tried everyone's suggestions, but no joy - although I think I can narrow down the problem somewhat...
[...]

From deengert at anl.gov Wed Aug 27 15:30:36 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 27 Aug 2008 14:30:36 -0500
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To:
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID: <48B5AB5C.6060707@anl.gov>

Markus Moeller wrote:
> Can you check that AD and your HP system are time synchronised ? Can you do
> a kinit unix_client with the correct password ? Do you have the kvno binary
> on the HP platform ? If so can you do a kvno
> host/unix_client.domain.host.com and compare the number with the one in the
> keytab ?
>
> Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?

This could also be something to do with the use of the 197001010000Z in the till field of the AS_REQ. This was not in RFC 1510, but is in 4120. It looks like the HP is adding this. AD 2003 may not accept it. I don't have any client test code to see if this is an AD problem.

> [...]
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From ricurtis at gmail.com Wed Aug 27 15:35:11 2008
From: ricurtis at gmail.com (Richard Curtis)
Date: Wed, 27 Aug 2008 20:35:11 +0100
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To:
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID: <5745a7060808271235u37034d19jf286f934b3888b33@mail.gmail.com>

I can get and provide the AS_REQ and AS_REP details tomorrow...

I have removed all the lifetime entries and tried with having enctypes of just RC4-HMAC, and also having RC4-HMAC, DES-CBC-CRC.

One thing about the time differences.. the HPUX host is on GMT, but the AD host is on BST... so the clocks are both 1 hour apart (exactly 1 hour).. Unfortunately the UNIX hosts have to remain on GMT year round. I assume the actual timezone shift is not an issue here?

kinit unix_client prompts for the password then returns with "KDC policy rejects request while getting initial credentials"

On Wed, Aug 27, 2008 at 7:30 PM, Markus Moeller wrote:
> Can you check that AD and your HP system are time synchronised ? Can you do
> a kinit unix_client with the correct password ? Do you have the kvno binary
> on the HP platform ? If so can you do a kvno
> host/unix_client.domain.host.com and compare the number with the one in the
> keytab ?
>
> Do you have the AS_REQ and AS_REP details (e.g. a wireshark capture) ?
>
> [...]
>> >> [LOG] : Realm DOMAIN.HOST.COM is answering ticket requests >> >> [PASS] : Default Realm is issuing tickets >> >> >> Validating the keytab entry for the host service principal >> >> ---------- --- ------ ----- --- --- ---- ------- --------- >> >> [LOG] : Host unix_client, aka unix_client.domain.host.com. >> >> [LOG] : The default keytab name is : /etc/krb5.keytab >> >> [LOG] : Keytab file /etc/krb5.keytab is present >> >> [LOG] : Permissions on /etc/krb5.keytab are correct. >> >> Keytab entry >> >> Principal: host >> >> Host : unix_client.domain.host.com >> >> Realm : DOMAIN.HOST.COM >> >> Version : 23 >> >> [LOG] : Pinging KDC to verify whether >> >> host/unix_client.domain.host.... at DOMAIN.HOST.COM exists >> >> pamkrbval: KDC policy rejects request for this entry >> >> [WARNING] : The keytab entry for the host service principal >> >> host/unix_client.domain.host.... at DOMAIN.HOST.COM is invalid >> >> [FAIL] : The keytab validation failed >> >> >> Validating the rc_host file for ownership >> >> -------- ------ ---- -------- ------ ----- >> >> [LOG] : rc_host file /usr/tmp/rc_host_0 is not present on the system >> >> [PASS] :The Validation of rc_host file:/usr/tmp/rc_host_0 is successful >> >> >> unix_client:/var/adm/syslog >ktutil -i >> >> ktutil: rkt /etc/krb5.keytab >> >> ktutil: list >> >> slot KVNO Principal >> >> ---- ---- --------------------------------------------------------------------- >> >> 1 23 host/unix_client.dom... at DOMAIN.HOST.COM >> >> ktutil: >> >> ktutil: unix_client:/var/adm/syslog > >> >> >> unix_client:/var/adm/syslog >kinit -kt /etc/krb5.keytab >> >> host/unix_client.domain.host.com >> >> kinit(v5): KDC policy rejects request while getting initial credentials >> >> >> Thanks in advance for any help >> >> >> Regards >> >> >> Richard >> >> ________________________________________________ >> >> Kerberos mailing list Kerbe... 
at mit.edu
>> >> https://mailman.mit.edu/mailman/listinfo/kerberos

From tlyu at MIT.EDU Wed Aug 27 15:49:10 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 27 Aug 2008 15:49:10 -0400
Subject: pamkrbval: KDC policy rejects request for this entry
In-Reply-To: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com> (Richard Curtis's message of "Tue, 26 Aug 2008 19:35:55 +0100")
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID:

"Richard Curtis" writes:

> Hi,
> I am trying to get an HPUX 11i box to authenticate against our
> active directory (Windows 2003r2) domain with kerberos but I am
> getting nowhere fast.
>
> As per the docs I have, I have created a user account in active
> directory, then used "ktpass -princ
> host/unix_client.domain.host.com at DOMAIN.HOST.COM -mapuser unix_lient
> -pass -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"

It may be that the AD server is forbidding the use of the "host/unix_client.domain.host.com" principal as a client principal.

From avocat at novell.com Thu Aug 28 12:08:21 2008
From: avocat at novell.com (Andrin Vocat)
Date: Thu, 28 Aug 2008 17:08:21 +0100
Subject: Windows Client resolve Realm KDC over DNS
Message-ID: <48B6E994.90C0.0063.0@novell.com>

Hello

I read some threads with the same problem but without any solution, so I will try it again.
Today we have four completely separated Active Directories with thousands of clients. I implemented a MIT KDC to build a shared resource Realm for SSO. Now I want to deploy that to all clients.

The client sends a TGS to his AD Controller, the DC sends a referral with the resource Realm. At this point the client needs to evaluate what KDC is responsible for the Realm. Easiest way is to configure it on the client (ksetup /AddKdc [Realm] [KDC]). If there is no configuration the client tries to resolve the KDC over DNS (SRV _kerberos._tcp.dc._msdcs.[domain]). ksetup on each client would take a long time and be a lot of work.

I added this DNS entry with a pointer to the KDC. The client resolved it successfully and does a CLDAP query -> No Response (or icmp). I read the CLDAP query is something like an AD ping, to check if the AD is responsible for the domain and available.

Is there a way to switch this setting off (CLDAP Query)? Or could I emulate the required response, for example with Samba?

Any Ideas?

Regards
Andrin Vocat

From neelsmail at rediffmail.com Thu Aug 28 09:12:15 2008
From: neelsmail at rediffmail.com (neelsmail@rediffmail.com)
Date: Thu, 28 Aug 2008 06:12:15 -0700 (PDT)
Subject: Using GSSAPI to Authenticate to AD
References: <24ceb2f4-891a-45f0-9f4b-27f338938512@1g2000pre.googlegroups.com>
Message-ID:

On Aug 27, 9:39 pm, "Michael B Allen" wrote:
> On Wed, Aug 27, 2008 at 4:53 AM, wrote:
> > Hi,
> >
> > I want to authenticate an Active Directory User using GSSAPI. The code
> > would be in C++. To be specific here is the scenario:
> >
> > 1] End user adopts/creates one or more Active Directory users using
> > any of the AD integration packages on Linux.
> > 2] In my executable, which would be always running as root, I find out
> > that I need to use AD user and authenticate using GSSAPI
> > 3] I cannot impersonate as the user because that would change user
> > context of whole process.
> > 4] Therefore, I need to somehow find out whether there is already a
> > ticket for that user available (Win32 SDK: AcquireCredentialsHandle,
> > GSSAPI: GSSAPI::Name->import?)
> > 5] If not, process would obtain one.
> > 6] Get the ticket and initialize the security context (Win32SDK:
> > InitializeSecurityContext, GSSAPI: GSSAPI::Context::init?)
> > 7] Get the token and send it for authentication
> >
> > If the process is running in the user context which needs to be
> > authenticated, it's easier and I have a perl implementation of it. But in
> > this case, since the process will always be running as root, I don't know
> > if there is a way I can know/get a ticket for authentication.
> >
> > Is there a sample/example that can, at least in parts if not
> > completely, illustrate how this can be done using C/C++ somewhere?
> >
> > I found one link on MSDN but don't know whether that's the entire flow/
> > applicable: http://msdn.microsoft.com/en-us/library/ms995352.aspx
> >
> > Any comments would be welcome.
>
> GSSAPI just handles authentication. That's not terribly difficult to
> do in C++ but it's not clear how you get from GSSAPI authentication to
> creating users "using any of the AD integration packages on Linux".
> There are a lot of details to creating an application like that in
> Linux. It's a lot harder than it looks.

Thanks for responding. I think I couldn't explain very clearly. The actual importing of AD users to Linux is done by other applications and there are a lot of them out there. My question was about post user import. For example:

- If there are already userA, userB and userC created on the linux machine which map to AD users (I do not need to know the mechanism how but just that they do map to AD users)
- Now, how do I initialize the security context for userB if my process is running in root's context?
I found one more thread about this: http://groups.google.co.in/group/comp.protocols.kerberos/browse_thread/thread/434a62ca2c65876d/9d3d8914af3befd4?hl=en&lnk=st&q=%22gss_krb5_ccache_name%22#9d3d8914af3befd4

As mentioned in the thread above, it is possible to switch to a different user security context using gss_krb5_ccache_name. There are problems there as well though:

- If you want to switch user contexts multiple times, in multiple threads, the application's performance gets affected because initializing the security context (or one of the steps in it) is a lengthy operation - on my setup it takes almost 5 seconds.
- I believe the switch has to be synchronized so that unless gss_init_sec_context in one thread completes, I cannot call gss_krb5_ccache_name from anywhere else in my application - that increases the delay in a multi-threaded application even more.

That was the reason why I wanted to know whether gss_init_sec_context somehow accepts a local parameter so that initializing security contexts of different users can be independent of each other.

Thanks again,
-Neel.

> Incidentally there is a product called Plexcel that has worked out all
> of these details (see the link in my signature - it's also free for up
> to 25 users). With the Plexcel PHP extension you can easily create a
> web page that will authenticate someone using SPNEGO (or explicit
> Kerberos login) and then use the delegated credential to create users,
> change passwords, etc [1]. Or you can do it from the commandline. In
> fact I have a very nice little Plexcel commandline script for creating
> users that I wrote for someone else that I would be happy to give you.
> If you want a copy, or if you have any questions about Plexcel feel
> free to contact me directly through IOPLEX Software support.
>
> Mike
>
> [1] To give you an idea of what the code would look like look at the
> example on this page: http://www.ioplex.com/api/plexcel_add_object.html
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/

From ioplex at gmail.com Thu Aug 28 15:55:27 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 28 Aug 2008 15:55:27 -0400
Subject: Using GSSAPI to Authenticate to AD
In-Reply-To:
References: <24ceb2f4-891a-45f0-9f4b-27f338938512@1g2000pre.googlegroups.com>
Message-ID: <78c6bd860808281255y6a7f3a32of82a31507d472609@mail.gmail.com>

On Thu, Aug 28, 2008 at 9:12 AM, wrote:
> - Now, how do I initialize the security context for userB if my
> process is running in root's context?
>
> I found one more thread about this :
> http://groups.google.co.in/group/comp.protocols.kerberos/browse_thread/thread/434a62ca2c65876d/9d3d8914af3befd4?hl=en&lnk=st&q=%22gss_krb5_ccache_name%22#9d3d8914af3befd4
>
> As mentioned in the thread above, it is possible to switch to
> different user security context using gss_krb5_ccache_name. There are
> problems there as well though:
>
> - If you want switch user contexts multiple times, in multiple
> threads, application's performance gets affected because initializing
> security context (or one of the steps in it) is a lengthy operation -
> on my setup it takes almost 5 seconds.
> - I believe the switch has to be synchronized so that unless
> gss_init_sec_context in one thread completes, I cannot call
> gss_krb5_ccache_name from anywhere else in my application - that
> increases the delay in multi threaded application even more.
>
> That was the reason why I wanted to know whether gss_init_sec_context
> somehow accepts a local parameter so that initializing security
> contexts of different users can be independent of each other.

The gss_init_sec_context function accepts a gss_cred_id_t parameter that represents the initiator credential.
This credential can be obtained for an arbitrary account using the gss_acquire_cred function provided a credential for the desired account is available for the target mechanism. There is no need to change your identity with setuid unless you will be performing local operations that require the identity be a certain local account. GSSAPI has no knowledge of local accounts and never looks at the default identity of the user (however if no gss_cred_id_t is supplied at all, the underlying mechanism may use the local identity to guess where it might find credentials). Meaning, you want to export the KRB5CCNAME environment variable to point to a ccache file with credentials for the desired account. This assumes of course that there is such a credential. Unfortunately GSSAPI does not define how to acquire initial credentials. Like I said - there are a lot of details that are not handled by GSSAPI alone.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From tpmetz at ucdavis.edu Fri Aug 29 14:28:34 2008
From: tpmetz at ucdavis.edu (Tim Metz)
Date: Fri, 29 Aug 2008 11:28:34 -0700
Subject: password character class definitions
Message-ID: <48B83FD2.4000404@ucdavis.edu>

Greetings,

As I understand it, MIT Kerberos provides for the following password metrics:

(1) The length of the password
(2) The number of character classes it contains, where available character classes are
    - Lowercase letters
    - Uppercase letters
    - Numbers
    - Punctuation
    - Other Characters

I'm interested in exactly what characters comprise the Punctuation and Other Characters classes. I would assume the Punctuation class is explicitly defined in a source file, though I haven't had any luck tracking down which source file. Is this accurate? And if so, which source file? Is the Other Characters class also explicitly defined? Or is it just any character that is not included in one of the other four classes?
If the latter, is there any restriction on what characters can/cannot be included in a password? The underlying question I'm looking into is "Which special characters are allowed in passwords?"

Thanks,
- Tim Metz

From 160335 at student.pwr.wroc.pl Fri Aug 29 03:10:38 2008
From: 160335 at student.pwr.wroc.pl (Kamil Wesołowski)
Date: Fri, 29 Aug 2008 09:10:38 +0200
Subject: Server session dump
Message-ID:

Hi,

I am looking for a dump of an authentication session of the Kerberos system on the server side. I'd like to ask you whether there is any possibility to receive this dump from you. I need it for my semester project. I'll be grateful for any help.

From ricurtis at gmail.com Fri Aug 29 06:39:59 2008
From: ricurtis at gmail.com (ricurtis@gmail.com)
Date: Fri, 29 Aug 2008 03:39:59 -0700 (PDT)
Subject: pamkrbval: KDC policy rejects request for this entry
References: <5745a7060808261135s26134f5bg495452c33920af1f@mail.gmail.com>
Message-ID: <5239109a-54e0-4d4c-ae5f-3352d5711e16@c65g2000hsa.googlegroups.com>

I am making some progress with this and no longer believe it to be a Kerberos issue (not directly)..

Our windows admins have enabled enhanced logging of the KDC service in Windows, and now instead of just a straight "0xC: KDC Policy rejects this request", we still get the 0xC error, but we get enhanced info stating "NT Status: STATUS_INVALID_WORKSTATION (0xc0000070)"

If anyone wants to know the registry keys changed to get this logging, it was HKLM\SYSTEM\CurrentControlSet\Services\KDC, then kdcdebuglevel (DWORD, value=0x10000000) and kdcextraloglevel (DWORD, 0x00000004)

It looks as though the request is being rejected because AD expects to find some form of workstation entry for this host. I thought the ktpass side should cater for this, but obviously I am wrong.

I will continue to investigate this with our Windows admins and will post back if I fix it.

On 27 Aug, 20:49, Tom Yu wrote:
> "Richard Curtis" writes:
> > Hi,
> >
> > I am trying to get an HPUX 11i box to authenticate against our
> > active directory (Windows 2003r2) domain with kerberos but I am
> > getting nowhere fast.
> >
> > As per the docs I have, I have created a user account in active
> > directory, then used "ktpass -princ
> > host/unix_client.domain.host.... at DOMAIN.HOST.COM -mapuser unix_lient
> > -pass -out c:\krb5.keytab"
> > The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> > keep getting "KDC policy rejects request for this entry"
>
> It may be that the AD server is forbidding the use of the
> "host/unix_client.domain.host.com" principal as a client principal.