From punadikar.sachin at gmail.com Mon Dec 1 05:03:57 2008
From: punadikar.sachin at gmail.com (Sachin Punadikar)
Date: Mon, 1 Dec 2008 15:33:57 +0530
Subject: kg_ctx_internalize() function in MIT 1.6.3
Message-ID: <9549b1d80812010203k55e379derd0ebe4de35e31202@mail.gmail.com>

Hello,

I was going through the gssapi MIT krb1.6.3 code and I feel there is a possible bug in the kg_ctx_internalize() function defined in the src/lib/gssapi/krb5/ser_sctx.c file. As I understand it, the function should unpack entities in the same order in which they were packed by the kg_ctx_externalize() function. But it misses the order while unpacking the last two structure variables, as shown below. Since acceptor_subkey_cksumtype was packed before cred_rcache and also occurs before it in the _krb5_gss_cred_id_rec structure definition, acceptor_subkey_cksumtype should be unpacked BEFORE cred_rcache, else the values will get swapped.

Current code in the kg_ctx_internalize() function:

    if (!kret)
        kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
    ctx->cred_rcache = ibuf;
    if (!kret)
        kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
    ctx->acceptor_subkey_cksumtype = ibuf;

Proposed code in the kg_ctx_internalize() function, with the unpacking sequence changed:

    if (!kret)
        kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
    ctx->acceptor_subkey_cksumtype = ibuf;
    if (!kret)
        kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
    ctx->cred_rcache = ibuf;

Kindly let me know if this is valid.

- Sachin

From deengert at anl.gov Mon Dec 1 16:31:59 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 01 Dec 2008 15:31:59 -0600
Subject: KVNO/Keytab Question
In-Reply-To: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com>
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com>
Message-ID: <493457CF.4030100@anl.gov>

kevin.doran at accenture.com wrote:
> Hi, I'm hoping someone can help.
>
> We are having issues using SPNEGO.
> Our problem seems to be the one defined on:
> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=swg21259123&loc=en_US&cs=UTF-8&lang=en
>
> When we try to login, our browsers pass the following ticket
> information:
>
>     Ticket
>         Tkt-vno: 5
>         Realm: DWPPTP.LONDONDC.COM
>         Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
>             Name-type: Service and Instance (2)
>             Name: HTTP
>             Name: ettloadbalancer.dwpptp.londondc.com
>         enc-part des-cbc-md5
>             Encryption type: des-cbc-md5 (3)
>             Kvno: 4
>             enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>
> The Kvno is 4, yet when performing a klist on the keytab file:
>
> ivmgr at dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/ettloadbalancer.dwpptp.londondc.com at DWPPTP.LONDONDC.COM
>
> We have followed the recommendation of recreating the keytab file and
> this has changed the KVNO number in the keytab file. However the KVNO
> passed by the browser does not match - how does this value get set?
>
> Any help is appreciated

(Richard Silverman suggested to clean out the client ticket cache, but that may only be part of the problem.)

The kvno is usually increased by one each time you change the key in the KDC, so it looks like you did not update the keytab the last time you changed the key. The KDC and keytab need to stay in sync. The client got a ticket with a kvno of 4, but the keytab has a kvno of 3. Do you have more than one copy of the keytab file? I see the words load balancer in your note. Did you update both?

Whose KDC are you using, and what tool did you use to create or update the keytab?

(The reason for a kvno is that a keytab can have more than one key for a service principal, each with a different kvno. This is done to allow tickets issued with the older kvno to continue to work when a new key and kvno is created in the KDC and keytab. At a later time the keytab can be cleaned up, removing the older entry.)

>
> Regards
>
> Kev
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From ansgar at 2008.43-1.org Mon Dec 1 18:43:28 2008
From: ansgar at 2008.43-1.org (Ansgar Burchardt)
Date: Tue, 02 Dec 2008 00:43:28 +0100
Subject: Using Apache with mod_auth_kerb
Message-ID:

Hi,

I have a small problem with mod_auth_kerb and Firefox 3.0: While authenticating via Kerberos works fine from a computer located in the same domain, I cannot get Firefox to authenticate from my home computer.

I have a Kerberos ticket and Konqueror handles the Kerberos authentication just fine, but Firefox seems to have problems. So far I have only found that the option

  network.negotiate-auth.trusted-uris

has to be set by me (I set it to `https://example.com'; the web server I wish to authenticate to is `https://www.example.com'. I have also tried different combinations). All other `negotiate-auth' related settings still have their default values.

I'm using Debian Lenny and the included version of Firefox.

I am also not quite sure what the network.negotiate-auth.delegation-uris is supposed to do. Will it pass the TGT to the server?
Regards,
Ansgar

--
PGP: 1024D/595FAD19
739E 2D09 0969 BEA9 9797 B055 DDB0 2FF7 595F AD19

From rra at stanford.edu Mon Dec 1 20:14:08 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 01 Dec 2008 17:14:08 -0800
Subject: Using Apache with mod_auth_kerb
In-Reply-To: (Ansgar Burchardt's message of "Tue, 02 Dec 2008 00:43:28 +0100")
References:
Message-ID: <87vdu3idjz.fsf@windlord.stanford.edu>

Ansgar Burchardt writes:

> I have a small problem with mod_auth_kerb and Firefox 3.0: While
> authenticating via Kerberos works fine from a computer located in the
> same domain, I cannot get Firefox to authenticate from my home computer.
>
> I have a Kerberos ticket and Konqueror handles the Kerberos
> authentication just fine, but Firefox seems to have problems. So far I
> have only found that the option
>
>   network.negotiate-auth.trusted-uris
>
> has to be set by me (I set it to `https://example.com', the web server I
> wish to authenticate to is `https://www.example.com'. I have also tried
> different combinations). All other `negotiate-auth' related settings
> still have their default values.

After you try to visit the web site in question, run klist. Does an HTTP/* ticket for the web server show up in your ticket cache? If so, something is going wrong with the Negotiate-Auth part of Firefox's code; if not, you probably have a more basic problem with mapping the web server to an existing Kerberos principal.

Make sure that your realm mappings are correct in your /etc/krb5.conf file, for example. That's often the problem.

> I am also not quite sure what the network.negotiate-auth.delegation-uris
> is supposed to do. Will it pass the TGT to the server?

Yes. Be very careful with this, since it gives the server full access to do anything Kerberized as you.
--
Russ Allbery (rra at stanford.edu)

From howard at cohtech.com Tue Dec 2 05:20:12 2008
From: howard at cohtech.com (Howard Wilkinson)
Date: Tue, 02 Dec 2008 10:20:12 +0000
Subject: Valgrind reported problem with ldap_sasl_interactive_bind_s
Message-ID: <49350BDC.7050205@cohtech.com>

I have been doing some development on the nss_ldap library and have been getting valgrind errors reported. I have managed to reproduce these by running ldapsearch.

This system is a Fedora 9 environment patched up to the latest updates as of today! Running the following packages.

openldap-2.4.10-2.fc9.i386
cyrus-sasl-2.1.22-15.fc9.i386
krb5-libs-1.6.3-10.fc9.i386
glibc-2.8-8.i686

The output from valgrind is as follows!

==29134== Conditional jump or move depends on uninitialised value(s)
==29134==    at 0x5F18CA: k5_arcfour_init (rc4.c:94)
==29134==    by 0x5F1AAB: k5_arcfour_docrypt (rc4.c:150)
==29134==    by 0x76D332: kg_get_seq_num (util_seqnum.c:74)
==29134==    by 0x76D98C: kg_make_seq_num (val_cred.c:56)
==29134==    by 0x767BCC: rotate_left (string3.h:52)
==29134==    by 0x76B25E: krb5_gss_seal (set_allowable_enctypes.c:104)
==29134==    by 0x76A096: gss_krb5_get_tkt_flags (krb5_gss_glue.c:1035)
==29134==    by 0x75A739: gss_unseal (g_unseal.c:84)
==29134==    by 0x75A796: gss_unwrap (g_unseal.c:119)
==29134==    by 0x479F0B8: gssapi_client_mech_step (gssapi.c:1680)
==29134==    by 0x14468A: sasl_client_step (client.c:655)
==29134==    by 0x3167AB: ldap_int_sasl_bind (cyrus.c:801)
==29134==
==29134== Conditional jump or move depends on uninitialised value(s)
==29134==    at 0x5F18CC: k5_arcfour_init (rc4.c:94)
==29134==    by 0x5F1AAB: k5_arcfour_docrypt (rc4.c:150)
==29134==    by 0x76D332: kg_get_seq_num (util_seqnum.c:74)
==29134==    by 0x76D98C: kg_make_seq_num (val_cred.c:56)
==29134==    by 0x767BCC: rotate_left (string3.h:52)
==29134==    by 0x76B25E: krb5_gss_seal (set_allowable_enctypes.c:104)
==29134==    by 0x76A096: gss_krb5_get_tkt_flags (krb5_gss_glue.c:1035)
==29134==    by 0x75A739: gss_unseal (g_unseal.c:84)
==29134==    by 0x75A796: gss_unwrap (g_unseal.c:119)
==29134==    by 0x479F0B8: gssapi_client_mech_step (gssapi.c:1680)
==29134==    by 0x14468A: sasl_client_step (client.c:655)
==29134==    by 0x3167AB: ldap_int_sasl_bind (cyrus.c:801)
==29134==
==29134== Use of uninitialised value of size 4
==29134==    at 0x5F192B: k5_arcfour_init (rc4.c:109)
==29134==    by 0x5F1AAB: k5_arcfour_docrypt (rc4.c:150)
==29134==    by 0x76D332: kg_get_seq_num (util_seqnum.c:74)
==29134==    by 0x76D98C: kg_make_seq_num (val_cred.c:56)
==29134==    by 0x767BCC: rotate_left (string3.h:52)
==29134==    by 0x76B25E: krb5_gss_seal (set_allowable_enctypes.c:104)
==29134==    by 0x76A096: gss_krb5_get_tkt_flags (krb5_gss_glue.c:1035)
==29134==    by 0x75A739: gss_unseal (g_unseal.c:84)
==29134==    by 0x75A796: gss_unwrap (g_unseal.c:119)
==29134==    by 0x479F0B8: gssapi_client_mech_step (gssapi.c:1680)
==29134==    by 0x14468A: sasl_client_step (client.c:655)
==29134==    by 0x3167AB: ldap_int_sasl_bind (cyrus.c:801)
==29134==
==29134== Use of uninitialised value of size 4
==29134==    at 0x5F1936: k5_arcfour_init (rc4.c:110)
==29134==    by 0x5F1AAB: k5_arcfour_docrypt (rc4.c:150)
==29134==    by 0x76D332: kg_get_seq_num (util_seqnum.c:74)
==29134==    by 0x76D98C: kg_make_seq_num (val_cred.c:56)
==29134==    by 0x767BCC: rotate_left (string3.h:52)
==29134==    by 0x76B25E: krb5_gss_seal (set_allowable_enctypes.c:104)
==29134==    by 0x76A096: gss_krb5_get_tkt_flags (krb5_gss_glue.c:1035)
==29134==    by 0x75A739: gss_unseal (g_unseal.c:84)
==29134==    by 0x75A796: gss_unwrap (g_unseal.c:119)
==29134==    by 0x479F0B8: gssapi_client_mech_step (gssapi.c:1680)
==29134==    by 0x14468A: sasl_client_step (client.c:655)
==29134==    by 0x3167AB: ldap_int_sasl_bind (cyrus.c:801)
==29134==
==29134== Syscall param write(buf) points to uninitialised byte(s)
==29134==    at 0xC3DF73: __write_nocancel (in /lib/libc-2.8.so)
==29134==    by 0x1C83B1: sb_debug_write (sockbuf.c:852)
==29134==    by 0x1C8821: ber_int_sb_write (sockbuf.c:445)
==29134==    by 0x1C5F23: ber_flush2 (io.c:256)
==29134==    by 0x3242C8: ldap_int_flush_request (request.c:152)
==29134==    by 0x3246BE: ldap_send_server_request (request.c:348)
==29134==    by 0x3248A1: ldap_send_initial_request (request.c:136)
==29134==    by 0x318FB1: ldap_sasl_bind (sasl.c:148)
==29134==    by 0x319287: ldap_sasl_bind_s (sasl.c:182)
==29134==    by 0x316575: ldap_int_sasl_bind (cyrus.c:737)
==29134==    by 0x318A15: ldap_sasl_interactive_bind_s (sasl.c:464)
==29134==    by 0x804FF62: tool_bind (common.c:1336)
==29134==  Address 0x4048e3d is 53 bytes inside a block of size 4,060 alloc'd
==29134==    at 0x4006AEE: malloc (vg_replace_malloc.c:207)
==29134==    by 0x1C6F3F: ber_memalloc_x (memory.c:226)
==29134==    by 0x1C799B: ber_memrealloc_x (memory.c:304)
==29134==    by 0x1C6149: ber_realloc (io.c:155)
==29134==    by 0x1C6313: ber_write (io.c:114)
==29134==    by 0x1C3516: ber_put_tag (encode.c:100)
==29134==    by 0x1C3D7F: ber_put_int_or_enum (encode.c:284)
==29134==    by 0x1C4B25: ber_printf (encode.c:774)
==29134==    by 0x318F45: ldap_sasl_bind (sasl.c:122)
==29134==    by 0x319287: ldap_sasl_bind_s (sasl.c:182)
==29134==    by 0x316575: ldap_int_sasl_bind (cyrus.c:737)
==29134==    by 0x318A15: ldap_sasl_interactive_bind_s (sasl.c:464)

Does anybody have any idea where the uninitialised memory is coming from? I have tried to trace backwards from the kerberos libraries but with no real joy!

Howard.

From kevin.doran at accenture.com Tue Dec 2 07:47:38 2008
From: kevin.doran at accenture.com (kevin.doran@accenture.com)
Date: Tue, 2 Dec 2008 04:47:38 -0800 (PST)
Subject: KVNO/Keytab Question
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com>
Message-ID: <6ba60458-0d8d-4bf1-8550-a4830b86b8a7@13g2000yql.googlegroups.com>

On 1 Dec, 21:31, "Douglas E. Engert" wrote:
> kevin.do... at accenture.com wrote:
> > Hi, I'm hoping someone can help.
> >
> > We are having issues using SPNEGO. Our problem seems to be the one
> > defined on:
> > http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
> >
> > When we try to login, our browsers pass the following ticket
> > information:
> >
> >     Ticket
> >         Tkt-vno: 5
> >         Realm: DWPPTP.LONDONDC.COM
> >         Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
> >             Name-type: Service and Instance (2)
> >             Name: HTTP
> >             Name: ettloadbalancer.dwpptp.londondc.com
> >         enc-part des-cbc-md5
> >             Encryption type: des-cbc-md5 (3)
> >             Kvno: 4
> >             enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
> >
> > The Kvno is 4, yet when performing a klist on the keytab file:
> >
> > ivmgr at dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> > Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >    3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
> >
> > We have followed the recommendation of recreating the keytab file and
> > this has changed the KVNO number in the keytab file. However the KVNO
> > passed by the browser does not match - how does this value get set?
> >
> > Any help is appreciated
>
> (Richard Silverman suggested to clean out the client ticket cache,
> but that may only be part of the problem.)
>
> The kvno is usually increased by one each time you change the key in the KDC,
> so it looks like you did not update the keytab the last time you changed
> the key. The KDC and keytab need to stay in sync. The client got a ticket with
> a kvno of 4, but the keytab has a kvno of 3. Do you have more than one copy
> of the keytab file? I see the words load balancer in your note. Did you update both?
>
> Whose KDC are you using, and what tool did you use to create or update the keytab?
>
> (The reason for a kvno is that a keytab can have more than one key for a
> service principal, each with a different kvno. This is done to allow tickets
> issued with the older kvno to continue to work when a new key and kvno is
> created in the KDC and keytab. At a later time the keytab can be cleaned up,
> removing the older entry.)
>
> > Regards
> >
> > Kev
> >
> > ________________________________________________
> > Kerberos mailing list Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
>   Douglas E. Engert
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois 60439
>   (630) 252-5444

Hi Douglas, thanks for your response.

ktpass was used to create the keytab. The KDC is maintained by our local service unit.

We're really scratching our heads at the moment, it seems that each time we create a new keytab file shortly afterwards the KVNO in the client ticket changes. I've no idea why they are out of sync. What changes etc could cause the KVNO to increment on the KDC?

Thanks

Kev

From jaltman at secure-endpoints.com Tue Dec 2 10:44:45 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 02 Dec 2008 10:44:45 -0500
Subject: KVNO/Keytab Question
In-Reply-To: <6ba60458-0d8d-4bf1-8550-a4830b86b8a7@13g2000yql.googlegroups.com>
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com> <6ba60458-0d8d-4bf1-8550-a4830b86b8a7@13g2000yql.googlegroups.com>
Message-ID: <493557ED.7080501@secure-endpoints.com>

kevin.doran at accenture.com wrote:
> Hi Douglas, thanks for your response.
>
> ktpass was used to create the keytab. The KDC is maintained by our
> local service unit.
>
> We're really scratching our heads at the moment, it seems that each
> time we create a new keytab file shortly afterwards the KVNO in the
> client ticket changes. I've no idea why they are out of sync. What
> changes etc could cause the KVNO to increment on the KDC?
>
> Thanks
>
> Kev
>

Every time you generate a new keytab with ktpass the key is replaced in the KDC. Generate the keytab once with ktpass and then distribute it to your service ASAP.

Jeffrey Altman

From res at qoxp.net Tue Dec 2 11:56:01 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Tue, 02 Dec 2008 11:56:01 -0500
Subject: KVNO/Keytab Question
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com> <6ba60458-0d8d-4bf1-8550-a4830b86b8a7@13g2000yql.googlegroups.com>
Message-ID:

>>>>> "KD" == kevin doran writes:

KD> On 1 Dec, 21:31, "Douglas E. Engert" wrote:
>> kevin.do... at accenture.com wrote:
>> > Hi, I'm hoping someone can help.
>> >
>> > We are having issues using SPNEGO. Our problem seems to be the one
>> > defined on:
>> > http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
>> >
>> > When we try to login, our browsers pass the following ticket
>> > information:
>> >
>> >     Ticket
>> >         Tkt-vno: 5
>> >         Realm: DWPPTP.LONDONDC.COM
>> >         Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
>> >             Name-type: Service and Instance (2)
>> >             Name: HTTP
>> >             Name: ettloadbalancer.dwpptp.londondc.com
>> >         enc-part des-cbc-md5
>> >             Encryption type: des-cbc-md5 (3)
>> >             Kvno: 4
>> >             enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>> >
>> > The Kvno is 4, yet when performing a klist on the keytab file:
>> >
>> > ivmgr at dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
>> > Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
>> > KVNO Principal
>> > ---- --------------------------------------------------------------------------
>> >    3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
>> >
>> > We have followed the recommendation of recreating the keytab file
>> > and this has changed the KVNO number in the keytab file. However
>> > the KVNO passed by the browser does not match - how does this
>> > value get set?
>> >
>> > Any help is appreciated
>>
>> (Richard Silverman suggested to clean out the client ticket cache,
>> but that may only be part of the problem.)
>>
>> The kvno is usually increased by one each time you change the key
>> in the KDC, so it looks like you did not update the keytab the last
>> time you changed the key. The KDC and keytab need to stay in
>> sync. The client got a ticket with a kvno of 4, but the keytab has
>> a kvno of 3. Do you have more than one copy of the keytab file? I
>> see the words load balancer in your note. Did you update both?
>>
>> Whose KDC are you using, and what tool did you use to create or
>> update the keytab?
>>
>> (The reason for a kvno is that a keytab can have more than one key
>> for a service principal, each with a different kvno. This is done
>> to allow tickets issued with the older kvno to continue to work
>> when a new key and kvno is created in the KDC and keytab. At a
>> later time the keytab can be cleaned up, removing the older entry.)
>>
>> > Regards
>> >
>> > Kev
>> >
>> > ________________________________________________
>> > Kerberos mailing list Kerbe... at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> --
>>
>>   Douglas E. Engert
>>   Argonne National Laboratory
>>   9700 South Cass Avenue
>>   Argonne, Illinois 60439
>>   (630) 252-5444

KD> Hi Douglas, thanks for your response.

KD> ktpass was used to create the keytab. The KDC is maintained by our
KD> local service unit.

KD> We're really scratching our heads at the moment, it seems that
KD> each time we create a new keytab file shortly afterwards the KVNO
KD> in the client ticket changes. I've no idea why they are out of
KD> sync. What changes etc could cause the KVNO to increment on the
KD> KDC?

Extracting the key (ktadd) does that, itself -- you get a *new* key when you use ktadd. It's important to never do ktadd without also updating any keytabs which contain the key. In particular, if there are multiple keytabs, then you can't just use kadmin/ktadd to update them all; you have to extract the key once and then insert it separately into the remaining keytabs, e.g. with ktutil.

KD> Thanks

KD> Kev

--
Richard Silverman
res at qoxp.net

From neralla1 at us.ibm.com Tue Dec 2 15:20:44 2008
From: neralla1 at us.ibm.com (Murali Neralla)
Date: Tue, 2 Dec 2008 14:20:44 -0600
Subject: krb5 v1.6.3 link error
Message-ID:

Hello,

I'm having a problem building krb5 v 1.6.3 on AIX 5.3 using gcc 4.3.1. configure runs OK, but make stops with the following error:

gcc -L../../../lib -Wl,-blibpath:/usr/local/lib::/usr/lib:/lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -D_THREAD_SAFE -o client client.o rpc_test_clnt.o -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads
ld: 0706-006 Cannot find or open library file: -l k5crypto
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
ld:open(): A file or directory in the path name does not exist.
collect2: ld returned 255 exit status
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1.

Is this just an environment issue? If so, please can someone suggest a possible solution.

Regards,
-Murali

From ansgar at 2008.43-1.org Tue Dec 2 16:50:03 2008
From: ansgar at 2008.43-1.org (Ansgar Burchardt)
Date: Tue, 02 Dec 2008 22:50:03 +0100
Subject: [solved] Using Apache with mod_auth_kerb
References: <87vdu3idjz.fsf@windlord.stanford.edu>
Message-ID:

Hi,

Russ Allbery writes:

> Ansgar Burchardt writes:
>> I have a small problem with mod_auth_kerb and Firefox 3.0: While
>> authenticating via Kerberos works fine from a computer located in the
>> same domain, I cannot get Firefox to authenticate from my home computer.
>
> After you try to visit the web site in question, run klist. Does an
> HTTP/* ticket for the web server show up in your ticket cache? If so,
> something is going wrong with the Negotiate-Auth part of Firefox's code;
> if not, you probably have a more basic problem with mapping the web server
> to an existing Kerberos principal.

I have found the problem: Firefox seems to require that the Kerberos service principal matches the domain name entered in the address bar, while Konqueror was satisfied with the service principal matching the host name of the server.

I added another service principal "HTTP/www.example.com" (only had "HTTP/server.example.com" before) and put "KrbServiceName Any" in the Apache configuration and everything works now.
> Make sure that your realm mappings are correct in your /etc/krb5.conf
> file, for example. That's often the problem.

The krb5.conf only has the default_realm, all other options can be obtained via DNS here. This makes using Kerberos from home much easier to set up.

Regards,
Ansgar

--
PGP: 1024D/595FAD19
739E 2D09 0969 BEA9 9797 B055 DDB0 2FF7 595F AD19

From rra at stanford.edu Tue Dec 2 19:20:50 2008
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 02 Dec 2008 16:20:50 -0800
Subject: [solved] Using Apache with mod_auth_kerb
In-Reply-To: (Ansgar Burchardt's message of "Tue, 02 Dec 2008 22:50:03 +0100")
References: <87vdu3idjz.fsf@windlord.stanford.edu>
Message-ID: <874p1mglct.fsf@windlord.stanford.edu>

Ansgar Burchardt writes:

> I have found the problem: Firefox seems to require that the Kerberos
> service principal matches the domain name entered in the address bar,
> while Konqueror was satisfied with the service principal matching the
> host name of the server.
>
> I added another service principal "HTTP/www.example.com" (only had
> "HTTP/server.example.com" before) and put "KrbServiceName Any" in the
> Apache configuration and everything works now.

Yeah, common problem (and why KrbServiceName any is there).

> The krb5.conf only has the default_realm, all other options can be
> obtained via DNS here. This makes using Kerberos from home much easier
> to set up.

Note that domain to realm mappings via TXT records aren't enabled by default for MIT Kerberos because it has security implications.

--
Russ Allbery (rra at stanford.edu)

From jsanders at TechFak.Uni-Bielefeld.DE Wed Dec 3 12:26:28 2008
From: jsanders at TechFak.Uni-Bielefeld.DE (Jan Sanders)
Date: Wed, 03 Dec 2008 18:26:28 +0100
Subject: using k5start
Message-ID: <4936C144.4050400@TechFak.Uni-Bielefeld.DE>

Hello list,

maybe s.o. can help me out.

I have a home directory that comes from an nfs server. I get a ticket on login using pam. If it expires I use kinit. The problem is that I would like to let processes run (wo/constantly kinit-ing) with access to my home that run longer than the ticket lifetime.

k5start seems to be promising. But in order to start a process k5start needs a keytab. If I create a keytab for my principal I can no longer use my password to get a ticket from the KDC.

I have the nagging feeling I am missing something.

TIA

Jan

From rohitm at engr.uconn.edu Wed Dec 3 12:42:09 2008
From: rohitm at engr.uconn.edu (Rohit Kumar Mehta)
Date: Wed, 03 Dec 2008 12:42:09 -0500
Subject: using k5start
In-Reply-To: <4936C144.4050400@TechFak.Uni-Bielefeld.DE>
References: <4936C144.4050400@TechFak.Uni-Bielefeld.DE>
Message-ID: <4936C4F1.9040909@engr.uconn.edu>

Maybe krenew would be helpful?
http://www.eyrie.org/~eagle/software/kstart/krenew.html

Rohit

Jan Sanders wrote:
> Hello list,
>
> maybe s.o. can help me out.
>
> I have a home directory that comes from an nfs server. I get a ticket on
> login using pam. If it expires I use kinit. The problem is that I would
> like to let processes run (wo/constantly kinit-ing) with access to my
> home that run longer than the ticket lifetime.
> k5start seems to be promising. But in order to start a process k5start
> needs a keytab. If I create a keytab for my principal I can no longer use
> my password to get a ticket from the KDC.
> I have the nagging feeling I am missing something.
>
> TIA
>
> Jan
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031
Office: (860) 486 - 2331
Fax: (860) 486 - 1273

From Tim.Jandt at dedicatedcomputing.com Wed Dec 3 13:32:16 2008
From: Tim.Jandt at dedicatedcomputing.com (Tim Jandt)
Date: Wed, 3 Dec 2008 12:32:16 -0600
Subject: FIPS compliance
Message-ID: <578733DCD150CA49998643114458BACB1892F6641F@OPTIMUS.omnitechcorp.com>

Hello,

I found a post in which you mentioned:

"FIPS compliance is something you get by going through a very particular governmental certification process, which normally does not deal with generic standards, but instead deals with specific and particular implementations. Standards are described, but the compliance aspect is to show that a particular implementation meets that standard."

Would you by chance have links to any government agencies or test labs web sites that describe the FIPS certification process in more detail?

Thanks,
Tim

From mdw at umich.edu Wed Dec 3 14:37:17 2008
From: mdw at umich.edu (Marcus Watts)
Date: Wed, 03 Dec 2008 14:37:17 -0500
Subject: FIPS compliance
In-Reply-To: <578733DCD150CA49998643114458BACB1892F6641F@OPTIMUS.omnitechcorp.com>
References: <578733DCD150CA49998643114458BACB1892F6641F@OPTIMUS.omnitechcorp.com>
Message-ID:

You wrote:
> Date: Wed, 03 Dec 2008 12:32:16 CST
> To: "kerberos at mit.edu"
> From: Tim Jandt
> Subject: FIPS compliance
>
> Hello,
>
> I found a post in which you mentioned:
>
> "FIPS compliance is something you get by going through a very particular
> governmental certification process, which normally does not deal with generic
> standards, but instead deals with specific and particular implementations. Standards
> are described, but the compliance aspect is to show that a particular
> implementation meets that standard."
>
> Would you by chance have links to any government agencies or test labs web
> sites that describe the FIPS certification process in more detail?
>
> Thanks,
> Tim

"You" here is a very vague word. There are about 4 messages in the thread you appear to reference, from different folks. Just on the off-chance you mean me, here are some links:

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
http://en.wikipedia.org/wiki/FIPS_140-2
https://wiki.mozilla.org/FIPS_Validation

The 1st is the standard proper. At 69 pages, it's not exactly light reading, but it could be a *lot* worse. Beware, this may not describe actual practice, particularly for software. The 3rd describes the actual experience of one open source project. The 2nd & 3rd have pointers to additional resources. You can find lots more with google.

-Marcus Watts

From Tim.Jandt at dedicatedcomputing.com Wed Dec 3 14:50:07 2008
From: Tim.Jandt at dedicatedcomputing.com (Tim Jandt)
Date: Wed, 3 Dec 2008 13:50:07 -0600
Subject: FIPS compliance
In-Reply-To:
References: <578733DCD150CA49998643114458BACB1892F6641F@OPTIMUS.omnitechcorp.com>
Message-ID: <578733DCD150CA49998643114458BACB1892F6645E@OPTIMUS.omnitechcorp.com>

The thread to which I'm referring can be found here:
http://mailman.mit.edu/pipermail/kerberos/2006-November/010870.html

Since your name and e-mail is at the top, and you signed the post, I felt the assumption that "You" posted this was most likely correct.

I appreciate your response, and in doing some further research did find a couple of independent labs that can verify compliance to the FIPS 140-2 standard, but have not found any that mention FIPS 197. The two labs I found were:

http://www.corsec.com/index.php?option=com_frontpage&Itemid=1
and
http://www.rycombe.com/

Unfortunately, I feel no closer to determining how, exactly, I would prepare the product we are being asked to produce for compliance. Guess it's on with the reading glasses and a snifter of fine single malt scotch for a trip through http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf tonight...

Cheers,
Tim

-----Original Message-----
From: Marcus Watts [mailto:mdw at umich.edu]
Sent: Wednesday, December 03, 2008 1:37 PM
To: Tim Jandt
Cc: kerberos at mit.edu
Subject: Re: FIPS compliance

You wrote:
> Date: Wed, 03 Dec 2008 12:32:16 CST
> To: "kerberos at mit.edu"
> From: Tim Jandt
> Subject: FIPS compliance
>
> Hello,
>
> I found a post in which you mentioned:
>
> "FIPS compliance is something you get by going through a very particular
> governmental certification process, which normally does not deal with generic
> standards, but instead deals with specific and particular implementations. Standards
> are described, but the compliance aspect is to show that a particular
> implementation meets that standard."
>
> Would you by chance have links to any government agencies or test labs web
> sites that describe the FIPS certification process in more detail?
>
> Thanks,
> Tim

"You" here is a very vague word. There are about 4 messages in the thread you appear to reference, from different folks. Just on the off-chance you mean me, here are some links:

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
http://en.wikipedia.org/wiki/FIPS_140-2
https://wiki.mozilla.org/FIPS_Validation

The 1st is the standard proper. At 69 pages, it's not exactly light reading, but it could be a *lot* worse. Beware, this may not describe actual practice, particularly for software. The 3rd describes the actual experience of one open source project. The 2nd & 3rd have pointers to additional resources. You can find lots more with google.
-Marcus Watts From nagendra.gs at gmail.com Fri Dec 5 04:01:41 2008 From: nagendra.gs at gmail.com (Nagendra G S) Date: Fri, 5 Dec 2008 14:31:41 +0530 Subject: LDAP bind() versus Kerberos authentication (performance perspective) Message-ID: <69d5b7150812050101v341f7ab1r1376d471cc7e8ed0@mail.gmail.com> Anyone have any information about the relative merits ( w.r.t performance ) of using Kerberos authentication instead of LDAP bind() for authentication in a large environment ? (around 30 authns per second) thanks, Nagendra From rra at stanford.edu Fri Dec 5 05:00:21 2008 From: rra at stanford.edu (Russ Allbery) Date: Fri, 05 Dec 2008 02:00:21 -0800 Subject: LDAP bind() versus Kerberos authentication (performance perspective) In-Reply-To: <69d5b7150812050101v341f7ab1r1376d471cc7e8ed0@mail.gmail.com> (Nagendra G. S.'s message of "Fri\, 5 Dec 2008 14\:31\:41 +0530") References: <69d5b7150812050101v341f7ab1r1376d471cc7e8ed0@mail.gmail.com> Message-ID: <87bpvr3psa.fsf@windlord.stanford.edu> "Nagendra G S" writes: > Anyone have any information about the relative merits ( w.r.t performance ) > of using Kerberos authentication instead of LDAP bind() for authentication > in a large environment ? (around 30 authns per second) You'll have a hard time finding a server slow enough to have difficulty doing that authentication load using Kerberos. Kerberos is significantly more efficient for authentication than LDAP binds. -- Russ Allbery (rra at stanford.edu) From Dennis.Putnam at aimaudit.com Fri Dec 5 07:15:26 2008 From: Dennis.Putnam at aimaudit.com (Dennis Putnam) Date: Fri, 5 Dec 2008 07:15:26 -0500 Subject: Credentials Cache File Problem Running with 'cron' Message-ID: <4E27DD07-683D-499E-B948-D89DB58BDA40@aimaudit.com> I have what I thought was a perl problem using Kerberos authentication. However, after many emails with perl experts, the consensus is that this is really a problem with the Kerberos library. 
Hopefully, someone on this list will recognize the problem an can suggest a solution. This particular script runs fine when executed from the command line (I'm using OS X 10.4.11). When the same command is run from 'cron' or 'at' the following error occurs: Credentials cache I/O operation failed XXX I am told that this error indicates there was a problem writing the credentials cache file. The first thought was that it had to do with permissions but the script does the same thing even running as root. The second thought was that it had to do with an environment variable but again that is not the case since perl runs in its own environment so the variables are identical running from command line or 'cron'. At that point, the author of the perl interface said that all his code does is make standard Kerberos library calls. Since Apple uses the standard MIT libraries, the conclusion is that this must be something specific to the library rather then perl or the OS. Can anyone help? TIA. From lxs at MIT.EDU Fri Dec 5 08:53:16 2008 From: lxs at MIT.EDU (Alexandra Ellwood) Date: Fri, 5 Dec 2008 08:53:16 -0500 Subject: Credentials Cache File Problem Running with 'cron' In-Reply-To: <4E27DD07-683D-499E-B948-D89DB58BDA40@aimaudit.com> References: <4E27DD07-683D-499E-B948-D89DB58BDA40@aimaudit.com> Message-ID: <37372AFF-0D5A-40F0-992D-028EEB0E2AFC@mit.edu> On Dec 5, 2008, at 7:15 AM, Dennis Putnam wrote: > I have what I thought was a perl problem using Kerberos > authentication. However, after many emails with perl experts, the > consensus is that this is really a problem with the Kerberos library. > Hopefully, someone on this list will recognize the problem an can > suggest a solution. > > This particular script runs fine when executed from the command line > (I'm using OS X 10.4.11). 
When the same command is run from 'cron' or > 'at' the following error occurs: > > Credentials cache I/O operation failed XXX > > I am told that this error indicates there was a problem writing the > credentials cache file. The first thought was that it had to do with > permissions but the script does the same thing even running as root. > The second thought was that it had to do with an environment variable > but again that is not the case since perl runs in its own environment > so the variables are identical running from command line or 'cron'. At > that point, the author of the perl interface said that all his code > does is make standard Kerberos library calls. Since Apple uses the > standard MIT libraries, the conclusion is that this must be something > specific to the library rather then perl or the OS. Can anyone help? > TIA. By default Kerberos on Mac OS X uses the API credentials cache format to store credentials. This credentials cache is only available from user sessions, not from daemon sessions like the one used by cron. I recommend using the environment variable KRB5CCNAME to specify a FILE credentials cache format and storing your tickets in that (eg: KRB5CCNAME=FILE:/tmp/tickets). Using the same FILE ccache from your perl script should work. --lxs Alexandra Ellwood MIT Information Services & Technology From Dennis.Putnam at aimaudit.com Fri Dec 5 11:37:10 2008 From: Dennis.Putnam at aimaudit.com (Dennis Putnam) Date: Fri, 5 Dec 2008 11:37:10 -0500 Subject: Credentials Cache File Problem Running with 'cron' In-Reply-To: <37372AFF-0D5A-40F0-992D-028EEB0E2AFC@mit.edu> References: <4E27DD07-683D-499E-B948-D89DB58BDA40@aimaudit.com> <37372AFF-0D5A-40F0-992D-028EEB0E2AFC@mit.edu> Message-ID: <1ED560EB-A9B0-4F68-93DE-CC7C96499F29@aimaudit.com> Thanks for the reply. That was suggested also but it appeared that the OS X implementation did not use that variable. However, your format is different then what was suggested. Specifically, the 'FILE:'. 
While that variable does not exist, I assumed when I created it and got the same error that it was because this implementation ignored it. Perhaps it was because of my incorrect format. I'll give it a try when I can and get back to you. On Dec 5, 2008, at 8:53 AM, Alexandra Ellwood wrote: > > > By default Kerberos on Mac OS X uses the API credentials cache > format to store credentials. This credentials cache is only > available from user sessions, not from daemon sessions like the one > used by cron. I recommend using the environment variable KRB5CCNAME > to specify a FILE credentials cache format and storing your tickets > in that (eg: KRB5CCNAME=FILE:/tmp/tickets). Using the same FILE > ccache from your perl script should work. > > > --lxs > > Alexandra Ellwood > MIT Information Services & Technology > > > > From eirvine at tpg.com.au Sun Dec 7 21:58:26 2008 From: eirvine at tpg.com.au (Edward Irvine) Date: Mon, 8 Dec 2008 13:58:26 +1100 Subject: Solaris 10 client, MIT 1.6 server, kpasswd command Message-ID: <4CA134A5-FDA7-4E35-8DDD-83BA7C319B7C@tpg.com.au> Hi Folks, Has anyone else had trouble changing passwords from a Solaris client? I'm using the Solaris 10 version of kpasswd: /bin/kpasswd username kpasswd: Changing password for username at EXAMPLE.COM. Old password: kpasswd: Cannot establish a session with the Kerberos administrative server for realm EXAMPLE.COM. Database error! Required KADM5 principal missing. This works fine when I use the MIT Kerberos version of kpasswd. Suggestions appreciated. Ta Eddie From cclausen at acm.org Sun Dec 7 23:04:54 2008 From: cclausen at acm.org (Christopher D. Clausen) Date: Sun, 7 Dec 2008 22:04:54 -0600 Subject: Solaris 10 client, MIT 1.6 server, kpasswd command References: <4CA134A5-FDA7-4E35-8DDD-83BA7C319B7C@tpg.com.au> Message-ID: <745127AEBF074C4EA2181537A182B415@CDCHOME> Edward Irvine wrote: > Has anyone else had trouble changing passwords from a Solaris client?
> > I'm using the Solaris 10 version of kpasswd: > > /bin/kpasswd unsername > kpasswd: Changing password for username at EXAMPLE.COM. > Old password: > kpasswd: Cannot establis a session with the Kerberos administrative > server for realm EXAMPLE.COM. Database error! Required KADM5 > principal missing. > > This works fine when I use the MIT Kerberos version of kpasswd. See: http://docs.sun.com/app/docs/doc/816-5174/krb5.conf-4?a=view krb5.conf -> kpasswd_protocol option: Identifies the protocol to be used when communicating with the server indicated by kpasswd_server. By default, this parameter is defined to be RPCSEC_GSS, which is the protocol used by Solaris-based administration servers. To be able to change a principal's password stored on non-Solaris Kerberos server, such as Microsoft Active Directory or MIT Kerberos, this value should be SET_CHANGE. This indicates that a non-RPC- based protocol is used to communicate the password change request to the server in the kpasswd_server entry. < Hello NG, I have to use Apache2 with module 'mod_auth_kerb' (http://modauthkerb.sourceforge.net/install.html) on Win32 to do SSO. While build/install on Linux with no problems, I can't figure it out on Win32 platform. The only mentionable link I found is http://www.jboss.org/community/docs/DOC-11465/version/11;jsessionid=0CC5375247D48136455B396E34737671 but unfortunately it is incomplete. Could anyone give me an hint how to compile/build 'mod_auth_kerb' for Win32 (.so or .dll) or even better, where to obtain the binary? Any help is really appreciated! Thanks. Marcus From mathew_rowley at cable.comcast.com Tue Dec 9 11:02:18 2008 From: mathew_rowley at cable.comcast.com (Mathew Rowley) Date: Tue, 09 Dec 2008 09:02:18 -0700 Subject: Kerberos + LDAP + RADIUS? Message-ID: We are re-architecting our whole authentication backend, and I am having a hard time trying to understand how Kerberos, LDAP, and RADIUS can all fit together. 
We currently use RADIUS and LDAP to do AAA, and group based security, but we are going to want to have an SSO functionality (thus introducing kerberos). I think I can see how Kerberos and LDAP fit together, with group based security: A user will authenticate with Kerberos' authentication server, then attempt to be assigned a ticket with the ticket granting server; the ticket granting server will query LDAP to see if a user has access to the resource, based on the groups that user is a part of. My problem is trying to figure out where RADIUS comes into the mix. It seems like there can be two options, but both seem to have problems: 1. Have authentication point to Kerberos server which will authenticate against radius : but this doesn't make sense because when you authenticate against Kerberos, there is no password passed from client to server, so how will Kerberos be able to tell if that user/pass is accepted via Radius. 2. Have authentication point to radius, and have it authenticate against Kerberos : this defeats a whole security aspect of Kerberos, not passing the users password to the server, and how is it possible for the client to have the Kerberos ticket? Maybe I am missing something, or maybe this is just not possible. Any insight/tutorials/etc. would be helpful; there is not much on this topic available. Thanks. -- MAT From luke.scharf at clusterbee.net Tue Dec 9 12:35:16 2008 From: luke.scharf at clusterbee.net (Luke Scharf) Date: Tue, 09 Dec 2008 11:35:16 -0600 Subject: Kerberos + LDAP + RADIUS? In-Reply-To: References: Message-ID: <493EAC54.3070507@clusterbee.net> Mathew Rowley wrote: > We are re-architecting our whole authentication backend, and I am having a > hard time trying to understand how Kerberos, LDAP, and RADIUS can all fit > together. We currently use RADIUS and LDAP to do AAA, and group based > security, but we are going to want to have an SSO functionality (thus > introducing kerberos).
> Are all of the users who have accounts in Radius also have accounts in Kerberos? Do all of the devices that need authentication services support Kerberos? -Luke From mathew_rowley at cable.comcast.com Tue Dec 9 13:57:17 2008 From: mathew_rowley at cable.comcast.com (Mathew Rowley) Date: Tue, 09 Dec 2008 11:57:17 -0700 Subject: Kerberos + LDAP + RADIUS? In-Reply-To: <493EAC54.3070507@clusterbee.net> Message-ID: On 12/9/08 10:35 AM, "Luke Scharf" wrote: > Are all of the users who have accounts in Radius also have accounts in > Kerberos? Kerberos is not implemented yet - as of now, all users are in radius. > Do all of the devices that need authentication services support Kerberos? Yes and no - our current focus is unix/linux systems, and - if possible - would like to extend to Cisco. -- MAT From anuraggwl at yahoo.com Tue Dec 9 17:06:50 2008 From: anuraggwl at yahoo.com (Anuraggwl) Date: Tue, 9 Dec 2008 14:06:50 -0800 (PST) Subject: Java GSS-API and kerberos Service Tickets Message-ID: <20924707.post@talk.nabble.com> Can someone please tell me what should be the correct behaviour of Java GSS API if I get the service token for Service Principal 1 ( SPN1) and on server accept it using Service Principal 2( SPN2) where both service principals are mapped to a single user account in KDC( windows 2003). I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in a single user account. For example, if my user account is websvr then I run the following setspn command to set these SPNs to the websvr account. setSPN -A HTTP/SPN1 at MyRealm websvr setSPN -A HTTP/SPN2 at MyRealm websvr I have also mapped SPN1 as primary SPN using ktpass mapuser.
In my Java Client program, i request the service ticket for HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have following kerberos config file com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required isInitiator=false storeKey=true doNotPrompt=true useKeyTab=true keyTab="c://websvrKeys.keytab" principal="HTTP/SPN1 at MyRealm" realm="MyRealm" debug=true; }; Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use isInitiator flag to false to avoid contact with KDC for authentication. Is this Principal Name is mandatory attribute here ? Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos config file. I am seeing following behaviour. 1) Java GSS Server code is able to validate the service ticket ( for SPN2) and on server, we still have SPN1 in conf file. is this correct behaviour ? It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ? 2) is it possible to accept kerberos ticket using some other GSSName. for example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 in my server side code like below : GSSName sname = mgr.createName("HTTP/SPN2 at myRealm, null); GSSCredential clientCreds = mgr.createCredential(sname, GSSCredential.DEFAULT_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY); When i do that i get Error "Unable to get kerberos key in keytab." However, i have both SPN1/SPN2 in keytab file. Note that if in my server code, if i put GNAME as null then JAVa GSS API gets GSSName from kerberos config file by reading principal. -- View this message in context: http://www.nabble.com/Java-GSS-API-and-kerberos-Service-Tickets-tp20924707p20924707.html Sent from the Kerberos - General mailing list archive at Nabble.com. From deengert at anl.gov Tue Dec 9 18:12:46 2008 From: deengert at anl.gov (Douglas E. 
Engert) Date: Tue, 09 Dec 2008 17:12:46 -0600 Subject: Java GSS-API and kerberos Service Tickets In-Reply-To: <20924707.post@talk.nabble.com> References: <20924707.post@talk.nabble.com> Message-ID: <493EFB6E.6030102@anl.gov> GSSName takes service at host, not principal. GSSName does not take a realm. The realm is determined internally to the GSS. So in your case the GSSname would be HTTP at SPN2 (Still don't know why you have to use a single AD account with two SPNs, rather than two separate accounts.) Anuraggwl wrote: > Can someone please tell me what should be the correct behaviour of Java GSS > API if get the service token for Service Principal 1 ( SPN1) and on server > accept it using Service Principal 2( SPN2) where both service principal are > mapped to single user account in KDC( windows 2003). > > I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in single > user account. for example, if my user account is websvr then i run following > command setspn to set these SPN's to websvr account. > > setSPN -A HTTP/SPN1 at MyRealm websvr > setSPN -A HTTP/SPN2 at MyRealm websvr > > I have also mapped SPN1 as primary SPN using ktpass mapuser. > > In my Java Client program, i request the service ticket for > HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have > following kerberos config file > > com.sun.security.jgss.accept { > com.sun.security.auth.module.Krb5LoginModule required isInitiator=false > storeKey=true > doNotPrompt=true > useKeyTab=true > keyTab="c://websvrKeys.keytab" > principal="HTTP/SPN1 at MyRealm" > realm="MyRealm" > debug=true; > }; > > Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use > isInitiator flag to false to avoid contact with KDC for authentication. > > Is this Principal Name is mandatory attribute here ? > > Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the > authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos > config file.
> > I am seeing following behaviour. > > 1) Java GSS Server code is able to validate the service ticket ( for SPN2) > and on server, we still have SPN1 in conf file. is this correct behaviour ? > > It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ? > > 2) is it possible to accept kerberos ticket using some other GSSName. for > example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 in > my server side code like below : > > GSSName sname = mgr.createName("HTTP/SPN2 at myRealm, null); > > GSSCredential clientCreds = mgr.createCredential(sname, > > GSSCredential.DEFAULT_LIFETIME, > krb5Oid, > GSSCredential.ACCEPT_ONLY); > > When i do that i get Error "Unable to get kerberos key in keytab." However, > i have both SPN1/SPN2 in keytab file. > > Note that if in my server code, if i put GNAME as null then JAVa GSS API > gets GSSName from kerberos config file by reading principal. > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From venkiidotcom at yahoo.com Wed Dec 10 12:16:09 2008 From: venkiidotcom at yahoo.com (Venkatesh Ramamoorthy) Date: Wed, 10 Dec 2008 09:16:09 -0800 (PST) Subject: help required on krb5-server-ldap Message-ID: <844089.81755.qm@web31008.mail.mud.yahoo.com> Hi Wondering any special configuration should go in place for starting krb5kdc service if we have ldap as the back end for Kerberos.Tried all options in krb5kdc .. however it just wouldn't work for me. Advice me Thanks Venki From anuraggwl at yahoo.com Wed Dec 10 15:47:45 2008 From: anuraggwl at yahoo.com (Anuraggwl) Date: Wed, 10 Dec 2008 12:47:45 -0800 (PST) Subject: Java GSS-API and kerberos Service Tickets Message-ID: <20942354.post@talk.nabble.com> To give some background of my application, i am developing web application which will support Kerberos SSO on windows platform. 
It means that if some user logs in to Windows Client Machine and opens my application then my application will not throw any login screen . It will use Logged-in user credentials to login to my system. >From browser perspective, i am using SPNEGO support to get Kerberos ticket. My Web application can be deployed in reverseProxy or load balanced environments. In addition to that, there is a requirment to support kerberos login even if some end user tries to access internal app server directly i.e. by passing proxy. For example, i have deployed my appllication on node01.mydomain.com and revese proxy url is myapp.mydomain.com. So basically user can use both url to access my application. URL1 : myapp.mydomain.com ( Reverse Proxy ) URL2: node01.mydomain.com ( actual app server ) SInce i am using browser SPNEGO support so browser takes care of creating SPN to get Service Ticket from KDC. For example, if enduser opens URL1 ( myapp.mydomain.com ) then browser create SPN like below: HTTP/myapp.mydomain.com at MYDOMAIN.COM However, if enduser access intenal server URL2 ( node01.mydomain.com ) then browser create SPN like below: HTTP/node01mydomain.com at MYDOMAIN.COM I could register both these service in different accounts in Windows KDC. however, to make things simpler i tried putting all services in same account. However, irrespective of how i create the SPN's in KDC, on my server side code, i can have only one Service which can be either "HTTP/node01.mydomain.com at mydomain.com" or "HTTP/myapp.mydomain.com at mydomain.com" i dont know is there a way in Java GSS API where i can load Java Subject objects with services credentials from multiple keytab file. It seems that Java GSS API reads "principal" property from Kerberos conf file. If map both the URL's to same user account in KDc and then register ""HTTP/myapp.mydomain.com at mydomain.com"" as principal in kerberos configuration file then my server code can accept secuity context with any of the service ticket ( i.e. 
( HTTP/myapp.mydomain.com at mydomain.com" Or HTTP/node01.mydomain.com at mydomain.com" I dont know is this the correct behavior where browser request the Service Ticket for different URL URL2( or Service) and server code validates using some other account URL1 ? Is there a way to accept security context by overriding Principal attribute in kerberos conf file? Douglas E. Engert wrote: > > GSSName takes service at host, not principal. > GSSName does not take a realm. The realm is determined > internaly to the GSS. > > So in your case the GSSname would be HTTP at SPN2 > > (Still don't know why you have to use a single AD account with > two SPNs, rather then two separate accounts.) > > Anuraggwl wrote: >> Can someone please tell me what should be the correct behaviour of Java >> GSS >> API if get the service token for Service Principal 1 ( SPN1) and on >> server >> accept it using Service Principal 2( SPN2) where both service principal >> are >> mapped to single user account in KDC( windows 2003). >> >> I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in >> single >> user account. for example, if my user account is websvr then i run >> following >> command setspn to set these SPN's to websvr account. >> >> setSPN -A HTTP/SPN1 at MyRealm websvr >> setSPN -A HTTP/SPN2 at MyRealm websvr >> >> I have also mapped SPN1 as primary SPN using ktpass mapuser. >> >> In my Java Client program, i request the service ticket for >> HTTP/SPN2 at MyRealm and pass it to Java Server code. On Server side, i have >> following kerberos config file >> >> com.sun.security.jgss.accept { >> com.sun.security.auth.module.Krb5LoginModule required isInitiator=false >> storeKey=true >> doNotPrompt=true >> useKeyTab=true >> keyTab="c://websvrKeys.keytab" >> principal="HTTP/SPN1 at MyRealm" >> realm="MyRealm" >> debug=true; >> }; >> >> Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use >> isInitiator flag to false to avoid contact with KDC for authentication. 
>> >> Is this Principal Name is mandatory attribute here ? >> >> Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the >> authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos >> config file. >> >> I am seeing following behaviour. >> >> 1) Java GSS Server code is able to validate the service ticket ( for >> SPN2) >> and on server, we still have SPN1 in conf file. is this correct behaviour >> ? >> >> It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ? >> >> 2) is it possible to accept kerberos ticket using some other GSSName. for >> example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 >> in >> my server side code like below : >> >> GSSName sname = mgr.createName("HTTP/SPN2 at myRealm, >> null); >> >> GSSCredential clientCreds = mgr.createCredential(sname, >> >> GSSCredential.DEFAULT_LIFETIME, >> krb5Oid, >> GSSCredential.ACCEPT_ONLY); >> >> When i do that i get Error "Unable to get kerberos key in keytab." >> However, >> i have both SPN1/SPN2 in keytab file. >> >> Note that if in my server code, if i put GNAME as null then JAVa GSS API >> gets GSSName from kerberos config file by reading principal. >> >> > > -- > > Douglas E. Engert > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- View this message in context: http://www.nabble.com/Java-GSS-API-and-kerberos-Service-Tickets-tp20924707p20942354.html Sent from the Kerberos - General mailing list archive at Nabble.com. 
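A check to run before going further with the acceptor question, as an added example that is not part of the thread and is not code from MIT or the JDK: list what the keytab actually contains. Java's "Unable to get kerberos key in keytab" comes down to whether an entry with exactly the principal named in the ticket (realm included) and a usable kvno and enctype is in the file, which is what klist -k shows. The script below reads and writes the MIT keytab file format (version 0x0502, the format klist -k and ktutil handle) and merges two single-SPN keytabs into one file, the same result as ktutil's rkt/rkt/wkt. The SPNs HTTP/myapp.mydomain.com and HTTP/node01.mydomain.com, the realm MYDOMAIN.COM, the kvnos 3 and 4, the timestamp and the key bytes are constructed sample data, and the keys are dummies, not real key material.

```python
# Added example: reader/writer for the MIT keytab file format (version 0x0502),
# not code from the thread or from the MIT/Java sources. Principals, realm,
# kvnos, timestamps and key bytes are constructed sample data; keys are dummies.
import struct

KEYTAB_VERSION = b"\x05\x02"   # keytab file magic; every field is big-endian
KRB5_NT_PRINCIPAL = 1          # name type recorded with each entry
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(raw):
    """counted_octet_string: 16-bit length prefix, then the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _take_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes, timestamp)."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key, stamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, stamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)             # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # signed size, then record
    return bytes(out)


def parse_keytab(data):
    """One dict per live entry, in file order (the walk klist -k performs)."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, cur = _take_counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, cur = _take_counted(body, cur)
            comps.append(comp.decode())
        name_type, stamp, vno8 = struct.unpack_from(">IIB", body, cur)
        (enctype,) = struct.unpack_from(">H", body, cur + 9)
        key, cur = _take_counted(body, cur + 11)
        kvno = vno8
        if len(body) - cur >= 4:     # trailing 32-bit kvno; non-zero value wins
            (vno32,) = struct.unpack_from(">I", body, cur)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": stamp, "kvno": kvno,
                        "enctype": enctype, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def find_key(entries, principal, enctype=None, kvno=None):
    """The acceptor's lookup: exact principal (realm included, case-sensitive),
    optionally narrowed to the enctype and kvno the ticket names."""
    for ent in entries:
        if ent["principal"] != principal:
            continue
        if enctype is not None and ent["enctype"] != enctype:
            continue
        if kvno is not None and ent["kvno"] != kvno:
            continue
        return ent
    return None


def merge_keytabs(*blobs):
    """Same result as ktutil's rkt a / rkt b / wkt merged: all entries, one file."""
    merged = []
    for blob in blobs:
        merged.extend((e["principal"], e["kvno"], e["enctype"], e["key"],
                       e["timestamp"]) for e in parse_keytab(blob))
    return build_keytab(merged)


# Constructed sample: one keytab per SPN, as two separate keytab exports give.
STAMP = 1228780800   # 2008-12-09T00:00:00Z
PROXY_KT = build_keytab([("HTTP/myapp.mydomain.com@MYDOMAIN.COM", 3, 23,
                          bytes(range(16)), STAMP)])
NODE_KT = build_keytab([("HTTP/node01.mydomain.com@MYDOMAIN.COM", 4, 23,
                         bytes(range(16, 32)), STAMP)])
BOTH_KT = merge_keytabs(PROXY_KT, NODE_KT)

if __name__ == "__main__":
    for e in parse_keytab(BOTH_KT):   # klist -k style: kvno, principal, enctype
        print("%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
```

Running it as a script prints a klist -k style listing of the merged sample; for a real file, pass open("websvrKeys.keytab", "rb").read() to parse_keytab. Two details matter for the setup in the thread: find_key, like the krb5 library's own lookup, compares the whole principal including the realm and is case-sensitive, so an entry stored as ...@mydomain.com will not serve a ticket issued for ...@MYDOMAIN.COM; and the kvno has to match the one in the ticket, so a keytab exported before the account's password was last changed stops working even though the principal name is still present in the file.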
From deengert at anl.gov Thu Dec 11 11:10:57 2008 From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 11 Dec 2008 10:10:57 -0600 Subject: Java GSS-API and kerberos Service Tickets In-Reply-To: <20942354.post@talk.nabble.com> References: <20942354.post@talk.nabble.com> Message-ID: <49413B91.3020704@anl.gov> Anuraggwl wrote: > To give some background of my application, i am developing web application > which will support Kerberos SSO on windows platform. It means that if some > user logs in to Windows Client Machine and opens my application then my > application will not throw any login screen . It will use Logged-in user > credentials to login to my system. > >>From browser perspective, i am using SPNEGO support to get Kerberos ticket. > My Web application can be deployed in reverseProxy or load balanced > environments. In addition to that, there is a requirement to support kerberos > login even if some end user tries to access internal app server directly > i.e. by passing proxy. > > For example, i have deployed my application on node01.mydomain.com and > reverse proxy url is myapp.mydomain.com. So basically user can use both url > to access my application. > > URL1 : myapp.mydomain.com ( Reverse Proxy ) > URL2: node01.mydomain.com ( actual app server ) > > SInce i am using browser SPNEGO support so browser takes care of creating > SPN to get Service Ticket from KDC.
For example, if enduser opens URL1 ( > myapp.mydomain.com ) then browser create SPN like below: > > HTTP/myapp.mydomain.com at MYDOMAIN.COM > > However, if enduser access intenal server URL2 ( node01.mydomain.com ) then > browser create SPN like below: > > HTTP/node01mydomain.com at MYDOMAIN.COM > > I could register both these service in different accounts in Windows KDC. > however, to make things simpler i tried putting all services in same > account. That does not make it simpler. Keeping keys in sync in much harder then having two accounts... > > However, irrespective of how i create the SPN's in KDC, on my server side > code, i can have only one Service which can be either > "HTTP/node01.mydomain.com at mydomain.com" or > "HTTP/myapp.mydomain.com at mydomain.com" > RFC 2853 GSS-API Java Bindings says: " The creation's of an GSSContext object allows the value of "null" to be specified as the GSSCredential input parameter. This will indicate a desire by the application to act as a default principal." The questing then is how does Java determine the "default principal" on the server side. If they did it the way I think it should have been done, they would accept tickes for any of the principal listed in the keytab file. I don't know if Java does it this way or not. You may have to try it and look at the source. Another approach, If your application knows what URL the user has used, then you could use the GSSname to pass in the GSSContext. > i dont know is there a way in Java GSS API where i can load Java Subject > objects with services credentials from multiple keytab file. Make sure you keytab file has both entries. You can use the ktutil to merge keytab files. > > It seems that Java GSS API reads "principal" property from Kerberos conf > file. No, you passed it in with the GSSname. > If map both the URL's to same user account in KDc mapping in AD has nothing to do with Kerberos protocol. 
It has to do with using the same passwrod to generate keys for all UPN and SPNs associated with that account. > and then register > ""HTTP/myapp.mydomain.com at mydomain.com"" as principal in kerberos > configuration file That would be the keytab file. > then my server code can accept secuity context with any > of the service ticket ( i.e. ( HTTP/myapp.mydomain.com at mydomain.com" Or > HTTP/node01.mydomain.com at mydomain.com" > I dont know is this the correct behavior where browser request the Service > Ticket for different URL URL2( or Service) and server code validates using > some other account URL1 ? > > Is there a way to accept security context by overriding Principal attribute > in kerberos conf file? > > > > Douglas E. Engert wrote: >> GSSName takes service at host, not principal. >> GSSName does not take a realm. The realm is determined >> internaly to the GSS. >> >> So in your case the GSSname would be HTTP at SPN2 >> >> (Still don't know why you have to use a single AD account with >> two SPNs, rather then two separate accounts.) >> >> Anuraggwl wrote: >>> Can someone please tell me what should be the correct behaviour of Java >>> GSS >>> API if get the service token for Service Principal 1 ( SPN1) and on >>> server >>> accept it using Service Principal 2( SPN2) where both service principal >>> are >>> mapped to single user account in KDC( windows 2003). >>> >>> I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in >>> single >>> user account. for example, if my user account is websvr then i run >>> following >>> command setspn to set these SPN's to websvr account. >>> >>> setSPN -A HTTP/SPN1 at MyRealm websvr >>> setSPN -A HTTP/SPN2 at MyRealm websvr >>> >>> I have also mapped SPN1 as primary SPN using ktpass mapuser. >>> >>> In my Java Client program, i request the service ticket for >>> HTTP/SPN2 at MyRealm and pass it to Java Server code. 
On Server side, i have >>> following kerberos config file >>> >>> com.sun.security.jgss.accept { >>> com.sun.security.auth.module.Krb5LoginModule required isInitiator=false >>> storeKey=true >>> doNotPrompt=true >>> useKeyTab=true >>> keyTab="c://websvrKeys.keytab" >>> principal="HTTP/SPN1 at MyRealm" Do you really need this principal entry? Is this what is causing it to only use one entry in the keytab??? http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html says: "You can use principal option to set the principal when there are credentials for multiple principals in the keyTab" This sounds like if you don't specify principal, it can use any entry in the keytab, and dont use the GSSname to set the principal. >>> realm="MyRealm" >>> debug=true; >>> }; >>> >>> Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use >>> isInitiator flag to false to avoid contact with KDC for authentication. >>> >>> Is this Principal Name is mandatory attribute here ? >>> >>> Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the >>> authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos >>> config file. >>> >>> I am seeing following behaviour. >>> >>> 1) Java GSS Server code is able to validate the service ticket ( for >>> SPN2) >>> and on server, we still have SPN1 in conf file. is this correct behaviour >>> ? >>> >>> It seems in other Kerberos API,i get "WRONG PRINCIPAL IN REQUEST" ? >>> >>> 2) is it possible to accept kerberos ticket using some other GSSName. for >>> example, my config contains principal as HTTP/SPN1, can i use HTTP/SPN2 >>> in >>> my server side code like below : >>> >>> GSSName sname = mgr.createName("HTTP/SPN2 at myRealm, >>> null); >>> >>> GSSCredential clientCreds = mgr.createCredential(sname, >>> >>> GSSCredential.DEFAULT_LIFETIME, >>> krb5Oid, >>> GSSCredential.ACCEPT_ONLY); >>> >>> When i do that i get Error "Unable to get kerberos key in keytab." 
>>> However, >>> i have both SPN1/SPN2 in keytab file. >>> >>> Note that if in my server code, if i put GNAME as null then JAVa GSS API >>> gets GSSName from kerberos config file by reading principal. >>> >>> >> -- >> >> Douglas E. Engert >> Argonne National Laboratory >> 9700 South Cass Avenue >> Argonne, Illinois 60439 >> (630) 252-5444 >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> >> > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From res at qoxp.net Thu Dec 11 00:46:28 2008 From: res at qoxp.net (Richard E. Silverman) Date: Thu, 11 Dec 2008 00:46:28 -0500 Subject: Kerberos + LDAP + RADIUS? References: Message-ID: >>>>> "MR" == Mathew Rowley writes: MR> We are re-architecting our whole authentication backend, and I am MR> having a hard time trying to understand how Kerberos, LDAP, and MR> RADIUS can all fit together. We currently use RADIUS and LDAP to MR> do AAA, and group based security, but we are going to want to have MR> an SSO functionality (thus introducing kerberos). MR> I think I can see how Kerberos and LDAP fit together, with group MR> based security: A user will authenticate with Kerberos? MR> authentication server, then attempt to be assigned a ticket with MR> the ticket granting server ? the ticket granting server will query MR> LDAP to see if a user has access to the resource, based on the MR> groups that user is a part of. Not quite -- Kerberos is purely authentication, not authorization.* A ticket doesn't grant access to a resource; it identifies a client to the server of that resource, so that the server can *make* that authorization decision. To do so, it might then in turn query LDAP to find out the client's permissions/rights. 
* At least traditionally -- though the ticket data structure does have an
authorization field, which Microsoft uses to encode a user's rights (group
memberships, etc.).

MR> My problem is trying to figure out where RADIUS comes into the
MR> mix. It seems like there can be two options, but both seem to
MR> have problems: 1. Have authentication point to Kerberos server
MR> which will authenticate against radius : but this doesn't make
MR> sense because when you authenticate against Kerberos, there is no
MR> password passed from client to server, so how will Kerberos be
MR> able to tell if that user/pass is accepted via Radius. 2. Have
MR> authentication point to radius, and have it authenticate against
MR> Kerberos : this defeats a whole security aspect of Kerberos - not
MR> passing the users password to the server, and how is it possible
MR> for the client to have the Kerberos ticket?

MR> Maybe I am missing something, or maybe this is just not possible.
MR> Any insight/tutorials/etc. would be helpful - there is not much on
MR> this topic available. Thanks.

MR> --
MR> MAT

--
Richard Silverman
res at qoxp.net

From mathew_rowley at cable.comcast.com Thu Dec 11 15:25:14 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 11 Dec 2008 13:25:14 -0700
Subject: Redhat Package to get kldap module working?
Message-ID:

Has anyone used the kldap db module on redhat? I have OpenLDAP and Kerberos
installed via redhat packages, but when attempting to start krb5kdc, I get
the following error:

krb5kdc: Unable to find requested database type - while initializing
database for realm BLAH.COM

It sounds like the module is not loading properly, or not installed. Any
ideas?
Here is my krb5.conf additions:

[dbdefaults]
ldap_kerberos_container_dn = cn=krbcontainer,o=com

[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,o=com
    ldap_kdc_dn = "cn=krbadmin,o=com"
    ldap_kadmind_dn = "cn=krbadmin,o=com"
    ldap_service_password_file = /etc/kerberos/service.keyfile
    ldap_servers = ldap://ipa01.security.lab.comcast.com
    ldap_conns_per_server = 5
}

--
MAT

From mikef at berkeley.edu Thu Dec 11 15:54:23 2008
From: mikef at berkeley.edu (Mike Friedman)
Date: Thu, 11 Dec 2008 12:54:23 -0800 (PST)
Subject: AS_REQ Return code 60 for principal expired?
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've been doing some testing of my programs that use the MIT API against a
KDC running 1.6.1 on a Linux system. On all prior systems where I've run a
KDC, and according to the Kerberos docs, a principal expired condition
should set a return code of 1. But on this test system, it seems I'm
getting back a 60, which the docs define as a 'generic error'.

Now, I realize I may very well have done something wrong in switching my
environment (which I do by pointing to a different krb5.conf file and a
different service keytab). When I point my same programs back to the 1.4.2
production system, I do get the return code=1 that I expect. When I
unexpire the principal, authentication works correctly on the test system,
just as it should.

Does anyone know of any reason I should get back a return code of 60,
instead of 1, for an expired principal on 1.6.1?

Thanks.
Mike

_________________________________________________________________________
Mike Friedman
Information Services & Technology
mikef at berkeley.edu
2484 Shattuck Avenue
1-510-642-1410
University of California at Berkeley
http://mikef.berkeley.edu
http://ist.berkeley.edu
_________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAklBff8ACgkQFgKSfLOvZ1Rf+QCdF5oVpwJHhajfbUZ773tOQGPq
DgAAn14YGwUbd8a/9F/5A+SD3tWV8FEw
=Rg4l
-----END PGP SIGNATURE-----

From mathew_rowley at cable.comcast.com Thu Dec 11 16:29:33 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 11 Dec 2008 14:29:33 -0700
Subject: Redhat Package to get kldap module working?
In-Reply-To:
Message-ID:

In case someone else runs into this problem, it seems that by default the
redhat Kerberos RPM is not installed with LDAP support, there are flags at
the top of the spec file to change this:

# Define WITH_LDAP to get the krb5-server-ldap subpackage, and define both
# WITH_LDAP and ONLY_LDAP to make it the only subpackage.
%define WITH_LDAP 1
%define ONLY_LDAP 0
%define WITH_DIRSRV 0

MAT

On 12/11/08 1:25 PM, "Mathew Rowley" wrote:

> Has anyone used the kldap db module on redhat? I have OpenLDAP and Kerberos
> installed via redhat packages, but when attempting to start krb5kdc, I get
> the following error:
>
> krb5kdc: Unable to find requested database type - while initializing
> database for realm BLAH.COM
>
> It sounds like the module is not loading properly, or not installed. Any
> ideas?
>
> Here is my krb5.conf additions:
> [dbdefaults]
> ldap_kerberos_container_dn = cn=krbcontainer,o=com
> [dbmodules]
> openldap_ldapconf = {
>     db_library = kldap
>     ldap_kerberos_container_dn = cn=krbcontainer,o=com
>     ldap_kdc_dn = "cn=krbadmin,o=com"
>     ldap_kadmind_dn = "cn=krbadmin,o=com"
>     ldap_service_password_file = /etc/kerberos/service.keyfile
>     ldap_servers = ldap://ipa01.security.lab.comcast.com
>     ldap_conns_per_server = 5
> }
>
> --
> MAT
>

From mathew_rowley at cable.comcast.com Thu Dec 11 17:25:34 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 11 Dec 2008 15:25:34 -0700
Subject: Error reading password from stash
Message-ID:

After uninstalling all krb packages, and reinstalling my newly compiled
ones, I cannot seem to do anything. Every command to create a new database,
or delete the old one, or start the service gets something to this extent:

[root at ipa01 krb5kdc]# kdb5_util destroy
kdb5_util: Error reading password from stash: No such file or directory
while initializing database

[root at ipa01 i386]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm
'IPA.COMCAST.COM',
master key name 'K/M at IPA.COMCAST.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
create: Error reading password from stash: No such file or directory while
creating database '/var/kerberos/krb5kdc/principal'

[root at ipa01 i386]# tail -f /var/log/krb5kdc.log
krb5kdc: No such file or directory - while initializing database for realm
IPA.COMCAST.COM

Is there a way to manually clean out the old db? Or how do I find the old
stash, and put it where it needs to be?
It looks like its located in the /var/kerberos/krb5kdc/ directory:

[root at ipa01 krb5kdc]# ls -lah
total 96K
drwxr-xr-x 2 root root 4.0K Dec 11 16:21 .
drwxr-xr-x 3 root root 4.0K Dec 11 16:10 ..
-rw------- 1 root root   30 Dec 11 10:59 .k5.IPA.COMCAST.COM

But for some reason the service cannot find it.

Thanks.

--
MAT

From ssorce at redhat.com Fri Dec 12 01:17:10 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 12 Dec 2008 01:17:10 -0500
Subject: Redhat Package to get kldap module working?
In-Reply-To:
References:
Message-ID: <1229062630.10907.51.camel@localhost.localdomain>

On Thu, 2008-12-11 at 13:25 -0700, Mathew Rowley wrote:
> Has anyone used the kldap db module on redhat? I have OpenLDAP and Kerberos
> installed via redhat packages, but when attempting to start krb5kdc, I get
> the following error:
>
> krb5kdc: Unable to find requested database type - while initializing
> database for realm BLAH.COM
>
> It sounds like the module is not loading properly, or not installed. Any
> ideas?

The ldap module is not built by default in RHEL.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From nicolas.michel at lemail.be Fri Dec 12 06:33:08 2008
From: nicolas.michel at lemail.be (Nicolas Michel)
Date: Fri, 12 Dec 2008 12:33:08 +0100
Subject: Trying to put an Ubuntu laptop into a Windows 2003 domain
Message-ID: <1229081588.8367.7.camel@nm-laptop>

Hi everyone,

I'm trying to put my laptop on Ubuntu into a Microsoft domain.
After editing /etc/krb5.conf, I tried to get a ticket with kinit but
there is the error message:
kinit(v5): KDC reply did not match expectations while getting initial
credentials

What does this error mean exactly?

Here is my krb5.conf (I know the dns is strangely configured, I'm not the
one who has configured it ...):

[logging]
default = SYSLOG:INFO:DAEMON

[libdefaults]
ticket_lifetime = 24000
default_realm = PCS
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
PCS = {
    kdc = srv01
    admin_server = srv01
    default_domain = pcs.local
}

[domain_realm]
.pcs.local = PCS
pcs.local = PCS

I searched on the web but did not find something to solve the problem.
A little help could be so nice.

Thx.

From huaraz at moeller.plus.com Sat Dec 13 19:11:38 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 14 Dec 2008 00:11:38 -0000
Subject: Trying to put an Ubuntu laptop into a Windows 2003 domain
In-Reply-To: <1229081588.8367.7.camel@nm-laptop>
References: <1229081588.8367.7.camel@nm-laptop>
Message-ID:

Firstly you should use rc4-hmac as the first encryption method. Secondly
what is the AD domain name? The error you see usually means that you
connect with the wrong domain name to AD.

Markus

"Nicolas Michel" wrote in message news:1229081588.8367.7.camel at nm-laptop...
> Hi everyone,
>
> I'm trying to put my laptop on Ubuntu into a Microsoft domain.
> After editing /etc/krb5.conf, I tried to get a ticket with kinit but
> there is the error message:
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials
>
> What does this error mean exactly?
>
> Here is my krb5.conf (I know the dns is strangely configured, I'm not the
> one who has configured it ...):
>
> [logging]
> default = SYSLOG:INFO:DAEMON
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = PCS
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> PCS = {
>     kdc = srv01
>     admin_server = srv01
>     default_domain = pcs.local
> }
>
> [domain_realm]
> .pcs.local = PCS
> pcs.local = PCS
>
> I searched on the web but did not find something to solve the problem.
> A little help could be so nice.
> Thx.
>

From brackmeister2 at gmail.com Mon Dec 15 05:28:35 2008
From: brackmeister2 at gmail.com (david bracken)
Date: Mon, 15 Dec 2008 11:28:35 +0100
Subject: Missing parameters in krb5.conf required for kadmin client
Message-ID:

Hello,

Before I throw myself off a bridge in frustration, I decided to whip out my
laptop and post a message to the kerberos mailing list. I've got a RHEL5 box
authenticating against a Win2k3 box. SSO doesn't work though because I can't
run kadmin. Normally AD logins work, just not SSO.

Here is what I tried:

kadmin addprinc -randkey host/adtest1.test.company
Authenticating as principal unixadmin/admin at TEST.COMPANY with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while
initializing kadmin interface

and here is the relevant part of my krb5.conf:

[realms]
TEST.COMPANY = {
    admin_server = intt9dc1.test.company:88
    kdc = intt9dc1.test.company:749
    master_kdc = intt9dc1.test.company:749
    default_domain = test.company
}

According to the source code, I need the following defined:

KADM5_CONFIG_REALM
KADM5_CONFIG_ADMIN_SERVER
KADM5_CONFIG_KADMIND_PORT

I really can't see the problem. Can anyone push me in the right direction?

David

From james.chavez at sanmina-sci.com Mon Dec 15 11:09:00 2008
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Mon, 15 Dec 2008 09:09:00 -0700
Subject: Multiple realms in one krb5.conf
Message-ID: <1229357340.4314.16.camel@PHX1AMUX269160.sanmina-sci.com>

Hello list,

I have a question that I need assistance with.

I have a Windows 2003 AD setup.
The forest consists of 3 domains.
So we will say the name is
example.com and there are 3 domains.
america.example.com
asia.example.com
europe.example.com

Is it possible to configure the krb5.conf on a station so that kerberos
can service login requests for each of the 3 domains?

Is this as simple as adding an entry for each realm in the realms
section of the krb5.conf file.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged and/or
confidential information. If you are not the intended recipient of this
e-mail message, you are hereby notified that any dissemination, distribution
or copying of this e-mail message, and any attachments thereto, is strictly
prohibited. If you have received this e-mail message in error, please
immediately notify the sender and permanently delete the original and any
copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT
INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform
Electronic Transactions Act or the applicability of any other law of similar
substance and effect, absent an express statement to the contrary
hereinabove, this e-mail message its contents, and any attachments hereto
are not intended to represent an offer or acceptance to enter into a
contract and are not otherwise intended to bind the sender, Sanmina-SCI
Corporation (or any of its subsidiaries), or any other person or entity.

From beoweolf at pacbell.net Sat Dec 13 18:03:51 2008
From: beoweolf at pacbell.net (beoweolf)
Date: Sat, 13 Dec 2008 15:03:51 -0800
Subject: Trying to put an Ubuntu laptop into a Windows 2003 domain
In-Reply-To:
References:
Message-ID: <_aX0l.10029$c45.7062@nlpi065.nbdc.sbc.com>

You may want to broaden your search. Although I was unable to find specific
Ubuntu document regarding Active directory, Kerberos and windows
authentication.
I was able to find Linux, Kerberos, AD under Windows (2000+) information
which details a method that may assist you in your quest.

http://technet.microsoft.com/en-us/magazine/dd228986.aspx

"Nicolas Michel" wrote in message
news:mailman.6.1229082065.15569.kerberos at mit.edu...
> Hi everyone,
>
> I'm trying to put my laptop on Ubuntu into a Microsoft domain.
> After editing /etc/krb5.conf, I tried to get a ticket with kinit but
> there is the error message:
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials
>
> What does this error mean exactly?
>
> Here is my krb5.conf (I know the dns is strangely configured, I'm not the
> one who has configured it ...):
>
> [logging]
> default = SYSLOG:INFO:DAEMON
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = PCS
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> PCS = {
>     kdc = srv01
>     admin_server = srv01
>     default_domain = pcs.local
> }
>
> [domain_realm]
> .pcs.local = PCS
> pcs.local = PCS
>
> I searched on the web but did not find something to solve the problem.
> A little help could be so nice.
> Thx.
>

From deengert at anl.gov Mon Dec 15 11:41:19 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 15 Dec 2008 10:41:19 -0600
Subject: Trying to put an Ubuntu laptop into a Windows 2003 domain
In-Reply-To: <1229081588.8367.7.camel@nm-laptop>
References: <1229081588.8367.7.camel@nm-laptop>
Message-ID: <494688AF.8010609@anl.gov>

Nicolas Michel wrote:
> Hi everyone,
>
> I'm trying to put my laptop on Ubuntu into a Microsoft domain.
> After editing /etc/krb5.conf, I tried to get a ticket with kinit but
> there is the error message:
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials
>
> What does this error mean exactly?

It says the response from the KDC is not what it expected.
>
> Here is my krb5.conf (I know the dns is strangely configured, I'm not the
> one who has configured it ...):

Kerberos realms are usually based on the upper case name of a DNS domain.
This gives uniqueness. Your name is PCS. AD will let you use a short name,
but Kerberos wants the full name, like PCS.MYDOMAIN.DE. So you true the full
name of the AD domain.

So DNS may have resolved the srv01 name to a FQDN, and the request may have
been sent using the realm PCS, but I bet the response had something was
returned with the realm PCS.MYDOMAIN.DE.

Use FQDNs if possible. The pcs.local looks like it is not a FQDN.

>
> [logging]
> default = SYSLOG:INFO:DAEMON
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = PCS
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> PCS = {
>     kdc = srv01
>     admin_server = srv01
>     default_domain = pcs.local
> }
>
> [domain_realm]
> .pcs.local = PCS
> pcs.local = PCS
>
> I searched on the web but did not find something to solve the problem.
> A little help could be so nice.
> Thx.
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Mon Dec 15 11:52:29 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 15 Dec 2008 10:52:29 -0600
Subject: Multiple realms in one krb5.conf
In-Reply-To: <1229357340.4314.16.camel@PHX1AMUX269160.sanmina-sci.com>
References: <1229357340.4314.16.camel@PHX1AMUX269160.sanmina-sci.com>
Message-ID: <49468B4D.8060707@anl.gov>

James Chavez wrote:
> Hello list,
>
> I have a question that I need assistance with.
>
> I have a Windows 2003 AD setup.
> The forest consists of 3 domains.
> So we will say the name is
> example.com and there are 3 domains.
>
> america.example.com
> asia.example.com
> europe.example.com
>
> Is it possible to configure the krb5.conf on a station so that kerberos
> can service login requests for each of the 3 domains?

Maybe, but it is not clear what you mean.

> Is this as simple as adding an entry for each realm in the realms
> section of the krb5.conf file.

That is part of it, although DNS could be used to find the realms.

You say logins, so I am assuming that the station is Unix based. Login would
use PAM with a pam_krb5, and the station above will need to have a principal
in one of the realms and a keytab to match. But if a user is in one AD
domain and the server is in a different AD domain, this would be cross realm
and the pam_krb5 would have to do some additional checks. Kerberos only does
authentication; you still need to authorize the user to login.

Start here, as this gives the basic concepts:

http://technet.microsoft.com/en-us/library/bb742433.aspx

>
>
> Thank you
> James
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From mvalites at buffalo.edu Mon Dec 15 15:04:02 2008
From: mvalites at buffalo.edu (Mark T. Valites)
Date: Mon, 15 Dec 2008 15:04:02 -0500 (EST)
Subject: Seeking KDC Priority/Weight Clarification/Recommendation
Message-ID:

We are using a SUN One Directory Server (LDAP) Authentication plugin as the
backend authentication mechanism for users binding to our LDAP servers. It
uses the underlying Sun provided SUNWkrbux libraries to act as a proxy to
our kerberos servers.

We also use cosign as the login mechanism for users authenticating to our
shibboleth service. It uses the underlying Red Hat provided krb5-libs to
communicate with our kerberos servers.

Redundancy/HA for the LDAP and shibboleth/cosign services is achieved by
load balancing behind a set of Cisco content service switches.

Our kerberos environment consists of one MIT krb-1.5.x master KDC and three
MIT krb-1.5.x slave KDCs. Redundancy is achieved with a
_kerberos._udp.ourrealm.edu SRV record that includes all four KDCs, each
with the same weight and priority, as well as a round robin DNS entry for
kerberos.ourdomain.com, which includes the same four KDCs (the realm and
domain names match):

$ dig _kerberos._udp.ourrealm.edu SRV
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb1.ourdomain.edu.
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb2.ourdomain.edu.
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb3.ourdomain.edu.
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb4.ourdomain.edu.

$ dig kerberos.ourdomain.edu
kerberos.ourdomain.edu. 60 IN A
kerberos.ourdomain.edu. 60 IN A
kerberos.ourdomain.edu. 60 IN A
kerberos.ourdomain.edu. 60 IN A

The krb5.conf files on the ldap & shibboleth/cosign servers are currently
configured with the following:

[libdefaults]
default_realm = ourrealm.ourdomain.edu

[realms]
dce.buffalo.edu = {
    kdc = kerberos.ourdomain.edu
    admin_server = kadminserver.ourdomain.edu
}

We recently saw a hardware failure on one of our (non-master) KDCs that
brought the box completely off line. Even though they are redundant/highly
available on their own, the downstream ldap & shibboleth/cosign servers all
immediately saw issues because of this, exposing the weak link in the chain.

The O'Reilly Kerberos (The Definitive Guide) book states that setting the
weight to 0 in the SRV record causes clients to choose from equal priority
KDCs randomly, but doesn't explicitly say anything about when one of those
is not available. The book also indicates that setting priorities on the
KDCs will cause the client to try the next highest one if the first is not
available, but to me this implies that there would always be one KDC hit
hardest.

Can the krb5.conf file/SRV record be configured to make the clients fallback
to one of the other KDCs if the first one tried is not available, without
always favoring the one(s) with the lowest priority numbered one?

Any other thoughts/suggestions on achieving a HA/redundant kerb setting are
welcome.

-Mark

--
Mark T. Valites
Senior Systems Administrator
Enterprise Infrastructure Services
University at Buffalo

From mathew_rowley at cable.comcast.com Mon Dec 15 18:36:13 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Mon, 15 Dec 2008 16:36:13 -0700
Subject: Kerberos auth based on ticket
Message-ID:

I am having a really hard time finding any documentation about PAM
configurations. I want to be able to authenticate an SSH login with a valid
Kerberos ticket. What configurations do I need within the
/etc/pam.d/system-auth file to allow an authentication to succeed with a
valid ticket. Here is what I currently have:

Valid ticket:

[root at ipa01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 18:11:50  12/16/08 18:11:50  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

System-auth will use "pam_krb5" as sufficient

[root at ipa01 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Yet, when I attempt to log in, it still asks me for a password, even though I have a valid ticket...

[root at ipa01 ~]# ssh mrowley at localhost
mrowley at localhost's password:

Any help would be appreciated. Thanks.

--
MAT

From rra at stanford.edu Mon Dec 15 18:45:55 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 15 Dec 2008 15:45:55 -0800
Subject: Kerberos auth based on ticket
In-Reply-To: (Mathew Rowley's message of "Mon, 15 Dec 2008 16:36:13 -0700")
Message-ID: <871vw9ypcc.fsf@windlord.stanford.edu>

Mathew Rowley writes:

> I am having a really hard time finding any documentation about PAM
> configurations. I want to be able to authenticate an SSH login with a
> valid Kerberos ticket. What configurations do I need within the
> /etc/pam.d/system-auth file to allow an authentication to succeed with a
> valid ticket.

You're having a hard time finding that documentation because those are two unrelated things. PAM configuration only affects what one does once one has a password in hand. To authenticate with a Kerberos ticket, you need both an ssh client and an ssh server that support GSSAPI authentication, a keytab for the server, and GSSAPI authentication enabled. PAM is not involved.

--
Russ Allbery (rra at stanford.edu)

From mathew_rowley at cable.comcast.com Mon Dec 15 18:49:29 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Mon, 15 Dec 2008 16:49:29 -0700
Subject: Kerberos auth based on ticket
In-Reply-To: <871vw9ypcc.fsf@windlord.stanford.edu>

Well, that would make sense... Looking at the sshd and ssh configurations, it seems to be enabled on both. Is there some configuration I am missing?

[root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
GSSAPIAuthentication yes
[root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

MAT
From rra at stanford.edu Mon Dec 15 19:01:17 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 15 Dec 2008 16:01:17 -0800
Subject: Kerberos auth based on ticket
In-Reply-To: (Mathew Rowley's message of "Mon, 15 Dec 2008 16:49:29 -0700")
Message-ID: <87wse1xa2a.fsf@windlord.stanford.edu>

Mathew Rowley writes:

> Well, that would make sense... Looking at the sshd and ssh configurations,
> it seems to be enabled on both. Is there some configuration I am missing?
>
> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
> GSSAPIAuthentication yes
> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
> # GSSAPI options
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes

Your original pasted example showed you ssh'ing to user at localhost. Unless you have a key for localhost in your keytab, that probably isn't going to work. ssh authenticates to the hostname that you type on the command line.

--
Russ Allbery (rra at stanford.edu)

From mathew_rowley at cable.comcast.com Mon Dec 15 19:55:51 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Mon, 15 Dec 2008 17:55:51 -0700
Subject: Kerberos auth based on ticket
In-Reply-To: <87wse1xa2a.fsf@windlord.stanford.edu>

Ok, using the correct hostname, the same thing happens:

[root at ipa01 ~]# ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley at ipa01 ~]$ ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:

**Shows that there is a ticket
[mrowley at ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
        renew until 12/15/08 19:52:10

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh'ed hostname
[mrowley at ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }
...

MAT

From rra at stanford.edu Mon Dec 15 20:07:53 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 15 Dec 2008 17:07:53 -0800
Subject: Kerberos auth based on ticket
In-Reply-To: (Mathew Rowley's message of "Mon, 15 Dec 2008 17:55:51 -0700")
Message-ID: <877i61x6za.fsf@windlord.stanford.edu>

Mathew Rowley writes:

> **Shows that there is a ticket
> [mrowley at ipa01 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
> Default principal: mrowley at IPA.COMCAST.COM
>
> Valid starting     Expires            Service principal
> 12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
>         renew until 12/15/08 19:52:10

You have no service ticket for the host, so GSSAPI authentication was never even attempted by the client. ssh -vvv may help in figuring out why that's the case.
--
Russ Allbery (rra at stanford.edu)

From mathew_rowley at cable.comcast.com Tue Dec 16 06:48:31 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Tue, 16 Dec 2008 04:48:31 -0700
Subject: Kerberos auth based on ticket
In-Reply-To: <15164409.184041229389768278.JavaMail.root@mailstore01.gopc.net>

[mrowley at ipa01 ~]$ ssh -v mrowley@`hostname`
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ipa01.security.lab.comcast.com [10.252.152.73] port 22.
debug1: Connection established.
debug1: identity file /home/mrowley/.ssh/identity type -1
debug1: identity file /home/mrowley/.ssh/id_rsa type -1
debug1: identity file /home/mrowley/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ipa01.security.lab.comcast.com' is known and matches the RSA host key.
debug1: Found key in /home/mrowley/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Next authentication method: publickey
debug1: Trying private key: /home/mrowley/.ssh/identity
debug1: Trying private key: /home/mrowley/.ssh/id_rsa
debug1: Trying private key: /home/mrowley/.ssh/id_dsa
debug1: Next authentication method: password
mrowley at ipa01.security.lab.comcast.com's password:

Looks like my problem is "Server not found in Kerberos database". So I am assuming that I need the server in the kerberos database as well as the user... Is that done just like adding a principal?

Sorry, very new to this.

MAT

On 12/15/08 6:09 PM, "Chris Hoy Poy" wrote:

> What does "ssh -v username@`hostname`" provide? and is hostname the same as the
> host principal you set up? SSH -v will tell which ones it's trying at least.
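The server-side counterpart of the "Server not found in Kerberos database" failure above is the host key in the sshd machine's keytab: sshd can only accept a ticket for the name the client typed if host/<that fqdn>@REALM is present in /etc/krb5.keytab. The following is an added example (not code from this thread, MIT Kerberos or OpenSSH) that parses the MIT keytab format and checks for that entry; the sample keytab is constructed in memory with dummy key bytes, and the hostname and realm are the ones from Mathew's messages.

```python
"""Check a keytab for the host key that GSSAPI ssh logins depend on.

Added example, not code from this thread or from MIT Kerberos or
OpenSSH.  It parses the MIT keytab file format (version 0x0502) and
looks for the host/<fqdn>@REALM entry that sshd needs in order to
accept a ticket for the name the client typed.  The sample keytab is
constructed in memory with dummy key bytes so the check runs offline.
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab version 0x0502


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: uint16 big-endian length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Construct a keytab from (principal, kvno, enctype, key) tuples.

    Only used here to fabricate sample input; real keytabs are written
    by kadmin's ktadd or by ipa-getkeytab, never by hand."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type 1 (NT-PRINCIPAL), timestamp, 8-bit vno, then the key
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # 32-bit vno, as modern MIT writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode(), pos + n


def parse_keytab(data: bytes):
    """Parse an MIT keytab into a list of entry dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen               # skip the key material itself
        if end - pos >= 4:            # optional 32-bit vno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype,
                        "name_type": name_type, "timestamp": timestamp})
    return entries


def host_principal(fqdn: str, realm: str) -> str:
    """The principal sshd presents: host/<canonical fqdn>@REALM."""
    return "host/%s@%s" % (fqdn.rstrip(".").lower(), realm)


def check_host_key(keytab: bytes, fqdn: str, realm: str):
    """Return (ok, detail): ok is True when keytab holds a key for fqdn."""
    wanted = host_principal(fqdn, realm)
    found = [e for e in parse_keytab(keytab) if e["principal"] == wanted]
    if not found:
        return False, "no entry for %s: sshd cannot accept GSSAPI logins for that name" % wanted
    return True, "%s present with kvno %s" % (wanted, sorted({e["kvno"] for e in found}))


# Constructed sample: the host key for Mathew's machine, old and current kvno.
SAMPLE_KEYTAB = build_keytab([
    ("host/ipa01.security.lab.comcast.com@IPA.COMCAST.COM", 1, 17, b"\x11" * 16),  # 17 = aes128-cts
    ("host/ipa01.security.lab.comcast.com@IPA.COMCAST.COM", 2, 17, b"\x22" * 16),
])

if __name__ == "__main__":
    for name in ("ipa01.security.lab.comcast.com", "localhost"):
        print(name, check_host_key(SAMPLE_KEYTAB, name, "IPA.COMCAST.COM"))
```

Run against a real file with `check_host_key(open("/etc/krb5.keytab", "rb").read(), socket.getfqdn(), realm)`; the `localhost` case shows why Russ's earlier remark about ssh'ing to localhost matters, since no key for that name will be present.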
From ssorce at redhat.com Tue Dec 16 08:36:07 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 16 Dec 2008 08:36:07 -0500
Subject: Kerberos auth based on ticket
Message-ID: <1229434567.3687.76.camel@localhost.localdomain>

On Tue, 2008-12-16 at 04:48 -0700, Mathew Rowley wrote:

> Looks like my problem is "Server not found in Kerberos database". So I am
> assuming that I need the server in the kerberos database as well as the
> user... Is that done just like adding a principal?
>
> Sorry, very new to this.

Mathew, yes, as the freeipa.org (or the Red Hat docs) say you have to create a principal for the target machine and obtain a keytab for it.

http://freeipa.org/page/ConfiguringRhelClients#Configuring_Client_SSH_Access

The 2 commands to use here are: ipa-addservice and ipa-getkeytab. Given these are custom commands that work only in an ipa context, I suggest you jump on the freeipa-users mailing list if you like.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From Mathew_Rowley at cable.comcast.com Tue Dec 16 08:37:29 2008
From: Mathew_Rowley at cable.comcast.com (Rowley, Mathew)
Date: Tue, 16 Dec 2008 08:37:29 -0500
Subject: Kerberos auth based on ticket
Message-ID: <7372D9734C591745A4C1D81017D5ABF6090F6B3C@NJCHLEXCMB01.cable.comcast.com>

If you have a kerberos ticket, and ssh to a box that has GSSAPI enabled, will that pass through/disregard the PAM stack?

MAT

----- Original Message -----
From: Chris Hoy Poy
To: Rowley, Mathew
Cc: kerberos at mit.edu
Sent: Tue Dec 16 07:19:41 2008
Subject: Re: Kerberos auth based on ticket

Hi Matt,

( FYI I used the O'Reilly Kerberos book by Jason Garman to get my head straight. Lots of little issues like this until you've done it a few times.. )

yes, you need to:

If you are using DNS for resolution, make sure your forward and reverse names match as well.

-> add a host principal for the server (to the KDC) ( process differs slightly for heimdal and MIT) ( host/`hostname` ) (use a "host/" prefix to define it as a host - not sure if that is just a practice or if that's important. Good practice at the very least I think?)

-> export the keytab for the server (to go into /etc/krb5.keytab on the OpenSSH box) (that's got the password to let the SSH server authenticate itself, and perform ticket checks - with Kerberos, the server/service has to participate with the KDC to see if you really are who you say you are). Again, process differs slightly for MIT vs. Heimdal.

I had some issues with some encryptions not being supported by some SSH/GSSAPI clients. you might need to "trim" some of the available keys if it doesn't work. YMMV.
//Chris Hoy Poy
Senior Infrastructure Engineer
GoPC Pty Ltd
http://www.gopc.net

________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From Mathew_Rowley at cable.comcast.com Tue Dec 16 08:39:37 2008
From: Mathew_Rowley at cable.comcast.com (Rowley, Mathew)
Date: Tue, 16 Dec 2008 08:39:37 -0500
Subject: Kerberos auth based on ticket
Message-ID: <7372D9734C591745A4C1D81017D5ABF6090F6B3D@NJCHLEXCMB01.cable.comcast.com>

The hostname includes 'ipa' in it, but IPA is not installed. Sorry for any confusion - it was a box that did, and out of pure laziness, was never re-named.
MAT

From ssorce at redhat.com Tue Dec 16 09:11:20 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 16 Dec 2008 09:11:20 -0500
Subject: Kerberos auth based on ticket
In-Reply-To: <7372D9734C591745A4C1D81017D5ABF6090F6B3C@NJCHLEXCMB01.cable.comcast.com>
References: <7372D9734C591745A4C1D81017D5ABF6090F6B3C@NJCHLEXCMB01.cable.comcast.com>
Message-ID: <1229436680.3687.81.camel@localhost.localdomain>

On Tue, 2008-12-16 at 08:37 -0500, Rowley, Mathew wrote:

> If you have a kerberos ticket, and ssh to a box that has GSSAPI
> enabled, will that pass through/disregard the PAM stack?

It will skip only the auth target (and there is no other way because you are not providing a password the auth target can use). If you set UsePAM yes it should still go through the account and session targets, so that you can do proper access control/accounting/session handling.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From simon at sxw.org.uk Tue Dec 16 09:20:35 2008
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Tue, 16 Dec 2008 14:20:35 +0000
Subject: Kerberos auth based on ticket
In-Reply-To: <7372D9734C591745A4C1D81017D5ABF6090F6B3C@NJCHLEXCMB01.cable.comcast.com>
References: <7372D9734C591745A4C1D81017D5ABF6090F6B3C@NJCHLEXCMB01.cable.comcast.com>

On 16 Dec 2008, at 13:37, Rowley, Mathew wrote:

> If you have a kerberos ticket, and ssh to a box that has GSSAPI
> enabled, will that pass through/disregard the PAM stack?

With OpenSSH, it will use the setcred bit of the auth stack, and the account and session stacks, but disregard the authentication portion of the auth stack.

S.

From Mathew_Rowley at cable.comcast.com Tue Dec 16 09:32:54 2008
From: Mathew_Rowley at cable.comcast.com (Rowley, Mathew)
Date: Tue, 16 Dec 2008 09:32:54 -0500
Subject: Kerberos auth based on ticket
Message-ID: <7372D9734C591745A4C1D81017D5ABF6090F6B3F@NJCHLEXCMB01.cable.comcast.com>

My question was more - if you have PAM and GSSAPI both enabled, will the ssh client still go through the PAM stack (for authorization purposes)?

MAT

----- Original Message -----
From: Chris Hoy Poy
To: Rowley, Mathew
Cc: kerberos at mit.edu
Sent: Tue Dec 16 08:57:48 2008
Subject: Re: Kerberos auth based on ticket

PAM doesn't come into a GSSAPI passthru, so you just turn on the GSSAPI options in OpenSSH to let them happen. Turn off the openSSH kerberos options (if you want PAM to do the Kerberos ticket requesting) - but turn on the GSSAPI options as OpenSSH needs to handle them if you want to allow forwarded tickets / kerberos-authenticated connections). This (I think) means you can have a box that is only accessible if you've already got a ticket? Never tried it.
:P

//Chris Hoy Poy
Senior Infrastructure Engineer
GoPC Pty Ltd
http://www.gopc.net
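To make Simo's and Simon's answers concrete (GSSAPI skips the auth stack but, with UsePAM yes, account and session still run), here is an added example, not sshd or Linux-PAM code, that applies Linux-PAM control semantics to Mathew's system-auth. The file is trimmed to the auth, account and session stacks a login touches, and module return values come from a constructed table rather than real modules.

```python
"""Which PAM stacks sshd runs for a GSSAPI login versus a password login.

Added example illustrating the answers from Simo Sorce and Simon
Wilkinson; it is not sshd or Linux-PAM code.  A small evaluator applies
Linux-PAM control semantics (required, requisite, sufficient, optional
and the [value=action] form) to Mathew's system-auth, trimmed to the
auth, account and session stacks that a login touches.  Module return
values are supplied as a constructed table instead of being produced by
real modules.
"""

SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
"""

# Keyword controls expanded to their [value=action] equivalents (Linux-PAM).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_pam(text):
    """Return (stack, control-table, module, args) tuples from a pam.d file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stack, rest = line.split(None, 1)
        if rest.startswith("["):
            spec, rest = rest[1:].split("]", 1)
            control = dict(item.split("=", 1) for item in spec.split())
        else:
            keyword, rest = rest.split(None, 1)
            control = KEYWORDS[keyword]
        module, _, args = rest.strip().partition(" ")
        rules.append((stack, control, module, args))
    return rules


def run_stack(rules, stack, results):
    """Evaluate one stack.  `results` maps "stack/module" to the value the
    module would return (success, auth_err, user_unknown, ...); unlisted
    modules succeed, except pam_deny.so which always fails.
    Returns (outcome, modules consulted in order)."""
    chain = [r for r in rules if r[0] == stack]
    state, consulted, i = None, [], 0     # state: None, "ok" or "bad"
    while i < len(chain):
        _stack, control, module, _args = chain[i]
        default = "auth_err" if module == "pam_deny.so" else "success"
        ret = results.get(stack + "/" + module, default)
        consulted.append(module)
        action = control.get(ret, control.get("default", "bad"))
        if action == "ok" or action.isdigit():
            state = state or "ok"          # ok never overrides an earlier failure
            if action.isdigit():
                i += int(action)           # jump over the next N modules
        elif action == "done":             # return now, keeping any earlier failure
            return ("failure" if state == "bad" else "success"), consulted
        elif action == "bad":
            state = "bad"
        elif action == "die":
            return "failure", consulted
        # "ignore": the module's result does not count
        i += 1
    return ("success" if state == "ok" else "failure"), consulted


def ssh_login(rules, method, results):
    """Model sshd with UsePAM yes.  A password login runs auth, account
    and session.  A GSSAPI login has already proved who the user is, so
    sshd skips the auth stack (only its setcred step, not modelled here,
    is still called) but still runs account and session."""
    stacks = ["account", "session"] if method == "gssapi" else ["auth", "account", "session"]
    report = {}
    for stack in stacks:
        outcome, _consulted = run_stack(rules, stack, results)
        report[stack] = outcome
        if outcome != "success":
            return False, report
    return True, report


# Constructed results for a regular user (uid 502) holding a valid ticket.
REGULAR_USER = {
    "auth/pam_unix.so": "auth_err",          # no usable local password
    "account/pam_succeed_if.so": "auth_err", # uid < 500 is false
    "session/pam_succeed_if.so": "auth_err", # service is sshd, not crond
}

if __name__ == "__main__":
    rules = parse_pam(SYSTEM_AUTH)
    for method in ("password", "gssapi"):
        print(method, ssh_login(rules, method, REGULAR_USER))
```

The practical consequence is the one Simon states below: an account rule such as pam_succeed_if or a pam_krb5 account check still gates a ticket-based login, so access control belongs in the account stack, not in auth.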
From simon at sxw.org.uk Tue Dec 16 09:52:31 2008
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Tue, 16 Dec 2008 14:52:31 +0000
Subject: Kerberos auth based on ticket
In-Reply-To: <7372D9734C591745A4C1D81017D5ABF6090F6B3F@NJCHLEXCMB01.cable.comcast.com>
References: <7372D9734C591745A4C1D81017D5ABF6090F6B3F@NJCHLEXCMB01.cable.comcast.com>
Message-ID: <42331C1E-751C-4FCA-928E-FB745CD26BB3@sxw.org.uk>

On 16 Dec 2008, at 14:32, Rowley, Mathew wrote:

> My question was more - if you have PAM and GSSAPI both enabled,
> will the ssh client still go through the PAM stack (for
> authorization purposes).

Yes it will. Any authorization rules enforced by the account step, any additional credentials gained by the setcred step, and any session initialisation performed by the session step will all occur for GSSAPI authenticated connections.

S.

From raeburn at MIT.EDU Mon Dec 15 16:33:22 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 15 Dec 2008 16:33:22 -0500
Subject: Seeking KDC Priority/Weight Clarification/Recommendation
Message-ID: <6751F333-9817-47D4-A7FD-3C2B8EEBCB7E@mit.edu>

On Dec 15, 2008, at 15:04, Mark T. Valites wrote:

> We recently saw a hardware failure on one of our (non-master) KDCs that
> brought the box completely off line. Even though they are redundant/highly
> available on their own, the downstream ldap & shibboleth/cosign servers
> all immediately saw issues because of this, exposing the weak link in the
> chain.

What sort of issues?
> The O'Reilly Kerberos (The Definitive Guide) book states that
> setting the weight to 0 in the SRV record causes clients to choose from equal
> priority KDCs randomly, but doesn't explicitly say anything about when one of
> those is not available.

The MIT code will pick one KDC address to try contacting, and if it doesn't answer within a second, it will try the next one. (Both the config-file and DNS approaches as you described them would result in a list of four addresses. The library code should randomize the order of all SRV records returned with weights all zero. However, if the config file version is used, the addresses will be tried in the order returned by the getaddrinfo() function, and the hostnames listed in the file, if more than one, are assumed to be in priority order so they're not randomized.)

So if you're getting random or rotating ordering of address records returned, then with one server (address) of four unreachable, one quarter of the time you should see a delay of a second. If getaddrinfo() or your DNS cache is being clever and trying to give you an order optimized for proximity or some such, you may see delays more often or less often, but the delay should still be no more than a second. If it is, you could try monitoring the network traffic with tcpdump and see what it's doing in terms of trying to reach the various KDCs. A significantly longer delay should only come up if no KDC is responding.

(A minor point: You might want to put a dot at the end of the KDC names in your config file, to prevent the use of domain search paths, just in case.)

> The book also indicates that setting priorities on the KDCs will
> cause the client to try the next highest one if the first is not available,
> but to me this implies that there would always be one KDC hit hardest.

That's correct.
> Can the krb5.conf file/SRV record be configured to make the clients
> fallback to one of the other KDCs if the first one tried is not available,
> without always favoring the one(s) with the lowest priority numbered one?

As noted above, that should be the behavior...

Ken

From kryanth at gopc.net Mon Dec 15 20:09:28 2008
From: kryanth at gopc.net (Chris Hoy Poy)
Date: Tue, 16 Dec 2008 09:09:28 +0800 (GMT+08:00)
Subject: Kerberos auth based on ticket
In-Reply-To:
Message-ID: <15164409.184041229389768278.JavaMail.root@mailstore01.gopc.net>

What does "ssh -v username@`hostname`" provide? and is hostname the same as the host principal you set up? SSH -v will tell which ones it's trying at least.

//chris

----- Original Message -----
From: "Mathew Rowley"
To: "Russ Allbery"
Cc: kerberos at mit.edu
Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: Re: Kerberos auth based on ticket

Ok, using the correct hostname, the same thing happens:

[root at ipa01 ~]# ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:
Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain

**Trying to log in with a valid ticket, but asks for password
[mrowley at ipa01 ~]$ ssh mrowley@`hostname`
mrowley at ipa01.security.lab.comcast.com's password:

**Shows that there is a ticket
[mrowley at ipa01 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
Default principal: mrowley at IPA.COMCAST.COM

Valid starting     Expires            Service principal
12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
        renew until 12/15/08 19:52:10

Kerberos 4 ticket cache: /tmp/tkt502
klist: You have no tickets cached

**Showing the kerberos realm is the same as the ssh'ed hostname
[mrowley at ipa01 ~]$ cat /etc/krb5.conf
...
[realms]
IPA.COMCAST.COM = {
kdc = ipa01.security.lab.comcast.com:88
admin_server = ipa01.security.lab.comcast.com:749
default_domain = security.lab.comcast.com
database_module = openldap_ldapconf
}
...
MAT

On 12/15/08 5:01 PM, "Russ Allbery" wrote:
> Mathew Rowley writes:
>
>> Well, that would make sense... Looking at the sshd and ssh configurations,
>> it seems to be enabled on both. Is there some configuration I am missing?
>>
>> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
>> GSSAPIAuthentication yes
>> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
>> # GSSAPI options
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>
> Your original pasted example showed you ssh'ing to user at localhost. Unless
> you have a key for localhost in your keytab, that probably isn't going to
> work. ssh authenticates to the hostname that you type on the command
> line.
>
> --
> Russ Allbery (rra at stanford.edu)

--
MAT

From res at qoxp.net Mon Dec 15 23:15:04 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Mon, 15 Dec 2008 23:15:04 -0500
Subject: Missing parameters in krb5.conf required for kadmin client
References:
Message-ID:

>>>>> "DB" == david bracken writes:

DB> Hello, Before I throw myself off a bridge in frustration, I
DB> decided to whip out my laptop and post a message to the kerberos
DB> mailing list.

DB> I've got a RHEL5 box authenticating against a Win2k3 box. SSO
DB> doesn't work though because I can't run kadmin. Normally AD logins
DB> work, just not SSO.

DB> Here is what I tried:

DB> kadmin addprinc -randkey host/adtest1.test.company
DB> Authenticating as principal unixadmin/admin at TEST.COMPANY with password.
kadmin:
DB> Missing parameters in krb5.conf required for kadmin client while
DB> initializing kadmin interface

DB> and here is the relevant part of my krb5.conf:

DB> [realms]
DB> TEST.COMPANY = {
DB> admin_server = intt9dc1.test.company:88
DB> kdc = intt9dc1.test.company:749
DB> master_kdc = intt9dc1.test.company:749
DB> default_domain = test.company
DB> }

DB> According to the source code, I need the following defined:
DB> KADM5_CONFIG_REALM
DB> KADM5_CONFIG_ADMIN_SERVER
DB> KADM5_CONFIG_KADMIND_PORT

DB> I really can't see the problem. Can anyone push me in the right
DB> direction?

DB> David

Perhaps: "kadmin -r TEST.COMPANY" ?

--
Richard Silverman
res at qoxp.net

From nm at pcsol.be Tue Dec 16 04:59:37 2008
From: nm at pcsol.be (Nicolas Michel)
Date: Tue, 16 Dec 2008 10:59:37 +0100
Subject: Trying to put an Ubuntu laptop into a Windows 2003 domain
In-Reply-To: <1229081588.8367.7.camel@nm-laptop>
References: <1229081588.8367.7.camel@nm-laptop>
Message-ID: <1229421577.12458.6.camel@nm-laptop>

Thanks to beweolf and Markus Moeller for their help. I will try it and tell you if everything works.

nm

On Fri, 2008-12-12 at 12:33 +0100, Nicolas Michel wrote:
> Hi everyone,
>
> I'm trying to put my laptop on Ubuntu into a Microsoft domain.
> After editing /etc/krb5.conf, I tried to get a ticket with kinit but
> there is the error message :
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials
>
> What does this error mean exactly?
>
> Here is my krb5.conf (I know the dns is strangely configured, I'm not the
> one who has configured it ...)
:
>
> [logging]
> default = SYSLOG:INFO:DAEMON
>
> [libdefaults]
> ticket_lifetime = 24000
> default_realm = PCS
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> PCS = {
> kdc = srv01
> admin_server = srv01
> default_domain = pcs.local
> }
>
> [domain_realm]
> .pcs.local = PCS
> pcs.local = PCS
>
> I searched on the web but did not find something to solve the problem.
> A little help could be so nice.
> Thx.

From kryanth at gopc.net Tue Dec 16 07:19:41 2008
From: kryanth at gopc.net (Chris Hoy Poy)
Date: Tue, 16 Dec 2008 20:19:41 +0800 (GMT+08:00)
Subject: Kerberos auth based on ticket
In-Reply-To: <15958590.191501229429525723.JavaMail.root@mailstore01.gopc.net>
Message-ID: <30645135.191521229429981561.JavaMail.root@mailstore01.gopc.net>

Hi Matt,

( FYI I used the O'Reilly Kerberos book by Jason Garman to get my head straight. Lots of little issues like this until you've done it a few times.. )

yes, you need to:

If you are using DNS for resolution, make sure your forward and reverse names match as well.

-> add a host principal for the server (to the KDC)
( process differs slightly for heimdal and MIT)
( host/`hostname` )
(use a "host/" prefix to define it as a host - not sure if that is just a practice or if that's important. Good practice at the very least I think?)

-> export the keytab for the server (to go into /etc/krb5.keytab on the OpenSSH box)
(that's got the password to let the SSH server authenticate itself, and perform ticket checks - with Kerberos, the server/service has to participate with the KDC to see if you really are who you say you are). Again, process differs slightly for MIT vs. Heimdal.

I had some issues with some encryptions not being supported by some SSH/GSSAPI clients.
you might need to "trim" some of the available keys if it doesn't work. YMMV.

//Chris Hoy Poy
Senior Infrastructure Engineer
GoPC Pty Ltd
http://www.gopc.net

----- Original Message -----
From: "Mathew Rowley"
To: "Chris Hoy Poy"
Cc: kerberos at mit.edu
Sent: Tuesday, 16 December, 2008 8:48:31 PM GMT +08:00 Perth
Subject: Re: Kerberos auth based on ticket

[mrowley at ipa01 ~]$ ssh -v mrowley@`hostname`
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ipa01.security.lab.comcast.com [10.252.152.73] port 22.
debug1: Connection established.
debug1: identity file /home/mrowley/.ssh/identity type -1
debug1: identity file /home/mrowley/.ssh/id_rsa type -1
debug1: identity file /home/mrowley/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ipa01.security.lab.comcast.com' is known and matches the RSA host key.
debug1: Found key in /home/mrowley/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.
Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mrowley/.ssh/identity
debug1: Trying private key: /home/mrowley/.ssh/id_rsa
debug1: Trying private key: /home/mrowley/.ssh/id_dsa
debug1: Next authentication method: password
mrowley at ipa01.security.lab.comcast.com's password:

Looks like my problem is "Server not found in Kerberos database". So I am assuming that I need the server in the kerberos database as well as the user... Is that done just like adding a principal? Sorry, very new to this.

MAT

On 12/15/08 6:09 PM, "Chris Hoy Poy" wrote:
> What does "ssh -v username@`hostname`" provide? and is hostname the same as the
> host principal you set up? SSH -v will tell which ones it's trying at least.
>
> //chris
>
> ----- Original Message -----
> From: "Mathew Rowley"
> To: "Russ Allbery"
> Cc: kerberos at mit.edu
> Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing /
> Hong Kong / Urumqi
> Subject: Re: Kerberos auth based on ticket
>
> Ok, using the correct hostname, the same thing happens:
>
> [root at ipa01 ~]# ssh mrowley@`hostname`
> mrowley at ipa01.security.lab.comcast.com's password:
> Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain
>
> **Trying to log in with a valid ticket, but asks for password
> [mrowley at ipa01 ~]$ ssh mrowley@`hostname`
> mrowley at ipa01.security.lab.comcast.com's password:
>
> **Shows that there is a ticket
> [mrowley at ipa01 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
> Default principal: mrowley at IPA.COMCAST.COM
>
> Valid starting     Expires            Service principal
> 12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
>         renew until 12/15/08 19:52:10
>
> Kerberos 4 ticket cache: /tmp/tkt502
> klist: You have no tickets cached
>
> **Showing the kerberos realm is the same as the ssh'ed hostname
> [mrowley at ipa01 ~]$ cat /etc/krb5.conf
> ...
> [realms]
> IPA.COMCAST.COM = {
> kdc = ipa01.security.lab.comcast.com:88
> admin_server = ipa01.security.lab.comcast.com:749
> default_domain = security.lab.comcast.com
> database_module = openldap_ldapconf
> }
> ...
>
> MAT
>
> On 12/15/08 5:01 PM, "Russ Allbery" wrote:
>
>> Mathew Rowley writes:
>>
>>> Well, that would make sense... Looking at the sshd and ssh
>>> configurations,
>>> it seems to be enabled on both. Is there some configuration I am
>>> missing?
>>>
>>> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
>>> GSSAPIAuthentication yes
>>> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
>>> # GSSAPI options
>>> GSSAPIAuthentication yes
>>> GSSAPICleanupCredentials yes
>>
>> Your original pasted example showed you ssh'ing to user at localhost. Unless
>> you have a key for localhost in your keytab, that probably isn't going to
>> work. ssh authenticates to the hostname that you type on the command
>> line.
>>
>> --
>> Russ Allbery (rra at stanford.edu)
>
> --
> MAT

From kryanth at gopc.net Tue Dec 16 08:57:48 2008
From: kryanth at gopc.net (Chris Hoy Poy)
Date: Tue, 16 Dec 2008 21:57:48 +0800 (GMT+08:00)
Subject: Kerberos auth based on ticket
In-Reply-To: <89471.192061229435523165.JavaMail.root@mailstore01.gopc.net>
Message-ID: <20916471.192281229435868563.JavaMail.root@mailstore01.gopc.net>

PAM doesn't come into a GSSAPI passthru, so you just turn on the GSSAPI options in OpenSSH to let them happen.

Turn off the openSSH kerberos options (if you want PAM to do the Kerberos ticket requesting) - but turn on the GSSAPI options as OpenSSH needs to handle them if you want to allow forwarded tickets / kerberos-authenticated connections).

This (I think) means you can have a box that is only accessible if you've already got a ticket? Never tried it.
:P

//Chris Hoy Poy
Senior Infrastructure Engineer
GoPC Pty Ltd
http://www.gopc.net

----- Original Message -----
From: "Mathew Rowley"
To: kryanth at gopc.net
Cc: kerberos at mit.edu
Sent: Tuesday, 16 December, 2008 10:37:29 PM GMT +08:00 Perth
Subject: Re: Kerberos auth based on ticket

If you have a kerberos ticket, and ssh to a box that has GSSAPI enabled, will that pass through/disregard the PAM stack?

MAT

----- Original Message -----
From: Chris Hoy Poy
To: Rowley, Mathew
Cc: kerberos at mit.edu
Sent: Tue Dec 16 07:19:41 2008
Subject: Re: Kerberos auth based on ticket

Hi Matt,

( FYI I used the O'Reilly Kerberos book by Jason Garman to get my head straight. Lots of little issues like this until you've done it a few times.. )

yes, you need to:

If you are using DNS for resolution, make sure your forward and reverse names match as well.

-> add a host principal for the server (to the KDC)
( process differs slightly for heimdal and MIT)
( host/`hostname` )
(use a "host/" prefix to define it as a host - not sure if that is just a practice or if that's important. Good practice at the very least I think?)

-> export the keytab for the server (to go into /etc/krb5.keytab on the OpenSSH box)
(that's got the password to let the SSH server authenticate itself, and perform ticket checks - with Kerberos, the server/service has to participate with the KDC to see if you really are who you say you are). Again, process differs slightly for MIT vs. Heimdal.

I had some issues with some encryptions not being supported by some SSH/GSSAPI clients. you might need to "trim" some of the available keys if it doesn't work. YMMV.
//Chris Hoy Poy
Senior Infrastructure Engineer
GoPC Pty Ltd
http://www.gopc.net

----- Original Message -----
From: "Mathew Rowley"
To: "Chris Hoy Poy"
Cc: kerberos at mit.edu
Sent: Tuesday, 16 December, 2008 8:48:31 PM GMT +08:00 Perth
Subject: Re: Kerberos auth based on ticket

[mrowley at ipa01 ~]$ ssh -v mrowley@`hostname`
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ipa01.security.lab.comcast.com [10.252.152.73] port 22.
debug1: Connection established.
debug1: identity file /home/mrowley/.ssh/identity type -1
debug1: identity file /home/mrowley/.ssh/id_rsa type -1
debug1: identity file /home/mrowley/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ipa01.security.lab.comcast.com' is known and matches the RSA host key.
debug1: Found key in /home/mrowley/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure.
Minor code may provide more information
Server not found in Kerberos database
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mrowley/.ssh/identity
debug1: Trying private key: /home/mrowley/.ssh/id_rsa
debug1: Trying private key: /home/mrowley/.ssh/id_dsa
debug1: Next authentication method: password
mrowley at ipa01.security.lab.comcast.com's password:

Looks like my problem is "Server not found in Kerberos database". So I am assuming that I need the server in the kerberos database as well as the user... Is that done just like adding a principal? Sorry, very new to this.

MAT

On 12/15/08 6:09 PM, "Chris Hoy Poy" wrote:
> What does "ssh -v username@`hostname`" provide? and is hostname the same as the
> host principal you set up? SSH -v will tell which ones it's trying at least.
>
> //chris
>
> ----- Original Message -----
> From: "Mathew Rowley"
> To: "Russ Allbery"
> Cc: kerberos at mit.edu
> Sent: Tuesday, 16 December, 2008 9:55:51 AM GMT +08:00 Beijing / Chongqing /
> Hong Kong / Urumqi
> Subject: Re: Kerberos auth based on ticket
>
> Ok, using the correct hostname, the same thing happens:
>
> [root at ipa01 ~]# ssh mrowley@`hostname`
> mrowley at ipa01.security.lab.comcast.com's password:
> Last login: Mon Dec 15 18:42:09 2008 from localhost.localdomain
>
> **Trying to log in with a valid ticket, but asks for password
> [mrowley at ipa01 ~]$ ssh mrowley@`hostname`
> mrowley at ipa01.security.lab.comcast.com's password:
>
> **Shows that there is a ticket
> [mrowley at ipa01 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_502_WaiNgJ
> Default principal: mrowley at IPA.COMCAST.COM
>
> Valid starting     Expires            Service principal
> 12/15/08 19:52:10  12/16/08 05:52:10  krbtgt/IPA.COMCAST.COM at IPA.COMCAST.COM
>         renew until 12/15/08 19:52:10
>
> Kerberos 4 ticket cache: /tmp/tkt502
> klist: You have no tickets cached
>
> **Showing the
> kerberos realm is the same as the ssh'ed hostname
> [mrowley at ipa01 ~]$ cat /etc/krb5.conf
> ...
> [realms]
> IPA.COMCAST.COM = {
> kdc = ipa01.security.lab.comcast.com:88
> admin_server = ipa01.security.lab.comcast.com:749
> default_domain = security.lab.comcast.com
> database_module = openldap_ldapconf
> }
> ...
>
> MAT
>
> On 12/15/08 5:01 PM, "Russ Allbery" wrote:
>
>> Mathew Rowley writes:
>>
>>> Well, that would make sense... Looking at the sshd and ssh
>>> configurations,
>>> it seems to be enabled on both. Is there some configuration I am
>>> missing?
>>>
>>> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/ssh_config
>>> GSSAPIAuthentication yes
>>> [root at ipa01 ~]# grep -i GSSAPI /etc/ssh/sshd_config
>>> # GSSAPI options
>>> GSSAPIAuthentication yes
>>> GSSAPICleanupCredentials yes
>>
>> Your original pasted example showed you ssh'ing to user at localhost. Unless
>> you have a key for localhost in your keytab, that probably isn't going to
>> work. ssh authenticates to the hostname that you type on the command
>> line.
>>
>> --
>> Russ Allbery (rra at stanford.edu)
>
> --
> MAT

From commercials at gmx.net Tue Dec 16 13:38:38 2008
From: commercials at gmx.net (Julius)
Date: Tue, 16 Dec 2008 19:38:38 +0100
Subject: list_principals not allowed, acl file not opened?
Message-ID: <1229452718.23236.6.camel@wf.localdomain.de>

/usr/local/var/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88

[realms]
LOCALDOMAIN.DE = {
acl_file = /opt/mit-krb5/var/krb5kdc/kadm5.acl
}

/opt/mit-krb5/var/krb5kdc/kadm5.acl
*/admin at LOCALDOMAIN.DE *

kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin at LOCALDOMAIN.DE:
kadmin: list_principals
get_principals: Operation requires ``list'' privilege while retrieving list.

strace ./krb5kdc 2>&1 |grep usr does not list kdc.conf file?

what is going wrong here?

krb5.conf:
[libdefaults]
default_realm = LOCALDOMAIN.DE

[logging]
kdc = FILE:/var/log/krb5-kdc.log
admin_server = FILE:/var/log/krb5-kadmin.log
default = FILE:/var/log/krb5-default.log

[realms]
LOCALDOMAIN.DE = {
admin_server = night_crawler.localdomain.de
}

greets

From commercials at gmx.net Wed Dec 17 12:49:37 2008
From: commercials at gmx.net (Julius)
Date: Wed, 17 Dec 2008 18:49:37 +0100
Subject: list_principals not allowed, acl file not opened?
In-Reply-To: <1229452718.23236.6.camel@wf.localdomain.de>
References: <1229452718.23236.6.camel@wf.localdomain.de>
Message-ID: <1229536177.2812.20.camel@wf.localdomain.de>

On Tue, 2008-12-16 at 19:38 +0100, Julius wrote:
> /usr/local/var/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> LOCALDOMAIN.DE = {
> acl_file = /opt/mit-krb5/var/krb5kdc/kadm5.acl
> }
>
> /opt/mit-krb5/var/krb5kdc/kadm5.acl
> */admin at LOCALDOMAIN.DE *
>
> kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at LOCALDOMAIN.DE:
> kadmin: list_principals
> get_principals: Operation requires ``list'' privilege while retrieving
> list.
>
> strace ./krb5kdc 2>&1 |grep usr does not list kdc.conf file?
>
> what is going wrong here?
>
> krb5.conf:
> [libdefaults]
> default_realm = LOCALDOMAIN.DE
>
> [logging]
> kdc = FILE:/var/log/krb5-kdc.log
> admin_server = FILE:/var/log/krb5-kadmin.log
> default = FILE:/var/log/krb5-default.log
>
> [realms]
> LOCALDOMAIN.DE = {
> admin_server = night_crawler.localdomain.de
> }
>
> greets

The package is configured with --localestatedir=/... and the kadm5.acl is working from there. At the end of kdc.conf(5) it says: /usr/local/var/krb5kdc/kdc.conf. Is this path maybe changeable with --prefix=? Or why was my kadm5.acl not found?

Julius

From suewho at ak.net Tue Dec 16 22:51:11 2008
From: suewho at ak.net (Susan Healey)
Date: Tue, 16 Dec 2008 18:51:11 -0900
Subject: Simple Kerberos PowerPoint Presentation
Message-ID: <000001c95ffa$b4785ee0$1d691ca0$@net>

Hello, I am searching for a clear explanation of Kerberos and found you were working on a PowerPoint back in 2006. Did you ever finish it? Is it available to others to study? Thank you much.

SDH

From mdw at umich.edu Wed Dec 17 14:28:54 2008
From: mdw at umich.edu (Marcus Watts)
Date: Wed, 17 Dec 2008 14:28:54 -0500
Subject: list_principals not allowed, acl file not opened?
In-Reply-To: <1229536177.2812.20.camel@wf.localdomain.de>
References: <1229452718.23236.6.camel@wf.localdomain.de> <1229536177.2812.20.camel@wf.localdomain.de>
Message-ID:

Julius writes:
...
> > kadmin -p admin/admin
> > Authenticating as principal admin/admin with password.
> > Password for admin/admin at LOCALDOMAIN.DE:
> > kadmin: list_principals
> > get_principals: Operation requires ``list'' privilege while retrieving
> > list.
> >
> > strace ./krb5kdc 2>&1 |grep usr does not list kdc.conf file?
> >
> > what is going wrong here?
...

If you're looking for the acl file reference, do strace on kadmind not on krb5kdc. If you're looking for the kdc.conf reference, either krb5kdc or kadmind will work.
In this particular case, krb5kdc should fork before trying to read kdc.conf, so it would be very surprising to see kdc.conf in strace's output. Use strace -f to fix that. Better yet, I recommend
	strace -f -o /tmp/foo.out ...
then use grep, vi, or other tools on foo.out. Looking for "kdc.conf" rather than "/usr" is likely to result in easier to understand data that is more relevant.

You can also set these environment variables:
	KRB5_CONFIG=/etc/krb5.conf
	KRB5_KDC_PROFILE=/usr/krb5/var/krb5kdc/kdc.conf
at runtime to tell kadmind|krb5kdc exactly what they should read instead - but you should not need that under ordinary circumstances.

My recollection is that you need to restart kadmind before changes in the acl file are recognized - past that, I would hate to speculate just what is going on in your setup.

-Marcus Watts

From julius.junghans at gmx.de Wed Dec 17 16:23:25 2008
From: julius.junghans at gmx.de (Julius)
Date: Wed, 17 Dec 2008 22:23:25 +0100
Subject: list_principals not allowed, acl file not opened?
In-Reply-To: <1229452718.23236.6.camel@wf.localdomain.de>
References: <1229452718.23236.6.camel@wf.localdomain.de>
Message-ID: <1229549005.2812.21.camel@wf.localdomain.de>

On Tue, 2008-12-16 at 19:38 +0100, Julius wrote:
> /usr/local/var/krb5kdc/kdc.conf
> [kdcdefaults]
> kdc_ports = 750,88
>
> [realms]
> LOCALDOMAIN.DE = {
> acl_file = /opt/mit-krb5/var/krb5kdc/kadm5.acl
> }
>
> /opt/mit-krb5/var/krb5kdc/kadm5.acl
> */admin at LOCALDOMAIN.DE *
>
> kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at LOCALDOMAIN.DE:
> kadmin: list_principals
> get_principals: Operation requires ``list'' privilege while retrieving
> list.
>
> strace ./krb5kdc 2>&1 |grep usr does not list kdc.conf file?
>
> what is going wrong here?
>
> krb5.conf:
> [libdefaults]
> default_realm = LOCALDOMAIN.DE
>
> [logging]
> kdc = FILE:/var/log/krb5-kdc.log
> admin_server = FILE:/var/log/krb5-kadmin.log
> default = FILE:/var/log/krb5-default.log
>
> [realms]
> LOCALDOMAIN.DE = {
> admin_server = night_crawler.localdomain.de
> }
>
> greets

The package is configured with --localestatedir=/... and the kadm5.acl is working from there. At the end of kdc.conf(5) it says: /usr/local/var/krb5kdc/kdc.conf. Is this path maybe changeable with --prefix=? Or why was my kadm5.acl not found?

Julius

From mvalites at buffalo.edu Thu Dec 18 10:02:53 2008
From: mvalites at buffalo.edu (Mark T. Valites)
Date: Thu, 18 Dec 2008 10:02:53 -0500 (EST)
Subject: Seeking KDC Priority/Weight Clarification/Recommendation
In-Reply-To: <6751F333-9817-47D4-A7FD-3C2B8EEBCB7E@mit.edu>
References: <6751F333-9817-47D4-A7FD-3C2B8EEBCB7E@mit.edu>
Message-ID:

On Mon, 15 Dec 2008, Ken Raeburn wrote:
> On Dec 15, 2008, at 15:04, Mark T. Valites wrote:
>> We recently saw a hardware failure on one of our (non-master) KDCs that
>> brought the box completely off line. Even though they are
>> redundant/highly available on their own, the downstream ldap &
>> shibboleth/cosign servers all immediately saw issues because of this,
>> exposing the weak link in the chain.
>
> What sort of issues?

Unfortunately, we were in a rush to restore service & didn't get the opportunity to investigate in depth. The most detailed issue summary I can give is just "users weren't able to log in". I do not have detailed information on the behaviors of each level of our authentication stack, but suspect that we were lucky enough that all the upstream kerb consumers were hitting the downed kdc, only. We also unfortunately don't currently have the resources to dedicate to an appropriate post-mortem investigation.

> The MIT code will pick one KDC address to try contacting, and if it
> doesn't answer within a second, it will try the next one.
> (Both the config-file and DNS approaches as you described them would result in a
> list of four addresses. The library code should randomize the order of
> all SRV records returned with weights all zero. However, if the config
> file version is used, the addresses will be tried in the order returned
> by the getaddrinfo() function, and the hostnames listed in the file, if
> more than one, are assumed to be in priority order so they're not
> randomized.)
>
> So if you're getting random or rotating ordering of address records
> returned, then with one server (address) of four unreachable, one
> quarter of the time you should see a delay of a second. If
> getaddrinfo() or your DNS cache is being clever and trying to give you
> an order optimized for proximity or some such, you may see delays more
> often or less often, but the delay should still be no more than a
> second. If it is, you could try monitoring the network traffic with
> tcpdump and see what it's doing in terms of trying to reach the various
> KDCs.

In looking at this more, I wonder if having both the default_realm in the libdefault section & a round robin kdc record explicitly defined in the realms section could be problematic - one of our kerb clients doesn't have any kdc entry in their realms section & saw no issues during the hardware failure.

I suspect this:

[libdefaults]
default_realm = ourrealm.ourdomain.edu

[realms]
dce.buffalo.edu = {
kdc = kerberos.ourdomain.edu
admin_server = kadminserver.ourdomain.edu
}

Should really be this:

[libdefaults]
default_realm = ourrealm.ourdomain.edu

[realms]
dce.buffalo.edu = {
admin_server = kadminserver.ourdomain.edu
}

Could that make a difference?

--
Mark T.
Valites
Senior Systems Administrator
Enterprise Infrastructure Services
University at Buffalo

From ganesh.tambat at gmail.com Thu Dec 18 11:24:13 2008
From: ganesh.tambat at gmail.com (Kasparov)
Date: Thu, 18 Dec 2008 08:24:13 -0800 (PST)
Subject: SSPI Kerberos for delegation
Message-ID:

Hi,

We want the authentication to happen without providing credentials anywhere. For this we are planning to use Windows SSPI. Now the problem I am facing is once the authentication from client to server is successful, I want to use the security context created in server to connect back and authenticate to the client. I am trying to find out if this thing is possible with SSPI.

For this I have written an application (prototype) with client side and server side. I am connecting to the server and after successful authentication at the server side I try to connect back (to the server component on the client machine, running in the same process and thread as client) using the same procedure I used in the client side. My understanding is since I have impersonated I will be able to authenticate the same user again. But I always get the error "No credentials are available in the security package" and the credentials might have expired.

I have verified that both the user accounts are trusted for delegation and "cannot be delegated" tab is unchecked. Also both the servers are trusted for delegation for any service for Kerberos.

I have tried doing this with NTLM and Kerberos. With NTLM it looks like the reverse connection is successful but after impersonation at the client side if I try to print the user name it says "Anonymous Logon". With Kerberos I am getting various errors (not enough memory, credentials are expired etc) and I am still working on that part. The reason I am trying with Kerberos is that I learned from some articles on the Net that such a thing (delegation) is possible only with Kerberos. Surprisingly I am not able to find out a single working solution of this kind.
I have pasted my entire code below. Can anyone help me on this and advise me
on how this can be achieved?

Please see the code samples below:

Client (Logged in user: win\gtambat)
***************************************************************************************
/* Header names were stripped by the list archive; reconstructed from the
   calls the file makes (printf, malloc/_strdup, memset/strlen, Win32/Winsock). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define SECURITY_WIN32 1
#include <security.h>
#pragma hdrstop

// ====================================================================
// IMPORTANT NOTICE -- Check out
// http://www.mvps.org/security/sspi.html
// for the gory details of how this works
// ====================================================================

void auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource,
           const char *name = NULL, const char *pwd = NULL, const char *domain = NULL );

PSecurityFunctionTable pf = NULL;

void initSecLib( HINSTANCE& hSec );

bool Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& srvCtx )
{
    int rc;
    bool haveToken = true;
    SecPkgInfo *secPackInfo;
    int bytesReceived = 0, bytesSent = 0;
    char buf[256];
    DWORD bufsiz = sizeof buf;
    HANDLE threadRet;

    puts( "auth() entered" );

    rc = (pf->QuerySecurityPackageInfo)( "Kerberos", &secPackInfo );
    printf( "QSPI(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
        haveToken = false;

    TimeStamp useBefore;
    rc = (pf->AcquireCredentialsHandle)( NULL, "Kerberos", SECPKG_CRED_BOTH,
        NULL, NULL, NULL, NULL, &cred, &useBefore );
    rc = GetLastError();
    printf( "ACH(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
        haveToken = false;

    // input and output buffers
    SecBufferDesc obd, ibd;
    SecBuffer ob, ib;
    DWORD ctxAttr;

    bool haveContext = false;

    while ( 1 )
    {
        // prepare to get the server's response
        ibd.ulVersion = SECBUFFER_VERSION;
        ibd.cBuffers = 1;
        ibd.pBuffers = &ib; // just one buffer
        ib.BufferType = SECBUFFER_TOKEN; // preping a token here
        // receive the client's POD
        // MACHINE-DEPENDENT CODE! (Besides, we assume that we
        // get the length with a single read, which is not guaranteed)
        recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
        bytesReceived += sizeof ib.cbBuffer;
        ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
        char *p = (char *) ib.pvBuffer;
        int n = ib.cbBuffer;
        while ( n )
        {
            rc = recv( s, p, n, 0 );
            // if ( rc == SOCKET_ERROR )
            //     wserr( rc, "recv" );
            // if ( rc == 0 )
            //     wserr( 999, "recv" );
            bytesReceived += rc;
            n -= rc;
            p += rc;
        }

        // by now we have an input buffer
        obd.ulVersion = SECBUFFER_VERSION;
        obd.cBuffers = 1;
        obd.pBuffers = &ob; // just one buffer
        ob.BufferType = SECBUFFER_TOKEN; // preping a token here
        ob.cbBuffer = secPackInfo->cbMaxToken;
        ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );

        // rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL,
        //     &ibd, 0, SECURITY_NATIVE_DREP, &srvCtx, &obd, &ctxAttr,
        //     &useBefore );
        rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL,
            &ibd, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/, &srvCtx, &obd, &ctxAttr,
            &useBefore );
        printf( "ASC(): %08xh\n", rc );

        if ( ib.pvBuffer != NULL )
        {
            LocalFree( ib.pvBuffer );
            ib.pvBuffer = NULL;
        }

        if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED )
        {
            if ( pf->CompleteAuthToken != NULL ) // only if implemented
                (pf->CompleteAuthToken)( &srvCtx, &obd );
            if ( rc == SEC_I_COMPLETE_NEEDED )
                rc = SEC_E_OK;
            else if ( rc == SEC_I_COMPLETE_AND_CONTINUE )
                rc = SEC_I_CONTINUE_NEEDED;
        }

        // send the output buffer off to the server
        // warning -- this is machine-dependent! FIX IT!
        if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED )
        {
            if ( ob.cbBuffer != 0 )
            {
                send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
                bytesSent += sizeof ob.cbBuffer;
                send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
                bytesSent += ob.cbBuffer;
            }
            LocalFree( ob.pvBuffer );
            ob.pvBuffer = NULL;
        }

        if ( rc != SEC_I_CONTINUE_NEEDED )
            break;

        haveContext = true;

        // loop back for another round
        puts( "looping" );
    }

    // we arrive here as soon as InitializeSecurityContext()
    // returns != SEC_I_CONTINUE_NEEDED.

    if ( rc != SEC_E_OK )
    {
        printf( "Oops! ASC() returned %08xh!\n", rc );
        haveToken = false;
    }

    rc = GetLastError();
    GetUserName( buf, &bufsiz );

    // now we try to use the context
    rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    printf( "ImpSC(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
    {
        printf( "Oops! ImpSC() returns %08xh!\n", rc );
        haveToken = false;
    }
    else
    {
        char buf[256];
        DWORD bufsiz = sizeof buf;
        GetUserName( buf, &bufsiz );
        printf( "user name: \"%s\"\n", buf );
        (pf->RevertSecurityContext)( &srvCtx );
        printf( "RSC(): %08xh\n", rc );
    }

    (pf->FreeContextBuffer)( secPackInfo );

    printf( "auth() exiting (%d received, %d sent)\n", bytesReceived, bytesSent );

    return haveToken;
}

int Ganesh_Server_Impl()
{
    int rc, port = 12000, addrlen;
    bool haveToken;
    SOCKET sock, s;
    WSADATA wsadata;
    PSERVENT pse;
    SOCKADDR_IN addr;
    HINSTANCE hSecLib;

    initSecLib( hSecLib );

    rc = WSAStartup( 2, &wsadata );
    // wserr( rc, "WSAStartup" );

    sock = socket( AF_INET, SOCK_STREAM, 0 );
    if ( sock == INVALID_SOCKET )
    {
        rc = -1;
    }
    else
    {
        rc = 0;
    }
    // wserr( 999, "socket" );

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = INADDR_ANY;

    // try numeric protocol first
    if ( port > 0 && port < 32768 )
        addr.sin_port = htons( (short) port );
    else
    {
    }

    rc = bind( sock, (SOCKADDR *) &addr, sizeof addr );
    // wserr( rc, "bind" );

    rc = listen( sock, 2 );
    // wserr( rc, "listen" );

    CredHandle cred;
    CtxtHandle srvCtx;

    while ( 1 )
    {
        addrlen = sizeof addr;
        s = accept( sock, (SOCKADDR *) &addr, &addrlen );
        if ( s == INVALID_SOCKET )
        {
            rc = -1;
        }
        else
        {
            rc = 0;
        }
        // wserr( s, "accept" );

        haveToken = Ganesh_auth( s, cred, srvCtx );

        // now we talk to the client
        printf( "haveToken = %s\n\n", haveToken? "true": "false" );
        send( s, (const char *) &haveToken, sizeof haveToken, 0 );

        // clean up
        (pf->DeleteSecurityContext)( &srvCtx );
        (pf->FreeCredentialHandle)( &cred );
        closesocket( s );
    }
}

// wserr() displays winsock errors and aborts. No grace there.
void wserr( int rc, const char * const funcname )
{
    if ( rc == 0 )
        return;
    fprintf( stderr, "\nWinsock error %d [gle %d] returned by %s().\n"
        "Sorry, no bonus!\n", rc, WSAGetLastError(), funcname );
    WSACleanup();
    exit( rc );
}

void auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource,
           const char *name /* = NULL */, const char *pwd /* = NULL */,
           const char *domain /* = NULL */ )
{
    int rc, rcISC;
    SecPkgInfo *secPackInfo;
    SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
    int bytesReceived = 0, bytesSent = 0;

    puts( "auth() entered" );

    // the arguments to ISC() is not const ... for once, I decided
    // on creating writable copies instead of using a brutalizing cast.
    char *myTokenSource;
    myTokenSource = _strdup( tokenSource );

    if ( name != NULL )
    {
        nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof SEC_WINNT_AUTH_IDENTITY );
        memset( nameAndPwd, '\0', sizeof *nameAndPwd );
        nameAndPwd->Domain = (byte *) _strdup( domain? domain: "" );
        nameAndPwd->DomainLength = domain? strlen( domain ): 0;
        nameAndPwd->User = (byte *) _strdup( name? name: "" );
        nameAndPwd->UserLength = name? strlen( name ): 0;
        nameAndPwd->Password = (byte *) _strdup( pwd? pwd: "" );
        nameAndPwd->PasswordLength = pwd? strlen( pwd ): 0;
        nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    }

    rc = (pf->QuerySecurityPackageInfo)( "Kerberos", &secPackInfo );
    printf( "QSPI(): %08xh\n", rc );

    TimeStamp useBefore;
    rc = (pf->AcquireCredentialsHandle)( NULL, "Kerberos", SECPKG_CRED_BOTH,
        NULL, nameAndPwd, NULL, NULL, &cred, &useBefore );
    printf( "ACH(): %08xh\n", rc );

    // input and output buffers
    SecBufferDesc obd, ibd;
    SecBuffer ob, ib;
    DWORD ctxReq, ctxAttr;

    // from sspi.h:
    // #define ISC_REQ_DELEGATE           0x00000001
    // #define ISC_REQ_MUTUAL_AUTH        0x00000002
    // #define ISC_REQ_REPLAY_DETECT      0x00000004
    // #define ISC_REQ_SEQUENCE_DETECT    0x00000008
    // #define ISC_REQ_CONFIDENTIALITY    0x00000010
    // #define ISC_REQ_USE_SESSION_KEY    0x00000020
    // #define ISC_REQ_PROMPT_FOR_CREDS   0x00000040
    // #define ISC_REQ_USE_SUPPLIED_CREDS 0x00000080
    // #define ISC_REQ_ALLOCATE_MEMORY    0x00000100
    // #define ISC_REQ_USE_DCE_STYLE      0x00000200
    // #define ISC_REQ_DATAGRAM           0x00000400
    // #define ISC_REQ_CONNECTION         0x00000800
    // #define ISC_REQ_CALL_LEVEL         0x00001000
    // #define ISC_REQ_EXTENDED_ERROR     0x00004000
    // #define ISC_REQ_STREAM             0x00008000
    // #define ISC_REQ_INTEGRITY          0x00010000
    ctxReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
        ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;

    bool haveInbuffer = false;
    bool haveContext = false;
    ib.pvBuffer = NULL;

    while ( 1 )
    {
        obd.ulVersion = SECBUFFER_VERSION;
        obd.cBuffers = 1;
        obd.pBuffers = &ob; // just one buffer
        ob.BufferType = SECBUFFER_TOKEN; // preping a token here
        ob.cbBuffer = secPackInfo->cbMaxToken;
        ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );

        rcISC = (pf->InitializeSecurityContext)( &cred, haveContext? &cliCtx: NULL,
            myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/,
            haveInbuffer? &ibd: NULL, 0, &cliCtx, &obd, &ctxAttr, &useBefore );
        printf( "ISC(): %08xh\n", rcISC );

        if ( ib.pvBuffer != NULL )
        {
            LocalFree( ib.pvBuffer );
            ib.pvBuffer = NULL;
        }

        if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
        {
            if ( pf->CompleteAuthToken != NULL ) // only if implemented
                (pf->CompleteAuthToken)( &cliCtx, &obd );
            if ( rcISC == SEC_I_COMPLETE_NEEDED )
                rcISC = SEC_E_OK;
            else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
                rcISC = SEC_I_CONTINUE_NEEDED;
        }

        // send the output buffer off to the server
        // warning -- this is machine-dependent! FIX IT!
        if ( ob.cbBuffer != 0 )
        {
            send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
            bytesSent += sizeof ob.cbBuffer;
            send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
            bytesSent += ob.cbBuffer;
        }
        LocalFree( ob.pvBuffer );
        ob.pvBuffer = NULL;

        if ( rcISC != SEC_I_CONTINUE_NEEDED )
            break;

        // prepare to get the server's response
        ibd.ulVersion = SECBUFFER_VERSION;
        ibd.cBuffers = 1;
        ibd.pBuffers = &ib; // just one buffer
        ib.BufferType = SECBUFFER_TOKEN; // preping a token here
        // receive the server's response
        // MACHINE-DEPENDENT CODE! (Besides, we assume that we
        // get the length with a single read, which is not guaranteed)
        recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
        bytesReceived += sizeof ib.cbBuffer;
        ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
        char *p = (char *) ib.pvBuffer;
        int n = ib.cbBuffer;
        while ( n )
        {
            rc = recv( s, p, n, 0 );
            if ( rc == SOCKET_ERROR )
                wserr( rc, "recv" );
            if ( rc == 0 )
                wserr( 999, "recv" );
            bytesReceived += rc;
            n -= rc;
            p += rc;
        }

        // by now we have an input buffer and a client context
        haveInbuffer = true;
        haveContext = true;

        // loop back for another round
        puts( "looping" );
    }

    // we arrive here as soon as InitializeSecurityContext()
    // returns != SEC_I_CONTINUE_NEEDED.

    if ( rcISC != SEC_E_OK )
        printf( "Oops! ISC() returned %08xh!\n", rcISC );

    (pf->FreeContextBuffer)( secPackInfo );

    printf( "auth() exiting (%d sent, %d received)\n", bytesSent, bytesReceived );

    free( myTokenSource );
    if ( nameAndPwd != 0 )
    {
        if ( nameAndPwd->Domain != 0 )
            free( nameAndPwd->Domain );
        if ( nameAndPwd->User != 0 )
            free( nameAndPwd->User );
        if ( nameAndPwd->Password != 0 )
            free( nameAndPwd->Password );
        free( nameAndPwd );
    }
}

void initSecLib( HINSTANCE& hSec )
{
    PSecurityFunctionTable (*pSFT)( void );

    hSec = LoadLibrary( "security.dll" );
    pSFT = (PSecurityFunctionTable (*)( void )) GetProcAddress( hSec, "InitSecurityInterfaceA" );
    if ( pSFT == NULL )
    {
        puts( "security.dll load messed up ..." );
        exit( 1 );
    }
    pf = pSFT();
    if ( pf == NULL )
    {
        puts( "no function table?!?" );
        exit( 1 );
    }
}

int main( int argc, char *argv[] )
{
    int rc, port, i, errors;
    HINSTANCE hSecLib;
    unsigned long naddr;
    SOCKET sock;
    WSADATA wsadata;
    PHOSTENT phe;
    PSERVENT pse;
    SOCKADDR_IN addr;
    //const char *tokenSource = "Authsamp", *server = "server-machine";
    const char *tokenSource = "win\\gtambat1", *server = "server-machine";
    const char *portstr = "11000", *user = 0, *pwd = 0, *domain = 0;

    errors = 0;
    for ( i = 1; i < argc; ++ i )
    {
        if ( argv[i][0] != '-' && argv[i][0] != '/' )
        {
            printf( "\"%s\" is not a valid switch.\n", argv[i] );
            ++ errors;
            continue;
        }
        switch ( argv[i][1] )
        {
        case 's':
            if ( i >= argc - 1 )
            {
                printf( "\"%s\" requires an argument.\n", argv[i] );
                ++ errors;
            }
            else if ( server != 0 )
            {
                printf( "\"%s\" has already been used.\n", argv[i ++] );
                ++ errors;
            }
            else
                server = argv[++ i];
            break;
        case 'p':
            if ( i >= argc - 1 )
            {
                printf( "\"%s\" requires an argument.\n", argv[i] );
                ++ errors;
            }
            else if ( portstr != 0 )
            {
                printf( "\"%s\" has already been used.\n", argv[i ++] );
                ++ errors;
            }
            else
                portstr = argv[++ i];
            break;
        case 't':
            if ( i >= argc - 1 )
            {
                printf( "\"%s\" requires an argument.\n", argv[i] );
                ++ errors;
            }
            else if ( tokenSource != 0 )
            {
                printf( "\"%s\" has already been used.\n", argv[i ++] );
                ++ errors;
            }
            else
                tokenSource = argv[++ i];
            break;
        case 'd':
            if ( i >= argc - 1 )
            {
                printf( "\"%s\" requires an argument.\n", argv[i] );
                ++ errors;
            }
            else if ( domain != 0 )
            {
                printf( "\"%s\" has already been used.\n", argv[i ++] );
                ++ errors;
            }
            else
                domain = argv[++ i];
            break;
        case 'u':
            if ( i >= argc - 2 )
            {
                printf( "\"%s\" requires two arguments.\n", argv[i ++] );
                ++ errors;
            }
            else if ( user != 0 )
            {
                printf( "\"%s\" has already been used.\n", argv[i] );
                i += 2;
                ++ errors;
            }
            else
            {
                user = argv[++ i];
                pwd = argv[++ i];
            }
            break;
        default:
            printf( "\"%s\" is not a valid switch.\n", argv[i] );
            ++ errors;
            break;
        }
    }

    if ( server == 0 )
    {
        puts( "A server name or IP address must be specified." );
        ++ errors;
    }
    if ( portstr == 0 )
    {
        puts( "A port name or port number must be specified." );
        ++ errors;
    }
    if ( user == 0 && domain != 0 )
        puts( "No user name was specified, ignoring the domain." );

    if ( errors )
    {
        puts( "\nusage: client -s your.server.com -p serverport" );
        puts( "              [-t token-source] [-u user pwd [-d domain]]" );
        puts( "token-source is _required_ for Kerberos and should be your" );
        puts( "current logon name (e.g., \"MYDOMAIN\\felixk\")." );
        puts( "If -u is absent, your current credentials will be used." );
        return 1;
    }

    initSecLib( hSecLib );

    rc = WSAStartup( 2, &wsadata );
    wserr( rc, "WSAStartup" );

    sock = socket( AF_INET, SOCK_STREAM, 0 );
    if ( sock == INVALID_SOCKET )
        wserr( 999, "socket" );

    addr.sin_family = AF_INET;

    // try numeric IP address first (inet_addr)
    naddr = inet_addr( server );
    if ( naddr != INADDR_NONE )
    {
        addr.sin_addr.s_addr = naddr;
    }
    else
    {
        phe = gethostbyname( server );
        if ( phe == NULL )
            wserr( 1, "gethostbyname" );
        addr.sin_addr.s_addr = *( (unsigned long *) (phe->h_addr) );
        memcpy( (char *) &addr.sin_addr, phe->h_addr, phe->h_length );
    }

    // try numeric protocol first
    port = atoi( portstr );
    if ( port > 0 && port < 32768 )
        addr.sin_port = htons( (short) port );
    else
    {
        pse = getservbyname( portstr, "tcp" );
        if ( pse == NULL )
            wserr( 1, "getservbyname" );
        addr.sin_port = pse->s_port;
    }

    CredHandle cred;
    CtxtHandle cliCtx;

    rc = connect( sock, (SOCKADDR *) &addr, sizeof addr );
    wserr( rc, "connect" );

    struct sockaddr name;
    int namelen = sizeof name;
    rc = getsockname( sock, &name, &namelen );
    wserr( rc, "getsockname()" );
    printf( "I am %u.%u.%u.%u\n",
        (unsigned int) (unsigned char) name.sa_data[2],
        (unsigned int) (unsigned char) name.sa_data[3],
        (unsigned int) (unsigned char) name.sa_data[4],
        (unsigned int) (unsigned char) name.sa_data[5] );

    auth( sock, cred, cliCtx, tokenSource, user, pwd, server ); // this does the real work
    // Added by Ganesh
    //auth( sock, cred, cliCtx, tokenSource, "ganesh", "ganesh", "client-machine" ); // this does the real work

    // use the authenticated connection here
    bool haveToken = false;
    rc = recv( sock, (char *) &haveToken, sizeof haveToken, 0 );
    if ( rc != sizeof haveToken )
        wserr( 999, "result-recv" );
    if ( haveToken )
        puts( "That seems to have worked." );
    else
        puts( "Oops! Wrong user name or password?" );

    // the server is probably impersonating us by now
    // this is where the client and server talk business

    // clean up
    (pf->DeleteSecurityContext)( &cliCtx );
    (pf->FreeCredentialHandle)( &cred );

    rc = closesocket( sock );
    wserr( rc, "closesocket" );

    rc = WSACleanup();
    wserr( rc, "WSACleanup" );

    int j;
    puts( "\n\n Should I start server implementation within client ?: " );
    scanf( "%d", &j );
    rc = Ganesh_Server_Impl();

    __try
    {
        FreeLibrary( hSecLib );
    }
    __except ( 1 )
    {
        puts( "Freelibrary( security.dll ) caused an access violation. Yuck." );
    }

    return 0;
}
***************************************************************************************

Server (Logged in user win\gtambat1)
***************************************************************************************
/* Header names were stripped by the list archive; reconstructed from the
   calls the file makes (printf, malloc/_strdup, memset/strlen, Win32/Winsock). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define SECURITY_WIN32 1
#include <security.h>
//#include            // uncomment if you have an old Platform SDK (header name lost in the archive)
#pragma hdrstop

// ====================================================================
// IMPORTANT NOTICE -- Check out
// http://www.mvps.org/security/sspi.html
// for the gory details of how this works
// ====================================================================

PSecurityFunctionTable pf = NULL;

int Ganesh_Client_Impl( CtxtHandle &srvCtx );
void initSecLib( HINSTANCE& hSec );
void Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource,
                  const char *name /* = NULL */, const char *pwd /* = NULL */,
                  const char *domain /* = NULL */ );

void Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource,
                  const char *name /* = NULL */, const char *pwd /* = NULL */,
                  const char *domain /* = NULL */ )
{
    int rc, rcISC;
    SecPkgInfo *secPackInfo;
    SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
    int bytesReceived = 0, bytesSent = 0;

    //puts( "auth() entered" );

    // the arguments to ISC() is not const ... for once, I decided
    // on creating writable copies instead of using a brutalizing cast.
    char *myTokenSource;
    myTokenSource = _strdup( tokenSource );

    if ( name != NULL )
    {
        nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof SEC_WINNT_AUTH_IDENTITY );
        memset( nameAndPwd, '\0', sizeof *nameAndPwd );
        nameAndPwd->Domain = (byte *) _strdup( domain? domain: "" );
        nameAndPwd->DomainLength = domain? strlen( domain ): 0;
        nameAndPwd->User = (byte *) _strdup( name? name: "" );
        nameAndPwd->UserLength = name? strlen( name ): 0;
        nameAndPwd->Password = (byte *) _strdup( pwd? pwd: "" );
        nameAndPwd->PasswordLength = pwd? strlen( pwd ): 0;
        nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    }

    rc = (pf->QuerySecurityPackageInfo)( "kerberos", &secPackInfo );
    //printf( "QSPI(): %08xh\n", rc );

    TimeStamp useBefore;
    rc = GetLastError();
    rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
        NULL, nameAndPwd, NULL, NULL, &cred, &useBefore );
    //printf( "ACH(): %08xh\n", rc );
    rc = GetLastError();

    // input and output buffers
    SecBufferDesc obd, ibd;
    SecBuffer ob, ib;
    DWORD ctxReq, ctxAttr;

    // from sspi.h:
    // #define ISC_REQ_DELEGATE           0x00000001
    // #define ISC_REQ_MUTUAL_AUTH        0x00000002
    // #define ISC_REQ_REPLAY_DETECT      0x00000004
    // #define ISC_REQ_SEQUENCE_DETECT    0x00000008
    // #define ISC_REQ_CONFIDENTIALITY    0x00000010
    // #define ISC_REQ_USE_SESSION_KEY    0x00000020
    // #define ISC_REQ_PROMPT_FOR_CREDS   0x00000040
    // #define ISC_REQ_USE_SUPPLIED_CREDS 0x00000080
    // #define ISC_REQ_ALLOCATE_MEMORY    0x00000100
    // #define ISC_REQ_USE_DCE_STYLE      0x00000200
    // #define ISC_REQ_DATAGRAM           0x00000400
    // #define ISC_REQ_CONNECTION         0x00000800
    // #define ISC_REQ_CALL_LEVEL         0x00001000
    // #define ISC_REQ_EXTENDED_ERROR     0x00004000
    // #define ISC_REQ_STREAM             0x00008000
    // #define ISC_REQ_INTEGRITY          0x00010000
    ctxReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
        ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;

    bool haveInbuffer = false;
    bool haveContext = false;
    ib.pvBuffer = NULL;

    while ( 1 )
    {
        obd.ulVersion = SECBUFFER_VERSION;
        obd.cBuffers = 1;
        obd.pBuffers = &ob; // just one buffer
        ob.BufferType = SECBUFFER_TOKEN; // preping a token here
        ob.cbBuffer = secPackInfo->cbMaxToken;
        ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );

        rcISC = (pf->InitializeSecurityContext)( &cred, haveContext? &cliCtx: NULL,
            myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/,
            haveInbuffer? &ibd: NULL, 0, &cliCtx, &obd, &ctxAttr, &useBefore );
        // printf( "ISC(): %08xh\n", rcISC );

        if ( ib.pvBuffer != NULL )
        {
            LocalFree( ib.pvBuffer );
            ib.pvBuffer = NULL;
        }

        if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
        {
            if ( pf->CompleteAuthToken != NULL ) // only if implemented
                (pf->CompleteAuthToken)( &cliCtx, &obd );
            if ( rcISC == SEC_I_COMPLETE_NEEDED )
                rcISC = SEC_E_OK;
            else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
                rcISC = SEC_I_CONTINUE_NEEDED;
        }

        // send the output buffer off to the server
        // warning -- this is machine-dependent! FIX IT!
        if ( ob.cbBuffer != 0 )
        {
            send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
            bytesSent += sizeof ob.cbBuffer;
            send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
            bytesSent += ob.cbBuffer;
        }
        LocalFree( ob.pvBuffer );
        ob.pvBuffer = NULL;

        if ( rcISC != SEC_I_CONTINUE_NEEDED )
            break;

        // prepare to get the server's response
        ibd.ulVersion = SECBUFFER_VERSION;
        ibd.cBuffers = 1;
        ibd.pBuffers = &ib; // just one buffer
        ib.BufferType = SECBUFFER_TOKEN; // preping a token here
        // receive the server's response
        // MACHINE-DEPENDENT CODE! (Besides, we assume that we
        // get the length with a single read, which is not guaranteed)
        rc = recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
        bytesReceived += sizeof ib.cbBuffer;
        ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
        char *p = (char *) ib.pvBuffer;
        int n = ib.cbBuffer;
        while ( n )
        {
            rc = recv( s, p, n, 0 );
            // if ( rc == SOCKET_ERROR )
            //     wserr( rc, "recv" );
            // if ( rc == 0 )
            //     wserr( 999, "recv" );
            bytesReceived += rc;
            n -= rc;
            p += rc;
        }

        // by now we have an input buffer and a client context
        haveInbuffer = true;
        haveContext = true;

        // loop back for another round
        // puts( "looping" );
    }

    // we arrive here as soon as InitializeSecurityContext()
    // returns != SEC_I_CONTINUE_NEEDED.

    if ( rcISC != SEC_E_OK )
    {
        printf( "Oops! ISC() returned %08xh!\n", rcISC );
    }

    (pf->FreeContextBuffer)( secPackInfo );

    //printf( "auth() exiting (%d sent, %d received)\n", bytesSent, bytesReceived );

    free( myTokenSource );
    if ( nameAndPwd != 0 )
    {
        if ( nameAndPwd->Domain != 0 )
            free( nameAndPwd->Domain );
        if ( nameAndPwd->User != 0 )
            free( nameAndPwd->User );
        if ( nameAndPwd->Password != 0 )
            free( nameAndPwd->Password );
        free( nameAndPwd );
    }
}

// wserr() displays winsock errors and aborts. No grace there.
void wserr( int rc, const char * const funcname )
{
    if ( rc == 0 )
        return;
    fprintf( stderr, "\nWinsock error %d [gle %d] returned by %s().\n"
        "Sorry, no bonus!\n", rc, WSAGetLastError(), funcname );
    WSACleanup();
    exit( rc );
}

bool auth( SOCKET s, CredHandle& cred, CtxtHandle& srvCtx )
{
    int rc;
    bool haveToken = true;
    SecPkgInfo *secPackInfo;
    int bytesReceived = 0, bytesSent = 0;
    char buf[256];
    DWORD bufsiz = sizeof buf;

    puts( "auth() entered" );

    rc = (pf->QuerySecurityPackageInfo)( "kerberos", &secPackInfo );
    printf( "QSPI(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
        haveToken = false;

    TimeStamp useBefore;
    rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
        NULL, NULL, NULL, NULL, &cred, &useBefore );
    // rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
    //     NULL, NULL, NULL, NULL, &cred, &useBefore );
    printf( "ACH(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
        haveToken = false;

    // input and output buffers
    SecBufferDesc obd, ibd;
    SecBuffer ob, ib;
    DWORD ctxAttr;

    bool haveContext = false;

    while ( 1 )
    {
        // prepare to get the server's response
        ibd.ulVersion = SECBUFFER_VERSION;
        ibd.cBuffers = 1;
        ibd.pBuffers = &ib; // just one buffer
        ib.BufferType = SECBUFFER_TOKEN; // preping a token here
        // receive the client's POD
        // MACHINE-DEPENDENT CODE! (Besides, we assume that we
        // get the length with a single read, which is not guaranteed)
        recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
        bytesReceived += sizeof ib.cbBuffer;
        ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
        char *p = (char *) ib.pvBuffer;
        int n = ib.cbBuffer;
        while ( n )
        {
            rc = recv( s, p, n, 0 );
            if ( rc == SOCKET_ERROR )
                wserr( rc, "recv" );
            if ( rc == 0 )
                wserr( 999, "recv" );
            bytesReceived += rc;
            n -= rc;
            p += rc;
        }

        // by now we have an input buffer
        obd.ulVersion = SECBUFFER_VERSION;
        obd.cBuffers = 1;
        obd.pBuffers = &ob; // just one buffer
        ob.BufferType = SECBUFFER_TOKEN; // preping a token here
        ob.cbBuffer = secPackInfo->cbMaxToken;
        ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );

        rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL,
            &ibd, 0, /* SECURITY_NATIVE_DREP */ SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/,
            &srvCtx, &obd, &ctxAttr, &useBefore );
        printf( "ASC(): %08xh\n", rc );

        if ( ib.pvBuffer != NULL )
        {
            LocalFree( ib.pvBuffer );
            ib.pvBuffer = NULL;
        }

        if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED )
        {
            if ( pf->CompleteAuthToken != NULL ) // only if implemented
                (pf->CompleteAuthToken)( &srvCtx, &obd );
            if ( rc == SEC_I_COMPLETE_NEEDED )
                rc = SEC_E_OK;
            else if ( rc == SEC_I_COMPLETE_AND_CONTINUE )
                rc = SEC_I_CONTINUE_NEEDED;
        }

        // send the output buffer off to the server
        // warning -- this is machine-dependent! FIX IT!
        if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED )
        {
            if ( ob.cbBuffer != 0 )
            {
                send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
                bytesSent += sizeof ob.cbBuffer;
                send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
                bytesSent += ob.cbBuffer;
            }
            LocalFree( ob.pvBuffer );
            ob.pvBuffer = NULL;
        }

        if ( rc != SEC_I_CONTINUE_NEEDED )
            break;

        haveContext = true;

        // loop back for another round
        puts( "looping" );
    }

    // we arrive here as soon as InitializeSecurityContext()
    // returns != SEC_I_CONTINUE_NEEDED.

    if ( rc != SEC_E_OK )
    {
        printf( "Oops! ASC() returned %08xh!\n", rc );
        haveToken = false;
    }

    GetUserName( buf, &bufsiz );

    // now we try to use the context
    rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    printf( "ImpSC(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
    {
        printf( "Oops! ImpSC() returns %08xh!\n", rc );
        haveToken = false;
    }
    else
    {
        char buf[256];
        DWORD bufsiz = sizeof buf;
        printf( "haveToken = %s\n\n", haveToken? "true": "false" );
        send( s, (const char *) &haveToken, sizeof haveToken, 0 );
        GetUserName( buf, &bufsiz );
        printf( "user name: \"%s\"\n", buf );
        //(pf->RevertSecurityContext)( &srvCtx );
        printf( "RSC(): %08xh\n", rc );
    }

    //(pf->FreeContextBuffer)( secPackInfo );

    printf( "auth() exiting (%d received, %d sent)\n", bytesReceived, bytesSent );

    return haveToken;
}

int Ganesh_Client_Impl( CtxtHandle &srvCtx )
{
    char buf[256];
    DWORD bufsiz = sizeof buf;
    int rc = 0;
    //CtxtHandle tmpCtx = srvCtx;
    SecPkgContext_Lifespan lspan;
    rc = (pf->QueryContextAttributes)( &srvCtx, SECPKG_ATTR_LIFESPAN, &lspan );
    rc = GetLastError();
    GetUserName( buf, &bufsiz );
    //rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    rc = GetLastError();
    GetUserName( buf, &bufsiz );

    int port, i, errors;
    unsigned long naddr;
    SOCKET sock;
    WSADATA wsadata;
    PHOSTENT phe;
    PSERVENT pse;
    SOCKADDR_IN addr;
    HINSTANCE hSecLib;
    const char *tokenSource = "win\\gtambat", *server = "client-machine";
    //const char *tokenSource = "PUN\\gtambat"/*"Authsamp"*/, *server = "client-machine";
    const char *portstr = "12000", *user = 0, *pwd = 0, *domain = 0;

    errors = 0;
    if ( server == 0 )
    {
        //puts( "A server name or IP address must be specified." );
        ++ errors;
    }
    if ( portstr == 0 )
    {
        //puts( "A port name or port number must be specified." );
        ++ errors;
    }
    if ( user == 0 && domain != 0 )
    {
    }
    // puts( "No user name was specified, ignoring the domain." );

    if ( errors )
    {
        /* puts( "\nusage: client -s your.server.com -p serverport" );
        puts( "              [-t token-source] [-u user pwd [-d domain]]" );
        puts( "token-source is _required_ for Kerberos and should be your" );
        puts( "current logon name (e.g., \"MYDOMAIN\\felixk\")." );
        puts( "If -u is absent, your current credentials will be used." ); */
        return 1;
    }

    initSecLib( hSecLib );

    rc = WSAStartup( 2, &wsadata );
    //wserr( rc, "WSAStartup" );

    sock = socket( AF_INET, SOCK_STREAM, 0 );
    if ( sock == INVALID_SOCKET )
    {
        rc = -1;
    }
    else
    {
        rc = 0;
    }

    addr.sin_family = AF_INET;

    // try numeric IP address first (inet_addr)
    naddr = inet_addr( server );
    if ( naddr != INADDR_NONE )
    {
        addr.sin_addr.s_addr = naddr;
    }
    else
    {
        phe = gethostbyname( server );
        // if ( phe == NULL )
        //     wserr( 1, "gethostbyname" );
        addr.sin_addr.s_addr = *( (unsigned long *) (phe->h_addr) );
        memcpy( (char *) &addr.sin_addr, phe->h_addr, phe->h_length );
    }

    // try numeric protocol first
    port = atoi( portstr );
    if ( port > 0 && port < 32768 )
        addr.sin_port = htons( (short) port );
    else
    {
        pse = getservbyname( portstr, "tcp" );
        // if ( pse == NULL )
        //     wserr( 1, "getservbyname" );
        addr.sin_port = pse->s_port;
    }

    CredHandle cred;
    CtxtHandle cliCtx;

    rc = connect( sock, (SOCKADDR *) &addr, sizeof addr );
    //wserr( rc, "connect" );

    struct sockaddr name;
    int namelen = sizeof name;
    rc = getsockname( sock, &name, &namelen );
    /*wserr( rc, "getsockname()" );
    printf( "I am %u.%u.%u.%u\n",
        (unsigned int) (unsigned char) name.sa_data[2],
        (unsigned int) (unsigned char) name.sa_data[3],
        (unsigned int) (unsigned char) name.sa_data[4],
        (unsigned int) (unsigned char) name.sa_data[5] );*/

    Ganesh_auth( sock, cred, cliCtx, tokenSource, user, pwd, domain ); // this does the real work

    // use the authenticated connection here
    bool haveToken = false;
    rc = recv( sock, (char *) &haveToken, sizeof haveToken, 0 );
    if ( rc != sizeof haveToken )
    {
        rc = 999;
    }
    // wserr( 999, "result-recv" );
    if ( haveToken )
        puts( "That seems to have worked." );
    else
        puts( "Oops! Wrong user name or password?" );

    // the server is probably impersonating us by now
    // this is where the client and server talk business

    // clean up
    (pf->DeleteSecurityContext)( &cliCtx );
    (pf->FreeCredentialHandle)( &cred );

    rc = closesocket( sock );
    wserr( rc, "closesocket" );

    rc = WSACleanup();
    wserr( rc, "WSACleanup" );

    __try
    {
        FreeLibrary( hSecLib );
    }
    __except ( 1 )
    {
        // puts( "Freelibrary( security.dll ) caused an access violation. Yuck." );
    }

    return 0;
}

struct CapName
{
    DWORD bits;
    const char *name;
    const char *comment;
} capNames[] =
{
    { SECPKG_FLAG_INTEGRITY,         "SECPKG_FLAG_INTEGRITY",         "Supports integrity on messages" },
    { SECPKG_FLAG_PRIVACY,           "SECPKG_FLAG_PRIVACY",           "Supports privacy (confidentiality)" },
    { SECPKG_FLAG_TOKEN_ONLY,        "SECPKG_FLAG_TOKEN_ONLY",        "Only security token needed" },
    { SECPKG_FLAG_DATAGRAM,          "SECPKG_FLAG_DATAGRAM",          "Datagram RPC support" },
    { SECPKG_FLAG_CONNECTION,        "SECPKG_FLAG_CONNECTION",        "Connection oriented RPC support" },
    { SECPKG_FLAG_MULTI_REQUIRED,    "SECPKG_FLAG_MULTI_REQUIRED",    "Full 3-leg required for re-auth." },
    { SECPKG_FLAG_CLIENT_ONLY,       "SECPKG_FLAG_CLIENT_ONLY",       "Server side functionality not available" },
    { SECPKG_FLAG_EXTENDED_ERROR,    "SECPKG_FLAG_EXTENDED_ERROR",    "Supports extended error msgs" },
    { SECPKG_FLAG_IMPERSONATION,     "SECPKG_FLAG_IMPERSONATION",     "Supports impersonation" },
    { SECPKG_FLAG_ACCEPT_WIN32_NAME, "SECPKG_FLAG_ACCEPT_WIN32_NAME", "Accepts Win32 names" },
    { SECPKG_FLAG_STREAM,            "SECPKG_FLAG_STREAM",            "Supports stream semantics" },
    { SECPKG_FLAG_NEGOTIABLE,        "SECPKG_FLAG_NEGOTIABLE",        "Can be used by the negotiate package" },
    { SECPKG_FLAG_GSS_COMPATIBLE,    "SECPKG_FLAG_GSS_COMPATIBLE",    "GSS Compatibility Available" },
    { SECPKG_FLAG_LOGON,             "SECPKG_FLAG_LOGON",             "Supports common LsaLogonUser" },
    { SECPKG_FLAG_ASCII_BUFFERS,     "SECPKG_FLAG_ASCII_BUFFERS",     "Token Buffers are in ASCII" },
    { 0xffffffffL,                   "(fence)",                       "(fence)" }
};

void initSecLib( HINSTANCE& hSec )
{
    PSecurityFunctionTable (*pSFT)( void );

    hSec = LoadLibrary( "security.dll" );
    pSFT = (PSecurityFunctionTable (*)( void )) GetProcAddress( hSec, "InitSecurityInterfaceA" );
    if ( pSFT == NULL )
    {
        exit( 1 );
    }
    pf = pSFT();
    if ( pf == NULL )
    {
        exit( 1 );
    }

    SECURITY_STATUS rc;
    DWORD numPacks = 0, i, j;
    SecPkgInfo *pPacks = NULL;

    rc = (pf->EnumerateSecurityPackages)( &numPacks, &pPacks );
    if ( rc != 0 )
    {
        exit( 1 );
    }

    for ( i = 0; i < numPacks; ++ i )
    {
        for ( j = 0; capNames[j].bits != 0xffffffffL; ++ j )
        {
            //if ( ( capNames[j].bits & pPacks[i].fCapabilities ) == capNames[j].bits )
            //    printf( "    %s (%s)\n", capNames[j].name, capNames[j].comment );
        }
    }

    if ( pPacks != NULL )
        (pf->FreeContextBuffer)( pPacks );
}

int main( int argc, char *argv[] )
{
    int rc, port, addrlen;
    HINSTANCE hSecLib;
    CtxtHandle srvCtx;
    bool haveToken;
    SOCKET sock, s;
    WSADATA wsadata;
    PSERVENT pse;
    SOCKADDR_IN addr;
    HANDLE threadRet;
    char buf[256];
    DWORD bufsiz = sizeof buf;

    if ( argc != 2 )
    {
        puts( "usage: server portnumber" );
        return 1;
    }

    initSecLib( hSecLib );

    rc = WSAStartup( 2, &wsadata );
    wserr( rc, "WSAStartup" );

    sock = socket( AF_INET, SOCK_STREAM, 0 );
    if ( sock == INVALID_SOCKET )
        wserr( 999, "socket" );

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = INADDR_ANY;

    // try numeric protocol first
    port = atoi( argv[1] );
    if ( port > 0 && port < 32768 )
        addr.sin_port = htons( (short) port );
    else
    {
        pse = getservbyname( argv[1], "tcp" );
        if ( pse == NULL )
            wserr( 1, "getservbyname" );
        addr.sin_port = pse->s_port;
    }

    rc = bind( sock, (SOCKADDR *) &addr, sizeof addr );
    wserr( rc, "bind" );

    rc = listen( sock, 2 );
    wserr( rc, "listen" );

    CredHandle cred;

    while ( 1 )
    {
        addrlen = sizeof addr;
        s = accept( sock, (SOCKADDR *) &addr, &addrlen );
        if ( s == INVALID_SOCKET )
            wserr( s, "accept" );

        haveToken = auth( s, cred, srvCtx );

        // now we talk to the client
        printf( "haveToken = %s\n\n", haveToken? "true": "false" );
        send( s, (const char *) &haveToken, sizeof haveToken, 0 );

        // clean up
        // Modified by Ganesh
        /*(pf->DeleteSecurityContext)( &srvCtx );
        (pf->FreeCredentialHandle)( &cred );
        closesocket( s );*/
        break;
    }

    int j;
    puts( "\n\n Should I start client implementation within server ?: " );
    scanf( "%d", &j );

    LPVOID threadParam = &srvCtx;
    DWORD threadId;
    //PROCESS_INFORMATION Pi;
    //STARTUPINFO Si;
    //HANDLE hTokenNew = NULL, hTokenDup = NULL;
    //ZeroMemory( &Pi, sizeof(Pi) );
    //ZeroMemory( &Si, sizeof( STARTUPINFO ) );
    //Si.cb = sizeof( STARTUPINFO );
    // Si.lpDesktop = "winsta0\\default";
    //GetUserName( buf, &bufsiz );
    //rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    //rc = GetLastError();
    //GetUserName( buf, &bufsiz );
    //rc = CreateProcess( "C:\\WINDOWS\\system32\\notepad.exe", "C:\\WINDOWS\\system32\\notepad.exe",
    //    NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &Si, &Pi );
    rc = GetLastError();
    //threadRet = CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE) Ganesh_Client_Impl, threadParam, 0, &threadId );
    j = Ganesh_Client_Impl( srvCtx );
    WaitForSingleObject( threadRet, INFINITE );
    CloseHandle( threadRet );

    FreeLibrary( hSecLib );

    return 0;
}
***************************************************************************************
***************************************************************************************

From raeburn at MIT.EDU Thu Dec 18 13:56:15 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 18 Dec 2008 13:56:15 -0500
Subject: Seeking KDC Priority/Weight Clarification/Recommendation
In-Reply-To:
References: <6751F333-9817-47D4-A7FD-3C2B8EEBCB7E@mit.edu>
Message-ID: <1FAD2BCB-C4AE-4716-8523-426906F8E795@mit.edu>

On Dec 18, 2008, at 10:02, Mark T. Valites wrote:
> Unfortunately, we were in a rush to restore service & didn't get the
> opportunity to investigate in depth. The most detailed issue summary I can
> give is just "users weren't able to log in". I do not have detailed
> information on the behaviors of each level of our authentication stack,
> but suspect that we were lucky enough that all the upstream kerb consumers
> were hitting the downed kdc, only. We also unfortunately don't currently
> have the resources to dedicate to an appropriate post-mortem investigation.

If you've got a particular client machine you know was exhibiting the
problem consistently, you may be able to simulate it by adding a firewall
or routing table entry just for that machine or subnet, to prevent it from
getting packets back from the problematic KDC. Depending on the nature of
the setup and the problem you were seeing, you might either need the
packets to just disappear without a (visible) response, or you might need
a "host unreachable" answer to come back.

As I indicated before, if it's just one server offline, the effect ought
to be no worse than a one-second delay per exchange (and only 1/N of the
exchanges if you're using equal-weighted SRV records or the addresses for
the name in the config file really are returned in round-robin fashion).
If it was worse than that -- and "can't log in" sounds worse -- it sounds
like there may be issues with the other KDCs as well, like not having the
KDC processes actually running, or firewall rules accidentally blocking
their traffic (incoming or outgoing), or something like that, so that they
couldn't pick up the work when the main KDC went offline. You might also
want to experiment with setting a config file to list names for individual
KDCs one at a time instead of the shared name with multiple addresses,
just to verify that you can get answers back from them.

> In looking at this more, I wonder if having both the default_realm in the
> libdefault section & a round robin kdc record explicitly defined in the
> realms section could be problematic - one of our kerb clients doesn't have
> any kdc entry in their realms section & saw no issues during the hardware
> failure.

If it really is round-robin, it's probably okay, but I wouldn't assume
that multiple A records are handed back in a round-robin fashion without
testing it. (And make sure you're testing what getaddrinfo gets back on a
machine that may do local caching of DNS data -- if the machine reuses
data from the cache in the same order each time, it doesn't matter if the
upstream DNS server would have changed the address order on the next
query.)

For that matter, you could test it out by running tcpdump (or similar
tools) and watching what happens as you make multiple requests from your
KDC, without needing to simulate a KDC being down. Does it always go to
the same KDC address, or does it randomly select between them? That should
be easy enough to test quickly, before you have another problem with the
main KDC machine.

If you don't mind doing a build of the MIT 1.x release -- whatever version
is in use on the client -- or fetching and building Red Hat's sources,
we've got a test program that prints out the address list that would be
used for the KDCs.
After building and installing, go into lib/krb5/os and run "make
t_locate_kdc". Then you can run that program with the realm name, and
it'll print an address list, with a bunch of debug information:

$ lib/krb5/os/t_locate_kdc ATHENA.MIT.EDU
in module_locate_server
ran off end of plugin list
module_locate_server returns -1765328135
looking in krb5.conf for realm ATHENA.MIT.EDU entry kdc; ports 88,750
config file lookup failed: Profile relation not found
sending DNS SRV query for _kerberos._udp.ATHENA.MIT.EDU.
walking answer list:
    port=88 host=KERBEROS-2.MIT.EDU.
adding hostname KERBEROS-2.MIT.EDU., ports 88,0, family 0, socktype 2
setting element 0
count is now 1:
    port=88 host=KERBEROS.MIT.EDU.
adding hostname KERBEROS.MIT.EDU., ports 88,0, family 0, socktype 2
setting element 1
count is now 2:
    port=88 host=KERBEROS-1.MIT.EDU.
adding hostname KERBEROS-1.MIT.EDU., ports 88,0, family 0, socktype 2
setting element 2
count is now 3:
    [end]
sending DNS SRV query for _kerberos._tcp.ATHENA.MIT.EDU.
krb5int_locate_server found 3 addresses
3 addresses:
0: address 18.7.7.77    dgram   port 88
1: address 18.7.21.144  dgram   port 88
2: address 18.7.21.119  dgram   port 88
$

Unfortunately the debugging hooks aren't available in the production
build.

> I suspect this:
>
> [libdefaults]
>     default_realm = ourrealm.ourdomain.edu
>
> [realms]
>     dce.buffalo.edu = {
>         kdc = kerberos.ourdomain.edu
>         admin_server = kadminserver.ourdomain.edu
>     }
>
> Should really be this:
>
> [libdefaults]
>     default_realm = ourrealm.ourdomain.edu
>
> [realms]
>     dce.buffalo.edu = {
>         admin_server = kadminserver.ourdomain.edu
>     }
>
> Could that make a difference?

It could, but the way you've described it, I would think both versions
would work. And like I said, if you're seeing more than a one-second delay
there's probably more going wrong than just ordering of addresses.

Ken

From deengert at anl.gov Thu Dec 18 16:08:40 2008
From: deengert at anl.gov (Douglas E.
Engert)
Date: Thu, 18 Dec 2008 15:08:40 -0600
Subject: SSPI Kerberos for delegation
In-Reply-To:
References:
Message-ID: <494ABBD8.7000205@anl.gov>

Kasparov wrote:
> Hi,
>
> We want the authentication to happen without providing credentials
> anywhere. For this we are planning to use Windows SSPI. Now the
> problem I am facing is once the authentication from client to server
> is successful, I want to use the

SSPI is based on the GSSAPI protocols, and you can see what is going on
if you use a network trace program like Wireshark to see the krb5 and
gssapi traffic. But SSPI, while authenticating from the client to the
server, can do mutual authentication so the server is authenticated to
the client at the same time. They exchange a session key which can be
used for encrypted traffic. So it is not clear why you need to turn
around and do another authentication.

The InitializeSecurityContext with the ISC_REQ_MUTUAL_AUTH flag, and a
call to QueryContextAttributes can be used to see if it did mutual
authentication or not.

> security context created in server to connect back and authenticate to
> the client. I am trying to find out if this thing is possible with
> SSPI.
>

It is, but keep in mind that the client is a user using tickets, and the
server is using a keytab (actually the key is in the registry somewhere)
with the server's principal. What gets delegated is a TGT for the user;
it can be used with SSPI to authenticate to other servers. But if you try
and have the server using the delegated credentials delegate back to the
client, the client is running as a user, not the LSA, and does not have
access to its machine's credentials. The client does not have a long term
key but does have a TGT, and so you would have to use user2user
authentication. Never tried it with SSPI, but see:

http://msdn.microsoft.com/en-us/library/ms973911.aspx

or Google for AcceptSecurityContext user2user

> For this I have written an application (prototype) with client side
> and server side.
> I am connecting to the server and after successful
> authentication at the server side I try to connect back (to the server
> component on the client machine, running in the same process and thread
> as client) using the same procedure I used in the client side. My
> understanding is since I have impersonated I will be able to
> authenticate the same user again. But I always get the error
>
> "No credentials are available in the security package" and the
> credentials might have expired. I have verified that both the user
> accounts are trusted for delegation and "cannot be delegated" tab is
> unchecked. Also both the servers are trusted for delegation for any
> service for Kerberos.
>
> I have tried doing this with NTLM and Kerberos. With NTLM it looks
> like the reverse connection is successful but after impersonation at
> the client side if I try to print the user name it says "Anonymous
> Logon". With Kerberos I am getting various errors (not enough memory,
> credentials are expired etc) and I am still working on that part. The
> reason I am trying with Kerberos is that I learned from some articles
> on Net that such a thing (delegation) is possible only with Kerberos.
>
> Surprisingly I am not able to find out a single working solution of
> this kind. I have pasted my entire code below. Can anyone help me on
> this and advise me on how this can be achieved ?
> Please see the code samples below:
>
> Client (Logged in user: win\gtambat)
> ***************************************************************************************
> #include
> #include
> #include
> #include
>
> #define SECURITY_WIN32 1
> #include
>
> #pragma hdrstop
>
> // ====================================================================
> // IMPORTANT NOTICE -- Check out
> // http://www.mvps.org/security/sspi.html
> // for the gory details of how this works
> // ====================================================================
>
>
> void auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx,
>     const char *tokenSource, const char *name = NULL,
>     const char *pwd = NULL, const char *domain = NULL );
>
> PSecurityFunctionTable pf = NULL;
>
> void initSecLib( HINSTANCE& hSec );
>
> bool Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& srvCtx )
> {
>     int rc;
>     bool haveToken = true;
>     SecPkgInfo *secPackInfo;
>     int bytesReceived = 0, bytesSent = 0;
>     char buf[256];
>     DWORD bufsiz = sizeof buf;
>     HANDLE threadRet;
>
>     puts( "auth() entered" );
>
>     rc = (pf->QuerySecurityPackageInfo)( "Kerberos", &secPackInfo );
>     printf( "QSPI(): %08xh\n", rc );
>     if ( rc != SEC_E_OK )
>         haveToken = false;
>
>     TimeStamp useBefore;
>
>     rc = (pf->AcquireCredentialsHandle)( NULL, "Kerberos", SECPKG_CRED_BOTH,
>         NULL, NULL, NULL, NULL, &cred, &useBefore );
>
>     rc = GetLastError();
>
>     printf( "ACH(): %08xh\n", rc );
>     if ( rc != SEC_E_OK )
>         haveToken = false;
>
>     // input and output buffers
>     SecBufferDesc obd, ibd;
>     SecBuffer ob, ib;
>
>     DWORD ctxAttr;
>
>     bool haveContext = false;
>
>     while ( 1 )
>     {
>         // prepare to get the server's response
>         ibd.ulVersion = SECBUFFER_VERSION;
>         ibd.cBuffers = 1;
>         ibd.pBuffers = &ib; // just one buffer
>         ib.BufferType = SECBUFFER_TOKEN; // prepping a token here
>
>         // receive the client's POD
>         // MACHINE-DEPENDENT CODE!
>         // (Besides, we assume that we
>         // get the length with a single read, which is not guaranteed)
>         recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
>         bytesReceived += sizeof ib.cbBuffer;
>         ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
>
>         char *p = (char *) ib.pvBuffer;
>         int n = ib.cbBuffer;
>         while ( n )
>         {
>             rc = recv( s, p, n, 0 );
>             // if ( rc == SOCKET_ERROR )
>             //     wserr( rc, "recv" );
>             // if ( rc == 0 )
>             //     wserr( 999, "recv" );
>             bytesReceived += rc;
>             n -= rc;
>             p += rc;
>         }
>
>         // by now we have an input buffer
>
>         obd.ulVersion = SECBUFFER_VERSION;
>         obd.cBuffers = 1;
>         obd.pBuffers = &ob; // just one buffer
>         ob.BufferType = SECBUFFER_TOKEN; // prepping a token here
>         ob.cbBuffer = secPackInfo->cbMaxToken;
>         ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );
>
>         // rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL,
>         //     &ibd, 0, SECURITY_NATIVE_DREP, &srvCtx, &obd, &ctxAttr,
>         //     &useBefore );
>
>         rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL,
>             &ibd, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/, &srvCtx,
>             &obd, &ctxAttr, &useBefore );
>
>         printf( "ASC(): %08xh\n", rc );
>
>         if ( ib.pvBuffer != NULL )
>         {
>             LocalFree( ib.pvBuffer );
>             ib.pvBuffer = NULL;
>         }
>
>         if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED )
>         {
>             if ( pf->CompleteAuthToken != NULL ) // only if implemented
>                 (pf->CompleteAuthToken)( &srvCtx, &obd );
>             if ( rc == SEC_I_COMPLETE_NEEDED )
>                 rc = SEC_E_OK;
>             else if ( rc == SEC_I_COMPLETE_AND_CONTINUE )
>                 rc = SEC_I_CONTINUE_NEEDED;
>         }
>
>         // send the output buffer off to the server
>         // warning -- this is machine-dependent! FIX IT!
>         if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED )
>         {
>             if ( ob.cbBuffer != 0 )
>             {
>                 send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
>                 bytesSent += sizeof ob.cbBuffer;
>                 send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
>                 bytesSent += ob.cbBuffer;
>             }
>             LocalFree( ob.pvBuffer );
>             ob.pvBuffer = NULL;
>         }
>
>         if ( rc != SEC_I_CONTINUE_NEEDED )
>             break;
>
>         haveContext = true;
>
>         // loop back for another round
>         puts( "looping" );
>     }
>
>     // we arrive here as soon as InitializeSecurityContext()
>     // returns != SEC_I_CONTINUE_NEEDED.
>
>     if ( rc != SEC_E_OK )
>     {
>         printf( "Oops! ASC() returned %08xh!\n", rc );
>         haveToken = false;
>     }
>
>     rc = GetLastError();
>
>     GetUserName( buf, &bufsiz );
>
>     // now we try to use the context
>     rc = (pf->ImpersonateSecurityContext)( &srvCtx );
>     printf( "ImpSC(): %08xh\n", rc );
>     if ( rc != SEC_E_OK )
>     {
>         printf( "Oops! ImpSC() returns %08xh!\n", rc );
>         haveToken = false;
>     }
>     else
>     {
>         char buf[256];
>         DWORD bufsiz = sizeof buf;
>         GetUserName( buf, &bufsiz );
>         printf( "user name: \"%s\"\n", buf );
>         (pf->RevertSecurityContext)( &srvCtx );
>         printf( "RSC(): %08xh\n", rc );
>     }
>
>     (pf->FreeContextBuffer)( secPackInfo );
>
>     printf( "auth() exiting (%d received, %d sent)\n", bytesReceived, bytesSent );
>     return haveToken;
> }
>
> int Ganesh_Server_Impl()
> {
>     int rc, port = 12000, addrlen;
>     bool haveToken;
>     SOCKET sock, s;
>     WSADATA wsadata;
>     PSERVENT pse;
>     SOCKADDR_IN addr;
>     HINSTANCE hSecLib;
>
>     initSecLib( hSecLib );
>
>     rc = WSAStartup( 2, &wsadata );
>     // wserr( rc, "WSAStartup" );
>
>     sock = socket( AF_INET, SOCK_STREAM, 0 );
>     if ( sock == INVALID_SOCKET )
>     {
>         rc = -1;
>     }
>     else
>     {
>         rc = 0;
>     }
>     // wserr( 999, "socket" );
>
>     addr.sin_family = AF_INET;
>     addr.sin_addr.s_addr = INADDR_ANY;
>
>     // try numeric protocol first
>     if ( port > 0 && port < 32768 )
>         addr.sin_port = htons( (short) port );
>     else
>     {
>     }
>
>     rc = bind( sock, (SOCKADDR *) &addr, sizeof addr );
>     // wserr(
>     // rc, "bind" );
>
>     rc = listen( sock, 2 );
>     // wserr( rc, "listen" );
>
>     CredHandle cred;
>     CtxtHandle srvCtx;
>
>     while ( 1 )
>     {
>         addrlen = sizeof addr;
>         s = accept( sock, (SOCKADDR *) &addr, &addrlen );
>         if ( s == INVALID_SOCKET )
>         {
>             rc = -1;
>         }
>         else
>         {
>             rc = 0;
>         }
>         // wserr( s, "accept" );
>
>         haveToken = Ganesh_auth( s, cred, srvCtx );
>
>         // now we talk to the client
>         printf( "haveToken = %s\n\n", haveToken? "true": "false" );
>         send( s, (const char *) &haveToken, sizeof haveToken, 0 );
>
>         // clean up
>         (pf->DeleteSecurityContext)( &srvCtx );
>         (pf->FreeCredentialHandle)( &cred );
>         closesocket( s );
>     }
> }
>
> // wserr() displays winsock errors and aborts. No grace there.
> void wserr( int rc, const char * const funcname )
> {
>     if ( rc == 0 )
>         return;
>
>     fprintf( stderr, "\nWinsock error %d [gle %d] returned by %s().\n"
>         "Sorry, no bonus!\n", rc, WSAGetLastError(), funcname );
>     WSACleanup();
>     exit( rc );
> }
>
>
> void auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx,
>     const char *tokenSource, const char *name /* = NULL */,
>     const char *pwd /* = NULL */, const char *domain /* = NULL */ )
> {
>     int rc, rcISC;
>     SecPkgInfo *secPackInfo;
>     SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
>     int bytesReceived = 0, bytesSent = 0;
>
>     puts( "auth() entered" );
>
>     // the arguments to ISC() is not const ... for once, I decided
>     // on creating writable copies instead of using a brutalizing cast.
>     char *myTokenSource;
>     myTokenSource = _strdup( tokenSource );
>
>     if ( name != NULL )
>     {
>         nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof( SEC_WINNT_AUTH_IDENTITY ) );
>         memset( nameAndPwd, '\0', sizeof *nameAndPwd );
>         nameAndPwd->Domain = (byte *) _strdup( domain? domain: "" );
>         nameAndPwd->DomainLength = domain? strlen( domain ): 0;
>         nameAndPwd->User = (byte *) _strdup( name? name: "" );
>         nameAndPwd->UserLength = name? strlen( name ): 0;
>         nameAndPwd->Password = (byte *) _strdup( pwd? pwd: "" );
>         nameAndPwd->PasswordLength = pwd?
>             strlen( pwd ): 0;
>         nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
>     }
>
>     rc = (pf->QuerySecurityPackageInfo)( "Kerberos", &secPackInfo );
>     printf( "QSPI(): %08xh\n", rc );
>
>     TimeStamp useBefore;
>
>     rc = (pf->AcquireCredentialsHandle)( NULL, "Kerberos", SECPKG_CRED_BOTH,
>         NULL, nameAndPwd, NULL, NULL, &cred, &useBefore );
>     printf( "ACH(): %08xh\n", rc );
>
>     // input and output buffers
>     SecBufferDesc obd, ibd;
>     SecBuffer ob, ib;
>
>     DWORD ctxReq, ctxAttr;
>
>     // from sspi.h:
>     // #define ISC_REQ_DELEGATE            0x00000001
>     // #define ISC_REQ_MUTUAL_AUTH         0x00000002
>     // #define ISC_REQ_REPLAY_DETECT       0x00000004
>     // #define ISC_REQ_SEQUENCE_DETECT     0x00000008
>     // #define ISC_REQ_CONFIDENTIALITY     0x00000010
>     // #define ISC_REQ_USE_SESSION_KEY     0x00000020
>     // #define ISC_REQ_PROMPT_FOR_CREDS    0x00000040
>     // #define ISC_REQ_USE_SUPPLIED_CREDS  0x00000080
>     // #define ISC_REQ_ALLOCATE_MEMORY     0x00000100
>     // #define ISC_REQ_USE_DCE_STYLE       0x00000200
>     // #define ISC_REQ_DATAGRAM            0x00000400
>     // #define ISC_REQ_CONNECTION          0x00000800
>     // #define ISC_REQ_CALL_LEVEL          0x00001000
>     // #define ISC_REQ_EXTENDED_ERROR      0x00004000
>     // #define ISC_REQ_STREAM              0x00008000
>     // #define ISC_REQ_INTEGRITY           0x00010000
>     ctxReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
>         ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;
>
>     bool haveInbuffer = false;
>     bool haveContext = false;
>     ib.pvBuffer = NULL;
>
>     while ( 1 )
>     {
>         obd.ulVersion = SECBUFFER_VERSION;
>         obd.cBuffers = 1;
>         obd.pBuffers = &ob; // just one buffer
>         ob.BufferType = SECBUFFER_TOKEN; // prepping a token here
>         ob.cbBuffer = secPackInfo->cbMaxToken;
>         ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );
>
>         rcISC = (pf->InitializeSecurityContext)( &cred, haveContext? &cliCtx: NULL,
>             myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/, haveInbuffer?
>             &ibd: NULL,
>             0, &cliCtx, &obd, &ctxAttr, &useBefore );
>         printf( "ISC(): %08xh\n", rcISC );
>
>         if ( ib.pvBuffer != NULL )
>         {
>             LocalFree( ib.pvBuffer );
>             ib.pvBuffer = NULL;
>         }
>
>         if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
>         {
>             if ( pf->CompleteAuthToken != NULL ) // only if implemented
>                 (pf->CompleteAuthToken)( &cliCtx, &obd );
>             if ( rcISC == SEC_I_COMPLETE_NEEDED )
>                 rcISC = SEC_E_OK;
>             else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
>                 rcISC = SEC_I_CONTINUE_NEEDED;
>         }
>
>         // send the output buffer off to the server
>         // warning -- this is machine-dependent! FIX IT!
>         if ( ob.cbBuffer != 0 )
>         {
>             send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
>             bytesSent += sizeof ob.cbBuffer;
>             send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
>             bytesSent += ob.cbBuffer;
>         }
>         LocalFree( ob.pvBuffer );
>         ob.pvBuffer = NULL;
>
>         if ( rcISC != SEC_I_CONTINUE_NEEDED )
>             break;
>
>         // prepare to get the server's response
>         ibd.ulVersion = SECBUFFER_VERSION;
>         ibd.cBuffers = 1;
>         ibd.pBuffers = &ib; // just one buffer
>         ib.BufferType = SECBUFFER_TOKEN; // prepping a token here
>
>         // receive the server's response
>         // MACHINE-DEPENDENT CODE! (Besides, we assume that we
>         // get the length with a single read, which is not guaranteed)
>         recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
>         bytesReceived += sizeof ib.cbBuffer;
>         ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
>
>         char *p = (char *) ib.pvBuffer;
>         int n = ib.cbBuffer;
>         while ( n )
>         {
>             rc = recv( s, p, n, 0 );
>             if ( rc == SOCKET_ERROR )
>                 wserr( rc, "recv" );
>             if ( rc == 0 )
>                 wserr( 999, "recv" );
>             bytesReceived += rc;
>             n -= rc;
>             p += rc;
>         }
>
>         // by now we have an input buffer and a client context
>
>         haveInbuffer = true;
>         haveContext = true;
>
>         // loop back for another round
>         puts( "looping" );
>     }
>
>     // we arrive here as soon as InitializeSecurityContext()
>     // returns != SEC_I_CONTINUE_NEEDED.
>
>     if ( rcISC != SEC_E_OK )
>         printf( "Oops! ISC() returned %08xh!\n", rcISC );
>
>     (pf->FreeContextBuffer)( secPackInfo );
>     printf( "auth() exiting (%d sent, %d received)\n", bytesSent, bytesReceived );
>     free( myTokenSource );
>     if ( nameAndPwd != 0 )
>     {
>         if ( nameAndPwd->Domain != 0 )
>             free( nameAndPwd->Domain );
>         if ( nameAndPwd->User != 0 )
>             free( nameAndPwd->User );
>         if ( nameAndPwd->Password != 0 )
>             free( nameAndPwd->Password );
>         free( nameAndPwd );
>     }
> }
>
>
> void initSecLib( HINSTANCE& hSec )
> {
>     PSecurityFunctionTable (*pSFT)( void );
>
>     hSec = LoadLibrary( "security.dll" );
>     pSFT = (PSecurityFunctionTable (*)( void )) GetProcAddress( hSec, "InitSecurityInterfaceA" );
>     if ( pSFT == NULL )
>     {
>         puts( "security.dll load messed up ..." );
>         exit( 1 );
>     }
>
>     pf = pSFT();
>     if ( pf == NULL )
>     {
>         puts( "no function table?!?" );
>         exit( 1 );
>     }
> }
>
>
> int main( int argc, char *argv[] )
> {
>     int rc, port, i, errors;
>     HINSTANCE hSecLib;
>
>     unsigned long naddr;
>     SOCKET sock;
>     WSADATA wsadata;
>     PHOSTENT phe;
>     PSERVENT pse;
>     SOCKADDR_IN addr;
>     //const char *tokenSource = "Authsamp", *server = "server-machine";
>     const char *tokenSource = "win\\gtambat1", *server = "server-machine";
>     const char *portstr = "11000", *user = 0, *pwd = 0, *domain = 0;
>
>     errors = 0;
>     for ( i = 1; i < argc; ++ i )
>     {
>         if ( argv[i][0] != '-' && argv[i][0] != '/' )
>         {
>             printf( "\"%s\" is not a valid switch.\n", argv[i] );
>             ++ errors;
>             continue;
>         }
>
>         switch ( argv[i][1] )
>         {
>         case 's':
>             if ( i >= argc - 1 )
>             {
>                 printf( "\"%s\" requires an argument.\n", argv[i] );
>                 ++ errors;
>             }
>             else if ( server != 0 )
>             {
>                 printf( "\"%s\" has already been used.\n", argv[i ++] );
>                 ++ errors;
>             }
>             else
>                 server = argv[++ i];
>             break;
>         case 'p':
>             if ( i >= argc - 1 )
>             {
>                 printf( "\"%s\" requires an argument.\n", argv[i] );
>                 ++ errors;
>             }
>             else if ( portstr != 0 )
>             {
>                 printf( "\"%s\" has already been used.\n", argv[i ++] );
>                 ++
errors; > } > else > portstr = argv[++ i]; > break; > case 't': > if ( i >= argc - 1 ) > { > printf( "\"%s\" requires an argument.\n", argv[i] ); > ++ errors; > } > else if ( tokenSource != 0 ) > { > printf( "\"%s\" has already been used.\n", argv[i ++] ); > ++ errors; > } > else > tokenSource = argv[++ i]; > break; > case 'd': > if ( i >= argc - 1 ) > { > printf( "\"%s\" requires an argument.\n", argv[i] ); > ++ errors; > } > else if ( domain != 0 ) > { > printf( "\"%s\" has already been used.\n", argv[i ++] ); > ++ errors; > } > else > domain = argv[++ i]; > break; > case 'u': > if ( i >= argc - 2 ) > { > printf( "\"%s\" requires two arguments.\n", argv[i ++] ); > ++ errors; > } > else if ( user != 0 ) > { > printf( "\"%s\" has already been used.\n", argv[i] ); > i += 2; > ++ errors; > } > else > { > user = argv[++ i]; > pwd = argv[++ i]; > } > break; > default: > printf( "\"%s\" is not a valid switch.\n", argv[i] ); > ++ errors; > break; > } > } > > if ( server == 0 ) > { > puts( "A server name or IP address must be specified." ); > ++ errors; > } > > if ( portstr == 0 ) > { > puts( "A port name or port number must be specified." ); > ++ errors; > } > > if ( user == 0 && domain != 0 ) > puts( "No user name was specified, ignoring the domain." ); > > if ( errors ) > { > puts( "\nusage: client -s your.server.com -p serverport" ); > puts( " [-t token-source] [-u user pwd [-d domain]]" ); > puts( "token-source is _required_ for Kerberos and should be > your" ); > puts( "current logon name (e.g., \"MYDOMAIN\\felixk\")." ); > puts( "If -u is absent, your current credentials will be used." 
>         );
>         return 1;
>     }
>
>     initSecLib( hSecLib );
>
>     rc = WSAStartup( 2, &wsadata );
>     wserr( rc, "WSAStartup" );
>
>     sock = socket( AF_INET, SOCK_STREAM, 0 );
>     if ( sock == INVALID_SOCKET )
>         wserr( 999, "socket" );
>
>     addr.sin_family = AF_INET;
>     // try numeric IP address first (inet_addr)
>     naddr = inet_addr( server );
>     if ( naddr != INADDR_NONE )
>     {
>         addr.sin_addr.s_addr = naddr;
>     }
>     else
>     {
>         phe = gethostbyname( server );
>         if ( phe == NULL )
>             wserr( 1, "gethostbyname" );
>         addr.sin_addr.s_addr = *( (unsigned long *) (phe->h_addr) );
>         memcpy( (char *) &addr.sin_addr, phe->h_addr, phe->h_length );
>     }
>
>     // try numeric protocol first
>     port = atoi( portstr );
>     if ( port > 0 && port < 32768 )
>         addr.sin_port = htons( (short) port );
>     else
>     {
>         pse = getservbyname( portstr, "tcp" );
>         if ( pse == NULL )
>             wserr( 1, "getservbyname" );
>         addr.sin_port = pse->s_port;
>     }
>
>     CredHandle cred;
>     CtxtHandle cliCtx;
>
>     rc = connect( sock, (SOCKADDR *) &addr, sizeof addr );
>     wserr( rc, "connect" );
>
>     struct sockaddr name;
>     int namelen = sizeof name;
>     rc = getsockname( sock, &name, &namelen );
>     wserr( rc, "getsockname()" );
>     printf( "I am %u.%u.%u.%u\n",
>         (unsigned int) (unsigned char) name.sa_data[2],
>         (unsigned int) (unsigned char) name.sa_data[3],
>         (unsigned int) (unsigned char) name.sa_data[4],
>         (unsigned int) (unsigned char) name.sa_data[5] );
>
>     auth( sock, cred, cliCtx, tokenSource, user, pwd, server ); // this does the real work
>     // Added by Ganesh
>     //auth( sock, cred, cliCtx, tokenSource, "ganesh", "ganesh", "client-machine" ); // this does the real work
>
>     // use the authenticated connection here
>     bool haveToken = false;
>     rc = recv( sock, (char *) &haveToken, sizeof haveToken, 0 );
>     if ( rc != sizeof haveToken )
>         wserr( 999, "result-recv" );
>
>     if ( haveToken )
>         puts( "That seems to have worked." );
>     else
>         puts( "Oops! Wrong user name or password?"
>         );
>
>     // the server is probably impersonating us by now
>     // this is where the client and server talk business
>
>     // clean up
>     (pf->DeleteSecurityContext)( &cliCtx );
>     (pf->FreeCredentialHandle)( &cred );
>
>     rc = closesocket( sock );
>     wserr( rc, "closesocket" );
>
>     rc = WSACleanup();
>     wserr( rc, "WSACleanup" );
>
>
>     int j;
>     puts( "\n\n Should I start server implementation within client ?: " );
>     scanf( "%d", &j );
>
>     rc = Ganesh_Server_Impl();
>
>     __try
>     {
>         FreeLibrary( hSecLib );
>     }
>     __except ( 1 )
>     {
>         puts( "Freelibrary( security.dll ) caused an access violation. Yuck." );
>     }
>
>     return 0;
> }
>
>
> ***************************************************************************************
>
> Server (Logged in user win\gtambat1)
> ***************************************************************************************
>
>
> #include
> #include
> #include
> #include
>
> #define SECURITY_WIN32 1
> #include
> //#include // uncomment if you have an old Platform SDK
>
> #pragma hdrstop
>
> // ====================================================================
> // IMPORTANT NOTICE -- Check out
> // http://www.mvps.org/security/sspi.html
> // for the gory details of how this works
> // ====================================================================
>
>
> PSecurityFunctionTable pf = NULL;
>
> int Ganesh_Client_Impl( CtxtHandle &srvCtx );
>
> void initSecLib( HINSTANCE& hSec );
>
> void Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx,
>     const char *tokenSource, const char *name /* = NULL */,
>     const char *pwd /* = NULL */, const char *domain /* = NULL */ );
>
>
> void Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx,
>     const char *tokenSource, const char *name /* = NULL */,
>     const char *pwd /* = NULL */, const char *domain /* = NULL */ )
> {
>     int rc, rcISC;
>     SecPkgInfo *secPackInfo;
>     SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
>     int bytesReceived = 0, bytesSent = 0;
>
>     //puts( "auth() entered" );
>
>     // the arguments to
>     // ISC() is not const ... for once, I decided
>     // on creating writable copies instead of using a brutalizing cast.
>     char *myTokenSource;
>     myTokenSource = _strdup( tokenSource );
>
>     if ( name != NULL )
>     {
>         nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof( SEC_WINNT_AUTH_IDENTITY ) );
>         memset( nameAndPwd, '\0', sizeof *nameAndPwd );
>         nameAndPwd->Domain = (byte *) _strdup( domain? domain: "" );
>         nameAndPwd->DomainLength = domain? strlen( domain ): 0;
>         nameAndPwd->User = (byte *) _strdup( name? name: "" );
>         nameAndPwd->UserLength = name? strlen( name ): 0;
>         nameAndPwd->Password = (byte *) _strdup( pwd? pwd: "" );
>         nameAndPwd->PasswordLength = pwd? strlen( pwd ): 0;
>         nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
>     }
>
>     rc = (pf->QuerySecurityPackageInfo)( "kerberos", &secPackInfo );
>     //printf( "QSPI(): %08xh\n", rc );
>
>     TimeStamp useBefore;
>
>     rc = GetLastError();
>
>     rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
>         NULL, nameAndPwd, NULL, NULL, &cred, &useBefore );
>     //printf( "ACH(): %08xh\n", rc );
>
>     rc = GetLastError();
>     // input and output buffers
>     SecBufferDesc obd, ibd;
>     SecBuffer ob, ib;
>
>     DWORD ctxReq, ctxAttr;
>
>     // from sspi.h:
>     // #define ISC_REQ_DELEGATE            0x00000001
>     // #define ISC_REQ_MUTUAL_AUTH         0x00000002
>     // #define ISC_REQ_REPLAY_DETECT       0x00000004
>     // #define ISC_REQ_SEQUENCE_DETECT     0x00000008
>     // #define ISC_REQ_CONFIDENTIALITY     0x00000010
>     // #define ISC_REQ_USE_SESSION_KEY     0x00000020
>     // #define ISC_REQ_PROMPT_FOR_CREDS    0x00000040
>     // #define ISC_REQ_USE_SUPPLIED_CREDS  0x00000080
>     // #define ISC_REQ_ALLOCATE_MEMORY     0x00000100
>     // #define ISC_REQ_USE_DCE_STYLE       0x00000200
>     // #define ISC_REQ_DATAGRAM            0x00000400
>     // #define ISC_REQ_CONNECTION          0x00000800
>     // #define ISC_REQ_CALL_LEVEL          0x00001000
>     // #define ISC_REQ_EXTENDED_ERROR      0x00004000
>     // #define ISC_REQ_STREAM              0x00008000
>     // #define ISC_REQ_INTEGRITY           0x00010000
>     ctxReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
>         ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;
>
>     bool haveInbuffer = false;
>     bool haveContext = false;
>     ib.pvBuffer = NULL;
>
>     while ( 1 )
>     {
>         obd.ulVersion = SECBUFFER_VERSION;
>         obd.cBuffers = 1;
>         obd.pBuffers = &ob; // just one buffer
>         ob.BufferType = SECBUFFER_TOKEN; // prepping a token here
>         ob.cbBuffer = secPackInfo->cbMaxToken;
>         ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );
>
>         rcISC = (pf->InitializeSecurityContext)( &cred, haveContext? &cliCtx: NULL,
>             myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/, haveInbuffer? &ibd: NULL,
>             0, &cliCtx, &obd, &ctxAttr, &useBefore );
>         // printf( "ISC(): %08xh\n", rcISC );
>
>         if ( ib.pvBuffer != NULL )
>         {
>             LocalFree( ib.pvBuffer );
>             ib.pvBuffer = NULL;
>         }
>
>         if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
>         {
>             if ( pf->CompleteAuthToken != NULL ) // only if implemented
>                 (pf->CompleteAuthToken)( &cliCtx, &obd );
>             if ( rcISC == SEC_I_COMPLETE_NEEDED )
>                 rcISC = SEC_E_OK;
>             else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
>                 rcISC = SEC_I_CONTINUE_NEEDED;
>         }
>
>         // send the output buffer off to the server
>         // warning -- this is machine-dependent! FIX IT!
>         if ( ob.cbBuffer != 0 )
>         {
>             send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
>             bytesSent += sizeof ob.cbBuffer;
>             send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
>             bytesSent += ob.cbBuffer;
>         }
>         LocalFree( ob.pvBuffer );
>         ob.pvBuffer = NULL;
>
>         if ( rcISC != SEC_I_CONTINUE_NEEDED )
>             break;
>
>         // prepare to get the server's response
>         ibd.ulVersion = SECBUFFER_VERSION;
>         ibd.cBuffers = 1;
>         ibd.pBuffers = &ib; // just one buffer
>         ib.BufferType = SECBUFFER_TOKEN; // prepping a token here
>
>         // receive the server's response
>         // MACHINE-DEPENDENT CODE!
(Besides, we assume that we > // get the length with a single read, which is not guaranteed) > rc = recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 ); > bytesReceived += sizeof ib.cbBuffer; > ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer ); > > char *p = (char *) ib.pvBuffer; > int n = ib.cbBuffer; > while ( n ) > { > rc = recv( s, p, n, 0 ); > // if ( rc == SOCKET_ERROR ) > // wserr( rc, "recv" ); > // if ( rc == 0 ) > // wserr( 999, "recv" ); > bytesReceived += rc; > n -= rc; > p += rc; > } > > // by now we have an input buffer and a client context > > haveInbuffer = true; > haveContext = true; > > // loop back for another round > // puts( "looping" ); > } > > // we arrive here as soon as InitializeSecurityContext() > // returns != SEC_I_CONTINUE_NEEDED. > > if ( rcISC != SEC_E_OK ) > { > printf( "Oops! ISC() returned %08xh!\n", rcISC ); > } > > (pf->FreeContextBuffer)( secPackInfo ); > //printf( "auth() exiting (%d sent, %d received)\n", bytesSent, > bytesReceived ); > free( myTokenSource ); > if ( nameAndPwd != 0 ) > { > if ( nameAndPwd->Domain != 0 ) > free( nameAndPwd->Domain ); > if ( nameAndPwd->User != 0 ) > free( nameAndPwd->User ); > if ( nameAndPwd->Password != 0 ) > free( nameAndPwd->Password ); > free( nameAndPwd ); > } > } > > > > // wserr() displays winsock errors and aborts. No grace there. 
> void wserr( int rc, const char * const funcname ) > { > if ( rc == 0 ) > return; > > fprintf( stderr, "\nWinsock error %d [gle %d] returned by %s().\n" > "Sorry, no bonus!\n", rc, WSAGetLastError(), funcname ); > WSACleanup(); > exit( rc ); > } > > > > bool auth( SOCKET s, CredHandle& cred, CtxtHandle& srvCtx ) > { > int rc; > bool haveToken = true; > SecPkgInfo *secPackInfo; > int bytesReceived = 0, bytesSent = 0; > char buf[256]; > DWORD bufsiz = sizeof buf; > > puts( "auth() entered" ); > > rc = (pf->QuerySecurityPackageInfo)( "kerberos", &secPackInfo ); > printf( "QSPI(): %08xh\n", rc ); > if ( rc != SEC_E_OK ) > haveToken = false; > > TimeStamp useBefore; > > rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", > SECPKG_CRED_BOTH, > NULL, NULL, NULL, NULL, &cred, &useBefore ); > > // rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", > SECPKG_CRED_BOTH, > // NULL, NULL, NULL, NULL, &cred, &useBefore ); > > printf( "ACH(): %08xh\n", rc ); > if ( rc != SEC_E_OK ) > haveToken = false; > > // input and output buffers > SecBufferDesc obd, ibd; > SecBuffer ob, ib; > > DWORD ctxAttr; > > bool haveContext = false; > > while ( 1 ) > { > // prepare to get the server's response > ibd.ulVersion = SECBUFFER_VERSION; > ibd.cBuffers = 1; > ibd.pBuffers = &ib; // just one buffer > ib.BufferType = SECBUFFER_TOKEN; // preping a token here > > // receive the client's POD > // MACHINE-DEPENDENT CODE! 
(Besides, we assume that we > // get the length with a single read, which is not guaranteed) > recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 ); > bytesReceived += sizeof ib.cbBuffer; > ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer ); > > char *p = (char *) ib.pvBuffer; > int n = ib.cbBuffer; > while ( n ) > { > rc = recv( s, p, n, 0 ); > if ( rc == SOCKET_ERROR ) > wserr( rc, "recv" ); > if ( rc == 0 ) > wserr( 999, "recv" ); > bytesReceived += rc; > n -= rc; > p += rc; > } > > // by now we have an input buffer > > obd.ulVersion = SECBUFFER_VERSION; > obd.cBuffers = 1; > obd.pBuffers = &ob; // just one buffer > ob.BufferType = SECBUFFER_TOKEN; // preping a token here > ob.cbBuffer = secPackInfo->cbMaxToken; > ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer ); > > rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL, > &ibd, 0,/* SECURITY_NATIVE_DREP */ SECURITY_NATIVE_DREP / > *SECURITY_NETWORK_DREP*/, &srvCtx, &obd, &ctxAttr, > &useBefore ); > printf( "ASC(): %08xh\n", rc ); > > if ( ib.pvBuffer != NULL ) > { > LocalFree( ib.pvBuffer ); > ib.pvBuffer = NULL; > } > > if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == > SEC_I_COMPLETE_NEEDED ) > { > if ( pf->CompleteAuthToken != NULL ) // only if implemented > (pf->CompleteAuthToken)( &srvCtx, &obd ); > if ( rc == SEC_I_COMPLETE_NEEDED ) > rc = SEC_E_OK; > else if ( rc == SEC_I_COMPLETE_AND_CONTINUE ) > rc = SEC_I_CONTINUE_NEEDED; > } > > // send the output buffer off to the server > // warning -- this is machine-dependent! FIX IT! 
> if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED ) > { > if ( ob.cbBuffer != 0 ) > { > send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 ); > bytesSent += sizeof ob.cbBuffer; > send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 ); > bytesSent += ob.cbBuffer; > } > LocalFree( ob.pvBuffer ); > ob.pvBuffer = NULL; > } > > if ( rc != SEC_I_CONTINUE_NEEDED ) > break; > > haveContext = true; > > // loop back for another round > puts( "looping" ); > } > > // we arrive here as soon as InitializeSecurityContext() > // returns != SEC_I_CONTINUE_NEEDED. > > if ( rc != SEC_E_OK ) > { > printf( "Oops! ASC() returned %08xh!\n", rc ); > haveToken = false; > } > > GetUserName( buf, &bufsiz ); > // now we try to use the context > rc = (pf->ImpersonateSecurityContext)( &srvCtx ); > printf( "ImpSC(): %08xh\n", rc ); > if ( rc != SEC_E_OK ) > { > printf( "Oops! ImpSC() returns %08xh!\n", rc ); > haveToken = false; > } > else > { > char buf[256]; > DWORD bufsiz = sizeof buf; > > printf( "haveToken = %s\n\n", haveToken? 
"true": "false" ); > send( s, (const char *) &haveToken, sizeof haveToken, 0 ); > > GetUserName( buf, &bufsiz ); > printf( "user name: \"%s\"\n", buf ); > //(pf->RevertSecurityContext)( &srvCtx ); > printf( "RSC(): %08xh\n", rc ); > } > > //(pf->FreeContextBuffer)( secPackInfo ); > > printf( "auth() exiting (%d received, %d sent)\n", bytesReceived, > bytesSent ); > return haveToken; > } > > int Ganesh_Client_Impl(CtxtHandle &srvCtx) > { > char buf[256]; > DWORD bufsiz = sizeof buf; > int rc = 0; > > //CtxtHandle tmpCtx = srvCtx; > > > SecPkgContext_Lifespan lspan; > rc = (pf->QueryContextAttributes)(&srvCtx, SECPKG_ATTR_LIFESPAN, > &lspan); > > rc = GetLastError(); > > GetUserName( buf, &bufsiz ); > //rc = (pf->ImpersonateSecurityContext)( &srvCtx ); > > rc = GetLastError(); > GetUserName( buf, &bufsiz ); > > int port, i, errors; > unsigned long naddr; > SOCKET sock; > WSADATA wsadata; > PHOSTENT phe; > PSERVENT pse; > SOCKADDR_IN addr; > HINSTANCE hSecLib; > const char *tokenSource = "win\\gtambat", *server = "client-machine"; > //const char *tokenSource = "PUN\\gtambat"/*"Authsamp"*/, *server = > "client-machine"; > const char *portstr = "12000", *user = 0, *pwd = 0, *domain = 0; > > errors = 0; > if ( server == 0 ) > { > //puts( "A server name or IP address must be specified." ); > ++ errors; > } > > if ( portstr == 0 ) > { > //puts( "A port name or port number must be specified." ); > ++ errors; > } > > if ( user == 0 && domain != 0 ) > { > } > // puts( "No user name was specified, ignoring the domain." ); > > if ( errors ) > { > /* puts( "\nusage: client -s your.server.com -p serverport" ); > puts( " [-t token-source] [-u user pwd [-d domain]]" ); > puts( "token-source is _required_ for Kerberos and should be > your" ); > puts( "current logon name (e.g., \"MYDOMAIN\\felixk\")." ); > puts( "If -u is absent, your current credentials will be used." 
);*/ > return 1; > } > > initSecLib( hSecLib ); > > rc = WSAStartup( 2, &wsadata ); > //wserr( rc, "WSAStartup" ); > > sock = socket( AF_INET, SOCK_STREAM, 0 ); > if ( sock == INVALID_SOCKET ) > { > rc = -1; > } > else > { > rc = 0; > } > > addr.sin_family = AF_INET; > // try numeric IP address first (inet_addr) > naddr = inet_addr( server ); > if ( naddr != INADDR_NONE ) > { > addr.sin_addr.s_addr = naddr; > } > else > { > phe = gethostbyname( server ); > // if ( phe == NULL ) > // wserr( 1, "gethostbyname" ); > addr.sin_addr.s_addr = *( (unsigned long *) (phe->h_addr) ); > memcpy( (char *) &addr.sin_addr, phe->h_addr, phe->h_length ); > } > > // try numeric protocol first > port = atoi( portstr ); > if ( port > 0 && port < 32768 ) > addr.sin_port = htons( (short) port ); > else > { > pse = getservbyname( portstr, "tcp" ); > // if ( pse == NULL ) > // wserr( 1, "getservbyname" ); > addr.sin_port = pse->s_port; > } > > CredHandle cred; > CtxtHandle cliCtx; > > rc = connect( sock, (SOCKADDR *) &addr, sizeof addr ); > //wserr( rc, "connect" ); > > struct sockaddr name; > int namelen = sizeof name;; > rc = getsockname( sock, &name, &namelen ); > /*wserr( rc, "getsockname()" ); > printf( "I am %u.%u.%u.%u\n", (unsigned int) (unsigned char) > name.sa_data[2], > (unsigned int) (unsigned char) name.sa_data[3], (unsigned int) > (unsigned char) name.sa_data[4], > (unsigned int) (unsigned char) name.sa_data[5] );*/ > > Ganesh_auth( sock, cred, cliCtx, tokenSource, user, pwd, domain ); // > this does the real work > > // use the authenticated connection here > bool haveToken = false; > rc = recv( sock, (char *) &haveToken, sizeof haveToken, 0 ); > if ( rc != sizeof haveToken ) > { > rc = 999; > } > > // wserr( 999, "result-recv" ); > > if ( haveToken ) > puts( "That seems to have worked." ); > else > puts( "Oops! Wrong user name or password?" 
); > > > // the server is probably impersonating us by now > // this is where the client and server talk business > > // clean up > (pf->DeleteSecurityContext)( &cliCtx ); > (pf->FreeCredentialHandle)( &cred ); > > rc = closesocket( sock ); > wserr( rc, "closesocket" ); > > rc = WSACleanup(); > wserr( rc, "WSACleanup" ); > > __try > { > FreeLibrary( hSecLib ); > } > __except ( 1 ) > { > // puts( "Freelibrary( security.dll ) caused an access violation. > Yuck." ); > } > > return 0; > } > > struct CapName > { > DWORD bits; > const char *name; > const char *comment; > } capNames[] = { > { SECPKG_FLAG_INTEGRITY, "SECPKG_FLAG_INTEGRITY", "Supports integrity > on messages" }, > { SECPKG_FLAG_PRIVACY, "SECPKG_FLAG_PRIVACY", "Supports privacy > (confidentiality)" }, > { SECPKG_FLAG_TOKEN_ONLY, "SECPKG_FLAG_TOKEN_ONLY", "Only security > token needed" }, > { SECPKG_FLAG_DATAGRAM, "SECPKG_FLAG_DATAGRAM", "Datagram RPC > support" }, > { SECPKG_FLAG_CONNECTION, "SECPKG_FLAG_CONNECTION", "Connection > oriented RPC support" }, > { SECPKG_FLAG_MULTI_REQUIRED, "SECPKG_FLAG_MULTI_REQUIRED", "Full 3- > leg required for re-auth." 
}, > { SECPKG_FLAG_CLIENT_ONLY, "SECPKG_FLAG_CLIENT_ONLY", "Server side > functionality not available" }, > { SECPKG_FLAG_EXTENDED_ERROR, "SECPKG_FLAG_EXTENDED_ERROR", "Supports > extended error msgs" }, > { SECPKG_FLAG_IMPERSONATION, "SECPKG_FLAG_IMPERSONATION", "Supports > impersonation" }, > { SECPKG_FLAG_ACCEPT_WIN32_NAME, "SECPKG_FLAG_ACCEPT_WIN32_NAME", > "Accepts Win32 names" }, > { SECPKG_FLAG_STREAM, "SECPKG_FLAG_STREAM", "Supports stream > semantics" }, > { SECPKG_FLAG_NEGOTIABLE, "SECPKG_FLAG_NEGOTIABLE", "Can be used by > the negotiate package" }, > { SECPKG_FLAG_GSS_COMPATIBLE, "SECPKG_FLAG_GSS_COMPATIBLE", "GSS > Compatibility Available" }, > { SECPKG_FLAG_LOGON, "SECPKG_FLAG_LOGON", "Supports common > LsaLogonUser" }, > { SECPKG_FLAG_ASCII_BUFFERS, "SECPKG_FLAG_ASCII_BUFFERS", "Token > Buffers are in ASCII" }, > { 0xffffffffL, "(fence)", "(fence)" } > }; > > > > void initSecLib( HINSTANCE& hSec ) > { > PSecurityFunctionTable (*pSFT)( void ); > > hSec = LoadLibrary( "security.dll" ); > pSFT = (PSecurityFunctionTable (*)( void )) GetProcAddress( hSec, > "InitSecurityInterfaceA" ); > if ( pSFT == NULL ) > { > exit( 1 ); > } > > pf = pSFT(); > if ( pf == NULL ) > { > exit( 1 ); > } > > SECURITY_STATUS rc; > DWORD numPacks = 0, i, j; > SecPkgInfo *pPacks = NULL; > > rc = (pf->EnumerateSecurityPackages)( &numPacks, &pPacks ); > if ( rc != 0 ) > { > exit( 1 ); > } > > for ( i = 0; i < numPacks; ++ i ) > { > for ( j = 0; capNames[j].bits != 0xffffffffL; ++ j ) > { > //if ( ( capNames[j].bits & pPacks[i].fCapabilities ) == capNames > [j].bits ) > //printf( " %s (%s)\n", capNames[j].name, capNames > [j].comment ); > } > } > > if ( pPacks != NULL ) > (pf->FreeContextBuffer)( pPacks ); > } > > > > int main( int argc, char *argv[] ) > { > > int rc, port, addrlen; > HINSTANCE hSecLib; > CtxtHandle srvCtx; > > bool haveToken; > SOCKET sock, s; > WSADATA wsadata; > PSERVENT pse; > SOCKADDR_IN addr; > HANDLE threadRet; > char buf[256]; > DWORD bufsiz = sizeof buf; > 
> if ( argc != 2 ) > { > puts( "usage: server portnumber" ); > return 1; > } > > initSecLib( hSecLib ); > > rc = WSAStartup( 2, &wsadata ); > wserr( rc, "WSAStartup" ); > > sock = socket( AF_INET, SOCK_STREAM, 0 ); > if ( sock == INVALID_SOCKET ) > wserr( 999, "socket" ); > > addr.sin_family = AF_INET; > addr.sin_addr.s_addr = INADDR_ANY; > > // try numeric protocol first > port = atoi( argv[1] ); > if ( port > 0 && port < 32768 ) > addr.sin_port = htons( (short) port ); > else > { > pse = getservbyname( argv[1], "tcp" ); > if ( pse == NULL ) > wserr( 1, "getservbyname" ); > addr.sin_port = pse->s_port; > } > > rc = bind( sock, (SOCKADDR *) &addr, sizeof addr ); > wserr( rc, "bind" ); > > rc = listen( sock, 2 ); > wserr( rc, "listen" ); > > CredHandle cred; > > while ( 1 ) > { > addrlen = sizeof addr; > s = accept( sock, (SOCKADDR *) &addr, &addrlen ); > if ( s == INVALID_SOCKET ) > wserr( s, "accept" ); > > haveToken = auth( s, cred, srvCtx ); > > // now we talk to the client > printf( "haveToken = %s\n\n", haveToken? 
"true": "false" ); > send( s, (const char *) &haveToken, sizeof haveToken, 0 ); > > // clean up > > // Modified by Ganesh > /*(pf->DeleteSecurityContext)( &srvCtx ); > (pf->FreeCredentialHandle)( &cred ); > closesocket( s );*/ > break; > } > > int j; > puts("/n/n Should I start client implemenation within server ?: "); > scanf("%d",&j); > > LPVOID threadParam = &srvCtx; > DWORD threadId; > > //PROCESS_INFORMATION Pi; > //STARTUPINFO Si; > //HANDLE hTokenNew = NULL, hTokenDup = NULL; > > //ZeroMemory( &Pi,sizeof(Pi)); > //ZeroMemory( &Si, sizeof( STARTUPINFO ) ); > //Si.cb = sizeof( STARTUPINFO ); > // Si.lpDesktop = "winsta0\\default"; > > //GetUserName( buf, &bufsiz ); > //rc = (pf->ImpersonateSecurityContext)( &srvCtx ); > > //rc = GetLastError(); > //GetUserName( buf, &bufsiz ); > > //rc = CreateProcess("C:\\WINDOWS\\system32\\notepad.exe","C:\\WINDOWS > \\system32\\notepad.exe", NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, > NULL, NULL, &Si, &Pi); > > rc = GetLastError(); > > //threadRet = CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE) > Ganesh_Client_Impl, threadParam, 0, &threadId); > > j = Ganesh_Client_Impl(srvCtx); > > WaitForSingleObject(threadRet,INFINITE); > CloseHandle( threadRet ); > > FreeLibrary( hSecLib ); > > return 0; > } > > *************************************************************************************** > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From paul.moore at centrify.com Thu Dec 18 16:46:24 2008 From: paul.moore at centrify.com (Paul Moore) Date: Thu, 18 Dec 2008 13:46:24 -0800 Subject: SSPI Kerberos for delegation References: Message-ID: you have to check on 'trust this machine for delegation' in the server computer's ADUC property page. 
Doing this will tell the client kerberos package that it should get a forwardable ticket and that it should forward it ________________________________ From: kerberos-bounces at mit.edu on behalf of Kasparov Sent: Thu 12/18/2008 8:24 AM To: kerberos at mit.edu Subject: SSPI Kerberos for delegation Hi, We want the authentication to happen without providing credentials anywhere. For this we are planning to use Windows SSPI. Now the problem I am facing is once the authentication from client to server is successful, I want to use the security context created in server to connect back and authenticate to the client. I am trying to find out if this thing is possible with SSPI. For this I have written an application (prototype) with client side and server side. I am connecting to the server and after successfully authentication at the server side I try to connect back (to the server component on the client machine, running in the same process and thread as client) using the same procedure I used in the client side. My understanding is since I have impersonated I will be able to authenticate the same user again. But I always get the error "No credentials are available in the security package" and the credentials might have expired. I have verified that both the user accounts are trusted for delegation and "cannot be delegated" tab is unchcked. Also both the servers are trusted for delegation for any service for Kerberos. I have tried doing this with NTLM and Kerberos. With NTLM it looks like the reverse connection is successful but after impersonation at the client side if I try to print the user name it says "Anonymous Logon". With Kerberos I am getting various errors (not enough memory, credentials are expired etc) and I am still working on that part. The reason I am trying with Kerberos is that I learned from some articles on Net that such a thing (delegation) is possible only with Kerberos. Surprisingly I am not able to find out a single working solution of this kind. 
I have pasted my entire code below. Can anyone help me on this and advise me on how this can be achieved ? Please see the code samples below: Client (Logged in user: win\gtambat) *************************************************************************************** #include #include #include #include #define SECURITY_WIN32 1 #include #pragma hdrstop // ==================================================================== // IMPORTANT NOTICE -- Check out // http://www.mvps.org/security/sspi.html // for the gory details of how this works // ==================================================================== void auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource, const char *name = NULL, const char *pwd = NULL, const char *domain = NULL ); PSecurityFunctionTable pf = NULL; void initSecLib( HINSTANCE& hSec ); bool Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& srvCtx ) { int rc; bool haveToken = true; SecPkgInfo *secPackInfo; int bytesReceived = 0, bytesSent = 0; char buf[256]; DWORD bufsiz = sizeof buf; HANDLE threadRet; puts( "auth() entered" ); rc = (pf->QuerySecurityPackageInfo)( "Kerberos", &secPackInfo ); printf( "QSPI(): %08xh\n", rc ); if ( rc != SEC_E_OK ) haveToken = false; TimeStamp useBefore; rc = (pf->AcquireCredentialsHandle)( NULL, "Kerberos", SECPKG_CRED_BOTH, NULL, NULL, NULL, NULL, &cred, &useBefore ); rc = GetLastError(); printf( "ACH(): %08xh\n", rc ); if ( rc != SEC_E_OK ) haveToken = false; // input and output buffers SecBufferDesc obd, ibd; SecBuffer ob, ib; DWORD ctxAttr; bool haveContext = false; while ( 1 ) { // prepare to get the server's response ibd.ulVersion = SECBUFFER_VERSION; ibd.cBuffers = 1; ibd.pBuffers = &ib; // just one buffer ib.BufferType = SECBUFFER_TOKEN; // preping a token here // receive the client's POD // MACHINE-DEPENDENT CODE! 
(Besides, we assume that we // get the length with a single read, which is not guaranteed) recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 ); bytesReceived += sizeof ib.cbBuffer; ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer ); char *p = (char *) ib.pvBuffer; int n = ib.cbBuffer; while ( n ) { rc = recv( s, p, n, 0 ); // if ( rc == SOCKET_ERROR ) // wserr( rc, "recv" ); // if ( rc == 0 ) // wserr( 999, "recv" ); bytesReceived += rc; n -= rc; p += rc; } // by now we have an input buffer obd.ulVersion = SECBUFFER_VERSION; obd.cBuffers = 1; obd.pBuffers = &ob; // just one buffer ob.BufferType = SECBUFFER_TOKEN; // preping a token here ob.cbBuffer = secPackInfo->cbMaxToken; ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer ); // rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL, // &ibd, 0, SECURITY_NATIVE_DREP, &srvCtx, &obd, &ctxAttr, // &useBefore ); rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL, &ibd, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/, &srvCtx, &obd, &ctxAttr, &useBefore ); printf( "ASC(): %08xh\n", rc ); if ( ib.pvBuffer != NULL ) { LocalFree( ib.pvBuffer ); ib.pvBuffer = NULL; } if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED ) { if ( pf->CompleteAuthToken != NULL ) // only if implemented (pf->CompleteAuthToken)( &srvCtx, &obd ); if ( rc == SEC_I_COMPLETE_NEEDED ) rc = SEC_E_OK; else if ( rc == SEC_I_COMPLETE_AND_CONTINUE ) rc = SEC_I_CONTINUE_NEEDED; } // send the output buffer off to the server // warning -- this is machine-dependent! FIX IT! 
if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED ) { if ( ob.cbBuffer != 0 ) { send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 ); bytesSent += sizeof ob.cbBuffer; send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 ); bytesSent += ob.cbBuffer; } LocalFree( ob.pvBuffer ); ob.pvBuffer = NULL; } if ( rc != SEC_I_CONTINUE_NEEDED ) break; haveContext = true; // loop back for another round puts( "looping" ); } // we arrive here as soon as InitializeSecurityContext() // returns != SEC_I_CONTINUE_NEEDED. if ( rc != SEC_E_OK ) { printf( "Oops! ASC() returned %08xh!\n", rc ); haveToken = false; } rc = GetLastError(); GetUserName( buf, &bufsiz ); // now we try to use the context rc = (pf->ImpersonateSecurityContext)( &srvCtx ); printf( "ImpSC(): %08xh\n", rc ); if ( rc != SEC_E_OK ) { printf( "Oops! ImpSC() returns %08xh!\n", rc ); haveToken = false; } else { char buf[256]; DWORD bufsiz = sizeof buf; GetUserName( buf, &bufsiz ); printf( "user name: \"%s\"\n", buf ); (pf->RevertSecurityContext)( &srvCtx ); printf( "RSC(): %08xh\n", rc ); } (pf->FreeContextBuffer)( secPackInfo ); printf( "auth() exiting (%d received, %d sent)\n", bytesReceived, bytesSent ); return haveToken; } int Ganesh_Server_Impl() { int rc, port = 12000, addrlen; bool haveToken; SOCKET sock, s; WSADATA wsadata; PSERVENT pse; SOCKADDR_IN addr; HINSTANCE hSecLib; initSecLib( hSecLib ); rc = WSAStartup( 2, &wsadata ); // wserr( rc, "WSAStartup" ); sock = socket( AF_INET, SOCK_STREAM, 0 ); if ( sock == INVALID_SOCKET ) { rc = -1; } else { rc = 0; } // wserr( 999, "socket" ); addr.sin_family = AF_INET; addr.sin_addr.s_addr = INADDR_ANY; // try numeric protocol first if ( port > 0 && port < 32768 ) addr.sin_port = htons( (short) port ); else { } rc = bind( sock, (SOCKADDR *) &addr, sizeof addr ); // wserr( rc, "bind" ); rc = listen( sock, 2 ); // wserr( rc, "listen" ); CredHandle cred; CtxtHandle srvCtx; while ( 1 ) { addrlen = sizeof addr; s = accept( sock, (SOCKADDR *) &addr, &addrlen ); if ( s == 
INVALID_SOCKET ) { rc = -1; } else { rc = 0; } // wserr( s, "accept" ); haveToken = Ganesh_auth( s, cred, srvCtx ); // now we talk to the client printf( "haveToken = %s\n\n", haveToken? "true": "false" ); send( s, (const char *) &haveToken, sizeof haveToken, 0 ); // clean up (pf->DeleteSecurityContext)( &srvCtx ); (pf->FreeCredentialHandle)( &cred ); closesocket( s ); } } // wserr() displays winsock errors and aborts. No grace there. void wserr( int rc, const char * const funcname ) { if ( rc == 0 ) return; fprintf( stderr, "\nWinsock error %d [gle %d] returned by %s().\n" "Sorry, no bonus!\n", rc, WSAGetLastError(), funcname ); WSACleanup(); exit( rc ); } void auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource, const char *name /* = NULL */, const char *pwd /* = NULL */, const char *domain /* = NULL */ ) { int rc, rcISC; SecPkgInfo *secPackInfo; SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL; int bytesReceived = 0, bytesSent = 0; puts( "auth() entered" ); // the arguments to ISC() is not const ... for once, I decided // on creating writable copies instead of using a brutalizing cast. char *myTokenSource; myTokenSource = _strdup( tokenSource ); if ( name != NULL ) { nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof SEC_WINNT_AUTH_IDENTITY ); memset( nameAndPwd, '\0', sizeof *nameAndPwd ); nameAndPwd->Domain = (byte *) _strdup( domain? domain: "" ); nameAndPwd->DomainLength = domain? strlen( domain ): 0; nameAndPwd->User = (byte *) _strdup( name? name: "" ); nameAndPwd->UserLength = name? strlen( name ): 0; nameAndPwd->Password = (byte *) _strdup( pwd? pwd: "" ); nameAndPwd->PasswordLength = pwd? 
strlen( pwd ): 0; nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI; } rc = (pf->QuerySecurityPackageInfo)( "Kerberos", &secPackInfo ); printf( "QSPI(): %08xh\n", rc ); TimeStamp useBefore; rc = (pf->AcquireCredentialsHandle)( NULL, "Kerberos", SECPKG_CRED_BOTH, NULL, nameAndPwd, NULL, NULL, &cred, &useBefore ); printf( "ACH(): %08xh\n", rc ); // input and output buffers SecBufferDesc obd, ibd; SecBuffer ob, ib; DWORD ctxReq, ctxAttr; // from sspi.h: // #define ISC_REQ_DELEGATE 0x00000001 // #define ISC_REQ_MUTUAL_AUTH 0x00000002 // #define ISC_REQ_REPLAY_DETECT 0x00000004 // #define ISC_REQ_SEQUENCE_DETECT 0x00000008 // #define ISC_REQ_CONFIDENTIALITY 0x00000010 // #define ISC_REQ_USE_SESSION_KEY 0x00000020 // #define ISC_REQ_PROMPT_FOR_CREDS 0x00000040 // #define ISC_REQ_USE_SUPPLIED_CREDS 0x00000080 // #define ISC_REQ_ALLOCATE_MEMORY 0x00000100 // #define ISC_REQ_USE_DCE_STYLE 0x00000200 // #define ISC_REQ_DATAGRAM 0x00000400 // #define ISC_REQ_CONNECTION 0x00000800 // #define ISC_REQ_CALL_LEVEL 0x00001000 // #define ISC_REQ_EXTENDED_ERROR 0x00004000 // #define ISC_REQ_STREAM 0x00008000 // #define ISC_REQ_INTEGRITY 0x00010000 ctxReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE; bool haveInbuffer = false; bool haveContext = false; ib.pvBuffer = NULL; while ( 1 ) { obd.ulVersion = SECBUFFER_VERSION; obd.cBuffers = 1; obd.pBuffers = &ob; // just one buffer ob.BufferType = SECBUFFER_TOKEN; // preping a token here ob.cbBuffer = secPackInfo->cbMaxToken; ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer ); rcISC = (pf->InitializeSecurityContext)( &cred, haveContext? &cliCtx: NULL, myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP / *SECURITY_NETWORK_DREP*/, haveInbuffer? 
&ibd: NULL, 0, &cliCtx, &obd, &ctxAttr, &useBefore ); printf( "ISC(): %08xh\n", rcISC ); if ( ib.pvBuffer != NULL ) { LocalFree( ib.pvBuffer ); ib.pvBuffer = NULL; } if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED ) { if ( pf->CompleteAuthToken != NULL ) // only if implemented (pf->CompleteAuthToken)( &cliCtx, &obd ); if ( rcISC == SEC_I_COMPLETE_NEEDED ) rcISC = SEC_E_OK; else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE ) rcISC = SEC_I_CONTINUE_NEEDED; } // send the output buffer off to the server // warning -- this is machine-dependent! FIX IT! if ( ob.cbBuffer != 0 ) { send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 ); bytesSent += sizeof ob.cbBuffer; send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 ); bytesSent += ob.cbBuffer; } LocalFree( ob.pvBuffer ); ob.pvBuffer = NULL; if ( rcISC != SEC_I_CONTINUE_NEEDED ) break; // prepare to get the server's response ibd.ulVersion = SECBUFFER_VERSION; ibd.cBuffers = 1; ibd.pBuffers = &ib; // just one buffer ib.BufferType = SECBUFFER_TOKEN; // preping a token here // receive the server's response // MACHINE-DEPENDENT CODE! (Besides, we assume that we // get the length with a single read, which is not guaranteed) recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 ); bytesReceived += sizeof ib.cbBuffer; ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer ); char *p = (char *) ib.pvBuffer; int n = ib.cbBuffer; while ( n ) { rc = recv( s, p, n, 0 ); if ( rc == SOCKET_ERROR ) wserr( rc, "recv" ); if ( rc == 0 ) wserr( 999, "recv" ); bytesReceived += rc; n -= rc; p += rc; } // by now we have an input buffer and a client context haveInbuffer = true; haveContext = true; // loop back for another round puts( "looping" ); } // we arrive here as soon as InitializeSecurityContext() // returns != SEC_I_CONTINUE_NEEDED. if ( rcISC != SEC_E_OK ) printf( "Oops! 
ISC() returned %08xh!\n", rcISC ); (pf->FreeContextBuffer)( secPackInfo ); printf( "auth() exiting (%d sent, %d received)\n", bytesSent, bytesReceived ); free( myTokenSource ); if ( nameAndPwd != 0 ) { if ( nameAndPwd->Domain != 0 ) free( nameAndPwd->Domain ); if ( nameAndPwd->User != 0 ) free( nameAndPwd->User ); if ( nameAndPwd->Password != 0 ) free( nameAndPwd->Password ); free( nameAndPwd ); } } void initSecLib( HINSTANCE& hSec ) { PSecurityFunctionTable (*pSFT)( void ); hSec = LoadLibrary( "security.dll" ); pSFT = (PSecurityFunctionTable (*)( void )) GetProcAddress( hSec, "InitSecurityInterfaceA" ); if ( pSFT == NULL ) { puts( "security.dll load messed up ..." ); exit( 1 ); } pf = pSFT(); if ( pf == NULL ) { puts( "no function table?!?" ); exit( 1 ); } } int main( int argc, char *argv[] ) { int rc, port, i, errors; HINSTANCE hSecLib; unsigned long naddr; SOCKET sock; WSADATA wsadata; PHOSTENT phe; PSERVENT pse; SOCKADDR_IN addr; //const char *tokenSource = "Authsamp", *server = "server-machine"; const char *tokenSource = "win\\gtambat1", *server = "server- machine"; const char *portstr = "11000", *user = 0, *pwd = 0, *domain = 0; errors = 0; for ( i = 1; i < argc; ++ i ) { if ( argv[i][0] != '-' && argv[i][0] != '/' ) { printf( "\"%s\" is not a valid switch.\n", argv[i] ); ++ errors; continue; } switch ( argv[i][1] ) { case 's': if ( i >= argc - 1 ) { printf( "\"%s\" requires an argument.\n", argv[i] ); ++ errors; } else if ( server != 0 ) { printf( "\"%s\" has already been used.\n", argv[i ++] ); ++ errors; } else server = argv[++ i]; break; case 'p': if ( i >= argc - 1 ) { printf( "\"%s\" requires an argument.\n", argv[i] ); ++ errors; } else if ( portstr != 0 ) { printf( "\"%s\" has already been used.\n", argv[i ++] ); ++ errors; } else portstr = argv[++ i]; break; case 't': if ( i >= argc - 1 ) { printf( "\"%s\" requires an argument.\n", argv[i] ); ++ errors; } else if ( tokenSource != 0 ) { printf( "\"%s\" has already been used.\n", argv[i ++] ); ++ 
errors; } else tokenSource = argv[++ i]; break; case 'd': if ( i >= argc - 1 ) { printf( "\"%s\" requires an argument.\n", argv[i] ); ++ errors; } else if ( domain != 0 ) { printf( "\"%s\" has already been used.\n", argv[i ++] ); ++ errors; } else domain = argv[++ i]; break; case 'u': if ( i >= argc - 2 ) { printf( "\"%s\" requires two arguments.\n", argv[i ++] ); ++ errors; } else if ( user != 0 ) { printf( "\"%s\" has already been used.\n", argv[i] ); i += 2; ++ errors; } else { user = argv[++ i]; pwd = argv[++ i]; } break; default: printf( "\"%s\" is not a valid switch.\n", argv[i] ); ++ errors; break; } } if ( server == 0 ) { puts( "A server name or IP address must be specified." ); ++ errors; } if ( portstr == 0 ) { puts( "A port name or port number must be specified." ); ++ errors; } if ( user == 0 && domain != 0 ) puts( "No user name was specified, ignoring the domain." ); if ( errors ) { puts( "\nusage: client -s your.server.com -p serverport" ); puts( " [-t token-source] [-u user pwd [-d domain]]" ); puts( "token-source is _required_ for Kerberos and should be your" ); puts( "current logon name (e.g., \"MYDOMAIN\\felixk\")." ); puts( "If -u is absent, your current credentials will be used." 
); return 1; } initSecLib( hSecLib ); rc = WSAStartup( 2, &wsadata ); wserr( rc, "WSAStartup" ); sock = socket( AF_INET, SOCK_STREAM, 0 ); if ( sock == INVALID_SOCKET ) wserr( 999, "socket" ); addr.sin_family = AF_INET; // try numeric IP address first (inet_addr) naddr = inet_addr( server ); if ( naddr != INADDR_NONE ) { addr.sin_addr.s_addr = naddr; } else { phe = gethostbyname( server ); if ( phe == NULL ) wserr( 1, "gethostbyname" ); addr.sin_addr.s_addr = *( (unsigned long *) (phe->h_addr) ); memcpy( (char *) &addr.sin_addr, phe->h_addr, phe->h_length ); } // try numeric protocol first port = atoi( portstr ); if ( port > 0 && port < 32768 ) addr.sin_port = htons( (short) port ); else { pse = getservbyname( portstr, "tcp" ); if ( pse == NULL ) wserr( 1, "getservbyname" ); addr.sin_port = pse->s_port; } CredHandle cred; CtxtHandle cliCtx; rc = connect( sock, (SOCKADDR *) &addr, sizeof addr ); wserr( rc, "connect" ); struct sockaddr name; int namelen = sizeof name;; rc = getsockname( sock, &name, &namelen ); wserr( rc, "getsockname()" ); printf( "I am %u.%u.%u.%u\n", (unsigned int) (unsigned char) name.sa_data[2], (unsigned int) (unsigned char) name.sa_data[3], (unsigned int) (unsigned char) name.sa_data[4], (unsigned int) (unsigned char) name.sa_data[5] ); auth( sock, cred, cliCtx, tokenSource, user, pwd, server ); // this does the real work // Added by Ganesh //auth( sock, cred, cliCtx, tokenSource, "ganesh", "ganesh", "client- machine" ); // this does the real work // use the authenticated connection here bool haveToken = false; rc = recv( sock, (char *) &haveToken, sizeof haveToken, 0 ); if ( rc != sizeof haveToken ) wserr( 999, "result-recv" ); if ( haveToken ) puts( "That seems to have worked." ); else puts( "Oops! Wrong user name or password?" 
        );

    // the server is probably impersonating us by now
    // this is where the client and server talk business

    // clean up
    (pf->DeleteSecurityContext)( &cliCtx );
    (pf->FreeCredentialHandle)( &cred );

    rc = closesocket( sock );
    wserr( rc, "closesocket" );
    rc = WSACleanup();
    wserr( rc, "WSACleanup" );

    int j;
    puts( "\n\n Should I start server implementation within client ?: " );
    scanf( "%d", &j );
    rc = Ganesh_Server_Impl();

    __try
    {
        FreeLibrary( hSecLib );
    }
    __except ( 1 )
    {
        puts( "Freelibrary( security.dll ) caused an access violation. Yuck." );
    }

    return 0;
}

***************************************************************************************
Server (Logged in user win\gtambat1)
***************************************************************************************

// (the header names were eaten by the list archive; these are the ones the code uses)
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#define SECURITY_WIN32 1
#include <security.h>
//#include <sspi.h> // uncomment if you have an old Platform SDK
#pragma hdrstop

// ====================================================================
// IMPORTANT NOTICE -- Check out
// http://www.mvps.org/security/sspi.html
// for the gory details of how this works
// ====================================================================

PSecurityFunctionTable pf = NULL;

int Ganesh_Client_Impl( CtxtHandle &srvCtx );
void initSecLib( HINSTANCE& hSec );
void Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource,
    const char *name /* = NULL */, const char *pwd /* = NULL */, const char *domain /* = NULL */ );

void Ganesh_auth( SOCKET s, CredHandle& cred, CtxtHandle& cliCtx, const char *tokenSource,
    const char *name /* = NULL */, const char *pwd /* = NULL */, const char *domain /* = NULL */ )
{
    int rc, rcISC;
    SecPkgInfo *secPackInfo;
    SEC_WINNT_AUTH_IDENTITY *nameAndPwd = NULL;
    int bytesReceived = 0, bytesSent = 0;

    //puts( "auth() entered" );

    // the arguments to ISC() is not const ... for once, I decided
    // on creating writable copies instead of using a brutalizing cast.
    char *myTokenSource;
    myTokenSource = _strdup( tokenSource );

    if ( name != NULL )
    {
        nameAndPwd = (SEC_WINNT_AUTH_IDENTITY *) malloc( sizeof( SEC_WINNT_AUTH_IDENTITY ) );
        memset( nameAndPwd, '\0', sizeof *nameAndPwd );
        nameAndPwd->Domain = (byte *) _strdup( domain? domain: "" );
        nameAndPwd->DomainLength = domain? strlen( domain ): 0;
        nameAndPwd->User = (byte *) _strdup( name? name: "" );
        nameAndPwd->UserLength = name? strlen( name ): 0;
        nameAndPwd->Password = (byte *) _strdup( pwd? pwd: "" );
        nameAndPwd->PasswordLength = pwd? strlen( pwd ): 0;
        nameAndPwd->Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    }

    rc = (pf->QuerySecurityPackageInfo)( "kerberos", &secPackInfo );
    //printf( "QSPI(): %08xh\n", rc );

    TimeStamp useBefore;
    rc = GetLastError();
    rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
        NULL, nameAndPwd, NULL, NULL, &cred, &useBefore );
    //printf( "ACH(): %08xh\n", rc );
    rc = GetLastError();

    // input and output buffers
    SecBufferDesc obd, ibd;
    SecBuffer ob, ib;
    DWORD ctxReq, ctxAttr;

    // from sspi.h:
    // #define ISC_REQ_DELEGATE 0x00000001
    // #define ISC_REQ_MUTUAL_AUTH 0x00000002
    // #define ISC_REQ_REPLAY_DETECT 0x00000004
    // #define ISC_REQ_SEQUENCE_DETECT 0x00000008
    // #define ISC_REQ_CONFIDENTIALITY 0x00000010
    // #define ISC_REQ_USE_SESSION_KEY 0x00000020
    // #define ISC_REQ_PROMPT_FOR_CREDS 0x00000040
    // #define ISC_REQ_USE_SUPPLIED_CREDS 0x00000080
    // #define ISC_REQ_ALLOCATE_MEMORY 0x00000100
    // #define ISC_REQ_USE_DCE_STYLE 0x00000200
    // #define ISC_REQ_DATAGRAM 0x00000400
    // #define ISC_REQ_CONNECTION 0x00000800
    // #define ISC_REQ_CALL_LEVEL 0x00001000
    // #define ISC_REQ_EXTENDED_ERROR 0x00004000
    // #define ISC_REQ_STREAM 0x00008000
    // #define ISC_REQ_INTEGRITY 0x00010000
    ctxReq = ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT |
        ISC_REQ_CONFIDENTIALITY | ISC_REQ_DELEGATE;

    bool haveInbuffer = false;
    bool haveContext = false;
    ib.pvBuffer = NULL;

    while ( 1 )
    {
        obd.ulVersion = SECBUFFER_VERSION;
        obd.cBuffers = 1;
        obd.pBuffers = &ob; // just one buffer
        ob.BufferType = SECBUFFER_TOKEN; // prepping a token here
        ob.cbBuffer = secPackInfo->cbMaxToken;
        ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );

        rcISC = (pf->InitializeSecurityContext)( &cred, haveContext? &cliCtx: NULL,
            myTokenSource, ctxReq, 0, SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/,
            haveInbuffer? &ibd: NULL, 0, &cliCtx, &obd, &ctxAttr, &useBefore );
        // printf( "ISC(): %08xh\n", rcISC );

        if ( ib.pvBuffer != NULL )
        {
            LocalFree( ib.pvBuffer );
            ib.pvBuffer = NULL;
        }

        if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE || rcISC == SEC_I_COMPLETE_NEEDED )
        {
            if ( pf->CompleteAuthToken != NULL ) // only if implemented
                (pf->CompleteAuthToken)( &cliCtx, &obd );
            if ( rcISC == SEC_I_COMPLETE_NEEDED )
                rcISC = SEC_E_OK;
            else if ( rcISC == SEC_I_COMPLETE_AND_CONTINUE )
                rcISC = SEC_I_CONTINUE_NEEDED;
        }

        // send the output buffer off to the server
        // warning -- this is machine-dependent! FIX IT!
        if ( ob.cbBuffer != 0 )
        {
            send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
            bytesSent += sizeof ob.cbBuffer;
            send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
            bytesSent += ob.cbBuffer;
        }
        LocalFree( ob.pvBuffer );
        ob.pvBuffer = NULL;

        if ( rcISC != SEC_I_CONTINUE_NEEDED )
            break;

        // prepare to get the server's response
        ibd.ulVersion = SECBUFFER_VERSION;
        ibd.cBuffers = 1;
        ibd.pBuffers = &ib; // just one buffer
        ib.BufferType = SECBUFFER_TOKEN; // prepping a token here

        // receive the server's response
        // MACHINE-DEPENDENT CODE! (Besides, we assume that we
        // get the length with a single read, which is not guaranteed)
        rc = recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
        bytesReceived += sizeof ib.cbBuffer;
        ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
        char *p = (char *) ib.pvBuffer;
        int n = ib.cbBuffer;
        while ( n )
        {
            rc = recv( s, p, n, 0 );
            // if ( rc == SOCKET_ERROR )
            //     wserr( rc, "recv" );
            // if ( rc == 0 )
            //     wserr( 999, "recv" );
            bytesReceived += rc;
            n -= rc;
            p += rc;
        }

        // by now we have an input buffer and a client context
        haveInbuffer = true;
        haveContext = true;

        // loop back for another round
        // puts( "looping" );
    }

    // we arrive here as soon as InitializeSecurityContext()
    // returns != SEC_I_CONTINUE_NEEDED.
    if ( rcISC != SEC_E_OK )
    {
        printf( "Oops! ISC() returned %08xh!\n", rcISC );
    }

    (pf->FreeContextBuffer)( secPackInfo );

    //printf( "auth() exiting (%d sent, %d received)\n", bytesSent, bytesReceived );

    free( myTokenSource );
    if ( nameAndPwd != 0 )
    {
        if ( nameAndPwd->Domain != 0 )
            free( nameAndPwd->Domain );
        if ( nameAndPwd->User != 0 )
            free( nameAndPwd->User );
        if ( nameAndPwd->Password != 0 )
            free( nameAndPwd->Password );
        free( nameAndPwd );
    }
}

// wserr() displays winsock errors and aborts. No grace there.
void wserr( int rc, const char * const funcname )
{
    if ( rc == 0 )
        return;

    fprintf( stderr, "\nWinsock error %d [gle %d] returned by %s().\n"
        "Sorry, no bonus!\n", rc, WSAGetLastError(), funcname );
    WSACleanup();
    exit( rc );
}

bool auth( SOCKET s, CredHandle& cred, CtxtHandle& srvCtx )
{
    int rc;
    bool haveToken = true;
    SecPkgInfo *secPackInfo;
    int bytesReceived = 0, bytesSent = 0;
    char buf[256];
    DWORD bufsiz = sizeof buf;

    puts( "auth() entered" );

    rc = (pf->QuerySecurityPackageInfo)( "kerberos", &secPackInfo );
    printf( "QSPI(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
        haveToken = false;

    TimeStamp useBefore;
    rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
        NULL, NULL, NULL, NULL, &cred, &useBefore );
    // rc = (pf->AcquireCredentialsHandle)( NULL, "kerberos", SECPKG_CRED_BOTH,
    //     NULL, NULL, NULL, NULL, &cred, &useBefore );
    printf( "ACH(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
        haveToken = false;

    // input and output buffers
    SecBufferDesc obd, ibd;
    SecBuffer ob, ib;
    DWORD ctxAttr;

    bool haveContext = false;

    while ( 1 )
    {
        // prepare to get the server's response
        ibd.ulVersion = SECBUFFER_VERSION;
        ibd.cBuffers = 1;
        ibd.pBuffers = &ib; // just one buffer
        ib.BufferType = SECBUFFER_TOKEN; // prepping a token here

        // receive the client's POD
        // MACHINE-DEPENDENT CODE! (Besides, we assume that we
        // get the length with a single read, which is not guaranteed)
        recv( s, (char *) &ib.cbBuffer, sizeof ib.cbBuffer, 0 );
        bytesReceived += sizeof ib.cbBuffer;
        ib.pvBuffer = LocalAlloc( 0, ib.cbBuffer );
        char *p = (char *) ib.pvBuffer;
        int n = ib.cbBuffer;
        while ( n )
        {
            rc = recv( s, p, n, 0 );
            if ( rc == SOCKET_ERROR )
                wserr( rc, "recv" );
            if ( rc == 0 )
                wserr( 999, "recv" );
            bytesReceived += rc;
            n -= rc;
            p += rc;
        }

        // by now we have an input buffer
        obd.ulVersion = SECBUFFER_VERSION;
        obd.cBuffers = 1;
        obd.pBuffers = &ob; // just one buffer
        ob.BufferType = SECBUFFER_TOKEN; // prepping a token here
        ob.cbBuffer = secPackInfo->cbMaxToken;
        ob.pvBuffer = LocalAlloc( 0, ob.cbBuffer );

        rc = (pf->AcceptSecurityContext)( &cred, haveContext? &srvCtx: NULL,
            &ibd, 0, /* SECURITY_NATIVE_DREP */ SECURITY_NATIVE_DREP /*SECURITY_NETWORK_DREP*/,
            &srvCtx, &obd, &ctxAttr, &useBefore );
        printf( "ASC(): %08xh\n", rc );

        if ( ib.pvBuffer != NULL )
        {
            LocalFree( ib.pvBuffer );
            ib.pvBuffer = NULL;
        }

        if ( rc == SEC_I_COMPLETE_AND_CONTINUE || rc == SEC_I_COMPLETE_NEEDED )
        {
            if ( pf->CompleteAuthToken != NULL ) // only if implemented
                (pf->CompleteAuthToken)( &srvCtx, &obd );
            if ( rc == SEC_I_COMPLETE_NEEDED )
                rc = SEC_E_OK;
            else if ( rc == SEC_I_COMPLETE_AND_CONTINUE )
                rc = SEC_I_CONTINUE_NEEDED;
        }

        // send the output buffer off to the server
        // warning -- this is machine-dependent! FIX IT!
        if ( rc == SEC_E_OK || rc == SEC_I_CONTINUE_NEEDED )
        {
            if ( ob.cbBuffer != 0 )
            {
                send( s, (const char *) &ob.cbBuffer, sizeof ob.cbBuffer, 0 );
                bytesSent += sizeof ob.cbBuffer;
                send( s, (const char *) ob.pvBuffer, ob.cbBuffer, 0 );
                bytesSent += ob.cbBuffer;
            }
            LocalFree( ob.pvBuffer );
            ob.pvBuffer = NULL;
        }

        if ( rc != SEC_I_CONTINUE_NEEDED )
            break;

        haveContext = true;

        // loop back for another round
        puts( "looping" );
    }

    // we arrive here as soon as InitializeSecurityContext()
    // returns != SEC_I_CONTINUE_NEEDED.
    if ( rc != SEC_E_OK )
    {
        printf( "Oops! ASC() returned %08xh!\n", rc );
        haveToken = false;
    }

    GetUserName( buf, &bufsiz );

    // now we try to use the context
    rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    printf( "ImpSC(): %08xh\n", rc );
    if ( rc != SEC_E_OK )
    {
        printf( "Oops! ImpSC() returns %08xh!\n", rc );
        haveToken = false;
    }
    else
    {
        char buf[256];
        DWORD bufsiz = sizeof buf;
        printf( "haveToken = %s\n\n", haveToken? "true": "false" );
        send( s, (const char *) &haveToken, sizeof haveToken, 0 );
        GetUserName( buf, &bufsiz );
        printf( "user name: \"%s\"\n", buf );
        //(pf->RevertSecurityContext)( &srvCtx );
        printf( "RSC(): %08xh\n", rc );
    }

    //(pf->FreeContextBuffer)( secPackInfo );

    printf( "auth() exiting (%d received, %d sent)\n", bytesReceived, bytesSent );

    return haveToken;
}

int Ganesh_Client_Impl( CtxtHandle &srvCtx )
{
    char buf[256];
    DWORD bufsiz = sizeof buf;
    int rc = 0;
    //CtxtHandle tmpCtx = srvCtx;
    SecPkgContext_Lifespan lspan;

    rc = (pf->QueryContextAttributes)( &srvCtx, SECPKG_ATTR_LIFESPAN, &lspan );
    rc = GetLastError();
    GetUserName( buf, &bufsiz );
    //rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    rc = GetLastError();
    GetUserName( buf, &bufsiz );

    int port, i, errors;
    unsigned long naddr;
    SOCKET sock;
    WSADATA wsadata;
    PHOSTENT phe;
    PSERVENT pse;
    SOCKADDR_IN addr;
    HINSTANCE hSecLib;
    const char *tokenSource = "win\\gtambat", *server = "client-machine";
    //const char *tokenSource = "PUN\\gtambat"/*"Authsamp"*/, *server = "client-machine";
    const char *portstr = "12000", *user = 0, *pwd = 0, *domain = 0;

    errors = 0;

    if ( server == 0 )
    {
        //puts( "A server name or IP address must be specified." );
        ++ errors;
    }
    if ( portstr == 0 )
    {
        //puts( "A port name or port number must be specified." );
        ++ errors;
    }
    if ( user == 0 && domain != 0 )
    {
    } // puts( "No user name was specified, ignoring the domain." );

    if ( errors )
    {
        /* puts( "\nusage: client -s your.server.com -p serverport" );
        puts( " [-t token-source] [-u user pwd [-d domain]]" );
        puts( "token-source is _required_ for Kerberos and should be your" );
        puts( "current logon name (e.g., \"MYDOMAIN\\felixk\")." );
        puts( "If -u is absent, your current credentials will be used." );*/
        return 1;
    }

    initSecLib( hSecLib );

    rc = WSAStartup( 2, &wsadata );
    //wserr( rc, "WSAStartup" );

    sock = socket( AF_INET, SOCK_STREAM, 0 );
    if ( sock == INVALID_SOCKET )
    {
        rc = -1;
    }
    else
    {
        rc = 0;
    }

    addr.sin_family = AF_INET;

    // try numeric IP address first (inet_addr)
    naddr = inet_addr( server );
    if ( naddr != INADDR_NONE )
    {
        addr.sin_addr.s_addr = naddr;
    }
    else
    {
        phe = gethostbyname( server );
        // if ( phe == NULL )
        //     wserr( 1, "gethostbyname" );
        addr.sin_addr.s_addr = *( (unsigned long *) (phe->h_addr) );
        memcpy( (char *) &addr.sin_addr, phe->h_addr, phe->h_length );
    }

    // try numeric protocol first
    port = atoi( portstr );
    if ( port > 0 && port < 32768 )
        addr.sin_port = htons( (short) port );
    else
    {
        pse = getservbyname( portstr, "tcp" );
        // if ( pse == NULL )
        //     wserr( 1, "getservbyname" );
        addr.sin_port = pse->s_port;
    }

    CredHandle cred;
    CtxtHandle cliCtx;

    rc = connect( sock, (SOCKADDR *) &addr, sizeof addr );
    //wserr( rc, "connect" );

    struct sockaddr name;
    int namelen = sizeof name;
    rc = getsockname( sock, &name, &namelen );
    /*wserr( rc, "getsockname()" );
    printf( "I am %u.%u.%u.%u\n",
        (unsigned int) (unsigned char) name.sa_data[2],
        (unsigned int) (unsigned char) name.sa_data[3],
        (unsigned int) (unsigned char) name.sa_data[4],
        (unsigned int) (unsigned char) name.sa_data[5] );*/

    Ganesh_auth( sock, cred, cliCtx, tokenSource, user, pwd, domain ); // this does the real work

    // use the authenticated connection here
    bool haveToken = false;
    rc = recv( sock, (char *) &haveToken, sizeof haveToken, 0 );
    if ( rc != sizeof haveToken )
    {
        rc = 999;
    } // wserr( 999, "result-recv" );
    if ( haveToken )
        puts( "That seems to have worked."
        );
    else
        puts( "Oops! Wrong user name or password?" );

    // the server is probably impersonating us by now
    // this is where the client and server talk business

    // clean up
    (pf->DeleteSecurityContext)( &cliCtx );
    (pf->FreeCredentialHandle)( &cred );

    rc = closesocket( sock );
    wserr( rc, "closesocket" );
    rc = WSACleanup();
    wserr( rc, "WSACleanup" );

    __try
    {
        FreeLibrary( hSecLib );
    }
    __except ( 1 )
    {
        // puts( "Freelibrary( security.dll ) caused an access violation. Yuck." );
    }

    return 0;
}

struct CapName
{
    DWORD bits;
    const char *name;
    const char *comment;
} capNames[] =
{
    { SECPKG_FLAG_INTEGRITY, "SECPKG_FLAG_INTEGRITY", "Supports integrity on messages" },
    { SECPKG_FLAG_PRIVACY, "SECPKG_FLAG_PRIVACY", "Supports privacy (confidentiality)" },
    { SECPKG_FLAG_TOKEN_ONLY, "SECPKG_FLAG_TOKEN_ONLY", "Only security token needed" },
    { SECPKG_FLAG_DATAGRAM, "SECPKG_FLAG_DATAGRAM", "Datagram RPC support" },
    { SECPKG_FLAG_CONNECTION, "SECPKG_FLAG_CONNECTION", "Connection oriented RPC support" },
    { SECPKG_FLAG_MULTI_REQUIRED, "SECPKG_FLAG_MULTI_REQUIRED", "Full 3-leg required for re-auth."
 },
    { SECPKG_FLAG_CLIENT_ONLY, "SECPKG_FLAG_CLIENT_ONLY", "Server side functionality not available" },
    { SECPKG_FLAG_EXTENDED_ERROR, "SECPKG_FLAG_EXTENDED_ERROR", "Supports extended error msgs" },
    { SECPKG_FLAG_IMPERSONATION, "SECPKG_FLAG_IMPERSONATION", "Supports impersonation" },
    { SECPKG_FLAG_ACCEPT_WIN32_NAME, "SECPKG_FLAG_ACCEPT_WIN32_NAME", "Accepts Win32 names" },
    { SECPKG_FLAG_STREAM, "SECPKG_FLAG_STREAM", "Supports stream semantics" },
    { SECPKG_FLAG_NEGOTIABLE, "SECPKG_FLAG_NEGOTIABLE", "Can be used by the negotiate package" },
    { SECPKG_FLAG_GSS_COMPATIBLE, "SECPKG_FLAG_GSS_COMPATIBLE", "GSS Compatibility Available" },
    { SECPKG_FLAG_LOGON, "SECPKG_FLAG_LOGON", "Supports common LsaLogonUser" },
    { SECPKG_FLAG_ASCII_BUFFERS, "SECPKG_FLAG_ASCII_BUFFERS", "Token Buffers are in ASCII" },
    { 0xffffffffL, "(fence)", "(fence)" }
};

void initSecLib( HINSTANCE& hSec )
{
    PSecurityFunctionTable (*pSFT)( void );

    hSec = LoadLibrary( "security.dll" );
    pSFT = (PSecurityFunctionTable (*)( void )) GetProcAddress( hSec, "InitSecurityInterfaceA" );
    if ( pSFT == NULL )
    {
        exit( 1 );
    }

    pf = pSFT();
    if ( pf == NULL )
    {
        exit( 1 );
    }

    SECURITY_STATUS rc;
    DWORD numPacks = 0, i, j;
    SecPkgInfo *pPacks = NULL;

    rc = (pf->EnumerateSecurityPackages)( &numPacks, &pPacks );
    if ( rc != 0 )
    {
        exit( 1 );
    }

    for ( i = 0; i < numPacks; ++ i )
    {
        for ( j = 0; capNames[j].bits != 0xffffffffL; ++ j )
        {
            //if ( ( capNames[j].bits & pPacks[i].fCapabilities ) == capNames[j].bits )
            //    printf( " %s (%s)\n", capNames[j].name, capNames[j].comment );
        }
    }

    if ( pPacks != NULL )
        (pf->FreeContextBuffer)( pPacks );
}

int main( int argc, char *argv[] )
{
    int rc, port, addrlen;
    HINSTANCE hSecLib;
    CtxtHandle srvCtx;
    bool haveToken;
    SOCKET sock, s;
    WSADATA wsadata;
    PSERVENT pse;
    SOCKADDR_IN addr;
    HANDLE threadRet = NULL; // only set if the CreateThread() path below is re-enabled
    char buf[256];
    DWORD bufsiz = sizeof buf;

    if ( argc != 2 )
    {
        puts( "usage: server portnumber" );
        return 1;
    }

    initSecLib( hSecLib );

    rc = WSAStartup( 2, &wsadata );
    wserr( rc, "WSAStartup" );

    sock = socket(
 AF_INET, SOCK_STREAM, 0 );
    if ( sock == INVALID_SOCKET )
        wserr( 999, "socket" );

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = INADDR_ANY;

    // try numeric protocol first
    port = atoi( argv[1] );
    if ( port > 0 && port < 32768 )
        addr.sin_port = htons( (short) port );
    else
    {
        pse = getservbyname( argv[1], "tcp" );
        if ( pse == NULL )
            wserr( 1, "getservbyname" );
        addr.sin_port = pse->s_port;
    }

    rc = bind( sock, (SOCKADDR *) &addr, sizeof addr );
    wserr( rc, "bind" );

    rc = listen( sock, 2 );
    wserr( rc, "listen" );

    CredHandle cred;

    while ( 1 )
    {
        addrlen = sizeof addr;
        s = accept( sock, (SOCKADDR *) &addr, &addrlen );
        if ( s == INVALID_SOCKET )
            wserr( s, "accept" );

        haveToken = auth( s, cred, srvCtx );

        // now we talk to the client
        printf( "haveToken = %s\n\n", haveToken? "true": "false" );
        send( s, (const char *) &haveToken, sizeof haveToken, 0 );

        // clean up
        // Modified by Ganesh
        /*(pf->DeleteSecurityContext)( &srvCtx );
        (pf->FreeCredentialHandle)( &cred );
        closesocket( s );*/
        break;
    }

    int j;
    puts( "\n\n Should I start client implementation within server ?: " );
    scanf( "%d", &j );

    LPVOID threadParam = &srvCtx;
    DWORD threadId;
    //PROCESS_INFORMATION Pi;
    //STARTUPINFO Si;
    //HANDLE hTokenNew = NULL, hTokenDup = NULL;
    //ZeroMemory( &Pi, sizeof(Pi) );
    //ZeroMemory( &Si, sizeof( STARTUPINFO ) );
    //Si.cb = sizeof( STARTUPINFO );
    // Si.lpDesktop = "winsta0\\default";
    //GetUserName( buf, &bufsiz );
    //rc = (pf->ImpersonateSecurityContext)( &srvCtx );
    //rc = GetLastError();
    //GetUserName( buf, &bufsiz );
    //rc = CreateProcess( "C:\\WINDOWS\\system32\\notepad.exe", "C:\\WINDOWS\\system32\\notepad.exe",
    //    NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &Si, &Pi );
    rc = GetLastError();
    //threadRet = CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE) Ganesh_Client_Impl, threadParam, 0, &threadId );
    j = Ganesh_Client_Impl( srvCtx );
    if ( threadRet != NULL ) // nothing to wait for while Ganesh_Client_Impl() is called directly
    {
        WaitForSingleObject( threadRet, INFINITE );
        CloseHandle( threadRet );
    }

    FreeLibrary( hSecLib );

    return 0;
}
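The two "machine-dependent! FIX IT!" send/recv pairs above put ob.cbBuffer on the wire as raw host-order bytes, assume a single recv() delivers the whole length, and pass whatever length arrives straight to LocalAlloc(). As an added example (editor's code, not part of Ganesh's post or of the mvps.org sample it extends), here is portable length-prefixed framing for the same token exchange: it caps the announced length at the package's cbMaxToken (stood in for by a constructed constant), loops over short reads through a read callback, and is driven by a constructed in-memory stream so it runs offline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for secPackInfo->cbMaxToken (QuerySecurityPackageInfo). */
#define DEMO_MAX_TOKEN 12000u

enum frame_status { FRAME_OK = 0, FRAME_EOF, FRAME_EMPTY, FRAME_TOO_LARGE, FRAME_IO_ERROR };

/* Byte source: returns 1..want bytes, 0 at end of stream, -1 on error.
 * On Windows this would wrap recv() on the SOCKET; here it is in-memory. */
typedef int (*read_fn)(void *ctx, uint8_t *buf, size_t want);

/* Sender: 4-byte big-endian length prefix, then the token. Independent of
 * sizeof(ob.cbBuffer) and of host byte order, unlike the raw send() pair. */
size_t frame_encode(const uint8_t *token, uint32_t len, uint8_t *out, size_t cap)
{
    if (cap < 4u + (size_t)len) return 0;
    out[0] = (uint8_t)(len >> 24); out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);  out[3] = (uint8_t)len;
    memcpy(out + 4, token, len);
    return 4u + len;
}

/* Read exactly n bytes; short reads are normal on TCP and must be looped. */
static enum frame_status read_exact(read_fn rd, void *ctx, uint8_t *dst, size_t n)
{
    while (n > 0) {
        int got = rd(ctx, dst, n);
        if (got < 0) return FRAME_IO_ERROR;
        if (got == 0) return FRAME_EOF;   /* peer closed mid-frame */
        dst += got; n -= (size_t)got;
    }
    return FRAME_OK;
}

/* Receiver: validate the announced length *before* allocating, so the peer
 * cannot choose how much we LocalAlloc()/malloc(). */
enum frame_status frame_read(read_fn rd, void *ctx, uint32_t max_token,
                             uint8_t **token_out, uint32_t *len_out)
{
    uint8_t hdr[4];
    enum frame_status st = read_exact(rd, ctx, hdr, sizeof hdr);
    if (st != FRAME_OK) return st;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                   ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (len == 0) return FRAME_EMPTY;            /* ISC/ASC never emit an empty token */
    if (len > max_token) return FRAME_TOO_LARGE; /* more than the package can produce */
    uint8_t *buf = malloc(len);
    if (buf == NULL) return FRAME_IO_ERROR;
    st = read_exact(rd, ctx, buf, len);
    if (st != FRAME_OK) { free(buf); return st; }
    *token_out = buf; *len_out = len;
    return FRAME_OK;
}

/* Constructed in-memory stream handing out at most 'chunk' bytes per call,
 * to exercise the short-read path the posted code assumes never happens. */
struct mem_stream { const uint8_t *data; size_t len, pos, chunk; };

static int mem_read(void *ctx, uint8_t *buf, size_t want)
{
    struct mem_stream *s = ctx;
    size_t left = s->len - s->pos;
    if (left == 0) return 0;
    size_t n = want < s->chunk ? want : s->chunk;
    if (n > left) n = left;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Round trip: frame a constructed token, read it back 3 bytes at a time. */
int frame_roundtrip_ok(void)
{
    static const uint8_t token[] = "constructed-token-bytes";  /* not a real SSPI blob */
    uint8_t wire[64];
    size_t wlen = frame_encode(token, (uint32_t)sizeof token, wire, sizeof wire);
    struct mem_stream s = { wire, wlen, 0, 3 };
    uint8_t *back = NULL; uint32_t blen = 0;
    enum frame_status st = frame_read(mem_read, &s, DEMO_MAX_TOKEN, &back, &blen);
    int ok = st == FRAME_OK && blen == sizeof token && memcmp(back, token, blen) == 0;
    free(back);
    return ok;
}

/* Feed only a header announcing 'claimed' bytes and report the reader's verdict:
 * oversized -> FRAME_TOO_LARGE, zero -> FRAME_EMPTY, plausible but truncated -> FRAME_EOF. */
enum frame_status frame_header_only_status(uint32_t claimed)
{
    uint8_t hdr[4] = { (uint8_t)(claimed >> 24), (uint8_t)(claimed >> 16),
                       (uint8_t)(claimed >> 8),  (uint8_t)claimed };
    struct mem_stream s = { hdr, sizeof hdr, 0, 4 };
    uint8_t *back = NULL; uint32_t blen = 0;
    return frame_read(mem_read, &s, DEMO_MAX_TOKEN, &back, &blen);
}
```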
***************************************************************************************

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


From fcocquyt at stanford.edu  Fri Dec 19 09:41:54 2008
From: fcocquyt at stanford.edu (Fletcher Cocquyt)
Date: Fri, 19 Dec 2008 14:41:54 +0000 (UTC)
Subject: disabling krb524d attempts - causes login hangs

Hi, a recent campus firewall change has caused users' Kerberos logins to hang on
this system. The problem has been isolated to a krb524 attempt (which used to
swiftly fail - but now tries for 60-90 seconds before failing).

How can we explicitly disable the krb524 communication attempt (campus does not
run that service)?

Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: no external
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: warn
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ticket lifetime: 0
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: renewable lifetime: 0
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: minimum uid: 100
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: banner: Kerberos 5
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ccache dir: /tmp
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: keytab: FILE:/etc/krb5.keytab
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: called to authenticate 'fcocquyt', realm 'stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating 'fcocquyt at stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: trying previously-entered password for 'fcocquyt', allowing libkrb5 to prompt for more
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating 'fcocquyt at stanford.edu' to 'krbtgt/stanford.edu at stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: krb5_get_init_creds_password(krbtgt/stanford.edu at stanford.edu) returned 0 (Success)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: got result 0 (Success)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtaining v4-compatible key
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtained des-cbc-crc v5 creds
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: converting v5 creds to v4 creds (etype = 1)
...
... 60 seconds >
...
...

many thanks


From raeburn at MIT.EDU  Fri Dec 19 09:52:09 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 19 Dec 2008 09:52:09 -0500
Subject: disabling krb524d attempts - causes login hangs
Message-ID: <58FDDE96-B3A7-4EF3-96CB-DE522532D57D@mit.edu>

On Dec 19, 2008, at 09:41, Fletcher Cocquyt wrote:
> Hi, a recent campus firewall change has caused user's kerberos logins to
> hang on this system. The problem has been isolated to a krb524 attempt
> (which used to swiftly fail - but now tries for 60-90 seconds before
> failing).

My guess is the old firewall configuration would generate port-unreachable
errors (or let the packets through so that the KDC could send them), which
would cause an immediate failure, and now the client just waits for a
response and sees nothing.

> How can we explicitly disable the krb524 communication attempt (campus
> does not run that service)

1) Make the port-unreachable messages come back, or

2) Create SRV records for _krb524._udp.REALM listing a host name of "."
   (which means "service not available", as opposed to having no SRV
   records, which means "no information")

Ken


From mathew_rowley at cable.comcast.com  Fri Dec 19 10:44:13 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Fri, 19 Dec 2008 08:44:13 -0700
Subject: LDAP + Kerberos grouping/password

Do you have to sync passwords between Kerberos and LDAP if I am using LDAP
for user-specific information? For example, if I ssh to a box, I want it to
authenticate with Kerberos, but get the gid/uid/shell/homedir from LDAP.
Is there a way to specify the LDAP PAM module not to auth against LDAP, just
get the user information?

Thanks.

--
MAT


From coy.hile at coyhile.com  Fri Dec 19 10:52:26 2008
From: coy.hile at coyhile.com (Coy Hile)
Date: Fri, 19 Dec 2008 15:52:26 +0000 (UTC)
Subject: LDAP + Kerberos grouping/password

On Fri, 19 Dec 2008, Mathew Rowley wrote:

> Do you have to sync passwords between Kerberos and LDAP if I am using LDAP
> for user specific information? For example, if I ssh to a box, I want it to
> authenticate with kerberos, but get the gid/uid/shell/homedir from LDAP. Is
> there a way to specify the LDAP PAM module to not to auth against LDAP, just
> get the user information?
>

The user information is obtained via nss calls. That's not controlled by PAM
at all. You shouldn't need ldap mentioned in your PAM config at all. Fix your
nss config and you should be fine.


From deengert at anl.gov  Fri Dec 19 10:59:56 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 19 Dec 2008 09:59:56 -0600
Subject: LDAP + Kerberos grouping/password
Message-ID: <494BC4FC.8060205@anl.gov>

Mathew Rowley wrote:
> Do you have to sync passwords between Kerberos and LDAP if I am using LDAP
> for user specific information? For example, if I ssh to a box, I want it to
> authenticate with kerberos, but get the gid/uid/shell/homedir from LDAP. Is
> there a way to specify the LDAP PAM module to not to auth against LDAP, just
> get the user information?

Not clear why you want to sync passwords. If you want to use Kerberos for
authentication, don't authenticate to LDAP, and don't use the passwords.
Depending on your OS, you can have them set to NP or *NP* so they can't be
used.

So don't use pam_ldap. Let nsswitch find ldap for getting the rest of the
info and use pam_krb5.

>
> Thanks.
>

--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444


From ghudson at MIT.EDU  Fri Dec 19 11:39:14 2008
From: ghudson at MIT.EDU (Greg Hudson)
Date: Fri, 19 Dec 2008 11:39:14 -0500
Subject: disabling krb524d attempts - causes login hangs
Message-ID: <1229704754.12360.32.camel@ray>

On Fri, 2008-12-19 at 14:41 +0000, Fletcher Cocquyt wrote:
> How can we explicitly disable the krb524 communication attempt (campus does not
> run that service)

Ken's suggestions will work at a global level without requiring changes
to client configuration, which may be advantageous. But I read your
question as asking about client configuration, so:

First, find where pam_krb5 is configured in your system's PAM
configuration. grepping for krb5 in /etc/pam.d/* will probably turn it
up.

Second, consult the pam_krb5 man page (if you have one) to see what
option to use to turn it off. It may be "convert_krb4=false". Append
that to the pam_krb5 configuration line.


From fcocquyt at stanford.edu  Fri Dec 19 12:16:13 2008
From: fcocquyt at stanford.edu (Fletcher Cocquyt)
Date: Fri, 19 Dec 2008 17:16:13 +0000 (UTC)
Subject: disabling krb524d attempts - causes login hangs
References: <1229704754.12360.32.camel@ray>

Greg Hudson <ghudson at MIT.EDU> writes:

>
> On Fri, 2008-12-19 at 14:41 +0000, Fletcher Cocquyt wrote:
> > How can we explicitly disable the krb524 communication attempt (campus does not
> > run that service)
>
> Ken's suggestions will work at a global level without requiring changes
> to client configuration, which may be advantageous. But I read your
> question as asking about client configuration, so:
>
> First, find where pam_krb5 is configured in your system's PAM
> configuration. grepping for krb5 in /etc/pam.d/* will probably turn it
> up.
>
> Second, consult the pam_krb5 man page (if you have one) to see what
> option to use to turn it off. It may be "convert_krb4=false". Append
> that to the pam_krb5 configuration line.
>

So in /etc/pam.d/system-auth-ac (the same place I added debug for logging krb
and the only pam.d with krb config) I set:

krb4_convert=false krb4_convert_524=false

krb4_convert tells pam_krb5.so to obtain Kerberos IV credentials for users, in
addition to Kerberos 5 credentials, using either a v4-capable KDC or This
option is poorly named. This option is automatically enabled if AFS is
detected.

krb4_convert_524 tells pam_krb5.so to obtain Kerberos IV credentials for users
using the krb524 service. This option modifies the krb4_convert option. If
disabled, pam_krb5 will only attempt to obtain Kerberos IV credentials using
the KDC.

per the man page: http://linux.die.net/man/8/pam_krb5

It had no effect - even after restarting the sshd service

Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: krb5_get_init_creds_password(krbtgt/stanford.edu at stanford.edu) returned 0 (Success)
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: got result 0 (Success)
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtaining v4-compatible key
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: obtained des-cbc-crc v5 creds
Dec 19 09:08:56 admsys-local sshd[17077]: pam_krb5[17077]: converting v5 creds to v4 creds (etype = 1)

my system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass debug krb4_convert=false krb4_convert_524=false
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so krb4_convert=false krb4_convert_524=false
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok krb4_convert=false krb4_convert_524=false
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so krb4_convert=false krb4_convert_524=false

thanks for any tips


From tlyu at MIT.EDU  Fri Dec 19 14:35:22 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Fri, 19 Dec 2008 14:35:22 -0500
Subject: AS_REQ Return code 60 for principal expired?
In-Reply-To: (Mike Friedman's message of "Thu, 11 Dec 2008 12:54:23 -0800 (PST)")

Mike Friedman writes:

> I've been doing some testing of my programs that use the MIT API against a
> KDC running 1.6.1 on a Linux system. On all prior systems where I've run
> a KDC, and according to the Kerberos docs, a principal expired condition
> should set a return code of 1. But on this test system, it seems I'm
> getting back a 60, which the docs define as a 'generic error'.

I am unable to reproduce this condition. Is the krb5-1.6.1 KDC possibly
built using the --with-vague-errors option?
From rra at stanford.edu  Fri Dec 19 14:47:34 2008
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 19 Dec 2008 11:47:34 -0800
Subject: disabling krb524d attempts - causes login hangs
In-Reply-To: (Fletcher Cocquyt's message of "Fri, 19 Dec 2008 17:16:13 +0000 (UTC)")
References: <1229704754.12360.32.camel@ray>
Message-ID: <87ocz8q755.fsf@windlord.stanford.edu>

Fletcher Cocquyt writes:

> per the man page: http://linux.die.net/man/8/pam_krb5
>
> It had no effect - even after restarting the sshd service

Judging from the man page, this is the Red Hat pam-krb5 module. I know that
other people around Stanford have had a ton of problems with delays caused
by that module and its attempts to get Kerberos v4 tickets. There's probably
some way to fix it, but the most common solution has been to just get rid of
it and run a different PAM module.

Probably not surprisingly, all the Stanford central infrastructure systems
use my PAM module:

http://www.eyrie.org/~eagle/software/pam-krb5/

I wrote it to never try to get Kerberos v4 tickets, so it shouldn't have this
problem. Switching to it has fixed the problem for a number of Red Hat users
around campus.

--
Russ Allbery (rra at stanford.edu)


From nalin at redhat.com  Fri Dec 19 15:07:45 2008
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 19 Dec 2008 15:07:45 -0500
Subject: disabling krb524d attempts - causes login hangs
References: <1229704754.12360.32.camel@ray>
Message-ID: <20081219200745.GA5135@redhat.com>

On Fri, Dec 19, 2008 at 05:16:13PM +0000, Fletcher Cocquyt wrote:
> So in /etc/pam.d/system-auth-ac (the same place I added debug for logging krb
>
> and the only pam.d with krb config) I set:
>
> krb4_convert=false krb4_convert_524=false

That should work in the 'pam' portion of the [appdefaults] section in
krb5.conf. If you're passing it in as an argument, try "no_krb4_convert"
and "no_krb4_convert_524" instead.
HTH,

Nalin


From fcocquyt at stanford.edu  Fri Dec 19 17:18:51 2008
From: fcocquyt at stanford.edu (Fletcher Cocquyt)
Date: Fri, 19 Dec 2008 22:18:51 +0000 (UTC)
Subject: SUMMARY: disabling krb524d attempts - causes login hangs
References: <1229704754.12360.32.camel@ray> <20081219200745.GA5135@redhat.com>

Nalin Dahyabhai <nalin at redhat.com> writes:

>
> On Fri, Dec 19, 2008 at 05:16:13PM +0000, Fletcher Cocquyt wrote:
> > So in /etc/pam.d/system-auth-ac (the same place I added debug for logging krb
> >
> > and the only pam.d with krb config) I set:
> >
> > krb4_convert=false krb4_convert_524=false
>
> That should work in the 'pam' portion of the [appdefaults] section
> in krb5.conf. If you're passing it in as an argument, try
> "no_krb4_convert" and "no_krb4_convert_524" instead.
>
> HTH,
>
> Nalin

DingDingDing! we have a winner!

Added krb4_convert_524=false to the appdefaults section (note, krb4_convert =
false already existed):

[appdefaults]
 default_lifetime = 25hrs
 krb4_get_tickets = false
 krb4_convert = false
 krb4_convert_524 = false
 krb5_get_tickets = true
 krb5_get_forwardable = true

Solved the issue - Kerberos authentication proceeds and completes swiftly
without hanging on the krb524 conversion.

Thanks to Nalin and all who provided feedback

Cheers,
Fletcher


From mathew_rowley at cable.comcast.com  Mon Dec 22 12:06:33 2008
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Mon, 22 Dec 2008 10:06:33 -0700
Subject: Same config as server: kinit(v5): Improper format of Kerberos configuration file...

I am trying to set up a server for Kerberos authentication, but when I copy
my krb5.conf file over to the server, I get the following error while trying
to do a kinit:

kinit(v5): Improper format of Kerberos configuration file while initializing
Kerberos 5 library

The only difference I can see is the versions installed on the Kerberos
server vs the secondary server.
The kerberos server has 1.6.1, and the machine I want to use krb based auth has 1.4.3. Will that cause this error to occur?

This is the krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.COMCAST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[realms]
 IPA.COMCAST.COM = {
  kdc = ipa01.security.lab.comcast.com:88
  admin_server = ipa01.security.lab.comcast.com:749
  default_domain = security.lab.comcast.com
  database_module = openldap_ldapconf
 }

[domain_realm]
 .security.lab.comcast.com = IPA.COMCAST.COM
 security.lab.comcast.com = IPA.COMCAST.COM

[dbdefaults]
 ldap_kerberos_container_dn = cn=krbcontainer,o=comcast,dc=comcast,dc=com

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kerberos_container_dn = cn=krbcontainer,o=comcast,dc=comcast,dc=com
  ldap_kdc_dn = "cn=krbadmin,o=comcast,dc=comcast,dc=com"
     # this object needs to have read rights on
     # the realm container, principal container and realm sub-trees
  ldap_kadmind_dn = "cn=krbadmin,o=comcast,dc=comcast,dc=com"
     # this object needs to have read and write rights on
     # the realm container, principal container and realm sub-trees
  ldap_service_password_file = /etc/kerberos/service.keyfile
  ldap_servers = ldap://ipa01.security.lab.comcast.com
  ldap_conns_per_server = 5
 }

-- 
MAT

From tlyu at MIT.EDU Mon Dec 22 13:11:50 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 22 Dec 2008 13:11:50 -0500
Subject: non-KDC replay cache problems?
Message-ID:

I am attempting to determine if there is a significant need to improve the false positive performance of the replay cache. A symptom of this behavior is the error message "Request is a replay" when there is apparently no replay.
My impression is that many of the replay cache false-positive problems reported to date have been due to the KDC replay cache. Has anyone experienced problems due to false positive conditions on an application replay cache? This is in contrast to a false positive indication on the KDC replay cache, which can cause error conditions in situations such as when mod_auth_krb obtains a ticket from the KDC using a user-submitted password.

In the case where false positives in application replay caches present a significant issue, the following project proposal describes one approach we can use to solve the problem:

    http://k5wiki.kerberos.org/wiki/Projects/replay_cache_collision_avoidance

If it turns out that almost all of the problems are due to the KDC replay cache, we can consider turning off the KDC replay cache, as we believe that doing so poses negligible security consequences, and is substantially easier.

-- 
Tom Yu
Development Manager
MIT Kerberos Consortium

From raeburn at MIT.EDU Mon Dec 22 13:26:52 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 22 Dec 2008 13:26:52 -0500
Subject: Same config as server: kinit(v5): Improper format of Kerberos configuration file...
In-Reply-To:
References:
Message-ID:

On Dec 22, 2008, at 12:06, Mathew Rowley wrote:
> I am trying to set up a server for kerberos authentication, but when I copy
> my krb5.conf file over to the server, I get the following error while trying
> to do a kinit:
>
> kinit(v5): Improper format of Kerberos configuration file while initializing
> Kerberos 5 library
>
> The only difference I can see is the versions installed on the kerberos
> server vs the secondary server. The kerberos server has 1.6.1, and the
> machine I want to use krb based auth has 1.4.3. Will that cause this error
> to occur?
> This is the krb5.conf file:

I didn't recall this on first reading your message, but after a little experimentation it looks like we did have a minor syntax change somewhere between 1.4.3 and 1.6.1 -- in the older code, a comment had to have the "#" at the start of the line, and now there can be whitespace in front of it. Just remove the leading whitespace from those comment lines and all should be fine (though I think 1.4.3 predates the DAL and LDAP support, so you could just drop that section altogether).

Ken

From Nicolas.Williams at sun.com Tue Dec 23 01:00:15 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Tue, 23 Dec 2008 00:00:15 -0600
Subject: non-KDC replay cache problems?
In-Reply-To:
References:
Message-ID: <20081223060014.GH12468@Sun.COM>

On Mon, Dec 22, 2008 at 01:11:50PM -0500, Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an
> application replay cache?

[...]

Yes, this happens with Windows clients, where the Kerberos stack may re-use a seconds and microseconds value, if multiple AP-REQs are initiated in the same second, but with a different sub-session key.

> If it turns out that almost all of the problems are due to the KDC
> replay cache, we can consider turning off the KDC replay cache, as we
> believe that doing so poses negligible security consequences, and is
> substantially easier.

The KDC replay cache is not an issue, although the replay cache for TGS-REQs needs to behave similarly to the AP-REQ replay cache.

Nico
--

From jaltman at secure-endpoints.com Tue Dec 23 03:42:27 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 23 Dec 2008 03:42:27 -0500
Subject: non-KDC replay cache problems?
In-Reply-To:
References:
Message-ID: <4950A473.80408@secure-endpoints.com>

Tom Yu wrote:
> Has anyone experienced problems due to false positive conditions on an
> application replay cache?
The motivation that Roland and I have for re-working the replay cache is primarily driven by application replay cache false positives.

Jeffrey Altman

From raeburn at MIT.EDU Tue Dec 23 12:15:21 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 23 Dec 2008 12:15:21 -0500
Subject: non-KDC replay cache problems?
In-Reply-To: <4950A473.80408@secure-endpoints.com>
References: <4950A473.80408@secure-endpoints.com>
Message-ID: <2CA7543D-823B-4078-8E1B-BC07678822C3@mit.edu>

On Dec 23, 2008, at 03:42, Jeffrey Altman wrote:
> Tom Yu wrote:
>> Has anyone experienced problems due to false positive conditions on an
>> application replay cache?
> The motivation that Roland and I have for re-working the replay cache
> is primarily driven by application replay cache false positives.

How much do these problems still occur with the Windows time-offset code fixed?

Ken

From bhushan1988 at gmail.com Tue Dec 23 11:53:49 2008
From: bhushan1988 at gmail.com (Bhushan Jain)
Date: Tue, 23 Dec 2008 22:23:49 +0530
Subject: Help reqd: Query regarding Kerberised application available with MIT
Message-ID: <62fd3c0a0812230853p45db8b00raf86e4eeb45d32f1@mail.gmail.com>

Hello,

Greetings for X'mas Holidays.

I had a few queries regarding some of the kerberized applications available with MIT. Can anyone help me address them?

FTP Query:

While I want to decide which ftp (server and client) I need to use, I came across the following doubt. Can any of the Kerberos gurus help address this?

1. When should I use 'sftp' and when should I choose to use MIT kerberized 'ftp'? Which one is better under what circumstances, or what are the pros and cons between the two?

2. Is the 'sftp' client inter-operable with MIT Kerberized 'ftpd'?
HTTP Query:

- Does any of the open source httpd support Kerberos? Does Apache support kerberized httpd and http? Any clue? I hope they do as kerberos is the future.

SAMBA(CIFS) / NFS V4

- NFS V4 on Linux supports Kerberized auth plus per message encryption, but does SAMBA support kerberized auth with per message encryption?

--
Thanks,
--------------
Bhushan

From paul.moore at centrify.com Tue Dec 23 12:41:11 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Tue, 23 Dec 2008 09:41:11 -0800
Subject: Help reqd: Query regarding Kerberised application available with MIT
References: <62fd3c0a0812230853p45db8b00raf86e4eeb45d32f1@mail.gmail.com>
Message-ID:

no relationship between sftp and ftp - sftp is part of ssh suite

you should use kerberized openssh (sftp) - supports file transfer, remote execute and remote login all with one service
From jaltman at secure-endpoints.com Tue Dec 23 13:03:53 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 23 Dec 2008 13:03:53 -0500
Subject: non-KDC replay cache problems?
In-Reply-To: <2CA7543D-823B-4078-8E1B-BC07678822C3@mit.edu>
References: <4950A473.80408@secure-endpoints.com> <2CA7543D-823B-4078-8E1B-BC07678822C3@mit.edu>
Message-ID: <49512809.9080807@secure-endpoints.com>

Ken Raeburn wrote:
> On Dec 23, 2008, at 03:42, Jeffrey Altman wrote:
>> Tom Yu wrote:
>>> Has anyone experienced problems due to false positive conditions on an
>>> application replay cache?
>> The motivation that Roland and I have for re-working the replay cache
>> is primarily driven by application replay cache false positives.
>
> How much do these problems still occur with the Windows time-offset
> code fixed?
>
> Ken

The problem needs to be fixed at the service end. There are many clients, not all of whom are MIT code base, and even for those that are, it's not possible to force upgrades to new code.

From mike503 at gmail.com Wed Dec 24 01:13:19 2008
From: mike503 at gmail.com (mike)
Date: Tue, 23 Dec 2008 22:13:19 -0800
Subject: Development Request: Anyone interested in creating an SPNEGO module for nginx?
Message-ID:

I believe it will take the exact principles of using the Solaris 10 mod_auth_gss module, described here:

http://blogs.sun.com/wyllys/entry/kerberos_web_authentiation_with_apache

Basically would take the Apache module, rework it to work as an nginx module, make it work as an nginx authentication mechanism.
I think that's it.

I've got a RentACoder request up but I would be looking for anyone interested to email me. It should not be hard for anyone who knows C and Kerberos-y stuff.

http://www.rentacoder.com/RentACoder/misc/BidRequests/ShowBidRequest.asp?lngBidRequestId=1064860

The intention is to pay for the development and release it to the open source community. Not keep it proprietary at all. I would like to be able to use nginx inside my company's intranet, and this would make it so much easier for me.

Please drop me a line if you are interested. We can work off-list, using RentACoder, Paypal or anything else.

Thanks!

- mike

From hello at example.com Thu Dec 25 16:31:14 2008
From: hello at example.com (Darek)
Date: 25 Dec 2008 21:31:14 GMT
Subject: kpasswd not listening
Message-ID:

I am running version 1.6.3 on FreeBSD 7.0-RELEASE, installed from ports.

I start the daemon with /usr/local/sbin/krb5kdc

This starts

root     krb5kdc    38718 99  udp4   127.0.0.1:750         *:*
root     krb5kdc    38718 100 udp4   127.0.0.1:88          *:*

(only showing localhost, but public IPs listening as well)

However, I do not see a passwd daemon running. Tried specifying it in /etc/kdc.conf with "kpasswd_port = 464" in my realm and still no go.

Surprisingly, I've not found much info online. Maybe I'm searching for the wrong thing. Despite this, I tried running kpasswd from the kdc itself and got:

kpasswd: krb5_change_password: unable to reach any changepw server in realm DOMAIN.TLD

Any pointers? Ticket granting and ssh/sudo both work, but I'd want to give users the ability to change their pass and not hassle me.
:P

- Darek

My /etc/krb5.conf:
=================

[libdefaults]
    default_realm = DOMAIN.NET

[realms]
    DOMAIN.NET = {
        kdc = kerberos.domain.net
        admin_server = kerberos.domain.net
    }

[domain_realm]
    .domain.net = DOMAIN.NET

[password_quality]
    min_length = 8
    min_classes = 3

From tlyu at MIT.EDU Sun Dec 28 14:47:45 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Sun, 28 Dec 2008 14:47:45 -0500
Subject: kpasswd not listening
In-Reply-To: (hello@example.com's message of "25 Dec 2008 21:31:14 GMT")
References:
Message-ID:

Darek writes:

> I am running version 1.6.3 on FreeBSD 7.0-RELEASE, installed from ports.
>
> I start the daemon with /usr/local/sbin/krb5kdc
>
> This starts
>
> root     krb5kdc    38718 99  udp4   127.0.0.1:750         *:*
> root     krb5kdc    38718 100 udp4   127.0.0.1:88          *:*
>
> (only showing localhost, but public IPs listening as well)
>
> However, I do not see a passwd daemon running. Tried specifying it in
> /etc/kdc.conf with "kpasswd_port = 464" in my realm and still no go.
>
> Surprisingly, I've not found much info online. Maybe I'm searching for
> the wrong thing. Despite this, I tried running kpasswd from the kdc
> itself and got:
>
> kpasswd: krb5_change_password: unable to reach any changepw server in
> realm DOMAIN.TLD

kpasswd server functionality exists inside the kadmind, which is a separate program. Are you running one?

From rra at stanford.edu Sun Dec 28 14:47:45 2008
From: rra at stanford.edu (Russ Allbery)
Date: Sun, 28 Dec 2008 11:47:45 -0800
Subject: kpasswd not listening
In-Reply-To: (Darek's message of "25 Dec 2008 21\:31\:14 GMT")
References:
Message-ID: <87wsdkm68u.fsf@windlord.stanford.edu>

Darek writes:

> I am running version 1.6.3 on FreeBSD 7.0-RELEASE, installed from ports.
>
> I start the daemon with /usr/local/sbin/krb5kdc
>
> This starts
>
> root     krb5kdc    38718 99  udp4   127.0.0.1:750         *:*
> root     krb5kdc    38718 100 udp4   127.0.0.1:88          *:*
>
> (only showing localhost, but public IPs listening as well)
>
> However, I do not see a passwd daemon running.
> Tried specifying it in
> /etc/kdc.conf with "kpasswd_port = 464" in my realm and still no go.

kpasswd services are provided by kadmind. You need to also start it.

-- 
Russ Allbery (rra at stanford.edu)

From vijivijayakumar at gmail.com Tue Dec 30 12:30:58 2008
From: vijivijayakumar at gmail.com (Viji V Nair)
Date: Tue, 30 Dec 2008 23:00:58 +0530
Subject: Windows client authentication problem
Message-ID: <84c89ac10812300930p4b17ddd0q9e54ed7d022b828b@mail.gmail.com>

Hi,

I am trying to authenticate windows xp clients to an MIT kerberos server. The Server is on a Linux machine and I have both windows and Linux clients on my network. I have followed the below steps, but no success.

Configured the kerberos server and Linux clients are authenticating properly, but no success on windows clients.

On the kerberos Server I have created a host principal using the following command.

# kadmin -q "ank host/bmdata01.testing.com"

(I tried kadmin -q "ank host/bmdata01" also)

On the windows xp client (bmdata01),

C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
C:> ksetup /setmachpassword
C:> ksetup /mapuser admin at TESTING.COM guest
C:> ksetup /mapuser * *

After the reboot windows is showing TESTING.COM as a Kerberos Realm on the login screen, but when I try to login using a kerberos user it is throwing the following error.

*"The system could not log you on. Make sure your user name and domain are correct, and then type your password again.
Letters in passwords must be typed using the correct case."*

But the kerberos server is issuing the tickets, the log shows:

Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for host/bmdata01.testing.com at TESTING.COM

I have found some article on the Microsoft website, saying this is a bug and to apply the latest service pack (SP3). I even tried that, but no success.

http://support.microsoft.com/kb/825081

Similar Thread:

http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html

c:> ksetup.exe
default realm = TESTING.COM (external)
TESTING.COM:
    kdc = viji.testing.com
    Realm Flags = 0x0 none
Mapping all users (*) to guest.
Mapping admin to guest.
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTING.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTING.COM = {
  kdc = viji.testing.com:88
  admin_server = viji.testing.com:749
  default_domain = testing.com
 }

[domain_realm]
 .testing.com = TESTING.COM
 testing.com = TESTING.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

[dbmodules]
 TESTING.COM = {
  db_library = kldap
  ldap_servers = ldap://127.0.0.1/
  ldap_kerberos_container_dn = cn=kerberos,dc=testing,dc=com
  ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
  ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
  ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
 }

Any help on this will be greatly appreciated.

Thanks & Regards
Viji
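The krb5.conf comment-syntax change Ken Raeburn describes in the "Improper format of Kerberos configuration file" thread above, as an added example that is not part of the archive and not MIT krb5 code: it flags comment lines whose "#" is not in column 1 (the form the older 1.4.3 parser rejected per that reply) and produces a copy both old and new parsers accept. The sample config is constructed, modelled on the [dbmodules] block posted in the thread.

```python
"""Find krb5.conf comment lines that pre-1.6 MIT krb5 cannot parse.

Per Ken Raeburn's reply, the older profile parser required a '#'
comment to begin at the start of the line; leading whitespace made
kinit fail with "Improper format of Kerberos configuration file".
"""
import re
from typing import List, Tuple

# Constructed sample (not the poster's full file): the two indented
# '#' lines are exactly the shape that broke the 1.4.3 client.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = IPA.COMCAST.COM

[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kdc_dn = "cn=krbadmin,o=comcast,dc=comcast,dc=com"
     # this object needs to have read rights on
     # the realm container, principal container and realm sub-trees
  ldap_conns_per_server = 5
 }
"""

# A comment is a line whose first non-blank character is '#'.
# A '#' inside a value (e.g. in a quoted DN) is not a comment.
INDENTED_COMMENT = re.compile(r"^[ \t]+#")


def find_indented_comments(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for each comment whose '#'
    is preceded by whitespace, i.e. each line old parsers reject."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if INDENTED_COMMENT.match(line):
            hits.append((lineno, line))
    return hits


def normalize_comments(text: str) -> str:
    """Return the config with every indented comment moved to column 1.
    Indentation of real settings is left untouched, so the fixed file
    still reads the same on 1.6.x."""
    out = []
    for line in text.splitlines(keepends=True):
        if INDENTED_COMMENT.match(line):
            line = line.lstrip(" \t")
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, line in find_indented_comments(SAMPLE_KRB5_CONF):
        print(f"line {lineno}: comment not in column 1: {line.strip()}")
    print(normalize_comments(SAMPLE_KRB5_CONF), end="")
```

Run it against a real krb5.conf by replacing SAMPLE_KRB5_CONF with the file's contents; an empty report means the file has no comment lines that would trip the older parser.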
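The application replay cache false positive discussed by Tom Yu, Nicolas Williams and Jeffrey Altman above, as an added Python model that is not MIT code and does not reproduce MIT's actual rcache format: a cache keyed only on (client, server, ctime, cusec) rejects a second legitimate AP-REQ that reuses the same second and microsecond with a different sub-session key, while a key extended with a hash of the authenticator ciphertext (an abstraction of the collision-avoidance approach linked in the thread) still catches a byte-identical resend. All principals and ciphertext bytes are constructed.

```python
"""Model of the replay cache false positive from the thread.

Two legitimate AP-REQs from the same client can carry the same
ctime/cusec (Nicolas Williams' Windows observation) but different
sub-session keys, hence different authenticator ciphertext. A cache
keyed on timestamp alone cannot tell them apart from a true replay.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class ApReq:
    client: str
    server: str
    ctime: int            # authenticator timestamp, seconds
    cusec: int            # authenticator microseconds
    authenticator: bytes  # encrypted authenticator (constructed bytes)


@dataclass
class ReplayCache:
    # False: classic key (client, server, ctime, cusec).
    # True:  same key plus a hash of the authenticator ciphertext,
    #        an abstraction of the collision-avoidance proposal.
    hash_authenticator: bool
    seen: Set[Tuple] = field(default_factory=set)

    def key(self, req: ApReq) -> Tuple:
        base = (req.client, req.server, req.ctime, req.cusec)
        if not self.hash_authenticator:
            return base
        return base + (hashlib.sha256(req.authenticator).hexdigest(),)

    def store(self, req: ApReq) -> bool:
        """Return True if the request is accepted, False if it is
        judged a replay ("Request is a replay" on the service side)."""
        k = self.key(req)
        if k in self.seen:
            return False
        self.seen.add(k)
        return True


def simulate(hash_authenticator: bool) -> Dict[str, bool]:
    """Feed one AP-REQ, a second legitimate one with the same ctime/cusec
    but a different sub-session key, then a true replay of the first."""
    cache = ReplayCache(hash_authenticator)
    first = ApReq("user@EXAMPLE.COM", "host/srv@EXAMPLE.COM",
                  1230656763, 512, b"\x01" * 16)
    # Same second and microsecond, different subkey -> different ciphertext.
    second = ApReq("user@EXAMPLE.COM", "host/srv@EXAMPLE.COM",
                   1230656763, 512, b"\x02" * 16)
    return {
        "first": cache.store(first),
        "second_legit": cache.store(second),
        "true_replay": cache.store(first),  # byte-identical resend
    }


if __name__ == "__main__":
    print("timestamp-only key:", simulate(False))
    print("key + authenticator hash:", simulate(True))
```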