From raeburn at MIT.EDU Mon Jun 2 00:21:08 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 2 Jun 2008 00:21:08 -0400
Subject: Password Salting Methods
In-Reply-To: <78c6bd860805291922w52ac1b83n955ed6a0b2d93259@mail.gmail.com>
References: <78c6bd860805291922w52ac1b83n955ed6a0b2d93259@mail.gmail.com>
Message-ID: <01D7A9B5-BBF9-42DE-9D8C-2FF1C0B279ED@mit.edu>

On May 29, 2008, at 22:22, Michael B Allen wrote:
> Is there a reference anywhere that outlines the different password
> salting methods used by different KDCs?

There are RFCs 3961, 3962, and 4757, which outline how salt strings are incorporated in the string-to-key conversion function for each cryptosystem. RC4 ignores it, the others actually use it.

How the salt string is determined is separate.

According to RFC 4120, the default salt string is generated by joining the realm and principal components without separators. If another string is to be used, it must be indicated by some sort of preauth data like ETYPE-INFO2.

The MIT KDC has support for some specific variations on salt strings, such as using only the realm, only the principal name without the realm, "v4" (i.e., no salt string at all, or rather an empty string), and "special" (a string stored in the principal record in the database with the key).

Using the principal name as a salt string makes it more difficult for an attacker to precompute a dictionary of keys derived from a dictionary of pass phrases. Instead of generating a single complete dictionary, the attacker must pick a principal name (more to the point, a specific salt string) to use in the dictionary generation. Or, the attacker could multiply the pass phrase dictionary size by a set of principal names (salt strings) to be attacked, which increases the work to be done by that multiplier.

Someday I'd like to see us have a flag in the database to indicate that random salt strings should be generated at every password change. Then even if a user keeps picking passwords that are in the attacker's dictionary, a dictionary built based on one salt string will be useless as soon as the password is changed. It probably would help to make them long, with comparable random bits to the key size itself, rather than a set of short alphanumeric strings as usernames often are. Then the distribution of password-generated keys, over a large set of users and password changes, is spread out over the entire key space. Someday....

Anyways, the enctype specification for the MIT KDC also indicates the salt type to use for each, when creating principal entries or changing passwords.

> AFAICT AD w/ RC4 doesn't actually use a salt. Heimdal seems to just
> use the realm and principal name concatenated together without any
> separators.

Right, that's the RC4 behavior, and the default salt as specified in the protocol.

> What does MIT do?

As above...

> What does Windows 2008 w/ AES use?
> Windows 2000?

I can't tell you for sure offhand, but I would assume it probably either uses the default per RFC 4120, or sends ETYPE-INFO(2) to indicate no salt string is used.

> Do the salt values change depending on the enctype?

The default is protocol-wide. However, the database could store different salt strings for different encryption types.

I'd have to think a bit to figure out if it's valid for the database to have different salts for a single encryption type, with the KDC randomly choosing between them. I don't know if that would break any interesting assumptions that client software might reasonably make.

> I'm interested in knowing to what degree salts can be predicted given
> only the information a client preparing to issue an AS-REQ would have.

Obviously you can guess that it'll use the default... You could also cache the value from the previous time.
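To make the salt handling above concrete, here is an added Python example (not from Ken's post and not MIT krb5 code) that builds the RFC 4120 default salt from a principal, applies the MIT salt-type variants listed above, resolves the salt a client should use when ETYPE-INFO2 overrides it, and runs the PBKDF2 stage of the RFC 3962 AES string-to-key. The final DK() step with AES is left out because it needs an AES implementation; the principal names and dictionary sizes are made up, and the RFC 3962 test vector ("password", salt "ATHENA.MIT.EDUraeburn", one iteration) checks the PBKDF2 stage.

```python
import hashlib
import secrets

# RFC 3962: AES string-to-key = DK(PBKDF2-HMAC-SHA1(pass, salt, count), "kerberos").
# The default iteration count is 4096; only the PBKDF2 stage is computed here.
DEFAULT_ITERATIONS = 4096


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Assumes no backslash-escaped '/' or '@' (a simplification of the
    Kerberos principal syntax, made for this example).
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def default_salt(principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    components, realm = parse_principal(principal)
    return realm + "".join(components)


def mit_salt(principal, salttype="normal", special=None):
    """Salt-type variants the MIT KDC supports, applied to one principal."""
    components, realm = parse_principal(principal)
    if salttype == "normal":        # RFC 4120 default
        return realm + "".join(components)
    if salttype == "norealm":       # principal name only, realm dropped
        return "".join(components)
    if salttype == "onlyrealm":     # realm only
        return realm
    if salttype == "v4":            # no salt string at all (empty string)
        return ""
    if salttype == "special":       # salt string stored with the key in the KDB
        if special is None:
            raise ValueError("special salt type needs the stored salt string")
        return special
    raise ValueError("unknown salt type %r" % salttype)


def client_salt(principal, etype_info2_salt=None):
    """Salt a client uses for its AS exchange: the ETYPE-INFO2 value when the
    KDC sent one (an empty string is a valid override meaning 'no salt'),
    otherwise the protocol default."""
    if etype_info2_salt is not None:
        return etype_info2_salt
    return default_salt(principal)


def pbkdf2_tkey(passphrase, salt, keylen=16, iterations=DEFAULT_ITERATIONS):
    """First stage of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 passphrase and salt string, returning keylen bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def random_salt(keybits=128):
    """A fresh random salt per password change with about as many random
    bits as the key itself, hex-encoded so it remains a salt *string*."""
    return secrets.token_hex(keybits // 8)


def precompute_cost(dictionary_size, salts):
    """PBKDF2 evaluations needed to cover a passphrase dictionary against
    every distinct salt string in `salts` (the multiplier described above)."""
    return dictionary_size * len(set(salts))


if __name__ == "__main__":
    for p in ("raeburn@ATHENA.MIT.EDU", "host/kdc.example.com@EXAMPLE.COM"):
        print(p, "->", repr(default_salt(p)))
    # Same passphrase for two made-up users: different salts, unrelated keys.
    a = pbkdf2_tkey("password", default_salt("alice@EXAMPLE.COM"))
    b = pbkdf2_tkey("password", default_salt("bob@EXAMPLE.COM"))
    print(a.hex(), b.hex(), "differ:", a != b)
    print("dictionary cost for 3 users:",
          precompute_cost(10**6, [default_salt(u + "@EXAMPLE.COM")
                                  for u in ("alice", "bob", "carol")]))
```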
Ken

From ioplex at gmail.com Mon Jun 2 00:47:25 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Mon, 2 Jun 2008 00:47:25 -0400
Subject: Password Salting Methods
In-Reply-To: <01D7A9B5-BBF9-42DE-9D8C-2FF1C0B279ED@mit.edu>
References: <78c6bd860805291922w52ac1b83n955ed6a0b2d93259@mail.gmail.com> <01D7A9B5-BBF9-42DE-9D8C-2FF1C0B279ED@mit.edu>
Message-ID: <78c6bd860806012147w2276f272wd2eabb3f83432549@mail.gmail.com>

On 6/2/08, Ken Raeburn wrote:
> [...]
Excellent information Ken. This will help a lot.

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From chaitra.shankar at globaledgesoft.com Mon Jun 2 11:19:04 2008
From: chaitra.shankar at globaledgesoft.com (Chaitra Shankar)
Date: Mon, 02 Jun 2008 15:19:04 +0000
Subject: PKINIT
Message-ID: <48440F68.7000306@globaledgesoft.com>

Hi all,

We want to use PKINIT for authentication rather than password. So I would like to know if we can use self-signed certificates, instead of CA signed, for authentication purpose. I would be grateful if anybody could provide a sample krb5.conf file and kdc.conf file. We are using the krb5 1.6.3 package.

Regards
Chaitra Shankar

From naveen.bn at globaledgesoft.com Mon Jun 2 11:31:47 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 02 Jun 2008 21:01:47 +0530
Subject: client name mismatch
Message-ID: <48441263.2040904@globaledgesoft.com>

Hi Kevin,

I am getting the error from the KDC as client name mismatch, with the error KDC_ERR_CLIENT_NAME_MISMATCH. The client certificate has CN=naveen and the request name is also naveen.

Thank you.
with regards
naveen

From bwhitehead at ti.com Sun Jun 1 16:35:09 2008
From: bwhitehead at ti.com (Brian Whitehead)
Date: Sun, 01 Jun 2008 20:35:09 GMT
Subject: ssh publickey auth w/ kerb
Message-ID: <1KD0k.2112$BY1.1769@trnddc06>

Using ssh -vvv shows that the public key is working, but no matter what I'm prompted for a password.

Also, is a keytab file from the AD server with the client principal absolutely necessary? We have several Solaris 8 clients that work without a keytab. The Solaris 10 clients authenticate fine and accept the password, but the verbose authentication output always complains about the "Server not found in kerberos database". The admin working on this project doesn't, since he never had to put it on the Solaris 8 hosts.
Again, the password does work and completes the login.

I'm looking for some very direct step-by-step instructions on setting up Solaris 10 as a client against AD. There is a ton of documents out there, but they're very long and not very direct.

Thanks in advance for any help.

Regards,
Brian

From naveen.bn at globaledgesoft.com Mon Jun 2 06:14:56 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 02 Jun 2008 15:44:56 +0530
Subject: help
Message-ID: <4843C820.2070004@globaledgesoft.com>

Hi all,

I am using krb5-1.6.3. I want to use pkinit support. Can we submit a self-signed certificate with DH parameters and get back the reply from the KDC server? If yes, can I get examples of the configuration files to do so?

Thank you.
with regards
naveen

From deengert at anl.gov Mon Jun 2 12:12:43 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 02 Jun 2008 11:12:43 -0500
Subject: ssh publickey auth w/ kerb
In-Reply-To: <1KD0k.2112$BY1.1769@trnddc06>
References: <1KD0k.2112$BY1.1769@trnddc06>
Message-ID: <48441BFB.4070409@anl.gov>

Brian Whitehead wrote:
> Using ssh -vvv shows that the public key is working, but no matter what
> I'm prompted for a password.
>
> Also, is a keytab file from the AD server with the client principal
> absolutely necessary?

With the client? No. Keytabs normally have service principals, used by server applications to accept requests. Users normally don't store long term secrets in keytabs, but use a password to get tickets.

> We have several Solaris 8 clients that work
> without a keytab. The Solaris 10 clients authenticate fine and accept
> the password, but the verbose authentication output always complains
> about the "Server not found in kerberos database".

That sounds like the ssh client sees that the user has Kerberos tickets, and is trying to use GSSAPI which would not require the password to be entered again.
Could also be the user did not give a FQDN on the ssh command line, or the server principal is not in the KDC so the ssh client falls back to using passwords. It could also mean that the client's krb5.conf [domain_realm] section is not configured correctly, or DNS is not configured correctly.

This could also mean that you are missing a verification of the ticket obtained when using the password. See the Solaris 10 man page for krb5.conf and look at the verify_ap_req_nofail option.

> The admin working on
> this project doesn't, since he never had to put it on the Solaris 8
> hosts. Again, the password does work and completes the login.
>
> I'm looking for some very direct step-by-step instructions on setting up
> Solaris 10 as a client against AD. There is a ton of documents out
> there, but they're very long and not very direct.

Not sure what you mean by "client of AD". In Kerberos terms, there are clients (usually people) that have user principals and servers like sshd that use keytabs, and have service principals.

> Thanks in advance for any help.
>
> Regards,
> Brian
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From bwhitehead at ti.com Mon Jun 2 12:40:14 2008
From: bwhitehead at ti.com (Whitehead, Brian)
Date: Mon, 2 Jun 2008 11:40:14 -0500
Subject: ssh publickey auth w/ kerb
In-Reply-To: <48441BFB.4070409@anl.gov>
References: <1KD0k.2112$BY1.1769@trnddc06> <48441BFB.4070409@anl.gov>
Message-ID: <74DB28182CB793438AC65D689C58BBF801597514@dlee10.ent.ti.com>

I'm thinking of the server being ssh'd to as a kerberos client, because it is authenticating the user against the AD server using kerberos.

This morning the other admin believes he has discovered the problem with the ssh keys being ignored.
He looked at the pam_unix_account source code and found that the behavior for locked accounts has changed. He had been using *LK* in the password field of local accounts on the Solaris 8 servers and it worked fine. Apparently with Solaris 10, the behavior changed and changing to use *NP* or anything other than *LK* resolved the problem.

Thanks for responding. If you do know of any step-by-step instructions on setting this up on both the AD and Solaris 10 side, please let me know.

Regards,
Brian

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Monday, June 02, 2008 11:13 AM
> To: Whitehead, Brian
> Cc: kerberos at mit.edu
> Subject: Re: ssh publickey auth w/ kerb
>
> [...]
From tlyu at MIT.EDU Mon Jun 2 14:55:07 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 02 Jun 2008 14:55:07 -0400
Subject: ssh publickey auth w/ kerb
In-Reply-To: <74DB28182CB793438AC65D689C58BBF801597514@dlee10.ent.ti.com> (Brian Whitehead's message of "Mon, 2 Jun 2008 11:40:14 -0500")
References: <1KD0k.2112$BY1.1769@trnddc06> <48441BFB.4070409@anl.gov> <74DB28182CB793438AC65D689C58BBF801597514@dlee10.ent.ti.com>
Message-ID:

"Whitehead, Brian" writes:
> I'm thinking of the server being ssh'd to as a kerberos client, because
> it is authenticating the user against the AD server using kerberos.

Are you considering the ssh server to be a Kerberos client?
While that may be a valid interpretation, please be aware that in the context of a Kerberos-authenticated ssh connection, the usual terminology refers to the ssh server as the application server, and to the ssh client as being both the application client and the Kerberos client. To better distinguish between the Kerberos server and the application server, we usually call the Kerberos server itself the KDC (Key Distribution Center).

From bwhitehead at ti.com Mon Jun 2 15:05:30 2008
From: bwhitehead at ti.com (Whitehead, Brian)
Date: Mon, 2 Jun 2008 14:05:30 -0500
Subject: ssh publickey auth w/ kerb
In-Reply-To:
References: <1KD0k.2112$BY1.1769@trnddc06> <48441BFB.4070409@anl.gov> <74DB28182CB793438AC65D689C58BBF801597514@dlee10.ent.ti.com>
Message-ID: <74DB28182CB793438AC65D689C58BBF8015975F3@dlee10.ent.ti.com>

Thank you for the clarification.

Brian

> -----Original Message-----
> From: Tom Yu [mailto:tlyu at MIT.EDU]
> Sent: Monday, June 02, 2008 1:55 PM
> To: Whitehead, Brian
> Cc: Douglas E. Engert; kerberos at MIT.EDU
> Subject: Re: ssh publickey auth w/ kerb
>
> [...]
From naveen.bn at globaledgesoft.com Tue Jun 3 07:21:19 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Tue, 03 Jun 2008 16:51:19 +0530
Subject: certificate extension
Message-ID: <4845292F.1020307@globaledgesoft.com>

Hi all,

I have a problem in retaining the X509 extension in the end certificate which will be submitted to the KDC. I generate the certificate using the openssl tool; this is what it looks like.

openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr -keyout ca.key

Output is the ca.csr file, which looks like:

openssl req -text -noout -in ca.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=in, O=dfds, OU=fds, CN=f
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
                    47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
                    c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
                    41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
                    ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
                    9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
                    71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
                    a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
                    1f:32:1f:ac:da:eb:79:41:3d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
        af:9e:41:62:06:95:2a:60:b2:cc:0d:cf:a1:99:ce:f1:71:74:
        cc:bd:2f:a1:53:10:53:45:3e:5f:db:93:06:90:7d:b5:74:36:
        2e:66:93:bf:14:59:f0:ec:fd:3c:20:36:a1:35:6a:d1:6c:47:
        d7:81:fd:48:50:6b:01:10:ca:fd:c6:d4:cb:0e:2b:17:f5:3b:
        d3:61:69:1b:94:29:d8:12:91:af:15:4c:b1:27:35:ef:dc:82:
        cd:d2:1d:c8:13:4a:3b:19:ee:4d:b7:fa:c7:1a:c3:7a:d5:73:
        69:1d:ac:a8:1b:2f:b6:fa:08:f0:a2:bf:67:d1:76:00:d5:98:
        78:91

Now I can see the x509 extension, but after the ca.csr is used to generate a ca.pem certificate, I am not able to see the x509 extension. Will this certificate be valid to use with krb5-1.6.3 with pkinit?

openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

openssl x509 -text -noout -in ca.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b5:0f:de:82:c6:24:be:1a
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=in, O=dfds, OU=fds, CN=f
        Validity
            Not Before: Jun  3 11:17:23 2008 GMT
            Not After : Jun  3 11:17:23 2009 GMT
        Subject: C=in, O=dfds, OU=fds, CN=f
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b8:d7:57:3b:de:28:38:9e:0f:cc:04:c6:29:46:
                    47:42:ee:d9:a4:0b:4e:af:9e:e9:e7:9a:dd:2f:96:
                    c6:fc:72:d1:a5:7b:dc:1e:98:f7:2f:7b:b8:23:55:
                    41:de:00:e7:06:95:36:c8:31:ba:a4:99:19:f6:93:
                    ca:0b:a3:51:b0:bd:df:3b:37:5d:d1:b6:a4:2f:74:
                    9c:03:00:db:e5:4a:9e:22:a6:d8:0f:ff:87:a7:4f:
                    71:64:2f:c1:1e:cc:03:c9:ae:83:da:0f:56:62:ef:
                    a8:27:fa:2d:00:26:d6:e4:19:89:af:f3:23:bb:43:
                    1f:32:1f:ac:da:eb:79:41:3d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        2d:5b:be:a5:af:cb:ee:a8:17:34:bf:44:e6:9e:05:df:cd:bb:
        79:3b:9f:8b:72:90:5c:d6:94:e4:6b:6a:58:af:36:ea:fd:a6:
        e2:2b:81:de:2c:c4:f8:00:05:60:4a:0b:c0:17:fe:a3:11:79:
        67:09:4b:ac:d6:92:0c:28:ef:2c:5f:92:ba:d7:08:54:06:4c:
        0f:ca:a0:93:10:66:2d:2c:54:36:d8:eb:bb:58:84:32:52:f4:
        f6:ff:ce:33:c9:72:f4:fc:c0:f5:7c:5e:6b:d3:2d:a7:ed:ff:
        36:90:28:c1:fb:e2:77:b4:82:3a:41:27:f1:83:51:e2:d0:35:
        b0:51

Can someone help out with this?

Thank you
naveen

From mc at suse.de Tue Jun 3 08:32:03 2008
From: mc at suse.de (Michael Calmer)
Date: Tue, 3 Jun 2008 14:32:03 +0200
Subject: certificate extension
In-Reply-To: <4845292F.1020307@globaledgesoft.com>
References: <4845292F.1020307@globaledgesoft.com>
Message-ID: <200806031432.03984.mc@suse.de>

Hi,

On Tuesday, 3 June 2008, naveen.bn wrote:
> Hi all,
> I have a problem in retaining the X509 extension in the end certificate
> which will be submitted to kdc. i generate the certificate using the
> openssl tool this what it looks like .
>
> openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr
> -keyout ca.key
>
> output is the ca.csr file, which looks like
>
> openssl req -text -noout -in ca.csr
> Certificate Request:
> Data:
[...]
> Requested Extensions:
> X509v3 Basic Constraints:
> CA:TRUE
> X509v3 Key Usage:
> Digital Signature, Non Repudiation, Key Encipherment
[...]
> now i can see the x509 extension but after the ca.csr is used to generate a
> ca.pem certificate, i am not able to see the x509 extension, will this
> certificate be valid to use with krb5-1.6.3 with pkinit
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out

Hmm, I use the "openssl ca" command to sign requests. There you also have an option -config, and you need to write the extensions again into the config during the sign process (e.g. in the [ v3_ca ] section).

The idea behind this (as I understand it :-): A user "requests" some extensions, but the CA is the only authority who can "allow" them to go into the final certificate. A UI would show the requested extensions and the CA would be able to accept or reject them (and add more if required).

[...]
> Can some one help out with this .

-- 
MFG
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)

From deengert at anl.gov Tue Jun 3 09:41:04 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 03 Jun 2008 08:41:04 -0500
Subject: certificate extension
In-Reply-To: <4845292F.1020307@globaledgesoft.com>
References: <4845292F.1020307@globaledgesoft.com>
Message-ID: <484549F0.7020700@anl.gov>

naveen.bn wrote:
> Hi all,
> I have a problem in retaining the X509 extension in the end certificate which will be submitted to kdc.
> i generate the certificate using the openssl tool this what it looks like .
>
> openssl req -new -newkey rsa:1024 -nodes -config openssl.cnf -out ca.csr -keyout ca.key
>
> output is the ca.csr file, which looks like
>
> openssl req -text -noout -in ca.csr
[...]
> now i can see the x509 extension but after the ca.csr is used to generate a ca.pem certificate,
> i am not able to see the x509 extension, will this certificate be valid to use with krb5-1.6.3 with
> pkinit
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

You did not include the -config openssl.cnf.

Extensions in a request are only suggestions. They may or may not be copied to the cert. The openssl.cnf can specify what extensions will be in the cert.

See the OpenSSL apps/CA.sh script on how to create a demo CA and use the openssl.cnf to create a CA cert and sign user requests.

> openssl x509 -text -noout -in ca.pem
[...]
>
> Can some one help out with this .
> Thank you
> naveen
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From naveen.bn at globaledgesoft.com Wed Jun 4 09:22:22 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Wed, 04 Jun 2008 18:52:22 +0530
Subject: PA_PK_AS_REP
Message-ID: <4846970E.8070207@globaledgesoft.com>

Hi Kevin,

Thank you, I got the reply from the KDC with certificates in patype 17 (PA_PK_AS_REP), but in the capture it says unknown 17. How can I make the message structure or the contents of the PA-PK-AS-REP visible in the (ethereal) capture? Please guide me to make the message structure of PA-PK-AS-REP and PA-PK-AS-REQ visible in the captures.

Thank you again.
with regards
naveen

From huangz at us.ibm.com Wed Jun 4 13:01:43 2008
From: huangz at us.ibm.com (Zhiguo Huang)
Date: Wed, 4 Jun 2008 10:01:43 -0700
Subject: /etc/idmap.conf for NFS
Message-ID:

Hi Kevin,

Is the following configuration of /etc/idmap.conf for NFS ok if using LDAP as user management?

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

Regards!
Jeff.

From vilas.tadoori.ext at siemens.com Wed Jun 4 09:11:32 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Wed, 4 Jun 2008 09:11:32 -0400
Subject: Kerberos- GSS-API C code issues
Message-ID: <0419C2808E620348A3119DCCE2A7A6950721D1B8@USCIMPLM004.net.plm.eds.com>

Hi,

I have written a GSSAPI server application and the Kerberos is MIT V5. When I run my application on Sun Solaris I get the following message. I have checked whether Kerberos is running or not, and I see that Kerberos is running fine. This code is written in C.

Please find the below message after running the GSS API testserver.
Undefined                       first referenced
 symbol                             in file
gss_display_status                  testserver.o
gss_import_name                     testserver.o
gss_release_oid                     testserver.o
GSS_C_NT_HOSTBASED_SERVICE          testserver.o
__gss_oid_to_mech                   testserver.o
gss_accept_sec_context              testserver.o
gss_unwrap                          testserver.o
gss_delete_sec_context              testserver.o
gss_release_buffer                  testserver.o
gss_oid_to_str                      testserver.o
gss_str_to_oid                      testserver.o
gss_display_name                    testserver.o
gss_get_mic                         testserver.o
gss_acquire_cred                    testserver.o
gss_release_name                    testserver.o
ld: fatal: Symbol referencing errors. No output written to a.out

I would greatly appreciate it if anyone can help me solve this issue.

regards
Vilas

From raeburn at MIT.EDU Wed Jun 4 14:01:19 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 4 Jun 2008 14:01:19 -0400
Subject: Kerberos- GSS-API C code issues
In-Reply-To: <0419C2808E620348A3119DCCE2A7A6950721D1B8@USCIMPLM004.net.plm.eds.com>
References: <0419C2808E620348A3119DCCE2A7A6950721D1B8@USCIMPLM004.net.plm.eds.com>
Message-ID:

On Jun 4, 2008, at 09:11, Tadoori (EXT), Vilas wrote:
> I have written a GSSAPI server application and the Kerberos is MIT
> V5.
> When I run my application on Sun Solaris I get the following
> message.
> I have checked whether Kerberos is running or not, and I see that
> Kerberos is running fine.
> This code is written in C.
>
> Please find the below message after running the GSS API testserver.
>
> Undefined first referenced
> symbol in file
> gss_display_status testserver.o
> gss_import_name testserver.o
> gss_release_oid testserver.o
[...]

This looks to me like you didn't link against the GSSAPI library. Add "-lgssapi_krb5" to the compiler link command, if you didn't already.

Ken

From suvendra_dutta at harvard.edu Wed Jun 4 14:08:08 2008
From: suvendra_dutta at harvard.edu (Suvendra Nath Dutta)
Date: Wed, 04 Jun 2008 14:08:08 -0400
Subject: Kerberos and round robin login nodes
Message-ID:

We have two machines for users to log into; they round robin to the same name.
On one I am able to change the password fine:

[sdutta at login2 ~]$ passwd
Changing password for user sdutta.
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[sdutta at login2 ~]$

On the other machine I get:

[sdutta at hlogin1 ~]$ passwd
Changing password for user sdutta.
Kerberos 5 Password:
Kerberos 5 Password:
New UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
[sdutta at login1 ~]$

The server says (in the first case):

Jun 04 13:59:03 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.15: ISSUE: authtime 1212602343, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 13:59:03 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.15: ISSUE: authtime 1212602343, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 13:59:06 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.15: ISSUE: authtime 1212602346, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 13:59:06 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.15: ISSUE: authtime 1212602346, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 13:59:10 m1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.15: ISSUE: authtime 1212602350, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for krbtgt/LOCAL at LOCAL
Jun 04 13:59:10 m1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.15: ISSUE: authtime 1212602350, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for krbtgt/LOCAL at LOCAL

And in the second case:

Jun 04 14:01:27 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.14: ISSUE: authtime 1212602487, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 14:01:27 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.14: ISSUE: authtime 1212602487, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 14:01:29 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.14: ISSUE: authtime 1212602489, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 14:01:29 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.14: ISSUE: authtime 1212602489, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 14:01:29 sm1.local krb5kdc[1494](info): DISPATCH: repeated (retransmitted?) request from 10.24.4.14, resending previous response
Jun 04 14:01:29 sm1.local krb5kdc[1494](info): DISPATCH: repeated (retransmitted?) request from 10.24.4.14, resending previous response
Jun 04 14:01:32 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.14: ISSUE: authtime 1212602492, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL
Jun 04 14:01:32 sm1.local krb5kdc[1494](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.24.4.14: ISSUE: authtime 1212602492, etypes {rep=16 tkt=16 ses=16}, sdutta at LOCAL for kadmin/changepw at LOCAL

Any ideas what might be going on here? Thanks very much.

From stephenpince at gmail.com Thu Jun 5 03:29:48 2008
From: stephenpince at gmail.com (stephenpince@gmail.com)
Date: Thu, 5 Jun 2008 00:29:48 -0700 (PDT)
Subject: kerberos login
Message-ID: <47ff0255-204f-4e4f-b2a0-dce56589be52@m36g2000hse.googlegroups.com>

Hi. I am a real Kerberos newbie. I am trying to add Kerberos support for a web load testing tool that uses Negotiate (Kerberos). I have the following question.

I would like to get a ticket from the KDC with valid login credentials. It is not the current login credential of the current login session, e.g.

usera/passworda
userb/passwordb

I see that the function call "gss_init_sec_context" has a credential parameter.
How do you create a credential? Is this possible?

Pseudo code:
1) create or get a ticket for any user?
2) init gss context gss_init_sec_context()

Steve
since at opendemand.com

From rra at stanford.edu Thu Jun 5 13:44:08 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 05 Jun 2008 10:44:08 -0700
Subject: kerberos login
In-Reply-To: <47ff0255-204f-4e4f-b2a0-dce56589be52@m36g2000hse.googlegroups.com> (stephenpince@gmail.com's message of "Thu\, 5 Jun 2008 00\:29\:48 -0700 \(PDT\)")
References: <47ff0255-204f-4e4f-b2a0-dce56589be52@m36g2000hse.googlegroups.com>
Message-ID: <87prqv93pz.fsf@windlord.stanford.edu>

stephenpince at gmail.com writes:

> I am trying to add Kerberos support for a web load testing tool that
> uses Negotiate (Kerberos). I have the following question.
>
> I would like to get a ticket from the KDC with valid login credentials. It
> is not the current login credential of the current login session.
> e.g.
> usera/passworda
> userb/passwordb
>
> I see that the function call "gss_init_sec_context" has a credential
> parameter. How do you create a credential? Is this possible?

You can't use GSS-API to get initial credentials. You have to use the Kerberos API itself, probably krb5_get_init_creds_password.

--
Russ Allbery (rra at stanford.edu)

From acirulli at gmail.com Fri Jun 6 04:01:36 2008
From: acirulli at gmail.com (Andrea Cirulli)
Date: Fri, 6 Jun 2008 10:01:36 +0200
Subject: Problem with duplication of hostname
Message-ID: <191a80d00806060101o2b4bf739l6b20acf3162ae508@mail.gmail.com>

Hi all,

I set up Kerberos in a big environment, let's say 1300 servers. We have one master Kerberos and 16 slaves. We have this problem: the environment is commercial so we are a little bit constrained; we are not allowed to use DNS nor any kind of host centralization. We are facing the problem that some servers can have the same hostname. My question is: is there a way to have multiple keys (host principals) when two servers have the same hostname?

For example, let's say we have two servers called host_pippo; on the KDC side we create host/host_pippo at REALM. This principal can be used for both the hosts with hostname host_pippo. Is there any workaround to discriminate servers with the same hostname?

I know that Kerberos without DNS managing thousands of systems can be dangerous but we have no choice :-(, so any valid workaround would be helpful :-D

Thanks in advance.

--
Andrea Cirulli

From nichu at CUT.onet.pl Fri Jun 6 03:06:41 2008
From: nichu at CUT.onet.pl (nichu)
Date: Fri, 06 Jun 2008 09:06:41 +0200
Subject: krb +restart
Message-ID:

Hello

I start Kerberos by

/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind

as in the documentation... I would like to restart it safely (for example, after some changes in the conf file). How should I do it? Is there something like reload to update the configuration? Because for now I kill it and start it again, and I think that's not the best solution :)

regards
nichu

From klausk at linux.vnet.ibm.com Fri Jun 6 16:16:07 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Fri, 06 Jun 2008 17:16:07 -0300
Subject: Principal attributes and policy in LDAP Realm
Message-ID: <1212783367.27162.15.camel@klausk.br.ibm.com>

Hi,

I have some questions regarding how data is organized when using the LDAP KDB plugin for a realm. I hope this is the right place to ask.

I have a realm set up using the LDAP backend. First thing is: when querying a principal using kadmin, why are attributes such as 'Last [successful,failed] authentication' and 'Failed password attempts' never filled up? After failing some authentication attempts I have the following:

...
Last modified: Fri Jun 06 16:24:09 BRT 2008 (klaus/admin at MYREALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
...

Also, where in the LDAP database is the 'last modified' attribute placed?

Thanks,
-K

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From mayer at ntp.isc.org Sun Jun 8 23:31:14 2008
From: mayer at ntp.isc.org (Danny Mayer)
Date: Sun, 08 Jun 2008 23:31:14 -0400
Subject: Problem with duplication of hostname
In-Reply-To: <191a80d00806060101o2b4bf739l6b20acf3162ae508@mail.gmail.com>
References: <191a80d00806060101o2b4bf739l6b20acf3162ae508@mail.gmail.com>
Message-ID: <484CA402.2000206@ntp.isc.org>

Andrea Cirulli wrote:
> Hi all,
>
> I set up Kerberos in a big environment, let's say 1300 servers. We have
> one master Kerberos and 16 slaves. We have this problem: the environment is
> commercial so we are a little bit constrained; we are not allowed to use DNS
> nor any kind of host centralization.

Why not? DNS needs to be part of your basic infrastructure. 1300 servers is unmanageable without it.

> We are facing the problem that
> some servers can have the same hostname. My question is: is there a way to
> have multiple keys (host principals) when two servers have the same hostname?
>

It's most unlikely that this will work, nor do you want this to work.

> For example, let's say we have two servers called host_pippo; on the KDC side
> we create host/host_pippo at REALM. This principal can be used for both the
> hosts with hostname host_pippo. Is there any workaround to discriminate
> servers with the same hostname?
>

How are you going to do that? You should never allow a host with the same name in a domain. You could use the IP addresses I guess but what's the point of that?

> I know that Kerberos without DNS managing thousands of systems can be
> dangerous but we have no choice :-(, so any valid workaround would be
> helpful :-D
>

How about explaining why you cannot use DNS?

Danny

> Thanks in advance.
>

From rsavitha at novell.com Mon Jun 9 04:52:53 2008
From: rsavitha at novell.com (Savitha R)
Date: Mon, 09 Jun 2008 02:52:53 -0600
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1212783367.27162.15.camel@klausk.br.ibm.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com>
Message-ID: <484D3CBD.C217.0053.0@novell.com>

>>> On Sat, Jun 7, 2008 at 1:46 AM, in message <1212783367.27162.15.camel at klausk.br.ibm.com>, Klaus Heinrich Kiwi wrote:
> Hi,
>
> I have some questions regarding how data is organized when using the
> LDAP KDB plugin for a realm. I hope this is the right place to ask.
>
> I have a realm set up using the LDAP backend. First thing is: when
> querying a principal using kadmin, why are attributes such as 'Last
> [successful,failed] authentication' and 'Failed password attempts'
> never filled up? After failing some authentication attempts I have the
> following:
> ...
> Last modified: Fri Jun 06 16:24:09 BRT 2008 (klaus/admin at MYREALM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> ...
>

These attributes are updated only when the KDC is built with the "--with-kdc-kdb-update" option.

> Also, where in the LDAP database is the 'last modified' attribute
> placed?
>

Last modification time is part of tl_data, and the entry's tl_data is stored in the krbExtraData attribute.

-Savitha

From naveen.bn at globaledgesoft.com Mon Jun 9 06:38:23 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 09 Jun 2008 16:08:23 +0530
Subject: BER: error
Message-ID: <484D081F.9010109@globaledgesoft.com>

Hi all,

When encoding AS_REQ for patype PA_PK_AS_REQ, I am getting the following error in the capture:

BER Error: Wrong field in sequence expected class: UNIVERSAL(0) tag: 2 (INTEGER) but found class:APPLICATION(1) tag:4

and the certificate is in PEM format. How can I add the UNIVERSAL tag 2 in the certificate? Please help me out with this problem.

Thank you
with regards
naveen

From raeburn at MIT.EDU Mon Jun 9 08:42:06 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 9 Jun 2008 08:42:06 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <484D3CBD.C217.0053.0@novell.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com>
Message-ID: <72CB359C-ABDC-41D6-98B6-47FA4EAA8208@mit.edu>

On Jun 9, 2008, at 04:52, Savitha R wrote:
>>>> On Sat, Jun 7, 2008 at 1:46 AM, in message
> <1212783367.27162.15.camel at klausk.br.ibm.com>, Klaus Heinrich Kiwi
> wrote:
>> I have a realm set up using the LDAP backend. First thing is: when
>> querying a principal using kadmin, why are attributes such as 'Last
>> [successful,failed] authentication' and 'Failed password attempts'
>> never filled up? After failing some authentication attempts I have
>> the following:
>> [...]
>> Failed password attempts: 0
>> ...
>>
> These attributes are updated only when the KDC is built with the
> "--with-kdc-kdb-update" option.

Which, unfortunately, doesn't seem to work since the DAL merge that made the use of LDAP possible (e.g., RT tickets 5668, 5716 -- the latter has a patch I haven't had a chance to evaluate). This probably should be made a runtime option -- or at least, have the configure-time option set a flag checked by code that's always compiled in.
Ken

From rdccosmo at gmail.com Tue Jun 10 07:35:46 2008
From: rdccosmo at gmail.com (Rodrigo Castro)
Date: Tue, 10 Jun 2008 08:35:46 -0300
Subject: Kerberos Ldap Integration
In-Reply-To: <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com>
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com>
Message-ID:

Hi, I don't know if this is the right place to ask, but I've been striving to prevent local root from doing su ldapuser, although I have failed so far. I've already configured Kerberos to work with LDAP following this page: http://www.bayour.com/LDAPv3-HOWTO.html
Any help is appreciated.

On Thu, May 29, 2008 at 10:37 AM, gaurav bagga wrote:
> Hi Turbo,
>
> Thanks for the link...
> I am able to link LDAP and Kerberos; I can add principals from kadmin and
> they get added in LDAP.
>
> But one problem still remains.
> I want to mix in Kerberos principal attributes to a directory entry of the
> people objectclass which has userPassword. I want this password to be used
> by the KDC.
>
> Is such a thing possible? I went through the schema and found that
> 'krbUPEnabled' helps in achieving this, but how can one set this attribute?
>
> I am fairly new to this Kerberos and LDAP stuff so excuse me if I ask
> something that's silly.
>
> If someone has to automate the process of adding principals, what are the
> possible solutions?
> Using scripts? Is that a good way?
>
> Thanks and Regards,
> Gaurav
>
> On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson wrote:
>
> > >>>>> "gaurav" == gaurav bagga writes:
> >
> >     gaurav> Hi all, I am trying to integrate Kerberos and LDAP but not
> >     gaurav> happy with what I have achieved till now. I'll really
> >     gaurav> appreciate it if anyone can help/guide by giving pointers
> >     gaurav> towards *good articles* which give information regarding
> >     gaurav> the steps to be performed in doing the same.
> >
> > Have a look at http://bayour.com/LDAPv3-HOWTO.html
> >

--
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte at inf.ufes.br
MSN - rdccosmo at gmail.com

From daniel.savard at gmail.com Tue Jun 10 09:28:43 2008
From: daniel.savard at gmail.com (Daniel Savard)
Date: Tue, 10 Jun 2008 09:28:43 -0400
Subject: Kerberos Ldap Integration
In-Reply-To:
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com>
Message-ID: <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>

You cannot prevent root from su'ing to any other local user. This is why root is called a superuser. This has nothing to do with Kerberos or LDAP; this is an OS issue. If the idea is to prevent access by the sysadmin to the ldapuser, you should simply be the sysadmin yourself. If you don't trust your sysadmin I fear you have no other choice than being it.

2008/6/10 Rodrigo Castro :
> Hi, I don't know if this is the right place to ask, but I've been striving
> to prevent local root from doing su ldapuser, although I have failed so far.
> I've already configured Kerberos to work with LDAP following this page
> http://www.bayour.com/LDAPv3-HOWTO.html
> Any help is appreciated.
>
> On Thu, May 29, 2008 at 10:37 AM, gaurav bagga wrote:
>
> > [...]

--
-----------------
Daniel Savard

From rdccosmo at gmail.com Tue Jun 10 10:06:41 2008
From: rdccosmo at gmail.com (Rodrigo Castro)
Date: Tue, 10 Jun 2008 11:06:41 -0300
Subject: Kerberos Ldap Integration
In-Reply-To: <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
Message-ID:

I guess I haven't made myself clear. In my work environment we have many labs. Some of them have root privileges to administrate their own lab. So with their root account they can become any ldapuser. This is undesirable. Is there any Kerberos/LDAP configuration to disable this?

On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard wrote:
> You cannot prevent root from su'ing to any other local user. This is why root is
> called a superuser. This has nothing to do with Kerberos or LDAP; this is an
> OS issue. If the idea is to prevent access by the sysadmin to the ldapuser,
> you should simply be the sysadmin yourself. If you don't trust your sysadmin
> I fear you have no other choice than being it.
>
> 2008/6/10 Rodrigo Castro :
>
> > [...]
>
> --
> -----------------
> Daniel Savard

--
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte at inf.ufes.br
MSN - rdccosmo at gmail.com

From eric at ijack.net Tue Jun 10 10:42:03 2008
From: eric at ijack.net (Eric Hill)
Date: Tue, 10 Jun 2008 09:42:03 -0500
Subject: Kerberos Ldap Integration
In-Reply-To:
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
Message-ID: <001401c8cb08$326a66f0$030a030a@pioneer.world>

A root user on a system can become any user ID on that system. That's just the way Unix security works. What you are trying to prevent is a root user on system A accessing user data on system B without knowing the user's credentials. This is precisely what Kerberos prevents. System B will not accept inbound sessions without a Kerberos ticket, and it is impossible for a root user on system A to gain a TGT for the user without knowing the user's credentials.

Eric

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Rodrigo Castro
> Sent: Tuesday, June 10, 2008 9:07 AM
> To: Daniel Savard
> Cc: kerberos at mit.edu
> Subject: Re: Kerberos Ldap Integration
>
> I guess I haven't made myself clear. In my work environment we have many
> labs. Some of them have root privileges to administrate their own lab. So
> with their root account they can become any ldapuser. This is undesirable.
> Is there any Kerberos/LDAP configuration to disable this?

From dharknes at umd.umich.edu Tue Jun 10 10:53:46 2008
From: dharknes at umd.umich.edu (Derek Harkness)
Date: Tue, 10 Jun 2008 07:53:46 -0700
Subject: Kerberos Ldap Integration
In-Reply-To:
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
Message-ID: <94DB3BF4-A2AA-4200-B2D3-7FC5CF1E87F3@umd.umich.edu>

The general answer is no. The more specific answer is mostly no. Anyone with root can su to any other account on the system; this includes LDAP-provided accounts. But even root can't obtain another user's Kerberos creds without their password, key, or root access to the KDC. So as long as your services require Kerberos then it doesn't matter if root can su to other users (well it does, but it's less damaging).
I would recommend not using NFS for network shares or NFSv4 with krb is you do. I would also require users to reenter their password to change anything in the ldap directory. Since you can't prevent this it really better to just design around it. Derek Harkness University of Michigan-Dearborn Data Security Analyst On Jun 10, 2008, at 7:06, Rodrigo Castro wrote: > I guess I haven't made myself clear. In my work environment we have > many > labs. Some of them have root priveleges to administrate their own > lab. So > with their root account they can become any ldapuser. This is > undesirable. > Is there any kerberos/ldap configuration to disable this? > > On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard > > wrote: > >> You cannot prevent root to su to any other local user. This is why >> root is >> called a superuser. This has nothing to do with Kerberos or LDAP, >> this is >> an >> OS issue. If the idea is to prevent access by the sysadmin to the >> ldapuser, >> you should simply be the sysadmin yourself. If you don't trust your >> sysadmin >> I fear you have no other choice than being it. >> >> 2008/6/10 Rodrigo Castro : >> >>> Hi, I don't know if this is the right place to ask, but I've been >> striving >>> to prevent local root su ldapuser, although failed so far. I've >>> already >>> configured kerberos to work with ldap following this page >>> http://www.bayour.com/LDAPv3-HOWTO.html >>> Any help is appreciated. >>> >>> On Thu, May 29, 2008 at 10:37 AM, gaurav bagga >> >>> wrote: >>> >>>> Hi Turbo, >>>> >>>> Thanks for the link... >>>> I am able to link ldap and kerberos, I can add principals from >>>> kadmin >> and >>>> they get added in ldap. >>>> >>>> But one problem still remains. >>>> I want to mix in Kerberos principal attributes to a directory >>>> entry of >>> the >>>> people objectclass which has usserPassword. I want this password >>>> to be >>> used >>>> by kdc. >>>> >>>> Is such a thing possible? 
I went through the schema and found that >>>> 'krbUPEnabled' helps in achieving this but how can one set this >>> attribute. >>>> >>>> I am fairly new to this kerberos and ldap stuff so excuse me if I >>>> ask >>>> something thats silly. >>>> >>>> If someone has to automate the process of adding principals what >>>> are >> the >>>> possible solutions? >>>> Using scripts? Is that a good way ? >>>> >>>> Thanks and Regards, >>>> Gaurav >>>> >>>> On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson >>> > >>>> wrote: >>>> >>>>>>>>>> "gaurav" == gaurav bagga writes: >>>>> >>>>> gaurav> Hi all, I am trying to integrate Kerberos and Ldap but >>>>> not >>>>> gaurav> happy with what I have achieved till now.I'll really >>>>> gaurav> appreciate if any one can help/guide by giving pointers >>>>> gaurav> towards *good articles *which give information regarding >>>>> gaurav> the steps to be performed in doing the same. >>>>> >>>>> Have a look at http://bayour.com/LDAPv3-HOWTO.html >>>>> >>>> ________________________________________________ >>>> Kerberos mailing list Kerberos at mit.edu >>>> https://mailman.mit.edu/mailman/listinfo/kerberos >>>> >>> >>> >>> >>> -- >>> __________________________________ >>> Rodrigo de Castro Cosme >>> Ci?ncia da Computa??o - Universidade Federal do Esp?rito Santo >>> Suporte mailing list - suporte at inf.ufes.br >>> MSN - rdccosmo at gmail.com >>> ________________________________________________ >>> Kerberos mailing list Kerberos at mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >>> >> >> >> >> -- >> ----------------- >> Daniel Savard >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> > > > > -- > __________________________________ > Rodrigo de Castro Cosme > Ci?ncia da Computa??o - Universidade Federal do Esp?rito Santo > Suporte mailing list - suporte at inf.ufes.br > MSN - rdccosmo at gmail.com > 
________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From paul.moore at centrify.com Tue Jun 10 11:19:19 2008 From: paul.moore at centrify.com (Paul Moore) Date: Tue, 10 Jun 2008 08:19:19 -0700 Subject: Kerberos Ldap Integration Message-ID: Root can steal peoples creds too, joe user's tgt is in a cache file that root can use. So root can be joe on the network Sent from my GoodLink synchronized handheld (www.good.com) -----Original Message----- From: Derek Harkness [mailto:dharknes at umd.umich.edu] Sent: Tuesday, June 10, 2008 07:57 AM Pacific Standard Time To: Rodrigo Castro Cc: Daniel Savard; kerberos at mit.edu Subject: Re: Kerberos Ldap Integration The general answer is no. The more specific answer is mostly no. Anyone with root can su to any other account on the system, this include ldap provided accounts. But even root can't obtain another user's kerberos creds without their password, key, or root access to the KDC. So as long as you services require kerberos then it doesn't matter is root can su to other user (well it does but it less damaging). I would recommend not using NFS for network shares or NFSv4 with krb is you do. I would also require users to reenter their password to change anything in the ldap directory. Since you can't prevent this it really better to just design around it. Derek Harkness University of Michigan-Dearborn Data Security Analyst On Jun 10, 2008, at 7:06, Rodrigo Castro wrote: > I guess I haven't made myself clear. In my work environment we have > many > labs. Some of them have root priveleges to administrate their own > lab. So > with their root account they can become any ldapuser. This is > undesirable. > Is there any kerberos/ldap configuration to disable this? > > On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard > > wrote: > >> You cannot prevent root to su to any other local user. This is why >> root is >> called a superuser. 
This has nothing to do with Kerberos or LDAP, >> this is >> an >> OS issue. If the idea is to prevent access by the sysadmin to the >> ldapuser, >> you should simply be the sysadmin yourself. If you don't trust your >> sysadmin >> I fear you have no other choice than being it. >> >> 2008/6/10 Rodrigo Castro : >> >>> Hi, I don't know if this is the right place to ask, but I've been >> striving >>> to prevent local root su ldapuser, although failed so far. I've >>> already >>> configured kerberos to work with ldap following this page >>> http://www.bayour.com/LDAPv3-HOWTO.html >>> Any help is appreciated. >>> >>> On Thu, May 29, 2008 at 10:37 AM, gaurav bagga >> >>> wrote: >>> >>>> Hi Turbo, >>>> >>>> Thanks for the link... >>>> I am able to link ldap and kerberos, I can add principals from >>>> kadmin >> and >>>> they get added in ldap. >>>> >>>> But one problem still remains. >>>> I want to mix in Kerberos principal attributes to a directory >>>> entry of >>> the >>>> people objectclass which has usserPassword. I want this password >>>> to be >>> used >>>> by kdc. >>>> >>>> Is such a thing possible? I went through the schema and found that >>>> 'krbUPEnabled' helps in achieving this but how can one set this >>> attribute. >>>> >>>> I am fairly new to this kerberos and ldap stuff so excuse me if I >>>> ask >>>> something thats silly. >>>> >>>> If someone has to automate the process of adding principals what >>>> are >> the >>>> possible solutions? >>>> Using scripts? Is that a good way ? 
>>>>
>>>> Thanks and Regards,
>>>> Gaurav
>>>>
>>>> On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson wrote:
>>>>
>>>>>>>>>> "gaurav" == gaurav bagga writes:
>>>>>
>>>>> gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not happy with what I have achieved till now. I'll really appreciate if any one can help/guide by giving pointers towards *good articles* which give information regarding the steps to be performed in doing the same.
>>>>>
>>>>> Have a look at http://bayour.com/LDAPv3-HOWTO.html
>>>>>
>>>
>>> --
>>> __________________________________
>>> Rodrigo de Castro Cosme
>>> Ciência da Computação - Universidade Federal do Espírito Santo
>>> Suporte mailing list - suporte at inf.ufes.br
>>> MSN - rdccosmo at gmail.com
>>
>> --
>> -----------------
>> Daniel Savard
>
> --
> __________________________________
> Rodrigo de Castro Cosme
> Ciência da Computação - Universidade Federal do Espírito Santo
> Suporte mailing list - suporte at inf.ufes.br
> MSN - rdccosmo at gmail.com

From michael at stroeder.com  Mon Jun  9 04:17:06 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 09 Jun 2008
10:17:06 +0200
Subject: SAP SSO: "No Kerberos SSPI credentials available for requested name"
In-Reply-To: <67b1e730-d7ed-44fd-a357-57fd66d587cf@r66g2000hsg.googlegroups.com>
References: <67b1e730-d7ed-44fd-a357-57fd66d587cf@r66g2000hsg.googlegroups.com>
Message-ID: <2h5vh5-o64.ln1@nb2.stroeder.com>

tomglx at googlemail.com wrote:
> SAP Support says that the guys at MIT have successfully implemented such a scenario

One of my customers also successfully installed that. I wasn't involved in that though.

With this particular error message I'd examine two things:
1. DNS A and PTR RRs for all involved systems.
2. Attribute servicePrincipalName for the server account.

Ciao, Michael.

From michael at stroeder.com  Mon Jun  9 13:20:47 2008
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 09 Jun 2008 19:20:47 +0200
Subject: SAP SSO: "No Kerberos SSPI credentials available for requested name"
In-Reply-To: <224b6167-6c9e-4c1a-a109-2ef640b27591@8g2000hse.googlegroups.com>
References: <67b1e730-d7ed-44fd-a357-57fd66d587cf@r66g2000hsg.googlegroups.com> <2h5vh5-o64.ln1@nb2.stroeder.com> <224b6167-6c9e-4c1a-a109-2ef640b27591@8g2000hse.googlegroups.com>
Message-ID:

tomglx at googlemail.com wrote:
> On 9 Jun., 10:17, Michael Ströder wrote:
>> tom... at googlemail.com wrote:
>>> SAP Support says that the guys at MIT have successfully implemented such a scenario
>> One of my customers also successfully installed that. I wasn't involved in that though.
>>
>> With this particular error message I'd examine two things:
>> 1. DNS A and PTR RRs for all involved systems.
>> 2. Attribute servicePrincipalName for the server account.
>
> We have A and PTR for all our systems. But the KDCs are in the DNS domain intra.cvk.de and the SAP servers are in cvk.de.

Check that all RRs are also resolvable from AD.

> What do you mean by Attribute servicePrincipalName?
> We've already had to set a servicePrincipalName per AD SAP ServiceAccount, because we've had to produce a keytab with ktpass for each one of them.

I mean exactly this. Double-check that it's really what it should be.

> Does your customer run his SAP servers on Linux?

Yes, Linux (and AIX).

Ciao, Michael.

From tomglx at googlemail.com  Mon Jun  9 04:03:01 2008
From: tomglx at googlemail.com (tomglx@googlemail.com)
Date: Mon, 9 Jun 2008 01:03:01 -0700 (PDT)
Subject: SAP SSO: "No Kerberos SSPI credentials available for requested name"
Message-ID: <67b1e730-d7ed-44fd-a357-57fd66d587cf@r66g2000hsg.googlegroups.com>

Hello,

we have the following environment:

Windows 2003 SP2 KDC and ktpass.exe from the SP2 Support Tools Package. We've produced a keytab for each SAP instance. The principal names used were like SAPService/@, e.g. SAPServiceS01/cvk100.cvk.de at INTRA.CVK.DE. We've tried other variations, with no difference. The keytab encryption mode was RC4-HMAC-NT, but we've also tried DES encryption. No difference.

SAP Netweaver 7.0 AS on Novell SLES10SP1 Linux. The Linux MIT Kerberos versions used are v1.4.3 and a self-compiled v1.6.3, with no difference seen in the problem. We're using the SAP BC SNC Wrapper Library v1.1 (SAP BC-SNC Adapter).

Here's an excerpt of our krb5.conf:

[libdefaults]
  ticket_lifetime = 24000
  default_realm = INTRA.CVK.DE
  default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
  default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  INTRA.CVK.DE = {
    kdc = cvk020.intra.cvk.de:88
    admin_server = cvk020.intra.cvk.de:749
    default_domain = intra.cvk.de
  }

[domain_realm]
  .intra.cvk.de = INTRA.CVK.DE
  intra.cvk.de = INTRA.CVK.DE

Here's an excerpt from our SAP profile:

snc/enable = 1
snc/identity/as = p:SAPServiceS01/cvk100.cvk.de at INTRA.CVK.DE
snc/gssapi_lib = /usr/local/lib/snckrb5.so

and the rest of the needed snc parameters.
SAP Client is v7.10 on Windows XP SP3 and SP2 machines with the newest GSSKRB5.DLL v1.0.8 from SAP. Also no difference in behaviour between SP2 and SP3. So MS KB885887 couldn't be a factor, because SP3 already includes it.

We've installed the SAP SSO Kerberos solution using Calin Barbat's fine instruction posting on this list. In this posting he mentions that for him Kerberos SSO also doesn't work all the time, with no specifics.

SSO works initially every time, but after a while the aforementioned error message shows. We've found some postings from people that had similar problems, but they haven't found a solution yet. It seems just like the needed ticket expires after a while and isn't renewed.

SAP Support says that the guys at MIT have successfully implemented such a scenario and that we should ask them about that. Hopefully someone from that team reads this posting and has some advice on what is going wrong.

Has anyone got such a scenario in production?

Best regards,
Thomas

From tomglx at googlemail.com  Mon Jun  9 09:40:48 2008
From: tomglx at googlemail.com (tomglx@googlemail.com)
Date: Mon, 9 Jun 2008 06:40:48 -0700 (PDT)
Subject: SAP SSO: "No Kerberos SSPI credentials available for requested name"
References: <67b1e730-d7ed-44fd-a357-57fd66d587cf@r66g2000hsg.googlegroups.com> <2h5vh5-o64.ln1@nb2.stroeder.com>
Message-ID: <224b6167-6c9e-4c1a-a109-2ef640b27591@8g2000hse.googlegroups.com>

On 9 Jun., 10:17, Michael Ströder wrote:
> tom... at googlemail.com wrote:
>> SAP Support says that the guys at MIT have successfully implemented such a scenario
>
> One of my customers also successfully installed that. I wasn't involved in that though.
>
> With this particular error message I'd examine two things:
> 1. DNS A and PTR RRs for all involved systems.
> 2. Attribute servicePrincipalName for the server account.
>
> Ciao, Michael.

We have A and PTR for all our systems. But the KDCs are in the DNS domain intra.cvk.de and the SAP servers are in cvk.de.
The settings dns_lookup_realm = false and dns_lookup_kdc = false should suppress at least some of the DNS requests.

What do you mean by Attribute servicePrincipalName? We've already had to set a servicePrincipalName per AD SAP ServiceAccount, because we've had to produce a keytab with ktpass for each one of them.

Does your customer run his SAP servers on Linux?

Regards,
Thomas

From hanigk at in.tum.de  Tue Jun 10 12:37:52 2008
From: hanigk at in.tum.de (Sebastian Hanigk)
Date: Tue, 10 Jun 2008 18:37:52 +0200
Subject: Kerberos Ldap Integration
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
Message-ID:

"Eric Hill" writes:

> What you are trying to prevent is a root user on system A accessing user data on system B without knowing the users' credentials. This is precisely what Kerberos prevents. System B will not accept inbound sessions without a Kerberos ticket, and it is impossible for a root user on system A to gain a TGT for the user without knowing the users' credentials.

Not true in general. The superuser often has the capability to read the user's credential cache (be it a plain file or something memory based) and could therefore impersonate the respective user, if a valid ticket has already been acquired by the user.

Sebastian

From turbo at bayour.com  Wed Jun 11 05:28:39 2008
From: turbo at bayour.com (Turbo Fredriksson)
Date: Wed, 11 Jun 2008 11:28:39 +0200
Subject: Kerberos Ldap Integration
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
Message-ID: <87zlpsb9rs.fsf@pumba.bayour.com>

>>>>> "Rodrigo" == Rodrigo Castro writes:

Rodrigo> I guess I haven't made myself clear.
Rodrigo> In my work environment we have many labs. Some of them have root privileges to administrate their own lab. So with their root account they can become any ldapuser. This is undesirable. Is there any kerberos/ldap configuration to disable this?

This can't be avoided. If they are root on the machine, they have full access _to that machine_, including any home directories etc. for users only in LDAP.

HOWEVER, there is (at least) one way around this. Use AFS as storage for user home directories etc... Then set appropriate access control for the directories.

You could also use NFS (with the "squash_root" or whatever the option in the exports was - it's been more than eight years since I touched NFS last :).

That way, it doesn't matter if they are root, they won't have access to the directories anyway. In the first case, they must have a valid Kerberos V ticket to get a token for the AFS share.

In the other case (NFS), the root access is 'squashed' and they have 'anonymous' access on the share in question. That requires that the access modes on the directories be smart enough to stop this.

There might be other network file systems which will give you the same solution, but other than that there's no way to stop a local root from having full access on the local machine!

Rodrigo> On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard wrote:

>> You cannot prevent root from su'ing to any other local user. This is why root is called a superuser. This has nothing to do with Kerberos or LDAP, this is an OS issue.

Another, more cumbersome solution would be to stop root access completely, and instead use sudo. Sudo can be set up so that there are 'command groups' (groups of accepted commands) and those groups can be applied to users.

I don't have that config any more, but I used it a couple of years ago. The sudoers(5) man page has extensive examples on how to set this up. And this can be 'ldapified' (i.e.
with an external patch - included with Debian GNU/Linux if I'm not mistaken), the sudoers file can be 'put' in the LDAP database...

It's just a matter of what you mean by 'administrate their own labs'. Being a little clever, you can write sudo rules instead of giving them full root access.

From rdccosmo at gmail.com  Wed Jun 11 09:31:17 2008
From: rdccosmo at gmail.com (Rodrigo Castro)
Date: Wed, 11 Jun 2008 10:31:17 -0300
Subject: Kerberos Ldap Integration
In-Reply-To: <87zlpsb9rs.fsf@pumba.bayour.com>
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com> <87zlpsb9rs.fsf@pumba.bayour.com>
Message-ID:

Thanks a lot Turbo and all. I'll study the best approach to apply here in the Uni.

On Wed, Jun 11, 2008 at 6:28 AM, Turbo Fredriksson wrote:

>>>>>> "Rodrigo" == Rodrigo Castro writes:
>
> Rodrigo> I guess I haven't made myself clear. In my work environment we have many labs. Some of them have root privileges to administrate their own lab. So with their root account they can become any ldapuser. This is undesirable. Is there any kerberos/ldap configuration to disable this?
>
> This can't be avoided. If they are root on the machine, they have full access _to that machine_, including any home directories etc. for users only in LDAP.
>
> HOWEVER, there is (at least) one way around this. Use AFS as storage for user home directories etc... Then set appropriate access control for the directories.
>
> You could also use NFS (with the "squash_root" or whatever the option in the exports was - it's been more than eight years since I touched NFS last :).
>
> That way, it doesn't matter if they are root, they won't have access to the directories anyway.
> In the first case, they must have a valid Kerberos V ticket to get a token for the AFS share.
>
> In the other case (NFS), the root access is 'squashed' and they have 'anonymous' access on the share in question. That requires that the access modes on the directories be smart enough to stop this.
>
> There might be other network file systems which will give you the same solution, but other than that there's no way to stop a local root from having full access on the local machine!
>
> Rodrigo> On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard wrote:
>
> >> You cannot prevent root from su'ing to any other local user. This is why root is called a superuser. This has nothing to do with Kerberos or LDAP, this is an OS issue.
>
> Another, more cumbersome solution would be to stop root access completely, and instead use sudo. Sudo can be set up so that there are 'command groups' (groups of accepted commands) and those groups can be applied to users.
>
> I don't have that config any more, but I used it a couple of years ago. The sudoers(5) man page has extensive examples on how to set this up. And this can be 'ldapified' (i.e. with an external patch - included with Debian GNU/Linux if I'm not mistaken), the sudoers file can be 'put' in the LDAP database...
>
> It's just a matter of what you mean by 'administrate their own labs'. Being a little clever, you can write sudo rules instead of giving them full root access.
>

--
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte at inf.ufes.br
MSN - rdccosmo at gmail.com

From ssorce at redhat.com  Wed Jun 11 10:17:04 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 11 Jun 2008 10:17:04 -0400
Subject: Kerberos Ldap Integration
In-Reply-To: <87zlpsb9rs.fsf@pumba.bayour.com>
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com> <87zlpsb9rs.fsf@pumba.bayour.com>
Message-ID: <1213193824.26517.89.camel@localhost.localdomain>

On Wed, 2008-06-11 at 11:28 +0200, Turbo Fredriksson wrote:
>>>>>> "Rodrigo" == Rodrigo Castro writes:
>
> Rodrigo> I guess I haven't made myself clear. In my work environment we have many labs. Some of them have root privileges to administrate their own lab. So with their root account they can become any ldapuser. This is undesirable. Is there any kerberos/ldap configuration to disable this?
>
> This can't be avoided. If they are root on the machine, they have full access _to that machine_, including any home directories etc. for users only in LDAP.

It depends on the OS. Using SELinux on a Linux kernel, for example, you can certainly constrain root too, and make it impossible for it to access some resources even if it successfully does 'su user', because you can always check who the user really is via SELinux. Granted, such a configuration is not easy to build on your own, but it is feasible, in theory and practice (as long as the malicious admin can't reboot and disable the SELinux controls).

> HOWEVER, there is (at least) one way around this. Use AFS as storage for user home directories etc... Then set appropriate access control for the directories.
>
> You could also use NFS (with the "squash_root" or whatever the option in the exports was - it's been more than eight years since I touched NFS last :).

Root squash is useless in this case.

> That way, it doesn't matter if they are root, they won't have access to the directories anyway. In the first case, they must have a valid Kerberos V ticket to get a token for the AFS share.
>
> In the other case (NFS), the root access is 'squashed' and they have 'anonymous' access on the share in question. That requires that the access modes on the directories be smart enough to stop this.

root can always "su user"; from that point on he will access the user's files on NFS as that user. Remember that NFS (except when sec=krb5 is used) always fully trusts the client machine. Root squash only prevents you from reading/writing files *as* uid 0 on the server.

> There might be other network file systems which will give you the same solution, but other than that there's no way to stop a local root from having full access on the local machine!

CIFS/SMB is another network file system that does not trust the client machine but requires authentication to access resources as a specific user. Yet kernel client drivers do not always enforce that, and in some cases they let users share their own access with all the users of the machine. We are working on fixing it on the Linux side by adding Kerberos support.

Simo.
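As an added illustration of the point made above (this script is not from the thread or from any of its posters), here is a small POSIX sh audit over constructed /etc/exports lines: it flags every export whose security flavour lets the client assert the uid, where root_squash only remaps uid 0 and a local root who has run "su user" is simply that user to the server. Paths and host names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit /etc/exports-style lines for
# shares whose security flavour lets the client assert the uid.
# With sec=sys (the exports(5) default) the server trusts the uid the client
# sends; root_squash only remaps uid 0, so a local root who has done
# "su user" is that user as far as the server is concerned. Only the krb5*
# flavours tie access to a Kerberos principal instead of a client-asserted uid.

# Constructed sample exports lines (paths and hosts are made up).
SAMPLE_EXPORTS='/home      lab1.example.org(rw,root_squash)
/home      lab2.example.org(rw,sec=sys,no_root_squash)
/home      lab3.example.org(rw,sec=krb5p,root_squash)
/scratch   *.example.org(rw,sec=krb5:krb5i,root_squash)
# comment lines and blank lines are ignored

/pub       *(ro,sec=sys)'

# audit_exports: reads exports lines on stdin and prints one verdict per
# host clause: "WEAK <path> <host> sec=<flavours>" when sys or none is
# offered (a client may then pick it), "OK ..." when only krb5 flavours are
# offered, "UNKNOWN ..." for anything else.
audit_exports() {
    set -f                        # no globbing: host clauses contain "*"
    while IFS= read -r line; do
        line=${line%%#*}          # drop comments
        set -- $line              # split on whitespace: path, then host clauses
        [ $# -ge 2 ] || continue
        path=$1; shift
        for clause in "$@"; do
            host=${clause%%\(*}   # text before "("
            case $clause in
                *\(*) opts=${clause#*\(}; opts=${opts%\)} ;;
                *)    opts= ;;    # no option list: all defaults apply
            esac
            sec=sys               # default flavour when no sec= is given
            for o in $(printf '%s' "$opts" | tr ',' ' '); do
                case $o in sec=*) sec=${o#sec=} ;; esac
            done
            case ":$sec:" in
                *:sys:*|*:none:*) verdict=WEAK ;;
                *:krb5*)          verdict=OK ;;
                *)                verdict=UNKNOWN ;;
            esac
            echo "$verdict $path $host sec=$sec"
        done
    done
    set +f
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

A mixed list such as sec=sys:krb5p is reported as WEAK on purpose: the client chooses the flavour, so offering sys at all reopens the uid-trust path.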
--
Simo Sorce * Red Hat, Inc * New York

From scott at scottgrizzard.com  Wed Jun 11 11:43:07 2008
From: scott at scottgrizzard.com (Scott Grizzard)
Date: Wed, 11 Jun 2008 08:43:07 -0700
Subject: Kerberos Ldap Integration
In-Reply-To:
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>
Message-ID: <484FF28B.7010900@scottgrizzard.com>

Yes, local users with su access could obtain a user's TGT, and then use that ticket to access network services in the user's name. However, the impostor could only use the TGT until the tickets expire, so there is a limit to the damage. If you are worried about this in the labs, set the TGTs for the "lower users" to expire after an hour or two.

Consider just giving them sudo access instead of full root access. Then, redirect syslog to a system outside the admins' control. This way, all sudo action is logged. Then, in your orientation, emphasize the fact that, while they can do rogue stuff, it will be logged if they do. Ha ha ha.

You can also set up sudo to use LDAP for sudoers, so the administrative headache is not as large.

- Scott

Sebastian Hanigk wrote:
> "Eric Hill" writes:
>
>> What you are trying to prevent is a root user on system A accessing user data on system B without knowing the users' credentials. This is precisely what Kerberos prevents. System B will not accept inbound sessions without a Kerberos ticket, and it is impossible for a root user on system A to gain a TGT for the user without knowing the users' credentials.
>
> Not true in general. The superuser often has the capability to read the user's credential cache (be it a plain file or something memory based) and could therefore impersonate the respective user, if a valid ticket has already been acquired by the user.
>
> Sebastian

From vilas.tadoori.ext at siemens.com  Wed Jun 11 10:42:32 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Wed, 11 Jun 2008 10:42:32 -0400
Subject: MIT kerberos example--
Message-ID: <0419C2808E620348A3119DCCE2A7A6950732DB02@USCIMPLM004.net.plm.eds.com>

Hi,

I am executing one of the sim_server.c examples on the Heimdal Kerberos on Suse Linux and the code breaks, as the structures that are in krb5.h of MIT do not exist in krb5.h of Heimdal.

simpserv.c: In function `main':
simpserv.c:167: error: structure has no member named `enc_part2'
simpserv.c:176: error: structure has no member named `addrtype'
simpserv.c:176: error: `ADDRTYPE_INET' undeclared (first use in this function)
simpserv.c:176: error: (Each undeclared identifier is reported only once
simpserv.c:176: error: for each function it appears in.)
simpserv.c:177: error: structure has no member named `length'
simpserv.c:178: error: structure has no member named `contents'
simpserv.c:178: error: `krb5_octet' undeclared (first use in this function)
simpserv.c:178: error: parse error before ')' token
simpserv.c:185: error: structure has no member named `addrtype'
simpserv.c:185: error: `ADDRTYPE_IPPORT' undeclared (first use in this function)
simpserv.c:186: error: structure has no member named `length'
simpserv.c:187: error: structure has no member named `contents'
simpserv.c:187: error: parse error before ')' token

Are there any RPMs I can use to install MIT Kerberos on Linux?

I am using Suse Linux version 9.

Any advice.
Regards
Vilas

From edu.sachs at gmail.com  Wed Jun 11 17:00:55 2008
From: edu.sachs at gmail.com (Eduardo Sachs)
Date: Wed, 11 Jun 2008 21:00:55 +0000
Subject: Kerberos Ldap Integration
In-Reply-To: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com>
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com>
Message-ID: <48503D07.7090005@gmail.com>

Hi Gaurav!

Look at this howto about Kerberized OpenLDAP, Samba PDC and Squid:
http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch

But it's only in Portuguese :(

[]'s

gaurav bagga wrote:
> Hi all,
>
> I am trying to integrate Kerberos and Ldap but not happy with what I have achieved till now. I'll really appreciate if any one can help/guide by giving pointers towards *good articles* which give information regarding the steps to be performed in doing the same.
>
> Thanks in advance.
>
> Regards
> Gaurav

--
Eduardo Sachs
(51) 9262-3803

From kulg123 at gmail.com  Thu Jun 12 08:32:19 2008
From: kulg123 at gmail.com (kul gupta)
Date: Thu, 12 Jun 2008 18:02:19 +0530
Subject: Help-GSSAPI and Kerberose
Message-ID: <2203f95e0806120532u2fe67de1i5317c99a642f9a7c@mail.gmail.com>

Hello

I am very new to GSSAPI and Kerberos. There are certain queries. I will be highly thankful if you can help me out in clearing my doubts.
I want to use GSSAPI with Kerberos v5 for my client and server authentication. When I check my system (Red Hat Enterprise Linux 5.0), there is already Kerberos 1.5.17 installed, and Cyrus SASL 2.1.22 is also there.

1) I think that GSSAPI by default uses the Kerberos mechanism, so I need not specify it explicitly. Am I right?

2) What are the pre-requisites for using GSSAPI in my application with the Kerberos mechanism?

3) Please let me know in steps how to proceed for my application which wants to use GSSAPI with Kerberos.

I was going through the Sun Microsystems site where GSSAPI is explained with an example.
http://docs.sun.com/app/docs/doc/816-4863/sampleprogs-1?a=view

Can I go with that example of client and server with the version already installed on my system?

Thanks
Regards
Kul

From naveen.bn at globaledgesoft.com  Thu Jun 12 11:10:08 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Thu, 12 Jun 2008 20:40:08 +0530
Subject: naming problem
Message-ID: <48513C50.3090904@globaledgesoft.com>

Hi Kevin,

I am getting a client name mismatch when I do:

kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key test/rg71
kinit(v5): Client name mismatch while getting initial credentials

The naming which I have followed in the certificates is:

CN = test/rg71
SAN = test/rg71 at globaledgesoft.com

But the same works when I do

kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key test

with CN = test and SAN = test. Should there not be a slash in the client's name? But kinit will send the AS-REQ with the slash in the client name.

Kindly help me in solving this problem.
Thank you
with regards
naveen

From kwc at umich.edu  Thu Jun 12 11:40:44 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Thu, 12 Jun 2008 11:40:44 -0400
Subject: naming problem
In-Reply-To: <48513C50.3090904@globaledgesoft.com>
References: <48513C50.3090904@globaledgesoft.com>
Message-ID: <4d569c330806120840u15b5a000ka2cb7e39da751053@mail.gmail.com>

Normal principals usually don't have an instance. However, there shouldn't be anything that prevents a principal with an instance from working. If your certificates are correctly set up for the two principals, this might be a bug.

K.C.

On Thu, Jun 12, 2008 at 11:10 AM, naveen.bn wrote:
>
> Hi Kevin,
> I am getting a client name mismatch when I do:
>
> kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key test/rg71
> kinit(v5): Client name mismatch while getting initial credentials
>
> The naming which I have followed in the certificates is:
>
> CN = test/rg71
> SAN = test/rg71 at globaledgesoft.com
>
> But the same works when I do
> kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key test
> with CN = test
> SAN = test.
> Should there not be a slash in the client's name? But kinit will send the AS-REQ with the slash in the client name.
>
> Kindly help me in solving this problem.
>
> Thank you
> with regards
> naveen

From kulg123 at gmail.com  Thu Jun 12 05:28:25 2008
From: kulg123 at gmail.com (kul gupta)
Date: Thu, 12 Jun 2008 14:58:25 +0530
Subject: GSSAPI+kerberose5
Message-ID: <2203f95e0806120228y6dde033dhaf41aa763f59d2e0@mail.gmail.com>

Hello

I am very new to GSSAPI and Kerberos. There are certain queries. I will be highly thankful if you can help me out in clearing my doubts.

I want to use GSSAPI with Kerberos v5 for my client and server authentication. When I check my system (Red Hat Enterprise Linux 5.0), there is already Kerberos 1.5.17 installed, and Cyrus SASL 2.1.22 is also there.
1) I think that GSSAPI by default uses the Kerberos mechanism, so I need not specify it explicitly. Am I right?

2) What are the pre-requisites for using GSSAPI in my application with the Kerberos mechanism?

3) Please let me know in steps how to proceed for my application which wants to use GSSAPI with Kerberos.

I was going through the Sun Microsystems site where GSSAPI is explained with an example.
http://docs.sun.com/app/docs/doc/816-4863/sampleprogs-1?a=view

Can I go with that example of client and server with the version already installed on my system?

Thanks
Regards
Kul

From vilas.tadoori.ext at siemens.com  Thu Jun 12 04:38:37 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Thu, 12 Jun 2008 04:38:37 -0400
Subject: MIT Kerberos Distribution for Suse Linux 9
Message-ID: <0419C2808E620348A3119DCCE2A7A6950737FBD2@USCIMPLM004.net.plm.eds.com>

Hi All,

I am looking for the MIT Kerberos distribution for Suse Linux version 9. I could not find it on the release page. If anyone can help me on the same.

Regards
Vilas

_____

From: Tadoori (EXT), Vilas
Sent: Wednesday, June 11, 2008 8:13 PM
To: 'kerberos at mit.edu'
Subject: RE: MIT kerberos example--

Hi,

I am executing one of the sim_server.c examples on the Heimdal Kerberos on Suse Linux and the code breaks, as the structures that are in krb5.h of MIT do not exist in krb5.h of Heimdal.

simpserv.c: In function `main':
simpserv.c:167: error: structure has no member named `enc_part2'
simpserv.c:176: error: structure has no member named `addrtype'
simpserv.c:176: error: `ADDRTYPE_INET' undeclared (first use in this function)
simpserv.c:176: error: (Each undeclared identifier is reported only once
simpserv.c:176: error: for each function it appears in.)
simpserv.c:177: error: structure has no member named `length'
simpserv.c:178: error: structure has no member named `contents'
simpserv.c:178: error: `krb5_octet' undeclared (first use in this function)
simpserv.c:178: error: parse error before ')' token
simpserv.c:185: error: structure has no member named `addrtype'
simpserv.c:185: error: `ADDRTYPE_IPPORT' undeclared (first use in this function)
simpserv.c:186: error: structure has no member named `length'
simpserv.c:187: error: structure has no member named `contents'
simpserv.c:187: error: parse error before ')' token

Are there any RPMs I can use to install MIT Kerberos on Linux?

I am using Suse Linux version 9.

Any advice.

Regards
Vilas

From vilas.tadoori.ext at siemens.com  Thu Jun 12 10:36:57 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Thu, 12 Jun 2008 10:36:57 -0400
Subject: MIT Kerberos Distribution for Suse Linux 9
Message-ID: <0419C2808E620348A3119DCCE2A7A6950737FE55@USCIMPLM004.net.plm.eds.com>

Any advice? I am looking for the MIT distribution of Kerberos for SUSE Linux version 9.

Regards
Vilas

_____

From: Tadoori (EXT), Vilas
Sent: Thursday, June 12, 2008 2:09 PM
To: 'kerberos at mit.edu'
Subject: MIT Kerberos Distribution for Suse Linux 9

Hi All,

I am looking for the MIT Kerberos distribution for Suse Linux version 9. I could not find it on the release page. If anyone can help me on the same.

Regards
Vilas

_____

From: Tadoori (EXT), Vilas
Sent: Wednesday, June 11, 2008 8:13 PM
To: 'kerberos at mit.edu'
Subject: RE: MIT kerberos example--

Hi,

I am executing one of the sim_server.c examples on the Heimdal Kerberos on Suse Linux and the code breaks, as the structures that are in krb5.h of MIT do not exist in krb5.h of Heimdal.
simpserv.c: In function `main':
simpserv.c:167: error: structure has no member named `enc_part2'
simpserv.c:176: error: structure has no member named `addrtype'
simpserv.c:176: error: `ADDRTYPE_INET' undeclared (first use in this function)
simpserv.c:176: error: (Each undeclared identifier is reported only once
simpserv.c:176: error: for each function it appears in.)
simpserv.c:177: error: structure has no member named `length'
simpserv.c:178: error: structure has no member named `contents'
simpserv.c:178: error: `krb5_octet' undeclared (first use in this function)
simpserv.c:178: error: parse error before ')' token
simpserv.c:185: error: structure has no member named `addrtype'
simpserv.c:185: error: `ADDRTYPE_IPPORT' undeclared (first use in this function)
simpserv.c:186: error: structure has no member named `length'
simpserv.c:187: error: structure has no member named `contents'
simpserv.c:187: error: parse error before ')' token

Are there any RPMs I can use to install MIT Kerberos on Linux?

I am using Suse Linux version 9.

Any advice.

Regards
Vilas

From huaraz at moeller.plus.com  Thu Jun 12 18:29:03 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 12 Jun 2008 23:29:03 +0100
Subject: MIT Kerberos Distribution for Suse Linux 9
In-Reply-To: <0419C2808E620348A3119DCCE2A7A6950737FE55@USCIMPLM004.net.plm.eds.com>
References: <0419C2808E620348A3119DCCE2A7A6950737FE55@USCIMPLM004.net.plm.eds.com>
Message-ID:

If you have Suse 9.3 it should contain MIT version 1.4 as part of the distribution.

Markus

"Tadoori (EXT), Vilas" wrote in message news:0419C2808E620348A3119DCCE2A7A6950737FE55 at USCIMPLM004.net.plm.eds.com...
> Any advice? I am looking for the MIT distribution of Kerberos for SUSE Linux version 9.
> > Regards > Vilas > > _____ > > From: Tadoori (EXT), Vilas > Sent: Thursday, June 12, 2008 2:09 PM > To: 'kerberos at mit.edu' > Subject: MIT Kerberos Distribution for Suse Linux 9 > > > Hi All, > > I am looking for the MIT Kerberos Distribution for Suse Linux version 9. > I could not find it in the release page. > If any one can help me on the same > > Regards > Vilas > > _____ > > From: Tadoori (EXT), Vilas > Sent: Wednesday, June 11, 2008 8:13 PM > To: 'kerberos at mit.edu' > Subject: RE: MIT kerberos example-- > > > Hi, > > I am executing one of the sim_server.c example on the hemidal kerberos > on the suse linux and the code breaks as > the structures that are in krb5.h of mit do not exist in krb5.h of > hemidal. > > > simpserv.c: In function `main': > simpserv.c:167: error: structure has no member named `enc_part2' > simpserv.c:176: error: structure has no member named `addrtype' > simpserv.c:176: error: `ADDRTYPE_INET' undeclared (first use in this > function) > simpserv.c:176: error: (Each undeclared identifier is reported only once > simpserv.c:176: error: for each function it appears in.) > simpserv.c:177: error: structure has no member named `length' > simpserv.c:178: error: structure has no member named `contents' > simpserv.c:178: error: `krb5_octet' undeclared (first use in this > function) > simpserv.c:178: error: parse error before ')' token > simpserv.c:185: error: structure has no member named `addrtype' > simpserv.c:185: error: `ADDRTYPE_IPPORT' undeclared (first use in this > function) > simpserv.c:186: error: structure has no member named `length' > simpserv.c:187: error: structure has no member named `contents' > simpserv.c:187: error: parse error before ')' token > > > Are there any RPMs where I use to install the MIT kerberos on linux. > > I am using Suse Linux version 9. > > Any advice. 
>
> Regards
> Vilas
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From matt.smith at uconn.edu Fri Jun 13 10:10:37 2008
From: matt.smith at uconn.edu (Matthew J. Smith)
Date: Fri, 13 Jun 2008 10:10:37 -0400
Subject: Warnings from Password Expiration vs. Expiration
Message-ID: <48527FDD.9090101@uconn.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All-

Just a quick sanity check: using a 1.4.3+ MIT KDC, I notice that the password expiration warnings generated by both kinit on Ubuntu 8.0.4 and my Windows XP login reference the "Expiration" date set by "modprinc -expire ...", and not the "Password Expiration" date set by "modprinc -pwexpire ...". Is this to be expected? Can this be changed KDC-side?

Thanks,
-Matt

--
Matthew J. Smith
University of Connecticut ITS
matt.smith at uconn.edu
PGP KeyID: 0xE9C5244E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIUn/dGP63pOnFJE4RAmoYAJ9Ze483xPIQbQfq2uEwDKRWBERIggCfQIIc
5A3mhBtUqGM5Oh7EjL8wyKk=
=upRv
-----END PGP SIGNATURE-----

From kulg123 at gmail.com Sun Jun 15 11:48:41 2008
From: kulg123 at gmail.com (kul gupta)
Date: Sun, 15 Jun 2008 21:18:41 +0530
Subject: help
Message-ID: <2203f95e0806150848k10973896ie082f11431849df0@mail.gmail.com>

I am very new to Kerberos and GSSAPI. I will highly appreciate guidance on the issues below. I am a bit confused about Cyrus SASL and GSSAPI.

I have an authentication server (AS) which is kerberised. The client gets the TGT using kinit. Now I need to use GSSAPI for authentication.

1) Do I need to have Cyrus SASL also, or will only Kerberos do?

2) When I tried to run the example provided by SUN, I am getting the following errors:
gssapi_ext.h: No such file or directory
gssapi-misc.h: No such file or directory

I also tried to search for these files on my system (Red Hat Enterprise Linux 5.0), but these files are not present.

I will be highly thankful if you can help me out with the same.

Regards
Ruchita

From ioplex at gmail.com Sun Jun 15 14:06:41 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Sun, 15 Jun 2008 14:06:41 -0400
Subject: help
In-Reply-To: <2203f95e0806150848k10973896ie082f11431849df0@mail.gmail.com>
References: <2203f95e0806150848k10973896ie082f11431849df0@mail.gmail.com>
Message-ID: <78c6bd860806151106w694647c9gadee5ac2a40ffdd8@mail.gmail.com>

On 6/15/08, kul gupta wrote:
> I am very new to Kerberos and GSSAPI. I will highly appreciate guidance
> on the issues below. I am a bit confused about Cyrus SASL and GSSAPI.
>
> I have an authentication server (AS) which is kerberised. The client
> gets the TGT using kinit. Now I need to use GSSAPI for authentication.
>
> 1) Do I need to have Cyrus SASL also, or will only Kerberos do?

Hi Ruchita,

SASL and GSSAPI are two of several abstraction layers that are used to authenticate peers in different networking protocols. For example, an LDAP bind can use SASL which in turn can use GSSAPI, whereas some HTTP clients can use GSSAPI directly. Why we need all of these layers I do not know, but if you are using a protocol that uses SASL then yes, you need SASL. If you are adding Kerberos authentication to your own networking protocol, then you do not need SASL and should probably just use GSSAPI directly. You could also skip the GSSAPI layer and use the Kerberos API directly, but in practice there are a number of advantages to using GSSAPI.

> 2) When I tried to run the example provided by SUN, I am getting the
> following errors:
> gssapi_ext.h: No such file or directory
> gssapi-misc.h: No such file or directory
>
> I also tried to search for these files on my system (Red Hat Enterprise
> Linux 5.0), but these files are not present.

RedHat ships with the MIT distribution of Kerberos. Install the kerberos-devel package and adjust the source code of your examples to use those header files. Or download the MIT source package and try the examples shipped with it with your RH-provided system libraries. The latter would probably be easier since those examples are designed to build with the MIT libraries shipped with RH.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From dharknes at umd.umich.edu Mon Jun 16 10:40:46 2008
From: dharknes at umd.umich.edu (Derek Harkness)
Date: Mon, 16 Jun 2008 07:40:46 -0700
Subject: Kerberos Ldap Integration
In-Reply-To: 
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com> <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com> <1ba2520b0806100628j533d6e09gbfebf56e660b8b70@mail.gmail.com>

True, I was going with the case of a lab of single-person workstations in which no other creds would exist on the system, so root wouldn't be able to establish the creds. In the other case, stealing the creds as root is certainly more difficult than accidental usage of root privileges. Again, going with the lab problem posted here.

Derek

On Jun 10, 2008, at 9:37 AM, Sebastian Hanigk wrote:
> "Eric Hill" writes:
>
>> What you are trying to prevent is a root user on system A accessing
>> user data on system B without knowing the users' credentials. This is
>> precisely what Kerberos prevents. System B will not accept inbound
>> sessions without a Kerberos ticket, and it is impossible for a root
>> user on system A to gain a TGT for the user without knowing the users'
>> credentials.
>
> Not true in general. The superuser often has the capability to read the
> user's credential cache (be it a plain file or something memory based)
> and could therefore impersonate the respective user - if a valid ticket
> has already been acquired by the user.
>
> Sebastian
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From vilas.tadoori.ext at siemens.com Mon Jun 16 03:42:34 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Mon, 16 Jun 2008 03:42:34 -0400
Subject: Kerberos Digest, Vol 66, Issue 13
Message-ID: <0419C2808E620348A3119DCCE2A7A695073C1C30@USCIMPLM004.net.plm.eds.com>

Hello kul,

You do not need Cyrus SASL; SASL is a different framework altogether. All you need is a Kerberos server for the same. It would be really wonderful if you can give some more information about your architecture. Also it would be helpful if you can tell us on which platform you are compiling the Sun examples. There are a lot of things that we need to find out first before answering the question.

Regards
V.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of kerberos-request at mit.edu
Sent: Sunday, June 15, 2008 9:41 PM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 66, Issue 13

Send Kerberos mailing list submissions to
    kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
    https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
    kerberos-request at mit.edu

You can reach the person managing the list at
    kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific than "Re: Contents of Kerberos digest..."

Today's Topics:

   1. help (kul gupta)

----------------------------------------------------------------------

Message: 1
Date: Sun, 15 Jun 2008 21:18:41 +0530
From: "kul gupta"
Subject: help
To: kerberos at mit.edu, krbdev at mit.edu
Message-ID: <2203f95e0806150848k10973896ie082f11431849df0 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I am very new to Kerberos and GSSAPI. I will highly appreciate guidance on the issues below. I am a bit confused about Cyrus SASL and GSSAPI.

I have an authentication server (AS) which is kerberised. The client gets the TGT using kinit. Now I need to use GSSAPI for authentication.

1) Do I need to have Cyrus SASL also, or will only Kerberos do?

2) When I tried to run the example provided by SUN, I am getting the following errors:
gssapi_ext.h: No such file or directory
gssapi-misc.h: No such file or directory

I also tried to search for these files on my system (Red Hat Enterprise Linux 5.0), but these files are not present.

I will be highly thankful if you can help me out with the same.

Regards
Ruchita

------------------------------

_______________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

End of Kerberos Digest, Vol 66, Issue 13
****************************************

From vilas.tadoori.ext at siemens.com Mon Jun 16 08:41:45 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Mon, 16 Jun 2008 08:41:45 -0400
Subject: Gssapi - kerberos errors
Message-ID: <0419C2808E620348A3119DCCE2A7A695073FAF63@USCIMPLM004.net.plm.eds.com>

Dear All,

When I am compiling my test GSSAPI code I get the following errors:

hykerbtcsso:~ # ./testgss1.c
-bash: ./testgss1.c: Permission denied
hykerbtcsso:~ # gcc testgss1.c
/tmp/ccOaZHE4.o(.text+0x24): In function `server_acquire_creds':
: undefined reference to `GSS_C_NT_HOSTBASED_SERVICE'
/tmp/ccOaZHE4.o(.text+0x31): In function `server_acquire_creds':
: undefined reference to `gss_import_name'
/tmp/ccOaZHE4.o(.text+0x5f): In function `server_acquire_creds':
: undefined reference to `gss_acquire_cred'
/tmp/ccOaZHE4.o(.text+0x84): In function `server_acquire_creds':
: undefined reference to `gss_release_name'
collect2: ld returned 1 exit status

Any help would be greatly appreciated.
This is my test code:

    /* The four header names were lost in the archive; these are the ones
     * this code needs.  The "undefined reference" errors come from linking
     * without the GSSAPI library, e.g. build with:
     *   gcc testgss1.c $(krb5-config --cflags gssapi) $(krb5-config --libs gssapi)
     */
    #include <stdio.h>
    #include <string.h>
    #include <gssapi/gssapi.h>

    /* Import a host-based service name and acquire acceptor credentials for it. */
    int server_acquire_creds(char *service_name, gss_cred_id_t *server_creds)
    {
        gss_buffer_desc name_buf;
        gss_name_t server_name;
        OM_uint32 maj_stat, min_stat;

        name_buf.value = service_name;
        name_buf.length = strlen(name_buf.value) + 1;
        maj_stat = gss_import_name(&min_stat, &name_buf,
                                   (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &server_name);
        if (maj_stat != GSS_S_COMPLETE) {
            /* display_status("importing name", maj_stat, min_stat); */
            return -1;
        }

        maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
                                    GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
                                    server_creds, NULL, NULL);
        if (maj_stat != GSS_S_COMPLETE) {
            /* display_status("acquiring credentials", maj_stat, min_stat); */
            return -1;
        }

        (void) gss_release_name(&min_stat, &server_name);

        return 0;
    }

    int main(int argc, char **argv)
    {
        char *service_name;
        gss_cred_id_t creds;
        int result;

        /* as written, argv[0] (the program name) is used as the service name */
        service_name = *argv;
        result = server_acquire_creds(service_name, &creds);
        printf("%d\n", result);

        return 0;
    }

From klausk at linux.vnet.ibm.com Mon Jun 16 19:00:46 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Mon, 16 Jun 2008 20:00:46 -0300
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <484D3CBD.C217.0053.0@novell.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com>
Message-ID: <1213657246.17827.15.camel@klausk.br.ibm.com>

On Mon, 2008-06-09 at 02:52 -0600, Savitha R wrote:
> Last modification time is part of tl_data and entry's tl_data is stored
> in krbExtraData attribute.

Is there a better description of what's in the tl_data structure? I saw some #defines in the kdb_ldap.h header file but couldn't correlate them to anything just by looking at their names.
Also, it looks like this tl_data structure has a function outside the kdb abstraction layer domain (i.e. it's used within the KDC itself). Could you give me any insight into how it's being used and where? The description in the Schema file ("holds the application specific data") is a little confusing (application here refers to the Kerberos protocol? MIT KDC implementation? the LDAP KDB plugin itself?)

The IBM LDAP Schema can carry all kinds of data within a realm or principal object, so I'm trying to figure out how to carry those with minimal change to the current LDAP KDB plugin code.

Thanks,
-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From raeburn at MIT.EDU Mon Jun 16 19:25:05 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 16 Jun 2008 19:25:05 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1213657246.17827.15.camel@klausk.br.ibm.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com>
Message-ID: <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu>

On Jun 16, 2008, at 19:00, Klaus Heinrich Kiwi wrote:
> Is there a better description of what's in the tl_data structure? I saw
> some #defines in the kdb_ldap.h header file but couldn't correlate them
> to anything just by looking at their names. Also, it looks like this
> tl_data structure has a function outside the kdb abstraction layer
> domain (i.e. it's used within the KDC itself). Could you give me any
> insight into how it's being used and where? The description in the
> Schema file ("holds the application specific data") is a little
> confusing (application here refers to the Kerberos protocol? MIT KDC
> implementation? the LDAP KDB plugin itself?)

The "application" data in question is indeed the MIT KDC implementation; all this stuff is internal to the MIT implementation.

In src/include/kdb.h you'll find definitions of some macros KRB5_TL_* vaguely describing in their names what they're used for; for the actual definitions of the layouts, you'll have to dig around in the sources. At the moment, it's sort of a catch-all slot for holding anything new we want to stick in there without having to redefine the XDR types we use for database records (since the old DBM-style APIs only give you "key" and "data" slots), stuff like that.

Ken

From klausk at linux.vnet.ibm.com Mon Jun 16 22:58:03 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Mon, 16 Jun 2008 23:58:03 -0300
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu>
Message-ID: <1213671483.17827.35.camel@klausk.br.ibm.com>

On Mon, 2008-06-16 at 19:25 -0400, Ken Raeburn wrote:
> The "application" data in question is indeed the MIT KDC
> implementation; all this stuff is internal to the MIT implementation.
> In src/include/kdb.h you'll find definitions of some macros KRB5_TL_*
> vaguely describing in their names what they're used for; for the
> actual definitions of the layouts, you'll have to dig around in the
> sources. At the moment, it's sort of a catch-all slot for holding
> anything new we want to stick in there without having to redefine the
> XDR types we use for database records (since the old DBM-style APIs
> only give you "key" and "data" slots), stuff like that.

Ken, thank you for your explanation. I'm still a bit confused about how the KDC uses the TL data while at the same time the KDB LDAP plugin also has some specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData' accommodate any kind of attribute we think of, just by making sure the type numbers don't collide? Or is it working some other way?
Also, is tl_data an attribute for principals, realms, or both?

I'm working towards changing the upstream KDB LDAP plugin to support the IBM Schema, and that Schema brings a lot of things as attributes for principals and realms - I'm just trying to make sure to reuse the existing internal data structures whenever possible.

Thanks,
-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From klausk at linux.vnet.ibm.com Mon Jun 16 23:07:10 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Tue, 17 Jun 2008 00:07:10 -0300
Subject: krbUPEnabled LDAP attribute
Message-ID: <1213672030.17827.44.camel@klausk.br.ibm.com>

Is this attribute actually supported in the current KDB LDAP plugin implementation? I.e. the only code I can see that deals with this attribute in the current tree refers to setting the permissions on this attribute in the LDAP Database (ldap_service_rights.c).

And what does it actually mean that "directory User Password has to be used" (krbUPEnabled=TRUE)? The password required to authenticate a user principal would be the same password used to bind with this user DN in the directory? Is that possible with the current KDB Abstraction Layer?

Thanks!
-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From raeburn at MIT.EDU Mon Jun 16 23:38:53 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 16 Jun 2008 23:38:53 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1213671483.17827.35.camel@klausk.br.ibm.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1213671483.17827.35.camel@klausk.br.ibm.com>
Message-ID: <5312EC7E-A3E1-4291-AEA5-6A066157380E@MIT.EDU>

On Jun 16, 2008, at 22:58, Klaus Heinrich Kiwi wrote:
> thank you for your explanation. I'm still a bit confused about how the
> KDC uses the TL data while at the same time the KDB LDAP plugin also
> has some specific uses for it (for example KDB_TL_USERDN). Can
> 'krbExtraData' accommodate any kind of attribute we think of, just by
> making sure the type numbers don't collide? Or is it working some other
> way? Also, is tl_data an attribute for principals, realms, or both?

I think as long as the numbers don't collide, you can store whatever you like, within the limits of the underlying database back end of course. Naturally there's the issue of possible conflicts if multiple database plugins or vendors start picking numbers while MIT's code base also adds numbers.

> I'm working towards changing the upstream KDB LDAP plugin to support
> the IBM Schema, and that Schema brings a lot of things as attributes
> for principals and realms - I'm just trying to make sure to reuse the
> existing internal data structures whenever possible.

I suspect there are several LDAP schemas we could do a better job of supporting and integrating with...

Ken

From naveen.bn at globaledgesoft.com Tue Jun 17 06:17:57 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Tue, 17 Jun 2008 15:47:57 +0530
Subject: ASN.1 error
Message-ID: <48578F55.5060604@globaledgesoft.com>

Hi Kevin,

I am facing a problem with ASN.1. The problem is that I am using a client application which was built with krb5-1.2.2 with added pkinit, and it uses the ASN.1 code of krb5-1.2.2. But now that I am using the krb5-1.6.3 server, when I send AS_REQ I get "preauth failed". The krb5kdc.log file displays:

preauth (pkinit) verify failure: ASN.1 identifier doesn't match expected value.

Could the decoding of AS_REQ be the problem, or is it the values that are being filled in? I have used the same certificates as the krb5-1.6.3 client, with which I was able to authenticate to the server.

Please help me in solving this problem.
Thank you

with regards
naveen

From naveen.bn at globaledgesoft.com Tue Jun 17 06:25:24 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Tue, 17 Jun 2008 15:55:24 +0530
Subject: ASN.1
Message-ID: <48579114.1070703@globaledgesoft.com>

Hi all,

Can anyone provide me the link which gives the expected values of the ASN.1 identifier for PA_PK_AS_REQ used in krb5-1.6.3, because I am getting ASN1_BAD_ID.

Thank you.

with regards
naveen

From klausk at linux.vnet.ibm.com Tue Jun 17 07:57:01 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Tue, 17 Jun 2008 08:57:01 -0300
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <5312EC7E-A3E1-4291-AEA5-6A066157380E@MIT.EDU>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1213671483.17827.35.camel@klausk.br.ibm.com> <5312EC7E-A3E1-4291-AEA5-6A066157380E@MIT.EDU>
Message-ID: <1213703822.17827.61.camel@klausk.br.ibm.com>

On Mon, 2008-06-16 at 23:38 -0400, Ken Raeburn wrote:
> I suspect there are several LDAP schemas we could do a better job of
> supporting and integrating with...

And what, in your opinion, would be the better approach to accomplish this task?

The IBM Schema has a lot of commonality with the Novell Schema (the IBM Schema itself seems to be a mash-up between the Netscape/IBM Tivoli Schema and the Microsoft Schema), but there are fundamental differences as well:

* No Kerberos container concept, although I'm planning on using this configuration parameter to specify the DN of the object immediately above the Realms
* A Password Policy object can be embedded within the Realm or the Principal objects themselves, in addition to being a separate object referenced by an attribute within the Realm or Principal
* A lot of attributes (that I must admit I don't completely understand) like krbTrustedAdmObject, krbDisableTimeInterval, krbMultKeyVersionsOK, krbAdmAclDB, krbEncTypeSupport, krbKeyType, passwordDictFiles etc.
* Principals have a krbSecretKeyCfg attribute that defines how authentication should be done, including a method that relies on the password stored by a 'userPassword' attribute of the entry representing the principal (I wonder if the KDB Abstraction Layer can support such an operation)

What I am doing right now is using the existing KDB LDAP plugin as a base for a new plugin (I wonder if I should worry about namespace collisions later), but of course ideally we should stick with a single code base and have the differences handled by runtime configuration. I'm just not sure if that is feasible or not.

-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From matt.smith at uconn.edu Tue Jun 17 08:38:05 2008
From: matt.smith at uconn.edu (Matthew J. Smith)
Date: Tue, 17 Jun 2008 08:38:05 -0400
Subject: "Expiration" vs "Password Expiration"
Message-ID: <4857B02D.3050709@uconn.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All-

To nudge my post from last week, I'm wondering if someone can just confirm what I'm seeing, or correct my understanding here.

I am using the MIT KDC 1.4.3, as included in Ubuntu LTS. I am using the MIT kinit 1.6, as included in Ubuntu 8.0.4, but I also see the same message from my XP workstation configured to use the KDC.

I modify the "expiration" and "password expiration" for the principal "mas02041" as follows:

    kadmin: modprinc -expire "7 day" -pwexpire "1 day" mas02041
    Principal "mas02041 at UCONN.EDU" modified.
    kadmin: getprinc mas02041
    Principal: mas02041 at UCONN.EDU
    Expiration date: Tue Jun 24 08:26:59 EDT 2008
    ...
    Password expiration date: Wed Jun 18 08:26:59 EDT 2008
    ...

    ~$ kinit mas02041
    Password for mas02041 at UCONN.EDU:
    Warning: Your password will expire in 6 days.

My expectation was that the password expiration message returned by kinit would reflect the "Password Expiration", not the "Expiration", as shown in kadmin. Is this a bug, a feature, an old version issue, or simply my own misunderstanding or misconfiguration?

Thank you all,
-Matt

--
Matthew J. Smith
University of Connecticut ITS
matt.smith at uconn.edu
PGP KeyID: 0xE9C5244E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIV7AsGP63pOnFJE4RAuPYAKCEbbnsQLPU0VBLTaAv5JE/5/4x0ACgtVzB
CJr7UUCKwAk96kKrS3al01s=
=llW+
-----END PGP SIGNATURE-----

From senseiwa at mac.com Tue Jun 17 13:45:53 2008
From: senseiwa at mac.com (Franco Milicchio)
Date: Tue, 17 Jun 2008 19:45:53 +0200
Subject: kinit
Message-ID: <1A1DFA64-71EB-4AE9-AD56-DEB79918ED84@mac.com>

On Jun 16, 2008, at 5:04pm, mohamed.chaari at orange-ftgroup.com wrote:
> Hello,
>
> I want to know if using kinit I will have the service tickets or not.

The right mailing list is in CC; I suggest moving such questions there.

And yes, kinit will give you a ticket, the initial ticket to be precise. Service tickets will be released when you use kerberized services, e.g. LDAP.
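Matt's kadmin session above, and the RT ticket #5755 rule he later cites (the KDC reports the lesser of the principal's pw_expiration and expiration), can be tried out with the following script. It is an added example for this thread, not MIT code: it parses the getprinc output Matt posted, computes the key expiration under both the behaviour he observed and the #5755 rule, and renders the kinit-style warning. The getprinc text, the NOW timestamp and the warning tiers (hours below one day, whole days above) are constructed to model his session, not copied from the MIT sources.

```python
"""Which expiration date reaches kinit?

Added example for the "Expiration" vs "Password Expiration" thread; not
MIT code.  GETPRINC_OUTPUT and NOW are constructed to match Matt's
session; kinit_warning() models kinit's message tiers.
"""
from datetime import datetime

GETPRINC_OUTPUT = """\
Principal: mas02041@UCONN.EDU
Expiration date: Tue Jun 24 08:26:59 EDT 2008
Password expiration date: Wed Jun 18 08:26:59 EDT 2008
"""
NOW = datetime(2008, 6, 17, 8, 27, 30)   # constructed: shortly after the modprinc


def parse_kadmin_date(text):
    """'Tue Jun 24 08:26:59 EDT 2008' -> naive datetime; '[never]' -> None.

    The zone token is dropped because strptime's %Z does not accept
    arbitrary zone names.
    """
    text = text.strip()
    if text == "[never]":
        return None
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_getprinc(output):
    """Pull the two expiration dates out of a getprinc listing."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "expiration": parse_kadmin_date(fields.get("Expiration date", "[never]")),
        "pw_expiration": parse_kadmin_date(fields.get("Password expiration date", "[never]")),
    }


def key_exp_observed(principal):
    """What Matt saw: key_exp taken from the principal's Expiration date."""
    return principal["expiration"]


def key_exp_lesser(principal):
    """RT #5755 rule: the lesser of the two, ignoring an unset ([never]) value."""
    dates = [d for d in (principal["pw_expiration"], principal["expiration"]) if d]
    return min(dates) if dates else None


def kinit_warning(key_exp, now):
    """Model of kinit's warning: hours below one day, whole days above."""
    if key_exp is None:
        return None
    secs = int((key_exp - now).total_seconds())
    if secs < 3600:
        return "Warning: Your password will expire in less than one hour."
    if secs < 86400:
        return "Warning: Your password will expire in %d hours." % (secs // 3600)
    return "Warning: Your password will expire in %d days." % (secs // 86400)


def confusing_warning(principal):
    """True when the lesser-of rule would present an account expiry as a
    password expiry, i.e. the account expires before the password does."""
    exp, pw = principal["expiration"], principal["pw_expiration"]
    return exp is not None and (pw is None or exp < pw)


if __name__ == "__main__":
    p = parse_getprinc(GETPRINC_OUTPUT)
    print("observed :", kinit_warning(key_exp_observed(p), NOW))
    print("RT #5755 :", kinit_warning(key_exp_lesser(p), NOW))
    print("confusing:", confusing_warning(p))
```

Run against Matt's numbers the observed rule reproduces his "6 days" message (the Expiration date, seven days out), while the lesser-of rule picks the password expiration a day out. confusing_warning() is the audit check a KDC admin would want after applying #5755: for principals whose account expiration precedes their password expiration, the "password will expire" text is really an account expiry.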
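naveen's ASN1_BAD_ID error and the "ASN.1 identifier doesn't match expected value" line in krb5kdc.log above both mean the KDC's decoder found a tag other than the one it expected while walking the PA-PK-AS-REQ. The script below is an added example for this thread, not code from MIT krb5, Heimdal or dumpasn1: a minimal DER identifier/length walker that lists a blob the way dumpasn1 does, plus a checker for the PA-PK-AS-REQ layout from RFC 4556 section 3.2. The two sample encodings are constructed by hand (a real signedAuthPack carries a CMS SignedData; here it is three filler bytes).

```python
"""Tag/length walk over a PA-PK-AS-REQ blob (RFC 4556, section 3.2).

Added example; not MIT krb5, Heimdal or dumpasn1 code.  Expected layout:

    PA-PK-AS-REQ ::= SEQUENCE {
        signedAuthPack    [0] IMPLICIT OCTET STRING,
        trustedCertifiers [1] SEQUENCE OF ExternalPrincipalIdentifier OPTIONAL,
        kdcPkId           [2] IMPLICIT OCTET STRING OPTIONAL
    }
"""

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}

# (class, constructed?, tag number) the decoder must see at each position
EXPECTED_TOP = (0, True, 16)                     # UNIVERSAL 16 = SEQUENCE
EXPECTED_FIELDS = {0: False, 1: True, 2: False}  # [0] prim, [1] cons, [2] prim


def read_tlv(data, pos):
    """Decode one DER identifier and length at data[pos].

    Returns (cls, constructed, number, value_start, value_end).
    """
    first = data[pos]
    cls = first >> 6
    constructed = bool(first & 0x20)
    number = first & 0x1F
    pos += 1
    if number == 0x1F:                           # high-tag-number form
        number = 0
        while True:
            b = data[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = data[pos]
    pos += 1
    if length & 0x80:                            # long form: n length bytes follow
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("length %d at offset %d runs past the buffer" % (length, pos))
    return cls, constructed, number, pos, end


def walk(data, pos=0, end=None, depth=0, out=None):
    """dumpasn1-style listing: one line per TLV, nested by indentation."""
    if out is None:
        out = []
    if end is None:
        end = len(data)
    while pos < end:
        cls, cons, num, vstart, vend = read_tlv(data, pos)
        out.append("%s%s %d %s len=%d" % ("  " * depth, CLASS_NAMES[cls], num,
                                          "cons" if cons else "prim", vend - vstart))
        if cons:
            walk(data, vstart, vend, depth + 1, out)
        pos = vend
    return out


def check_pa_pk_as_req(data):
    """Compare identifiers against the RFC 4556 layout; return a list of mismatches.

    An empty list means every tag is where the KDC's decoder expects it; a
    non-empty one is the kind of disagreement that surfaces as ASN1_BAD_ID.
    """
    problems = []
    cls, cons, num, vstart, vend = read_tlv(data, 0)
    if (cls, cons, num) != EXPECTED_TOP:
        return ["top level: expected SEQUENCE, got class %d number %d" % (cls, num)]
    pos, seen = vstart, []
    while pos < vend:
        cls, cons, num, _, e = read_tlv(data, pos)
        if cls != 2 or num not in EXPECTED_FIELDS:
            problems.append("unexpected tag class %d number %d at offset %d" % (cls, num, pos))
        elif cons != EXPECTED_FIELDS[num]:
            problems.append("[%d] has wrong constructed bit at offset %d" % (num, pos))
        elif seen and num <= seen[-1]:
            problems.append("[%d] out of order at offset %d" % (num, pos))
        seen.append(num)
        pos = e
    if 0 not in seen:
        problems.append("signedAuthPack [0] missing")
    return problems


# constructed samples: a well-formed request, and one whose signedAuthPack is
# wrapped in a constructed [0] around an OCTET STRING instead of the IMPLICIT tag
GOOD_REQ = bytes([0x30, 0x05, 0x80, 0x03, 0x01, 0x02, 0x03])
BAD_REQ = bytes([0x30, 0x07, 0xA0, 0x05, 0x04, 0x03, 0x01, 0x02, 0x03])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_REQ), ("bad", BAD_REQ)):
        print(label, "\n".join(walk(blob)), check_pa_pk_as_req(blob), sep="\n")
```

A captured AS-REQ's PA-PK-AS-REQ padata-value can be handed to walk() to see the tag tree and to check_pa_pk_as_req() to get a named mismatch instead of a bare ASN1_BAD_ID; the BAD_REQ sample shows the most common shape of such a mismatch, an explicit (constructed) context tag where the module says IMPLICIT.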
From kwc at umich.edu Tue Jun 17 13:46:22 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Tue, 17 Jun 2008 13:46:22 -0400
Subject: ASN.1
In-Reply-To: <48579114.1070703@globaledgesoft.com>
References: <48579114.1070703@globaledgesoft.com>
Message-ID: <4d569c330806171046u7140754ck7226100a347f3d29@mail.gmail.com>

The syntax of the preauth data with padata-type PA_PK_AS_REQ is defined in section 3.2 of RFC 4556.

You might want to look at Peter Gutmann's dumpasn1 tool:
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c

You should be able to capture the request packet and feed it to this tool. (Details left to the reader.) It might point out ASN.1 problems.

K.C.

On Tue, Jun 17, 2008 at 6:25 AM, naveen.bn wrote:
> Hi all,
>
> Can anyone provide me the link which gives the expected values of the
> ASN.1 identifier for PA_PK_AS_REQ used in krb5-1.6.3, because I am
> getting ASN1_BAD_ID.
>
> Thank you.
>
> with regards
> naveen

From matt.smith at uconn.edu Tue Jun 17 17:14:00 2008
From: matt.smith at uconn.edu (Smith, Matt)
Date: Tue, 17 Jun 2008 17:14:00 -0400
Subject: "Expiration" vs "Password Expiration"
References: <4857B02D.3050709@uconn.edu>
Message-ID: <1975858073FA56489533973CC81B4D5303D55F33@EXCHANGEB.mgmt.ad.uconn.edu>

All-

To reply to my own post, I found a seemingly related ticket in the krbdev RT - Ticket #5755. The patch included there uses the lesser of either client.pw_expiration or client.expiration, which does seem like it could confuse the end user, but otherwise does seem to correctly assign reply_encpart.key_exp.

So, now that the behavior has been confirmed for me, I am curious -- seeing this bug is >6 months old, and no responses to my question here, my guess is that no one really leverages the password expiration notices. Is it best practice to use another notification method? Warning emails to the user, perhaps?

Thanks all,
-Matt

-----Original Message-----
From: kerberos-bounces at mit.edu on behalf of Matthew J. Smith
Sent: Tue 2008-06-17 08:38
To: kerberos at mit.edu
Subject: "Expiration" vs "Password Expiration"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All-

To nudge my post from last week, I'm wondering if someone can just confirm what I'm seeing, or correct my understanding here.

I am using the MIT KDC 1.4.3, as included in Ubuntu LTS. I am using the MIT kinit 1.6, as included in Ubuntu 8.0.4, but I also see the same message from my XP workstation configured to use the KDC.

I modify the "expiration" and "password expiration" for the principal "mas02041" as follows:

    kadmin: modprinc -expire "7 day" -pwexpire "1 day" mas02041
    Principal "mas02041 at UCONN.EDU" modified.
    kadmin: getprinc mas02041
    Principal: mas02041 at UCONN.EDU
    Expiration date: Tue Jun 24 08:26:59 EDT 2008
    ...
    Password expiration date: Wed Jun 18 08:26:59 EDT 2008
    ...

    ~$ kinit mas02041
    Password for mas02041 at UCONN.EDU:
    Warning: Your password will expire in 6 days.

My expectation was that the password expiration message returned by kinit would reflect the "Password Expiration", not the "Expiration", as shown in kadmin. Is this a bug, a feature, an old version issue, or simply my own misunderstanding or misconfiguration?

Thank you all,
-Matt

--
Matthew J. Smith
University of Connecticut ITS
matt.smith at uconn.edu
PGP KeyID: 0xE9C5244E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIV7AsGP63pOnFJE4RAuPYAKCEbbnsQLPU0VBLTaAv5JE/5/4x0ACgtVzB
CJr7UUCKwAk96kKrS3al01s=
=llW+
-----END PGP SIGNATURE-----

________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From kulg123 at gmail.com Wed Jun 18 00:23:56 2008
From: kulg123 at gmail.com (kul gupta)
Date: Wed, 18 Jun 2008 09:53:56 +0530
Subject: help
Message-ID: <2203f95e0806172123m65b60d87k438cad7a97961eb1@mail.gmail.com>

Hello

Thanks a lot for your valuable guidance.

I am using Red Hat Enterprise Linux 5.0 and the Netbeans IDE to build the code, and the compiler is gcc (for the code given in the SUN example).

1) There is an AS server which is kerberized. I did the settings for the kerberized client also.

2) After obtaining the TGT (using the kinit command from the client side), how should I proceed using the example given by SUN?

3) I think the mechanism used in GSSAPI by default is Kerberos V5, so I need not specify it explicitly? Am I right?

Can you please help me out with a brief outline of the steps I need to do for the same? Please let me know how to proceed. I will highly appreciate it if someone can guide me on the same.

Thanks
Ruchita

From rsavitha at novell.com Wed Jun 18 00:34:53 2008
From: rsavitha at novell.com (Savitha R)
Date: Tue, 17 Jun 2008 22:34:53 -0600
Subject: krbUPEnabled LDAP attribute
In-Reply-To: <1213672030.17827.44.camel@klausk.br.ibm.com>
References: <1213672030.17827.44.camel@klausk.br.ibm.com>
Message-ID: <4858DC7A.C217.0053.0@novell.com>

>>> On Tue, Jun 17, 2008 at 8:37 AM, in message <1213672030.17827.44.camel at klausk.br.ibm.com>, Klaus Heinrich Kiwi wrote:
> Is this attribute actually supported in the current KDB LDAP plugin
> implementation? I.e. the only code I can see that deals with this
> attribute in the current tree refers to setting the permissions on this
> attribute in the LDAP Database (ldap_service_rights.c).
>

No, this attribute is not supported in the current LDAP plugin implementation.

> And what does it actually mean that "directory User Password has to be
> used" (krbUPEnabled=TRUE)? The password required to authenticate a user
> principal would be the same password used to bind with this user DN in
> the directory? Is that possible with the current KDB Abstraction Layer?

Yes, this is to enable the user to use the same password for directory authentication and Kerberos authentication. There could be various ways of achieving this.
We have implemented an external mechanism which synchronizes the directory and Kerberos passwords.

-Savitha

From raeburn at MIT.EDU Wed Jun 18 09:04:53 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 18 Jun 2008 09:04:53 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1213703822.17827.61.camel@klausk.br.ibm.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1213671483.17827.35.camel@klausk.br.ibm.com> <5312EC7E-A3E1-4291-AEA5-6A066157380E@MIT.EDU> <1213703822.17827.61.camel@klausk.br.ibm.com>
Message-ID:

On Jun 17, 2008, at 07:57, Klaus Heinrich Kiwi wrote:
> On Mon, 2008-06-16 at 23:38 -0400, Ken Raeburn wrote:
>> I suspect there are several LDAP schemas we could do a better job of
>> supporting and integrating with...
>
> And what, in your opinion, would be the better approach to accomplish
> this task?

I don't think I'm familiar enough with LDAP in general and the various schemas in particular to be well-qualified to answer that right now. If the differences are minor, a single integrated back end with some run-time configuration, as you suggest, would probably be best, but if the differences in some of the schemas are too fundamental, it may not be practical to support all the commonly-used ones out there with a single database back end. Though at least some of the basic routines for handling LDAP server config info and managing communication channels can probably be kept common.

> What I am doing right now is using the existing KDB LDAP plugin as a
> base for a new plugin (I wonder if I should worry about namespace
> collisions later), but of course ideally we should stick with a single
> code base and have the differences handled by runtime configuration.
> I'm
> just not sure if that is feasible or not.

It sounds good to me, but I can't judge the feasibility at the moment either.
Ken

From naveen.bn at globaledgesoft.com Wed Jun 18 03:32:31 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Wed, 18 Jun 2008 13:02:31 +0530
Subject: ASN.1
In-Reply-To: <4d569c330806171046u7140754ck7226100a347f3d29@mail.gmail.com>
References: <48579114.1070703@globaledgesoft.com> <4d569c330806171046u7140754ck7226100a347f3d29@mail.gmail.com>
Message-ID: <4858BA0F.9040805@globaledgesoft.com>

Kevin Coffman wrote:
> The syntax of the preauth data with padata-type PA_PK_AS_REQ is
> defined in section 3.2 of RFC 4556.
>
> You might want to look at Peter Gutmann's dumpasn1 tool
> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
>
> You should be able to capture the request packet and feed it to this
> tool. (Details left to the reader.) It might point out ASN.1
> problems.
>
> K.C.
>
> On Tue, Jun 17, 2008 at 6:25 AM, naveen.bn wrote:
>
>> Hi all,
>>
>> Can any one provide me the link which gives the expected values for the ASN.1 identifier for PA_PK_AS_REQ
>> used in krb5-1.6.3 because I am getting ASN1_BAD_ID.
>>
>> Thank you.
>>
>> with regards
>> naveen
>>
>
>

Hi Kevin,

I am sending the dump generated by dumpasn1.c. Is the problem with the signed data part from the pa-data structure of the as_req?
0 1931: [APPLICATION 10] {
4 1927: SEQUENCE {
8 3: [1] {
10 1: INTEGER 5
: }
13 3: [2] {
15 1: INTEGER 10
: }
18 1709: [3] {
22 1705: SEQUENCE {
26 1701: SEQUENCE {
30 3: [1] {
32 1: INTEGER 14
: }
35 1692: [2] {
39 1688: OCTET STRING, encapsulates {
43 1684: SEQUENCE {
47 1680: [0] {
51 1676: SEQUENCE {
55 9: OBJECT IDENTIFIER
: signedData (1 2 840 113549 1 7 2)
66 1661: [0] {
70 1657: SEQUENCE {
74 1: INTEGER 3
77 9: SET {
79 7: SEQUENCE {
81 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: }
: }
88 510: SEQUENCE {
92 7: OBJECT IDENTIFIER '1 3 6 1 5 2 3 1'
101 497: [0] {
105 493: OCTET STRING, encapsulates {
109 489: SEQUENCE {
113 60: [0] {
115 58: SEQUENCE {
117 3: [0] {
119 1: INTEGER 1
: }
122 17: [1] {
124 15: GeneralizedTime 17/06/2008 12:03:58 GMT
: }
141 3: [2] {
143 1: INTEGER 99
: }
146 27: [3] {
148 25: SEQUENCE {
150 3: [0] {
152 1: INTEGER 7
: }
155 18: [1] {
157 16: OCTET STRING
: 1F A6 D6 33 6B 06 69 1E 2B FB 94 2B 6D 1F 3A BB
: }
: }
: }
: }
: }
175 423: [1] {
179 419: SEQUENCE {
183 279: SEQUENCE {
187 7: OBJECT IDENTIFIER
: dhPublicKey (1 2 840 10046 2 1)
196 266: SEQUENCE {
200 129: INTEGER
: 00 FF FF FF FF FF FF FF FF C9 0F DA A2 21 68 C2
: 34 C4 C6 62 8B 80 DC 1C D1 29 02 4E 08 8A 67 CC
: 74 02 0B BE A6 3B 13 9B 22 51 4A 08 79 8E 34 04
: DD EF 95 19 B3 CD 3A 43 1B 30 2B 0A 6D F2 5F 14
: 37 4F E1 35 6D 6D 51 C2 45 E4 85 B5 76 62 5E 7E
: C6 F4 4C 42 E9 A6 37 ED 6B 0B FF 5C B6 F4 06 B7
: ED EE 38 6B FB 5A 89 9F A5 AE 9F 24 11 7C 4B 1F
: E6 49 28 66 51 EC E6 53 81 FF FF FF FF FF FF FF
: [ Another 1 bytes skipped ]
332 1: INTEGER 2
335 128: INTEGER
: 7F FF FF FF FF FF FF FF E4 87 ED 51 10 B4 61 1A
: 62 63 31 45 C0 6E 0E 68 94 81 27 04 45 33 E6 3A
: 01 05 DF 53 1D 89 CD 91 28 A5 04 3C C7 1A 02 6E
: F7 CA 8C D9 E6 9D 21 8D 98 15 85 36 F9 2F 8A 1B
: A7 F0 9A B6 B6 A8 E1 22 F2 42 DA BB 31 2F 3F 63
: 7A 26 21 74 D3 1B F6 B5 85 FF AE 5B 7A 03 5B F6
: F7 1C 35 FD AD 44 CF D2 D7 4F 92 08 BE 25 8F F3
: 24 94 33 28 F6 73 29 C0 FF FF FF FF FF FF FF FF
: }
: }
466 133: BIT STRING, encapsulates {
470 129: INTEGER
: 00 F9 6A 4F E7 39 17 9B 51 B5 35 48 4D A4 19 52
: FF D1 C7 DC 6F 22 F9 E0 5A D7 22 E9 28 A3 14 0E
: 32 5A C1 78 95 94 9A 14 0C 52 4A DC 4E B7 EE A5
: DA 56 1C 58 A2 A2 55 0D F4 31 6E 59 07 C1 3F 7E
: 7F 14 2A CB 87 3D F0 18 EE CB 97 CD E5 D0 C8 B1
: 20 CD FB 36 AC EA FA CF A6 5A 64 DC 3B 73 3F B0
: 6C 1C 1F C9 E6 7F 1A D8 3E 3A 94 AD 11 87 05 94
: A2 F8 AB F7 FC 9F F8 D6 AA D1 3E A6 2E 9A E1 12
: [ Another 1 bytes skipped ]
: }
: }
: }
: }
: }
: }
: }
602 821: [0] {
606 817: SEQUENCE {
610 666: SEQUENCE {
614 3: [0] {
616 1: INTEGER 2
: }
619 1: INTEGER 32
622 13: SEQUENCE {
624 9: OBJECT IDENTIFIER
: md5withRSAEncryption (1 2 840 113549 1 1 4)
635 0: NULL
: }
637 131: SEQUENCE {
640 13: SET {
642 11: SEQUENCE {
644 3: OBJECT IDENTIFIER
: organizationName (2 5 4 10)
649 4: PrintableString 'gesl'
: }
: }
655 20: SET {
657 18: SEQUENCE {
659 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
664 11: PrintableString 'packetcable'
: }
: }
677 26: SET {
679 24: SEQUENCE {
681 9: OBJECT IDENTIFIER
: emailAddress (1 2 840 113549 1 9 1)
692 11: IA5String 'ca at gesl.com'
: }
: }
705 18: SET {
707 16: SEQUENCE {
709 3: OBJECT IDENTIFIER
: localityName (2 5 4 7)
714 9: PrintableString 'bangalore'
: }
: }
725 18: SET {
727 16: SEQUENCE {
729 3: OBJECT IDENTIFIER
: stateOrProvinceName (2 5 4 8)
734 9: PrintableString 'karnataka'
: }
: }
745 11: SET {
747 9: SEQUENCE {
749 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
754 2: PrintableString 'in'
: }
: }
758 11: SET {
760 9: SEQUENCE {
762 3: OBJECT IDENTIFIER
: commonName (2 5 4 3)
767 2: PrintableString 'ca'
: }
: }
: }
771 30: SEQUENCE {
773 13: UTCTime 13/06/2008 07:12:07 GMT
788 13: UTCTime 13/06/2009 07:12:07 GMT
: }
803 84: SEQUENCE {
805 11: SET {
807 9: SEQUENCE {
809 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
814 2: PrintableString 'in'
: }
: }
818 18: SET {
820 16: SEQUENCE {
822 3: OBJECT IDENTIFIER
: stateOrProvinceName (2 5 4 8)
827 9: PrintableString 'karnataka'
: }
: }
838 13: SET {
840 11: SEQUENCE {
842 3: OBJECT IDENTIFIER
: organizationName (2 5 4 10)
847 4: PrintableString 'gesl'
: }
: }
853 20: SET {
855 18: SEQUENCE {
857 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
862 11: PrintableString 'packetcable'
: }
: }
875 12: SET {
877 10: SEQUENCE {
879 3: OBJECT IDENTIFIER
: commonName (2 5 4 3)
884 3: PrintableString 'xyz'
: }
: }
: }
889 159: SEQUENCE {
892 13: SEQUENCE {
894 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
905 0: NULL
: }
907 141: BIT STRING, encapsulates {
911 137: SEQUENCE {
914 129: INTEGER
: 00 CB E6 AC 3C 1A 8C 48 79 8E E7 34 D9 71 0A C0
: 09 E5 B6 6D 0E D4 D2 9D 7D 2A 0C F8 CA 8E 76 05
: 3E AA E1 49 60 83 4D D5 F5 7F 8B 70 2A 68 42 83
: EC 32 18 2E 94 20 6F 4B 82 6C B6 69 D3 87 C3 E2
: A2 57 F5 B3 86 56 FE 88 DF 52 05 8E 8E 01 10 DC
: 68 E4 8A 87 77 99 F2 E9 B8 A0 F3 A4 54 7B 5F D3
: C6 65 8F 59 45 A0 3A A1 F1 57 20 87 2B 4C E4 85
: 73 6C 6B 6E 60 01 28 7A 8A 8E 26 A3 70 C2 3F 40
: [ Another 1 bytes skipped ]
1046 3: INTEGER 65537
: }
: }
: }
1051 226: [3] {
1054 223: SEQUENCE {
1057 9: SEQUENCE {
1059 3: OBJECT IDENTIFIER
: basicConstraints (2 5 29 19)
1064 2: OCTET STRING, encapsulates {
1066 0: SEQUENCE {}
: }
: }
1068 11: SEQUENCE {
1070 3: OBJECT IDENTIFIER
: keyUsage (2 5 29 15)
1075 4: OCTET STRING, encapsulates {
1077 2: BIT STRING 3 unused bits
: '10101'B
: }
: }
1081 18: SEQUENCE {
1083 3: OBJECT IDENTIFIER
: extKeyUsage (2 5 29 37)
1088 11: OCTET STRING, encapsulates {
1090 9: SEQUENCE {
1092 7: OBJECT IDENTIFIER '1 3 6 1 5 2 3 4'
: }
: }
: }
1101 29: SEQUENCE {
1103 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
1108 22: OCTET STRING, encapsulates {
1110 20: OCTET STRING
: 60 F3 96 0C DA AD 9E 89 08 BA 6B CA A1 2B 06 FB
: 3B 6E 9F F6
: }
: }
1132 31: SEQUENCE {
1134 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
1139 24: OCTET STRING, encapsulates {
1141 22: SEQUENCE {
1143 20: [0]
: 16 DA CC F6 67 46 A7 2E 9A 1D DD 59 71 68 31 D9
: E1 DD 1C 06
: }
: }
: }
1165 102: SEQUENCE {
1167 3: OBJECT IDENTIFIER
: subjectAltName (2 5 29 17)
1172 95: OCTET STRING, encapsulates {
1174 93: SEQUENCE {
1176 91: [0] {
1178 6: OBJECT IDENTIFIER '1 3 6 1 5 2 2'
1186 81: [0] {
1188 79: SEQUENCE {
1190 35: [0] {
1192 33: GeneralString '_kerberos._udp.globaledgesoft.com'
: }
1227 40: [1] {
1229 38: SEQUENCE {
1231 3: [0] {
1233 1: INTEGER 1
: }
1236 31: [1] {
1238 29: SEQUENCE {
1240 27: GeneralString 'mta/rg71.globaledgesoft.com'
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
1269 9: SEQUENCE {
1271 3: OBJECT IDENTIFIER
: issuerAltName (2 5 29 18)
1276 2: OCTET STRING, encapsulates {
1278 0: SEQUENCE {}
: }
: }
: }
: }
: }
1280 13: SEQUENCE {
1282 9: OBJECT IDENTIFIER
: md5withRSAEncryption (1 2 840 113549 1 1 4)
1293 0: NULL
: }
1295 129: BIT STRING
: 36 5D EA E8 07 38 08 EA 49 3D C1 A7 CF EB AF 51
: A9 41 2D EB F3 00 48 5B 94 E9 06 2F 81 FD B7 58
: D9 B5 BF 78 D8 D8 3C B7 AB DF 7A 3B 8D 90 08 C9
: 92 B1 31 79 43 3F FD F8 21 A1 95 A1 87 B5 6D 2F
: 42 F8 BD 27 D4 73 AC 73 99 AC 76 D7 7D 38 64 81
: F2 EB 2B 75 E7 FA 45 76 C9 2C 42 2C 0C 73 3A E3
: 43 BE 32 3E B8 51 B4 ED D4 42 22 06 27 94 6B 33
: E1 8C 41 F0 84 71 BD 51 D0 CE C6 B9 23 D6 BB 4F
: }
: }
1427 300: SET {
1431 296: SEQUENCE {
1435 1: INTEGER 3
1438 137: SEQUENCE {
1441 131: SEQUENCE {
1444 13: SET {
1446 11: SEQUENCE {
1448 3: OBJECT IDENTIFIER
: organizationName (2 5 4 10)
1453 4: PrintableString 'gesl'
: }
: }
1459 20: SET {
1461 18: SEQUENCE {
1463 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
1468 11: PrintableString 'packetcable'
: }
: }
1481 26: SET {
1483 24: SEQUENCE {
1485 9: OBJECT IDENTIFIER
: emailAddress (1 2 840 113549 1 9 1)
1496 11: IA5String 'ca at gesl.com'
: }
: }
1509 18: SET {
1511 16: SEQUENCE {
1513 3: OBJECT IDENTIFIER
: localityName (2 5 4 7)
1518 9: PrintableString 'bangalore'
: }
: }
1529 18: SET {
1531 16: SEQUENCE {
1533 3: OBJECT IDENTIFIER
: stateOrProvinceName (2 5 4 8)
1538 9: PrintableString 'karnataka'
: }
: }
1549 11: SET {
1551 9: SEQUENCE {
1553 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
1558 2: PrintableString 'in'
: }
: }
1562 11: SET {
1564 9: SEQUENCE {
1566 3: OBJECT IDENTIFIER
: commonName (2 5 4 3)
1571 2: PrintableString 'ca'
: }
: }
: }
1575 1: INTEGER 32
: }
1578 7: SEQUENCE {
1580 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: }
1587 11: SEQUENCE {
1589 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5)
: }
1600 128: OCTET STRING
: 39 CC 21 C2 7A 26 B0 8A AA 45 A1 1B 10 67 C1 40
: 1B 07 02 C4 60 F7 2F 3B 1B 11 D6 37 AE EB CF 75
: 0E 3B 99 C7 6B 03 DD A9 AF 28 40 47 45 14 2B 05
: AB 07 B1 A2 F7 F8 DD 96 C3 77 F7 2C 71 29 FD FA
: 26 D8 B8 8C 0B FF C8 AE 04 0C 40 AE 30 32 B0 9F
: 32 E1 E1 C3 3D 0E 38 72 62 50 4B D8 30 42 1A 03
: 84 8C 9B 79 BA D7 D0 14 D6 56 97 C4 FA F2 09 9F
: E6 D8 92 C0 13 F1 94 48 FD 02 85 74 C7 30 C8 DF
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
: }
1731 201: [4] {
1734 198: SEQUENCE {
1737 7: [0] {
1739 5: BIT STRING
: '00000000000000000000000000000000'B
: Error: Spurious zero bits in bitstring.
: }
1746 41: [1] {
1748 39: SEQUENCE {
1750 3: [0] {
1752 1: INTEGER 3
: }
1755 32: [1] {
1757 30: SEQUENCE {
1759 3: GeneralString 'mta'
1764 23: GeneralString 'rg71.globaledgesoft.com'
: }
: }
: }
: }
1789 35: [2] {
1791 33: GeneralString '_kerberos._udp.globaledgesoft.com'
: }
1826 54: [3] {
1828 52: SEQUENCE {
1830 3: [0] {
1832 1: INTEGER 2
: }
1835 45: [1] {
1837 43: SEQUENCE {
1839 6: GeneralString 'krbtgt'
1847 33: GeneralString '_kerberos._udp.globaledgesoft.com'
: }
: }
: }
: }
1882 17: [4] {
1884 15: GeneralizedTime 17/06/2008 12:03:58 GMT
: }
1901 17: [5] {
1903 15: GeneralizedTime 17/06/2008 13:12:13 GMT
: }
1920 6: [7] {
1922 4: INTEGER 1213704238
: }
1928 5: [8] {
1930 3: SEQUENCE {
1932 1: INTEGER 16
: }
: }
: }
: }
: }
: }

When I browsed to get information on this error I found out that it's related to the type of encoding (DER/BER). But here I have used only DER encoding. I don't know why it's giving an error.
Thank you

with regards
naveen

From jaltman at secure-endpoints.com Wed Jun 18 16:33:01 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 18 Jun 2008 16:33:01 -0400
Subject: Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
Message-ID: <485970FD.9010109@secure-endpoints.com>

I apologize for the cross-posting, but I believe that in order for this proposal to receive adequate feedback it must be discussed among both the MIT Kerberos administrator and MIT Kerberos developer communities.

In the current implementation of the MIT KDC there are two principal policy flags that interact in what I believe is an undesirable way when applied to service principals. Copying from the Kerberos v5 System Administrator's Guide:

*{-|+}allow_svr*
    The "-allow_svr" flag prohibits the issuance of service tickets for this principal. "+allow_svr" clears this flag. In effect, "-allow_svr" sets the KRB5_KDB_DISALLOW_SVR flag on the principal in the database.

*{-|+}allow_tix*
    The "-allow_tix" option forbids the issuance of any tickets for this principal. "+allow_tix" clears this flag. The default is "+allow_tix". In effect, "-allow_tix" sets the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.

When a TGS or AS request is received by the KDC, under the current implementation the KDC will examine the client principal to determine whether or not +allow_tix is set. If not, it will reject the request. It also naturally checks the service principal to determine whether or not +allow_svr is set. If not, it will reject the request. However, the KDC will also check the service principal to determine if it is +allow_tix or not. If it is not, then the KDC will also reject the request.

I believe that the meaning of allow_tix should be altered such that it only applies to the client in a TGS or AS request. This would permit -allow_tix to be applied to a service principal and ensure that no client ticket requests can be satisfied for that service principal while at the same time permitting other principals to obtain service tickets. Organizations that wish to disable the issuance of service tickets for the service principal would apply -allow_svr to the principal in addition to -allow_tix.

I believe that making this change would permit a more robust security policy to be applied to service principals without requiring the addition of new flags that would have overlapping and conflicting meanings with the existing flags.

Let the discussion begin.

Jeffrey Altman
Secure Endpoints Inc.

From raeburn at MIT.EDU Wed Jun 18 16:54:04 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 18 Jun 2008 16:54:04 -0400
Subject: Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
In-Reply-To: <485970FD.9010109@secure-endpoints.com>
References: <485970FD.9010109@secure-endpoints.com>
Message-ID:

On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> I believe that the meaning of allow_tix should be altered such that
> it only applies to the client
> in a TGS or AS request. This would permit -allow_tix to be applied
> to a service principal
> and ensure that no client ticket requests can be satisfied for that
> service principal while at
> the same time permitting other principals to obtain service tickets.
> Organizations that wish to disable the issuance of service tickets
> for the service principal
> would apply -allow_svr to the principal in addition to -allow_tix.
I think it should be pointed out that such a change would allow tickets to start being issued where currently they would not when the KDC software gets updated -- even if the latter really was the intent of the realm administrator. Because of that, we might instead want to create a new flag with the semantics Jeff wants, and leave the existing flag with its current (suboptimal) behavior.

Ken

From Nicolas.Williams at sun.com Wed Jun 18 17:13:44 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 18 Jun 2008 16:13:44 -0500
Subject: Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
In-Reply-To:
References: <485970FD.9010109@secure-endpoints.com>
Message-ID: <20080618211343.GI2735@Sun.COM>

On Wed, Jun 18, 2008 at 04:54:04PM -0400, Ken Raeburn wrote:
> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
> > I believe that the meaning of allow_tix should be altered such that
> > it only applies to the client
> > in a TGS or AS request. This would permit -allow_tix to be applied
> > to a service principal
> > and ensure that no client ticket requests can be satisfied for that
> > service principal while at
> > the same time permitting other principals to obtain service tickets.
> > Organizations that wish to disable the issuance of service tickets
> > for the service principal
> > would apply -allow_svr to the principal in addition to -allow_tix.
>
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator. Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.

Or provide a migration script.
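The flag interaction Jeffrey Altman describes, Ken Raeburn's upgrade concern and the migration-script idea, modelled in C as an added example (this is not MIT KDC code, nor anyone's code from the thread). The two attribute bits carry the names used in the thread, with the values from MIT's src/include/kdb.h; kdc_check_flags, kdc_becomes_permissive and kdc_migrate_attrs are hypothetical helpers of mine, and the user and service principals in main are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Principal attribute bits as named in the thread.  Values follow MIT's
 * kdb.h; only the names matter for the logic below. */
#define KRB5_KDB_DISALLOW_ALL_TIX 0x00000040u   /* kadmin: -allow_tix */
#define KRB5_KDB_DISALLOW_SVR     0x00001000u   /* kadmin: -allow_svr */

typedef enum {
    KDC_ALLOW = 0,
    KDC_DENY_CLIENT_NO_TIX,  /* client principal has -allow_tix */
    KDC_DENY_SERVER_NO_SVR,  /* service principal has -allow_svr */
    KDC_DENY_SERVER_NO_TIX   /* service principal has -allow_tix (current semantics only) */
} kdc_verdict;

/* Decide whether an AS or TGS request from client_attrs for server_attrs
 * passes the two flags.  proposed=false models the behaviour Altman
 * describes in today's MIT KDC; proposed=true models his change, where
 * DISALLOW_ALL_TIX is consulted on the client entry only. */
kdc_verdict kdc_check_flags(uint32_t client_attrs, uint32_t server_attrs,
                            bool proposed)
{
    if (client_attrs & KRB5_KDB_DISALLOW_ALL_TIX)
        return KDC_DENY_CLIENT_NO_TIX;
    if (server_attrs & KRB5_KDB_DISALLOW_SVR)
        return KDC_DENY_SERVER_NO_SVR;
    if (!proposed && (server_attrs & KRB5_KDB_DISALLOW_ALL_TIX))
        return KDC_DENY_SERVER_NO_TIX;
    return KDC_ALLOW;
}

/* Raeburn's concern: true when a request the KDC rejects today would be
 * granted after the semantic change with the database left untouched. */
bool kdc_becomes_permissive(uint32_t client_attrs, uint32_t server_attrs)
{
    return kdc_check_flags(client_attrs, server_attrs, false) != KDC_ALLOW
        && kdc_check_flags(client_attrs, server_attrs, true) == KDC_ALLOW;
}

/* One reading of Williams' "migration script": every entry that carries
 * -allow_tix under the old semantics also gets -allow_svr, so "no tickets
 * at all for this principal" keeps that meaning after the upgrade. */
uint32_t kdc_migrate_attrs(uint32_t attrs)
{
    if (attrs & KRB5_KDB_DISALLOW_ALL_TIX)
        attrs |= KRB5_KDB_DISALLOW_SVR;
    return attrs;
}

static const char *verdict_name(kdc_verdict v)
{
    switch (v) {
    case KDC_ALLOW:              return "allow";
    case KDC_DENY_CLIENT_NO_TIX: return "deny (client -allow_tix)";
    case KDC_DENY_SERVER_NO_SVR: return "deny (server -allow_svr)";
    case KDC_DENY_SERVER_NO_TIX: return "deny (server -allow_tix)";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample: a user with default flags, and a service
     * principal an admin has marked -allow_tix but left +allow_svr. */
    const uint32_t user = 0;
    const uint32_t svc  = KRB5_KDB_DISALLOW_ALL_TIX;

    printf("user -> svc, current  : %s\n", verdict_name(kdc_check_flags(user, svc, false)));
    printf("user -> svc, proposed : %s\n", verdict_name(kdc_check_flags(user, svc, true)));
    printf("svc  -> user, proposed: %s\n", verdict_name(kdc_check_flags(svc, user, true)));
    printf("upgrade without migration opens access: %s\n",
           kdc_becomes_permissive(user, svc) ? "yes" : "no");
    printf("user -> migrated svc, proposed: %s\n",
           verdict_name(kdc_check_flags(user, kdc_migrate_attrs(svc), true)));
    return 0;
}
```

Running it shows the three positions at once: under today's semantics the user cannot get a ticket for the service, under the proposal the same database entry lets that request through while still stopping the service principal from acting as a client, and applying the migration step before the upgrade restores the old "no tickets" outcome.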
From klausk at linux.vnet.ibm.com Thu Jun 19 09:16:16 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Thu, 19 Jun 2008 10:16:16 -0300
Subject: Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
In-Reply-To:
References: <485970FD.9010109@secure-endpoints.com>
Message-ID: <1213881376.17827.101.camel@klausk.br.ibm.com>

On Wed, 2008-06-18 at 16:54 -0400, Ken Raeburn wrote:
> I think it should be pointed out that such a change would allow
> tickets to start being issued where currently they would not when the
> KDC software gets updated -- even if the latter really was the intent
> of the realm administrator. Because of that, we might instead want to
> create a new flag with the semantics Jeff wants, and leave the
> existing flag with its current (suboptimal) behavior.

Sorry if this question sounds silly, but how much of both these solutions is implementation specific? Wouldn't such a change require changes to the current RFC?

-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From jaltman at secure-endpoints.com Thu Jun 19 09:34:50 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 19 Jun 2008 09:34:50 -0400
Subject: Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
In-Reply-To: <1213881376.17827.101.camel@klausk.br.ibm.com>
References: <485970FD.9010109@secure-endpoints.com> <1213881376.17827.101.camel@klausk.br.ibm.com>
Message-ID: <485A607A.2030102@secure-endpoints.com>

Klaus Heinrich Kiwi wrote:
> On Wed, 2008-06-18 at 16:54 -0400, Ken Raeburn wrote:
>> I think it should be pointed out that such a change would allow
>> tickets to start being issued where currently they would not when the
>> KDC software gets updated -- even if the latter really was the intent
>> of the realm administrator. Because of that, we might instead want to
>> create a new flag with the semantics Jeff wants, and leave the
>> existing flag with its current (suboptimal) behavior.
>
> Sorry if this question sounds silly, but how much of both these
> solutions are implementation specific? Wouldn't such a change require
> changes to the current RFC?

It's not a silly question. The allow_tix flag is 100% implementation specific. There is no standardized KDC database format, nor is there a standardized kadmin interface.

Jeffrey Altman

From paul.moore at centrify.com Fri Jun 20 12:45:05 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Fri, 20 Jun 2008 09:45:05 -0700
Subject: kinit
In-Reply-To: <1A1DFA64-71EB-4AE9-AD56-DEB79918ED84@mac.com>
References: <1A1DFA64-71EB-4AE9-AD56-DEB79918ED84@mac.com>
Message-ID:

Or do kinit -S

-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Franco Milicchio
Sent: Tuesday, June 17, 2008 10:46 AM
To: mohamed.chaari at orange-ftgroup.com; krbdev at mit.edu
Cc: kerberos at mit.edu
Subject: Re: kinit

On Jun 16, 2008, at 5:04pm, mohamed.chaari at orange-ftgroup.com wrote:
> Hello,
>
> I want to know if using kinit I will have the services ticket or not.

The right mailing list is in CC; I suggest moving such questions there.

And yes, kinit will give you a ticket, the initial ticket to be precise. Service tickets will be released if you use kerberized services, e.g. LDAP.
From naveen.bn at globaledgesoft.com Mon Jun 23 02:28:36 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 23 Jun 2008 11:58:36 +0530
Subject: krb5-API
Message-ID: <485F4294.7030005@globaledgesoft.com>

Hi Kevin,

I found that the function krb5_get_in_tkt_with_skey, which will acquire the pa-data for the PA_PK_AS_REQ, is not invoked anywhere. Is it used? Can I find good documentation on the Kerberos API for sending pre-authentication data?

Thank you

with regards
naveen

From ssorce at redhat.com Mon Jun 23 09:03:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 09:03:14 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu>
Message-ID: <1214226194.3822.23.camel@localhost.localdomain>

On Mon, 2008-06-16 at 19:25 -0400, Ken Raeburn wrote:
> On Jun 16, 2008, at 19:00, Klaus Heinrich Kiwi wrote:
> > Is there a better description of what's in the tl_data structure? I
> > saw
> > some #defines in the kdb_ldap.h header file but couldn't correlate to
> > anything just by looking at their names. Also, looks like this tl_data
> > structure has a function outside the kdb abstraction layer domain
> > (ie.:
> > it's used within the KDC itself). Could you give me any insight of how
> > it's being used and where? The description in the Schema file ("holds
> > the application specific data") is a little confusing (application
> > here
> > refers to the Kerberos protocol? MIT KDC implementation? the LDAP KDB
> > plugin itself?)
>
> The "application" data in question is indeed the MIT KDC
> implementation; all this stuff is internal to the MIT implementation.
> In src/include/kdb.h you'll find definitions of some macros KRB5_TL_*
> vaguely describing in their names what they're used for; for the
> actual definitions of the layouts, you'll have to dig around in the
> sources. At the moment, it's sort of a catch-all slot for holding
> anything new we want to stick in there without having to redefine the
> XDR types we use for database records (since the old DBM-style APIs
> only give you "key" and "data" slots), stuff like that.

Ken,
this krbExtraData blob is indeed quite problematic. In LDAP we can add as many attributes as needed into the schema, and it is preferable to have clearly separated attributes that can be manipulated by manually editing an ldif file.

Is there a specific reason why the database layer has not been abstracted appropriately? Any chance we can work to fix these problems and come up with a better schema?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From ssorce at redhat.com Mon Jun 23 09:05:10 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 09:05:10 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1213671483.17827.35.camel@klausk.br.ibm.com>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1213671483.17827.35.camel@klausk.br.ibm.com>
Message-ID: <1214226310.3822.26.camel@localhost.localdomain>

On Mon, 2008-06-16 at 23:58 -0300, Klaus Heinrich Kiwi wrote:
> On Mon, 2008-06-16 at 19:25 -0400, Ken Raeburn wrote:
>
> > The "application" data in question is indeed the MIT KDC
> > implementation; all this stuff is internal to the MIT implementation.
> > In src/include/kdb.h you'll find definitions of some macros KRB5_TL_*
> > vaguely describing in their names what they're used for; for the
> > actual definitions of the layouts, you'll have to dig around in the
> > sources. At the moment, it's sort of a catch-all slot for holding
> > anything new we want to stick in there without having to redefine the
> > XDR types we use for database records (since the old DBM-style APIs
> > only give you "key" and "data" slots), stuff like that.
>
> Ken,
> thank you for your explanation. I'm still a bit confused about how KDC
> uses the TL data at the same time the KDB LDAP plugin also has some
> specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData'
> accommodate any kind of attribute we think of, just by making sure the
> type numbers don't collide? Or is it working some other way? Also, is
> tl_data an attribute for principals, realms, or both?
>
> I'm working towards changing the upstream KDB LDAP plugin into
> supporting the IBM Schema, and that Schema brings a lot of things as
> attributes for principals and realms - I'm just trying to make sure to
> reuse the existing internal data structures whenever possible.

Klaus,
the current Kerberos schema as implemented by MIT is not ideal, but adding support for multiple schemas seems like a way to fragment. Wouldn't it be better to join efforts to come up with a schema we can all standardize upon?

Do you have pointers to the IBM schema? I'd like to take a look at the differences.

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From raeburn at MIT.EDU Mon Jun 23 10:05:32 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 23 Jun 2008 10:05:32 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1214226194.3822.23.camel@localhost.localdomain>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1214226194.3822.23.camel@localhost.localdomain>
Message-ID: <9A56C6EF-CA98-473E-813A-43532C7C2AAA@MIT.EDU>

On Jun 23, 2008, at 09:03, Simo Sorce wrote:
> Is there a specific reason why the database layer has not been
> abstracted appropriately ? Any chance we can work to fix these
> problems
> and come up with a better schema ?

Mostly lack of resources/priority/motivation/etc., I guess; certainly no reason why we don't want it done. But it's an issue that's been getting more discussion lately in some of our internal meetings.

Have you followed the KDC information model and schema discussions happening related to the IETF Kerberos working group? The discussions were taking place on a couple of external mailing lists, not the main working group mailing list:

http://mailman.mit.edu/mailman/listinfo/kdc-info
http://mailman.mit.edu/mailman/listinfo/kdc-schema

They're pretty quiet now, but you can check through the archives.
Ken

From ssorce at redhat.com Mon Jun 23 10:57:40 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Mon, 23 Jun 2008 10:57:40 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <9A56C6EF-CA98-473E-813A-43532C7C2AAA@MIT.EDU>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1214226194.3822.23.camel@localhost.localdomain> <9A56C6EF-CA98-473E-813A-43532C7C2AAA@MIT.EDU>
Message-ID: <1214233060.3822.57.camel@localhost.localdomain>

On Mon, 2008-06-23 at 10:05 -0400, Ken Raeburn wrote:
> On Jun 23, 2008, at 09:03, Simo Sorce wrote:
> > Is there a specific reason why the database layer has not been
> > abstracted appropriately ? Any chance we can work to fix these
> > problems
> > and come up with a better schema ?
>
> Mostly lack of resources/priority/motivation/etc I guess; certainly no
> reason why we don't want it done. But it's an issue that's been
> getting more discussion lately in some of our internal meetings.
>
> Have you followed the KDC information model and schema discussions
> happening related to the IETF Kerberos working group? The discussions
> were taking place on a couple of external mailing lists, not the main
> working group mailing list:
> http://mailman.mit.edu/mailman/listinfo/kdc-info
> http://mailman.mit.edu/mailman/listinfo/kdc-schema
> They're pretty quiet now, but you can check through the archives.

Ken, thanks for the pointers. I am starting to look into the archives, but it seems that both only go up to August 2006 and there is nothing else afterward. Did communication stop right there? Or is there some other place with the recent archives?

Simo.
--
Simo Sorce * Red Hat, Inc * New York

From raeburn at MIT.EDU Mon Jun 23 11:25:22 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 23 Jun 2008 11:25:22 -0400
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1214233060.3822.57.camel@localhost.localdomain>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1214226194.3822.23.camel@localhost.localdomain> <9A56C6EF-CA98-473E-813A-43532C7C2AAA@MIT.EDU> <1214233060.3822.57.camel@localhost.localdomain>
Message-ID:

On Jun 23, 2008, at 10:57, Simo Sorce wrote:
> Ken, thanks for the pointers, I am starting looking into the archives,
> but it seem that both are up to August 2006 and there is nothing else
> afterward. Did communication stop right there? Or is there some other
> place with the recent archives ?

It has been a while... I think that's probably when discussions wound up. I don't see anything more recent in my own mailboxes.

Ken

From rra at stanford.edu Mon Jun 23 12:14:34 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 23 Jun 2008 09:14:34 -0700
Subject: Kinit programatically??
In-Reply-To: <2203f95e0806222151g53570af2nec3f2fe17a46958b@mail.gmail.com> (kul gupta's message of "Mon\, 23 Jun 2008 10\:21\:12 +0530")
References: <2203f95e0806222151g53570af2nec3f2fe17a46958b@mail.gmail.com>
Message-ID: <87skv4f7rp.fsf@windlord.stanford.edu>

"kul gupta" writes:

> hello
> Thanks
> I'm using MIT Kerberos.
> I will appreciate it if someone can help me how to proceed to achieve
> "kinit" programmatically.
>
>
> The user has entered username and password through stdin.
> How can I get the TGT programmatically (using GSS-API) so as to proceed
> further?

You cannot get a TGT using GSSAPI. GSSAPI has no facility for initial authentication.
For an example of many different types of authentication using the native
Kerberos API, take a look at:

http://www.eyrie.org/~eagle/software/kstart/

If you already have the password in hand, you probably want the
krb5_get_init_creds_password function, but there's some setup that you have
to do first and you probably want to store the credentials in a ticket cache
afterwards.

-- 
Russ Allbery (rra at stanford.edu)

From paul.moore at centrify.com Mon Jun 23 12:44:21 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Mon, 23 Jun 2008 09:44:21 -0700
Subject: Kinit programatically??
In-Reply-To: <2203f95e0806222151g53570af2nec3f2fe17a46958b@mail.gmail.com>
References: <2203f95e0806222151g53570af2nec3f2fe17a46958b@mail.gmail.com>

You cannot get a TGT with GSS.

Either System("kinit ....")

Or call Krb5_get_in_tkt_passwd (I think that's the correct name)

-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of kul gupta
Sent: Sunday, June 22, 2008 9:51 PM
To: Tadoori (EXT), Vilas
Cc: krbdev at mit.edu; kerberos at mit.edu
Subject: Kinit programatically??

hello

Thanks
I am using MIT Kerberos.
I will appreciate it if someone can help me with how to proceed to achieve
"kinit" programmatically.

The user has entered username and password through stdin.
How can I get the TGT programmatically (using GSS-API) so as to proceed
further?

On 6/20/08, Tadoori (EXT), Vilas wrote:
>
> Kul,
>
> I would suggest you download the source code of MIT Kerberos
>
> http://web.mit.edu/Kerberos/dist/
>
> I would also recommend the following reading for your understanding.
> This is more on JAAS, which is a security option that includes
> GSS-API, and also Java methods that include Java and GSS-API examples.
> Here the methods used do not require you to specify the Kerberos mech.
>
> http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part1.html
>
> Mind you, they are completely in Java, but you will come to know how your
> question can be answered. I would suggest you read it and you will
> get your answer.
>
> Regards
> V.
>
> ------------------------------
> *From:* kul gupta [mailto:kulg123 at gmail.com]
> *Sent:* Friday, June 20, 2008 10:34 AM
> *To:* Tadoori (EXT), Vilas
> *Subject:* Re: Kerberos Digest, Vol 66, Issue 13
>
> hello
>
> The example given by Sun runs fine.
> But I need to explicitly mention the mechanism name as Kerberos_v5;
> when I am not mentioning the name of the mechanism on the command line,
> it gives an error: gss_inquire_credentials
>
> My doubt is that when I read the file mec.conf, the mechanism
> specified is Kerberos.
>
> Then why is it not taking it automatically?
>
> On 6/19/08, kul gupta wrote:
>>
>> Hello
>> Thanks a lot for your valuable time and guidance.
>>
>> It helped me.
>> The example code there for both client and server builds
>> successfully now.
>>
>> There are some basic doubts. Can you please help me with them?
>>
>> 1) I have a client application (gss-client code given in the Sun example)
>> and server application code (gss-server code given in the Sun example).
>> Both build successfully.
>>
>> 2) a) The first step should be that the server application should be up to
>> provide the Kerberized service. Am I right?
>> When I run the server application after taking a TGT, some error
>> regarding gss_acquire_cred is coming?
>> b) I am not getting what I should provide in the service_name on both
>> client and server side?
>> c) When this much is done, then only should I proceed with the client
>> application?
>> (Again I need to do kinit and then run the client application so as
>> to connect with the server application?)
>>
>> Can you please brief me on the steps for how to proceed with it.
>> It will really help me in clearing my basic things on GSSAPI.
>>
>> Thanks
>> kul
>>
>> On 6/18/08, Tadoori (EXT), Vilas wrote:
>>>
>>> Hello Kul,
>>>
>>> I am not sure about RHEL V5.0. I have modified the code so that
>>> it runs on the Solaris version.
>>> You need to find out if the gssapi header files are installed at all
>>> on your machine.
>>>
>>> You may find out using the Linux command find /usr -name '*gss*'
>>> You are looking for libraries like
>>>
>>> /usr/lib/gss
>>> /usr/lib/gss/gsscred_clean
>>> /usr/lib/gss/gssd
>>> /usr/lib/libgss.so
>>> /usr/include/gssapi
>>> /usr/include/gssapi/gssapi.h
>>> /usr/include/gssapi/gssapi_ext.h
>>>
>>> The header files like gssapi_ext.h would be missing in Linux because
>>> these are Sun-specific examples which would run only on a Sun O/S.
>>>
>>> Also ensure that you are linking your code with the gss libraries at
>>> run time, something like the below, which is
>>>
>>> if you are using Linux (RHEL or SUSE) and C:
>>> gcc -o <output file> -l<the gss library path>
>>>
>>> the syntax for C++ will be different:
>>> g++ -o <output file> -l<the gss library path>
>>>
>>> In my case in Solaris I use the following, which is
>>>
>>> cc testc.c -o test -lgss -O
>>>
>>> if you see, the libraries is similar to the dir structure as above
>>> "/usr/lib/gss"
>>>
>>> The final thing is how would you load your libraries at run time?
>>> You should check the env variable "LD_LIBRARY_PATH";
>>> check the same using echo $LD_LIBRARY_PATH
>>>
>>> If you can see your gssapi libraries set in the path you would not
>>> face any issues compiling the same.
>>>
>>> I am not sure if I have answered your questions on this.
>>>
>>> Some of the code in the examples has been customised accordingly by
>>> Sun... so there is a great possibility that the code might break on
>>> other O/S. Please read the RFC for GSS-API v2 to ensure that you are
>>> using only those functions and structures that are defined there... the
>>> RFC is 2744.
>>>
>>> thanks
>>> v.
>>>
>>> ------------------------------
>>> *From:* kul gupta [mailto:kulg123 at gmail.com]
>>> *Sent:* Tuesday, June 17, 2008 9:50 AM
>>> *To:* Tadoori (EXT), Vilas
>>> *Subject:* Re: Kerberos Digest, Vol 66, Issue 13
>>>
>>> Hello Vilas
>>>
>>> Thanks a lot for your valuable guidance and time.
>>>
>>> I am using Red Hat Enterprise Linux 5.0 and using the NetBeans IDE to
>>> build the code, and the compiler is gcc (for the code given in the Sun
>>> example).
>>>
>>> 1) There is an AS server which is Kerberized. I did the settings for the
>>> Kerberized client also.
>>>
>>> 2) After obtaining the TGT (using the kinit command from the client
>>> side), how should I proceed using the example given by Sun?
>>>
>>> 3) I think the mechanism used in GSSAPI by default is Kerberos V5. So I
>>> need not specify it explicitly? Am I right?
>>>
>>> Can you please help me out in brief with the steps I need to do for the same.
>>> Please let me know how to proceed.
>>>
>>> On 6/16/08, Tadoori (EXT), Vilas wrote:
>>>>
>>>> Hello kul,
>>>>
>>>> You do not need Cyrus SASL; SASL is a different framework altogether.
>>>> All you need is a Kerberos server for the same.
>>>> It would be really wonderful if you can give some more information
>>>> about your architecture.
>>>> Also it would be helpful if you can tell on which platform you are
>>>> compiling the Sun examples.
>>>> There are a lot of things that we need to find out first before
>>>> answering the question.
>>>>
>>>> Regards
>>>> V.
>>>>
>>>> -----Original Message-----
>>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>>>> Behalf Of kerberos-request at mit.edu
>>>> Sent: Sunday, June 15, 2008 9:41 PM
>>>> To: kerberos at mit.edu
>>>> Subject: Kerberos Digest, Vol 66, Issue 13
>>>>
>>>> Message: 1
>>>> Date: Sun, 15 Jun 2008 21:18:41 +0530
>>>> From: "kul gupta"
>>>> Subject: help
>>>> To: kerberos at mit.edu, krbdev at mit.edu
>>>> Message-ID: <2203f95e0806150848k10973896ie082f11431849df0 at mail.gmail.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> I am very new to Kerberos and GSSAPI. I will highly appreciate
>>>> guidance for the issues below. I am a bit confused about Cyrus
>>>> SASL and GSSAPI.
>>>>
>>>> I have an authentication server (AS) which is Kerberized. The client
>>>> gets the TGT using kinit. Now I need to use GSSAPI for
>>>> authentication.
>>>>
>>>> 1) Do I need to have Cyrus SASL also? Or will only Kerberos do?
>>>>
>>>> 2) When I tried to run the example provided by Sun, I am getting the
>>>> following errors:
>>>> gssapi_ext.h - No such file or directory
>>>> gssapi-misc.h - No such file or directory
>>>>
>>>> I also tried to search for these files on my system (Red Hat Enterprise
>>>> Linux 5.0), but these files are not present.
>>>>
>>>> I will be highly thankful if you can help me out with the same.
>>>>
>>>> Regards
>>>> Ruchita

From rkrieger at gmail.com Mon Jun 23 10:52:23 2008
From: rkrieger at gmail.com (Rogier Krieger)
Date: Mon, 23 Jun 2008 16:52:23 +0200
Subject: NetIDMgr - showing incorrect lifetime

Every now and then, I see incorrect lifetimes in the NetIDMgr window.
Refreshing the view does not correct the displayed lifetimes (or only for
the first identity in the list). The issue appears to be cosmetic only; even
for 'expired' tickets (according to the timer in the GUI), there still
appears a green background (if they're still valid according to the actual
credential cache).

Perhaps a picture says more. Please see the attached image. If I can provide
further information, please let me know what would be of help.

Cheers,

Rogier

-- 
If you don't know where you're going, any road will get you there.

From jaltman at secure-endpoints.com Mon Jun 23 18:08:49 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 23 Jun 2008 18:08:49 -0400
Subject: Still distributing KFW 2.6.5 to your users? Please don't.
Message-ID: <48601EF1.80300@secure-endpoints.com>

Kerberos for Windows 2.6.5 was released on 17 September 2004.
KFW 2.6.5 was the first release with an MSI installer, it included
krb5_32.dll version 1.3.5, and was compatible with Windows XP Service Pack 2.
As a result it was distributed far and wide but ...

It is almost four years later. Vista and Server 2008 are widely deployed.
XP SP3 is out, as is 2003 SP2, and 64-bit Windows on Windows environments
are widely available. KFW 2.6.5 was not developed with these environments
in mind because they had not been shipped by Microsoft. KFW 2.6.5 is very
unstable on these platforms. Microsoft Windows Error Reporting receives
close to 200 crash reports a day from deployed KFW 2.6.5 clients. This rate
is more than 200 times higher than the report rate for the KFW 3.2.2 release.

If you are still deploying KFW 2.6.5 to your end users, please stop doing so.
The release is simply no longer stable on modern versions of Microsoft
Windows. If you require KFW support for your users, please upgrade to the
current release. If there is a bug or incompatibility that prevents you from
upgrading, please file a bug report.

Jeffrey Altman
Secure Endpoints Inc.

From jaltman at secure-endpoints.com Mon Jun 23 18:16:38 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 23 Jun 2008 18:16:38 -0400
Subject: NetIDMgr - showing incorrect lifetime
Message-ID: <486020C6.7050701@secure-endpoints.com>

Rogier Krieger wrote:
> Every now and then, I see incorrect lifetimes in the NetIDMgr window.
> [...]

Rogier:

The correct place to file bug reports is kfw-bugs at mit.edu. Image files
sent to this mailing list are stripped.

In your bug report please specify the version of KFW you are using, provide
the "klist -C" command line output that differs from the NIM display, and
the NIM log file that can be activated from the Options->General page.

Thank you.

Jeffrey Altman

From rra at stanford.edu Tue Jun 24 00:30:00 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 23 Jun 2008 21:30:00 -0700
Subject: Kinit programatically??
In-Reply-To: <2203f95e0806232126g65ff1a96redaee1e5e1f3504a@mail.gmail.com> (kul gupta's message of "Tue\, 24 Jun 2008 09\:56\:53 +0530")
References: <2203f95e0806222151g53570af2nec3f2fe17a46958b@mail.gmail.com> <87skv4f7rp.fsf@windlord.stanford.edu> <2203f95e0806232126g65ff1a96redaee1e5e1f3504a@mail.gmail.com>
Message-ID: <87prq7h2uv.fsf@windlord.stanford.edu>

You should really keep copying the mailing list so that other people can
also help. I've re-added the mailing list as a cc.

"kul gupta" writes:

> Thanks a lot
> It helped me
> I read the link provided by you for kstart
> But can I use it for the authentication on the client side?
> When using kinit (or using krb5_get_init_creds_password), it directly
> contacts the KDC.
> Is there any possible way or API where I can get the credentials in between
> the KDC and the client?

I'm not entirely sure what you're asking. If you're asking if there's a way
to get a Kerberos TGT without contacting the KDC, the answer is no. That's a
requirement of the Kerberos protocol and is fundamental to how Kerberos
works.

If you're asking something else, could you try rephrasing?

-- 
Russ Allbery (rra at stanford.edu)

From naveen.bn at globaledgesoft.com Tue Jun 24 01:15:05 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Tue, 24 Jun 2008 10:45:05 +0530
Subject: pre-authentication
Message-ID: <486082D9.7040304@globaledgesoft.com>

Hi Kevin,

Guide me on this. When I use require_preauth for the client and try to send
the AS_REQ with pa-data using the command

kinit -X X509_user_identity=FILE:/client/test.pem,/client/test.key naveen

the first AS_REQ will go without pa-data to the KDC, the KDC will reply
with KRB5KDC_ERR_PREAUTH_REQUIRED (25), and the second AS_REQ will go from
the client to the KDC with pa-data filled, and I get an AS_REP back from the
KDC with the ticket.

Please help me in finding the reason behind the AS_REQ going twice from the
client.

Thank you
with regards
naveen

From kulg123 at gmail.com Tue Jun 24 07:08:58 2008
From: kulg123 at gmail.com (kul gupta)
Date: Tue, 24 Jun 2008 16:38:58 +0530
Subject: Help - Kerberos
Message-ID: <2203f95e0806240408p11d93076j625528e2a1af298d@mail.gmail.com>

Hi

I am using MIT Kerberos for authentication.
Currently the client needs to do kinit (or call krb5_get_init_creds_password())
to get the TGT, in which it directly communicates with the KDC.

The environment is that I don't want to make the client directly communicate
with the KDC and still want to achieve Kerberos authentication.
Are there any ways in which I can achieve this?

How can I implement authorization (giving access to a specific service for a
client)?

I will really appreciate your help.

Thanks and Regards
kul

From klausk at linux.vnet.ibm.com Tue Jun 24 07:43:44 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Tue, 24 Jun 2008 08:43:44 -0300
Subject: Principal attributes and policy in LDAP Realm
In-Reply-To: <1214226310.3822.26.camel@localhost.localdomain>
References: <1212783367.27162.15.camel@klausk.br.ibm.com> <484D3CBD.C217.0053.0@novell.com> <1213657246.17827.15.camel@klausk.br.ibm.com> <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu> <1213671483.17827.35.camel@klausk.br.ibm.com> <1214226310.3822.26.camel@localhost.localdomain>
Message-ID: <1214307824.13517.13.camel@klausk.br.ibm.com>

On Mon, 2008-06-23 at 09:05 -0400, Simo Sorce wrote:
> Klaus, the current Kerberos schema as implemented by MIT is not ideal,
> but adding support for multiple schemas seems like a way to fragment;
> wouldn't it be better to join efforts to come up with a schema we can
> all standardize upon?

I must admit I still need to verify this, but I'd assume that other
applications may be using the same directory for other purposes (including
authentication?), and it may simply be easier to add support for this
particular schema to one application than to support it in other (possibly
legacy) applications.

> Do you have pointers to the IBM schema? I'd like to take a look at the
> differences.

I can't seem to find any external links to it. I'll check if I can host it
somewhere and let you know.
-Klaus

-- 
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From kwc at umich.edu Tue Jun 24 08:48:47 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Tue, 24 Jun 2008 08:48:47 -0400
Subject: pre-authentication
In-Reply-To: <486082D9.7040304@globaledgesoft.com>
References: <486082D9.7040304@globaledgesoft.com>
Message-ID: <4d569c330806240548o445ccdc9ra9d3faa4287f4882@mail.gmail.com>

On Tue, Jun 24, 2008 at 1:15 AM, naveen.bn wrote:
> The first AS_REQ will go without pa-data to the KDC, the KDC will reply
> with KRB5KDC_ERR_PREAUTH_REQUIRED (25), and the second AS_REQ will go from
> the client to the KDC with pa-data filled, and I get an AS_REP back from
> the KDC with the ticket.
> Please help me in finding the reason behind the AS_REQ going twice from the
> client.

This is the intended behavior of the MIT client. In the KDC's
PREAUTH_REQUIRED reply, it informs the client which preauth methods may be
used (and possibly some parameters for the methods, such as certificates in
the PKINIT case). The client then chooses a method and sends a request with
pa-data for the mutually acceptable preauth method.

K.C.

From rkrieger at gmail.com Mon Jun 23 19:05:48 2008
From: rkrieger at gmail.com (Rogier Krieger)
Date: Tue, 24 Jun 2008 01:05:48 +0200
Subject: NetIDMgr - showing incorrect lifetime (for archive)

My primary reason for sending it to this list was a sanity check before
reporting it as a bug. Thanks for the pointers to provide a useful report;
I'll file this at krb5-bugs at . This post is purely for archive purposes.

NetIDMgr shows 'expired' for the tickets, even if they are valid for several
hours. Refreshing the tickets through NetIDMgr or refreshing the view does
not correct the displayed time. NetIDMgr keeps displaying 'expired' (even if
the background colour behind the identity changes colour appropriate to
ticket lifetime).

NetIDMgr output:
  rkrieger at REALM (Default, Kerberos v5)
  (Expired)

Above is displayed on a background colour appropriate for ticket lifetime.

klist output:
  >klist -C
  Ticket cache: API:rkrieger at REALM
  Default principal: rkrieger at REALM

  Valid starting     Expires            Service principal
  06/23/08 14:19:57  06/24/08 14:19:57  krbtgt/REALM at REALM
          renew until 06/30/08 14:19:57

Version information:
  Windows XP, SP2
  KfW 3.2.2 (installed through 32-bit MSI)
  NetIDMgr 1.3.1.0

From rra at stanford.edu Tue Jun 24 11:15:54 2008
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 24 Jun 2008 08:15:54 -0700
Subject: Kinit programatically??
In-Reply-To: <2203f95e0806240115v358ae905nd3237f08ccfe28b6@mail.gmail.com> (kul gupta's message of "Tue\, 24 Jun 2008 13\:45\:14 +0530")
References: <2203f95e0806222151g53570af2nec3f2fe17a46958b@mail.gmail.com> <87skv4f7rp.fsf@windlord.stanford.edu> <2203f95e0806232126g65ff1a96redaee1e5e1f3504a@mail.gmail.com> <87prq7h2uv.fsf@windlord.stanford.edu> <2203f95e0806240115v358ae905nd3237f08ccfe28b6@mail.gmail.com>
Message-ID: <87bq1qhnit.fsf@windlord.stanford.edu>

"kul gupta" writes:

> Ya, actually I framed it in a wrong way. I'm really sorry for that.
> I wanted to ask about forwarding tickets.
> I get the TGT and need to forward the same to a different target.
> How can I achieve this programmatically?

That is something you can do with GSSAPI. As part of the negotiation of the
authentication context, you can request ticket delegation, which will
delegate forwardable credentials to the remote host. See the documentation
for gss_accept_sec_context and gss_init_sec_context.
-- 
Russ Allbery (rra at stanford.edu)

From jaltman at secure-endpoints.com Tue Jun 24 11:35:54 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 24 Jun 2008 11:35:54 -0400
Subject: NetIDMgr - showing incorrect lifetime (for archive)
Message-ID: <4861145A.40707@secure-endpoints.com>

There is a separate mail queue for KFW. kfw-bugs at ...

When you examine the properties of the "rkrieger at REALM" entry, what are
the reported lifetimes?

Rogier Krieger wrote:
> My primary reason for sending it to this list was a sanity check
> before reporting it as a bug. [...]

From jhutz at cmu.edu Tue Jun 24 12:31:03 2008
From: jhutz at cmu.edu (Jeffrey Hutzelman)
Date: Tue, 24 Jun 2008 12:31:03 -0400
Subject: Proposal to change the meaning of -allow_tix +allow_svr aka KRB5_KDB_DISALLOW_ALL_TIX & !KRB5_KDB_DISALLOW_SVR
In-Reply-To: <200806182059.m5IKxYLQ028542@toasties.srv.cs.cmu.edu>
References: <485970FD.9010109@secure-endpoints.com> <200806182059.m5IKxYLQ028542@toasties.srv.cs.cmu.edu>
Message-ID: <2750DB3DE540171113F09501@sirius.fac.cs.cmu.edu>

--On Wednesday, June 18, 2008 04:54:04 PM -0400 Ken Raeburn wrote:

> On Jun 18, 2008, at 16:33, Jeffrey Altman wrote:
>> I believe that the meaning of allow_tix should be altered such that it
>> only applies to the client in a TGS or AS request. This would permit
>> -allow_tix to be applied to a service principal and ensure that no client
>> ticket requests can be satisfied for that service principal while at the
>> same time permitting other principals to obtain service tickets.
>> Organizations that wish to disable the issuance of service tickets for
>> the service principal would apply -allow_svr to the principal in addition
>> to -allow_tix.
>
> I think it should be pointed out that such a change would allow tickets
> to start being issued where currently they would not when the KDC
> software gets updated -- even if the latter really was the intent of the
> realm administrator. Because of that, we might instead want to create a
> new flag with the semantics Jeff wants, and leave the existing flag with
> its current (suboptimal) behavior.

I don't consider the current behavior of -allow_tix to be suboptimal.
Its effect is to completely and totally disable a principal for all uses,
which is a desirable thing to be able to do from an administrative point of
view, separately from the ability to specify "this principal can only be
used as a client" (-allow_svr) or "this principal can only be used as a
service" (the new flag Jeff is asking about).

Note that there is a justification for having -allow_svr without
-allow_clt. The former, when used with a policy requiring the use of
preauth, prevents an attacker from asking the KDC for ciphertext to be used
in a long-term attack against a principal's key. This is particularly useful
for principals belonging to human users, whose keys are often derived from
passwords with fairly low entropy. While -allow_clt may be a useful policy
for administrative purposes, it doesn't serve the same kind of security goal.

-- Jeff

From rohitm at engr.uconn.edu Tue Jun 24 16:17:49 2008
From: rohitm at engr.uconn.edu (Rohit Kumar Mehta)
Date: Tue, 24 Jun 2008 16:17:49 -0400
Subject: strange problem with kinit
Message-ID: <4861566D.7040409@engr.uconn.edu>

Hi guys, is there any reason running kinit from a cron job would have
different results from running from the shell?

Here is my problem in a nutshell: We are trying to set up a web server to
serve NFS-mounted public_html directories with sec=krb5. The Apache process
(running as nobody) needs some Kerberos credentials to access these NFS
exported files (perms 755). To solve this I create a crontab for nobody
which issues a command like the following:

echo myPassword | kinit nobody at AD.ENGR.UCONN.EDU

Before my cron job runs, I su to nobody and run klist:

nobody at sumo2:/root$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_65534)

Kerberos 4 ticket cache: /tmp/tkt65534
klist: You have no tickets cached

If I do an "ls /home/rohitm/public_html", I get a "Permission denied" error,
and see the following in my logs:

Jun 24 15:44:43 sumo2 rpc.gssd[3968]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide more information - No credentials cache found
Jun 24 15:44:43 sumo2 rpc.gssd[3968]: WARNING: Failed to create krb5 context for user with uid 65534 for server filesm.ad.engr.uconn.edu

Now when the cron job fires, I su to nobody and issue a klist:

nobody at sumo2:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_65534
Default principal: nobody at AD.ENGR.UCONN.EDU

Valid starting     Expires            Service principal
06/24/08 15:30:02  06/25/08 01:30:02  krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU
        renew until 06/25/08 15:30:02, Flags: FRIA
06/24/08 15:30:32  06/25/08 01:30:02  nfs/filesm.ad.engr.uconn.edu at AD.ENGR.UCONN.EDU
        renew until 06/25/08 15:30:02, Flags: FRA
06/24/08 15:30:32  06/25/08 01:30:02  FILESM$@AD.ENGR.UCONN.EDU
        renew until 06/25/08 15:30:02, Flags: FRA

Kerberos 4 ticket cache: /tmp/tkt65534
klist: You have no tickets cached

Now comes the confusing part. At this point issuing a command like
"ls -al /home/rohitm" *sometimes* succeeds, and other times it will continue
to fail until the next time the cron job trips or I run the kinit manually.
I am really not sure what is going on, but I did find this thread:

http://linux-nfs.org/pipermail/nfsv4/2007-October/006915.html

and am trying out kkeepd. In the meantime, does anyone know why my
"echo password | kinit" seems to fail intermittently?
-- Rohit Mehta Computer Engineer University of Connecticut Engineering Computing Services 371 Fairfield Road Unit 2031 Storrs, CT 06269-2031 Office: (860) 486 - 2331 Fax: (860) 486 - 1273 From kwc at umich.edu Tue Jun 24 17:45:42 2008 From: kwc at umich.edu (Kevin Coffman) Date: Tue, 24 Jun 2008 17:45:42 -0400 Subject: strange problem with kinit In-Reply-To: <4861566D.7040409@engr.uconn.edu> References: <4861566D.7040409@engr.uconn.edu> Message-ID: <4d569c330806241445t59936768p6b3096f234e4b6f0@mail.gmail.com> I don't have an answer to why the cron thing fails. However, running gssd with -vvv will give a clue toward what credentials caches are being considered. I would suggest using a keytab rather than keeping a password around in a script, file, or wherever you are keeping it now. You might also want to look at kstart and krenew: http://www.eyrie.org/~eagle/software/kstart/ http://www.eyrie.org/~eagle/software/kstart/krenew.html On Tue, Jun 24, 2008 at 4:17 PM, Rohit Kumar Mehta wrote: > > Hi guys, is there any reason running kinit from a cronjob would have > different > results from running from the shell? > > Here is my problem in a nutshell: We are trying to setup a webserver to > serve > NFS-mounted public_html directories with sec=krb5. The apache process > (running as nobody) needs some kerberos credentials to access these NFS > exported files (perms 755). 
To solve this I create a crontab for nobody > which > issues a command like the following: > > echo myPassword | kinit nobody at AD.ENGR.UCONN.EDU > > Before my cronjob runs, I su to nobody and run klist: > > nobody at sumo2:/root$ klist > klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_65534) > > > Kerberos 4 ticket cache: /tmp/tkt65534 > klist: You have no tickets cached > > If I do an "ls /home/rohitm/public_html", I get a "Permission denied" > error, and see > the following in my logs: > > Jun 24 15:44:43 sumo2 rpc.gssd[3968]: ERROR: GSS-API: error in > gss_acquire_cred(): Unspecified GSS failure. Minor code may provide > more information - No credentials cache found > Jun 24 15:44:43 sumo2 rpc.gssd[3968]: WARNING: Failed to create krb5 > context for user with uid 65534 for server filesm.ad.engr.uconn.edu > > Now when the cronjob fires, I su to nobody and issue a klist: > > nobody at sumo2:~$ klist -f > Ticket cache: FILE:/tmp/krb5cc_65534 > Default principal: nobody at AD.ENGR.UCONN.EDU > > Valid starting Expires Service principal > 06/24/08 15:30:02 06/25/08 01:30:02 > krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU > renew until 06/25/08 15:30:02, Flags: FRIA > 06/24/08 15:30:32 06/25/08 01:30:02 > nfs/filesm.ad.engr.uconn.edu at AD.ENGR.UCONN.EDU > renew until 06/25/08 15:30:02, Flags: FRA > 06/24/08 15:30:32 06/25/08 01:30:02 FILESM$@AD.ENGR.UCONN.EDU > renew until 06/25/08 15:30:02, Flags: FRA > > > Kerberos 4 ticket cache: /tmp/tkt65534 > klist: You have no tickets cached > > Now comes the confusing part. At this point issuing a command like "ls > -al /home/rohitm" *sometimes* > succeeds, and other times it will continue to fail until the next time > the cronjob trips or I > run the kinit manually. I am really not sure what is going on, but I > did find this thread: > > http://linux-nfs.org/pipermail/nfsv4/2007-October/006915.html > > and am trying out kkeepd. 
> In the meantime, does anyone know why my
> "echo password | kinit" seems to fail intermittently?
>
> --
> Rohit Mehta
> Computer Engineer
> University of Connecticut
> Engineering Computing Services
> 371 Fairfield Road Unit 2031
> Storrs, CT 06269-2031
>
> Office: (860) 486 - 2331
> Fax: (860) 486 - 1273
>
>
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>
>

From amitpawar007 at gmail.com Wed Jun 25 02:55:52 2008
From: amitpawar007 at gmail.com (amit pawar)
Date: Wed, 25 Jun 2008 12:25:52 +0530
Subject: create principals in kerberos + openldap as backend (kdb5_ldap_util)
Message-ID: <748000080806242355t1df1438bibdb7ce766088b271@mail.gmail.com>

Hi,

I am working on configuring MIT Kerberos with openldap as backend.
Till now I have been successful with integrating openldap as backend for kerberos.

I have followed instructions from
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Top
and
http://blogs.sun.com/wfiveash/entry/the_rough_guide_to_configuring (it's for solaris)

MIT Kerberos version: krb5-1.6.3
Openldap version: 2.4.7

I have successfully created realm EXAMPLE.COM:

kdb5_ldap_util -D cn=admin,o=org create -subtrees o=org -sscope SUB -r EXAMPLE.COM -w secret

This created the realm, also adding various entries to the ldap database on the
ldapserver such as krbtgt/EXAMPLE.COM, kadmin/admin, kadmin/history,
kadmin/changepw, etc.

I have also added kdc and kadmin administrator entries to kerberos by ldif,
cn=krbadmin, o=org, and stashed the password for the same.

Now I am stuck. Please answer these queries:

1) how do I create principals for the same. (should I use the kadmin.local option)
2) but kadmin.local doesn't work on my kdc (error given below)
3) is there any other way to create user principals....??????

As with only kerberos we use kadmin.local on the kdc machine, but with
kerberos + openldap, if I try using kadmin.local on the kdc,
it fails, giving the error:

# kadmin.local
Authenticating as principal root/admin at EXAMPLE.COM with password.
kadmin.local: Unable to access kerberos database while initializing kadmin.local interface.

Thanks in advance.

--
Regards,
Amit Pawar
Software Developer,
Financial Technologies (India) Ltd.

From kulg123 at gmail.com Wed Jun 25 07:34:18 2008
From: kulg123 at gmail.com (kul gupta)
Date: Wed, 25 Jun 2008 17:04:18 +0530
Subject: GSSAPI + IAKERB
Message-ID: <2203f95e0806250434t4e7ecdcfu9b87ccde3497c248@mail.gmail.com>

Hello

I was going through IAKERB and have some doubts.
I will be highly thankful if anyone can clear my doubts.

1) Can someone please explain to me the scenario for using IAKERB?
2) Do I have to go for GSSAPI for the IAKERB implementation?
3) Is there any sample code available for the same?

Thanks
kul

From jhutz at cmu.edu Wed Jun 25 12:33:18 2008
From: jhutz at cmu.edu (Jeffrey Hutzelman)
Date: Wed, 25 Jun 2008 12:33:18 -0400
Subject: GSSAPI + IAKERB
In-Reply-To: <200806251158.m5PBw2eT025506@raisinbran.srv.cs.cmu.edu>
References: <200806251158.m5PBw2eT025506@raisinbran.srv.cs.cmu.edu>
Message-ID: <526C046F05EEC2A94531131F@sirius.fac.cs.cmu.edu>

--On Wednesday, June 25, 2008 05:04:18 PM +0530 kul gupta wrote:

> Hello
>
> I was going through IAKERB and have some doubts.
> I will be highly thankful if anyone can clear my doubts.
>
> 1) Can someone please explain to me the scenario for using IAKERB?

Take a look at section 1 of draft-ietf-krb-wg-iakerb-00.txt, available
from . Note that the older draft-ietf-cat-iakerb document has not been
touched in several years, and is superseded by the krb-wg document.

> 2) Do I have to go for GSSAPI for the IAKERB implementation?

Yes, IAKERB is a GSS-API mechanism.

> 3) Is there any sample code available for the same?

Probably not; the new IAKERB document is still in the first stages of
development. If anyone knows of an implementation of this, please speak up.
If you have comments on IAKERB, please address them to the IETF Kerberos
working group mailing list, ietf-krb-wg at anl.gov (this is an open list;
subscribe at ).

--
Jeffrey T. Hutzelman (N3NHS)
Co-chair, IETF Kerberos Working Group
Carnegie Mellon University - Pittsburgh, PA

From David.Bear at asu.edu Wed Jun 25 13:25:57 2008
From: David.Bear at asu.edu (David Bear)
Date: Wed, 25 Jun 2008 10:25:57 -0700
Subject: KfW failure to get afs tokens
Message-ID: <1d1a54bf0806251025h13e3f9e4s4671f163652d5e7b@mail.gmail.com>

Using KfW 3.2.2 I ran into an issue today that I have not seen. Normally,
we get the v5 credentials

krbtgt/ASU.EDU at asu.edu
afs at ASU.EDU

and the openafs cache manager also gets

afs at asu.edu

However, today I installed kfw on a machine (windows xp prof) and gave it
all the same configuration, but we did not get the afs at asu.edu or the
afs at ASU.EDU credential.

Actually, I did get all the proper afs tokens/credentials when I tested it
with my id. But when I destroy my credentials using NiM, I could not get afs
credentials for the actual user id of the person using the machine.

I was able to start afscreds and get afs tokens from the old gui, but I
thought it very strange the KfW/NiM didn't get all the afs credentials it
needed.

Any ideas on what could be happening?

--
David Bear
College of Public Programs at ASU
602-464-0424

From rohitm at engr.uconn.edu Wed Jun 25 13:51:12 2008
From: rohitm at engr.uconn.edu (Rohit Kumar Mehta)
Date: Wed, 25 Jun 2008 13:51:12 -0400
Subject: strange problem with kinit
In-Reply-To: <4d569c330806241445t59936768p6b3096f234e4b6f0@mail.gmail.com>
References: <4861566D.7040409@engr.uconn.edu> <4d569c330806241445t59936768p6b3096f234e4b6f0@mail.gmail.com>
Message-ID: <48628590.1050101@engr.uconn.edu>

Thanks Kevin, using k5start and a keytab seems a much better solution!
I did not know this existed. This seems to work quite well.
However, if my "echo password | kinit" script should work, it might be
worthwhile to figure out where the problem is. I have done some more tests
and saved the logs for gssd -vvvvvv in both not working and working states.
I did not notice anything in the logs (they are big!) that tipped me off to
the problem, but if you like I can send them to you.

Kevin Coffman wrote:
> I don't have an answer to why the cron thing fails. However, running
> gssd with -vvv will give a clue toward what credentials caches are
> being considered.
>
> I would suggest using a keytab rather than keeping a password around
> in a script, file, or wherever you are keeping it now.
>
> You might also want to look at kstart and krenew:
>
> http://www.eyrie.org/~eagle/software/kstart/
> http://www.eyrie.org/~eagle/software/kstart/krenew.html
>
>
> On Tue, Jun 24, 2008 at 4:17 PM, Rohit Kumar Mehta wrote:
>
>> Hi guys, is there any reason running kinit from a cronjob would have
>> different results from running from the shell?
>>
>> Here is my problem in a nutshell: We are trying to set up a webserver to
>> serve NFS-mounted public_html directories with sec=krb5. The apache process
>> (running as nobody) needs some kerberos credentials to access these NFS
>> exported files (perms 755). To solve this I create a crontab for nobody
>> which issues a command like the following:
>>
>> echo myPassword | kinit nobody at AD.ENGR.UCONN.EDU
>>
>> Before my cronjob runs, I su to nobody and run klist:
>>
>> nobody at sumo2:/root$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_65534)
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt65534
>> klist: You have no tickets cached
>>
>> If I do an "ls /home/rohitm/public_html", I get a "Permission denied"
>> error, and see the following in my logs:
>>
>> Jun 24 15:44:43 sumo2 rpc.gssd[3968]: ERROR: GSS-API: error in
>> gss_acquire_cred(): Unspecified GSS failure.
>> Minor code may provide
>> more information - No credentials cache found
>> Jun 24 15:44:43 sumo2 rpc.gssd[3968]: WARNING: Failed to create krb5
>> context for user with uid 65534 for server filesm.ad.engr.uconn.edu
>>
>> Now when the cronjob fires, I su to nobody and issue a klist:
>>
>> nobody at sumo2:~$ klist -f
>> Ticket cache: FILE:/tmp/krb5cc_65534
>> Default principal: nobody at AD.ENGR.UCONN.EDU
>>
>> Valid starting     Expires            Service principal
>> 06/24/08 15:30:02  06/25/08 01:30:02  krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU
>>         renew until 06/25/08 15:30:02, Flags: FRIA
>> 06/24/08 15:30:32  06/25/08 01:30:02  nfs/filesm.ad.engr.uconn.edu at AD.ENGR.UCONN.EDU
>>         renew until 06/25/08 15:30:02, Flags: FRA
>> 06/24/08 15:30:32  06/25/08 01:30:02  FILESM$@AD.ENGR.UCONN.EDU
>>         renew until 06/25/08 15:30:02, Flags: FRA
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt65534
>> klist: You have no tickets cached
>>
>> Now comes the confusing part. At this point issuing a command like "ls
>> -al /home/rohitm" *sometimes* succeeds, and other times it will continue
>> to fail until the next time the cronjob trips or I run the kinit manually.
>> I am really not sure what is going on, but I did find this thread:
>>
>> http://linux-nfs.org/pipermail/nfsv4/2007-October/006915.html
>>
>> and am trying out kkeepd. In the meantime, does anyone know why my
>> "echo password | kinit" seems to fail intermittently?
>>
>> --
>> Rohit Mehta
>> Computer Engineer
>> University of Connecticut
>> Engineering Computing Services
>> 371 Fairfield Road Unit 2031
>> Storrs, CT 06269-2031
>>
>> Office: (860) 486 - 2331
>> Fax: (860) 486 - 1273
>>
>>
>> _______________________________________________
>> NFSv4 mailing list
>> NFSv4 at linux-nfs.org
>> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>
>>
>
>

--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031

Office: (860) 486 - 2331
Fax: (860) 486 - 1273

From deengert at anl.gov Wed Jun 25 14:01:22 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 25 Jun 2008 13:01:22 -0500
Subject: KfW failure to get afs tokens
In-Reply-To: <1d1a54bf0806251025h13e3f9e4s4671f163652d5e7b@mail.gmail.com>
References: <1d1a54bf0806251025h13e3f9e4s4671f163652d5e7b@mail.gmail.com>
Message-ID: <486287F2.6010703@anl.gov>

David Bear wrote:
> Using KfW 3.2.2 I ran into an issue today that I have not seen. Normally,
> we get the v5 credentials
> krbtgt/ASU.EDU at asu.edu
> afs at ASU.EDU
>

What is the name of your realm? ASU.EDU or asu.edu? Kerberos is case
sensitive, but if the KDC is Windows AD it can take either and try to
preserve the case.

What is in the krb5.ini [domain_realm] section? Is it upper or lower?
The default mapping from domain to realm takes the domain name and
converts it to uppercase to get a realm.

Sounds like you are missing the krb5.ini on the new machine.

> and the openafs cache manager also gets
> afs at asu.edu

That would be the cell name, which is normally lower case, derived from
the realm name.

>
> However, today I installed kfw on a machine (windows xp prof) and gave it
> all the same configuration, but we did not get the afs at asu.edu or the
> afs at ASU.EDU credential.
>
> Actually, I did get all the proper afs tokens/credentials when I tested it
> with my id.
> But when I destroy my credentials using NiM, I could not get afs
> credentials for the actual user id of the person using the machine.
>
> I was able to start afscreds and get afs tokens from the old gui, but I
> thought it very strange the KfW/NiM didn't get all the afs credentials it
> needed.
>
> Any ideas on what could be happening?
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jblaine at kickflop.net Wed Jun 25 15:10:46 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Wed, 25 Jun 2008 15:10:46 -0400
Subject: Solaris 10 SMF manifest for slave KDC inetd stuff?
Message-ID: <48629836.9020409@kickflop.net>

Has anyone created a Solaris 10 SMF manifest for the following things
which are *supposed* to go in /etc/inetd.conf? Maybe they won't work
outside of inetd?

krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -k -c -e

From lokhande_dinesh at indiatimes.com Wed Jun 25 10:25:57 2008
From: lokhande_dinesh at indiatimes.com (Din)
Date: Wed, 25 Jun 2008 07:25:57 -0700 (PDT)
Subject: How we can enable trace for KINIT utility of Kerberos?
Message-ID: <18113817.post@talk.nabble.com>

Hi All,

While executing the KINIT utility I am getting an error (throwing some
random error number) and the error number is different on different unix
boxes. In the case of success KINIT should return 0, but in my case it is
returning some error number.

My requirement is: how can I enable the trace msgs for that, so that I can
figure out the problematic area.

Any help appreciated.

Thanks n Regards,
Dinesh
From paul at c-group.com Wed Jun 25 17:52:59 2008
From: paul at c-group.com (Paul Palacios)
Date: Wed, 25 Jun 2008 14:52:59 -0700
Subject: strange problem with kinit
In-Reply-To: <48628590.1050101@engr.uconn.edu>
References: <4861566D.7040409@engr.uconn.edu> <4d569c330806241445t59936768p6b3096f234e4b6f0@mail.gmail.com> <48628590.1050101@engr.uconn.edu>
Message-ID: <4862BE3B.7030908@c-group.com>

You might also want to look into "mod_auth_kerb" for apache. It may do all
that you need, and you can place settings in httpd.conf or equiv:

KrbAuthRealms XXX.COM
KrbMethodNegotiate off
KrbVerifyKDC off
Krb5Keytab /etc/http/conf/krb5.keytab

Rohit Kumar Mehta wrote:
> Thanks Kevin, using k5start and a keytab seems a much better
> solution! I did not know this existed. This seems to
> work quite well.
>
> However, if my "echo password | kinit" script should work,
> it might be worthwhile to figure out where the problem is.
> I have done some more tests and saved the logs for gssd -vvvvvv
> in both not working and working states. I did not notice anything
> in the logs (they are big!) that tipped me off to the problem, but
> if you like I can send them to you.
>
>
> Kevin Coffman wrote:
>
>> I don't have an answer to why the cron thing fails. However, running
>> gssd with -vvv will give a clue toward what credentials caches are
>> being considered.
>>
>> I would suggest using a keytab rather than keeping a password around
>> in a script, file, or wherever you are keeping it now.
>>
>> You might also want to look at kstart and krenew:
>>
>> http://www.eyrie.org/~eagle/software/kstart/
>> http://www.eyrie.org/~eagle/software/kstart/krenew.html
>>
>>
>> On Tue, Jun 24, 2008 at 4:17 PM, Rohit Kumar Mehta wrote:
>>
>>
>>> Hi guys, is there any reason running kinit from a cronjob would have
>>> different results from running from the shell?
>>>
>>> Here is my problem in a nutshell: We are trying to set up a webserver to
>>> serve NFS-mounted public_html directories with sec=krb5. The apache process
>>> (running as nobody) needs some kerberos credentials to access these NFS
>>> exported files (perms 755). To solve this I create a crontab for nobody
>>> which issues a command like the following:
>>>
>>> echo myPassword | kinit nobody at AD.ENGR.UCONN.EDU
>>>
>>> Before my cronjob runs, I su to nobody and run klist:
>>>
>>> nobody at sumo2:/root$ klist
>>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_65534)
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt65534
>>> klist: You have no tickets cached
>>>
>>> If I do an "ls /home/rohitm/public_html", I get a "Permission denied"
>>> error, and see the following in my logs:
>>>
>>> Jun 24 15:44:43 sumo2 rpc.gssd[3968]: ERROR: GSS-API: error in
>>> gss_acquire_cred(): Unspecified GSS failure. Minor code may provide
>>> more information - No credentials cache found
>>> Jun 24 15:44:43 sumo2 rpc.gssd[3968]: WARNING: Failed to create krb5
>>> context for user with uid 65534 for server filesm.ad.engr.uconn.edu
>>>
>>> Now when the cronjob fires, I su to nobody and issue a klist:
>>>
>>> nobody at sumo2:~$ klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_65534
>>> Default principal: nobody at AD.ENGR.UCONN.EDU
>>>
>>> Valid starting     Expires            Service principal
>>> 06/24/08 15:30:02  06/25/08 01:30:02  krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU
>>>         renew until 06/25/08 15:30:02, Flags: FRIA
>>> 06/24/08 15:30:32  06/25/08 01:30:02  nfs/filesm.ad.engr.uconn.edu at AD.ENGR.UCONN.EDU
>>>         renew until 06/25/08 15:30:02, Flags: FRA
>>> 06/24/08 15:30:32  06/25/08 01:30:02  FILESM$@AD.ENGR.UCONN.EDU
>>>         renew until 06/25/08 15:30:02, Flags: FRA
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt65534
>>> klist: You have no tickets cached
>>>
>>> Now comes the confusing part.
>>> At this point issuing a command like "ls
>>> -al /home/rohitm" *sometimes* succeeds, and other times it will continue
>>> to fail until the next time the cronjob trips or I run the kinit manually.
>>> I am really not sure what is going on, but I did find this thread:
>>>
>>> http://linux-nfs.org/pipermail/nfsv4/2007-October/006915.html
>>>
>>> and am trying out kkeepd. In the meantime, does anyone know why my
>>> "echo password | kinit" seems to fail intermittently?
>>>
>>> --
>>> Rohit Mehta
>>> Computer Engineer
>>> University of Connecticut
>>> Engineering Computing Services
>>> 371 Fairfield Road Unit 2031
>>> Storrs, CT 06269-2031
>>>
>>> Office: (860) 486 - 2331
>>> Fax: (860) 486 - 1273
>>>
>>>
>>> _______________________________________________
>>> NFSv4 mailing list
>>> NFSv4 at linux-nfs.org
>>> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>>
>>>
>>
>>
>
>

--
Paul Palacios
paul at c-group.com

From mohamed.chaari at orange-ftgroup.com Thu Jun 26 05:44:26 2008
From: mohamed.chaari at orange-ftgroup.com (mohamed.chaari@orange-ftgroup.com)
Date: Thu, 26 Jun 2008 11:44:26 +0200
Subject: Kerberos V5 and GSSAPI
Message-ID:

> Hello,
>
> I'm interested in studying the security of Kerberos V5. I have seen the
> code, and I would like to know if the use of GSSAPI is optional or basic
> in the communication between client and server application. If it is
> basic, why not use the Ksession as a basic key to encrypt messages?
> Also, I would like to know if communication between a client and the KDC
> is encrypted. If it is the case, how is it done?
>
> Thanks.

From kulg123 at gmail.com Thu Jun 26 10:54:40 2008
From: kulg123 at gmail.com (kul gupta)
Date: Thu, 26 Jun 2008 20:24:40 +0530
Subject: windows+KDC+Lib files
Message-ID: <2203f95e0806260754j6462fd04i67b94f2a30c057d5@mail.gmail.com>

Hi

I am trying to build a kerberos client on windows os, with the KDC (MIT
kerberos) on a linux server.
I am trying to use the kerberos krb5_get_init_creds_password() but I am not
able to find the lib files with the MIT kerberos windows installation.
Where can I get the lib files for the kerberos libs on windows, or is there
any other way I can call the kerberos api?

How should I configure the kerberos client on windows, i.e. how to do the
krb5.conf setting?

Thanks and Regards
kul

From jos at catnook.com Thu Jun 26 17:41:29 2008
From: jos at catnook.com (Jos Backus)
Date: Thu, 26 Jun 2008 14:41:29 -0700
Subject: Question about dns_lookup_realm and domain_realm
Message-ID: <20080626214129.GB76461@lizzy.catnook.local>

Our setup employs two Kerberos realms, PROD.FOO.COM and DEV.FOO.COM, under a
single DNS domain, foo.com. It would appear that dns_lookup_realm and the
addition of TXT RRs are supposed to handle this situation, but it doesn't
appear to work.

Setup: CentOS 5.1, krb5-1.6.1 RPMs.

kerberos1-dev.foo.com = master
kerberos2-dev.foo.com = slave, runs kpropd

DNS:

_kerberos.kerberos1-dev.foo.com IN TXT DEV.FOO.COM
_kerberos.kerberos2-dev.foo.com IN TXT DEV.FOO.COM

/etc/krb5.conf:

[libdefaults]
    default_realm = DEV.FOO.COM
    dns_lookup_realm = true

[realms]
    DEV.FOO.COM = {
        admin_server = kerberos1-dev.foo.com:749
    }
    PROD.FOO.COM = {
        admin_server = kerberos1-prod.foo.com:749
    }

[domain_realm]
    .foo.com = PROD.FOO.COM

Running `kprop -f /var/kerberos/krb5kdc/slave_datatrans kerberos2-dev.foo.com'
yields:

kprop: Client not found in Kerberos database while getting initial ticket

Adding

kerberos1-dev.foo.com = DEV.FOO.COM

to the domain_realm section makes kprop work. However, it is undesirable from
a maintenance point of view as a general fix.

strace'ing kprop reveals that it does not make any TXT DNS queries, which is
unexpected.

How is this supposed to work? Thanks for any light you can shed on this
mechanism.
--
Jos Backus
jos at catnook.com

From matthew at loar.name Thu Jun 26 16:27:45 2008
From: matthew at loar.name (Matthew Loar)
Date: Thu, 26 Jun 2008 20:27:45 +0000 (UTC)
Subject: windows+KDC+Lib files
References:
Message-ID:

kul gupta wrote:
> Hi
> I am trying to build a kerberos client on windows os, with the KDC (MIT
> kerberos) on a linux server.
> I am trying to use the kerberos krb5_get_init_creds_password() but I am not
> able to find the lib files with the MIT kerberos windows
> installation. Where can I get the lib files for the kerberos libs on windows,
> or is there any other way I can call the kerberos api?

The headers and libraries are included in the KfW SDK, current version at:
http://web.mit.edu/kerberos/www/dist/kfw/3.2/kfw-3.2.2/kfw-3-2-2-sdk.zip

> How should I configure the kerberos client on windows, i.e. how to do the
> krb5.conf setting?

The krb5.conf is called krb5.ini and is in the Windows directory, i.e.
C:\Windows\krb5.ini.

Matt Loar

From jos at catnook.com Thu Jun 26 23:04:34 2008
From: jos at catnook.com (Jos Backus)
Date: Thu, 26 Jun 2008 20:04:34 -0700
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <20080626214129.GB76461@lizzy.catnook.local>
References: <20080626214129.GB76461@lizzy.catnook.local>
Message-ID: <20080627030434.GA7120@lizzy.catnook.local>

(I know, following up on myself...)

http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS says:

"The second mechanism works by looking up the information in special TXT
records in the Domain Name Service. This is currently not used by default
because security holes could result if the DNS TXT records were spoofed. If
this mechanism is enabled on the client, it will try to look up a TXT record
for the DNS name formed by putting the prefix _kerberos in front of the
hostname in question."

(Fwiw, 1.5.4 has similar verbiage.) The dns_lookup_realm libdefaults option
supposedly enables this mechanism on the client.
The doc for it says:

"Indicate whether DNS TXT records should be used to determine the Kerberos
realm of a host."

However, this doesn't actually work (at least in krb5 1.6.1, and likely other
MIT versions as well), so either the docs are incorrect or there's a bug.

Clients appear to use krb5_get_host_realm() (perhaps through calling
krb5_sname_to_principal(), as in the case of kprop.c), _not_
krb5_get_fallback_host_realm(), which does have code to look up a
_kerberos.FQDN TXT RR (but doesn't handle domain_realm).

The attached proof-of-concept patch adds a new libdefaults option,
dns_lookup_host_realm, which corrects this. When set (it defaults to false),
the DNS TXT RR lookup is attempted first, and if it succeeds, the TXT RR's
value is used as the realm. The code is cribbed from
krb5_get_fallback_host_realm(), so some refactoring is clearly needed. Also,
I realize there's no documentation.

If you think this is a useful change I'm willing to clean it up some more and
add documentation. Otherwise I'll just keep it as a local patch, as it fixes
my particular issue.

Thanks,
--
Jos Backus
jos at catnook.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: kerberos-dns_lookup_host_realm.diff
Type: text/x-diff
Size: 3794 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20080626/30d30b3e/kerberos-dns_lookup_host_realm.bin

From jaltman at secure-endpoints.com Fri Jun 27 00:52:49 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 27 Jun 2008 00:52:49 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <20080627030434.GA7120@lizzy.catnook.local>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local>
Message-ID: <48647221.8010103@secure-endpoints.com>

Jos Backus wrote:
> (I know, following up on myself...)
>
> http://web.mit.edu/kerberos/www/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Using-DNS says:
>
> "The second mechanism works by looking up the information in special TXT
> records in the Domain Name Service. This is currently not used by default
> because security holes could result if the DNS TXT records were spoofed. If
> this mechanism is enabled on the client, it will try to look up a TXT record
> for the DNS name formed by putting the prefix _kerberos in front of the
> hostname in question."
>
> (Fwiw, 1.5.4 has similar verbiage.) The dns_lookup_realm libdefaults option
> supposedly enables this mechanism on the client. The doc for it says:
>
> "Indicate whether DNS TXT records should be used to determine the Kerberos
> realm of a host."
>
> However, this doesn't actually work (at least in krb5 1.6.1, and likely other
> MIT versions as well), so either the docs are incorrect or there's a bug.
>

This behavior was most likely broken when the referrals code was added.

From jos at catnook.com Fri Jun 27 01:37:59 2008
From: jos at catnook.com (Jos Backus)
Date: Thu, 26 Jun 2008 22:37:59 -0700
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <48647221.8010103@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com>
Message-ID: <20080627053759.GB7120@lizzy.catnook.local>

On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
> This behavior was most likely broken when the referrals code was added.

So it's a regression. Until this is fixed properly (which I don't claim my
patch does :-) ) I'm possibly in need of a workaround.
Do you see anything wrong with the patch as such?

Thanks,
--
Jos Backus
jos at catnook.com

From jaltman at secure-endpoints.com Fri Jun 27 01:57:37 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 27 Jun 2008 01:57:37 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <20080627053759.GB7120@lizzy.catnook.local>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local>
Message-ID: <48648151.50403@secure-endpoints.com>

Jos Backus wrote:
> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>> This behavior was most likely broken when the referrals code was added.
>
> So it's a regression. Until this is fixed properly (which I don't claim my
> patch does :-) ) I'm possibly in need of a workaround. Do you see anything
> wrong with the patch as such?

There are several issues here. First, DNS TXT records are known to be
insecure. Turning them on for use in realm resolution provides for
convenience but at the risk that your clients can be redirected to a realm
that you do not control.

Second, any domain_realm mapping for your domain .foo.com is going to
override the use of DNS lookups. That is because local configuration data is
considered to be trustworthy whereas DNS lookups are not.

In the case of two realms, PROD.FOO.COM and DEV.FOO.COM, some of your hosts
are in one and some are in the other. By default you want PROD.FOO.COM to be
used. However, for specific hosts you want DEV.FOO.COM. Using the config file
you would specify

[domain_realm]
    devhost1.foo.com = DEV.FOO.COM
    .foo.com = PROD.FOO.COM

If you want to rely on DNS TXT records you have to make sure that there are
no mappings in the config file.
Then you would create records for

_kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
_kerberos.foo.com IN TXT PROD.FOO.COM

Because DNS TXT records are insecure and there is a need to be able to
provide for centralized configuration data, Microsoft created the Kerberos
referrals mechanism. Using referrals, a client asks the KDC belonging to the
TGT realm for a referral to the correct realm for the desired service
principal. Referrals are used whenever there is not a local [domain_realm]
mapping.

The safe way to add DNS TXT records back into the equation would be to add
the DNS TXT lookup after the referrals request fails.

From jos at catnook.com Fri Jun 27 02:29:33 2008
From: jos at catnook.com (Jos Backus)
Date: Thu, 26 Jun 2008 23:29:33 -0700
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <48648151.50403@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com>
Message-ID: <20080627062933.GA12491@lizzy.catnook.local>

On Fri, Jun 27, 2008 at 01:57:37AM -0400, Jeffrey Altman wrote:
> There are several issues here. First, DNS TXT records are known to be
> insecure. Turning them on for use in realm resolution provides for
> convenience but at the risk that your clients can be redirected to a realm
> that you do not control.

Understood.

> Second, any domain_realm mapping for your domain .foo.com is going to
> override the use of DNS lookups. That is because local configuration data is
> considered to be trustworthy whereas DNS lookups are not.
That's something my patch changes, as it performs the DNS lookup first (when
configured).

> In the case of two realms, PROD.FOO.COM and DEV.FOO.COM, some of your hosts
> are in one and some are in the other. By default you want PROD.FOO.COM to be
> used. However, for specific hosts you want DEV.FOO.COM. Using the config file
> you would specify
>
> [domain_realm]
>     devhost1.foo.com = DEV.FOO.COM
>     .foo.com = PROD.FOO.COM

Yup, tried that, works, but doesn't scale well.

> If you want to rely on DNS TXT records you have to make sure that there are
> no mappings in the config file. Then you would create records for
>
> _kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
> _kerberos.foo.com IN TXT PROD.FOO.COM

Okay. We have the former (obviously) but not the latter. I can add that.

> Because DNS TXT records are insecure and there is a need to be able to
> provide for centralized configuration data, Microsoft created the Kerberos
> referrals mechanism. Using referrals, a client asks the KDC belonging to the
> TGT realm for a referral to the correct realm for the desired service
> principal. Referrals are used whenever there is not a local [domain_realm]
> mapping.

So this implies two-way trust and communication, yes? I wonder if this will
require network/ACL changes.

> The safe way to add DNS TXT records back into the equation would be to add
> the DNS TXT lookup after the referrals request fails.

ISTR that's where krb5_get_fallback_host_realm() is called, from a comment in
the code. Now it's clear why, although I still don't quite grok the referral
mechanism. Time to study the documentation.

Thanks for the critique and helpful information, Jeffrey.
--
Jos Backus
jos at catnook.com

From jaltman at secure-endpoints.com Fri Jun 27 08:37:23 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 27 Jun 2008 08:37:23 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <20080627062933.GA12491@lizzy.catnook.local>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <20080627062933.GA12491@lizzy.catnook.local>
Message-ID: <4864DF03.2030008@secure-endpoints.com>

Jos Backus wrote:
> On Fri, Jun 27, 2008 at 01:57:37AM -0400, Jeffrey Altman wrote:
>> There are several issues here. First, DNS TXT records are known to be
>> insecure. Turning them on for use in realm resolution provides for
>> convenience but at the risk that your clients can be redirected to a realm
>> that you do not control.
>
> Understood.
>
>> Second, any domain_realm mapping for your domain .foo.com is going to
>> override the use of DNS lookups. That is because local configuration data is
>> considered to be trustworthy whereas DNS lookups are not.
>
> That's something my patch changes, as it performs the DNS lookup first (when
> configured).

Which in turn would disable Kerberos referrals.

>
>> In the case of two realms, PROD.FOO.COM and DEV.FOO.COM, some of your hosts
>> are in one and some are in the other. By default you want PROD.FOO.COM to be
>> used. However, for specific hosts you want DEV.FOO.COM. Using the config file
>> you would specify
>>
>> [domain_realm]
>>     devhost1.foo.com = DEV.FOO.COM
>>     .foo.com = PROD.FOO.COM
>
> Yup, tried that, works, but doesn't scale well.

There is a serious need for the zero configuration solution for Kerberos
deployments. Of course, DNS is insecure, so relying on DNS to bootstrap your
authentication system is undesirable.
That is not to say it has not been used but only because there have been no other choices.

>
>> If you want to rely on DNS TXT records you have to make sure that there are no mappings in the config file. Then you would create records for
>>
>> _kerberos.devhost1.foo.com IN TXT DEV.FOO.COM
>> _kerberos.foo.com IN TXT PROD.FOO.COM
>
> Okay. We have the former (obviously) but not the latter. I can add that.
>
>> Because DNS TXT records are insecure and there is a need to be able to provide for centralized configuration data Microsoft created the Kerberos referrals mechanism. Using referrals a client asks the KDC belonging to the TGT realm for a referral to the correct realm for the desired service principal. Referrals are used whenever there is not a local [domain_realm] mapping.
>
> So this implies two-way trust and communication, yes? I wonder if this will require network/ACL changes.

For referrals to work the user must have already obtained a TGT. If you are trying to decide which identity a user should obtain a credential for based upon the host that the user is going to communicate with, that is not something that will be solved by referrals. To be honest, I don't think it will be solved by domain_realm mappings whether stored locally or in DNS.

>
>> The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
>
> ISTR that's where krb5_get_fallback_host_realm() is called, from a comment in the code. Now it's clear why although I still don't quite grok the referral mechanism. Time to study the documentation.
>
> Thanks for the critique and helpful information, Jeffrey.
>

No problem.
From naveen.bn at globaledgesoft.com Fri Jun 27 08:42:13 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Fri, 27 Jun 2008 18:12:13 +0530
Subject: guidance
Message-ID: <4864E025.8040702@globaledgesoft.com>

Hi Kevin,

I am facing a problem and would like to get a suggestion from you regarding it.

My seniors had come up with a Kerberos client which took the reference from krb5-1.2.2, which was without PKINIT support, and they had added the PKINIT support for it. I have no contact with them; I have no idea what server they had used. But now that krb5-1.6.3 supports PKINIT, I am trying to use it as the server.

My client works without PKINIT, but with PKINIT support the server (krb5-1.6.3) is not able to decode the AS_REQ packet and the kdc log says

    preauth (pkinit) verify failure: ASN.1 identifier doesn't match expected value.

I tested the AS_REQ with the tool dumpasn1.c; I found no problem in the pkinit asn1 dump.

Kindly help me in solving this problem.

Thank you
naveen
From kwc at umich.edu Fri Jun 27 09:40:15 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Fri, 27 Jun 2008 09:40:15 -0400
Subject: guidance
In-Reply-To: <4864E025.8040702@globaledgesoft.com>
References: <4864E025.8040702@globaledgesoft.com>
Message-ID: <4d569c330806270640g41c1b76eu9f5643592a212a2b@mail.gmail.com>

Are you aware that there are two different flavors of pkinit? There is the original protocol deployed by Microsoft in Windows 2000 (sometimes referred to as the "Draft 9 version" because it was basically the version defined by draft 9 of the RFC) and then the finalized RFC version (which was something like draft number 24). Do you know which version your client uses?

The code in MIT 1.6.3 supports both versions of the protocol. It would be up to your client to make sure that it correctly identifies the protocol version it is using. (There are different preauth padata types for each version.)

    #define KRB5_PADATA_PK_AS_REQ_OLD 14 /* PKINIT */
    #define KRB5_PADATA_PK_AS_REP_OLD 15 /* PKINIT */
    #define KRB5_PADATA_PK_AS_REQ     16 /* PKINIT */
    #define KRB5_PADATA_PK_AS_REP     17 /* PKINIT */

Beyond that, you would probably need to compile the KDC code to support debugging and trace through to find the portion of the client's request that the server code does not like. You might start looking at the code in src/lib/krb5/asn.1/asn1_k_decode.c.

K.C.

On Fri, Jun 27, 2008 at 8:42 AM, naveen.bn wrote:
>
> Hi Kevin,
>
> I am facing a problem and would like to get suggestion from you regarding it.
>
> My seniors had come up with a kerberos client which took the reference from krb5-1.2.2, which was with out PKINIT support and they had added the PKINIT support for it. I have no contact with them, I have no idea what server they had used.
> But, now that the krb5-1.6.3 supports PKINIT, I am trying to use it as Server.
> My client works without PKINIT, but with PKINIT support the server (krb5-1.6.3) is not able to decode AS_REQ packet and the kdc log says
> preauth (pkinit) verify failure: ASN.1 identifier doesn't match expected value.
>
> I tested the AS_REQ with the tool dumpasn1.c, I found no problem in pkinit asn1 dump.
>
> Kindly help me in solving this problem
> Thank you
>
> naveen
From ssorce at redhat.com Fri Jun 27 11:17:11 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2008 11:17:11 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <48648151.50403@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com>
Message-ID: <1214579831.3822.276.camel@localhost.localdomain>

On Fri, 2008-06-27 at 01:57 -0400, Jeffrey Altman wrote:
> Jos Backus wrote:
>> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>>> This behavior was most likely broken when the referrals code was added.
>>
>> So it's a regression. Until this is fixed properly (which I don't claim my patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong with the patch as such?
> There are several issues here. First, DNS TXT records are known to be insecure.

Jeff,
this statement is interesting, how are TXT records "insecure"?

> Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.

You can do the same with DNS poisoning, if you do not trust DNS any name resolution becomes "insecure". Isn't "validation" all about verifying the KDC is one we can really trust by using a trusted secret?

> Second, any domain_realm mapping for your domain .foo.com is going to override the use of DNS lookups. That is because local configuration data is considered to be trustworthy whereas DNS lookups are not.

How is local configuration data trustworthy given that to resolve names to IPs we still rely on DNS? Or do you also rely on /etc/hosts for most of the data?
> The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.

Do we have information on which clients support referrals? And are they implemented in MIT KDC (and how)?

thanks,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

From raeburn at MIT.EDU Fri Jun 27 11:32:28 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 27 Jun 2008 11:32:28 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <1214579831.3822.276.camel@localhost.localdomain>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain>

On Jun 27, 2008, at 11:17, Simo Sorce wrote:
> this statement is interesting, how are TXT records "insecure"?

If a forged TXT RR is received, the client may be told the server is in a different realm. That realm may have been compromised by an attacker, and cross-realm authentication to it may be possible (especially if and when we get something PKINIT-like deployed). So the client can "successfully" authenticate to host/server.foo.com@BLACK-HATS.TLD, and never know that that's not the principal it should be authenticating to for server.foo.com.

> Isn't "validation" all about verifying the KDC is one we can really trust by using a trusted secret?

Cross-realm authentication and the possibility of compromised "neighbor" realms make it much more complicated.

> How is local configuration data trustworthy given that to resolve names to IPs we still rely on DNS?
Trusting address records from DNS, but not trusting DNS at all for authentication purposes, would mean the attacker could get the client to connect to server.black-hats.tld, but it would try authenticating to the originally intended service principal; since the black hats don't have the service key, it would fail, and the client should disconnect. It's a denial of service, but not a transparent spoofing of the service.

> Do we have information on which clients support referrals?

Current Microsoft and MIT clients do; I wouldn't be surprised if Heimdal does as well.

> And are they implemented in MIT KDC (and how)?

Not yet. A basic implementation (using the domain_realm mapping from the KDC's config files) is currently on my plate.

Ken

From jaltman at secure-endpoints.com Fri Jun 27 11:31:28 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 27 Jun 2008 11:31:28 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <1214579831.3822.276.camel@localhost.localdomain>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain>
Message-ID: <486507D0.2030409@secure-endpoints.com>

Simo Sorce wrote:
>> There are several issues here. First, DNS TXT records are known to be insecure.
>
> Jeff,
> this statement is interesting, how are TXT records "insecure"?

I will refer you to the security considerations section of the internet draft. Note that the insecurity is one reason that the TXT record portion of the draft was not added to RFC 4120 as the DNS SRV records portion was.

http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03

>
>> Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.
>
> You can do the same with DNS poisoning, if you do not trust DNS any name resolution becomes "insecure".
> Isn't "validation" all about verifying the KDC is one we can really trust by using a trusted secret?

If the host name resolves to a different IP address, the authentication will fail.

>
>> Second, any domain_realm mapping for your domain .foo.com is going to override the use of DNS lookups. That is because local configuration data is considered to be trustworthy whereas DNS lookups are not.
>
> How is local configuration data trustworthy given that to resolve names to IPs we still rely on DNS? Or do you also rely on /etc/hosts for most of the data?

If the host name resolves to a different IP address, the authentication will fail.

>
>> The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
>
> Do we have information on which clients support referrals?
> And are they implemented in MIT KDC (and how)?
>

Heimdal, MIT, and Microsoft support referrals as implemented in Windows Active Directory. The IETF Kerberos working group is still working on an RFC for referrals.

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-10.txt

Jeffrey Altman
From ssorce at redhat.com Fri Jun 27 11:51:14 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 27 Jun 2008 11:51:14 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <486507D0.2030409@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain> <486507D0.2030409@secure-endpoints.com>
Message-ID: <1214581874.3822.284.camel@localhost.localdomain>

On Fri, 2008-06-27 at 11:31 -0400, Jeffrey Altman wrote:
> Simo Sorce wrote:
>>> There are several issues here. First, DNS TXT records are known to be insecure.
>>
>> Jeff,
>> this statement is interesting, how are TXT records "insecure"?
> I will refer you to the security considerations section of the internet draft. Note that the insecurity is one reason that the TXT record portion of the draft was not added to RFC 4120 as the DNS SRV records portion was.
>
> http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03

Thanks, the explanation there makes a lot of sense, but reading through the lines it probably would not affect the original poster's security, because the "insecurity" of the TXT record is exploitable only in case a trusted realm is compromised (and the DNS spoofed at the same time). But it is a very interesting consideration nonetheless.

>> How is local configuration data trustworthy given that to resolve names to IPs we still rely on DNS? Or do you also rely on /etc/hosts for most of the data?
> If the host name resolves to a different IP address, the authentication will fail.
Uhmm, perhaps we are thinking of two different things; once you control DNS you control both direct and reverse address resolution.

>>> The safe way to add DNS TXT records back into the equation would be to add the DNS TXT lookup after the referrals request fails.
>>
>> Do we have information on which clients support referrals?
>> And are they implemented in MIT KDC (and how)?
>>
> Heimdal, MIT, and Microsoft support referrals as implemented in Windows Active Directory. The IETF Kerberos working group is still working on an RFC for referrals.
>
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-10.txt

Thanks a lot, lots of very useful info here.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From jos at catnook.com Fri Jun 27 12:06:53 2008
From: jos at catnook.com (Jos Backus)
Date: Fri, 27 Jun 2008 09:06:53 -0700
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <4864DF03.2030008@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <20080627062933.GA12491@lizzy.catnook.local> <4864DF03.2030008@secure-endpoints.com>
Message-ID: <20080627160653.GA18782@lizzy.catnook.local>

On Fri, Jun 27, 2008 at 08:37:23AM -0400, Jeffrey Altman wrote:
>> That's something my patch changes as it performs the DNS lookup first (when configured).
> Which in turn would disable Kerberos referrals.

Good to know. If referrals solve my problem, I'll set that up.

> There is a serious need for the zero configuration solution for Kerberos deployments. Of course, DNS is insecure so relying on DNS to bootstrap your authentication system is undesirable. That is not to say it has not been used but only because there have been no other choices.

Amen.

> For referrals to work the user must have already obtained a TGT.
> If you are trying to decide which identity a user should obtain a credential for based upon the host that the user is going to communicate with, that is not something that will be solved by referrals.

Understood. Thankfully that's not the issue here - the user already has a TGT.

> To be honest, I don't think it will be solved by domain_realm mappings whether stored locally or in DNS.

Based on what I know, I agree.

Thanks,
--
Jos Backus
jos at catnook.com

From jaltman at secure-endpoints.com Fri Jun 27 12:10:22 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 27 Jun 2008 12:10:22 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <1214581874.3822.284.camel@localhost.localdomain>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain> <486507D0.2030409@secure-endpoints.com> <1214581874.3822.284.camel@localhost.localdomain>
Message-ID: <486510EE.5090302@secure-endpoints.com>

Simo Sorce wrote:
>
> Uhmm perhaps we are thinking of two different things, once you control DNS you control both direct and reverse address resolution.
>

Hence the reason that reverse DNS lookups are not to be used as per the Security Considerations of RFC 4120.

Jeffrey Altman
From raeburn at MIT.EDU Fri Jun 27 13:35:00 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 27 Jun 2008 13:35:00 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <1214581874.3822.284.camel@localhost.localdomain>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain> <486507D0.2030409@secure-endpoints.com> <1214581874.3822.284.camel@localhost.localdomain>
Message-ID: <72A24B21-10CF-46FA-8F5E-D29F99D36F5E@mit.edu>

On Jun 27, 2008, at 11:51, Simo Sorce wrote:
> Thanks, the explanation there makes a lot of sense, but reading through the lines it probably would not affect the original poster security, because the "insecurity" of the TXT record is exploitable only in case a trusted realm is compromised (and the DNS spoofed at the same time).

The "trusted realm" idea gets tossed around a lot, without a lot of specifics. Sometimes what is meant is, "a client in realm A can prove its identity to a server in realm B", and with multi-hop cross-realm authentication and (someday, we hope) something like PKCROSS, that doesn't have to imply any relationship directly between the two. With PKCROSS, all that's needed is KDCs to have certificates issued by trusted CAs. Sometimes what is meant is, "I know the administrators of realm B (or run it myself), and I put complete trust in anything they tell me, even if they're telling me something about my own users or servers". Kerberos cross-realm authentication is about the former.
That said, if you don't exchange cross-realm keys with any outside realms, and disable PKCROSS if/when it gets implemented, you could have an isolated set of realms collectively considered part of your trusted computing base.

>>> How is local configuration data trustworthy given that to resolve names to IPs we still rely on DNS? Or do you also rely on /etc/hosts for most of the data?
>> If the host name resolves to a different IP address, the authentication will fail.
>
> Uhmm perhaps we are thinking of two different things, once you control DNS you control both direct and reverse address resolution.

The RFC says a Kerberos implementation shouldn't rely on DNS for determining the service principal name. That MIT's implementation does is a bug. (A long-standing one, one with implications as far as choices of names stored in keytabs, and changing it will involve some transition issues, as well as needing better support for handling multiple names for a server.) The name you attempt to *authenticate* to SHOULD be the name provided by the user, possibly transformed in some secure ways (e.g., add the local domain name, but do not look it up in DNS without DNSSEC).

Ken

From michael.krauss at progeny.net Fri Jun 27 15:40:48 2008
From: michael.krauss at progeny.net (Krauss, Michael)
Date: Fri, 27 Jun 2008 15:40:48 -0400
Subject: Hostnames
Message-ID: <59B8EABA59056F429D94000F15A3756922AFB3@es-22h.manassas.progeny.net>

List members,

Is it possible to have a server without a hostname?

Thanks,
-Michael

From taofeek_1001 at yahoo.com Sat Jun 28 10:04:50 2008
From: taofeek_1001 at yahoo.com (Taofeek Bello)
Date: Sat, 28 Jun 2008 07:04:50 -0700 (PDT)
Subject: Hostname
Message-ID: <301715.51548.qm@web37304.mail.mud.yahoo.com>

Once you have a server and the server has an IP address, for sure the server must have a name. This is the hostname.

Yours sincerely,

Taofeek Bello
Oracle Apps (eBusiness Suites) DBA / Unix Admin.
From lha at kth.se Sat Jun 28 04:05:54 2008
From: lha at kth.se (Love Hörnquist Åstrand)
Date: Sat, 28 Jun 2008 09:05:54 +0100
Subject: Question about dns_lookup_realm and domain_realm
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain>
Message-ID: <04CA95E9-8F79-4AA6-885F-4FFC5FFF8E0F@kth.se>

>
>> Do we have information on which clients support referrals?
>
> Current Microsoft and MIT clients do, I wouldn't be surprised if Heimdal does as well.

Heimdal supports client, server (both cross realm referrals and server name) in both the client library and the KDC.

Love

From kulg123 at gmail.com Sun Jun 29 07:01:17 2008
From: kulg123 at gmail.com (kul gupta)
Date: Sun, 29 Jun 2008 16:31:17 +0530
Subject: mod_auth_kerb+ apacahe+kerberos
Message-ID: <2203f95e0806290401u7ce56bd7j3cd1532c811de8c2@mail.gmail.com>

Hello

I want to use the module "auth_mod_kerb" for the web authentication. Currently I'm trying on RedHat Enterprise Linux 5.0.

I have OpenSSL 0.9.8g installed on it. But when I'm trying to install "apache with ssl", I'm getting some error. Without ssl apache is getting installed properly.

Is it necessary to have "apache with ssl" for working with "auth_mod_kerb"? If yes, how can I proceed for the same?

I will highly appreciate it if someone can help me on this issue.
Thanks
Regards
KUL

From msimovic at concurrent-thinking.com Sun Jun 29 07:20:55 2008
From: msimovic at concurrent-thinking.com (Martin Simovic)
Date: Sun, 29 Jun 2008 12:20:55 +0100
Subject: mod_auth_kerb+ apacahe+kerberos
In-Reply-To: <2203f95e0806290401u7ce56bd7j3cd1532c811de8c2@mail.gmail.com>
References: <2203f95e0806290401u7ce56bd7j3cd1532c811de8c2@mail.gmail.com>
Message-ID: <1214738455.8726.18.camel@precision.lan.streamline-computing.com>

On Sun, 2008-06-29 at 16:31 +0530, kul gupta wrote:
> Hello
>
> I want to use the module "auth_mod_kerb" for the web authentication. Currently i m trying on RedHat enterprise linix 5.0
>
> I have Openssl 0.9.8 g installed on it. But when i m trying to install "apachae with ssl", i m getting some error. Without ssl apache is getting installed properly
>
> Is it necessary to have "apache with ssl" for working with "auth_mod_kerb"?? If yes, how can i proceed for the same
>
> I will highly appreciate if someone can help me on this issue.
>
>
> Thanks
> Regards
> KUL
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Hi,

'some error' does not actually help us to solve your problem. This is Red Hat specific and has nothing to do with Kerberos or auth whatsoever at this stage. Look at the Red Hat docs (which used to be very good - last one I used was 'shrike' :) ) for the troubleshooting of Apache SSL installation.

To answer your question: for Apache auth_mod_krb SSL is recommended, however not necessary. The fact is, it would work without it, but it's definitely something you do not want to do. Without SSL your Kerberos passwords will fly to the web server in cleartext (yes) and therefore totally compromise your Kerberos infrastructure (all your kerberized services use the same username/password, yes?).
Apart from that, if your goal is to implement an SSO solution (so that your users will use a Kerberos TGT rather than a password - but you never know what a user will do ;) ), the Firefox (and IE) plugin is configured to authenticate only to Kerberos-enabled websites over SSL - you would have to override this in the about:config setting for each of your URLs in Firefox (no idea for IE).

Summary: you want SSL.

There are nice docs here (recommend reading through): http://modauthkerb.sourceforge.net/index.html

Martin.

From mayer at ntp.isc.org Sun Jun 29 23:54:32 2008
From: mayer at ntp.isc.org (Danny Mayer)
Date: Sun, 29 Jun 2008 23:54:32 -0400
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <48648151.50403@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com>
Message-ID: <486858F8.6010500@ntp.isc.org>

Jeffrey Altman wrote:
> Jos Backus wrote:
>> On Fri, Jun 27, 2008 at 12:52:49AM -0400, Jeffrey Altman wrote:
>>> This behavior was most likely broken when the referrals code was added.
>>
>> So it's a regression. Until this is fixed properly (which I don't claim my patch does :-) ) I'm possibly in need of a workaround. Do you see anything wrong with the patch as such?
> There are several issues here. First, DNS TXT records are known to be insecure. Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.

There is nothing insecure about DNS TXT records, any more than any other record in the DNS. I'm not sure where this idea came from.
Danny

From rra at stanford.edu Mon Jun 30 01:25:45 2008
From: rra at stanford.edu (Russ Allbery)
Date: Sun, 29 Jun 2008 22:25:45 -0700
Subject: Question about dns_lookup_realm and domain_realm
In-Reply-To: <486858F8.6010500@ntp.isc.org> (Danny Mayer's message of "Sun, 29 Jun 2008 23:54:32 -0400")
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <486858F8.6010500@ntp.isc.org>
Message-ID: <8763rr1okm.fsf@windlord.stanford.edu>

Danny Mayer writes:
> Jeffrey Altman wrote:
>> There are several issues here. First, DNS TXT records are known to be insecure. Turning them on for use in realm resolution provides for convenience but at the risk that your clients can be redirected to a realm that you do not control.

> There is nothing insecure about DNS TXT records, any more than any other record in the DNS. I'm not sure where this idea came from.

Where this idea came from is that using DNS TXT records for domain-realm mapping is potentially insecure in a way that using DNS records for SRV mapping is not. You can detect malicious SRV records because you share key material with the KDC and can confirm that you're talking to the correct KDC. Malicious TXT records are another matter, particularly if you have cross-realm trust set up with realms that could be attacked. They allow compromise of a realm with which you have cross-realm trust to be elevated into all sorts of nasty attacks on Kerberos authentications that otherwise would be entirely within your local realm.

The security issues aren't about the relative security of DNS; rather, they're about how DNS TXT records for realm mapping are used and what attacks that makes possible compared to SRV records.
--
Russ Allbery (rra at stanford.edu)

From naveen.bn at globaledgesoft.com Mon Jun 30 02:38:24 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 30 Jun 2008 12:08:24 +0530
Subject: undefined reference
Message-ID: <48687F60.3060304@globaledgesoft.com>

Hi Kevin,

If I compile krb5-1.6.3 by following these steps

    #export CFLAGS=-DDEBUG
    ./configure
    make

I am facing a problem with undefined references. I want to debug the kdc. I am doing something wrong in the process of compiling.

Thank you
naveen

From kulg123 at gmail.com Mon Jun 30 08:35:56 2008
From: kulg123 at gmail.com (kul gupta)
Date: Mon, 30 Jun 2008 18:05:56 +0530
Subject: mod_auth_kerb+ apacahe+mod_SSL
Message-ID: <2203f95e0806300535u7636c4f1n394001f4debbbf44@mail.gmail.com>

Hello

I want to use the module "auth_mod_kerb" for the web authentication. Currently I'm trying on RedHat Enterprise Linux 5.0.

I have OpenSSL 0.9.8g installed on it. But when I'm trying to install "apache with ssl" (apache 2.2.8), I'm getting some error.
Without ssl apache is getting installed properly.

I did

  ./configure --enable-ssl --enable-mods-shared=all

then

  make

Now I'm getting the following errors:

  /ab.c:382: undefined reference to `BIO_get_callback_arg'
  /ab.c:1144: undefined reference to `BIO_set_callback'
  /ab.c:1144: undefined reference to `BIO_set_callback'
  /ab.c:1145: undefined reference to `BIO_set_callback_arg'
  .libs/ab.o: In function `main':
  ab.c:2154: undefined reference to `SSL_CTX_set_info_callback'

Please help me out in resolving this issue.

Thanks
kul

On 6/30/08, Henry B. Hotz wrote:
>
> On Jun 29, 2008, at 9:15 AM, krbdev-request at mit.edu wrote:
>
>> Message: 1
>> Date: Sun, 29 Jun 2008 16:31:17 +0530
>> From: "kul gupta"
>> Subject: mod_auth_kerb+ apacahe+kerberos
>> To: kerberos at mit.edu, krbdev at mit.edu, "Russ Allbery" , "Tadoori (EXT), Vilas" , "Jeffrey Hutzelman" <jhutz at cmu.edu>
>> Message-ID: <2203f95e0806290401u7ce56bd7j3cd1532c811de8c2 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hello
>>
>> I want to use the module "mod_auth_kerb" for the web authentication.
>> Currently I'm trying on RedHat Enterprise Linux 5.0.
>>
>> I have OpenSSL 0.9.8g installed on it.
>> But when I'm trying to install "apache with ssl", I'm getting some
>> error.
>> Without ssl apache is getting installed properly.
>>
>> Is it necessary to have "apache with ssl" for working with
>> "mod_auth_kerb"?
>> If yes, how can I proceed for the same?
>>
>> I will highly appreciate if someone can help me on this issue.
>>
>> Thanks
>> Regards
>> KUL
>
> Not in the sense of just making the software work. It's a very good idea
> though.
>
> I'd say get ssl working first in a build with mod_so (dynamically loadable
> modules). Then add mod_auth_kerb afterwards.
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

From kulg123 at gmail.com Mon Jun 30 08:45:38 2008
From: kulg123 at gmail.com (kul gupta)
Date: Mon, 30 Jun 2008 18:15:38 +0530
Subject: mod_auth_kerb+ apacahe+mod_SSL
In-Reply-To: <2203f95e0806300535u7636c4f1n394001f4debbbf44@mail.gmail.com>
References: <2203f95e0806300535u7636c4f1n394001f4debbbf44@mail.gmail.com>
Message-ID: <2203f95e0806300545t6af3eeelb6cfb66aecdeec28@mail.gmail.com>

On 6/30/08, kul gupta wrote:
>
> Hello
>
> I want to use the module "mod_auth_kerb" for the web authentication.
> Currently I'm trying on RedHat Enterprise Linux 5.0.
>
> I have OpenSSL 0.9.8g installed on it.
> But when I'm trying to install "apache with ssl" (apache 2.2.8), I'm
> getting some error.
> Without ssl apache is getting installed properly.
>
> I did
>
>   ./configure --enable-ssl --enable-mods-shared=all
>
> then
>
>   make
>
> Now I'm getting the following errors:
>
>   /ab.c:382: undefined reference to `BIO_get_callback_arg'
>   /ab.c:1144: undefined reference to `BIO_set_callback'
>   /ab.c:1144: undefined reference to `BIO_set_callback'
>   /ab.c:1145: undefined reference to `BIO_set_callback_arg'
>   .libs/ab.o: In function `main':
>   ab.c:2154: undefined reference to `SSL_CTX_set_info_callback'
>
> Please help me out in resolving this issue.
> Thanks
> kul
>
> On 6/30/08, Henry B. Hotz wrote:
>>
>> On Jun 29, 2008, at 9:15 AM, krbdev-request at mit.edu wrote:
>>
>>> Message: 1
>>> Date: Sun, 29 Jun 2008 16:31:17 +0530
>>> From: "kul gupta"
>>> Subject: mod_auth_kerb+ apacahe+kerberos
>>> To: kerberos at mit.edu, krbdev at mit.edu, "Russ Allbery" , "Tadoori (EXT), Vilas" , "Jeffrey Hutzelman" <jhutz at cmu.edu>
>>> Message-ID: <2203f95e0806290401u7ce56bd7j3cd1532c811de8c2 at mail.gmail.com>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> Hello
>>>
>>> I want to use the module "mod_auth_kerb" for the web authentication.
>>> Currently I'm trying on RedHat Enterprise Linux 5.0.
>>>
>>> I have OpenSSL 0.9.8g installed on it.
>>> But when I'm trying to install "apache with ssl", I'm getting some
>>> error.
>>> Without ssl apache is getting installed properly.
>>>
>>> Is it necessary to have "apache with ssl" for working with
>>> "mod_auth_kerb"?
>>> If yes, how can I proceed for the same?
>>>
>>> I will highly appreciate if someone can help me on this issue.
>>>
>>> Thanks
>>> Regards
>>> KUL
>>
>> Not in the sense of just making the software work. It's a very good idea
>> though.
>>
>> I'd say get ssl working first in a build with mod_so (dynamically loadable
>> modules). Then add mod_auth_kerb afterwards.
>>
>> ------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu

From naveen.bn at globaledgesoft.com Mon Jun 30 08:52:22 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 30 Jun 2008 18:22:22 +0530
Subject: ASN.1 problem
Message-ID: <4868D706.9060609@globaledgesoft.com>

Hi Kevin,

I found the problem, please help me in solving it.

When decoding AS_REQ pa-data from the function asn1_decode_pa_pk_as_req_draft9(..) in file asn1_k_decode.c, the macro

  get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0)

is invoked, which checks for asn1class = CONTEXT_SPECIFIC and construction = PRIMITIVE, but when I logged these values it was asn1class = CONTEXT_SPECIFIC and construction = CONSTRUCTED, because of which it is failing to decode pa_data of AS_REQ.

How can I make the pa_data have the expected decoding value for construction (expected value is PRIMITIVE)?

Please guide me to solve this.

Thank you
naveen

From naveen.bn at globaledgesoft.com Mon Jun 30 10:22:26 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 30 Jun 2008 19:52:26 +0530
Subject: guidance
In-Reply-To: <4d569c330806270640g41c1b76eu9f5643592a212a2b@mail.gmail.com>
References: <4864E025.8040702@globaledgesoft.com> <4d569c330806270640g41c1b76eu9f5643592a212a2b@mail.gmail.com>
Message-ID: <4868EC22.9040602@globaledgesoft.com>

Kevin Coffman wrote:
> Are you aware that there are two different flavors of pkinit? There
> is the original protocol deployed by Microsoft in Windows 2000
> (sometimes referred to as the "Draft 9 version" because it was
> basically the version defined by draft 9 of the RFC) and then the
> finalized RFC version (which was something like draft number 24).
>
> Do you know which version your client uses? The code in MIT 1.6.3
> supports both versions of the protocol. It would be up to your client
> to make sure that it correctly identifies the protocol version it is
> using. (There are different preauth padata types for each version.)
>
> #define KRB5_PADATA_PK_AS_REQ_OLD 14 /* PKINIT */
> #define KRB5_PADATA_PK_AS_REP_OLD 15 /* PKINIT */
> #define KRB5_PADATA_PK_AS_REQ 16 /* PKINIT */
> #define KRB5_PADATA_PK_AS_REP 17 /* PKINIT */
>
> Beyond that, you would probably need to compile the KDC code to
> support debugging and trace through to find the portion of the
> client's request that the server code does not like.
> You might start
> looking at the code in src/lib/krb5/asn.1/asn1_k_decode.c.
>
> K.C.
>
> On Fri, Jun 27, 2008 at 8:42 AM, naveen.bn wrote:
>
>> Hi Kevin,
>>
>> I am facing a problem and would like to get a suggestion from you regarding it.
>>
>> My seniors had come up with a kerberos client which took the reference from
>> krb5-1.2.2, which was without PKINIT support, and they
>> had added the PKINIT support for it. I have no contact with them, I have
>> no idea what server they had used.
>> But, now that the krb5-1.6.3 supports PKINIT, I am trying to use it as
>> Server. My client works without PKINIT, but with PKINIT
>> support the server (krb5-1.6.3) is not able to decode the AS_REQ packet and
>> the kdc log says
>>
>>   preauth (pkinit) verify failure: ASN.1 identifier doesn't match expected value.
>>
>> I tested the AS_REQ with the tool dumpasn1.c, I found no problem in the pkinit
>> asn1 dump.
>>
>> Kindly help me in solving this problem
>> Thank you
>>
>> naveen

Hi Kevin,

I found the problem, please help me in solving it.

When decoding AS_REQ pa-data from the function asn1_decode_pa_pk_as_req_draft9(..) in file asn1_k_decode.c, the macro

  get_implicit_octet_string(val->signedAuthPack.length, val->signedAuthPack.data, 0)

is invoked, which checks for asn1class = CONTEXT_SPECIFIC and construction = PRIMITIVE, but when I logged these values it was asn1class = CONTEXT_SPECIFIC and construction = CONSTRUCTED, because of which it is failing to decode pa_data of AS_REQ.

How can I make the pa_data have the expected decoding value for construction (expected value is PRIMITIVE)?

Please guide me to solve this.

Thank you
with regards
naveen

From mohamed.chaari at orange-ftgroup.com Mon Jun 30 10:43:10 2008
From: mohamed.chaari at orange-ftgroup.com (mohamed.chaari@orange-ftgroup.com)
Date: Mon, 30 Jun 2008 16:43:10 +0200
Subject: ASN.1
Message-ID:

Hello,

I would like to know if I can modify the ASN.1 files of kerberos.

Thanks.

From wouter at nixsys.be Sun Jun 29 11:34:47 2008
From: wouter at nixsys.be (Wouter Verhelst)
Date: Sun, 29 Jun 2008 17:34:47 +0200
Subject: Cross-realm authentication Windows AD - MIT
Message-ID: <20080627110208.GC3281@country.nixsys.be>

Hi,

Recently, I've set up an MIT kerberos realm. In this realm, there are a few users, and an Apache HTTP server that I've successfully done Kerberos authentication against using mod_auth_kerb and firefox on the client side. So far so good.

Now when I try to do cross-realm authentication from a Windows host, it does not seem to work. The steps I've taken include:

- set up cross-realm authentication: I have a one-way "incoming" trust relationship in Windows, and created a "krbtgt/MIT-REALM at WINDOWS-REALM" principal in kadmin, with the same password (a 40-character random string that was copy-pasted in both cases). The trust is a "realm" trust, not a "domain trust", to account for the differences between Windows "Kerberos" and the actual protocol.

- Use "ksetup" to tell the Windows server where the MIT-REALM's KDCs are. This was necessary, because the MIT-REALM servers did not have DNS SRV records at first (later this was fixed, but that still did not solve the problem).

- Use Internet Explorer, after logging in to a computer in WINDOWS-REALM, to access the webserver which uses mod_auth_kerb. This did not succeed.

- Use firefox to try the same. Same issue.
What's peculiar is that in the final two steps, the windows system doesn't even seem to request cross-realm kerberos tickets; it doesn't get a TGT, nor does it try to contact the MIT kerberos server.

Searching for this kind of information on the net does not reveal anything that jumps out as relevant (except for one note somewhere that Microsoft doesn't support this kind of thing -- sigh); so I'm kind of hoping someone here would have some experience with a similar situation, and could help me find out what the hell is going wrong.

Thanks,

--
Wouter Verhelst
NixSys BVBA
Louizastraat 14, 2800 Mechelen
T: +32 15 27 69 50 / F: +32 15 27 69 51 / M: +32 486 836 198

From rra at stanford.edu Mon Jun 30 12:50:41 2008
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 30 Jun 2008 09:50:41 -0700
Subject: Cross-realm authentication Windows AD - MIT
In-Reply-To: <20080627110208.GC3281@country.nixsys.be> (Wouter Verhelst's message of "Sun, 29 Jun 2008 17:34:47 +0200")
References: <20080627110208.GC3281@country.nixsys.be>
Message-ID: <87myl2j28u.fsf@windlord.stanford.edu>

Wouter Verhelst writes:

> Now when I try to do cross-realm authentication from a Windows host, it
> does not seem to work. The steps I've taken include:
>
> - set up cross-realm authentication: I have a one-way "incoming" trust
>   relationship in Windows, and created a
>   "krbtgt/MIT-REALM at WINDOWS-REALM" principal in kadmin, with the same
>   password (a 40-character random string that was copy-pasted in both
>   cases). The trust is a "realm" trust, not a "domain trust", to account
>   for the differences between Windows "Kerberos" and the actual
>   protocol.

For what it's worth, Windows Kerberos is the actual protocol. Except for some issues around PKINIT, which aren't really Microsoft's fault, and the bugs that any implementation will have, Windows Kerberos follows the protocol just like everyone else. The PAC is allowed for in the protocol.
Microsoft does deserve negative press for some things around how they handled the PAC situation, but protocol compliance isn't one of them. Microsoft Windows KDCs interoperate quite well with the rest of the world.

> What's peculiar is that in the final two steps, the windows system
> doesn't even seem to request cross-realm kerberos tickets; it doesn't
> get a TGT, nor does it try to contact the MIT kerberos server.

I think you have a one-way trust going the wrong way for what you're trying to do. You need an outgoing trust from Windows to MIT for the Windows client to get cross-realm tickets with MIT.

Why not just set up full bidirectional trust? That's what we do and I can confirm that once that trust is set up, what you're trying to do works just fine; we do exactly the same thing for our central web authentication system.

--
Russ Allbery (rra at stanford.edu)

From vilas.tadoori.ext at siemens.com Mon Jun 30 12:15:37 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Mon, 30 Jun 2008 12:15:37 -0400
Subject: Kinit/kadmin does not work
Message-ID: <0419C2808E620348A3119DCCE2A7A695075A4D81@USCIMPLM004.net.plm.eds.com>

Dear All,

It is really strange that the kinit does not work for me. I am pretty confident about my krb5.conf and kdc.conf files. They are good on the Linux SUSE, but when I have actually started working over the weekend ... it gives me this message as below for the kinit (on Solaris):

  bash-3.00# kinit
  kinit(v5): Cannot find KDC for requested realm while getting initial credentials

The kadmin also is acting strange:

  bash-3.00# kadmin -p x_tadoor
  Authenticating as principal x_tadoor with password.
  Password for x_tadoor at XXXXXXXXX *
  kadmin: Communication failure with server while initializing kadmin interface

  * intentionally crossed the realm

This is giving problems on the SunOS x86 architecture.
  bash-3.00# uname -a
  SunOS hysuntcsso 5.10 Generic_118855-33 i86pc i386 i86pc

This is really frustrating .... any help will be greatly appreciated.

Regards
Vilas

From hotz at jpl.nasa.gov Mon Jun 30 18:06:56 2008
From: hotz at jpl.nasa.gov (Henry B. Hotz)
Date: Mon, 30 Jun 2008 15:06:56 -0700
Subject: mod_auth_kerb+ apacahe+mod_SSL
In-Reply-To: <2203f95e0806300545t6af3eeelb6cfb66aecdeec28@mail.gmail.com>
References: <2203f95e0806300535u7636c4f1n394001f4debbbf44@mail.gmail.com> <2203f95e0806300545t6af3eeelb6cfb66aecdeec28@mail.gmail.com>
Message-ID:

Questions relating to Apache and SSL have nothing to do with Kerberos. I think you would get much better help from a RedHat or Apache list.

Once you get Apache+SSL working, I suggest you ask on modauthkerb-help at lists.sourceforge.net about any mod_auth_kerb issues.

Is there a reason you're not using the Apache+SSL+mod_auth_kerb that are already provided by RedHat?

This is still probably not your best forum, but I don't want to cut you off too short.

On Jun 30, 2008, at 5:45 AM, kul gupta wrote:

> On 6/30/08, kul gupta wrote:
> Hello
>
> I want to use the module "mod_auth_kerb" for the web authentication.
> Currently I'm trying on RedHat Enterprise Linux 5.0.
>
> I have OpenSSL 0.9.8g installed on it.
> But when I'm trying to install "apache with ssl" (apache 2.2.8), I'm
> getting some error.
> Without ssl apache is getting installed properly.
>
> I did
>
>   ./configure --enable-ssl --enable-mods-shared=all
>
> then
>
>   make
>
> Now I'm getting the following errors:
>
>   /ab.c:382: undefined reference to `BIO_get_callback_arg'
>   /ab.c:1144: undefined reference to `BIO_set_callback'
>   /ab.c:1144: undefined reference to `BIO_set_callback'
>   /ab.c:1145: undefined reference to `BIO_set_callback_arg'
>   .libs/ab.o: In function `main':
>   ab.c:2154: undefined reference to `SSL_CTX_set_info_callback'
>
> Please help me out in resolving this issue.
> Thanks
> kul
>
> On 6/30/08, Henry B. Hotz wrote:
> On Jun 29, 2008, at 9:15 AM, krbdev-request at mit.edu wrote:
>
> Message: 1
> Date: Sun, 29 Jun 2008 16:31:17 +0530
> From: "kul gupta"
> Subject: mod_auth_kerb+ apacahe+kerberos
> To: kerberos at mit.edu, krbdev at mit.edu, "Russ Allbery" , "Tadoori (EXT), Vilas" , "Jeffrey Hutzelman"
> Message-ID: <2203f95e0806290401u7ce56bd7j3cd1532c811de8c2 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello
>
> I want to use the module "mod_auth_kerb" for the web authentication.
> Currently I'm trying on RedHat Enterprise Linux 5.0.
>
> I have OpenSSL 0.9.8g installed on it.
> But when I'm trying to install "apache with ssl", I'm getting some
> error.
> Without ssl apache is getting installed properly.
>
> Is it necessary to have "apache with ssl" for working with
> "mod_auth_kerb"?
> If yes, how can I proceed for the same?
>
> I will highly appreciate if someone can help me on this issue.
>
> Thanks
> Regards
> KUL
>
> Not in the sense of just making the software work. It's a very good
> idea though.
>
> I'd say get ssl working first in a build with mod_so (dynamically
> loadable modules). Then add mod_auth_kerb afterwards.
>
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
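Two of the replies in this digest, Russ Allbery's on dns_lookup_realm and domain_realm and his reply in the "Cross-realm authentication Windows AD - MIT" thread, come down to the same two mechanisms: which realm a client is steered to for a host name, and which krbtgt principals have to exist before a cross-realm TGT can be issued and accepted. The Python below is an added illustration and not code from MIT krb5, Heimdal or Active Directory. It follows the lookup order MIT documents for a host's realm (an exact [domain_realm] entry, then parent-domain entries, then `_kerberos.<host>` TXT records only when `dns_lookup_realm` is on, then `default_realm`) and the RFC 4120 rule that a client in realm A reaches realm B only if A's KDC issues krbtgt/B@A and B's KDC holds the same key. Every realm name, host name, KDC database and the spoofed TXT record are constructed for the example; it models direct trusts only, and it does not claim which Active Directory trust option creates which principal. The asymmetry Russ describes falls out of the model: a spoofed SRV record only sends the AS exchange to a KDC that cannot answer under the user's key, whereas a spoofed TXT record changes the principal name the client asks for, and with a cross-realm trust in place the client's own KDC will issue the cross-realm TGT for it.

```python
"""Realm lookup and cross-realm ticket path, modelled after the replies above.
Added illustration, not code from MIT krb5 or Active Directory. Every realm,
host, KDC database and DNS record below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Kdc:
    realm: str
    principals: Set[str]  # principal names whose long-term key this KDC holds

@dataclass
class ClientConfig:
    default_realm: str
    domain_realm: Dict[str, str]  # krb5.conf [domain_realm]: "host" or ".suffix" -> REALM
    dns_lookup_realm: bool

def _suffixes(host: str) -> List[str]:
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def realm_for_host(host: str, cfg: ClientConfig, dns_txt: Dict[str, str]) -> str:
    """libkrb5's order: exact [domain_realm] entry, parent entries (".example.com"),
    then _kerberos.<host> / _kerberos.<parent> TXT only if dns_lookup_realm,
    then default_realm. A TXT answer is taken at face value: the client has no
    key material it could check it against, unlike a KDC reply found via SRV."""
    sfx = _suffixes(host)
    if sfx[0] in cfg.domain_realm:
        return cfg.domain_realm[sfx[0]]
    for s in sfx[1:]:
        if "." + s in cfg.domain_realm:
            return cfg.domain_realm["." + s]
    if cfg.dns_lookup_realm:
        for s in sfx:
            if "_kerberos." + s in dns_txt:
                return dns_txt["_kerberos." + s]
    return cfg.default_realm

def cross_realm_path(client_realm: str, service_realm: str,
                     kdcs: Dict[str, Kdc]) -> Optional[List[str]]:
    """TGT chain from client_realm to service_realm (direct trust only), or
    None: the client's KDC must issue krbtgt/SERVICE@CLIENT and the service
    realm's KDC must hold the same key (RFC 4120 cross-realm)."""
    local_tgt = f"krbtgt/{client_realm}@{client_realm}"
    if client_realm == service_realm:
        return [local_tgt]
    xtgt = f"krbtgt/{service_realm}@{client_realm}"
    home, remote = kdcs.get(client_realm), kdcs.get(service_realm)
    if home and remote and xtgt in home.principals and xtgt in remote.principals:
        return [local_tgt, xtgt]
    return None

def service_ticket(host: str, svc: str, cfg: ClientConfig,
                   dns_txt: Dict[str, str], kdcs: Dict[str, Kdc]) -> Optional[str]:
    """Service principal the client ends up asking for; its realm is the KDC
    that mints the ticket, i.e. whose key the client trusts for svc/host."""
    realm = realm_for_host(host, cfg, dns_txt)
    if cross_realm_path(cfg.default_realm, realm, kdcs) is None:
        return None
    return f"{svc}/{host}@{realm}"

# Scenario 1 (dns_lookup_realm thread): EXAMPLE.COM has a trust with PARTNER.ORG
# and a spoofed _kerberos TXT record maps the local web server to PARTNER.ORG.
KDCS = {
    "EXAMPLE.COM": Kdc("EXAMPLE.COM", {"krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                                       "krbtgt/PARTNER.ORG@EXAMPLE.COM",
                                       "HTTP/www.example.com@EXAMPLE.COM"}),
    "PARTNER.ORG": Kdc("PARTNER.ORG", {"krbtgt/PARTNER.ORG@PARTNER.ORG",
                                       "krbtgt/PARTNER.ORG@EXAMPLE.COM"}),
}
SPOOFED_TXT = {"_kerberos.www.example.com": "PARTNER.ORG"}  # constructed

def txt_mapping_attack() -> Optional[str]:
    """TXT lookup on, no static map: the home KDC issues the cross-realm TGT and
    PARTNER.ORG mints HTTP/www.example.com@PARTNER.ORG, so whoever controls
    PARTNER.ORG holds a key the client accepts for the local web server."""
    cfg = ClientConfig("EXAMPLE.COM", {}, dns_lookup_realm=True)
    return service_ticket("www.example.com", "HTTP", cfg, SPOOFED_TXT, KDCS)

def txt_mapping_hardened() -> Optional[str]:
    """Static [domain_realm] entry and dns_lookup_realm = false: the TXT record
    is never consulted and the ticket comes from the home KDC."""
    cfg = ClientConfig("EXAMPLE.COM", {".example.com": "EXAMPLE.COM"}, dns_lookup_realm=False)
    return service_ticket("www.example.com", "HTTP", cfg, SPOOFED_TXT, KDCS)

# Scenario 2 (AD-MIT thread): the krbtgt principal the trust created decides
# whether a WINDOWS.TEST client can get a ticket for an MIT.TEST service.
def windows_client_to_mit_service(trust: str) -> Optional[List[str]]:
    """'mit->windows': only krbtgt/WINDOWS.TEST@MIT.TEST exists (MIT users reach
    Windows); 'windows->mit': krbtgt/MIT.TEST@WINDOWS.TEST exists on both KDCs
    (Windows users reach MIT); 'both': bidirectional."""
    win, mit = {"krbtgt/WINDOWS.TEST@WINDOWS.TEST"}, {"krbtgt/MIT.TEST@MIT.TEST"}
    if trust in ("mit->windows", "both"):
        win.add("krbtgt/WINDOWS.TEST@MIT.TEST")
        mit.add("krbtgt/WINDOWS.TEST@MIT.TEST")
    if trust in ("windows->mit", "both"):
        win.add("krbtgt/MIT.TEST@WINDOWS.TEST")
        mit.add("krbtgt/MIT.TEST@WINDOWS.TEST")
    kdcs = {"WINDOWS.TEST": Kdc("WINDOWS.TEST", win), "MIT.TEST": Kdc("MIT.TEST", mit)}
    return cross_realm_path("WINDOWS.TEST", "MIT.TEST", kdcs)
```

`txt_mapping_attack()` returns `HTTP/www.example.com@PARTNER.ORG` while `txt_mapping_hardened()` returns `HTTP/www.example.com@EXAMPLE.COM`: the same client, host and KDCs, differing only in whether the client believes DNS about realm membership. `windows_client_to_mit_service("mit->windows")` returns None, which is the "doesn't even request cross-realm tickets" symptom: with no krbtgt/MIT.TEST@WINDOWS.TEST on the Windows KDC there is nothing for the client to ask for, whichever principal was created on the MIT side.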
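naveen's ASN.1 problem in the "guidance" thread turns on a single identifier octet. In the draft-9 PA-PK-AS-REQ the signedAuthPack field is [0] IMPLICIT OCTET STRING, and the get_implicit_octet_string check he quotes requires class CONTEXT_SPECIFIC with the constructed bit clear. DER (X.690 section 10.2) forbids the constructed form for OCTET STRING, so a client that emits a constructed [0] wrapping a universal OCTET STRING is producing BER, not DER. That is consistent with dumpasn1 showing nothing wrong (the structure is well-formed BER) while a DER-strict KDC rejects it, and it means the fix belongs in the client's encoder, not in the KDC's decoder. The Python below is an added illustration, not MIT krb5 code: it parses DER identifier and length octets, applies the same class/construction/tag check, and shows the byte layout the client must produce. The sample contents are constructed.

```python
"""Identifier-octet check behind "ASN.1 identifier doesn't match expected value".
Added illustration, not MIT krb5 code. Mirrors what the KDC's decoder does with
the tag in front of signedAuthPack ([0] IMPLICIT OCTET STRING): class must be
CONTEXT_SPECIFIC, tag number 0, construction PRIMITIVE. Sample bytes are
constructed for the example."""
from typing import Tuple

UNIVERSAL, APPLICATION, CONTEXT_SPECIFIC, PRIVATE = 0, 1, 2, 3
PRIMITIVE, CONSTRUCTED = 0, 1

def decode_identifier(buf: bytes, pos: int = 0) -> Tuple[int, int, int, int]:
    """Parse one identifier (including high-tag-number continuation octets).
    Returns (class, construction, tag_number, position after the identifier)."""
    first = buf[pos]
    cls, construction, tag = first >> 6, (first >> 5) & 1, first & 0x1F
    pos += 1
    if tag == 0x1F:  # high tag number form: base 128, bit 8 set on all but the last octet
        tag = 0
        while True:
            b = buf[pos]
            pos += 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return cls, construction, tag, pos

def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse a definite length (short or long form). Returns (length, next position)."""
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    n = b & 0x7F
    if n == 0:
        raise ValueError("indefinite length is BER, not DER")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def get_implicit_octet_string(buf: bytes, tagnum: int) -> bytes:
    """Python rendering of the check MIT's get_implicit_octet_string macro makes:
    the element must be [tagnum] IMPLICIT OCTET STRING, i.e. CONTEXT_SPECIFIC
    and PRIMITIVE. Anything else is the error naveen sees in the KDC log."""
    cls, construction, tag, pos = decode_identifier(buf)
    if cls != CONTEXT_SPECIFIC or tag != tagnum:
        raise ValueError("ASN.1 identifier doesn't match expected value: "
                         f"class {cls}, tag {tag}, wanted [{tagnum}]")
    if construction != PRIMITIVE:
        raise ValueError("ASN.1 identifier doesn't match expected value: "
                         "OCTET STRING is CONSTRUCTED (BER form); DER requires PRIMITIVE")
    length, pos = decode_length(buf, pos)
    if pos + length > len(buf):
        raise ValueError("length runs past the end of the buffer")
    return buf[pos:pos + length]

def encode_implicit_octet_string(tagnum: int, content: bytes) -> bytes:
    """DER encoder for [tagnum] IMPLICIT OCTET STRING (tagnum < 31): identifier
    0x80 | tagnum with the constructed bit clear, definite length, raw octets.
    This is the shape the client's PKINIT encoder has to produce."""
    if tagnum >= 0x1F:
        raise ValueError("high tag numbers are not needed for this field")
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([0x80 | tagnum]) + length + content

# Constructed sample: a 3-byte stand-in for the signed AuthPack.
GOOD = encode_implicit_octet_string(0, b"\x01\x02\x03")  # 80 03 01 02 03
# The same data as a constructed [0] wrapping a universal OCTET STRING (04):
# valid BER, which is why dumpasn1 is happy, but not DER, so the KDC rejects it.
BAD = bytes.fromhex("a0 05 04 03 01 02 03")

def diagnose(buf: bytes) -> str:
    """'ok' when the element passes the decoder's check, else the error text."""
    try:
        get_implicit_octet_string(buf, 0)
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    for name, buf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, buf.hex(" "), "->", diagnose(buf))
```

Running it prints `ok` for the `80 03 ...` encoding and the CONSTRUCTED diagnosis for `a0 05 04 03 ...`; the two differ only in bit 6 of the first octet, which is exactly the asn1class/construction pair naveen logged. The client fix is to emit the OCTET STRING contents directly under the `[0]` tag rather than nesting a universal OCTET STRING inside a constructed `[0]`.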