From muksyed at stanford.edu Thu May 1 02:51:31 2008 
From: muksyed at stanford.edu (Mukarram Syed)
Date: Wed, 30 Apr 2008 23:51:31 -0700
Subject: krb5 help on RHEL3
Message-ID: <006201c8ab57$ca42a990$2e1c42ab@stanford.edu>

I just built out a RHEL3 Update 9 box to test the krb5 upgrade and I am running into some issues. I am sure I must be missing something during the build. Please advise from looking at my symptom. If asked, I can provide more information.

When I log in to the box I do get the krb5 AFS tokens.

asinfradev98:~> kdestroy;unlog
asinfradev98:~> klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_39728_xP1raB)

Kerberos 4 ticket cache: /tmp/tkt39728
klist: You have no tickets cached
asinfradev98:~> exit
logout
Connection to asinfradev98 closed.
muksyed@asmaster@stanford.edu> ssh muksyed@asinfradev98
muksyed@asinfradev98's password:
Last login: Wed Apr 30 23:39:03 2008 from asmaster.stanford.edu
asinfradev98:~> klist
Ticket cache: FILE:/tmp/krb5cc_39728_gIS86f
Default principal: muksyed@stanford.edu

Valid starting     Expires            Service principal
04/30/08 23:39:32  05/01/08 09:39:32  krbtgt/stanford.edu@stanford.edu
04/30/08 23:39:32  05/01/08 09:39:32  afs/ir.stanford.edu@stanford.edu

Kerberos 4 ticket cache: /tmp/tkt39728
klist: You have no tickets cached
asinfradev98:~>

But I keep getting this error when I try to run a kinit after logging in:

asinfradev98:~> kinit
Stanford University (Leland) (asinfradev98.stanford.edu)
Password for muksyed@stanford.edu:
aklog: Couldn't get ir.stanford.edu AFS tickets:
aklog: No credentials found with supported encryption types while getting AFS tickets

Then when I run klist, my AFS tokens are gone and I get the krbtgt for K4. Don't know how!

asinfradev98:~> klist
Ticket cache: FILE:/tmp/krb5cc_39728_y6YG66
Default principal: muksyed@stanford.edu

Valid starting     Expires            Service principal
04/30/08 23:42:56  05/02/08 00:42:54  krbtgt/stanford.edu@stanford.edu

Kerberos 4 ticket cache: /tmp/tkt39728
Principal: muksyed@IR.STANFORD.EDU

Issued             Expires            Principal
04/30/08 23:42:56  05/02/08 01:09:17  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
asinfradev98:~>

Mukarram Syed
Unix Systems Administrator, Administrative Services, Stanford University
340 Panama Street, Godzilla Building, Stanford, CA 94305 MC 2226.
Phone: 650-736-7647  Cell: 408-480-8841
Email: muksyed at stanford.edu

From bbense at slac.stanford.edu Thu May 1 11:09:12 2008
From: bbense at slac.stanford.edu (Booker Bense)
Date: Thu, 1 May 2008 15:09:12 +0000 (UTC)
Subject: krb5 help on RHEL3

In article , Mukarram Syed wrote:

In theory there should be no problem with a lower case realm... In practice you run into all kinds of problems. I'm not sure what the status is these days, but when I worked on the main campus, part of my job was tweaking Kerberos code to actually work with a lower case realm and some other unique-to-Stanford situations.

The other problem is that the Kerberos on RHEL3 is quite old and buggy. If at all possible, upgrade to at least RHEL4.

_ Booker C. Bense

From support at amazon.com Thu May 1 22:25:57 2008
From: support at amazon.com (Amazon Customer Support Center)
Date: Thu, 1 May 2008 21:25:57 -0500
Subject: Unauthorized access to your account!

Dear Amazon customer,

As the Internet and information technology enable us to expand our services, we are committed to maintaining the trust customers have placed in us for protecting the privacy and security of information we have about you. In order to protect your information against unauthorized access, identity theft and account fraud we earnestly ask you to update your profile. We also discovered a problem with your account information, and we temporarily suspended access to it. You can easily re-activate your account by updating your information.

To get started, please click the link below:

http://antarticas01.altervista.org/www.amazon.com/

If you received this notice and you are not the authorized account holder, please be aware that it is in violation of our policy to represent oneself as another Amazon user. Such action may also be in violation of local, national, and/or international law. Amazon is committed to assisting law enforcement with any inquiries related to attempts to misappropriate personal information with the intent to commit fraud or theft. Information will be provided at the request of law enforcement agencies to ensure that perpetrators are prosecuted to the fullest extent of the law.

Thanks for your patience as we work together to keep your account secure.

Regards,
Amazon Customer Support Center.

This site is directed at or made available to persons in the United States and Amazon customers only. Products and services described, as well as associated fees, charges, interest rates, and balance requirements may differ among geographic locations. Not all products and services are offered at all locations.

Copyright © 2007 - Amazon

From teogsql at cuk.canon.co.uk Fri May 2 07:16:52 2008
From: teogsql at cuk.canon.co.uk (Thilde ackermann )
Date: Fri, 2 May 2008 13:16:52 +0200
Subject: Earning opportunity
Message-ID: <01c8ac56$c9087a00$a88cac4e@teogsql>

An expanding trading company is looking for new employees!!

You have 5 hours a week free, have some computer skills and can be reached during the day??

--> Then you have the chance to join us and earn from two thousand a month!!

Interested? - Write to us at elfingo at km.ru and have more detailed information mailed to you.

Kind regards,
ELFIN LTD

From muksyed at stanford.edu Fri May 2 18:48:45 2008
From: muksyed at stanford.edu (Mukarram Syed)
Date: Fri, 2 May 2008 15:48:45 -0700
Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
Message-ID: <00b401c8aca6$adb0c190$2e1c42ab@stanford.edu>

Hi Kerberos Gurus.

I have 2 servers; the problem is that when I ssh into the box on the server-notworking, I get both the .k5 and .k4 tickets:

server-notworking > klist
Ticket cache: FILE:/tmp/krb5cc_39728_T16049
Default principal: me@stanford.edu

Valid starting     Expires            Service principal
05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/stanford.edu@stanford.edu
05/02/08 15:18:47  05/03/08 16:18:45  afs/ir.stanford.edu@stanford.edu

Kerberos 4 ticket cache: /tmp/tkt39728_16049
Principal: me@IR.STANFORD.EDU

Issued             Expires            Principal
05/02/08 15:18:45  05/03/08 01:18:45  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking@IR.STANFORD.EDU

But on the server that's working, I only get the k5 tickets:

server-working > klist
Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
Default principal: me@stanford.edu

Valid starting     Expires            Service principal
05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/stanford.edu@stanford.edu
05/02/08 15:27:27  05/03/08 01:27:25  afs/ir.stanford.edu@stanford.edu

Kerberos 4 ticket cache: /tmp/tkt39728
Principal: me@IR.STANFORD.EDU

Issued             Expires            Principal
04/30/08 23:42:56  05/02/08 01:09:17  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU

The only difference that I can see between the two klist command outputs is:

05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking@IR.STANFORD.EDU

What is this?

Below is a comparison of the two servers.

I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the server-notworking. I don't think this will make a difference because I have already tried this on another server. I can't upgrade the kernel though to match the server that is working. The server that is not working is an actively used server.

Also, if I remove the .klogin file in my home directory on the server-notworking, I can't log in to this box. I need both .klogin and .k5login files, otherwise I get a permission denied message when ssh'ing in.

I don't have the .klogin file on the server that is working, only the .k5login file.

Please advise.

Thanks for your help.

Regards

# mukarram syed

SYSTEM INFO

server-notworking                              server-working
---------------------------------------------  ---------------------------------------------
2.4.21-27.0.2.ELsmp                            2.4.21-50.ELsmp
Red Hat Enterprise Linux AS release 3          Red Hat Enterprise Linux AS release 3
(Taroon Update 4)                              (Taroon Update 9)

STATUS
Not getting the afs tokens without             Fully Functional. NO aklog -setpag option set.
the aklog -setpag option in the shell
startup scripts. Need .klogin and .k5login
to be able to SSH. SSH won't work without
.klogin file.

OPENAFS RPMS
openafs-1.4.2-1.1                              openafs-1.4.2-1.1
openafs-client-1.4.2-1.1                       openafs-client-1.4.2-1.1
openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1    openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
openafs-kernel-source-1.4.2-1.1                openafs-kernel-source-1.4.2-1.1
openafs-krb5-1.4.2-1.1                         openafs-krb5-1.4.2-1.1

KRB5 RPMS
krb5-devel-1.2.7-42                            krb5-devel-1.2.7-64
krb5-libs-1.2.7-42                             krb5-libs-1.2.7-64
krb5-SU-1.4.3-12.EL3                           krb5-SU-1.4.4-4.EL3
openafs-krb5-1.4.2-1.1                         openafs-krb5-1.4.2-1.1
pam_krb5-SU-3.8-1.EL3                          pam_krb5-SU-3.8-1.EL3

PAM RPMS
pam-0.75-62                                    pam-0.75-72
pam-afs-session-1.5-1.EL3                      pam-afs-session-1.5-1.EL3
pam-devel-0.75-62                              pam_ccreds-3-3.rhel3.2
pam_krb5-SU-3.8-1.EL3                          pam-devel-0.75-72
pam_passwdqc-0.7.5-1                           pam_krb5-SU-3.8-1.EL3
pam_smb-1.1.7-1                                pam_passwdqc-0.7.5-1
                                               pam_smb-1.1.7-1

IMPORTANT FILES: CKSUMS/SIZES
782515666 1077 /etc/pam.d/system-auth          782515666 1077 /etc/pam.d/system-auth
292550411 160 /etc/krb.conf                    292550411 160 /etc/krb.conf
2006343950 4385 /etc/krb5.conf                 3826595545 4386 /etc/krb5.conf
3068285566 267416 /usr/bin/aklog               1302602016 267416 /usr/bin/aklog
1323949453 19 /usr/vice/etc/CellAlias          1323949453 19 /usr/vice/etc/CellAlias
3556331601 16 /usr/vice/etc/ThisCell           3556331601 16 /usr/vice/etc/ThisCell
1399150640 446 /usr/vice/etc/CellServDB        514410920 208 /usr/vice/etc/CellServDB

Also, in the /etc/ssh/sshd_config file the only differences are (if I change it to no on the server-notworking, I can't SSH, I get Permission denied errors):

KerberosAuthentication yes                     KerberosAuthentication no
KerberosOrLocalPasswd yes                      KerberosOrLocalPasswd no
KerberosTicketCleanup yes                      KerberosTicketCleanup no

SSH RPMS
openssh-3.6.1p2-33.30.3                        openssh-3.6.1p2-33.30.14
openssh-clients-3.6.1p2-33.30.3                openssh-askpass-3.6.1p2-33.30.14
openssh-server-3.6.1p2-33.30.3                 openssh-askpass-gnome-3.6.1p2-33.30.14
                                               openssh-clients-3.6.1p2-33.30.14
                                               openssh-server-3.6.1p2-33.30.14

From bwmetropolitan at car4you.at Sun May 4 16:09:48 2008
From: bwmetropolitan at car4you.at (Klaus Liaupis)
Date: Sun, 4 May 2008 22:09:48 +0200
Subject: 2 Job positions from Monster.com
Message-ID: <001401c8ae33$913c6a80$00a28114@pc>

Hello.

This e-mail is a promotion from the Careerbuilder.com job-site.
=========================================================
My name is Klaus Liaupis, I represent Kitaki Developers Inc., a company operating in Latvia and Sweden. We seek representatives in Denmark for full and part-time jobs (2 positions are available). We do not ask for any money; we are a reputable company that has been in business for more than 3 years. All candidates are paid daily + we compensate all taxes and charges.

After approval, you will get benefits:
- 4200 USD guaranteed monthly income
- Comprehensive medical and life insurance for you and your dependents. You will be receiving a company-signed Medicine card and all the paperwork.

GENERAL REQUIREMENTS:
You have to be honest, loyal, responsible and hard-working. You have to comply with all reasonable and lawful instructions provided to you by our company. You need 5-7 hours during the week for communication. Residential address to receive correspondence (if any). Computer w/internet connection. Home/cell phone to contact you during the day.

Please reply to support at kitakidevelopersinc.com if you are interested; you can apply for either part-time or full-time depending on your time schedule. Company manager will contact you shortly.

Thanks
Klaus Liaupis
Kitaki Developers Inc.
12 brivas str B 44, FI-00530 Helsinki, Finland
+358 9 1748722

PLEASE, REPLY DIRECTLY TO: support at kitakidevelopersinc.com

From iyqyouthful at buchanan-edwards.com Sun May 4 18:24:57 2008
From: iyqyouthful at buchanan-edwards.com (Davis Pickens)
Date: Sun, 4 May 2008 19:24:57 -0300
Subject: USA! USA! All Play and you do not pay
Message-ID: <001501c8ae1c$89c251f0$06cee24c@61e205531c44400>

Is in the begun no command. Of at vertical.

From ETB2 at PGE.COM Mon May 5 19:08:18 2008
From: ETB2 at PGE.COM (Bonacum, Ernie)
Date: Mon, 5 May 2008 16:08:18 -0700
Subject: Unable to map local user
Message-ID: <164D0ACCBE2F464FAD73C5F29D7A594102DBAAF2@exchange15.Utility.pge.com>

I could use some help trying to figure out the next steps to figure out what is going wrong with a Kerberos/NFS initial installation on an AIX 5.3 system. I've followed several guides and I think everything checks out, but it obviously does not work.

On the NFS server (foodev01), in the /tmp/syslog.out file, I am getting the error:

May 5 14:52:17 foodev01 user:debug syslog: nfsrgyd: Unable to map local user (foouser) to a foreign user
May 5 14:52:17 foodev01 user:debug syslog: nfsrgyd: Unable to map local group (foouser) to a foreign group

In the Securing NFS for AIX guide, this error shows up and they have you change the NFS domain mapping. I've tried a number of variations of this and none seem to work.

On the NFS server, chnfsrtd returns:

root@foodev01:/etc/krb5=# chnfsrtd
realm.dev.foo.com dev.foo.com

I've also tried it with "realm.dev.foo.com foo.com" and "realm.dev.foo.com comp.foo.com".

On the NFS server, chnfsdom returns:

root@foodev01:/etc/krb5=# chnfsdom
Current local domain: dev.foo.com

My /etc/hosts is:

127.0.0.1      loopback localhost                     # loopback (lo0) name/address
10.244.111.50  fookdcdev01.comp.foo.com fookdcdev01   # KDC
10.244.111.51  foodev01.comp.foo.com foodev01         # NFS Server
10.244.111.52  footst02.comp.foo.com footst02         # NFS Client

On the NFS client (footst02) I get:

root@footst02:/home/root=# chnfsrtd
realm.dev.foo.com dev.foo.com
root@footst02:/home/root=# chnfsdom
Current local domain: dev.foo.com

Each time I've made a change to the NFS info on the server and the client, I've stopped all the NFS daemons, did a nfsrgyd -f (to flush the cache) and then restarted the daemons.

On the KDC server, I can list the principals:

kadmin: listprincs
K/M@REALM.DEV.FOO.COM
admin/admin@REALM.DEV.FOO.COM
host/wllogdev03.comp.foo.com@REALM.DEV.FOO.COM
host/footst02.comp.foo.com@REALM.DEV.FOO.COM
kadmin/admin@REALM.DEV.FOO.COM
kadmin/changepw@REALM.DEV.FOO.COM
kadmin/history@REALM.DEV.FOO.COM
krbtgt/REALM.DEV.FOO.COM@REALM.DEV.FOO.COM
nfs/foodev01.comp.foo.com@REALM.DEV.FOO.COM
nfs/footst02.comp.foo.com@REALM.DEV.FOO.COM
root/foodev01.comp.foo.com@REALM.DEV.FOO.COM
root/footst02.comp.foo.com@REALM.DEV.FOO.COM
foouser@REALM.DEV.FOO.COM
fookrb5@REALM.DEV.FOO.COM

I check the tickets and can successfully renew tickets for root and foouser on the NFS server and the client. The NFS filesystems are exported and mount without any errors.

So what can be done to analyze this and track down the source of the error?

From muksyed at stanford.edu Mon May 5 20:23:10 2008
From: muksyed at stanford.edu (Mukarram Syed)
Date: Mon, 5 May 2008 17:23:10 -0700
Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
In-Reply-To: <00b401c8aca6$adb0c190$2e1c42ab@stanford.edu>
Message-ID: <01ab01c8af0f$5dca2c00$2e1c42ab@stanford.edu>

Hi Again,

Any suggestion will be appreciated.

Thanks

# mukarram

From cclausen at acm.org Mon May 5 20:32:25 2008
From: cclausen at acm.org (Christopher D. Clausen)
Date: Mon, 5 May 2008 19:32:25 -0500
Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
References: <01ab01c8af0f$5dca2c00$2e1c42ab@stanford.edu>
Message-ID: <166681FEBAEF4FBEBA150DEE779183FC@CDCHOME>

Can you post and compare your krb5.conf files? Are they identical?

Have you asked someone at Stanford? This might be a specific configuration problem for that realm.

If you join the #kerberos IRC on Freenode, various people may be able to help you out interactively.

> Hi Again,
>
> Any suggestion will be appreciated.
>
> Thanks
>
> # mukarram
From stevenraymillerjr at yahoo.com Tue May 6 09:46:23 2008
From: stevenraymillerjr at yahoo.com (Steven Miller)
Date: Tue, 6 May 2008 06:46:23 -0700 (PDT)
Subject: account lockouts
Message-ID: <882490.32953.qm@web38504.mail.mud.yahoo.com>

I understand that Kerberos wasn't designed with that in mind. That being said, is there any way to do that?

Thanks in advance,
Steven

From muksyed at stanford.edu Tue May 6 12:39:36 2008
From: muksyed at stanford.edu (Mukarram Syed)
Date: Tue, 6 May 2008 09:39:36 -0700
Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
In-Reply-To: <166681FEBAEF4FBEBA150DEE779183FC@CDCHOME>
Message-ID: <01eb01c8af97$c610a040$2e1c42ab@stanford.edu>

Thanks Christopher. I'll try to get on the Kerberos IRC on Freenode.

Here are my krb5.conf files. They are not different, as far as I could see.

[root@server-working etc]# cksum /etc/krb5.conf
3826595545 4386 /etc/krb5.conf

server-notworking:~> cksum /etc/krb5.conf
2006343950 4385 /etc/krb5.conf

Krb5.conf from server-working:
------------------------------
#### cat /etc/krb5.conf
# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf.erb 708 2007-01-31 21:22:39Z rra $
#
# This is the standard Kerberos v5 configuration file for all of our
# servers.  It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes.  Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.

[appdefaults]
    default_lifetime = 25hrs
    krb4_get_tickets = false
    krb5_get_tickets = true
    krb5_get_forwardable = true

    kinit = {
        krb4_convert = false
    }

    stanford.edu = {
        aklog_path = /usr/bin/aklog
        krb4_get_tickets = true
        krb4_convert = false
        krb_run_aklog = true
    }

    pam = {
        minimum_uid = 100
        search_k5login = true
        forwardable = true
    }

    pam-afs-session = {
        minimum_uid = 100
    }

[libdefaults]
    default_realm = stanford.edu
    dns_lookup_realm = false
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    ticket_lifetime = 1500m

[realms]
    stanford.edu = {
        kdc = krb5auth1.stanford.edu:88
        kdc = krb5auth2.stanford.edu:88
        kdc = krb5auth3.stanford.edu:88
        master_kdc = krb5auth1.stanford.edu:88
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
        kadmind_port = 749
        v4_realm = IR.STANFORD.EDU
    }
    MS.STANFORD.EDU = {
        kdc = msdc0.ms.stanford.edu:88
        kdc = msdc1.ms.stanford.edu:88
        kpasswd_server = msdc0.ms.stanford.edu
    }
    WIN.STANFORD.EDU = {
        kdc = mothra.win.stanford.edu:88
        kdc = rodan.win.stanford.edu:88
        kpasswd_server = mothra.win.stanford.edu
    }
    CS.STANFORD.EDU = {
        kdc = cs-kdc-1.stanford.edu:88
        kdc = cs-kdc-2.stanford.edu:88
        kdc = cs-kdc-3.stanford.edu:88
        admin_server = cs-kdc-1.stanford.edu:749
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        kdc = kerberos-3.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ISC.ORG = {
        kdc = k1.isc.org:88
        kdc = k2.isc.org:88
        admin_server = k1.isc.org:749
        default_domain = isc.org
    }
    OPENLDAP.ORG = {
        kdc = kerberos.openldap.org
        default_domain = openldap.org
    }
    SUCHDAMAGE.ORG = {
        kdc = kerberos.suchdamage.org:88
        admin_server = kerberos.suchdamage.org:749
        default_domain = suckdamage.org
    }
    VIX.COM = {
        kdc = kerberos-0.vix.com:88
        kdc = kerberos-1.vix.com:88
        kdc = kerberos-2.vix.com:88
        admin_server = kerberos-0.vix.com:749
        default_domain = vix.com
    }
    ZEPA.NET = {
        kdc = kerberos.zepa.net
        kdc = kerberos-too.zepa.net
        admin_server = kerberos.zepa.net
    }

[domain_realm]
    stanford.edu = stanford.edu
    .stanford.edu = stanford.edu
    .dc.stanford.org = stanford.edu
    ms.stanford.edu = MS.STANFORD.EDU
    .ms.stanford.edu = MS.STANFORD.EDU
    win.stanford.edu = WIN.STANFORD.EDU
    .win.stanford.edu = WIN.STANFORD.EDU
    windows.stanford.edu = IT.WIN.STANFORD.EDU
    infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
    .eyrie.org = stanford.edu
    .isc.org = ISC.ORG
    mit.edu = ATHENA.MIT.EDU
    .mit.edu = ATHENA.MIT.EDU
    openldap.org = OPENLDAP.ORG
    .openldap.org = OPENLDAP.ORG
    whoi.edu = ATHENA.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    .vix.com = VIX.COM
    .zepa.net = ZEPA.NET
    zepa.net = ZEPA.NET

[logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE

Krb5.conf from server-notworking:
---------------------------------
> cat /etc/krb5.conf
# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf.erb 708 2007-01-31 21:22:39Z rra $
#
# This is the standard Kerberos v5 configuration file for all of our
# servers.  It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes.  Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
[appdefaults]
    default_lifetime = 25hrs
    krb4_get_tickets = false
    krb5_get_tickets = true
    krb5_get_forwardable = true
    kinit = {
        krb4_convert = false
    }
    stanford.edu = {
        aklog_path = /usr/bin/aklog
        krb4_get_tickets = true
        krb4_convert = false
        krb_run_aklog = true
    }
    pam = {
        minimum_uid = 100
        search_k5login = true
        forwardable = true
    }
    pam-afs-session = {
        minimum_uid = 100
    }

[libdefaults]
    default_realm = stanford.edu
    dns_lookup_realm = false
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    ticket_lifetime = 1500m

[realms]
    stanford.edu = {
        kdc = krb5auth1.stanford.edu:88
        kdc = krb5auth2.stanford.edu:88
        kdc = krb5auth3.stanford.edu:88
        master_kdc = krb5auth1.stanford.edu:88
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
        kadmind_port = 749
        v4_realm = IR.STANFORD.EDU
    }
    MS.STANFORD.EDU = {
        kdc = msdc0.ms.stanford.edu:88
        kdc = msdc1.ms.stanford.edu:88
        kpasswd_server = msdc0.ms.stanford.edu
    }
    WIN.STANFORD.EDU = {
        kdc = mothra.win.stanford.edu:88
        kdc = rodan.win.stanford.edu:88
        kpasswd_server = mothra.win.stanford.edu
    }
    CS.STANFORD.EDU = {
        kdc = cs-kdc-1.stanford.edu:88
        kdc = cs-kdc-2.stanford.edu:88
        kdc = cs-kdc-3.stanford.edu:88
        admin_server = cs-kdc-1.stanford.edu:749
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        kdc = kerberos-3.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ISC.ORG = {
        kdc = k1.isc.org:88
        kdc = k2.isc.org:88
        admin_server = k1.isc.org:749
        default_domain = isc.org
    }
    OPENLDAP.ORG = {
        kdc = kerberos.openldap.org
        default_domain = openldap.org
    }
    SUCHDAMAGE.ORG = {
        kdc = kerberos.suchdamage.org:88
        admin_server = kerberos.suchdamage.org:749
        default_domain = suckdamage.org
    }
    VIX.COM = {
        kdc = kerberos-0.vix.com:88
        kdc = kerberos-1.vix.com:88
        kdc = kerberos-2.vix.com:88
        admin_server = kerberos-0.vix.com:749
        default_domain = vix.com
    }
    ZEPA.NET = {
        kdc = kerberos.zepa.net
        kdc = kerberos-too.zepa.net
        admin_server = kerberos.zepa.net
    }

[domain_realm]
    stanford.edu = stanford.edu
    .stanford.edu = stanford.edu
    .dc.stanford.org = stanford.edu
    ms.stanford.edu = MS.STANFORD.EDU
    .ms.stanford.edu = MS.STANFORD.EDU
    win.stanford.edu = WIN.STANFORD.EDU
    .win.stanford.edu = WIN.STANFORD.EDU
    windows.stanford.edu = IT.WIN.STANFORD.EDU
    infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
    .eyrie.org = stanford.edu
    .isc.org = ISC.ORG
    mit.edu = ATHENA.MIT.EDU
    .mit.edu = ATHENA.MIT.EDU
    openldap.org = OPENLDAP.ORG
    .openldap.org = OPENLDAP.ORG
    whoi.edu = ATHENA.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    .vix.com = VIX.COM
    .zepa.net = ZEPA.NET
    zepa.net = ZEPA.NET

[logging]
    kdc = SYSLOG:NOTICE
    admin_server = SYSLOG:NOTICE
    default = SYSLOG:NOTICE

-----Original Message-----
From: Christopher D. Clausen [mailto:cclausen at acm.org]
Sent: Monday, May 05, 2008 5:32 PM
To: Mukarram Syed
Cc: kerberos at mit.edu
Subject: Re: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

Can you post and compare your krb5.conf files? Are they identical?

Have you asked someone at Stanford? This might be a specific configuration problem for that realm.

If you join the #kerberos IRC on Freenode, various people may be able to help you out interactively.

< wrote:
> Hi Again,
>
> Any suggestion will be appreciated.
>
> Thanks
>
> # mukarram
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Mukarram Syed
> Sent: Friday, May 02, 2008 3:49 PM
> To: kerberos at mit.edu
> Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5
> upgrade.
>
> Hi Kerberos Gurus.
>
> I have 2 servers, the problem is that when I ssh into the box on the
> server-notworking, I get both the .k5 and .k4 tickets:
>
> server-notworking > klist
> Ticket cache: FILE:/tmp/krb5cc_39728_T16049
> Default principal: me at stanford.edu
>
> Valid starting     Expires            Service principal
> 05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/stanford.edu at stanford.edu
> 05/02/08 15:18:47  05/03/08 16:18:45  afs/ir.stanford.edu at stanford.edu
>
> Kerberos 4 ticket cache: /tmp/tkt39728_16049
> Principal: me at IR.STANFORD.EDU
>
> Issued             Expires            Principal
> 05/02/08 15:18:45  05/03/08 01:18:45  krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU
> 05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking at IR.STANFORD.EDU
>
> But on the server that's working, I only get the k5 tickets:
>
> server-working > klist
> Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
> Default principal: me at stanford.edu
>
> Valid starting     Expires            Service principal
> 05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/stanford.edu at stanford.edu
> 05/02/08 15:27:27  05/03/08 01:27:25  afs/ir.stanford.edu at stanford.edu
>
> Kerberos 4 ticket cache: /tmp/tkt39728
> Principal: me at IR.STANFORD.EDU
>
> Issued             Expires            Principal
> 04/30/08 23:42:56  05/02/08 01:09:17  krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU
>
> The only difference that I can see between the two klist command
> outputs is:
>
> 05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking at IR.STANFORD.EDU
>
> What is this?
>
> Below is a comparison of the two servers.
>
> I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
> server-notworking. I don't think this will make a difference because
> I have already tried this on another server. I can't upgrade the
> kernel though to match the server that is working. The server that
> is not working is an actively used server.
>
> Also if I remove the .klogin file in my home directory on the
> server-notworking, I can't login to this box. I need both .klogin and
> .k5login files otherwise I get permission denied message when ssh'ing
> in.
>
> I don't have the .klogin file in the server that is working, only the
> .k5login file.
>
> Please advise.
>
> Thanks for your help.
>
> Regards
>
> # mukarram syed
>
>
> SYSTEM INFO
>
> server-notworking                           server-working
> 2.4.21-27.0.2.ELsmp                         2.4.21-50.ELsmp
> Red Hat Enterprise Linux AS release 3       Red Hat Enterprise Linux AS release 3
> (Taroon Update 4)                           (Taroon Update 9)
>
> STATUS
>
> server-notworking                           server-working
> Not getting the afs tokens without          Fully Functional. NO aklog -setpag option set.
> the aklog -setpag option in the shell
> startup scripts. Need .klogin and .k5login
> to be able to SSH. SSH won't work without
> .klogin file.
>
> OPENAFS RPMS
>
> server-notworking                               server-working
> openafs-1.4.2-1.1                               openafs-1.4.2-1.1
> openafs-client-1.4.2-1.1                        openafs-client-1.4.2-1.1
> openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1     openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
> openafs-kernel-source-1.4.2-1.1                 openafs-kernel-source-1.4.2-1.1
> openafs-krb5-1.4.2-1.1                          openafs-krb5-1.4.2-1.1
>
> KRB5 RPMS
>
> server-notworking                               server-working
> krb5-devel-1.2.7-42                             krb5-devel-1.2.7-64
> krb5-libs-1.2.7-42                              krb5-libs-1.2.7-64
> krb5-SU-1.4.3-12.EL3                            krb5-SU-1.4.4-4.EL3
> openafs-krb5-1.4.2-1.1                          openafs-krb5-1.4.2-1.1
> pam_krb5-SU-3.8-1.EL3                           pam_krb5-SU-3.8-1.EL3
>
> PAM RPMS
>
> server-notworking                               server-working
> pam-0.75-62                                     pam-0.75-72
> pam-afs-session-1.5-1.EL3                       pam-afs-session-1.5-1.EL3
> pam-devel-0.75-62                               pam_ccreds-3-3.rhel3.2
> pam_krb5-SU-3.8-1.EL3                           pam-devel-0.75-72
> pam_passwdqc-0.7.5-1                            pam_krb5-SU-3.8-1.EL3
> pam_smb-1.1.7-1                                 pam_passwdqc-0.7.5-1
>                                                 pam_smb-1.1.7-1
>
> IMPORTANT FILES: CKSUMS/SIZES
>
> server-notworking                               server-working
> 782515666 1077 /etc/pam.d/system-auth           782515666 1077 /etc/pam.d/system-auth
> 292550411 160 /etc/krb.conf                     292550411 160 /etc/krb.conf
> 2006343950 4385 /etc/krb5.conf                  3826595545 4386 /etc/krb5.conf
> 3068285566 267416 /usr/bin/aklog                1302602016 267416 /usr/bin/aklog
> 1323949453 19 /usr/vice/etc/CellAlias           1323949453 19 /usr/vice/etc/CellAlias
> 3556331601 16 /usr/vice/etc/ThisCell            3556331601 16 /usr/vice/etc/ThisCell
> 1399150640 446 /usr/vice/etc/CellServDB         514410920 208 /usr/vice/etc/CellServDB
>
> Also in the /etc/ssh/sshd_config file the only differences are (If I
> change it to no, on the server-notworking, I can't SSH, I get
> Permission denied errors):
>
> server-notworking                               server-working
> KerberosAuthentication yes                      KerberosAuthentication no
> KerberosOrLocalPasswd yes                       KerberosOrLocalPasswd no
> KerberosTicketCleanup yes                       KerberosTicketCleanup no
>
> SSH RPMS
>
> server-notworking                               server-working
> openssh-3.6.1p2-33.30.3                         openssh-3.6.1p2-33.30.14
> openssh-clients-3.6.1p2-33.30.3                 openssh-askpass-3.6.1p2-33.30.14
> openssh-server-3.6.1p2-33.30.3                  openssh-askpass-gnome-3.6.1p2-33.30.14
>                                                 openssh-clients-3.6.1p2-33.30.14
>                                                 openssh-server-3.6.1p2-33.30.14

From mahmudulcit at gmail.com Tue May 6 15:36:10 2008
From: mahmudulcit at gmail.com (Mahmudul Haque)
Date: Tue, 6 May 2008 22:36:10 +0300
Subject: cross compilation problem with krb5_1.6.3
Message-ID: <4b9d85200805061236i22ccbf14mc6c7136407cf0581@mail.gmail.com>

hi,

I am stuck in cross compiling the krb5-1.6.3 for my mips board. I am getting the following error whenever I try to compile it:-

"checking for constructor/destructor attribute support... configure: error: Cannot test for constructor/destructor support when cross compiling"

any suggestion would be highly appreciable.....thnx

From raeburn at MIT.EDU Tue May 6 18:16:38 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 6 May 2008 18:16:38 -0400
Subject: cross compilation problem with krb5_1.6.3
In-Reply-To: <4b9d85200805061236i22ccbf14mc6c7136407cf0581@mail.gmail.com>
References: <4b9d85200805061236i22ccbf14mc6c7136407cf0581@mail.gmail.com>
Message-ID: <42C3D4E0-6097-49B9-8818-D8202202BDC4@mit.edu>

On May 6, 2008, at 15:36, Mahmudul Haque wrote:
> I am stuck in cross compiling the krb5-1.6.3 for my mips board. i am
> getting the following error whenever i try to compile it:-
> "checking for constructor/destructor attribute support... configure:
> error: Cannot test for constructor/destructor support when cross
> compiling"
> any suggestion would be highly appreciable.....thnx

Unfortunately, cross-compilation hasn't been a priority for us in the past; we've heard some interest in that area, but haven't yet begun to really explore it. I'm sure there are a number of places in the configure script where we assume a native compilation environment. If you don't mind looking through autoconf scripts, the ones I know about off the top of my head shouldn't be hard to find:

Look for any use of AC_TRY_LINK and AC_TRY_RUN in src/configure.in and src/aclocal.m4. You'll probably need to explicitly set in your environment the ac_cv_* variables those tests will try to set. Depending on the target system, the link tests may work, or may not; the execution tests obviously won't.

There are also places where we test the name of the host system, so if you're not specifying "--host=mips-something", you probably should be. (In GNU autoconf terminology, "host" is the system where the software will be run, "build" is where you run your compiler to make the software, and if the software you're building is a compiler or related tool, "target" is the system for which it would generate code; so something like "configure --build=sparc-solaris2.10 --host=i686-windows" means you're compiling Windows programs on a Solaris machine. I doubt there's much in our build system that cares what the build OS is, but the host OS would be important.)

There are a few things -- special linker options, for example -- that are hard to figure out with autoconf tests even if you can execute programs, and for an embedded system our configuration scripts will have no idea what to do. You'll probably need to change src/config/shlib.conf to support your MIPS board.

Once you get past that, there are probably other issues that'll come up:

* We assume you want to build the applications like telnet, which may be impossible for some embedded systems, and you probably don't want them anyways. There's no real hook for building just an SDK or something like that.

* We assume we're building and installing shared libraries; that may work for some embedded systems, but not others.

Unfortunately, our documentation for build system dependencies is somewhat haphazard, an issue we're hoping to address soon, but some of the info you might need is in doc/implementor.texinfo. It's a little out of date, because it still describes building static libraries, which we don't support well (or officially at all) at the moment. I did add, at the end, a copy of some email I sent to someone asking about a port to pSOS a while back.

I know others have gotten Kerberos code working on embedded systems before:

* TeamF1 has products for VxWorks and others
* Shoichi Sakane mentions in http://tools.ietf.org/html/draft-sakane-krb-cross-problem-statement-02 porting the MIT code to an H8 processor.

If you do go ahead with this, please keep us informed, and please consider contributing patches back. Most of the interest we've heard lately has been focused on mobile devices, not precisely the same requirements as embedded devices in general, but with some overlap I'm sure. So feedback on how this works out for you may help us plan our future work better, and make incorporating future releases easier for you in turn.
-- 
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium

From ETB2 at PGE.COM Tue May 6 18:35:16 2008
From: ETB2 at PGE.COM (Bonacum, Ernie)
Date: Tue, 6 May 2008 15:35:16 -0700
Subject: Unable to map local user
Message-ID: <164D0ACCBE2F464FAD73C5F29D7A594102DBADDF@exchange15.Utility.pge.com>

I should have posted my krb5.conf file:

//footst02.comp.foo.com/home/foouser $ cat /etc/krb5/krb5.conf
[libdefaults]
    default_realm = REALM.DEV.FOO.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

[realms]
    REALM.DEV.FOO.COM = {
        kdc = fookdcdev01.comp.foo.com:88
        admin_server = fookdcdev01.comp.foo.com:749
        default_domain = comp.foo.com
    }

[domain_realm]
    .comp.foo.com = REALM.DEV.FOO.COM
    comp.foo.com = REALM.DEV.FOO.COM
    fookdcdev01.comp.foo.com = REALM.DEV.FOO.COM

[logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    default = FILE:/var/krb5/log/krb5lib.log

From jason at rampaginggeek.com Tue May 6 18:56:21 2008
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Tue, 06 May 2008 18:56:21 -0400
Subject: cross compilation problem with krb5_1.6.3
In-Reply-To: <42C3D4E0-6097-49B9-8818-D8202202BDC4@mit.edu>
References: <4b9d85200805061236i22ccbf14mc6c7136407cf0581@mail.gmail.com> <42C3D4E0-6097-49B9-8818-D8202202BDC4@mit.edu>
Message-ID: <4820E215.5010007@rampaginggeek.com>

Ken Raeburn wrote:
> On May 6, 2008, at 15:36, Mahmudul Haque wrote:
>
>> I am stuck in cross compiling the krb5-1.6.3 for my mips board. i am
>> getting the following error whenever i try to compile it:-
>> "checking for constructor/destructor attribute support... configure:
>> error: Cannot test for constructor/destructor support when cross
>> compiling"
>> any suggestion would be highly appreciable.....thnx
>>
>
> Unfortunately, cross-compilation hasn't been a priority for us in the
> past; we've heard some interest in that area, but haven't yet begun to
> really explore it.
>

Hi there,

I have successfully cross-compiled MIT kerberos5 1.6.3 for the ARMEL platform using scratchbox. Perhaps that would work.

Sincerely,
Jason

From ggossett at symantec.com Wed May 7 20:47:07 2008
From: ggossett at symantec.com (Grant Gossett)
Date: Wed, 7 May 2008 17:47:07 -0700
Subject: Understanding cross-realm ticket flow - TGS-REQ to wrong(?) realm's KDC
Message-ID:

Hello there,

I'm currently trying to get cross-realm authentication working with a one-way active directory trust that involves a service principal in the trusting realm running apache with mod_auth_kerb.

The setup uses 2 W2K3 R2 domain controllers which have a 1-way trust. Realm (domain) LABS.A.COM trusts realm (domain) CORP.A.COM - it is an external (non-transitive) trust. Inside of LABS.A.COM I have an apache server configured using mod_auth_kerb named support.labs.a.com with a service principal created for HTTP/support.labs.a.com at LABS.A.COM setup properly on the domain controller (at least I think it is). The reasoning behind my belief that it is set up properly is that kerberos authentication works for user principals that are in the LABS.A.COM realm. The web server is running CentOS 4.6 and apache was installed with mod_auth_kerb using the CentOS installer rather than being built afterward. In other words, "default CentOS distro options and versions" for apache and mod_auth_kerb.

The problem I am seeing (or maybe misunderstanding) is that when user principals in the CORP.A.COM realm try to authenticate (using Internet Explorer 6) the AS-REQ and AS-RES seem to work out swimmingly. The TGS-REQ is where things seem to go bad. The TGS-REQ seems to be asking the TGS for a service ticket for the principal HTTP/support.labs.a.com at CORP.A.COM, rather than HTTP/support.labs.a.com at LABS.A.COM. This is where things are still a little fuzzy for me as I am new to kerberos, but I am assuming that this is where the problem lies. Naturally, the KDC for CORP.A.COM returns an error that the service principal is unknown and it all stops there.
So I have a couple of questions that hopefully someone with more cross-realm authentication experience can help me with:

First, is it normal for a kerberized client (IE 6 in this case) to always ask its TGS in its realm for service tickets even if the service principal does not exist in its realm?

Second, it is my understanding that the client is responsible for traversing the authentication path. In other words, the TGS doesn't "do the work" of getting the client a service ticket for another realm's service principal, the client must do the work by getting a service ticket for the cross-realm service principal (krbtgt/corp.a.com at LABS.A.COM(?)), using that ticket to send a TGS-REQ to the next realm's TGS to actually get a ticket for the service principal in the next realm. Is that correct?

Third, assuming that the answer to my first two questions is yes, how does the client learn from its TGS that it must ask a TGS further down the authentication path or that what it really needs to ask for is the trust's service principal?

Fourth, and this may be beyond scope, how do clients normally identify what realm a network resource resides in (or in other words, which TGS to ask for a service ticket, assuming they can make a TGS-REQ to a different realm's TGS)?

It seems like there is a simple solution here, and that is to get IE to send the TGS-REQ for HTTP/support.labs.a.com at LABS.A.COM rather than HTTP/support.labs.a.com at CORP.A.COM. Is that correct? If so, does anyone have an inkling as to what I have set up incorrectly?

Many thanks,

Grant

From jsanders at TechFak.Uni-Bielefeld.DE Thu May 8 06:07:19 2008
From: jsanders at TechFak.Uni-Bielefeld.DE (Jan Sanders)
Date: Thu, 08 May 2008 12:07:19 +0200
Subject: Encryption Type wrong
In-Reply-To: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE>
References: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE>
Message-ID: <4822D0D7.50501@TechFak.Uni-Bielefeld.DE>

Hi,

no one has any ideas? Maybe s.o. knows where I can find an appropriate forum/list on the Sun Microsystems site. I was unable to find one. I only found blogs on Kerberos topics.

cheers

Jan Sanders

Jan Sanders wrote:
> Hello,
>
> I am having a little problem here. I am running a KDC on Solaris and a
> number of clients on GNU/Linux. For both the KDC and the
> Kerberos-Clients I have configured them to use only the
> dec-crc-cbc:default encryption type.
> When creating a principal on the server using addprinc wo/-e
> des-cbc-crc:default the principal is created with 4 keys. getprinc reveals:
>
> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 21, ArcFour with HMAC/md5, no salt
> Key: vno 21, DES cbc mode with RSA-MD5, no salt
>
> If I use addprinc -e des-cbc-crc:normal then I get the desired
> Key: vno 22, DES cbc mode with CRC-32, no salt
>
> The same goes for cpw.
>
> This I could live with since the group of users having admin privileges
> is very small.
>
> But the ordinary user once in a while wants to change the password and
> will use kpasswd. kpasswd does not have the ability to choose the
> encryption type and then a user ends up not having a key with
> des-cbc-crc:normal. Unfortunately GNU/Linux kinit breaks if the KDC does
> not have a key with the des-cbc-crc:normal encryption type in store.
>
>
> Any help appreciated
>
> cheers
>
> Jan Sanders
>
> The config files following.
>
> The krb5.conf on the GNU/Linux client:
> [libdefaults]
>     default_realm = MY.DOMAIN
>
> # The following krb5.conf variables are only for MIT Kerberos.
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented. In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
>
>     default_tgs_enctypes = des-cbc-crc
>     default_tkt_enctypes = des-cbc-crc
>     permitted_enctypes = des-cbc-crc
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true
>
> [realms]
>     MY.DOMAIN = {
>         kdc = kdc.my.domain
>         admin_server = kdc.my.domain
>     }
>
> [domain_realm]
>     my.domain = MY.DOMAIN
>     .my.domain = MY.DOMAIN
>
> [login]
>     krb4_convert = true
>     krb4_get_tickets = false
>
>
> The kdc.conf on the Solaris machine:
>
> [libdefaults]
>     default_realm = MY.DOMAIN
>     default_keytab_name = /etc/krb5/krb5.keytab
>
> [kdcdefaults]
>     kdc_ports = 88,750
>
> [realms]
>     MY.DOMAIN = {
>         profile = /etc/krb5/krb5.conf
>         database_name = /var/krb5/principal
>         admin_keytab = /etc/krb5/kadm5.keytab
>         acl_file = /etc/krb5/kadm5.acl
>         kadmind_port = 749
>         max_life = 8h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         default_principal_flags = +preauth
>         supported_enctypes = des-cbc-crc:normal
>     }
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From deengert at anl.gov Thu May 8 09:53:49 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 08 May 2008 08:53:49 -0500
Subject: Understanding cross-realm ticket flow - TGS-REQ to wrong(?) realm's KDC
In-Reply-To:
References:
Message-ID: <482305ED.6030404@anl.gov>

Grant Gossett wrote:
> Hello there,
>
> I'm currently trying to get cross-realm authentication working with a
> one-way active directory trust that involves a service principal in the
> trusting realm running apache with mod_auth_kerb.
>
> The setup uses 2 W2K3 R2 domain controllers which have a 1-way trust.
> Realm (domain) LABS.A.COM trusts realm (domain) CORP.A.COM - it is an
> external (non-transitive) trust. Inside of LABS.A.COM I have an apache
> server configured using mod_auth_kerb named support.labs.a.com with a
> service principal created for HTTP/support.labs.a.com at LABS.A.COM setup
> properly on the domain controller (at least I think it is). The
> reasoning behind my belief that it is set up properly is that kerberos
> authentication works for user principals that are in the LABS.A.COM
> realm. The web server is running CentOS 4.6 and apache was installed
> with mod_auth_kerb using the CentOS installer rather than being built
> afterward. In other words, "default CentOS distro options and versions"
> for apache and mod_auth_kerb.
>
> The problem I am seeing (or maybe misunderstanding) is that when user
> principals in the CORP.A.COM realm try to authenticate (using Internet
> Explorer 6) the AS-REQ and AS-RES seem to work out swimmingly. The
> TGS-REQ is where things seem to go bad. The TGS-REQ seems to be asking
> the TGS for a service ticket for the principal
> HTTP/support.labs.a.com at CORP.A.COM, rather than
> HTTP/support.labs.a.com at LABS.A.COM. This is where things are still a
> little fuzzy for me as I am new to kerberos, but I am assuming that this
> is where the problem lies. Naturally, the KDC for CORP.A.COM returns an
> error that the service principal is unknown and it all stops there.
>
> So I have a couple of questions that hopefully someone with more
> cross-realm authentication experience can help me with:
>
> First, is it normal for a kerberized client (IE 6 in this case) to
> always ask its TGS in its realm for service tickets even if the service
> principal does not exist in its realm?

Microsoft introduced referrals to Kerberos where the client asks its own KDC for information about where the service is located. So for IE it would be normal. It's not standard, but other Kerberos implementations are starting to add this feature. See:

http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-10.txt

Traditionally the Kerberos client would use the krb5.conf [domain_realm] to determine the realm of a server, then start to traverse the authentication path. The referral lets the client ask its KDC for the information, and thus simplifies the client management as it does not need to maintain the [domain_realm] tables.

>
> Second, it is my understanding that the client is responsible for
> traversing the authentication path. In other words, the TGS doesn't "do
> the work" of getting the client a service ticket for another realm's
> service principal, the client must do the work by getting a service
> ticket for the cross-realm service principal
> (krbtgt/corp.a.com at LABS.A.COM(?)), using that ticket to send a TGS-REQ
> to the next realm's TGS to actually get a ticket for the service
> principal in the next realm. Is that correct?

The client would ask CORP.A.COM for krbtgt/LABS.A.COM at CORP.A.COM. CORP.A.COM would issue it to the client, and it is usable at LABS.A.COM to get service tickets. A result of setting up your one way trust.

>
> Third, assuming that the answer to my first two questions is yes, how
> does the client learn from its TGS that it must ask a TGS further down
> the authentication path or that what it really needs to ask for is the
> trust's service principal?
That's the referral vs the [domain_realms]

>
> Fourth, and this may be beyond scope, how do clients normally identify
> what realm a network resource resides in (or in other words, which TGS
> to ask for a service ticket, assuming they can make a TGS-REQ to a
> different realm's TGS)?
>

[domain_realms] and [capaths]

But the default, assume direct trust exists, otherwise walk the path up then down the realm hierarchy.

CORP.A.COM->A.COM->LABS.A.COM

But with referrals on Windows, the client asks the KDC what is next in the path.

>
> It seems like there is a simple solution here, and that is to get IE to
> send the TGS-REQ for HTTP/support.labs.a.com at LABS.A.COM rather than
> HTTP/support.labs.a.com at CORP.A.COM. Is that correct? If so, does anyone
> have an inkling as to what I have set up incorrectly?
>

Look at the netdom trust command and namesuffixes and addtln on CORP.A.COM. Also look at the verify option to make sure it is set up correctly:

http://technet2.microsoft.com/windowsserver/en/library/539c5381-db4f-445f-aac0-2df5448181c11033.mspx?mfr=true

>
>
> Many thanks,
>
>
> Grant
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From rra at stanford.edu Thu May 8 13:22:09 2008
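The realm-selection and path-walking rules Douglas Engert lays out in the exchange above, worked through in Python. This is an added example written for this archive, not code from the thread, from Microsoft or from MIT krb5: it models the static [domain_realm] lookup, the [capaths] override, and the default "assume a direct trust, otherwise walk up and then down the realm hierarchy" behaviour, and shows which cross-realm TGT the client asks each KDC for on the way to HTTP/support.labs.a.com. Realm and host names are Grant Gossett's; the DOMAIN_REALM and CAPATHS_DIRECT dictionaries are constructed for the example, and the referral fallback in plan_request (no mapping found, so the service is named in the client's own realm) is this example's model of the misdirected TGS-REQ seen in the question, not a description of Windows internals.

```python
"""Cross-realm path selection as discussed in the thread (added example)."""

# Constructed [domain_realm] mapping: hostname or .domain suffix -> realm.
DOMAIN_REALM = {
    ".labs.a.com": "LABS.A.COM",
    ".corp.a.com": "CORP.A.COM",
}

# Constructed [capaths]: client realm -> server realm -> intermediate realms.
# "." denotes a direct trust with no intermediate realm, as in krb5.conf.
CAPATHS_DIRECT = {"CORP.A.COM": {"LABS.A.COM": ["."]}}


def realm_for_host(hostname, domain_realm):
    """[domain_realm] lookup: the exact host first, then each parent domain
    with a leading dot, longest first. Returns None when nothing matches."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def hierarchical_path(client_realm, server_realm):
    """Default walk: up from the client realm to the nearest realm both names
    share as a suffix, then down to the server realm.
    CORP.A.COM -> LABS.A.COM gives [CORP.A.COM, A.COM, LABS.A.COM].
    With no shared suffix this model falls back to a single direct hop."""
    if client_realm == server_realm:
        return [client_realm]
    c, s = client_realm.split("."), server_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return [client_realm, server_realm]
    up = [".".join(c[i:]) for i in range(len(c) - common)]  # client realm, then its parents
    ancestor = ".".join(c[len(c) - common:])
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # ancestor's child down to server
    return up + [ancestor] + down


def candidate_paths(client_realm, server_realm, capaths=None):
    """Realm paths to try, in order. An explicit [capaths] entry wins; with
    none, the client first assumes a direct trust and then walks the hierarchy."""
    if client_realm == server_realm:
        return [[client_realm]]
    hops = (capaths or {}).get(client_realm, {}).get(server_realm)
    if hops is not None:
        return [[client_realm] + [h for h in hops if h != "."] + [server_realm]]
    direct = [client_realm, server_realm]
    walk = hierarchical_path(client_realm, server_realm)
    return [direct] if walk == direct else [direct, walk]


def tgt_requests(path):
    """For each hop: (realm whose KDC is asked, cross-realm TGT requested)."""
    return [(path[i], f"krbtgt/{path[i + 1]}@{path[i]}") for i in range(len(path) - 1)]


def plan_request(service, hostname, client_realm, domain_realm, capaths=None):
    """What the client must collect before its final TGS-REQ. When the host
    maps to no realm, this model names the service in the client's own realm
    (leaving correction to a referral), which is the request seen in the trace."""
    server_realm = realm_for_host(hostname, domain_realm) or client_realm
    paths = candidate_paths(client_realm, server_realm, capaths)
    return {
        "server_realm": server_realm,
        "service_principal": f"{service}/{hostname}@{server_realm}",
        "paths": paths,
        "tgt_requests": [tgt_requests(p) for p in paths],
    }


if __name__ == "__main__":
    plan = plan_request("HTTP", "support.labs.a.com", "CORP.A.COM", DOMAIN_REALM)
    for p in plan["paths"]:
        print(" -> ".join(p), tgt_requests(p))
    print("final TGS-REQ to", plan["server_realm"], "for", plan["service_principal"])
```

Run as a script it prints the direct attempt (krbtgt/LABS.A.COM@CORP.A.COM from the CORP.A.COM KDC) followed by the hierarchical fallback through A.COM, and the service principal the final TGS-REQ should carry. Passing an empty mapping instead of DOMAIN_REALM reproduces the failing request from the question: HTTP/support.labs.a.com@CORP.A.COM with no cross-realm hop at all.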
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 08 May 2008 10:22:09 -0700
Subject: Encryption Type wrong
In-Reply-To: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE> (Jan Sanders's message of "Wed\, 30 Apr 2008 15\:11\:21 +0200")
References: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE>
Message-ID: <87wsm4679a.fsf@windlord.stanford.edu>

Jan Sanders writes:

> I am having a little problem here. I am running a KDC on Solaris and a
> number of clients on GNU/Linux. For both the KDC and the
> Kerberos-Clients I have configured them to use only the
> dec-crc-cbc:default encryption type. When creating a principal on the
> server using addprinc wo/-e des-cbc-crc:default the principal is created
> with 4 keys. getprinc reveals:
>
> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 21, ArcFour with HMAC/md5, no salt
> Key: vno 21, DES cbc mode with RSA-MD5, no salt

I'm not sure what to say beyond it looks like you've not actually configured the KDC to use only that encryption type. The KDC is clearly using a wide variety of encryption types, probably its default set.

> But the ordinary user once in a while wants to change the password and
> will use kpasswd. kpasswd does not have the ability to choose the
> encryption type and then a users ends up not having a key with
> des-cbc-crc:normal.

That's correct. kpasswd will use whatever the default enctypes are in the Kerberos kadmind configuration.

> Unfortunately GNU/Linux kinit breaks if the KDC does not have a key with
> the des-cbc-crc:normal encryption type in store.

This on the other hand definitely isn't the case; GNU/Linux kinit will work fine with no DES enctypes at all. However, it is certainly true that if you specifically configure it to only use des-cbc-crc:normal and no such keys are available, it won't work.

The first question I'd have is why are you doing this? Normally you never want to restrict enctypes.
If you just remove all the enctype restrictions, everything will work as expected and be able to negotiate a mutually acceptable enctype. If you're worried about old Java code, you could still allow 3DES, which is generally acceptable to just about everything except Microsoft clients (which can use RC4).

> The kdc.conf on the Solaris machine:
>
> [libdefaults]
>     default_realm = MY.DOMAIN
>     default_keytab_name = /etc/krb5/krb5.keytab
>
> [kdcdefaults]
>     kdc_ports = 88,750
>
> [realms]
>     MY.DOMAIN = {
>         profile = /etc/krb5/krb5.conf
>         database_name = /var/krb5/principal
>         admin_keytab = /etc/krb5/kadm5.keytab
>         acl_file = /etc/krb5/kadm5.acl
>         kadmind_port = 749
>         max_life = 8h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         default_principal_flags = +preauth
>         supported_enctypes = des-cbc-crc:normal
>     }

This looks right, but it's clearly not working. Could kadmind be loading some other kdc.conf?

-- 
Russ Allbery (rra at stanford.edu)

From jason at rampaginggeek.com Thu May 8 18:41:45 2008
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Thu, 08 May 2008 18:41:45 -0400
Subject: Where should the source for the maemo krb5 packages be hosted?
Message-ID: <482381A9.7050000@rampaginggeek.com>

Hi everyone,

I have successfully packaged mit krb5 for maemo, the OS for the Nokia N8X0 tablets. I remove the appl folder from the package, though.

Where should the debian source package be hosted? Should they be in the MIT krb5 cvs or hosted separately?

Thanks,
Jason

From sbuckley at MIT.EDU Fri May 9 17:12:11 2008
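The enctype mismatch that Jan Sanders reports and Russ Allbery diagnoses in the "Encryption Type wrong" thread above, turned into a check a practitioner can run against real kadmin output. This is an added example, not code from the thread or from MIT Kerberos: it parses the "Key: vno N, ..." lines exactly as getprinc printed them in Jan's message, parses krb5.conf/kdc.conf enctype lists (dropping the ":salttype" suffix), and reports the strongest enctype a client's permitted list shares with the principal's stored keys. The display-name table and the preference order are this example's own assumptions, covering only the enctypes that appear on the page; the sample getprinc text is constructed from the keys quoted in the thread.

```python
"""Predict whether a client's enctype restriction can use a stored principal
(added example built around the thread's getprinc output)."""

import re

# kadmin getprinc display names (as printed in the thread) -> krb5.conf names.
# Assumed mapping, limited to the enctypes that appear on the page.
GETPRINC_NAMES = {
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}

# Assumed negotiation preference, strongest first (this example's choice).
PREFERENCE = [
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1", "arcfour-hmac", "des-cbc-md5", "des-cbc-crc",
]

KEY_LINE = re.compile(r"Key:\s*vno\s+(\d+),\s*(.+?),\s*(.+)$")


def parse_getprinc_keys(text):
    """Return [(kvno, enctype)] from 'Key: vno N, <display name>, <salt>' lines.
    Unknown display names are passed through unchanged so nothing is silently lost."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.search(line)
        if m:
            kvno, name = int(m.group(1)), m.group(2).strip()
            keys.append((kvno, GETPRINC_NAMES.get(name, name)))
    return keys


def parse_enctype_list(value):
    """Split a krb5.conf/kdc.conf enctype list such as 'des-cbc-crc:normal des3-cbc-sha1';
    the ':salttype' part is irrelevant to negotiation and is dropped.
    An empty or missing value means 'unrestricted' and yields every type in PREFERENCE."""
    if not value or not value.strip():
        return list(PREFERENCE)
    return [tok.split(":", 1)[0] for tok in value.split()]


def negotiate(client_permitted, principal_keys):
    """Strongest enctype both permitted by the client and present as a key on the
    principal, or None when there is no overlap (the kinit failure in the thread)."""
    have = {enctype for _, enctype in principal_keys}
    for enctype in PREFERENCE:
        if enctype in client_permitted and enctype in have:
            return enctype
    return None


# Constructed from the four vno 21 keys quoted in Jan Sanders's message.
GETPRINC_OUTPUT = """\
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
"""


def restricted_client_result():
    """permitted_enctypes = des-cbc-crc (the client's krb5.conf in the thread)."""
    return negotiate(parse_enctype_list("des-cbc-crc"), parse_getprinc_keys(GETPRINC_OUTPUT))


def unrestricted_client_result():
    """The same principal once the restriction is removed, as Russ suggests."""
    return negotiate(parse_enctype_list(None), parse_getprinc_keys(GETPRINC_OUTPUT))


if __name__ == "__main__":
    print("restricted client  :", restricted_client_result())    # None
    print("unrestricted client:", unrestricted_client_result())  # aes128-cts-hmac-sha1-96
```

Feeding it the output of `getprinc` for an affected user and the client's `permitted_enctypes` value reproduces Jan's symptom (no common enctype, so kinit cannot proceed) and confirms Russ's two remedies: with the restriction removed the AES key is used, and a client limited to 3DES for the sake of old Java code still finds the des3-cbc-sha1 key.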
From: sbuckley at MIT.EDU (Stephen C. Buckley)
Date: Fri, 9 May 2008 17:12:11 -0400
Subject: Position Available: Programmer/Analyst, MIT kerberos Consortium
Message-ID: <6C210A2E-96AB-4404-9727-50DA4D08A06E@mit.edu>

PROGRAMMER ANALYST III, MIT KERBEROS CONSORTIUM, Information Services and Technology, to perform the software development and interoperability test and documentation activities necessary to achieve the consortium's goal of ubiquitous support for Kerberos-based, single sign-on solutions across all aspects of the world's communication infrastructure. Will assist with the development of software tools for system and network security, and with the development of test and interoperability suites. The Kerberos protocols invented and popularized by MIT have become the fundamental building blocks of major desktop and server operating systems, core networking infrastructure, global file systems, global messaging systems, and much more.

REQUIREMENTS: at least three years of C language programming experience, preferably in UNIX or Linux environments; deep understanding of the C language, with an emphasis on achieving high portability and standards conformance; proficiency in system administration, including installation and configuration of operating system and application software on UNIX or Linux, preferably with additional experience on Windows or Mac OS X; experience with security software development, user interface design, network server programming, and operating system programming; ability both to work independently and to collaborate effectively with a team and a worldwide network of contributors on the Internet; excellent written and oral communication skills; proven analytical skills, including troubleshooting and debugging of complex and subtle software defects; strong interest in and aptitude for finding new ways of conceptualizing complex problems; proven ability to rapidly and independently learn new technologies and tools; comfort with C memory management and string manipulation; familiarity with source control systems such as CVS, Subversion, or Mercurial; and familiarity with build systems such as Make, Autoconf, or Ant.

The Programmer Analyst III will perform software development, interoperability test and documentation activities necessary to achieve our goal of ubiquitous support for Kerberos-based single sign-on solutions across all aspects of the world's communication infrastructure.

Please feel free to contact me with any questions (sbuckley at mit.edu). More information about the MIT Kerberos Consortium is available at http://www.kerberos.org

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Stephen C. Buckley
Executive Director
MIT Kerberos Consortium
Massachusetts Institute of Technology
email: sbuckley at mit.edu
web: http://www.kerberos.org

From kmwkawrt at yahoo.com Sun May 11 12:21:50 2008
From: kmwkawrt at yahoo.com (kmwkawrt@yahoo.com) Date: 11 May 2008 16:21:50 GMT Subject: acheter zocor canada a vendre acheter zocor soft generique achat zocor en France a vendre acheter zocor soft bon marche acheter zocor generique bon marche 1 Message-ID: <48271d1e$0$6435$834e42db@reader.greatnowhere.com> acheter zocor canada a vendre acheter zocor soft generique achat zocor en France a vendre acheter zocor soft bon marche acheter zocor generique bon marche +++ Cholestérol +++ Cholestérol +++ Cholestérol +++ + ACHETER ZOCOR BON MARCHE (ALL CARDS ACCEPTED !!!) http://jhku.net/ACHETER-ZOCOR-BON-MARCHE/ http://jhku.net/ACHETER-ZOCOR-BON-MARCHE/ ACHETER ZOCOR BON MARCHE (Western Union, Diners, AMEX) http://WWW.ACHETER-ZOCOR-BON-MARCHE.TK/ http://WWW.ACHETER-ZOCOR-BON-MARCHE.TK/ + + ACHETER LIPITOR BON MARCHE (ALL CARDS ACCEPTED !!!) http://jhku.net/ACHETER-LIPITOR-BON-MARCHE/ http://jhku.net/ACHETER-LIPITOR-BON-MARCHE/ ACHETER LIPITOR BON MARCHE (Western Union, Diners, AMEX) http://WWW.ACHETER-LIPITOR-BON-MARCHE.TK/ http://WWW.ACHETER-LIPITOR-BON-MARCHE.TK/ + + + + + + + + + + + + + + + + + + + + + + http://www.generic-pharmacy.net/generic-ultram.html?affid=6138 http://ibm-news.for-um.de/showthread.php?goto=newpost&t=9694 http://www.c-medical.net/?affid=6138 http://WWW.GENERIC-PHARMACY.NET/french/xenical_generique.html?affid=6138 http://www.generic-pharmacy.net/Generic-Prevacid.html?affid=6138 acheter achat zocor canada en ligne acheter achat zocor bon marche en linge achat acheter zocor discret Achat acheter zocor france Achat achat zocor Pro acquerir acheter zocor us usa soft acheter du acheter zocor canada cinq femme en termes de achat zocor us usa achat zocor suisse par email un Achat de achat zocor en France avec livraison femme en termes de acheter zocor acheter zocor suisse achat zocor belgique le plus bon marche commander zocor en France en ligne achat zocor canada sans ordonnance femme en termes de acheter zocor us usa acheter zocor canada commander zocor 
canada en ligne achat zocor suisse sur internet acheter zocor canada concernées par cette commander zocor en ligne aucune prescription acheter zocor belgique commande en ligne achat zocor belgique sans ordonnance femme en termes de acheter zocor canada Achat acheter zocor Pro achat zocor suisse aucune prescription acheter zocor bon marche en linge achat zocor suisse soft en ligne acheter zocor le plus bon marche un Achat de acheter zocor en France avec livraison comprimes de acheter zocor en France acheter zocor belgique Generique Inde acheter zocor soft bon marche achat zocor suisse zocor de Simvastatin generique medicaments canada acheter zocor Generique Inde From john at iastate.edu Mon May 12 08:43:58 2008 
From: john at iastate.edu (John Hascall)
Date: Mon, 12 May 2008 07:43:58 CDT
Subject: Kerberos throwing SIGABORT in exit processing
Message-ID: <32094.1210596238@malison.ait.iastate.edu>

Has anyone else seen anything like this?
The application completes successfully,
then dies somewhere deep in exit processing
(app's log):

update_server: [info] Closing connection.
Error detected by libpthread: Invalid mutex.
Detected by file "/usr/src/lib/libpthread/pthread_mutex.c", line 334, function "pthread_mutex_unlock".
See pthread(3) for information.
exited on Abort trap signal

And the dump:

(gdb) where
#0  0x4816cfbb in kill () from /usr/lib/libc.so.12
#1  0x4814d6d5 in pthread__errorfunc () from /usr/lib/libpthread.so.0
#2  0x4814a949 in pthread_mutex_unlock () from /usr/lib/libpthread.so.0
#3  0x481196ec in krb5int_key_delete (keynum=K5_KEY_COM_ERR) at threads.c:401
#4  0x48120102 in com_err_terminate () at error_message.c:76
#5  0x4811fdd5 in __dtors () from /usr/athena/lib/libcom_err.so
#6  0x4811fe92 in __do_global_dtors_aux () from /usr/athena/lib/libcom_err.so
#7  0x48122aa5 in fini_fallthru () from /usr/athena/lib/libcom_err.so
#8  0x480566d6 in _rtld_exit () from /usr/libexec/ld.elf_so
#9  0x481c929a in exit () from /usr/lib/libc.so.12
#10 0x08049ace in quit (str=0x8057260 "quit") at update_server.c:205
#11 0x0804999e in main (argc=1, argv=0xbfbff674) at update_server.c:150
#12 0x080494a2 in ___start ()

Using Kerberos5 1.6.3 on
# uname -rms
NetBSD 4.0_BETA2 i386

Thanks,
John

From raeburn at MIT.EDU Mon May 12 09:43:25 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 12 May 2008 09:43:25 -0400
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To: <32094.1210596238@malison.ait.iastate.edu>
References: <32094.1210596238@malison.ait.iastate.edu>
Message-ID: <64748717-CACB-448F-BC58-ACF2146D2286@mit.edu>

On May 12, 2008, at 08:43, John Hascall wrote:
> Has anyone else seen anything like this?
> The application completes successfully,
> then dies somewhere deep in exit processing
> (app's log):
>
> update_server: [info] Closing connection.
> Error detected by libpthread: Invalid mutex.
> Detected by file "/usr/src/lib/libpthread/pthread_mutex.c", line
> 334, function "pthread_mutex_unlock".
> See pthread(3) for information.
> exited on Abort trap signal

Interesting... does this happen reproducibly?

I've seen reports of crashes in the thread support before, but aside from a race condition Ezra reported (is this program multithreaded?), mostly they seem to do with programs that load multiple versions of the com_err library and I guess finalization code for one gets run without it having been properly initialized, or something. Can you give me some more details on this case? For example, what libraries are getting loaded by this program?

I don't recall if gdb on i386-netbsd supports hardware watchpoints, but if it does, could you trace changes to "key_lock" in util/support/threads.c and see if it's maybe getting destroyed more than once?

Ken

From john at iastate.edu Mon May 12 09:52:03 2008
From: john at iastate.edu (John Hascall)
Date: Mon, 12 May 2008 08:52:03 CDT
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To: Your message of Mon, 12 May 2008 09:43:25 -0400. <64748717-CACB-448F-BC58-ACF2146D2286@mit.edu>
Message-ID: <32467.1210600323@malison.ait.iastate.edu>

> Interesting... does this happen reproducibly?

Yes. Every time.

> I've seen reports of crashes in the thread support before, but aside
> from a race condition Ezra reported (is this program multithreaded?),
> mostly they seem to do with programs that load multiple versions of
> the com_err library and I guess finalization code for one gets run
> without it having been properly initialized, or something. Can you
> give me some more details on this case? For example, what libraries
> are getting loaded by this program?

It is not a threaded program. It is possible that there is some com_err evilness -- lord knows the API change there has been a big pita before!

Anyway, ldd says:

/usr/athena/etc/update_server:
 -lresolv.1 => /usr/lib/libresolv.so.1
 -lkrb5support => /usr/athena/lib/libkrb5support.so
 -lk5crypto => /usr/athena/lib/libk5crypto.so
 -lcom_err => /usr/athena/lib/libcom_err.so
 -lkrb5 => /usr/athena/lib/libkrb5.so
 -lcrypt.0 => /usr/lib/libcrypt.so.0
 -lutil.7 => /usr/lib/libutil.so.7
 -lroken.12 => /usr/lib/libroken.so.12
 -lpthread.0 => /usr/lib/libpthread.so.0
 -lc.12 => /usr/lib/libc.so.12

where /usr/athena/lib/lib{krb5support,k5crypto,com_err,krb5}.so are all the ones built in krb5.1.6.3

> I don't recall if gdb on i386-netbsd supports hardware watchpoints,
> but if it does, could you trace changes to "key_lock" in util/support/
> threads.c and see if it's maybe getting destroyed more than once?

I will attempt to figure this out, thanks.

John

From kenh at cmf.nrl.navy.mil Mon May 12 10:19:55 2008
From: kenh at cmf.nrl.navy.mil (Ken Hornstein)
Date: Mon, 12 May 2008 10:19:55 -0400
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To: <32467.1210600323@malison.ait.iastate.edu>
Message-ID: <200805121419.m4CEJtuV023257@hedwig.cmf.nrl.navy.mil>

>Anyway, ldd says:
>/usr/athena/etc/update_server:
>[...]
> -lroken.12 => /usr/lib/libroken.so.12

Isn't -lroken a Heimdal library?

--Ken

From john at iastate.edu Mon May 12 11:10:50 2008
From: john at iastate.edu (John Hascall)
Date: Mon, 12 May 2008 10:10:50 CDT
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To: Your message of Mon, 12 May 2008 10:19:55 -0400. <200805121419.m4CEJtuV023257@hedwig.cmf.nrl.navy.mil>
Message-ID: <32693.1210605050@malison.ait.iastate.edu>

> >Anyway, ldd says:
> >/usr/athena/etc/update_server:
> >[...]
> > -lroken.12 => /usr/lib/libroken.so.12
> Isn't -lroken a Heimdal library?

Yup, this was a holdover. Nothing actually used it and removing it from the link command didn't change the outcome.

John

From tlyu at MIT.EDU Mon May 12 12:07:23 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 12 May 2008 12:07:23 -0400
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To: <64748717-CACB-448F-BC58-ACF2146D2286@mit.edu> (Ken Raeburn's message of "Mon, 12 May 2008 09:43:25 -0400")
References: <32094.1210596238@malison.ait.iastate.edu> <64748717-CACB-448F-BC58-ACF2146D2286@mit.edu>
Message-ID:

Ken Raeburn writes:

> I've seen reports of crashes in the thread support before, but aside
> from a race condition Ezra reported (is this program multithreaded?),
> mostly they seem to do with programs that load multiple versions of
> the com_err library and I guess finalization code for one gets run
> without it having been properly initialized, or something. Can you
> give me some more details on this case? For example, what libraries
> are getting loaded by this program?

I wonder if destructors running out of order might do this, e.g., libkrb5support destructor runs before the libcom_err destructor.

From john at iastate.edu Mon May 12 13:18:42 2008
From: john at iastate.edu (John Hascall)
Date: Mon, 12 May 2008 12:18:42 CDT
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To: Your message of Mon, 12 May 2008 12:07:23 -0400.
Message-ID: <289.1210612722@malison.ait.iastate.edu>

> Ken Raeburn writes:
> > I've seen reports of crashes in the thread support before, but aside
> > from a race condition Ezra reported (is this program multithreaded?),
> > mostly they seem to do with programs that load multiple versions of
> > the com_err library and I guess finalization code for one gets run
> > without it having been properly initialized, or something. Can you
> > give me some more details on this case? For example, what libraries
> > are getting loaded by this program?
Tom Yu writes:
> I wonder if destructors running out of order might do this, e.g.,
> libkrb5support destructor runs before the libcom_err destructor.

Interestingly if I link with -lpthread_dbg instead of -lpthread I get:

assertion "(&(&_m->os)->n)->initialized == K5_MUTEX_DEBUG_INITIALIZED" \
failed: file "threads.c", line 389, function "krb5int_key_delete"
exited on Abort trap signal; core dumped

John

From raeburn at MIT.EDU Mon May 12 14:09:15 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 12 May 2008 14:09:15 -0400
Subject: Kerberos throwing SIGABORT in exit processing
In-Reply-To:
References: <32094.1210596238@malison.ait.iastate.edu> <64748717-CACB-448F-BC58-ACF2146D2286@mit.edu>
Message-ID:

On May 12, 2008, at 12:07, Tom Yu wrote:
> I wonder if destructors running out of order might do this, e.g.,
> libkrb5support destructor runs before the libcom_err destructor.

Yes, I think that's a possibility.

Ken
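A triage check for the two things the replies in this thread ask about: Ken Raeburn's question which libraries the program loads and whether more than one com_err is among them, and Ken Hornstein's observation that libroken is Heimdal's. This is an added example, not code from the thread or from MIT krb5. It parses `ldd` output in both the NetBSD `-lfoo => path` form John posted and the glibc `libfoo.so.N => path` form; the first listing is the one quoted above, the second is constructed to show a locally built krb5 loaded next to the distribution's libcom_err. The tables of implementation-specific library names are assumptions of the check.

```python
"""Triage an ``ldd`` listing of a Kerberos program (added example).

Flags the two things the replies above ask about: a library from the
other Kerberos implementation being linked in (libroken is Heimdal's
support library), and the same library name resolved from more than one
location or soversion, which is how two copies of com_err can end up in
one process.
"""
import os
import re

# Library base names that belong to one implementation only (assumed
# table for this check; libkrb5 and libcom_err exist in both Heimdal and
# MIT krb5 and so are deliberately left out).
HEIMDAL_ONLY = {"libroken", "libasn1", "libhx509", "libhdb", "libwind",
                "libheimntlm", "libheimbase"}
MIT_ONLY = {"libkrb5support", "libk5crypto", "libgssapi_krb5"}

# Matches both "-lfoo.1 => /usr/lib/libfoo.so.1" (NetBSD) and
# "libfoo.so.1 => /lib/libfoo.so.1 (0x...)" (glibc) dependency lines.
LDD_LINE = re.compile(r"^\s*\S+\s*=>\s*(?P<path>/\S+|not found)")


def parse_ldd(text):
    """Return [(base name, resolved path)] for every resolved dependency."""
    deps = []
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if not m or m.group("path") == "not found":
            continue
        path = m.group("path")
        base = os.path.basename(path).split(".so")[0]
        deps.append((base, path))
    return deps


def find_issues(ldd_text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    deps = parse_ldd(ldd_text)
    names = {name for name, _ in deps}
    issues = []
    heimdal = sorted(names & HEIMDAL_ONLY)
    mit = sorted(names & MIT_ONLY)
    if heimdal and mit:
        issues.append("mixed implementations: Heimdal %s linked next to MIT %s"
                      % (", ".join(heimdal), ", ".join(mit)))
    locations = {}
    for name, path in deps:
        locations.setdefault(name, set()).add(path)
    for name in sorted(locations):
        if len(locations[name]) > 1:
            issues.append("%s resolved from %d places: %s" % (
                name, len(locations[name]), ", ".join(sorted(locations[name]))))
    return issues


# The listing John posted above (NetBSD ldd format).
NETBSD_LDD = """\
/usr/athena/etc/update_server:
 -lresolv.1 => /usr/lib/libresolv.so.1
 -lkrb5support => /usr/athena/lib/libkrb5support.so
 -lk5crypto => /usr/athena/lib/libk5crypto.so
 -lcom_err => /usr/athena/lib/libcom_err.so
 -lkrb5 => /usr/athena/lib/libkrb5.so
 -lcrypt.0 => /usr/lib/libcrypt.so.0
 -lutil.7 => /usr/lib/libutil.so.7
 -lroken.12 => /usr/lib/libroken.so.12
 -lpthread.0 => /usr/lib/libpthread.so.0
 -lc.12 => /usr/lib/libc.so.12
"""

# Constructed glibc-style listing: a locally built MIT krb5 next to the
# distribution's libcom_err (from e2fsprogs), so com_err is loaded twice.
GLIBC_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd1a3f0000)
\tlibkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x00007f2c9a400000)
\tlibcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x00007f2c9a3f0000)
\tlibss.so.2 => /lib64/libss.so.2 (0x00007f2c9a3e0000)
\tlibcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2c9a3d0000)
\tlibc.so.6 => /lib64/libc.so.6 (0x00007f2c9a000000)
"""

if __name__ == "__main__":
    for label, listing in (("netbsd", NETBSD_LDD), ("glibc", GLIBC_LDD)):
        print(label + ":")
        for issue in find_issues(listing) or ["no issues found"]:
            print("  " + issue)
```

On John's listing the only finding is the libroken one, which his follow-up shows was harmless here; a second com_err, as in the constructed listing, is the situation Ken Raeburn describes, where one copy's finalizer can run against state the other copy set up.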
From jsanders at TechFak.Uni-Bielefeld.DE Tue May 13 04:45:24 2008
From: jsanders at TechFak.Uni-Bielefeld.DE (Jan Sanders)
Date: Tue, 13 May 2008 10:45:24 +0200
Subject: Encryption Type wrong
In-Reply-To: <87wsm4679a.fsf@windlord.stanford.edu>
References: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE> <87wsm4679a.fsf@windlord.stanford.edu>
Message-ID: <48295524.5060908@TechFak.Uni-Bielefeld.DE>

Russ Allbery wrote:
> Jan Sanders writes:
>
>
>> I am having a little problem here. I am running a KDC on Solaris and a
>> number of clients on GNU/Linux. For both the KDC and the
>> Kerberos-Clients I have configured them to use only the
>> dec-crc-cbc:default encryption type. When creating a principal on the
>> server using addprinc wo/-e des-cbc-crc:default the principal is created
>> with 4 keys. getprinc reveals:
>>
>> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
>> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 21, ArcFour with HMAC/md5, no salt
>> Key: vno 21, DES cbc mode with RSA-MD5, no salt
>>
>
> I'm not sure what to say beyond it looks like you've not actually
> configured the KDC to use only that encryption type. The KDC is clearly
> using a wide variety of encryption types, probably its default set.
>
Yes, that is correct. If I use the default settings for Kerberos the behaviour is the same as above.
>
>> But the ordinary user once in a while wants to change the password and
>> will use kpasswd. kpasswd does not have the ability to choose the
>> encryption type and then a user ends up not having a key with
>> des-cbc-crc:normal.
>>
>
> That's correct. kpasswd will use whatever the default enctypes are in the
> Kerberos kadmind configuration.
>
>
>> Unfortunately GNU/Linux kinit breaks if the KDC does not have a key with
>> the des-cbc-crc:normal encryption type in store.
>>
>
> This on the other hand definitely isn't the case; GNU/Linux kinit will
> work fine with no DES enctypes at all.
> However, it is certainly true that
> if you specifically configure it to only use des-cbc-crc:normal and no
> such keys are available, it won't work.
>
Good to know. But unfortunately I am stuck with des-cbc-crc:normal. All clients are configured to use only des-cbc-crc:normal.

> The first question I'd have is why are you doing this? Normally you never
> want to restrict enctypes.

I have a number of GNU/Linux boxes that will have to use kerberized nfs4 in the near future. At the moment the NFS people are working on supporting more than just des-crc-cbc:normal for use with nfs4. But there are still some older boxes that won't have this feature.
Indeed it might be necessary, though undesired, to upgrade those boxes.

> If you just remove all the enctype
> restrictions, everything will work as expected and be able to negotiate a
> mutually acceptable enctype. If you're worried about old Java code, you
> could still allow 3DES, which is generally acceptable to just about
> everything except Microsoft clients (which can use RC4).
>
>
>> The kdc.conf on the Solaris machine:
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN
>> default_keytab_name = /etc/krb5/krb5.keytab
>>
>> [kdcdefaults]
>> kdc_ports = 88,750
>>
>> [realms]
>> MY.DOMAIN = {
>> profile = /etc/krb5/krb5.conf
>> database_name = /var/krb5/principal
>> admin_keytab = /etc/krb5/kadm5.keytab
>> acl_file = /etc/krb5/kadm5.acl
>> kadmind_port = 749
>> max_life = 8h 0m 0s
>> max_renewable_life = 7d 0h 0m 0s
>> default_principal_flags = +preauth
>> supported_enctypes = des-cbc-crc:normal
>> }
>>
>
> This looks right, but it's clearly not working. Could kadmind be loading
> some other kdc.conf?
>
I used truss to trace file opening for kadmind and kadmin.local and it opens the (I believe only) krb.conf in /etc/krb. I was wondering if some (subtle) syntax error in the file makes Kerberos regress to default values.

cheers
Jan Sanders
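An added check, not from the thread or from MIT krb5, that makes the mismatch Russ points at visible: it parses the `Key:` lines of `getprinc` output and the `supported_enctypes` of the realm block in kdc.conf, then reports which configured enctypes the principal lacks and which of its keys fall outside the configured set. Run on the output quoted above it also shows that none of the four keys is des-cbc-crc at all: the DES key listed, "DES cbc mode with RSA-MD5", is des-cbc-md5. The table of display names is an assumption of this example (it covers the four names in the quote plus AES-256 and DES with CRC-32), as are the alias spellings; the `Principal:` line of the sample is constructed, the keys and kdc.conf are the quoted ones.

```python
"""Compare a principal's keys with the realm's supported_enctypes (added example)."""
import re

# "getprinc" describes each key with a human-readable enctype name. This
# table maps those descriptions back to kdc.conf enctype names; it is an
# assumption of this example and covers the four names quoted in the
# thread plus AES-256 and DES with CRC-32.
DISPLAY_TO_ENCTYPE = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts-hmac-sha1-96",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts-hmac-sha1-96",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "ArcFour with HMAC/md5": "arcfour-hmac",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}
# Alternative spellings accepted in kdc.conf for the same enctype.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1",
           "arcfour-hmac-md5": "arcfour-hmac",
           "rc4-hmac": "arcfour-hmac"}

KEY_LINE = re.compile(
    r"^\s*Key:\s*vno\s+(?P<vno>\d+),\s*(?P<display>[^,]+),\s*(?P<salt>.+?)\s*$")


def canonical(enctype):
    return ALIASES.get(enctype, enctype)


def principal_enctypes(getprinc_text):
    """Set of enctype names the principal has keys for, from getprinc output."""
    found = set()
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            display = m.group("display").strip()
            found.add(canonical(DISPLAY_TO_ENCTYPE.get(display, display)))
    return found


def realm_supported_enctypes(kdc_conf_text, realm):
    """Enctypes on the supported_enctypes line of REALM's [realms] block.

    Salt types (the part after the colon) are dropped; only the enctype
    names are compared.
    """
    section = None
    in_realm = False
    for raw in kdc_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_realm = line[1:-1], False
            continue
        if section != "realms":
            continue
        if line.endswith("{"):  # "REALM = {" opens a realm block
            in_realm = line[:-1].strip().rstrip("=").strip() == realm
            continue
        if line == "}":
            in_realm = False
            continue
        key, sep, value = line.partition("=")
        if in_realm and sep and key.strip() == "supported_enctypes":
            return {canonical(tok.split(":", 1)[0]) for tok in value.split()}
    return set()


def compare_keys(getprinc_text, kdc_conf_text, realm):
    """Configured enctypes the principal lacks, and keys outside the configuration."""
    have = principal_enctypes(getprinc_text)
    want = realm_supported_enctypes(kdc_conf_text, realm)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


# getprinc output: the four Key: lines quoted above; the Principal: line is constructed.
GETPRINC = """\
Principal: joeuser@MY.DOMAIN
Number of keys: 4
Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 21, ArcFour with HMAC/md5, no salt
Key: vno 21, DES cbc mode with RSA-MD5, no salt
"""

# The kdc.conf quoted above.
KDC_CONF = """\
[libdefaults]
default_realm = MY.DOMAIN
default_keytab_name = /etc/krb5/krb5.keytab

[kdcdefaults]
kdc_ports = 88,750

[realms]
MY.DOMAIN = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
supported_enctypes = des-cbc-crc:normal
}
"""

if __name__ == "__main__":
    print(compare_keys(GETPRINC, KDC_CONF, "MY.DOMAIN"))
```

The result for the quoted data is `missing: ['des-cbc-crc']` with all four existing keys listed as unexpected, which is the same conclusion Russ draws: whatever kadmind read, it was not this `supported_enctypes` line.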
From mohamed.chaari at orange-ftgroup.com Tue May 13 04:44:29 2008
From: mohamed.chaari at orange-ftgroup.com (mohamed.chaari@orange-ftgroup.com)
Date: Tue, 13 May 2008 10:44:29 +0200
Subject: Use of GSS-API
Message-ID:

Hello,

I have installed kerberos v5 and the GSS-API, I would like to know if kerberos uses the GSS-API that I have installed when there is an exchange of credential or not. Is there a method for verifying?

Thanks

Regards,
Mohamed

From kwc at citi.umich.edu Tue May 13 09:58:05 2008
From: kwc at citi.umich.edu (Kevin Coffman)
Date: Tue, 13 May 2008 09:58:05 -0400
Subject: Encryption Type wrong
In-Reply-To: <48295524.5060908@TechFak.Uni-Bielefeld.DE>
References: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE> <87wsm4679a.fsf@windlord.stanford.edu> <48295524.5060908@TechFak.Uni-Bielefeld.DE>
Message-ID: <4d569c330805130658y53f84324ve01d029ec098134f@mail.gmail.com>

On Tue, May 13, 2008 at 4:45 AM, Jan Sanders wrote:
> Russ Allbery wrote:
> > Jan Sanders writes:
> >
> >
> >> I am having a little problem here. I am running a KDC on Solaris and a
> >> number of clients on GNU/Linux. For both the KDC and the
> >> Kerberos-Clients I have configured them to use only the
> >> dec-crc-cbc:default encryption type. When creating a principal on the
> >> server using addprinc wo/-e des-cbc-crc:default the principal is created
> >> with 4 keys. getprinc reveals:
> >>
> >> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
> >> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt
> >> Key: vno 21, ArcFour with HMAC/md5, no salt
> >> Key: vno 21, DES cbc mode with RSA-MD5, no salt
> >>
> >
> > I'm not sure what to say beyond it looks like you've not actually
> > configured the KDC to use only that encryption type. The KDC is clearly
> > using a wide variety of encryption types, probably its default set.
> >
> Yes, that is correct. If I use the default settings for Kerberos the
> behaviour is the same as above.
>
> >
> >> But the ordinary user once in a while wants to change the password and
> >> will use kpasswd. kpasswd does not have the ability to choose the
> >> encryption type and then a user ends up not having a key with
> >> des-cbc-crc:normal.
> >>
> >
> > That's correct. kpasswd will use whatever the default enctypes are in the
> > Kerberos kadmind configuration.
>
> >
> >
> >> Unfortunately GNU/Linux kinit breaks if the KDC does not have a key with
> >> the des-cbc-crc:normal encryption type in store.
> >>
> >
> > This on the other hand definitely isn't the case; GNU/Linux kinit will
> > work fine with no DES enctypes at all. However, it is certainly true that
> > if you specifically configure it to only use des-cbc-crc:normal and no
> > such keys are available, it won't work.
> >
> Good to know. But unfortunately I am stuck with des-cbc-crc:normal. All
> clients are configured to use only des-cbc-crc:normal.
>
> > The first question I'd have is why are you doing this? Normally you never
> > want to restrict enctypes.
> I have a number of GNU/Linux boxes that will have to use kerberized nfs4
> in the near future. At the moment the NFS people are working on
> supporting more than just des-crc-cbc:normal for use with nfs4. But there
> are still some older boxes that won't have this feature.
> Indeed it might be necessary, though undesired, to upgrade those boxes.

There is no need to cripple your entire realm to only des-cbc-crc for NFSv4. If you need help properly configuring Kerberos for NFSv4 on Linux (I assume you are talking about Linux), let me know. Again, there is no reason to limit your entire realm to des-cbc-crc for this one service!

> > If you just remove all the enctype
> > restrictions, everything will work as expected and be able to negotiate a
> > mutually acceptable enctype. If you're worried about old Java code, you
> > could still allow 3DES, which is generally acceptable to just about
> > everything except Microsoft clients (which can use RC4).
>
> >
> >
> >> The kdc.conf on the Solaris machine:
> >>
> >> [libdefaults]
> >> default_realm = MY.DOMAIN
> >> default_keytab_name = /etc/krb5/krb5.keytab
> >>
> >> [kdcdefaults]
> >> kdc_ports = 88,750
> >>
> >> [realms]
> >> MY.DOMAIN = {
> >> profile = /etc/krb5/krb5.conf
> >> database_name = /var/krb5/principal
> >> admin_keytab = /etc/krb5/kadm5.keytab
> >> acl_file = /etc/krb5/kadm5.acl
> >> kadmind_port = 749
> >> max_life = 8h 0m 0s
> >> max_renewable_life = 7d 0h 0m 0s
> >> default_principal_flags = +preauth
> >> supported_enctypes = des-cbc-crc:normal
> >> }
> >>
> >
> > This looks right, but it's clearly not working. Could kadmind be loading
> > some other kdc.conf?
> >
> I used truss to trace file opening for kadmind and kadmin.local and it
> opens the (I believe only) krb.conf in /etc/krb. I was wondering if
> some (subtle) syntax error in the file makes Kerberos regress to default
> values.

Is that a typo? I think Solaris expects config files in /etc/krb5 (not /etc/krb). Please see my note above before continuing, though.

From stevenraymillerjr at yahoo.com Tue May 13 11:39:45 2008
From: stevenraymillerjr at yahoo.com (Steven Miller)
Date: Tue, 13 May 2008 08:39:45 -0700 (PDT)
Subject: restoring from a dump file
Message-ID: <440519.21571.qm@web38508.mail.mud.yahoo.com>

I am switching to an ldap backend from the default backend. I have not had much luck finding a procedure for this. Can anyone provide pointers to the right docs?

thanks in advance
Steven

From rwilper at stanford.edu Tue May 13 12:46:12 2008
From: rwilper at stanford.edu (Wilper, Ross A)
Date: Tue, 13 May 2008 09:46:12 -0700
Subject: Hotfix released for Windows Server 2008 KDC issue
Message-ID:

The hotfix for my KDC issue has been publicly released.

http://support.microsoft.com/kb/951191

-Ross

> * Authentication to Active Directory using a principal that contains a
> slash (such as service/foo) from a keytab generated by the Windows
> tool is broken in Windows 2008.

From stevenraymillerjr at yahoo.com Tue May 13 13:59:25 2008
From: stevenraymillerjr at yahoo.com (Steven Miller)
Date: Tue, 13 May 2008 10:59:25 -0700 (PDT)
Subject: A better question concerning changing backends
Message-ID: <237428.11164.qm@web38505.mail.mud.yahoo.com>

Is it possible to change backends from the default db to ldap. If so, any pointers to some documentation or a general overview of what would have to happen.

thanks again,
Steven

From neelsmail at rediffmail.com Tue May 13 08:23:41 2008
From: neelsmail at rediffmail.com (neelsmail@rediffmail.com)
Date: Tue, 13 May 2008 05:23:41 -0700 (PDT)
Subject: krb5 RHEL 5.1 and NetworkManager
Message-ID: <70c09d06-61f5-4b20-837b-b1b7208cd135@u12g2000prd.googlegroups.com>

Hi,

I am _very_ new to kerberos AND Linux. But here is what I am trying to do:
- I have Windows 2003 SP1 server which is acting as Domain Controller (KDC I believe).
- I have Linux RHEL 5.1 which is trying to authenticate the added service principal.

The problem:
Every time I run the "kinit" command, like the one given below, in the context of the Active Directory user I have logged in as, it pops up krb5-auth-dialog where I have to enter the credentials, _everytime_.

Command:
kinit /S host/AnotherXpHost.MyDomain.com -k -t /etc/MyKeyTab.keytab ServicePrincipalName

What I observed is before I run the "kinit" command, klist (just "klist" without any argument) lists that the current ticket available is krbtgt/MyDomain.com at MyDomain.com

When the above mentioned "kinit" command is completed and I run "klist" it shows that it is replaced with a ticket for host/AnotherXpHost.MyDomain.com at MyDomain.com

Now, the password authentication dialog (krb5-auth-dialog) shows up. If I enter correct credentials now, and run klist, it again will display that the ticket available right now is for krbtgt/MyDomain.com at MyDomain.com

Is it that the "kinit" I am running should _add_ instead of replacing the ticket? or should I run the "kinit" command with krbtgt _always_?

Thanks in advance,
Neel.

From nichu at CUT.onet.pl Tue May 13 09:52:02 2008
From: nichu at CUT.onet.pl (Marcin N)
Date: Tue, 13 May 2008 15:52:02 +0200
Subject: kprop problem
Message-ID:

Hello again

Kerberos database replication is probably too hard for me :>
Now I'm trying to do it between two mandriva hosts.. I compiled krb-1.6.3 and I read the documentation step-by-step ... I did rather everything like in the doc..

My config files:

krb5.conf

[libdefaults]
default_realm = KRB.COM

[realms]
KRB.COM = {
admin_server = com1.krb.com
kdc = com1.krb.com
kdc = com2.krb.com
default_domain = krb.com
}

[domain_realm]
.krb.com = KRB.COM
krb.com = KRB.COM

[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log

[kdc]
profile = /usr/local/var/krb5kdc/kdc.conf

===========================================================================
Here are my first questions: should krb5.conf be the same on both machines? Maybe admin_server should be set to the master on both sides, and the order of the kdc's should be the same on both machines? Or should only one be set in the file (which?)?
===========================================================================
kdc.conf:

[kdcdefaults]
kdc_ports = 88
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab

[realms]
KRB.COM = {
profile = /etc/krb5.conf
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
database_name = /usr/local/var/krb5kdc/principal
admin_database_name = /usr/local/var/krb5kdc/kadm5_adb
admin_database_lockfile = /usr/local/var/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /usr/local/var/krb5kdc/.k5stash
kdc_ports = 88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
===========================================================================

My next question is about:

4.1.2.3 Set Up the Slave KDCs for Database Propagation

krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c -e

I don't use inetd - so I executed kpropd and klogind by hand (on both machines):

kpropd -S
klogind -f

is it ok?

Now when I execute

/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans ns1.krb.com

there is error

/usr/local/sbin/kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
Generic remote error: Wrong principal in request

on log there is only:

May 13 15:37:59 com2 krb5kdc[4799](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.111.109: ISSUE: authtime 1210685879, etypes {rep=16 tkt=16 ses=16}, host/com2.krb.com at KRB.COM for host/com1.krb.com at KRB.COM

so it's the same error as in solaris :/
I'm really confused ..
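A parser for the krb5kdc log line quoted above, added here as an example (not part of Marcin's message or of MIT krb5). It pulls out the client, the service principal the ticket was issued for and the negotiated etypes, so the service kprop actually authenticated to can be compared with the principal kpropd on the slave holds in its keytab, host/<slave fqdn>@REALM; a ticket for some other host principal is one way to get a "Wrong principal in request" rejection from the slave. The sample log is constructed from the quoted line (with the list archive's " at " written back as "@") plus a NEEDED_PREAUTH line in the same format; the slave hostnames passed to the check are placeholders.

```python
"""Parse krb5kdc AS_REQ/TGS_REQ log lines and check a kprop ticket (added example)."""
import re

# One request line as krb5kdc writes it: the ISSUE form carries authtime
# and the negotiated etypes; an error form carries a status code and a
# trailing message after the two principals.
KDC_LINE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\):\s+"
    r"(?P<req>AS_REQ|TGS_REQ)\s+\(\d+\s+etypes\s+\{(?P<etypes>[^}]*)\}\)\s+"
    r"(?P<addr>[\d.]+):\s+(?P<status>[A-Z_]+):\s+"
    r"(?:authtime\s+(?P<authtime>\d+),\s+etypes\s+\{rep=(?P<rep>\d+)"
    r"\s+tkt=(?P<tkt>\d+)\s+ses=(?P<ses>\d+)\},\s+)?"
    r"(?P<client>\S+)\s+for\s+(?P<server>\S+?)(?:,\s+(?P<message>.*))?$"
)


def parse_kdc_log(text):
    """Return one dict per request line; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["etypes"] = [int(x) for x in ev["etypes"].split()]
        for field in ("authtime", "rep", "tkt", "ses"):
            ev[field] = int(ev[field]) if ev[field] is not None else None
        events.append(ev)
    return events


def expected_kpropd_principal(slave_fqdn, realm):
    """kpropd authenticates the sender against its own host principal."""
    return "host/%s@%s" % (slave_fqdn, realm)


def check_kprop_ticket(event, slave_fqdn, realm):
    """Explain whether the issued ticket names the slave's host principal."""
    want = expected_kpropd_principal(slave_fqdn, realm)
    if event["status"] != "ISSUE":
        return "no ticket issued: %s (%s)" % (event["status"], event["message"])
    if event["server"] == want:
        return "ok: %s got a ticket for %s (ticket etype %d)" % (
            event["client"], want, event["tkt"])
    return "mismatch: ticket is for %s but kpropd on %s expects %s" % (
        event["server"], slave_fqdn, want)


# Constructed sample: the line quoted above with "@" restored, preceded by
# the pre-authentication round trip that normally comes first.
KDC_LOG = """\
May 13 15:37:58 com2 krb5kdc[4799](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.111.109: NEEDED_PREAUTH: host/com2.krb.com@KRB.COM for host/com1.krb.com@KRB.COM, Additional pre-authentication required
May 13 15:37:59 com2 krb5kdc[4799](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.111.109: ISSUE: authtime 1210685879, etypes {rep=16 tkt=16 ses=16}, host/com2.krb.com@KRB.COM for host/com1.krb.com@KRB.COM
"""

if __name__ == "__main__":
    issued = parse_kdc_log(KDC_LOG)[-1]
    # Placeholder slave names: the one the ticket names, and the one kprop was pointed at.
    for slave in ("com1.krb.com", "ns1.krb.com"):
        print(check_kprop_ticket(issued, slave, "KRB.COM"))
```

The quoted line shows kprop on com2 obtaining a ticket for host/com1.krb.com while the command named ns1.krb.com; running the check with both names shows which of the two kpropd would have to be keyed as for the ticket to be accepted.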
From Tim.Alsop at cybersafe.com Tue May 13 15:04:08 2008
From: Tim.Alsop at cybersafe.com (Tim Alsop)
Date: Tue, 13 May 2008 20:04:08 +0100
Subject: Hotfix released for Windows Server 2008 KDC issue
In-Reply-To:
References:
Message-ID: <0D8F2EFD3A10E24DAEEA48EA6DA07D3048AA32@postman-pat.csafe.local>

Ross,

There is a mistake in the kb in the "File information" section, where it suggests that Windows Server 2003, x86-based files are changed. I think this should refer to Windows Server 2008 since this is what the fix is for. There is no need for this fix if Windows Server 2003 is used. Also, there doesn't appear to be any x64 hotfix available for download.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Wilper, Ross A
Sent: 13 May 2008 17:46
To: kerberos at mit.edu
Subject: Hotfix released for Windows Server 2008 KDC issue

The hotfix for my KDC issue has been publicly released.

http://support.microsoft.com/kb/951191

-Ross

> * Authentication to Active Directory using a principal that contains a
> slash (such as service/foo) from a keytab generated by the Windows
> tool is broken in Windows 2008.

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From rwilper at stanford.edu Tue May 13 15:44:42 2008
From: rwilper at stanford.edu (Wilper, Ross A)
Date: Tue, 13 May 2008 12:44:42 -0700
Subject: Hotfix released for Windows Server 2008 KDC issue
In-Reply-To: <0D8F2EFD3A10E24DAEEA48EA6DA07D3048AA32@postman-pat.csafe.local>
References: <0D8F2EFD3A10E24DAEEA48EA6DA07D3048AA32@postman-pat.csafe.local>
Message-ID:

I left the same comment on the KB article; there are also some misspellings that I commented on.

There are both i386 and AMD64 versions available.
Windows6.0-KB951191-x86.msi and Windows6.0-KB951191-x64.msi

-Ross

-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop at cybersafe.com]
Sent: Tuesday, May 13, 2008 12:04 PM
To: Wilper, Ross A; kerberos at mit.edu
Subject: RE: Hotfix released for Windows Server 2008 KDC issue

Ross,

There is a mistake in the kb in the "File information" section, where it suggests that Windows Server 2003, x86-based files are changed. I think this should refer to Windows Server 2008 since this is what the fix is for. There is no need for this fix if Windows Server 2003 is used. Also, there doesn't appear to be any x64 hotfix available for download.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Wilper, Ross A
Sent: 13 May 2008 17:46
To: kerberos at mit.edu
Subject: Hotfix released for Windows Server 2008 KDC issue

The hotfix for my KDC issue has been publicly released.

http://support.microsoft.com/kb/951191

-Ross

> * Authentication to Active Directory using a principal that contains a
> slash (such as service/foo) from a keytab generated by the Windows
> tool is broken in Windows 2008.

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From Martin.Schuster1 at infineon.com Wed May 14 03:08:46 2008
From: Martin.Schuster1 at infineon.com (Martin Schuster)
Date: Wed, 14 May 2008 09:08:46 +0200
Subject: A better question concerning changing backends
In-Reply-To:
References:
Message-ID:

Steven Miller wrote:
> Is it possible to change backends from the default db
> to ldap. If so, any pointers to some documentation or
> a general overview of what would have to happen.
>

2 documents that helped me:
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend
http://blogs.sun.com/wfiveash/entry/the_rough_guide_to_configuring

hth,
--
Infineon Technologies IT-Services GmbH
Martin.Schuster1 at infineon.com
Lakeside B05, 9020 Klagenfurt, Austria
Martin Schuster
FB: LG Klagenfurt, FN 246787y
+43 5 1777 3517

From Martin.Schuster1 at infineon.com Wed May 14 04:58:31 2008
From: Martin.Schuster1 at infineon.com (Martin Schuster)
Date: Wed, 14 May 2008 10:58:31 +0200
Subject: Reusing existing people-entries for the LDAP-backend
Message-ID:

Using the two documents that I linked in today,
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend
http://blogs.sun.com/wfiveash/entry/the_rough_guide_to_configuring
I managed to get Kerberos to store its database in LDAP.

Only issue that I've encountered:
I want to reuse the existing entries in our ou=people tree, and in order to do so I can of course use
kdb5_ldap_util [...] modify -subtrees 'ou=people,[...]'
to get Kerberos to look for the krbPrincipalName in that tree.

But if I now add a principal by first setting the krbPrincipalName of the user in ou=people, and then issuing
kadmin.local -q 'addprinc joeuser'
the additional attributes (e.g. krbPrincipalKey) are still stored in the Kerberos container tree.

I tried to use ou=people as container tree by issuing
kdb5_ldap_util [...] modify -containerref 'ou=people,[...]'
but then addprinc complains:
add_principal: Principal or policy already exists while creating "joeuser@[...].COM".

Is there a way to get all data into the people-tree?
I'm not too afraid to hack around in plugins/kdb/ldap/ if necessary, but would be glad if you could give me some hints what I'd need to do there :)

tia,
--
Infineon Technologies IT-Services GmbH
Martin.Schuster1 at infineon.com
Lakeside B05, 9020 Klagenfurt, Austria
Martin Schuster
FB: LG Klagenfurt, FN 246787y
+43 5 1777 3517

From neelsmail at rediffmail.com Wed May 14 06:19:20 2008
From: neelsmail at rediffmail.com (neelsmail@rediffmail.com)
Date: Wed, 14 May 2008 03:19:20 -0700 (PDT)
Subject: How to find out why credentials have expired
Message-ID: <4bf20035-cca8-4d15-aceb-d3583a9f00c2@u12g2000prd.googlegroups.com>

Hi,

I am using Kerberos 5 to authenticate an AD user from Linux RHEL 5.1 with NetworkManager installed. Every so often, a dialog box pops up which asks for the credentials of the AD user. I wanted to know how I can find out why and how his credentials have expired. Is there a way to do that?

Thanks,
Neel.

From mc at suse.de Wed May 14 11:12:30 2008
From: mc at suse.de (Michael Calmer)
Date: Wed, 14 May 2008 17:12:30 +0200
Subject: Reusing existing people-entries for the LDAP-backend
In-Reply-To:
References:
Message-ID: <200805141712.31067.mc@suse.de>

Hi,

On Wednesday, 14 May 2008, Martin Schuster wrote:
> Using the two documents that I linked in today,
> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend
> http://blogs.sun.com/wfiveash/entry/the_rough_guide_to_configuring
> I managed to get Kerberos to store its database in LDAP.
>
> Only issue that I've encountered:
> I want to reuse the existing entries in our ou=people tree, and in order to
> do so I can of course use
> kdb5_ldap_util [...] modify -subtrees 'ou=people,[...]'
> to get Kerberos to look for the krbPrincipalName in that tree.
>
> But if I now add a principal by first setting the krbPrincipalName
> of the user in ou=people, and then issuing
> kadmin.local -q 'addprinc joeuser'
> the additional attributes (e.g. krbPrincipalKey) are still stored in
> the Kerberos container tree.

You have to tell addprinc where to store this user by using

  addprinc -x dn= joeuser

See also man kadmin.

> I tried to use ou=people as container tree by issuing
> kdb5_ldap_util [...] modify -containerref 'ou=people,[...]'
> but then addprinc complains:
> add_principal: Principal or policy already exists while creating
> "joeuser@[...].COM".
>
> Is there a way to get all data into the people-tree?
> I'm not too afraid to hack around in plugins/kdb/ldap/ if necessary,
> but would be glad if you could give me some hints what I'd need
> to do there :)
>
> tia,

--
Regards

Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)

From ssorce at redhat.com Wed May 14 11:28:00 2008

From: ssorce at redhat.com (Simo Sorce)
Date: Wed, 14 May 2008 11:28:00 -0400
Subject: How to find out why credentials have expired
In-Reply-To: <4bf20035-cca8-4d15-aceb-d3583a9f00c2@u12g2000prd.googlegroups.com>
References: <4bf20035-cca8-4d15-aceb-d3583a9f00c2@u12g2000prd.googlegroups.com>
Message-ID: <1210778880.28428.29.camel@localhost.localdomain>

On Wed, 2008-05-14 at 03:19 -0700, neelsmail at rediffmail.com wrote:
> Hi,
>
> I am using Kerberos 5 to authenticate an AD user from Linux RHEL 5.1
> with NetworkManager installed. Every so often, a dialog box pops up
> which asks for the credentials of the AD user. I wanted to know how
> can I find out why and how his credentials have expired. Is there a
> way to do that?

It might be kerb_auth_dialog (a Red Hat helper package) popping up because your kerberos ticket is expired.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From deengert at anl.gov Wed May 14 14:11:23 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 14 May 2008 13:11:23 -0500
Subject: Use of GSS-API
In-Reply-To:
References:
Message-ID: <482B2B4B.7080107@anl.gov>

mohamed.chaari at orange-ftgroup.com wrote:
> Hello,
>
> I have installed kerberos v5 and the GSS-API, I would like to know if
> kerberos uses the GSS-API that I have installed when there is an
> exchange of credential or not. Is there a method for verifying?

You mean does your application call GSS-API, and does GSS-API use the Kerberos mechanism.

Use ldd on the application executable to see what libs it loads.

You could do a network trace, and look at the packets to see if GSS-API with Kerberos is being used. Wireshark formats the GSS-API and Kerberos packets.

>
> Thanks
>
> Regards,
> Mohamed
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From neelsmail at rediffmail.com Wed May 14 11:53:01 2008
From: neelsmail at rediffmail.com (neelsmail@rediffmail.com)
Date: Wed, 14 May 2008 08:53:01 -0700 (PDT)
Subject: How to find out why credentials have expired
References: <4bf20035-cca8-4d15-aceb-d3583a9f00c2@u12g2000prd.googlegroups.com>
Message-ID: <2be7d5f8-fd4a-447a-86d4-f9db1a530a25@d19g2000prm.googlegroups.com>

On May 14, 8:28 pm, Simo Sorce wrote:
> On Wed, 2008-05-14 at 03:19 -0700, neelsm... at rediffmail.com wrote:
> > Hi,
> >
> > I am using Kerberos 5 to authenticate an AD user from Linux RHEL 5.1
> > with NetworkManager installed. Every so often, a dialog box pops up
> > which asks for the credentials of the AD user. I wanted to know how
> > can I find out why and how his credentials have expired. Is there a
> > way to do that?
>
> It might be kerb_auth_dialog (a Red Hat helper package) popping up
> because your kerberos ticket is expired.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

Thank you _very_ much. Yes, it is krb5-auth-dialog. I have been searching frantically for the last couple of days for why it would pop up.

When I do "kinit", klist (without any arguments) shows that the krbtgt ticket has been replaced by whatever host name I passed to kinit (with the -S option). When that happens, krb5-auth-dialog pops up. If I enter the correct password now, the ticket for the host I sent to kinit gets replaced again by krbtgt. Is that expected?

The problem is it pops up _every time_. Is there a way to get around this behaviour? I tried uninstalling NetworkManager, NetworkManager-gnome but that just makes any commands after "kinit" fail with "Cannot find ticket for the requested realm".

Thanks,
Neel.

From jaltman at secure-endpoints.com Thu May 15 08:24:41 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 15 May 2008 08:24:41 -0400
Subject: AFS & Kerberos Best Practices Workshop 2008: Next Week May 19-23, Newark NJ USA
Message-ID: <482C2B89.6040703@secure-endpoints.com>

[Please forgive the cross-posting, and please feel free to forward to other appropriate communities.]

The AFS & Kerberos Best Practices Workshop 2008 is being held next week in Newark NJ USA at New Jersey Institute of Technology.

  http://workshop.openafs.org/afsbpw08/

In conjunction with the Wednesday demonstration of MIT Kerberos and OpenAFS running on the Nokia N810 Internet Tablet, the Nokia USA flagship store in Manhattan will be offering all workshop attendees the opportunity to purchase an N810 at a price of US$380 (regularly US$479). Nokia representatives will be at the workshop with demo units for attendees to play with. [Proof of workshop registration is required.]

This year's social event will include billiards, ping pong, appetizers and an open bar. The social event is being sponsored by The Linux Box, Secure Endpoints Inc, and Sine Nomine Associates.

Although on-site registration is permitted, we strongly urge you to register before pre-registration closes on Friday.

  http://workshop.openafs.org/afsbpw08/registration.html

The full day AFS and Kerberos tutorials will be held on Monday and Tuesday.

The keynote is entitled "OpenAFS and the Dawn of a New Era" and will be given by Alistair Ferguson of Morgan Stanley on Wednesday.

Other sessions include presentations

The complete abstract and the rest of the workshop session schedule can be found at:

  http://workshop.openafs.org/afsbpw08/schedule.html

This year the workshop will host two panel discussions related to OpenAFS. The first will be a panel on AFS Cell Troubleshooting. If your organization has issues that you would like to have considered for solving by our expert panel, please send e-mail to workshop-info at openafs.org.

  http://workshop.openafs.org/afsbpw08/wed_panel.html

The second panel discussion will be on AFS and Kerberos Configuration in which a separate panel of experts will discuss the pros and cons of various cell and realm configurations including but not limited to directory hierarchies, volume distribution, and server configurations, ldap backends, password expiration policies, and cross-realm key exchange. If there are specific questions you would like the panel of experts to address, please send them to workshop-info at openafs.org.

  http://workshop.openafs.org/afsbpw08/thu_panel.html

Following in the tradition of previous workshops there will be a PGP key signing event.

  http://workshop.openafs.org/afsbpw08/afsbpw-keysigning.html

If there is interest in a Kerberos cross-realm key exchange event we will consider that as well.

As of this writing there are attendees from more than 60 organizations and ten countries.

Please address all questions and comments to workshop-info at openafs.org.

All proceeds are used to support the OpenAFS Community.

We hope to see you there.

From anshuman_hazarika at yahoo.co.uk Thu May 15 02:11:12 2008
From: anshuman_hazarika at yahoo.co.uk (Anshuman Hazarika)
Date: Thu, 15 May 2008 07:11:12 +0100 (BST)
Subject: Help required in using kerberos in our project
Message-ID: <852937.34138.qm@web27909.mail.ukl.yahoo.com>

Hi,

We are developing a product called Zeus. In this product we need our users to be authorised using kerberos.

We would like to know how to proceed with the development of this module.

We have the user information, like the user name and password, stored in ldap.

What we understand as of now is that we need to download and install the mit kerberos server. After that do we have to develop a kerberos client which talks to the kerberos server? If so how do we go about it? Are there APIs available?

Can the utilities like kinit be used to develop the client which would take the username and password to be authorized using kerberos?

Any help in this regard would be appreciated.

Thanks and regards,
Anshuman Hazarika

Anshuman Hazarika
Mobile 9821434383
Vipassana can change u'r life. Do give it a try. www.dhamma.org

__________________________________________________________
Sent from Yahoo! Mail. A Smarter Email http://uk.docs.yahoo.com/nowyoucan.html

From sbuckley at MIT.EDU Thu May 15 10:52:47 2008
From: sbuckley at MIT.EDU (Stephen C. Buckley)
Date: Thu, 15 May 2008 10:52:47 -0400
Subject: MIT White Paper Available: "Why is Kerberos a Credible Security Solution?"
Message-ID: <4EF63EFF-69E2-43AE-BCA3-DDA7B1A9EA6F@mit.edu>

As you know, one of the goals of the MIT Kerberos Consortium is to provide better documentation to security software developers and practitioners.

I'm pleased to announce the availability of our first white paper, entitled "Why is Kerberos a Credible Security Solution?" It is available at no cost on our web site at:

  http://www.kerberos.org/software/whykerberos.pdf

Comments are welcome.

The writing of our second white paper, "Kerberos in a Mixed Environment", is already underway.

We have also begun a process of aggregating some content from other web sites, such as white papers, tutorials, specifications, guides, etc. A far from comprehensive collection of links to these resides here:

  http://www.kerberos.org/software/whitepapers.html

Kind regards,
s

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Stephen C. Buckley
Executive Director
MIT Kerberos Consortium
www.kerberos.org

From ioplex at gmail.com Thu May 15 11:28:00 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 15 May 2008 11:28:00 -0400
Subject: Help required in using kerberos in our project
In-Reply-To: <852937.34138.qm@web27909.mail.ukl.yahoo.com>
References: <852937.34138.qm@web27909.mail.ukl.yahoo.com>
Message-ID: <78c6bd860805150828q4f5eed25mb1552483b08ab7e0@mail.gmail.com>

On Thu, May 15, 2008 at 2:11 AM, Anshuman Hazarika wrote:
> Hi ,
>
> We are developing a product called as Zeus. In this
> product we need our users to be authorised using
> kerberos.
>
> We would like to know how to proceed with the
> development of this module.
>
> We have the user information, like the user name and
> password, stored in ldap.
>
> What we understand as of now is that we need to
> download and install the mit kerberos server. After
> that do we have to develop a kerberos client which
> talks to the kerberos server? If so how do we go about
> it?Are there APIs Available?

Look into something called "GSSAPI". It is a general purpose API for exchanging authentication tokens of different types (including Kerberos) in an application specific way. There are GSSAPI libraries for Java (JGSS) and for C (shipped with MIT and Heimdal distributions). On Windows you have SSPI which is mostly compatible with GSSAPI (SSPI tokens can be consumed by GSSAPI and GSSAPI tokens can be consumed by SSPI).

> Can the utilities like kinit be used to develop the
> client which would take the username and password to
> be authorized using kerberos.

Kerberos clients usually already have a credential cache infrastructure. Kinit is just one program that can populate your credential cache with a Kerberos ticket given a username and password. Windows clients get a ticket and put it in a kernel based credential cache when you login the first time (e.g. using Ctrl-Alt-Del).

Most Kerberos client and server programs use entirely GSSAPI to handle authentication. The KDC (MIT, Heimdal, Active Directory, ...) should already be set up and running in the target environment.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From jblaine at kickflop.net Thu May 15 12:55:15 2008

From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 15 May 2008 12:55:15 -0400
Subject: Solaris 10, secure nfs, permission denied
Message-ID: <482C6AF3.9070206@kickflop.net>

If anyone has any idea what I am doing wrong here, please chime in.

~:barnowl> uname -a
SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc SUNW,Sun-Fire-V240
~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs
   3 nfs/barnowl.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
   4 nfs/crete.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
~:barnowl> sudo share
-               /usr   sec=krb5:krb5i:krb5p   ""
~:barnowl>

~:crete> uname -a
SunOS crete.foo.com 5.10 Generic_118833-36 sun4v sparc SUNW,Sun-Fire-T200
~:crete> sudo klist -e -k /etc/krb5.keytab | grep nfs
   3 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
   4 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt/barnowl
nfs mount: mount: /mnt/barnowl: Permission denied
~:crete>

krb5kdc.log on the KDC shows absolutely nothing

From deengert at anl.gov Thu May 15 13:40:30 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 15 May 2008 12:40:30 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <482C6AF3.9070206@kickflop.net>
References: <482C6AF3.9070206@kickflop.net>
Message-ID: <482C758E.9000206@anl.gov>

Jeff Blaine wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
>
> ~:barnowl> uname -a
> SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc
> SUNW,Sun-Fire-V240
> ~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs
> 3 nfs/barnowl.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
> 4 nfs/crete.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)

Why does barnowl have a keytab entry for crete in its keytab?

> ~:barnowl> sudo share
> - /usr sec=krb5:krb5i:krb5p ""
> ~:barnowl>
>
>
> ~:crete> uname -a
> SunOS crete.foo.com 5.10 Generic_118833-36 sun4v sparc SUNW,Sun-Fire-T200
> ~:crete> sudo klist -e -k /etc/krb5.keytab | grep nfs

Could be hostname and principal don't match: crete.foo.com != crete.mitre.org and realms don't match between the two machines.

> 3 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
> 4 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)

Why does crete have a keytab entry for barnowl in its keytab?

> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt/barnowl
> nfs mount: mount: /mnt/barnowl: Permission denied
> ~:crete>
>
> krb5kdc.log on the KDC shows absolutely nothing
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jblaine at kickflop.net Thu May 15 13:44:28 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 15 May 2008 13:44:28 -0400
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <482C758E.9000206@anl.gov>
References: <482C6AF3.9070206@kickflop.net> <482C758E.9000206@anl.gov>
Message-ID: <482C767C.9050801@kickflop.net>

Heh, so much for "sanitizing" email before I send it out. Everything is mitre.org. Ignore the foo.com. They all match.

> Why does barnowl have a keytab entry for crete in its keytab?

Just me screwing around. Should be irrelevant.

> Could be hostname and principla dont match: crete.foo.com !=
> crete.mitre.org
> and realms don't match between the two machines.

See above. The whole krb5 environment works except for this.

> Why does crete have a keytab entry for barnowl in its keytab?

Just me screwing around. Should be irrelevant.

From kwc at citi.umich.edu Thu May 15 13:48:03 2008
From: kwc at citi.umich.edu (Kevin Coffman)
Date: Thu, 15 May 2008 13:48:03 -0400
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <482C6AF3.9070206@kickflop.net>
References: <482C6AF3.9070206@kickflop.net>
Message-ID: <4d569c330805151048t7a3e5ad6x1857ba53feeaa8e3@mail.gmail.com>

On Thu, May 15, 2008 at 12:55 PM, Jeff Blaine wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
>
> ~:barnowl> uname -a
> SunOS barnowl.foo.com 5.10 Generic_127127-11 sun4u sparc
> SUNW,Sun-Fire-V240
> ~:barnowl> sudo klist -e -k /etc/krb5.keytab | grep nfs
> 3 nfs/barnowl.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
> 4 nfs/crete.foo.com at RCF.FOO.COM (DES cbc mode with CRC-32)
> ~:barnowl> sudo share
> - /usr sec=krb5:krb5i:krb5p ""
> ~:barnowl>
>
>
> ~:crete> uname -a
> SunOS crete.foo.com 5.10 Generic_118833-36 sun4v sparc SUNW,Sun-Fire-T200
> ~:crete> sudo klist -e -k /etc/krb5.keytab | grep nfs
> 3 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
> 4 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt/barnowl
> nfs mount: mount: /mnt/barnowl: Permission denied
> ~:crete>
>
> krb5kdc.log on the KDC shows absolutely nothing

It looks like maybe you tried to hide some details, but didn't get them all? Does your real DNS domain match your REALM name? If not, does your krb5.conf (/etc/krb5/krb5.conf) properly map the hosts' domain(s) to your realm?

BTW, there is no need to limit Solaris 10 hosts to DES-only keys. That is a current Linux limitation. As long as your Solaris server has a DES key (along with keys for stronger enctypes), the Linux client should be able to negotiate the correct DES enctype. Solaris 10 servers and clients can handle the stronger encryption types.

K.C.

From jblaine at kickflop.net Thu May 15 13:52:16 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 15 May 2008 13:52:16 -0400
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <4d569c330805151048t7a3e5ad6x1857ba53feeaa8e3@mail.gmail.com>
References: <482C6AF3.9070206@kickflop.net> <4d569c330805151048t7a3e5ad6x1857ba53feeaa8e3@mail.gmail.com>
Message-ID: <482C7850.5010009@kickflop.net>

> It looks like maybe you tried to hide some details, but didn't get
> them all? Does your real DNS domain match your REALM name? If not,
> does your krb5.conf (/etc/krb5/krb5.conf) properly map the hosts'
> domain(s) to your realm?

Yes *sigh* :( Everything works properly outside of this particular krb5 usage. The realm is all set up and working fine otherwise. I just wasn't careful enough with my email sanitization.

> BTW, there is no need to limit Solaris 10 hosts to DES-only keys.
> That is a current Linux limitation. As long as your Solaris server
> has a DES key (along with keys for stronger enctypes), the Linux
> client should be able to negotiate the correct DES enctype. Solaris
> 10 servers and clients can handle the stronger encryption types.

Good to know for when I get past this problem. Thanks.

From William.Fiveash at sun.com Thu May 15 18:38:29 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Thu, 15 May 2008 17:38:29 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <482C6AF3.9070206@kickflop.net>
References: <482C6AF3.9070206@kickflop.net>
Message-ID: <20080515223829.GD10859@sun.com>

On Thu, May 15, 2008 at 12:55:15PM -0400, Jeff Blaine wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.

Have you followed the steps documented in the Configuring Kerberos NFS Servers and Configuring Kerberos Clients sections in:

  http://docs.sun.com/app/docs/doc/816-4557

with care? I suggest you check your config carefully.

Or try using the kclient command which can do a number of these steps for you. If things are still not working, please post.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From William.Fiveash at sun.com Thu May 15 18:31:12 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Thu, 15 May 2008 17:31:12 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <4d569c330805151048t7a3e5ad6x1857ba53feeaa8e3@mail.gmail.com>
References: <482C6AF3.9070206@kickflop.net> <4d569c330805151048t7a3e5ad6x1857ba53feeaa8e3@mail.gmail.com>
Message-ID: <20080515223112.GC10859@sun.com>

On Thu, May 15, 2008 at 01:48:03PM -0400, Kevin Coffman wrote:
> BTW, there is no need to limit Solaris 10 hosts to DES-only keys.
> That is a current Linux limitation. As long as your Solaris server
> has a DES key (along with keys for stronger enctypes), the Linux
> client should be able to negotiate the correct DES enctype. Solaris
> 10 servers and clients can handle the stronger encryption types.

There is a known bug in the Solaris Kerberos implementations that causes interop problems when NFS sec=krb5* is used with AES enctypes (as Kevin knows). The fix is currently in OpenSolaris and should be in Solaris 10 update 6. Until all Solaris 10 systems involved in doing NFS are fixed the workaround is to make sure no AES keys are found for the NFS service principal. This can be done like so (on the NFS server):

  kadmin -k -p nfs/nfsserv.foo.com -q 'ktadd -e arcfour-hmac-md5:normal -e des3-cbc-sha1-kd:normal -e des-cbc-md5:normal nfs/nfsserv.foo.com'

When all systems are fixed use the following on the NFS server to get all enctype keys for the server including AES (this is the default):

  kadmin -k -p nfs/nfsserv.foo.com -q 'ktadd nfs/nfsserv.foo.com'

Note this issue does not affect Solaris systems < S10 since they do not support the AES enctype.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From jblaine at kickflop.net Thu May 15 19:36:51 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 15 May 2008 19:36:51 -0400
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <20080515223829.GD10859@sun.com>
References: <482C6AF3.9070206@kickflop.net> <20080515223829.GD10859@sun.com>
Message-ID: <482CC913.9090201@kickflop.net>

Will Fiveash wrote:
> On Thu, May 15, 2008 at 12:55:15PM -0400, Jeff Blaine wrote:
>> If anyone has any idea what I am doing wrong here, please
>> chime in.
>
> Have you followed the steps documented in the Configuring Kerberos NFS
> Servers and Configuring Kerberos Clients sections in:
> http://docs.sun.com/app/docs/doc/816-4557 with care? I suggest you
> check your config carefully.

No, I hadn't. In searching Google before posting, I did in fact find a previous reply of yours to someone to do this, but you didn't provide a link that time. I poked around docs.sun.com earlier and could not find what I wanted. With your lead above, I've found the section here (for those looking in the future):

  http://docs.sun.com/app/docs/doc/816-4557/setup-97?a=view

> Or try using the kclient command which can do a number of these steps
> for you. If things are still not working, please post.

I'm not a fan of commands like kclient. I want to know how to do all of this by hand so I know every piece involved.

Off to read!

From jblaine at kickflop.net Thu May 15 20:55:31 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Thu, 15 May 2008 20:55:31 -0400
Subject: Solaris 10, secure nfs, permission denied
Message-ID: <482CDB83.5000402@kickflop.net>

Okay, well, according to the docs, I don't see that I am doing anything wrong. Here's a load of info showing the situation and the resulting KDC info.

PS: The catted example krb5.conf at
  http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view
is missing a closing brace for gkadmin in appdefaults :)

==== Basic NFS works ============================================

~:barnowl> sudo share -F nfs -o rw=crete /var/sadm

~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
~:crete> sudo umount /mnt

~:barnowl> sudo unshare /var/sadm
~:barnowl>

==== Basic krb5 auth works, FWIW ================================

~:crete> /usr/bin/klist
Ticket cache: FILE:/tmp/krb5cc_26560
Default principal: jblaine at RCF.MITRE.ORG

Valid starting     Expires            Service principal
05/15/08 20:07:07  05/22/08 20:07:07  krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
        renew until 05/22/08 20:07:07
~:crete>

==== The failing NFSv4 with krb5 ================================

SERVER
------

~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
  12 host/barnowl.mitre.org at RCF.MITRE.ORG (Triple DES cbc mode with HMAC/sha1)
  12 host/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
   6 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
~:barnowl>

~:barnowl> grep krb5 /etc/nfssec.conf
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
~:barnowl>

~:barnowl> sudo svcadm restart network/rpc/gss
~:barnowl>

~:barnowl> svcs -x nfs/server
svc:/network/nfs/server:default (NFS server)
 State: online since May 15, 2008 8:06:05 PM EDT
   See: nfsd(1M)
   See: /var/svc/log/network-nfs-server:default.log
Impact: None.
~:barnowl>

~:barnowl> sudo share
-               /usr   sec=krb5,rw=crete   ""
~:barnowl>

CLIENT
------

~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
   5 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
   6 host/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
~:crete>

~:crete> grep krb5 /etc/nfssec.conf
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
krb5i   390004  kerberos_v5  default  integrity  # RPCSEC_GSS
krb5p   390005  kerberos_v5  default  privacy    # RPCSEC_GSS
~:crete>

~:crete> sudo svcadm restart network/rpc/gss
~:crete>

~:crete> sudo kdestroy
~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
nfs mount: mount: /mnt: Permission denied
~:crete> sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/crete.mitre.org at RCF.MITRE.ORG

Valid starting     Expires            Service principal
05/15/08 20:49:34  05/16/08 06:49:34  krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
05/15/08 20:49:34  05/16/08 06:49:34  nfs/barnowl.mitre.org at RCF.MITRE.ORG

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
~:crete>

ON THE KDC WHEN THE MOUNT FAILS
-------------------------------

May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND: root/crete.mitre.org at RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG, Client not found in Kerberos database
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 128.29.72.73, resending previous response
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/crete.mitre.org at RCF.MITRE.ORG for krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/crete.mitre.org at RCF.MITRE.ORG for nfs/barnowl.mitre.org at RCF.MITRE.ORG

From anshuman_hazarika at yahoo.co.uk Fri May 16 05:27:18 2008

From: anshuman_hazarika at yahoo.co.uk (Anshuman Hazarika)
Date: Fri, 16 May 2008 09:27:18 +0000 (GMT)
Subject: Help required in using kerberos in our project
In-Reply-To: <78c6bd860805150828q4f5eed25mb1552483b08ab7e0@mail.gmail.com>
Message-ID: <442904.28129.qm@web27904.mail.ukl.yahoo.com>

Hi Mike,

Thanks for the information. It would be really helpful.

Anshuman Hazarika
Mobile 9821434383
Vipassana can change u'r life. Do give it a try. www.dhamma.org

--- On Thu, 15/5/08, Michael B Allen wrote:
From anshuman_hazarika at yahoo.co.uk Fri May 16 08:27:53 2008

From: anshuman_hazarika at yahoo.co.uk (Anshuman Hazarika)
Date: Fri, 16 May 2008 12:27:53 +0000 (GMT)
Subject: Help required in using kerberos in our project
In-Reply-To: <78c6bd860805150828q4f5eed25mb1552483b08ab7e0@mail.gmail.com>
Message-ID: <441787.56007.qm@web27914.mail.ukl.yahoo.com>

Hi Mi
Based on your sample C
However, we
It would be of great
this regard.
Thanking you again

Anshuman Hazarika
Mobile 9821434383
Vipassana can change u'r life. Do give it a try. www.dhamma.org

--- On Thu, 15/5/08, Michael B Allen wrote:
http://www.dhamma.org/

From William.Fiveash at sun.com Fri May 16 17:37:14 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Fri, 16 May 2008 16:37:14 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <482CDB83.5000402@kickflop.net>
References: <482CDB83.5000402@kickflop.net>
Message-ID: <20080516213714.GE10859@sun.com>

On Thu, May 15, 2008 at 08:55:31PM -0400, Jeff Blaine wrote:
> Okay, well, according to the docs, I don't see that I am
> doing anything wrong. Here's a load of info showing the
> situation and the resulting KDC info.

In general it looks like it should be working. Can you do the

    sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr
    sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt

while on barnowl? Note, make sure nothing is mounted on /mnt first of
course. If that doesn't work can you try using an actual root session
and run the mount without sudo (which is not a native Solaris command).
If it works without sudo, try that on crete.

Also, what variant of krb are you using on crete? I ask because the
klist output on that system shows krb v4 info which the native Solaris
krb knows nothing about. While I don't think this is causing the
problem with the mount command one should be careful about mixing use of
krb variants on a system.

> PS: The catted example krb5.conf at
> http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view
> is missing a closing brace for gkadmin in appdefaults :)

Okay, thanks for the bug tip.
> ==== Basic NFS works ============================================
>
> ~:barnowl> sudo share -F nfs -o rw=crete /var/sadm
>
> ~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
> ~:crete> sudo umount /mnt
>
> ~:barnowl> sudo unshare /var/sadm
> ~:barnowl>
>
> ==== Basic krb5 auth works, FWIW ================================
>
> ~:crete> /usr/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_26560
> Default principal: jblaine at RCF.MITRE.ORG
>
> Valid starting     Expires            Service principal
> 05/15/08 20:07:07  05/22/08 20:07:07  krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
>         renew until 05/22/08 20:07:07
> ~:crete>
>
> ==== The failing NFSv4 with krb5 ================================
>
> SERVER
> ------
>
> ~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
>   12 host/barnowl.mitre.org at RCF.MITRE.ORG (Triple DES cbc mode with
> HMAC/sha1)
>   12 host/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>    6 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:barnowl>
>
> ~:barnowl> grep krb5 /etc/nfssec.conf
> krb5     390003  kerberos_v5  default  -          # RPCSEC_GSS
> krb5i    390004  kerberos_v5  default  integrity  # RPCSEC_GSS
> krb5p    390005  kerberos_v5  default  privacy    # RPCSEC_GSS
> ~:barnowl>
>
> ~:barnowl> sudo svcadm restart network/rpc/gss
> ~:barnowl>
>
> ~:barnowl> svcs -x nfs/server
> svc:/network/nfs/server:default (NFS server)
>  State: online since May 15, 2008  8:06:05 PM EDT
>    See: nfsd(1M)
>    See: /var/svc/log/network-nfs-server:default.log
> Impact: None.
> ~:barnowl>
>
> ~:barnowl> sudo share
> -               /usr   sec=krb5,rw=crete   ""
> ~:barnowl>
>
> CLIENT
> ------
>
> ~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
>    5 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>    6 host/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
> ~:crete>
>
> ~:crete> grep krb5 /etc/nfssec.conf
> krb5     390003  kerberos_v5  default  -          # RPCSEC_GSS
> krb5i    390004  kerberos_v5  default  integrity  # RPCSEC_GSS
> krb5p    390005  kerberos_v5  default  privacy    # RPCSEC_GSS
> ~:crete>
>
> ~:crete> sudo svcadm restart network/rpc/gss
> ~:crete>
>
> ~:crete> sudo kdestroy
> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
> nfs mount: mount: /mnt: Permission denied
> ~:crete> sudo klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/crete.mitre.org at RCF.MITRE.ORG
>
> Valid starting     Expires            Service principal
> 05/15/08 20:49:34  05/16/08 06:49:34  krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
> 05/15/08 20:49:34  05/16/08 06:49:34  nfs/barnowl.mitre.org at RCF.MITRE.ORG
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> ~:crete>
>
> ON THE KDC WHEN THE MOUNT FAILS
> -------------------------------
>
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5
> etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND:
> root/crete.mitre.org at RCF.MITRE.ORG for
> krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG, Client not found in Kerberos database
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): DISPATCH:
> repeated (retransmitted?) request from 128.29.72.73, resending previous
> response
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): AS_REQ (5
> etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes
> {rep=3 tkt=16 ses=16}, host/crete.mitre.org at RCF.MITRE.ORG for
> krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
> May 15 20:49:34 silmaril.mitre.org krb5kdc[11077](info): TGS_REQ (5
> etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes
> {rep=16 tkt=1 ses=1}, host/crete.mitre.org at RCF.MITRE.ORG for
> nfs/barnowl.mitre.org at RCF.MITRE.ORG
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From zhangl06843 at hotmail.com Sun May 18 14:00:22 2008
From: zhangl06843 at hotmail.com (张琳)
Date: Mon, 19 May 2008 02:00:22 +0800
Subject: Problem when i use pkinit
In-Reply-To:
References:
Message-ID:

Hi,

I use krb-1.6.3 to implement my pkinit according to the admin.pdf. I add
the X.509 cert to the directory, and I can get my TGT using 'kinit', but if
I move my certs from that directory, I can still get a TGT, which has
puzzled me for several days. Can you explain why? My question is whether
the preauthentication process of kerberos has taken place or not. My
cert and key files are both in *.pem format, rather than *.crt & *.key, and
I have assigned { +requires_preauth } in kdc.conf. Is there anything wrong
I made?

Thanks,

--------------------------------------------
Lin Zhang, Peking University, Beijing, China

From jblaine at kickflop.net Mon May 19 10:12:28 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Mon, 19 May 2008 10:12:28 -0400
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <20080516213714.GE10859@sun.com>
References: <482CDB83.5000402@kickflop.net> <20080516213714.GE10859@sun.com>
Message-ID: <48318ACC.7060407@kickflop.net>

> In general it looks like it should be working. Can you do the
>
> sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr
> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt

/:barnowl> sudo share -F nfs -o sec=krb5,rw=crete:barnowl /usr
/:barnowl> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
nfs mount: mount: /mnt: Permission denied
/:barnowl>

May 19 09:58:28 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes
{17 16 23 3 1}) 129.83.10.149: CLIENT_NOT_FOUND:
root/barnowl.mitre.org at RCF.MITRE.ORG for
krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG, Client not found in Kerberos database
May 19 09:58:28 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes
{17 16 23 3 1}) 129.83.10.149: ISSUE: authtime 1211205508, etypes
{rep=16 tkt=16 ses=16}, host/barnowl.mitre.org at RCF.MITRE.ORG for
krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG

> while on barnowl? Note, make sure nothing is mounted on /mnt first of
> course. If that doesn't work can you try using an actually root session
> and run the mount without sudo (which is not a native Solaris command).
> If it works without sudo, try that on crete.

Nothing is mounted on /mnt

barnowl# mount -F nfs -o sec=krb5 barnowl:/usr /mnt
nfs mount: mount: /mnt: Permission denied
barnowl#

> Also, what variant of krb are you using on crete? I ask because the
> klist output on that system shows krb v4 info which the native Solaris
> krb knows nothing about. While I don't think this is causing the
> problem with the mount command one should be careful about mixing use of
> krb variants on a system.

I don't think it's relevant either. I considered it last week while I
was trying to solve this problem and disregarded it.

To answer your specific question, MIT Kerberos 1.6.x is installed in
/usr/rcf-krb5/bin and is favored PATH-wise.

>> ==== Basic NFS works ============================================
>>
>> ~:barnowl> sudo share -F nfs -o rw=crete /var/sadm
>>
>> ~:crete> sudo mount -F nfs barnowl:/var/sadm /mnt
>> ~:crete> sudo umount /mnt
>>
>> ~:barnowl> sudo unshare /var/sadm
>> ~:barnowl>
>>
>> ==== Basic krb5 auth works, FWIW ================================
>>
>> ~:crete> /usr/bin/klist
>> Ticket cache: FILE:/tmp/krb5cc_26560
>> Default principal: jblaine at RCF.MITRE.ORG
>>
>> Valid starting     Expires            Service principal
>> 05/15/08 20:07:07  05/22/08 20:07:07  krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
>>         renew until 05/22/08 20:07:07
>> ~:crete>
>>
>> ==== The failing NFSv4 with krb5 ================================
>>
>> SERVER
>> ------
>>
>> ~:barnowl> sudo klist -e -k /etc/krb5/krb5.keytab | grep barnowl
>>   12 host/barnowl.mitre.org at RCF.MITRE.ORG (Triple DES cbc mode with
>> HMAC/sha1)
>>   12 host/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>>    6 nfs/barnowl.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>> ~:barnowl>
>>
>> ~:barnowl> grep krb5 /etc/nfssec.conf
>> krb5     390003  kerberos_v5  default  -          # RPCSEC_GSS
>> krb5i    390004  kerberos_v5  default  integrity  # RPCSEC_GSS
>> krb5p    390005  kerberos_v5  default  privacy    # RPCSEC_GSS
>> ~:barnowl>
>>
>> ~:barnowl> sudo svcadm restart network/rpc/gss
>> ~:barnowl>
>>
>> ~:barnowl> svcs -x nfs/server
>> svc:/network/nfs/server:default (NFS server)
>>  State: online since May 15, 2008  8:06:05 PM EDT
>>    See: nfsd(1M)
>>    See: /var/svc/log/network-nfs-server:default.log
>> Impact: None.
>> ~:barnowl>
>>
>> ~:barnowl> sudo share
>> -               /usr   sec=krb5,rw=crete   ""
>> ~:barnowl>
>>
>> CLIENT
>> ------
>>
>> ~:crete> sudo klist -e -k /etc/krb5/krb5.keytab | grep crete
>>    5 nfs/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>>    6 host/crete.mitre.org at RCF.MITRE.ORG (DES cbc mode with CRC-32)
>> ~:crete>
>>
>> ~:crete> grep krb5 /etc/nfssec.conf
>> krb5     390003  kerberos_v5  default  -          # RPCSEC_GSS
>> krb5i    390004  kerberos_v5  default  integrity  # RPCSEC_GSS
>> krb5p    390005  kerberos_v5  default  privacy    # RPCSEC_GSS
>> ~:crete>
>>
>> ~:crete> sudo svcadm restart network/rpc/gss
>> ~:crete>
>>
>> ~:crete> sudo kdestroy
>> ~:crete> sudo mount -F nfs -o sec=krb5 barnowl:/usr /mnt
>> nfs mount: mount: /mnt: Permission denied
>> ~:crete> sudo klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/crete.mitre.org at RCF.MITRE.ORG
>>
>> Valid starting     Expires            Service principal
>> 05/15/08 20:49:34  05/16/08 06:49:34  krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
>> 05/15/08 20:49:34  05/16/08 06:49:34  nfs/barnowl.mitre.org at RCF.MITRE.ORG
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>
>> ~:crete>
>>
>> ON THE KDC WHEN THE MOUNT FAILS
>> -------------------------------
>>
>> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5
>> etypes {17 16 23 3 1}) 128.29.72.73: CLIENT_NOT_FOUND:
>> root/crete.mitre.org at RCF.MITRE.ORG for
>> krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG, Client not found in Kerberos database
>> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): DISPATCH:
>> repeated (retransmitted?) request from 128.29.72.73, resending previous
>> response
>> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5
>> etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes
>> {rep=3 tkt=16 ses=16}, host/crete.mitre.org at RCF.MITRE.ORG for
>> krbtgt/RCF.MITRE.ORG at RCF.MITRE.ORG
>> May 15 20:49:34 fookdc.mitre.org krb5kdc[11077](info): TGS_REQ (5
>> etypes {17 16 23 3 1}) 128.29.72.73: ISSUE: authtime 1210898974, etypes
>> {rep=16 tkt=1 ses=1}, host/crete.mitre.org at RCF.MITRE.ORG for
>> nfs/barnowl.mitre.org at RCF.MITRE.ORG
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From borislav.stoichkov at gmail.com Mon May 19 16:15:48 2008
From: borislav.stoichkov at gmail.com (Borislav_S)
Date: Mon, 19 May 2008 13:15:48 -0700 (PDT)
Subject: Solaris 10, secure nfs, permission denied
References: <482CDB83.5000402@kickflop.net> <20080516213714.GE10859@sun.com>
Message-ID: <042255be-acfe-41ba-86a9-91c13d73f1ba@f36g2000hsa.googlegroups.com>

According to the log below and your klist output you have not performed
step 2a from the "How to Access a Kerberos Protected NFS File System as
the root User" section here
http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view. It is also
listed as an optional step 6b in the "How to Manually Configure a Kerberos
Client" section on the same page. Hope this is helpful.

Thanks.

> May 19 09:58:28 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes
> {17 16 23 3 1}) 129.83.10.149: CLIENT_NOT_FOUND:
> root/barnowl.mitre.... at RCF.MITRE.ORG for
> krbtgt/RCF.MITRE.... at RCF.MITRE.ORG, Client not found in Kerberos database
> May 19 09:58:28 fookdc.mitre.org krb5kdc[11077](info): AS_REQ (5 etypes
> {17 16 23 3 1}) 129.83.10.149: ISSUE: authtime 1211205508, etypes
> {rep=16 tkt=16 ses=16}, host/barnowl.mitre.... at RCF.MITRE.ORG for
> krbtgt/RCF.MITRE.... at RCF.MITRE.ORG

From William.Fiveash at sun.com Mon May 19 22:14:06 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Mon, 19 May 2008 21:14:06 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <042255be-acfe-41ba-86a9-91c13d73f1ba@f36g2000hsa.googlegroups.com>
References: <482CDB83.5000402@kickflop.net> <20080516213714.GE10859@sun.com> <042255be-acfe-41ba-86a9-91c13d73f1ba@f36g2000hsa.googlegroups.com>
Message-ID: <20080520021406.GB1244@sun.com>

On Mon, May 19, 2008 at 01:15:48PM -0700, Borislav_S wrote:
>
> According to the log below and your klist output you have not
> performed step 2a from the "How to Access a Kerberos Protected NFS
> File System as the root User" section here
> http://docs.sun.com/app/docs/doc/816-4557/setup-148?a=view. It is also
> listed as an optional step 6b in the "How to Manually Configure a
> Kerberos Client" section on the same page. Hope this is helpful.
> Thanks.

Creating a root principal is not needed for mounting a NFS share protected
by krb. That is only needed if a user wants to access a NFS sec=krb5*
share as root. In general it's better not to have a root principal unless
there is a specific need. Note that Solaris krb will fall back to
automatically acquiring a krb cred via the host/ entry in
/etc/krb5/krb5.keytab if it exists when it is determined that a krb cred
is needed by root as is the case when doing a mount of a NFS sec=krb5*
share.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
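The fallback Will describes has a recognisable shape in the KDC log quoted earlier in this thread: an AS_REQ CLIENT_NOT_FOUND for root/<host>, then an AS_REQ ISSUE for host/<host> from the same client address a moment later. The following is an added example, not code from the thread or from Solaris, that separates that benign pair from any other CLIENT_NOT_FOUND an operator would want to look at (a misconfigured client, or a principal that really is missing). The hostnames, addresses and realm in the sample log are constructed; the line layout follows the krb5kdc output quoted above, and the parser assumes IPv4 client addresses.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread: classify CLIENT_NOT_FOUND entries in
 * a krb5kdc log.  A root/<host> CLIENT_NOT_FOUND followed by a host/<host>
 * ISSUE from the same address is the Solaris keytab fallback; anything else
 * is reported for a human to look at. */

#define MAX_EVENTS 64

struct asreq {
    char ip[64];        /* client address as logged (IPv4 assumed, no ':') */
    char client[128];   /* client principal, e.g. root/x.example.org@EXAMPLE.ORG */
    int  issued;        /* 1 = ISSUE, 0 = CLIENT_NOT_FOUND */
};

/* Extract address, outcome and client principal from one AS_REQ line.
 * Returns 1 on success, 0 for lines that are not AS_REQ ISSUE/CLIENT_NOT_FOUND. */
static int parse_asreq(const char *line, struct asreq *out)
{
    const char *p = strstr(line, "AS_REQ");
    if (!p) return 0;
    p = strstr(p, "}) ");            /* the address follows the etype list */
    if (!p) return 0;
    p += 3;
    const char *colon = strchr(p, ':');
    if (!colon || (size_t)(colon - p) >= sizeof out->ip) return 0;
    memcpy(out->ip, p, (size_t)(colon - p));
    out->ip[colon - p] = '\0';

    p = colon + 1;
    while (*p == ' ') p++;
    const char *client;
    if (strncmp(p, "CLIENT_NOT_FOUND:", 17) == 0) {
        out->issued = 0;
        client = p + 17;
    } else if (strncmp(p, "ISSUE:", 6) == 0) {
        out->issued = 1;
        client = strstr(p, "}, ");   /* principal follows "etypes {...}, " */
        if (!client) return 0;
        client += 3;
    } else {
        return 0;
    }
    while (*client == ' ') client++;
    const char *end = strstr(client, " for ");
    if (!end || (size_t)(end - client) >= sizeof out->client) return 0;
    memcpy(out->client, client, (size_t)(end - client));
    out->client[end - client] = '\0';
    return 1;
}

/* Returns the number of CLIENT_NOT_FOUND events with no matching host/
 * fallback; *benign receives the number that are explained by one. */
int classify_kdc_log(const char *const *lines, int n, int *benign)
{
    struct asreq ev[MAX_EVENTS];
    int count = 0, unexplained = 0;
    *benign = 0;
    for (int i = 0; i < n && count < MAX_EVENTS; i++)
        if (parse_asreq(lines[i], &ev[count])) count++;

    for (int i = 0; i < count; i++) {
        if (ev[i].issued) continue;
        int explained = 0;
        if (strncmp(ev[i].client, "root/", 5) == 0) {
            char want[140];
            snprintf(want, sizeof want, "host/%s", ev[i].client + 5);
            /* look for a later ISSUE of host/<same host> from the same address */
            for (int j = i + 1; j < count && !explained; j++)
                if (ev[j].issued && strcmp(ev[j].ip, ev[i].ip) == 0 &&
                    strcmp(ev[j].client, want) == 0)
                    explained = 1;
        }
        if (explained) {
            (*benign)++;
        } else {
            unexplained++;
            printf("look at: %s from %s\n", ev[i].client, ev[i].ip);
        }
    }
    return unexplained;
}

/* Constructed sample log (names and addresses are placeholders). */
static const char *sample_log[] = {
    "May 15 20:49:34 kdc.example.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 192.0.2.10: CLIENT_NOT_FOUND: root/crete.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database",
    "May 15 20:49:34 kdc.example.org krb5kdc[11077](info): DISPATCH: repeated (retransmitted?) request from 192.0.2.10, resending previous response",
    "May 15 20:49:34 kdc.example.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 192.0.2.10: ISSUE: authtime 1210898974, etypes {rep=3 tkt=16 ses=16}, host/crete.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
    "May 15 20:49:34 kdc.example.org krb5kdc[11077](info): TGS_REQ (5 etypes {17 16 23 3 1}) 192.0.2.10: ISSUE: authtime 1210898974, etypes {rep=16 tkt=1 ses=1}, host/crete.example.org@EXAMPLE.ORG for nfs/barnowl.example.org@EXAMPLE.ORG",
    "May 15 20:51:02 kdc.example.org krb5kdc[11077](info): AS_REQ (5 etypes {17 16 23 3 1}) 198.51.100.7: CLIENT_NOT_FOUND: root/barnowl.example.org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database",
};
#define SAMPLE_LOG_N (int)(sizeof sample_log / sizeof sample_log[0])

int sample_unexplained(void) { int b; return classify_kdc_log(sample_log, SAMPLE_LOG_N, &b); }
int sample_benign(void)      { int b; classify_kdc_log(sample_log, SAMPLE_LOG_N, &b); return b; }

int main(void)
{
    printf("benign fallbacks: %d, unexplained: %d\n", sample_benign(), sample_unexplained());
    return 0;
}
```

On the sample the crete entry is paired with its host/ ISSUE and counted as benign, while the barnowl entry has no follow-up and is printed. The match is deliberately strict (same address, exact host/ principal) so that a genuinely unknown principal is never silently swallowed.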
From: anshuman_hazarika at yahoo.co.uk (Anshuman Hazarika)
Date: Tue, 20 May 2008 15:17:03 +0000 (GMT)
Subject: kerberos vs openldap:urgent help needed
Message-ID: <547658.43445.qm@web27903.mail.ukl.yahoo.com>

Hi,

In our project we are storing the data in open lda consists of the
username and password. We are not c we are going to integrate open ldap
with kerberos. Woul Kerberos database and the open ldap database be
different? Or is it possible to make the open ldap database, the kerberos
database. If so, how?

Any help in clarifying my concepts in this regard would be appreciated

Regards,
Anshuman Hazarika
Mobile 9821434383
Vipassana can change u'r [1]

References
1. http://www.dhamma.org/

From William.Fiveash at sun.com Tue May 20 18:17:11 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Tue, 20 May 2008 17:17:11 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <482C6AF3.9070206@kickflop.net>
References: <482C6AF3.9070206@kickflop.net>
Message-ID: <20080520221711.GF10859@sun.com>

As a follow on to this, it looks like the problem is system configuration
issues. For one, these errors reported by pkgchk -n indicate a major
problem in that these are system directories, without which Solaris
Kerberos will not function.

    ERROR: /var/krb5 pathname does not exist
    ERROR: /var/krb5/rcache pathname does not exist
    ERROR: /var/krb5/rcache/root pathname does not exist

Second, the nodename/hostname associated with a Solaris system should be
short form. For example when running the /usr/bin/hostname command the
output should be something like:

    $ /usr/bin/hostname
    foo

not foo.bar.com. Sadly this isn't documented as clearly as it should be in
the Solaris system admin guides. In addition Solaris krb currently
requires DNS be enabled on the system.

On Thu, May 15, 2008 at 12:55:15PM -0400, Jeff Blaine wrote:
> If anyone has any idea what I am doing wrong here, please
> chime in.
>

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From michael at stroeder.com Tue May 20 13:44:28 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 20 May 2008 19:44:28 +0200
Subject: kerberos vs openldap:urgent help needed
In-Reply-To:
References:
Message-ID:

Anshuman Hazarika wrote:
> Would the Kerberos database and the open ldap database be different?
> Or is it possible to make the open ldap database, the kerberos
> database.

Both are possible.

> If so, how? If not how would they both function together?

The KDC can use the OpenLDAP server as database backend. You should be
able to find docs describing such a setup with your favourite search
engine.

Are you using MIT Kerberos or heimdal?

Ciao, Michael.

From raeburn at MIT.EDU Tue May 20 13:21:42 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 20 May 2008 13:21:42 -0400
Subject: kerberos vs openldap:urgent help needed
In-Reply-To: <547658.43445.qm@web27903.mail.ukl.yahoo.com>
References: <547658.43445.qm@web27903.mail.ukl.yahoo.com>
Message-ID:

On May 20, 2008, at 11:17, Anshuman Hazarika wrote:
> Hi,
> In our project we are storing the data in open lda consists of
> the username and password. We are not c we are going to integrate
> open ldap with kerberos. Woul Kerberos database and the open ldap
> database be different? Or is it p ossible to make the open ldap
> database, the kerberos database. If so,
> how?

Please don't post HTML email to the Kerberos mailing list.
Unfortunately, the HTML parts are converted to plain text, and the
conversion code sucks. Quoting from the copy I got when the message
landed in the moderation queue:

> Hi,
> In our project we are storing the data in open ldap. This data also
> consists of the username and password. We are not clear as to how
> we are going to integrate open ldap with kerberos. Would the
> Kerberos database and the open ldap database be different? Or is it
> possible to make the open ldap database, the kerberos database. If
> so, how? If not how would they both function together?
>
>
> Any help in clarifying my concepts in this regard would be appreciated

From chaitra.shankar at globaledgesoft.com Wed May 21 08:26:14 2008
From: chaitra.shankar at globaledgesoft.com (Chaitra Shankar)
Date: Wed, 21 May 2008 12:26:14 +0000
Subject: KDC not sending A Reply to AS Request
Message-ID: <483414E6.5020901@globaledgesoft.com>

Hi All,

In our project we are using MIT kerberos KDC server and small variations
are done to the code of the clients directory to suit our project
requirements. As per the requirements we are supposed to use PKINIT. How
to configure the KDC server to accept PKINIT Request?

Also the KDC is not responding to the AS Request sent to it. The Request
is conformant to the specifications of Kerberos.

The log files show an entry which is as follows:

    krb5kdc:ASN.1 structure is missing a required field - while despatching(udp)

Please help us. We are not able to figure out where the problem might be
occurring.

Regards
Chaitra

From mohamed.chaari at orange-ftgroup.com Wed May 21 09:59:51 2008
From: mohamed.chaari at orange-ftgroup.com (mohamed.chaari@orange-ftgroup.com)
Date: Wed, 21 May 2008 15:59:51 +0200
Subject: Kerberos proxy
Message-ID:

Hello,

I have installed KDC in a first computer, the second which is a client1
is connected to the KDC with a wired connection. This configuration works
well. But now, I want to add a client2 which is connected to client1 with
a wireless connection. I have installed GSS-API in the client1, client2
and the KDC. I want to know if client1 is considered as a proxy because
of the use of GSS-API or not. Must I install a special program in client1
to work as a proxy?

Thanks

Regards,
Mohamed.

From jblaine at kickflop.net Wed May 21 12:27:27 2008
From: jblaine at kickflop.net (Jeff Blaine)
Date: Wed, 21 May 2008 12:27:27 -0400
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <20080516213714.GE10859@sun.com>
References: <482CDB83.5000402@kickflop.net> <20080516213714.GE10859@sun.com>
Message-ID: <48344D6F.2060000@kickflop.net>

Will, you're a little too helpful :) I'm not ready to reply to the list
and provide the summary of what the solution to my original post was.
Strange that you are ... for me!

A bit premature.

Using short hostnames did not solve the problem.

Fixing /var/krb5 on the single box that was missing it did not solve the
problem.

The problem is not solved.

And replying to your last email to me (which was not sent to the list),
pkgchk -n shows absolutely nothing of any relevance to the problem. These
are not hackish boxes in random unknown states with 20 admins screwing
around with them weekly. They're jumpstarted, patched at that time with
the Recommended cluster, no users have root privs, and skew is overridden
nightly via cfengine.

From William.Fiveash at sun.com Wed May 21 13:46:34 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Wed, 21 May 2008 12:46:34 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <20080520221711.GF10859@sun.com>
References: <482C6AF3.9070206@kickflop.net> <20080520221711.GF10859@sun.com>
Message-ID: <20080521174634.GG10859@sun.com>

On Tue, May 20, 2008 at 05:17:11PM -0500, Will Fiveash wrote:
> Second, the nodename/hostname associated with a Solaris system should
> be short form. For example when running the /usr/bin/hostname command
> the output should be something like:
>
> $ /usr/bin/hostname
> foo
>
> not foo.bar.com. Sadly this isn't documented as clearly as it should be
> in the Solaris system admin guides. In addition Solaris krb currently
> requires DNS be enabled on the system.

I was premature posting the above info. I'm currently working on getting
a definitive answer to what form of hostname is acceptable for
configuring Solaris and I will post whatever I find out here. So please
hold off making any changes to Solaris configurations if people were
considering doing so based on my earlier post.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From William.Fiveash at sun.com Wed May 21 14:03:01 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Wed, 21 May 2008 13:03:01 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <48344D6F.2060000@kickflop.net>
References: <482CDB83.5000402@kickflop.net> <20080516213714.GE10859@sun.com> <48344D6F.2060000@kickflop.net>
Message-ID: <20080521180301.GH10859@sun.com>

On Wed, May 21, 2008 at 12:27:27PM -0400, Jeff Blaine wrote:
> Will, you're a little too helpful :) I'm not ready to reply
> to the list and provide the summary of what the solution to
> my original post was. Strange that you are ... for me!
>
> A bit premature.
>
> Using short hostnames did not solve the problem.

Yes, I may have been mistaken here (I've just posted more about this in
another message on this thread).

> Fixing /var/krb5 on the single box that was missing it
> did not solve the problem.

But this solved the problem of doing a NFS sec=krb5 mount on barnowl
itself, yes?

> The problem is not solved.
>
> And replying to your last email to me (which was not sent
> to the list), pkgchk -n shows absolutely nothing of any
> relevance to the problem. These are not hackish boxes
> in random unknown states with 20 admins screwing around
> with them weekly. They're jumpstarted, patched at that
> time with the Recommended cluster, no users have root
> privs, and skew is overridden nightly via cfengine.

But on the one system, barnowl, that you sent me the output of krb-diag
shows the box to be misconfigured in that several directories created by
installing the Solaris Kerberos packages did not exist. Those directories
can only be removed with root privilege. In addition, /usr/bin/kpasswd
was deleted. In general, it is not advisable to make such changes to a
Solaris system and expect it to work properly.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From William.Fiveash at sun.com Wed May 21 16:06:52 2008
From: William.Fiveash at sun.com (Will Fiveash)
Date: Wed, 21 May 2008 15:06:52 -0500
Subject: Solaris 10, secure nfs, permission denied
In-Reply-To: <20080521174634.GG10859@sun.com>
References: <482C6AF3.9070206@kickflop.net> <20080520221711.GF10859@sun.com> <20080521174634.GG10859@sun.com>
Message-ID: <20080521200652.GI10859@sun.com>

On Wed, May 21, 2008 at 12:46:34PM -0500, Will Fiveash wrote:
> On Tue, May 20, 2008 at 05:17:11PM -0500, Will Fiveash wrote:
> > Second, the nodename/hostname associated with a Solaris system should
> > be short form. For example when running the /usr/bin/hostname command
> > the output should be something like:
> >
> > $ /usr/bin/hostname
> > foo
> >
> > not foo.bar.com. Sadly this isn't documented as clearly as it should be
> > in the Solaris system admin guides. In addition Solaris krb currently
> > requires DNS be enabled on the system.
>
> I was premature posting the above info. I'm currently working on
> getting a definitive answer to what form of hostname is acceptable for
> configuring Solaris and I will post whatever I find out here. So please
> hold off making any changes to Solaris configurations if people were
> considering doing so based on my earlier post.

After talking with several people at Sun the answer I have is that this
is a very old interface which has traditionally been set with the short
form of a hostname. It may be okay to set the system hostname/nodename to
the long form FQDN however there may be some software that expects the
hostname/nodename to be the short form and break if it isn't. So for
people who have Solaris systems with FQDN hostnames don't worry about it
unless something breaks but if one wants to play it safe, use the short
form hostname/nodename when configuring Solaris. "man nodename.4" for
more information.

Note, I tried configuring a KDC on a Solaris system configured with a
FQDN hostname and it works fine as well as a NFS sec=krb5 mount.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From anshuman_hazarika at yahoo.co.uk Thu May 22 07:18:47 2008
From: anshuman_hazarika at yahoo.co.uk (Anshuman Hazarika)
Date: Thu, 22 May 2008 11:18:47 +0000 (GMT)
Subject: Open LDAP VS Kerberos : help needed
Message-ID: <207198.37257.qm@web27901.mail.ukl.yahoo.com>

Hi,

I now know that we can make kerberos use openldap as its data store
backend, but only with heimdal as our kdc, not mit kerberos.

I have read somewhere that with openldap you can add krb5Principal
object class and krb5principalName attribute to your users to allow them
to use credentials they get from kerberos to bind to the tree and change
stuff. In such a case would the kerberos db and the open ldap db be
separate? Can we have a setup like this in which both the kerberos db
and openldap db are different but we bind to the openldap tree using
kerberos credential?

Any help to clarify my concepts in this regard would be appreciated.

Anshuman Hazarika
Mobile 9821434383
Vipassana can change u'r life. Do give it a try. www.dhamma.org

From vilas.tadoori.ext at siemens.com Thu May 22 10:13:03 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Thu, 22 May 2008 10:13:03 -0400
Subject: Kerberos/GSSAPI--- C++
In-Reply-To:
References:
Message-ID: <0419C2808E620348A3119DCCE2A7A6950708BBA1@USCIMPLM004.net.plm.eds.com>

Dear All,

We are in the process of making our application GSSAPI compliant. I
would like to know the software necessary to do the same. Our server is
running on SUSE 9.x and we would like to install kerberos v5 on the same
machine. The server code is already in C++ and in order to make it GSSAPI
compliant we need to include the gssapi libraries. Could you specify the
path from where I need or can download these libraries? As per the
requirement either MIT or Heimdal is fine... but when I say include...
and build my code, where would the compiler look for these header files?

I would also appreciate if there is a working example on C++ on the
internet; I have seen the GSSAPI programming guide written in C.

Any help on the same would be greatly appreciated.

Thanks
Vilas

From raeburn at MIT.EDU Thu May 22 11:35:42 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 22 May 2008 11:35:42 -0400
Subject: Open LDAP VS Kerberos : help needed
In-Reply-To: <207198.37257.qm@web27901.mail.ukl.yahoo.com>
References: <207198.37257.qm@web27901.mail.ukl.yahoo.com>
Message-ID: <65A618F7-A044-4A0C-A9CA-14E4B2B01B0E@mit.edu>

On May 22, 2008, at 07:18, Anshuman Hazarika wrote:
> I now know that we can make kerberos use openldap as its data store
> backend, but only with heimdal as our kdc, not mit kerberos.

Why do you think MIT Kerberos can't do that? Our current release has
LDAP database support. I'm not really an expert on the use of LDAP,
though, so aside from just pointing you at some documentation, I can't
give you a lot of specific advice.

http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend

If you're using a version of MIT Kerberos included by an operating
system vendor, it may or may not be recent enough to have the LDAP
support, and the LDAP support may or may not have been compiled...

-- 
Ken Raeburn, Senior Programmer
MIT Kerberos Consortium

From raeburn at MIT.EDU Thu May 22 11:57:35 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 22 May 2008 11:57:35 -0400
Subject: KDC not sending A Reply to AS Request
In-Reply-To: <483414E6.5020901@globaledgesoft.com>
References: <483414E6.5020901@globaledgesoft.com>
Message-ID: <14FD822F-3DDA-4C8D-A554-8B51988874DE@mit.edu>

On May 21, 2008, at 08:26, Chaitra Shankar wrote:
> In our project we are using MIT kerberos KDC server and small
> variations are done to the code of the clients directory to suit our
> project requirements. As per the requirements we are supposed to use
> PKINIT. How to configure the KDC server to accept PKINIT Request?
> Also the KDC is not responding to the AS Request sent to it. The
> Request
> is conformant to the specifications of Kerberos.
> The log files show an entry which is ,as follows:
> krb5kdc:ASN.1 structure is missing a required field - while
> despatching(udp)
> Please help us. We are not able to figure out where the problem
> might be
> occurring.

The ASN.1 code is one of the ugliest bits of our code, IMO, and there is
no good way to debug it. A not-so-good way might be to intercept all the
places where that error code can be generated, attach the KDC process
under a debugger, and set a breakpoint at the intercept point. If you're
already making code modifications, I expect this won't be too difficult.

For example, in src/lib/krb5/asn.1, in the files asn1_k_decode.c,
asn1buf.c, and krb5_decode.c, after the inclusion of the headers and
before the function definitions, add something like this (untested) code:

    #include <stdio.h>   /* fprintf */
    #include <stdlib.h>  /* abort */

    /* keep the real error value before the macro is redefined below */
    static krb5_error_code asn1_missing_field = ASN1_MISSING_FIELD;

    /* every place that "returns ASN1_MISSING_FIELD" now comes through here;
       lineno is the line in this file that gave up */
    static krb5_error_code report_missing_field(int lineno)
    {
        fprintf(stderr, "missing field at %s line %d\n", __FILE__, lineno);
        abort();
        return asn1_missing_field; /* not actually reached */
    }

    /* redirect the constant to a call that records the line of each use */
    #undef ASN1_MISSING_FIELD
    #define ASN1_MISSING_FIELD (report_missing_field(__LINE__))

Compile, start it up under gdb, with "-n" to keep it in foreground with
stderr attached to the terminal, set a breakpoint in "abort", and trigger
the problem again. The stack trace will show you what lines in what
decoding routines caused this error, and in each routine, the source code
would indicate what field is being decoded.

(If you leave out the abort call, make the function external, and declare
it instead of defining it in all but one source file, and compile it
either without optimization or with function inline expansion disabled,
you can set a breakpoint in the function itself, and still have a KDC
that should function normally when you're not actually debugging the
problem -- it'll print the message and continue on.)

Ken
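Ken's trick works on any decoder whose error codes are preprocessor constants: redefine the constant as a call that captures `__FILE__`/`__LINE__` at the point of use, and every silent "return ERROR" becomes a located report. The following is an added, stand-alone example of that technique on a toy decoder; it is not Ken's code and touches nothing in the krb5 tree. The error values, the tiny TLV format and the inputs are all constructed, and it follows Ken's second variant (record the location and continue rather than abort) so the result can be inspected after the fact.

```c
#include <stdio.h>

/* Added example, not Ken's code or anything from krb5: a toy decoder that
 * applies the same macro-interception trick to its own "missing field"
 * error code.  Instead of abort() it records where the code was raised. */

#define TOY_MISSING_FIELD 0x1000   /* constructed error code for this toy */
#define TOY_BAD_LENGTH    0x1001   /* constructed: a record runs past the buffer */

/* Preserve the real value before the macro is hijacked below. */
static const int toy_missing_field = TOY_MISSING_FIELD;

static const char *g_last_file = "";
static int g_last_line = 0;
static int g_report_count = 0;

/* Every site that "returns TOY_MISSING_FIELD" now lands here first. */
static int report_missing_field(const char *file, int lineno)
{
    g_last_file = file;
    g_last_line = lineno;
    g_report_count++;
    fprintf(stderr, "missing field at %s line %d\n", file, lineno);
    return toy_missing_field;
}

/* The intercept: the macro expands at each use, so __FILE__/__LINE__ name
 * the decoder line that gave up, the same thing Ken's stack trace shows. */
#undef TOY_MISSING_FIELD
#define TOY_MISSING_FIELD report_missing_field(__FILE__, __LINE__)

struct toy_req { int have_cname, have_realm; };

/* Decode a constructed TLV stream of <tag><len><bytes> records.
 * tag 1 = cname, tag 2 = realm; both are required, as in an AS-REQ. */
static int decode_fields(const unsigned char *buf, size_t n, struct toy_req *out)
{
    size_t i = 0;
    out->have_cname = out->have_realm = 0;
    while (i + 2 <= n) {
        unsigned tag = buf[i], len = buf[i + 1];
        if (i + 2 + len > n)
            return TOY_BAD_LENGTH;
        if (tag == 1) out->have_cname = 1;
        else if (tag == 2) out->have_realm = 1;
        i += 2 + len;
    }
    if (!out->have_cname)
        return TOY_MISSING_FIELD;   /* reported with this line number */
    if (!out->have_realm)
        return TOY_MISSING_FIELD;   /* reported with this, later, line number */
    return 0;
}

/* Constructed inputs: 0 = both fields, 1 = realm missing, 2 = cname missing. */
int decode_sample(int variant)
{
    static const unsigned char full[] = { 1, 1, 'u', 2, 1, 'R' };
    struct toy_req r;
    g_report_count = 0;
    switch (variant) {
    case 0:  return decode_fields(full, sizeof full, &r);
    case 1:  return decode_fields(full, 3, &r);
    default: return decode_fields(full + 3, 3, &r);
    }
}

int missing_field_code(void)       { return toy_missing_field; }
int report_count(void)             { return g_report_count; }
const char *last_report_file(void) { return g_last_file; }

/* Decode one variant and return the source line the reporter recorded
 * (0 when nothing was reported). */
int report_line_for(int variant)
{
    g_last_line = 0;
    decode_sample(variant);
    return g_last_line;
}

int main(void)
{
    for (int v = 0; v < 3; v++) {
        int line = report_line_for(v);
        printf("variant %d: %s\n", v,
               line ? "missing field reported" : "decoded cleanly");
    }
    return 0;
}
```

The two required-field checks sit on different source lines, so the recorded line tells the two failures apart without a debugger; a breakpoint on `report_missing_field` gives the full call chain when one is attached, exactly as Ken describes for the real decoders.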
From: William.Fiveash at sun.com (Will Fiveash) Date: Thu, 22 May 2008 12:04:54 -0500 Subject: Encryption Type wrong In-Reply-To: <4d569c330805130658y53f84324ve01d029ec098134f@mail.gmail.com> References: <48186FF9.6030306@TechFak.Uni-Bielefeld.DE> <87wsm4679a.fsf@windlord.stanford.edu> <48295524.5060908@TechFak.Uni-Bielefeld.DE> <4d569c330805130658y53f84324ve01d029ec098134f@mail.gmail.com> Message-ID: <20080522170454.GA19978@sun.com> On Tue, May 13, 2008 at 09:58:05AM -0400, Kevin Coffman wrote: > On Tue, May 13, 2008 at 4:45 AM, Jan Sanders > wrote: > > Russ Allbery wrote: > > > Jan Sanders writes: > > > > > > > > >> I am having a little problem here. I am running a KDC on Solaris and a > > >> number of clients on GNU/Linux. For both the KDC and the > > >> Kerberos-Clients I have configured them to use only the > > >> dec-crc-cbc:default encryption type. When creating a principal on the > > >> server using addprinc wo/-e des-cbc-crc:default the principal is created > > >> with 4 keys. getprinc reveals: > > >> > > >> Key: vno 21, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt > > >> Key: vno 21, Triple DES cbc mode with HMAC/sha1, no salt > > >> Key: vno 21, ArcFour with HMAC/md5, no salt > > >> Key: vno 21, DES cbc mode with RSA-MD5, no salt > > >> > > > > > > I'm not sure what to say beyond it looks like you've not actually > > > configured the KDC to use only that encryption type. The KDC is clearly > > > using a wide variety of encryption types, probably its default set. > > > > > Yes, that is correct. If I use the default settings for Kerberos the > > behaviour is the same as above. > > > > > > > >> But the ordinary user once in a while wants to change the password and > > >> will use kpasswd. kpasswd does not have the ability to choose the > > >> encryption type and then a users ends up not having a key with > > >> des-cbc-crc:normal. > > >> > > > > > > That's correct. 
kpasswd will use whatever the default enctypes are in the > > > Kerberos kadmind configuration. > > > > > > > > >> Unfortunately GNU/Linux kinit breaks if the KDC does not have a key with > > >> the des-cbc-crc:normal encryption type in store. > > >> > > > > > > This on the other hand definitely isn't the case; GNU/Linux kinit will > > > work fine with no DES enctypes at all. However, it is certainly true that > > > if you specifically configure it to only use des-cbc-crc:normal and no > > > such keys are available, it won't work. > > > > > Good to know. But unfortunately I am stuck with des-cbc-crc:normal. All > > clients are configured to use only des-cbc-crc:normal. > > > > > The first question I'd have is why are you doing this? Normally you never > > > want to restrict enctypes. > > I have a number of GNU/Linux boxes that will have to use kerberized nfs4 > > in the near future. At the moment the NFS people are working on > > supporting more than just des-crc-cbc:normal for use with nfs4. But there > > are still some older boxes that won't have this feature. > > Indeed it might be necessary, though undesired, to upgrade those boxes. > > There is no need to cripple your entire realm to only des-cbc-crc for > NFSv4. If you need help properly configuring Kerberos for NFSv4 on > Linux (I assume you are talking about Linux), let me know. Again, > there is no reason to limit your entire realm to des-cbc-crc for this > one service!
That is correct. The only time one should restrict the enctypes in this situation is during the creation of the nfs/ service principal key entries in the keytab on a system that did not support the same set of enctypes the Solaris KDC supports. There is a shortcoming in the kadmin protocol used when doing a ktadd such that the KDC is not aware of the specific set of enctypes supported on the system where the kadmin utility is running.
The workaround to this is to explicitly state the enctypes on the ktadd command if one does not wish to have keys generated for the set of enctypes supported on the KDC. Note that I'm saying only restrict the enctypes when creating keytab entries for a server that does not support the same set of enctypes as the KDC. As long as the Linux and other NFS clients are using a properly implemented krb that is requesting only supported enctypes for that system when acquiring a NFS service ticket everything should work fine. If you want to read more about enctypes see this blog entry: http://blogs.sun.com/wfiveash/entry/everything_you_wanted_to_know > > > If you just remove all the enctype > > > restrictions, everything will work as expected and be able to negotiate a > > > mutually acceptable enctype. If you're worried about old Java code, you > > > could still allow 3DES, which is generally acceptable to just about > > > everything except Microsoft clients (which can use RC4). > > > > > > > > > > >> The kdc.conf on the Solaris machine: > > >> > > >> [libdefaults] > > >> default_realm = MY.DOMAIN > > >> default_keytab_name = /etc/krb5/krb5.keytab > > >> > > >> [kdcdefaults] > > >> kdc_ports = 88,750 > > >> > > >> [realms] > > >> MY.DOMAIN = { > > >> profile = /etc/krb5/krb5.conf > > >> database_name = /var/krb5/principal > > >> admin_keytab = /etc/krb5/kadm5.keytab > > >> acl_file = /etc/krb5/kadm5.acl > > >> kadmind_port = 749 > > >> max_life = 8h 0m 0s > > >> max_renewable_life = 7d 0h 0m 0s > > >> default_principal_flags = +preauth > > >> supported_enctypes = des-cbc-crc:normal > > >> } > > >> > > > > > > This looks right, but it's clearly not working. Could kadmind be loading > > > some other kdc.conf? The initial Solaris 10 krb code was buggy in the way ktadd interacted with various enctype parameters including supported_enctypes. I suggest you update all your Solaris 10 systems to Solaris 10 Update 5 which has updated krb code. 
> > I used truss to trace file opening for kadmind and kadmin.local and it > > opens the (I believe only) krb.conf in /etc/krb. I was wondering if > > some (subtle) syntax error in the file makes Kerberos regress to deafult > > values. > > Is that a typo? I think Solaris expects config files in /etc/krb5 > (not /etc/krb). Please see my note above before continuing, though. > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos -- Will Fiveash Sun Microsystems Inc. http://opensolaris.org/os/project/kerberos/ From dakoner at gmail.com Thu May 22 14:08:06 2008 
From: dakoner at gmail.com (David Konerding) Date: Thu, 22 May 2008 11:08:06 -0700 Subject: Web servers and ssh servers behind load balancer Message-ID: <4f0f0cb0805221108p63db0525k260bd88bfd09b07e@mail.gmail.com> Hi folks, We have a bunch of hosts that allow password-free ssh logins using kerberos. These also run web servers, which use mod_auth_kerb. We also have a BigIP load balancer that has a name; when people ssh or web access that name, they get round-robin distributed across the cluster. The LB supports Layer 3 and Layer 5 transparent proxying to the back end. We have noticed that if people log into nodes with their real hostname, or web access a url using the real hostname of the server, everything works as expected. However, attempting to ssh into the load balancer address typically gives:
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Miscellaneous failure Unknown code
debug1: Trying to start again
And when users try to access the web server through the load balancer: Authentication never succeeds and the following mod_auth_kerb error is logged:
failed to verify krb5 credentials: Server not found in Kerberos database
Logging into the machine through the ssh load balancer shows the IP address of the load balancer, not the IP address of the source ssh machine. We made some attempts at putting server keys with the hostname of the load balancer into the srvtab on each of the servers, but never had any luck. Any ideas? I did some low-level tcpdumping and tracing various parts of the Kerberos code, and came up with some bizarre results for why we are getting failures. From brian at eng.wayne.edu Thu May 22 14:26:12 2008
From: brian at eng.wayne.edu (Brian Thompson) Date: Thu, 22 May 2008 14:26:12 -0400 Subject: Open LDAP VS Kerberos : help needed In-Reply-To: <65A618F7-A044-4A0C-A9CA-14E4B2B01B0E@mit.edu> References: <207198.37257.qm@web27901.mail.ukl.yahoo.com> <65A618F7-A044-4A0C-A9CA-14E4B2B01B0E@mit.edu> Message-ID: <4835BAC4.4020005@eng.wayne.edu> Ken Raeburn wrote: >On May 22, 2008, at 07:18, Anshuman Hazarika wrote: > > >>I now know that we can make kerberos use openldap as its data store >>backend, but only with heimdal as our kdc, not mit kerberos. >> >> > >Why do you think MIT Kerberos can't do that? > >Our current release has LDAP database support. I'm not really an >expert on the use of LDAP, though, so aside from just pointing you at >some documentation, I can't give you a lot of specific advice. > >http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend > >If you're using a version of MIT Kerberos included by an operating >system vendor, it may or may not be recent enough to have the LDAP >support, and the LDAP support may or may not have been compiled... > > > This slipped through my radar as well... We're currently using Heimdal since several years ago it was the only real option if an LDAP backend was required. Anyone know if the LDAP databases are compatible between Heimdal and MIT (in particular the user principals)? And, this might be a question for one of the Sun or OpenSolaris lists, but anyone know if there are any plans to add the LDAP support to the Solaris 11 flavor of MIT krb5? Thanks, Brian From tpmetz at ucdavis.edu Thu May 22 16:08:21 2008
From: tpmetz at ucdavis.edu (Tim Metz) Date: Thu, 22 May 2008 13:08:21 -0700 Subject: Commercial Support for MIT Kerberos Message-ID: <4835D2B5.1050208@ucdavis.edu> Greetings, Our organization is interested in evaluating commercial support for MIT Kerberos running on RedHat Enterprise 5. Of specific interest are companies that offer 24x7 support. I found http://www.kerberos.info/commercial.html, but suspect this list may not be current. Are there companies that offer 24x7 commercial MIT Kerberos support that anyone would recommend we contact? Thanks, - Tim From naveen.bn at globaledgesoft.com Mon May 26 12:02:51 2008 
From: naveen.bn at globaledgesoft.com (naveen.bn) Date: Mon, 26 May 2008 16:02:51 +0000 Subject: problem in sending AS_REQ Message-ID: <483ADF2B.9080907@globaledgesoft.com> hi all, This is my krb5.conf
********************* krb5.conf ******************************
[libdefaults]
 default_realm = _kerberos._udp.globaledgesoft.com
 krb4_config = /usr/kerberos/lib/krb.conf
 krb5_realms = /usr/kerberos/lib/krb.realms
 pkinit_anchors = FILE:/secure/ca-cert.pem

[realms]
 _kerberos._udp.globaledgesoft.com = {
  admin_server = 172.16.8.141
  kdc = 172.16.8.141
  v4_instance_convert = {
   gesl = _kerberos._udp.globaledgesoft.com
   lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
  }
  pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
 }
 ANDREW.CMU.EDU = {
  admin_server = 172.16.8.141
 }
 # use "kdc =" if realm admins haven't put SRV records into DNS
 GNU.ORG = {
  kdc = 172.16.8.141
  kdc = 172.16.9.141
  admin_server = 172.16.8.141
 }

[domain_realm]
 .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
 globaledgesoft.com = _kerberos._udp.globaledgesoft.com

[logging]
 # kdc = CONSOLE
 kdc=FILE:/var/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log
***********************************************************************
and this is my kdc.conf
[kdcdefaults]
 kdc_ports = 750,88
 pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
 pkinit_anchors=DIR:/secure/ca-cert.pem

[realms]
 _kerberos._udp.globaledgesoft.com = {
  database_name = /usr/local/var/krb5kdc/principal
  admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
  acl_file = /usr/local/var/krb5kdc/kadm5.acl
  key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
  kdc_ports = 750,88
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
  pkinit_anchors=DIR:/secure/ca-cert.pem
 }
***************************************** kdc.conf **********************
I have used the openssl program to generate mycert.pem and the key, but I have not signed it with anything (neither self nor with a CA).
kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key naveen
kinit(v5): Unknown code u8JW 88 while setting 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
I am not able to send AS_REQ with pa data filled with certificates. I am stuck here, please help me. Thank you. with regards naveen From gaurav.v.bagga at gmail.com Mon May 26 11:40:28 2008 From: gaurav.v.bagga at gmail.com (gaurav bagga) Date: Mon, 26 May 2008 21:10:28 +0530 Subject: Kerberos Ldap Integration Message-ID: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> Hi all, I am trying to integrate Kerberos and LDAP but not happy with what I have achieved till now. I'll really appreciate it if anyone can help/guide by giving pointers towards *good articles* which give information regarding the steps to be performed in doing the same. Thanks in advance. Regards Gaurav From chris at interisle.net Mon May 26 12:30:22 2008
From: chris at interisle.net (Christopher Owens) Date: Mon, 26 May 2008 16:30:22 +0000 Subject: Kerberos Ldap Integration In-Reply-To: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> Message-ID: <84359CF7-949E-460B-83FA-95D77C0B28BE@interisle.net> Can you be more clear about what you mean by "integrate Kerberos and LDAP?" Do you mean using Kerberos to authenticate connections into LDAP? Or LDAP as a back-end store for Kerberos? Or simply keeping Kerberos principals and LDAP entries synchronized to each other? On May 26, 2008, at 3:40 PM, gaurav bagga wrote: > Hi all, > > I am trying to integrate Kerberos and Ldap but not happy with what I > have > achieved till now.I'll really appreciate if any one can help/guide > by giving > pointers towards *good articles *which give information regarding > the steps > to be performed in doing the same. > > Thanks in advance. > > Regards > Gaurav > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From gaurav.v.bagga at gmail.com Mon May 26 14:29:21 2008
From: gaurav.v.bagga at gmail.com (gaurav bagga) Date: Mon, 26 May 2008 23:59:21 +0530 Subject: Kerberos Ldap Integration In-Reply-To: <84359CF7-949E-460B-83FA-95D77C0B28BE@interisle.net> References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <84359CF7-949E-460B-83FA-95D77C0B28BE@interisle.net> Message-ID: <6052ead90805261129h280838e0q94d25cecce56d863@mail.gmail.com> Hi Christopher, Sorry for not being so clear. To elaborate more: I have a system where an authentication mechanism is already present and passwords are stored in a relational DB, but as new features come in I have been told that when new users are added from now on in that old system, credentials will be saved in LDAP also, and Kerberos should be linked to this LDAP for picking up passwords and granting tickets. I am new to Kerberos and LDAP. I managed to integrate OpenLDAP with Kerberos following various links, but still passwords set through Kerberos don't get stored in LDAP. Since the password didn't get saved, I am wondering: if I enter some password in LDAP, how will Kerberos know about it? I am confused how to achieve the following.
- User added in old system, LDAP gets updated
- Any password changed in old system updates LDAP
- In all above cases Kerberos should be able to authenticate the user
Thanks in advance Regards Gaurav On Mon, May 26, 2008 at 10:00 PM, Christopher Owens wrote: > Can you be more clear about what you mean "integrate Kerberos and LDAP?" > > Do you mean using Kerberos to authenticate connections into LDAP? Or LDAP > as a back-end store for Kerberos? Or simply keeping Kerberos principals and > LDAP entries synchronized to each other?
> > > > On May 26, 2008, at 3:40 PM, gaurav bagga wrote: > > Hi all, >> >> I am trying to integrate Kerberos and Ldap but not happy with what I have >> achieved till now.I'll really appreciate if any one can help/guide by >> giving >> pointers towards *good articles *which give information regarding the >> steps >> to be performed in doing the same. >> >> Thanks in advance. >> >> Regards >> Gaurav >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> > > From rra at stanford.edu Mon May 26 14:31:39 2008 From: rra at stanford.edu (Russ Allbery) Date: Mon, 26 May 2008 11:31:39 -0700 Subject: problem in sending AS_REQ In-Reply-To: <483ADF2B.9080907@globaledgesoft.com> (naveen bn's message of "Mon\, 26 May 2008 16\:02\:51 +0000") References: <483ADF2B.9080907@globaledgesoft.com> Message-ID: <878wxwgbn8.fsf@windlord.stanford.edu> "naveen.bn" writes: > [realms] > _kerberos._udp.globaledgesoft.com = { > admin_server = 172.16.8.141 > kdc = 172.16.8.141 > v4_instance_convert = { > gesl = _kerberos._udp.globaledgesoft.com > lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com > } This is almost certainly not what you want. You're confusing the DNS SRV records with the names of realms and hosts. The krb5.conf (and kdc.conf) should contain simple realm names and hostnames, not the SRV record names. -- Russ Allbery (rra at stanford.edu) From Martin.Schuster1 at infineon.com Mon May 26 03:00:16 2008 
From: Martin.Schuster1 at infineon.com (Martin Schuster) Date: Mon, 26 May 2008 09:00:16 +0200 Subject: Reusing existing people-entries for the LDAP-backend In-Reply-To: References: Message-ID: Michael Calmer wrote: > Am Mittwoch, 14. Mai 2008 schrieb Martin Schuster: >> [...] >> But if I now add a principal by first setting the krbPrincipalName >> of the user in ou=people, and then issuing >> kadmin.local -q 'addprinc joeuser' >> the additional attributes (e.g. krbPrincipalKey) are still stored in >> the Kerberos container tree. > > You have to tell addprinc where to store this user by using > addprinc -x dn= joeuser > Thanks, that did the trick! regards, -- Infineon Technologies IT-Services GmbH Martin.Schuster1 at infineon.com Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster FB: LG Klagenfurt, FN 246787y +43 5 1777 3517 From naveen.bn at globaledgesoft.com Tue May 27 07:38:08 2008 
From: naveen.bn at globaledgesoft.com (naveen.bn) Date: Tue, 27 May 2008 11:38:08 +0000 Subject: problem in sending AS_REQ In-Reply-To: <878wxwgbn8.fsf@windlord.stanford.edu> References: <483ADF2B.9080907@globaledgesoft.com> <878wxwgbn8.fsf@windlord.stanford.edu> Message-ID: <483BF2A0.3030209@globaledgesoft.com> Russ Allbery wrote:
>"naveen.bn" writes:
>>[realms]
>> _kerberos._udp.globaledgesoft.com = {
>> admin_server = 172.16.8.141
>> kdc = 172.16.8.141
>> v4_instance_convert = {
>> gesl = _kerberos._udp.globaledgesoft.com
>> lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>> }
>
>This is almost certainly not what you want. You're confusing the DNS SRV
>records with the names of realms and hosts. The krb5.conf (and kdc.conf)
>should contain simple realm names and hostnames, not the SRV record names.
Hi Russ Allbery, Thank you for your reply. I know this is not a good practice, but the problem I am facing in the AS_REQ is that the pa_data field is not getting filled with the certificates provided from the command line. I am able to get AS_REP without certificates. I am using krb5-1.6.3. It will be a great help if I get a link which gives an example of a PKINIT-enabled client configuration for using certificates for authentication. thank you. From kwc at umich.edu Tue May 27 08:40:52 2008
From: kwc at umich.edu (Kevin Coffman) Date: Tue, 27 May 2008 08:40:52 -0400 Subject: problem in sending AS_REQ In-Reply-To: <483ADF2B.9080907@globaledgesoft.com> References: <483ADF2B.9080907@globaledgesoft.com> Message-ID: <4d569c330805270540o138ee5ew5b152f2375204d33@mail.gmail.com> On Mon, May 26, 2008 at 12:02 PM, naveen.bn wrote: > hi all, > This is my krb5.conf > ********************* krb5.conf ****************************** > [libdefaults] > default_realm = _kerberos._udp.globaledgesoft.com > krb4_config = /usr/kerberos/lib/krb.conf > krb5_realms = /usr/kerberos/lib/krb.realms > pkinit_anchors = FILE:/secure/ca-cert.pem > > [realms] > _kerberos._udp.globaledgesoft.com = { > admin_server = 172.16.8.141 > kdc = 172.16.8.141 > v4_instance_convert = { > gesl = _kerberos._udp.globaledgesoft.com > lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com > } > > pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key > > } > ANDREW.CMU.EDU = { > admin_server = 172.16.8.141 > } > # use "kdc =" if realm admins haven't put SRV records into DNS > GNU.ORG = { > kdc = 172.16.8.141 > kdc = 172.16.9.141 > admin_server = 172.16.8.141 > } > > [domain_realm] > .globaledgesoft.com = _kerberos._udp.globaledgesoft.com > globaledgesoft.com = _kerberos._udp.globaledgesoft.com > > [logging] > # kdc = CONSOLE > kdc=FILE:/var/krb5kdc.log > admin_server = FILE:/var/log/kadmin.log > default = FILE:/var/log/krb5lib.log > *********************************************************************** > and this is my kdc.conf > [kdcdefaults] > kdc_ports = 750,88 > pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key > pkinit_anchors=DIR:/secure/ca-cert.pem For pkinit_anchors, you are specifying "DIR:", but giving a file name? 
> [realms] > _kerberos._udp.globaledgesoft.com = { > database_name = /usr/local/var/krb5kdc/principal > admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab > acl_file = /usr/local/var/krb5kdc/kadm5.acl > key_stash_file = > /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com > kdc_ports = 750,88 > max_life = 10h 0m 0s > max_renewable_life = 7d 0h 0m 0s > > pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key > pkinit_anchors=DIR:/secure/ca-cert.pem > } > > ***************************************** kdc.conf ********************** > I have used openssl program to generate the mycert.pem and key , but i > have not signed it with any ( neither self nor with ca ). I'm not sure what you mean here. A certificate must be signed by someone/something. The client will not attempt preauth if the server's certificate is not trusted. > kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key > naveen > kinit(v5): Unknown code u8JW 88 while setting > 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key Obviously, there is a problem with that error code. > i am not able to send AS_REQ with pa data filled with certificates . > I am stuck her, please help me . > > thank you . > > with regards > naveen The MIT client will not send pkinit information until the server indicates it will accept it. The server does this by indicating that the client principal requires preauthentication, and that pkinit is an acceptable form of preauthentication. Does the client principal have the requires_preauth flag set? Is the server telling the client that pkinit is an acceptable preauth method? From naveen.bn at globaledgesoft.com Tue May 27 11:09:16 2008 From: naveen.bn at globaledgesoft.com (naveen.bn) Date: Tue, 27 May 2008 15:09:16 +0000 Subject: [Fwd: Re: problem in sending AS_REQ] Message-ID: <483C241C.1080706@globaledgesoft.com> -------------- next part -------------- An embedded message was scrubbed... 
From: "naveen.bn" Subject: Re: problem in sending AS_REQ Date: Tue, 27 May 2008 15:06:25 +0000 Size: 4908 Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20080527/da318597/probleminsendingAS_REQ.eml From vilas.tadoori.ext at siemens.com Tue May 27 09:05:44 2008 From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas) Date: Tue, 27 May 2008 09:05:44 -0400 Subject: Kerberos/GSSAPI--- C++ References: Message-ID: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com> Any takers on my question? -----Original Message----- From: Tadoori (EXT), Vilas Sent: Thursday, May 22, 2008 7:43 PM To: 'kerberos at mit.edu' Subject: Kerberos/GSSAPI--- C++ Dear All, We are in the process of making our application GSSAPI compliant. I would like to know the software necessary to do the same. Our server is running on SUSE 9.x and we would like to install Kerberos v5 on the same machine. The server code is already in C++, and in order to make it GSSAPI compliant we need to include the GSSAPI libraries. Could you specify the path from where I need to or can download these libraries? As per the requirement either MIT or Heimdal is fine... but when I say include ... and build my code, where would the compiler look for these header files? I would also appreciate it if there is a working example in C++ on the internet; I have seen the GSSAPI programming guide written in C. Any help on the same would be greatly appreciated. Thanks Vilas From raeburn at MIT.EDU Tue May 27 12:54:21 2008
From: raeburn at MIT.EDU (Ken Raeburn) Date: Tue, 27 May 2008 12:54:21 -0400 Subject: Kerberos/GSSAPI--- C++ In-Reply-To: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com> References: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com> Message-ID: Sorry for the delay. I was hoping someone with more real-world GSSAPI/ C++ programming experience would reply. > We are in the process of making our application GSSAPI compliant. I > would like to know the software necessary to do the same. Our server is > running on SUSE 9.x and would like to install the kerberos v5 on the > same machine. The server code is already in C++ and in order to make > it > GSSAPI compliant we need to include the gssapi libraries. could > you > specify the path from where i need or can download these libraries As > per the requirement either MIT or Heimdal is fine...but when i say > include ...and building my code where would the > compiler look for these header files. If MIT Kerberos isn't available via the OS packaging system, you can visit http://www.mit.edu/~kerberos/ and download sources from there. One thing to be careful of: While we've tried to make our GSSAPI headers compatible with C++ (e.g., 'extern "C"' around all the function declarations), it is a C API. We intend to keep future versions reasonably backwards-compatible in terms of the C API and ABI, but that doesn't necessarily apply to C++ if you do something "interesting". In practical terms, I suggest you avoid depending on the specific type definitions used for GSSAPI types -- that is, avoid depending on whether we use int vs long for a given 32-bit type if both are 32 bits, don't use GSSAPI types in function signatures in your ABI (because the name encoding would depend on the typedef), stuff like that. > I would also appreciate if there is a working example on c++, on the > internet I have seen the GSSAPI programming guide written in c. Sorry, I can't help you there...
Ken From deengert at anl.gov Tue May 27 14:42:22 2008 From: deengert at anl.gov (Douglas E. Engert) Date: Tue, 27 May 2008 13:42:22 -0500 Subject: Kerberos/GSSAPI--- C++ In-Reply-To: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com> References: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com> Message-ID: <483C560E.4030602@anl.gov> Tadoori (EXT), Vilas wrote: > > Any takers on my question? > > -----Original Message----- 
> From: Tadoori (EXT), Vilas > Sent: Thursday, May 22, 2008 7:43 PM > To: 'kerberos at mit.edu' > Subject: Kerberos/GSSAPI--- C++ > > Dear All, > > We are in the process of making our application GSSAPI compliant. I > would like to know the software necessary to do the same. Our server is > running on SUSE 9.x and would like to install the kerberos v5 on the > same machine. The server code is already in C++ and in order to make it > GSSAPI compliant we need to include the gssapi libraries. could you > specify the path from where i need or can download these libraries As > per the requirement either MIT or Heimdal is fine...but when i say > include ...and building my code where would the > compiler look for these header files. When looking for #include <...> the compiler looks in the locations defined by the -I option as well as some well-known locations like /usr/include. If you are using gcc or g++, add the -v option to see these. For example: g++ -v -c main.C > > I would also appreciate if there is a working example on c++, on the > internet I have seen the GSSAPI programming guide written in c. Sorry, I don't have any examples, but you might also want to look at the Microsoft SSPI that uses the GSS protocols, and how SSPI is called from C++. You might also look at the Grid Security Infrastructure, that implements a GSS-like mechanism. It is called using the GSS-API. There has been a lot of C++ use with the grid over the years, and maybe there is a C++ class for GSS. http://mailman.mit.edu/pipermail/kerberos/2006-September/010533.html has a question on using C++ and GSSAPI, but no answers. (The bug looks like passing an uninitialized server_creds variable.) The point is the author has an acquire cred routine, and maybe more. > > Any help on the same would be greatly appreciated.
> > Thanks > Vilas > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From kwc at umich.edu Tue May 27 17:13:43 2008 From: kwc at umich.edu (Kevin Coffman) Date: Tue, 27 May 2008 17:13:43 -0400 Subject: [Fwd: Re: problem in sending AS_REQ] In-Reply-To: <483C241C.1080706@globaledgesoft.com> References: <483C241C.1080706@globaledgesoft.com> Message-ID: <4d569c330805271413k478d3f4fsd8fc293f6cea061f@mail.gmail.com> On Tue, May 27, 2008 at 11:09 AM, naveen.bn wrote: > > > > ---------- Forwarded message ---------- 
> From: "naveen.bn" > To: Kevin Coffman > Date: Tue, 27 May 2008 15:06:25 +0000 > Subject: Re: problem in sending AS_REQ > Kevin Coffman wrote: > >> On Mon, May 26, 2008 at 12:02 PM, naveen.bn >> wrote: >> >>> >>> hi all, >>> This is my krb5.conf >>> ********************* krb5.conf ****************************** >>> [libdefaults] >>> default_realm = _kerberos._udp.globaledgesoft.com >>> krb4_config = /usr/kerberos/lib/krb.conf >>> krb5_realms = /usr/kerberos/lib/krb.realms >>> pkinit_anchors = FILE:/secure/ca-cert.pem >>> >>> [realms] >>> _kerberos._udp.globaledgesoft.com = { >>> admin_server = 172.16.8.141 >>> kdc = 172.16.8.141 >>> v4_instance_convert = { >>> gesl = _kerberos._udp.globaledgesoft.com >>> lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com >>> } >>> >>> pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key >>> >>> } >>> ANDREW.CMU.EDU = { >>> admin_server = 172.16.8.141 >>> } >>> # use "kdc =" if realm admins haven't put SRV records into DNS >>> GNU.ORG = { >>> kdc = 172.16.8.141 >>> kdc = 172.16.9.141 >>> admin_server = 172.16.8.141 >>> } >>> >>> [domain_realm] >>> .globaledgesoft.com = _kerberos._udp.globaledgesoft.com >>> globaledgesoft.com = _kerberos._udp.globaledgesoft.com >>> >>> [logging] >>> # kdc = CONSOLE >>> kdc=FILE:/var/krb5kdc.log >>> admin_server = FILE:/var/log/kadmin.log >>> default = FILE:/var/log/krb5lib.log >>> *********************************************************************** >>> and this is my kdc.conf >>> [kdcdefaults] >>> kdc_ports = 750,88 >>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key >>> pkinit_anchors=DIR:/secure/ca-cert.pem >>> >> >> For pkinit_anchors, you are specifying "DIR:", but giving a file name? 
>> >> >>> >>> [realms] >>> _kerberos._udp.globaledgesoft.com = { >>> database_name = /usr/local/var/krb5kdc/principal >>> admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab >>> acl_file = /usr/local/var/krb5kdc/kadm5.acl >>> key_stash_file = >>> /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com >>> kdc_ports = 750,88 >>> max_life = 10h 0m 0s >>> max_renewable_life = 7d 0h 0m 0s >>> >>> pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key >>> pkinit_anchors=DIR:/secure/ca-cert.pem >>> } >>> >>> ***************************************** kdc.conf ********************** >>> I have used openssl program to generate the mycert.pem and key , but i >>> have not signed it with any ( neither self nor with ca ). >>> >> >> I'm not sure what you mean here. A certificate must be signed by >> someone/something. The client will not attempt preauth if the >> server's certificate is not trusted. >> >> >>> >>> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key >>> naveen >>> kinit(v5): Unknown code u8JW 88 while setting >>> 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key >>> >> >> Obviously, there is a problem with that error code. >> >> >>> >>> i am not able to send AS_REQ with pa data filled with certificates . >>> I am stuck her, please help me . >>> >>> thank you . >>> >>> with regards >>> naveen >>> >> >> The MIT client will not send pkinit information until the server >> indicates it will accept it. The server does this by indicating that >> the client principal requires preauthentication, and that pkinit is an >> acceptable form of preauthentication. >> >> Does the client principal have the requires_preauth flag set? Is the >> server telling the client that pkinit is an acceptable preauth method? >> >> > > Hi kevin, > > Thank you for your reply, it helped me. I had not set the requires preauth flag > for the client.
Now that i have set the flag i am getting the > KRB5KDC_ERR_PREAUTH_REQUIRED message from the kdc and then the client sends > a padata with encrypted timestamp and i am getting the ticket. But i want > to send certificates to kdc > and get the kdc certificates with dh parameters. pls kindly guide me . > And this is the concept that i have understood, please coorect me if i am > wrong .I need to generate the ca-cert.pem and ca-private.key using openssl > tool. Generate the RSA key for client like kdc.pem and kdc.key, > then signing the kdc.pem with the ca-private.key to generate kdc certificate > similarly for client and submite the paths of these files in there profiles > right. The certificates don't have to be created using openssl, but that is one way of doing it. If you do not currently have any PKI, then generating a self-signed CA certificate would be a good first step. This CA certificate can be used to sign a certificate for the KDC. The KDC's certificate must contain the proper Extended Key Usage (EKU) KeyPurposeId, to indicate it is intended to be used as a KDC >From section 3.2.4 of rfc4556: id-pkinit-KPKdc OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) pkinit(3) keyPurposeKdc(5) } -- Signing KDC responses. -- Key usage bits that MUST be consistent: -- digitalSignature. The client must possess the self-signed CA certificate, and have it listed as a trust anchor. If the reply from the KDC does not include pkinit as an acceptable preauth mechanism, then there is something wrong with your KDC configuration. If it is listed, then there is something wrong with your client configuration such that it doesn't trust the KDC. This message has some pointers on creating certs for use with pkinit with openssl: http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html K.C. From kwc at umich.edu Wed May 28 10:05:02 2008 
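A worked version of the steps described in this reply (a self-signed CA, a KDC certificate carrying the id-pkinit-KPKdc EKU and a krbtgt KRB5PrincipalName otherName, a client certificate with the client-auth EKU, and a client that trusts the CA) as an added example; it is not code from this thread, from MIT or from any poster. It assumes `openssl` on PATH, a realm EXAMPLE.COM and a client principal alice (both overridable through the environment), and the extension sections are modelled on the kdc_cert/client_cert pattern MIT documents for PKINIT. `check_pkinit_kdc_cert` performs the checks a PKINIT client implicitly makes before it will accept a KDC reply: the certificate chains to the configured anchor, the KDC EKU is present, and the key on disk matches the certificate. It therefore also rejects a leaf produced with `openssl x509 -req -signkey ca.key`, which self-signs the request (issuer equals subject) instead of chaining it to the CA, and a client certificate presented as a KDC certificate.

```shell
#!/bin/sh
# Added example: throw-away PKINIT PKI built with OpenSSL, plus the checks
# a PKINIT client makes on the KDC certificate. REALM, CLIENT, subject
# names and the file layout are assumptions for the demonstration.

pkinit_openssl_cnf() {
  # Extension sections in the MIT kdc_cert/client_cert style:
  # 1.3.6.1.5.2.3.5 = id-pkinit-KPKdc, 1.3.6.1.5.2.3.4 = id-pkinit-KPClientAuth,
  # 1.3.6.1.5.2.2 = id-pkinit-san (KRB5PrincipalName in subjectAltName).
  cat <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
[ kdc_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[ kdc_princ_name ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[ kdc_principal_seq ]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[ kdc_principals ]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[ princ_name ]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[ principal_seq ]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[ principals ]
princ1 = GeneralString:${ENV::CLIENT}
EOF
}

build_pkinit_pki() {
  # $1: output directory. Produces ca.{crt,key}, kdc.{crt,key}, client.{crt,key}
  # and bad.crt, a leaf made with -signkey instead of -CA/-CAkey.
  dir=$1
  REALM=${REALM:-EXAMPLE.COM}; CLIENT=${CLIENT:-alice}; export REALM CLIENT
  pkinit_openssl_cnf >"$dir/pkinit.cnf"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
      -config "$dir/pkinit.cnf" -extensions v3_ca \
      -subj "/O=Example/CN=Example PKINIT CA" -out "$dir/ca.crt" || return 1
  for name in kdc client; do
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$dir/$name.key" -config "$dir/pkinit.cnf" \
        -subj "/O=Example/CN=$name" -out "$dir/$name.csr" &&
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pkinit.cnf" -extensions "${name}_cert" \
        -out "$dir/$name.crt" 2>/dev/null || return 1
  done
  # Pitfall: -signkey self-signs the request (issuer == subject), so the
  # result is not issued by the CA and will never chain to ca.crt.
  openssl x509 -req -days 365 -in "$dir/client.csr" -signkey "$dir/ca.key" \
      -out "$dir/bad.crt" 2>/dev/null
}

check_pkinit_kdc_cert() {
  # $1 trust anchor (PEM), $2 certificate, $3 the private key used with it.
  # Succeeds only if the cert chains to the anchor, carries id-pkinit-KPKdc
  # in extendedKeyUsage, and its public key matches the key file.
  ca=$1 crt=$2 key=$3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
      { echo "$crt: does not chain to $ca"; return 1; }
  openssl x509 -in "$crt" -noout -text |
      grep -Eq 'Signing KDC Response|pkInitKDC|1\.3\.6\.1\.5\.2\.3\.5' ||
      { echo "$crt: no id-pkinit-KPKdc in extendedKeyUsage"; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
      { echo "$crt: public key does not match $key"; return 1; }
  echo "$crt: ok"
}
```

Usage: `build_pkinit_pki /tmp/pki && check_pkinit_kdc_cert /tmp/pki/ca.crt /tmp/pki/kdc.crt /tmp/pki/kdc.key`. The files are PEM, which is the format the pkinit plugin reads regardless of the .crt/.pem suffix, so `pkinit_anchors = FILE:/tmp/pki/ca.crt` and `pkinit_identity = FILE:/tmp/pki/kdc.crt,/tmp/pki/kdc.key` would be the matching profile relations.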

From: kwc at umich.edu (Kevin Coffman)
Date: Wed, 28 May 2008 10:05:02 -0400
Subject: [Fwd: Re: problem in sending AS_REQ]
In-Reply-To: <483D58CE.4000802@globaledgesoft.com>
References: <483C241C.1080706@globaledgesoft.com> <4d569c330805271413k478d3f4fsd8fc293f6cea061f@mail.gmail.com> <483D58CE.4000802@globaledgesoft.com>
Message-ID: <4d569c330805280705u6a02603cv5f7576648b4b053a@mail.gmail.com>

On Wed, May 28, 2008 at 9:06 AM, naveen.bn wrote:
> Kevin Coffman wrote:
>> On Tue, May 27, 2008 at 11:09 AM, naveen.bn wrote:
>>> ---------- Forwarded message ----------
>>> From: "naveen.bn"
>>> To: Kevin Coffman
>>> Date: Tue, 27 May 2008 15:06:25 +0000
>>> Subject: Re: problem in sending AS_REQ
>>>
>>> Kevin Coffman wrote:
>>>> On Mon, May 26, 2008 at 12:02 PM, naveen.bn wrote:
>>>>> hi all,
>>>>> This is my krb5.conf
>>>>> ********************* krb5.conf ******************************
>>>>> [libdefaults]
>>>>>     default_realm = _kerberos._udp.globaledgesoft.com
>>>>>     krb4_config = /usr/kerberos/lib/krb.conf
>>>>>     krb5_realms = /usr/kerberos/lib/krb.realms
>>>>>     pkinit_anchors = FILE:/secure/ca-cert.pem
>>>>>
>>>>> [realms]
>>>>>     _kerberos._udp.globaledgesoft.com = {
>>>>>         admin_server = 172.16.8.141
>>>>>         kdc = 172.16.8.141
>>>>>         v4_instance_convert = {
>>>>>             gesl = _kerberos._udp.globaledgesoft.com
>>>>>             lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>>>>>         }
>>>>>
>>>>>         pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>>>>>     }
>>>>>     ANDREW.CMU.EDU = {
>>>>>         admin_server = 172.16.8.141
>>>>>     }
>>>>> # use "kdc =" if realm admins haven't put SRV records into DNS
>>>>>     GNU.ORG = {
>>>>>         kdc = 172.16.8.141
>>>>>         kdc = 172.16.9.141
>>>>>         admin_server = 172.16.8.141
>>>>>     }
>>>>>
>>>>> [domain_realm]
>>>>>     .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>>>     globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>>>
>>>>> [logging]
>>>>> # kdc = CONSOLE
>>>>>     kdc=FILE:/var/krb5kdc.log
>>>>>     admin_server = FILE:/var/log/kadmin.log
>>>>>     default = FILE:/var/log/krb5lib.log
>>>>> ***********************************************************************
>>>>> and this is my kdc.conf
>>>>> [kdcdefaults]
>>>>>     kdc_ports = 750,88
>>>>>     pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>>>     pkinit_anchors=DIR:/secure/ca-cert.pem
>>>>
>>>> For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>>>>
>>>>> [realms]
>>>>>     _kerberos._udp.globaledgesoft.com = {
>>>>>         database_name = /usr/local/var/krb5kdc/principal
>>>>>         admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>>>>>         acl_file = /usr/local/var/krb5kdc/kadm5.acl
>>>>>         key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>>>>>         kdc_ports = 750,88
>>>>>         max_life = 10h 0m 0s
>>>>>         max_renewable_life = 7d 0h 0m 0s
>>>>>
>>>>>         pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>>>         pkinit_anchors=DIR:/secure/ca-cert.pem
>>>>>     }
>>>>>
>>>>> ***************************************** kdc.conf **********************
>>>>> I have used the openssl program to generate mycert.pem and the key, but I
>>>>> have not signed it with anything (neither self-signed nor signed by a CA).
>>>>
>>>> I'm not sure what you mean here. A certificate must be signed by
>>>> someone/something. The client will not attempt preauth if the
>>>> server's certificate is not trusted.
>>>>
>>>>> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key naveen
>>>>> kinit(v5): Unknown code u8JW 88 while setting 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>>>>
>>>> Obviously, there is a problem with that error code.
>>>>
>>>>> I am not able to send AS_REQ with pa data filled with certificates.
>>>>> I am stuck here, please help me.
>>>>>
>>>>> thank you.
>>>>>
>>>>> with regards
>>>>> naveen
>>>>
>>>> The MIT client will not send pkinit information until the server
>>>> indicates it will accept it. The server does this by indicating that
>>>> the client principal requires preauthentication, and that pkinit is an
>>>> acceptable form of preauthentication.
>>>>
>>>> Does the client principal have the requires_preauth flag set? Is the
>>>> server telling the client that pkinit is an acceptable preauth method?
>>>
>>> Hi Kevin,
>>>
>>> Thank you for your reply, it helped me. I had not set the requires_preauth
>>> flag for the client. Now that I have set the flag I am getting the
>>> KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client sends
>>> padata with an encrypted timestamp and I am getting the ticket. But I want
>>> to send certificates to the KDC and get the KDC certificates with DH
>>> parameters. Please kindly guide me.
>>>
>>> And this is the concept that I have understood, please correct me if I am
>>> wrong. I need to generate the ca-cert.pem and ca-private.key using the
>>> openssl tool. Generate the RSA key for the client, like kdc.pem and kdc.key,
>>> then sign the kdc.pem with the ca-private.key to generate the KDC certificate,
>>> similarly for the client, and submit the paths of these files in their
>>> profiles. Right?
>>
>> The certificates don't have to be created using openssl, but that is
>> one way of doing it. If you do not currently have any PKI, then
>> generating a self-signed CA certificate would be a good first step.
>>
>> This CA certificate can be used to sign a certificate for the KDC.
>> The KDC's certificate must contain the proper Extended Key Usage (EKU)
>> KeyPurposeId, to indicate it is intended to be used as a KDC.
>>
>> From section 3.2.4 of rfc4556:
>>
>>     id-pkinit-KPKdc OBJECT IDENTIFIER ::=
>>       { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
>>         pkinit(3) keyPurposeKdc(5) }
>>       -- Signing KDC responses.
>>       -- Key usage bits that MUST be consistent:
>>       -- digitalSignature.
>>
>> The client must possess the self-signed CA certificate, and have it
>> listed as a trust anchor.
>>
>> If the reply from the KDC does not include pkinit as an acceptable
>> preauth mechanism, then there is something wrong with your KDC
>> configuration. If it is listed, then there is something wrong with
>> your client configuration such that it doesn't trust the KDC.
>>
>> This message has some pointers on creating certs for use with pkinit
>> with openssl:
>> http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
>>
>> K.C.
>
> Hi Kevin,
>
> Thanks for your reply.
> I am still trying to send the AS_REQ with certificates (i.e., PA-PK-AS-REQ).
> I have changed my kdc.conf and krb5.conf files as specified below.
> I have made use of the link you gave for configuring the openssl.cnf to
> generate the certificates.
>
> This is how my openssl.cnf looks:
> /********************* start of openssl.cnf *******************/
>
> # OpenSSL example configuration file.
> # This is mostly being used for generation of certificate requests.
> #
>
> # This definition stops the following lines choking if HOME isn't
> # defined.
> HOME = .
> RANDFILE = $ENV::HOME/.rnd
>
> # Extra OBJECT IDENTIFIER info:
> #oid_file = $ENV::HOME/.oid
> oid_section = new_oids
>
> [ new_oids ]
>
> [ ca ]
> default_ca = CA_default # The default ca section
>
> [ CA_default ]
>
> dir = ./demoCA # Where everything is kept
> certs = $dir/certs # Where the issued certs are kept
> crl_dir = $dir/crl # Where the issued crl are kept
> database = $dir/index.txt # database index file.
> new_certs_dir = $dir/newcerts # default place for new certs.
>
> certificate = $dir/cacert.pem # The CA certificate
> serial = $dir/serial # The current serial number
> crl = $dir/crl.pem # The current CRL
> private_key = $dir/private/cakey.pem # The private key
> RANDFILE = $dir/private/.rand # private random number file
>
> x509_extensions = usr_cert # The extensions to add to the cert
>
> default_days = 10000 # how long to certify for
> default_crl_days= 30 # how long before next CRL
> default_md = sha1 # which md to use.
> preserve = no # keep passed DN ordering
> policy = policy_match
>
> [ policy_match ]
> countryName = optional
> stateOrProvinceName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = optional
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> default_bits = 1024
> default_keyfile = privkey.pem
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> x509_extensions = v3_ca # The extensions to add to the self signed cert
> string_mask = nombstr
>
> [ req_distinguished_name ]
> countryName = Country Name (2 letter code)
> countryName_default = IN
> countryName_min = 2
> countryName_max = 2
>
> 0.organizationName = Organization Name (eg, company)
> 0.organizationName_default = GlobalEdge Soft ltd
> organizationalUnitName = Organizational Unit Name (eg, section)
> organizationalUnitName_default =
> commonName = Common Name (eg, YOUR name)
> commonName_max = 64
>
> [ req_attributes ]
>
> [ usr_cert ]
>
> [ v3_req ]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
> [ v3_ca ]
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid:always,issuer:always
> basicConstraints = CA:true
>
> [ crl_ext ]
> authorityKeyIdentifier=keyid:always,issuer:always
>
> [ kdc_cert ]
> basicConstraints=CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
> extendedKeyUsage = 1.3.6.1.5.2.3.5
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> issuerAltName=issuer:copy
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
>
> [kdc_princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:kdc_principal_seq
>
> [kdc_principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:kdc_principals
>
> [kdc_principals]
> princ1 = GeneralString:krbtgt
> princ2 = GeneralString:${ENV::REALM}
>
> [ client_cert ]
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, keyEncipherment, keyAgreement
> extendedKeyUsage = 1.3.6.1.5.2.3.4
> subjectKeyIdentifier=hash
> authorityKeyIdentifier=keyid,issuer
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
> issuerAltName=issuer:copy
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> [principal_seq]
> name_type = EXP:0, INTEGER:1
> name_string = EXP:1, SEQUENCE:principals
>
> [principals]
> princ1 = GeneralString:${ENV::CLIENT}
>
> /***************** End of openssl.cnf ***************************/
>
> I have set the environment variables REALM and CLIENT.
>
> I have used the following commands to generate the certificates.
>
> /************ CA certificates ***********/
> openssl genrsa -out ca.key 2048
> openssl req -new -key ca.key -out ca.csr
> openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
>
> at the end of this I have ca.crt and ca.key, which is self signed
>
> /************* END of CA crt **************/
>
> /************* Client certificate *********/
>
> openssl genrsa -out client.key 2048
> openssl req -new -key client.key -out client.csr
> openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions client_cert -out client.crt
>
> at the end of this I have client.crt and client.key, which is signed by the ca.key
>
> /************* END of client crt ***********/
>
> /************* KDC certificate *************/
>
> openssl genrsa -out kdc.key 2048
> openssl req -new -key kdc.key -out kdc.csr
> openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert -out kdc.crt
>
> /************* END of KDC crt **************/
>
> I am running both client and server on the same machine.
> I have kept the files {ca.crt,ca.key} in /ca, the files
> {kdc.crt,kdc.key} in /key and the files {client.crt,client.key} in /client.
>
> This is my new krb5.conf file.
> /****************************** start of Krb5.conf *************************/
>
> [libdefaults]
>     default_realm = _kerberos._udp.globaledgesoft.com
>     krb4_config = /usr/kerberos/lib/krb.conf
>     krb4_realms = /usr/kerberos/lib/krb.realms
>     pkinit_anchors = DIR:/ca/
>
> [realms]
>     _kerberos._udp.globaledgesoft.com = {
>         kdc = 172.16.8.141
>         admin_server = 172.16.8.141
>         pkinit_identity = DIR:/client/
>     }
>
> [kdc]
>     require-preauth = yes
>     pkinit_identity = DIR:/kdc/
>
> [kadmin]
>     require-preauth = yes
>
> [domain_realm]
>     .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>     globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>
> [logging]
>     kdc=FILE:/var/krb5kdc.log
>     admin_server = FILE:/var/log/kadmin.log
>     default = FILE:/var/log/krb5lib.log
>
> /********************************* end of krb5.conf **************************/
>
> This is my new kdc.conf file.
>
> /********************************* start of kdc.conf ******************************/
>
> [kdcdefaults]
>     kdc_ports = 750,88
>     pkinit_anchors = DIR:/ca/
>     pkinit_identity = DIR:/kdc/
>
> [realms]
>     _kerberos._udp.globaledgesoft.com = {
>         database_name = /usr/local/var/krb5kdc/principal
>         admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>         acl_file = /usr/local/var/krb5kdc/kadm5.acl
>         key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>
>         pkinit_identity = FILE:/client/
>     }
>
> [kdc]
>     require-preauth = yes
> /********************************** end of kdc.conf ***********************************/
>
> I also tried to generate the certificates using the link
> http://acs.lbl.gov/~boverhof/openssl_certs.html
> and modified the kdc.conf and krb5.conf: in place of specifying DIR, I have
> given the path of the .pem and .key files in the profiles, but it still
> isn't working.
> I also have a doubt on whether to use .pem and .key format or .crt and .key
> format certificates; it would be helpful if I got some guidance in
> generating certificates. Are the above configuration files right? Please do
> guide me in case there is a mistake. Can you please send a link for client
> configuration if I am wrong in configuring the client and/or KDC for pkinit?
> I am not using a smartcard.
>
> Thank you for support.
>
> With regards
> naveen

Unfortunately, I don't have the time right now to guide you. Below is
an example of my test KDC's kdc.conf and client's krb5.conf.

As Russ pointed out, your realm name is _highly_ unconventional, and is
highly likely to cause problems. I don't know if it has anything to do
with any problems you are currently seeing. Conventionally, your realm
name should be GLOBALEDGESOFT.COM (upper-case of your domain name).

Besides that, your config files look reasonable.
Without seeing the contents of the /ca and /kdc directories, and the
contents of the certificates within them, I can't say more. The
contents of the cert and key files are expected to be in PEM format.
Their names aren't important.

See http://www.mit.edu/~kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html
for more info on the config options.

You *may* get more help by compiling the pkinit preauth plugin code
with -DDEBUG, which will cause it to print more information to stdout.

K.C.

---- example kdc.conf ----
[kdcdefaults]
    default_realm = KWCTEST.CITI.UMICH.EDU
    kdc_ports = 750,88
    kdc_tcp_ports = 88
    v4_mode = nopreauth

[realms]
    KWCTEST.CITI.UMICH.EDU = {
        database_name = /usr/local/krb5/var/krb5kdc/KWCTEST/principal
        admin_keytab = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.keytab
        acl_file = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.acl
        dict_file = /usr/local/krb5/var/krb5kdc/kadm5.dict
        key_stash_file = /usr/local/krb5/var/krb5kdc/KWCTEST/.k5.KWCTEST.CITI.UMICH.EDU
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:afs3
        kadmind_port = 749
        pkinit_pool = FILE:/etc/grid-security/certificates/ca-intermediates.crt
        pkinit_revoke = DIR:/etc/grid-security/certificates
        pkinit_identity=FILE:/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.crt,/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.key
        pkinit_anchors=FILE:/etc/grid-security/certificates/ca-bundle.crt
        pkinit_anchors=FILE:/etc/grid-security/certificates/doe-ca.crt
        pkinit_allow_upn = true
        pkinit_eku_checking = none
    }

---- example krb5.conf ----
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = KWCTEST.CITI.UMICH.EDU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    noaddresses = true
    no-addresses = true
    forwardable = true
    pkinit_anchors = DIR:/etc/grid-security/certificates
    KWCTEST.CITI.UMICH.EDU = {
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_require_hostname_match = true
    }

[realms]
    KWCTEST.CITI.UMICH.EDU = {
        kdc = rock.citi.umich.edu
        admin_server = rock.citi.umich.edu
    }

[domain_realm]
    rock.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
    roll.citi.umich.edu = KWCTEST.CITI.UMICH.EDU

From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Wed, 28 May 2008 13:06:22 +0000
Subject: [Fwd: Re: problem in sending AS_REQ]
In-Reply-To: <4d569c330805271413k478d3f4fsd8fc293f6cea061f@mail.gmail.com>
References: <483C241C.1080706@globaledgesoft.com> <4d569c330805271413k478d3f4fsd8fc293f6cea061f@mail.gmail.com>
Message-ID: <483D58CE.4000802@globaledgesoft.com>

Kevin Coffman wrote:
> On Tue, May 27, 2008 at 11:09 AM, naveen.bn wrote:
>> ---------- Forwarded message ----------
>> From: "naveen.bn"
>> To: Kevin Coffman
>> Date: Tue, 27 May 2008 15:06:25 +0000
>> Subject: Re: problem in sending AS_REQ
>>
>> Kevin Coffman wrote:
>>> On Mon, May 26, 2008 at 12:02 PM, naveen.bn wrote:
>>>> hi all,
>>>> This is my krb5.conf
>>>> ********************* krb5.conf ******************************
>>>> [libdefaults]
>>>>     default_realm = _kerberos._udp.globaledgesoft.com
>>>>     krb4_config = /usr/kerberos/lib/krb.conf
>>>>     krb5_realms = /usr/kerberos/lib/krb.realms
>>>>     pkinit_anchors = FILE:/secure/ca-cert.pem
>>>>
>>>> [realms]
>>>>     _kerberos._udp.globaledgesoft.com = {
>>>>         admin_server = 172.16.8.141
>>>>         kdc = 172.16.8.141
>>>>         v4_instance_convert = {
>>>>             gesl = _kerberos._udp.globaledgesoft.com
>>>>             lithium = lithium.lcs. _kerberos._udp.globaledgesoft.com
>>>>         }
>>>>
>>>>         pkinit_identity = FILE:/secure/mycert.pem,/secure/mycert.key
>>>>     }
>>>>     ANDREW.CMU.EDU = {
>>>>         admin_server = 172.16.8.141
>>>>     }
>>>> # use "kdc =" if realm admins haven't put SRV records into DNS
>>>>     GNU.ORG = {
>>>>         kdc = 172.16.8.141
>>>>         kdc = 172.16.9.141
>>>>         admin_server = 172.16.8.141
>>>>     }
>>>>
>>>> [domain_realm]
>>>>     .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>>     globaledgesoft.com = _kerberos._udp.globaledgesoft.com
>>>>
>>>> [logging]
>>>> # kdc = CONSOLE
>>>>     kdc=FILE:/var/krb5kdc.log
>>>>     admin_server = FILE:/var/log/kadmin.log
>>>>     default = FILE:/var/log/krb5lib.log
>>>> ***********************************************************************
>>>> and this is my kdc.conf
>>>> [kdcdefaults]
>>>>     kdc_ports = 750,88
>>>>     pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>>     pkinit_anchors=DIR:/secure/ca-cert.pem
>>>
>>> For pkinit_anchors, you are specifying "DIR:", but giving a file name?
>>>
>>>> [realms]
>>>>     _kerberos._udp.globaledgesoft.com = {
>>>>         database_name = /usr/local/var/krb5kdc/principal
>>>>         admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>>>>         acl_file = /usr/local/var/krb5kdc/kadm5.acl
>>>>         key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>>>>         kdc_ports = 750,88
>>>>         max_life = 10h 0m 0s
>>>>         max_renewable_life = 7d 0h 0m 0s
>>>>
>>>>         pkinit_identity=FILE:/secure/mycert.crt,/secure/mycert.key
>>>>         pkinit_anchors=DIR:/secure/ca-cert.pem
>>>>     }
>>>>
>>>> ***************************************** kdc.conf **********************
>>>> I have used the openssl program to generate mycert.pem and the key, but I
>>>> have not signed it with anything (neither self-signed nor signed by a CA).
>>>
>>> I'm not sure what you mean here. A certificate must be signed by
>>> someone/something. The client will not attempt preauth if the
>>> server's certificate is not trusted.
>>>
>>>> kinit -X X509_user_identity=FILE:/secure/mycert.pem,/secure/mycert.key naveen
>>>> kinit(v5): Unknown code u8JW 88 while setting 'X509_user_identity'='FILE:/secure/mycert.pem,/secure/mycert.key
>>>
>>> Obviously, there is a problem with that error code.
>>>
>>>> I am not able to send AS_REQ with pa data filled with certificates.
>>>> I am stuck here, please help me.
>>>>
>>>> thank you.
>>>>
>>>> with regards
>>>> naveen
>>>
>>> The MIT client will not send pkinit information until the server
>>> indicates it will accept it. The server does this by indicating that
>>> the client principal requires preauthentication, and that pkinit is an
>>> acceptable form of preauthentication.
>>>
>>> Does the client principal have the requires_preauth flag set? Is the
>>> server telling the client that pkinit is an acceptable preauth method?
>>
>> Hi Kevin,
>>
>> Thank you for your reply, it helped me. I had not set the requires_preauth
>> flag for the client. Now that I have set the flag I am getting the
>> KRB5KDC_ERR_PREAUTH_REQUIRED message from the KDC, and then the client sends
>> padata with an encrypted timestamp and I am getting the ticket. But I want
>> to send certificates to the KDC and get the KDC certificates with DH
>> parameters. Please kindly guide me.
>>
>> And this is the concept that I have understood, please correct me if I am
>> wrong. I need to generate the ca-cert.pem and ca-private.key using the
>> openssl tool. Generate the RSA key for the client, like kdc.pem and kdc.key,
>> then sign the kdc.pem with the ca-private.key to generate the KDC certificate,
>> similarly for the client, and submit the paths of these files in their
>> profiles. Right?
>
> The certificates don't have to be created using openssl, but that is
> one way of doing it. If you do not currently have any PKI, then
> generating a self-signed CA certificate would be a good first step.
>
> This CA certificate can be used to sign a certificate for the KDC.
> The KDC's certificate must contain the proper Extended Key Usage (EKU)
> KeyPurposeId, to indicate it is intended to be used as a KDC.
>
> From section 3.2.4 of rfc4556:
>
>     id-pkinit-KPKdc OBJECT IDENTIFIER ::=
>       { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
>         pkinit(3) keyPurposeKdc(5) }
>       -- Signing KDC responses.
>       -- Key usage bits that MUST be consistent:
>       -- digitalSignature.
>
> The client must possess the self-signed CA certificate, and have it
> listed as a trust anchor.
>
> If the reply from the KDC does not include pkinit as an acceptable
> preauth mechanism, then there is something wrong with your KDC
> configuration. If it is listed, then there is something wrong with
> your client configuration such that it doesn't trust the KDC.
>
> This message has some pointers on creating certs for use with pkinit
> with openssl:
> http://mailman.mit.edu/pipermail/krbdev/2006-November/005180.html
>
> K.C.

Hi Kevin,

Thanks for your reply.
I am still trying to send the AS_REQ with certificates (i.e., PA-PK-AS-REQ).
I have changed my kdc.conf and krb5.conf files as specified below.
I have made use of the link you gave for configuring the openssl.cnf to
generate the certificates.

This is how my openssl.cnf looks:
/********************* start of openssl.cnf *******************/

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

[ new_oids ]

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extensions to add to the cert

default_days = 10000 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
countryName_min = 2
countryName_max = 2

0.organizationName = Organization Name (eg, company)
0.organizationName_default = GlobalEdge Soft ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64

[ req_attributes ]

[ usr_cert ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ kdc_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[ client_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:${ENV::CLIENT}

/***************** End of openssl.cnf ***************************/

I have set the environment variables REALM and CLIENT.

I have used the following commands to generate the certificates.

/************ CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

at the end of this I have ca.crt and ca.key, which is self signed

/************* END of CA crt **************/

/************* Client certificate *********/

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions client_cert -out client.crt

at the end of this I have client.crt and client.key, which is signed by the ca.key

/************* END of client crt ***********/

/************* KDC certificate *************/

openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert -out kdc.crt

/************* END of KDC crt **************/

I am running both client and server on the same machine. I have kept the
files {ca.crt,ca.key} in /ca, the files {kdc.crt,kdc.key} in /key and the
files {client.crt,client.key} in /client.

This is my new krb5.conf file.
/****************************** start of Krb5.conf *************************/

[libdefaults]
    default_realm = _kerberos._udp.globaledgesoft.com
    krb4_config = /usr/kerberos/lib/krb.conf
    krb4_realms = /usr/kerberos/lib/krb.realms
    pkinit_anchors = DIR:/ca/

[realms]
    _kerberos._udp.globaledgesoft.com = {
        kdc = 172.16.8.141
        admin_server = 172.16.8.141
        pkinit_identity = DIR:/client/
    }

[kdc]
    require-preauth = yes
    pkinit_identity = DIR:/kdc/

[kadmin]
    require-preauth = yes

[domain_realm]
    .globaledgesoft.com = _kerberos._udp.globaledgesoft.com
    globaledgesoft.com = _kerberos._udp.globaledgesoft.com

[logging]
    kdc=FILE:/var/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

/********************************* end of krb5.conf **************************/

This is my new kdc.conf file.

/********************************* start of kdc.conf ******************************/

[kdcdefaults]
    kdc_ports = 750,88
    pkinit_anchors = DIR:/ca/
    pkinit_identity = DIR:/kdc/

[realms]
    _kerberos._udp.globaledgesoft.com = {
        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s

        pkinit_identity = FILE:/client/
    }

[kdc]
    require-preauth = yes
/********************************** end of kdc.conf ***********************************/

I also tried to generate the certificates using the link
http://acs.lbl.gov/~boverhof/openssl_certs.html
and modified the kdc.conf and krb5.conf: in place of specifying DIR, I have
given the path of the .pem and .key files in the profiles, but it still
isn't working. I also have a doubt on whether to use .pem and .key format
or .crt and .key format certificates; it would be helpful if I got some
guidance in generating certificates. Are the above configuration files
right? Please do guide me in case there is a mistake. Can you please send
a link for client configuration if I am wrong in configuring the client
and/or KDC for pkinit? I am not using a smartcard.

Thank you for support.

With regards
naveen

From: radaczynski at gmail.com (radaczynski@gmail.com)
Date: Tue, 27 May 2008 23:58:25 -0700 (PDT)
Subject: Problems with authenticating to a Win domain controller
Message-ID: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>

Hi,

I've recently encountered a strange error when trying to get a ticket
from a W2k domain controller. My setup is like this:

1. krb5.conf:
[libdefaults]
    default_realm = DOMAIN1.COM
    forwardable = true
    proxiable = true
    dns_lookup_realm = false
    dsn_lookup_kdc = false
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }

[realms]
    DOMAIN1.COM = {
        kdc = aaa.domain1.com:88
    }

[domain_realm]
    .domain1.com = DOMAIN1.COM
    domain1.com = DOMAIN1.COM
    .domain2.com = DOMAIN2.COM
    domain2.com = DOMAIN2.COM

[appdefaults]
    pam = {
        debug=false
        forwardable=true
        krb4_convert=false
    }

DOMAIN2 is a trusted domain of DOMAIN1.

Now, when I do this:
    kinit myuser@DOMAIN2.COM
    Password for myuser@DOMAIN2.COM:

I get a TGT: renew until 05/29/08 08:55:12, Etype (skey, tkt):
ArcFour with HMAC/md5, ArcFour with HMAC/md5; the principal is
krbtgt/DOMAIN2.COM@DOMAIN2.COM.

Then I try:
    kvno HTTP/test.domain1.com@DOMAIN1.COM
and get:
    Server not found in Kerberos database while getting credentials

When I try:
    kvno HTTP/test.domain1.com@DOMAIN2.COM
I get:
    KDC reply did not match expectations while getting credentials

Any help would be greatly appreciated.
From: radaczynski at gmail.com (radaczynski@gmail.com)
Date: Wed, 28 May 2008 00:00:59 -0700 (PDT)
Subject: Problems with authenticating to a Win domain controller
References: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>
Message-ID:

On 28 Maj, 08:58, radaczyn... at gmail.com wrote:
> Hi,
>
> I've recently encountered a strange error when trying to get a ticket
> from a W2k domain controller. My setup is like this:
>
> 1. krb5.conf:
> [libdefaults]
>     default_realm = DOMAIN1.COM
>     forwardable = true
>     proxiable = true
>     dns_lookup_realm = false
>     dsn_lookup_kdc = false
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>
> [realms]
>     DOMAIN1.COM = {
>         kdc = aaa.domain1.com:88
>     }
>
> [domain_realm]
>     .domain1.com = DOMAIN1.COM
>     domain1.com = DOMAIN1.COM
>     .domain2.com = DOMAIN2.COM
>     domain2.com = DOMAIN2.COM
>
> [appdefaults]
>     pam = {
>         debug=false
>         forwardable=true
>         krb4_convert=false
>     }
>
> DOMAIN2 is a trusted domain of DOMAIN1
>
> now, when i do this:
> kinit myu... at DOMAIN2.COM
> Password for myu... at DOMAIN2.COM:
>
> and i get a TGT: renew until 05/29/08 08:55:12, Etype (skey, tkt):
> ArcFour with HMAC/md5, ArcFour with HMAC/md5, the principal is: krbtgt/
> DOMAIN2.... at DOMAIN2.COM
>
> then I try:
> kvno HTTP/test.domain1.... at DOMAIN1.COM
> and get:
> Server not found in Kerberos database while getting credentials
>
> when I try:
> kvno HTTP/test.domain1.... at DOMAIN2.COM
> I get:
> KDC reply did not match expectations while getting credentials
>
> Any help would be greatly appreciated.

It seems that there is a similar thread (or rather a question) here:
http://article.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/2869

From David.Bear at asu.edu Wed May 28 11:41:37 2008
From: David.Bear at asu.edu (David Bear)
Date: Wed, 28 May 2008 08:41:37 -0700
Subject: what happens when kfw is disconnected
Message-ID: <1d1a54bf0805280841u45b79e29s573b9e00730f60e9@mail.gmail.com>

We have the challenge of supporting very mobile users who may hop between many wireless networks. These machines are joined to an AD domain, so when they hop on to a wireless network they are logged on using whatever credentials Windows has cached. This seems to cause an issue for KfW and/or OpenAFS. I am wondering if KfW handles the situation where it cannot contact a KDC because there is no network path available, because Windows hasn't connected to any network. Can KfW be instructed to wait a certain time period for trying to get a TGT? Or can KfW wait for an event, like the availability of a wireless network, and then contact the KDC for credentials?

-- 
David Bear
College of Public Programs at ASU
602-464-0424

From deengert at anl.gov Wed May 28 11:47:22 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 28 May 2008 10:47:22 -0500
Subject: Problems with authenticating to a Win domain controller
In-Reply-To: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>
References: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>
Message-ID: <483D7E8A.7010102@anl.gov>

radaczynski at gmail.com wrote:
> Hi,
>
> I've recently encountered a strange error when trying to get a ticket
> from a W2k domain controller. My setup is like this:
>
> 1. krb5.conf:
> [libdefaults]
>     default_realm = DOMAIN1.COM
>     forwardable = true
>     proxiable = true
>     dns_lookup_realm = false
>     dsn_lookup_kdc = false
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>
> [realms]
>     DOMAIN1.COM = {
>         kdc = aaa.domain1.com:88
>     }
>
> [domain_realm]
>     .domain1.com = DOMAIN1.COM
>     domain1.com = DOMAIN1.COM
>     .domain2.com = DOMAIN2.COM
>     domain2.com = DOMAIN2.COM
>
> [appdefaults]
>     pam = {
>         debug=false
>         forwardable=true
>         krb4_convert=false
>     }
>
> DOMAIN2 is a trusted domain of DOMAIN1
>
> now, when i do this:
> kinit myuser at DOMAIN2.COM
> Password for myuser at DOMAIN2.COM:
>
> and i get a TGT: renew until 05/29/08 08:55:12, Etype (skey, tkt):
> ArcFour with HMAC/md5, ArcFour with HMAC/md5, the principal is: krbtgt/
> DOMAIN2.COM at DOMAIN2.COM
>
> then I try:
> kvno HTTP/test.domain1.com at DOMAIN1.COM
> and get:
> Server not found in Kerberos database while getting credentials

This might be some cross realm issue. To get a ticket from DOMAIN1.COM requires you to first get a krbtgt/DOMAIN1.COM at DOMAIN2.COM from DOMAIN2.COM.

You set the dns_lookup_kdc = false, and did not define DOMAIN1.COM in [realms], so your client can not find the KDCs for DOMAIN1.COM.

It might be an issue that the cross realm trust is not set up as you think it is.

To verify all of these for sure, use a trace program like Wireshark, that can format the Kerberos packets.

> when I try:
> kvno HTTP/test.domain1.com at DOMAIN2.COM
> I get:
> KDC reply did not match expectations while getting credentials

W2K may have returned a referral saying look in DOMAIN1.COM. But the Kerberos lib does not handle that today.

> Any help would be greatly appreciated.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jaltman at secure-endpoints.com Wed May 28 12:02:05 2008
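As an added illustration of the cross-realm point above (this is not from the thread, and the DOMAIN2.COM KDC host name is a placeholder), here is the shape a krb5.conf takes when DNS lookup of KDCs is switched off and a client holding a DOMAIN2.COM TGT needs a service in DOMAIN1.COM. Both realms need [realms] entries, because the library has to reach the DOMAIN2.COM KDC for krbtgt/DOMAIN1.COM@DOMAIN2.COM and then the DOMAIN1.COM KDC for the service ticket, and [capaths] states the direct trust explicitly. One caveat on the posted file: the key there is spelled dsn_lookup_kdc, while the library only recognises dns_lookup_kdc, so the posted line is ignored and KDC lookup via DNS stays at its default.

```ini
[libdefaults]
    default_realm = DOMAIN1.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    DOMAIN1.COM = {
        kdc = aaa.domain1.com:88
    }
    # placeholder: the domain controller(s) of the realm the TGT comes from
    DOMAIN2.COM = {
        kdc = dc1.domain2.com:88
    }

[domain_realm]
    .domain1.com = DOMAIN1.COM
    domain1.com = DOMAIN1.COM
    .domain2.com = DOMAIN2.COM
    domain2.com = DOMAIN2.COM

# "." means the two realms share a cross-realm key directly, with no
# intermediate realm on the path; list both directions if both are trusted.
[capaths]
    DOMAIN2.COM = {
        DOMAIN1.COM = .
    }
    DOMAIN1.COM = {
        DOMAIN2.COM = .
    }
```

With the DOMAIN2.COM TGT in the cache, running `kvno krbtgt/DOMAIN1.COM@DOMAIN2.COM` exercises only the cross-realm step: if the DOMAIN2.COM KDC issues that ticket, the trust exists in the direction the client needs and a later failure for HTTP/test.domain1.com@DOMAIN1.COM comes from the DOMAIN1.COM side; if it fails, the cross-realm part is where to look. Wireshark's Kerberos dissector shows which KDC answered which request and whether an error reply carried a referral realm.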
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 28 May 2008 12:02:05 -0400
Subject: what happens when kfw is disconnected
In-Reply-To: <1d1a54bf0805280841u45b79e29s573b9e00730f60e9@mail.gmail.com>
References: <1d1a54bf0805280841u45b79e29s573b9e00730f60e9@mail.gmail.com>
Message-ID: <483D81FD.60206@secure-endpoints.com>

David Bear wrote:
> We have the challenge of supporting very mobile users who may hop between
> many wireless networks. These machine are joined to an AD domain so when
> they hop on to a wireless network, they are logged on using whatever
> credentials windows has cached. This seems to cause an issue for KfW and/or
> Openafs. I am wondering of KfW handles the situation where it cannot contact
> a KDC becuase there is no network path available because windows hasn't
> connected to any network. Can KfW be instructed to wait a certain time
> period for trying to get a tgt? Or, can KfW wait for an event, like the
> availability of a wireless network -- and then contact the kdc for
> credentials?

KFW does not cache the user's password. If the KDC is not reachable during logon, the user will not obtain credentials.

The user can obtain credentials at a later time using Network Identity Manager. You can configure NetIdMgr to monitor network connectivity and prompt the user to obtain credentials if s/he has none.

From David.Bear at asu.edu Wed May 28 12:30:58 2008
From: David.Bear at asu.edu (David Bear)
Date: Wed, 28 May 2008 09:30:58 -0700
Subject: what happens when kfw is disconnected
In-Reply-To: <483D81FD.60206@secure-endpoints.com>
References: <1d1a54bf0805280841u45b79e29s573b9e00730f60e9@mail.gmail.com> <483D81FD.60206@secure-endpoints.com>
Message-ID: <1d1a54bf0805280930l38b182dcta6f5a7f844309f9f@mail.gmail.com>

On Wed, May 28, 2008 at 9:02 AM, Jeffrey Altman <jaltman at secure-endpoints.com> wrote:
> David Bear wrote:
>
>> We have the challenge of supporting very mobile users who may hop between
>> many wireless networks. These machine are joined to an AD domain so when
>> they hop on to a wireless network, they are logged on using whatever
>> credentials windows has cached. This seems to cause an issue for KfW
>> and/or
>> Openafs. I am wondering of KfW handles the situation where it cannot
>> contact
>> a KDC becuase there is no network path available because windows hasn't
>> connected to any network. Can KfW be instructed to wait a certain time
>> period for trying to get a tgt? Or, can KfW wait for an event, like the
>> availability of a wireless network -- and then contact the kdc for
>> credentials?
>
> KFW does not cache the user's password. If the KDC is not reachable
> during logon, the user will not obtain credentials.
>
> The user can obtain credentials at a later time using Network Identity
> Manager. You can configure NetIdMgr to monitor network connectivity and
> prompt the user to obtain credentials if s/he has none.

Then we should configure KfW to NOT get credentials at logon, and set it to prompt for logon when the network becomes active? I think I found that setting in NIM under options->general (uncheck "obtain new credentials at startup"). "monitor network activity" is also currently checked. I assume that is what needs to be checked to have NIM prompt for logon when available?

-- 
David Bear
College of Public Programs at ASU
602-464-0424

From jaltman at secure-endpoints.com Wed May 28 12:37:40 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 28 May 2008 12:37:40 -0400
Subject: what happens when kfw is disconnected
In-Reply-To: <1d1a54bf0805280930l38b182dcta6f5a7f844309f9f@mail.gmail.com>
References: <1d1a54bf0805280841u45b79e29s573b9e00730f60e9@mail.gmail.com> <483D81FD.60206@secure-endpoints.com> <1d1a54bf0805280930l38b182dcta6f5a7f844309f9f@mail.gmail.com>
Message-ID: <483D8A54.2060003@secure-endpoints.com>

David Bear wrote:
> Then we should configured KfW to NOT get credentials at logon, and set
> it to prompt for logon when the network becomes active? I think I
> found that setting in NiM under options->general (uncheck obtain new
> credentials at startup).

The NetIdMgr setting applies only to NetIdMgr; it does not have anything to do with the KFW or OpenAFS network providers that attempt to obtain credentials during Windows logon. All that setting does is ask NIM to prompt the user to obtain credentials when the NIM process starts if the "default identity" does not have any credentials.

> monitor network activity is also currently checked. I assume that is
> what needs to be checked to have NiM prompt for logon when available?

Monitor network activity will cause NIM to prompt the user for credentials if the default identity has no credentials and the IP address list of the machine has changed.

Jeffrey Altman
Secure Endpoints Inc.

From matt at slackers.net Wed May 28 16:19:01 2008
From: matt at slackers.net (Matthew Andrews)
Date: Wed, 28 May 2008 13:19:01 -0700
Subject: krb5-sync 1.2 released
In-Reply-To: <87hci6s2yt.fsf@windlord.stanford.edu>
References: <87hci6s2yt.fsf@windlord.stanford.edu>
Message-ID: <483DBE35.9050807@slackers.net>

Russ Allbery wrote:
> I'm pleased to announce release 1.2 of krb5-sync.
>

Has anyone attempted to use the patch included in this with newer MIT Kerberos releases? I'm particularly interested in 1.6.1 with RHEL5 patches, but if someone has tried this with a similar vintage krb5 I'd expect it to be helpful.

I have tried applying the patch as is, and 3 pieces of the patch immediately fail (I've yet to try and determine if the rest of the chunks that apply are actually correct.)

1) src/lib/kadm5/configure.in does not exist in 1.6.1. The patch seems to be adding checks for dlopen:

--- krb5-1.4.4/src/lib/kadm5/configure.in	2004-02-12 19:19:30.000000000 -0800
+++ krb5-1.4.4-patched/src/lib/kadm5/configure.in	2007-07-29 19:12:55.000000000 -0700
@@ -10,10 +10,12 @@
 AC_CHECK_PROG(RUNTEST,runtest,runtest)
 AC_CHECK_PROG(PERL,perl,perl)
 AC_CHECK_FUNCS(srand48 srand srandom)
+AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl)
 AC_KRB5_TCL
 if test "$PERL" = perl -a "$RUNTEST" = runtest -a "$TCL_LIBS" != ""; then
 	DO_TEST=ok
 fi
+AC_SUBST(DL_LIB)
 AC_SUBST(DO_TEST)
 dnl KRB5_BUILD_LIBOBJS

I'm not sure if these autoconf rules need to be added to some higher level configure.{in,ac} or if they are already taken care of in 1.6.1.

2) In src/lib/kadm5/srv/server_init.c, the addition of the call to init_pwupdate() just before adb_policy_init() failed. It looks like adb_policy_init is being called in a fairly different place now. Any hints on what the appropriate time to initialize this plugin is in 1.6.1?

3) Finally, the actual init_pwupdate function failed to get added to svr_principal.c, but I think that was just because the file was enough shorter than the 1.4.4 version, and that it can be added to the end of the file.

In any case, if anyone has any experience with this patch on newer krb5 releases, or can make recommendations on how to remedy the failed patch elements listed above (particularly issues 1 and 2), your help would be much appreciated.

thanks,
-Matt Andrews

> krb5-sync is a toolkit for updating passwords and account status from an
> MIT Kerberos master KDC to Active Directory and/or an AFS kaserver. It is
> implemented as a patch to kadmind and a plugin module that will push
> password changes and selected account flag changes to Active Directory or
> to a kaserver at the same time as they are made to the local KDC database.
>
> Changes from previous release:
>
> Don't call rx_Finalize after every synchronization with an AFS
> kaserver. This isn't correct and leaks threads. Only call
> rx_Finalize when shutting down the entire module.
>
> The AFS synchronization code is now only built if requested using the
> --with-afs flag to configure, allowing the package to be built at
> sites that don't use AFS.
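Review bot: the two added lines, +AC_CHECK_LIB(dl, dlopen, DL_LIB=-ldl) and +AC_SUBST(DL_LIB), only publish a substitution variable; because AC_CHECK_LIB is given an explicit action-if-found, it does not append -ldl to LIBS, so whichever Makefile.in links the kadm5 server library or kadmind has to reference $(DL_LIB) (or @DL_LIB@) itself, and that change is not in this hunk, so anyone porting it should check that the companion Makefile.in hunk applied. Since the hunk targets src/lib/kadm5/configure.in, which the poster reports no longer exists in 1.6.1, both macros need to move to the configure.{in,ac} that now generates lib/kadm5's Makefile, after first checking that tree for an existing dlopen probe so the same library is not tested twice under different variable names.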
>
> Add the purge command to krb5-sync-backend, which removes all queued
> actions last modified more than some number of days in the past.
>
> Use the new Kerberos error message APIs to retrieve error messages,
> giving more complete errors in current versions of Kerberos. This is
> also necessary in the long run for Heimdal support, although the
> package in general doesn't support Heimdal yet.
>
> You can download it from:
>
>
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>

From rra at stanford.edu Wed May 28 16:47:18 2008
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 28 May 2008 13:47:18 -0700
Subject: krb5-sync 1.2 released
In-Reply-To: <483DBE35.9050807@slackers.net> (Matthew Andrews's message of "Wed, 28 May 2008 13:19:01 -0700")
References: <87hci6s2yt.fsf@windlord.stanford.edu> <483DBE35.9050807@slackers.net>
Message-ID: <877ideyx49.fsf@windlord.stanford.edu>

Matthew Andrews writes:
> has anyone attempted to use the patch included in this with newer MIT
> kerberos releases? I'm particularly interested in 1.6.1 with RHEL5
> patches, but if someone has tried this with a similar vintage krb5 I'd
> expect it to be helpful.

I personally haven't looked at it at all. I'm not sure when I'll get a chance to do so; we're fairly happy with 1.4, and haven't yet seen a lot of reason to upgrade to 1.6 (and have seen some issues with 1.6 around changes related to referrals that make us want to carefully plan upgrades). I expect we'll upgrade to 1.6 as part of upgrading our KDCs from etch to lenny, sometime after the Debian lenny release.

The long-term goal is to add a plugin system to MIT kadmind using the new plugin support code in 1.6 and later, allowing krb5-sync to just provide a plugin and not provide a patch. I put together a proposal for this, but it has a bunch of unanswered questions and I haven't had time to work on it further.

-- 
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Wed May 28 22:24:28 2008
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 28 May 2008 19:24:28 -0700
Subject: kstart 3.13 released
Message-ID: <873ao1rgo3.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.13 of kstart.

k4start, k5start, and krenew are modified versions of kinit which add support for running as a daemon to maintain a ticket cache, running a command with credentials from a keytab and maintaining a ticket cache until that command completes, obtaining AFS tokens (via an external aklog) after obtaining tickets, and creating an AFS PAG for a command. They are primarily useful in conjunction with long-running jobs; for moving ticket handling code out of servers, cron jobs, or daemons; and to obtain tickets and AFS tokens with a single command.

Changes from previous release:

    As of this release, k4start should be considered frozen. I will still
    fix bugs where possible, but it is no longer tested before releases and
    new features added to k5start and krenew will not be added to k4start.

    If the environment variable AKLOG is set, use its value as the path to
    the aklog program to run when -t is given to k5start or krenew. If
    AKLOG is set, always run that program unless -n was given in k4start.
    This environment variable replaces the badly-named KINIT_PROG, although
    KINIT_PROG is still supported for backward compatibility.

    Remove the restriction that -o, -g, and -m may not be used with -K or a
    command. The MIT Kerberos libraries have removed the restriction about
    ticket cache ownership and this now works properly. However, each
    authentication changes the permissions, so reset the ownership and
    permissions whenever we renew the cache. Thanks, Howard Wilkinson.

    Strip a leading FILE: or WRFILE: prefix from the ticket cache name when
    changing the ownership or permissions. Based on a patch from Howard
    Wilkinson.

    Fix a portability problem with Heimdal introduced in the previous
    release (Heimdal wants krb5_cc_copy_cache, not krb5_cc_copy_creds).
    Thanks, Jason White.

    Include a dummy object in libportable to avoid build failures on
    systems that don't need any portability functions (such as Mac OS X).

You can download it from:

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From naveen.bn at globaledgesoft.com Wed May 28 19:05:35 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Wed, 28 May 2008 23:05:35 +0000
Subject: problem in sending AS_REQ with PKINIT
Message-ID: <483DE53F.9020902@globaledgesoft.com>

Hi Kevin,

Thank you for the previous reply which you had sent me.

/################ YOUR REPLY #################/

Unfortunately, I don't have the time right now to guide you. Below is an example of my test KDC's kdc.conf and client's krb5.conf.

As Russ pointed out, your realm name is _highly_ unconventional, and is highly likely to cause problems. I don't know if it has anything to do with any problems you are currently seeing. Conventionally, your realm name should be GLOBALEDGESOFT.COM (upper-case of your domain name).

Besides that, your config files look reasonable. Without seeing the contents of the /ca and /kdc directories, and the contents of the certificates within them, I can't say more. The contents of the cert and key files are expected to be in PEM format. Their names aren't important.

See http://www.mit.edu/~kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html for more info on the config options.

You *may* get more help by compiling the pkinit preauth plugin code with -DDEBUG, which will cause it to print more information to stdout.

K.C.

---- example kdc.conf ----
[kdcdefaults]
    default_realm = KWCTEST.CITI.UMICH.EDU
    kdc_ports = 750,88
    kdc_tcp_ports = 88
    v4_mode = nopreauth

[realms]
    KWCTEST.CITI.UMICH.EDU = {
        database_name = /usr/local/krb5/var/krb5kdc/KWCTEST/principal
        admin_keytab = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.keytab
        acl_file = /usr/local/krb5/var/krb5kdc/KWCTEST/kadm5.acl
        dict_file = /usr/local/krb5/var/krb5kdc/kadm5.dict
        key_stash_file = /usr/local/krb5/var/krb5kdc/KWCTEST/.k5.KWCTEST.CITI.UMICH.EDU
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:afs3
        kadmind_port = 749
        pkinit_pool = FILE:/etc/grid-security/certificates/ca-intermediates.crt
        pkinit_revoke = DIR:/etc/grid-security/certificates
        pkinit_identity=FILE:/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.crt,/usr/local/krb5/var/krb5kdc/KWCTEST/kwctest_KDC.key
        pkinit_anchors=FILE:/etc/grid-security/certificates/ca-bundle.crt
        pkinit_anchors=FILE:/etc/grid-security/certificates/doe-ca.crt
        pkinit_allow_upn = true
        pkinit_eku_checking = none
    }

---- example krb5.conf ----
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = KWCTEST.CITI.UMICH.EDU
    dns_lookup_realm = true
    dns_lookup_kdc = true
    noaddresses = true
    no-addresses = true
    forwardable = true
    pkinit_anchors = DIR:/etc/grid-security/certificates
    KWCTEST.CITI.UMICH.EDU = {
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = true
        pkinit_require_hostname_match = true
    }

[realms]
    KWCTEST.CITI.UMICH.EDU = {
        kdc = rock.citi.umich.edu
        admin_server = rock.citi.umich.edu
    }

[domain_realm]
    rock.citi.umich.edu = KWCTEST.CITI.UMICH.EDU
    roll.citi.umich.edu = KWCTEST.CITI.UMICH.EDU

/#################### End of Reply ###############/

It will really be helpful if I can get steps/links on generating certificates for CA, KDC and client. I am not very confident with the way I am generating the certificates and placing them in their profiles. The method I have used to generate certificates is as follows:

/************ CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

At the end of this I have ca.crt and ca.key, which is self signed.
/************* END of CA crt **************/

/************* Client certificate *********/
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -signkey ca.key -extensions client_cert -out client.crt

At the end of this I have client.crt and client.key, which is signed by the ca.key.
/************* END of client crt ***********/

/************* KDC certificate *************/
openssl genrsa -out kdc.key 2048
openssl req -new -key kdc.key -out kdc.csr
openssl x509 -req -days 365 -in kdc.csr -signkey ca.key -extensions kdc_cert -out kdc.crt
/************* END of KDC crt **************/

The content of /ca is ca.crt and ca.key, /kdc is kdc.crt and kdc.key, /client is client.crt and client.key, which you had asked about in the previous reply.

Looking forward to your reply regarding generating certificates. Can I get the steps which you have used to generate the mentioned certificates in the provided example files kdc.conf and krb5.conf (previous reply)? Can I also know what the certificates in DIR:/etc/grid-security/certificates are? It would be helpful to know the way the kinit program selects the certificates, or the criteria to be met to select the certificates to send in AS_REQ.

Meanwhile I will compile the KDC with -DDEBUG and try to find a solution.

Thank you for your precious time and support...

with regards
naveen

From naveen.bn at globaledgesoft.com Thu May 29 05:53:45 2008
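The certificate steps in the message above do not produce what PKINIT needs: openssl x509 -signkey always emits a self-signed certificate (issuing from a CA takes -CA/-CAkey), and -extensions without -extfile adds no extensions, so the client certificate ends up with neither the RFC 4556 id-pkinit-san otherName carrying the principal name nor the PKINIT extended key usage, and the KDC certificate lacks the krbtgt/REALM otherName that the pkinit_require_krbtgt_otherName setting in the quoted example krb5.conf checks. Below is an added, complete procedure written for this reply; it is not code from the thread or from MIT krb5, although the extension sections follow the layout of the MIT PKINIT documentation. OpenSSL is assumed to be installed; the realm, principal, host name and output directory are placeholders chosen here.

```sh
#!/bin/sh
# Added example: mint a test CA, a KDC certificate and a client certificate
# carrying the PKINIT extensions of RFC 4556. Placeholders: REALM, CLIENT,
# the KDC host name and the output directory. Requires the openssl CLI.
set -eu

# Write the x509v3 extension sections. The id-pkinit-san otherName
# (1.3.6.1.5.2.2) wraps a KRB5PrincipalName: [0] realm, [1] PrincipalName,
# where PrincipalName is [0] name-type (1 = NT-PRINCIPAL), [1] name-string.
write_pkinit_extfile() {
    realm=$1; client=$2; out=$3
    cat >"$out" <<EOF
[kdc_cert]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:$realm
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:$realm

[client_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

[princ_name]
realm = EXP:0, GeneralString:$realm
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:$client
EOF
}

# make_pkinit_certs DIR REALM CLIENT: writes ca.{crt,key}, kdc.{crt,key} and
# client.{crt,key} into DIR; returns 0 only if both leaf certs chain to the CA.
make_pkinit_certs() {
    dir=$1; realm=$2; client=$3
    mkdir -p "$dir"
    write_pkinit_extfile "$realm" "$client" "$dir/pkinit.cnf"

    # Self-signed CA: this file is the pkinit_anchors on both KDC and client.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=PKINIT test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # KDC certificate issued by the CA (-CA/-CAkey, not -signkey), with the
    # id-pkinit-KPKdc EKU and the krbtgt/REALM otherName SAN from kdc_cert.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kdc.example.test" \
        -keyout "$dir/kdc.key" -out "$dir/kdc.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/kdc.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/pkinit.cnf" -extensions kdc_cert \
        -out "$dir/kdc.crt" 2>/dev/null

    # Client certificate with the id-pkinit-KPClientAuth EKU and the user's
    # principal in the otherName SAN, which is what the KDC matches the
    # requested client name against.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/pkinit.cnf" -extensions client_cert \
        -out "$dir/client.crt" 2>/dev/null

    openssl verify -CAfile "$dir/ca.crt" "$dir/kdc.crt" "$dir/client.crt" >/dev/null
}

# cert_has FILE REGEX: succeeds if the textual dump of the certificate
# matches REGEX (case-insensitive); used to confirm the SAN and EKU landed.
cert_has() {
    openssl x509 -in "$1" -noout -text | grep -Eqi "$2"
}
```

Point pkinit_anchors at ca.crt, pkinit_identity on the KDC at kdc.crt,kdc.key, and X509_user_identity on the client at client.crt,client.key; `openssl x509 -in client.crt -noout -text` should then show an "othername" entry under Subject Alternative Name and the EKU 1.3.6.1.5.2.3.4 (OpenSSL builds that know the OID print it as "PKINIT Client Auth"). If the KDC still reports a client name mismatch, the realm or principal string in the SAN differs from the name given to kinit, so compare the two character by character, including case.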
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Thu, 29 May 2008 09:53:45 +0000
Subject: preauth failed KRB5KDC_ERR_CLIENT_NAME_MISMATCH
Message-ID: <483E7D29.4030907@globaledgesoft.com>

Hi Kevin,

Thank you. I took the help of the example file that you had sent me and generated the certificates in PEM format. Now the AS_REQ is sent with the patype field with PA-DAS (16), and I am getting the error KRB5KDC_ERR_CLIENT_NAME_MISMATCH.

This is what I am doing, and my config files are shown.

    kinit -X X509_user_identity=FILE:/client/other/naveen.pem,/client/other/naveen.key naveen

    kinit(v5): Client name mismatch while getting initial credentials

/************** krb5.conf ************/
[libdefaults]
    krb4_config = /usr/kerberos/lib/krb.conf
    krb4_realms = /usr/kerberos/lib/krb.realms
    default_realm = globaledgesoft.com

[realms]
    globaledgesoft.com = {
        kdc = 172.16.8.141
        admin_server = 172.16.8.141
        pkinit_anchors = DIR:/ca/other
        pkinit_require_eku = true
        pkinit_require_krbtgt_otherName = false
        pkinit_require_hostname_match = flase
    }

[domain_realm]
    .globaledgesoft.com = globaledgesoft.com
    globaledgesoft.com = globaledgesoft.com

[logging]
    kdc = FILE:/var/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
/********* end of krb5.conf ***************/

/********** kdc.conf ****************/
[kdcdefaults]
    default_realm = globaledgesoft.com
    kdc_ports = 750,88

[realms]
    globaledgesoft.com = {
        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        pkinit_anchors = DIR:/ca/other
        pkinit_identity = FILE:/kdc/other/server.pem,/kdc/other/server.key
        # pkinit_allow_upn = true
        # pkinit_eku_checking = none
        pkinit_revoke = DIR:/ca/other
    }
/********* end of kdc.conf ***************/

Thank you
with regards
naveen

From kwc at umich.edu Thu May 29 09:04:39 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Thu, 29 May 2008 09:04:39 -0400
Subject: preauth failed KRB5KDC_ERR_CLIENT_NAME_MISMATCH
In-Reply-To: <483E7D29.4030907@globaledgesoft.com>
References: <483E7D29.4030907@globaledgesoft.com>
Message-ID: <4d569c330805290604u1d91f599y612d3fae93c9a26c@mail.gmail.com>

This means that you are either missing a Subject Alternative Name (SAN) in your client's certificate, or it doesn't match the principal name you are trying to authenticate.

By default, the KDC requires that the client certificate has the id-pkinit-san as defined in rfc4556. If you specify "pkinit_allow_upn = true" in the KDC's config, it will also accept a Microsoft UPN SAN. There is no KDC configuration option to completely turn off the requirement for a SAN.

K.C.

On Thu, May 29, 2008 at 5:53 AM, naveen.bn wrote:
>
> Hi kevin,
>
> Thank you, I took the help of the example file that you had sent me and
> generated the certificates in pem
> formate . Now the AS_REQ is sent with the patype field with PA-DAS (16), I
> am getting the error KRB5KDC_ERR_CLIENT_NAME_MISMATCH
>
> this is what i am doing and my config files are shown.
>
> kinit -X
> X509_user_identity=FILE:/client/other/naveen.pem,/client/other/naveen.key
> naveen
>
> kinit(v5): Client name mismatch while getting initial credentials
>
> /************** krb5 .conf ************/
> [libdefaults]
>     krb4_config = /usr/kerberos/lib/krb.conf
>     krb4_realms = /usr/kerberos/lib/krb.realms
>     default_realm = globaledgesoft.com
> [realms]
>     globaledgesoft.com = {
>         kdc = 172.16.8.141
>         admin_server = 172.16.8.141
>         pkinit_anchors = DIR:/ca/other
>         pkinit_require_eku = true
>         pkinit_require_krbtgt_otherName = false
>         pkinit_require_hostname_match = flase
>     }
> [domain_realm]
>     .globaledgesoft.com = globaledgesoft.com
>     globaledgesoft.com = globaledgesoft.com
> [logging]
>     kdc=FILE:/var/krb5kdc.log
>     admin_server = FILE:/var/log/kadmin.log
>     default = FILE:/var/log/krb5lib.log
> /********* end of krb5.conf ***************/
>
> /********** kdc.conf ****************/
> [kdcdefaults]
>     default_realm = globaledgesoft.com
>     kdc_ports = 750,88
> [realms]
>     globaledgesoft.com = {
>         database_name = /usr/local/var/krb5kdc/principal
>         admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>         acl_file = /usr/local/var/krb5kdc/kadm5.acl
>         key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         pkinit_anchors = DIR:/ca/other
>         pkinit_identity = FILE:/kdc/other/server.pem,/kdc/other/server.key
>         # pkinit_allow_upn = true
>         # pkinit_eku_checking = none
>         pkinit_revoke = DIR:/ca/other
>     }
> /********* end of kdc.conf ***************/
>
> Thank you
> with regards
> naveen
>
>
> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
> for the use of the addressee(s). If you are not the intended recipient,
> please notify the sender by e-mail and delete the original message. Global
> Edge Software Ltd has taken every reasonable precaution to minimize this
> risk, but is not liable for any damage you may sustain as a result of any
> virus in this e-mail. You should carry out your own virus checks before
> opening the e-mail or attachment. Global Edge Software Ltd reserves the
> right to monitor and review the content of all messages sent to or from this
> e-mail address
>

From david at MIT.EDU Thu May 29 01:02:31 2008
From: david at MIT.EDU (David André Broniatowski)
Date: Thu, 29 May 2008 01:02:31 -0400
Subject: Cannot contact any KDC
Message-ID:

Hi,

I just installed the Network Identity Manager on my Windows XP machine, and I keep getting a message that says "Krb5: Cannot contact any KDC for requested realm". Can you please help?

Thanks,
David

From radaczynski at gmail.com Thu May 29 02:30:09 2008
From: radaczynski at gmail.com (radaczynski@gmail.com)
Date: Wed, 28 May 2008 23:30:09 -0700 (PDT)
Subject: Problems with authenticating to a Win domain controller
References: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>
Message-ID:

On May 28, 5:47 pm, "Douglas E. Engert" wrote:
> radaczyn... at gmail.com wrote:
> > Hi,
> >
> > I've recently encountered a strange error when trying to get a ticket
> > from a W2k domain controller. My setup is like this:
> >
> > 1. krb5.conf:
> > [libdefaults]
> >     default_realm = DOMAIN1.COM
> >     forwardable = true
> >     proxiable = true
> >     dns_lookup_realm = false
> >     dsn_lookup_kdc = false
> >     v4_instance_resolve = false
> >     v4_name_convert = {
> >         host = {
> >             rcmd = host
> >             ftp = ftp
> >         }
> >         plain = {
> >             something = something-else
> >         }
> >     }
> >
> > [realms]
> >     DOMAIN1.COM = {
> >         kdc = aaa.domain1.com:88
> >     }
> >
> > [domain_realm]
> >     .domain1.com = DOMAIN1.COM
> >     domain1.com = DOMAIN1.COM
> >     .domain2.com = DOMAIN2.COM
> >     domain2.com = DOMAIN2.COM
> >
> > [appdefaults]
> >     pam = {
> >         debug=false
> >         forwardable=true
> >         krb4_convert=false
> >     }
> >
> > DOMAIN2 is a trusted domain of DOMAIN1
> >
> > now, when i do this:
> > kinit myu... at DOMAIN2.COM
> > Password for myu... at DOMAIN2.COM:
> >
> > and i get a TGT: renew until 05/29/08 08:55:12, Etype (skey, tkt):
> > ArcFour with HMAC/md5, ArcFour with HMAC/md5, the principal is: krbtgt/
> > DOMAIN2.... at DOMAIN2.COM
> >
> > then I try:
> > kvno HTTP/test.domain1.... at DOMAIN1.COM
> > and get:
> > Server not found in Kerberos database while getting credentials
>
> This might be some cross realm issue. To get a ticket from
> DOMAIN1.COM requires you to first get a krbtgt/DOMAIN1.... at DOMAIN2.COM
> from DOMAIN2.COM.

Can you please tell me how to do it with command line utilities from MIT Kerberos?

> You set the dns_lookup_kdc = false, and did not define DOMAIN1.COM in
> [realms] so you client can not find the KDCs for DOMAIN1.COM.

Actually, I did. I did not define DOMAIN2.COM, for which I do obtain TGTs.

> It might be an issue that the cross realm trust is not set up as you
> think it is.

Doesn't the above prove that the cross realm trust is set up?

> To verify all if these for sure, use a trace program like Wireshark,
> that can format the Kerberos packets.

I will do that and report back the results. Any hints for running it?

> > when I try:
> > kvno HTTP/test.domain1.... at DOMAIN2.COM
> > I get:
> > KDC reply did not match expectations while getting credentials
>
> W2K may have returned a referral saying look in DOMAIN1.COM.
> But the Kerberos lib does not handle today.

That's probably it -> I should look in DOMAIN1.COM, since the service principal is in DOMAIN1.COM.

Thanks for the reply and any further hints anyone could give me.

From gaurav.v.bagga at gmail.com Thu May 29 09:37:46 2008
From: gaurav.v.bagga at gmail.com (gaurav bagga)
Date: Thu, 29 May 2008 19:07:46 +0530
Subject: Kerberos Ldap Integration
In-Reply-To: <87iqwychhc.fsf@pumba.bayour.com>
References: <6052ead90805260840x17a09f5cr88243b8abfa6feac@mail.gmail.com> <87iqwychhc.fsf@pumba.bayour.com>
Message-ID: <6052ead90805290637l4614e2f4wdb4098997c855b27@mail.gmail.com>

Hi Turbo,

Thanks for the link... I am able to link ldap and kerberos, I can add principals from kadmin and they get added in ldap.

But one problem still remains. I want to mix in Kerberos principal attributes to a directory entry of the people objectclass which has userPassword. I want this password to be used by the kdc. Is such a thing possible?

I went through the schema and found that 'krbUPEnabled' helps in achieving this but how can one set this attribute. I am fairly new to this kerberos and ldap stuff so excuse me if I ask something that's silly.

If someone has to automate the process of adding principals what are the possible solutions? Using scripts? Is that a good way?

Thanks and Regards,
Gaurav

On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson wrote:
> >>>>> "gaurav" == gaurav bagga writes:
>
> gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not
> gaurav> happy with what I have achieved till now. I'll really
> gaurav> appreciate if any one can help/guide by giving pointers
> gaurav> towards *good articles* which give information regarding
> gaurav> the steps to be performed in doing the same.
>
> Have a look at http://bayour.com/LDAPv3-HOWTO.html
>

From deengert at anl.gov Thu May 29 10:17:18 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 29 May 2008 09:17:18 -0500
Subject: Problems with authenticating to a Win domain controller
In-Reply-To:
References: <39b71f23-4227-4c63-b500-1801705cad9c@k37g2000hsf.googlegroups.com>
Message-ID: <483EBAEE.6060701@anl.gov>

radaczynski at gmail.com wrote:
> On May 28, 5:47 pm, "Douglas E. Engert" wrote:
>> radaczyn... at gmail.com wrote:
>>> Hi,
>>> I've recently encountered a strange error when trying to get a ticket
>>> from a W2k domain controller. My setup is like this:
>>> 1. krb5.conf:
>>> [libdefaults]
>>> default_realm = DOMAIN1.COM
>>> forwardable = true
>>> proxiable = true
>>> dns_lookup_realm = false
>>> dsn_lookup_kdc = false
>>> v4_instance_resolve = false
>>> v4_name_convert = {
>>> host = {
>>> rcmd = host
>>> ftp = ftp
>>> }
>>> plain = {
>>> something = something-else
>>> }
>>> }
>>> [realms]
>>> DOMAIN1.COM = {
>>> kdc = aaa.domain1.com:88
>>> }
>>> [domain_realm]
>>> .domain1.com = DOMAIN1.COM
>>> domain1.com = DOMAIN1.COM
>>> .domain2.com = DOMAIN2.COM
>>> domain2.com = DOMAIN2.COM
>>> [appdefaults]
>>> pam = {
>>> debug=false
>>> forwardable=true
>>> krb4_convert=false
>>> }
>>> DOMAIN2 is a trusted domain of DOMAIN1
>>> now, when i do this:
>>> kinit myu... at DOMAIN2.COM
>>> Password for myu... at DOMAIN2.COM:
>>> and i get a TGT: renew until 05/29/08 08:55:12, Etype (skey, tkt):
>>> ArcFour with HMAC/md5, ArcFour with HMAC/md5, the principal is: krbtgt/
>>> DOMAIN2.... at DOMAIN2.COM
>>> then I try:
>>> kvno HTTP/test.domain1.... at DOMAIN1.COM
>>> and get:
>>> Server not found in Kerberos database while getting credentials
>> This might be some cross realm issue. To get a ticket from
>> DOMAIN1.COM requires you to first get a krbtgt/DOMAIN1.... at DOMAIN2.COM
>> from DOMAIN2.COM.
>
> Can you please tell me how to do it with command line utilities from
> MIT kerberos?

The Kerberos Libraries do this for you.

>
>> You set the dns_lookup_kdc = false, and did not define DOMAIN1.COM in
>> [realms] so your client can not find the KDCs for DOMAIN1.COM.
>
> actually, I did - I did not define DOMAIN2.COM, for which I do obtain
> tgt's.
>
>> It might be an issue that the cross realm trust is not set up as you
>> think it is.
>
> doesn't the above prove that the cross realm trust is set up?

No. Getting a krbtgt/DOMAIN1.COM at DOMAIN2.COM and using it to get another ticket at DOMAIN1.COM would prove it.

>
>> To verify all of these for sure, use a trace program like Wireshark,
>> that can format the Kerberos packets.
>
> I will do that and report back the results. Any hints for running it?

It has a GUI. Run as root on your client (windows or unix) and capture all traffic on your interface. Look for the KRB5 packets.

>
>>> when I try:
>>> kvno HTTP/test.domain1.... at DOMAIN2.COM
>>> I get:
>>> KDC reply did not match expectations while getting credentials
>> W2K may have returned a referral saying look in DOMAIN1.COM.
>> But the Kerberos lib does not handle that today.
>
> That's probably it -> I should look in DOMAIN1.COM, since the service
> principal is in DOMAIN1.COM.

You should also look in AD for the servicePrincipalName for HTTP/test.domain1.com. You can use mmc.exe and the ADSI Edit snap-in on a Windows client, or some other LDAP browser.

> Thanks for the reply and any further hints anyone could give me.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From huangz at us.ibm.com Thu May 29 12:35:19 2008
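Engert's test above (a krbtgt/DOMAIN1.COM@DOMAIN2.COM in the cache, then a ticket issued by DOMAIN1.COM) can be checked mechanically against `klist` output. The script below is an added example, not from the thread or from MIT Kerberos; the two listings it parses are constructed, modelled on the poster's DOMAIN1/DOMAIN2 setup with a made-up user name and cache path, and it walks the krbtgt tickets from the client's realm to the service's realm the way a KDC referral chain would.

```python
"""Check a klist listing for proof of a cross-realm trust path.

Added example (not from the thread).  A ticket krbtgt/X@R in the cache is
evidence that realm R handed us a TGT usable at realm X; a chain of such
tickets from the client's realm to the service's realm, plus a ticket for
the service itself, is what proves the trust works end to end.
"""
import re
from collections import deque

# Constructed listing: what a working trust looks like for the thread's realms.
KLIST_WITH_TRUST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@DOMAIN2.COM

Valid starting     Expires            Service principal
05/28/08 20:55:12  05/29/08 06:55:12  krbtgt/DOMAIN2.COM@DOMAIN2.COM
        renew until 05/29/08 08:55:12
05/28/08 20:56:01  05/29/08 06:55:12  krbtgt/DOMAIN1.COM@DOMAIN2.COM
05/28/08 20:56:02  05/29/08 06:55:12  HTTP/test.domain1.com@DOMAIN1.COM
"""

# Constructed listing: the poster's state, only the initial TGT.
KLIST_WITHOUT_TRUST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@DOMAIN2.COM

Valid starting     Expires            Service principal
05/28/08 20:55:12  05/29/08 06:55:12  krbtgt/DOMAIN2.COM@DOMAIN2.COM
        renew until 05/29/08 08:55:12
"""

# A ticket line is two date/time pairs followed by the service principal;
# the "renew until" continuation lines and the column header do not match.
TICKET_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)$")


def parse_klist(text):
    """Return (default principal, [service principals]) from klist output."""
    default, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        else:
            m = TICKET_LINE.match(line)
            if m:
                tickets.append(m.group(1))
    return default, tickets


def split_principal(principal):
    """'krbtgt/DOMAIN1.COM@DOMAIN2.COM' -> ('krbtgt', 'DOMAIN1.COM', 'DOMAIN2.COM')."""
    name, realm = principal.rsplit("@", 1)
    service, _, instance = name.partition("/")
    return service, instance, realm


def tgt_path(tickets, client_realm, target_realm):
    """Breadth-first search over krbtgt tickets; returns the realm hops or None."""
    edges = {}
    for t in tickets:
        service, instance, realm = split_principal(t)
        if service == "krbtgt":
            edges.setdefault(realm, set()).add(instance)  # edge realm -> instance
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == target_realm:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def check_cross_realm(klist_text, service_principal):
    """Apply Engert's test: a krbtgt chain to the service's realm AND a
    ticket for the service issued by that realm."""
    default, tickets = parse_klist(klist_text)
    if default is None:
        raise ValueError("no 'Default principal:' line in klist output")
    client_realm = default.rsplit("@", 1)[1]
    target_realm = split_principal(service_principal)[2]
    path = tgt_path(tickets, client_realm, target_realm)
    have_service = service_principal in tickets
    return {
        "client_realm": client_realm,
        "target_realm": target_realm,
        "tgt_path": path,
        "service_ticket": have_service,
        "trust_proven": path is not None and have_service,
    }


if __name__ == "__main__":
    svc = "HTTP/test.domain1.com@DOMAIN1.COM"
    print("working trust:", check_cross_realm(KLIST_WITH_TRUST, svc))
    print("poster's cache:", check_cross_realm(KLIST_WITHOUT_TRUST, svc))
```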
From: huangz at us.ibm.com (Zhiguo Huang)
Date: Thu, 29 May 2008 09:35:19 -0700
Subject: Help on using AD as KDC
Message-ID:

Hi All,

Could any person who has experience on using Active Directory as KDC give any pointer and helpful instruction?

Thanks!
Jeff.

From cclausen at acm.org Thu May 29 15:03:51 2008
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 29 May 2008 14:03:51 -0500
Subject: Help on using AD as KDC
References:
Message-ID: <7CB07AC1F873489282C56C36AB5BC6E3@CDCHOME>

Zhiguo Huang wrote:
> Could any person who has experience on using Active Directory as KDC
> give any pointer and helpful instruction?

Regarding what? You just use it as a KDC and it works.

References:
Message-ID: <483F028B.9010705@anl.gov>

Zhiguo Huang wrote:
> Hi All,
>
> Could any person who has experience on using Active Directory as KDC give
> any pointer and helpful instruction?

Start with the original Step-by-Step Guide:
http://technet.microsoft.com/en-us/library/bb742433.aspx

Then Google: site:microsoft.com kerberos
There are some 77,500 references.

> Thanks!
> Jeff.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From naveen.bn at globaledgesoft.com Fri May 30 08:50:32 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Fri, 30 May 2008 18:20:32 +0530
Subject: error invalid certificate
Message-ID: <483FF818.7050007@globaledgesoft.com>

Hi Kevin,

I am getting this invalid certificate and in the krb5kdc log file i am getting certificate signature failure, but why?
And also i am not able to see the contents of the certificates in the ethereal capture or the contents of the PA-DAS. Why is the request going with the PA-DAS and why not PA-PK-AS-REQ?

This is the message displayed after doing kinit and the contents of the certificates are displayed below.

kinit -X X509_user_identity=FILE:/client/naveen.pem,/client/naveen.key naveen
kinit(v5): Invalid certificate while getting initial credentials

This is the contents of my certificates

/**************** CA certificate ca.pem *************************/
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c0:cd:bd:5b:35:16:57:06
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=in, O=globaledgesoft, OU=test, CN=ca
        Validity
            Not Before: May 30 10:54:58 2008 GMT
            Not After : May 30 10:54:58 2009 GMT
        Subject: C=in, O=globaledgesoft, OU=test, CN=ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
/************************ END of CA ****************************/

/********************** CLIENT cert naveen.pem **************************/
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=in, O=globaledgesoft, OU=text, CN=ca
        Validity
            Not Before: May 30 11:00:19 2008 GMT
            Not After : May 30 11:00:19 2009 GMT
        Subject: C=in, O=globaledgesoft, OU=test, CN=naveen
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
/******************* end of client certificate **************/

/****************** start of kdc.pem ********************/
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=in, O=globaledgesoft, OU=test, CN=ca
        Validity
            Not Before: May 30 11:03:05 2008 GMT
            Not After : May 30 11:03:05 2009 GMT
        Subject: C=in, O=globaledgesoft, OU=test, CN=kdc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

Kindly Guide me to get the AS_REP with KDC certificates.

From kwc at umich.edu Fri May 30 09:53:37 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Fri, 30 May 2008 09:53:37 -0400
Subject: error invalid certificate
In-Reply-To: <483FF818.7050007@globaledgesoft.com>
References: <483FF818.7050007@globaledgesoft.com>
Message-ID: <4d569c330805300653s73735fe9qfbedc8a79a1c3a3a@mail.gmail.com>

I see no v3 extensions in either your KDC or user certificates. You'll need to fix both.

Here is what my (expired) client cert looks like. (Notice the "X509v3 extensions"):

        Version: 3 (0x2)
        Serial Number: 68454 (0x10b66)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Michigan, L=Ann Arbor, O=University of Michigan, CN=CITI Production KCA
        Validity
            Not Before: May 18 21:39:00 2007 GMT
            Not After : May 17 21:39:00 2008 GMT
        Subject: C=US, ST=Michigan, L=Ann Arbor, O=University of Michigan, OU=CITI Production KCA, CN=Kevin Coffman
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin, 1.3.6.1.5.2.3.4
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 CRL Distribution Points:
                URI:http://www.citi.umich.edu/projects/pkinit/citi_production_crls.crl
            X509v3 Subject Key Identifier:
                71:5A:29:55:F8:F9:3A:93:A7:E6:78:92:BD:E6:5B:06:02:B7:58:B4
            X509v3 Authority Key Identifier:
                keyid:65:CC:2C:0A:2E:D3:58:2F:C7:17:09:73:E4:EF:6A:DF:D3:40:7C:30
                DirName:/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/CN=CITI Production KCA
                serial:34:EB
            X509v3 Subject Alternative Name:
                othername:, othername:
            X509v3 Issuer Alternative Name:
    Signature Algorithm: sha1WithRSAEncryption

On Fri, May 30, 2008 at 8:50 AM, naveen.bn wrote:
> Hi Kevin,
>
> I am getting this invlid certificate and in the krb5kdc log file i am
> getting certificate
> signature failure,but why
> And also i am not able to see the contents of the certificates in the
> ethereal capture or the contents of the PA-DAS .why is the request
> going with the PA-DAS and why not PA-PK-AS-REQ.
> This is the message display after doing kinit and the contents of the
> certificates are displayed bellow.
>
> kinit -X X509_user_identity=FILE:/client/naveen.pem,/client/naveen.key naveen
> kinit(v5): Invalid certificate while getting initial credentials
>
> This is the contents of my certificates
> [...]
>
> Kindly Guide me to get the AS_REP with KDC certificates.

From dakoner at gmail.com Fri May 30 13:10:57 2008
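Kevin's diagnosis of naveen's certificates (no X509v3 extensions, because they are version 1) can be turned into a check that runs over the `openssl x509 -noout -text` dump of any certificate before it is handed to the KDC or to kinit. The script below is an added example, not from the thread, from MIT Kerberos or from OpenSSL; the two dumps in it are constructed (made-up names and serials) to mirror the two shapes seen in this thread, and the PKINIT object identifiers are those of RFC 4556, with the Microsoft smart card logon OID as a second accepted client EKU as in MIT's default pkinit_eku_checking setting.

```python
"""Lint the textual dump of an X.509 certificate for PKINIT use.

Added example (not from the thread or from MIT Kerberos).  It reads the
output of `openssl x509 -in cert.pem -noout -text` and reports the
structural problems Kevin points at: a version 1 certificate cannot carry
X509v3 extensions, and MIT's pkinit plugin (with its default settings)
expects the PKINIT extended key usage values from RFC 4556.
"""
import re

PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"        # id-pkinit-KPClientAuth (RFC 4556)
PKINIT_KDC = "1.3.6.1.5.2.3.5"                # id-pkinit-KPKdc (RFC 4556)
MS_SMARTCARD_LOGON = ("1.3.6.1.4.1.311.20.2.2", "Microsoft Smartcardlogin")

# Constructed dump shaped like the thread's version 1 client certificate.
V1_CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=in, O=example, OU=test, CN=ca
        Subject: C=in, O=example, OU=test, CN=naveen
    Signature Algorithm: sha1WithRSAEncryption
"""

# Constructed dump shaped like Kevin's version 3 client certificate.
V3_CLIENT_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 68454 (0x10b66)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example University, CN=Example KCA
        Subject: C=US, O=Example University, CN=Example User
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcardlogin, 1.3.6.1.5.2.3.4
            X509v3 Subject Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha1WithRSAEncryption
"""


def parse_cert_text(text):
    """Return (version, {extension name: [value lines]}) from openssl -text output."""
    version, extensions = None, {}
    in_ext, name_indent, current = False, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw) - len(raw.lstrip())
        m = re.match(r"Version:\s*(\d+)", stripped)
        if m and version is None:
            version = int(m.group(1))
        elif stripped == "X509v3 extensions:":
            in_ext = True
        elif in_ext:
            if name_indent is None:
                name_indent = indent           # indent of the first extension name
            if indent < name_indent:
                break                          # back out at the Signature Algorithm line
            if indent == name_indent:          # an extension name, maybe marked critical
                current = re.sub(r":\s*critical$", "", stripped).rstrip(":")
                extensions[current] = []
            elif current is not None:
                extensions[current].append(stripped)
    return version, extensions


def lint_pkinit_cert(text, role):
    """Findings for a certificate intended as a PKINIT 'client' or 'kdc' cert.

    An empty list means the dump shows nothing that would be rejected on
    structure alone; it says nothing about the signature or the CA chain.
    """
    if role not in ("client", "kdc"):
        raise ValueError("role must be 'client' or 'kdc'")
    version, ext = parse_cert_text(text)
    findings = []
    if version != 3:
        findings.append(f"version {version} certificate: cannot carry X509v3 extensions")
    if not ext:
        findings.append("no X509v3 extensions at all")
        return findings
    if "Digital Signature" not in " ".join(ext.get("X509v3 Key Usage", [])):
        findings.append("Key Usage lacks Digital Signature")
    eku = " ".join(ext.get("X509v3 Extended Key Usage", []))
    if role == "client":
        # MIT's default pkinit_eku_checking accepts either of these.
        if PKINIT_CLIENT_AUTH not in eku and not any(t in eku for t in MS_SMARTCARD_LOGON):
            findings.append("EKU lacks id-pkinit-KPClientAuth and Microsoft smart card logon")
    else:
        if PKINIT_KDC not in eku:
            findings.append("EKU lacks id-pkinit-KPKdc")
        if "X509v3 Subject Alternative Name" not in ext:   # holds the KDC principal name
            findings.append("no Subject Alternative Name to carry the KDC principal")
    return findings


if __name__ == "__main__":
    for label, dump in (("v1 client", V1_CERT_TEXT), ("v3 client", V3_CLIENT_CERT_TEXT)):
        print(label, lint_pkinit_cert(dump, "client") or "ok")
```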
From: dakoner at gmail.com (David Konerding)
Date: Fri, 30 May 2008 10:10:57 -0700
Subject: Kerberos through a load balancer
Message-ID: <4f0f0cb0805301010w7491dd82sa0eff1db86d32b0d@mail.gmail.com>

Hi folks,

We have a bunch of hosts that allow password-free ssh logins using kerberos. These also run web servers, which use mod_auth_kerb.

We also have a BigIP load balancer that has a name; when people ssh or web access that name, they get round-robin distributed across the cluster. The LB supports Layer 3 and Layer 5 transparent proxying to the back end.

We have noticed that if people log into nodes with their real hostname, or web access a url using the real hostname of the server, everything works as expected. However, attempting to ssh into the load balancer address typically gives:

debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Miscellaneous failure
Unknown code

debug1: Trying to start again

And when users try to access the web server through the load balancer: Authentication never succeeds and the following mod_auth_kerb error is logged:

failed to verify krb5 credentials: Server not found in Kerberos database

Logging into the machine through the ssh load balancer shows the IP address of the loadbalancer, not the IP address of the source ssh machine.

We did some attempts at putting server keys with the hostname of the load balancer into the srvtab on each of the servers, but never had any luck.

Any ideas? I did some low-level tcpdumping and tracing various parts of the Kerberos code, and came up with some bizarre results for why we are getting failures.

From deengert at anl.gov Fri May 30 16:42:02 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 30 May 2008 15:42:02 -0500
Subject: Kerberos through a load balancer
In-Reply-To: <4f0f0cb0805301010w7491dd82sa0eff1db86d32b0d@mail.gmail.com>
References: <4f0f0cb0805301010w7491dd82sa0eff1db86d32b0d@mail.gmail.com>
Message-ID: <4840669A.6030202@anl.gov>

David Konerding wrote:
> Hi folks,
>
> We have a bunch of hosts that allow password-free ssh logins using kerberos.
> These also run web servers, which use mod_auth_kerb.
>
> We also have a BigIP load balancer that has a name; when people ssh or web
> access that name, they get round-robin distributed across the cluster.
> The LB supports Layer 3 and Layer 5 transparent proxying to the back end.
>
> We have noticed that if people log into nodes with their real hostname,
> or web access a url using the real hostname of the server, everything
> works as expected.
> However, attempting to ssh into the load balancer address typically gives:
>
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Miscellaneous failure
> Unknown code
>
> debug1: Trying to start again
>

ssh calls gss_acquire_cred with a service name derived from the host name. You really want to load balance the ssh sessions?

>
> And when users try to access the web server through the load balancer:
>
> Authentication never succeeds and the following mod_auth_kerb error is logged:
> failed to verify krb5 credentials: Server not found in Kerberos database
>

mod_auth_kerb uses the service principal name derived from ap_get_server_name unless you set the KrbServiceName with a full principal like HTTP/fqdn at realm.

So the best I can tell for both ssh and mod_auth_kerb you are limited to one service principal. (I used to have a mode for the gssapi code to be less restrictive about the checks, allowing a match for any entry in the keytab that matched the service and realm.) Don't know if some newer versions of Kerberos have added anything like this.

>
> Logging into the machine through the ssh load balancer shows the IP
> address of the loadbalancer,
> not the IP address of the source ssh machine.
>
> We did some attempts at putting server keys with the hostname of the
> load balancer into the
> srvtab on each of the servers, but never had any luck.

srvtab is an old term. Do you mean the /etc/krb5.keytab? Or do you mean the mod_auth_kerb parameter Krb5Keytab?

What version of SSH? What version of Kerberos? What OS? Some vendors might have a mod like I described above. What do the mod_auth_kerb parameters look like?

>
> Any ideas? I did some low-level tcpdumping and tracing various parts
> of the Kerberos code, and came up with
> some bizarre results for why we are getting failures.

And what are the results?

> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From eswars at huawei.com Fri May 30 03:39:10 2008
From: eswars at huawei.com (Eswar S)
Date: Fri, 30 May 2008 13:09:10 +0530
Subject: LogonUserID in Chinese Authentication failed at KDC (Integrity check Failed. errorcode :31)
Message-ID: <000001c8c228$403f74c0$3e19120a@china.huawei.com>

Hi,

I have one issue authenticating a Chinese user with KDC. I am using KFW libraries (1.6.2). I have converted the USER name to UTF-8 so then KDC is able to recognize the User at openLDAP. But Key Generation is getting failed (TIMESTAMP pre-authentication and DES encryption (3) is used at Client).

Please provide me some inputs, how can I make it authenticate using a Chinese User ID?

But with the same user a java client is able to get a TGT. (I am suspecting Key generation is some problem in C++ for Time stamp pre-authentication.) I observed the key generated at KDC side and the Key (as_key) at MIT client side are different.

I have tried using Network Identity Manager but it is also returning client not found in Kerberos Database.

Regards,
Eswar S

From ioplex at gmail.com Thu May 29 22:22:10 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 29 May 2008 22:22:10 -0400
Subject: Password Salting Methods
Message-ID: <78c6bd860805291922w52ac1b83n955ed6a0b2d93259@mail.gmail.com>

Hi,

Is there a reference anywhere that outlines the different password salting methods used by different KDCs?

AFAICT AD w/ RC4 doesn't actually use a salt. Heimdal seems to just use the realm and principal name concatenated together without any separators. What does MIT do? What does Windows 2008 w/ AES use? Windows 2000? Do the salt values change depending on the enctype?

I'm interested in knowing to what degree salts can be predicted given only the information a client preparing to issue an AS-REQ would have. Ultimately I'm trying to reduce ETYPE_INFO(2) discovery to improve performance and get rid of annoying Windows "preauthentication failed" event log errors.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From vilas.tadoori.ext at siemens.com Fri May 30 06:24:20 2008
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Fri, 30 May 2008 06:24:20 -0400
Subject: Kerberos/GSSAPI--- C++
In-Reply-To:
References: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com>
Message-ID: <0419C2808E620348A3119DCCE2A7A695071BC7AC@USCIMPLM004.net.plm.eds.com>

This is basically a (two tier) client server model where the server is on a C++ platform and the client is on a Java platform. We are in the process where we have identified the milestone for the project that we would be changing the code on the server where the calls to the server would be handled by GSSAPI before talking to a Kerberos server to get a ticket.

I have searched on the internet for the C++ bindings for GSSAPI so these can be included in our code. But unfortunately they are not available. We need some expert opinion on the following...

1) Are C++ bindings available for GSSAPI.
2) If they are not, how could I put the C bindings of GSSAPI in my C++ code on the server.

The code that I would like to incorporate is, talk to the Kerberos server v5 and get the ticket and pass it on the same to the client. In the process all the GSSAPI calls related like
Initiating the context - between server and client
Establishing the context - between server and client.
Exchanging/Acknowledging the messages between the server and client
the above points should not be lost.

I would really appreciate it if you can help us with your expert opinion on the same. Awaiting your reply...

Regards
Vilas.

-----Original Message-----
From: Ken Raeburn [mailto:raeburn at MIT.EDU]
Sent: Tuesday, May 27, 2008 10:24 PM
To: Tadoori (EXT), Vilas
Cc: kerberos at mit.edu
Subject: Re: Kerberos/GSSAPI--- C++

Sorry for the delay. I was hoping someone with more real-world GSSAPI/C++ programming experience would reply.

> We are in the process of making our application GSSAPI compliant. I
> would like to know the software necessary to do the same. Our server is
> running on SUSE 9.X and we would like to install Kerberos v5 on the
> same machine. The server code is already in C++ and in order to make
> it GSSAPI compliant we need to include the gssapi libraries. Could
> you specify the path from where I need or can download these
> libraries? As per the requirement either MIT or Heimdal is fine... but
> when I say include... and build my code, where
> would the compiler look for these header files?

If MIT Kerberos isn't available via the OS packaging system, you can visit http://www.mit.edu/~kerberos/ and download sources from there.

One thing to be careful of: While we've tried to make our GSSAPI headers compatible with C++ (e.g., 'extern "C"' around all the function declarations), it is a C API. We intend to keep future versions reasonably backwards-compatible in terms of the C API and ABI, but that doesn't necessarily apply to C++ if you do something "interesting". In practical terms, I suggest you avoid depending on the specific type definitions used for GSSAPI types -- that is, avoid depending on whether we use int vs long for a given 32-bit type if both are 32 bits, don't use GSSAPI types in function signatures in your ABI (because the name encoding would depend on the typedef), stuff like that.

> I would also appreciate it if there is a working example in C++; on the
> internet I have seen the GSSAPI programming guide written in C.

Sorry, I can't help you there...

Ken

From fred at dushin.net Fri May 30 17:09:20 2008
From: fred at dushin.net (Fred Dushin)
Date: Fri, 30 May 2008 17:09:20 -0400
Subject: Kerberos/GSSAPI--- C++
In-Reply-To: <0419C2808E620348A3119DCCE2A7A695071BC7AC@USCIMPLM004.net.plm.eds.com>
References: <0419C2808E620348A3119DCCE2A7A695070CB395@USCIMPLM004.net.plm.eds.com> <0419C2808E620348A3119DCCE2A7A695071BC7AC@USCIMPLM004.net.plm.eds.com>
Message-ID:

I'm sort of confused here.

First, I don't think there are any officially defined C++ bindings for the GSSAPI. Then again, I'm not an expert in this area. [1]

But more to the point, you're in a C++ environment -- you can call "C" APIs without any difficulty (assuming you obey ISO C conventions, and you don't let your C++ training interfere (testing against 0 instead of NULL, etc.)).

What am I missing?

-Fred

[1] I will say, however, that I've implemented a loose set of C++ APIs for using the GSSAPI -- these interfaces were based loosely off the JGSS, at least in terms of their structure. They formed a simple facade around the C bindings, and the implementation of these interfaces made direct calls on the C APIs. All they really provided was some C++-style state and memory management -- nothing spectacular to write home about, and clearly not rocket science. Unfortunately, this code is not my property, so I can't share it.

On May 30, 2008, at 6:24 AM, Tadoori (EXT), Vilas wrote:

> I have searched on the internet for the C++ bindings for GSSAPI so these
> can be included in our code.
> But unfortunately they are not available. We need some expert opinion
> on the following...
>
> 1) Are C++ bindings available for GSSAPI?
> 2) If they are not, how could I put the C bindings of GSSAPI in my C++
> code on the server?
