From petesea at bigfoot.com Sat Nov 1 14:47:14 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Sat, 01 Nov 2008 11:47:14 -0700 (PDT)
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To:
References:
Message-ID:

On Fri, 31 Oct 2008, deengert at anl.gov wrote:

> The v_t_m version could use either the Microsoft SSPI, or the MIT GSSAPI
> as implemented by the MIT gssapi32.dll. The new PuTTY only does SSPI so
> there are some implications if you are trying to use this from a
> non-windows domain machine. (But runas could be used.)

That's unfortunate, I wish they would implement both methods.

I also wish they would implement GSSAPI Key Exchange, to avoid the need to
maintain host keys on the client. I haven't found any implementation of
PuTTY that supports both MIT GSSAPI and GSSAPI Key Exchange.

From petesea at bigfoot.com Sat Nov 1 15:13:30 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Sat, 01 Nov 2008 12:13:30 -0700 (PDT)
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To:
References:
Message-ID:

On Fri, 31 Oct 2008, pbh at MIT.EDU wrote:

> Do you know of any distributions that work with KfW that have a version
> of plink that doesn't always open a Windows console window? I know that
> Quest (formerly Vintella?) has a version that does this, but it only
> supports SSPI.
>
> I want to be able to use svn+ssh from within Eclipse, on a machine that
> is not in a Windows domain, without having the system flash open a large
> number of console windows while I am either checking file out or in.

This is actually pretty easy to fix, if you don't mind compiling your own
version. All you need to do is build a "GUI" version of plink.exe.

By default (at least with the Cygwin build using Makefile.cyg), plink.exe
is built as a "Console" app. In order to prevent the console windows you
see when it's run via Eclipse/TortoiseSVN, you need to use a "GUI" version.
These instructions are for compiling via Cygwin, but I'm guessing there
must be a similar approach for the other methods:

- go to the "windows" subdir of the source
- edit Makefile.cyg
- change the "all:" target and add "plinkgui.exe" just after "plink.exe"
- make a copy of the "plink.exe" target dependency/build lines
- change the target of the copy to "plinkgui.exe"
- add "-mwindows" just after $(CC) in the plinkgui.exe build line
- run make

You should end up with both "plink.exe" and "plinkgui.exe". plink.exe will
be a "Console" app and "plinkgui.exe" will be a "GUI" app. The GUI version
will not display the console windows.

If you're trying to debug a problem you probably want to use "plink.exe",
but as long as everything is working and you just want to prevent the
console windows, use "plinkgui.exe".

From naveen.bn at globaledgesoft.com Mon Nov 3 07:56:47 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Mon, 03 Nov 2008 12:56:47 +0000
Subject: help
Message-ID: <490EF50F.8040001@globaledgesoft.com>

Hi all,

Can anyone help me to find out how a protocol registers with a socket
layer? I want to register one of the transport protocols to socket layer.

With regards
naveen

From deengert at anl.gov Mon Nov 3 09:48:15 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 03 Nov 2008 08:48:15 -0600
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <490B4AAB.5070002@mit.edu>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk> <490AE2B4.7090202@secure-endpoints.com> <20081031122902.GB23664@flea.lifesci.dundee.ac.uk> <20081031124311.GP4452@tamriel.snowman.net> <490B3F81.1050902@anl.gov> <490B4AAB.5070002@mit.edu>
Message-ID: <490F0F2F.80601@anl.gov>

Paul B. Hill wrote:
> Hi Doug or anyone else,
>
> Do you know of any distributions that work with KfW that have a version
> of plink that doesn't always open a Windows console window? I know that
> Quest (formerly Vintella?)
> has a version that does this, but it only
> supports SSPI.

The http://sweb.cz/v_t_m/#putty version can do KfW or SSPI. It will look
for gsslib32.dll, and if gss_acquire_cred shows credentials, it will try
gss. If not it will try SSPI. The mods to do this came from gssklog :-)

The version we are using is based on PuTTY 5.8.

I sent a separate note Friday to the PuTTY project, thanking them for
starting to work on GSS, and asked if they would pick up KfW and gss kex.
I have not received an answer yet.

>
> I want to be able to use svn+ssh from within Eclipse, on a machine that
> is not in a Windows domain, without having the system flash open a large
> number of console windows while I am either checking file out or in.

I believe the v_t_m version is smart enough to not flash any screens. You
have to set up a session ahead of time to load, as all the GSS settings
are not available on the command line.

>
> The Quest distribution of Putty works well for this purpose when I am
> using a machine that is in a Windows domain.
>
> Paul
>
> Douglas E. Engert wrote:
>>
>> Stephen Frost wrote:
>>> * Jonathan Barber (j.barber at dundee.ac.uk) wrote:
>>>> We don't have any particular preference WRT ssh clients, putty was just
>>>> chosen as our test as it's what we have used in the past.
>>> This thread got me curious, and it appears that ~2 months ago, GSSAPI
>>> support was committed to the PuTTY subversion tree. Anyone tried it?
>>
>> Thanks for the tip. I too have complained for years about this, and
>> it's nice to see the PuTTY people are adding GSSAPI.
>>
>> This was the easiest shared source Windows build I have seen!
>> I did an svn checkout on Unix to a shared file system (AFS), ran the
>> ./mkfiles.pl on Unix, then from XP in their windows directory
>> nmake -f Makefile.vc (Visual Studio 8)
>>
>> As compared to http://sweb.cz/v_t_m/#putty, they did
>> change the names of some flags in the registry. GssapiFwd was
>> GSSAPIFwdTGT,
>> GSSAPIServerRealm is not defined.
>> But these are minor.
>>
>> And it works!
>>
>> The v_t_m version could use either the Microsoft SSPI, or the MIT GSSAPI
>> as implemented by the MIT gssapi32.dll. The new PuTTY only does SSPI
>> so there are some implications if you are trying to use this from a
>> non-windows domain machine. (But runas could be used.)
>>
>>
>>> I'd love to move off of all of these hacked/patched versions of PuTTY
>>> that are floating around. We're currently using
>>> http://sweb.cz/v_t_m/#putty but in the past we've used a variety of
>>> things. :/
>>>
>>> Thanks!
>>>
>>> Stephen
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Mon Nov 3 10:09:07 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 03 Nov 2008 09:09:07 -0600
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To:
References:
Message-ID: <490F1413.7090001@anl.gov>

petesea at bigfoot.com wrote:
> On Fri, 31 Oct 2008, deengert at anl.gov wrote:
>
>> The v_t_m version could use either the Microsoft SSPI, or the MIT GSSAPI
>> as implemented by the MIT gssapi32.dll. The new PuTTY only does SSPI so
>> there are some implications if you are trying to use this from a
>> non-windows domain machine. (But runas could be used.)
>
> That's unfortunate, I wish they would implement both methods.

Please express your concerns to the PuTTY people. A few years ago I tried
to get them to add GSS. They added initial support in the SVN so they are
open to suggestions.

The wishlist page:
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/kerberos-gssapi.html
says: "fixed-in: r8138 2008-08-10". The Audit trail on the wishlist page
says: "We've got this.
Perhaps if we say so we can get more pre-release testing."

>
> I also wish they would implement GSSAPI Key Exchange, to avoid the need to
> maintain host keys on the client. I haven't found any implementation of
> PuTTY that supports both MIT GSSAPI and GSSAPI Key Exchange.

That would be nice.

> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Mon Nov 3 10:41:22 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 03 Nov 2008 09:41:22 -0600
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <490F0F2F.80601@anl.gov>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk> <490AE2B4.7090202@secure-endpoints.com> <20081031122902.GB23664@flea.lifesci.dundee.ac.uk> <20081031124311.GP4452@tamriel.snowman.net> <490B3F81.1050902@anl.gov> <490B4AAB.5070002@mit.edu> <490F0F2F.80601@anl.gov>
Message-ID: <490F1BA2.5060001@anl.gov>

Correction, it looks for gssapi32.dll

Douglas E. Engert wrote:
> The http://sweb.cz/v_t_m/#putty version can do KfW or SSPI. It will look for
> gsslib32.dll, and if gss_acquire_cred shows credentials,
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From vssureka at gmail.com Mon Nov 3 18:10:45 2008
From: vssureka at gmail.com (vssureka@gmail.com)
Date: Mon, 3 Nov 2008 15:10:45 -0800 (PST)
Subject: Identified does not match issue
Message-ID: <1855dd78-3e90-46fd-a9b5-12a292f225d6@b38g2000prf.googlegroups.com>

After struggling with this issue for almost two days now, I have run out
of issues.
Here is what I get when I run kinit:

C:\Program Files\Java\jdk1.5.0_16\bin>kinit -k -t c:\JBOSS.host.keytab JBOSS
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:308)
        at sun.security.krb5.internal.tools.Kinit.(Kinit.java:259)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.(KrbAsRep.java:50)
        ... 4 more

We have a Windows 2008 server running Active Directory. I have created a
JBOSS user there and ran the SetSPN and Ktpass utility. Also, I have made
sure that the DES encryption check box is checked for the JBOSS. Since I
modified that check box a few times, I have made sure that I reset the
password every time, as I read in a few places that it can create issues
with the encryption.

I am running the kinit on Windows 2003. I have generated the keytab file
on 2003 using the Ktab command. (I have also tried generating this file in
2008 and using that file when I run the command in 2003, but of no use.)

Now I am not sure what else is going on. Initially I was running into
"client not found in the database". I went past that problem by making
sure that I ran the kinit utility by just passing in the user name JBOSS
rather than mydomain\JBOSS.

If you need more info I would be more than happy to provide it. Looking
for any clue to move forward.
Thanks
vs

From anil.shashikumar.belur at gmail.com Tue Nov 4 06:20:20 2008
From: anil.shashikumar.belur at gmail.com (anil.shashikumar.belur@gmail.com)
Date: Tue, 04 Nov 2008 03:20:20 -0800
Subject: Identified does not match issue
Message-ID: <001485f3be62bf9164045adb3f54@google.com>

> > C:\Program Files\Java\jdk1.5.0_16\bin>kinit -k -tc:\JBOSS.host.keytab
> > JBOSS
> > Exception: krb_error 24 Pre-authentication information was invalid

This could be because the password/keytab or the principal name you have
provided may be incorrect. Also you could check if there is any large
clock skew time difference on your AD box and the client.

From vssureka at gmail.com Tue Nov 4 12:14:03 2008
From: vssureka at gmail.com (vssureka@gmail.com)
Date: Tue, 4 Nov 2008 09:14:03 -0800 (PST)
Subject: Identified does not match issue
References:
Message-ID:

I have checked and double checked the issue with the password and
everything looks right. The time is also synchronized.

Here is some more information that I found last night.

If I run "kinit JBOSS <>" it works fine and it gets the ticket without
any errors.

But when I use the keytab that I generate using the ktab utility
"ktab -k -t FILE:c:\myfile.keytab -a JBOSS <>" and then pass this file to
the kinit utility using "kinit -k -t FILE:c:\myfile.ketyab JBOSS" I get
the pre-authentication error. Seems like ktab is generating a keytab file
that is messing up the password.

Given that the first command succeeds tells me that the user is set up
correctly on the AD side. (I further verified that by passing in a wrong
password in "kinit JBOSS <>" and as expected it fails, telling me that it
does verify the password as expected.)

Any help would be highly appreciated
vs

On Nov 4, 5:20 am, anil.shashikumar.be...
at gmail.com wrote:
> > > C:\Program Files\Java\jdk1.5.0_16\bin>kinit -k -tc:\JBOSS.host.keytab
> > > JBOSS
> > > Exception: krb_error 24 Pre-authentication information was invalid
>
> This could be because the password/keytab or the principal name you have
> provided may be incorrect.
>
> Also you could check if there is any large clock skew time difference on
> your AD box and the client.

From res at qoxp.net Tue Nov 4 17:54:08 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Tue, 04 Nov 2008 17:54:08 -0500
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
References:
Message-ID:

>>>>> "petesea" == petesea writes:

petesea> On Fri, 31 Oct 2008, deengert at anl.gov wrote:

>> The v_t_m version could use either the Microsoft SSPI, or the MIT
>> GSSAPI as implemented by the MIT gssapi32.dll. The new PuTTY only
>> does SSPI so there are some implications if you are trying to use
>> this from a non-windows domain machine. (But runas could be used.)

petesea> That's unfortunate, I wish they would implement both methods.

petesea> I also wish they would implement GSSAPI Key Exchange, to
petesea> avoid the need to maintain host keys on the client. I
petesea> haven't found any implementation of PuTTY that supports both
petesea> MIT GSSAPI and GSSAPI Key Exchange.

http://rc.quest.com/topics/PuTTY/

--
Richard Silverman
res at qoxp.net

From res at qoxp.net Wed Nov 5 10:53:19 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Wed, 05 Nov 2008 10:53:19 -0500
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
References:
Message-ID:

>>>>> "res" == Richard E Silverman writes:

>>>>> "petesea" == petesea writes:

petesea> On Fri, 31 Oct 2008, deengert at anl.gov wrote:

>>> The v_t_m version could use either the Microsoft SSPI, or the MIT
>>> GSSAPI as implemented by the MIT gssapi32.dll.
>>> The new PuTTY only
>>> does SSPI so there are some implications if you are trying to use
>>> this from a non-windows domain machine. (But runas could be used.)

petesea> That's unfortunate, I wish they would implement both methods.

petesea> I also wish they would implement GSSAPI Key Exchange, to
petesea> avoid the need to maintain host keys on the client. I
petesea> haven't found any implementation of PuTTY that supports both
petesea> MIT GSSAPI and GSSAPI Key Exchange.

res> http://rc.quest.com/topics/PuTTY/

Oops, you said *MIT* GSSAPI. Indeed. FYI, in the commercial world,
SecureCRT does this.

res> --
res> Richard Silverman
res> res at qoxp.net

--
Richard Silverman
res at qoxp.net

From deengert at anl.gov Wed Nov 5 16:44:46 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 05 Nov 2008 15:44:46 -0600
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To:
References:
Message-ID: <491213CE.9080608@anl.gov>

Richard E. Silverman wrote:
>>>>>> "res" == Richard E Silverman writes:
>
>>>>>> "petesea" == petesea writes:
> petesea> On Fri, 31 Oct 2008, deengert at anl.gov wrote:
>
> >>> The v_t_m version could use either the Microsoft SSPI, or the MIT
> >>> GSSAPI as implemented by the MIT gssapi32.dll. The new PuTTY only
> >>> does SSPI so there are some implications if you are trying to use
> >>> this from a non-windows domain machine. (But runas could be used.)
>
> petesea> That's unfortunate, I wish they would implement both methods.
>
> petesea> I also wish they would implement GSSAPI Key Exchange, to
> petesea> avoid the need to maintain host keys on the client. I
> petesea> haven't found any implementation of PuTTY that supports both
> petesea> MIT GSSAPI and GSSAPI Key Exchange.
>
> res> http://rc.quest.com/topics/PuTTY/
>
> Oops, you said *MIT* GSSAPI. Indeed. FYI, in the commercial world,
> SecureCRT does this.

Yes, and it is a fine product.
The problem we see is that many third party packages come with the PuTTY
plink.exe program under the covers, some with some version of GSSAPI (or
SSPI), but not all. It would be nice if the base PuTTY code had the gssapi
built in.

>
> res> --
> res> Richard Silverman
> res> res at qoxp.net
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From monnier at iro.umontreal.ca Wed Nov 5 21:16:41 2008
From: monnier at iro.umontreal.ca (Stefan Monnier)
Date: Wed, 05 Nov 2008 21:16:41 -0500
Subject: Destroy expired tickets?
Message-ID:

How can I destroy expired tickets?

They're useless at best, and in some cases they're positively harmful
(their presence prompts `ssh' to contact the KDC to try and delegate
credentials, which is a waste if the tickets are expired, and is really
annoying when the KDC times out because it's behind a firewall).

But I couldn't find any command that would destroy only expired tickets.
Any idea what I should use? I guess I could try and parse the date&time
in "klist", but it'd be a pain in the rear and blatantly brittle.

This is on a Debian GNU/Linux system, in case it matters,

Stefan

From raeburn at MIT.EDU Thu Nov 6 10:05:31 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 6 Nov 2008 10:05:31 -0500
Subject: Destroy expired tickets?
In-Reply-To:
References:
Message-ID: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu>

On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
> How can I destroy expired tickets?
>
> They're useless at best, and in some cases they're positively harmful
> (their presence prompts `ssh' to contact the KDC to try and delegate
> credentials, which is a waste if the tickets are expired, and is
> really
> annoying when the KDC times out because it's behind a firewall).

Hm, that sounds a bit broken. I could see, maybe, inferring that you
want to use Kerberos and prompting to get new tickets, but trying to
forward expired ones is no good...
> But I couldn't find any command that would destroy only expired
> tickets.
> Any idea what I should use? I guess I could try and parse the
> date&time
> in "klist", but it'd be a pain in the rear and blatantly brittle.

Running "klist -s" and testing the exit status should let you figure
out if there are currently-valid tickets. I don't know if there's a way
to test for "tickets exist and are not valid", though perhaps
"klist >& /dev/null" (C shell syntax) succeeding and "klist -s" failing
would do the job. Or you could try "klist -s" and then just run
"kdestroy >& /dev/null", ignoring any errors caused by a ticket cache
not existing.

Ken

From chweiss at gmx.ch Thu Nov 6 10:34:02 2008
From: chweiss at gmx.ch ("Christian Weiß")
Date: Thu, 06 Nov 2008 16:34:02 +0100
Subject: No subject
Message-ID: <20081106153402.322660@gmx.net>

Hi,

we use Kerberos for Windows (newest version: 3.2.2) on our XP clients for
access to our intranet. This also works fine on a W2K3 Server (R2 Standard
or Enterprise Edition with SP2), unless the Terminal Services are enabled.
If so, the user gets a TGT correctly, but doesn't get a ticket for HTTP
when trying to connect to the intranet. Acquiring a ticket manually with
"kvno HTTP/$servername" fixes this problem. With Terminal Services
disabled everything works fine again.

Our KDC runs on a SuSE SLES 8 machine.

Is this a known issue? Does anybody have a solution for me? I didn't find
anything about this in the list.

Thanks in advance!
Christian

--
The GMX SmartSurfer helps you save up to 70% of your online costs!
Ideal for modem and ISDN: http://www.gmx.net/de/go/smartsurfer

From res at qoxp.net Thu Nov 6 13:52:15 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Thu, 06 Nov 2008 13:52:15 -0500
Subject: Destroy expired tickets?
References:
Message-ID:

>>>>> "KR" == Ken Raeburn writes:

KR> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
>> How can I destroy expired tickets?
>>
>> They're useless at best, and in some cases they're positively
>> harmful (their presence prompts `ssh' to contact the KDC to try and
>> delegate credentials, which is a waste if the tickets are expired,
>> and is really annoying when the KDC times out because it's behind a
>> firewall).

KR> Hm, that sounds a bit broken. I could see, maybe, inferring that
KR> you want to use Kerberos and prompting to get new tickets, but
KR> trying to forward expired ones is no good...

>> But I couldn't find any command that would destroy only expired
>> tickets. Any idea what I should use? I guess I could try and
>> parse the date&time in "klist", but it'd be a pain in the rear and
>> blatantly brittle.

FWIW, the Perl Authen::Krb5 module would allow you to write such a
utility pretty easily.

KR> Running "klist -s" and testing the exit status should let you
KR> figure out if there are currently-valid tickets. I don't know if
KR> there's a way to test for "tickets exist and are not valid",
KR> though perhaps "klist >& /dev/null" (C shell syntax) succeeding
KR> and "klist -s" failing would do the job. Or you could try "klist
KR> -s" and then just run "kdestroy >& /dev/null", ignoring any errors
KR> caused by a ticket cache not existing.

KR> Ken

--
Richard Silverman
res at qoxp.net

From cclausen at acm.org Thu Nov 6 17:00:21 2008
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 6 Nov 2008 16:00:21 -0600
Subject: WTS and KfW for SPNEGO
References: <20081106153402.322660@gmx.net>
Message-ID: <56265CFE64744C819F6EE6D66DEBA6B7@CDCHOME>

I bet the problem is that KfW is switching to a per-user krb5.ini instead
of using the one you likely have in C:\Windows. Try to copy your system
krb5.ini to c:\documents and settings\user\windows and see if that helps
any when in Terminal Services mode.

< wrote:
> Hi,
>
> we use Kerberos for Windows (newest Version: 3.2.2) on our XP Clients
> for access to our intranet.
> This also works fine on a W2K3 Server (R2
> Standard or Enterprise Edition with SP2), unless the Terminal
> Services are enabled. If so, the user gets a TGT correctly, but
> doesn't get a Ticket for HTTP when trying to connect to the intranet.
> Acquiring a Ticket manually with "kvno HTTP/$servername" fixes this
> problem. With Terminal Services disabled everything works fine again.
> Our KDC runs on a SuSE SLES 8 machine.
> Is this a known Issue? Does anybody have a solution for me? I didn't
> find anything about this in the list.
>
> Thanks in advance!
> Christian

From meetvamshi at gmail.com Fri Nov 7 06:00:29 2008
From: meetvamshi at gmail.com (VAMSHI VELAGAPURI)
Date: Fri, 7 Nov 2008 16:30:29 +0530
Subject: Kadmin error
Message-ID: <1f81200a0811070300u435610d5ie7f97b8b0d3f397@mail.gmail.com>

Hi,

I am getting this error when I try to run the kadmin daemon:

kadmind[15257](Error): Cannot find/read stored master key while initializing, aborting

When I tried to do "kdb5_util create -s" it says that:

[root at bunty krb5kdc]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'VAM.ORG',
master key name 'K/M at VAM.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
create: File exists while creating database '/var/kerberos/krb5kdc/principal'

It would be great if anybody corrects me.

Thank you,
Vam

From simon at sxw.org.uk Thu Nov 6 19:13:42 2008
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Fri, 7 Nov 2008 00:13:42 +0000
Subject: Destroy expired tickets?
In-Reply-To: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu>
References: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu>
Message-ID: <17494883-FF74-467A-9FB2-46C26764FDA4@sxw.org.uk>

On 6 Nov 2008, at 15:05, Ken Raeburn wrote:
> On Nov 5, 2008, at 21:16, Stefan Monnier wrote:
>> How can I destroy expired tickets?
>>
>> They're useless at best, and in some cases they're positively harmful
>> (their presence prompts `ssh' to contact the KDC to try and delegate
>> credentials, which is a waste if the tickets are expired, and is
>> really
>> annoying when the KDC times out because it's behind a firewall).
>
> Hm, that sounds a bit broken. I could see, maybe, inferring that you
> want to use Kerberos and prompting to get new tickets, but trying to
> forward expired ones is no good...

I'm not sure which version of ssh is being referred to here, however I
can comment on what OpenSSH does (I suspect SunSSH has similar behaviour).

OpenSSH with my patches calls gss_init_sec_context() for each supported
mechanism to determine whether it should try key exchange for that
mechanism (that's because if we pick a key exchange mechanism that fails
for any reason, we've got no choice but to fail the connection).

Depending on your Kerberos library, the presence (or absence) of a
credentials cache may affect whether the call to gss_init_sec_context()
causes the KDC to be contacted. It won't have any effect on delegation.

S.

From petesea at bigfoot.com Fri Nov 7 02:46:25 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Thu, 06 Nov 2008 23:46:25 -0800 (PST)
Subject: kinit ignores kdc in config file on Mac 10.5
Message-ID:

I have a user with a Mac 10.5 system and it SEEMS like kinit is ignoring
the kdc entries in the config file. Instead it APPEARS to do a DNS query
for the realm and then uses the A records returned and sends the kerberos
request packets to them. The result is kinit takes a while and eventually
fails with:

Kerberos Login Failed: Cannot contact any KDC for requested realm

I'm quite sure it's reading the config file because I've run kinit via
dtruss and see it opening the config file and reading it.

I've tried disabling dns lookups in the config file, by setting both
dns_lookup_kdc and dns_lookup_realm to false, but that doesn't make a
difference.
There are many other Mac 10.5 users that work fine using exactly the same
config file, so it must be some setting on this particular Mac, but I'm
out of ideas where to look.

Thanks for any help.

From chweiss at gmx.ch Fri Nov 7 04:06:53 2008
From: chweiss at gmx.ch ("Christian Weiß")
Date: Fri, 07 Nov 2008 10:06:53 +0100
Subject: WTS and KfW for SPNEGO
Message-ID: <20081107090653.103740@gmx.net>

Hello Christopher,

that's it! Thank you for your really fast and helpful answer. It would be
even better if KfW would fall back to the 'krb5.ini' in c:\windows if
there is none in c:\dokuments and settings\user\windows. Then you wouldn't
have to put it into every user's profile folder...

Christian

--
"Feel free" - 10 GB mailbox, 100 free SMS/month ... Try GMX TopMail now:
http://www.gmx.net/de/go/topmail

From monnier at iro.umontreal.ca Thu Nov 6 20:53:45 2008
From: monnier at iro.umontreal.ca (Stefan Monnier)
Date: Thu, 06 Nov 2008 20:53:45 -0500
Subject: Destroy expired tickets?
In-Reply-To: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu> (Ken Raeburn's message of "Thu, 6 Nov 2008 10:05:31 -0500")
References: <54BD26CC-007D-482E-946E-FD3FAC453E13@mit.edu>
Message-ID:

>> They're useless at best, and in some cases they're positively harmful
>> (their presence prompts `ssh' to contact the KDC to try and delegate
>> credentials, which is a waste if the tickets are expired, and is really
>> annoying when the KDC times out because it's behind a firewall).

> Hm, that sounds a bit broken. I could see, maybe, inferring that you want
> to use Kerberos and prompting to get new tickets, but trying to forward
> expired ones is no good...

Does that mean that the session below (in Debian testing) is a sign of a
bug in OpenSSH or in Kerberos?

>> But I couldn't find any command that would destroy only expired tickets.
>> Any idea what I should use? I guess I could try and parse the date&time
>> in "klist", but it'd be a pain in the rear and blatantly brittle.
> Running "klist -s" and testing the exit status should let you figure out if
> there are currently-valid tickets. I don't know if there's a way to test
> for "tickets exist and are not valid", though perhaps "klist >& /dev/null"
> (C shell syntax) succeeding and "klist -s" failing would do the job.
> Or you could try "klist -s" and then just run "kdestroy >& /dev/null",
> ignoring any errors caused by a ticket cache not existing.

Oh, I didn't realize that "klist" returns a status that indicates whether
there are still valid keys. That might be good enough to hack something up
(I don't expect I'll often bump into the case where I have some valid keys
mixed in with some expired keys).

Still, a better solution (for me anyway) would be for the Kerberos library
to automatically throw away expired keys when it encounters some,

Stefan

The session below shows a "typical" situation for me: I have some left
over tickets from last time I used the machine, but contacting the KDC
times out because I haven't restarted the VPN. The session also shows that
the KDC is contacted twice (in sequence) and that by the time those two
attempts time out, the remote sshd server has already given up and closed
the connection, so I don't even get a chance to type in my password.
% date
jeudi 6 novembre 2008, 20:37:38 (UTC-0500)
% klist
Ticket cache: FILE:/tmp/krb5cc_20848
Default principal: monnier at ADS.IRO.UMONTREAL.CA

Valid starting     Expires            Service principal
11/06/08 09:46:40  11/06/08 19:46:44  krbtgt/ADS.IRO.UMONTREAL.CA at ADS.IRO.UMONTREAL.CA
        renew until 12/04/08 09:46:40
11/06/08 09:46:49  11/06/08 19:46:44  host/trex.iro.umontreal.ca at ADS.IRO.UMONTREAL.CA
        renew until 12/04/08 09:46:40

Kerberos 4 ticket cache: /tmp/tkt20848
klist: You have no tickets cached
% ssh -v iro
OpenSSH_5.1p1 Debian-3, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/monnier/.ssh/config
debug1: Applying options for iro
debug1: Applying options for *
debug1: /home/monnier/.ssh/config line 58: Deprecated option "UseRsh"
debug1: /home/monnier/.ssh/config line 59: Deprecated option "FallBackToRsh"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/tmp/monnier/trex.iro.umontreal.ca-monnier-22" does not exist
debug1: Connecting to trex.iro.umontreal.ca [132.204.27.213] port 22.
debug1: Connection established.
debug1: identity file /home/monnier/.ssh/identity type -1
debug1: identity file /home/monnier/.ssh/id_rsa type -1
debug1: identity file /home/monnier/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.4
debug1: match: OpenSSH_4.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib at openssh.com
debug1: kex: client->server aes128-cbc hmac-md5 zlib at openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'trex.iro.umontreal.ca' is known and matches the RSA host key.
debug1: Found key in /home/monnier/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for requested realm

debug1: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for requested realm

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Next authentication method: publickey
debug1: Offering public key: /home/monnier/.ssh/id_dsa
Connection closed by 132.204.27.213
~-255%

From cclausen at acm.org Fri Nov 7 17:32:43 2008
From: cclausen at acm.org (Christopher D.
Clausen) Date: Fri, 7 Nov 2008 16:32:43 -0600 Subject: WTS and KfW for SPNEGO References: <20081107090653.103740@gmx.net> Message-ID: <3F1DA4B2D1E34D278A9B548E780AEB99@CDCHOME> Christian, I recomend that you read through this email and follow its instructions: http://mailman.mit.edu/pipermail/kerberos/2008-January/012978.html That should solve the problem permanently. I personally like having my own per-user krb5.ini. I can fix configuration problems on machines where I am just a user and do not have admin access. < wrote: > Hello Christopher, > > that's it! Thank you for your really fast and helpful answer. Even > better it would be if KfW would fall back to the 'krb5.ini' in > c:\windows if there is none in c:\dokuments and > settings\user\windows. Then you wouldn't have to put it into every > user's profile folder... > > Christian From jobo at jobo.com Mon Nov 10 16:06:37 2008 From: jobo at jobo.com (Jobo) Date: Mon, 10 Nov 2008 22:06:37 +0100 Subject: IE6 Fallback to NTLM Message-ID: <4918a25e$0$767$58c7af7e@news.kabelfoon.nl> IE (6) and Kerberos At some (actually one) locations in our network (which is spread all over the Netherlands) we have the problem that IE6 randomly falls back to NTLM, while FF keeps on working flawlessly. Does anybody has a clou what is happening? Tickets are valid and available, and when a new instance of IE is opened, everything works OK again. The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3) Client: IE6 on XP Tickets are served by Active Directory. 
Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl) From ioplex at gmail.com Mon Nov 10 19:38:14 2008 From: ioplex at gmail.com (Michael B Allen) Date: Mon, 10 Nov 2008 19:38:14 -0500 Subject: IE6 Fallback to NTLM In-Reply-To: <4918a25e$0$767$58c7af7e@news.kabelfoon.nl> References: <4918a25e$0$767$58c7af7e@news.kabelfoon.nl> Message-ID: <78c6bd860811101638w7c440319v2f0269ae5fbee7f7@mail.gmail.com> On Mon, Nov 10, 2008 at 4:06 PM, Jobo wrote: > IE (6) and Kerberos > > At some (actually one) locations in our network (which is spread all > over the Netherlands) we have the problem that IE6 randomly falls back > to NTLM, while FF keeps on working flawlessly. > > Does anybody has a clou what is happening? Tickets are valid and > available, and when a new instance of IE is opened, everything works OK > again. > > The facts: > Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3) > Client: IE6 on XP > Tickets are served by Active Directory. In the past there have been a few bugs in cache handling on XP: http://support.microsoft.com/kb/906524 http://support.microsoft.com/kb/885887 Check your kerberos DLLs. But I haven't seen anyone complain about these sorts of things in a while so I'm not sure if the bugs described in these KBs are really relevant anymore. Note that FF can exhibit different behavior depending on how it's configured. Note that for some strange reason, FF on Linux actually requests a service ticket with each HTTP request even though it has a perfectly good one in the cache. So make sure you're testing FF on Windows if you want a fair comparison. 
Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ From JackyC at umac.mo Tue Nov 11 03:18:30 2008 From: JackyC at umac.mo (Jacky Chan) Date: Tue, 11 Nov 2008 00:18:30 -0800 (PST) Subject: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~ Message-ID: <20435198.post@talk.nabble.com> Dear all, I have the subjected components configured to have single sign on in Linux box against W2K3 AD. In which, 3 W2K3 AD handling the authentication and name service. Linux box is ldap and nss client in such case. I have a concern of the failover behavours when W2K3 AD masteer Kerberos server is fail-over. And I have done the following tests already, If the master Kerberos server is down, # An already cached user (probably by nscd), can be login by su or ssh And the new password changed in the Kerberos server which is taked over the slave server takes effect. # A non-cached user, though, cannot even login by su or ssh, finally ended up with user doesn't exist. Some users of this kind of, can issue kinit, but some are not. I tried getent passwd, it gives me all the users in AD with UNIX attribute even for whose ended up by user doesn't exist in su or ssh. I am wondering, if krb5.conf can only specify one admin_server (master Kerboers server), how does it handle failover suitation when this master server is down? Is anyone out there try this approach and has the similiar concern? Let's share and disccuss. Thank you very much. Best, Jacky -- View this message in context: http://www.nabble.com/krb5-%2B-nss_ldap-%2B-nscd-%2B-Window-AD-2003-Failover-Concern%7E%7E-tp20435198p20435198.html Sent from the Kerberos - General mailing list archive at Nabble.com. 
From JackyC at umac.mo  Tue Nov 11 04:00:37 2008
From: JackyC at umac.mo (JackyC@umac.mo)
Date: Tue, 11 Nov 2008 17:00:37 +0800
Subject: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
In-Reply-To:
References: <20435198.post@talk.nabble.com>
Message-ID:

>> You don't need admin server for normal operation. Just KDC, which allows multiple entries.

Oh yeap, I have set two KDCs, one of which is the admin server; when the admin server is down, a non-cached user cannot log in and cannot even kinit.

>> Only if the flag to change password on next login is enabled on AD and is honoured by pam-krb5 the absence of extra admin servers is a problem.

What exactly do you mean, pam_krb5 will not allow changing the password on next login when the admin server is down?

>> I think the problem you have is that nscd/nss-ldap allows a single ldap server to query. If the configured one is down, only users already cached are known to the system.

Actually, I set two ldap servers in /etc/ldap.conf; I tried to take down the slave Kerberos server, which is ldap server No.2 in /etc/ldap.conf. With nscd running, failover for a non-cached user works. But only if the master Kerberos server is down, a non-cached user cannot log in by su or ssh.

>> It should be noticed that if I'm right, all the users returned by getent passwd should be able to login (if match some principal, obviously), and it appears not your case.

Thank you very much!

Yours Sincerely,
Jacky, Hoi Kei Chan,

From deengert at anl.gov  Tue Nov 11 12:10:43 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 11 Nov 2008 11:10:43 -0600
Subject: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
In-Reply-To: <20435198.post@talk.nabble.com>
References: <20435198.post@talk.nabble.com>
Message-ID: <4919BC93.3010600@anl.gov>

Jacky Chan wrote:
> Dear all,
>
> I have the subjected components configured to have single sign on in Linux
> box against W2K3 AD.
> In which, 3 W2K3 AD handling the authentication and name service. Linux box
> is ldap and nss client in such case.
>
> I have a concern of the failover behaviours when W2K3 AD master Kerberos
> server is fail-over.
> And I have done the following tests already,
>
> If the master Kerberos server is down,
> # An already cached user (probably by nscd), can be login by su or ssh
> And the new password changed in the Kerberos server which is taken
> over the slave server takes effect.
>
> # A non-cached user, though, cannot even login by su or ssh, finally
> ended up with user doesn't exist.

Sounds like either AD is not replicating, or not replicating fast enough for your tests. Or your krb5.conf is not pointing at all the DCs. It could also be nscd has cached a negative response for some time, but not as long as it would a positive response.

Is your nss ldap configured to use multiple DCs?

> Some users of this kind of, can issue kinit, but some are not.
> I tried getent passwd, it gives me all the users in AD with UNIX
> attribute even for whose ended up by user doesn't exist in su or ssh.
>
> I am wondering, if krb5.conf can only specify one admin_server (master
> Kerberos server), how does it handle failover situation when this master
> server is down? Is anyone out there try this approach and has the similar
> concern? Let's share and discuss.

AD does not have the master/slave concept, so you can point the admin_server at any one of them. The MIT 1.6.3 looks like it might find more than one admin_server so try it out specifying all your DCs.

>
> Thank you very much.
>
> Best,
> Jacky

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From javiplx at gmail.com  Tue Nov 11 13:00:17 2008
From: javiplx at gmail.com (Javier Palacios)
Date: Tue, 11 Nov 2008 19:00:17 +0100
Subject: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
In-Reply-To:
References: <20435198.post@talk.nabble.com>
Message-ID:

>>> Only if the flag to change password on next login is enabled
> on AD and is honoured by pam-krb5 the absence of extra admin servers is
> a problem.
>
> What exactly do you mean, pam_krb5 will not allow change password on next
> login when the admin server is down?

Sorry, I didn't explain well. If the admin server is down, there is no way to change the password (at least with MIT kerberos).
The other point is whether pam-krb5 does follow the change-on-next-login thing in the same manner as a windows workstation does (I have never tested that).
If that is true _and_ the admin server is down, the password cannot be changed and the login gets refused. Enable debug on pam-krb5, which is not very verbose but allows to pinpoint some problems.

>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>> server
> to query. If the configured one is down, only users already cached are known
> to the system.
> Actually, I set two ldap server in /etc/ldap.conf;

Last time I looked at that, only one was allowed.

Javier Palacios

From jobo at jobo.com  Tue Nov 11 02:17:19 2008
From: jobo at jobo.com (Jobo)
Date: Tue, 11 Nov 2008 08:17:19 +0100
Subject: IE6 Fallback to NTLM
In-Reply-To:
References: <4918a25e$0$767$58c7af7e@news.kabelfoon.nl>
Message-ID: <49193180$0$761$58c7af7e@news.kabelfoon.nl>

Michael B Allen wrote:
> On Mon, Nov 10, 2008 at 4:06 PM, Jobo wrote:
>> IE (6) and Kerberos
>>
>> At some (actually one) locations in our network (which is spread all
>> over the Netherlands) we have the problem that IE6 randomly falls back
>> to NTLM, while FF keeps on working flawlessly.
>>
>> Does anybody have a clue what is happening? Tickets are valid and
>> available, and when a new instance of IE is opened, everything works OK
>> again.
>>
>> The facts:
>> Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
>> Client: IE6 on XP
>> Tickets are served by Active Directory.
>
> In the past there have been a few bugs in cache handling on XP:
>
> http://support.microsoft.com/kb/906524
> http://support.microsoft.com/kb/885887
>
> Check your kerberos DLLs.
>
> But I haven't seen anyone complain about these sorts of things in a
> while so I'm not sure if the bugs described in these KBs are really
> relevant anymore.
>
> Note that FF can exhibit different behavior depending on how it's
> configured. Note that for some strange reason, FF on Linux actually
> requests a service ticket with each HTTP request even though it has a
> perfectly good one in the cache. So make sure you're testing FF on
> Windows if you want a fair comparison.
>
> Mike
>

Actually we had these problems, and solved them with the AllowTgtSessionKey registry setting. FF is also on Windows.

Thnx anyway, I read all the ioplex stuff.

From jobo at jobo.com  Tue Nov 11 02:19:46 2008
From: jobo at jobo.com (Jobo)
Date: Tue, 11 Nov 2008 08:19:46 +0100
Subject: IE6 Fallback to NTLM
In-Reply-To:
References: <4918a25e$0$767$58c7af7e@news.kabelfoon.nl>
Message-ID: <49193212$0$761$58c7af7e@news.kabelfoon.nl>

Richard E. Silverman wrote:
>>>>>> "Jobo" == Jobo writes:
>
> Jobo> IE (6) and Kerberos At some (actually one) locations in our
> Jobo> network (which is spread all over the Netherlands) we have the
> Jobo> problem that IE6 randomly falls back to NTLM, while FF keeps on
> Jobo> working flawlessly.
>
> Jobo> Does anybody have a clue what is happening? Tickets are valid and
> Jobo> available, and when a new instance of IE is opened, everything
> Jobo> works OK again.
>
> Jobo> The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5
> Jobo> release 1.4.3) Client: IE6 on XP Tickets are served by Active
> Jobo> Directory.
>
> Jobo> Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)
>
> Is the name you're giving the browser for the webserver perhaps a DNS
> alias (CNAME RR)? Bizarre and pointless as it is, Microsoft "doesn't like
> CNAMEs" (direct quote from a Microsoft engineer), and I've seen it behave
> like this.
>

Thanks, a CNAME it is! I'm gonna try your solution; it will take a couple of days, but I will be back.

From res at qoxp.net  Mon Nov 10 22:27:53 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Mon, 10 Nov 2008 22:27:53 -0500
Subject: IE6 Fallback to NTLM
References: <4918a25e$0$767$58c7af7e@news.kabelfoon.nl>
Message-ID:

>>>>> "Jobo" == Jobo writes:

Jobo> IE (6) and Kerberos At some (actually one) locations in our
Jobo> network (which is spread all over the Netherlands) we have the
Jobo> problem that IE6 randomly falls back to NTLM, while FF keeps on
Jobo> working flawlessly.

Jobo> Does anybody have a clue what is happening? Tickets are valid and
Jobo> available, and when a new instance of IE is opened, everything
Jobo> works OK again.

Jobo> The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5
Jobo> release 1.4.3) Client: IE6 on XP Tickets are served by Active
Jobo> Directory.

Jobo> Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)

Is the name you're giving the browser for the webserver perhaps a DNS alias (CNAME RR)? Bizarre and pointless as it is, Microsoft "doesn't like CNAMEs" (direct quote from a Microsoft engineer), and I've seen it behave like this.
--
Richard Silverman
res at qoxp.net

From tlyu at MIT.EDU  Tue Nov 11 18:19:30 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 11 Nov 2008 18:19:30 -0500
Subject: Kadmin error
In-Reply-To: <1f81200a0811070300u435610d5ie7f97b8b0d3f397@mail.gmail.com> (VAMSHI VELAGAPURI's message of "Fri, 7 Nov 2008 16:30:29 +0530")
References: <1f81200a0811070300u435610d5ie7f97b8b0d3f397@mail.gmail.com>
Message-ID:

"VAMSHI VELAGAPURI" writes:

> Hi,
> I am getting this error when i try to run kadmin daemon.
>
> kadmind[15257](Error): Cannot find/read stored master key while
> initializing, aborting
>
>
>
> when i tried to do kdb5_util create -s it says that
>
> [root at bunty krb5kdc]# kdb5_util create -s
> Loading random data
> Initializing database '/var/kerberos/krb5kdc/principal' for realm 'VAM.ORG',
> master key name 'K/M at VAM.ORG'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> create: File exists while creating database
> '/var/kerberos/krb5kdc/principal'
>
> It would be great if anybody corrects me.

Like the error message says, the database already exists. You will need to use the kdb5_util stash command instead.

From JackyC at umac.mo  Tue Nov 11 20:39:00 2008
From: JackyC at umac.mo (Jacky Chan)
Date: Tue, 11 Nov 2008 17:39:00 -0800 (PST)
Subject: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
In-Reply-To: <4919BC93.3010600@anl.gov>
References: <20435198.post@talk.nabble.com> <4919BC93.3010600@anl.gov>
Message-ID: <20452361.post@talk.nabble.com>

Douglas E. Engert wrote:
>
>
> Sounds like either AD is not replicating, or not replicating fast enough
> for your tests. Or your krb5.conf is not pointing at all the DCs. It could
> also be nscd has cached a negative response for some time, but not as
> long as it would a positive response.
>
> Is your nss ldap configured to use multiple DCs?
>
>

Yes, the nscd negative response time should not be longer than the positive one. I should clean up and reload once it times out.

I configured nss_ldap like the following; I think it could lead to using multiple DCs:

uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc

And I had also configured /etc/krb5.conf to point to multiple DCs like:

FAILOVER.DC = {
    kdc = w2k3dc1.failover.dc:88
    kdc = w2k3dc2.failover.dc:88
    admin_server = w2k3dc1.failover.dc:749
}

The difference from what I found online is that they use a different admin_server compared to the kdc. In my testing environment above, I configure one of the kdc servers to be the admin_server. If I take down w2k3dc1.failover.dc, the failover cannot take effect; su or ssh just here. Maybe I will turn on debug mode on pam_krb5 to see the log, or set up a new w2k3dc3.failover.dc to avoid it.

Douglas E. Engert wrote:
>
>
> AD does not have the master/slave concept, so you can point the
> admin_server
> at any one of them. The MIT 1.6.3 looks like it might find more than one
> admin_server so try it out specifying all your DCs.
>
>

But you say I can point the admin_server to any one of the KDC servers. That means your above assumption is not correct. But if it is the case, how come the failover doesn't work when the admin server is down? Where do I find MIT 1.6.3 for testing?

Thank you very much

Best,
Jacky

--
View this message in context: http://www.nabble.com/krb5-%2B-nss_ldap-%2B-nscd-%2B-Window-AD-2003-Failover-Concern%7E%7E-tp20435198p20452361.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
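As an added example (not code from any poster, MIT Kerberos or nss_ldap), a small Python check that parses a krb5.conf [realms] stanza and an nss_ldap `uri` line of the shape quoted in this message and reports which service is still served by a single host; the hostnames are constructed from the thread, and the "fixed" stanza is the multiple-admin_server layout the thread suggests trying, which assumes a krb5 library that honours more than one admin_server line.

```python
"""Failover-hygiene check for krb5.conf realm stanzas and the nss_ldap uri line.

Added example for the failover thread above; not code from MIT Kerberos,
nss_ldap or any poster.  All sample configuration below is constructed.
"""
import re

# Constructed sample: the realm stanza as posted (two KDCs, one admin_server).
KRB5_CONF_POSTED = """
[libdefaults]
    default_realm = FAILOVER.DC

[realms]
    FAILOVER.DC = {
        kdc = w2k3dc1.failover.dc:88
        kdc = w2k3dc2.failover.dc:88
        admin_server = w2k3dc1.failover.dc:749
    }
"""

# Constructed sample: the layout the thread suggests trying, listing every DC
# as admin_server too (assumes the krb5 library accepts multiple admin_server lines).
KRB5_CONF_FIXED = """
[realms]
    FAILOVER.DC = {
        kdc = w2k3dc1.failover.dc:88
        kdc = w2k3dc2.failover.dc:88
        admin_server = w2k3dc1.failover.dc:749
        admin_server = w2k3dc2.failover.dc:749
    }
"""

# Constructed sample /etc/ldap.conf fragment as posted (two DCs on one uri line).
LDAP_CONF = """
base dc=failover,dc=dc
uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc
"""


def parse_realms(text):
    """Return {realm: {key: [value, ...]}} for the [realms] section.

    krb5.conf is INI-like; inside [realms] each realm is a
    'NAME = { key = value ... }' block.  Repeated keys (kdc, admin_server)
    are collected as lists, which is what the failover check needs.
    """
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                    # new section header
            section, current = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:                                    # start of a realm block
            current = m.group(1)
            realms[current] = {}
            continue
        if line == '}':                          # end of a realm block
            current = None
            continue
        if current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def host_of(value):
    """Normalise 'host:port' to 'host' so the same DC on two ports counts once."""
    return re.sub(r':\d+$', '', value).lower()


def ldap_uris(text):
    """Return the server list from the first 'uri' line of an nss_ldap config."""
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == 'uri':
            return parts[1:]
    return []


def check_failover(krb5_text, ldap_text):
    """Return findings for every service that has no second host to fail over to."""
    findings = []
    for realm, keys in parse_realms(krb5_text).items():
        kdcs = {host_of(v) for v in keys.get('kdc', [])}
        admins = {host_of(v) for v in keys.get('admin_server', [])}
        if len(kdcs) < 2:
            findings.append(f'{realm}: only {len(kdcs)} kdc host; no KDC fallback')
        if len(admins) < 2:
            findings.append(f'{realm}: only {len(admins)} admin_server host; '
                            'password changes fail while it is down')
    uris = {u.lower() for u in ldap_uris(ldap_text)}
    if len(uris) < 2:
        findings.append(f'nss_ldap: only {len(uris)} uri; uncached users are '
                        'unknown while it is down')
    return findings


if __name__ == '__main__':
    for label, conf in (('posted', KRB5_CONF_POSTED), ('fixed', KRB5_CONF_FIXED)):
        print(label, check_failover(conf, LDAP_CONF) or ['no single points of failure'])
```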
From JackyC at umac.mo  Tue Nov 11 21:04:23 2008
From: JackyC at umac.mo (Jacky Chan)
Date: Tue, 11 Nov 2008 18:04:23 -0800 (PST)
Subject: krb5 + nss_ldap + nscd + Window AD 2003 Failover Concern~~
In-Reply-To:
References: <20435198.post@talk.nabble.com>
Message-ID: <20452584.post@talk.nabble.com>

Javier Palacios-2 wrote:
>
>>>> Only if the flag to change password on next login is enabled
>> on AD and is honoured by pam-krb5 the absence of extra admin servers is
>> a problem.
>>
>> What exactly do you mean, pam_krb5 will not allow change password on
>> next
>> login when the admin server is down?
>
> Sorry, I didn't explain well. If the admin server is down, there is no
> way to change
> the password (at least with MIT kerberos).
> The other point is whether pam-krb5 does follow the change on next login
> thing in
> the same manner as a windows workstation does (I have never tested
> that).
> If that is true _and_ the admin server is down, the password cannot be
> changed
> and the login gets refused. Enable debug on pam-krb5, which is not very
> verbose
> but allows to pinpoint some problems.
>
>

Yes, I got your meaning. And it does have this problem.

Javier Palacios-2 wrote:
>
>
>>>> I think the problem you have is that nscd/nss-ldap allows a single ldap
>>>> server
>> to query. If the configured one is down, only users already cached are
>> known
>> to the system.
>> Actually, I set two ldap server in /etc/ldap.conf;
>
> Last time I looked at that, only one was allowed.
>
>

If using, say, nss_ldap 253, it is allowed to configure more than one ldap server in the uri entry:

uri ldap://w2k3dc1.failover.dc ldap://w2k3dc2.failover.dc ldap://w2k3dc3.failover.dc

But you need to set bind_policy to soft to trigger immediate failover instead of waiting for nss_ldap to retry and reconnect until its default maximum is reached.
--
View this message in context: http://www.nabble.com/krb5-%2B-nss_ldap-%2B-nscd-%2B-Window-AD-2003-Failover-Concern%7E%7E-tp20435198p20452584.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From deepti.mhr at gmail.com  Thu Nov 13 04:01:14 2008
From: deepti.mhr at gmail.com (deepti malhotra)
Date: Thu, 13 Nov 2008 14:31:14 +0530
Subject: Importantly need coding of Kerberos Protocol in java
Message-ID:

I am doing computer engineering and working on a project in java that needs an implementation of the kerberos protocol. So please kindly provide me with the coding of the specified.

THANKING YOU.
DEEPTI

From deengert at anl.gov  Thu Nov 13 10:09:37 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 13 Nov 2008 09:09:37 -0600
Subject: Importantly need coding of Kerberos Protocol in java
In-Reply-To:
References:
Message-ID: <491C4331.6020705@anl.gov>

deepti malhotra wrote:
> I am doing computer engineering and working on project in java that need
> implementation of kerberos protocol. so please kindly provide me with the
> coding of the specified.

Google for java kerberos

>
>
> THANKING YOU.
> DEEPTI
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From tlyu at MIT.EDU  Thu Nov 13 11:14:43 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 13 Nov 2008 11:14:43 -0500
Subject: KfW service tickets and Terminal Services (Re: none)
In-Reply-To: <20081106153402.322660@gmx.net> (Christian Weiß's message of "Thu, 06 Nov 2008 16:34:02 +0100")
References: <20081106153402.322660@gmx.net>
Message-ID:

"Christian Weiß" writes:

> we use Kerberos for Windows (newest Version: 3.2.2) on our XP Clients for
> access to our intranet. This also works fine on a W2K3 Server (R2 Standard
> or Enterprise Edition with SP2), unless the Terminal Services are enabled.
> If so, the user gets a TGT correctly, but doesn't get a Ticket for HTTP
> when trying to connect to the intranet. Acquiring a Ticket manually with
> "kvno HTTP/$servername" fixes this problem. With Terminal Services disabled
> everything works fine again. Our KDC runs on a SuSE SLES 8 machine.
> Is this a known issue? Does anybody have a solution for me? I didn't find
> anything about this in the list.

I have not heard about this issue before. Do you have access to the KDC logs on your SuSE machine? What tickets are the client actually requesting in each case?

From tlyu at MIT.EDU  Thu Nov 13 11:22:29 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 13 Nov 2008 11:22:29 -0500
Subject: kinit ignores kdc in config file on Mac 10.5
In-Reply-To: (petesea@bigfoot.com's message of "Thu, 06 Nov 2008 23:46:25 -0800 (PST)")
References:
Message-ID:

petesea at bigfoot.com writes:

> I have a user with a Mac 10.5 system and it SEEMS like kinit is ignoring
> the kdc entries in the config file. Instead it APPEARS to do a DNS query
> for the realm and then uses the A records returned and sends the kerberos

Does it look up the A record for the realm name, instead of looking up the SRV record for the realm name?

> request packets to them. The result is kinit takes a while and eventually
> fails with:
>
> Kerberos Login Failed: Cannot contact any KDC for requested realm
>
> I'm quite sure it's reading the config file because I've run kinit via
> dtruss and see it opening the config file and reading it.
>
> I've tried disabling dns lookups in the config file, by setting both
> dns_lookup_kdc and dns_lookup_realm to false, but that doesn't make a
> difference.
>
> There are many other Mac 10.5 users that work fine using exactly the same
> config file, so it must be some setting on this particular Mac, but I'm
> out of ideas where to look.
Which config files are you changing? There are several that could affect the result.

From petesea at bigfoot.com  Thu Nov 13 12:47:38 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Thu, 13 Nov 2008 09:47:38 -0800 (PST)
Subject: kinit ignores kdc in config file on Mac 10.5
In-Reply-To:
References:
Message-ID:

On Thu, 13 Nov 2008, Tom Yu wrote:

> petesea at bigfoot.com writes:
>
>> I have a user with a Mac 10.5 system and it SEEMS like kinit is
>> ignoring the kdc entries in the config file. Instead it APPEARS to do
>> a DNS query for the realm and then uses the A records returned and
>> sends the kerberos
>
> Does it look up the A record for the realm name, instead of looking up
> the SRV record for the realm name?

Yes... A, not SRV. Oddly, the exact case of the realm it queries is mixed, eg: COMPANY.com, instead of COMPANY.COM. The config file only uses all uppercase for the realm name and all lowercase for the domain name in the [domain_realm] section; it never uses mixed case.

I started tcpdump restricting the capture filter to only ports 88 (Kerberos) and 53 (DNS), then ran kinit. The tcpdump capture shows:

- A query for an A record for the realm name by the client
- A response from the DNS server with 4 IP addresses
- An "AS-REQ" from the client to the 1st IP address
- After 1 sec an "AS-REQ" from the client to the 2nd IP address
- After 1 sec an "AS-REQ" from the client to the 3rd IP address
- After 1 sec an "AS-REQ" from the client to the 4th IP address
- After 7 secs a 2nd "AS-REQ" from the client to the 1st IP address
- After 1 sec a 2nd "AS-REQ" from the client to the 2nd IP address
- After 1 sec a 2nd "AS-REQ" from the client to the 4th IP address
- After 5 secs a 3rd "AS-REQ" from the client to the 1st IP address
- After 1 sec a 3rd "AS-REQ" from the client to the 2nd IP address
- After 1 sec a 3rd "AS-REQ" from the client to the 4th IP address

There is no response to any of the AS-REQ packets. At this point the kinit command fails with:

Kerberos Login Failed: Cannot contact any KDC for requested realm

> Which config files are you changing? There are several that could
> affect the result.

~/Library/Preferences/edu.mit.Kerberos. I added the following lines to the "[libdefaults]" section:

dns_lookup_kdc = false
dns_lookup_realm = false
dns_fallback = false

I've also made sure all of the following do NOT exist:

/Library/Preferences/edu.mit.Kerberos
/etc/krb5.conf
/usr/etc/krb5.conf

From raeburn at MIT.EDU  Thu Nov 13 14:04:01 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 13 Nov 2008 14:04:01 -0500
Subject: kinit ignores kdc in config file on Mac 10.5
In-Reply-To:
References:
Message-ID: <650C0D48-1337-4259-8AC5-F74FC53717CF@mit.edu>

On Nov 13, 2008, at 12:47, petesea at bigfoot.com wrote:
> Yes... A, not SRV. Oddly, the exact case of the realm it queries is
> mixed, eg: COMPANY.com, instead of COMPANY.COM. The config file only
> uses all uppercase for the realm name and all lowercase for the domain
> name in the [domain_realm] section, it never uses mixed case.

It's possible this is just an artifact of the local forwarding resolver code. E.g., if it builds a tree with "com" below the root (because someone looked up something.com in lower case), and then someone looks up COMPANY.COM, it could add a node "COMPANY" below "com", and use those strings in building the query...

As to why it would try to contact a host matching the name of the realm, I don't know. Our basic library code shouldn't do that, but Apple ships a couple of KDC-locating plugins in /System/Library/KerberosPlugins/KerberosFrameworkPlugins which I haven't looked at. Our library code does allow plugins to override the config file; perhaps one of them is doing so. Is the Mac joined to a domain? If not, one of the plugins might be triggering anyways. I'm not sure if it's safe to move them to another directory or "chmod 0" them, to try to see what's going on. But doing it only briefly while you've got a command-line window open with a root shell would -- I would *guess* -- not be too risky.

> - A query for an A record for the realm name by the client
> - A response from the DNS server with 4 IP addresses
> - An "AS-REQ" from the client to the 1st IP address
[...]

Curious, that's not quite the behavior I'd expect. It shouldn't stop talking to the 3rd address after the first attempt, unless it got back a TCP RST, UDP response, or ICMP error, and decided it couldn't use that server. And the delays between the passes (7s, then 5s) should start smaller than that, and increase. (See around line 1160 in http://src.mit.edu/opengrok/xref/trunk/src/lib/krb5/os/sendto_kdc.c , that describes the library behavior, and what you'll see for UDP traffic; TCP connections are initiated in the first pass, but retransmissions would be managed by the OS kernel.) But that's probably not important right now...

Ken

From rra at stanford.edu  Thu Nov 13 14:20:36 2008
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 13 Nov 2008 11:20:36 -0800
Subject: pam-krb5 3.12 released
Message-ID: <87skpv77qz.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.12 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

    Add alt_auth_map configuration option, which allows mapping of usernames to alternative Kerberos principals, useful primarily for using particular instances for access to a given PAM-authenticated service.
    Also added force_alt_auth and only_alt_auth options to control when alternative Kerberos principals are used. Patch from Booker Bense.

    Fix incorrect error handling for bad .k5login ownership when search_k5login is set, leading to a NULL pointer dereference and a segfault. Thanks, Andrew Deason.

    Fix double-free of the ticket cache structure if creation of the ticket cache in the session module fails. Thanks, Jens Jorgensen.

    Log all syslog messages to LOG_AUTHPRIV, or LOG_AUTH if the system doesn't define LOG_AUTHPRIV. Thanks, Mark Painter.

    Fix portability to AIX's bundled Kerberos. Thanks, Markus Moeller.

    When debugging is enabled, log an exit status of PAM_IGNORE as ignore rather than failure.

    Document that pam-krb5 must be listed in the session group as well as the auth group for interactive logins or OpenSSH won't set up the user's credential cache properly.

    Document adding ignore=ignore to complex [] action configuration for the session and account groups since the module now returns PAM_IGNORE instead of PAM_SUCCESS for accounts that didn't use Kerberos.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian experimental to not interfere with the upcoming lenny release. They will be uploaded to Debian unstable after the release. (The significant bug fixes mentioned above have already been fixed in Debian unstable for the lenny release.)

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (rra at stanford.edu)

From robert at marcanoonline.com  Thu Nov 13 17:55:50 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Thu, 13 Nov 2008 18:25:50 -0430
Subject: Kbrfw: failed to decrypt password
Message-ID: <1226616950.3404.7.camel@localhost.localdomain>

When a password is expired I have problems replacing it with a new password on Windows clients:

With kinit:

Password expired. You must change it now.
Enter new password:
Enter it again:
kinit(v5): Password change failed while getting initial credentials

With kpasswd and Network Identity Manager: "failed to decrypt password"

On a Linux client I am able to update the password without problems using kpasswd or kinit. Those errors only happen on MIT kerberos for Windows; any help is appreciated.

Thanks in advance

From petesea at bigfoot.com  Thu Nov 13 18:22:59 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Thu, 13 Nov 2008 15:22:59 -0800 (PST)
Subject: kinit ignores kdc in config file on Mac 10.5
In-Reply-To: <650C0D48-1337-4259-8AC5-F74FC53717CF@mit.edu>
References: <650C0D48-1337-4259-8AC5-F74FC53717CF@mit.edu>
Message-ID:

On Thu, 13 Nov 2008, Ken Raeburn wrote:

> As to why it would try to contact a host matching the name of the realm,
> I don't know. Our basic library code shouldn't do that, but Apple ships
> a couple of KDC-locating plugins in
> /System/Library/KerberosPlugins/KerberosFrameworkPlugins which I haven't
> looked at. Our library code does allow plugins to override the config
> file; perhaps one of them is doing so. Is the Mac joined to a domain?

If by "joined to a domain" you mean there's a DNS entry associated with this host, then yes there is... both forward and reverse.

> If not, one of the plugins might be triggering anyways. I'm not sure if
> it's safe to move them to another directory or "chmod 0" them, to try to
> see what's going on. But doing it only briefly while you've got a
> command-line window open with a root shell would -- I would *guess* --
> not be too risky.

It looks like the culprit is (or is related to):

/System/Library/KerberosPlugins/KerberosFrameworkPlugins/ODLocate.bundle

If I move ODLocate.bundle to a directory outside its current location then kinit works. But, I've compared all the files (including checksums) under this directory to another 10.5 system owned by the same user and they are identical.
So the actual problem must be some other library/plugin or config file. Any idea where else to look? And any idea what the ODLocate.bundle plugin is for?

From raeburn at MIT.EDU Thu Nov 13 19:19:27 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 13 Nov 2008 19:19:27 -0500
Subject: kinit ignores kdc in config file on Mac 10.5
In-Reply-To:
References: <650C0D48-1337-4259-8AC5-F74FC53717CF@mit.edu>
Message-ID: <52FC3D97-A16F-438C-AE07-2B4DDF24969E@MIT.EDU>

On Nov 13, 2008, at 18:22, petesea at bigfoot.com wrote:
> If by "joined to a domain" you mean there's a DNS entry associated
> with this host, then yes there is... both forward and reverse.

No, I was thinking of Active Directory or Open Directory. I assume that's what would trigger ODLocate.bundle to answer. But I don't run my Macs that way, so I'm really guessing here... Some quick Google searching suggests that the "Directory Utility" app (or "Directory Access" on older Macs) is probably how it's managed, and I'm not sure where in the file system you might look for its config data.

Ken

From raeburn at MIT.EDU Thu Nov 13 19:22:19 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 13 Nov 2008 19:22:19 -0500
Subject: Kbrfw: failed to decrypt password
In-Reply-To: <1226616950.3404.7.camel@localhost.localdomain>
References: <1226616950.3404.7.camel@localhost.localdomain>
Message-ID:

On Nov 13, 2008, at 17:55, Robert Marcano wrote:
> When a password is expired i have problems to replace it with a new
> password on Windows clients:
>
> With kinit:
>
> Password expired. You must change it now.
> Enter new password:
> Enter it again:
> kinit(v5): Password change failed while getting initial credentials
>
> With kpasswd and Network Identity Manager: "failed to decrypt
> password"
>
> On a Linux client I am able to update the password without problems
> using kpasswd or kinit. Those errors only happens on MIT kerberos for
> Windows, any help is appreciated.

What's the network configuration like?
The password changing protocol may not work through a NAT box.

Ken

From robert at marcanoonline.com Fri Nov 14 11:42:15 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Fri, 14 Nov 2008 12:12:15 -0430
Subject: Kbrfw: failed to decrypt password
In-Reply-To:
References: <1226616950.3404.7.camel@localhost.localdomain>
Message-ID: <1226680935.3491.3.camel@localhost.localdomain>

On Thu, 2008-11-13 at 19:22 -0500, Ken Raeburn wrote:
> On Nov 13, 2008, at 17:55, Robert Marcano wrote:
> > When a password is expired i have problems to replace it with a new
> > password on Windows clients:
> >
> > With kinit:
> >
> > Password expired. You must change it now.
> > Enter new password:
> > Enter it again:
> > kinit(v5): Password change failed while getting initial credentials
> >
> > With kpasswd and Network Identity Manager: "failed to decrypt
> > password"
> >
> > On a Linux client I am able to update the password without problems
> > using kpasswd or kinit. Those errors only happens on MIT kerberos for
> > Windows, any help is appreciated.
>
> What's the network configuration like? The password changing protocol
> may not work through a NAT box.
>

Yes, that was the reason. Windows was running on a VM (virtualbox.org) on my laptop connected to the net using NAT. So this test passed :-), but I think this will cause me a little trouble in production when a user is behind one of those wireless routers that do NAT by default.

Thanks...

> Ken

From robert at marcanoonline.com Fri Nov 14 11:56:30 2008
From: robert at marcanoonline.com (Robert Marcano)
Date: Fri, 14 Nov 2008 12:26:30 -0430
Subject: kadmin help when using LDAP db (MIT kerberos)
Message-ID: <1226681790.3491.15.camel@localhost.localdomain>

I am relatively new to kerberos, and as part of the installation of freeipa, I am writing a script to be used by Samba for password changes. I read about kadmin.local but the man page says

"If the database is LDAP, kadmin.local need not be run on the KDC."
so I am unable to use it instead of kadmin, which requires a password that I do not understand very well how to supply. The first time I started the kadmin service on a CentOS server, it said it was adding a few principals with these two commands:

/usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
/usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success

This immediately disabled the usage of kpasswd (unable to find KDC error) or kinit with an expired password.

How can I use the network version of kadmin in order to change a user password? Which principal can I use with the right privileges: "change_password: Operation requires ``change-password'' privilege while changing password for ..."

Does kadmin only replace the password? Or does it reset the last password change date/time and related fields?

Thanks in advance

From ssorce at redhat.com Fri Nov 14 12:12:47 2008
From: ssorce at redhat.com (Simo Sorce)
Date: Fri, 14 Nov 2008 12:12:47 -0500
Subject: kadmin help when using LDAP db (MIT kerberos)
In-Reply-To: <1226681790.3491.15.camel@localhost.localdomain>
References: <1226681790.3491.15.camel@localhost.localdomain>
Message-ID: <1226682767.32715.102.camel@localhost.localdomain>

On Fri, 2008-11-14 at 12:26 -0430, Robert Marcano wrote:
> I am relatively new to kerberos, and as part of the installation of
> freeipa, I am writing a script to be used by Samba for password changes.
> I read about kadmin.local but the man pages says
>
> "If the database is LDAP, kadmin.local need not be run on the KDC."
>
> so I am unable to use it instead of kadmin that requires a password that
> I do not understand very well how to supply, The fist time I started the
> kadmin service on a CentOS server, it says it was adding a few
> principals with these two commands
>
>
> /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin${KRB5REALM:+@$KRB5REALM} kadmin/changepw${KRB5REALM:+@$KRB5REALM}"
> /usr/kerberos/sbin/kadmin.local ${KRB5REALM:+-r $KRB5REALM} -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/`hostname`${KRB5REALM:+@$KRB5REALM}" 2> /dev/null && success

If you read the freeipa documentation you will see that using kadmin or kadmin.local is discouraged if you do not know exactly what you are doing.

> This immediately disabled the usage of kpasswd (unable to find KDC
> error) or kinit with a expired password

Yes, you reset the secret and did not update the keytab file that ipa_kpasswd uses.

> how can I use the network version of kadmin in order to change a user
> password? which principal can i use with the right privileges:

At this stage you cannot use kadmind with Freeipa; you can use kpasswd, ipa-passwd, ldappasswd, and recently also ipa-getkeytab.

I'd suggest you use freeipa-users at redhat.com if you have freeipa related questions.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

From raeburn at MIT.EDU Fri Nov 14 14:18:30 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 14 Nov 2008 14:18:30 -0500
Subject: Kbrfw: failed to decrypt password
In-Reply-To: <1226680935.3491.3.camel@localhost.localdomain>
References: <1226616950.3404.7.camel@localhost.localdomain> <1226680935.3491.3.camel@localhost.localdomain>
Message-ID: <49620574-E0AC-4E0F-ACFC-23364185E178@MIT.EDU>

On Nov 14, 2008, at 11:42, Robert Marcano wrote:
> yes that was the reason, Windows was running on an VM (virtualbox.org)
> on my laptop connected to the net using NAT.
> So this test passed :-),
> but I think this will cause me a little trouble on production when a
> user is behind of one of those wireless routers that do NAT by default

Yeah, it's a problem. The original Kerberos 5 protocol was designed when NATs weren't much of an issue, and when including an IP address was thought to be a (more) helpful additional security measure. The revised spec (RFC 4120) fudges it by defining new "address" types that merely identify one party as the initiator of the authentication exchange and the other as the recipient, but MIT has not implemented this yet; I don't know if anyone else has. (There are also backwards compatibility issues to deal with, in case you're trying to talk to an implementation that doesn't yet know about these directional addresses -- how do you know when you can use the directional addresses? Or does the application-level code just have to try it twice?) And fixing this hasn't, unfortunately, bubbled up to the top of the Consortium's priority list just yet. Patches are welcome though. :-)

I don't expect it to necessarily be helpful in your case, but VPN software may help -- or may hurt. If it gives the application a non-NATted address on the enterprise network, the Kerberos library may be able to determine the network address that the KDC will see the message as coming from. But on the other hand, some VPN software makes it difficult to figure out what that assigned address is, and will similarly cause things to break even if no NAT was involved in the first place.

Ken

From tlyu at MIT.EDU Fri Nov 14 14:35:59 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Fri, 14 Nov 2008 14:35:59 -0500
Subject: Parameters in « Strategy Kerberos » not taken into account.
In-Reply-To: (jivko.mitev@free.fr's message of "Thu, 30 Oct 2008 05:44:08 -0700 (PDT)")
References:
Message-ID:

jivko writes:

> Title: Parameters in « Strategy Kerberos » not taken into account.
>
> Environment: Domain controller «
> Windows 2000 Server SP4 », client «
> Windows XP SP2 »
> Particularities of the environment:
> The server is the only controller AD in its VLAN. It was added in the
> production domain, replicated, after detached and plugged into a
> closed VLAN with suppression of the missing references.
> The server is in the mode AD2000 native, but the domain was not
> created from scratch, it was migrated from NT.
> The VLAN contains the only post XP, member of the domain.
>
> At the beginning the domain was under NT, it contained a certain
> number of hosts NT (1 PDC, and several BDC).
> The domain was migrated to Windows 2000 like that:
> migration of PDC NT to 2000, 2000 is so in the mixed mode, which means
> that the server 2000 emulates a PDC NT
> replacement of all the controllers NT by the controllers 2000,
> installed from scratch
> at the end, when there were no controllers NT into the domain,
> reinstallation from scratch to 2000 of the ex-PDC from NT
> when there is only machines 2000 installed from scratch, passing of
> the AD on the mode 2000 « native »
>
> So, the controllers are 100% 2000, but the structure AD comes from the
> old domain NT.
>
>
> Description:
> We want to modify the max lifetime of the tickets tgt Kerberos. To do
> this :
> 1) we modified the value of the tgt max lifetime to 600 in «
> Stratégie de sécurité du domaine / ... / Strategie Kerberos »

Because it is likely that most of the readers of this newsgroup / list primarily speak English, you may get more useful responses if you could quote the names of the settings that you mention above from an English localization rather than from the French localization.

> On the client post we do :
> 2) klist purge
> 3) access to the shared folder
> 4) klist tgt
> ===========
> C:\Program Files\Resource Kit>klist tgt
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: GOVARTAN
> DomainName: AESN.FR
> TargetDomainName: AESN.FR
> AltTargetDomainName: AESN.FR
> TicketFlags: 0x40e00000
> KeyExpirationTime: 1/1/1601 2:00:00
> StartTime: 10/16/2008 18:04:54
> EndTime: 10/17/2008 2:04:54
> RenewUntil: 10/16/2008 19:04:54
> TimeSkew: 1/1/1601 2:00:00
> ==========
>
> The problem: The tgt max lifetime is 8h.
> After reboot of the server: the same result.
> The same modifications are taken into account on the host installed
> with Windows 2000 from scratch.
>
> Questions :
> 1) As the ticket max lifetime by default is 10h from where comes the
> duration 8h ?

I am not familiar with how AD configures its ticket lifetimes, but if it is similar to how MIT krb5 determines ticket lifetime, it probably uses the smallest lifetime value out of the set containing the client principal ticket lifetime, the service principal ticket lifetime and the requested lifetime.

> 2) How to modify (force) the tgt max lifetime in our platform
> configuration?

Again, I am not very familiar with AD administration, but there may be individual lifetime restrictions on each client principal, or more global settings, that could affect ticket lifetime in the way you wish.

From rra at stanford.edu Fri Nov 14 22:20:18 2008
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 14 Nov 2008 19:20:18 -0800
Subject: remctl 2.13 released
Message-ID: <878wrln099.fsf@windlord.stanford.edu>

I'm pleased to announce release 2.13 of remctl.

remctl is a client/server application that supports remote execution of specific commands, using Kerberos v5 GSS-API for authentication. Authorization is controlled by a configuration file and ACL files and can be set separately for each command, unlike with rsh. remctl is like a Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh and sudo without most of the features and complexity of either.

Changes from previous release:

Add support for ACL methods in the remctld server.
The supported schemes in this release are file and princ, which together provide the same functionality as earlier releases, plus deny to explicitly reject a user who matches another ACL and support for the CMU GPUT authorization system. There is now a framework in place for adding new ACL methods in the future. This work was contributed by Jeffrey Hutzelman.

When processing the include of a directory for configuration files or ACL files, limit the files read to those whose names contain only characters in [a-zA-Z0-9_-]. This replaces the previous exclusion of files containing periods and also excludes Emacs backup and temporary files. Thanks, Timothy G. Abbott.

Add a PHP remctl PECL module from Andrew Mortensen, enabled with --enable-php at configure time. These bindings are only tested with PHP 5.

Add Python bindings from Thomas L. Kula, enabled with --enable-python at configure time. These bindings are tested with Python 2.5 but should work with versions back to 2.3.

Include all *.class files in the JAR file built by java/Makefile, making the resulting JAR actually useful. Thanks, Marcus Watts.

Add an ant build configuration for the Java remctl implementation. It also has the capability to generate a distribution of just the Java implementation using a file layout more similar to an Apache Jakarta project than the layout of the java subdirectory.

Several Windows fixes from Matthew Loar, plus really include portable/winsock.c in the distribution. This version should now build and run on Windows.

With --with-gssapi, attempt to determine if the library directory is lib32 or lib64 instead of lib and set LDFLAGS accordingly. Based on an idea from the CMU Autoconf macros.

Add --with-gssapi-include and --with-gssapi-lib options to set the include and library paths separately if needed.

Restore GSS-API portability checks for old versions of MIT Kerberos accidentally dropped in the previous release.

Provide a proper bool type when built with Sun Studio 12 on Solaris 10.
Thanks, Jeffrey Hutzelman.

Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work.

Fix Autoconf syntax error when probing for libkrb5support. Thanks, Mike Garrison.

Create the docs directory in the build tree if it's missing, fixing a build failure when builddir != srcdir. Thanks, Jeffrey Hutzelman.

In standalone mode, close the main server socket immediately in the child handler processes. Since the socket was already marked close on exec, this probably only matters for consistent test suite results, ensuring that the port is released immediately, but it's more correct.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian experimental to not interfere with the upcoming lenny release. I expect them to take some time to be approved through the NEW queue.

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (rra at stanford.edu)

From howard at cohtech.com Sun Nov 16 12:21:03 2008
From: howard at cohtech.com (Howard Wilkinson)
Date: Sun, 16 Nov 2008 17:21:03 +0000
Subject: Problem with Active Directory, pam_krb5 when a domain controller is shutting down
Message-ID: <4920567F.6080707@cohtech.com>

I am fairly sure that this is a Microsoft issue, but I am looking for a work round in the kerberos library.

I have a site where one of the domain controllers is also running an Exchange 2003 instance. The controller takes about 20 minutes to shut down, but from the time when the shutdown is requested until almost the last second before the machine restarts the KDC on the machine continues to respond to requests. However, it responds with 'krb5kdc_err_c_principal_unknown' to all users.
This causes pam_krb5 to error out and refuse to log in any users until the KDC has gone away, when the library fails over to an alternative domain controller and everything works as it is supposed to.

I have read my way down into the kerberos library - got as far as the krb5_get_init_creds code and got stuck working out how the KDC gets selected and whether it would be possible to get the library to try more than one KDC! So I am now calling for advice.

Has anybody else seen this? I have had no luck googling for this, so am not thinking about it the same way as anybody else who has!

Does anybody have any suggestions as to how to work round this problem - without getting Microsoft to fix their end, which is a long term battle!

Is this a library issue or should I be looking at the pam_krb5 code to specify which KDCs to use?

Regards, Howard.

From res at qoxp.net Sun Nov 16 13:34:51 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Sun, 16 Nov 2008 13:34:51 -0500
Subject: Problem with Active Directory, pam_krb5 when a domain controller is shutting down
References:
Message-ID:

>>>>> "HW" == Howard Wilkinson writes:

HW> I am fairly sure that this is a Microsoft issue, but I am looking
HW> for a work round in the kerberos library.

HW> I have a site where one of the domain controllers is also running
HW> an Exchange 2003 instance. The controller takes about 20 minutes
HW> to shut down, but from the time when the shutdown is requested
HW> until almost the last second before the machine restarts the KDC
HW> on the machine continues to respond to requests. However, it
HW> responds with 'krb5kdc_err_c_principal_unknown' to all users. This
HW> causes pam_krb5 to error out and refuse to log in any users until
HW> the KDC has gone away, when the library fails over to an
HW> alternative domain controller and everything works as it is
HW> supposed to.
HW> I have read my way down into the kerberos library - got as far as
HW> the krb5_get_init_creds code and got stuck working out how the KDC
HW> get selected and whether it would be possible to get the library
HW> to try more than one KDC! So I am now calling for advice.

I wouldn't want to do that -- it's like having a DNS resolver try another nameserver if the first one returns NXDOMAIN. "No such principal" is an authoritative response.

HW> Has anybody else seen this, have had no luck googling for this so
HW> am not thinking about it the same way as anybody else who has!

HW> Does anybody have any suggestions as to how to work round this
HW> problem - without getting Microsoft to fix their end which is a
HW> long term battle!

HW> Is this a library issue or should I be looking at the pam_krb5
HW> code to specify which KDC's to use?

Two suggestions:

* When you shut down the domain controller, manually shut down the KDC service first.

* If that's not feasible, then force the Kerberos libraries to use the alternative domain controller, either by pushing out a new krb5.conf file, or removing the first DC from the DNS SRV records for the realm.

HW> Regards, Howard.

--
Richard Silverman
res at qoxp.net

From raeburn at MIT.EDU Tue Nov 18 16:31:24 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 18 Nov 2008 16:31:24 -0500
Subject: IPv6 and channel bindings
In-Reply-To: <4909E0FC.8090907@lbl.gov>
References: <4909E0FC.8090907@lbl.gov>
Message-ID: <6720257E-4423-46BE-863D-BE05F14B4C36@mit.edu>

On Oct 30, 2008, at 12:29, Damian Hazen wrote:
> Hi -
>
> Does anyone know if IPv6 addresses work with kerberos v5 GSS-API
> channel
> bindings?

Sorry for the delayed response...

MIT's implementation doesn't define a value for GSS_C_AF_INET6, and there's no standardized value for it as far as I recall, so strictly speaking, you can't (portably) specify IPv6 channel bindings.
The Heimdal implementation defines the macro with the value 24, and if you felt like hardcoding a number for now with the MIT implementation, I *think* you could make it work; I haven't tried it.

Ken

From some.r at ndom.mail.invalid Tue Nov 18 16:21:43 2008
From: some.r at ndom.mail.invalid (S2)
Date: 18 Nov 2008 21:21:43 GMT
Subject: Kerberos protocol transition for linux?
Message-ID: <492331e7$0$1080$4fafbaef@reader1.news.tin.it>

Hallo all!

In our small corporate we decided some time ago that in our intranet "all" (when possible) services we write should use kerberos to authenticate the users. This way we can have a central location to store all identities and we can propagate the user identity from service to service using forwardable tickets (well... this is what kerberos was designed for :)).

As it happens to be, some of our applications need to be accessed from the evil internet, and the users accessing them can't access our KDC to get a TGT, so we use Microsoft's ISA server to make the transition from Forms Based authentication to kerberos tickets. Let me explain this part just to be sure we are talking about the same stuff: ISA shows the user a form asking for a username and a password, uses these credentials to get a TGT from the KDC and then uses that ticket to authenticate to the applications in our intranet on behalf of the user. ISA keeps a list of SSO-Cookie-Values and kerberos tokens, so it can talk cookies to the user and kerberos to the backend applications.

Now my question: is there something like this for linux?

I just need this basic functionality, and I think I may be able to implement this myself in a few weeks, but I think such a critical application is better done as an open source app (more eyes ecc. ecc. ecc.).

Thank you for any pointers.

From ioplex at gmail.com Wed Nov 19 11:07:36 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 19 Nov 2008 11:07:36 -0500
Subject: Kerberos protocol transition for linux?
In-Reply-To: <492331e7$0$1080$4fafbaef@reader1.news.tin.it>
References: <492331e7$0$1080$4fafbaef@reader1.news.tin.it>
Message-ID: <78c6bd860811190807i28e4fe0fr101c8417c550ee87@mail.gmail.com>

On Tue, Nov 18, 2008 at 4:21 PM, S2 wrote:
> Hallo all!
> In our small corporate we decided some time ago that in our intranet
> "all" (when possible) services we write should use kerberos to
> authenticate the users. This way we can have a central location to store
> all identities and we can propagate the user identity from service to
> service using forwardable tickets (well... this is what kerberos was
> designed for :)).
> As it happens to be, some of our applications need to be accessed from
> the evil internet, and the users accessing them can't access our KDC to
> get a TGT, so we use Microsofts ISA server to make the transition from
> Forms Based authentication to kerberos tickets. Let me explain this part
> just to be sure we are talking about the same stuff: ISA shows the user a
> form asking for a username and a password, uses this credentials to get a
> TGT from the KDC and then uses that ticket to authenticate to the
> applications in our intranet on behalf of the user. ISA keeps a list of
> SSO-Cookie-Values and kerberos tokens, so it can talk cookies to the user
> and kerberos to the backend applications.
> Now my question: is there something like this for linux?

If you have PHP see the link in my sig about Plexcel. It certainly could do what you describe.

Mike

PS: The '.invalid' address in your email actually stops gmail from sending directly to you. You might want to try a valid TLD.

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From some.r at ndom.mail.invalid Wed Nov 19 11:45:35 2008
From: some.r at ndom.mail.invalid (S2)
Date: Wed, 19 Nov 2008 17:45:35 +0100
Subject: Kerberos protocol transition for linux?
In-Reply-To:
References: <492331e7$0$1080$4fafbaef@reader1.news.tin.it>
Message-ID: <492442fa$0$1081$4fafbaef@reader2.news.tin.it>

Michael B Allen wrote:
> If you have PHP see the link in my sig about Plexcel. It certainly
> could do what you describe.

The back end services are a mix of Java, .NET, php and rails apps (on windows and on linux servers), so the proxy should be language independent and not require a module on the application server side.

I am not sure I understood from the pdf how Plexcel works.

All application servers can already speak SPNEGO, so that should be used to forward the Kerberos credentials over HTTP (I did read SPNEGO on that page, but I am not sure how it is used).

So what we would like to do is (fixed font required):

   O
  \|/         +-------------+          +-------------------+
   |  ------> | Magic proxy | ------>  | Protected Service |
  / \  HTTP   +-------------+  SPNEGO  +-------------------+
 User               ^
from the            |
Internet            |
                    v
                 +-----+
                 | KDC |
                 +-----+

Do you think Plexcel could be the "Magic Proxy" Box?

> PS: The '.invalid' address in your email actually stops gmail from
> sending directly to you. You might want to try a valid TLD.

That email account is not valid anyway.

From ioplex at gmail.com Wed Nov 19 14:24:29 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 19 Nov 2008 14:24:29 -0500
Subject: Kerberos protocol transition for linux?
In-Reply-To: <492442fa$0$1081$4fafbaef@reader2.news.tin.it>
References: <492331e7$0$1080$4fafbaef@reader1.news.tin.it> <492442fa$0$1081$4fafbaef@reader2.news.tin.it>
Message-ID: <78c6bd860811191124p1808ec56vf9f3deb452129328@mail.gmail.com>

On Wed, Nov 19, 2008 at 11:45 AM, S2 wrote:
> Michael B Allen wrote:
>> If you have PHP see the link in my sig about Plexcel. It certainly
>> could do what you describe.
>
> The back end services are a mix of Java, .NET, php and rails apps (on
> windows and on linux servers), so the proxy should be language
> independent and not require a module on the application server side.
> I am not sure I understood from the pdf how Plexcel works.
> All application servers can already speak SPNEGO, so that should be used
> to forward the Kerbeos credentials over HTTP (I did read SPNEGO on that
> page, but I am not sure how it is used).
> So what we would like to do is (fixed font required):
>
>    O
>   \|/         +-------------+          +-------------------+
>    |  ------> | Magic proxy | ------>  | Protected Service |
>   / \  HTTP   +-------------+  SPNEGO  +-------------------+
>  User               ^
> from the            |
> Internet            |
>                     v
>                  +-----+
>                  | KDC |
>                  +-----+
>
> Do you think Plexcel could be the "Magic Proxy" Box?

Actually yes, I think Plexcel would work quite well for this.

Basically you would just write a PHP script that presented a logon form and then used plexcel_logon [1] to associate the TGT with the user's session ID. You'll need to use the putenv_krb5ccname option with plexcel_new [2] so that the TGT is saved in a ccache file in the plexcel/tmp directory.

Once you have their TGT in a ccache file, you can use an SPNEGO capable HTTP client like the cURL extension. In the plexcel/examples directory, there's actually an example script that uses the delegated TGT to query another SPNEGO protected page using cURL (note that unlike Plexcel, using cURL to do SPNEGO requires a valid local /etc/krb5.conf).

Then you just need to look at the hostname (or whatever you're using to address second tier requests), build a cURL request with the original request input, send it to the corresponding service and redirect the output of cURL back to the client. Plexcel would also allow you to add nice access control at the proxy level.

Note that you'll be invoking a PHP script with each request. Even though Plexcel is fast and SPNEGO with the second tier is the elephant in the room, a raw pure C proxy like Squid would give you better throughput (albeit with less flexibility).
In practice I think your level of awareness wrt protocol details like pipelining, chunked responses, etc will be important to real world performance of the solution. But at the very least, building your "Magic Proxy" with Plexcel would be an easy way to determine if it is possible and how it can be done in an optimal way. Then you can worry more about performance.

Your "Magic Proxy" idea is actually very interesting. One nice thing about it is that I suspect the script itself should be no more than a few hundred lines of code in one file. If it really works, send it my way and maybe I'll tweak it up and support it like the Plexcel plugins for Joomla! and MediaWiki (note these plugins are good examples of how to use Plexcel correctly).

[1] http://www.ioplex.com/api/plexcel_logon.html
[2] http://www.ioplex.com/api/plexcel_new.html

>> PS: The '.invalid' address in your email actually stops gmail from
>> sending directly to you. You might want to try a valid TLD.
>
> That email account is not valid anyway.

I know but I'm saying gmail actually pops up a dialog that complains the address is invalid. I have to actually remove the bogus address before I can send. If you used @ndom.mail.invalid.net you might improve your chances of getting responses.

Also we're drifting off topic with this thread. Contact me directly with your real address if you have any further questions.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From some.r at ndom.mail.invalid.net Wed Nov 19 16:19:18 2008
From: some.r at ndom.mail.invalid.net (S2)
Date: 19 Nov 2008 21:19:18 GMT
Subject: Kerberos protocol transition for linux?
References: <492331e7$0$1080$4fafbaef@reader1.news.tin.it> <492442fa$0$1081$4fafbaef@reader2.news.tin.it>
Message-ID: <492482d5$0$1071$4fafbaef@reader2.news.tin.it>

On Wed, 19 Nov 2008 14:24:29 -0500, Michael B Allen wrote:

> Also we're drifting off topic with this thread.
> Contact me directly with
> your real address if you have any further questions.

Ok, thanks a lot for your response. I will look into Plexcel as soon as I have some time to implement the Magic Proxy(tm) :)

And thanks for your availability to contact you directly; if I need help or when I am done with the script, I will.

From avison44 at googlemail.com Thu Nov 20 12:29:16 2008
From: avison44 at googlemail.com (Anna)
Date: Thu, 20 Nov 2008 09:29:16 -0800 (PST)
Subject: Missing admin/hosts/users policies in recent krb-server build (RHEL4.5)
Message-ID:

Greetings All,

I built a test kerberos server a month ago & it had some pre-installed account policies. But in duplicating this (prod server & other test servers), no policies!! Can anyone advise?

more info:

I'm new to Kerberos & AFS (AFS being the reason for using Kerberos). I've googled a couple hours about this & can't find any answers.

I'm following instructions for Fedora 9, although I'm using ScientificLinux 4.5 = a clone of RHEL4.5.
http://www.dementia.org/twiki/bin/view/AFSLore/FedoraAFSInstall

On a test server built a month ago, these rpms installed:

root at vlad> rpm -qa | grep krb | sort
krb5-auth-dialog-0.2-1.i386
krb5-devel-1.3.4-54.el4_6.1.i386
krb5-libs-1.3.4-54.el4_6.1.i386
krb5-server-1.3.4-54.el4_6.1.i386
krb5-workstation-1.3.4-54.el4_6.1.i386
krbafs-1.2.2-6.i386
krbafs-devel-1.2.2-6.i386
krbafs-utils-1.2.2-6.i386
openafs-krb5-1.4.6-58.SL4.i386
pam_krb5-2.1.8-1.i386

It is pre-configured with policies admin, hosts, users.

root at vlad> kadmin.local -q "getpols"
Authenticating as principal root/admin at KTEST.PHY with password.
admin
default (I made that one)
hosts
users

In starting work on the real server - same except 64-bit - & after the default policy was made, it was clear it did not come with admin, hosts, users policies!

root at zen> kadmin.local -q "getpols"
Authenticating as principal admin/admin at KREAL.PHY with password.
default

Experiments were made on a 32-bit SL4.5 VM - following (hopefully) the exact same as the first krb server (that has policies) - with the same result - no policies:

root at sl45vm-min> rpm -qa | grep krb | sort
krb5-auth-dialog-0.2-1.i386
krb5-devel-1.3.4-54.el4_6.1.i386
krb5-libs-1.3.4-54.el4_6.1.i386
krb5-server-1.3.4-54.el4_6.1.i386
krb5-workstation-1.3.4-54.el4_6.1.i386
krbafs-1.2.2-6.i386
krbafs-devel-1.2.2-6.i386
openafs-krb5-1.4.6-58.SL4.i386
pam_krb5-2.1.8-1.i386

root at sl45vm-min> kadmin.local -q "getpols"
Authenticating as principal root/admin at KTEST.PHY with password.

The source was downloaded for krb5-1.3.4 from MIT, compiled & installed, configured and... no policies either.

Where might one look for why a server built a month ago has admin, users, hosts policies built in, but any other machine since has none? The policies can be made by hand, but am concerned & puzzled why they are gone.

Many thanks for advice.

From mizmoose at gmail.com Thu Nov 20 14:29:03 2008
From: mizmoose at gmail.com (Esther Filderman)
Date: Thu, 20 Nov 2008 14:29:03 -0500
Subject: CFP: 2009 OpenAFS & Kerberos Best Practices Workshop
Message-ID:

The Sixth Annual International AFS & Kerberos Best Practices Workshop announces the 2009 Call For Participation.

Come talk to your peers about:
* Completed projects
* Best practices
* Work in progress
* Related research
* Theories
* Updates on previous talks
or anything else of note involving AFS and/or Kerberos.

The AFS & Kerberos Best Practices Workshop is a week long conference for the novice and the experienced. The week is filled with two full-day classes introducing AFS and Kerberos plus two and one half days of talks by your peers and colleagues.

The workshop will be held at Stanford University, June 1st to 5th, 2009.
Topics may include, but are not limited to:
* AFS & Kerberos v5
* AFS & Kerberos v5 related tools
* Best practices
* Upgrade strategies
* Benchmarking
* Automation
* Web integration
* Administration delegation
* Work on non-Unix platforms
* Server scaling
* Service monitoring
* Work on new features
* Performance tuning
* Unique methods of AFS and/or Kerberos Backups

The Call for Participation will end Friday January 9, 2009. Acceptances will be made based upon quality, applicability, and fit with other submissions.

We look forward to hearing about your talk!

Submit your talk at: http://workshop.openafs.org/afsbpw09/cfp.html

The Workshop Organizers
http://workshop.openafs.org/

From kgrindley at ll.mit.edu Fri Nov 21 08:06:21 2008
From: kgrindley at ll.mit.edu (Grindley, Karl)
Date: Fri, 21 Nov 2008 08:06:21 -0500
Subject: Mac OS X 10.5 automatic ticket creation tips?
Message-ID:

Greetings,

I'm struggling with what should be a simple problem. I have a number of Macs and users that are authenticating into a kerberos realm. Authentication within the realm works without issue, and so does initial ticket creation on login. I'm using Russ Allbery's krenew package to keep credentials renewed until the user gets a new ticket. Everything works great until the maximum renewable lifetime has expired; then the user must manually kinit to get a new ticket. This is slightly annoying.

However, on linux based systems using PAM, new tickets are requested from the KDC, extending the maximum renewal lifetime every time the user unlocks the console via screen saver. Is there a simple way to do this on the mac (specifically in leopard)? Does anyone have any good suggestions or tips?

Thanks,
Karl

From invitation at mydailyflog.com Fri Nov 21 13:16:55 2008
From: invitation at mydailyflog.com (ramesh rao)
Date: Fri, 21 Nov 2008 12:16:55 -0600
Subject: Check out this photo on MyDailyFlog!
Message-ID: <90a3d2aab63f8c64190c7c0656d07ff6@www.mydailyflog.com>

Hi!
I would like to invite you to visit MyDailyFlog and see my latest photos.

Check out: http://www.mydailyflog.com/go/invite_register/ram2079/18163663

Cheers!
ramesh rao

From edward at murrell.co.nz Fri Nov 21 14:54:22 2008
From: edward at murrell.co.nz (Edward Murrell)
Date: Sat, 22 Nov 2008 08:54:22 +1300
Subject: Mac OS X 10.5 automatic ticket creation tips?
In-Reply-To:
References:
Message-ID: <1227297263.6040.6.camel@fusion>

Hi,

From my notes for 10.4 for doing this a few years ago (at a company that I no longer work for, so my memory may be fuzzy and/or out of date) you need to run through the instructions here:
http://support.apple.com/kb/TA20987?viewlocale=en_US

AND you need to modify the pam files in /etc/pam.d/

Hope that helps some. :/

Edward

From Blake.Duffey at noblis.org Fri Nov 21 15:46:48 2008
From: Blake.Duffey at noblis.org (Duffey, Blake A.)
Date: Fri, 21 Nov 2008 15:46:48 -0500
Subject: MIT Kerberos cross realm authentication with Windows Active Directory
Message-ID:

I have encountered a peculiar problem and would like to know if anyone has seen it (or can duplicate it) and has a work around.

I have a cross-realm trust between a Windows 2008 Active Directory and an MIT Kerberos Realm. The resources (apache, sshd, postgresql) are in the MIT realm and the users are in the AD (at the moment this setup cannot be changed).

While my domain controller is Windows 2008, my current 'client' is a Windows 2003 server.

When I boot the server and logon using a domain ID, the cross realm works great. I log on with an AD account (which is mapped to a Kerberos princ in the MIT realm) and connect using Kerberos-aware clients (putty, Firefox, IE) to resources in the MIT realm. Doing a network capture, I see my client send a request for the tgt to my domain controller, I get the correct ticket which is then passed along, and all is well.

If I log off, and then log back on as the same user (or the screen locks, which on Windows clears the Kerberos cache), the cross realm does NOT work. (In fact, my network capture shows my client asking for host/bobo.mit.realm at MIT.REALM rather than the tgt.)
I have replicated this on different servers and on different AD domains. This is a standard Windows 2003 server install; I have just used ksetup to set the KDC for the MIT realm and implemented a registry hack (see below).

If I use a Windows 2008 server as my client, it works perfectly. The 'ksetup' program in Windows 2008 has a switch called 'AddHostToRealmMap' which does what it sounds like. (I believe this acts like the krb5.conf settings under the [domain_realm] section.) This switch doesn't exist in the Windows 2003 version of ksetup, but MS claims I can add the registry keys thusly:
http://technet.microsoft.com/en-us/library/cc738673.aspx

But it doesn't work after a log off and it doesn't work after a screen lock. If I reboot the machine and log in, it all works again. I am baffled by this behavior and, since I can't be the first person to try to implement this scenario, would love to hear if anyone has any insight.

Thanks and I appreciate your time.

Blake

From deengert at anl.gov Fri Nov 21 16:51:26 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 21 Nov 2008 15:51:26 -0600
Subject: MIT Kerberos cross realm authentication with Windows Active Directory
In-Reply-To:
References:
Message-ID: <49272D5E.1000106@anl.gov>

Duffey, Blake A. wrote:
> I have encountered a peculiar problem and would like to know if anyone has
> seen it (or can duplicate it) and has a work around.
>
> I have a cross-realm trust between a Windows 2008 Active Directory and an
> MIT Kerberos Realm. The resources (apache, sshd, postgresql) are in the MIT
> realm and the users are in the AD (at the moment this setup cannot be
> changed).
>
> While my domain controller is Windows 2008, my current 'client' is a Windows
> 2003 server.

You mean the client machine is W2003, but the Kerberos "client" is a user in AD?

> When I boot the server and logon using a domain ID,

Do you give DOMAIN\user or user at DOMAIN or user at MITrealm or just user?
Can you try other combinations?

> the cross
> realm works great. I log on with an AD account (which is mapped to a
> Kerberos princ in the MIT realm)

But you said the users were in AD.

So why did you map the princ to the MIT realm? This would only be used if the users were in the MIT realm, if you did not want AD to do the Kerberos AS processing but have the user get the TGT from the MIT realm.
Are you sure you want to do the princ mapping?

> and connect using Kerberos-aware clients
> (putty, Firefox, IE) to resources in the MIT realm.

Which PuTTY? Is putty using the MS SSPI or the GSSAPI from MIT Kerberos For Windows? i.e. what kerberos libs and which krb5 configuration is being used to get the service ticket, krb5.ini or the Registry as set by ksetup?

> Doing a network
> capture, I see my client send a request for the tgt to my domain controller,
> I get the correct ticket which is then passed along, and all is well.
>
> If I log off, and then log back on as the same user (or the screen locks,
> which on Windows clears the Kerberos cache), the cross realm does NOT work.
> (in fact, my network capture shows my client asking for
> host/bobo.mit.realm at MIT.REALM rather than the tgt).

I assume these are obfuscated names. Does the real DNS name match the MIT realm name? Is bobo the name of your "client" Windows 2003 server or the name of resource machines?

> I have replicated this
> on different servers and on different AD domains. This is a standard
> Windows 2003 server install, I have just used ksetup to set the KDC for the
> MIT realm and implemented a registry hack (see below).
>
> If I use a Windows 2008 server as my client, it works perfectly.
> The
> 'ksetup' program in Windows 2008 has a switch called 'AddHostToRealmMap'
> which does what it sounds like. (I believe this acts like the krb5.conf
> settings under the [domain_realm] section). This switch doesn't exist in
> the Windows 2003 version of ksetup, but MS claims I can add the registry
> keys thusly: http://technet.microsoft.com/en-us/library/cc738673.aspx
>
> But it doesn't work after a log off and it doesn't work after a screen lock.
> If I reboot the machine and log in, it all works again. I am baffled by
> this behavior and, since I can't be the first person to try to implement
> this scenario, would love to hear if anyone has any insight.
>

Does this work in an XP client machine?

> Thanks and I appreciate your time.
>
> Blake
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From stephenpince at gmail.com Fri Nov 21 15:24:03 2008
From: stephenpince at gmail.com (Steve)
Date: Fri, 21 Nov 2008 12:24:03 -0800 (PST)
Subject: gss_krb5_ccache_name
Message-ID: <1f81fe1e-d268-4610-b728-47c3cad1f195@k8g2000yqn.googlegroups.com>

I have a memory leak in the function call gss_krb5_ccache_name. I am using kfw-3-2-2-final on win32. It is a multi-threaded application and I am using the api as follows.

major_status = gss_krb5_ccache_name(&minor_status, krb5->ccache_name, NULL);
:
major_status = gss_init_sec_context(&minor_status, ...)

How am I supposed to clean up? I have also tried the following:

major_status = gss_krb5_ccache_name(&minor_status, krb5->ccache_name, &old_name);
:
major_status = gss_init_sec_context(&minor_status, ...)
:
major_status = gss_krb5_ccache_name(&minor_status, old_name, NULL);

Here is a profile of my memory leaking. A user is a thread with 4 additional threads.
Run 2 - 10 users/2 minutes - 4 threads...1164 Bytes leaking
Run 3 - 10 users/5 minutes - 4 threads...2424 Bytes leaking
Run 4 - 10 users/10 minutes - 4 threads...4428 Bytes leaking
Run 5 - 10 users/15 minutes - 4 threads...6660 Bytes leaking

purify dump:

[I] Summary of all memory leaks... {600 bytes, 50 blocks}
[W] MLK: Memory leak of 600 bytes from 50 blocks allocated in wcscat [MSVCR71.DLL]
    Distribution of leaked blocks
      600 bytes from 50 blocks of 12 bytes (first block: 0x003f2f78)
    Allocation location
      HeapAlloc            [C:\WINDOWS\system32\KERNEL32.DLL]
      wcscat               [C:\WINDOWS\SYSTEM32\MSVCR71.DLL]
      Curl_input_negotiate [C:\work\flood_openload\flood_negotiate.c:240]
        krb5_lock();
        if( neg_ctx->context == GSS_C_NO_CONTEXT){
          locked = 1;
    =>    major_status =gss_krb5_ccache_name (&minor_status,krb5->ccache_name, NULL);

From srinivas.cheruku at gmail.com Mon Nov 24 05:19:00 2008
From: srinivas.cheruku at gmail.com (Srinivas Cheruku)
Date: Mon, 24 Nov 2008 15:49:00 +0530
Subject: Client Referral Support
In-Reply-To: <486507D0.2030409@secure-endpoints.com>
References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain> <486507D0.2030409@secure-endpoints.com>
Message-ID: <492a7f95.0616300a.3901.fffff077@mx.google.com>

Hi Jeffrey Altman,

From your reply to email with subject "Question about dns_lookup_realm and domain_realm":

> > > > Do we have information on which clients support referrals ?
> > > > And are they implemented in MIT KDC (and how) ?
> > >
> > > Heimdal, MIT, and Microsoft support referrals as implemented in Windows
> > > Active Directory.
> > > The IETF Kerberos working group is still working on an RFC for
> > > referrals.
> >
> > http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-referrals-10.txt
> >
> > Jeffrey Altman

I don't see principal name type NT-ENTERPRISE or Kerberos error code KDC_ERR_WRONG_REALM supported by the MIT krb5-1.6.3 code. Does this mean the Client Referrals (e.g. trying to authenticate and get a TGT using an email id that is unique across the organization and not the actual client principal name) are not supported by MIT?

But I see that KRB5_PADATA_REFERRAL (assume same as PA-SERVER-REFERRAL=25 from draft-ietf-krb-wg-kerberos-referrals-10) is used in the code.

#define KRB5_PADATA_REFERRAL 25 /* draft referral system */

Does this mean only Server Referrals are supported by MIT code and not Client Referrals? Any clients other than MS supporting Client Referral at the moment?

Thanks,
Srini

From Blake.Duffey at noblis.org Mon Nov 24 09:02:41 2008
From: Blake.Duffey at noblis.org (Duffey, Blake A.)
Date: Mon, 24 Nov 2008 09:02:41 -0500
Subject: MIT Kerberos cross realm authentication with Windows Active Directory
In-Reply-To: <49272D5E.1000106@anl.gov>
References: <49272D5E.1000106@anl.gov>
Message-ID:

Thanks for your reply Douglas. Sorry if I was unclear, I'll try to clarify.

The user ID exists in AD. The resources I want to access exist in the MIT realm. I log on to my Windows 2003 server using an ID/password which exists in AD (effectively it is ADDOMAIN\user). I have a one-way trust between my AD and my MIT realm (the user blake at ADDOMAIN is mapped to blake at MITrealm under NAME MAPPINGS in AD). As I understand it this is the correct way to handle SSO when the users are in the AD and the resources are in the MIT realm. If there is a better way I'd love to hear it.

I am using a PuTTY which uses the MS SSPI, as well as Firefox configured to use SSPI, as well as IE (so everything is coming from the registry as configured by ksetup). I don't even have Kerberos for Windows installed (although I am open to that if I can get this working).

Yes, those are obfuscated.
"bobo" is the name of the resource machine. The DNS name of the resource server matches the realm name, yes. The names of the AD domain and MIT resource realm are not the same, however. I haven't tried an XP machine as my current production configuration demands a server (it is a terminal services configuration). I appreciate any insight that can be provided. -----Original Message----- From: Douglas E. Engert [mailto:deengert at anl.gov] Sent: Friday, November 21, 2008 4:51 PM To: Duffey, Blake A. Cc: kerberos at mit.edu Subject: Re: MIT Kerberos cross realm authentication with Windows Active Directory Duffey, Blake A. wrote: > I have encountered a peculiar problem and would like to know if anyone > has seen it (or can duplicate it) and has a work around. > > I have a cross-realm trust between a Windows 2008 Active Directory and > an MIT Kerberos Realm. The resources (apache, sshd, postgresql) are > in the MIT realm and the users are in the AD (at the moment this setup > cannot be changed). > > While my domain controller is Windows 2008, my current 'client' is a > Windows > 2003 server. You mean the client machine is W2003, but the Kerberos "client" is a user in AD? > When I boot the server and logon using a domain ID, Do you give DOMAIN\user or user at DOMAIN or user at MITrealm or just user? Can you try other combinations? > the cross > realm works great. I log on with an AD account (which is mapped to a > Kerberos princ in the MIT realm) But you said the user's were in AD. So why did you map the princ to the MIT realm? This would only be used if the user's were in the MIT realm if you did not want AD to do the Kerberos AS processing but have the user get the TGT from the MIT realm. Are you sure you want to do the princ mapping? > and connect using Kerberos-aware clients (putty, Firefox, IE) to > resources in the MIT realm. Which PuTTY? Is putty using the MS SSPI or the GSSAPI from MIT Kerberos For Windows? i.e. 
what kerberos libs and which krb5 configuration is being used to get the service ticket, krb5.ini or the Registry as set by ksetup? > Doing a network > capture, I see my client send a request for the tgt to my domain > controller, I get the correct ticket which is then passed along, and all is well. > > If I log off, and then log back on as the same user (or the screen > locks, which on Windows clears the Kerberos cache), the cross realm does NOT work. > (in fact, my network capture shows my client asking for > host/bobo.mit.realm at MIT.REALM rather than the tgt). I assume these are obfuscated names. Does the real DNS name match the MIT realm name? Is bobo the name of your "client" Windows 2003 server or the name of resource machines? I have replicated this > on different servers and on different AD domains. This is a standard > Windows 2003 server install, I have just used ksetup to set the KDC > for the MIT realm and implemented a registry hack (see below). > > If I use a Windows 2008 server as my client, it works perfectly. The > 'ksetup' program in Windows 2008 has a switch called 'AddHostToRealmMap' > which does what it sounds like. (I believe this acts like the > krb5.conf settings under the [domain_realm] section). This switch > doesn't exist in the Windows 2003 version of ksetup, but MS claims I > can add the registry keys thusly: > http://technet.microsoft.com/en-us/library/cc738673.aspx > > But it doesn't work after a log off and it doesn't work after a screen lock. > If I reboot the machine and log in, it all works again. I am baffled > by this behavior and, since I can't be the first person to try to > implement this scenario, would love to hear if anyone has any insight. > Does this work in an XP client machine? > Thanks and I appreciate your time. 
> > Blake > > > > > > ---------------------------------------------------------------------- > -- > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 8271 bytes Desc: not available Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20081124/86e6bb5c/smime.bin From raeburn at MIT.EDU Mon Nov 24 11:18:29 2008 From: raeburn at MIT.EDU (Ken Raeburn) Date: Mon, 24 Nov 2008 11:18:29 -0500 Subject: Client Referral Support In-Reply-To: <492a7f95.0616300a.3901.fffff077@mx.google.com> References: <20080626214129.GB76461@lizzy.catnook.local> <20080627030434.GA7120@lizzy.catnook.local> <48647221.8010103@secure-endpoints.com> <20080627053759.GB7120@lizzy.catnook.local> <48648151.50403@secure-endpoints.com> <1214579831.3822.276.camel@localhost.localdomain> <486507D0.2030409@secure-endpoints.com> <492a7f95.0616300a.3901.fffff077@mx.google.com> Message-ID: <0C4E8CB6-C916-4827-8D1A-77F4BAE7D124@mit.edu> On Nov 24, 2008, at 05:19, Srinivas Cheruku wrote: > Does this mean only Server Referrals are supported by MIT code and not > Client Referrals? That's correct. Ken From deengert at anl.gov Mon Nov 24 11:50:39 2008 From: deengert at anl.gov (Douglas E. Engert) Date: Mon, 24 Nov 2008 10:50:39 -0600 Subject: MIT Kerberos cross realm authentication with Windows Active Directory In-Reply-To: References: <49272D5E.1000106@anl.gov> Message-ID: <492ADB5F.6060709@anl.gov> Duffey, Blake A. wrote: > Thanks for your reply Douglas. Sorry if I was unclear, I'll try to clarify. > The user ID exists in AD. The resources I want to access exist in the MIT > realm. 
> I log on to my Windows 2003 server using an ID/password which exists
> in AD (effectively it is ADDOMAIN\user). I have a one-way trust between my
> AD and my MIT realm (the user blake at ADDOMAIN is mapped to blake at MITrealm
> under NAME MAPPINGS in AD). As I understand it this is the correct way to
> handle SSO when the users are in the AD and the resources are in the MIT
> realm.

This might be the problem. The user principals are not needed in the MIT realm and the name mappings are not needed in AD. Only the service principals are in the MITrealm.

The name mappings in AD were to allow AD to use an external Kerberos realm for authentication. Some sites had preexisting Kerberos realms before AD, and wanted to continue to use the Kerberos realm for authentication, but use AD only for authorization. So if AD saw a request for a cross realm ticket from an MIT user, it could map this to a local account in AD and could add the PAC to the cross realm TGT.

> If there is a better way I'd love to hear it.
>
> I am using a PuTTY which uses the MS SSPI, as well as Firefox configured to
> use SSPI, as well as IE (so everything is coming from the registry as
> configured by ksetup). I don't even have Kerberos for Windows installed
> (although I am open to that if I can get this working).
>

So the user at ADDOMAIN has a ticket for krbtgt at ADDOMAIN, and when it tries to get a ticket for:

  host/bobo.mit.realm

the client lib has to figure out what realm the host is in. Once it figures out the realm is MITrealm, the lib then needs to get a cross realm TGT:

  krbtgt/MITrealm at ADDOMAIN

from AD. This TGT can then be used to get the service ticket for

  host/bobo.mit.realm at MITrealm

from the MITrealm.

The issue is how the client lib determines the realm of bobo. The Microsoft SSPI can use "referrals" to ask the user's AD what realm. The SSPI can also be passed the realm, as SSPI can be passed "host at bobo.mit.realm@MITrealm". It might now be able to use the registry HostToRealm.
When we were running an AD and MIT realm like you, the MIT client lib code on the other hand did not understand referrals, or the HostToRealm registry, but used the krb5.ini [domain_realm] section. ("referrals" are being added.) And the gssapi name routines could only accept "host at bobo.mit.realm".

We also used a PuTTY that could use either SSPI or the MIT gssapi, and the PuTTY had an option for providing the server realm to pass to SSPI.

But today the users and servers are all defined in AD, and we don't have an external MIT realm.

If you have not seen the W2000 document on Kerberos and Windows interoperability, it is worth reading as it covers a lot of these issues.
http://technet.microsoft.com/en-us/library/bb742433.aspx

> Yes, those are obfuscated. "bobo" is the name of the resource machine. The
> DNS name of the resource server matches the realm name, yes. The names of
> the AD domain and MIT resource realm are not the same, however. I haven't
> tried an XP machine as my current production configuration demands a server
> (it is a terminal services configuration).
>
> I appreciate any insight that can be provided.

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From rich.mcdonough at worldgaming.com Wed Nov 26 21:41:42 2008
From: rich.mcdonough at worldgaming.com (Rich McDonough)
Date: Wed, 26 Nov 2008 21:41:42 -0500
Subject: Trouble with service principal missing its realm
Message-ID: <9050CEE9-E490-447D-BD59-4F2F9FF21775@worldgaming.com>

I'm having a strange issue that is proving very troublesome to diagnose, and I've been unable to reproduce it on another network. We're working toward rolling out Kerberos and OpenLDAP on our staging and production networks shortly, but are having a strange issue that is likely simple to solve, but still eludes us.
In short, our service principals look like this after trying to do an ldapwhoami or other such operations, and incidentally maybe the cause of an issue with mod_auth_kerb as well (though I won't stray into that right now):

staging [richm at mail ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: joe at STAGING.WG

Valid starting     Expires            Service principal
11/27/08 02:11:09  11/28/08 02:10:41  krbtgt/STAGING.WG at STAGING.WG
11/27/08 02:11:57  11/28/08 02:10:41  ldap/db.wg@

The missing @STAGING.WG seems to be causing issues with GSSAPI and LDAP as they are (rightly, I believe) returning an error 144 (wrong principal in request). I'm fairly sure that this is a configuration issue of course, and not really sure how I'm getting a service principal like this in the first place.

Here's our krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = STAGING.WG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 STAGING.WG = {
  kdc = db.wg:88
  admin_server = db.wg:749
  default_domain = staging.wg
 }

[domain_realm]
 .staging.wg = STAGING.WG
 staging.wg = STAGING.WG

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Also, lookups for hosts work both forward and reverse without issue, /etc/hosts files are in good shape and hostnames are certainly right.
LDAP and Kerberos are both running on the same host (db), and the /etc/krb5.keytab looks like this, and has been made world-readable (though once things are working I obviously want to move the ldap service principal to its own keytab):

staging [root@db richm]# klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/db.wg@STAGING.WG (DES cbc mode with CRC-32)
   3 ldap/db.wg@STAGING.WG (Triple DES cbc mode with HMAC/sha1)
   3 ldap/db.wg@STAGING.WG (DES cbc mode with CRC-32)

Finally, here is the kdc.conf from our system:

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 STAGING.WG = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  #supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
 }

We're running CentOS 5.2 x64.

Thank you for any assistance that you can give us!

Rich McDonough

From jaltman at secure-endpoints.com Thu Nov 27 04:00:57 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 27 Nov 2008 04:00:57 -0500
Subject: Trouble with service principal missing its realm
In-Reply-To: <9050CEE9-E490-447D-BD59-4F2F9FF21775@worldgaming.com>
References: <9050CEE9-E490-447D-BD59-4F2F9FF21775@worldgaming.com>
Message-ID: <492E61C9.6020406@secure-endpoints.com>

A service ticket in the credential cache without a realm name is a service ticket that was obtained using server side referrals. The actual realm name was not specified by the client when requesting the service ticket. Your domain_realm mappings provide the client a mapping of all hosts in the staging.wg domain as being part of the STAGING.WG realm.
However, the hostname db.wg is not covered by that mapping. As a result, server side referrals are used when requesting the service ticket. You could work around the problem by providing in the krb5.conf file a mapping for .wg or db.wg to the STAGING.WG realm.

However, it would be useful to determine exactly which piece of code is generating the error you are receiving. Whichever it is, it needs to be fixed to deal with server side referrals.

Jeffrey Altman

Rich McDonough wrote:
> I'm having a strange issue that is proving very troublesome to
> diagnose, and I've been unable to reproduce it on another network.
> We're working toward rolling-out Kerberos and OpenLDAP on our staging
> and production networks shortly, but are having a strange issue that
> is likely simple to solve, but still eludes us.
>
> In short, our service principals look like this after trying to do an
> ldapwhoami or other such operations, and incidentally maybe the cause
> of an issue with mod_auth_kerb as well (though I won't stray into that
> right now):
>
> staging [richm@mail ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: joe@STAGING.WG
>
> Valid starting     Expires            Service principal
> 11/27/08 02:11:09  11/28/08 02:10:41  krbtgt/STAGING.WG@STAGING.WG
> 11/27/08 02:11:57  11/28/08 02:10:41  ldap/db.wg@
>
> The missing @STAGING.WG seems to be causing issues with GSSAPI and
> LDAP as they are (rightly, I believe) returning an error 144 (wrong
> principal in request). I'm fairly sure that this is a configuration
> issue of course, and not really sure how I'm getting a service
> principal like this in the first place.
> Here's our krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = STAGING.WG
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  STAGING.WG = {
>   kdc = db.wg:88
>   admin_server = db.wg:749
>   default_domain = staging.wg
>  }
>
> [domain_realm]
>  .staging.wg = STAGING.WG
>  staging.wg = STAGING.WG
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> Also, lookups for hosts work both forward and reverse without issue,
> /etc/hosts files are in good shape and hostnames are certainly right.
> LDAP and Kerberos are both running on the same host (db), and the
> /etc/krb5.keytab looks like this, and has been made world-readable (though
> once things are working I obviously want to move the ldap service
> principal to its own keytab):
>
> staging [root@db richm]# klist -ek /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    7 host/db.wg@STAGING.WG (DES cbc mode with CRC-32)
>    3 ldap/db.wg@STAGING.WG (Triple DES cbc mode with HMAC/sha1)
>    3 ldap/db.wg@STAGING.WG (DES cbc mode with CRC-32)
>
> Finally, here is the kdc.conf from our system:
>
> [kdcdefaults]
>  v4_mode = nopreauth
>  kdc_tcp_ports = 88
>
> [realms]
>  STAGING.WG = {
>   #master_key_type = des3-hmac-sha1
>   acl_file = /var/kerberos/krb5kdc/kadm5.acl
>   dict_file = /usr/share/dict/words
>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>   #supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
>   supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>  }
>
> We're running CentOS 5.2 x64.
> Thank you for any assistance that you can give us!
>
> Rich McDonough

From Tim.Alsop at CyberSafe.com Thu Nov 27 04:26:15 2008
From: Tim.Alsop at CyberSafe.com (Tim Alsop)
Date: Thu, 27 Nov 2008 09:26:15 +0000
Subject: Trouble with service principal missing its realm
In-Reply-To: <492E61C9.6020406@secure-endpoints.com>
References: <9050CEE9-E490-447D-BD59-4F2F9FF21775@worldgaming.com> <492E61C9.6020406@secure-endpoints.com>
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E4902A10@exchange.cybersafe.local>

Jeffrey,

Regarding:
> A service ticket in the credential cache without a realm name
> is a service ticket that was obtained using server side referrals.
> The actual realm name was not specified by the client when
> requesting the service ticket.

[Tim Alsop] Is the fact that there is no realm a bug, or is the cache supposed to contain tickets without a realm in this scenario? Surely if the actual realm was not specified, when the actual realm is determined by the KDC and the ticket issued, this realm should be used when putting the ticket in the client cache? If not, why not?
Thanks,
Tim

From rich.mcdonough at worldgaming.com Thu Nov 27 06:47:30 2008
From: rich.mcdonough at worldgaming.com (Rich McDonough)
Date: Thu, 27 Nov 2008 06:47:30 -0500
Subject: Trouble with service principal missing its realm
In-Reply-To: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E4902A10@exchange.cybersafe.local>
References: <9050CEE9-E490-447D-BD59-4F2F9FF21775@worldgaming.com> <492E61C9.6020406@secure-endpoints.com> <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E4902A10@exchange.cybersafe.local>
Message-ID: <3936275F-8F3E-4115-A593-42E833B65BA7@worldgaming.com>

That's an excellent question. Jeffrey is right though - adding this to my krb5.conf fixed the realm issue:

[domain_realm]
 .staging.wg = STAGING.WG
 staging.wg = STAGING.WG
 .wg = STAGING.WG
 wg = STAGING.WG

staging [joe@nms ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: joe@STAGING.WG

Valid starting     Expires            Service principal
11/27/08 11:41:29  11/28/08 11:40:46  krbtgt/STAGING.WG@STAGING.WG
11/27/08 11:41:41  11/28/08 11:40:46  ldap/db.wg@STAGING.WG

On 27-Nov-08, at 4:26 AM, Tim Alsop wrote:
> Jeffrey,
>
> Regarding:
>
>> A service ticket in the credential cache without a realm name
>> is a service ticket that was obtained using server side referrals.
>> The actual realm name was not specified by the client when
>> requesting the service ticket.
>
> [Tim Alsop] Is the fact that there is no realm a bug, or is the
> cache supposed to contain tickets without a realm in this scenario?
> Surely if the actual realm was not specified, when the actual realm is
> determined by the KDC and the ticket issued, this realm should be used when
> putting the ticket in the client cache? If not, why not?
>
> Thanks,
> Tim

Rich McDonough
System Administrator
Worldgaming
rich.mcdonough at worldgaming.com

From kevin.doran at accenture.com Fri Nov 28 12:41:38 2008
From: kevin.doran at accenture.com (kevin.doran@accenture.com)
Date: Fri, 28 Nov 2008 09:41:38 -0800 (PST)
Subject: KVNO/Keytab Question
Message-ID: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com>

Hi,

I'm hoping someone can help. We are having issues using SPNEGO. Our problem seems to be the one defined on:
http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=swg21259123&loc=en_US&cs=UTF-8&lang=en

When we try to login, our browsers pass the following ticket information:

Ticket
    Tkt-vno: 5
    Realm: DWPPTP.LONDONDC.COM
    Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
        Name-type: Service and Instance (2)
        Name: HTTP
        Name: ettloadbalancer.dwpptp.londondc.com
    enc-part des-cbc-md5
        Encryption type: des-cbc-md5 (3)
        Kvno: 4
        enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...

The Kvno is 4, yet when performing a klist on the keytab file:

ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/ettloadbalancer.dwpptp.londondc.com@DWPPTP.LONDONDC.COM

We have followed the recommendation of recreating the keytab file and this has changed the KVNO number in the keytab file. However the KVNO passed by the browser does not match - how does this value get set?

Any help is appreciated

Regards
Kev

From res at qoxp.net Fri Nov 28 22:21:24 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Fri, 28 Nov 2008 22:21:24 -0500
Subject: KVNO/Keytab Question
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com>
Message-ID:

>>>>> "KD" == kevin doran writes:

    KD> Hi, I'm hoping someone can help.
    KD> We are having issues using
    KD> SPNEGO. Our problem seems to be the one defined on:
    KD> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=swg21259123&loc=en_US&cs=UTF-8&lang=en

    KD> When we try to login, our browsers pass the following ticket
    KD> information:

    KD> Ticket
    KD>     Tkt-vno: 5
    KD>     Realm: DWPPTP.LONDONDC.COM
    KD>     Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
    KD>         Name-type: Service and Instance (2)
    KD>         Name: HTTP
    KD>         Name: ettloadbalancer.dwpptp.londondc.com
    KD>     enc-part des-cbc-md5
    KD>         Encryption type: des-cbc-md5 (3)
    KD>         Kvno: 4
    KD>         enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...

    KD> The Kvno is 4, yet when performing a klist on the keytab file:

    KD> ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    KD> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    KD> KVNO Principal
    KD> ---- --------------------------------------------------------------------------
    KD>    3 HTTP/ettloadbalancer.dwpptp.londondc.com@DWPPTP.LONDONDC.COM

    KD> We have followed the recommendation of recreating the keytab file
    KD> and this has changed the KVNO number in the keytab file. However
    KD> the KVNO passed by the browser does not match - how does this
    KD> value get set?

You need to purge the ccache on the client machine so that it obtains a new, matching ticket from the KDC.

    KD> Any help is appreciated

    KD> Regards

    KD> Kev

--
  Richard Silverman
  res at qoxp.net

From kevin.doran at accenture.com Sat Nov 29 03:32:35 2008
From: kevin.doran at accenture.com (kevin.doran@accenture.com)
Date: Sat, 29 Nov 2008 00:32:35 -0800 (PST)
Subject: KVNO/Keytab Question
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com>
Message-ID: <6221aade-3942-48ad-91c1-a835d4898c1d@x14g2000yqk.googlegroups.com>

On 29 Nov, 03:21, "Richard E. Silverman" wrote:
> >>>>> "KD" == kevin doran writes:
>
>     KD> Hi, I'm hoping someone can help.  We are having issues using
>     KD> SPNEGO. Our problem seems to be the one defined on:
>     KD> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
>
>     KD> When we try to login, our browsers pass the following ticket
>     KD> information:
>
>     KD> Ticket
>     KD>     Tkt-vno: 5
>     KD>     Realm: DWPPTP.LONDONDC.COM
>     KD>     Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
>     KD>         Name-type: Service and Instance (2)
>     KD>         Name: HTTP
>     KD>         Name: ettloadbalancer.dwpptp.londondc.com
>     KD>     enc-part des-cbc-md5
>     KD>         Encryption type: des-cbc-md5 (3)
>     KD>         Kvno: 4
>     KD>         enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>
>     KD> The Kvno is 4, yet when performing a klist on the keytab file:
>
>     KD> ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
>     KD> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
>     KD> KVNO Principal
>     KD> ---- --------------------------------------------------------------------------
>     KD>    3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
>
>     KD> We have followed the recommendation of recreating the keytab file
>     KD> and this has changed the KVNO number in the keytab file. However
>     KD> the KVNO passed by the browser does not match - how does this
>     KD> value get set?
>
> You need to purge the ccache on the client machine so that it obtains a
> new, matching ticket from the KDC.
>
>     KD> Any help is appreciated
>
>     KD> Regards
>
>     KD> Kev
>
> --
>   Richard Silverman
>   r... at qoxp.net

Thanks Richard, is that done using the "C:\Program Files\Resource Kit\KLIST.EXE" purge command? If so, I have tried this but it still isn't working

From res at qoxp.net Sun Nov 30 12:30:57 2008
From: res at qoxp.net (Richard E. Silverman)
Date: Sun, 30 Nov 2008 12:30:57 -0500
Subject: KVNO/Keytab Question
References: <5eea5ac7-a68f-4e3c-a9ac-f372b197de4b@u14g2000yqg.googlegroups.com> <6221aade-3942-48ad-91c1-a835d4898c1d@x14g2000yqk.googlegroups.com>
Message-ID:

>>>>> "KD" == kevin doran writes:

    KD> On 29 Nov, 03:21, "Richard E. Silverman" wrote:
    >> >>>>> "KD" == kevin doran writes:
    >>
    >>     KD> Hi, I'm hoping someone can help.  We are having issues
    >>     KD> using SPNEGO. Our problem seems to be the one defined on:
    >>     KD> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
    >>
    >>     KD> When we try to login, our browsers pass the following
    >>     KD> ticket information:
    >>
    >>     KD> Ticket
    >>     KD>     Tkt-vno: 5
    >>     KD>     Realm: DWPPTP.LONDONDC.COM
    >>     KD>     Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
    >>     KD>         Name-type: Service and Instance (2)
    >>     KD>         Name: HTTP
    >>     KD>         Name: ettloadbalancer.dwpptp.londondc.com
    >>     KD>     enc-part des-cbc-md5
    >>     KD>         Encryption type: des-cbc-md5 (3)
    >>     KD>         Kvno: 4
    >>     KD>         enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
    >>
    >>     KD> The Kvno is 4, yet when performing a klist on the keytab
    >>     KD> file:
    >>
    >>     KD> ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    >>     KD> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    >>     KD> KVNO Principal
    >>     KD> ---- --------------------------------------------------------------------------
    >>     KD>    3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
    >>
    >>     KD> We have followed the recommendation of recreating the
    >>     KD> keytab file and this has changed the KVNO number in the
    >>     KD> keytab file. However the KVNO passed by the browser does
    >>     KD> not match - how does this value get set?
    >>
    >> You need to purge the ccache on the client machine so that it
    >> obtains a new, matching ticket from the KDC.
    >>
    >>     KD> Any help is appreciated
    >>
    >>     KD> Regards
    >>
    >>     KD> Kev
    >>
    >> --
    >>   Richard Silverman
    >>   r... at qoxp.net

    KD> Thanks Richard, is that done using the "C:\Program Files\Resource
    KD> Kit\KLIST.EXE" purge command? If so, I have tried this but it
    KD> still isn't working

Do all of the following match?

* kvno reported by "getprinc" in kadmin
* kvno in the keytab file
* kvno in the ticket supplied by the browser

What are you using on the server side, Apache + mod_auth_kerb? If so, what are the log messages emitted by mod_auth_kerb?

--
  Richard Silverman
  res at qoxp.net
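The missing-realm ticket in the "Trouble with service principal missing its realm" thread above comes down to how the client walks the [domain_realm] section before it gives up and asks the KDC for a referral. The Python below is an added example, not code from the thread or from MIT krb5: it parses the [domain_realm] section of Rich's krb5.conf, before and after his fix, and applies the candidate order MIT krb5 documents for that lookup (the full host name, then each parent domain with and then without a leading dot). The helper names (parse_domain_realm, realm_candidates, host_realm, service_principal) are this example's own, and the empty realm it returns stands in for the referral case that produced the ldap/db.wg@ entry in klist.

```python
"""Added example: [domain_realm] lookup as an MIT-style krb5 client does it.

Not code from the mailing-list thread or from MIT krb5. The config text
and host names are the ones posted in the thread; the helper names are
this example's own.
"""
import re

# [domain_realm] as originally posted (constructed string so this runs
# offline): only hosts under staging.wg are mapped.
KRB5_CONF_BEFORE = """
[libdefaults]
 default_realm = STAGING.WG

[domain_realm]
 .staging.wg = STAGING.WG
 staging.wg = STAGING.WG
"""

# The two relations Rich added so that db.wg maps to STAGING.WG as well.
KRB5_CONF_AFTER = KRB5_CONF_BEFORE + """ .wg = STAGING.WG
 wg = STAGING.WG
"""


def parse_domain_realm(conf_text):
    """Return {name: REALM} from the [domain_realm] section of a krb5.conf.

    Minimal parser: tracks the current [section] header and collects the
    'key = value' relations inside [domain_realm]. Keys are lower-cased
    because MIT krb5 expects lower-case host and domain names there.
    """
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_candidates(hostname):
    """Names tried for host a.b.c.d, in order:
    a.b.c.d, .b.c.d, b.c.d, .c.d, c.d, .d, d
    (MIT's documented order: exact host, then each parent domain with a
    leading dot, then without)."""
    labels = hostname.lower().rstrip(".").split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        yield "." + parent
        yield parent


def host_realm(hostname, mapping):
    """Return the mapped realm, or None when no relation matches and the
    client has to fall back to a KDC referral (the db.wg case)."""
    for name in realm_candidates(hostname):
        if name in mapping:
            return mapping[name]
    return None


def service_principal(service, hostname, mapping):
    """Principal the client uses for its TGS-REQ. With no mapping the
    realm part is left empty, which is what 'ldap/db.wg@' in the klist
    output of the original post shows."""
    realm = host_realm(hostname, mapping) or ""
    return "%s/%s@%s" % (service, hostname, realm)


if __name__ == "__main__":
    for label, conf in (("before", KRB5_CONF_BEFORE), ("after", KRB5_CONF_AFTER)):
        m = parse_domain_realm(conf)
        print(label, service_principal("ldap", "db.wg", m),
              service_principal("host", "mail.staging.wg", m))
```

Run as-is it prints the referral form for db.wg with the original section and the fully qualified principal once the .wg relation is present, while a host under staging.wg resolves either way. The practical check before rolling out: feed every service host you expect clients to contact through host_realm with your real [domain_realm] section and look for None results.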
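For the "KVNO/Keytab Question" thread, the keytab side of Richard's checklist (kvno in kadmin, in the keytab, in the ticket) can be checked mechanically rather than by eye. The Python below is an added example, not code from the thread: it serializes and parses the MIT keytab file format (version 0x0502, big-endian entries, with the optional 32-bit vno trailer that overrides the 8-bit vno byte) and compares each entry's kvno and enctype with the values seen in the browser's ticket. The keytab bytes are constructed in the example from the principal and kvno values Kev posted (kvno 3 in the keytab; kvno 4 and des-cbc-md5, enctype 3, in the ticket); the key material is a placeholder and the function names are this example's own.

```python
"""Added example: parse an MIT v2 (0x0502) keytab and diagnose a kvno
mismatch against the kvno/enctype carried in a service ticket.

Not code from the thread. Keytab contents are constructed below from the
principal and kvno values posted in the thread; the key bytes are dummies.
"""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    name_type: int      # e.g. 1 = KRB5_NT_PRINCIPAL
    timestamp: int      # seconds since the epoch
    kvno: int
    enctype: int        # 3 = des-cbc-md5, as in the posted ticket dump
    key: bytes


def _counted(data, pos):
    """Parse a counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialize entries in the MIT keytab v2 layout (all big-endian)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, _, realm = e.principal.partition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)        # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a v2 keytab. A negative entry size is a hole left by a
    removed entry and is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                       # 32-bit vno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def explain_mismatch(ticket_principal, ticket_kvno, ticket_enctype, entries):
    """None if some keytab entry can decrypt the ticket, else a diagnosis."""
    matching = [e for e in entries if e.principal == ticket_principal]
    if not matching:
        return "no keytab entry for %s" % ticket_principal
    for e in matching:
        if e.kvno == ticket_kvno and e.enctype == ticket_enctype:
            return None
    have = sorted({(e.kvno, e.enctype) for e in matching})
    return "ticket kvno=%d enctype=%d, keytab has (kvno, enctype) in %s" % (
        ticket_kvno, ticket_enctype, have)


def demo():
    """Reproduce the posted situation: keytab kvno 3, ticket kvno 4."""
    spn = "HTTP/ettloadbalancer.dwpptp.londondc.com@DWPPTP.LONDONDC.COM"
    kt = build_keytab([KeytabEntry(spn, 1, 1227700000, 3, 3, b"\x01" * 8)])
    return explain_mismatch(spn, 4, 3, parse_keytab(kt))


if __name__ == "__main__":
    print(demo())
```

A real keytab can be read with open(path, "rb").read() in place of build_keytab; the ticket's kvno and enctype are the two fields the browser-side capture in the thread already shows. A diagnosis string here means the service cannot decrypt the ticket no matter how the server is configured, which is why the fix is on the client (purge the ccache so a ticket under the current key is fetched) or on the KDC side (the keytab and the principal's current kvno must agree).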