From deengert at anl.gov Wed Oct 1 09:30:43 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 01 Oct 2008 08:30:43 -0500
Subject: error configuring kerberos
Message-ID: <48E37B83.7020809@anl.gov>

Daulton_Theodore wrote:
> I am trying to build and install krb5-1.6.3 on Solaris 10 but I keep
> getting the following error message from ./configure.
>
> Configure: cannot find res_nsearch or res_search

My output of configure for krb5-1.6.3 on Solaris 10 shows:

82 checking for socket in -lsocket... yes
83 checking for main in -lresolv... yes
84 checking for res_ninit... yes
85 checking for res_nclose... yes
86 checking for res_ndestroy... yes
87 checking for res_nsearch... yes
88 checking for ns_initparse... yes
89 checking for ns_name_uncompress... no
90 checking for dn_skipname... yes
91 checking for res_search... yes

It probably means the test program did not compile, maybe for some other
reason. grep "checking for res_nsearch" config.log to see what the test was
and why it failed.

I use /usr/sfw/bin/gcc.

> Any suggestions as to how to get past this would be appreciated.
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> Daulton Theodore
> Systems Department, Carleton University Library
> Email: daulton_theodore at carleton.ca
> Vmail: (613) 520-2600 ext:8352
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From eagmunoz at gmail.com Thu Oct 2 03:28:05 2008
From: eagmunoz at gmail.com (Eduardo A Muñoz)
Date: Fri, 3 Oct 2008 02:58:05 +1930
Subject: using REQUIRES_PWCHANGE kinit reports expired passwords
Message-ID: <995e303f0810020028x53518f5fm9ebc15f6a3dcd1c5@mail.gmail.com>

Hi,

I'm working with Ubuntu 7.10 clients authenticating against Kerberos.
The issue arises when I set the REQUIRES_PWCHANGE attribute on a user key so
that at the next login they are required to change the password. Some machines
(not all) can't authenticate when the mentioned attribute is set; they report

  "kinit(v5): Password has expired while getting initial credentials"

(Of course my password expiration time hasn't been reached, and it reports the
same working with policies or without them.)

If I unset the attribute, I can obtain the tickets. Like I said, this behavior
is present on some machines; others can get tickets with the attribute set or
unset, with the same principals.

From Qiang.Xu at fujixerox.com Thu Oct 2 04:58:18 2008
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 2 Oct 2008 16:58:18 +0800
Subject: -f option with kinit

Hi, all:

To begin with, we are using the MIT krb5 implementation as the Kerberos
client. My problem is, kinit crashes with the option -f.

1. Failure:

denalic01:/tmp/dlms/kerberos/apps <138> kinit -f 120117097110 at SESSWIN2003.COM -M 070097105114049050051
Segmentation fault (core dumped)

2. Success:

denalic01:/tmp/dlms/kerberos/apps <140> kinit 120117097110 at SESSWIN2003.COM -M 070097105114049050051
denalic01:/tmp/dlms/kerberos/apps <141>

It seems the command line is not quite right. Anything wrong with this -f
option?

Looking forward to help,
Xu Qiang

From huaraz at moeller.plus.com Sun Oct 5 07:51:11 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 5 Oct 2008 12:51:11 +0100
Subject: Sequence numbering after export and import of context

I have an application which initializes the security context in one process,
does some gss_wrap/gss_unwrap calls and then exports the context to hand it
over to another process, which imports the context and continues the
gss_wrap/gss_unwrap. Would the second process restart sequencing at 0 or
continue from where the context was exported?
Thank you
Markus

From ioplex at gmail.com Sun Oct 5 12:09:09 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Sun, 5 Oct 2008 12:09:09 -0400
Subject: Sequence numbering after export and import of context
Message-ID: <78c6bd860810050909i1743bf6fv61e43ff130268ac7@mail.gmail.com>

On Sun, Oct 5, 2008 at 7:51 AM, Markus Moeller wrote:
> I have an application which initializes the security context in one process
> does some gss_wrap/gss_unwrap calls and then exports the context to hand it
> over to another process which imports the context and continues the
> gss_wrap/gss_unwrap. Would the second process restart sequencing at 0 or
> continuing from where the context was exported ?

I'm not even going to try to come up with a citation, but common sense would
suggest that an imported GSS context must use the sequence number of the
exported context and must never reset the sequence number to 0. I don't see
how the peer could even know that the sequence number was reset.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From Nicolas.Williams at sun.com Sun Oct 5 17:01:59 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sun, 5 Oct 2008 16:01:59 -0500
Subject: Sequence numbering after export and import of context
Message-ID: <20081005210159.GN1157@Sun.COM>

On Sun, Oct 05, 2008 at 12:51:11PM +0100, Markus Moeller wrote:
> I have an application which initializes the security context in one process
> does some gss_wrap/gss_unwrap calls and then exports the context to hand it
> over to another process which imports the context and continues the
> gss_wrap/gss_unwrap. Would the second process restart sequencing at 0 or
> continuing from where the context was exported ?

The latter is what should happen.
Nico
-- 

From Nicolas.Williams at sun.com Sun Oct 5 17:10:49 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sun, 5 Oct 2008 16:10:49 -0500
Subject: Sequence numbering after export and import of context
In-Reply-To: <78c6bd860810050909i1743bf6fv61e43ff130268ac7@mail.gmail.com>
References: <78c6bd860810050909i1743bf6fv61e43ff130268ac7@mail.gmail.com>
Message-ID: <20081005211049.GO1157@Sun.COM>

On Sun, Oct 05, 2008 at 12:09:09PM -0400, Michael B Allen wrote:
> I'm not even going to try to come up with a citation but common sense
> would suggest that an imported GSS context must use the sequence
> number of the exported context and must never reset the sequence
> number to 0. I don't see how the peer could even know that the
> sequence number was reset.

RFC2743 (and also RFC2744). In particular section 1.2.10 (Interprocess
Context Transfer) of RFC2743. It's exactly explicit on this point, but it
does say:

"
Since the security context data structure is expected to contain sequencing
information, it is impractical in general to share a context between
processes.
"

which strongly implies that sequencing state is part of the state to be
transferred via exported security context tokens. Besides, applications
would definitely break if it weren't so. It can only possibly be the case
that sequencing state must be represented in exported security context
tokens.

(I've not looked too carefully for more explicit requirements w.r.t. this in
the RFC.)
Nico
-- 

From huaraz at moeller.plus.com Sun Oct 5 18:13:00 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 5 Oct 2008 23:13:00 +0100
Subject: Sequence numbering after export and import of context
In-Reply-To: <20081005210159.GN1157@Sun.COM>
References: <20081005210159.GN1157@Sun.COM>

Thank you for the replies.

I get a GSS error: "The token was a duplicate of an earlier token", and
debugging on the client shows that it received seq 0 but expected 1. So I
need to dig a bit further into what my server processes do. Is the following
OK:

client <-> server main process establishes context -> export_context
client <-> child 1 import_context -> unwrap + wrap (seq 0) -> export_context
client <-> child 2 import_context -> unwrap + wrap (seq 1) -> cleanup

Markus

"Nicolas Williams" wrote in message news:20081005210159.GN1157 at Sun.COM...
> On Sun, Oct 05, 2008 at 12:51:11PM +0100, Markus Moeller wrote:
>> I have an application which initializes the security context in one
>> process does some gss_wrap/gss_unwrap calls and then exports the context
>> to hand it over to another process which imports the context and
>> continues the gss_wrap/gss_unwrap. Would the second process restart
>> sequencing at 0 or continuing from where the context was exported ?
>
> The latter is what should happen.
>
> Nico
> -- 

From Nicolas.Williams at sun.com Sun Oct 5 22:38:13 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sun, 5 Oct 2008 21:38:13 -0500
Subject: Sequence numbering after export and import of context
References: <20081005210159.GN1157@Sun.COM>
Message-ID: <20081006023813.GR1157@Sun.COM>

On Sun, Oct 05, 2008 at 11:13:00PM +0100, Markus Moeller wrote:
> Thank you for the replies.
>
> I get an GSS: error: "The token was a duplicate of an earlier token" and
> debugging on the client shows that it received seq 0 but expected 1. So I
> need to dig a bit further what my server processes do. Is the following OK :
>
> client <-> server main process establishes context -> export_context
> client <-> child 1 import_context -> unwrap + wrap (seq 0) -> export_context
> client <-> child 2 import_context -> unwrap + wrap (seq 1)-> cleanup

Do I understand correctly that you're importing a given exported security
context token twice?

If so, then "no, that's not supported." RFC2743 is quite clear on this.

And it makes sense too: there may be no way for "child 1" and "child 2" to
keep their sequence number windows in sync and perform as well as if they did
not even try to keep them in sync. Also, the spec allows the second
GSS_Import_sec_context() function call to fail, and it is possible to imagine
implementations where such a failure would occur.

Heck, even if an implementation supported multiple imports of one exported
security context token you'd still have problems because, whatever the
per-message token sequence number window size is, if one process
consumes/produces per-message tokens at a sufficiently different rate than
the other then you'll still get sequencing errors.

You could cheat and not request sequencing, but there's no guarantee that
that will work either -- as long as you're importing the same exported
security context token more than once then you're in trouble, and if it
works it will be an accident of the mechanism's implementation and so your
application will not be portable.
Nico
-- 

From ioplex at gmail.com Mon Oct 6 00:01:16 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Mon, 6 Oct 2008 00:01:16 -0400
Subject: Sequence numbering after export and import of context
In-Reply-To: <20081006023813.GR1157@Sun.COM>
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM>
Message-ID: <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>

On Sun, Oct 5, 2008 at 10:38 PM, Nicolas Williams wrote:
> Do I understand correctly that you're importing a given exported
> security context token twice?
>
> If so, then "no, that's not supported." RFC2743 is quite clear on this.
>
> And it makes sense too: there may be no way for "child 1" and "child 2"
> to keep their sequence number windows in sync and perform as well as if
> they did not even try to keep them in sync. Also, the spec allows the
> second GSS_Import_sec_context() function call to fail, and it is
> possible to imagine implementations where such a failure would occur.
>
> Heck, even if an implementation supported multiple imports of one
> exported security context token you'd still have problems because
> whatever the per-message token sequence number window size is, if one
> process consumes/produces per-message tokens at a sufficiently different
> rate than the other then you'll still get sequencing errors.
>
> You could cheat and not request sequencing, but there's no guarantee
> that that will work either -- as long as you're importing the same
> exported security context token more than once then you're in trouble,
> and if it works it will be an accident of the mechanism's implementation
> and so your application will not be portable.

Personally I think the whole export / import of security contexts is a
little awkward. Instead of moving the context we just put all IO buffers in
shared memory and have one process running the muxer loop (although the
reason for doing this has nothing to do with GSSAPI).

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From Nicolas.Williams at sun.com Mon Oct 6 00:18:36 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sun, 5 Oct 2008 23:18:36 -0500
Subject: Sequence numbering after export and import of context
In-Reply-To: <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM> <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>
Message-ID: <20081006041836.GS1157@Sun.COM>

On Mon, Oct 06, 2008 at 12:01:16AM -0400, Michael B Allen wrote:
> Personally I think the whole export / import of security contexts is a
> little awkward. Instead of moving the context we just put all IO
> buffers in shared memory and have one process running the muxer loop
> (although the reason for doing this has nothing to do with GSSAPI).

In Solaris, secure NFS can deal with mechanisms that don't support security
context import/export, but for mechanisms that don't the price to pay is an
upcall to user-land for every GSS per-message token. The security context
import/export feature definitely has its place.

In the case of the original poster, however, I agree that there is a better
solution.
But that mostly follows from the OP's application design being incompatible
with security context import/export, and the only solution is to change the
application design. At least IIUC.

Nico
-- 

From huaraz at moeller.plus.com Mon Oct 6 15:06:13 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 6 Oct 2008 20:06:13 +0100
Subject: Sequence numbering after export and import of context
In-Reply-To: <20081006023813.GR1157@Sun.COM>
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM>

I understand that you need to keep the sequencing, and in my case that is the
case. Child 2 will always start after child 1 has finished. So there is a
clear flow order which is just handled by different processes, which is why I
thought I could re-export/re-import the context. Unfortunately it is an
existing application and not that easy to completely rewrite.

Thanks
Markus

"Nicolas Williams" wrote in message news:20081006023813.GR1157 at Sun.COM...
> Do I understand correctly that you're importing a given exported
> security context token twice?
>
> If so, then "no, that's not supported." RFC2743 is quite clear on this.
>
> And it makes sense too: there may be no way for "child 1" and "child 2"
> to keep their sequence number windows in sync and perform as well as if
> they did not even try to keep them in sync.
> Also, the spec allows the second GSS_Import_sec_context() function call to
> fail, and it is possible to imagine implementations where such a failure
> would occur.
>
> Heck, even if an implementation supported multiple imports of one
> exported security context token you'd still have problems because
> whatever the per-message token sequence number window size is, if one
> process consumes/produces per-message tokens at a sufficiently different
> rate than the other then you'll still get sequencing errors.
>
> You could cheat and not request sequencing, but there's no guarantee
> that that will work either -- as long as you're importing the same
> exported security context token more than once then you're in trouble,
> and if it works it will be an accident of the mechanism's implementation
> and so your application will not be portable.
>
> Nico
> -- 

From huaraz at moeller.plus.com Mon Oct 6 15:11:41 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 6 Oct 2008 20:11:41 +0100
Subject: Sequence numbering after export and import of context
In-Reply-To: <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM> <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>

I haven't used much shared memory. How would it work with shared memory? I
would have thought gss_init_sec_context/gss_accept_sec_context just gets a
pointer and the underlying gss functions allocate the memory somewhere, not
necessarily in the shared memory area? How can you force the gss functions to
use the shared memory?

Thank you
Markus

"Michael B Allen" wrote in message news:78c6bd860810052101u252e873co8d7114b57796aacc at mail.gmail.com...
> Personally I think the whole export / import of security contexts is a
> little awkward.
> Instead of moving the context we just put all IO
> buffers in shared memory and have one process running the muxer loop
> (although the reason for doing this has nothing to do with GSSAPI).
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory SPNEGO SSO
> http://www.ioplex.com/

From raeburn at MIT.EDU Mon Oct 6 15:17:27 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 6 Oct 2008 15:17:27 -0400
Subject: Sequence numbering after export and import of context
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM>
Message-ID: <9FDBCF79-D726-4539-861B-B3F5F0D15176@mit.edu>

On Oct 6, 2008, at 15:06, Markus Moeller wrote:
> I understand that you need to keep the sequencing and in my case it is the
> case. Child 2 will always start after child 1 has finished. So there is a
> clear flow order which is just handled by different processes, why I thought
> I can re-export/re-import the context. Unfortunately it is an existing
> application and not that easy to completely rewrite.

If child 1 imports the context, does stuff, and exports the context, and then
child 2 imports the context exported by child 1, yes, that should be fine.
It's just if, for example, two children running in parallel imported the same
context from the parent, that you'd have problems.

Ken

From ioplex at gmail.com Mon Oct 6 16:03:34 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Mon, 6 Oct 2008 16:03:34 -0400
Subject: Sequence numbering after export and import of context
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM> <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>
Message-ID: <78c6bd860810061303r77674dc1w2c5446457e834ef9@mail.gmail.com>

On Mon, Oct 6, 2008 at 3:11 PM, Markus Moeller wrote:
> I haven't used much shared memory.
> How would it work with shared memory ? I
> would have thought gss_init_sec_context/gss_accept-sec_context just gets a
> pointer and the underlying gss functions allocate the memory somewhere, not
> necessarily in the shared memory area ? How can you force the gss functions
> to use the shared memory ?

Hi Markus,

I'm not talking about putting GSS objects in shared memory (although it would
be dandy if it accepted allocator functions so that that were possible). The
model I'm talking about is quite different from what you're doing and would
require significant reorganization.

The model I'm talking about uses one process dedicated to doing all socket IO
(the "muxer" process) and thus would handle any gss_{wrap/unwrap} without any
context exporting / importing. Now a caller process can allocate a shared
memory buffer, write the message into it and signal the muxer to take over,
write it, read the response and finally notify the calling process (this isn't
exactly how our code works, it's actually much more complex but the idea is
the same).

Anyway, from what I've read in this thread, provided things are serialized
properly, I think what you're doing should work. The problem could very well
be that the export/import feature is a code path less travelled so there could
be bugs. Are you using MIT or Heimdal or ...?

Mike
-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From Nicolas.Williams at sun.com Mon Oct 6 15:54:28 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 6 Oct 2008 14:54:28 -0500
Subject: Sequence numbering after export and import of context
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM>
Message-ID: <20081006195427.GW8906@Sun.COM>

On Mon, Oct 06, 2008 at 08:06:13PM +0100, Markus Moeller wrote:
> I understand that you need to keep the sequencing and in my case it is the
> case. Child 2 will always start after child 1 has finished. So there is a
> clear flow order which is just handled by different processes, why I thought
> I can re-export/re-import the context. Unfortunately it is an existing
> application and not that easy to completely rewrite.

Yes, you can have child 1 re-export the security context, and then child 2
can import it. That will work.

From Nicolas.Williams at sun.com Mon Oct 6 15:53:51 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 6 Oct 2008 14:53:51 -0500
Subject: Sequence numbering after export and import of context
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM> <78c6bd860810052101u252e873co8d7114b57796aacc@mail.gmail.com>
Message-ID: <20081006195350.GV8906@Sun.COM>

On Mon, Oct 06, 2008 at 08:11:41PM +0100, Markus Moeller wrote:
> I haven't used much shared memory. How would it work with shared memory ?
> I would have thought gss_init_sec_context/gss_accept-sec_context just gets a
> pointer and the underlying gss functions allocate the memory somewhere, not
> necessarily in the shared memory area ? How can you force the gss functions
> to use the shared memory ?

That was a musing about internal implementation of the mechanism that might
allow what you're trying to do to work, but don't count on anyone ever
implementing it.

There is no way you can get what you're trying to do to work. It violates
the spec.

From tlyu at MIT.EDU Thu Oct 9 16:07:09 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 09 Oct 2008 16:07:09 -0400
Subject: Sequence numbering after export and import of context
In-Reply-To: (Markus Moeller's message of "Mon, 6 Oct 2008 20:06:13 +0100")
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM>

"Markus Moeller" writes:
> I understand that you need to keep the sequencing and in my case it is the
> case. Child 2 will always start after child 1 has finished. So there is a
> clear flow order which is just handled by different processes, why I thought
> I can re-export/re-import the context. Unfortunately it is an existing
> application and not that easy to completely rewrite.

It sounds like you are experiencing a problem with sequence number state when
you are doing (in serial order):

* Exporting context1 from a parent
* Importing context1 into child1
* Sending wrap token from child1
* Exporting context2 from child1
* Importing context2 into child2
* Sending wrap token from child2

and child2 is producing an incorrect sequence number.

If this is the case, I would consider it to be a bug. Would you be willing to
provide additional details about this problem? What GSS library and what
release?
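The serial chain Tom lists above, and the double-import case Nico and Ken warn against, as an added example that is not code from the thread or from any GSS-API library: a simplified C model in which the only state carried by the exported context blob is the next sequence number, and the peer enforces in-order delivery the way a context with sequencing requested does. The export/import/wrap/unwrap functions, the context layout and the client state are stand-ins I made up; only the supplementary status bit numbers follow RFC 2744.

```c
#include <stdint.h>
#include <stdio.h>

/* Supplementary-status bits as numbered in RFC 2744 section 3.9.1. */
#define GSS_S_COMPLETE        0u
#define GSS_S_DUPLICATE_TOKEN (1u << 1)
#define GSS_S_GAP_TOKEN       (1u << 4)

/* Sender-side context: the next outgoing number plus a "still usable in this
 * process" flag (a real mechanism also keeps keys here). */
typedef struct {
    uint32_t send_seq;
    int      live;
} sec_ctx;

/* Exported-token stand-in: 4-byte big-endian counter (constructed layout). */
typedef struct { unsigned char bytes[4]; } exported_ctx;

/* Stand-in for gss_export_sec_context: serialize the sequencing state and
 * make the source context unusable, as the real call does. */
static exported_ctx export_ctx(sec_ctx *c)
{
    exported_ctx t;
    t.bytes[0] = (unsigned char)(c->send_seq >> 24);
    t.bytes[1] = (unsigned char)(c->send_seq >> 16);
    t.bytes[2] = (unsigned char)(c->send_seq >> 8);
    t.bytes[3] = (unsigned char)(c->send_seq);
    c->live = 0;
    return t;
}

/* Stand-in for gss_import_sec_context: the importing process continues from
 * the number stored in the token, never from 0. */
static sec_ctx import_ctx(const exported_ctx *t)
{
    sec_ctx c;
    c.send_seq = ((uint32_t)t->bytes[0] << 24) | ((uint32_t)t->bytes[1] << 16)
               | ((uint32_t)t->bytes[2] << 8)  |  (uint32_t)t->bytes[3];
    c.live = 1;
    return c;
}

/* Stand-in for gss_wrap: the sequence number stamped on the token, or
 * UINT32_MAX if this context was already exported away. */
static uint32_t wrap_seq(sec_ctx *c)
{
    return c->live ? c->send_seq++ : UINT32_MAX;
}

/* Peer side (the client in the thread). With sequencing requested it insists
 * on strictly increasing numbers and flags anything it has already seen. */
typedef struct { uint32_t expect; } peer_state;

static uint32_t unwrap_seq(peer_state *p, uint32_t seq)
{
    if (seq < p->expect)
        return GSS_S_DUPLICATE_TOKEN;   /* "duplicate of an earlier token" */
    if (seq > p->expect)
        return GSS_S_GAP_TOKEN;         /* a token in between never arrived */
    p->expect = seq + 1;
    return GSS_S_COMPLETE;
}

/* Rejected scenario: the parent's token is imported by both children (or, as
 * Markus later found, child 2 is handed the parent's token instead of child
 * 1's). Both start at the same number, so the peer sees seq 0 twice. */
uint32_t double_import_status(void)
{
    sec_ctx parent = { 0, 1 };
    exported_ctx tok = export_ctx(&parent);
    sec_ctx child1 = import_ctx(&tok);
    sec_ctx child2 = import_ctx(&tok);      /* second import of the same token */
    peer_state client = { 0 };
    uint32_t s = unwrap_seq(&client, wrap_seq(&child1));   /* seq 0: accepted  */
    s |= unwrap_seq(&client, wrap_seq(&child2));           /* seq 0: duplicate */
    return s;
}

/* Supported scenario: child 1 re-exports after use and child 2 imports that
 * token, so the counter carries on at 1 and the peer accepts both tokens. */
uint32_t serial_chain_status(void)
{
    sec_ctx parent = { 0, 1 };
    exported_ctx tok1 = export_ctx(&parent);
    sec_ctx child1 = import_ctx(&tok1);
    peer_state client = { 0 };
    uint32_t s = unwrap_seq(&client, wrap_seq(&child1));   /* seq 0 */
    exported_ctx tok2 = export_ctx(&child1);               /* carries seq 1 */
    sec_ctx child2 = import_ctx(&tok2);
    s |= unwrap_seq(&client, wrap_seq(&child2));           /* seq 1 */
    return s;
}

int main(void)
{
    printf("double import: status %u\n", double_import_status());
    printf("serial chain:  status %u\n", serial_chain_status());
    return 0;
}
```

Markus's later finding that child 2 received the parent's context is the first scenario: the blob it imported still says "next number 0", so the client sees seq 0 a second time and reports the duplicate.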
From tlyu at MIT.EDU Thu Oct 9 16:10:19 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 09 Oct 2008 16:10:19 -0400
Subject: using REQUIRES_PWCHANGE kinit reports expired passwords
In-Reply-To: <995e303f0810020028x53518f5fm9ebc15f6a3dcd1c5@mail.gmail.com> (Eduardo A. Muñoz's message of "Fri, 3 Oct 2008 02:58:05 +1930")
References: <995e303f0810020028x53518f5fm9ebc15f6a3dcd1c5@mail.gmail.com>

"Eduardo A Muñoz" writes:
> Hi,
>
> Im working with ubuntu 7.10 clients authenticating against kerberos. The
> issue arises when I a set the REQUIRES_PWCHANGE attribute to a user key so
> that in next login they are required to change the password. Some machines (
> not all ) can't authenticate when the mentioned attribute is set , they
> report
> "kinit(v5): Password has expired while getting initial credentials"
>
> (Of course my password expiration time haven't been reached and it reports
> the same working with policies or without it)
>
> if I a unset the attribute, i can obtain the tickets. Like i said this
> behavior is present in some machines , others can get tickets with the
> attribute set or unset with the same principals.

This seems very strange and inconsistent. Are you sure all the client
machines are talking to the same KDC? REQUIRES_PWCHANGE should always cause
authentication failure except for service principals marked as
password-changing service principals.

From huaraz at moeller.plus.com Thu Oct 9 16:19:05 2008
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 9 Oct 2008 21:19:05 +0100
Subject: Sequence numbering after export and import of context
References: <20081005210159.GN1157@Sun.COM> <20081006023813.GR1157@Sun.COM>

Tom,

I am still tracing the issue. I seem to have a problem with the transfer of
the context between child 1 and child 2 (e.g. child 2 gets the original
parent context). In that case it wouldn't be a gss library issue, but an
inter-process communication issue.
Thank you
Markus

"Tom Yu" wrote in message news:ldvprm9v8gi.fsf at cathode-dark-space.mit.edu...
> It sounds like you are experiencing a problem with sequence number
> state when you are doing (in serial order):
>
> * Exporting context1 from a parent
> * Importing context1 into child1
> * Sending wrap token from child1
> * Exporting context2 from child1
> * Importing context2 into child2
> * Sending wrap token from child2
>
> and child2 is producing an incorrect sequence number.
>
> If this is the case, I would consider it to be a bug. Would you be
> willing to provide additional details about this problem? What GSS
> library and what release?

From vas at mpeks.no-spam-here.tomsk.su Fri Oct 10 00:49:28 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Fri, 10 Oct 2008 04:49:28 +0000 (UTC)
Subject: Kerberize MS Exchange?
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>

Douglas E. Engert wrote:
>>> Incidentally, I have been informed off-list that newer versions of
>>> Exchange's IMAP implementation actually do support Kerberos via
>>> GSSAPI.
>>
>> And what win32 IMAP clients can authenticate with GSSAPI?
>
> Thunderbird is reported to be able to do this:
> http://kb.mozillazine.org/Network.auth.use-sspi
> I have not tried it, but it looks promising.
I have tried Thunderbird 2.0.0.14 for Windows with network.auth.use-sspi set to either true or false.

Ethereal does not see Thunderbird requesting any tickets for imap/relay2.tomsk.ru from AD. It just keeps asking for my password and does not create any traffic to the DC. Am I missing something?

The server does support GSSAPI and announces it:

* OK CommuniGate Pro IMAP Server 5.1.13 at relay2.tomsk.ru ready
* CAPABILITY IMAP4 IMAP4REV1 ACL NAMESPACE UIDPLUS IDLE LITERAL+ QUOTA ID MULTIAPPEND LISTEXT CHILDREN BINARY LOGIN-REFERRALS UNSELECT STARTTLS AUTH=LOGIN AUTH=PLAIN AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=GSSAPI
1 OK completed

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

From hy93 at cornell.edu Mon Oct 13 10:12:04 2008
From: hy93 at cornell.edu (Hong Ye)
Date: Mon, 13 Oct 2008 10:12:04 -0400
Subject: GSS Error on windows
Message-ID: <48F35734.4090202@cornell.edu>

Hi,

We are developing an authentication module for Apache using the MIT Kerberos GSS API. It works OK on Unix platforms. But on Windows, it works fine when Apache starts up. After some indeterminate amount of time (or requests), we get a GSS API error:

"There might be a problem with the keytab file for Permission denied in replay cache code. Check the file path and make sure it is the correct key file."

Once this error has occurred, all the requests fail with the same error. We have to reboot Apache to make it work again.

Can anyone shed some light on this problem?

Thank you very much for your time,

Hong Ye

From hy93 at cornell.edu Mon Oct 13 10:31:22 2008
From: hy93 at cornell.edu (Hong Ye)
Date: Mon, 13 Oct 2008 10:31:22 -0400
Subject: GSS Error on windows
In-Reply-To: <48F35734.4090202@cornell.edu>
References: <48F35734.4090202@cornell.edu>
Message-ID: <48F35BBA.50306@cornell.edu>

Sorry, I forgot to mention the GSS API call. The failed call is gss_acquire_cred. The major status return code is 851968 and the minor code is 1765328215.
The error message is "Permission denied in replay cache code".

Thanks,

Hong Ye wrote:
> Hi,
>
> We are developing an authentication module for Apache using MIT kerberos
> GSS API . It works OK on Unix platform. But on Windows, it works fine
> when Apache starts up. After some indeterminate amount of time (or
> requests), we got GSS API error:
>
> "There might be a problem with the keytab file for Permission denied in
> replay cache code. Check the file path and make sure it is the correct
> key file. "
>
> Once this error occurred, all the requests failed with the same error.
> We have to reboot Apache to make it work again.
>
> Can anyone shed some light on this problem?
>
> Thank you very much for your time,
>
> Hong Ye
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From paul.moore at centrify.com Mon Oct 13 12:23:25 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Mon, 13 Oct 2008 09:23:25 -0700
Subject: FW: ZDNet UK: Kerberos harbours critical flaws
Message-ID:

Which bugs is this article referring to?

------------------------------------------------------------
http://news.zdnet.co.uk/security/0,1000000189,39165276,00.htm

Kerberos harbours critical flaws

The network-authentication technology can leave computers running Unix, Linux or Mac OS X vulnerable
------------------------------------------------------------------------
ZDNet News: The UK's best source for computing news - updated throughout the day.
http://news.zdnet.co.uk/

Please report any abuse of this service to ukwebmaster at zdnet.com

Copyright © 2008 CNET Networks, Inc. All Rights Reserved. ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET NETWORKS, Inc.
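The two numbers Hong Ye quotes in the "GSS Error on windows" thread can be read mechanically, and doing so tells you which subsystem to look at. The following is an added example (not code from any poster and not MIT Kerberos code): it splits a GSS-API major status into the calling/routine/supplementary fields that RFC 2744 defines and maps a com_err minor status onto its error table and offset. ERROR_TABLE_BASE_krb5 (-1765328384) is the real krb5 table base; the two entries in KRB5_TABLE are an assumed partial lookup, cross-checked against the message text quoted in the thread, not a copy of krb5_err.et.

```python
"""Decode the GSS-API status pair quoted in the "GSS Error on windows"
thread: major 851968, minor 1765328215.

Added example; not code from any poster or from MIT Kerberos.  Major-status
layout per RFC 2744 (calling error in bits 24-31, routine error in bits
16-23, supplementary info in bits 0-15).  The minor status is a com_err
code: the top 24 bits name an error table, the low 8 bits index it.
KRB5_TABLE is an assumed partial lookup (only the codes needed here).
"""

GSS_C_CALLING_ERROR_OFFSET = 24
GSS_C_ROUTINE_ERROR_OFFSET = 16
GSS_C_CALLING_ERROR_MASK = 0xFF
GSS_C_ROUTINE_ERROR_MASK = 0xFF
GSS_C_SUPPLEMENTARY_MASK = 0xFFFF

CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_BITS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}

ERROR_TABLE_BASE_krb5 = -1765328384   # from krb5's generated krb5_err.h
ERRCODE_RANGE = 8                      # com_err: low 8 bits are the offset

# Assumed partial krb5 error table: offset -> (symbol, message).
KRB5_TABLE = {
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
    169: ("KRB5_RC_IO_PERM", "Permission denied in replay cache code"),
}
KNOWN_TABLES = {ERROR_TABLE_BASE_krb5 & 0xFFFFFFFF: ("krb5", KRB5_TABLE)}


def decode_major(major):
    """Split a GSS major status into its three fields."""
    major &= 0xFFFFFFFF
    calling = (major >> GSS_C_CALLING_ERROR_OFFSET) & GSS_C_CALLING_ERROR_MASK
    routine = (major >> GSS_C_ROUTINE_ERROR_OFFSET) & GSS_C_ROUTINE_ERROR_MASK
    supp = major & GSS_C_SUPPLEMENTARY_MASK
    return {
        "calling": CALLING_ERRORS.get(calling, "unknown(%d)" % calling) if calling else None,
        "routine": ROUTINE_ERRORS.get(routine, "unknown(%d)" % routine) if routine else None,
        "supplementary": [name for bit, name in SUPPLEMENTARY_BITS.items() if supp & (1 << bit)],
    }


def decode_minor(minor):
    """Map a com_err-style minor status to (table, offset, symbol, message).

    minor_status is an unsigned 32-bit value that applications print as
    signed, unsigned or (as in the thread) as a bare magnitude, so both the
    value and its negation are tried.  Returns None if no table matches.
    """
    low_mask = (1 << ERRCODE_RANGE) - 1
    for candidate in (minor, -minor):
        code = candidate & 0xFFFFFFFF
        base = code & ~low_mask & 0xFFFFFFFF
        if base in KNOWN_TABLES:
            table_name, table = KNOWN_TABLES[base]
            offset = code & low_mask
            symbol, message = table.get(offset, ("?", "%s table offset %d" % (table_name, offset)))
            return table_name, offset, symbol, message
    return None


def explain(major, minor):
    """One-line summary worth logging next to the raw numbers."""
    maj = decode_major(major)
    parts = [p for p in (maj["calling"], maj["routine"], *maj["supplementary"]) if p]
    text = "major=%d (%s)" % (major, ", ".join(parts) or "GSS_S_COMPLETE")
    mech = decode_minor(minor)
    if mech:
        text += "; minor=%d (%s: %s, %s)" % (minor, mech[0], mech[2], mech[3])
    else:
        text += "; minor=%d (no known error table)" % minor
    return text


if __name__ == "__main__":
    print(explain(851968, 1765328215))
```

For the values in the thread this yields GSS_S_FAILURE (routine error 13, i.e. 13 << 16 = 851968, a generic "look at the minor code" result) and krb5 table offset 169, KRB5_RC_IO_PERM, which is exactly the "Permission denied in replay cache code" text Hong Ye quotes. The keytab wording in the error is the module's own wrapper around that message; the minor code points at the replay cache, not the keytab. The practical check is therefore whether the account Apache runs as can still create and write the rcache file in the directory MIT krb5 uses (KRB5RCACHEDIR, or the temp directory); KRB5RCACHETYPE=none disables the rcache, but at the cost of replay protection, so it is a diagnostic step, not a fix.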
From raeburn at MIT.EDU Mon Oct 13 12:32:42 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 13 Oct 2008 12:32:42 -0400
Subject: ZDNet UK: Kerberos harbours critical flaws
In-Reply-To:
References:
Message-ID: <49679D29-C531-48B4-B802-D8E689DAEECA@mit.edu>

On Oct 13, 2008, at 12:23, Paul Moore wrote:
> Which bugs is this article referring to
>
> ------------------------------------------------------------
> http://news.zdnet.co.uk/security/0,1000000189,39165276,00.htm
>
> Kerberos harbours critical flaws
>
> The network-authentication technology can leave computers running
> Unix, Linux
> or Mac OS X vulnerable

They mention double-free problems, and the article is from September 2004, so I expect it's referring to the flaw in advisory MITKRB5-SA-2004-002 (listed at http://web.mit.edu/kerberos/advisories/) which had come out a few days before.

Ken

From paul.moore at centrify.com Mon Oct 13 12:36:35 2008
From: paul.moore at centrify.com (Paul Moore)
Date: Mon, 13 Oct 2008 09:36:35 -0700
Subject: ZDNet UK: Kerberos harbours critical flaws
In-Reply-To: <49679D29-C531-48B4-B802-D8E689DAEECA@mit.edu>
References: <49679D29-C531-48B4-B802-D8E689DAEECA@mit.edu>
Message-ID:

Oops, I didn't notice the date. For some reason my automated alert system picked it up.
Thx -----Original Message----- From: Ken Raeburn [mailto:raeburn at MIT.EDU] Sent: Monday, October 13, 2008 9:33 AM To: Paul Moore Cc: kerberos at mit.edu Subject: Re: ZDNet UK: Kerberos harbours critical flaws On Oct 13, 2008, at 12:23, Paul Moore wrote: > Which bugs is this article referring to > > ------------------------------------------------------------ > http://news.zdnet.co.uk/security/0,1000000189,39165276,00.htm > > Kerberos harbours critical flaws > > The network-authentication technology can leave computers running > Unix, Linux > or Mac OS X vulnerable They mention double-free problems, and the article is from September 2004, so I expect it's referring to the flaw in advisory MITKRB5- SA-2004-002 (listed at http://web.mit.edu/kerberos/advisories/) which had come out a few days before. Ken From huaraz at moeller.plus.com Sun Oct 12 11:05:57 2008 From: huaraz at moeller.plus.com (Markus Moeller) Date: Sun, 12 Oct 2008 16:05:57 +0100 Subject: Kerberize MS Exchange? In-Reply-To: References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> Message-ID: <2ZWdnVsd_tIAj2_VnZ2dneKdnZydnZ2d@posted.plusnet> I use it against Cyrus IMAP v2.3.12p2 server (both client and server on Linux) with AD as kdc. * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR] imap.server.home Cyrus IMAP v2.3.12p2 server ready 1 capability * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5 AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED URLAUTH 1 OK Completed 2 authenticate GSSAPI + YIIGjwYJKoZIhv.... + YIGDBgk.... + YDAGCSqGSIb3EgE.... 
2 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT LIST-SUBSCRIBED URLAUTH] Success (no protection) . . Markus "Victor Sudakov" wrote in message news:gcs72m$2ci$1 at relay.tomsk.ru... > Victor Sudakov wrote: >> > > >> > >> Incidentally, I have been informed off-list that newer versions of >> > >> Exchange's IMAP implementation actually do support Kerberos via >> > >> GSSAPI. >> > > >> > > And what win32 IMAP clients can authenticate with GSSAPI? > >> > Thunderbird is reported to be able to do this: >> > http://kb.mozillazine.org/Network.auth.use-sspi > >> > I have not tried it, but it looks promising. > >> I have tried Thunderbird 2.0.0.14 for Windows with >> network.auth.use-sspi set to either true or false. > >> Ethereal does not see Thunderbird requesting any tickets for >> imap/relay2.tomsk.ru from AD. It just keeps asking for my password and >> does not create any traffic to the DC. Am I missing something? > > Is there anyone for whom Thunderbird with GSSAPI really works? > I hope it is not just theory, someone is using it or has tested it? > > -- > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > 2:5005/49 at fidonet http://vas.tomsk.ru/ From huaraz at moeller.plus.com Mon Oct 13 14:14:43 2008 From: huaraz at moeller.plus.com (Markus Moeller) Date: Mon, 13 Oct 2008 19:14:43 +0100 Subject: Kerberize MS Exchange? In-Reply-To: <2ZWdnVsd_tIAj2_VnZ2dneKdnZydnZ2d@posted.plusnet> References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> <2ZWdnVsd_tIAj2_VnZ2dneKdnZydnZ2d@posted.plusnet> Message-ID: Victor, I can also confirm that Thunderbird works with GSSAPI/SSPI on XP against the Cyrus IMAP server. 
(I just downloaded Thunderbird and did not modify any settings other than adding the account details.)

Markus

"Markus Moeller" wrote in message news:2ZWdnVsd_tIAj2_VnZ2dneKdnZydnZ2d at posted.plusnet...
> I use it against Cyrus IMAP v2.3.12p2 server (both client and server on
> Linux) with AD as kdc.
>
> * OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
> AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR] imap.server.home Cyrus IMAP
> v2.3.12p2 server ready
> 1 capability
> * CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID STARTTLS AUTH=DIGEST-MD5
> AUTH=PLAIN AUTH=GSSAPI AUTH=CRAM-MD5 SASL-IR ACL RIGHTS=kxte QUOTA
> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT
> LIST-SUBSCRIBED URLAUTH
> 1 OK Completed
> 2 authenticate GSSAPI
> + YIIGjwYJKoZIhv....
> + YIGDBgk....
> + YDAGCSqGSIb3EgE....
> 2 OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID LOGINDISABLED ACL RIGHTS=kxte
> QUOTA MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT
> CHILDREN MULTIAPPEND BINARY SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT
> THREAD=REFERENCES ANNOTATEMORE CATENATE CONDSTORE SCAN IDLE LISTEXT
> LIST-SUBSCRIBED URLAUTH] Success (no protection)
>
> .
> .
>
> Markus
>
> "Victor Sudakov" wrote in message
> news:gcs72m$2ci$1 at relay.tomsk.ru...
>> Victor Sudakov wrote:
>>> > >
>>> > >> Incidentally, I have been informed off-list that newer versions of
>>> > >> Exchange's IMAP implementation actually do support Kerberos via
>>> > >> GSSAPI.
>>> > >
>>> > > And what win32 IMAP clients can authenticate with GSSAPI?
>>
>>> > Thunderbird is reported to be able to do this:
>>> > http://kb.mozillazine.org/Network.auth.use-sspi
>>
>>> > I have not tried it, but it looks promising.
>>
>>> I have tried Thunderbird 2.0.0.14 for Windows with
>>> network.auth.use-sspi set to either true or false.
>> >>> Ethereal does not see Thunderbird requesting any tickets for >>> imap/relay2.tomsk.ru from AD. It just keeps asking for my password and >>> does not create any traffic to the DC. Am I missing something? >> >> Is there anyone for whom Thunderbird with GSSAPI really works? >> I hope it is not just theory, someone is using it or has tested it? >> >> -- >> Victor Sudakov, VAS4-RIPE, VAS47-RIPN >> 2:5005/49 at fidonet http://vas.tomsk.ru/ > From vas at mpeks.no-spam-here.tomsk.su Sun Oct 12 02:56:22 2008 From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov) Date: Sun, 12 Oct 2008 06:56:22 +0000 (UTC) Subject: Kerberize MS Exchange? References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> Message-ID: Victor Sudakov wrote: > > > > > >> Incidentally, I have been informed off-list that newer versions of > > >> Exchange's IMAP implementation actually do support Kerberos via > > >> GSSAPI. > > > > > > And what win32 IMAP clients can authenticate with GSSAPI? > > Thunderbird is reported to be able to do this: > > http://kb.mozillazine.org/Network.auth.use-sspi > > I have not tried it, but it looks promising. > I have tried Thunderbird 2.0.0.14 for Windows with > network.auth.use-sspi set to either true or false. > Ethereal does not see Thunderbird requesting any tickets for > imap/relay2.tomsk.ru from AD. It just keeps asking for my password and > does not create any traffic to the DC. Am I missing something? Is there anyone for whom Thunderbird with GSSAPI really works? I hope it is not just theory, someone is using it or has tested it? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49 at fidonet http://vas.tomsk.ru/ From luke.scharf at clusterbee.net Tue Oct 14 14:34:44 2008 From: luke.scharf at clusterbee.net (Luke Scharf) Date: Tue, 14 Oct 2008 13:34:44 -0500 Subject: Kerberize MS Exchange? 
In-Reply-To:
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>
Message-ID: <48F4E644.1050408@clusterbee.net>

Victor Sudakov wrote:
> Is there anyone for whom Thunderbird with GSSAPI really works?
> I hope it is not just theory, someone is using it or has tested it?
>

I use Thunderbird with GSSAPI with Dovecot on my home-network. It works nicely. The only weird thing was that they used the term "Secure Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".

I haven't figured out if there's a way to have Thunderbird use GSSAPI for SMTP. I haven't looked closely, since I need to unlock my keystore before sending message to retrieve S/MIME keys -- so pulling out a password for smtp authentication isn't an inconvenience. I do like the elegance of making everything Kerberos-happy, though.

-Luke

From edward at murrell.co.nz Tue Oct 14 14:38:47 2008
From: edward at murrell.co.nz (Edward Murrell)
Date: Wed, 15 Oct 2008 07:38:47 +1300 (NZDT)
Subject: Kerberize MS Exchange?
In-Reply-To:
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>
Message-ID: <39365.203.144.32.165.1224009527.squirrel@zinc.murrell.co.nz>

Yep, also confirmed to work with Dovecot IMAP server.

> Victor Sudakov wrote:
> Is there anyone for whom Thunderbird with GSSAPI really works?
> I hope it is not just theory, someone is using it or has tested it?
> > -- > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > 2:5005/49 at fidonet http://vas.tomsk.ru/ > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > From huaraz at moeller.plus.com Tue Oct 14 18:21:25 2008 From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 14 Oct 2008 23:21:25 +0100 Subject: Kerberize MS Exchange? In-Reply-To: <48F4E644.1050408@clusterbee.net> References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> <48F4E644.1050408@clusterbee.net> Message-ID: I can also confirm that outgoing SMTP with GSSAPI auth works with Thunderbird against sendmail. Markus "Luke Scharf" wrote in message news:48F4E644.1050408 at clusterbee.net... >Victor Sudakov wrote: >> Is there anyone for whom Thunderbird with GSSAPI really works? >> I hope it is not just theory, someone is using it or has tested it? >> > >I use Thunderbird with GSSAPI with Dovecot on my home-network. It works >nicely. The only weird thing was that they used the term "Secure >Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5". > >I haven't figured out if there's a way to have Thunderbird use GSSAPI >for SMTP. I haven't looked closely, since I need to unlock my keystore >before sending message to retrieve S/MIME keys -- so pulling out a >password for smtp authentication isn't an inconvenience. I do like the >elegance of making everything Kerberos-happy, though. > >-Luke > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > From simon at sxw.org.uk Tue Oct 14 19:53:09 2008 From: simon at sxw.org.uk (Simon Wilkinson) Date: Wed, 15 Oct 2008 00:53:09 +0100 Subject: Kerberize MS Exchange? 
In-Reply-To:
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> <48F4E644.1050408@clusterbee.net>
Message-ID: <305C19F7-1171-4CA3-A2E1-25B0085BC534@sxw.org.uk>

On 14 Oct 2008, at 23:21, Markus Moeller wrote:
> I can also confirm that outgoing SMTP with GSSAPI auth works with
> Thunderbird against sendmail.

If anyone is having problems with GSSAPI and Thunderbird which they believe is a bug in the product, please open a bug in their Bugzilla and Cc: me on the bug. I can confirm that (with the exception of security layers), POP3, IMAP and SMTP should all work from version 1.5 onwards.

Simon (who wrote the GSSAPI stuff in Tbird)

From luke.scharf at clusterbee.net Tue Oct 14 23:22:12 2008
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Tue, 14 Oct 2008 22:22:12 -0500
Subject: Kerberize MS Exchange?
In-Reply-To:
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> <48F4E644.1050408@clusterbee.net>
Message-ID: <48F561E4.2060406@clusterbee.net>

Markus Moeller wrote:
> I can also confirm that outgoing SMTP with GSSAPI auth works with
> Thunderbird against sendmail.
>

Is there a GUI switch to turn GSSAPI authentication on for SMTP? (It's quite possible that I missed it, or that the good folks who built Thunderbird for my distribution forgot to enable that feature... :-) Or maybe I just neglected to create the principal for the SMTP server...)

Thanks,
-Luke

From petesea at bigfoot.com Wed Oct 15 01:56:58 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Tue, 14 Oct 2008 22:56:58 -0700 (PDT)
Subject: GSSAPI Key Exchange on multi-homed host
Message-ID:

From a security standpoint, if the default keytab (/etc/krb5.keytab) contains only ONE principal, does it matter if GSSAPIStrictAcceptorCheck is set to "yes" or "no"?

My company uses an internally built OpenSSH package that includes the GSSAPI Key Exchange patch. Because we have 1000s of hosts, we need to use a "standard" sshd_config file that works for the majority of hosts. Unfortunately, the current "standard" sshd_config does not set the GSSAPIStrictAcceptorCheck entry, which defaults to "yes" and therefore does not work correctly on the multi-homed hosts.

I'd like to change our standard sshd_config so GSSAPIStrictAcceptorCheck defaults to "no", but before doing so, I want to better understand the implications.

As I understand the GSSAPIStrictAcceptorCheck flag, setting it to "no" simply enables matches against more than the first principal in /etc/krb5.keytab. So... if there's only one principal in the keytab, it seems like it wouldn't matter if GSSAPIStrictAcceptorCheck is set to yes or no. Is that correct?

From paul at subsignal.org Wed Oct 15 08:00:00 2008
From: paul at subsignal.org (paul)
Date: Wed, 15 Oct 2008 14:00:00 +0200
Subject: Kerberize MS Exchange?
In-Reply-To: <48F4E644.1050408@clusterbee.net>
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world> <48F4E644.1050408@clusterbee.net>
Message-ID:

Luke Scharf schrieb:
> I use Thunderbird with GSSAPI with Dovecot on my home-network. It works
> nicely.
> The only weird thing was that they used the term "Secure
> Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".

That's by design. Technically GSSAPI is only one of the SASL mechanisms offered by the server. "Secure authentication" just enables the SASL negotiation procedure, which might result in something completely different than GSSAPI (DIGEST-MD5 in my case, or NTLM for Outlook, etc). Besides: "GSSAPI" or "Kerberos5" in a general purpose UI? WTF!

cheers
Paul

From kenh at cmf.nrl.navy.mil Wed Oct 15 10:42:53 2008
From: kenh at cmf.nrl.navy.mil (Ken Hornstein)
Date: Wed, 15 Oct 2008 10:42:53 -0400
Subject: Kerberize MS Exchange?
In-Reply-To:
Message-ID: <200810151442.m9FEgr0M021291@hedwig.cmf.nrl.navy.mil>

>Luke Scharf schrieb:
>> I use Thunderbird with GSSAPI with Dovecot on my home-network. It works
>> nicely. The only weird thing was that they used the term "Secure
>> Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".
>Thats by design. Technically GSSAPI is only one of the SASL mechanisms
>offered by the server. "secure authentication" just enables the SASL
>negotiation procedure which might result in something completely
>different than GSSAPI (DIGEST-MD5 in my case, or NTLM for Outlook, etc).
>Besides: "GSSAPI" or "Kerberos5" in a general purpose UI? WTF!

Urrrrk. I STRONGLY disagree with you on this! Here are my reasons:

- From the programmer/network protocol perspective, being able to write one program or define one protocol that negotiates a whole group of SASL mechanisms is great. But from an administrator perspective, it bites. I don't want to have users fall back to DIGEST-MD5 if Kerberos fails, I want to fix the Kerberos problem! (And very likely if GSSAPI fails, DIGEST-MD5 isn't going to work for that user anyway; of course that depends on your site, but I think that's more true than not). If the user explicitly picks a mechanism to use, these problems are eliminated.
Since many mainstream apps have each SASL mechanism coded explicitly (Thunderbird among them) there's not even a programming reason to obfuscate the choice of SASL mechanism (and explicitly picking the mechanism prevents a downgrade attack). - From a user and administrator perspective, the whole situation with Thunderbird bites. Note: I've talked with Simon about this; I understand the situation he was faced with regarding Thunderbird and GSSAPI support, and I'm glad he was able to get it in there. But I believe even he would admit the current situation is not ideal (and I know that it would be tough for him to address it). I've helped a number of people get GSSAPI with Thunderbird working. The general flow of questions looks like this: - Uh, does it support Kerberos? I don't see anything where I can enable it under Preferences. - So, uh, if it supports Kerberos, how do I turn it on? - Okay, I checked "Secure Authentication", but that didn't work, and it asked me for a password. I typed in my Kerberos password, but that failed. First off, "Secure Authentication" is a SHITTY checkbox. What this means is not clear, even to me. Does this mean "Use TLS?" Does this mean "Negotiate SASL?" Does it mean both? It's confusing to the user. If it was one user, I would say that this confusion is an anomaly, but it seems like EVERYONE that tries to use Thunderbird here has problems with this. Secondly, the "attempt to negotiate all mechanisms" problem generates a number of practical issues. The first is error reporting - let's say you try GSSAPI, and that fails. Should you then report GSSAPI errors back to the user? Well, in Thunderbird that doesn't happen; I can sort-of understand why Thunderbird doesn't do that, because most of the users don't use GSSAPI and any GSSAPI errors would be the "wrong" errors, but this illustrates the problem with multi-mechanism negotiation: which errors do you report to the user when you try multiple mechanisms? 
Another problem with multi-mechanism negotiation is that they have different user interactions. For example, CRAM-MD5 and DIGEST-MD5 likely want to prompt the user for a password, but of course for GSSAPI/Kerberos you normally wouldn't have the app do that; it would be done via a Kerberos application (or perhaps the GSSAPI library would do that). So should an application prompt for a password no matter what the mechanism? Probably not, but I've seen cases where that happens; again, more confusion for the user. Now, to be fair part of the problem with Thunderbird seems to spring from the fact that at least on Windows it's using third-party GSSAPI libraries (at least when we want to use it), and many of the problems come from finding those GSSAPI libraries. And I know that it is possible to get the GSSAPI errors by setting some arcane environment variables. It kinda bites that you have to go through this crappy process to GET those errors; like I said, I understand why this is the case, but it still sucks. Part of the confusion may be historical; many of our users were previously using Eudora, and that had a weird dance where you in some cases EXPLICITLY had to not turn on the "Use secure authentication" dialog (but it also had an explicit Kerberos configuration dialog). I can contrast this with people who use Apple Mail, which has a very clear configuration dialog which explicitly says, "Use Kerberos 5 (GSSAPI)". No one ever asks me if Apple Mail supports Kerberos, or how to turn it on. The Kerberos errors (in most cases) are presented to the user. It just works better. Presenting the SASL mechanism to the user is a clear win. A lot has to happen under the scenes to make it all work, but I cannot see any reason why presenting this to the user is bad. 
--Ken

From mshbible at snu.ac.kr Wed Oct 15 10:22:28 2008
From: mshbible at snu.ac.kr (문성환)
Date: Wed, 15 Oct 2008 23:22:28 +0900 (KST)
Subject: I have a question about your copyright for Kerberos
Message-ID: <6979418.1224080548701.JavaMail.root@auk1>

I am South Korean and my name is SungHwan Moon. Thus, I use English smoothly and well. I want your understanding for this point.

I am a graduate student and I am participating in a great project. I will use the "idea" of Kerberos. Hence, I want to know the copyright of Kerberos.

I found

"Export of this software from the United States of America may be subject to the Export Administration Regulations of the United States Department of Commerce, currently (October 2003) codified as Title 15 CFR Parts 730-774. You are responsible for complying with all applicable export regulations, including obtaining an export license if required. You may not download this software if you are located in, or are a citizen or national of, any country for which the US government prohibits the export of encryption source code, currently (October 2003) Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria. (15 CFR Sections 734(b)(3), 740.13(e)(4))"

and

"Cost of use. Kerberos doesn't infringe on any patents. Which means that it can be used for free, while SSL users may have to pay."

on your homepage. Thus I can guess that we can use your Kerberos. But I cannot find the document of copyright of Kerberos for "United States of America may be subject to the Export Administration Regulations of the United States Department of Commerce, currently (October 2003) codified as Title 15 CFR Parts 730-774."

Also, I would thank you very much if you send me the document of copyright of Kerberos or let me know the exact homepage about that. I already searched Export Administration Regulations and U. S. Bureau of Industry and Security.
Thanks for your attention From tlyu at MIT.EDU Wed Oct 15 11:33:17 2008 From: tlyu at MIT.EDU (Tom Yu) Date: Wed, 15 Oct 2008 11:33:17 -0400 Subject: I have a question about your copyright for Kerberos In-Reply-To: <6979418.1224080548701.JavaMail.root@auk1> (mshbible@snu.ac.kr's message of "Wed, 15 Oct 2008 23:22:28 +0900 (KST)") References: <6979418.1224080548701.JavaMail.root@auk1> Message-ID: writes: > Also, I thank you very much if you send me the doument of copyright > of kerberos or know me the exact homepage about that. The copyright and legal notices for each release are present in the README file for that release. For the krb5-1.6.3 release, you may find them here: http://web.mit.edu/kerberos/krb5-1.6/README-1.6.3.txt It seems that we need to make this information more prominent. As a general query to people on this list/newsgroup, which of the following changes are desirable? * Remove most copyright notices from README, and place in a separate COPYRIGHT file at the top level of distributions. * Add links to README file of each release on the downloads page. * Create a web page that contains the main MIT Kerberos copyright notice, with a link to the README or COPYRIGHT file (whichever we end up with) of the current release for copyright details including the full text of licenses from contributors. -- Tom Yu Development Manager MIT Kerberos Consortium From mdw at umich.edu Wed Oct 15 12:42:37 2008 From: mdw at umich.edu (Marcus Watts) Date: Wed, 15 Oct 2008 12:42:37 -0400 Subject: I have a question about your copyright for Kerberos In-Reply-To: References: <6979418.1224080548701.JavaMail.root@auk1> Message-ID: Tom Yu writes: > writes: > > > Also, I thank you very much if you send me the doument of copyright > > of kerberos or know me the exact homepage about that. > > The copyright and legal notices for each release are present in the > README file for that release. 
For the krb5-1.6.3 release, you may > find them here: > > http://web.mit.edu/kerberos/krb5-1.6/README-1.6.3.txt > > It seems that we need to make this information more prominent. As a > general query to people on this list/newsgroup, which of the following > changes are desirable? > > * Remove most copyright notices from README, and place in a separate > COPYRIGHT file at the top level of distributions. > > * Add links to README file of each release on the downloads page. > > * Create a web page that contains the main MIT Kerberos copyright > notice, with a link to the README or COPYRIGHT file (whichever we > end up with) of the current release for copyright details including > the full text of licenses from contributors. I think most people asking this are probably used to the GPL "LICENSE" concept. Putting a LICENSE file at the top of the distribution, and creating links at various obvious parts of the download process in imitation of common GPL projects pointing to the "license" may best answer the expectations of these people. Crafting the language for this "license" should be an entertaining exercise. Assuming all the bits of MIT kerberos have BSD compatible licensing, concatenating the full text of that licensing will be of limited value. If there are parts that have more restrictive licensing, that should certainly be mentioned. The person who posted this particular question is I think not actually asking about "copyright" proper, despite his subject line. He seems to be asking mostly about US export restrictions, which really has nothing to do with copyright or licensing per se. Putting that in a README file is probably less useful than keeping this on a web page and clearly identifying it as a "distribution" responsibility and not as a "licensing" restriction. -Marcus Watts From paul at subsignal.org Thu Oct 16 07:28:55 2008 From: paul at subsignal.org (paul) Date: Thu, 16 Oct 2008 13:28:55 +0200 Subject: Kerberize MS Exchange? 
In-Reply-To: <200810151442.m9FEgr0M021291@hedwig.cmf.nrl.navy.mil>
References: <200810151442.m9FEgr0M021291@hedwig.cmf.nrl.navy.mil>
Message-ID:

Ken Hornstein schrieb:
>> Luke Scharf schrieb:
>>> I use Thunderbird with GSSAPI with Dovecot on my home-network. It works
>>> nicely. The only weird thing was that they used the term "Secure
>>> Authentication" -- instead of "GSSAPI" or "Kerberos5" or "krb5".
>> Thats by design. Technically GSSAPI is only one of the SASL mechanisms
>> offered by the server. "secure authentication" just enables the SASL
>> negotiation procedure which might result in something completely
>> different than GSSAPI (DIGEST-MD5 in my case, or NTLM for Outlook, etc).
>> Besides: "GSSAPI" or "Kerberos5" in a general purpose UI? WTF!
>
> Urrrrk. I STRONGLY disagree with you on this!

That's always a good start ;)

> Here are my reasons:
>
> - From the programmer/network protocol perspective, being able to write one
> program or define one protocol that negotiates a whole group of SASL
> mechanisms is great. But from an administrator perspective, it
> bites. I don't want to have users fall back to DIGEST-MD5 if
> Kerberos fails, I want to fix the Kerberos problem!

As you probably know, you can do that with the SASL mechlist server side.

> (And very likely
> if GSSAPI fails, DIGEST-MD5 isn't going to work for that user anyway;
> of course that depends on your site, but I think that's more true
> than not).

It's not common but possible (you'd have to have credentials in more than one place (not so good)); however, DIGEST-MD5 and others might still work where GSSAPI will fail (e.g. road warriors with broken time sync, no ticket, KDC not reachable from the client, etc.)

> If the user explicitly picks a mechanism to use, these
> problems are eliminated.

My point is that SASL mechanisms are all Greek to average users; it is pointless to force a choice on them they can't reasonably make.
> Since many mainstream apps have each SASL > mechanism coded explicitly (Thunderbird among them) there's not even > a programming reason to obfuscate the choice of SASL mechanism (and > explicitly picking the mechanism prevents a downgrade attack). Again, you can configure SASL server side to prevent this. Postfix for example has options to allow different mechanisms over TLS secured connections vs. plain SMTP. [snip] > I've helped a number of people get GSSAPI with Thunderbird working. > The general flow of questions looks like this: > > - Uh, does it support Kerberos? I don't see anything where I can enable > it under Preferences. > > - So, uh, if it supports Kerberos, how do I turn it on? > > - Okay, I checked "Secure Authentication", but that didn't work, and > it asked me for a password. I typed in my Kerberos password, but that > failed. Yes, it would be nice if TB had some log/status window to check what was negotiated. > > First off, "Secure Authentication" is a SHITTY checkbox. What this > means is not clear, even to me. Does this mean "Use TLS?" Does this > mean "Negotiate SASL?" Does it mean both? It's confusing to the > user. If it was one user, I would say that this confusion is an > anomaly, but it seems like EVERYONE that tries to use Thunderbird > here has problems with this. You have very educated users ;) > > Secondly, the "attempt to negotiate all mechanisms" problem generates > a number of practical issues. The first is error reporting - let's > say you try GSSAPI, and that fails. Should you then report GSSAPI > errors back to the user? Well, in Thunderbird that doesn't happen; I > can sort-of understand why Thunderbird doesn't do that, because most > of the users don't use GSSAPI and any GSSAPI errors would be the > "wrong" errors, but this illustrates the problem with multi-mechanism > negotiation: which errors do you report to the user when you try > multiple mechanisms? As I said, a log would be nice. 
IMO if the site policy *allows* GSSAPI and say NTLM fallback there should be no error if GSSAPI fails and NTLM succeeds. A user visible failure is only required if all allowed mechanisms failed because this ultimately results in a failed service (reading email). > > Another problem with multi-mechanism negotiation is that they have > different user interactions. For example, CRAM-MD5 and DIGEST-MD5 > likely want to prompt the user for a password, but of course for > GSSAPI/Kerberos you normally wouldn't have the app do that; it would > be done via a Kerberos application (or perhaps the GSSAPI library > would do that). So should an application prompt for a password no > matter what the mechanism? Probably not, but I've seen cases where > that happens; again, more confusion for the user. Well, afaik if GSSAPI is the only mechanism advertised by the server there will be no password prompt. If the fallback is allowed you'd get a prompt. It's pretty much the same thing as you get with HTTP-Negotiate where NTLM will prompt but kerberos will not. It's the admins choice... > Part of the confusion may be historical; many of our users were > previously using Eudora, and that had a weird dance where you in some > cases EXPLICITLY had to not turn on the "Use secure authentication" > dialog (but it also had an explicit Kerberos configuration dialog). > > I can contrast this with people who use Apple Mail, which has a very > clear configuration dialog which explicitly says, "Use Kerberos 5 > (GSSAPI)". No one ever asks me if Apple Mail supports Kerberos, or how > to turn it on. The Kerberos errors (in most cases) are presented to > the user. It just works better. Presenting the SASL mechanism to the > user is a clear win. A lot has to happen under the scenes to make > it all work, but I cannot see any reason why presenting this to the > user is bad. Hmm, I can see where you are coming from... You say TB is hard to debug wrt. failures because you don't get error messages? 
Granted, if TB had a "use kerberos" checkbox you'd at least know that it was Kerberos that failed (but still no error messages, no?). And with proper error messages you'd get all the info in the "secure authentication" case as well.

cheers
Paul

>
> --Ken
>

From kenh at cmf.nrl.navy.mil Thu Oct 16 11:29:27 2008
From: kenh at cmf.nrl.navy.mil (Ken Hornstein)
Date: Thu, 16 Oct 2008 11:29:27 -0400
Subject: Kerberize MS Exchange?
In-Reply-To:
Message-ID: <200810161529.m9GFTSTf011858@hedwig.cmf.nrl.navy.mil>

>> - From the programmer/network protocol perspective, being able to write one
>> program or define one protocol that negotiates a whole group of SASL
>> mechanisms is great. But from an administrator perspective, it
>> bites. I don't want to have users fall back to DIGEST-MD5 if
>> Kerberos fails, I want to fix the Kerberos problem!
>As you probably know, you can do that with the sasl mechlist server side.

Well, of course I can limit mechanisms on the server side; that's easy and nearly all of the server software supports this. But I don't want to. Why, you ask? The normal mode for us is to have people use GSSAPI. But occasionally we get someone who, for some strange reason, cannot use GSSAPI. These people are, on a case-by-case basis, permitted to use another SASL mechanism, like DIGEST-MD5 (actually, it's always CRAM-MD5, which is the one mechanism that everyone seems to support). So I want my _SERVER_ to be able to support multiple mechanisms.

You might claim that I could run servers that support different mechanisms on different ports; that would be a violation of the DoD Ports and Protocols Policy, but aside from that, not only is that a pain in the ass from a client configuration standpoint, it also sort of defeats the whole point of SASL, which is to create a protocol framework where multiple security protocols can be negotiated on the same port. In my experience, the servers all handle multi-mechanism negotiation fine; it's the clients (like, say, Thunderbird) that need work.

>It's not common but possible (you'd have to have credentials in more than
>one place (not so good)); however, DIGEST-MD5 and others might still work
>where GSSAPI will fail (e.g. roadwarriors with broken time sync, no
>ticket, KDC not reachable from the client, etc.)

Well, in theory, maybe; perhaps you maintain synchronization between your DIGEST-MD5 and KDC database. But very likely if you have a user using GSSAPI, Thunderbird does not have their password stored, because all the GSSAPI mechanism has access to is their TGT; this will involve an additional prompt, or as you mention Thunderbird will have this stored. But trying multiple mechanisms causes the problems I mentioned earlier; I would argue that is more common than having multiple valid mechanisms for every user.

>> If the user explicitly picks a mechanism to use, these
>> problems are eliminated.
>My point is that SASL mechanisms are all Greek to average users; it is
>pointless to force a choice on them they can't reasonably make.

I would argue that my experience with Apple Mail contradicts this assertion. Note that Apple Mail doesn't present the user with a choice of SASL dialogs right up front; it's under an "Advanced" dialog. And there are plain-text names for the SASL mechanisms, like "Kerberos 5 (GSSAPI)", and "MD5 Challenge-Response". This seems like a reasonable choice to me; it doesn't confuse the average user who would have no idea what GSSAPI is, but the advanced user can adjust the appropriate knobs.

>> Since many mainstream apps have each SASL
>> mechanism coded explicitly (Thunderbird among them) there's not even
>> a programming reason to obfuscate the choice of SASL mechanism (and
>> explicitly picking the mechanism prevents a downgrade attack).
>Again, you can configure SASL server side to prevent this. Postfix for
>example has options to allow different mechanisms over TLS-secured
>connections vs. plain SMTP.

See above; this simply isn't good enough.

>As I said, a log would be nice. IMO if the site policy *allows* GSSAPI
>and, say, NTLM fallback there should be no error if GSSAPI fails and NTLM
>succeeds. A user-visible failure is only required if all allowed
>mechanisms failed, because this ultimately results in a failed service
>(reading email).

Personally, I think that is a rather bizarre site policy (do you still support cleartext telnet just in case ssh doesn't work?), but nevertheless ... I think that most people would agree that it is at least uncommon. To me this argues that you might (as a user) want to select a range of valid mechanisms for your site; you could click a series of checkboxes for valid mechanisms to use when connecting to a server. But I think that if you normally use Kerberos at your site, and Kerberos isn't working, the user should be notified! That's not the normal behavior!

>Well, afaik if GSSAPI is the only mechanism advertised by the server
>there will be no password prompt. If the fallback is allowed you'd get a
>prompt. It's pretty much the same thing as you get with HTTP-Negotiate
>where NTLM will prompt but Kerberos will not. It's the admin's choice...

That may be true for Thunderbird, but I have personally seen programs that still ask for a password prompt even when they were using Kerberos. Yes, that's a bug; no argument there.
>Hmm, I can see where you are coming from... You say TB is hard to debug
>wrt. failures because you don't get error messages? Granted, if TB had a
>"use kerberos" checkbox you'd at least know that it was Kerberos that
>failed (but still no error messages, no?). And with proper error
>messages you'd get all the info in the "secure authentication" case as well.

Well ... except that you'd have to try to dig out the "right" errors from the failures with mechanisms you don't care about. I've stared at too many ssh debugging traces to think that's a good idea.

--Ken

From melvin.lim at bluecoat.com Thu Oct 16 21:16:40 2008
From: melvin.lim at bluecoat.com (Lim, Melvin)
Date: Thu, 16 Oct 2008 18:16:40 -0700
Subject: Kerberos fallback
Message-ID:

Hi

I would like to double confirm where the Kerberos fallback to NTLM takes place:

1. The fallback taking place during negotiation
2. The fallback taking place after the negotiation

Please advise,

Melvin Lim
Technical Support Engineer
Blue Coat Systems, Inc.
Phone: +1.408.220.2270
www.bluecoat.com

From ioplex at gmail.com Fri Oct 17 00:41:30 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 17 Oct 2008 00:41:30 -0400
Subject: Kerberos fallback
In-Reply-To:
References:
Message-ID: <78c6bd860810162141h174f7b51h72b26385ffa49220@mail.gmail.com>

On Thu, Oct 16, 2008 at 9:16 PM, Lim, Melvin wrote:
> Hi
>
> I would like to double confirm where the Kerberos fallback to NTLM
> takes place:
>
> 1. The fallback taking place during negotiation
> 2. The fallback taking place after the negotiation

Hi Melvin,

First, you should realize that you're asking about a largely Microsoft Windows specific issue whereas this is a Kerberos-only mailing list (albeit gracious to MS specific questions). Other than both being authentication protocols, NTLM and Kerberos are not related.

Anyway, the answer to your question is option "0". Meaning a Windows client will fall back to NTLM if it cannot perform Kerberos for any reason. That evaluation occurs before any "negotiation" with the target. Specifically, when a Windows client decides that it is to perform SSPI style authentication, it tries to acquire a Kerberos ticket for the desired service. There are a number of points where that acquisition can fail. The client may not be joined to the domain, it may not have adequate communication with the KDC, the service account may not be set up correctly, etc. If any of these things fail, the client will then try NTLM.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From melvin.lim at bluecoat.com Fri Oct 17 01:26:24 2008
From: melvin.lim at bluecoat.com (Lim, Melvin)
Date: Thu, 16 Oct 2008 22:26:24 -0700
Subject: Kerberos fallback
In-Reply-To: <78c6bd860810162141h174f7b51h72b26385ffa49220@mail.gmail.com>
References: <78c6bd860810162141h174f7b51h72b26385ffa49220@mail.gmail.com>
Message-ID:

Hi Mike,

Sorry for that & thanks for the explanation, which helps a lot.

Regards
Melvin Lim

From ben.lentz at gmail.com Sat Oct 18 01:26:52 2008
From: ben.lentz at gmail.com (Ben Lentz)
Date: Sat, 18 Oct 2008 01:26:52 -0400
Subject: Using dns with kerberos-1.6.3 on AIX 5.3
Message-ID: <260bdc290810172226m72798b0jc53763be57910c7b@mail.gmail.com>

Greetings list,

I am trying to build kerberos-1.6.3 on an AIX 5.3 platform using --enable-dns --enable-dns-for-kdc --enable-dns-for-realm. It would appear that the ./configure script is not finding -lresolv in AIX. However, this seems to work fine on my Linux systems, which seem to function properly with --enable-dns and are able to find -lresolv provided by glibc. I've tried symlinking libresolv.a to libc.a on the AIX system, but I still get the same error from Kerberos after rebuilding when I try to use kinit with a realm whose KDC SRV records are published in DNS. Is there any workaround to be able to use --enable-dns on systems, like AIX, without -lresolv? Or am I missing something?

Thanks in advance.

From josh at acm-csuf.org Sun Oct 19 11:45:44 2008
From: josh at acm-csuf.org (josh@acm-csuf.org)
Date: Sun, 19 Oct 2008 08:45:44 -0700 (PDT)
Subject: ip addresses
Message-ID: <59575.137.151.25.239.1224431144.squirrel@lazyrebels.com>

Is there a way on UNIX Kerberos to only have the thing listen on one interface or IP address, instead of listening on all IPs with port 88?
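Josh's question above, with an added example that is not from the thread: a check for a KDC bound to the wildcard address on port 88, and the host-firewall rules that limit that port to a single interface. The netstat-style listing, the use of iptables and the interface name eth1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Because the KDC binds
# every address, the exposure of port 88 is narrowed with a host firewall.
# Assumptions: netstat-style listener output, iptables, and a client-facing
# interface called eth1 (all illustrative).

# Constructed sample of `netstat -an` listener lines: krb5kdc bound to the
# wildcard address on UDP and TCP 88, plus an unrelated NTP socket.
SAMPLE_LISTENERS='udp        0      0 0.0.0.0:88              0.0.0.0:*
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN
udp        0      0 192.168.212.15:123      0.0.0.0:*'

# wildcard_kdc_listeners LISTING
# Prints the protocol of every port-88 socket bound to all addresses
# (IPv4 0.0.0.0 or IPv6 ::); prints nothing when the KDC is already scoped.
wildcard_kdc_listeners() {
    printf '%s\n' "$1" | awk '$4 == "0.0.0.0:88" || $4 == ":::88" { print $1 }'
}

# kdc_exposed LISTING
# Succeeds (exit 0) when at least one wildcard-bound port-88 socket exists.
kdc_exposed() {
    [ -n "$(wildcard_kdc_listeners "$1")" ]
}

# kdc_rules IFACE
# Emits iptables rules that accept Kerberos (UDP and TCP 88) only on IFACE
# and drop it on every other interface. The rules are printed, not applied,
# so they can be reviewed first; pipe the output to sh to apply them.
kdc_rules() {
    iface="$1"
    for proto in udp tcp; do
        printf 'iptables -A INPUT -i %s -p %s --dport 88 -j ACCEPT\n' "$iface" "$proto"
    done
    for proto in udp tcp; do
        printf 'iptables -A INPUT -p %s --dport 88 -j DROP\n' "$proto"
    done
}

# Stand-alone run: report the exposure found in the sample and print the
# compensating rules for eth1.
if kdc_exposed "$SAMPLE_LISTENERS"; then
    echo "KDC listens on all addresses for: $(wildcard_kdc_listeners "$SAMPLE_LISTENERS" | tr '\n' ' ')"
    kdc_rules eth1
fi
```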
From raeburn at MIT.EDU Mon Oct 20 11:22:00 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 20 Oct 2008 11:22:00 -0400
Subject: ip addresses
In-Reply-To: <59575.137.151.25.239.1224431144.squirrel@lazyrebels.com>
References: <59575.137.151.25.239.1224431144.squirrel@lazyrebels.com>
Message-ID:

On Oct 19, 2008, at 11:45, josh at acm-csuf.org wrote:
> Is there a way on UNIX Kerberos to only have the thing listen on one
> interface or IP address, instead of listening on all IPs with port 88?

Not in MIT's current implementation, no.

Ken

From luke.scharf at clusterbee.net Mon Oct 20 14:30:57 2008
From: luke.scharf at clusterbee.net (Luke Scharf)
Date: Mon, 20 Oct 2008 13:30:57 -0500
Subject: ip addresses
In-Reply-To:
References: <59575.137.151.25.239.1224431144.squirrel@lazyrebels.com>
Message-ID: <48FCCE61.2060501@clusterbee.net>

Ken Raeburn wrote:
> On Oct 19, 2008, at 11:45, josh at acm-csuf.org wrote:
>
>> Is there a way on UNIX Kerberos to only have the thing listen on one
>> interface or IP address, instead of listening on all IPs with port 88?
>>
>
> Not in MIT's current implementation, no.
>

Josh,

You could use iptables (or some other host-based firewall) to drop packets to port 88 on particular interfaces.

-Luke

From rdccosmo at gmail.com Mon Oct 20 18:05:41 2008
From: rdccosmo at gmail.com (Rodrigo Cosme)
Date: Mon, 20 Oct 2008 20:05:41 -0200
Subject: Problem when logging in to kadmind remotely
Message-ID:

Hello, all.

I'm having this problem. I can kinit fine (though that renew date sounds suspicious).

Valid starting     Expires            Service principal
10/20/08 19:56:29  10/21/08 19:56:29  krbtgt/INF.UFES.BR@INF.UFES.BR
        renew until 10/20/08 19:56:29

And log in through kadmin with the user krbadm. But when I ask for the principals I get the following error:

kadmin -p krbadm
listprincs
get_principals: Programmer errror! Bad Admin server handle while retrieving list.

In the kadm5.acl I have:
krbadm at INF.UFES.BR *

Does anyone know what's going on?

--
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte at inf.ufes.br
MSN - rdccosmo at gmail.com

From tolsen at limelabs.com Tue Oct 21 11:30:41 2008
From: tolsen at limelabs.com (Tim Olsen)
Date: Tue, 21 Oct 2008 11:30:41 -0400
Subject: password policy to enforce different passwords for different principal instances?
Message-ID:

At my company, we've set up IMAP and SMTP services to fall back to PLAIN authentication using a different instance of the principal (over SSL of course). This way, users can use clients (such as the iPhone) that do not support Kerberos, but the Kerberos password for their default instance (which may grant them ssh access to certain machines) is not cached on their client. We are also considering doing something similar for HTTP authentication (Negotiate falling back to Basic).

Is there any way to set up a password policy that would enforce that different instances of a principal have different passwords?

Thanks,
Tim

From rdccosmo at gmail.com Fri Oct 24 09:29:01 2008
From: rdccosmo at gmail.com (Rodrigo Cosme)
Date: Fri, 24 Oct 2008 11:29:01 -0200
Subject: Problem when logging in to kadmind remotely
In-Reply-To:
References:
Message-ID:

It ended up only being a problem with the binaries. A "make install" again solved it.

On Mon, Oct 20, 2008 at 8:05 PM, Rodrigo Cosme wrote:
> Hello, all.
>
> I'm having this problem. I can kinit fine (though that renew date sounds
> suspicious).
[snip]

--
__________________________________
Rodrigo de Castro Cosme
Ciência da Computação - Universidade Federal do Espírito Santo
Suporte mailing list - suporte at inf.ufes.br
MSN - rdccosmo at gmail.com

From rofe at one.com Mon Oct 27 04:47:11 2008
From: rofe at one.com (Ronni Feldt)
Date: Mon, 27 Oct 2008 09:47:11 +0100
Subject: Kerberos and SSH ?
Message-ID: <1225097231.5884.1.camel@localhost>

I'm about to make some central authentication for our linux servers. I have followed these guides and some of it works, except ssh to the server.

Guides:
http://www.visolve.com:81/security/ssh_kerberos.php
http://www.alittletooquiet.net/text/kerberos-on-ubuntu/

My test environment is 3 computers (pc1, pc2 and pc3):

PC2 (Debian Etch)
Installed kerberos and configured realms in /etc/krb5.conf:

[libdefaults]
        default_realm = ONE.COM

[realms]
        ONE.COM = {
                kdc = kerberos.one.com
                admin_server = kerberos.one.com
        }

Created principals:
host/rofe (the pc which I want to login to via ssh, PC1)
ronni (me)

Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
PC1 (Ubuntu 8.04):
I have installed kerberos and openssh and configured realms in /etc/krb5.conf

[libdefaults]
        default_realm = ONE.COM

[realms]
        ONE.COM = {
                kdc = kerberos.one.com
                admin_server = kerberos.one.com
        }

Edited permissions for /etc/krb5.keytab to:
chmod 600 /etc/krb5.keytab
chown root:root /etc/krb5.keytab

Configured and restarted ssh; /etc/ssh/sshd_config:
# Kerberos options
KerberosAuthentication yes
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

Edited firewall rules and /etc/hosts for communication.

-----
From PC1 I can do a:
kinit ronni
And verify that I get a ticket with klist.

But it fails when I try to ssh from PC3 to PC1.
On PC2 I have tried to make a:
tcpdump -i eth0 'udp port 88'

And get this:
08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:

So they can communicate, but the authentication fails:
The /var/log/auth.log:

PC1 (where I want to login)
Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from 192.168.212.254
Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni from 192.168.212.254 port 47098 ssh2
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user unknown
Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni from 192.168.212.254 port 47098 ssh2

PC2 (the kerberos server)
Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER at ONE.COM for krbtgt/ONE.COM at ONE.COM, Client not found in Kerberos database

I know my user (ronni) is in the Kerberos database, but still I get CLIENT_NOT_FOUND, so I may have missed something somewhere.
What I want to achieve is a central user database (Kerberos), and be able to login on all servers without the need for creating every single user on every server. Help :-) - Ronni From edward at murrell.co.nz Mon Oct 27 05:27:11 2008 From: edward at murrell.co.nz (Edward Murrell) Date: Mon, 27 Oct 2008 22:27:11 +1300 Subject: Kerberos and SSH ? In-Reply-To: <1225097231.5884.1.camel@localhost> References: <1225097231.5884.1.camel@localhost> Message-ID: <1225099631.6085.4.camel@fusion> Assuming your DNS is set up properly, you'll need to set the host tab's to have the principal fully qualified domain name, ie host/rofe.one.com at ONE.COM instead of host/rofe at ONE.COM You can check if it is by running host against the IP of the hostname. So assuming rofe.one.com has the IP 10.1.1.1 > host 10.1.2.3 3.2.1.10.in-addr.arpa domain name pointer rofe.one.com. (Note the the return IP is reversed, which is normal). Cheers, Edward On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote: > I'm about to make some central authentication for our linux servers. I > have followed these guides and some of it works, except ssh to the > server. > > Guides: > http://www.visolve.com:81/security/ssh_kerberos.php > http://www.alittletooquiet.net/text/kerberos-on-ubuntu/ > > My test-environment is 3 computers (pc1, pc2 and pc3): > > PC2 (Debian Etch) > Installed kerberos and configured realms in /etc/krb5.conf: > > [libdefaults] > default_realm = ONE.COM > > [realms] > ONE.COM = { > kdc = kerberos.one.com > admin_server = kerberos.one.com > } > > Created principals: > host/rofe (the pc which I want to login to via ssh, PC1) > ronni (me) > > Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab. 
> > PC1 (Ubuntu 8.04): > I have installed kerberos and openssh and configured realms > in /etc/krb5.conf > > [libdefaults] > default_realm = ONE.COM > > [realms] > ONE.COM = { > kdc = kerberos.one.com > admin_server = kerberos.one.com > } > > > Edited persmissions for /etc/krb5.keytab to: > chmod 600 /etc/krb5.keytab > chown root:root /etc/krb5.keytab > > Configured and restarted ssh; /etc/ssh/sshd_config: > # Kerberos options > KerberosAuthentication yes > #KerberosGetAFSToken no > #KerberosOrLocalPasswd yes > KerberosTicketCleanup yes > > Edited firewall-rules and /etc/hosts for communication. > > ----- > >From PC1 I can do a: > kinit ronni > And verify that I get a ticket with klist. > > But it fails when I try to ssh from PC3 to PC1. > On PC2 I have tried to make a: > tcpdump -i eth0 'udp port 88' > > And get this: > 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5 > 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976: > 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5 > 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652: > > So they can communicate, but the authentication fails: > The /var/log/auth.log : > PC1 (where I want to login) > Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from > 192.168.212.254 > Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni > from 192.168.212.254 port 47098 ssh2 > Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user > unknown > Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3 > Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni > from 192.168.212.254 port 47098 ssh2 > > PC2 (the kerberos server) > Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 > 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER at ONE.COM for > krbtgt/ONE.COM at ONE.COM, Client not found in Kerberos database > > > I know my user (ronni) 
is in the Kerberos database, but still I get > CLIENT_NOT_FOUND, so I may have missed something somewhere. > What I want to achieve is a central user database (Kerberos), and be > able to login on all servers without the need for creating every single > user on every server. > > > Help :-) > > - Ronni > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From msimovic at concurrent-thinking.com Mon Oct 27 06:27:11 2008 From: msimovic at concurrent-thinking.com (Martin Simovic) Date: Mon, 27 Oct 2008 10:27:11 +0000 Subject: Kerberos and SSH ? In-Reply-To: <1225097231.5884.1.camel@localhost> References: <1225097231.5884.1.camel@localhost> Message-ID: <1225103231.11990.14.camel@precision.lan.streamline-computing.com> Hi, your DNS has to work properly, kerberos is unforgiving there. also, does your user exist on the server you are trying to log to? you need a separate mechanism (like LDAP) for user database, kerberos provides only authentication (not authorization) M. On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote: > I'm about to make some central authentication for our linux servers. I > have followed these guides and some of it works, except ssh to the > server. > > Guides: > http://www.visolve.com:81/security/ssh_kerberos.php > http://www.alittletooquiet.net/text/kerberos-on-ubuntu/ > > My test-environment is 3 computers (pc1, pc2 and pc3): > > PC2 (Debian Etch) > Installed kerberos and configured realms in /etc/krb5.conf: > > [libdefaults] > default_realm = ONE.COM > > [realms] > ONE.COM = { > kdc = kerberos.one.com > admin_server = kerberos.one.com > } > > Created principals: > host/rofe (the pc which I want to login to via ssh, PC1) > ronni (me) > > Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab. 
> 
> PC1 (Ubuntu 8.04):
> I have installed kerberos and openssh and configured realms
> in /etc/krb5.conf
> 
> [libdefaults]
> default_realm = ONE.COM
> 
> [realms]
> ONE.COM = {
> kdc = kerberos.one.com
> admin_server = kerberos.one.com
> }
> 
> Edited permissions for /etc/krb5.keytab to:
> chmod 600 /etc/krb5.keytab
> chown root:root /etc/krb5.keytab
> 
> Configured and restarted ssh; /etc/ssh/sshd_config:
> # Kerberos options
> KerberosAuthentication yes
> #KerberosGetAFSToken no
> #KerberosOrLocalPasswd yes
> KerberosTicketCleanup yes
> 
> Edited firewall-rules and /etc/hosts for communication.
> 
> -----
> From PC1 I can do a:
> kinit ronni
> And verify that I get a ticket with klist.
> 
> But it fails when I try to ssh from PC3 to PC1.
> On PC2 I have tried to make a:
> tcpdump -i eth0 'udp port 88'
> 
> And get this:
> 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
> 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
> 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
> 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
> 
> So they can communicate, but the authentication fails:
> The /var/log/auth.log :
> PC1 (where I want to login)
> Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from
> 192.168.212.254
> Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user
> unknown
> Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
> Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni
> from 192.168.212.254 port 47098 ssh2
> 
> PC2 (the kerberos server)
> Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1
> 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER at ONE.COM for
> krbtgt/ONE.COM at ONE.COM, Client not found in Kerberos database
> 
> I know my user (ronni) is in the Kerberos database, but still I get
> CLIENT_NOT_FOUND, so I may have missed something somewhere.
> What I want to achieve is a central user database (Kerberos), and be
> able to login on all servers without the need for creating every single
> user on every server.
> 
> Help :-)
> 
> - Ronni
> 
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From msimovic at concurrent-thinking.com  Mon Oct 27 07:32:26 2008
From: msimovic at concurrent-thinking.com (Martin Simovic)
Date: Mon, 27 Oct 2008 11:32:26 +0000
Subject: Kerberos and SSH ?
In-Reply-To: <1225105617.5884.26.camel@localhost>
References: <1225097231.5884.1.camel@localhost>
	<1225103231.11990.14.camel@precision.lan.streamline-computing.com>
	<1225105617.5884.26.camel@localhost>
Message-ID: <1225107146.11990.20.camel@precision.lan.streamline-computing.com>

Hi,

this should be simple enough and contains the explanation of what and
why is being done

http://techpubs.spinlocksolutions.com/dklar/ldap.html
http://techpubs.spinlocksolutions.com/dklar/kerberos.html

M.

On Mon, 2008-10-27 at 12:06 +0100, Ronni Feldt wrote:
> On Mon, 2008-10-27 at 10:27 +0000, Martin Simovic wrote:
> > Hi,
> > 
> > your DNS has to work properly, kerberos is unforgiving there. also, does
> > your user exist on the server you are trying to log to? you need a
> > separate mechanism (like LDAP) for user database, kerberos provides only
> > authentication (not authorization)
> > 
> > M.
> 
> No my user does not exist on the server. I found that clue myself, and
> tried to create the user ronni on the server and was then able to login
> via ssh using both the kerberos and local password.
> 
> So I can't do what I want, unless I use LDAP or create every single user
> on all servers :-P
> 
> I will take a look at OpenLDAP, anyone have any guides/howto on that
> subject?
> 
> And thank you for your help! :-)
> 
> - Ronni
> 
> > On Mon, 2008-10-27 at 09:47 +0100, Ronni Feldt wrote:
> > > I'm about to make some central authentication for our linux servers. I
> > > have followed these guides and some of it works, except ssh to the
> > > server.
> > > 
> > > Guides:
> > > http://www.visolve.com:81/security/ssh_kerberos.php
> > > http://www.alittletooquiet.net/text/kerberos-on-ubuntu/
> > > 
> > > My test-environment is 3 computers (pc1, pc2 and pc3):
> > > 
> > > PC2 (Debian Etch)
> > > Installed kerberos and configured realms in /etc/krb5.conf:
> > > 
> > > [libdefaults]
> > > default_realm = ONE.COM
> > > 
> > > [realms]
> > > ONE.COM = {
> > > kdc = kerberos.one.com
> > > admin_server = kerberos.one.com
> > > }
> > > 
> > > Created principals:
> > > host/rofe (the pc which I want to login to via ssh, PC1)
> > > ronni (me)
> > > 
> > > Exported keytab for host/rofe and copied it to PC1 in /etc/krb5.keytab.
> > > 
> > > PC1 (Ubuntu 8.04):
> > > I have installed kerberos and openssh and configured realms
> > > in /etc/krb5.conf
> > > 
> > > [libdefaults]
> > > default_realm = ONE.COM
> > > 
> > > [realms]
> > > ONE.COM = {
> > > kdc = kerberos.one.com
> > > admin_server = kerberos.one.com
> > > }
> > > 
> > > Edited permissions for /etc/krb5.keytab to:
> > > chmod 600 /etc/krb5.keytab
> > > chown root:root /etc/krb5.keytab
> > > 
> > > Configured and restarted ssh; /etc/ssh/sshd_config:
> > > # Kerberos options
> > > KerberosAuthentication yes
> > > #KerberosGetAFSToken no
> > > #KerberosOrLocalPasswd yes
> > > KerberosTicketCleanup yes
> > > 
> > > Edited firewall-rules and /etc/hosts for communication.
> > > 
> > > -----
> > > From PC1 I can do a:
> > > kinit ronni
> > > And verify that I get a ticket with klist.
> > > 
> > > But it fails when I try to ssh from PC3 to PC1.
> > > On PC2 I have tried to make a:
> > > tcpdump -i eth0 'udp port 88'
> > > 
> > > And get this:
> > > 08:16:01.559311 IP rofe.one.com.57976 > 192.168.212.15.kerberos: v5
> > > 08:16:01.560194 IP 192.168.212.15.kerberos > rofe.one.com.57976:
> > > 08:16:15.924029 IP rofe.one.com.47652 > 192.168.212.15.kerberos: v5
> > > 08:16:15.924353 IP 192.168.212.15.kerberos > rofe.one.com.47652:
> > > 
> > > So they can communicate, but the authentication fails:
> > > The /var/log/auth.log :
> > > PC1 (where I want to login)
> > > Oct 27 09:36:45 rofe sshd[11369]: Invalid user ronni from
> > > 192.168.212.254
> > > Oct 27 09:36:45 rofe sshd[11369]: Failed none for invalid user ronni
> > > from 192.168.212.254 port 47098 ssh2
> > > Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): check pass; user
> > > unknown
> > > Oct 27 09:36:49 rofe sshd[11369]: pam_unix(sshd:auth): authentication
> > > failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc3
> > > Oct 27 09:36:51 rofe sshd[11369]: Failed password for invalid user ronni
> > > from 192.168.212.254 port 47098 ssh2
> > > 
> > > PC2 (the kerberos server)
> > > Oct 27 09:36:49 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1
> > > 3 2}) 192.168.212.93: CLIENT_NOT_FOUND: NOUSER at ONE.COM for
> > > krbtgt/ONE.COM at ONE.COM, Client not found in Kerberos database
> > > 
> > > I know my user (ronni) is in the Kerberos database, but still I get
> > > CLIENT_NOT_FOUND, so I may have missed something somewhere.
> > > What I want to achieve is a central user database (Kerberos), and be
> > > able to login on all servers without the need for creating every single
> > > user on every server.
> > > 
> > > Help :-)
> > > 
> > > - Ronni
> > > 
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos

From tlyu at MIT.EDU  Mon Oct 27 18:41:28 2008
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 27 Oct 2008 18:41:28 -0400
Subject: password policy to enforce difference passwords for different principal instances?
In-Reply-To: (Tim Olsen's message of "Tue, 21 Oct 2008 11:30:41 -0400")
References: 
Message-ID: 

Tim Olsen writes:

> At my company, we've set up IMAP and SMTP services to fall back to PLAIN
> authentication using a different instance of the principal (over SSL of
> course). This way, users can use clients (such as the iPhone) that do
> not support kerberos, but the kerberos password for their default
> instance (which may grant them ssh access to certain machines) is not
> cached on their client. We are also considering doing something similar
> for HTTP authentication (Negotiate falling back to Basic).
> 
> Is there any way to set up a password policy that would enforce that
> different instances of a principal have different passwords?

The password policy support in MIT Kerberos is somewhat limited and does
not support this operation at the moment. It probably would not be too
difficult to add the functionality as a quick hack. If there is interest
in making a more general solution, I would like to hear proposals about a
plug-in interface or similar. For future inclusion in MIT Kerberos source
code, I would of course prefer a general solution that would be useful to
a wide range of enterprises.

-- 
Tom Yu
Development Manager
MIT Kerberos Consortium

From rofe at one.com  Thu Oct 30 05:36:35 2008
From: rofe at one.com (Ronni Feldt)
Date: Thu, 30 Oct 2008 10:36:35 +0100
Subject: Kerberos and LDAP
Message-ID: <1225359395.6996.18.camel@localhost>

Hi,

I'm still trying to get this to work.
Server: Debian Etch (3 hostnames=lookout, ldap and kerberos, ip=192.168.212.15)
Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)

I have followed the following guides:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html

Created my own user "ronni" the same way as the user "mirko" is.

From my workstation I can do:
kinit ronni
ldapsearch -x
which both work.

ldapsearch -x gives this output:
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# one.com
dn: dc=one,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: one.com
dc: one

# admin, one.com
dn: cn=admin,dc=one,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# People, one.com
dn: ou=People,dc=one,dc=com
ou: People
objectClass: organizationalUnit

# Group, one.com
dn: ou=Group,dc=one,dc=com
ou: Group
objectClass: organizationalUnit

# ronni, group, one.com
dn: cn=ronni,ou=group,dc=one,dc=com
cn: ronni
gidNumber: 20000
objectClass: top
objectClass: posixGroup

# ronni, people, one.com
dn: uid=ronni,ou=people,dc=one,dc=com
uid: ronni
uidNumber: 20000
gidNumber: 20000
cn: Ronni
sn: Ronni
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/ronni

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

When I try to login it doesn't work, it just returns to the login screen
with no message.
Login screen:
8.04.1 rofe tty2
rofe login:

If I do this on lookout:
tcpdump -i eth0.212 'tcp port 389'
tcpdump -i eth0.212 'udp 88'

I get the following:

tcpdump 'tcp port 389'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.212, link-type EN10MB (Ethernet), capture size 96 bytes
10:29:02.699116 IP rofe.one.com.40131 > 192.168.212.15.ldap: S 2718092773:2718092773(0) win 5840
10:29:02.699148 IP 192.168.212.15.ldap > rofe.one.com.40131: S 1225469498:1225469498(0) ack 2718092774 win 5792
10:29:02.699293 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 1 win 46
10:29:02.699328 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 1:15(14) ack 1 win 46
10:29:02.699341 IP 192.168.212.15.ldap > rofe.one.com.40131: . ack 15 win 46
10:29:02.699994 IP 192.168.212.15.ldap > rofe.one.com.40131: P 1:15(14) ack 15 win 46
10:29:02.700130 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 15 win 46
10:29:02.700207 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 15:68(53) ack 15 win 46
10:29:02.700515 IP 192.168.212.15.ldap > rofe.one.com.40131: P 15:270(255) ack 68 win 46
10:29:02.700549 IP 192.168.212.15.ldap > rofe.one.com.40131: P 270:284(14) ack 68 win 46
10:29:02.700737 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 284 win 54
10:29:02.701674 IP rofe.one.com.40131 > 192.168.212.15.ldap: F 68:68(0) ack 284 win 54
10:29:02.701790 IP 192.168.212.15.ldap > rofe.one.com.40131: F 284:284(0) ack 69 win 46
10:29:02.702319 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 285 win 54

tcpdump 'udp 88'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.212, link-type EN10MB (Ethernet), capture size 96 bytes
10:29:02.693809 IP rofe.one.com.50355 > 192.168.212.15.kerberos: v5
10:29:02.695165 IP 192.168.212.15.kerberos > rofe.one.com.50355: v5

tail /var/log/auth.log on workstation says this:
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass; user unknown
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not identify user (from getpwnam(ronni))

What have I missed ?

- Ronni

From rofe at one.com  Thu Oct 30 05:55:35 2008
From: rofe at one.com (Ronni Feldt)
Date: Thu, 30 Oct 2008 10:55:35 +0100
Subject: Kerberos and LDAP (Some more logs)
In-Reply-To: <1225359395.6996.18.camel@localhost>
References: <1225359395.6996.18.camel@localhost>
Message-ID: <1225360535.6996.21.camel@localhost>

Some more logs:

From lookout (also known as ldap and kerberos)

/var/log/auth.log
Oct 30 10:29:02 lookout krb5kdc[21046]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.212.93: ISSUE: authtime 1225358942, etypes {rep=16 tkt=16 ses=16}, ronni at ONE.COM for krbtgt/ONE.COM at ONE.COM

/var/log/syslog
Oct 30 10:29:02 lookout slapd[28071]: conn=93 fd=15 ACCEPT from IP=192.168.212.93:40131 (IP=0.0.0.0:389)
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=0 BIND dn="" method=128
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=0 RESULT tag=97 err=0 text=
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=1 SRCH base="dc=one,dc=com" scope=2 deref=0 filter="(uid=ronni)"
Oct 30 10:29:02 lookout slapd[28071]: conn=93 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 30 10:29:02 lookout slapd[28071]: conn=93 fd=15 closed (connection lost)

- Ronni

On Thu, 2008-10-30 at 10:36 +0100, Ronni Feldt wrote:
> Hi,
> 
> I'm still trying to get this to work.
> 
> Server: Debian Etch (3 hostnames=lookout, ldap and kerberos,
> ip=192.168.212.15)
> Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
> 
> I have followed the following guides:
> http://techpubs.spinlocksolutions.com/dklar/kerberos.html
> http://techpubs.spinlocksolutions.com/dklar/ldap.html
> 
> Created my own user "ronni" the same way as the user "mirko" is.
> 
> From my workstation I can do:
> kinit ronni
> ldapsearch -x
> which both work.
> 
> ldapsearch -x gives this output:
> # extended LDIF
> #
> # LDAPv3
> # base (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # one.com
> dn: dc=one,dc=com
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: one.com
> dc: one
> 
> # admin, one.com
> dn: cn=admin,dc=one,dc=com
> objectClass: simpleSecurityObject
> objectClass: organizationalRole
> cn: admin
> description: LDAP administrator
> 
> # People, one.com
> dn: ou=People,dc=one,dc=com
> ou: People
> objectClass: organizationalUnit
> 
> # Group, one.com
> dn: ou=Group,dc=one,dc=com
> ou: Group
> objectClass: organizationalUnit
> 
> # ronni, group, one.com
> dn: cn=ronni,ou=group,dc=one,dc=com
> cn: ronni
> gidNumber: 20000
> objectClass: top
> objectClass: posixGroup
> 
> # ronni, people, one.com
> dn: uid=ronni,ou=people,dc=one,dc=com
> uid: ronni
> uidNumber: 20000
> gidNumber: 20000
> cn: Ronni
> sn: Ronni
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> loginShell: /bin/bash
> homeDirectory: /home/ronni
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 7
> # numEntries: 6
> 
> When I try to login it doesn't work, it just returns to the login screen
> with no message.
> Login screen:
> 8.04.1 rofe tty2
> rofe login:
> 
> If I do this on lookout:
> tcpdump -i eth0.212 'tcp port 389'
> tcpdump -i eth0.212 'udp 88'
> 
> I get the following:
> 
> tcpdump 'tcp port 389'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth0.212, link-type EN10MB (Ethernet), capture size 96
> bytes
> 10:29:02.699116 IP rofe.one.com.40131 > 192.168.212.15.ldap: S
> 2718092773:2718092773(0) win 5840 0,nop,wscale 7>
> 10:29:02.699148 IP 192.168.212.15.ldap > rofe.one.com.40131: S
> 1225469498:1225469498(0) ack 2718092774 win 5792 1460,sackOK,timestamp 1404889037 14666346,nop,wscale 7>
> 10:29:02.699293 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 1 win
> 46
> 10:29:02.699328 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 1:15(14)
> ack 1 win 46
> 10:29:02.699341 IP 192.168.212.15.ldap > rofe.one.com.40131: . ack 15
> win 46
> 10:29:02.699994 IP 192.168.212.15.ldap > rofe.one.com.40131: P 1:15(14)
> ack 15 win 46
> 10:29:02.700130 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 15
> win 46
> 10:29:02.700207 IP rofe.one.com.40131 > 192.168.212.15.ldap: P 15:68(53)
> ack 15 win 46
> 10:29:02.700515 IP 192.168.212.15.ldap > rofe.one.com.40131: P
> 15:270(255) ack 68 win 46
> 10:29:02.700549 IP 192.168.212.15.ldap > rofe.one.com.40131: P
> 270:284(14) ack 68 win 46
> 10:29:02.700737 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 284
> win 54
> 10:29:02.701674 IP rofe.one.com.40131 > 192.168.212.15.ldap: F 68:68(0)
> ack 284 win 54
> 10:29:02.701790 IP 192.168.212.15.ldap > rofe.one.com.40131: F
> 284:284(0) ack 69 win 46
> 10:29:02.702319 IP rofe.one.com.40131 > 192.168.212.15.ldap: . ack 285
> win 54
> 
> tcpdump 'udp 88'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth0.212, link-type EN10MB (Ethernet), capture size 96
> bytes
> 10:29:02.693809 IP rofe.one.com.50355 > 192.168.212.15.kerberos: v5
> 10:29:02.695165 IP 192.168.212.15.kerberos > rofe.one.com.50355: v5
> 
> tail /var/log/auth.log on workstation says this:
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass;
> user unknown
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): authentication
> failure; logname=rofe uid=0 euid=0 tty=tty2 ruser= rhost=
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account): could not
> identify user (from getpwnam(ronni))
> 
> What have I missed ?
> 
> - Ronni
> 
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From Qiang.Xu at fujixerox.com  Thu Oct 30 06:37:12 2008
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 30 Oct 2008 18:37:12 +0800
Subject: Kerberos and LDAP
In-Reply-To: <1225359395.6996.18.camel@localhost>
References: <1225359395.6996.18.camel@localhost>
Message-ID: 

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Ronni Feldt
> Sent: Thursday, October 30, 2008 5:37 PM
> To: kerberos at mit.edu
> Subject: Kerberos and LDAP
> 
> Hi,
> 
> I'm still trying to get this to work.
> 
> Server: Debian Etch (3 hostnames=lookout, ldap and kerberos,
> ip=192.168.212.15)
> Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
> 
> I have followed the following guides:
> http://techpubs.spinlocksolutions.com/dklar/kerberos.html
> http://techpubs.spinlocksolutions.com/dklar/ldap.html
> 
> Created my own user "ronni" the same way as the user "mirko" is.
> 
> From my workstation I can do:
> kinit ronni
> ldapsearch -x
> which both work.
When you run ldapsearch with the "-x" option, it means simple binding and
does not need a kerberos ticket. So your previous "kinit" command is
redundant. You need to test it without the -x option to see whether it
still works.

Just my 2 cents,
Xu Qiang

From docelic at mail.inet.hr  Thu Oct 30 07:52:23 2008
From: docelic at mail.inet.hr (Davor Ocelic)
Date: Thu, 30 Oct 2008 12:52:23 +0100
Subject: Kerberos and LDAP
In-Reply-To: <1225359395.6996.18.camel@localhost>
References: <1225359395.6996.18.camel@localhost>
Message-ID: <20081030125223.3a6c85dc@handgun.spinlock.hr>

On Thu, 30 Oct 2008 10:36:35 +0100
Ronni Feldt wrote:

> Hi,
> 
> I'm still trying to get this to work.
> 
> tail /var/log/auth.log on workstation says this:
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass;
> user unknown
> Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth):
> authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser=
> rhost= Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account):
> could not identify user (from getpwnam(ronni))
> 

Hello,

Tcpdump is an overkill in this simple scenario.

A requirement for the login to succeed is to have commands such as
'id mirko' or 'id ronni' return the getent information for the
requested user.

Not always, but 'getent passwd' should in most cases also return
an output that looks like a passwd file, but has both local and
remote entries included.

For that, you need libnss-ldap package installed & configured on
the client. (Configuration consists of libnss-ldap.conf and
nsswitch.conf).

Also, if you have nscd installed on the client, turn it off for
a while until you get 'id ronni' working.

After you get that working first, move onto getting the actual
login step.
Cya,
-doc

From rofe at one.com  Thu Oct 30 09:05:05 2008
From: rofe at one.com (Ronni Feldt)
Date: Thu, 30 Oct 2008 14:05:05 +0100
Subject: Kerberos and LDAP
In-Reply-To: <20081030125223.3a6c85dc@handgun.spinlock.hr>
References: <1225359395.6996.18.camel@localhost>
	<20081030125223.3a6c85dc@handgun.spinlock.hr>
Message-ID: <1225371905.6996.31.camel@localhost>

Hi,

It worked!

I tried 'id ronni' which did not work.
Then I stopped nscd and success! I am now able to login using the user
in LDAP.

Now, I have read a lot, and seem to have lost the complete overview
of how it all works together. Can someone explain to me, just in a
superficial way, how it fits together or point me to a link?

My next step is to get Kerberos working with SSH, as I understand it,
I have to configure SSH to use Kerberos to authenticate the user by
forwarding my local Kerberos key; is that correct?

Thank you for your help so far!

- Ronni

On Thu, 2008-10-30 at 12:52 +0100, Davor Ocelic wrote:
> On Thu, 30 Oct 2008 10:36:35 +0100
> Ronni Feldt wrote:
> 
> > Hi,
> > 
> > I'm still trying to get this to work.
> > 
> > tail /var/log/auth.log on workstation says this:
> > Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth): check pass;
> > user unknown
> > Oct 30 10:29:02 rofe login[11133]: pam_unix(login:auth):
> > authentication failure; logname=rofe uid=0 euid=0 tty=tty2 ruser=
> > rhost= Oct 30 10:29:02 rofe login[11133]: pam_unix(login:account):
> > could not identify user (from getpwnam(ronni))
> > 
> 
> Hello,
> 
> Tcpdump is an overkill in this simple scenario.
> 
> A requirement for the login to succeed is to have commands such as
> 'id mirko' or 'id ronni' return the getent information for the
> requested user.
> 
> Not always, but 'getent passwd' should in most cases also return
> an output that looks like a passwd file, but has both local and
> remote entries included.
> 
> For that, you need libnss-ldap package installed & configured on
> the client. (Configuration consists of libnss-ldap.conf and
> nsswitch.conf).
> 
> Also, if you have nscd installed on the client, turn it off for
> a while until you get 'id ronni' working.
> 
> After you get that working first, move onto getting the actual
> login step.
> 
> Cya,
> -doc
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From docelic at mail.inet.hr  Thu Oct 30 09:41:54 2008
From: docelic at mail.inet.hr (Davor Ocelic)
Date: Thu, 30 Oct 2008 14:41:54 +0100
Subject: Kerberos and LDAP
In-Reply-To: <1225371905.6996.31.camel@localhost>
References: <1225359395.6996.18.camel@localhost>
	<20081030125223.3a6c85dc@handgun.spinlock.hr>
	<1225371905.6996.31.camel@localhost>
Message-ID: <20081030144154.6074262f@handgun.spinlock.hr>

On Thu, 30 Oct 2008 14:05:05 +0100
Ronni Feldt wrote:

> Hi,
> 
> It worked!
> 
> I tried 'id ronni' which did not work.
> Then I stopped nscd and success! I am now able to login using the user
> in LDAP.

Nscd is a caching daemon; so after it caches information about 'ronni'
not existing, it will not figure out you added it until you run
nscd -i passwd or restart it.

> Now, I have read a lot, and seem to have lost the complete overview
> of how it all works together. Can someone explain to me, just in a
> superficial way, how it fits together or point me to a link?

There's nothing special really. NSS is used to get user metadata
(username, id, gid, homedir, shell, etc..), and PAM is used to perform
the actual verification of user credentials (login allowed or not).
And nscd is there just to cache NSS results so that the remote lookup
is not performed all the time.

> My next step is to get Kerberos working with SSH, as I understand it,
> I have to configure SSH to use Kerberos to authenticate the user by
> forwarding my local Kerberos key; is that correct?

Getting ssh to work with kerberos is 2 or 3 lines...
sshd_config file something like:

KerberosAuthentication yes
GSSAPIAuthentication yes
UsePAM yes

And ssh_config (client) file something like:

Host *
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no

-doc

From yabadi at checkpoint.com  Thu Oct 30 10:47:34 2008
From: yabadi at checkpoint.com (yuval)
Date: Thu, 30 Oct 2008 16:47:34 +0200
Subject: No principal in keytab
Message-ID: <011d01c93a9e$723528a0$7b2e1dc2@ad.checkpoint.com>

Hi

I try to authenticate web server clients on Linux apache.

I have keytab from win2003 and kinit passes OK.

Klist shows a valid principal.

[Expert at fluid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/fluid.w2003ex.qa.checkpoint.com at W2003EX.QA.CHECKPOINT.COM

Valid starting     Expires            Service principal
10/30/08 14:50:28  10/31/08 00:50:46  krbtgt/W2003EX.QA.CHECKPOINT.COM at W2003EX.QA.CHECKPOINT.COM
        renew until 10/31/08 14:50:28

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

but I got gss error "No principal in keytab matches desired name"

debug:
[Thu Oct 30 16:14:15 2008] [debug] mod_auth_kerb.c(1182): [client 192.168.0.32] Acquiring creds for HTTP at fluid.w2003ex.qa.checkpoint.com
[Thu Oct 30 16:14:15 2008] [error] [client 192.168.0.32] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)

Does anyone know how to debug this? What went wrong?

Thanks
Yuval

From ioplex at gmail.com  Thu Oct 30 11:57:48 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 30 Oct 2008 11:57:48 -0400
Subject: No principal in keytab
In-Reply-To: <011d01c93a9e$723528a0$7b2e1dc2@ad.checkpoint.com>
References: <011d01c93a9e$723528a0$7b2e1dc2@ad.checkpoint.com>
Message-ID: <78c6bd860810300857v4a46e9e2m6f40021a8c57f0e0@mail.gmail.com>

On Thu, Oct 30, 2008 at 10:47 AM, yuval wrote:
> Hi
> 
> I try to authenticate web server clients on Linux apache.
> 
> I have keytab from win2003 and kinit passes OK.
> 
> Klist shows a valid principal.
> 
> [Expert at fluid]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal:
> HTTP/fluid.w2003ex.qa.checkpoint.com at W2003EX.QA.CHECKPOINT.COM
> 
> Valid starting     Expires            Service principal
> 10/30/08 14:50:28  10/31/08 00:50:46
> krbtgt/W2003EX.QA.CHECKPOINT.COM at W2003EX.QA.CHECKPOINT.COM
>         renew until 10/31/08 14:50:28
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> but I got gss error "No principal in keytab matches desired name"

What is the URL you are using in the address bar of the browser? The
hostname in the URL must match the hostname in the principal name in the
keytab file exactly. For example, if you use an IP address to visit the
website, you will get the aforementioned error.

List the contents of the keytab file with ktutil. Are you sure the keytab
file is being successfully read by Apache?

Mike

From dhazen at lbl.gov  Thu Oct 30 12:29:48 2008
From: dhazen at lbl.gov (Damian Hazen)
Date: Thu, 30 Oct 2008 09:29:48 -0700
Subject: IPv6 and channel bindings
Message-ID: <4909E0FC.8090907@lbl.gov>

Hi -

Does anyone know if IPv6 addresses work with kerberos v5 GSS-API channel
bindings?

Thanks for any info,
-Damian

From jcparra at mx1.ibm.com  Fri Oct 31 01:01:43 2008
From: jcparra at mx1.ibm.com (Julio Cesar Parra/Mexico/IBM)
Date: Fri, 31 Oct 2008 00:01:43 -0500
Subject: Unable to obtain initial credentials with the status 0x96c73a44
Message-ID: 

Hello.

Could anybody help me determine what could cause the following error
(Unable to obtain initial credentials with the status 0x96c73a44)?

kinit -k krbsvr400/servicePrincipal at REALM.COM
Message 0x96c73a44 not found in catalog SKRBDLL.CAT
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73a44 - N/A.

and what does the 0x96c73a44 error id mean?

Thanks in advance.

Regards.
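A small diagnostic for the keytab-versus-URL mismatch Michael B Allen describes above, added here as an example and not code from the thread, from mod_auth_kerb or from MIT krb5. `KEYTAB_PRINCIPALS` is a constructed sample standing in for a keytab listing, and `check_url_against_keytab` is a hypothetical helper name.

```python
"""Check whether the host a browser used can match an HTTP/<host> keytab entry.

Added example (not from the thread or from mod_auth_kerb). The acceptor
asks for HTTP@<host from the request>, so the host in the URL must equal
the instance of an HTTP/ principal in the keytab; an IP literal or a short
name in place of the FQDN cannot match and yields "No principal in keytab
matches desired name".
"""
from ipaddress import ip_address
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed sample of what a keytab listing (ktutil / klist -k) might show.
KEYTAB_PRINCIPALS = [
    "HTTP/fluid.w2003ex.qa.checkpoint.com@W2003EX.QA.CHECKPOINT.COM",
]


def principal_instance(principal: str) -> Optional[str]:
    """Return the host (instance) part of 'service/host@REALM', or None."""
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return None
    return name.split("/", 1)[1]


def check_url_against_keytab(url: str, principals: Iterable[str]) -> dict:
    """Report whether `url` names a host covered by an HTTP/<host> principal.

    Hostnames are compared case-insensitively. The result distinguishes an
    IP literal in the URL, a short name where the keytab holds an FQDN, and
    a host with no principal at all, since each needs a different fix.
    """
    host = urlsplit(url).hostname          # lowercased, port stripped
    if not host:
        return {"host": None, "ok": False, "reason": "no-host-in-url"}

    try:
        ip_address(host)                   # succeeds only for IP literals
        return {"host": host, "ok": False, "reason": "ip-literal",
                "wanted": "HTTP/" + host}
    except ValueError:
        pass                               # a hostname, as expected

    wanted = "HTTP/" + host
    http_hosts = []
    for p in principals:
        inst = principal_instance(p)
        if inst is not None and p.split("@", 1)[0].startswith("HTTP/"):
            http_hosts.append(inst.lower())

    if host in http_hosts:
        return {"host": host, "ok": True, "reason": "match", "wanted": wanted}

    # A bare "fluid" against "fluid.w2003ex..." is the common slip.
    short_of = [h for h in http_hosts if h.split(".", 1)[0] == host]
    reason = "short-name-not-fqdn" if short_of else "no-matching-principal"
    return {"host": host, "ok": False, "reason": reason,
            "wanted": wanted, "candidates": short_of}


if __name__ == "__main__":
    for u in ("http://fluid.w2003ex.qa.checkpoint.com/",
              "http://192.168.0.32/", "http://fluid/"):
        print(u, check_url_against_keytab(u, KEYTAB_PRINCIPALS))
```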
From rofe at one.com  Fri Oct 31 04:43:55 2008
From: rofe at one.com (Ronni Feldt)
Date: Fri, 31 Oct 2008 09:43:55 +0100
Subject: Kerberos and LDAP
In-Reply-To: <20081030144154.6074262f@handgun.spinlock.hr>
References: <1225359395.6996.18.camel@localhost>
	<20081030125223.3a6c85dc@handgun.spinlock.hr>
	<1225371905.6996.31.camel@localhost>
	<20081030144154.6074262f@handgun.spinlock.hr>
Message-ID: <1225442635.13932.17.camel@localhost>

> > Now, I have read a lot, and seem to have lost the complete overview
> > of how it all works together. Can someone explain to me, just in a
> > superficial way, how it fits together or point me to a link?
> 
> There's nothing special really. NSS is used to get user metadata
> (username, id, gid, homedir, shell, etc..), and PAM is used to perform
> the actual verification of user credentials (login allowed or not).
> And nscd is there just to cache NSS results so that the remote lookup
> is not performed all the time.

Okay, this means it's something like this:

1. User login

2. PAM authenticates the user using info in /etc/pam.d/common-auth, which
tells it to use info from the local workstation and kerberos, because of:

auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

In this step PAM is also using /etc/pam.d/common-password to find out how
to evaluate passwords. Again both local passwords and passwords in
Kerberos will do.

password sufficient pam_unix.so nullok obscure md5
password required pam_krb5.so use_first_pass

Question: Am I missing a
password required pam_deny.so
here?

3. If the user authentication is successful, PAM uses
/etc/pam.d/common-account to grant privileges to the user; the resources
that the user may have access to. Again local information is okay, as
well as information from LDAP and Kerberos (Why Kerberos? It only
authenticates.)
account sufficient pam_unix.so
account required pam_ldap.so
account required pam_krb5.so

In the steps above, PAM is using NSS (/etc/nsswitch.conf) to get
information about username, privileges etc. NSS bridges the information
from LDAP and/or local information to PAM.

/etc/nsswitch.conf
passwd:         ldap files
group:          ldap files
shadow:         ldap files
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

Is that correct ?

- Ronni

From j.barber at dundee.ac.uk  Fri Oct 31 06:00:53 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 31 Oct 2008 10:00:53 +0000
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
Message-ID: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk>

We've recently introduced kerberos to our unix infrastructure and have it
working for ssh'ing from and to unix hosts, so are now trying to configure
Windows as an ssh client.

Our first Windows client is a 2003 terminal server joined to a NT4 style
domain (provided by samba). We've been following the instructions from
here:
http://glast-ground.slac.stanford.edu/workbook/pages/getting_connected/ssh_forwindows.htm

And have successfully installed and configured NetIDMgr 1.3.1.0 and can
authenticate against our KDC as our principals and get tickets with
NetIDMgr.

After downloading putty from here:
http://web.mit.edu/jaltman/Public/putty-0.59-with-gssapi.zip
and copying the DLLs from the MIT NetIDMgr install to C:\Windows\system32,
we get the following message from putty when we try to connect to a
kerberised ssh server:

Event Log: GSSAPI error: Unspecified GSS failure. Minor code may provide more information
Event Log: GSSAPI mech specific error: Cannot resolve network address for KDC in requested realm

The same ssh server works fine from a linux client with the same
principal.
AFAIK DNS is correctly configured for the terminal server, can anyone shed
any light on what might be going on?

Regards.
-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From jaltman at secure-endpoints.com  Fri Oct 31 06:49:24 2008
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 31 Oct 2008 03:49:24 -0700
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk>
Message-ID: <490AE2B4.7090202@secure-endpoints.com>

Jonathan Barber wrote:
> After downloading putty from here:
> http://web.mit.edu/jaltman/Public/putty-0.59-with-gssapi.zip

This version is known to be buggy and should have been deleted from that
location long ago. It now has been.

> and copying the DLLs from the MIT NetIDMgr install to
> C:\Windows\system32,

Why are you copying DLLs from the installer directory to \WINDOWS\System32?
Application binaries do not belong there.

> we get the following message from putty when we try
> to connect to a kerberised ssh server:
> 
> Event Log: GSSAPI error: Unspecified GSS failure. Minor code may provide more information
> Event Log: GSSAPI mech specific error: Cannot resolve network address for KDC in requested realm
> 
> The same ssh server works fine from a linux client with the same
> principal.

The problem is not your ssh server, it's the putty client.

Secure Endpoints provides gss putty clients that work (for 32-bit and
64-bit windows) to its clients.

Jeffrey Altman
Secure Endpoints Inc.

From j.barber at dundee.ac.uk  Fri Oct 31 08:29:02 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 31 Oct 2008 12:29:02 +0000
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <490AE2B4.7090202@secure-endpoints.com>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk>
	<490AE2B4.7090202@secure-endpoints.com>
Message-ID: <20081031122902.GB23664@flea.lifesci.dundee.ac.uk>

On Fri, Oct 31, 2008 at 03:49:24AM -0700, Jeffrey Altman wrote:
> Jonathan Barber wrote:
> > After downloading putty from here:
> > http://web.mit.edu/jaltman/Public/putty-0.59-with-gssapi.zip
> 
> This version is known to be buggy and should have been deleted from
> that location long ago. It now has been.

That would explain that.

> > and copying the DLLs from the MIT NetIDMgr install to
> > C:\Windows\system32,
> Why are you copying DLLs from the installer directory to \WINDOWS\System32?
> Application binaries do not belong there.

Prior to that, we were getting errors including references to SSPI,
presumably because putty wasn't picking up the MIT DLLs.

> > we get the following message from putty when we try
> > to connect to a kerberised ssh server:
> > 
> > Event Log: GSSAPI error: Unspecified GSS failure. Minor code may provide more information
> > Event Log: GSSAPI mech specific error: Cannot resolve network address for KDC in requested realm
> > 
> > The same ssh server works fine from a linux client with the same
> > principal.
> The problem is not your ssh server, it's the putty client.

Yes, I'd reached that conclusion. The comment was there to rule out the
possibility that people might think that the issue was in the underlying
infrastructure.
> Secure Endpoints provides gss putty clients that work (for 32-bit and
> 64-bit windows)
> to its clients.

How is this available? We don't have any particular preference WRT ssh clients, putty was just chosen as our test as it's what we have used in the past.

> Jeffrey Altman
> Secure Endpoints Inc.

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From sfrost at snowman.net Fri Oct 31 08:43:11 2008
From: sfrost at snowman.net (Stephen Frost)
Date: Fri, 31 Oct 2008 08:43:11 -0400
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <20081031122902.GB23664@flea.lifesci.dundee.ac.uk>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk> <490AE2B4.7090202@secure-endpoints.com> <20081031122902.GB23664@flea.lifesci.dundee.ac.uk>
Message-ID: <20081031124311.GP4452@tamriel.snowman.net>

* Jonathan Barber (j.barber at dundee.ac.uk) wrote:
> We don't have any particular preference WRT ssh clients, putty was just
> chosen as our test as it's what we have used in the past.

This thread got me curious, and it appears that ~2 months ago, GSSAPI support was committed to the PuTTY subversion tree. Anyone tried it?

I'd love to move off of all of these hacked/patched versions of PuTTY that are floating around. We're currently using http://sweb.cz/v_t_m/#putty but in the past we've used a variety of things. :/

Thanks!

Stephen
From kwc at umich.edu Fri Oct 31 09:11:48 2008
From: kwc at umich.edu (Kevin Coffman)
Date: Fri, 31 Oct 2008 09:11:48 -0400
Subject: Unable to obtain initial credentials with the status 0x96c73a44
In-Reply-To: 
References: 
Message-ID: <4d569c330810310611h5eb34c83x959e655de515ceb8@mail.gmail.com>

On Fri, Oct 31, 2008 at 1:01 AM, Julio Cesar Parra/Mexico/IBM wrote:
> Hello.
>
> Does anybody, could help me to determine what could cause the next error (
> Unable to obtain initial credentials with the status 0x96c73a44).?
>
> kinit -k krbsvr400/servicePrincipal at REALM.COM
> Message 0x96c73a44 not found in catalog SKRBDLL.CAT
> EUVF06014E Unable to obtain initial credentials.
> Status 0x96c73a44 - N/A.
>
> and what the 0x96c73a44 error id means?

Translating hex value to signed/unsigned:

Unsigned 2529638980
hex 0x96c73a44
signed -1765328316

From the MIT error codes:

#define KRB5PLACEHOLD_68 (-1765328316L)

From RFC 4120:

KDC_ERR_WRONG_REALM 68 Reserved for future use

Sounds like the future is now ;-)

From jivko.mitev at free.fr Thu Oct 30 08:44:08 2008
From: jivko.mitev at free.fr (jivko)
Date: Thu, 30 Oct 2008 05:44:08 -0700 (PDT)
Subject: Parameters in « Strategy Kerberos » not taken into account.
Message-ID: 

Title: Parameters in « Strategy Kerberos » not taken into account.

Environment: Domain controller « Windows 2000 Server SP4 », client « Windows XP SP2 »

Particularities of the environment: The server is the only AD controller in its VLAN. It was added in the production domain, replicated, then detached and plugged into a closed VLAN with suppression of the missing references. The server is in the AD2000 native mode, but the domain was not created from scratch, it was migrated from NT.
The VLAN contains the only XP workstation, member of the domain. At the beginning the domain was under NT; it contained a certain number of NT hosts (1 PDC and several BDCs). The domain was migrated to Windows 2000 like this:

- migration of the NT PDC to 2000 (2000 is then in mixed mode, which means that the 2000 server emulates an NT PDC)
- replacement of all the NT controllers by 2000 controllers, installed from scratch
- at the end, when there were no NT controllers left in the domain, reinstallation from scratch to 2000 of the ex-PDC from NT
- when there are only 2000 machines installed from scratch, passing of the AD to the 2000 « native » mode

So, the controllers are 100% 2000, but the AD structure comes from the old NT domain.

Description: We want to modify the max lifetime of the Kerberos TGT tickets. To do this:

1) we modified the value of the TGT max lifetime to 600 in « Stratégie de sécurité du domaine / ... / Stratégie Kerberos »

On the client workstation we do:

2) klist purge
3) access to the shared folder
4) klist tgt

===========
C:\Program Files\Resource Kit>klist tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: GOVARTAN
DomainName: AESN.FR
TargetDomainName: AESN.FR
AltTargetDomainName: AESN.FR
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 2:00:00
StartTime: 10/16/2008 18:04:54
EndTime: 10/17/2008 2:04:54
RenewUntil: 10/16/2008 19:04:54
TimeSkew: 1/1/1601 2:00:00
==========

The problem: The TGT max lifetime is 8h. After reboot of the server: the same result. The same modifications are taken into account on the host installed with Windows 2000 from scratch.

Questions:
1) As the ticket max lifetime by default is 10h, where does the duration of 8h come from?
2) How to modify (force) the TGT max lifetime in our platform configuration?
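The hex-to-error-code translation in Kevin Coffman's reply above, worked through as an added example (not code from the thread or from MIT krb5): the com_err table base for the "krb5" table is recomputed from the table name the way compile_et derives it, and the remaining index is looked up in a small, constructed subset of the RFC 4120 KDC error names.

```python
# Added example, not from the list thread or from MIT krb5.
# MIT krb5 error codes are com_err codes: a signed 32-bit table base derived
# from the table name ("krb5") plus the protocol error index from RFC 4120.

def to_signed32(word: int) -> int:
    """Interpret a 32-bit unsigned value as a two's-complement signed int."""
    word &= 0xFFFFFFFF
    return word - (1 << 32) if word & 0x80000000 else word

def com_err_table_base(name: str) -> int:
    """Reproduce compile_et's table-base hash: each character of the table
    name packs into 6 bits (A-Z = 1..26, a-z = 27..52, 0-9 = 53..62, _ = 63),
    the result is shifted left by 8 and read as a signed 32-bit integer."""
    def char_to_num(c: str) -> int:
        if "A" <= c <= "Z":
            return ord(c) - ord("A") + 1
        if "a" <= c <= "z":
            return ord(c) - ord("a") + 27
        if "0" <= c <= "9":
            return ord(c) - ord("0") + 53
        if c == "_":
            return 63
        raise ValueError(f"invalid table-name character {c!r}")
    val = 0
    for c in name:
        val = (val << 6) + char_to_num(c)
    return to_signed32(val << 8)

# Constructed subset of the RFC 4120 section 7.5.9 KDC error indices.
RFC4120_KDC_ERRORS = {
    0: "KDC_ERR_NONE",
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}

def decode_krb5_status(status: int) -> tuple:
    """Return (signed code, protocol index, RFC 4120 name) for a status word.
    com_err tables hold at most 256 codes, so anything outside 0..255 is not
    a krb5 code at all."""
    signed = to_signed32(status)
    index = signed - com_err_table_base("krb5")
    if not 0 <= index <= 255:
        raise ValueError(f"{status:#x} is not a krb5 com_err code")
    return signed, index, RFC4120_KDC_ERRORS.get(index, "UNKNOWN")

if __name__ == "__main__":
    print(decode_krb5_status(0x96c73a44))  # (-1765328316, 68, 'KDC_ERR_WRONG_REALM')
```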
From michael at stroeder.com Fri Oct 31 07:21:18 2008
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 31 Oct 2008 12:21:18 +0100
Subject: Kerberos and LDAP
In-Reply-To: 
References: <1225359395.6996.18.camel@localhost> <20081030125223.3a6c85dc@handgun.spinlock.hr> <1225371905.6996.31.camel@localhost> <20081030144154.6074262f@handgun.spinlock.hr>
Message-ID: 

Ronni Feldt wrote:
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

Are you actually using MDNS? You will run into problems if your domain names end with .local.

Ciao, Michael.

From deengert at anl.gov Fri Oct 31 13:25:21 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 31 Oct 2008 12:25:21 -0500
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <20081031124311.GP4452@tamriel.snowman.net>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk> <490AE2B4.7090202@secure-endpoints.com> <20081031122902.GB23664@flea.lifesci.dundee.ac.uk> <20081031124311.GP4452@tamriel.snowman.net>
Message-ID: <490B3F81.1050902@anl.gov>

Stephen Frost wrote:
> * Jonathan Barber (j.barber at dundee.ac.uk) wrote:
>> We don't have any particular preference WRT ssh clients, putty was just
>> chosen as our test as it's what we have used in the past.
>
> This thread got me curious, and it appears that ~2 months ago, GSSAPI
> support was committed to the PuTTY subversion tree. Anyone tried it?

Thanks for the tip. I too have complained for years about this, and it's nice to see the PuTTY people are adding GSSAPI.

This was the easiest shared source Windows build I have seen! I did an svn checkout on Unix to a shared file system (AFS), ran the ./mkfiles.pl on Unix, then from XP in their windows directory:

nmake -f Makefile.vc (Visual Studio 8)

As compared to http://sweb.cz/v_t_m/#putty, they did change the names of some flags in the registry. GssapiFwd was GSSAPIFwdTGT, GSSAPIServerRealm is not defined. But these are minor.

And it works!
The v_t_m version could use either the Microsoft SSPI, or the MIT GSSAPI as implemented by the MIT gssapi32.dll. The new PuTTY only does SSPI so there are some implications if you are trying to use this from a non-windows domain machine. (But runas could be used.)

> I'd love to move off of all of these hacked/patched versions of PuTTY
> that are floating around. We're currently using
> http://sweb.cz/v_t_m/#putty but in the past we've used a variety of
> things. :/
>
> Thanks!
>
> Stephen

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From pbh at MIT.EDU Fri Oct 31 14:12:59 2008
From: pbh at MIT.EDU (Paul B. Hill)
Date: Fri, 31 Oct 2008 14:12:59 -0400
Subject: Putty + GSSAPI from W2k3 terminal server to linux openssh daemon
In-Reply-To: <490B3F81.1050902@anl.gov>
References: <20081031095755.GA23664@flea.lifesci.dundee.ac.uk> <490AE2B4.7090202@secure-endpoints.com> <20081031122902.GB23664@flea.lifesci.dundee.ac.uk> <20081031124311.GP4452@tamriel.snowman.net> <490B3F81.1050902@anl.gov>
Message-ID: <490B4AAB.5070002@mit.edu>

Hi Doug or anyone else,

Do you know of any distributions that work with KfW that have a version of plink that doesn't always open a Windows console window? I know that Quest (formerly Vintella?) has a version that does this, but it only supports SSPI.

I want to be able to use svn+ssh from within Eclipse, on a machine that is not in a Windows domain, without having the system flash open a large number of console windows while I am either checking files out or in. The Quest distribution of Putty works well for this purpose when I am using a machine that is in a Windows domain.

Paul

Douglas E. Engert wrote:
>
> Stephen Frost wrote:
>> * Jonathan Barber (j.barber at dundee.ac.uk) wrote:
>>> We don't have any particular preference WRT ssh clients, putty was just
>>> chosen as our test as it's what we have used in the past.
>> This thread got me curious, and it appears that ~2 months ago, GSSAPI
>> support was committed to the PuTTY subversion tree. Anyone tried it?
>
> Thanks for the tip. I too have complained for years about this, and
> it's nice to see the PuTTY people are adding GSSAPI.
>
> This was the easiest shared source Windows build I have seen!
> I did an svn checkout on Unix to a shared file system (AFS), ran the
> ./mkfiles.pl on Unix, then from XP in their windows directory
> nmake -f Makefile.vc (Visual Studio 8)
>
> As compared to http://sweb.cz/v_t_m/#putty, they did
> change the names of some flags in the registry. GssapiFwd was GSSAPIFwdTGT,
> GSSAPIServerRealm is not defined. But these are minor.
>
> And it works!
>
> The v_t_m version could use either the Microsoft SSPI, or the MIT GSSAPI
> as implemented by the MIT gssapi32.dll. The new PuTTY only does SSPI
> so there are some implications if you are trying to use this from a
> non-windows domain machine. (But runas could be used.)
>
>
>> I'd love to move off of all of these hacked/patched versions of PuTTY
>> that are floating around. We're currently using
>> http://sweb.cz/v_t_m/#putty but in the past we've used a variety of
>> things. :/
>>
>> Thanks!
>>
>> Stephen