From petesea at bigfoot.com Tue Sep 2 11:26:53 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Tue, 02 Sep 2008 08:26:53 -0700 (PDT)
Subject: Renaming Realm

Is there an easy way to rename a realm?

I have a simple Kerberos setup I use for testing. It's isolated to just one KDC and a few client systems. I'd like to rename the realm (from TEST.ORG -> TEST.LAN), but was wondering if there's a relatively easy way to do this, other than manually starting over. And, given the size of my setup, perhaps that is the easiest.

At a minimum, I realize the krb5.conf file and any application keytabs will need to be changed on each client and (I assume) the following will need to be changed on the KDC:

/etc/krb5.conf
/etc/krb5.keytab
/var/kerberos/krb5kdc/.k5.TEST.ORG
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kadm5.keytab
/var/kerberos/krb5kdc/principal
/var/kerberos/krb5kdc/principal.kadm5

It appears I may be able to use kdb5_util (dump -> destroy -> create -> load), but I'm not so sure about the order of things or what I will need to modify. E.g., do I need to manually change/recreate kadm5.acl, kadm5.keytab and the stash file, or will the "create" do that for me?

From genijalac at yahoo.com Thu Sep 4 08:13:03 2008
From: genijalac at yahoo.com (Walter Sobchak)
Date: Thu, 04 Sep 2008 14:13:03 +0200
Subject: Kerberize MS Exchange?

I'd like to kerberize MS Exchange. I found some information about adding a security patch and some settings, but not enough for it to work. Are there any pointers someone could give me? Do I have to use some commercial solution, or can it be configured or programmed manually?

Thanks in advance.
From moshe.valenci at gmail.com Thu Sep 4 08:01:22 2008
From: moshe.valenci at gmail.com (Moshe Valenci)
Date: Thu, 4 Sep 2008 15:01:22 +0300
Subject: bug reports: gss-server.exe not using WSAStartup()
Message-ID: <10a541410809040501i5eb0e090wd077a2325028c8e3@mail.gmail.com>

Hello,

I tried testing KFW gss-server.exe for quite a while with no success. The app just exited with the message "creating socket: No error". I grabbed the sources and tried debugging the issue, and I think I found a bug. WSAStartup and WSACleanup are being called whenever GSS is called. In the caller context, no one calls WSAStartup, so 'create_socket' always fails. Adding WSAStartup() right after main() and WSACleanup() before exiting resolved the issue.

Can you please confirm this bug? Please check if this happens for gss-client.exe as well; this looks like a swift problem.

Regards,
Moshe

From SBuckley at MIT.EDU Thu Sep 4 11:52:35 2008
From: SBuckley at MIT.EDU (Stephen C. Buckley)
Date: Thu, 4 Sep 2008 11:52:35 -0400
Subject: Recommended Practices for Deploying and Using Kerberos in Mixed Environments

I'm pleased to announce that our latest white paper, "Recommended Practices for Deploying & Using Kerberos in Mixed Environments", is now available at:

http://www.kerberos.org/software/mixenvkerberos.pdf

This document explores some of the many issues that emerge when deploying and using Kerberos in mixed environments, presents guidance on addressing these issues, and recommends practices for minimizing problems while optimizing the value of Kerberos as a consistent, cross-platform authentication solution. The target audience includes IT professionals with responsibility for infrastructure planning, strategy, architecture, and technology refresh. While the focus is on how Kerberos can be used effectively in mixed environments, it also addresses many issues that will be encountered by people who primarily deal with homogeneous environments.
In addition, we have received many comments on earlier white papers that have improved the quality and completeness of these works. I welcome additional comments you might have on these:

"The Role of Kerberos in Modern Information Systems"
http://www.kerberos.org/software/rolekerberos.pdf

"The MIT Kerberos Administrator's How-to Guide"
http://www.kerberos.org/software/adminkerberos.pdf

"Best Practices for Integrating Kerberos Into Your Application"
http://www.kerberos.org/software/appskerberos.pdf

"Why is Kerberos a Credible Security Solution?"
http://www.kerberos.org/software/whykerberos.pdf

Please note that these white papers are made available under the same copyright as the MIT Kerberos software, which grants permission to use, copy, modify, and distribute this documentation for any purpose.

Thank you again for your support of the Kerberos Consortium.

s
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Stephen C. Buckley
Executive Director
Kerberos Consortium
Massachusetts Institute of Technology
77 Massachusetts Ave W92-159
Cambridge, MA 02139
web: http://www.kerberos.org

From ioplex at gmail.com Thu Sep 4 12:10:14 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 4 Sep 2008 12:10:14 -0400
Subject: Kerberize MS Exchange?
Message-ID: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com>

On Thu, Sep 4, 2008 at 8:13 AM, Walter Sobchak wrote:
> I'd like to kerberize ms exchange. I found some information about adding
> a security patch and some settings but not enough for it to work.
> Are there any pointers someone could give me?
> Do I have to use some commercial solution or it can be configured or
> programmed manually?

Kerberize it how?

MS Exchange uses a proprietary communications protocol, so it's not clear how Kerberos authentication even works in Exchange [1].

If you're talking about using IMAP4, last I checked MS Exchange does not support Kerberos w/ IMAP4 at all.
Mike

[1] There is some new "Exchange Protocols" documentation released as part of the EU settlement that might include such details.

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From eric at ijack.net Thu Sep 4 14:26:32 2008
From: eric at ijack.net (Eric Hill)
Date: Thu, 4 Sep 2008 13:26:32 -0500
Subject: Kerberize MS Exchange?
In-Reply-To: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com>
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com>
Message-ID: <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>

> Kerberize it how?
>
> MS Exchange uses a proprietary communications protocol so it's not
> clear how Kerberos authentication even works in Exchange [1].
>
> If you're talking about using IMAP4, last I checked MS Exchange does
> not support Kerberos w/ IMAP4 at all.
>
> Mike
>
> [1] There is some new "Exchange Protocols" documentation released as
> part of the EU settlement that might include such details.

Actually the protocol doesn't really include anything for authentication. The core Exchange security mechanism is a named pipe connection to the server, and a thread running ImpersonateNamedPipeClient on the server side to handle requests on behalf of the user.

Microsoft may or may not use Kerberos to authenticate the pipe.

Eric

From ioplex at gmail.com Thu Sep 4 15:00:24 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 4 Sep 2008 15:00:24 -0400
Subject: Kerberize MS Exchange?
In-Reply-To: <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>
Message-ID: <78c6bd860809041200m5205aa33p564696ca9baf06a0@mail.gmail.com>

On Thu, Sep 4, 2008 at 2:26 PM, Eric Hill wrote:
>> Kerberize it how?
>>
>> MS Exchange uses a proprietary communications protocol so it's not
>> clear how Kerberos authentication even works in Exchange [1].
>>
>> If you're talking about using IMAP4, last I checked MS Exchange does
>> not support Kerberos w/ IMAP4 at all.
>>
>> Mike
>>
>> [1] There is some new "Exchange Protocols" documentation released as
>> part of the EU settlement that might include such details.
>
> Actually the protocol doesn't really include anything for authentication. The core Exchange security mechanism is a named pipe
> connection to the server, and a thread running ImpersonateNamedPipeClient on the server-side to handle requests on behalf of the
> user.
>
> Microsoft may or may not use Kerberos to authenticate the pipe.

I understand. That's good actually, because there is quite a bit of open code that can do Kerberos over Windows named pipes (including SMB named pipes).

Incidentally, I have been informed off-list that newer versions of Exchange's IMAP implementation actually do support Kerberos via GSSAPI.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From genijalac at yahoo.com Fri Sep 5 03:04:19 2008
From: genijalac at yahoo.com (Walter Sobchak)
Date: Fri, 05 Sep 2008 09:04:19 +0200
Subject: Kerberize MS Exchange?

Michael B Allen wrote:
> On Thu, Sep 4, 2008 at 8:13 AM, Walter Sobchak wrote:
>> I'd like to kerberize ms exchange. I found some information about adding
>> a security patch and some settings but not enough for it to work.
>> Are there any pointers someone could give me?
>> Do I have to use some commercial solution or it can be configured or
>> programmed manually?
>
> Kerberize it how?
>
> MS Exchange uses a proprietary communications protocol so it's not
> clear how Kerberos authentication even works in Exchange [1].
>
> If you're talking about using IMAP4, last I checked MS Exchange does
> not support Kerberos w/ IMAP4 at all.
>
> Mike
>
> [1] There is some new "Exchange Protocols" documentation released as
> part of the EU settlement that might include such details.
>

What I really want to do is use Outlook Web Access. Also I would like to have this option for Internet users, not only local company users.

From vas at mpeks.no-spam-here.tomsk.su Thu Sep 4 22:13:52 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Fri, 5 Sep 2008 02:13:52 +0000 (UTC)
Subject: Kerberize MS Exchange?
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>

Michael B Allen wrote:
> Incidentally, I have been informed off-list that newer versions of
> Exchange's IMAP implementation actually do support Kerberos via
> GSSAPI.

And what win32 IMAP clients can authenticate with GSSAPI?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet
http://vas.tomsk.ru/

From deengert at anl.gov Fri Sep 5 11:11:25 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 05 Sep 2008 10:11:25 -0500
Subject: Kerberize MS Exchange?
References: <78c6bd860809040910u171bee84ya6597e32742051ec@mail.gmail.com> <6BBC1BDFD77747F7BB00884FC9C544EE@pioneer.world>
Message-ID: <48C14C1D.7060408@anl.gov>

Victor Sudakov wrote:
> Michael B Allen wrote:
>
>> Incidentally, I have been informed off-list that newer versions of
>> Exchange's IMAP implementation actually do support Kerberos via
>> GSSAPI.
>
> And what win32 IMAP clients can authenticate with GSSAPI?

Thunderbird is reported to be able to do this:
http://kb.mozillazine.org/Network.auth.use-sspi

I have not tried it, but it looks promising.

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From petesea at bigfoot.com Sat Sep 6 12:58:42 2008
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Sat, 06 Sep 2008 09:58:42 -0700 (PDT)
Subject: Obtain Credentials On-Demand

Using the Kerberos (1.6.2) and OpenSSH (4.7p1) available with Mac Leopard (10.5)...
is there a way to get the Kerberos GUI-based "Authenticate to Kerberos" dialog to be displayed automatically if there are no credentials or the credentials have expired?

In other words, if I go to a command line and run:

$ ssh bozo at zippy.com

and there are no credentials or the credentials have expired, I'd like to see the "Authenticate to Kerberos" dialog pop up automatically.

From abhishek.brave at gmail.com Mon Sep 8 07:22:25 2008
From: abhishek.brave at gmail.com (Abhishek Chowdhury)
Date: Mon, 8 Sep 2008 04:22:25 -0700 (PDT)
Subject: AFP not working for cross realm
Message-ID: <19370052.post@talk.nabble.com>

I have configured AFP for kerberized authentication. It is working fine with simple kerberos authentication, but with cross realm I am not able to mount using the command

mount_afp afp://user1 at aca.com/test1 /test2

I am getting all the cross realm tickets and the service tickets, and I have verified the kvno of all the principals; everything is correct.

The error is
AFPMountURL returned error -5019,error is -5019

What could be the reason for this error???

From kenh at cmf.nrl.navy.mil Mon Sep 8 10:07:13 2008
From: kenh at cmf.nrl.navy.mil (Ken Hornstein)
Date: Mon, 08 Sep 2008 10:07:13 -0400
Subject: AFP not working for cross realm
In-Reply-To: <19370052.post@talk.nabble.com>
Message-ID: <200809081407.m88E7D7p010817@hedwig.cmf.nrl.navy.mil>

>I have configured AFP for kerberized authentication. It is working fine with
>simple kerberos authentication,but with cross ream i am not able to mount
>using the command
>
>mount_afp afp://user1 at aca.com/test1 /test2
>i am getting all the cross realm ticktes and the service ticktes and I have
>verified the kvno off all the principals , everything is correct.
>
>The error is
>AFPMountURL returned error -5019,error is -5019

If you're getting the cross-realm tickets, I am _guessing_ that the issue is one of authorization - your cross-realm identity isn't allowed to mount that particular filesystem. That is a guess. And if that is the problem, I have no idea how to fix it.

--Ken

From eitan.solel at gmail.com Sat Sep 6 07:52:12 2008
From: eitan.solel at gmail.com (esolel)
Date: Sat, 6 Sep 2008 04:52:12 -0700 (PDT)
Subject: gss_accept_sec_context
Message-ID: <19345844.post@talk.nabble.com>

Hi,

I would like to know when gss_accept_sec_context returns GSS_S_CONTINUE_NEEDED?

From genijalac at yahoo.com Fri Sep 5 09:57:59 2008
From: genijalac at yahoo.com (Walter Sobchak)
Date: Fri, 05 Sep 2008 15:57:59 +0200
Subject: Kerberize MS Exchange?

Walter Sobchak wrote:
> I'd like to kerberize ms exchange. I found some information about adding
> a security patch and some settings but not enough for it to work.
> Are there any pointers someone could give me?
> Do I have to use some commercial solution or it can be configured or
> programmed manually?
>
> Thanks in advance.

Maybe kerberos authentication could be done with an ISAPI extension (wildcard application map). I read something about creating an impersonation token with the LsaLogonUser function. Is this the right way??

From peter at ifm.liu.se Mon Sep 8 04:30:54 2008
From: peter at ifm.liu.se (Peter Eriksson)
Date: Mon, 8 Sep 2008 08:30:54 +0000 (UTC)
Subject: Monitoring your Kerberos servers?

I'm a bit surprised to find (or rather not find) that there doesn't seem to exist much in the way of monitoring software for Kerberos servers/services...

What _are_ people using to make sure that their KDCs are up and running, *and* containing valid data?
I've now experienced a couple of times confusing system behaviour due to KDCs not running or KDC slaves containing old/stale data...

The last such occurrence was fun - the primary KDC server had, due to some unknown event, shut down the "kdc" service. However, the "kadmin" service was still running. So I would use 'kadmin' to add new principals to the database, and/or ktadd updated ones to hosts' keytabs, and then get very confusing errors since the remaining slave KDC would use the old data (since it couldn't contact the master KDC to get the updated database records)...

Specifically I'd like to see a Nagios plugin that can be directed to talk to a *specific* KDC (not just the first one that answers from the list in krb5.conf) to check that the KDC service is running.

I'd also like some Nagios plugin that can check that slave KDCs contain valid up-to-date data by comparing things with the master KDC... (I've solved the second part with a special hack for Solaris Kerberos, which has a "kproplog" utility.)

- Peter

--
Peter Eriksson                              Phone: +46 13 28 2786
Computer Systems Manager/BOFH               Cell/GSM: +46 705 18 2786
Physics Department, Linköping University    Room: Building F, F203

From bodik at civ.zcu.cz Mon Sep 8 17:05:33 2008
From: bodik at civ.zcu.cz (Radoslav Bodó)
Date: Mon, 08 Sep 2008 23:05:33 +0200
Subject: Monitoring your Kerberos servers?
Message-ID: <48C5939D.7020208@civ.zcu.cz>

> Specifically I'd like to see a Nagios plugin that can be
> directed to talk to a *specific* KDC (not just the first one that
> answers from the list in krb5.conf) to check that the KDC service
> is running.

We have done this ourselves by checking running processes (bin/ps | grep) in a custom NRPE subroutine. It's called on each of our KDC servers. Well, it's not talking to the real service, just a process check, but it works.
bodik

From mohamed.chaari at orange-ftgroup.com Tue Sep 9 08:25:17 2008
From: mohamed.chaari at orange-ftgroup.com (mohamed.chaari@orange-ftgroup.com)
Date: Tue, 9 Sep 2008 14:25:17 +0200
Subject: Module Integration

Hello,

I'm working on a project using Kerberos V5; I must integrate another module (source code) into Kerberos. The source code of the new module is located in a folder named new_module, in which there is a Makefile that generates an executable. I want to know if it's possible to integrate this module into Kerberos and use its functions. If it is possible, what are the modifications to the Configure file or Makefile in Kerberos that I must make?

Thanks.

Regards,
Mohamed.

From james.chavez at sanmina-sci.com Wed Sep 10 02:12:21 2008
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Tue, 9 Sep 2008 23:12:21 -0700
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp>

Hello,

Please point me to the correct list if this is wrong.

I was having an issue compiling samba3.2.3 on my Solaris 10 box. It would not compile with the native Solaris 10 Kerberos libraries. I installed MIT Kerberos 1.6.3 from source and was able to successfully install Samba by pointing it to the MIT libraries.

Prior to installing MIT 1.6.3 Kerberos, I was getting debug information from pam_krb5.so.1. Since the installation, however, I get nothing. I get nothing in the messages log concerning the failed kerberos login attempts, nor for successful ones. Is there something I can do to get pam_krb5 to log messages again? Something perhaps I forgot to do after installing the MIT version. As I understand it, Solaris 10 Kerberos is based on MIT Kerberos. The way I was getting debug info from pam_krb5.so.1 previously was by appending debug to the lines in pam.conf. Does installing the MIT version of Kerberos change the way pam_krb5 logs debug output?
Perhaps in the app_defaults section in the krb5.conf file?

Thanks
James

pam.conf
-----------------------
#login
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 debug
login auth required pam_unix_auth.so.1
login account optional pam_krb5.so.1 debug
login session required pam_unix_session.so.1
login session optional pam_krb5.so.1 debug
login password optional pam_krb5.so.1 debug

From deengert at anl.gov Wed Sep 10 10:28:21 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 10 Sep 2008 09:28:21 -0500
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp>
Message-ID: <48C7D985.8060007@anl.gov>

Chavez, James R. wrote:
> Hello,
> Please point me to the correct list if this is wrong.
> I was having an issue compiling samba3.2.3 on my Solaris 10 box. It
> would not compile with the native Solaris 10 Kerberos libraries. I
> installed MIT Kerberos 1.6.3 from source and was able to successfully
> install Samba by pointing it to the MIT libraries.
> Prior to installing MIT 1.6.3 Kerberos, I was getting debug information
> from pam_krb5.so.1. Since the installation however I get nothing. I get
> nothing in the messages log concerning the failed kerberos login
> attempts nor for successful. Is there something I can do to get pam_krb5
> to log messages again? Something perhaps I forgot to do after installing
> the MIT version. As I understand it, Solaris 10 Kerberos is based on MIT
> Kerberos. The way I was getting debug info from pam_krb5.so.1 previously
> was by appending debug to the lines in pam.conf. Does installing the MIT
> version of Kerberos change the way pam_krb5 logs debug output? Perhaps
> in the app_defaults section in the krb5.conf file?

When you say pam_krb5 fails, is it failing for the normal login without any samba involved, or only when a samba program is calling pam which calls pam_krb5?

Is this the Solaris provided pam_krb5, or did you build an open source version? Did you replace any of the /usr/lib/krb5 libs?

It could be a problem of the samba program loading the MIT libs, and the pam_krb5 loading /usr/lib/krb5/libkadm5clnt.so.1 and /usr/lib/gss/mech_krb5.so.1. These have duplicate routine names. The pam_krb5 may be calling the MIT versions of these routines and failing.

If you can run the program under truss you can see what libs are loaded, and maybe where the pam_krb5 is failing.

> Thanks
> James
>
> pam.conf
> -----------------------
> #login
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_krb5.so.1 debug
> login auth required pam_unix_auth.so.1
> login account optional pam_krb5.so.1 debug
> login session required pam_unix_session.so.1
> login session optional pam_krb5.so.1 debug
> login password optional pam_krb5.so.1 debug

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From abhishek.brave at gmail.com Wed Sep 10 05:11:38 2008
From: abhishek.brave at gmail.com (abhishekbrave)
Date: Wed, 10 Sep 2008 02:11:38 -0700 (PDT)
Subject: AFP not working for cross realm
Message-ID: <79ea4c5d-24b9-491d-a5f1-41216686a9a7@m36g2000hse.googlegroups.com>

On Sep 8, 7:07 pm, Ken Hornstein wrote:
> >I have configured AFP for kerberized authentication. It is working fine with
> >simple kerberos authentication,but with cross ream i am not able to mount
> >using the command
>
> >mount_afp afp://us... at aca.com/test1 /test2
> >i am getting all the cross realm ticktes and the service ticktes and I have
> >verified the kvno off all the principals , everything is correct.
>
> >The error is
> >AFPMountURL returned error -5019,error is -5019
>
> If you're getting the cross-realm tickets, I am _guessing_ that the issue
> is one of authorization - your cross-realm identity isn't allowed to mount
> that particular filesystem. That is a guess. And if that is the problem,
> I have no idea how to fix it.
>
> --Ken

I am having the same problem with the NFS service also; NFS and AFP are both working fine for simple kerberos but not for cross realm authentication. Is there any way to verify whether these services can be configured for NFS/AFP or not?

From krb at htam.net Tue Sep 9 09:55:07 2008
From: krb at htam.net (krb@htam.net)
Date: Tue, 9 Sep 2008 15:55:07 +0200
Subject: Managing kerberos entity through LDAP
Message-ID: <20080909135507.GA14716@htam.net>

Hi everyone,

I'm trying to set up a kerberos KDC to use an LDAP backend (OpenLDAP). I would like to reduce most of the actions performed through the kadmin tool. For example, I would like to be able to create principals with an "ldif" file; especially since my users and computers are conveniently organized in my LDAP directory and all information (LDAP attributes, kerberos attributes, ...)
relative to each other is stored in a single entry DN. I definitely don't want LDAP entries like krbPrincipalName=...,cn=MYREALM.COM,o=... for standard users and computers (except for the mandatory ones).

Do you have any hints on doing this with kerberos 1.6 and OpenLDAP 2.4.11?

I have tried to "copy" a previously kdc-created kerberos entry in my LDAP, modifying some of the fields and changing the password with kadmin, but I can't use it to authenticate. It seems I have a hard time with the "binary" attributes krbExtraData or the management of the krbTicketFlags.

Thank you in advance for any advice or answer,

Sincerely yours,
Mathieu MILLET

--
Mathieu MILLET
mailto:krb at htam.net

From james.chavez at sanmina-sci.com Wed Sep 10 13:05:37 2008
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Wed, 10 Sep 2008 10:05:37 -0700
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
In-Reply-To: <48C7D985.8060007@anl.gov>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp> <48C7D985.8060007@anl.gov>
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC474@sjc1amfpew04.am.sanm.corp>

Doug, Thanks for the reply.

I am actually using kerberos for authenticating logins through ssh. Because I had no DNS entry for this Solaris box I was getting the following debug output from pam_krb5.

Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Hostname cannot be canonicalized.

This is indicative of DNS issues according to the Solaris Kerberos Common Errors guide. The Windows team controls DNS and I am not on the Windows team. A workaround for me was to use Samba's net utility. However, Solaris 10's version was not built with the proper flag to allow this. So I needed to upgrade Samba to accomplish this. The Samba configure script was bombing looking for krb5 libs, so I installed MIT and pointed it there.
Since I upgraded Samba and added the DNS entry I can successfully log in using kerberos creds with pam_krb5; however, now the debug output is no longer visible. Could be that everything is working flawlessly, but the debug flag should still populate the messages log with pam_krb5 entries regardless of success or failure, I would think. At least with Linux this is true.

To answer your questions.

When you say pam_krb5 fails, is it failing for the normal login without any samba involved, or only when a samba program is calling pam which calls pam_krb5?

--This is during a normal login with no Samba involved. I am looking for verbose output for success or failure.

Is this the Solaris provided pam_krb5, or did you build an open source version?

--This is the Solaris version of pam_krb5.

Did you replace any of the /usr/lib/krb5 libs?

--The /usr/lib/krb5 libs should be intact; I installed the MIT stuff into /usr/local, the default.

ldd /usr/lib/security/pam_krb5.so.1
    libkadm5clnt.so.1 => /usr/lib/krb5/libkadm5clnt.so.1
    mech_krb5.so.1 => /usr/lib/gss/mech_krb5.so.1
    libpam.so.1 => /lib/libpam.so.1
    libnsl.so.1 => /lib/libnsl.so.1
    libc.so.1 => /lib/libc.so.1
    libgss.so.1 => /usr/lib/libgss.so.1
    libsocket.so.1 => /lib/libsocket.so.1
    libresolv.so.2 => /lib/libresolv.so.2
    libpkcs11.so.1 => /usr/lib/libpkcs11.so.1
    libcmd.so.1 => /lib/libcmd.so.1
    libmp.so.2 => /lib/libmp.so.2
    libmd.so.1 => /lib/libmd.so.1
    libscf.so.1 => /lib/libscf.so.1
    libcryptoutil.so.1 => /usr/lib/libcryptoutil.so.1
    libdoor.so.1 => /lib/libdoor.so.1
    libuutil.so.1 => /lib/libuutil.so.1
    libgen.so.1 => /lib/libgen.so.1
    libm.so.2 => /lib/libm.so.2
    /platform/SUNW,Ultra-60/lib/libc_psr.so.1
    /platform/SUNW,Ultra-60/lib/libmd_psr.so.1

I ran a truss of klist and kinit and everything seems to be normal. I would not know how to directly invoke a truss of pam_krb5, however. Well, at least kerberos is authenticating.. Would be nice to see some debug though. Perhaps I can reinstall or freshen the pam_krb5 on my Solaris box?
I will have to look into that. Thank you James -----Original Message----- From: Douglas E. Engert [mailto:deengert at anl.gov] Sent: Wednesday, September 10, 2008 7:28 AM To: Chavez, James R. Cc: kerberos at mit.edu Subject: Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3 Chavez, James R. wrote: > Hello, > Please point me to the correct list if this is wrong. > I was having an issue compiling samba3.2.3 on my Solaris 10 box. It > would not compile with the native Solaris 10 Kerberos libraries. I > installed MIT Kerberos 1.6.3 from source and was able to successfully > install Samba by pointing it to the MIT libraries. > Prior to installing MIT 1.6.3 Kerberos, I was getting debug > information from pam_krb5.so.1. Since the installation however I get > nothing. I get nothing in the messages log concerning the failed > kerberos login attempts nor for successful. Is there something I can > do to get pam_krb5 to log messages again? Something perhaps I forgot > to do after installing the MIT version. As I understand it, Solaris 10 > Kerberos is based on MIT Kerberos. The way I was getting debug info > from pam_krb5.so.1 previously was by appending debug to the lines in > pam.conf. Does installing the MIT version of Kerberos change the way > pam_krb5 logs debug output? Perhaps in the app_defaults section in the krb5.conf file? When you say pam_krb5 fails, is it failing for the normal login without any samba involved, or only when a samba program is calling pam which calls pam_krb5? Is this the Solaris provided pam_krb5, or did you build an open source version? Did you replace any of the /usr/lib/krb5 libs? It could be a problem of the samba program loading the MIT libs, and the pam_krb5 loading /usr/lib/krb5/libkadm5clnt.so.1 and /usr/lib/gss/mech_krb5.so.1. There have duplicate routine names. The pam_krb5 may be calling the MIT versions of these routines and failing. 
If you can run the program under truss you can see what libs are loaded, and maybe where the pam_krb5 is failing.

> Thanks
> James
>
> pam.conf
> -----------------------
> #login
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_krb5.so.1 debug
> login auth required pam_unix_auth.so.1
> login account optional pam_krb5.so.1 debug
> login session required pam_unix_session.so.1
> login session optional pam_krb5.so.1 debug
> login password optional pam_krb5.so.1 debug
>
> CONFIDENTIALITY
> This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
> ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Wed Sep 10 15:14:19 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 10 Sep 2008 14:14:19 -0500
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC474@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp> <48C7D985.8060007@anl.gov> <19A4A238A352AD40B65B3D88780DDBC6BEC474@sjc1amfpew04.am.sanm.corp>
Message-ID: <48C81C8B.6050400@anl.gov>

Chavez, James R. wrote:
> Doug, Thanks for the reply.
> I am actually using kerberos for authenticating logins through ssh.
> Because I had no DNS entry for this Solaris box I was getting the following debug output from pam_krb5.
>
> Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Hostname cannot be canonicalized.

This sounds like the sshd can not determine its FQDN. A host should be able to determine its name without DNS. This could be a /etc/hosts issue. The hostname should be fully qualified and listed in /etc/hosts before any short name. Also check `hostname` to make sure it is fully qualified.

> This is indicative of DNS issues according to the Solaris Kerberos Common errors guide.
> The Windows team controls DNS and I am not on the Windows team.

The other approach is to use a valid hostname that they will add to DNS. DNS is not Windows centric, and they should be able to add other names too.

Are you using Windows AD for the KDC? (We do.) If not does your realm name match any AD domain names? If yes, then you will have issues down the road. Best to pick a realm name that does not conflict with a domain name.

> A work around for me was to use Samba's net utility. However Solaris 10's version was not built with the proper flag to allow this. So I needed to upgrade Samba to accomplish this. The Samba configure script was bombing looking for krb5 libs, so I installed MIT and pointed it there.

So you are trying to use Samba to get around the DNS issue? I don't think you need samba at all. Are you trying to use Samba's net join? i.e. use AD as the KDC? There are other ways to do this, if you don't need other Samba features.

> Since I upgraded Samba and added the DNS entry I can successfully login using kerberos creds with pam_krb5, however now the debug output is no longer visible. Could be that everything is working flawlessly but the debug flag should still populate the messages log with pam_krb5 entries regardless of success or failure I would think. At least with Linux this is true.
I should point out that the Solaris sshd calls pam with different Service Names depending on how the authentication is being done. (login is not one of them.) See the man sshd:

> ____________________________________________________________
> | SSHv2 Userauth              | PAM Service Name            |
> |_____________________________|_____________________________|
> | none                        | sshd-none                   |
> |_____________________________|_____________________________|
> | password                    | sshd-password               |
> |_____________________________|_____________________________|
> | keyboard-interactive        | sshd-kbdint                 |
> |_____________________________|_____________________________|
> | pubkey                      | sshd-pubkey                 |
> |_____________________________|_____________________________|
> | hostbased                   | sshd-hostbased              |
> |_____________________________|_____________________________|
> | gssapi-with-mic             | sshd-gssapi                 |
> |_____________________________|_____________________________|
> | gssapi-keyex                | sshd-gssapi                 |
> |_____________________________|_____________________________|

So this may be a pam.conf issue. When sshd-gssapi is called, pam_krb5 is not used at all! Only the account and session are called to do other things. pam_krb5 is used only for passwords and thus only for password or keyboard-interactive.
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Nicolas.Williams at sun.com Wed Sep 10 15:40:42 2008
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Wed, 10 Sep 2008 14:40:42 -0500
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
In-Reply-To: <48C81C8B.6050400@anl.gov>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp> <48C7D985.8060007@anl.gov> <19A4A238A352AD40B65B3D88780DDBC6BEC474@sjc1amfpew04.am.sanm.corp> <48C81C8B.6050400@anl.gov>
Message-ID: <20080910194042.GO1875@Sun.COM>

On Wed, Sep 10, 2008 at 02:14:19PM -0500, Douglas E. Engert wrote:
> Chavez, James R. wrote:
> > Doug, Thanks for the reply.
> > I am actually using kerberos for authenticating logins through ssh.
> > Because I had no DNS entry for this Solaris box I was getting the following debug output from pam_krb5.
> >
> > Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Hostname cannot be canonicalized.
>
> This sounds like the sshd can not determine its FQDN. A host should be able to determine its name without DNS.

This is coming from krb5_sname_to_principal(), which is called from krb5_verify_init_creds(), which is called from pam_krb5:pam_sm_authenticate(). Solaris Kerberos specifically requires DNS to be configured.

Nico
--

From james.chavez at sanmina-sci.com Wed Sep 10 18:08:47 2008
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Wed, 10 Sep 2008 15:08:47 -0700
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
In-Reply-To: <48C81C8B.6050400@anl.gov>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp> <48C7D985.8060007@anl.gov> <19A4A238A352AD40B65B3D88780DDBC6BEC474@sjc1amfpew04.am.sanm.corp> <48C81C8B.6050400@anl.gov>
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC47A@sjc1amfpew04.am.sanm.corp>

Douglas,
Thank You for the response.
The host name is definitely listed first as fully qualified in /etc/hosts. For Linux this was more than enough but for whatever reason this did not help in Solaris 10. Once I added the DNS entry and sshd-kbdint entries the authentication was successful but no logging.

I agree that they could add this entry to DNS, the box does indeed follow their naming scheme. I wanted to see if the --dns-update flag was effective which it was at a cost it seems. I will ask that the DNS entry be added in the future to avoid rebuilding Samba and installing MIT 1.6.3. Although if possible I would rather not use Solaris Kerberos libraries and use MIT from source instead. Or if I can reinstall packages that contain the Solaris pam_krb5 libs perhaps that would help get the logging back.
We are using Windows 2003 as the KDC. The domain name of DNS does match our Active Directory Kerberos realm name.
I did use the net ads join after recompiling Samba and the --dns-update flag worked nicely. I will most likely need the features of Samba down the road, but in the future I will probably opt for adding the entry directly to DNS to avoid this issue.

Could you briefly elaborate on another method of using AD as the KDC without Samba?

Thank you for the heads up on the sshd stuff, was going crazy last night trying to get PAM working for sshd. Blinded because pam_krb5 was not throwing any debug info for failed logins. I added sshd-kbdint entries to pam.conf and logins succeeded. Prior to the MIT install I was getting the "hostname cannot be canonicalized" messages so I worked on that which included the Samba and MIT installs. The pam_krb5 authentication would still have failed because I did not have the sshd-kbdint entries listed but at the time I did not know because I was stuck on the DNS issue. The info you posted about the sshd stuff below is invaluable and I do not know how I missed that! I read the man page for sshd_config but did not consider sshd for some reason.

Thank you
James
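Douglas's point that the Solaris sshd calls PAM with service names such as sshd-kbdint rather than login, and James's fix of adding sshd-kbdint stanzas, can be checked mechanically before the next login fails silently. The script below is an added example, not code from this thread or from Solaris: it parses a pam.conf, resolves each password-carrying SSHv2 userauth method to its PAM service name using the table Douglas quoted from the sshd man page, and reports whether pam_krb5 is on that service's auth stack (falling back to the "other" stanzas the way Solaris pam.conf does). The two pam.conf samples are constructed from the login stanzas James posted.

```python
"""Audit a Solaris-style pam.conf: which SSH userauth methods reach pam_krb5?

Added example, not code from the mailing-list thread or from Solaris. The
SSHv2-userauth to PAM-service-name mapping is the one quoted from the Solaris
sshd man page in the thread; the pam.conf samples below are constructed.
"""

# SSHv2 userauth method -> PAM service name used by the Solaris sshd.
SSHD_PAM_SERVICES = {
    "none": "sshd-none",
    "password": "sshd-password",
    "keyboard-interactive": "sshd-kbdint",
    "pubkey": "sshd-pubkey",
    "hostbased": "sshd-hostbased",
    "gssapi-with-mic": "sshd-gssapi",
    "gssapi-keyex": "sshd-gssapi",
}

# Only these methods hand a password to the PAM auth stack; for gssapi and
# pubkey userauth pam_krb5's auth function is never invoked.
PASSWORD_METHODS = ("password", "keyboard-interactive")


def parse_pam_conf(text):
    """Return pam.conf stanzas as (service, type, control, module, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf stanza: {raw!r}")
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype, control, module, tuple(fields[4:])))
    return entries


def auth_stack(entries, service):
    """The auth stack PAM uses for a service: its own auth stanzas, or the
    'other' stanzas when the service has none of its own (Solaris pam.conf)."""
    own = [e for e in entries if e[0] == service and e[1] == "auth"]
    if own:
        return own
    return [e for e in entries if e[0] == "other" and e[1] == "auth"]


def audit_sshd(text):
    """Map each password-carrying SSH method to (pam_service, uses_pam_krb5,
    pam_krb5_has_debug) as the given pam.conf would resolve it."""
    entries = parse_pam_conf(text)
    report = {}
    for method in PASSWORD_METHODS:
        svc = SSHD_PAM_SERVICES[method]
        krb5 = [e for e in auth_stack(entries, svc) if e[3].startswith("pam_krb5")]
        report[method] = (svc, bool(krb5), any("debug" in e[4] for e in krb5))
    return report


# Constructed sample 1: the 'login' stanzas James posted and nothing for sshd-*.
# An sshd keyboard-interactive login never touches these lines.
PAM_CONF_BEFORE = """\
#login
login   auth     requisite  pam_authtok_get.so.1
login   auth     required   pam_dhkeys.so.1
login   auth     sufficient pam_krb5.so.1 debug
login   auth     required   pam_unix_auth.so.1
login   account  optional   pam_krb5.so.1 debug
login   session  required   pam_unix_session.so.1
login   session  optional   pam_krb5.so.1 debug
login   password optional   pam_krb5.so.1 debug
"""

# Constructed sample 2: the same file with sshd-kbdint stanzas added, which is
# the change James reported as making his ssh logins succeed.
PAM_CONF_AFTER = PAM_CONF_BEFORE + """\
sshd-kbdint auth requisite  pam_authtok_get.so.1
sshd-kbdint auth required   pam_dhkeys.so.1
sshd-kbdint auth sufficient pam_krb5.so.1 debug
sshd-kbdint auth required   pam_unix_auth.so.1
"""

if __name__ == "__main__":
    for label, conf in (("before", PAM_CONF_BEFORE), ("after", PAM_CONF_AFTER)):
        print(label)
        for method, (svc, uses_krb5, debug) in audit_sshd(conf).items():
            state = ("pam_krb5" + (" debug" if debug else "")) if uses_krb5 else "no pam_krb5"
            print(f"  {method:<21} {svc:<14} {state}")
```

Run against a real /etc/pam.conf, the "before" result is exactly the silent failure James hit: the debug flag on the login stanzas never fires because sshd-kbdint resolves to a different stack. Note that the sshd-password service would still lack pam_krb5 in the "after" sample; whether that matters depends on which userauth methods the sshd_config enables.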
From rahulkohli2001 at yahoo.com Wed Sep 10 15:59:01 2008
From: rahulkohli2001 at yahoo.com (Rahul Kohli)
Date: Wed, 10 Sep 2008 12:59:01 -0700 (PDT)
Subject: Application to extract Kerberos Cerdential
In-Reply-To: <835B1E34-B115-4FA4-8B0B-05AFB808839F@jpl.nasa.gov>
Message-ID: <412398.5412.qm@web34503.mail.mud.yahoo.com>

Hi Henry,

Thanks for your response.

This C application (shared library) will be used for validating the kerberos credential of a user with KDC on Microsoft AD 2003.

Please suggest how we can use/develop a C application to validate user's kerberos credentials with KDC located on different system.

Any pointers to this will be of great help.

Thanks,
Rahul

--- On Wed, 9/10/08, Henry B. Hotz wrote:

From: Henry B. Hotz
Subject: Re: Application to extract Kerberos Cerdential
To: "krbdev at mit.edu"
Date: Wednesday, September 10, 2008, 10:45 PM

On Sep 10, 2008, at 9:17 AM, krbdev-request at mit.edu wrote:

> Message: 1
> Date: Wed, 10 Sep 2008 07:05:39 -0700 (PDT)
> From: Rahul Kohli
> Subject: Application to extract Kerberos Cerdentials
> To: krbdev at mit.edu
> Message-ID: <786910.71656.qm at web34505.mail.mud.yahoo.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi All,
>
> I am using Kerberos Client installed on HP-UX with Active Directory 2003 (KDC Server). I have verified the setup to be working fine using Kinit and Klist utilities installed with Kerberos Client.
>
> I need to develop a sample C/C++ application that can extract User's kerberos credentials from the browser HTTP request and pass it to Kerberos Client for validation with KDC Server.
>
> Please suggest how can we extract user's kerberos credentials from Browser. Where can I get details of the API's to be used for this purpose.
>
> Thanks,
> Rahul

I think this kind of question belongs on the kerberos at mit.edu list, since it's not specific to the MIT implementation. I've set the reply-to header accordingly.

I don't understand the application you're proposing. Is it possible that what you want is really a web server module like mod_auth_kerb? I can't imagine why you would want a *browser* to check a user's credentials because the user owns the browser and can run whichever one he/she wants, including a custom-modified one.

For the normal usage scenarios the "extraction" process happens automatically as part of some other task. If you can tell us what you're trying to do, then perhaps we can point you at the right API's.
_______________________________________________
krbdev mailing list
krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

From ioplex at gmail.com Wed Sep 10 22:48:55 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 10 Sep 2008 22:48:55 -0400
Subject: Application to extract Kerberos Cerdential
In-Reply-To: <412398.5412.qm@web34503.mail.mud.yahoo.com>
References: <835B1E34-B115-4FA4-8B0B-05AFB808839F@jpl.nasa.gov> <412398.5412.qm@web34503.mail.mud.yahoo.com>
Message-ID: <78c6bd860809101948r3b37aff3q829dfb327187edc3@mail.gmail.com>

On Wed, Sep 10, 2008 at 3:59 PM, Rahul Kohli wrote:
> Hi Henry,
>
> Thanks for your response.
>
> This C application (shared library) will be used for validating the kerberos credential of a user with KDC on Microsoft AD 2003.
>
> Please suggest how we can use/develop a C application to validate user's kerberos credentials with KDC located on different system.
You don't need to communicate with the KDC to validate the Kerberos token supplied by an HTTP client. You only need to use the service credential to decrypt the authenticator in the token and verify that the timestamp is within an acceptable range. And, depending on the system you're using, there are C routines that will perform all of these details for you. For example, UNIX systems usually come with a library called GSSAPI that have a gss_accept_sec_context function that does what you want. Sometimes GSSAPI is part of the Kerberos installation (e.g. on Linux GSSAPI usually comes with the MIT Kerberos packages). On Windows, there's something called SSPI which has a very similar function called AcceptSecurityContext. Mike > --- On Wed, 9/10/08, Henry B. Hotz wrote: > > From: Henry B. Hotz > Subject: Re: Application to extract Kerberos Cerdential > To: "krbdev at mit.edu" > Date: Wednesday, September 10, 2008, 10:45 PM > > On Sep 10, 2008, at 9:17 AM, krbdev-request at mit.edu wrote: > >> Message: 1 >> Date: Wed, 10 Sep 2008 07:05:39 -0700 (PDT) >> From: Rahul Kohli >> Subject: Application to extract Kerberos Cerdentials >> To: krbdev at mit.edu >> Message-ID: <786910.71656.qm at web34505.mail.mud.yahoo.com> >> Content-Type: text/plain; charset=iso-8859-1 >> >> Hi All, >> ? >> I am using Kerberos Client installed on HP-UX with?Active Directory >> 2003 (KDC Server).?I have verified the setup to be?working fine >> using Kinit and Klist utilities installed with Kerberos Client. >> ? >> I need to develop a sample C/C++ application that can extract User's >> kerberos credentials from the browser HTTP request and pass it to >> Kerberos Client for validation with KDC Server. >> ? >> Please suggest how can we extract user's kerberos credentials from >> Browser. Where can I get details of the API's to be used for this >> purpose. >> ? >> Thanks, >> Rahul >> ? 
>
> I think this kind of question belongs on the kerberos at mit.edu list, since it's not specific to the MIT implementation. I've set the reply-to header accordingly.
>
> I don't understand the application you're proposing. Is it possible that what you want is really a web server module like mod_auth_kerb? I can't imagine why you would want a *browser* to check a user's credentials because the user owns the browser and can run whichever one he/she wants, including a custom-modified one.
>
> For the normal usage scenarios the "extraction" process happens automatically as part of some other task. If you can tell us what you're trying to do, then perhaps we can point you at the right API's.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From deengert at anl.gov Thu Sep 11 10:10:24 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 11 Sep 2008 09:10:24 -0500
Subject: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC47A@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC470@sjc1amfpew04.am.sanm.corp> <48C7D985.8060007@anl.gov> <19A4A238A352AD40B65B3D88780DDBC6BEC474@sjc1amfpew04.am.sanm.corp> <48C81C8B.6050400@anl.gov> <19A4A238A352AD40B65B3D88780DDBC6BEC47A@sjc1amfpew04.am.sanm.corp>
Message-ID: <48C926D0.60402@anl.gov>

Chavez, James R. wrote:
> Douglas,
> Thank You for the response.
> The host name is definitely listed first as fully qualified in /etc/hosts. For Linux this was more than enough but for whatever reason this did not help in Solaris 10.
> Once I added the DNS entry and sshd-kbdint entries the authentication was successful but no logging.
>
> I agree that they could add this entry to DNS, the box does indeed follow their naming scheme. I wanted to see if the --dns-update flag was effective which it was at a cost it seems. I will ask that the DNS entry be added in the future to avoid rebuilding Samba and installing MIT 1.6.3. Although if possible I would rather not use Solaris Kerberos libraries and use MIT from source instead. Or if I can reinstall packages that contain the Solaris pam_krb5 libs perhaps that would help get the logging back.
>
> We are using Windows 2003 as the KDC. The domainname of DNS does match our Active Directory Kerberos realm name.
> I did use the net ads join after recompiling Samba and the --dns-update flag worked nicely. I will most likely need the features of Samba down the road, but in the future I will probably opt for adding the entry directly to DNS to avoid this issue.
>
> Could you briefly elaborate on another method of using AD as the KDC without Samba?

You have not said anything about how you got a host principal registered in AD and how you initialized the /etc/krb5/krb5/keytab. (Solaris default.) But you used the samba net ads join, which does do these for you.

The first place to start is: http://technet.microsoft.com/en-us/library/bb742433.aspx

It gives all the basics, and talks about ktpass. There are newer versions of ktpass for 2003 and XP. Solaris, MIT, Heimdal and W2003 can all do more than DES, so use RC4.

There is also msktutil (Google for it) that is run on Unix by someone with join type AD admin privileges. It uses LDAP to create an account for the host in AD and generate a krb5.keytab. (We use this.)

Sun has a script, adjoin.sh, that is similar to msktutil, that uses LDAP. See: http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp?cid=e5595

Keep in mind that Kerberos does authentication.
You will still need authorization. NIS, LDAP or local passwd files can provide this. Look at nsswitch.conf. AD and Samba add authorization data to the Kerberos tickets (PAC with user and group info) which Windows uses, and Samba can map, so the distinction gets a little muddled. If you use LDAP for authorization, AD could also be used.

Also Google for: Solaris ldap kerberos active directory
which can give you more pointers.

We use msktutil, with AD 2003, and the Solaris 10 provided Kerberos, pam_krb5, ssh and sshd. We also have AFS, and use pam_afs_session, and have a local pam_krb5_ccache module to allow sshd to have session based ticket caches. Our DNS is separate, as is the LDAP for authorization.

>
> Thank you for the heads up on the sshd stuff, was going crazy last night trying to get PAM working for sshd. Blinded because pam_krb5 was not throwing any debug info for failed logins. I added sshd-kbdint entries to pam.conf and logins succeeded. Prior to the MIT install I was getting the "hostname cannot be canonicalized" messages so I worked on that which included the Samba and MIT installs. The pam_krb5 authentication would still have failed because I did not have the sshd-kbdint entries listed but at the time I did not know because I was stuck on the DNS issue.
> The info you posted about the sshd stuff below is invaluable and I do not know how I missed that! I read the man page for sshd_config but did not consider sshd for some reason.
>
> Thank you
> James
>
>
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Wednesday, September 10, 2008 12:14 PM
> To: Chavez, James R.
> Cc: kerberos at mit.edu
> Subject: Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3
>
>
> Chavez, James R. wrote:
>> Doug, Thanks for the reply.
>> I am actually using kerberos for authenticating logins through ssh.
>> Because I had no DNS entry for this Solaris box I was getting the following debug output from pam_krb5.
>>
>> Aug 26 10:24:21 solaris1.example.com sshd[1147]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Hostname cannot be canonicalized.
>
> This sounds like the sshd can not determine its FQDN. A host should be able to determine its name without DNS.
> This could be a /etc/hosts issue. The hostname should be fully qualified and listed in /etc/hosts before any short name. Also check `hostname` to make sure it is fully qualified.
>
>> This is indicative of DNS issues according to the Solaris Kerberos Common errors guide.
>> The Windows team controls DNS and I am not on the Windows team.
>
> The other approach is to use a valid hostname that they will add to DNS. DNS is not Windows centric, and they should be able to add other names too.
>
> Are you using Windows AD for the KDC? (We do.) If not does your realm name match any AD domain names?
> If yes, then you will have issues down the road. Best to pick a realm name that does not conflict with a domain name.
>
>> A work around for me was to use Samba's net utility. However Solaris 10's version was not built with the proper flag to allow this. So I needed to upgrade Samba to accomplish this. The Samba configure script was bombing looking for krb5 libs, so I installed MIT and pointed it there.
>
> So you are trying to use Samba to get around the DNS issue?
> I don't think you need samba at all.
>
> Are you trying to use Samba's net join? i.e. use AD as the KDC?
> There are other ways to do this, if you don't need other Samba features.
>
>>
>> Since I upgraded Samba and added the DNS entry I can successfully login using kerberos creds with pam_krb5, however now the debug output is no longer visible.
>> Could be that everything is working flawlessly but the debug flag should still populate the messages log with pam_krb5 entries regardless of success or failure I would think. At least with Linux this is true.
>
> I should point out that the Solaris sshd calls pam with different Service Names depending on how the authentication is being done. (login is not one of them.) See the man sshd:
>
>> ____________________________________________________________
>> | SSHv2 Userauth              | PAM Service Name            |
>> |_____________________________|_____________________________|
>> | none                        | sshd-none                   |
>> |_____________________________|_____________________________|
>> | password                    | sshd-password               |
>> |_____________________________|_____________________________|
>> | keyboard-interactive        | sshd-kbdint                 |
>> |_____________________________|_____________________________|
>> | pubkey                      | sshd-pubkey                 |
>> |_____________________________|_____________________________|
>> | hostbased                   | sshd-hostbased              |
>> |_____________________________|_____________________________|
>> | gssapi-with-mic             | sshd-gssapi                 |
>> |_____________________________|_____________________________|
>> | gssapi-keyex                | sshd-gssapi                 |
>> |_____________________________|_____________________________|
>>
>
> So this may be a pam.conf issue. When sshd-gssapi is called, pam_krb5 is not used at all! Only the account and session are called to do other things.
>
> pam_krb5 is used only for passwords and thus only for password or keyboard-interactive.
>
>> To answer your questions.
>> When you say pam_krb5 fails, is it failing for the normal login without any samba involved, or only when a samba program is calling pam which calls pam_krb5?
>> --This is during a normal login with no Samba involved. I am looking for verbose output for success or failure.
>> Is this the Solaris provided pam_krb5, or did you build an open source version?
>> --This is the Solaris version of pam_krb5.
>> Did you replace any of the /usr/lib/krb5 libs? >> --The /usr/lib/krb5 libs should be intact, I installed the MIT stuff >> into /usr/local, the default. >> ldd /usr/lib/security/pam_krb5.so.1 >> libkadm5clnt.so.1 => /usr/lib/krb5/libkadm5clnt.so.1 >> mech_krb5.so.1 => /usr/lib/gss/mech_krb5.so.1 >> libpam.so.1 => /lib/libpam.so.1 >> libnsl.so.1 => /lib/libnsl.so.1 >> libc.so.1 => /lib/libc.so.1 >> libgss.so.1 => /usr/lib/libgss.so.1 >> libsocket.so.1 => /lib/libsocket.so.1 >> libresolv.so.2 => /lib/libresolv.so.2 >> libpkcs11.so.1 => /usr/lib/libpkcs11.so.1 >> libcmd.so.1 => /lib/libcmd.so.1 >> libmp.so.2 => /lib/libmp.so.2 >> libmd.so.1 => /lib/libmd.so.1 >> libscf.so.1 => /lib/libscf.so.1 >> libcryptoutil.so.1 => /usr/lib/libcryptoutil.so.1 >> libdoor.so.1 => /lib/libdoor.so.1 >> libuutil.so.1 => /lib/libuutil.so.1 >> libgen.so.1 => /lib/libgen.so.1 >> libm.so.2 => /lib/libm.so.2 >> /platform/SUNW,Ultra-60/lib/libc_psr.so.1 >> /platform/SUNW,Ultra-60/lib/libmd_psr.so.1 >> I ran a truss of klist and kinit and everything seems to be normal. I >> would not know how to directly invoke a truss of pam_krb5 however. >> Well at least kerberos is authenticating..Would be nice to see some >> debug though. Perhaps I can reinstall or freshen the pam_krb5 on my >> Solaris box? I will have to look into that. >> >> Thank you >> James >> >> >> >> -----Original Message----- >> From: Douglas E. Engert [mailto:deengert at anl.gov] >> Sent: Wednesday, September 10, 2008 7:28 AM >> To: Chavez, James R. >> Cc: kerberos at mit.edu >> Subject: Re: Solaris Pam_krb5.so.1 problem after installing MIT 1.6.3 >> >> >> >> Chavez, James R. wrote: >>> Hello, >>> Please point me to the correct list if this is wrong. >>> I was having an issue compiling samba3.2.3 on my Solaris 10 box. It >>> would not compile with the native Solaris 10 Kerberos libraries. I >>> installed MIT Kerberos 1.6.3 from source and was able to successfully > >>> install Samba by pointing it to the MIT libraries. 
>>> Prior to installing MIT 1.6.3 Kerberos, I was getting debug information from pam_krb5.so.1. Since the installation however I get nothing. I get nothing in the messages log concerning the failed kerberos login attempts nor for successful. Is there something I can do to get pam_krb5 to log messages again? Something perhaps I forgot to do after installing the MIT version. As I understand it, Solaris 10 Kerberos is based on MIT Kerberos. The way I was getting debug info from pam_krb5.so.1 previously was by appending debug to the lines in pam.conf. Does installing the MIT version of Kerberos change the way pam_krb5 logs debug output? Perhaps in the app_defaults section in the krb5.conf file?
>>
>> When you say pam_krb5 fails, is it failing for the normal login without any samba involved, or only when a samba program is calling pam which calls pam_krb5?
>>
>> Is this the Solaris provided pam_krb5, or did you build an open source version?
>>
>> Did you replace any of the /usr/lib/krb5 libs?
>>
>> It could be a problem of the samba program loading the MIT libs, and the pam_krb5 loading /usr/lib/krb5/libkadm5clnt.so.1 and /usr/lib/gss/mech_krb5.so.1. They have duplicate routine names. The pam_krb5 may be calling the MIT versions of these routines and failing.
>> If you can run the program under truss you can see what libs are loaded, and maybe where the pam_krb5 is failing.
>>
>>
>>> Thanks
>>> James
>>>
>>> pam.conf
>>> -----------------------
>>> #login
>>> login auth requisite pam_authtok_get.so.1
>>> login auth required pam_dhkeys.so.1
>>> login auth sufficient pam_krb5.so.1 debug
>>> login auth required pam_unix_auth.so.1
>>> login account optional pam_krb5.so.1 debug
>>> login session required pam_unix_session.so.1
>>> login session optional pam_krb5.so.1 debug
>>> login password optional pam_krb5.so.1 debug
>>>
>>>

--
Douglas E.
Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From tuomaksen.spammiposti at gmail.com Thu Sep 11 12:30:18 2008
From: tuomaksen.spammiposti at gmail.com (Tuomas)
Date: Thu, 11 Sep 2008 19:30:18 +0300
Subject: spnego
In-Reply-To:
References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com>
Message-ID: <48C9479A.3080604@gmail.com>

Simo Sorce wrote:
> On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
>
>> I have been struggling with the same problem (with apache & mod_auth_kerb). For me it seems that there really isn't a foolproof way to completely avoid getting NTLMSSP blobs from clients.
>>
>> I wonder is there a way to perform the login using NTLMSSP data?
>
> You can try with mod-auth-ntlm-winbind:
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet
>

Thanks for the info, I will try it as soon as I can get another test server to use since it's not possible to use both mod_auth_kerb and mod_auth_ntlm_winbind on the same server.

I also found out using wireshark what Internet Explorer does when it fails to authenticate using Kerberos. It asks a ticket from the Active Directory server for HTTP/virtualhost.domain.com instead of HTTP/realname.domain.com. For me this seems like a bug in IE7, has anyone found solutions for this?

Cheers,
Tuomas

From vas at mpeks.no-spam-here.tomsk.su Thu Sep 11 13:03:34 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Thu, 11 Sep 2008 17:03:34 +0000 (UTC)
Subject: obtaining tickets by TCP
Message-ID:

Colleagues,

Is there a way to configure a Kerberos client to use TCP for obtaining tickets, other than explicitly listing all KDC's in krb5.conf with the "tcp" prefix?

I want to be able to prefer TCP transport and still retain the possibility of using DNS SRV records to lookup KDCs.

TIA for any input.
-- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49 at fidonet http://vas.tomsk.ru/ From ioplex at gmail.com Thu Sep 11 14:01:33 2008 From: ioplex at gmail.com (Michael B Allen) Date: Thu, 11 Sep 2008 14:01:33 -0400 Subject: spnego In-Reply-To: <48C9479A.3080604@gmail.com> References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com> <48C9479A.3080604@gmail.com> Message-ID: <78c6bd860809111101ke8906dbm70ed1710beed7d02@mail.gmail.com> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas wrote: > I also found out using wireshark what Internet Explorer does when it > fails to authenticate using Kerberos. It asks a ticket from the Active > Directory server for HTTP/virtualhost.domain.com instead of > HTTP/realname.domain.com. For me this seems like a bug in IE7, has > anyone found solutions for this? That's not a bug. You will need to add SPNs to the desired account (using setspn) for each virtual hostname. Mike -- Michael B Allen PHP Active Directory SPNEGO SSO http://www.ioplex.com/ From raeburn at MIT.EDU Thu Sep 11 14:52:49 2008 From: raeburn at MIT.EDU (Ken Raeburn) Date: Thu, 11 Sep 2008 14:52:49 -0400 Subject: obtaining tickets by TCP In-Reply-To: References: Message-ID: <988DE89F-F552-48BA-9967-0B9D278F8A51@mit.edu> On Sep 11, 2008, at 13:03, Victor Sudakov wrote: > Colleagues, > > Is there a way to configure a Kerberos client to use TCP for obtaining > tickets, other that explicitly listing all KDC's in krb5.conf with > the "tcp" prefix? > > I want to be able to prefer TCP transport and still retain the > possibility of using DNS SRV records to lookup KDCs. The setting "udp_preference_limit" (under libdefaults) indicates the minimum outgoing packet size for which the library will try TCP first. If it doesn't get through with TCP, it will still try UDP; this only controls the order. 
Ken

From vas at mpeks.no-spam-here.tomsk.su Fri Sep 12 04:59:22 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Fri, 12 Sep 2008 08:59:22 +0000 (UTC)
Subject: obtaining tickets by TCP
References:
Message-ID:

Ken Raeburn wrote:
> > Is there a way to configure a Kerberos client to use TCP for obtaining tickets, other than explicitly listing all KDC's in krb5.conf with the "tcp" prefix?
> >
> > I want to be able to prefer TCP transport and still retain the possibility of using DNS SRV records to lookup KDCs.
> The setting "udp_preference_limit" (under libdefaults) indicates the minimum outgoing packet size for which the library will try TCP first. If it doesn't get through with TCP, it will still try UDP; this only controls the order.

Sorry, I did not mention I was talking about Heimdal.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet
http://vas.tomsk.ru/

From lha at kth.se Fri Sep 12 11:55:03 2008
From: lha at kth.se (Love Hörnquist Åstrand)
Date: Fri, 12 Sep 2008 16:55:03 +0100
Subject: obtaining tickets by TCP
In-Reply-To:
References:
Message-ID:

On 12 Sep 2008 at 09:59, Victor Sudakov wrote:
>>> Is there a way to configure a Kerberos client to use TCP for obtaining tickets, other than explicitly listing all KDC's in krb5.conf with the "tcp" prefix?
>>>

Default protocol in Heimdal is udp, there is no way other than you described to override it.

What problem do you have that requires tcp ?

Love

From vas at mpeks.no-spam-here.tomsk.su Fri Sep 12 13:26:29 2008
From: vas at mpeks.no-spam-here.tomsk.su (Victor Sudakov)
Date: Fri, 12 Sep 2008 17:26:29 +0000 (UTC)
Subject: obtaining tickets by TCP
References:
Message-ID:

Love Hörnquist Åstrand wrote:
> >>> Is there a way to configure a Kerberos client to use TCP for obtaining tickets, other than explicitly listing all KDC's in krb5.conf with the "tcp" prefix?
> >>>
> Default protocol in Heimdal is udp, there is no way other than you described to override it.
> What problem do you have that requires tcp ?

The problem is with a Heimdal client and Microsoft KDC:

$ kinit sudakovva at SIBPTUS.TRANSNEFT.RU
sudakovva at SIBPTUS.TRANSNEFT.RU's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
$

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet
http://vas.tomsk.ru/

From grawity+at+cluenet.org at gmail.com Fri Sep 12 14:50:45 2008
From: grawity+at+cluenet.org at gmail.com (Mantas Mikulėnas)
Date: Fri, 12 Sep 2008 21:50:45 +0300
Subject: SSH with Kerberos from Windows XP
Message-ID:

Hello everyone. I'm new here, so please don't hurt me.

I want to use Kerberos authentication when SSHing from a home Windows XP machine to a remote network. How do I configure my PC?

Client PC:
* Microsoft Windows XP Pro SP3
* stand-alone home PC (domain = False)
* I have the install CD

User:
* I'd prefer to use Microsoft's Kerberos if such a thing exists (MIT Kerberos has a stupid interface)
* I use PuTTY for SSH
* I have the QuestPuTTY mod
* I like command-line
* I don't like Cygwin

Server:
* Heimdal Kerberos
* Debian Linux
* I know the realm and KDC server address

--
Mantas Mikulėnas

Message-ID: <87iqsyhreh.fsf@squeak.fifthhorseman.net>

On Sat 2008-09-13 02:57:39 -0400, Victor Sudakov wrote:
> ws233# klist --version
> klist (Heimdal 0.6.3)
> Copyright 1999-2004 Kungliga Tekniska Högskolan
> Send bug-reports to heimdal-bugs at pdc.kth.se
> ws233# uname -sr
> FreeBSD 7.0-RELEASE
> ws233#
[...]
> It is FreeBSD's stock Kerberos.
> Can you give me the URL for the fix? I could submit a PR to the FreeBSD team.

What version of FreeBSD are you using?
For FreeBSD-7-STABLE, stock appears to be 1.0.1, fwict:

0 root at freebsdtest:~# cat /usr/ports/security/heimdal/distinfo
MD5 (heimdal-1.0.1.tar.gz) = 498e24f52b4f2e658e31f728a1279769
SHA256 (heimdal-1.0.1.tar.gz) = b46222d18d52eb0b2f6e0959b4a047a4f4d992600a8d0fbe2f834c6c7fc54cc2
SIZE (heimdal-1.0.1.tar.gz) = 3398032
MD5 (heimdal-0.7.2-setuid-patch.txt) = b4413b9b8be35c87bf4b2f314047946c
SHA256 (heimdal-0.7.2-setuid-patch.txt) = 5609bb6c97c7a0863881613ae985838b2dcdbaf5fc254dd890b2babfd39404e8
SIZE (heimdal-0.7.2-setuid-patch.txt) = 7357
0 root at freebsdtest:~#

http://www.freebsd.org/cgi/ports.cgi?query=heimdal&stype=all

--dkg

From Shu-ying.Yu at sybase.com Mon Sep 15 00:12:25 2008
From: Shu-ying.Yu at sybase.com (Shu-ying.Yu@sybase.com)
Date: Mon, 15 Sep 2008 12:12:25 +0800
Subject: Kerberos credentials are defective
Message-ID:

Hi,

I have to use kerberos authentication to support authentication between sybase products. A kerberos server has been set up on the machine repsunsh.sybase.com (solaris platform). I have a sybase ASE server on the machine replinux4.sybase.com (linux platform) and user shuyingy. When I tried to login to this ASE server by sybase client isql with kerberos authentication, I got such result:

ASE log error message:
00:00000:00016:2008/09/14 20:05:04.25 server SCL error in function: sec_get_cred. Operation: sec_cred_acquire().
00:00000:00016:2008/09/14 20:05:04.25 server SCL error in function: sec_setup. Operation: sec_get_cred().
00:00000:00016:2008/09/14 20:05:04.25 kernel Connectivity Library (Security Control Layer) Error: Consistency checks performed on the credential failed (minor status 0).

but I have got credentials of the server and user.
klist:
Ticket cache: FILE:/remote/repeng1/ost/krb5/ost_replnx4_13
Default principal: shuyingy/replinux4.sybase.com at OST.SYBASE.COM

Valid starting     Expires            Service principal
09/14/08 21:04:06  09/15/08 21:03:49  krbtgt/OST.SYBASE.COM at OST.SYBASE.COM
09/14/08 21:04:38  09/15/08 21:03:49  ost_replnx4_13/OST.SYBASE.COM at OST.SYBASE.COM

Kerberos 4 ticket cache: /tmp/tkt10646
klist: You have no tickets cached

I think there was no error with my configure of kerberos since I have got the two credentials.

Could anyone help me about this problem? Thank you very much.

Best Regards,
Shu-ying Yu
Shanghai R&D Center, Sybase.Inc
Email: shuyingy at sybase.com
Tel: +86-21-38657383

From deengert at anl.gov Mon Sep 15 12:05:54 2008
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 15 Sep 2008 11:05:54 -0500
Subject: SSH with Kerberos from Windows XP
In-Reply-To:
References:
Message-ID: <48CE87E2.5090709@anl.gov>

Mantas Mikulėnas wrote:
> Hello everyone. I'm new here, so please don't hurt me.
>
> I want to use Kerberos authentication when SSHing from a home Windows XP machine to a remote network. How do I configure my PC?
>
> Client PC:
> * Microsoft Windows XP Pro SP3
> * stand-alone home PC (domain = False)
> * I have the install CD
>
> User:
> * I'd prefer to use Microsoft's Kerberos if such a thing exists

Yes and No. It is normally used only when the machine is joined to an AD domain, and the user logs in to the domain. This also implies AD is providing authorization data.

But you could use the Windows ksetup command to set the name of the realm, and locations of the KDCs. Then use the Windows runas command to get a TGT usable only in the cmd.exe

runas /netonly /user:user at REALM cmd.exe

It will prompt for the Kerberos password. (You may need other parameters too.) With the TGT you can then use the Windows klist command from this window to see the tickets, and start the Quest PuTTY. The PuTTY will use "SSPI" i.e. Windows GSSAPI to authenticate to a sshd with GSSAPI.
cd \Program Files\Quest Software\PuTTY
putty.exe -load my.host.profile

> (MIT Kerberos has a stupid interface)

A lot easier than what I just described above...

> * I use PuTTY for SSH
> * I have the QuestPuTTY mod
> * I like command-line
> * I don't like Cygwin
>
> Server:
> * Heimdal Kerberos
> * Debian Linux
> * I know the realm and KDC server address
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From amalegaonkar at gmail.com Mon Sep 15 17:16:32 2008
From: amalegaonkar at gmail.com (Ashutosh Malegaonkar)
Date: Mon, 15 Sep 2008 14:16:32 -0700
Subject: Distinguish between user-id and machine-id
Message-ID:

Folks,

Newbie Question: I am writing a simple application whose end-goal is to create a user table after looking at kerberos packets in my network. I am currently looking at TGS_REP only. Inside TGS, I am looking at "Principal-name". Now the question is, I see both machine name and user-id in subsequent packets. How do I distinguish between user-id VS machine name? Is there any other message I need to look at so that I can get only user-ids.

Thanks!
ashutosh

From whobbie81-linuxgeek at yahoo.com Mon Sep 15 19:27:08 2008
From: whobbie81-linuxgeek at yahoo.com (wslyhbb)
Date: Mon, 15 Sep 2008 16:27:08 -0700 (PDT)
Subject: Kerberos/Telnet question
Message-ID: <19502891.post@talk.nabble.com>

I am trying to set up Kerberos on my Mandriva 2008.1 server. I think it is correctly configured but when I login with telnet, it seems to login fine, but then it immediately closes the connection and telnet is not usable.

telnet:
Trying 192.168.1.12...
Connected to server01.bluemapletech.com (192.168.1.12).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``whobbie at BLUEMAPLETECH.COM'' ]
done.
Last login: Mon Sep 15 18:13:31 from server01

Why is this? What is wrong?
--
View this message in context: http://www.nabble.com/Kerberos-Telnet-question-tp19502891p19502891.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From edward at murrell.co.nz Mon Sep 15 19:59:18 2008
From: edward at murrell.co.nz (Edward Murrell)
Date: Tue, 16 Sep 2008 11:59:18 +1200 (NZST)
Subject: Kerberos/Telnet question
In-Reply-To: <19502891.post@talk.nabble.com>
References: <19502891.post@talk.nabble.com>
Message-ID: <36474.203.144.32.165.1221523158.squirrel@zinc.murrell.co.nz>

Hi there,

At the risk of sounding officious, you should use ssh (secure shell) instead of telnet, since telnet is insecure (even with Kerberos authentication).

>
> I am trying to set up Kerberos on my Mandriva 2008.1 server. I think it is correctly configured but when I login with telnet, it seems to login fine, but then it immediately closes the connection and telnet is not usable.
> telnet:
> Trying 192.168.1.12...
> Connected to server01.bluemapletech.com (192.168.1.12).
> Escape character is '^]'.
> Waiting for encryption to be negotiated...
> [ Kerberos V5 accepts you as ``whobbie at BLUEMAPLETECH.COM'' ]
> done.
> Last login: Mon Sep 15 18:13:31 from server01
>
> Why is this? What is wrong?
>
>

From whobbie81-linuxgeek at yahoo.com Mon Sep 15 20:56:49 2008
From: whobbie81-linuxgeek at yahoo.com (wslyhbb)
Date: Mon, 15 Sep 2008 17:56:49 -0700 (PDT)
Subject: Kerberos/Telnet question
In-Reply-To: <36474.203.144.32.165.1221523158.squirrel@zinc.murrell.co.nz>
References: <19502891.post@talk.nabble.com> <36474.203.144.32.165.1221523158.squirrel@zinc.murrell.co.nz>
Message-ID: <19503655.post@talk.nabble.com>

Well, I was going through this book " http://oreilly.com/catalog/9780596004033/index.html Kerberos: The Definitive Guide " in order to set up Kerberos and on P. 82 it has you test your configuration using a telnet client, so that is what I was trying to do, but it is not fully working as it should. I mean, it accepts my TGT but then closes the session, what is up with that?

Edward Murrell-2 wrote:
>
> Hi there,
>
> At the risk of sounding officious, you should use ssh (secure shell) instead of telnet, since telnet is insecure (even with Kerberos authentication).
>
>>
>> I am trying to set up Kerberos on my Mandriva 2008.1 server. I think it is correctly configured but when I login with telnet, it seems to login fine, but then it immediately closes the connection and telnet is not usable.
>> telnet:
>> Trying 192.168.1.12...
>> Connected to server01.bluemapletech.com (192.168.1.12).
>> Escape character is '^]'.
>> Waiting for encryption to be negotiated...
>> [ Kerberos V5 accepts you as ``whobbie at BLUEMAPLETECH.COM'' ]
>> done.
>> Last login: Mon Sep 15 18:13:31 from server01
>>
>> Why is this? What is wrong?
>>
>
>

--
View this message in context: http://www.nabble.com/Kerberos-Telnet-question-tp19502891p19503655.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

From tuomaksen.spammiposti at gmail.com Tue Sep 16 16:15:04 2008
From: tuomaksen.spammiposti at gmail.com (Tuomas)
Date: Tue, 16 Sep 2008 23:15:04 +0300
Subject: spnego
In-Reply-To:
References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com> <48C9479A.3080604@gmail.com>
Message-ID:

Michael B Allen wrote:
> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas wrote:
>> I also found out using wireshark what Internet Explorer does when it fails to authenticate using Kerberos. It asks a ticket from the Active Directory server for HTTP/virtualhost.domain.com instead of HTTP/realname.domain.com. For me this seems like a bug in IE7, has anyone found solutions for this?
>
> That's not a bug. You will need to add SPNs to the desired account (using setspn) for each virtual hostname.

I see, just can't understand why this is happening occasionally. At least it makes things harder.

Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still didn't work as they should. Now in apache's error.log I get:

gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)

I understand that I should have also virtualhost.domain.com defined in my keytab, just don't have any idea how to do that.

Thanks for all the help!
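The "Key table entry not found" error quoted above means the acceptor's keytab holds no key for the service principal named in the client's ticket, which is the check a defender wants to run before blaming the browser. As an added example (not code from this thread, from mod_auth_kerb or from MIT), the following Python parses an MIT-format keytab and lists which of the names a browser might request are absent; the realm DOMAIN.COM, the key bytes and the keytab itself are constructed here, and the on-disk layout is the one assumed in the comments for keytab format version 0x0502.

```python
import struct

# Layout assumed here for an MIT keytab file (format version 0x0502):
#   magic 0x05 0x02, then entries of: int32 size (negative = deleted slot),
#   uint16 component count, realm and components each as uint16 length +
#   bytes, uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype,
#   uint16 key length + key bytes, optional trailing uint32 full kvno.
KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
ETYPE_ARCFOUR_HMAC = 23


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: big-endian uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    """Decode a counted octet string at pos; return (bytes, next position)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Build a keytab from (principal, kvno, enctype, key) tuples.

    Constructed test input only; real keytabs come from ktpass, ktutil,
    msktutil or net ads join. The principal is written as comp1/comp2@REALM.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Parse a keytab blob into one dict per live (non-deleted) entry."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                      # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        if end > len(blob):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        (enctype,) = struct.unpack_from(">H", blob, pos + 9)
        key, pos = _read_counted(blob, pos + 11)
        kvno = vno8
        if end - pos >= 4:                # trailing 32-bit kvno wins if set
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries


def missing_spns(blob: bytes, wanted):
    """Return the names in wanted that the keytab holds no key for; a ticket
    for any of them makes gss_accept_sec_context() fail as quoted above."""
    have = {e["principal"] for e in parse_keytab(blob)}
    return [spn for spn in wanted if spn not in have]


# Constructed sample: keys only for the real host name, in two enctypes.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/realname.domain.com@DOMAIN.COM", 3,
     ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(32)),
    ("HTTP/realname.domain.com@DOMAIN.COM", 3, ETYPE_ARCFOUR_HMAC, bytes(16)),
])
# Names a browser may ask a ticket for; the virtual host is the one that fails.
REQUESTED_SPNS = ["HTTP/realname.domain.com@DOMAIN.COM",
                  "HTTP/virtualhost.domain.com@DOMAIN.COM"]

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("missing:", missing_spns(SAMPLE_KEYTAB, REQUESTED_SPNS))
```

Pointing parse_keytab at the bytes of a real keytab (for example the file mod_auth_kerb reads) shows every principal and enctype it can serve, so a missing virtual-host name or a stale kvno is visible before the first failed login.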
-Tuomas

From ioplex at gmail.com Tue Sep 16 17:48:21 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Tue, 16 Sep 2008 17:48:21 -0400
Subject: spnego
In-Reply-To:
References: <18707098.post@talk.nabble.com> <003301c9003b$de6792d0$7b2e1dc2@ad.checkpoint.com> <48C9479A.3080604@gmail.com>
Message-ID: <78c6bd860809161448r4da5349bre7a496ad07052d4a@mail.gmail.com>

On Tue, Sep 16, 2008 at 4:15 PM, Tuomas wrote:
> Michael B Allen wrote:
>> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas wrote:
>>> I also found out using wireshark what Internet Explorer does when it
>>> fails to authenticate using Kerberos. It asks a ticket from the Active
>>> Directory server for HTTP/virtualhost.domain.com instead of
>>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>>> anyone found solutions for this?
>>
>> That's not a bug. You will need to add SPNs to the desired account
>> (using setspn) for each virtual hostname.
>
> I see, just can't understand why this is happening occasionally. At
> least it makes things harder.
>
> Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", things still
> didn't work as they should. Now in apache's error.log I get:
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information (Key table entry not found)
>
> I understand that I should have also virtualhost.domain.com defined in
> my keytab, just don't have any idea how to do that.

Actually I think I might know why you're getting an error (I don't know a lot about mod_auth_kerb - I know a lot more about what is possible protocol-wise as opposed to what mod_auth_kerb can do).

A keytab file can have multiple principals (SPNs in this case). For example, our Plexcel product automatically generates a keytab with all of the SPNs set on the HTTP service account.
But now that I think about it, because mod_auth_kerb relies on ktpass.exe to generate the keytab file, and because ktpass can only generate the said keytab file with one principal, it has to be that one SPN you want to use. Meaning I suspect you have to run ktpass to generate a keytab file *with the specific SPN* you want to use.

You might want to bring your problem to the mod_auth_kerb mailing list. They would certainly know better than I how to set this up. I'm happy to give you my best guess here but again, I'm not terribly familiar with mod_auth_kerb's nuances.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From aroth at arsoft-online.com Wed Sep 17 08:25:54 2008
From: aroth at arsoft-online.com (Andreas Roth)
Date: Wed, 17 Sep 2008 14:25:54 +0200
Subject: [modauthkerb]: KRB5CCNAME only set for subprocesses
Message-ID: <200809171425.54926.aroth@arsoft-online.com>

Hello,

I'm using mod_auth_kerb version 5.3 (from ubuntu intrepid) and apache2 on a ubuntu hardy machine. I set up the kerberos authentication using mod_auth_kerb and it works well, but I have one problem: When I use a CGI script (e.g. shell script) the environment variable KRB5CCNAME is set, but when I use a PHP script (just calling phpinfo()) the environment variable is not set. Is this the correct behaviour? I would like to use the kerberos cache within my PHP scripts; how can I do this?

Thanks in advance,
Andreas Roth

From mdevine at opendemand.com Wed Sep 17 14:32:43 2008
From: mdevine at opendemand.com (Matthew Devine)
Date: Wed, 17 Sep 2008 14:32:43 -0400
Subject: KFW w/ IE
Message-ID: <00c001c918f3$c651f7f0$640fa8c0@MattODS>

So I created my test environment locally: 1 Linux KDC machine, 1 Linux apache web server w/ mod_auth_kerb and 1 Windows XP machine to act as a client. Now I set this all up on Friday and then I was able to connect, using the tickets that I obtained from Kerberos for Windows.
IE would actually prompt me with the KFW window for the principal's password and then it would send the correct negotiate header. Now I was able to verify this through use of Wireshark, so I actually saw the negotiate header getting returned from both browsers. Today though, when I try to connect with IE, it doesn't sync with KFW at all. It just populates the negotiate header on its own, which fails. This is simply a test environment so I don't have any full blown domains set up. I'm not quite sure how it happened, but what would I need to do to have IE use KFW for its negotiate, if it's even possible?

Much appreciated,
Matthew Devine

From klausk at linux.vnet.ibm.com Wed Sep 17 17:21:47 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Wed, 17 Sep 2008 18:21:47 -0300
Subject: Using LDAP backend with start_tls
Message-ID: <1221686507.9420.28.camel@klausk.br.ibm.com>

Hi everyone,

I was wondering how I can use the LDAP backend over a TLS connection. Looking at the krb5.conf file man page, it looks like there is no option covering this, and I'm assuming that simply using ldaps:// as the ldap_servers URI will toggle SSL over port 636 instead of TLS at port 389.

ldapi://socket will initiate a unix socket connection
ldap://host will start an unsecured connection at port 389
ldaps://host will start SSL through port 636

Is there a way to START_TLS over port 389?
Thanks,

-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From ioplex at gmail.com Wed Sep 17 22:20:39 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 17 Sep 2008 22:20:39 -0400
Subject: [modauthkerb]: KRB5CCNAME only set for subprocesses
In-Reply-To: <200809171425.54926.aroth@arsoft-online.com>
References: <200809171425.54926.aroth@arsoft-online.com>
Message-ID: <78c6bd860809171920n63745398w3d1d24613170b811@mail.gmail.com>

On Wed, Sep 17, 2008 at 8:25 AM, Andreas Roth wrote:
> Hello,
>
> I'm using mod_auth_kerb version 5.3 (from ubuntu intrepid) and apache2 on a
> ubuntu hardy machine. I set up the kerberos authentication using mod_auth_kerb
> and it works well, but I have one problem: When I use a CGI script (e.g. shell
> script) the environment variable KRB5CCNAME is set, but when I use a PHP
> script (just calling phpinfo()) the environment variable is not set.
> Is this the correct behaviour? I would like to use the kerberos cache within
> my PHP scripts; how can I do this?

Andreas,

I don't have a definitive answer for you but here are a few thoughts:

Try adding KRB5CCNAME to the safe_mode_allowed_env_vars INI property. However, instinct tells me this is probably not the problem.

Note that the $_ENV global and getenv() function can return different results - try running a simple script that uses getenv instead to see if KRB5CCNAME is set. I have a feeling this is going to be the issue, which is to say there is no issue, since any Kerberos aware client will use getenv().

Also, I think you have to set a mod_auth_kerb option to indicate that you want KRB5CCNAME set (although apparently you have already done this if it works under a cgi script).

Finally, if your KDC is AD you might want to check out our Plexcel product (see signature).
Plexcel for PHP does SPNEGO or explicit Kerberos logons, delegation, script-level group based access control, setting / changing passwords, account management w/ name canonicalization, "Sites and Services" support, DNS caching, redundancy / fail-over, support for multiple SPNs in your keytab for virtual hosting, plugins for popular PHP applications and more. Many of these details are impossible or very difficult to implement with the standard OSS stack.

Anyway, if you try Plexcel or have any questions about it, please contact IOPLEX Software support directly and I'll help you in whatever way I can.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From ioplex at gmail.com Wed Sep 17 23:28:56 2008
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 17 Sep 2008 23:28:56 -0400
Subject: Using LDAP backend with start_tls
In-Reply-To: <1221686507.9420.28.camel@klausk.br.ibm.com>
References: <1221686507.9420.28.camel@klausk.br.ibm.com>
Message-ID: <78c6bd860809172028s3115572cp7bcf2270f18be0c0@mail.gmail.com>

On Wed, Sep 17, 2008 at 5:21 PM, Klaus Heinrich Kiwi wrote:
> Hi everyone,
>
> I was wondering how can I use the LDAP backend over a TLS connection.
> Looking at the krb5.conf file man page, looks like there is no option
> covering this and I'm assuming that simply using ldaps:// as the
> ldap_servers URI will toggle SSL over port 636 instead of TLS at port
> 389.
>
> ldapi://socket will initiate a unix socket connection
> ldap://host will start an unsecured connection at port 389
> ldaps://host will start SSL through port 636
>
> Is there a way to START_TLS over port 389?

Perhaps you can grep through the ldap backend source. If it uses OpenLDAP's API I believe the function in question is called ldap_start_tls_s. If it exists, maybe you can determine what conditions are required to trigger it.
Or wait for someone to answer who actually knows how the LDAP backend works :->

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From sonja.benz at de.ibm.com Thu Sep 18 01:14:33 2008
From: sonja.benz at de.ibm.com (Sonja Benz)
Date: Thu, 18 Sep 2008 07:14:33 +0200
Subject: Using LDAP backend with start_tls
In-Reply-To: <78c6bd860809172028s3115572cp7bcf2270f18be0c0@mail.gmail.com>
Message-ID:

TLS uses the standard LDAP port, by default 389, if it is started. To my understanding, then you just use ldap://

See also: http://www.openldap.org/faq/data/cache/605.html

Sonja

"Michael B Allen"
Sent by: kerberos-bounces at mit.edu
18.09.2008 05:28

To: "Klaus Heinrich Kiwi"
cc: kerberos at mit.edu
Subject: Re: Using LDAP backend with start_tls

On Wed, Sep 17, 2008 at 5:21 PM, Klaus Heinrich Kiwi wrote:
> Hi everyone,
>
> I was wondering how can I use the LDAP backend over a TLS connection.
> Looking at the krb5.conf file man page, looks like there is no option
> covering this and I'm assuming that simply using ldaps:// as the
> ldap_servers URI will toggle SSL over port 636 instead of TLS at port
> 389.
>
> ldapi://socket will initiate a unix socket connection
> ldap://host will start an unsecured connection at port 389
> ldaps://host will start SSL through port 636
>
> Is there a way to START_TLS over port 389?

Perhaps you can grep through the ldap backend source. If it uses OpenLDAP's API I believe the function in question is called ldap_start_tls_s. If it exists, maybe you can determine what conditions are required to trigger it.
Or wait for someone to answer who actually knows how the LDAP backend works :->

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

From mikmak at freenux.org Thu Sep 18 02:08:34 2008
From: mikmak at freenux.org (Mickael Marchand)
Date: 18 Sep 2008 06:08:34 GMT
Subject: Using LDAP backend with start_tls
References:
Message-ID: <48d1f062$0$10469$426a74cc@news.free.fr>

On 17-09-2008, Klaus Heinrich Kiwi wrote:
> Hi everyone,
>
> I was wondering how can I use the LDAP backend over a TLS connection.
> Looking at the krb5.conf file man page, looks like there is no option
> covering this and I'm assuming that simply using ldaps:// as the
> ldap_servers URI will toggle SSL over port 636 instead of TLS at port
> 389.
>
> ldapi://socket will initiate a unix socket connection
> ldap://host will start an unsecured connection at port 389
> ldaps://host will start SSL through port 636
>
> Is there a way to START_TLS over port 389?
>
> Thanks,
>
> -Klaus
>

Hi,

I have this setup with Heimdal and OpenLDAP and IIRC I checked the source code and TLS was -not- used at all there :/ I did not care much since I use the same server for both, but this is disturbing ... writing a patch for this in Heimdal should be pretty straightforward I guess.

Cheers,
Mik

From jiawen at MIT.EDU Thu Sep 18 12:48:04 2008
From: jiawen at MIT.EDU (Jiawen Chen)
Date: Thu, 18 Sep 2008 12:48:04 -0400
Subject: Kerberos on Windows Vista x64
Message-ID: <48D28644.2050208@mit.edu>

Hello,

I'm wondering if there is any word on when a release of Kerberos for Windows Vista x64 might be available. There appears to be a version from Secure Endpoints:

http://www.secure-endpoints.com/#kfw

...but I'm not sure how reliable that is since it's not directly coming from MIT. My end goal is to get OpenAFS to work on my 64-bit machine.
Thanks,
Jiawen

From jiawen at MIT.EDU Thu Sep 18 18:35:28 2008
From: jiawen at MIT.EDU (Jiawen Chen)
Date: Thu, 18 Sep 2008 18:35:28 -0400
Subject: Kerberos on Windows Vista x64
In-Reply-To: <566291199AC64B8791119E2619E3798C@CDCHOME>
References: <48D28644.2050208@mit.edu> <566291199AC64B8791119E2619E3798C@CDCHOME>
Message-ID: <357B9F15-A8FB-477E-BDD9-BE641666739F@mit.edu>

Thanks everyone. After a rather strange experience of installing and uninstalling various combinations of 32 and 64-bit KfW and OpenAFS, I managed to get everything working.

--Jiawen

On Sep 18, 2008, at 6:23 PM, Christopher D. Clausen wrote:
> The secure-endpoints version is better. The developer used to produce
> the MIT builds. Use it. And you'll want to install the 32-bit KfW in
> addition to support 32-bit apps.
>
> Jiawen Chen wrote:
>> Hello,
>>
>> I'm wondering if there is any word on when a release of Kerberos for
>> Windows Vista x64 might be available. There appears to be a version
>> from Secure Endpoints:
>>
>> http://www.secure-endpoints.com/#kfw
>>
>> ...but I'm not sure how reliable that is since it's not directly
>> coming from MIT. My end goal is to get OpenAFS to work on my 64-bit
>> machine.
>>
>> Thanks,
>
>

From paulnelsontx at gmail.com Fri Sep 19 18:51:48 2008
From: paulnelsontx at gmail.com (Paul Nelson)
Date: Fri, 19 Sep 2008 17:51:48 -0500
Subject: Kerberize MS Exchange?
References:
Message-ID:

in article g9qllk$4te$1 at news.metronet.hr, Walter Sobchak at genijalac at yahoo.com wrote on 9/5/08 2:04 AM:
> Michael B Allen wrote:
>> On Thu, Sep 4, 2008 at 8:13 AM, Walter Sobchak wrote:
>>> I'd like to kerberize ms exchange. I found some information about adding
>>> a security patch and some settings but not enough for it to work.
>>> Are there any pointers someone could give me?
>>> Do I have to use some commercial solution or it can be configured or
>>> programmed manually?
>>
>> Kerberize it how?
>>
>> MS Exchange uses a proprietary communications protocol so it's not
>> clear how Kerberos authentication even works in Exchange [1].
>>
>> If you're talking about using IMAP4, last I checked MS Exchange does
>> not support Kerberos w/ IMAP4 at all.
>>
>> Mike
>>
>> [1] There is some new "Exchange Protocols" documentation released as
>> part of the EU settlement that might include such details.
>>
>
> What I really want to do is use Outlook Web Access.
> Also I would like to have this option for Internet users, not only local
> company users.

OWA is going to be kerberized because it is built on top of IIS.

Paul Nelson
Tursby Software Systems, Inc

From klausk at linux.vnet.ibm.com Thu Sep 25 12:45:55 2008
From: klausk at linux.vnet.ibm.com (Klaus Heinrich Kiwi)
Date: Thu, 25 Sep 2008 13:45:55 -0300
Subject: Verifying the source package PGP signature
Message-ID: <1222361155.13220.1.camel@klausk.br.ibm.com>

Hi,

How can I verify the PGP signature for, say, krb5-1.6.3-signed.tar? Are there simple steps that I can take to do that?

I'm actually trying to document it for a customer.

Thanks,

-Klaus

--
Klaus Heinrich Kiwi
Linux Security Development, IBM Linux Technology Center

From raeburn at MIT.EDU Thu Sep 25 13:18:16 2008
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 25 Sep 2008 13:18:16 -0400
Subject: Verifying the source package PGP signature
In-Reply-To: <1222361155.13220.1.camel@klausk.br.ibm.com>
References: <1222361155.13220.1.camel@klausk.br.ibm.com>
Message-ID: <2849824D-792D-4779-AA0E-B3B7856BDD17@mit.edu>

On Sep 25, 2008, at 12:45, Klaus Heinrich Kiwi wrote:
> How can I verify the PGP signature for say, krb5-1.6.3-signed.tar? Are
> there simple steps that I can take to do that?
>
> I'm actually trying to document it for a customer.

Tom Yu's PGP key was used to sign that. His public key should be available from the PGP key servers.
It depends on the specific PGP software you use, but something like this for example:

$ tar xvf krb5-1.6.3-signed.tar
krb5-1.6.3.tar.gz
krb5-1.6.3.tar.gz.asc
$ gpg krb5-1.6.3.tar.gz.asc
gpg: Signature made Mon Oct 22 17:04:31 2007 EDT using RSA key ID F376813D
gpg: Good signature from "Tom Yu "
Primary key fingerprint: 52 E0 3E E9 38 AE 70 58 3F 21 5C C8 5C C4 55 24

If the source tar file or signature is modified or corrupted, you'll get a different message out:

$ echo malware > krb5-1.6.3.tar.gz
$ gpg krb5-1.6.3.tar.gz.asc
gpg: Signature made Mon Oct 22 17:04:31 2007 EDT using RSA key ID F376813D
gpg: BAD signature from "Tom Yu "
$

So what's to prevent some malware author from creating a key in Tom's name and signing his own version of the package? Well, nothing; as usual with PGP, the security depends on the "web of trust" scheme linking the verifier to Tom. We don't have any mechanism tied in to a centralized global PKI to verify the integrity of the distribution. It would be more difficult to duplicate the key ID number and fingerprint as well, but you still have the question of how to securely get that info to the customers. Maybe putting it in your documentation is sufficient?

Ken

From stephenpince at gmail.com Thu Sep 25 01:46:22 2008
From: stephenpince at gmail.com (Steve)
Date: Wed, 24 Sep 2008 22:46:22 -0700 (PDT)
Subject: krb5_get_in_tkt_with_password with KRB5_REALM_CANT_RESOLVE error
Message-ID:

I am getting an error with krb5_get_in_tkt_with_password. I am trying to programmatically get a ticket from the KDC server. I am using the kfw 3.3.3 MIT kerberos toolkit. The userid is matt at FOOBAR.LOCAL. The host FOOBAR.LOCAL just has an entry in my C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS.

69.127.38.76 apache.foobar.local apache
69.127.38.76 kdc.foobar.local kdc

---------------------------------------------------------------

I have tried the following userids.
matt at FOOBAR.LOCAL
matt at kdc.foobar.local
matt at apache.foobar.local
matt at 69.127.38.76

The code is
------------------------------------------------------------------------------

    err = krb5_get_in_tkt_with_password(krb5->context, kdcFlags, NULL, NULL, NULL,
                                        password, krb5->ccache, &krb5->credentials, 0);

Is it failing because the kerberos package can't use a hosts file but needs an actual DNS entry?

Any help would be greatly appreciated.

Steve
stephenpince at gmail.com

From reto_schubnell at hotmail.com Thu Sep 25 09:23:19 2008
From: reto_schubnell at hotmail.com (Reto Schubnell)
Date: Thu, 25 Sep 2008 13:23:19 +0000
Subject: Multiple Realms in Apache mod_auth_kerb
Message-ID:

Hello

I have a problem getting my apache to work with 2 domains, test1 and test2, with kerberos. The site should be accessible by users in both domains. Is there a trust needed between the domains? (I can't do a trust between the domains for security reasons.) What steps are needed to get this to work?

kerberos.conf in apache:

    Options FollowSymLinks
    AllowOverride None
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthoritative On
    KrbVerifyKDC On
    KrbAuthRealms TEST1.LOCAL TEST2.LOCAL
    Krb5KeyTab /etc/apache2/test.keytab
    require valid-user

krb5.conf:

    [realms]
    TEST1.LOCAL = {
        kdc = kdc.test1.local
        admin_server = kdc.test1.local
    }
    TEST2.LOCAL = {
        kdc = kdc.test2.local
        admin_server = kdc.test2.local
    }
From naveen.bn at globaledgesoft.com Fri Sep 26 06:09:54 2008
From: naveen.bn at globaledgesoft.com (naveen.bn)
Date: Fri, 26 Sep 2008 10:09:54 +0000
Subject: help
Message-ID: <48DCB4F2.8090904@globaledgesoft.com>

Hi all,

I am working on a PacketCable security module for an MTA, which requires a PacketCable-specific KDC server. Can anyone guide me on where I can get a trial version of a KDC server apart from ipfonix? Kindly help me in finding the KDC server.

with regards
Naveen

From lw at lwilke.de Sun Sep 28 14:54:18 2008
From: lw at lwilke.de (Lars Wilke)
Date: Sun, 28 Sep 2008 20:54:18 +0200
Subject: Restrict principal
Message-ID:

Hi,

Is it somehow possible to restrict a principal (real user) to obtain only certain service tickets, like HTTP but not ftp, with MIT Kerberos on CentOS 5.2?

Thanks
--lars

From John.Corkish at lit.ie Mon Sep 29 03:31:18 2008
From: John.Corkish at lit.ie (John.Corkish)
Date: Mon, 29 Sep 2008 08:31:18 +0100
Subject: kdb5_util "Help required"
Message-ID: <344DCB69A1F07F4DA513D2385DF92B235F235631@litdomex07.litdom.lit.ie>

Hello to all,

My apologies for what may seem like a very basic question. However, I am currently installing Kerberos 5-1.6.3 on to a Linux Red Hat machine. I have followed the MIT installation guide and my installation worked fine, up until I had to create the KDC using the "kdb5_util create -r PROJECT.ZONE -s" command. My problem is that when I issued the above command, it returns with: bash: command not found.

Can anyone please provide any advice on what to do or what might be the problem?

Thanks and regards,
John.
From DaultonTheodore at cunet.carleton.ca Tue Sep 30 11:38:35 2008
From: DaultonTheodore at cunet.carleton.ca (Daulton_Theodore)
Date: Tue, 30 Sep 2008 11:38:35 -0400
Subject: error configuring kerberos
Message-ID:

I am trying to build and install krb5-1.6.3 on Solaris 10 but I keep getting the following error message from ./configure:

Configure: cannot find res_nsearch or res_search

Any suggestions as to how to get past this would be appreciated.

~~~~~~~~~~~~~~~~~~~~~~~
Daulton Theodore
Systems Department, Carleton University Library
Email: daulton_theodore at carleton.ca
Vmail: (613) 520-2600 ext:8352
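The "spnego" thread above (Tuomas's "Key table entry not found" and Michael B Allen's reply that a keytab can hold several principals) turns on one fact: gss_accept_sec_context() looks the SPN the browser asked for up in the keytab, so a virtual host only works if the keytab has an entry for that SPN too. The following is an added example, not code from mod_auth_kerb, MIT krb5 or Plexcel: a small reader and writer for the version 0x0502 keytab file format (the format MIT krb5 and Heimdal use), used to build a keytab with both HTTP/realname.domain.com and HTTP/virtualhost.domain.com and to check which SPNs it can serve. The realm DOMAIN.COM, the key bytes and the kvno are made up for the sample; point parse_keytab at the bytes of a real keytab (klist -k shows the same information) to see what your own file covers.

```python
"""Minimal reader/writer for the krb5 keytab file format (version 0x0502).

Added example for the "spnego" thread; not mod_auth_kerb, MIT krb5 or
Plexcel code. It demonstrates that one keytab can carry entries for
several principals (real host and virtual host) and that the acceptor
only has a key for an SPN that is actually present. The sample keytab is
constructed in memory; realm, hostnames, kvno and key bytes are made up.
"""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"    # file format version 2
KRB5_NT_SRV_HST = 3           # name type for service/host principals
AES256_CTS_HMAC_SHA1_96 = 18  # enctype number (RFC 3962)


@dataclass
class KeytabEntry:
    principal: str            # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0


def _counted(data: bytes) -> bytes:
    """uint16 length-prefixed octet string, as used throughout the format."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    """Serialise one entry, including its int32 length prefix."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))            # component count (v2: realm not counted)
    body += _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)               # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(blob: bytes):
    """Return the KeytabEntry list stored in a version-2 keytab blob."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size

        def take():                                 # read one counted octet string
            nonlocal pos
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            s = blob[pos:pos + n]
            pos += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                          # 32-bit kvno present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries


def has_key_for(blob: bytes, spn: str) -> bool:
    """The check the acceptor effectively performs: is there an entry for the requested SPN?"""
    return any(e.principal == spn for e in parse_keytab(blob))


# Constructed sample: keys for both the real hostname and the virtual host (made-up values).
SAMPLE_KEYTAB = write_keytab([
    KeytabEntry("HTTP/realname.domain.com@DOMAIN.COM", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    KeytabEntry("HTTP/virtualhost.domain.com@DOMAIN.COM", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32, 64))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {e.kvno} {e.principal} (enctype {e.enctype})")
    print(has_key_for(SAMPLE_KEYTAB, "HTTP/virtualhost.domain.com@DOMAIN.COM"))
```

Because the format is just a sequence of self-describing entries, merging keys for additional SPNs into an existing keytab is appending entries, which is what ktutil's "rkt"/"wkt" commands or msktutil do for you; the point of the parser is to confirm, before blaming the browser, that the SPN seen in the TGS-REQ really is one of the entries.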
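Ken Raeburn's reply in the "Verifying the source package PGP signature" thread makes the practical point: "Good signature" only says that the key named "Tom Yu" verified the file, and nothing stops someone from making another key with that name, so the documentation should pin the fingerprint and the verification step should compare it. The following is an added example, not MIT's procedure or code: it drives gpg with --status-fd, which emits machine-readable GOODSIG/VALIDSIG/BADSIG lines, and accepts the tarball only when the signature is good and the reported fingerprint equals the pinned one. EXPECTED_FPR is a placeholder assumption, not Tom Yu's real fingerprint; the status lines used to exercise verdict() below are constructed, so that part runs without gpg or any key installed.

```python
"""Verify a detached PGP signature and pin the signer's fingerprint.

Added example for the "Verifying the source package PGP signature"
thread; not MIT's or Ken Raeburn's code. "Good signature" alone proves
only that some key with that user id signed the file, so verdict() also
requires that the fingerprint gpg reports equals a pinned value.
EXPECTED_FPR is a placeholder (assumption), not a real fingerprint.
"""
import subprocess
from dataclasses import dataclass

EXPECTED_FPR = "0000000000000000000000000000000000000000"  # placeholder; pin the real one


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: str = ""


def verdict(status_text: str, expected_fpr: str = EXPECTED_FPR) -> Verdict:
    """Decide from gpg --status-fd output whether the signature is good AND from the pinned key.

    Lines that matter (documented in GnuPG's doc/DETAILS):
      [GNUPG:] GOODSIG <long keyid> <userid>
      [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ... [<primary key fingerprint>]
      [GNUPG:] BADSIG <long keyid> <userid>
      [GNUPG:] ERRSIG ...   /   [GNUPG:] NO_PUBKEY <keyid>
    """
    good, fprs = False, []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        tag = parts[1]
        if tag == "BADSIG":
            return Verdict(False, "BAD signature: file or signature was modified")
        if tag in ("ERRSIG", "NO_PUBKEY"):
            return Verdict(False, f"cannot verify: {tag}")
        if tag == "GOODSIG":
            good = True
        if tag == "VALIDSIG":
            fprs.append(parts[2].upper())           # fingerprint of the signing (sub)key
            if len(parts) > 11:
                fprs.append(parts[-1].upper())      # primary key fingerprint, when present
    if not good or not fprs:
        return Verdict(False, "no GOODSIG/VALIDSIG in gpg output")
    want = expected_fpr.replace(" ", "").upper()
    if want not in fprs:
        return Verdict(False, f"good signature, but from an unpinned key {fprs[0]}", fprs[0])
    return Verdict(True, "good signature from the pinned key", want)


def verify_file(tarball: str, sig: str, expected_fpr: str = EXPECTED_FPR) -> Verdict:
    """Run gpg on a real detached signature, e.g. verify_file("krb5-1.6.3.tar.gz", "krb5-1.6.3.tar.gz.asc")."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True, check=False)
    return verdict(proc.stdout, expected_fpr)


# Constructed gpg status output for the three cases (not a real key; fingerprints are made up).
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID abc 2007-10-22 1193087071
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2007-10-22 1193087071 0 4 0 1 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
IMPOSTOR_STATUS = GOOD_STATUS.replace("0000000000000000000000000000000000000000",
                                      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("impostor", IMPOSTOR_STATUS), ("bad", BAD_STATUS)):
        print(name, verdict(status))
```

Note the TRUST_UNDEFINED line in the constructed good case: gpg prints the same "Good signature" for a key it has no trust path to, which is exactly the gap Ken describes, and the pinned-fingerprint comparison is what closes it for a customer who has no web-of-trust link to the signer. For an old v3 RSA key like the one in Ken's output, gpg reports a shorter (32 hex digit) fingerprint; the comparison is plain string equality, so pin whatever gpg --fingerprint prints for the real key.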