From akisada at tahi.org Wed Apr 1 04:16:05 2009
From: akisada at tahi.org (Yukiyo Akisada)
Date: Wed, 1 Apr 2009 17:16:05 +0900
Subject: PRF for des3-cbc-hmac-sha1-kd
Message-ID: <20090401171605.3a7772ae.akisada@tahi.org>
Hi, all.
I may misunderstand RFC 3961,
but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
PRF on Simplified Profile as its pseudo-random function.
Now, I want to use PRF function
from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.
Krb5:
But the PRF function for ENCTYPE_DES3_CBC_SHA1 has not been
defined in .
Indeed,
I need some modification into Krb5-1.8 to export prf function from krb5-1.6.3,
but I also need the following modification into krb5-1.6.3.
At the moment,
the following modification matches my expected behavior,
but I'm not sure whether this modification against krb5-1.6.3 is correct or not.
Do you have any idea about this?
--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01 17:02:56.000000000 +0900
+++ krb5-1.6.3/src/lib/crypto/etypes.c 2009-04-01 14:42:01.000000000 +0900
@@ -94,26 +94,26 @@
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
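Review bot: the hunk only touches the enctype table, so the declaration of krb5int_dk_prf must already be visible to etypes.c (it is referenced here but nothing in the hunk declares it); confirm the dk header exports it before building. The prf_length change from 8 to 16 is consistent with the RFC 3961 simplified-profile PRF for this enctype: the 20-byte SHA-1 digest is truncated to the largest multiple of the 8-byte DES block size, 16 bytes, and the CBC encryption of that value is the same size. Applying the same two-field change to all three des3-cbc-sha1 aliases is correct, since they share ENCTYPE_DES3_CBC_SHA1 and must agree.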
Regards,
--
Yukiyo Akisada
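As an added worked example (not part of the original message and not MIT's krb5int_dk_prf), the RFC 3961 simplified-profile PRF for des3-cbc-sha1-kd in Go, built from n-fold, DR/DK and the des3 random-to-key function; the function names are this example's own, the DK test values come from RFC 3961 Appendix A.3, and the PRF input is a constructed string.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"math/bits"
	"strings"
)

// nfold is RFC 3961 section 5.1 n-fold: copies of the input, each rotated right 13 bits
// more than the last, are laid end to end up to lcm(len(in), outLen) bytes, and the
// outLen-byte chunks are added with ones' complement (end-around carry) arithmetic.
func nfold(in []byte, outLen int) []byte {
	l, g, h := len(in), len(in), outLen
	for h != 0 {
		g, h = h, g%h
	}
	lcm := l * outLen / g
	out, carry := make([]byte, outLen), 0
	for i := lcm - 1; i >= 0; i-- { // carry flows exactly as in MIT krb5's krb5_nfold
		c, j := i/l, i%l // byte j of copy c, which is the input rotated right 13*c bits
		nbytes, nb := (13*c/8)%l, uint(13*c%8)
		cur, prev := in[((j-nbytes)%l+l)%l], in[((j-nbytes-1)%l+l)%l]
		s := int(out[i%outLen]) + int(cur>>nb|prev<<(8-nb)) + carry
		out[i%outLen], carry = byte(s), s>>8
	}
	for i := outLen - 1; carry != 0 && i >= 0; i-- { // fold the final carry back in
		s := int(out[i]) + carry
		out[i], carry = byte(s), s>>8
	}
	return out
}

// The 4 weak and 12 semi-weak single-DES keys (parity bits set), as hex.
const desWeakKeys = "0101010101010101 fefefefefefefefe 1f1f1f1f0e0e0e0e e0e0e0e0f1f1f1f1 " +
	"01fe01fe01fe01fe fe01fe01fe01fe01 1fe01fe00ef10ef1 e01fe01ff10ef10e " +
	"01e001e001f101f1 e001e001f101f101 1ffe1ffe0efe0efe fe1ffe1ffe0efe0e " +
	"011f011f010e010e 1f011f010e010e01 e0fee0fef1fef1fe fee0fee0fef1fef1"

// des3RandomToKey is RFC 3961 section 6.3.1 random-to-key: each 7-byte group of the
// 21 input bytes becomes an 8-byte DES key whose 8th byte collects the low bit of the
// other seven; odd parity is then set in every low bit and weak keys are perturbed.
func des3RandomToKey(rnd []byte) []byte {
	key := make([]byte, 24)
	for g := 0; g < 3; g++ {
		k := key[g*8 : g*8+8]
		copy(k, rnd[g*7:g*7+7])
		for i := range k {
			if i < 7 {
				k[7] |= (k[i] & 1) << uint(i+1)
			}
			k[i] = k[i]&^1 | byte(1-bits.OnesCount8(k[i]&^1)%2) // odd parity
		}
		if strings.Contains(desWeakKeys, hex.EncodeToString(k)) {
			k[7] ^= 0xf0
		}
	}
	return key
}

// des3Block builds the cipher; every key here is 24 bytes, so an error is a bug.
func des3Block(key []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// dk is DK(key, constant) = random-to-key(DR(key, constant)) from RFC 3961 section 5.1
// with E = CBC under a zero IV: the constant is n-folded to one block when its size
// differs, then encrypted repeatedly, each output feeding the next, until 21 bytes exist.
func dk(key, constant []byte) []byte {
	block := des3Block(key)
	bs, prev := block.BlockSize(), constant
	if len(prev) != bs {
		prev = nfold(constant, bs)
	}
	var dr []byte
	for len(dr) < 21 {
		next := make([]byte, bs)
		block.Encrypt(next, prev) // one block under a zero IV is plain block encryption
		dr, prev = append(dr, next...), next
	}
	return des3RandomToKey(dr[:21])
}

// des3PRF is the simplified-profile PRF of RFC 3961 section 5.3: E(DK(key, "prf"),
// SHA-1(input) truncated to a multiple of the 8-byte block). The 20-byte digest
// truncates to 16 bytes, which is why this enctype's prf_length is 16.
func des3PRF(protocolKey, input []byte) []byte {
	block := des3Block(dk(protocolKey, []byte("prf")))
	h, bs := sha1.Sum(input), block.BlockSize()
	out := make([]byte, len(h)/bs*bs)
	cipher.NewCBCEncrypter(block, make([]byte, bs)).CryptBlocks(out, h[:len(out)])
	return out
}
```

dk(key, usage||0x55) with the Appendix A.3 key reproduces the published DK value, and des3PRF always returns 16 bytes.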
From edu.sachs at gmail.com Wed Apr 1 14:27:52 2009
From: edu.sachs at gmail.com (Eduardo Sachs)
Date: Wed, 1 Apr 2009 15:27:52 -0300
Subject: LDAP-Kerberos sync passwords
In-Reply-To: <49D07983.9070005@rcs-rds.ro>
References: <49D07983.9070005@rcs-rds.ro>
Message-ID: <3e7107590904011127x135777f3u2ebdecf40b535c6@mail.gmail.com>
If you use Heimdal Kerberos, you can install the overlay smbk5pwd for OpenLDAP.
It synchronizes the password for Samba and Kerberos, and
userPassword is set to the string {K5KEY}.
Yes, you need to configure your Heimdal Kerberos with the LDAP backend.
Read more in:
http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/smbk5pwd/README?rev=1.1.2.3&hideattic=0&sortbydate=1
http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch
http://eduardosachs.org/mediawiki/index.php?title=Compilando_e_configurando_o_overlay_smbk5pwd_para_Debian_Etch
Thanks!
2009/3/30 Adriana Gologaneanu :
> Hi,
>
> I'm using LDAP for authorization and Kerberos for authentication. The
> workstations are configured with pam_krb5 module.
> There is a way to sync passwords between LDAP and Kerberos? Both are on
> same machine and the passwords to ldap db are sent in MD5 via a virtual
> java machine. I can't do same with Kerberos cause there are no free java
> libraries. Also, I want to avoid ssh connection between java machine and
> LDAP/Kerberos server.
>
> Many thanks,
> Adriana
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
From bdellegrazie at hotmail.com Thu Apr 2 10:22:24 2009
From: bdellegrazie at hotmail.com (Brett Delle Grazie)
Date: Thu, 2 Apr 2009 15:22:24 +0100
Subject: Kerberos Password change over WWW
Message-ID:
Hi,
I'm using Linux, OpenLDAP and MIT Kerberos with mod_auth_kerb over SSL for
website authentication and single-sign-on.
Is there an open-source product that is secure and will permit password
changes to kerberos via the web (e.g. .cgi program or similar). I am
expecting the user to have already authenticated with their existing
username / password - this is so they can then change their current
password.
Thanks,
Brett
From cclausen at acm.org Thu Apr 2 19:32:45 2009
From: cclausen at acm.org (Christopher D. Clausen)
Date: Thu, 2 Apr 2009 18:32:45 -0500
Subject: Fw: Kerberos Password change over WWW
Message-ID: <515062CF5C9649DE9D72D29A992E113B@CDCHOME>
Brett Delle Grazie wrote:
> Is there an open-source product that is secure and will permit
> password changes to kerberos via the web (e.g. .cgi program or
> similar). I am expecting the user to have already authenticated with
> their existing username / password - this is so they can then change
> their current password.
Try kpasswd.cgi from here:
http://www.umich.edu/~umweb/software/
References: <20090401171605.3a7772ae.akisada@tahi.org>
Message-ID: <49d58cd8.0707d00a.7c60.0eff@mx.google.com>
For me, your changes look good.
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of Yukiyo Akisada
Sent: 01 April 2009 13:46
To: kerberos at mit.edu
Subject: PRF for des3-cbc-hmac-sha1-kd
Hi, all.
I may misunderstand RFC 3961,
but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
PRF on Simplified Profile as its pseudo-random function.
Now, I want to use PRF function
from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.
Krb5:
But the PRF function for ENCTYPE_DES3_CBC_SHA1 has not been
defined in .
Indeed,
I need some modification into Krb5-1.8 to export prf function from
krb5-1.6.3,
but I also need the following modification into krb5-1.6.3.
At the moment,
the following modification matches my expected behavior,
but I'm not sure whether this modification against krb5-1.6.3 is correct or
not.
Do you have any idea about this?
--- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01
17:02:56.000000000 +0900
+++ krb5-1.6.3/src/lib/crypto/etypes.c 2009-04-01 14:42:01.000000000
+0900
@@ -94,26 +94,26 @@
{ ENCTYPE_DES3_CBC_SHA1,
"des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES3_CBC_SHA1, /* alias */
"des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
&krb5int_enc_des3, &krb5int_hash_sha1,
- 8,
+ 16,
krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
krb5int_dk_string_to_key,
- NULL, /*PRF*/
+ krb5int_dk_prf, /*PRF*/
CKSUMTYPE_HMAC_SHA1_DES3 },
{ ENCTYPE_DES_HMAC_SHA1,
Regards,
--
Yukiyo Akisada
From akisada at tahi.org Sun Apr 5 20:12:59 2009
From: akisada at tahi.org (Yukiyo Akisada)
Date: Mon, 6 Apr 2009 09:12:59 +0900
Subject: PRF for des3-cbc-hmac-sha1-kd
In-Reply-To: <49d58cd8.0707d00a.7c60.0eff@mx.google.com>
References: <20090401171605.3a7772ae.akisada@tahi.org>
<49d58cd8.0707d00a.7c60.0eff@mx.google.com>
Message-ID: <20090406091259.03067280.akisada@tahi.org>
Thanks, Srinivas.
I'll post this to krb5-bugs.
Regards,
On Fri, 3 Apr 2009 09:43:10 +0530
"Srinivas Cheruku" wrote:
> For me, your changes look good.
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Yukiyo Akisada
> Sent: 01 April 2009 13:46
> To: kerberos at mit.edu
> Subject: PRF for des3-cbc-hmac-sha1-kd
>
> Hi, all.
>
> I may misunderstand RFC 3961,
> but in my understanding, des3-cbc-hmac-sha1-kd (etype=16) uses
> PRF on Simplified Profile as its pseudo-random function.
>
> Now, I want to use PRF function
> from Krb5-1.8 perl module which is based on MIT krb5-1.6.3 implementation.
>
> Krb5:
>
> But the PRF function for ENCTYPE_DES3_CBC_SHA1 has not been
> defined in .
>
> Indeed,
> I need some modification into Krb5-1.8 to export prf function from
> krb5-1.6.3,
> but I also need the following modification into krb5-1.6.3.
>
> At the moment,
> the following modification matches my expected behavior,
> but I'm not sure whether this modification against krb5-1.6.3 is correct or
> not.
>
> Do you have any idea about this?
>
> --- krb5-1.6.3/src/lib/crypto/etypes.c.orig 2009-04-01
> 17:02:56.000000000 +0900
> +++ krb5-1.6.3/src/lib/crypto/etypes.c 2009-04-01 14:42:01.000000000
> +0900
> @@ -94,26 +94,26 @@
> { ENCTYPE_DES3_CBC_SHA1,
> "des3-cbc-sha1", "Triple DES cbc mode with HMAC/sha1",
> &krb5int_enc_des3, &krb5int_hash_sha1,
> - 8,
> + 16,
> krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
> krb5int_dk_string_to_key,
> - NULL, /*PRF*/
> + krb5int_dk_prf, /*PRF*/
> CKSUMTYPE_HMAC_SHA1_DES3 },
> { ENCTYPE_DES3_CBC_SHA1, /* alias */
> "des3-hmac-sha1", "Triple DES cbc mode with HMAC/sha1",
> &krb5int_enc_des3, &krb5int_hash_sha1,
> - 8,
> + 16,
> krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
> krb5int_dk_string_to_key,
> - NULL, /*PRF*/
> + krb5int_dk_prf, /*PRF*/
> CKSUMTYPE_HMAC_SHA1_DES3 },
> { ENCTYPE_DES3_CBC_SHA1, /* alias */
> "des3-cbc-sha1-kd", "Triple DES cbc mode with HMAC/sha1",
> &krb5int_enc_des3, &krb5int_hash_sha1,
> - 8,
> + 16,
> krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt,
> krb5int_dk_string_to_key,
> - NULL, /*PRF*/
> + krb5int_dk_prf, /*PRF*/
> CKSUMTYPE_HMAC_SHA1_DES3 },
>
> { ENCTYPE_DES_HMAC_SHA1,
>
> Regards,
>
>
> --
> Yukiyo Akisada
>
>
--
Yukiyo Akisada
From adriana.gologaneanu at rcs-rds.ro Mon Apr 6 08:58:49 2009
From: adriana.gologaneanu at rcs-rds.ro (Adriana Gologaneanu)
Date: Mon, 06 Apr 2009 15:58:49 +0300
Subject: LDAP-Kerberos sync passwords
In-Reply-To: <3e7107590904011127x135777f3u2ebdecf40b535c6@mail.gmail.com>
References: <49D07983.9070005@rcs-rds.ro>
<3e7107590904011127x135777f3u2ebdecf40b535c6@mail.gmail.com>
Message-ID: <49D9FC89.4040007@rcs-rds.ro>
Hi again,
Thanks first for all your advice. I configured Heimdal Kerberos with the
smbk5pwd plugin, and it works. I have to do more tests from the java client to
be sure the passwords are syncing correctly.
There is only one small error, at Gnome login with Ubuntu10
configured as a client: "The system administrator has disabled your
account". It's the ldap account. Does it sound like a common error?
The user exists in /etc/security/access.conf too.
Regards,
Eduardo Sachs wrote:
> If you use Heimdal Kerberos, you can install the overlay smbk5pwd for OpenLDAP.
>
> It synchronizes the password for Samba and Kerberos, and
> userPassword is set to the string {K5KEY}.
>
> Yes, you need to configure your Heimdal Kerberos with the LDAP backend.
>
> Read more in:
> http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/smbk5pwd/README?rev=1.1.2.3&hideattic=0&sortbydate=1
> http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch
> http://eduardosachs.org/mediawiki/index.php?title=Compilando_e_configurando_o_overlay_smbk5pwd_para_Debian_Etch
>
> Thanks!
>
> 2009/3/30 Adriana Gologaneanu :
>
>> Hi,
>>
>> I'm using LDAP for authorization and Kerberos for authentication. The
>> workstations are configured with pam_krb5 module.
>> There is a way to sync passwords between LDAP and Kerberos? Both are on
>> same machine and the passwords to ldap db are sent in MD5 via a virtual
>> java machine. I can't do same with Kerberos cause there are no free java
>> libraries. Also, I want to avoid ssh connection between java machine and
>> LDAP/Kerberos server.
>>
>> Many thanks,
>> Adriana
>>
>>
From zarafield at sky.com Mon Apr 6 14:47:59 2009
From: zarafield at sky.com (kerbie_newbie)
Date: Mon, 6 Apr 2009 11:47:59 -0700 (PDT)
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
Message-ID: <22914739.post@talk.nabble.com>
Hi,
I'm pretty new to this so please excuse any confusion that creeps in ...
I'm hosting a perl based web service on a Linux/Apache box that is accessed
by Windows workstations. I have Kerberos 5 (MIT) wrapping a particular perl
cgi script and all works fine for users who have an Active Directory
account.
I have recently come across a user who, for some reason, had an expired TGT
ticket on his PC. I'm not sure how this happens as it looks to me like every
time you logon/logoff or lock/unlock your Windows PC, your tickets are
managed for you so you always have a valid TGT. As he is on a business PC,
I'm not sure how this happens ... anyways.
What I have been told is that all other systems in the business (that are
all hosted on Windows based servers) will automatically fail over to some
forms based or ldap authentication/ADAM if the initial Kerberos
authentication fails. I have been asked to do the same and provide a means
for non-AD and expired AD/TGT holder users to authenticate against ADAM.
As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
authtype it is pretty much Kerberos or nothing ... is this correct? I can
see no way to intercept the failure.
I think what would be needed is to combine the modules so that Kerberos is
tried first and then maybe something like mod_auth_ldap. I have googled this
to death and cannot see a standard way of doing it (and I'm not touching the
internal Kerberos module code as suggested on one site!!).
I have been told I *must* get this working.
What can I do, or is there a 'simple' explanation I can give as to why I
cannot do it?
Thanks in advance,
kerbie_newbie
--
From shahid.shaikh at in.ibm.com Tue Apr 7 04:43:55 2009
From: shahid.shaikh at in.ibm.com (Shahid M Shaikh)
Date: Tue, 7 Apr 2009 14:13:55 +0530
Subject: Samba PDC and Kerberos
Message-ID:
Hi JDSalchow,
This is with reference to your reply on kerberos mailing list
(http://mailman.mit.edu/pipermail/kerberos/2004-December/006868.html) on
the Samba PDC and Kerberos.
I am trying to make a Samba PDC in an AD (LDAP + KRB) domain.
Could you please answer a few of my queries on the same issue.
1. What's the problem with Samba 3 working as a PDC in an AD domain?
2. What has been fixed to make Samba 4 work as a PDC in an AD domain?
3. When would Samba 4 be available?
Also, it would be really helpful if you could direct me to the release notes of
Samba 4.
Thanks!
Regards,
Shahid Shaikh.
Staff Software Engineer | SoNAS - Storage Group | shahid.shaikh at in.ibm.com
| +91-20-2690-1651
From adriana.gologaneanu at rcs-rds.ro Tue Apr 7 10:15:35 2009
From: adriana.gologaneanu at rcs-rds.ro (Adriana Gologaneanu)
Date: Tue, 07 Apr 2009 17:15:35 +0300
Subject: LDAP-Kerberos sync passwords
In-Reply-To: <49D9FC89.4040007@rcs-rds.ro>
References: <49D07983.9070005@rcs-rds.ro> <3e7107590904011127x135777f3u2ebdecf40b535c6@mail.gmail.com>
<49D9FC89.4040007@rcs-rds.ro>
Message-ID: <49DB6007.7020208@rcs-rds.ro>
The issue with Ubuntu client it's fixed. I have added a login shell for
users instead of "/bin/false".
Thanks!
Adriana Gologaneanu wrote:
> Hi again,
>
> Thanks first for all your advice. I configured Heimdal Kerberos with the
> smbk5pwd plugin, and it works. I have to do more tests from the java client to
> be sure the passwords are syncing correctly.
>
> There is only one small error, at Gnome login with Ubuntu10
> configured as a client: "The system administrator has disabled your
> account". It's the ldap account. Does it sound like a common error?
> The user exists in /etc/security/access.conf too.
>
> Regards,
>
>
> Eduardo Sachs wrote:
>
>> If you use Heimdal Kerberos, you can install the overlay smbk5pwd for OpenLDAP.
>>
>> It synchronizes the password for Samba and Kerberos, and
>> userPassword is set to the string {K5KEY}.
>>
>> Yes, you need to configure your Heimdal Kerberos with the LDAP backend.
>>
>> Read more in:
>> http://www.openldap.org/devel//cvsweb.cgi/~checkout~/contrib/slapd-modules/smbk5pwd/README?rev=1.1.2.3&hideattic=0&sortbydate=1
>> http://eduardosachs.org/mediawiki/index.php?title=Heimdal_Kerberos_%2B_Samba_PDC_%2B_OpenLDAP_%2B_Squid_no_Debian_Etch
>> http://eduardosachs.org/mediawiki/index.php?title=Compilando_e_configurando_o_overlay_smbk5pwd_para_Debian_Etch
>>
>> Thanks!
>>
>> 2009/3/30 Adriana Gologaneanu :
>>
>>
>>> Hi,
>>>
>>> I'm using LDAP for authorization and Kerberos for authentication. The
>>> workstations are configured with pam_krb5 module.
>>> There is a way to sync passwords between LDAP and Kerberos? Both are on
>>> same machine and the passwords to ldap db are sent in MD5 via a virtual
>>> java machine. I can't do same with Kerberos cause there are no free java
>>> libraries. Also, I want to avoid ssh connection between java machine and
>>> LDAP/Kerberos server.
>>>
>>> Many thanks,
>>> Adriana
>>>
>>>
>>>
>
>
From ssorce at redhat.com Tue Apr 7 11:10:38 2009
From: ssorce at redhat.com (Simo Sorce)
Date: Tue, 07 Apr 2009 11:10:38 -0400
Subject: Samba PDC and Kerberos
In-Reply-To:
References:
Message-ID: <1239117038.26768.0.camel@localhost.localdomain>
On Tue, 2009-04-07 at 14:13 +0530, Shahid M Shaikh wrote:
> Hi JDSalchow,
>
> This is with reference to your reply on kerberos mailing list
> (http://mailman.mit.edu/pipermail/kerberos/2004-December/006868.html) on
> the Samba PDC and Kerberos.
>
> I am trying to make a Samba PDC in an AD (LDAP + KRB) domain.
>
> Could you please answer a few of my queries on the same issue.
> 1. What's the problem with Samba 3 working as a PDC in an AD domain?
> 2. What has been fixed to make Samba 4 work as a PDC in an AD domain?
> 3. When would Samba 4 be available?
>
> Also, it would be really helpful if you could direct me to the release notes of
> Samba 4.
I think you should ask these questions on the samba at samba.org list.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From dkelson at gurulabs.com Tue Apr 7 11:50:26 2009
From: dkelson at gurulabs.com (Dax Kelson)
Date: Tue, 07 Apr 2009 09:50:26 -0600
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
In-Reply-To: <22914739.post@talk.nabble.com>
References: <22914739.post@talk.nabble.com>
Message-ID: <1239119426.5453.8.camel@mentor.gurulabs.com>
On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
> authtype it is pretty much Kerberos or nothing ... is this correct? I can
> see no way to intercept the failure.
This is not correct. What you want are these two directives:
KrbMethodNegotiate On
KrbMethodK5Passwd On
The second directive gives you fallback to interactive password
prompting if the user doesn't have a valid TGT.
Dax Kelson
Guru Labs
From fmendez at qualitytech.com Tue Apr 7 12:09:13 2009
From: fmendez at qualitytech.com (Mendez, Franklyn)
Date: Tue, 7 Apr 2009 12:09:13 -0400
Subject: kpasswd: Authentication error: Failed reading application request
In-Reply-To: <1239117038.26768.0.camel@localhost.localdomain>
References:
<1239117038.26768.0.camel@localhost.localdomain>
Message-ID: <5888FCB767AD5F41A65DC0DCFE91C9210EC40DF4@EDC-SUW-EXCH.edeltacom.biz>
Need assistance solving this issue.
My Kerberos users can't change their password by running kpasswd userid.
The client users can successfully login with their accounts. They can
run kinit to acquire a token, but even though they do, they can't change
their password.
The client is configured to use PAM.
Password for user at DOMAININT.COM:
Enter new password:
Enter it again:
Authentication error: Failed reading application request
On the Server's side I do see the client trying to change the user's
password but no more detail:
Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18
3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16
ses=16}, user at DOMAININT.COM for kadmin/changepw at DOMAININT.COM
Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18
3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16
ses=16}, user at DOMAININT.COM for kadmin/changepw at DOMAININT.COM
Any ideas?
Thanks all,
From tlyu at MIT.EDU Tue Apr 7 14:10:25 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 07 Apr 2009 14:10:25 -0400
Subject: MITKRB5-SA-2009-002: ASN.1 decoder frees uninitialized pointer [CVE-2009-0846]
Message-ID:
MITKRB5-SA-2009-002
MIT krb5 Security Advisory 2009-002
Original release: 2009-04-07
Last update: 2009-04-07
Topic: ASN.1 decoder frees uninitialized pointer
[CVE-2009-0846]
ASN.1 GeneralizedTime decoder can free uninitialized pointer
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 10
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 7.8
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
[CVE-2009-0846]
An ASN.1 decoder can free an uninitialized pointer when decoding an
invalid encoding. This can cause a Kerberos application to crash, or,
under theoretically possible but unlikely circumstances, execute
arbitrary malicious code. No exploit is known to exist that would
cause arbitrary code execution.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
IMPACT
======
[CVE-2009-0846] An unauthenticated, remote attacker could cause a
Kerberos application, including the Kerberos administration daemon
(kadmind) or the KDC to crash, and possibly to execute arbitrary code.
Compromise of the KDC or kadmind can compromise the Kerberos key
database and host security on the KDC host. (The KDC and kadmind
typically run as root.) We believe this scenario is highly unlikely,
given the details of the vulnerability.
Third-party applications using MIT krb5 may also be vulnerable.
MITIGATING FACTORS
==================
While it is theoretically possible for an attacker to execute
arbitrary code by exploiting this vulnerability, it is believed to be
more difficult than exploiting other sorts of memory management flaws
such as double-free or heap buffer overflow events. Also, in order to
exploit this vulnerability to remotely execute code, an attacker must
ensure that the uninitialized pointer points to valid address space,
otherwise a null-dereference crash will typically occur.
Some operating systems have hardened malloc implementations that are
not susceptible to this problem. These operating systems are still
vulnerable to a denial of service if the uninitialized pointer points
to invalid address space.
AFFECTED SOFTWARE
=================
* All MIT krb5 releases
* Third-party software using the krb5 library from MIT krb5 releases
FIXES
=====
* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
this vulnerability.
* Apply the patch
diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index aa4be32..5f7461d 100644
- --- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
if(length != 15) return ASN1_BAD_LENGTH;
retval = asn1buf_remove_charstring(buf,15,&s);
+ if (retval) return retval;
/* Time encoding: YYYYMMDDhhmmssZ */
if(s[14] != 'Z') {
free(s);
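Review bot: the added early return is the right fix, since when asn1buf_remove_charstring fails s has never been assigned and the existing 'Z' check below would otherwise free that indeterminate pointer. Two follow-ups: initialize s to NULL at its declaration (outside this hunk) so that any future early-exit path after the length check cannot reintroduce a free of an uninitialized pointer, and note that the "- ---" file header is PGP clear-signature dash escaping, not part of the diff; apply the unsigned patch from the .txt URL or strip the leading "- " first, or patch will reject the file header.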
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 0ff9343..1c427d1 100644
- --- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -485,6 +485,22 @@ int main(argc, argv)
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing");
+ exit(1);
+ }
+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
+ if (retval != ASN1_OVERRUN) {
+ printf("ERROR: ");
+ } else {
+ printf("OK: ");
+ }
+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+ krb5_free_data_contents(test_context, &code);
+ krb5_free_ap_rep_enc_part(test_context, var);
+
ktest_empty_ap_rep_enc_part(&ref);
}
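Review bot: the negative test does not fail the run: a regression prints "ERROR: " and continues, and the exit status is unaffected, so exit non-zero when retval != ASN1_OVERRUN, as the parse-failure branch just above already does. Also, krb5_free_ap_rep_enc_part(test_context, var) is called after a decode that is expected to fail; var's initialization is not visible in this hunk, so make sure the decoder leaves *var NULL on error or set var = NULL before the call, otherwise the test itself frees an indeterminate pointer. The crafted encoding is sound: the outer lengths 0x06 and 0x04 are shorter than the [0] element (0xA0 0x11) they contain, so the decoder must report ASN1_OVERRUN before it reaches the timestamp.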
This patch is also available at
http://web.mit.edu/kerberos/advisories/2009-002-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2009-002-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-002.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2009-0846
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0846
CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091
CONTACT
=======
The MIT Kerberos Team security contact address is
. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid MIT Kerberos Team Security Contact
DETAILS
=======
The asn1_decode_generaltime() function, which decodes DER encodings of
the ASN.1 type "GeneralizedTime", can free an uninitialized pointer.
This can cause a Kerberos application to crash, or, under
theoretically possible but unlikely circumstances, execute arbitrary
malicious code. No exploit is known to exist that would cause
arbitrary code execution.
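As an added example (not the advisory's or MIT's code), a Go walker that decodes the [0] ctime GeneralizedTime from the two EncAPRepPart encodings in the test hunk above, checking every length against its enclosing element before any slice is taken, so the shortened encoding is rejected as an overrun instead of being read past its end; the function, constant and error names are this example's own.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrOverrun is returned when an encoded length runs past the bytes that are
// actually available, the condition the advisory's test expects as ASN1_OVERRUN.
var ErrOverrun = errors.New("asn1: length exceeds enclosing element")

// The two encodings from the advisory's test hunk: a valid EncAPRepPart, and the
// same bytes with the outer lengths shortened to 6 and 4.
const (
	goodEncAPRepPart = "7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"
	badEncAPRepPart  = "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"
)

// readTLV reads one DER element with a single-byte tag and a short or long-form
// length, returning its tag, contents and the bytes after it. Each length is
// compared with what remains before any slice is taken, so a bad length is an
// error rather than a read past the end of the buffer.
func readTLV(buf []byte) (tag byte, val, rest []byte, err error) {
	if len(buf) < 2 {
		return 0, nil, nil, ErrOverrun
	}
	tag, n, i := buf[0], int(buf[1]), 2
	if n&0x80 != 0 { // long form: the low 7 bits count the length octets
		k := n & 0x7f
		if k == 0 || k > 4 || len(buf) < 2+k { // indefinite length is not DER
			return 0, nil, nil, ErrOverrun
		}
		n = 0
		for ; i < 2+k; i++ {
			n = n<<8 | int(buf[i])
		}
	}
	if n > len(buf)-i {
		return 0, nil, nil, ErrOverrun
	}
	return tag, buf[i : i+n], buf[i+n:], nil
}

// decodeGeneralizedTime accepts only the 15-byte YYYYMMDDhhmmssZ form that
// Kerberos uses, the same shape check the C decoder makes after reading 15 bytes.
func decodeGeneralizedTime(val []byte) (time.Time, error) {
	if len(val) != 15 || val[14] != 'Z' {
		return time.Time{}, errors.New("asn1: GeneralizedTime is not YYYYMMDDhhmmssZ")
	}
	return time.Parse("20060102150405Z", string(val))
}

// ctime descends APPLICATION 27 / SEQUENCE / [0] to the ctime GeneralizedTime of
// an EncAPRepPart, stopping with ErrOverrun as soon as an inner length does not fit.
func ctime(der []byte) (time.Time, error) {
	for _, want := range []byte{0x7b, 0x30, 0xa0} {
		tag, val, _, err := readTLV(der)
		if err != nil {
			return time.Time{}, err
		}
		if tag != want {
			return time.Time{}, fmt.Errorf("asn1: expected tag %#x, got %#x", want, tag)
		}
		der = val
	}
	tag, val, _, err := readTLV(der)
	if err != nil {
		return time.Time{}, err
	}
	if tag != 0x18 {
		return time.Time{}, fmt.Errorf("asn1: expected GeneralizedTime, got tag %#x", tag)
	}
	return decodeGeneralizedTime(val)
}

// fromHex turns the space-separated hex used in the test hunk into bytes.
func fromHex(s string) []byte {
	b, err := hex.DecodeString(strings.ReplaceAll(s, " ", ""))
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	for _, enc := range []string{goodEncAPRepPart, badEncAPRepPart} {
		t, err := ctime(fromHex(enc))
		fmt.Printf("%.23s...: ctime=%v err=%v\n", enc, t, err)
	}
}
```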
REVISION HISTORY
================
2009-04-07 original release
Copyright (C) 2009 Massachusetts Institute of Technology
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
From tlyu at MIT.EDU Tue Apr 7 14:10:18 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 07 Apr 2009 14:10:18 -0400
Subject: MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847]
Message-ID:
MITKRB5-SA-2009-001
MIT krb5 Security Advisory 2009-001
Original release: 2009-04-07
Last update: 2009-04-07
Topic: multiple vulnerabilities in SPNEGO, ASN.1 decoder
[CVE-2009-0844]
SPNEGO implementation can read beyond buffer end
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 8.5
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.7
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
[CVE-2009-0845]
SPNEGO implementation can dereference a null pointer
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
CVSSv2 Temporal Score: 6.1
[CVE-2009-0847]
ASN.1 decoder incorrect length validation
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
CVSSv2 Temporal Score: 6.1
See DETAILS for the expanded CVSSv2 metrics for CVE-2009-0845 and
CVE-2009-0847.
SUMMARY
=======
These are implementation vulnerabilities in MIT krb5, and not
vulnerabilities in the Kerberos protocol.
[CVE-2009-0844]
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read
beyond the end of a network input buffer. This can cause a GSS-API
application to crash by reading from invalid address space. Under
theoretically possible but very unlikely conditions, a small
information leak may occur. We believe that no successful exploit
exists that could induce an information leak.
[CVE-2009-0845]
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can
dereference a null pointer under error conditions. This can cause a
GSS-API application to crash. This vulnerability was previously
publicly disclosed.
[CVE-2009-0847]
MIT krb5 can perform an incorrect length check inside an ASN.1
decoder. This only presents a problem in the PK-INIT code paths. In
the MIT krb5 KDC or kinit program, this could lead to spurious
malloc() failures or, under some conditions, a program crash. We have
heard reports of the spurious malloc() failures, but nobody has yet
publicly made the connection to a security issue.
IMPACT
======
[CVE-2009-0844] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash. Under extremely unlikely conditions, there may be
a theoretical possibility of a small information disclosure.
[CVE-2009-0845] An unauthenticated, remote attacker could cause a
GSS-API application, including the Kerberos administration daemon
(kadmind) to crash.
[CVE-2009-0847] An unauthenticated, remote attacker could cause a KDC
or kinit program to crash.
AFFECTED SOFTWARE
=================
[CVE-2009-0844 CVE-2009-0845]
* kadmind in MIT releases krb5-1.5 and later
* FTP daemon in MIT releases krb5-1.5 and later
* Third-party software using the GSS-API library from MIT krb5
releases krb5-1.5 and later
* MIT releases prior to krb5-1.5 did not contain the vulnerable code.
[CVE-2009-0847]
* The kinit program and the KDC from MIT krb5 release krb5-1.6.3.
Prior releases contained the vulnerable code, but the vulnerability
was masked due to operations performed by other code.
FIXES
=====
* The upcoming krb5-1.7 and krb5-1.6.4 releases will contain fixes for
these vulnerabilities.
* Apply the patch, available at
http://web.mit.edu/kerberos/advisories/2009-001-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2009-001-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2009-0844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0844
CVE: CVE-2009-0845
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0845
CVE: CVE-2009-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0847
CERT: VU#662091
http://www.kb.cert.org/vuls/id/662091
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6402
ACKNOWLEDGMENTS
===============
CVE-2009-0844 was discovered by Product Security at Apple, Inc. We
thank Apple and Sun for suggesting improvements to the patches.
CONTACT
=======
The MIT Kerberos Team security contact address is
. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/D9058C24 2009-01-26 [expires: 2010-02-01]
uid MIT Kerberos Team Security Contact
DETAILS
=======
[CVE-2009-0844]
The get_input_token() function in the SPNEGO implementation can read
beyond the end of a network input buffer. A length encoding that
decodes to a value exceeding the number of remaining bytes in the
input buffer will cause the function to copy memory past the end of
the input buffer.
[CVE-2009-0845]
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.1
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
The spnego_gss_accept_sec_context() function in the GSS-API SPNEGO
implementation can dereference a null pointer under error conditions.
Cleanup code in this function can call the helper function
make_spnego_tokenTarg_msg() without first confirming that the value of
the "sc" variable is not null, thus causing a null pointer
dereference.
[CVE-2009-0847]
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 7.8
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 6.1
Exploitability: Proof-of-Concept
Remediation Level: Official Fix
Report Confidence: Confirmed
The asn1buf_imbed() function incorrectly checks lengths by comparing
pointers after performing pointer arithmetic using an unchecked input
length. In addition, the functions asn1buf_remove_charstring() and
asn1buf_remove_octetstring() rely on an invariant that is violated
when asn1buf_imbed() incorrectly validates lengths, performing pointer
arithmetic using the invalid length. Consequently, malloc() receives
a very large number as its argument. If the malloc() call somehow
succeeds, the copy from the input buffer is likely to cross unmapped
address space, causing a crash.
Prior to the implementation of PK-INIT, the vulnerability was masked
because no ASN.1 decoder used asn1buf_remove_charstring() or
asn1buf_remove_octetstring() immediately following the use of
asn1buf_imbed(). Protocol elements of PK-INIT require this sequence
of calls in the decoder, unmasking the latent vulnerability.
REVISION HISTORY
================
2009-04-07 original release
Copyright (C) 2009 Massachusetts Institute of Technology
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
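The DETAILS section describes the same defect twice: a length taken from the input is used in pointer arithmetic before anyone checks it against the bytes actually remaining (asn1buf_imbed() for CVE-2009-0847, get_input_token() for CVE-2009-0844). The following is an added illustration of the hardened check, not MIT krb5's asn1buf code; the asn1buf_t layout, the function names and the DER samples are constructed for this example.

```c
/* Added illustration of the length-check pattern described for CVE-2009-0847.
 * Not MIT krb5 code: asn1buf_t, the function names and the samples are made up. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const unsigned char *next;  /* next byte to consume */
    const unsigned char *end;   /* one past the last valid byte */
} asn1buf_t;

/* Bytes still readable: subtracting two pointers into the same object is
 * well defined, unlike adding an unchecked length to a pointer. */
static size_t asn1buf_remaining(const asn1buf_t *buf)
{
    return (size_t)(buf->end - buf->next);
}

/* Sub-buffer over the next `length` bytes.  The flawed pattern forms
 * `buf->next + length` first and then compares pointers; a huge length
 * wraps the sum, the check passes and later copies run off the buffer.
 * Hardened: compare the length with the bytes remaining before any arithmetic. */
static int asn1buf_imbed_checked(asn1buf_t *sub, const asn1buf_t *buf,
                                 size_t length)
{
    if (length > asn1buf_remaining(buf))
        return -1;                       /* overrun: reject the element */
    sub->next = buf->next;
    sub->end  = buf->next + length;      /* now known to stay in bounds */
    return 0;
}

/* Copy `length` bytes into a fresh allocation, re-checking the bound here
 * rather than trusting the caller, so malloc() never sees a bogus length. */
static int asn1buf_remove_octetstring_checked(asn1buf_t *buf, size_t length,
                                              unsigned char **out)
{
    if (length > asn1buf_remaining(buf))
        return -1;
    unsigned char *p = malloc(length ? length : 1);
    if (p == NULL)
        return -2;
    memcpy(p, buf->next, length);
    buf->next += length;
    *out = p;
    return 0;
}

/* DER length: short form (< 0x80) or long form with up to sizeof(size_t)
 * bytes.  Indefinite (0x80) and oversized encodings are rejected, not wrapped. */
static int der_read_length(asn1buf_t *buf, size_t *length)
{
    if (asn1buf_remaining(buf) < 1)
        return -1;
    unsigned char b = *buf->next++;
    if (b < 0x80) {
        *length = b;
        return 0;
    }
    size_t n = b & 0x7f;
    if (n == 0 || n > sizeof(size_t) || asn1buf_remaining(buf) < n)
        return -1;
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | *buf->next++;
    *length = v;
    return 0;
}

/* Parse one OCTET STRING TLV (tag 0x04): on success *out is a malloc'd copy
 * of the contents and *outlen its length; any overrun returns -1. */
int parse_octet_string(const unsigned char *data, size_t datalen,
                       unsigned char **out, size_t *outlen)
{
    asn1buf_t buf = { data, data + datalen }, sub;
    size_t len;
    if (asn1buf_remaining(&buf) < 1 || *buf.next++ != 0x04) return -1;
    if (der_read_length(&buf, &len) != 0) return -1;
    if (asn1buf_imbed_checked(&sub, &buf, len) != 0) return -1;
    if (asn1buf_remove_octetstring_checked(&sub, len, out) != 0) return -1;
    *outlen = len;
    return 0;
}

/* Constructed samples: a valid 3-byte string, and one whose length field
 * claims 0xffffffff bytes while only 3 follow. */
const unsigned char sample_good[] = { 0x04, 0x03, 'a', 'b', 'c' };
const unsigned char sample_bad[]  = { 0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c' };

int main(void)
{
    unsigned char *s; size_t n;
    printf("good: %d\n", parse_octet_string(sample_good, sizeof sample_good, &s, &n));
    free(s);
    printf("bad:  %d\n", parse_octet_string(sample_bad, sizeof sample_bad, &s, &n));
    return 0;
}
```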
From javiplx at gmail.com Tue Apr 7 15:30:25 2009
From: javiplx at gmail.com (Javier Palacios)
Date: Tue, 7 Apr 2009 21:30:25 +0200
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to
be???
In-Reply-To: <1239119426.5453.8.camel@mentor.gurulabs.com>
References: <22914739.post@talk.nabble.com>
<1239119426.5453.8.camel@mentor.gurulabs.com>
Message-ID:
On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson wrote:
> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>
>> As far as I can tell, when using mod_auth_kerb and selecting kerberos as the
>> authtype it is pretty much Kerberos or nothing ... is this correct? I can
>> see no way to intercept the failure.
>
> This is not correct. What you want are these two directives:
>
> KrbMethodNegotiate On
> KrbMethodK5Passwd On
If I remember right, there is a directive called something like authoritative.
I never used it, but it is used to pass authentication to other
modules (again, if I remember well).
That is exactly what you need, so instead of enabling password
authentication, you need to stack the ldap authentication also, and
let it proceed if negotiate fails.
Anyway, take into account that both fallbacks require a secure server,
which is not the case for credential based authentication.
Javier Palacios
From zarafield at sky.com Tue Apr 7 17:05:43 2009
From: zarafield at sky.com (kerbie_newbie)
Date: Tue, 7 Apr 2009 14:05:43 -0700 (PDT)
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to
be???
In-Reply-To:
References: <22914739.post@talk.nabble.com>
<1239119426.5453.8.camel@mentor.gurulabs.com>
Message-ID: <22938291.post@talk.nabble.com>
Thanks for the responses ... still a little confused though. In another
thread I've read
"
Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
...
At least in Apache 2.0, it is extremely difficult in Apache to get two
authentication modules to co-exist; Apache by and large considers any
particular portion of the URL space to be protected by only one
authentication scheme (possibly combined with IP address restrictions).
This is partly a limitation of Apache (particularly the configuration
syntax) and partly related to difficulties in the HTTP protocol (you can't
easily negotiate and attempt multiple authentication protocols in turn).
However, that being said, mod_auth_kerb does support:
KrbDelegateBasic on | off (set to off by default)
If set to 'on', this option causes Basic authentication to always be
offered regardless of the setting of the KrbMethodK[45]Pass directives. Then, if
a Basic authentication header arrives, the authentication decision is passed
along to other modules. This option is a work-around for the insufficient
authentication scheme in Apache (Apache 2.1 seems to provide better support
for multiple various authentication mechanisms).
The trick is that for this to work properly, mod_auth_kerb needs to go
first and then the other authentication module needs to follow
afterwards in the processing stack. That's something that modules can
control in their own C code to some extent, but I don't know how you'd
control this from outside without making code modifications."
...
"
Also, my server is not secure so Basic Authentication (which by my reckoning
does not authenticate against AD) is not an option.
Thanks again.
--
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938291.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
From neelsmail at rediffmail.com Tue Apr 7 09:10:12 2009
From: neelsmail at rediffmail.com (neelsmail@rediffmail.com)
Date: Tue, 7 Apr 2009 06:10:12 -0700 (PDT)
Subject: Linux Daemons and Kerberos Tickets
Message-ID:
Hi,
I wanted to know whether there are any recommendations regarding
following scenario:
- In order for Linux daemons to run in the Kerberos/Active Directory
users' context, a (krbtgt) ticket is needed and is fetched by kinit.
- But this ticket is usually valid only for some time, depending on user
configuration, and it needs to be renewed.
Is there a recommended way of renewing/getting new ticket for the
user?
One of the ways suggested to me was to run kinit externally as a cron job
for every user you want, every n hours. But that seems dangerous to me.
Putting kinit call to .bashrc sounds good to me but that will fetch
ticket only for default duration. Is there a better way? Or how do
admins do it usually?
Thanks in advance,
-Neel.
From zarafield at sky.com Tue Apr 7 17:28:51 2009
From: zarafield at sky.com (kerbie_newbie)
Date: Tue, 7 Apr 2009 14:28:51 -0700 (PDT)
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to
be???
In-Reply-To: <22938291.post@talk.nabble.com>
References: <22914739.post@talk.nabble.com>
<1239119426.5453.8.camel@mentor.gurulabs.com>
<22938291.post@talk.nabble.com>
Message-ID: <22938708.post@talk.nabble.com>
Actually, since you say
>>Anyway, take into account that both fallbacks require a secure server,
>>which is not the case for credential based authentication.
you mean that I would need to have some local storage (on my Linux box) of
all user ids or some sort of synchronization with Active Directory? (... or
have I misunderstood?). There are more than 50,000 users ...
Thanks again
From cclausen at acm.org Tue Apr 7 20:00:23 2009
From: cclausen at acm.org (Christopher D. Clausen)
Date: Tue, 7 Apr 2009 19:00:23 -0500
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
References: <22914739.post@talk.nabble.com><1239119426.5453.8.camel@mentor.gurulabs.com>
<22938291.post@talk.nabble.com>
Message-ID: <498566843A7B4F1E9F5674B926D88BFD@CDCHOME>
kerbie_newbie wrote:
> At least in Apache 2.0, it is extremely difficult in Apache to get two
> authentication modules to co-exist; Apache by and large considers any
> particular portion of the URL space to be protected by only one
> authentication scheme (possibly combined with IP address
> restrictions). This is partly a limitation of Apache (particularly
> the configuration syntax) and partly related to difficulties in the
> HTTP protocol (you can't easily negotiate and attempt multiple
> authentication protocols in turn).
from:
http://modauthkerb.sourceforge.net/configure.html
KrbAuthoritative off
will allow you to pass to authn/authz to another module.
I've used a module that verifies against OpenAFS PTS groups and I assume
LDAP works the same way.
References:
Message-ID:
On Fri, 6 Mar 2009, Ken Raeburn wrote:
> On Mar 6, 2009, at 13:43, petesea at bigfoot.com wrote:
>
>> Is there any way to determine the version of kinit or klist?
>
> I'm afraid not, aside from the krb5-config option you noted.
>
> It's still in our bug database, but hasn't gotten any attention yet. :-(
> (I knew it had been reported, but took me a little digging to discover
> that the bug report was, in fact, from you, back in 2006...)
>
> Annoyingly, our argument parsing setup doesn't handle long options on
> most platforms, and both the 'v' and 'V' one-letter options of kinit are
> in use currently. But it looks like klist doesn't have a either option
> yet....
Thanks Ken, that will be very helpful.
With regards to kinit, what about adding the version as part of the
"verbose" output with the -V option? That's certainly not unheard of;
OpenSSH prints the client version with its verbose output. And... from
what I can tell, the -V option isn't really all that useful anyway. The
only thing I've ever seen it print is:
Authenticated to Kerberos v5
after a successful authentication.
And speaking of the -V option... are there any plans (or could there be
plans) to improve the -V output? Something that would really be helpful
when trying to debug problems would be to show the KDC it's trying to
access.
From john.hefferman at cern.ch Wed Apr 8 05:52:45 2009
From: john.hefferman at cern.ch (John Hefferman)
Date: Wed, 8 Apr 2009 11:52:45 +0200
Subject: Acquiring a TGT for a host/ principal using Active Directory
References: <86h6a6-fm4.ln1@nb2.stroeder.com>
<49D1C28A.6030904@rcs-rds.ro>
Message-ID: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
Dear All,
I'm not sure if this is the correct place to ask this question - it
involves the MIT kinit program, but also Active Directory as the KDC
(Server 2008).
The problem I am experiencing is that I can't seem to 'kinit -k' using
an SPN of an instance type such as host/ when using an AD domain
controller.
The procedure is as follows:
- I create a new account in active directory, such as 'computerA'
- I run ktpass (or msktutil) to associate a host/ principal name with
this account (host/computerA.fqdn at REALM) and create a keytab
- I securely transfer this keytab to the Linux computer (if msktutil was
not used)
- I run kinit -kt computerA.keytab host/computerA.fqdn at REALM
Kinit returns: kinit(v5): Client not found in Kerberos database while
getting initial credentials
Some additional information:
- Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
-pass +rndPass -out computerA.keytab
- Name specified through -princ argument is definitely associated with
computerA (checked in computerA's attribute list)
- kvno works against host/computerA.fqdn at REALM
- computerA.keytab contains key and principal name specified through
-princ
- when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
event viewer logs (on the Domain Controller) shows the 'Account Name'
that is attempting to acquire the TGT as 'host', instead of
host/.... at ... It appears to omit anything that comes after the forward
slash.
- I've tried ktpass with all encryption types - same result.
- Same result with user or computer objects in AD.
- Same result when both -ptype's are specified when running ktpass
Just wondering if anyone had had any experience with TGT acquisition and
principal names containing forward slashes. No problem if this is the
wrong place to ask. Maybe it's not even possible to do this with AD, but
I doubt that's the case.
Thanks in advance for any help,
John
From srinivas.cheruku at gmail.com Wed Apr 8 06:19:30 2009
From: srinivas.cheruku at gmail.com (Srinivas Cheruku)
Date: Wed, 8 Apr 2009 15:49:30 +0530
Subject: Acquiring a TGT for a host/ principal using Active Directory
In-Reply-To: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
References: <86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
Message-ID: <49dc7a35.28d7720a.4a4f.0330@mx.google.com>
Use "-ptype KRB5_NT_PRINCIPAL" with ktpass along with other options.
e.g.
- Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
-pass +rndPass -ptype KRB5_NT_PRINCIPAL -out computerA.keytab
From john.hefferman at cern.ch Wed Apr 8 08:11:08 2009
From: john.hefferman at cern.ch (John Hefferman)
Date: Wed, 8 Apr 2009 14:11:08 +0200
Subject: Acquiring a TGT for a host/ principal using Active Directory
In-Reply-To: <49dc7a35.28d7720a.4a4f.0330@mx.google.com>
References: <86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
<49dc7a35.28d7720a.4a4f.0330@mx.google.com>
Message-ID: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F8@cernxchg42.cern.ch>
Hi,
Thanks very much for the reply, but using the KRB5_NT_PRINCIPAL
principal type does not seem to have an effect.
I still get the message 'kinit(v5): Client not found in Kerberos
database while getting initial credentials' when running kinit -kt
computerA.keytab host/computerA.fqdn at REALM.
Thanks,
John
From ls.niks at gmail.com Wed Apr 8 08:21:46 2009
From: ls.niks at gmail.com (Nikhil Mishra)
Date: Wed, 8 Apr 2009 17:51:46 +0530
Subject: Acquiring a TGT for a host/ principal using Active Directory
In-Reply-To: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F8@cernxchg42.cern.ch>
References:
<86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
<49dc7a35.28d7720a.4a4f.0330@mx.google.com>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F8@cernxchg42.cern.ch>
Message-ID: <35dad1db0904080521r261bdbe3g95aa65172fabb34@mail.gmail.com>
In my experience there can be two possible reasons for it.
1. The Windows server version (enterprise edition, SP version) and the support
tools version are incompatible.
This is the case most of the time. Ktpass corrupts the mapping on
service accounts if they are not the correct ones.
Please use updated enterprise editions and support tools for SP2 and try
this again.
2. Windows Server 2008 does not support SPNs by default for TGT.
There is a patch available though.
Thanks
Nikhil
From res at qoxp.net Tue Apr 7 22:27:45 2009
From: res at qoxp.net (Richard E. Silverman)
Date: Tue, 07 Apr 2009 22:27:45 -0400
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to
be???
References: <22914739.post@talk.nabble.com>
<1239119426.5453.8.camel@mentor.gurulabs.com>
<22938291.post@talk.nabble.com>
Message-ID:
kn> Actually, since you say
>>> Anyway, take into account that both fallbacks require a secure
>>> server, which is not the case for credential based authentication.
kn> you mean that I would need to have some local storage (on my Linux
kn> box) of all user ids or some sort of synchronization with Active
kn> Directory? (... or have I misunderstood?). There are more than
kn> 50,000 users ...
No; mod_auth_kerb will do the equivalent of kinit to validate the user's
password (as well as an anti-spoof check on the KDC).
- Richard
kn> Thanks again
kn> kerbie_newbie wrote:
>>
> Thanks for the responses ... still a little confused though. In another
>> thread I've read
>>
>> " Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
>>
>> ...
>>
>> At least in Apache 2.0, it is extremely difficult in Apache to get
>> two authentication modules to co-exist; Apache by and large
>> considers any particular portion of the URL space to be protected
>> by only one authentication scheme (possibly combined with IP
>> address restrictions). This is partly a limitation of Apache
>> (particularly the configuration syntax) and partly related to
>> difficulties in the HTTP protocol (you can't easily negotiate and
>> attempt multiple authentication protocols in turn).
>>
>> However, that being said, mod_auth_kerb does support:
>>
>> KrbDelegateBasic on | off (set to off by default) If set to 'on'
>> this options causes that Basic authentication is always offered
>> regardless setting the KrbMethodK[45]Pass directives. Then, if a
>> Basic authentication header arrives authentication decision is
>> passed along to another modules. This option is a work-around for
>> insufficient authentication scheme in Apache (Apache 2.1 seems to
>> provide better support for multiple various authentication
>> mechanisms).
>>
>> The trick is that for this to work properly, mod_auth_kerb needs to
>> go first and then the other authentication module needs to follow
>> afterwards in the processing stack. That's something that modules
>> can control in their own C code to some extent, but I don't know
>> how you'd control this from outside without making code
>> modifications."
>>
>> ... "
>>
>> Also, my server is not secure so Basic Authentication (which by my
>> reckoning does not authenticate against AD) is not an option.
>>
>> Thanks again.
>>
>>
>> Javier Palacios-2 wrote:
>>>
>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson wrote:
>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>
>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos
>>>> as the
>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I
>>>> can
>>>> see no way to intercept the failure.
>>>
>>> This is not correct. What you want are these two directives:
>>>
>>> KrbMethodNegotiate On
>>> KrbMethodK5Passwd On
>>
>> If I remember right, there is a directive called something like
>> authoritative.
>> I never used it, but it is used to pass authentication to other
>> modules (again, if I remember well).
>> That is exactly what you need, so instead of enabling password
>> authentication, you need to stack the ldap authentication also, and
>> let it proceed if negotiate fails.
>>
>> Anyway, take into account that both fallbacks require a secure server,
>> which is not the case for credential based authentication.
>>
>> Javier Palacios
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
--
Richard Silverman
res at qoxp.net
From res at qoxp.net Wed Apr 8 02:04:06 2009
From: res at qoxp.net (Richard E. Silverman)
Date: Wed, 08 Apr 2009 02:04:06 -0400
Subject: Linux Daemons and Kerberos Tickets
References:
Message-ID:
>>>>> "NS" == neelsmail writes:
NS> Hi, I wanted to know whether there are any recommendations
NS> regarding following scenario:
NS> - In order for Linux daemons to be running in kerberos/Active
NS> Directory users' context, a (krbtgt) ticket is needed and is
NS> fetched by kinit. - But this ticket is usually valid for some
NS> time depending on user configuration and it needs to be renewed.
NS> Is there a recommended way of renewing/getting new ticket for the
NS> user?
Yes. The user reauthenticates with his or her password, typically once a day.
NS> One of the ways suggested to me was run kinit externally as
NS> cronjob for every user you want every n hours. But that seems
NS> dangerous to me.
NS> Putting kinit call to .bashrc sounds good to me but that will
NS> fetch ticket only for default duration. Is there a better way? Or
NS> how do admins do it usually?
NS> Thanks in advance, -Neel.
--
Richard Silverman
res at qoxp.net
From sanjayk.cse at gmail.com Wed Apr 8 08:51:46 2009
From: sanjayk.cse at gmail.com (sanjayk.cse@gmail.com)
Date: Wed, 8 Apr 2009 05:51:46 -0700 (PDT)
Subject: computer account change password with Windows 2008 domain
Message-ID:
I have migrated from a Windows 2003 AD server to a Windows 2008 AD
server.
With Windows 2003 AD, everything is working fine. With the
Windows 2008 AD server I am getting a "KRB5_KPASSWD_AUTHERROR"
error in reply to KPASSWD.
I earlier had Heimdal 0.6. I learned that Heimdal 1.2 is
compatible with Windows 2008/Vista. I integrated Heimdal 1.2,
but no improvement. Has anyone experienced a similar kind of issue?
From emmanuel.bouillon at cea.fr Wed Apr 8 08:51:55 2009
From: emmanuel.bouillon at cea.fr (manu)
Date: Wed, 08 Apr 2009 14:51:55 +0200
Subject: Aqcuiring a TGT for a host/ principal using Active Directory
In-Reply-To:
References: <86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
Message-ID:
Hello,
You can try:
kinit -kt computerA.keytab COMPUTERA\$
For principals like host/..., cifs/..., HTTP/... created by default with
every computer account, AD only allows TS.
If you want a TGT you need to use the "real" principal name: COMPUTERA\$.
I don't think the step with ktpass is required.
Hoping this will help,
Best regards,
Emmanuel
John Hefferman wrote:
> Dear All,
>
> I'm not sure if this is the correct place to ask this question - it
> involves the MIT kinit program, but also Active Directory as the KDC
> (Server 2008).
>
> The problem I am experiencing, is that I can't seem to 'kinit -k' using
> an spn of an instance type such as host/ when using an AD domain
> controller.
>
> The procedure is as follows:
> - I create a new account in active directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computerA.fqdn at REALM) and create a keytab
> - I securely transfer this keytab to the Linux computer (if msktutil was
> not used)
> - I run kinit -kt computerA.keytab host/computerA.fqdn at REALM
>
> Kinit returns: kinit(v5): Client not found in Kerberos database while
> getting initial credentials
>
> Some additional information:
>
> - Ktpass args: -princ host/computerA.fqdn at REALM -mapuser computerA
> -pass +rndPass -out computerA.keytab
>
> - Name specified through -princ argument is definitely associated with
> computerA (checked in computerA's attribute list
>
> - kvno works against host/computerA.fqdn at REALM
>
> - computerA.keytab contains key and principal name specified through
> -princ
>
> - when kinit -k host/computerA.fqdn at REALM is executed, Active Directory
> event viewer logs (on the Domain Controller) shows the 'Account Name'
> that is attempting to acquire the TGT as 'host', instead of
> host/.... at ... It appears to omit anything that comes after the forward
> slash.
>
> - I've tried ktpass with all encryption types - same result.
>
> - Same result with user or computer objects in AD.
>
> - Same result when both -ptype's are specified when running ktpass
>
> Just wondering if anyone had had any experience with TGT acquisition and
> principal names containing forward slashes. No problem if this is the
> wrong place to ask. Maybe it's not even possible to do this with AD, but
> I doubt that's the case.
>
> Thanks in advance for any help,
>
> John
From rwilper at stanford.edu Wed Apr 8 12:00:56 2009
From: rwilper at stanford.edu (Wilper, Ross A)
Date: Wed, 8 Apr 2009 09:00:56 -0700
Subject: Aqcuiring a TGT for a host/ principal using Active Directory
In-Reply-To:
References: <86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
Message-ID:
There is a bug in Windows 2008 KDC that prevents any principal name with a "/" in it from authenticating from a non-Windows client.
KB Article Number(s): 951191
This is a public hotfix, but you may need to contact Microsoft to get the hotfix. The hotfix is included in SP2.
-Ross
From javiplx at gmail.com Wed Apr 8 12:17:32 2009
From: javiplx at gmail.com (Javier Palacios)
Date: Wed, 8 Apr 2009 18:17:32 +0200
Subject: Aqcuiring a TGT for a host/ principal using Active Directory
In-Reply-To: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
References:
<86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
Message-ID:
On Wed, Apr 8, 2009 at 11:52 AM, John Hefferman wrote:
> Dear All,
>
> The problem I am experiencing, is that I can't seem to 'kinit -k' using
> an spn of an instance type such as host/ when using an AD domain
> controller.
>
> The procedure is as follows:
> - I create a new account in active directory, such as 'computerA'
> - I run ktpass (or msktutil) to associate a host/ principal name with
> this account (host/computerA.fqdn at REALM) and create a keytab
You can try to install samba at the unix server, configure it for
kerberos security and join it to the domain, and also try with
css_adkadmin.
Javier Palacios
From john.hefferman at cern.ch Wed Apr 8 12:54:26 2009
From: john.hefferman at cern.ch (John Hefferman)
Date: Wed, 8 Apr 2009 18:54:26 +0200
Subject: Aqcuiring a TGT for a host/ principal using Active Directory
In-Reply-To:
References:
<86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
Message-ID: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA4A07@cernxchg42.cern.ch>
Dear All,
The problem was definitely related to the bug with SP1, as after
applying the hotfix and specifying +DesOnly when running ktpass, kinit
-kt works fine.
Thank you all for your time and the information,
John
From ioplex at gmail.com Wed Apr 8 13:35:16 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Wed, 8 Apr 2009 13:35:16 -0400
Subject: Aqcuiring a TGT for a host/ principal using Active Directory
In-Reply-To: <5DEBEADA3C05964F9A8D57D1B4DE467D02EA4A07@cernxchg42.cern.ch>
References:
<86h6a6-fm4.ln1@nb2.stroeder.com> <49D1C28A.6030904@rcs-rds.ro>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA49F3@cernxchg42.cern.ch>
<5DEBEADA3C05964F9A8D57D1B4DE467D02EA4A07@cernxchg42.cern.ch>
Message-ID: <78c6bd860904081035o4d56b914we97f17631960f656@mail.gmail.com>
On Wed, Apr 8, 2009 at 12:54 PM, John Hefferman wrote:
> Dear All,
>
> The problem was definitely related to the bug with SP1, as after
> applying the hotfix and specifying +DesOnly when running ktpass, kinit
> -kt works fine.
I don't know why you should have to specify DES. The default of RC4
should work just fine unless you're using a very old Kerberos library
on the client. Or maybe you accidentally specified in your krb5.conf
that only DES enctypes should be used?
DES is basically deprecated. If I'm not mistaken I think Heimdal has
actually removed DES support.
You're setting yourself up for a migration migraine.
Mike
--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
From deengert at anl.gov Wed Apr 8 17:11:58 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 08 Apr 2009 16:11:58 -0500
Subject: computer account change password with Windows 2008 domain
In-Reply-To:
References:
Message-ID: <49DD131E.5050901@anl.gov>
I have run into a similar problem in the last two days, as we have some W2008 DCs
and some W2003 DCs. The msktutil program to add computer accounts and create keytab
files then change the password uses krb5_set_password_using_ccache with the
admin creds and the change_password_for set to the principal of the machine.
This is the same method used by the MIT ksetpwd command that is built but
not installed.
Both ksetpwd and msktutil fail with an error of 3 "Authentication Error"
to W2008 DCs but work on W2003 DCs.
But if instead of the host/fqdn at realm as the principal,
I can use samAccountName (without the $) and it will change the password.
So can you try the kpasswd with the account name?
I think this is a known bug in W2008, but have not tracked down the hotfix if any yet.
This may have something to do with smart card support in W2008, where
the userPrincipalName is now being used to match what is in the
UPN of a certificate and it does not have to be in the local realm!
sanjayk.cse at gmail.com wrote:
> I have migrated from a Windows 2003 AD server to a Windows 2008 AD
> server.
> With Windows 2003 AD, everything is working fine. With the
> Windows 2008 AD server I am getting a "KRB5_KPASSWD_AUTHERROR"
> error in reply to KPASSWD.
> I earlier had Heimdal 0.6. I learned that Heimdal 1.2 is
> compatible with Windows 2008/Vista. I integrated Heimdal 1.2,
> but no improvement. Has anyone experienced a similar kind of issue?
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From deengert at anl.gov Wed Apr 8 17:43:23 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 08 Apr 2009 16:43:23 -0500
Subject: computer account change password with Windows 2008 domain
In-Reply-To: <49DD131E.5050901@anl.gov>
References:
<49DD131E.5050901@anl.gov>
Message-ID: <49DD1A7B.6090700@anl.gov>
The hotfix 951191 fixed this problem too...
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From javiplx at gmail.com Thu Apr 9 04:05:33 2009
From: javiplx at gmail.com (Javier Palacios)
Date: Thu, 9 Apr 2009 10:05:33 +0200
Subject: Linux Daemons and Kerberos Tickets
In-Reply-To:
References:
Message-ID:
On Tue, Apr 7, 2009 at 3:10 PM, wrote:
> Hi,
>
> I wanted to know whether there are any recommendations regarding
> following scenario:
>
> - In order for Linux daemons to be running in kerberos/Active Directory
> users' context, a (krbtgt) ticket is needed and is fetched by kinit.
> - But this ticket is usually valid for some time depending on user
> configuration and it needs to be renewed.
>
> Is there a recommended way of renewing/getting new ticket for the
> user?
>
> One of the ways suggested to me was run kinit externally as cronjob
> for every user you want every n hours. But that seems dangerous to me.
If you mean a daemon which requires kerberos authentication (for
example sshd or httpd) you don't need to kinit anything but use a
keytab, that is read when required.
If you mean a daemon which acts as a client, then you need a TGT for
that user/daemon, and either you code the kinit stuff within, or you
use kinit from an external cron. I don't see any other alternatives.
Javier Palacios
From fmendez at qualitytech.com Thu Apr 9 08:15:10 2009
From: fmendez at qualitytech.com (Mendez, Franklyn)
Date: Thu, 9 Apr 2009 08:15:10 -0400
Subject: kpasswd: Authentication error: Failed reading application request
In-Reply-To: <5888FCB767AD5F41A65DC0DCFE91C9210EC40DF4@EDC-SUW-EXCH.edeltacom.biz>
References: <1239117038.26768.0.camel@localhost.localdomain>
<5888FCB767AD5F41A65DC0DCFE91C9210EC40DF4@EDC-SUW-EXCH.edeltacom.biz>
Message-ID: <5888FCB767AD5F41A65DC0DCFE91C9210ECE4D1D@EDC-SUW-EXCH.edeltacom.biz>
Any ideas anyone?
Thanks,
Franklyn Mendez
Sr. UNIX Engineer
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Mendez, Franklyn
Sent: Tuesday, April 07, 2009 12:09 PM
To: kerberos at mit.edu
Subject: kpasswd: Authentication error: Failed reading application
request
Need assistance solving this issue.
My Kerberos users can't change their password running kpasswd userid
The client users can successfully login with their accounts. They can
run kinit to acquire a token, but even though they do, they can't change
their password.
The client is configured to use PAM.
Password for user at DOMAININT.COM:
Enter new password:
Enter it again:
Authentication error: Failed reading application request
On the Server's side I do see the client trying to change the user's
password but no more detail:
Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18
3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16
ses=16}, user at DOMAININT.COM for kadmin/changepw at DOMAININT.COM
Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18
3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16
ses=16}, user at DOMAININT.COM for kadmin/changepw at DOMAININT.COM
Any ideas?
Thanks all,
From rra at stanford.edu Thu Apr 9 14:10:15 2009
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 09 Apr 2009 11:10:15 -0700
Subject: Linux Daemons and Kerberos Tickets
In-Reply-To:
(neelsmail@rediffmail.com's message of "Tue\,
7 Apr 2009 06\:10\:12 -0700 \(PDT\)")
References:
Message-ID: <87eiw1hf5k.fsf@windlord.stanford.edu>
neelsmail at rediffmail.com writes:
> I wanted to know whether there are any recommendations regarding
> following scenario:
>
> - In order for Linux daemons to be running in kerberos/Active Directory
> users' context, a (krbtgt) ticket is needed and is fetched by kinit.
> - But this ticket is usually valid for some time depending on user
> configuration and it needs to be renewed.
>
> Is there a recommended way of renewing/getting new ticket for the
> user?
We use:
http://www.eyrie.org/~eagle/software/kstart/
--
Russ Allbery (rra at stanford.edu)
From rra at stanford.edu Thu Apr 9 14:11:14 2009
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 09 Apr 2009 11:11:14 -0700
Subject: kpasswd: Authentication error: Failed reading application request
In-Reply-To: <5888FCB767AD5F41A65DC0DCFE91C9210ECE4D1D@EDC-SUW-EXCH.edeltacom.biz>
(Franklyn Mendez's message of "Thu\, 9 Apr 2009 08\:15\:10 -0400")
References:
<1239117038.26768.0.camel@localhost.localdomain>
<5888FCB767AD5F41A65DC0DCFE91C9210EC40DF4@EDC-SUW-EXCH.edeltacom.biz>
<5888FCB767AD5F41A65DC0DCFE91C9210ECE4D1D@EDC-SUW-EXCH.edeltacom.biz>
Message-ID: <87ab6phf3x.fsf@windlord.stanford.edu>
"Mendez, Franklyn" writes:
> Any ideas anyone?
> Password for user at DOMAININT.COM:
> Enter new password:
> Enter it again:
> Authentication error: Failed reading application request
>
> On the Server's side I do see the client trying to change the user's
> password but no more detail:
>
> Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18
> 3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16
> ses=16}, user at DOMAININT.COM for kadmin/changepw at DOMAININT.COM
> Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18
> 3 1}) 10.x.x.x: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16
> ses=16}, user at DOMAININT.COM for kadmin/changepw at DOMAININT.COM
Kind of an obvious question, but are you running kadmind on the server?
Your logs show the KDC traffic that would happen prior to the kadmind
connection, but nothing logged from kadmind.
--
Russ Allbery (rra at stanford.edu)
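One way to run the check Russ describes over the log excerpt, as an added example that is not part of this thread or of MIT krb5: it parses krb5kdc ISSUE lines in the format quoted above and flags kadmin/changepw tickets that are never followed by a kadmind password-change entry. The kadmind line shape and every sample log line are constructed for the example, not taken from the thread.

```python
import re
from datetime import datetime

# krb5kdc "ISSUE" line, in the format quoted in the thread (joined back onto
# one line). The archive munged "@" into " at "; real logs carry "@".
KDC_ISSUE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<n>\d+) etypes \{(?P<offered>[^}]*)\}\) (?P<addr>\S+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<server>\S+)$"
)

# ASSUMED kadmind line: "chpw request from <addr> for <principal>: <status>".
# The thread shows no kadmind output at all, so this shape is an assumption.
KADMIND_CHPW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"kadmind\[(?P<pid>\d+)\]\(\w+\): chpw request from (?P<addr>\S+) "
    r"for (?P<client>\S+): (?P<status>.*)$"
)

CHANGEPW_PREFIX = "kadmin/changepw@"


def _when(ts):
    # Syslog-style stamps carry no year; only relative ordering matters here.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def parse_kdc_issue(line):
    """Parse one krb5kdc ISSUE line into a dict, or None if it is something else."""
    m = KDC_ISSUE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["offered"] = [int(x) for x in ev["offered"].split()]
    ev["when"] = _when(ev["ts"])
    return ev


def parse_kadmind_chpw(line):
    """Parse one (assumed-format) kadmind password-change line, or None."""
    m = KADMIND_CHPW_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["when"] = _when(ev["ts"])
    return ev


def unanswered_changepw(kdc_lines, kadmind_lines, window_s=10):
    """Return kadmin/changepw AS_REQ ISSUE events with no kadmind chpw entry
    for the same client principal within window_s seconds afterwards.

    The KDC only hands out the kadmin/changepw service ticket; the change
    itself is done by kadmind. A ticket issued with nothing from kadmind is
    exactly the symptom in the thread, and points at kadmind not running,
    not reachable on its kpasswd port, or not logging."""
    chpw = [ev for ev in map(parse_kadmind_chpw, kadmind_lines) if ev]
    missing = []
    for line in kdc_lines:
        ev = parse_kdc_issue(line)
        if ev is None or ev["req"] != "AS_REQ":
            continue
        if not ev["server"].startswith(CHANGEPW_PREFIX):
            continue
        answered = any(
            c["client"] == ev["client"]
            and 0 <= (c["when"] - ev["when"]).total_seconds() <= window_s
            for c in chpw
        )
        if not answered:
            missing.append({"ts": ev["ts"], "client": ev["client"],
                            "addr": ev["addr"], "offered": ev["offered"]})
    return missing


# Constructed sample lines modelled on the thread's log excerpt (the two
# identical AS_REQs for user@DOMAININT.COM), plus one client whose change
# did reach kadmind and one unrelated TGS_REQ that must be ignored.
KDC_SAMPLE = [
    "Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18 3 1}) "
    "10.0.0.5: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16 ses=16}, "
    "user@DOMAININT.COM for kadmin/changepw@DOMAININT.COM",
    "Apr 07 11:54:17 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18 3 1}) "
    "10.0.0.5: ISSUE: authtime 1239119657, etypes {rep=16 tkt=16 ses=16}, "
    "user@DOMAININT.COM for kadmin/changepw@DOMAININT.COM",
    "Apr 07 11:55:02 host02 krb5kdc[13289](info): AS_REQ (5 etypes {16 23 18 3 1}) "
    "10.0.0.7: ISSUE: authtime 1239119702, etypes {rep=16 tkt=16 ses=16}, "
    "alice@DOMAININT.COM for kadmin/changepw@DOMAININT.COM",
    "Apr 07 11:55:30 host02 krb5kdc[13289](info): TGS_REQ (5 etypes {16 23 18 3 1}) "
    "10.0.0.7: ISSUE: authtime 1239119702, etypes {rep=16 tkt=16 ses=16}, "
    "alice@DOMAININT.COM for host/srv.domainint.com@DOMAININT.COM",
]
KADMIND_SAMPLE = [
    "Apr 07 11:55:03 host02 kadmind[13301](Notice): chpw request from 10.0.0.7 "
    "for alice@DOMAININT.COM: success",
]

if __name__ == "__main__":
    for ev in unanswered_changepw(KDC_SAMPLE, KADMIND_SAMPLE):
        print("changepw ticket issued but no kadmind activity:", ev)
```

On a real server, feed it the krb5kdc log and the kadmind log (often the same file, split by process name); an empty kadmind side with hits on the KDC side is the case Russ asks about.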
From devine.steve at gmail.com Sat Apr 11 09:46:28 2009
From: devine.steve at gmail.com (Steve Devine)
Date: Sat, 11 Apr 2009 06:46:28 -0700 (PDT)
Subject: SA-2009-001 and SA-2009-002
Message-ID:
Seems both of these patches expect the src tree to start with a or b
IE:
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/
spnego/spnego_mech.c
What am I missing? Is this for a diff dist?
/sd
From tlyu at MIT.EDU Mon Apr 13 14:57:02 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 13 Apr 2009 14:57:02 -0400
Subject: SA-2009-001 and SA-2009-002
In-Reply-To:
(Steve Devine's message of "Sat,
11 Apr 2009 06:46:28 -0700 (PDT)")
References:
Message-ID:
Steve Devine writes:
> Seems both of these patches expect the src tree to start with a or b
> IE:
> diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/
> spnego/spnego_mech.c
> What am I missing? Is this for a diff dist?
Does using "patch -p1" work? This is the diff format generated by
git-diff. You might think of "a" and "b" as "old" and "new".
From devine.steve at gmail.com Tue Apr 14 11:22:44 2009
From: devine.steve at gmail.com (Steve Devine)
Date: Tue, 14 Apr 2009 08:22:44 -0700 (PDT)
Subject: SA-2009-001 and SA-2009-002
References:
Message-ID: <62f3bfcd-5e1e-4b41-a8aa-b88de19bae96@y9g2000yqg.googlegroups.com>
On Apr 13, 2:57 pm, Tom Yu wrote:
> Steve Devine writes:
> > Seems both of these patches expect the src tree to start with a or b
> > IE:
> > diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/
> > spnego/spnego_mech.c
> > What am I missing? Is this for a diff dist?
>
> Does using "patch -p1" work? This is the diff format generated by
> git-diff. You might think of "a" and "b" as "old" and "new".
Yes, that worked perfectly... thanks.
From jasonmc at sei.cmu.edu Thu Apr 16 10:36:47 2009
From: jasonmc at sei.cmu.edu (Jason D. McCormick)
Date: Thu, 16 Apr 2009 10:36:47 -0400
Subject: MIT Kerberos + Windows 2K3 AD Kerberos Cross-Realm TGT Issue using SSPI
Message-ID: <81BFFE1EFAD6894D9992C1B6D2A255B5CFEFFF27BE@EXCHANGE.sei.cmu.edu>
Hello all,
Haven't found the answer to this one on Google or in mailing list archives.
If someone has a ready-made answer for me, just point the way....
I'm working on a project that is consolidating two different authentication
domains, their users and their services. There is a long-standing MIT
Kerberos realm that for this question I'll call EXAMPLE1.COM. There is also
a new Windows 2003R2 Active Directory Forest comprising two domains, a
top-level "empty" forest root AD-ROOT.EXAMPLE2.COM and the populated general
domain AD.EXAMPLE2.COM. We've established a bi-directional trust between
EXAMPLE1.COM and AD.EXAMPLE2.COM (but not between AD-ROOT.EXAMPLE2.COM and
EXAMPLE1.COM). There are appropriate Kerberos-related DNS records published
for both domains example1.com and example2.com.
Users in either domain/realm using Linux have no problems getting and using
Kerberos tickets, TGTs and subsequent service tickets in either direction -
EXAMPLE1.COM users -> AD.EXAMPLE2.COM services and AD.EXAMPLE2.COM users ->
EXAMPLE1.COM services. Additionally, users on Windows XP using Kerberos
for Windows/Network Identity Manager *and* using services/applications that
rely on the "API" credential cache have no problems working in either
direction. An example is OpenAFS or Firefox with
network.auth.use-sspi=false set. This all works fine and seamlessly as one
would expect.
However we are having problems with users of Windows XP who are logging in
to AD.EXAMPLE2.COM acquiring the cross-realm TGTs (i.e.
krbtgt/EXAMPLE1.COM at AD.EXAMPLE2.COM) and service tickets to use EXAMPLE1.COM
for any application that uses the MSLSA/SSPI credential cache (e.g. Internet
Explorer, Outlook, Firefox with network.auth.use-sspi=true). From our
investigation, Windows never appears to be making any DNS-based domain/realm
lookups (based on wireshark and DNS query logging) nor does there appear to
be any way to hard-code domain-realm mappings into the registry to tell the
SSPI cache how to act. We do have hard-coded domain-realm mappings in
Network ID Manager, but SSPI (rightfully I believe) ignored this. Any
GSSAPI or SPNEGO authentication attempt fails with a general error about
lacking authorized credentials.
We've explored various netdom.exe settings (many of which require the trust
to be at the forest root level), some registry settings, user mapping
changes and other items all with no effect. We've contemplated adding a
trust between AD-ROOT.EXAMPLE2.COM and EXAMPLE1.COM but there's no
documentation that we can find that indicates that'll be helpful.
I guess my question is how do we either force domain-realm DNS lookups to
happen or otherwise force the SSPI credential cache to get a TGT for the
cross-realm trust? Can anyone point me to our configuration error or help
out?
Thanks in advance.
- Jason
From rwilper at stanford.edu Thu Apr 16 11:08:22 2009
From: rwilper at stanford.edu (Wilper, Ross A)
Date: Thu, 16 Apr 2009 08:08:22 -0700
Subject: MIT Kerberos + Windows 2K3 AD Kerberos Cross-Realm TGT Issue using SSPI
In-Reply-To: <81BFFE1EFAD6894D9992C1B6D2A255B5CFEFFF27BE@EXCHANGE.sei.cmu.edu>
References: <81BFFE1EFAD6894D9992C1B6D2A255B5CFEFFF27BE@EXCHANGE.sei.cmu.edu>
Message-ID:
I will comment on two things.
"Empty" root domains in an Active Directory forest - They are worthless
and will cause you headaches down the line if you implement them. Use
other controls to protect your EA accounts.
On the trust problem, by default, Windows clients rely on the Active
Directory to do the host-to-realm mappings. Do you have a top-level-name
forward configured on the two-way external trust in AD? These are done
automatically for Windows forest trusts, but not always for external
trusts.
(Trust needs to be forest transitive)
Netdom trust AD.EXAMPLE2.COM /domain:EXAMPLE1.COM /AddTLN:EXAMPLE1.COM
-Ross
From zarafield at sky.com Thu Apr 16 18:30:21 2009
From: zarafield at sky.com (kerbie_newbie)
Date: Thu, 16 Apr 2009 15:30:21 -0700 (PDT)
Subject: Linux/Apache - combine mod_auth_kerb and ldap - to be or not to be???
In-Reply-To:
References: <22914739.post@talk.nabble.com>
<1239119426.5453.8.camel@mentor.gurulabs.com>
<22938291.post@talk.nabble.com>
Message-ID: <23087770.post@talk.nabble.com>
Will be setting up LDAP authentication and trying the suggestions to mix the
two ...
Looking back to the main reason for this query - Windows users with expired
TGTs.
(Env: Apache2, MIT Kerberos 5, mod_auth_kerb, IE7, Active Directory KDC)
Current directives:
AuthType Kerberos
AuthName "... login"
KrbMethodNegotiate on
KrbAuthRealms x y z
KrbMethodK5Passwd on
require valid-user
Krb5Keytab /etc/krb5.keytab
KrbServiceName HTTP/webservice at x
KrbSaveCredentials on
I am also connecting to AD on its Global port ...
I have users from several realms, eg. me at x.x.x, you at y.y.y
I have a keytab 'x|webservice' which, seems to me, relates to realm x. (?)
For authentication across realms with valid TGTs, the keytab realm does
not pose any issues as I have several realms included in my KrbAuthRealms
directive.
However, if a user's ticket granting ticket has expired - can Kerberos not
obtain a new ticket granting ticket? I thought this was happening when some
users were prompted for their usr/pwd and that Kerberos was using its
internal kinit to get a new TGT from Active Directory?
If it can, is it restricted to the domain on the keytab or by some
delegation setting in Active Directory?
If it can't, why is it prompting for a usr/pwd instead of just showing the
404 error?
Another theory I had was related to DNS suffix search lists ... most, if not
all, of the users that cannot authenticate when being prompted do not have
their Active Directory domain at the top of the list. I read that this is
how Kerberos creates tickets and was thinking that if they were trying to
get a TGT with a realm that is not in the 'trusted realms', then this is why
they could not authenticate.
This was further spurred on by the error logs containing something along the
lines of 'could not find requested realm'. I have since been 'advised' that
the DNS should bear no relevance, but this similarity keeps appearing.
Final concern (for this evening at least) is that these users are getting
expired TGTs in the first place. For me, locking/unlocking (Ctrl-Alt-Delete)
AND when it is automatically locked (company policy after 10 mins) through
idle, I get a renewed ticket with a new expiry time 7 days in the future.
Could this whole problem be stemming from some issue on their PC or Active
Directory account?
Thanks in advance for your thoughts!
Richard E. Silverman wrote:
>
> kn> Actually, since you say
>
> >>> Anyway, take into account that both fallbacks require a secure
> >>> server, which is not the case for credential based authentication.
>
> kn> you mean that I would need to have some local storage (on my Linux
> kn> box) of all user ids or some sort of synchronization with Active
> kn> Directory? (... or have I misunderstood?). There are more than
> kn> 50,000 users ...
>
> No; mod_auth_kerb will do the equivalent of kinit to validate the user's
> password (as well as an anti-spoof check on the KDC).
>
> - Richard
>
>
> kn> Thanks again
>
>
> kn> kerbie_newbie wrote:
> >>
>> Thanks for the responses ... still a little confused though. In another
> >> thread I've read
> >>
> >> " Anyone has an apache running with mod_auth_kerb AND mod_auth_ldap
> >>
> >> ...
> >>
> >> At least in Apache 2.0, it is extremely difficult in Apache to get
> >> two authentication modules to co-exist; Apache by and large
> >> considers any particular portion of the URL space to be protected
> >> by only one authentication scheme (possibly combined with IP
> >> address restrictions). This is partly a limitation of Apache
> >> (particularly the configuration syntax) and partly related to
> >> difficulties in the HTTP protocol (you can't easily negotiate and
> >> attempt multiple authentication protocols in turn).
> >>
> >> However, that being said, mod_auth_kerb does support:
> >>
> >> KrbDelegateBasic on | off (set to off by default) If set to 'on'
> >> this options causes that Basic authentication is always offered
> >> regardless setting the KrbMethodK[45]Pass directives. Then, if a
> >> Basic authentication header arrives authentication decision is
> >> passed along to another modules. This option is a work-around for
> >> insufficient authentication scheme in Apache (Apache 2.1 seems to
> >> provide better support for multiple various authentication
> >> mechanisms).
> >>
> >> The trick is that for this to work properly, mod_auth_kerb needs to
> >> go first and then the other authentication module needs to follow
> >> afterwards in the processing stack. That's something that modules
> >> can control in their own C code to some extent, but I don't know
> >> how you'd control this from outside without making code
> >> modifications."
> >>
> >> ... "
> >>
> >> Also, my server is not secure so Basic Authentication (which by my
> >> reckoning does not authenticate against AD) is not an option.
> >>
> >> Thanks again.
> >>
> >>
> >> Javier Palacios-2 wrote:
> >>>
>>> On Tue, Apr 7, 2009 at 5:50 PM, Dax Kelson wrote:
>>>> On Mon, 2009-04-06 at 11:47 -0700, kerbie_newbie wrote:
>>>>
>>>>> As far as I can tell, when using mod_auth_kerb and selecting kerberos
>>>>> as the
>>>>> authtype it is pretty much Kerberos or nothing ... is this correct? I
>>>>> can
>>>>> see no way to intercept the failure.
>>>>
>>>> This not correct. What you want are these two directives:
>>>>
>>>> KrbMethodNegotiate On
>>>> KrbMethodK5Passwd On
>>>
>>> If I remember right, there is a directive called something like
>>> authoritative.
>>> I did never use it but it is used to pass authentication to other
>>> modules (again, if I remember well).
>>> That is exactly what you need so instead of enabling password
>>> authentication, you need to stack the ldap authentication also, and
>>> let proceed if negotiate fails.
>>>
>>> Anyway, take into account that both fallbacks require a secure server,
>>> which is not the case for credential based authentication.
>>>
>>> Javier Palacios
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p22938708.html
> Sent from the Kerberos - General mailing list archive at Nabble.com.
>
>
> --
> Richard Silverman
> res at qoxp.net
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
View this message in context: http://www.nabble.com/Linux-Apache---combine-mod_auth_kerb-and-ldap---to-be-or-not-to-be----tp22914739p23087770.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
From acirulli at gmail.com Fri Apr 17 04:36:56 2009
From: acirulli at gmail.com (Andrea Cirulli)
Date: Fri, 17 Apr 2009 10:36:56 +0200
Subject: kerberos and time zone
Message-ID: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
Hi all,
I have the following problem:
We are managing the authentication of several servers with Kerberos. The
issue lies in the fact that the servers are in different time zones, so we
have problems with clock skew errors. Is there any solution or workaround
that accomplishes this requirement using different NTP servers in different
time zones, in a way that the KDC server knows what the real clock skew
between two different time zones is?
Let's say I have a server located in Rome and its time is synced with an
Italian NTP server, and we have a server located in New York with time synced
with an American NTP server. Considering the time zone the two times are in
sync; however, for Kerberos they are out of sync.
Is there any workaround or solution to this issue?
We are planning to use a bigger clock skew which will cover the difference
between the two time zones (this is the worst solution).
Any hint would be helpful.
Thanks in advance.
--
Andrea Cirulli
From Qiang.Xu at fujixerox.com Fri Apr 17 04:43:40 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 17 Apr 2009 16:43:40 +0800
Subject: kerberos and time zone
In-Reply-To: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
References: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
Message-ID:
Why not let your server sync with an American NTP server?
> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Andrea Cirulli
> Sent: Friday, April 17, 2009 4:37 PM
> To: kerberos at mit.edu
> Subject: kerberos and time zone
>
> Hi all,
>
> I have the following problem:
>
> We are managing the authentication of several servers with
> Kerberos. The issue lies in the fact that the servers are in
> different time zones, so we have problems with clock skew
> errors. Is there any solution or workaround that accomplishes
> this requirement using different NTP servers in different time
> zones, in a way that the KDC server knows what the real clock
> skew between two different time zones is?
>
> Let's say I have a server located in Rome and its time is
> synced with an Italian NTP server, and we have a server located
> in New York with time synced with an American NTP server.
> Considering the time zone the two times are in sync; however,
> for Kerberos they are out of sync.
>
> Is there any workaround or solution to this issue?
>
> We are planning to use a bigger clock skew which will cover
> the difference between the two time zones (this is the worst
> solution).
>
> Any hint would be helpful.
>
> Thanks in advance.
>
> --
> Andrea Cirulli
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
From acirulli at gmail.com Fri Apr 17 04:51:59 2009
From: acirulli at gmail.com (Andrea Cirulli)
Date: Fri, 17 Apr 2009 10:51:59 +0200
Subject: kerberos and time zone
In-Reply-To:
References: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
Message-ID: <191a80d00904170151o44e7239cub279589dafcf998f@mail.gmail.com>
Obviously it is not possible.... I cannot make such a decision, because there
is sensitive data that needs the time to be in sync with the country in which
it is located.
So there is no solution?
On Fri, Apr 17, 2009 at 10:43 AM, Xu, Qiang (FXSGSC) wrote:
> Why not let your server sync with an American NTP server?
>
> > -----Original Message-----
> > From: kerberos-bounces at mit.edu
> > [mailto:kerberos-bounces at mit.edu] On Behalf Of Andrea Cirulli
> > Sent: Friday, April 17, 2009 4:37 PM
> > To: kerberos at mit.edu
> > Subject: kerberos and time zone
> >
> > Hi all,
> >
> > I have the following problem:
> >
> > We are managing the authentication of several servers with
> > Kerberos. The issue lies in the fact that the servers are in
> > different time zones, so we have problems with clock skew
> > errors. Is there any solution or workaround that accomplishes
> > this requirement using different NTP servers in different time
> > zones, in a way that the KDC server knows what the real clock
> > skew between two different time zones is?
> >
> > Let's say I have a server located in Rome and its time is
> > synced with an Italian NTP server, and we have a server located
> > in New York with time synced with an American NTP server.
> > Considering the time zone the two times are in sync; however,
> > for Kerberos they are out of sync.
> >
> > Is there any workaround or solution to this issue?
> >
> > We are planning to use a bigger clock skew which will cover
> > the difference between the two time zones (this is the worst
> > solution).
> >
> > Any hint would be helpful.
> >
> > Thanks in advance.
> >
> > --
> > Andrea Cirulli
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
--
Andrea Cirulli
From Qiang.Xu at fujixerox.com Fri Apr 17 04:59:27 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 17 Apr 2009 16:59:27 +0800
Subject: kerberos and time zone
In-Reply-To: <191a80d00904170151o44e7239cub279589dafcf998f@mail.gmail.com>
References: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
<191a80d00904170151o44e7239cub279589dafcf998f@mail.gmail.com>
Message-ID:
Another workaround I can think of is to adjust for the time zone difference specifically when you do Kerberos authentication. Let's say there is an application called netAuthService that takes care of authentication. Then, if you can detect that your authentication type is Kerberos, you tweak the time in your authentication request to be within the time zone of your Kerberos server.
Is this feasible?
________________________________
From: Andrea Cirulli [mailto:acirulli at gmail.com]
Sent: Friday, April 17, 2009 4:52 PM
To: Xu, Qiang (FXSGSC); kerberos at mit.edu
Subject: Re: kerberos and time zone
Obviously it is not possible.... I cannot make such a decision, because there is sensitive data that needs the time to be in sync with the country in which it is located.
So there is no solution?
On Fri, Apr 17, 2009 at 10:43 AM, Xu, Qiang (FXSGSC) wrote:
Why not let your server sync with an American NTP server?
> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Andrea Cirulli
> Sent: Friday, April 17, 2009 4:37 PM
> To: kerberos at mit.edu
> Subject: kerberos and time zone
>
> Hi all,
>
> I have the following problem:
>
> We are managing the authentication of several servers with
> Kerberos. The issue lies in the fact that the servers are in
> different time zones, so we have problems with clock skew
> errors. Is there any solution or workaround that accomplishes
> this requirement using different NTP servers in different time
> zones, in a way that the KDC server knows what the real clock
> skew between two different time zones is?
>
> Let's say I have a server located in Rome and its time is
> synced with an Italian NTP server, and we have a server located
> in New York with time synced with an American NTP server.
> Considering the time zone the two times are in sync; however,
> for Kerberos they are out of sync.
>
> Is there any workaround or solution to this issue?
>
> We are planning to use a bigger clock skew which will cover
> the difference between the two time zones (this is the worst
> solution).
>
> Any hint would be helpful.
>
> Thanks in advance.
>
> --
> Andrea Cirulli
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Andrea Cirulli
From raeburn at MIT.EDU Fri Apr 17 05:02:11 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 17 Apr 2009 05:02:11 -0400
Subject: kerberos and time zone
In-Reply-To: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
References: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
Message-ID:
On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
> Hi all,
>
> I have the following problem:
>
> We are managing the authentication of several servers with Kerberos.
> The issue lies in the fact that the servers are in different time
> zones, so we have problems with clock skew errors. Is there any
> solution or workaround that accomplishes this requirement using
> different NTP servers in different time zones, in a way that the KDC
> server knows what the real clock skew between two different time
> zones is?
The time synchronized by NTP is not zone-dependent. Think of it as
getting all machines to agree on what the current UTC time is; the
local time each machine displays will be correct as long as the
machine (including the NTP service) is configured correctly.
> Let's say I have a server located in Rome and its time is synced with
> an Italian NTP server, and we have a server located in New York with
> time synced with an American NTP server. Considering the time zone the
> two times are in sync; however, for Kerberos they are out of sync.
That shouldn't be a problem if the NTP servers are accurate.
A common time-sync problem we used to see in Kerberos is for machines
in different time zones to have their clocks set by hand to the
correct local time, but for the local time zone information to be set
incorrectly so that the machines' ideas of UTC differ. (You'd also
see a local display of the time zone to be incorrect, but since many
clock programs only display the time and not the time zone, it would
be easy to miss.) This can happen, for example, if your OS
installation software sets some default time zone and you don't fix
it, or if you move an installed machine across time zones and "fix"
the clock instead of setting the correct time zone. I've never heard
of this happening with NTP though; the implementations should be using
the operating system's notion of UTC.
If you're still seeing this problem with NTP, I strongly suggest you
investigate why the NTP servers disagree. (One possibility that
occurs to me is that they might be mistakenly configured to
synchronize to locally-set servers that have bad time zone settings
and no synchronization to stratum-1 time servers.)
Ken
From raeburn at MIT.EDU Fri Apr 17 05:15:43 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 17 Apr 2009 05:15:43 -0400
Subject: kerberos and time zone
In-Reply-To:
References: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
Message-ID: <605215DE-5882-4D3B-883A-D48B81542CFB@mit.edu>
On Apr 17, 2009, at 05:02, Ken Raeburn wrote:
> On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
>> Hi all,
>>
>> I have the following problem:
>>
>> We are managing the authentication of several servers with
>> Kerberos. The issue lies in the fact that the servers are in
>> different time zones, so we have problems with clock skew errors.
>> Is there any solution or workaround that accomplishes this
>> requirement using different NTP servers in different time zones,
>> in a way that the KDC server knows what the real clock skew
>> between two different time zones is?
>
> The time synchronized by NTP is not zone-dependent. Think of it as
> getting all machines to agree on what the current UTC time is; the
> local time each machine displays will be correct as long as the
> machine (including the NTP service) is configured correctly.
I neglected to mention this in my previous message, but the Kerberos
protocol uses UTC time. This is why getting all machines to agree on
UTC (which NTP should do, when configured correctly) is important, and
the time-zone problems we used to see (mostly on really old Windows
systems, I think) were important even if the displayed local time was
correct.
Ken
From jasonmc at sei.cmu.edu Mon Apr 20 17:20:00 2009
From: jasonmc at sei.cmu.edu (Jason D. McCormick)
Date: Mon, 20 Apr 2009 17:20:00 -0400
Subject: MIT Kerberos + Windows 2K3 AD Kerberos Cross-Realm TGT Issue using SSPI
In-Reply-To:
References: <81BFFE1EFAD6894D9992C1B6D2A255B5CFEFFF27BE@EXCHANGE.sei.cmu.edu>
Message-ID: <81BFFE1EFAD6894D9992C1B6D2A255B5CFEFFF2A75@EXCHANGE.sei.cmu.edu>
> On the trust problem, by default, Windows clients rely on the
> Active Directory to do the host-to-realm mappings. Do you have
> a top-level-name forward configured on the two-way external
> trust in AD? These are done automatically for Windows forest
> trusts, but not always for external trusts.
>
> (Trust needs to be forest transitive)
> Netdom trust AD.EXAMPLE2.COM /domain:EXAMPLE1.COM
> /AddTLN:EXAMPLE1.COM
You can only do this operation with the top-level forest root and,
based on reading, we didn't think it would do anything. We went ahead
and defined a two-way external trust for AD-ROOT.EXAMPLE2.COM <->
EXAMPLE1.COM and added this trust type and it didn't have any effect.
Is there any additional documentation you're aware of that has
configuration directives that may force a trust at non-forest-level
domains?
- Jason
From mizmoose at gmail.com Mon Apr 20 18:26:05 2009
From: mizmoose at gmail.com (Esther Filderman)
Date: Mon, 20 Apr 2009 18:26:05 -0400
Subject: Early Bird Registration for ABPW09 ends 4/21
Message-ID:
Folks--
The "Early Bird" pricing for the Workshop ends tomorrow, April 21. If
you haven't registered, do it quickly to avoid paying a higher price.
Also, rooms are still available at the Stanford Guest House. We
really need to fill rooms there.
Hope to see you at the Workshop!
Moose
From jamen.mcgranahan at Vanderbilt.Edu Wed Apr 22 12:58:10 2009
From: jamen.mcgranahan at Vanderbilt.Edu (McGranahan, Jamen)
Date: Wed, 22 Apr 2009 11:58:10 -0500
Subject: KRB5 & Sun Solaris 9
Message-ID: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
I've installed MIT KRB5-1.6.3 on our Sun Solaris 9 sparc server.
Server:
SunOS 5.9 Generic_122300-08 sun4u sparc SUNW,Sun-Fire-V240
When I run kinit to connect to our domain, I get the following error:
kinit: Can't send request (send_to_kdc) for principal
xxxxxx at DS.VANDERBILT.EDU
(I'm running this command from /usr/local/krb5-1.6.3/bin)
Now I have looked through my krb5.conf file over and over again and all
of the settings appear there, so I'm not sure why this is failing. I've
scoured Google looking for answers and everything I have come across has
not worked. Our ultimate goal is to create shares on this server for
Active Directory and I've installed Samba for this purpose, but my next
step is to configure Kerberos. Please advise. Thank you!
***********************************
* Jamen McGranahan
* Systems Services Librarian
* Library Information Technology Services
* Vanderbilt University
* Suite 700
* 110 21st Avenue South
* Nashville, TN 37240
* (615) 343-1614
* (615) 343-8834 (fax)
* jamen.mcgranahan at vanderbilt.edu
***********************************
From deengert at anl.gov Wed Apr 22 15:55:34 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 22 Apr 2009 14:55:34 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
Message-ID: <49EF7636.50006@anl.gov>
McGranahan, Jamen wrote:
> I've installed the MIT KRB5-1.6.3 on our Sun Solaris 9 sparc server
>
> Server:
> SunOS 5.9 Generic_122300-08 sun4u sparc SUNW,Sun-Fire-V240
>
> When I run kinit to connect to our domain, I get the following error:
>
> kinit: Can't send request (send_to_kdc) for principal
> xxxxxx at DS.VANDERBILT.EDU
>
> (I'm running this command from /usr/local/krb5-1.6.3/bin)
>
> Now I have looked through my krb5.conf file over and over again and all
> of the settings appear there, so I'm not sure why this is failing. I've
> scoured Google looking for answers and everything I have come across has
> not worked. Our ultimate goal is to create shares on this server for
> Active Directory and I've installed Samba for this purpose, but my next
> step is to configure Kerberos. Please advise. Thank you!
>
What options to configure did you use?
Where is the krb5.conf?
Is it world readable?
Firewall issues?
Is your realm name DS.VANDERBILT.EDU?
Is the KDC for DS.VANDERBILT.EDU Windows AD?
Maybe another set of eyes looking at the krb5.conf might help.
1.6.3 works here on Solaris 9.
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From jamen.mcgranahan at Vanderbilt.Edu Wed Apr 22 16:12:51 2009
From: jamen.mcgranahan at Vanderbilt.Edu (McGranahan, Jamen)
Date: Wed, 22 Apr 2009 15:12:51 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <49EF7636.50006@anl.gov>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
Message-ID: <63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
What options to configure did you use?
-- $ ./configure CC=gcc --prefix=/usr/local/krb5-1.6.3
Where is the krb5.conf?
-- /etc/krb5
Is it world readable?
-- unknown
Firewall issues?
-- I've wondered about that, but thought I would check here first.
Is your realm name DS.VANDERBILT.EDU?
-- yes
Is the KDC for DS.VANDERBILT.EDU Windows AD?
-- yes (I've got 2 other Sun boxes set up already with the same settings,
but they're running Sun Solaris 10)
Jamen McGranahan
Systems Services Librarian
Vanderbilt University
From mayer at ntp.isc.org Wed Apr 22 19:57:22 2009
From: mayer at ntp.isc.org (Danny Mayer)
Date: Wed, 22 Apr 2009 19:57:22 -0400
Subject: kerberos and time zone
In-Reply-To: <605215DE-5882-4D3B-883A-D48B81542CFB@mit.edu>
References: <191a80d00904170136t48f98036t4ec283f3f8fd07e5@mail.gmail.com>
<605215DE-5882-4D3B-883A-D48B81542CFB@mit.edu>
Message-ID: <49EFAEE2.2080702@ntp.isc.org>
Ken Raeburn wrote:
> On Apr 17, 2009, at 05:02, Ken Raeburn wrote:
>> On Apr 17, 2009, at 04:36, Andrea Cirulli wrote:
>>> Hi all,
>>>
>>> I have the following problem:
>>>
>>> We are managing the authentication of several servers with
>>> Kerberos. The issue lies in the fact that the servers are in
>>> different time zones, so we have problems with clock skew errors.
>>> Is there any solution or workaround that accomplishes this
>>> requirement using different NTP servers in different time zones,
>>> in a way that the KDC server knows what the real clock skew
>>> between two different time zones is?
>> The time synchronized by NTP is not zone-dependent. Think of it as
>> getting all machines to agree on what the current UTC time is; the
>> local time each machine displays will be correct as long as the
>> machine (including the NTP service) is configured correctly.
>
> I neglected to mention this in my previous message, but the Kerberos
> protocol uses UTC time. This is why getting all machines to agree on
> UTC (which NTP should do, when configured correctly) is important, and
> the time-zone problems we used to see (mostly on really old Windows
> systems, I think) were important even if the displayed local time was
> correct.
Let me respond in my capacity as one of the NTP developers.
NTP deals only with UTC. It knows nothing about local time zones. All
national labs that have time standard setups have atomic clocks that
agree with each other to the order of nanoseconds, based on the weighted
average of about 250 atomic clocks at the International Bureau of
Weights and Measures in Paris. Kerberos only needs two systems to be
within 5 minutes of each other by default, which is hardly an onerous
requirement since NTP will keep the clocks within milliseconds of each
other.
In other words, as long as you are running NTP on each system and they
are syncing to their servers you have nothing to worry about.
Disagreements between NTP servers based in different countries are too
small for you to measure using ordinary methods.
I hope this helps.
Danny
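Ken's and Danny's point above as an added example, not code from anyone in the thread: Kerberos compares UTC timestamps, so correctly configured hosts in Rome and New York agree to the second, while a host whose wall clock reads the right local time under a wrong zone setting is off by the whole zone difference. The zone offsets and the 300-second default skew are assumptions stated in the code.

```python
from datetime import datetime, timedelta, timezone

# MIT krb5 default clockskew: timestamps further apart than this are
# rejected with a "Clock skew too great" error.
MAX_CLOCK_SKEW = timedelta(seconds=300)

# Fixed offsets instead of named zones so the example needs no tzdata
# (assumed values: Rome on CEST and New York on EDT, April 2009).
ROME = timezone(timedelta(hours=2), "CEST")
NEW_YORK = timezone(timedelta(hours=-4), "EDT")


def utc_from_wall_clock(wall_clock, configured_zone):
    """UTC as the host computes it for a Kerberos timestamp.

    The OS keeps UTC internally and derives the displayed local time
    through the configured zone; a hand-set wall clock goes the other
    way, so a wrong zone setting yields a wrong UTC even when the
    displayed time looks right.
    """
    return wall_clock.replace(tzinfo=configured_zone).astimezone(timezone.utc)


def skew_ok(client_utc, kdc_utc, max_skew=MAX_CLOCK_SKEW):
    """KDC-side check: accept only if both clocks agree within max_skew."""
    return abs(client_utc - kdc_utc) <= max_skew


def simulate():
    """Constructed scenario: the true instant is 14:36:56 UTC on 2009-04-17."""
    rome_wall = datetime(2009, 4, 17, 16, 36, 56)   # correct CEST reading
    ny_wall = datetime(2009, 4, 17, 10, 36, 56)     # correct EDT reading

    # Both hosts NTP-synced and correctly zoned: their UTC agrees exactly.
    rome_utc = utc_from_wall_clock(rome_wall, ROME)
    ny_utc = utc_from_wall_clock(ny_wall, NEW_YORK)

    # Failure mode from the thread: the New York wall clock was set by
    # hand to the right local time, but the OS still has the installer's
    # default zone (UTC here), so its idea of UTC is four hours off.
    ny_wrong_zone_utc = utc_from_wall_clock(ny_wall, timezone.utc)

    return {
        "correct": skew_ok(rome_utc, ny_utc),
        "misconfigured": skew_ok(rome_utc, ny_wrong_zone_utc),
        "skew_seconds": int(abs(ny_wrong_zone_utc - rome_utc).total_seconds()),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```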
From Qiang.Xu at fujixerox.com Thu Apr 23 03:32:09 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 23 Apr 2009 15:32:09 +0800
Subject: ticket renew
Message-ID:
Hi, all:
I have done a Kerberos authentication successfully and got a TGT. I can also use the TGT to do SASL binding in LDAP queries now.
The ticket looks like:
===========================================
MBC107:/var/log/nc <135> /tmp/dlms/kerberos/apps/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan at SESSWIN2003.COM
Valid starting Expires Service principal
04/23/09 15:14:53 04/24/09 01:13:50 krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
renew until 04/24/09 15:14:53
04/23/09 15:13:50 04/24/09 01:13:50 ldap/sesswin2003.sesswin2003.com at SESSWIN2003.COM
renew until 04/24/09 15:14:53
===========================================
It says the ticket is renewable until some time. But how do I do it in code? Is there any function to use to renew the ticket?
Looking forward to your help,
Xu Qiang
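Added example, not from the thread: in the MIT krb5 C API a ticket is renewed with krb5_get_renewed_creds (the call behind kinit -R). The Python below, assuming only the standard library, parses the klist output quoted above (with "@" restored where the archive wrote " at ") and models the RFC 4120 renewal rule: renewal must happen before the ticket expires, and the renewed ticket keeps the old lifetime from now, capped at the renew-until time.

```python
import re
from dataclasses import dataclass, replace as dc_replace
from datetime import datetime
from typing import Optional

# Constructed sample input in MIT klist's default format, taken from the
# klist output quoted in the message above.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan@SESSWIN2003.COM
Valid starting     Expires            Service principal
04/23/09 15:14:53  04/24/09 01:13:50  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 04/24/09 15:14:53
04/23/09 15:13:50  04/24/09 01:13:50  ldap/sesswin2003.sesswin2003.com@SESSWIN2003.COM
        renew until 04/24/09 15:14:53
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_LINE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW_LINE = re.compile(rf"^\s*renew until ({STAMP})\s*$")
STAMP_FMT = "%m/%d/%y %H:%M:%S"


def stamp(text):
    """Parse a klist timestamp such as '04/24/09 01:13:50'."""
    return datetime.strptime(text, STAMP_FMT)


@dataclass
class Ticket:
    start: datetime
    expires: datetime
    principal: str
    renew_until: Optional[datetime] = None   # None: ticket not renewable


def parse_klist(text):
    """Turn klist output into Ticket objects, attaching 'renew until' lines."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_LINE.match(line)
        if m:
            tickets.append(Ticket(stamp(m.group(1)), stamp(m.group(2)), m.group(3)))
            continue
        m = RENEW_LINE.match(line)
        if m:
            if not tickets:
                raise ValueError("'renew until' line before any ticket")
            tickets[-1].renew_until = stamp(m.group(1))
    return tickets


def renew(ticket, now):
    """Apply the RFC 4120 renewal rule and return the renewed ticket.

    A KDC only honours a RENEW request for a ticket that is renewable,
    has not yet expired and is still inside its renew-till window.  The
    renewed ticket starts now and keeps the old lifetime, capped at
    renew-till; renewal never extends renew-till itself, so after that
    point a fresh kinit (a new AS exchange) is the only option.
    """
    if ticket.renew_until is None:
        raise ValueError("ticket is not renewable")
    if now > ticket.expires:
        raise ValueError("ticket already expired; a fresh kinit is needed")
    if now > ticket.renew_until:
        raise ValueError("renew-until has passed; a fresh kinit is needed")
    lifetime = ticket.expires - ticket.start
    new_expires = min(now + lifetime, ticket.renew_until)
    return dc_replace(ticket, start=now, expires=new_expires)


if __name__ == "__main__":
    tgt = parse_klist(KLIST_OUTPUT)[0]
    renewed = renew(tgt, stamp("04/24/09 00:00:00"))
    print(f"{tgt.principal}: expires {renewed.expires}, renew until {renewed.renew_until}")
```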
From William.Fiveash at Sun.COM Thu Apr 23 11:35:56 2009
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Thu, 23 Apr 2009 10:35:56 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
Message-ID: <20090423153556.GA14904@sun.com>
On Wed, Apr 22, 2009 at 03:12:51PM -0500, McGranahan, Jamen wrote:
>
>
> What options to configure did you use?
> -- $ ./configure CC=gcc --prefix=/usr/local/krb5-1.6.3
>
> Where is the krb5.conf?
> -- /etc/krb5
/etc/krb5 is where the native Solaris krb5.conf file exists. By default
MIT krb looks for /etc/krb5.conf not /etc/krb5/krb5.conf. You should
also take care not to mix and match use of native Solaris services that
use native Solaris krb while using MIT krb on the same system. For
example it's best to avoid using the native Solaris pam_krb5.so.1 module
when one is using some version of MIT krb kinit on the system.
In general, I'd suggest using the native Solaris krb support unless you
need a feature not supported by that krb (more on this below).
> Is it world readable?
> -- unknown
>
> Firewall issues?
> -- I've wondered about that, but thought I would check here first.
>
> Is your realm name DS.VANDERBILT.EDU?
> -- yes
>
> Is the KDC for DS.VANDERBILT.EDU Windows AD?
> -- yes (I've got 2 other Sun boxes set up already with the same settings,
> but they're running Sun Solaris 10)
One issue we've seen when a MS AD is the KDC is that the AD may use TCP
to send krb messages depending on how large the message is. This is a
problem for Solaris 9 krb which only expects UDP to be used for krb
messages. This issue has been addressed in Solaris 10 and OpenSolaris
along with a number of krb related enhancements. The 1.6 MIT krb also
supports this so I can understand why one may want to use MIT krb in
this situation but you may want to consider upgrading Solaris.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From corsac at corsac.net Thu Apr 23 10:16:35 2009
From: corsac at corsac.net (Yves-Alexis Perez)
Date: Thu, 23 Apr 2009 16:16:35 +0200
Subject: [mod_auth_kerb] Use of Kerberos with multiple vhost
Message-ID: <1240496195.27076.12.camel@miria>
Hi,
I'm trying to setup a system where users are in an active directory and
we use some Linux servers, using apache and mod_auth_kerb. I've
successfully managed to use kerberos to authenticate from a Windows XP
workstation (and from a kerberized Linux box) to the webserver if I use
the fqdn of the server. Using a virtualhost which doesn't point to the
fqdn doesn't work.
I've created the keytab using the ktpass util on the PDC, and the
principal name is HTTP/fqdn.example.net at REALM.EXAMPLE.NET
I then use:
AuthType Kerberos
KrbMethodNegotiate On
KrbServiceName HTTP/fqdn.example.net
KrbAuthRealms REALM
require valid-user
to protect a directory accessible from http://fqdn.example.net/~user/
and another directory accessible using http://vhost.example.net/.
The former works while the latter doesn't
fqdn.example.net has a correct reverse while vhost.example.net doesn't,
but forcing it in the various /etc/hosts involved doesn't work.
Looking at the logs it seems that firefox and internet explorer don't
even try to start to negotiate Kerberos auth from the vhost one.
I'm wondering if I should use one principal per vhost (which doesn't
scale very well).
oh, btw I'm using krb5 1.6.1 from RHEL5.
Thanks for any help (please leave my CC: on reply because I'm not subscribed
to the list).
Cheers,
--
Yves-Alexis
From corsac at corsac.net Fri Apr 24 09:07:06 2009
From: corsac at corsac.net (Yves-Alexis Perez)
Date: Fri, 24 Apr 2009 15:07:06 +0200
Subject: [mod_auth_kerb] Use of Kerberos with multiple vhost
In-Reply-To: <1240496195.27076.12.camel@miria>
References: <1240496195.27076.12.camel@miria>
Message-ID: <1240578426.30143.10.camel@miria>
On jeu, 2009-04-23 at 16:16 +0200, Yves-Alexis Perez wrote:
> fqdn.example.net has a correct reverse while vhost.example.net doesn't,
> but forcing it in the various /etc/hosts involved doesn't work.
>
> Looking at the logs it seems that firefox and internet explorer don't
> even try to start to negociate Kerberos auth from the vhost one.
>
> I'm wondering if I should use one principal per vhost (which doesn't
> scale very well).
I tried to create another user in AD and map the fqdn.example.net to
that user, creating another keytab. Then use that second keytab in the
vhost protection, and it worked.
So kerberos auth works fine, and the config as well. But having to
create a user per service doesn't scale very well (especially if you
multiply the vhost number by various criticality levels dev/qa/test/prod/...) so
it'd be nice if I could use only one AD user per server. Having one
service principal name per server would be even better, but I guess I
could do with one SPN per vhost if I can map all of them to the same AD
user.
Any idea on how to do that?
Cheers,
--
Yves-Alexis
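The behaviour in the two posts above follows from how the browser chooses the service principal: a SPNEGO client asks the KDC for HTTP/<host in the URL>, so a request to http://vhost.example.net/ needs a key for HTTP/vhost.example.net in the Apache keytab, and a keytab that only holds HTTP/fqdn.example.net cannot serve it. The check below is an added example, not code from the thread or from mod_auth_kerb; the keytab listing is constructed sample output in the format of MIT `klist -k`, and the realm name is assumed.

```python
"""Added example (not from the thread): work out which service principal
a Kerberos/SPNEGO browser will request for a URL and check whether the
Apache keytab holds a key for it. SAMPLE_KLIST_OUTPUT is constructed."""
import re
from urllib.parse import urlsplit

REALM = "REALM.EXAMPLE.NET"  # assumed realm, as in the original post

# Constructed 'klist -k /etc/apache2/http.keytab' output: the keytab
# only carries the server's FQDN principal (two enctypes, one line each).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/fqdn.example.net@REALM.EXAMPLE.NET
   3 HTTP/fqdn.example.net@REALM.EXAMPLE.NET
"""


def spn_for_url(url, realm=REALM):
    """Principal a Kerberos client asks the KDC for: HTTP/<host>@REALM,
    where <host> is the host part of the URL as typed, lower-cased, port
    stripped.  (Some client libraries additionally canonicalise the host
    through DNS before building the name; that is outside this check.)"""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return "HTTP/%s@%s" % (host.lower(), realm)


def parse_klist_keytab(text):
    """Return the set of principals listed in 'klist -k' output.
    Duplicate lines collapse: one entry per enctype is normal."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def missing_spns(urls, klist_output, realm=REALM):
    """For each URL, derive the SPN the browser will request and report
    those that the keytab cannot serve (url -> missing principal)."""
    have = parse_klist_keytab(klist_output)
    missing = {}
    for url in urls:
        spn = spn_for_url(url, realm)
        if spn not in have:
            missing[url] = spn
    return missing


if __name__ == "__main__":
    urls = ["http://fqdn.example.net/~user/", "http://vhost.example.net/"]
    for url, spn in missing_spns(urls, SAMPLE_KLIST_OUTPUT).items():
        print("%s needs %s, not in keytab" % (url, spn))
```

The usual fix in AD is to register the additional names on the one service account (for example `setspn -A HTTP/vhost.example.net <account>`) and generate a keytab that contains keys for every registered SPN, so one account can serve all vhosts on the server; whether mod_auth_kerb then needs `KrbServiceName` widened or left unset depends on the version in use.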
From jmcgranahan at gmail.com Fri Apr 24 11:46:03 2009
From: jmcgranahan at gmail.com (Jamen)
Date: Fri, 24 Apr 2009 08:46:03 -0700 (PDT)
Subject: KRB5 & Sun Solaris 9
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
Message-ID:
In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
will not work with Samba on Solaris 9. I've been told that there is a
version on 10 that does work, but I couldn't get it to work on our
box, but did with MIT's. Our goal is to create share drives on these
servers through Active Directory, and we're utilizing Samba, KRB, and
OpenLDAP for this purpose. I've installed Samba and Samba is seeing
all of the resources, but Kerberos fails when I issue the kinit
command. Currently, we are not able to upgrade the box to 10 since it
is a heavily used server. Any other guidance would be greatly
appreciated!
Jamen McGranahan
---------------------
One issue we've seen when a MS AD is the KDC is that the AD may use
TCP to send krb messages depending on how large the message is. This
is a problem for Solaris 9 krb which only expects UDP to be used for
krb messages. This issue has been addressed in Solaris 10 and
OpenSolaris along with a number of krb related enhancements. The 1.6
MIT krb also supports this so I can understand why one may want to use
MIT krb in this situation but you may want to consider upgrading
Solaris.
--
Will Fiveash
Sun Microsystems Inc.http://opensolaris.org/os/project/kerberos/
From deengert at anl.gov Fri Apr 24 15:32:36 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 24 Apr 2009 14:32:36 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To:
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu> <49EF7636.50006@anl.gov> <63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
Message-ID: <49F213D4.6030904@anl.gov>
Jamen wrote:
> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
> will not work with Samba on Solaris 9. I've been told that there is a
> version on 10 that does work, but I couldn't get it to work on our
> box, but did with MIT's. Our goal is to create share drives on these
> servers through Active Directory, and we're utilizing Samba, KRB, and
> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
> all of the resources, but Keberos fails when I issue the kinit
> command.
The MIT kinit should work. What is the error again?
What does
ldd /usr/local/krb5-1.6.3/bin/kinit
show?
You have not sent a copy of the krb5.conf to the list,
are you willing to do so? Or to selected individuals?
As Will said below, it might be a UDP/TCP issue.
Have you added a udp_preference_limit = 1
to the [libdefaults] section? This says prefer UDP
if the packet size is less than 1. In other words
always use TCP.
Wireshark (or other network trace program) can be very handy
to see packets sent by kinit, and to where it is sending
them. It will also show DNS activity trying to locate the KDCs.
> Currently, we are not able to upgrade the box to 10 since it
> is a heavily used server. Any other guidance would be greatly
> appreciated!
>
> Jamen McGranahan
>
> ---------------------
>
> One issue we've seen when a MS AD is the KDC is that the AD may use
> TCP to send krb messages depending on how large the message is. This
> is a problem for Solaris 9 krb which only expects UDP to be used for
> krb messages. This issue has been addressed in Solaris 10 and
> OpenSolaris along with a number of krb related enhancements. The 1.6
> MIT krb also supports this so I can understand why one may want to use
> MIT krb in this situation but you may want to consider upgrading
> Solaris.
> --
> Will Fiveash
> Sun Microsystems Inc.http://opensolaris.org/os/project/kerberos/
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
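Will's note about AD switching to TCP for large messages and Doug's udp_preference_limit = 1 suggestion describe the same mechanism from two sides: a KDC whose reply will not fit in a datagram answers a UDP request with KRB_ERR_RESPONSE_TOO_BIG (RFC 4120), and a client that can speak TCP retries there, while a UDP-only client is stuck. The simulation below is an added example, not code from the thread or from MIT krb5; the fake KDC, its reply sizes and the datagram limit are constructed, and the transport ordering follows the documented meaning of udp_preference_limit.

```python
"""Added example (not from the thread): how an MIT-style client orders KDC
transports and why a UDP-only client fails against an AD KDC whose
replies exceed one datagram.  FakeADKDC and all sizes are constructed."""

# RFC 4120: error returned over UDP when the reply is too large to send.
KRB_ERR_RESPONSE_TOO_BIG = 52

# MIT krb5 default for udp_preference_limit, in bytes.
DEFAULT_UDP_PREFERENCE_LIMIT = 1465

# Constructed: largest reply the simulated KDC is willing to send over UDP.
UDP_REPLY_LIMIT = 1465


def transport_order(request_len, udp_preference_limit=DEFAULT_UDP_PREFERENCE_LIMIT):
    """Transports to try, in order.  Requests no larger than the limit go
    UDP first, larger ones TCP first; the other transport is still tried
    if the first attempt fails.  udp_preference_limit = 1 therefore means
    "TCP first for any real request", which is what Doug suggests."""
    if request_len <= udp_preference_limit:
        return ("udp", "tcp")
    return ("tcp", "udp")


class FakeADKDC:
    """Constructed stand-in for an AD KDC.  Its replies (e.g. a TGT with a
    PAC) can be several kilobytes: over UDP such a reply is replaced by
    KRB_ERR_RESPONSE_TOO_BIG, over TCP it is returned whole."""

    def __init__(self, reply_len):
        self.reply_len = reply_len

    def send(self, transport):
        if transport == "udp" and self.reply_len > UDP_REPLY_LIMIT:
            return ("error", KRB_ERR_RESPONSE_TOO_BIG)
        return ("reply", self.reply_len)


def exchange(kdc, request_len, udp_preference_limit=DEFAULT_UDP_PREFERENCE_LIMIT,
             client_supports_tcp=True):
    """One AS/TGS exchange.  Returns (status, transport_used, attempts).

    client_supports_tcp=False models the Solaris 9 library Will describes:
    it only speaks UDP, so it can never recover from RESPONSE_TOO_BIG."""
    attempts = []
    for transport in transport_order(request_len, udp_preference_limit):
        if transport == "tcp" and not client_supports_tcp:
            continue
        kind, _value = kdc.send(transport)
        attempts.append((transport, kind))
        if kind == "reply":
            return ("ok", transport, attempts)
        # RESPONSE_TOO_BIG over UDP: fall through and retry on the other
        # transport, as the MIT library does.
    return ("failed", None, attempts)


if __name__ == "__main__":
    ad = FakeADKDC(reply_len=3000)  # constructed: reply larger than a datagram
    print("MIT default limit:      ", exchange(ad, 300))
    print("udp_preference_limit=1: ", exchange(ad, 300, udp_preference_limit=1))
    print("UDP-only client:        ", exchange(ad, 300, client_supports_tcp=False))
```

With the default limit the client wastes one UDP round trip before succeeding over TCP; with udp_preference_limit = 1 it goes to TCP first; a UDP-only client fails outright, which is the Solaris 9 case. Note that in this thread the real cause turned out to be the wrong kinit binary, so a packet capture (as Doug suggests) is still the right way to confirm which transport is actually being used.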
From jamen.mcgranahan at Vanderbilt.Edu Fri Apr 24 15:50:47 2009
From: jamen.mcgranahan at Vanderbilt.Edu (McGranahan, Jamen)
Date: Fri, 24 Apr 2009 14:50:47 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <49F213D4.6030904@anl.gov>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu> <49EF7636.50006@anl.gov> <63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
<49F213D4.6030904@anl.gov>
Message-ID: <63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
Error:
lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj at DS.VANDERBILT.EDU
Kerberos initialization on lib240
kinit: Can't send request (send_to_kdc) for principal
mcgranj at DS.VANDERBILT.EDU
Ldd command:
lib240:/usr/local/krb5-1.6.3/bin#ldd kinit
libkrb4.so.2 => /usr/local/krb5-1.6.3/lib/libkrb4.so.2
libdes425.so.3 =>
/usr/local/krb5-1.6.3/lib/libdes425.so.3
libkrb5.so.3 => /usr/local/krb5-1.6.3/lib/libkrb5.so.3
libk5crypto.so.3 =>
/usr/local/krb5-1.6.3/lib/libk5crypto.so.3
libcom_err.so.3 =>
/usr/local/krb5-1.6.3/lib/libcom_err.so.3
libkrb5support.so.0 =>
/usr/local/krb5-1.6.3/lib/libkrb5support.so.0
libresolv.so.2 => /lib/libresolv.so.2
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libdl.so.1 => /lib/libdl.so.1
libc.so.1 => /lib/libc.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libmp.so.2 => /lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
Krb5.conf:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = DS.VANDERBILT.EDU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
  udp_preference_limit = 1

[realms]
  DS.VANDERBILT.EDU = {
    kdc = 129.59.1.26
    admin_server = ds.vanderbilt.edu
    default_domain = vanderbilt.edu
  }
  VANDERBILT.EDU = {
    kdc = ds.vanderbilt.edu
    admin_server = ds.vanderbilt.edu
    default_domain = vanderbilt.edu
  }

[domain_realm]
  .vanderbilt.edu = DS.VANDERBILT.EDU
  vanderbilt.edu = DS.VANDERBILT.EDU

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
  kinit = {
    renewable = true
    forwardable = true
  }
-------------------
Jamen McGranahan
Systems Services Librarian
Vanderbilt University
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Douglas E. Engert
Sent: Friday, April 24, 2009 2:33 PM
To: Jamen
Cc: kerberos at mit.edu
Subject: Re: KRB5 & Sun Solaris 9
Jamen wrote:
> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
> will not work with Samba on Solaris 9. I've been told that there is a
> version on 10 that does work, but I couldn't get it to work on our
> box, but did with MIT's. Our goal is to create share drives on these
> servers through Active Directory, and we're utilizing Samba, KRB, and
> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
> all of the resources, but Keberos fails when I issue the kinit
> command.
The MIT kinit should work. What is the error again?
What does
ldd /usr/local/krb5-1.6.3/bin/kinit
show?
You have not sent a copy of the krb5.conf to the list,
are you willing to do so? Or to selected individuals?
As Will said below, it might be a UDP/TCP issue.
Have you added a udp_preference_limit = 1
to the [libdefaults] section? This says prefer UDP
if the packet size is less than 1. In other words
always use TCP.
Wireshark (or other network trace program) can be very handy
to see packets sent by kinit, and to where it is sending
them. It will also show DNS activity trying to locate the KDCs.
From William.Fiveash at Sun.COM Fri Apr 24 15:50:31 2009
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Fri, 24 Apr 2009 14:50:31 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To:
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
Message-ID: <20090424195031.GC14904@sun.com>
On Fri, Apr 24, 2009 at 08:46:03AM -0700, Jamen wrote:
> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
> will not work with Samba on Solaris 9. I've been told that there is a
> version on 10 that does work, but I couldn't get it to work on our
> box, but did with MIT's. Our goal is to create share drives on these
> servers through Active Directory, and we're utilizing Samba, KRB, and
> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
> all of the resources, but Keberos fails when I issue the kinit
> command. Currently, we are not able to upgrade the box to 10 since it
> is a heavily used server. Any other guidance would be greatly
> appreciated!
A couple points:
1. Which kinit are you running? Make sure you're running
the MIT kinit and not the Solaris version.
2. It's my impression samba for Solaris 10 has been enhanced and
supports krb auth. When I get more info on this I'll pass it on.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From deengert at anl.gov Fri Apr 24 16:14:58 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 24 Apr 2009 15:14:58 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu> <49EF7636.50006@anl.gov> <63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
<49F213D4.6030904@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
Message-ID: <49F21DC2.4010705@anl.gov>
McGranahan, Jamen wrote:
> Error:
> lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj at DS.VANDERBILT.EDU
> Kerberos initialization on lib240
> kinit: Can't send request (send_to_kdc) for principal
> mcgranj at DS.VANDERBILT.EDU
>
> Ldd command:
> lib240:/usr/local/krb5-1.6.3/bin#ldd kinit
> libkrb4.so.2 => /usr/local/krb5-1.6.3/lib/libkrb4.so.2
> libdes425.so.3 =>
> /usr/local/krb5-1.6.3/lib/libdes425.so.3
> libkrb5.so.3 => /usr/local/krb5-1.6.3/lib/libkrb5.so.3
> libk5crypto.so.3 =>
> /usr/local/krb5-1.6.3/lib/libk5crypto.so.3
> libcom_err.so.3 =>
> /usr/local/krb5-1.6.3/lib/libcom_err.so.3
> libkrb5support.so.0 =>
> /usr/local/krb5-1.6.3/lib/libkrb5support.so.0
> libresolv.so.2 => /lib/libresolv.so.2
> libsocket.so.1 => /lib/libsocket.so.1
> libnsl.so.1 => /lib/libnsl.so.1
> libdl.so.1 => /lib/libdl.so.1
> libc.so.1 => /lib/libc.so.1
> libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
> libmp.so.2 => /lib/libmp.so.2
> /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
>
Above looks OK.
So you have two realms? Which one is AD? Are both?
Do you have cross-realm set up? (But it should not affect
kinit if the user is in realm DS.VANDERBILT.EDU.)
Why the IP number for the KDC in DS.VANDERBILT.EDU?
Why are the admin_servers the same for both realms?
This can work if the KDC services both realms,
but you said you wanted to use AD!
I hope you are not trying to have two realms, one AD and
the other MIT-based, both with the same realm name?
> Krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DS.VANDERBILT.EDU
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> udp_preference_limit = 1
>
> [realms]
> DS.VANDERBILT.EDU = {
> kdc = 129.59.1.26
> admin_server = ds.vanderbilt.edu
> default_domain = vanderbilt.edu
> }
> VANDERBILT.EDU = {
> kdc = ds.vanderbilt.edu
> admin_server = ds.vanderbilt.edu
> default_domain = vanderbilt.edu
> }
>
> [domain_realm]
> .vanderbilt.edu = DS.VANDERBILT.EDU
> vanderbilt.edu = DS.VANDERBILT.EDU
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> kinit = {
> renewable = true
> forwardable = true
> }
>
> -------------------
>
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Douglas E. Engert
> Sent: Friday, April 24, 2009 2:33 PM
> To: Jamen
> Cc: kerberos at mit.edu
> Subject: Re: KRB5 & Sun Solaris 9
>
>
>
> Jamen wrote:
>> In order to utilize Samba, we have to use MIT or Heimdal's KRB. Sun's
>> will not work with Samba on Solaris 9. I've been told that there is a
>> version on 10 that does work, but I couldn't get it to work on our
>> box, but did with MIT's. Our goal is to create share drives on these
>> servers through Active Directory, and we're utilizing Samba, KRB, and
>> OpenLDAP for this purpose. I've installed Samba and Samba is seeing
>> all of the resources, but Keberos fails when I issue the kinit
>> command.
>
> The MIT kinit should work. What is the error again?
> What does
> ldd /usr/local/krb5-1.6.3/bin/kinit
> show?
>
> You have not sent a copy of the krb5.conf to the list,
> are you willing to do so? Or to selected individuals?
>
> As Will said below, it might be a UDP/TCP issue.
> Have you added a udp_preference_limit = 1
> to the [libdefaults] section? This says prefer UDP
> if the packet size is less than 1. In other words
> always use TCP.
>
> Wireshark (or other network trace program) can be very handy
> to see packets sent by kinit, and to where it is sending
> them. It will also show DNS activity trying to locate the KDCs.
>
>
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From William.Fiveash at Sun.COM Fri Apr 24 16:17:25 2009
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Fri, 24 Apr 2009 15:17:25 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
<49F213D4.6030904@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
Message-ID: <20090424201725.GD14904@sun.com>
On Fri, Apr 24, 2009 at 02:50:47PM -0500, McGranahan, Jamen wrote:
> Error:
> lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj at DS.VANDERBILT.EDU
> Kerberos initialization on lib240
> kinit: Can't send request (send_to_kdc) for principal
> mcgranj at DS.VANDERBILT.EDU
Can you ping the kdc below?
kdc = 129.59.1.26
> Krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DS.VANDERBILT.EDU
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
It may not make a difference but I've always seen the enctypes as all
lower case strings.
> udp_preference_limit = 1
>
> [realms]
> DS.VANDERBILT.EDU = {
> kdc = 129.59.1.26
> admin_server = ds.vanderbilt.edu
> default_domain = vanderbilt.edu
> }
> VANDERBILT.EDU = {
> kdc = ds.vanderbilt.edu
> admin_server = ds.vanderbilt.edu
> default_domain = vanderbilt.edu
> }
>
> [domain_realm]
> .vanderbilt.edu = DS.VANDERBILT.EDU
> vanderbilt.edu = DS.VANDERBILT.EDU
>
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From jamen.mcgranahan at Vanderbilt.Edu Fri Apr 24 16:45:00 2009
From: jamen.mcgranahan at Vanderbilt.Edu (McGranahan, Jamen)
Date: Fri, 24 Apr 2009 15:45:00 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <20090424201725.GD14904@sun.com>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
<49F213D4.6030904@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
<20090424201725.GD14904@sun.com>
Message-ID: <63566160FBD1BE43873B5A100A4222DF0AF32491@mailbe17.email.Vanderbilt.edu>
* Yes, I can ping the kdc.
* Doug: as for the IP address use, we found that for some reason, it
worked better with the IP on the other 2 boxes we have this installed &
working. So, keeping the same settings, logic would suggest it should
work here too. I've also tried changing the VANDERBILT.EDU realm with
just an IP address for the KDC, but that gave me no change. As for why
we have 2 realms, etc., this was all pre-configured and found to work on
our other 2 Sun boxes. I really don't know the reasoning behind it.
Sorry.
Jamen McGranahan
Systems Services Librarian
Vanderbilt University
-----Original Message-----
From: Will Fiveash [mailto:William.Fiveash at Sun.COM]
Sent: Friday, April 24, 2009 3:17 PM
To: McGranahan, Jamen
Cc: Douglas E. Engert; kerberos at mit.edu
Subject: Re: KRB5 & Sun Solaris 9
On Fri, Apr 24, 2009 at 02:50:47PM -0500, McGranahan, Jamen wrote:
> Error:
> lib240:/usr/local/krb5-1.6.3/bin#kinit mcgranj at DS.VANDERBILT.EDU
> Kerberos initialization on lib240
> kinit: Can't send request (send_to_kdc) for principal
> mcgranj at DS.VANDERBILT.EDU
Can you ping the kdc below?
kdc = 129.59.1.26
> Krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DS.VANDERBILT.EDU
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
> default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
It may not make a difference but I've always seen the enctypes as all
lower case strings.
> udp_preference_limit = 1
>
> [realms]
> DS.VANDERBILT.EDU = {
> kdc = 129.59.1.26
> admin_server = ds.vanderbilt.edu
> default_domain = vanderbilt.edu
> }
> VANDERBILT.EDU = {
> kdc = ds.vanderbilt.edu
> admin_server = ds.vanderbilt.edu
> default_domain = vanderbilt.edu
> }
>
> [domain_realm]
> .vanderbilt.edu = DS.VANDERBILT.EDU
> vanderbilt.edu = DS.VANDERBILT.EDU
>
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From William.Fiveash at Sun.COM Fri Apr 24 17:09:48 2009
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Fri, 24 Apr 2009 16:09:48 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <63566160FBD1BE43873B5A100A4222DF0AF32491@mailbe17.email.Vanderbilt.edu>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
<49F213D4.6030904@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
<20090424201725.GD14904@sun.com>
<63566160FBD1BE43873B5A100A4222DF0AF32491@mailbe17.email.Vanderbilt.edu>
Message-ID: <20090424210948.GE14904@sun.com>
On Fri, Apr 24, 2009 at 03:45:00PM -0500, McGranahan, Jamen wrote:
> * Yes, I can ping the kdc.
Try:
truss -o /tmp/truss.out -u:: kinit
which will show all the functions called and their return values (well,
if they have a non-void return value). This may help pin down why kinit
is failing.
> * Doug: as for the IP address use, we found that for some reason, it
> worked better with the IP on the other 2 boxes we have this installed &
> working. So, keeping the same settings, logic would suggest it should
> work here too.
Well, it really depends on your DNS configuration. Does nslookup work
for the KDC hostname on the Solaris systems? In general it should. Use
of an IP address for the kdc usually indicates a distrust of the DNS
servers.
> I've also tried changing the VANDERBILT.EDU realm with
> just an IP address for the KDC, but that gave me no change. As for why
> we have 2 realms, etc., this was all pre-configured and found to work on
> our other 2 Sun boxes. I really don't know the reasoning behind it.
> Sorry.
>
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From jamen.mcgranahan at Vanderbilt.Edu Fri Apr 24 22:48:23 2009
From: jamen.mcgranahan at Vanderbilt.Edu (McGranahan, Jamen)
Date: Fri, 24 Apr 2009 21:48:23 -0500
Subject: KRB5 & Sun Solaris 9
In-Reply-To: <20090424210948.GE14904@sun.com>
References: <63566160FBD1BE43873B5A100A4222DF0AE33659@mailbe17.email.Vanderbilt.edu>
<49EF7636.50006@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AE85115@mailbe17.email.Vanderbilt.edu>
<49F213D4.6030904@anl.gov>
<63566160FBD1BE43873B5A100A4222DF0AF32317@mailbe17.email.Vanderbilt.edu>
<20090424201725.GD14904@sun.com>
<63566160FBD1BE43873B5A100A4222DF0AF32491@mailbe17.email.Vanderbilt.edu>
<20090424210948.GE14904@sun.com>
Message-ID: <63566160FBD1BE43873B5A100A4222DF0AF3266B@mailbe17.email.Vanderbilt.edu>
That was a HUGE help! Thanks Will. What I learned was the kinit command
was launching the default Sun KRB program instead of the one I
installed. So, when I used the full path for the new kinit
(/usr/local/krb5-1.6.3/bin/kinit mcgranj at DS.VANDERBILT.EDU), it worked!
Thanks for the tip!
Jamen McGranahan
-----Original Message-----
On Fri, Apr 24, 2009 at 03:45:00PM -0500, McGranahan, Jamen wrote:
> * Yes, I can ping the kdc.
Try:
truss -o /tmp/truss.out -u:: kinit
which will show all the functions called and their return values (well,
if they have a non-void return value). This may help pin down why kinit
is failing.
> * Doug: as for the IP address use, we found that for some reason, it
> worked better with the IP on the other 2 boxes we have this installed &
> working. So, keeping the same settings, logic would suggest it should
> work here too.
Well, it really depends on your DNS configuration. Does nslookup work
for the KDC hostname on the Solaris systems? In general it should. Use
of an IP address for the kdc usually indicates a distrust of the DNS
servers.
--> PS. Nslookup worked, by the way.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From isanamespace at gmail.com Mon Apr 27 15:05:03 2009
From: isanamespace at gmail.com (Rob)
Date: Mon, 27 Apr 2009 12:05:03 -0700 (PDT)
Subject: kadmind: Stored master key is corrupted while initializing, aborting
Message-ID:
Hi:
I'm trying to get kerberos V up and running and I've been hitting
weird problems on solaris 10.
The latest is this error when trying to start kadmind:
kadmind: Stored master key is corrupted while initializing, aborting
Any suggestions on why this is happening and how to fix it?
FWIW I am building kerberos from source.
TIA!
From isanamespace at gmail.com Mon Apr 27 17:21:51 2009
From: isanamespace at gmail.com (Rob)
Date: Mon, 27 Apr 2009 14:21:51 -0700 (PDT)
Subject: kadmind: Stored master key is corrupted while initializing,
aborting
References:
Message-ID:
On Apr 27, 3:05 pm, Rob wrote:
> Hi:
>
> I'm trying to get kerberos V up and running and I've been hitting
> weird problems on solaris 10.
>
> The latest is this error when trying to start kadmind:
> kadmind: Stored master key is corrupted while initializing, aborting
>
> Any suggestions on why this is happening and how to fix it?
>
> FWIW I am building kerberos from source.
>
> TIA!
There is probably value in adding that I'm using MIT Kerberos of which
I downloaded and compiled from MIT's site.
From William.Fiveash at Sun.COM Mon Apr 27 19:02:24 2009
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Mon, 27 Apr 2009 18:02:24 -0500
Subject: kadmind: Stored master key is corrupted while initializing,
aborting
In-Reply-To:
References:
Message-ID: <20090427230224.GA1348@sun.com>
On Mon, Apr 27, 2009 at 02:21:51PM -0700, Rob wrote:
> On Apr 27, 3:05 pm, Rob wrote:
> > Hi:
> >
> > I'm trying to get kerberos V up and running and I've been hitting
> > weird problems on solaris 10.
> >
> > The latest is this error when trying to start kadmind:
> > kadmind: Stored master key is corrupted while initializing, aborting
> >
> > Any suggestions on why this is happening and how to fix it?
> >
> > FWIW I am building kerberos from source.
> >
> > TIA!
>
> There is probably value in adding that I'm using MIT Kerberos of which
> I downloaded and compiled from MIT's site.
Why not use the native Solaris Kerberos?
Second, you need to be very, very careful when following the manual
instructions for configuring an MIT KDC. Double check that.
Third, sometimes the native Solaris truss command can be useful in
seeing what is wrong with a user space program. One quick way of using
it is to do:
truss -o /tmp/truss.out -u:: -fea kadmind
and look through the truss.out for functions that appear to be returning
error codes. One thing that can confuse is the fact that truss reports
some random return code for functions that return void i.e. have no
return value. 'man truss' has more info.
--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
From miguel.sanders at arcelormittal.com Tue Apr 28 09:29:14 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Tue, 28 Apr 2009 15:29:14 +0200
Subject: RC4HMAC Issue To AD
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6E8DA@GEN-MXB-V04.msad.arcelor.net>
Hi folks
I'm observing a rather odd situation when using the RC4HMAC encryption
type to AD.
What I can see from the key exchanges is the following:
1) MIT Client performs AS-REQ and mentions aes256-cts-hmac-sha1-96,
rc4-hmac and des3-cbc-sha1 as supported enctypes.
2) AD responds with an AS-REP which holds the TGT and states it has been
encrypted with rc4-hmac.
3) Now the MIT client wants to verify the TGT and performs a TGS-REQ to
obtain the cross-realm ticket, and mentions aes256-cts-hmac-sha1-96,
rc4-hmac and des3-cbc-sha1 as supported enctypes.
4) AD now responds with KRB5KDC_ERR_ETYPE_NOSUPP, even though in steps 1)
and 2) we are sure it understands rc4-hmac.
I was pretty convinced that AD supported both DES (no option for us) and
RC4-HMAC for cross realm situations...
Any idea what I am doing wrong?
Thanks!
Miguel
****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****
From rwilper at stanford.edu Tue Apr 28 11:41:43 2009
From: rwilper at stanford.edu (Wilper, Ross A)
Date: Tue, 28 Apr 2009 08:41:43 -0700
Subject: RC4HMAC Issue To AD
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6E8DA@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206B6E8DA@GEN-MXB-V04.msad.arcelor.net>
Message-ID:
Is the external trust from Windows configured to use RC4-HMAC? If I
remember correctly, the default is DES-CBC-CRC (At least in Windows 2000
- 2003 R2).
HMAC-RC4 for external trust requires Windows 2003 SP1 or later domain
controllers.
For Pre-Windows 2008, there was a later version of "ktpass" to set the
encryption type for the trust (DES or RC4). In Windows 2008+, multiple
enctypes can be active on the trust and they can be set using "ksetup".
-Ross
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of miguel.sanders at arcelormittal.com
Sent: Tuesday, April 28, 2009 6:29 AM
To: kerberos at mit.edu
Subject: RC4HMAC Issue To AD
Hi folks
I'm observing a rather odd situation when using the RC4HMAC encryption
type to AD.
What I can see from the key exchanges is the following:
1) MIT Client performs AS-REQ and mentions aes256-cts-hmac-sha1-96,
rc4-hmac and des3-cbc-sha1 as supported enctypes.
2) AD responds with an AS-REP which holds the TGT and states it has been
encrypted with rc4-hmac.
3) Now the MIT client wants to verify the TGT and performs a TGS-REQ to
obtain the cross-realm ticket, and mentions aes256-cts-hmac-sha1-96,
rc4-hmac and des3-cbc-sha1 as supported enctypes.
4) AD now responds with KRB5KDC_ERR_ETYPE_NOSUPP, even though in steps 1)
and 2) we are sure it understands rc4-hmac.
I was pretty convinced that AD supported both DES (no option for us) and
RC4-HMAC for cross realm situations...
Any idea what I am doing wrong?
Thanks!
Miguel
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
From frank.gruellich at navteq.com Tue Apr 28 13:04:08 2009
From: frank.gruellich at navteq.com (Frank Gruellich)
Date: Tue, 28 Apr 2009 19:04:08 +0200
Subject: Principal for Apache httpd vhost
Message-ID: <49F73708.5080004@navteq.com>
Hi,
I have a Linux server which is named goofy (as in the output of the hostname
command) with fully qualified hostname goofy.example.com (as indicated by
hostname -f on the server itself). DNS has an A record pointing from
goofy.example.com to 191.168.0.123, including reverse lookup (dig
confirms this, even at other machines). This server runs an Apache
httpd with several vhosts configured, one of them www.example.com. This
is configured to use mod_auth_kerb for authentication. A CNAME
www.example.com is pointing to goofy.example.com.
Which principal do I add to the KDC database and export to
mod_auth_kerb's keytab? Howtos suggest using the fully qualified
hostname, e.g. HTTP/goofy.example.com at EXAMPLE.COM. However, browsers
have different opinions about that. Firefox/Seamonkey (I guess all
Gecko based browsers) on Linux use HTTP/goofy.example.com at EXAMPLE.COM.
Safari on Apple's Mac OS X requests HTTP/www.example.com at EXAMPLE.COM from
the KDC. Firefox on Mac OS X behaves like the Linux version. I don't have
more browsers available right now, but I will test others.
What is the correct behavior and configuration? Thanks for your help.
Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
From miguel.sanders at arcelormittal.com Tue Apr 28 12:26:40 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Tue, 28 Apr 2009 18:26:40 +0200
Subject: RC4HMAC Issue To AD
In-Reply-To:
References: <7DF29B50FFF41848BB2281EC2E71A206B6E8DA@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6E951@GEN-MXB-V04.msad.arcelor.net>
Hi Ross
Thanks a lot for your help.
Kind regards
Best regards
Yours sincerely
Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent
From tlyu at MIT.EDU Tue Apr 28 16:15:12 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Tue, 28 Apr 2009 16:15:12 -0400
Subject: does mit or heimdal have something like constrained delegation?
In-Reply-To: <49f7581c$0$1111$4fafbaef@reader2.news.tin.it>
(some.r@ndom.mail.invalid.net's message of "28 Apr 2009
19:25:16 GMT")
References: <49f7581c$0$1111$4fafbaef@reader2.news.tin.it>
Message-ID:
S2 writes:
> is there an implementation of a KDC that has support for something like
> AD does with constrained delegation?
MIT krb5-1.7 will contain S4U support, for installations where the KDB
backend supports it.
From tlyu at MIT.EDU Wed Apr 29 14:57:33 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 29 Apr 2009 14:57:33 -0400
Subject: ticket renew
In-Reply-To:
(Qiang Xu's message of "Thu, 23 Apr 2009 15:32:09 +0800")
References:
Message-ID:
"Xu, Qiang (FXSGSC)" writes:
> Hi, all:
>
> I have done a Kerberos authentication successfully, and got a TGT. And I also can use the TGT to do SASL binding in an LDAP query now.
>
> The ticket looks like:
> ===========================================
> MBC107:/var/log/nc <135> /tmp/dlms/kerberos/apps/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: xuan at SESSWIN2003.COM
>
> Valid starting Expires Service principal
> 04/23/09 15:14:53 04/24/09 01:13:50 krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
> renew until 04/24/09 15:14:53
> 04/23/09 15:13:50 04/24/09 01:13:50 ldap/sesswin2003.sesswin2003.com at SESSWIN2003.COM
> renew until 04/24/09 15:14:53
> ===========================================
> It says the ticket is renewable until some point. But how do I do that in code? Is there any function I can use to renew the ticket?
kinit -R
can renew a renewable ticket. Are you asking if there is an API for
renewing tickets?
From peter.djalaliev at gmail.com Wed Apr 29 08:35:15 2009
From: peter.djalaliev at gmail.com (Peter Djalaliev)
Date: Wed, 29 Apr 2009 05:35:15 -0700 (PDT)
Subject: does mit or heimdal have something like constrained delegation?
References: <49f7581c$0$1111$4fafbaef@reader2.news.tin.it>
<49f769c2$0$1111$4fafbaef@reader2.news.tin.it>
Message-ID: <9bbeee79-37a2-4c87-9821-75fef528af0b@z8g2000prd.googlegroups.com>
Heimdal supports S4U and constrained delegation, but I haven't tested
this feature, so I don't know if it is fully supported.
I believe the goal was to make Heimdal compatible with the AD Kerberos
implementation.
Regards,
Peter Djalaliev
On Apr 28, 4:40 pm, S2 wrote:
> On Tue, 28 Apr 2009 16:15:12 -0400, Tom Yu wrote:
> > MIT krb5-1.7 will contain S4U support, for installations where the KDB
> > backend supports it.
>
> thanks. do you know if s4u will be integrated in gss-api as well?
From Qiang.Xu at fujixerox.com Thu Apr 30 00:34:32 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 30 Apr 2009 12:34:32 +0800
Subject: ticket renew
In-Reply-To:
References:
Message-ID:
> -----Original Message-----
> From: Tom Yu [mailto:tlyu at MIT.EDU]
> Sent: Thursday, April 30, 2009 2:58 AM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: ticket renew
>
> kinit -R
Thank you, Tommy.
> can renew a renewable ticket. Are you asking if there is an
> API for renewing tickets?
Yes. If possible, I'd like to know if there is any API that can be used to renew tickets.
Thanks a lot,
Xu Qiang
From rra at stanford.edu Thu Apr 30 01:54:50 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 29 Apr 2009 22:54:50 -0700
Subject: ticket renew
In-Reply-To:
(Qiang Xu's message of "Thu\, 30 Apr 2009 12\:34\:32 +0800")
References:
Message-ID: <87ab5ysn2t.fsf@windlord.stanford.edu>
"Xu, Qiang (FXSGSC)" writes:
> Yes. If possible, I'd like to know if there is any API that can be
> used to renew tickets.
krb5_get_renewed_creds() is the API to call to get renewed credentials.
--
Russ Allbery (rra at stanford.edu)
From Qiang.Xu at fujixerox.com Thu Apr 30 02:18:09 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 30 Apr 2009 14:18:09 +0800
Subject: ticket renew
In-Reply-To: <87ab5ysn2t.fsf@windlord.stanford.edu>
References:
<87ab5ysn2t.fsf@windlord.stanford.edu>
Message-ID:
> -----Original Message-----
> From: Russ Allbery [mailto:rra at stanford.edu]
> Sent: Thursday, April 30, 2009 1:55 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: ticket renew
>
> krb5_get_renewed_creds() is the API to call to get renewed
> credentials.
It seems this function can only be called from within the Kerberos distribution, like in "kinit.c", right? If my application uses "kinit" to do Kerberos authentication, there seems to be no way for it to call this API directly.
Maybe I should stick to Tommy's method, i.e. use "kinit -R" to renew the ticket?
Thanks,
Xu Qiang
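An added example, not from any message in this thread and not MIT krb5 code: a small Python helper that reads the klist output quoted above and decides whether the TGT is still fine, should be renewed (kinit -R from a script, or krb5_get_renewed_creds() from C), or must be obtained afresh because its renewable life is used up. The names parse_klist, classify and plan are hypothetical; the sample is reconstructed from the thread's klist output.

```python
"""Decide when a renewable ticket should be renewed with `kinit -R` (or, inside a
program, krb5_get_renewed_creds()) and when a fresh kinit is needed instead.
Hypothetical helper, not part of MIT krb5; it reads MIT klist output in the
layout shown in the thread."""
import re
import subprocess
from datetime import datetime, timedelta

# klist prints "MM/DD/YY HH:MM:SS" here; the exact layout is locale-dependent.
_TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
_ENTRY = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")
_RENEW = re.compile(rf"^renew until ({_TS})$")


def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_klist(text):
    """Return one dict per ticket: service, starting, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if m := _ENTRY.match(line):
            tickets.append({"starting": parse_ts(m.group(1)), "expires": parse_ts(m.group(2)),
                            "service": m.group(3), "renew_until": None})
        elif (m := _RENEW.match(line)) and tickets:
            tickets[-1]["renew_until"] = parse_ts(m.group(1))  # belongs to the previous line
    return tickets


def classify(ticket, now, margin=timedelta(minutes=30)):
    """'ok': still valid for more than `margin`;
    'renew': expiring soon and renewal buys more than `margin` (kinit -R);
    'reacquire': expired, not renewable, or the renewable life is nearly used up."""
    if now >= ticket["expires"]:
        return "reacquire"
    if ticket["expires"] - now > margin:
        return "ok"
    renew_until = ticket["renew_until"]
    # A renewed ticket never outlives renew_until, so renewing close to that
    # deadline only postpones the fresh kinit by a few minutes.
    if renew_until is not None and renew_until - now > margin:
        return "renew"
    return "reacquire"


def plan(klist_text, now):
    """Pick the TGT (krbtgt/REALM@REALM) and say what to do with it."""
    for ticket in parse_klist(klist_text):
        if ticket["service"].startswith("krbtgt/"):
            return classify(ticket, now), ticket["service"]
    return "reacquire", None  # no TGT in the cache at all


def current_plan():
    """Run the real klist and decide for the current credential cache."""
    out = subprocess.run(["klist"], capture_output=True, text=True, check=True).stdout
    return plan(out, datetime.now())


# Constructed sample, reproducing the klist output quoted in the thread.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xuan@SESSWIN2003.COM

Valid starting     Expires            Service principal
04/23/09 15:14:53  04/24/09 01:13:50  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 04/24/09 15:14:53
04/23/09 15:13:50  04/24/09 01:13:50  ldap/sesswin2003.sesswin2003.com@SESSWIN2003.COM
        renew until 04/24/09 15:14:53
"""
```

Service tickets are not renewed individually: once the TGT has been renewed, a fresh ldap/... ticket is fetched with it on the next use.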
From isanamespace at gmail.com Thu Apr 30 09:03:16 2009
From: isanamespace at gmail.com (Rob)
Date: Thu, 30 Apr 2009 06:03:16 -0700 (PDT)
Subject: MIT Kerberos: Cannot resolve network address for KDC in realm
Message-ID: <6940d10d-5cf0-4186-ba64-7a0d2e807087@d38g2000prn.googlegroups.com>
Hi:
I've been having a hard time getting MIT Kerberos up and running on
Solaris 10.
The latest of my problems is this error when I run kinit from the KDC.
dsldap01$ /krb5/bin/kinit rob/admin at alezeo.com
kinit(v5): Cannot resolve network address for KDC in realm alezeo.com
while getting initial credentials
This sounds like a DNS problem, but I don't think it is.
dsldap01$ host -t A dsldap01.alezeo.com
dsldap01.alezeo.com has address 10.93.120.72
Also in my hosts file:
127.0.0.1 localhost
10.93.120.72 dsldap01.alezeo.com dsldap01 loghost
Here is my krb5.conf
=============
[libdefaults]
dns_lookup_realm = false
default_realm = ALEZEO.COM
ticket_lifetime = 600
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[kdc]
profile = /krb5/var/krb5kdc/kdc.conf
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
admin_server = FILE:/var/krb5/adm.log
[realms]
ALEZEO.COM = {
kdc = dsldap01.alezeo.com:88
admin_server = dsldap01.alezeo.com:749
default_domain = alezeo.com
}
[domain_realm]
.alezeo.com = ALEZEO.COM
alezeo.com = ALEZEO.COM
[login]
krb4_convert = 0
Here is my kdc.conf
============
[kdcdefaults]
kdc_ports = 88
[realms]
alezeo.com = {
profile = /etc/krb5.conf
database_name = /krb5/var/krb5kdc/principal
admin_database_name = /krb5/var/krb5kdc/kadm5_adb
admin_database_lockfile = /krb5/var/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/krb5/var/krb5kdc/kadm5.keytab
acl_file = /krb5/var/krb5kdc/kadm5.acl
kdc_ports = 88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des:v4
}
Any suggestions are appreciated!
TIA!
From miguel.sanders at arcelormittal.com Thu Apr 30 10:15:00 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu, 30 Apr 2009 16:15:00 +0200
Subject: MIT Kerberos: Cannot resolve network address for KDC in realm
In-Reply-To: <6940d10d-5cf0-4186-ba64-7a0d2e807087@d38g2000prn.googlegroups.com>
References: <6940d10d-5cf0-4186-ba64-7a0d2e807087@d38g2000prn.googlegroups.com>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6ED4C@GEN-MXB-V04.msad.arcelor.net>
alezeo.com should be upper case.
Realm names are always upper case!
Kind regards
Best regards
Yours sincerely
Miguel SANDERS
ArcelorMittal Gent
UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent
T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders at arcelormittal.com
www.arcelormittal.com/gent
From hy93 at cornell.edu Thu Apr 30 11:10:19 2009
From: hy93 at cornell.edu (Hong Ye)
Date: Thu, 30 Apr 2009 11:10:19 -0400
Subject: Race condition in /ccache/cc_memory.c
Message-ID: <49F9BF5B.3070608@cornell.edu>
Hi,
Our authentication application, developed using MIT Kerberos, crashed in a
multi-threaded environment on Windows. I found this post, which describes
the same problem as we were seeing. The post was dated Nov 2005. Has
this problem been resolved in the latest Kerberos library? If not, is there
a workaround?
"Using the MEMORY credentials cache from multiple threads is not
thread-safe and crashes."
http://mailman.mit.edu/pipermail/krb5-bugs/2005-November/004061.html
Any suggestions are appreciated,
Hong
From ghudson at MIT.EDU Thu Apr 30 11:53:14 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU)
Date: Thu, 30 Apr 2009 11:53:14 -0400 (EDT)
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49F9BF5B.3070608@cornell.edu>
References: <49F9BF5B.3070608@cornell.edu>
Message-ID: <200904301553.n3UFrEAo003970@outgoing.mit.edu>
> Our authentication application, developed using MIT Kerberos, crashed
> in a multi-threaded environment on Windows. I found this post, which
> describes the same problem as we were seeing. The post was dated
> Nov 2005. Has this problem been resolved in the latest Kerberos
> library? If not, is there a workaround?
I believe this was fixed in krb5 1.6. See RT tickets #4805 and #3089.
r18887 | tlyu | 2006-11-30 17:42:16 -0500 (Thu, 30 Nov 2006) | 10 lines
ticket: 4805
tags: pullup
component: krb5-libs
* src/lib/krb5/krb/vfy_increds.c (krb5_verify_init_creds): Use
krb5_cc_new_unique().
* src/lib/gssapi/krb5/accept_sec_context.c:
(rd_and_store_for_creds): Use krb5_cc_new_unique().
From jaltman at secure-endpoints.com Thu Apr 30 15:34:24 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 30 Apr 2009 15:34:24 -0400
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49F9BF5B.3070608@cornell.edu>
References: <49F9BF5B.3070608@cornell.edu>
Message-ID: <49F9FD40.3030601@secure-endpoints.com>
What version of KFW are you using?
From hy93 at cornell.edu Thu Apr 30 15:46:36 2009
From: hy93 at cornell.edu (Hong Ye)
Date: Thu, 30 Apr 2009 15:46:36 -0400
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49F9FD40.3030601@secure-endpoints.com>
References: <49F9BF5B.3070608@cornell.edu>
<49F9FD40.3030601@secure-endpoints.com>
Message-ID: <49FA001C.4070408@cornell.edu>
The latest release, KFW 3.2.2.
From jaltman at secure-endpoints.com Thu Apr 30 15:59:34 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 30 Apr 2009 15:59:34 -0400
Subject: Race condition in /ccache/cc_memory.c
In-Reply-To: <49FA001C.4070408@cornell.edu>
References: <49F9BF5B.3070608@cornell.edu>
<49F9FD40.3030601@secure-endpoints.com>
<49FA001C.4070408@cornell.edu>
Message-ID: <49FA0326.8040108@secure-endpoints.com>
How have you confirmed that the issue you are experiencing is the one
described in the Nov 2005 post?
Do you have a stack trace or a crash dump from the application?
From David.Bear at asu.edu Thu Apr 30 17:36:16 2009
From: David.Bear at asu.edu (David Bear)
Date: Thu, 30 Apr 2009 14:36:16 -0700
Subject: KfW and NiM getting multiple TGT's
Message-ID: <1d1a54bf0904301436n353873b9v6911b2f37641dfb9@mail.gmail.com>
Normally, when we install KfW (currently using 3.2.2) on windows, we include
a krb5.ini file that is mostly the same as the krb5.conf we use on linux.
Our krb5.ini only has asu.edu realm information in it. We also have an AD
domain to which our windows clients are joined. When a user does a domain
logon, they normally get 2 credentials automatically, one for the AD domain,
and one for our ASU.EDU realm. This is the behavior we like.
However, today, using the same configuration file, NiM is only reporting
credentials for the AD domain -- it is not automatically getting credentials
from the ASU.EDU realm. We have selected (obtain new creds at startup) and
(destroy all creds on exit) but this makes no difference. For some reason,
KfW is not getting all the creds we are used to at startup. Any advice on
how to get the behavior back that we want?
--
David Bear
College of Public Programs at ASU
602-464-0424
From isanamespace at gmail.com Thu Apr 30 13:33:02 2009
From: isanamespace at gmail.com (Rob)
Date: Thu, 30 Apr 2009 10:33:02 -0700 (PDT)
Subject: MIT Kerberos: Cannot resolve network address for KDC in realm
References: <6940d10d-5cf0-4186-ba64-7a0d2e807087@d38g2000prn.googlegroups.com>
Message-ID:
On Apr 30, 10:15 am, miguel.sand... at arcelormittal.com wrote:
> alezeo.com should be upper case.
> Realm names are always upper case!
>
Thanks, that was it!
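An added example, not from any message in this thread and not MIT krb5 code: a Python check that parses krb5.conf and kdc.conf just far enough to compare realm names byte for byte, the way krb5 does, and reports the lower-case alezeo.com that caused the error above, whether it appears in kdc.conf or in the principal typed on the kinit command line. The names parse_profile and realm_problems are hypothetical, and the samples are abbreviated from the configuration Rob posted.

```python
"""Check that realm names agree, case-sensitively, across krb5.conf, kdc.conf and
a principal name. Hypothetical checker, not part of MIT krb5; it reads the krb5
profile format (sections, key = value, key = { ... } blocks) only as far as needed."""
import re

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_KV = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_profile(text):
    """Return {section: {key: value | nested dict}}; the first value of a key wins."""
    profile, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if m := _SECTION.match(line):
            stack = [profile.setdefault(m.group(1), {})]
        elif not stack:
            raise ValueError(f"value outside any [section]: {raw!r}")
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif m := _OPEN.match(line):
            stack.append(stack[-1].setdefault(m.group(1), {}))
        elif m := _KV.match(line):
            stack[-1].setdefault(m.group(1), m.group(2).strip())
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    return profile


def realm_problems(krb5_conf, kdc_conf, principal=None):
    """List realm names krb5 would fail to look up; [] means everything agrees.

    krb5 compares realm names byte for byte, so 'alezeo.com' never matches
    'ALEZEO.COM' even though DNS treats the two as the same domain."""
    krb5, kdc = parse_profile(krb5_conf), parse_profile(kdc_conf)
    known = krb5.get("realms", {})
    problems = []

    def check(where, realm):
        if realm in known:
            return
        near = [r for r in known if r.upper() == realm.upper()]
        if near:
            problems.append(f"{where}: realm {realm!r} differs only in case from "
                            f"{near[0]!r} in krb5.conf [realms]")
        else:
            problems.append(f"{where}: realm {realm!r} is not in krb5.conf [realms]")

    default_realm = krb5.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        problems.append("krb5.conf: [libdefaults] has no default_realm")
    else:
        check("krb5.conf default_realm", default_realm)
    for realm in kdc.get("realms", {}):  # the mistake in the thread lives here
        check("kdc.conf [realms]", realm)
    if principal and "@" in principal:  # realm as typed on the kinit command line
        check(f"principal {principal}", principal.rsplit("@", 1)[1])
    return problems


# Constructed samples, abbreviated from the configuration posted in the thread.
KRB5_CONF = """\
[libdefaults]
 default_realm = ALEZEO.COM
[realms]
 ALEZEO.COM = {
  kdc = dsldap01.alezeo.com:88
  admin_server = dsldap01.alezeo.com:749
 }
"""
KDC_CONF_BAD = """\
[kdcdefaults]
 kdc_ports = 88
[realms]
 alezeo.com = {
  database_name = /krb5/var/krb5kdc/principal
 }
"""
KDC_CONF_OK = KDC_CONF_BAD.replace("alezeo.com = {", "ALEZEO.COM = {")
```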
From jaltman at secure-endpoints.com Thu Apr 30 19:41:42 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 30 Apr 2009 19:41:42 -0400
Subject: KfW and NiM getting multiple TGT's
In-Reply-To: <1d1a54bf0904301436n353873b9v6911b2f37641dfb9@mail.gmail.com>
References: <1d1a54bf0904301436n353873b9v6911b2f37641dfb9@mail.gmail.com>
Message-ID: <49FA3736.7070108@secure-endpoints.com>
NIM does not obtain the credentials. The KFW network provider
(kfwlogon.dll) does this if and only if:
1. the passwords for the AD and MIT realms are the same
2. kfwlogon.dll is installed
3. the default realm in the krb5.ini file is the MIT realm
The NIM "obtain new creds at startup" option does not affect kfwlogon.dll.
What it does is prompt the user for credentials if there are none
available at startup.
Jeffrey Altman