From edward at murrell.co.nz Sat Aug 1 00:29:29 2009
From: edward at murrell.co.nz (Edward Murrell)
Date: Sat, 01 Aug 2009 16:29:29 +1200
Subject: noob question on where to start with Kerberos
In-Reply-To:
References: <1248734700.27815.10.camel@entropy>
Message-ID: <1249100969.6228.13.camel@fusion>

Hi Bryan,

The code is fairly tightly integrated with the Apache kerberos handler, so probably won't work for you. I intend to put it up on sourceforge at some point (lack of arounds to it, notwithstanding). At that point it should be available to all.

On Mon, 2009-07-27 at 16:08 -0700, Bryan Boone wrote:
> Hi Edward thanks for the reply. Unfortunately due to certain restrictions at this company I cannot use the apache mod. Also I meant the LDAP group, sorry about the wrong use of terminology. However the sample code you have would be very helpful for me to learn from if you don't mind.
>
> > Subject: Re: noob question on where to start with Kerberos
> > From: edward at murrell.co.nz
> > To: kerberos at mit.edu
> > Date: Tue, 28 Jul 2009 10:44:59 +1200
> >
> > For Apache:
> > http://modauthkerb.sourceforge.net/
> >
> > Should do everything you want already.
> >
> > Also, since group information is not stored on a Kerberos server, I assume you're going to be looking up LDAP information. I have some code that simplifies this somewhat, if you are using RFC 2307 (posix/NIS) compliant LDAP schemas. Other people have already written (and to be fair, support much better) php libraries for handling active directory LDAP lookups.
> >
> > Cheers,
> > Edward Murrell
> >
> > On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> > > Hi everyone I have a noob question for ya.
> > >
> > > I need to develop a website for a company that uses kerberos login; the web server resides on a different server than the kerberos server. Unfortunately I cannot use the built in PHP functions for kerberos, so I need to write my own C kerberos client as a PHP extension. Also to eliminate possible man-in-the-middle attacks, I need to have the keytab file manually uploaded to the web server.
> > >
> > > So this web page will simply authenticate the user's username and password and then pull that user's group name from the kerberos server (while having the keytab on the web server). There is no need to kerberize any application here. Also I will not be needing to cache tickets or pass any tickets here. I will use PHP sessions for the website. I just need the authentication side of kerberos once per user login on the website.
> > >
> > > I read the O'Reilly Kerberos book and still have some questions.
> > >
> > > My question is, what methods are best for accomplishing my task. Can this be accomplished with the pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI? Which one would be easier for a noob?
> > >
> > > thanks
> > > ________________________________________________
> > > Kerberos mailing list    Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos

From marcus.nilsson at pulsen.se Sat Aug 1 03:45:37 2009
From: marcus.nilsson at pulsen.se (marcus.nilsson@pulsen.se)
Date: Sat, 1 Aug 2009 09:45:37 +0200
Subject: krenew: error renewing credentials: KDC returned error string: NO PREAUTH
Message-ID:

Hi list,

I'm running MIT Kerberos KDC version 1.7dfsg~beta3-1 on Debian squeeze/sid. I'm not able to renew TGT's:

    mani at irit:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_502_jLNe7k
    Default principal: mani at MERA.NU

    Valid starting     Expires            Service principal
    08/01/09 09:25:00  08/01/09 19:25:00  krbtgt/MERA.NU at MERA.NU
            renew until 08/08/09 09:25:00
    08/01/09 09:25:01  08/01/09 19:25:00  afs at MERA.NU
            renew until 08/08/09 09:25:00

    mani at irit:~$ krenew
    krenew: error renewing credentials: KDC returned error string: NO PREAUTH

auth.log:

    Aug  1 09:38:07 irit krb5kdc[20495]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 195.198.192.25: NO PREAUTH: authtime 0, mani at MERA.NU for krbtgt/MERA.NU at MERA.NU, Generic error (see e-text)
    Aug  1 09:38:07 irit krb5kdc[20495]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 195.198.192.25: NO PREAUTH: authtime 0, mani at MERA.NU for krbtgt/MERA.NU at MERA.NU, Generic error (see e-text)

kadmin: getprinc mani

    Principal: mani at MERA.NU
    Expiration date: [never]
    Last password change: Wed Feb 18 22:20:03 CET 2009
    Password expiration date: [none]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Wed Feb 18 22:20:03 CET 2009 (kadmind at MERA.NU)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 8
    Key: vno 5, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    Key: vno 5, ArcFour with HMAC/md5, no salt
    Key: vno 5, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 5, DES cbc mode with CRC-32, no salt
    Key: vno 5, DES cbc mode with RSA-MD5, Version 4
    Key: vno 5, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno 5, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno 5, DES cbc mode with RSA-MD5, AFS version 3
    MKey: vno 1
    Attributes:
    Policy: [none]

/etc/krb5kdc/kdc.conf:

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        MERA.NU = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
            default_principal_flags = +preauth,+forwardable,+renewable
        }

/etc/krb5.conf:

    [libdefaults]
        default_realm = MERA.NU
        dns_lookup_realm = false
        dns_lookup_kdc = false
        renew_lifetime = 36000
        forwardable = true

    [realms]
        MERA.NU = {
            kdc = 195.198.192.25
            admin_server = 195.198.192.25
            default_domain = mera.nu
        }

    [domain_realm]
        .mera.nu = MERA.NU

    [appdefaults]
        pam = {
            ticket_lifetime = 24h
            renew_lifetime = 8760h
            forwardable = true
            krb4_convert = true
        }

Any help appreciated!

Thanks
/ Marcus

From ghudson at MIT.EDU Sat Aug 1 08:15:51 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Sat, 01 Aug 2009 08:15:51 -0400
Subject: krenew: error renewing credentials: KDC returned error string: NO PREAUTH
In-Reply-To:
References:
Message-ID: <1249128951.7683.6.camel@ray>

On Sat, 2009-08-01 at 03:45 -0400, marcus.nilsson at pulsen.se wrote:
> I'm not able to renew TGT's:
[...]
> mani at irit:~$ krenew
> krenew: error renewing credentials: KDC returned error string: NO PREAUTH

Is the requires-preauth bit set on your krbtgt/MERA.NU principal? For reasons I don't personally understand, the "NO PREAUTH" error happens when a TGS request with no preauth comes in for a service (not client) principal with requires-preauth set.

Also, although I don't think this is at all relevant, krenew comes from a different source package from MIT Kerberos, so you might test with "kinit -R" just to remove that variable.

From marcus.nilsson at pulsen.se Sat Aug 1 09:39:32 2009
From: marcus.nilsson at pulsen.se (marcus.nilsson@pulsen.se)
Date: Sat, 1 Aug 2009 15:39:32 +0200
Subject: krenew: error renewing credentials: KDC returned error string: NO PREAUTH
In-Reply-To: <1249128951.7683.6.camel@ray>
References: <1249128951.7683.6.camel@ray>
Message-ID:

-----Greg Hudson wrote: -----
> Is the requires-preauth bit set on your krbtgt/MERA.NU principal?

kadmin: getprinc krbtgt/MERA.NU

    Principal: krbtgt/MERA.NU at MERA.NU
    Expiration date: [never]
    Last password change: [never]
    Password expiration date: [none]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Feb 09 15:24:45 CET 2009 (db_creation at MERA.NU)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 5
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    Key: vno 1, ArcFour with HMAC/md5, no salt
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Key: vno 1, DES cbc mode with RSA-MD5, no salt
    MKey: vno 1
    Attributes: REQUIRES_PRE_AUTH
    Policy: [none]

> Also, although I don't think this is at all relevant, krenew comes from a different source package from MIT Kerberos, so you might test with "kinit -R" just to remove that variable.

    mani at irit:~$ kinit -R
    kinit: KDC returned error string: NO PREAUTH while renewing credentials

/ Marcus

From ghudson at MIT.EDU Sat Aug 1 10:15:38 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Sat, 01 Aug 2009 10:15:38 -0400
Subject: krenew: error renewing credentials: KDC returned error string: NO PREAUTH
In-Reply-To:
References: <1249128951.7683.6.camel@ray>
Message-ID: <1249136138.7683.16.camel@ray>

On Sat, 2009-08-01 at 09:39 -0400, marcus.nilsson at pulsen.se wrote:
> -----Greg Hudson wrote: -----
>
> > Is the requires-preauth bit set on your krbtgt/MERA.NU principal?
> kadmin: getprinc krbtgt/MERA.NU
> [...]
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]

So... yes. Do you have any idea why? I believe this is why ticket renewal is failing.

From marcus.nilsson at pulsen.se Sat Aug 1 10:36:39 2009
From: marcus.nilsson at pulsen.se (marcus.nilsson@pulsen.se)
Date: Sat, 1 Aug 2009 16:36:39 +0200
Subject: krenew: error renewing credentials: KDC returned error string: NO PREAUTH
In-Reply-To: <1249136138.7683.16.camel@ray>
References: <1249128951.7683.6.camel@ray>, <1249136138.7683.16.camel@ray>
Message-ID:

-----Greg Hudson wrote: -----
> So... yes. Do you have any idea why? I believe this is why ticket renewal is failing.

I have no idea why that option would be set. "modprinc -requires_preauth krbtgt/MERA.NU at MERA.NU" solved the problem. Users can now renew their TGT's!

Thanks a lot!

Best regards
Marcus

From ltc.eterovick at gmail.com Mon Aug 3 09:56:45 2009
From: ltc.eterovick at gmail.com (Luís Eterovick)
Date: Mon, 3 Aug 2009 10:56:45 -0300
Subject: How to set up NIS->Krb5 user migration?
Message-ID: <10a91d0c0908030656l1aa6d7aeu2846f77c4979f49e@mail.gmail.com>

Hello, what I need is to create Kerberos principals for every NIS user in a network. I have a working MIT Kerberos 5 on my computer that I made to test. I've read about pam_krb5_migrate, but I didn't use pam for anything until now. How can I do this user creation, and is it possible to test it in my own Kerberos realm using the NIS information?

From bbense at stanford.edu Mon Aug 3 17:50:57 2009
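The NO PREAUTH thread above ends with a manual `getprinc` inspection; as an added example (not code from the thread or from MIT Kerberos), the script below parses `kadmin getprinc` dumps and flags exactly that condition, a service principal such as krbtgt carrying REQUIRES_PRE_AUTH, and also lists the single-DES key types the posted dumps show. The sample dumps are copied from the thread with `@` restored and trimmed to a few keys.

```python
"""Audit 'kadmin getprinc' output for the failure mode in the NO PREAUTH
thread: a service principal (krbtgt/REALM) carrying REQUIRES_PRE_AUTH, which
makes the KDC answer TGS requests such as renewals with NO PREAUTH.
Also reports single-DES keys, which the posted dumps show the principals hold.
Added example; sample dumps are taken from the thread and trimmed."""
import re
from dataclasses import dataclass, field


@dataclass
class PrincipalEntry:
    principal: str
    attributes: set = field(default_factory=set)
    keys: list = field(default_factory=list)  # (kvno, enctype text as printed)


def parse_getprinc(text: str) -> PrincipalEntry:
    """Extract the fields the audit needs from one getprinc dump."""
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            entry = PrincipalEntry(line.split(":", 1)[1].strip())
        elif entry is None:
            continue  # skip the 'kadmin: getprinc ...' echo before the dump
        elif line.startswith("Attributes:"):
            entry.attributes = set(line.split(":", 1)[1].split())
        elif line.startswith("Key:"):  # 'MKey:' deliberately does not match
            m = re.match(r"Key:\s*vno\s+(\d+),\s*(.+)", line)
            if m:
                entry.keys.append((int(m.group(1)), m.group(2)))
    if entry is None:
        raise ValueError("no 'Principal:' line in getprinc output")
    return entry


def is_service_principal(name: str) -> bool:
    """Service principals have an instance component: primary/instance@REALM."""
    return "/" in name.split("@", 1)[0]


def audit(entry: PrincipalEntry) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if is_service_principal(entry.principal) and "REQUIRES_PRE_AUTH" in entry.attributes:
        findings.append(
            f"{entry.principal}: REQUIRES_PRE_AUTH on a service principal; "
            f"TGS requests for it (e.g. kinit -R) fail with NO PREAUTH. "
            f"Fix: kadmin: modprinc -requires_preauth {entry.principal}")
    # 'Triple DES cbc mode ...' does not start with 'DES', so only single DES matches.
    weak = sorted({enc for _, enc in entry.keys if enc.startswith("DES cbc mode")})
    if weak:
        findings.append(f"{entry.principal}: {len(weak)} single-DES key type(s) present")
    return findings


# Sample dumps from the thread (trimmed); '@' restored where the archive shows ' at '.
KRBTGT_GETPRINC = """\
kadmin: getprinc krbtgt/MERA.NU
Principal: krbtgt/MERA.NU@MERA.NU
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

USER_GETPRINC = """\
kadmin: getprinc mani
Principal: mani@MERA.NU
Number of keys: 2
Key: vno 5, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 5, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
"""

if __name__ == "__main__":
    for dump in (KRBTGT_GETPRINC, USER_GETPRINC):
        for finding in audit(parse_getprinc(dump)) or ["(no findings)"]:
            print(finding)
```

In a live KDC the same parser can be fed the output of `kadmin.local -q "getprinc krbtgt/REALM"` for each realm; a user principal with REQUIRES_PRE_AUTH is expected and produces no preauth finding.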
From: bbense at stanford.edu (Booker Bense)
Date: Mon, 3 Aug 2009 14:50:57 -0700
Subject: Openssh v5.2p1 and krb5 1.7
In-Reply-To: <10a91d0c0908030656l1aa6d7aeu2846f77c4979f49e@mail.gmail.com>
References: <10a91d0c0908030656l1aa6d7aeu2846f77c4979f49e@mail.gmail.com>
Message-ID:

I'm trying to build Openssh with mit krb5 1.7 on Solaris 5.10 machines and am getting SIGKILLs when the child ssh client attempts to start up a session. Does anyone else have this combo of software working on any platform?

thanks,
_ Booker C. Bense

From Weijun.Wang at Sun.COM Mon Aug 3 21:30:08 2009
From: Weijun.Wang at Sun.COM (Wang Weijun)
Date: Tue, 04 Aug 2009 09:30:08 +0800
Subject: Does Kerberos version 5 support i18n specifications?
In-Reply-To:
References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>
Message-ID: <3202AE45-3727-4687-9FBB-4153EAAF2E3E@sun.com>

> an interoperability problem. There is no easy resolution to this interoperability problem. If you have suggestions on how to improve this character encoding situation, we will be pleased to consider them.

Maybe punycode?

Max

From Qiang.Xu at fujixerox.com Thu Aug 6 04:36:50 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 6 Aug 2009 16:36:50 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To:
References: <87ab5ysn2t.fsf@windlord.stanford.edu>
Message-ID:

Hi, all:

I found SASL LDAP binding will fail mad if an IPv6 address of Kerberos authentication server is passed to it. It just can't recognize the IPv6 address, and would take it as a hostname.

For example, the IPv6 address of the Kerberos server is "3ffe:2000:0:1:e0be:1872:d4f8:6b2c", and the authentication domain is "xcipv6.com". When this IPv6 address is passed in, the address would be looked on as in a form of "hostname:port", so would split the address at the first colon, and combine it with the domain name, to form an FQDN "3ffe.xcipv6.com". Then it would try to resolve this FQDN to get the IPv4 address. Of course, the resolving would lead to an error. And SASL binding can't go through.

When I configure the printer to use IPv4 address of the Kerberos server, SASL LDAP binding works well.

P.S. I am using MozLDAP 6.0.5 plus Cyrus-SASL 2.1.22, plus MIT Kerberos v5 libraries. Could it be a problem arising from MIT distribution?

Thanks,
Xu Qiang

From rra at stanford.edu Thu Aug 6 11:55:40 2009
From: rra at stanford.edu (Russ Allbery)
Date: Thu, 06 Aug 2009 08:55:40 -0700
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: (Qiang Xu's message of "Thu, 6 Aug 2009 16:36:50 +0800")
References: <87ab5ysn2t.fsf@windlord.stanford.edu>
Message-ID: <87ocqtdjib.fsf@windlord.stanford.edu>

"Xu, Qiang (FXSGSC)" writes:

> For example, the IPv6 address of the Kerberos server is "3ffe:2000:0:1:e0be:1872:d4f8:6b2c", and the authentication domain is "xcipv6.com". When this IPv6 address is passed in, the address would be looked on as in a form of "hostname:port", so would split the address at the first colon, and combine it with the domain name, to form an FQDN "3ffe.xcipv6.com". Then it would try to resolve this FQDN to get the IPv4 address. Of course, the resolving would lead to an error. And SASL binding can't go through.

I have no idea if Cyrus SASL supports IPv6 or not, but try using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead. The brackets disambiguate IPv6 address literals from hostnames with ports.

-- 
Russ Allbery (rra at stanford.edu)

From Qiang.Xu at fujixerox.com Thu Aug 6 21:27:35 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 7 Aug 2009 09:27:35 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <87ocqtdjib.fsf@windlord.stanford.edu>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> I have no idea if Cyrus SASL supports IPv6 or not, but try using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead. The brackets disambiguate IPv6 address literals from hostnames with ports.

I have sought help from the Cyrus SASL community. Some people told me that this seems not a bug of Cyrus-SASL libraries, e.g. "/usr/lib/sasl2/libgssapiv2.so is calling /lib/libgssapi_krb5.so to locate the Kerberos authentication server".

By the way, I can't add brackets to the IPv6 address. In fact, the real scenario is that the Kerberos server is configured with a hostname. And there is an option in our DNS setting to enable "Prefer IPv6 address over IPv4 address". This way, when DNS resolves the Kerberos server's hostname, it gets an IPv6 address, and this is used to locate the Kerberos server and initiate the TGS-REQ request. But, alas, since the server can't be located with the IPv6 address, TGS-REQ is never sent out, and SASL binding fails.

Could you tell me if the plugin "/lib/libgssapi_krb5.so" can handle IPv6 address?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Thu Aug 6 23:50:18 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 7 Aug 2009 11:50:18 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <87ocqtdjib.fsf@windlord.stanford.edu>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> I have no idea if Cyrus SASL supports IPv6 or not, but try using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead. The brackets disambiguate IPv6 address literals from hostnames with ports.

Actually, I am not so sure that it is the fault of the MIT Kerberos plugin, because when I configured the Kerberos server with a hostname, and DNS resolves it to an IPv6 address, authentication runs well. The user can log in.

I guess kinit and libgssapi_krb5.so are both parts of the MIT Kerberos distribution, right? If kinit can handle an IPv6 address, libgssapi_krb5.so should as well. Am I right?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Thu Aug 6 23:53:57 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 7 Aug 2009 11:53:57 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <87ocqtdjib.fsf@windlord.stanford.edu>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> I have no idea if Cyrus SASL supports IPv6 or not, but try using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead. The brackets disambiguate IPv6 address literals from hostnames with ports.

And Russ, could you tell me, in the process of SASL interaction, who is responsible for locating the Kerberos authentication server?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Fri Aug 7 04:28:36 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 7 Aug 2009 16:28:36 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <87ocqtdjib.fsf@windlord.stanford.edu>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Russ Allbery
> Sent: Thursday, August 06, 2009 11:56 PM
> To: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> I have no idea if Cyrus SASL supports IPv6 or not, but try using [3ffe:2000:0:1:e0be:1872:d4f8:6b2c] instead. The brackets disambiguate IPv6 address literals from hostnames with ports.

After kinit, there is a Kerberos TGT:

    ===================================================
    qxu at durian(pts/2):/usr/lib[115]$ klist
    Ticket cache: FILE:/tmp/krb5cc_20153
    Default principal: XCTEST100 at XCIPV6.COM

    Valid starting     Expires            Service principal
    08/07/09 13:19:18  08/07/09 23:20:45  krbtgt/XCIPV6.COM at XCIPV6.COM
            renew until 08/08/09 13:19:18
    08/07/09 13:22:00  08/07/09 23:20:45  ldap/crius.xcipv6.com at XCIPV6.COM
            renew until 08/08/09 13:19:18

    Kerberos 4 ticket cache: /tmp/tkt20153
    klist: You have no tickets cached
    ===================================================

Since it seems MozLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com at XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

My problem is that after the user logs in, Cyrus-SASL can't find the Kerberos server to send out TGS-REQ. However, locating the Kerberos server seems somewhat beyond MozLDAP and Cyrus-SASL. Thus, I feel something is wrong in the MIT Kerberos plugin "libgssapi_krb5.so". Still, it is strange that although DNS resolves the Kerberos server's hostname to an IPv6 address, kinit is successful, which shows that the server can be located. How come when doing SASL binding the server (with IPv6 address) can't be located?

Kind of confused...
Xu Qiang

From phalenor at gmail.com Fri Aug 7 09:00:19 2009
From: phalenor at gmail.com (Andrew Cobaugh)
Date: Fri, 7 Aug 2009 09:00:19 -0400
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To:
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu>
Message-ID: <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>

On Fri, Aug 7, 2009 at 4:28 AM, Xu, Qiang (FXSGSC) wrote:
> Since it seems MozLDAP didn't pass any info related to the Kerberos authentication server to Cyrus-SASL, can I understand that Cyrus-SASL obtains the Kerberos authentication server's whereabouts from the ticket? But there is only an LDAP server's service principal in the ticket (ldap/crius.xcipv6.com at XCIPV6.COM). It doesn't reveal the authentication server's address or hostname, does it?

MozLDAP, so are you using thunderbird or something then? I think there is a bug in MozLDAP where it's unable to perform any queries over IPv6 when the given hostname has both AAAA and A records. A colleague of mine just came across this the other day.

Can you try eliminating SASL from the equation altogether and see if whatever you're using can query over IPv6 while doing an anonymous bind?

When you say things like "configured the Kerberos server with hostname" what do you mean? Changing kdc lines in /etc/krb5.conf? MIT kerberos and their GSSAPI library definitely support IPv6. Tools like ldapsearch work fine while doing a SASL/GSSAPI bind using a hostname with AAAA records as well as specifying the v6 address in brackets, so I think you can eliminate all of these as problems. The only difference is if you're using one of mozilla's products to do LDAP, they have their own LDAP library, MozLDAP as you mentioned.

--andy

From javiplx at gmail.com Sat Aug 8 05:51:12 2009
From: javiplx at gmail.com (Javier Palacios)
Date: Sat, 8 Aug 2009 11:51:12 +0200
Subject: Authenticating debian users against AD
In-Reply-To: <4A71AF5E.8040900@anl.gov>
References: <4A71AF5E.8040900@anl.gov>
Message-ID:

Personally, I got many problems while using ktpass to create a keytab. You could try to use samba in AD mode, or CSS adkadmin.

Javier Palacios

On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert wrote:
>
> jarek wrote:
>> Hi all!
>>
>> I've configured Debian with pam_krb5, and I can login using username and password to sshd. I've tried to use also ticket login, and I have problem with it. As I understand I need for this keytab file. But whenever I put krb5.keytab into /etc I can't login at all (even with password). auth.log says:
>>
>> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>> (pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
>> (pam_krb5): apache: credential verification failed: Server not found in Kerberos database
>> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
>> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.181 user=apache
>>
>> I've created keytab for apache, which is used by libapache2-mod-auth-kerb and it works - I can login with kerberos ticket.
>>
>> The keytab was created on W2008 server with the following command:
>>
>> ktpass -out host-nms.keytab -princ host/test-nms.test.local at TEST.LOCAL -mapuser host-test-nms at TEST.LOCAL -mapOp set -pass -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
>
> I don't think you are understanding what the ktpass is doing. You need a user or computer account in AD that will have a password, and (usually only one) servicePrincipalName. The -mapuser is the name of this account.
>
>> By the way, can someone tell me what for is this password in ktpass command ?
>
> The -pass option is used to change the password stored in the account, and to create the key in the keytab file. So you must be an AD admin to run this (Unlike most KDCs which store the key, AD generates the key on the fly from the stored password when a service ticket is created.) The password in AD and the key in the keytab must be kept in sync. The kvno in the keytab and the msDS-keyVersionNumber in the account must also match.
>
> If you are going to be adding a lot of hosts to AD, have a look at the msktutil package. A debian version is available that works with W2008 and can generate AES keys too. msktutil-0.3.16-7
>
> http://download.systemimager.org/~finley/msktutil/
>
>> Best regards
>> J.
>
> --
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

From deengert at anl.gov Mon Aug 10 09:39:19 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 10 Aug 2009 08:39:19 -0500
Subject: Authenticating debian users against AD
In-Reply-To:
References: <4A71AF5E.8040900@anl.gov>
Message-ID: <4A802307.9010301@anl.gov>

Javier Palacios wrote:
> Personally, I got many problems while using ktpass to create a keytab.

We don't use it either, but msktutil instead. But Jarek was using ktpass so my suggestion was to understand what is going on under the covers and use ktpass correctly.

> You could try to use samba in AD mode, or CSS adkadmin.
>
> Javier Palacios
>
> On Thu, Jul 30, 2009 at 4:34 PM, Douglas E. Engert wrote:
>>
>> jarek wrote:
>>> Hi all!
>>>
>>> I've configured Debian with pam_krb5, and I can login using username and password to sshd. I've tried to use also ticket login, and I have problem with it. As I understand I need for this keytab file. But whenever I put krb5.keytab into /etc I can't login at all (even with password). auth.log says:
>>>
>>> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>>> (pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
>>> (pam_krb5): apache: credential verification failed: Server not found in Kerberos database
>>> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
>>> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.181 user=apache
>>>
>>> I've created keytab for apache, which is used by libapache2-mod-auth-kerb and it works - I can login with kerberos ticket.
>>>
>>> The keytab was created on W2008 server with the following command:
>>>
>>> ktpass -out host-nms.keytab -princ host/test-nms.test.local at TEST.LOCAL -mapuser host-test-nms at TEST.LOCAL -mapOp set -pass -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly
>>
>> I don't think you are understanding what the ktpass is doing. You need a user or computer account in AD that will have a password, and (usually only one) servicePrincipalName. The -mapuser is the name of this account.
>>
>>> By the way, can someone tell me what for is this password in ktpass command ?
>>
>> The -pass option is used to change the password stored in the account, and to create the key in the keytab file. So you must be an AD admin to run this (Unlike most KDCs which store the key, AD generates the key on the fly from the stored password when a service ticket is created.) The password in AD and the key in the keytab must be kept in sync. The kvno in the keytab and the msDS-keyVersionNumber in the account must also match.
>>
>> If you are going to be adding a lot of hosts to AD, have a look at the msktutil package. A debian version is available that works with W2008 and can generate AES keys too. msktutil-0.3.16-7
>>
>> http://download.systemimager.org/~finley/msktutil/
>>
>>> Best regards
>>> J.

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From kerberos at noopy.org Mon Aug 10 10:42:18 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Mon, 10 Aug 2009 10:42:18 -0400
Subject: Authenticating debian users against AD
In-Reply-To: <4A802307.9010301@anl.gov>
References: <4A71AF5E.8040900@anl.gov> <4A802307.9010301@anl.gov>
Message-ID:

On Mon, Aug 10, 2009 at 9:39 AM, Douglas E. Engert wrote:
>
> Javier Palacios wrote:
>> Personally, I got many problems while using ktpass to create a keytab.
>
> We don't use it either, but msktutil instead. But Jarek was using ktpass so my suggestion was to understand what is going on under the covers and use ktpass correctly.

I like msktutil a lot but it's not always the case that one has rights to change objects in AD. ktpass.exe (when used w/SP2 under Windows 2003) *can* simplify the process of keytab creation but OTOH I don't think it solves the problem entirely/completely.

-- 
K

From deengert at anl.gov Mon Aug 10 11:40:23 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 10 Aug 2009 10:40:23 -0500
Subject: Authenticating debian users against AD
In-Reply-To:
References: <4A71AF5E.8040900@anl.gov> <4A802307.9010301@anl.gov>
Message-ID: <4A803F67.4060308@anl.gov>

kerberos at noopy.org wrote:
> On Mon, Aug 10, 2009 at 9:39 AM, Douglas E. Engert wrote:
>>
>> Javier Palacios wrote:
>>> Personally, I got many problems while using ktpass to create a keytab.
>> We don't use it either, but msktutil instead. But Jarek was using ktpass so my suggestion was to understand what is going on under the covers and use ktpass correctly.
>
> I like msktutil a lot but it's not always the case that one has rights to change objects in AD.

Then all of these tools are all but useless, as the intent is to create a keytab that matches what is in AD. Most of these tools will change the password to a random password, update AD, and create a keytab at the same time. The password and the msDS-KeyVersionNumber in AD must be in sync with the key and KVNO in the keytab for Kerberos to work. So only if you knew the password, KeyVersionNumber and salt could you create a keytab that matched. I don't think that is his case. If it was he could also use ktutil to create a keytab.

> ktpass.exe (when used w/SP2 under Windows 2003) *can* simplify the process of keytab creation but OTOH I don't think it solves the problem entirely/completely.

I think his problem was misunderstanding of how Kerberos works.

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Qiang.Xu at fujixerox.com Mon Aug 10 22:11:44 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Tue, 11 Aug 2009 10:11:44 +0800 Subject: IPv6 handling in SASL LDAP binding In-Reply-To: <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com> References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com> Message-ID: > -----Original Message----- 
> From: Andrew Cobaugh [mailto:phalenor at gmail.com]
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding

Sorry to reply late. I just came back from a long weekend.

> MozLDAP, so are you using thunderbird or something then? I
> think there is a bug in MozLDAP where it's unable to perform
> any queries over IPv6 when the given hostname has both AAAA
> and A records. A colleague of mine just came across this the
> other day.

I am referring to the Mozilla LDAP libraries. Yes, I have hit the problem as well. We worked around it by initializing a simple binding first, to retrieve the LDAP server's dnsHostname attribute, then we passed this value to prldap_init(), and SASL binding is successful. Anyway, in SASL binding, the server's FQDN is preferred.

> Can you try eliminating SASL from the equation altogether and
> see if whatever you're using can query over IPv6 while doing
> an anonymous bind?

It seems to be a defect of the MozLDAP library. And strangely, an IPv6 address can be handled in simple binding.

> When you say things like "configured the Kerberos server with
> hostname" what do you mean? Changing kdc lines in
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library
> definitely support IPv6. Tools like ldapsearch work fine
> while doing a SASL/GSSAPI bind using a hostname with AAAA
> records as well as specifying the v6 address in brackets, so
> I think you can eliminate all of these as problems. The only
> difference is if you're using one of mozilla's products to do
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Our printer has a WebUI that enables us to configure the Kerberos server through a web page. By "configured the Kerberos server with hostname", I mean doing it from the WebUI. Our printer has another DNS option, "Prefer IPv6 address over IPv4 address", to prioritize the IPv6 address when resolving hostnames. Thus, when the Kerberos server is configured by hostname, DNS will return an IPv6 address in response, and the value is written into "/etc/krb5.conf".

When "/etc/krb5.conf" is configured with an IPv4 address:
================================================
[libdefaults]
default_realm = XCIPV6.COM

[realms]
XCIPV6.COM = {
kdc = 13.198.97.42:88
}
================================================
SASL binding is successful, with all network traffic on the IPv4 protocol.

In contrast, when "/etc/krb5.conf" has the kdc in IPv6 form:
================================================
[libdefaults]
default_realm = XCIPV6.COM

[realms]
XCIPV6.COM = {
kdc = [3ffe:2000:0:1::100]:88
}
================================================
SASL binding will fail.

The failing network trace has the following DNS query:
================================================
953 29.970599 13.198.98.117 13.198.97.42 DNS Standard query AAAA [3ffe.xcipv6.com
954 29.970621 13.198.97.42 13.198.98.117 DNS Standard query response, No such name
================================================
Note that the AAAA DNS query begins with "[3ffe", which is retrieved from "/etc/krb5.conf". The failure of this DNS query is expected.

The problem in SASL LDAP binding is that it can't locate the Kerberos server (due to the above reason), hence the TGS-REQ can't be initiated. To my knowledge, locating the Kerberos server is done by the Cyrus-SASL plugin (libgssapiv2.so) calling the MIT Kerberos V5 plugin (libgssapi_krb5.so), so I guess the former has some problem in handling an IPv6 address configured in "/etc/krb5.conf".

Still, the IPv6 address can be handled correctly by "kinit", and the Kerberos server can be found when authentication is done. I am not sure if kinit and libgssapi_krb5.so are compiled from the same MIT source package. If the answer is yes, then it is quite weird that kinit can handle an IPv6 address while libgssapi_krb5.so can't. If the answer is no, then it is more understandable.

Another question: in order to enable libgssapi_krb5.so to handle IPv6 addresses, should its source code be configured with the --enable-ipv6 option (i.e. ./configure --enable-ipv6=yes)?

Thanks,
Xu Qiang

From aspenbr at gmail.com Tue Aug 11 05:32:28 2009
From: aspenbr at gmail.com (Bruno Steven)
Date: Tue, 11 Aug 2009 06:32:28 -0300
Subject: Problem in get ticket from Kerberos
Message-ID: 

Hello

I have a problem getting tickets from Kerberos on my CentOS 5.2. When I type this command

/usr/local/kerberos/bin/kinit admin at LABCOM.UNASP

it shows this message:

kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP while getting initial credentials

I don't understand why this message!!! My DNS is working, I can resolve the domain (LABCOM.UNASP)

nslookup labcom.unasp
Server: 192.168.4.66
Address: 192.168.4.66#53

Name: labcom.unasp
Address: 192.168.4.2

My DNS server is on Windows 2003 Server. This kinit command was tested from the Linux server with CentOS 5.2 using MIT Kerberos version 1.6. Below I paste krb5.conf:

[libdefaults]
# determines your default realm name
default_realm = LABCOM.UNASP
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
LABCOM.UNASP = {
# specifies where the servers are and on
# which ports they listen (88 and 749 are
# the standard ports)
kdc = kdc.AmbLivre:88
admin_server = kdc.AmbLivre:749
default_domain = labcom.unasp
}

[domain_realm]
# maps your DNS domain name to your Kerberos
# realm name
.labcom.unasp = LABCOM.UNASP
labcom. = LABCOM.UNASP

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[logging]
# determines where each service should write its
# logging info
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON

and kdc.conf

[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 750,88

[realms]
LABCOM.UNASP = {
database_name = /var/kerberos/krb5kdc/principal
key_stash_file = /var/kerberos/krb5kdc/.k5.LABCOM.UNASP
master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
kdc_ports = 750,88
max_file = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

I tried to resolve it but I can't resolve this problem. Can somebody help me get a ticket from Kerberos!!!

Thanks

--
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification
MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

From ravi.channavajhala at dciera.com Tue Aug 11 06:17:41 2009
From: ravi.channavajhala at dciera.com (ravi channavajhala)
Date: Tue, 11 Aug 2009 15:47:41 +0530
Subject: Problem in get ticket from Kerberos
In-Reply-To: 
Message-ID: <4a814549.1f538c0a.3340.ffffdd89@mx.google.com>

/etc/resolv.conf and /etc/host.conf might have clues about this.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Bruno Steven
Sent: Tuesday, August 11, 2009 3:02 PM
To: kerberos at mit.edu
Subject: Problem in get ticket from Kerberos

Hello

I have a problem getting tickets from Kerberos on my CentOS 5.2. When I type this command

/usr/local/kerberos/bin/kinit admin at LABCOM.UNASP

it shows this message:

kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP while getting initial credentials

I don't understand why this message!!! My DNS is working, I can resolve the domain (LABCOM.UNASP)

nslookup labcom.unasp
Server: 192.168.4.66
Address: 192.168.4.66#53

Name: labcom.unasp
Address: 192.168.4.2

My DNS server is on Windows 2003 Server. This kinit command was tested from the Linux server with CentOS 5.2 using MIT Kerberos version 1.6. Below I paste krb5.conf:

[libdefaults]
# determines your default realm name
default_realm = LABCOM.UNASP
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
LABCOM.UNASP = {
# specifies where the servers are and on
# which ports they listen (88 and 749 are
# the standard ports)
kdc = kdc.AmbLivre:88
admin_server = kdc.AmbLivre:749
default_domain = labcom.unasp
}

[domain_realm]
# maps your DNS domain name to your Kerberos
# realm name
.labcom.unasp = LABCOM.UNASP
labcom. = LABCOM.UNASP

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[logging]
# determines where each service should write its
# logging info
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON

and kdc.conf

[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 750,88

[realms]
LABCOM.UNASP = {
database_name = /var/kerberos/krb5kdc/principal
key_stash_file = /var/kerberos/krb5kdc/.k5.LABCOM.UNASP
master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
kdc_ports = 750,88
max_file = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

I tried to resolve it but I can't resolve this problem. Can somebody help me get a ticket from Kerberos!!!

Thanks

--
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification
MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

________________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From bodik at civ.zcu.cz Tue Aug 11 06:38:12 2009
From: bodik at civ.zcu.cz (bodik)
Date: Tue, 11 Aug 2009 12:38:12 +0200
Subject: Problem in get ticket from Kerberos
In-Reply-To: <4a814549.1f538c0a.3340.ffffdd89@mx.google.com>
References: <4a814549.1f538c0a.3340.ffffdd89@mx.google.com>
Message-ID: <4A814A14.8000907@civ.zcu.cz>

Do you resolve kdc.AmbLivre properly???

b

ravi channavajhala wrote:
> I don't understand why this message!!! My DNS is working, I can resolve the
> domain (LABCOM.UNASP)
>
> nslookup labcom.unasp
> Server: 192.168.4.66
> Address: 192.168.4.66#53
>
> Name: labcom.unasp
> Address: 192.168.4.2
> ...
> kdc = kdc.AmbLivre:88
> admin_server = kdc.AmbLivre:749
> default_domain = labcom.unasp

From kiwuff at googlemail.com Tue Aug 11 10:21:18 2009
From: kiwuff at googlemail.com (Wolfgang)
Date: Tue, 11 Aug 2009 07:21:18 -0700 (PDT)
Subject: Kerberos auth against AD, keytabs, and service principal names
References: <4A64C5AB.7060205@anl.gov> <4A64D36F.20401@realityfailure.org>
Message-ID: <0da3bfad-db5c-4846-9334-50e57042cc14@o15g2000yqm.googlegroups.com>

On 20 Jul., 22:46, kerbe... at noopy.org wrote:
> On Mon, Jul 20, 2009 at 4:28 PM, John Jasen wrote:
> > kerbe... at noopy.org wrote:
>
> >> So this means servicePrincipalName is effectively useless in AD for
> >> non-Windows systems, right -- in particular when you have X number of
> >> principals in a keytab but only the one that matches the UPN will
> >> work?
>
> > No. I asked questions along the same vein a while back. :
>
> > Apparently you should be doing a kinit -S
> > serviceprinciplename/hostname.fqdn (ie: nfs/foo.noopy.org), to get a
> > service ticket for the appropriate service.
>
> Ah ha! So this is the magic test I'd been misunderstanding.
>
> So now I can do the following and everything works in the way I'd hope:
>
>   kinit -k -t /some/keytab princ/host.fqdn at REALM
>   kinit -S otherprinc/host.fqdn at REALM myprinc at REALM
>
> Thanks everyone!
>
> (And yes, I agree that ktpass.exe isn't the right tool for this job.
> msktutil would seem to work nicely in an environment where one has
> admin access to AD.)
>
> --
> Nathan Patwardhan
> "There should be a dating service for unusual-in-a-good-way people."
> ~~ Anne Kadet - http://www.noopy.org/quotes/q.cgi?tag=annedating

There is another way to create keytabs, which I prefer: using ktutil (on Linux):

ktutil
ktutil: addent -password -p HTTP/host.fqdn at MY.REALM -k 2 -e arcfour-hmac-md5
Password for HTTP/host.fqdn at MY.REALM:
ktutil: addent -password -p HTTP/host.fqdn at MY.REALM -k 2 -e des-cbc-md5
Password for HTTP/host.fqdn at MY.REALM:
ktutil: wkt host.fqdn.keytab
ktutil: quit

klist -k -t host.fqdn.keytab shows the following:

Keytab name: FILE:host.fqdn.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/11/09 16:14:57 HTTP/host.fqdn at MY.REALM
   2 08/11/09 16:14:57 HTTP/host.fqdn at MY.REALM

Of course, you have to set the ServicePrincipalName and UserPrincipalName, too. I use adsiedit.msc for this; there you can also get the right key version number for this principal.

This way, you don't need to copy files around, don't have to worry about the key version numbers, and you can put more principals in one keytab.

From hans at woefdram.nl Tue Aug 11 05:50:33 2009
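An added example, not code from the list or from MIT, ktutil or msktutil: the check behind the two keytab threads above (Douglas Engert's point that the password, salt and KVNO in the keytab must match AD's msDS-KeyVersionNumber, and Wolfgang's ktutil/klist session) is whether the KVNO recorded in each keytab entry equals the version AD reports. The code writes and reads the MIT keytab file format (version 0x0502) and compares the entries' KVNOs with a supplied msDS-KeyVersionNumber. The principal, realm, KVNO, timestamp and key bytes are constructed sample values; the key bytes are placeholders, not keys derived from a password.

```python
"""Write/read an MIT-format keytab (0x0502) and check entry KVNOs against the
msDS-KeyVersionNumber an AD account reports.  Illustrative code only; the
sample principal, KVNO and key bytes are constructed, not real keys."""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # file format version 2, big-endian fields
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {                    # RFC 3961 / RFC 3962 / RFC 4757 numbers
    3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# Constructed: the two entries Wolfgang's klist -k -t output shows, both KVNO 2.
SAMPLE_ENTRIES = [
    ("HTTP/host.fqdn@MY.REALM", 2, 23, bytes(range(16)), 1250000000),
    ("HTTP/host.fqdn@MY.REALM", 2, 3, bytes(range(8)), 1250000000),
]


def _counted(data):
    """16-bit length prefix followed by the bytes (a keytab 'counted octet string')."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """entries: (principal, kvno, enctype number, key bytes, unix timestamp)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)       # 32-bit KVNO, so values above 255 survive
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry; a negative size marks a deleted slot."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # hole left by a deleted entry; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                    # a non-zero 32-bit KVNO overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key, "timestamp": ts})
    return entries


def kvno_mismatches(entries, principal, ad_kvno):
    """Enctypes whose KVNO differs from AD's msDS-KeyVersionNumber for `principal`."""
    return [e["enctype"] for e in entries
            if e["principal"] == principal and e["kvno"] != ad_kvno]


if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    for e in parsed:
        print(e["kvno"], e["enctype"], e["principal"])
    print("mismatches vs AD kvno 2:", kvno_mismatches(parsed, "HTTP/host.fqdn@MY.REALM", 2))
```

Against a real file, feed `parse_keytab(open("/etc/krb5.keytab", "rb").read())` the value of the account's msDS-KeyVersionNumber from an LDAP search; any enctype listed by `kvno_mismatches` will produce tickets the service cannot decrypt, which is the symptom Douglas describes when the keytab and AD drift apart.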
From: hans at woefdram.nl (Hans van Zijst)
Date: Tue, 11 Aug 2009 11:50:33 +0200
Subject: Problem in get ticket from Kerberos
In-Reply-To: 
References: 
Message-ID: <4A813EE9.5030700@woefdram.nl>

Hi Bruno,

Looks like Kerberos can't figure out which server(s) to contact. You can resolve the domain, but according to krb5.conf you use kdc.AmbLivre as your KDC. You have to make sure Kerberos can find the IP address of kdc.AmbLivre, either by specifying it in /etc/hosts (which means it's still available should DNS fail) or by making sure it can be found through DNS.

See http://www.gnu.org/software/shishi/manual/html_node/Configuring-DNS-for-KDC.html for some more info on what you could (should?) put into DNS.

Kind regards,
Hans

Bruno Steven wrote:
> Hello
>
> I have a problem getting tickets from Kerberos on my CentOS 5.2. When I type
> this command /usr/local/kerberos/bin/kinit admin at LABCOM.UNASP
> it shows this message:
>
> kinit(v5): Cannot resolve network address for KDC in realm LABCOM.UNASP
> while getting initial credentials
>
> I don't understand why this message!!! My DNS is working, I can resolve the
> domain (LABCOM.UNASP)
>
> nslookup labcom.unasp
> Server: 192.168.4.66
> Address: 192.168.4.66#53
>
> Name: labcom.unasp
> Address: 192.168.4.2
>
>
> My DNS server is on Windows 2003 Server. This kinit command was tested from
> the Linux server with CentOS 5.2 using MIT Kerberos version 1.6. Below I
> paste krb5.conf:
>
> [libdefaults]
> # determines your default realm name
> default_realm = LABCOM.UNASP
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> LABCOM.UNASP = {
> # specifies where the servers are and on
> # which ports they listen (88 and 749 are
> # the standard ports)
> kdc = kdc.AmbLivre:88
> admin_server = kdc.AmbLivre:749
> default_domain = labcom.unasp
> }
>
> [domain_realm]
> # maps your DNS domain name to your Kerberos
> # realm name
> .labcom.unasp = LABCOM.UNASP
> labcom. = LABCOM.UNASP
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> [logging]
> # determines where each service should write its
> # logging info
> kdc = SYSLOG:INFO:DAEMON
> admin_server = SYSLOG:INFO:DAEMON
> default = SYSLOG:INFO:DAEMON
>
>
> and kdc.conf
>
> [kdcdefaults]
> v4_mode = nopreauth
> kdc_tcp_ports = 750,88
>
> [realms]
> LABCOM.UNASP = {
> database_name = /var/kerberos/krb5kdc/principal
> key_stash_file = /var/kerberos/krb5kdc/.k5.LABCOM.UNASP
> master_key_type = des3-hmac-sha1
> acl_file = /var/kerberos/krb5kdc/kadm5.acl
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> des-cbc-crc:afs3
> kdc_ports = 750,88
> max_file = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> }
>
> I tried to resolve it but I can't resolve this problem. Can somebody help me get
> a ticket from Kerberos!!!
>
> Thanks
>

From edward at murrell.co.nz Tue Aug 11 16:51:05 2009
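An added example, not MIT code or anything posted in this digest, that reproduces the two KDC-location failures discussed above in one small locator: the `[3ffe` AAAA query from Xu Qiang's IPv6 trace (a `kdc = [v6addr]:port` value split on the first colon instead of the closing bracket) and Bruno's "Cannot resolve network address for KDC" (the realm name resolves, but the host named in `kdc =` does not). The krb5.conf text, host names, addresses and the stand-in resolver table are constructed; DNS SRV discovery (`_kerberos._udp.REALM`), which MIT also tries, is deliberately left out.

```python
"""Minimal krb5.conf KDC locator illustrating two failure modes from this
thread.  Not MIT code; the config text, names, addresses and the fake DNS
table are constructed sample data.  SRV-record discovery is not implemented."""
import ipaddress
import re

KRB5_CONF = """\
[libdefaults]
    default_realm = LABCOM.UNASP

[realms]
    LABCOM.UNASP = {
        kdc = kdc.AmbLivre:88
        admin_server = kdc.AmbLivre:749
    }
    XCIPV6.COM = {
        kdc = [3ffe:2000:0:1::100]:88
        kdc = 13.198.97.42
    }
"""

# Stand-in for DNS: the realm name resolves (as in Bruno's nslookup), but the
# host named in `kdc =` has no record at all.
FAKE_DNS = {
    "labcom.unasp": ["192.168.4.2"],
}


def parse_kdc_value(value):
    """Split a krb5.conf kdc/admin_server value into (host, port); default port 88."""
    value = value.strip()
    if value.startswith("["):                    # [IPv6]:port or [IPv6]
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else 88
        return host, port
    if value.count(":") > 1:                     # bare IPv6 literal; no port can follow
        return value, 88
    host, _, port = value.partition(":")         # hostname[:port] or IPv4[:port]
    return host, int(port) if port else 88


def naive_split(value):
    """The broken behaviour the trace shows: first colon taken as host/port separator."""
    return value.split(":", 1)[0]


def realm_kdcs(conf_text, realm):
    """Return the raw `kdc =` values for `realm` from the [realms] section."""
    section = re.search(r"\[realms\](.*?)(?:\n\[|\Z)", conf_text, re.S)
    if not section:
        return []
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", section.group(1), re.S)
    if not block:
        return []
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M)


def resolve(host, table=FAKE_DNS):
    """Address literals need no lookup; names go to the (fake) resolver table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return table.get(host.lower(), [])


def locate_kdc(conf_text, realm, table=FAKE_DNS):
    """Return [(host, port, [addr, ...])] for every kdc that resolves, or raise
    the same complaint kinit prints when none does."""
    found = []
    for raw in realm_kdcs(conf_text, realm):
        host, port = parse_kdc_value(raw)
        addrs = resolve(host, table)
        if addrs:
            found.append((host, port, addrs))
    if not found:
        raise LookupError(f"Cannot resolve network address for KDC in realm {realm}")
    return found


if __name__ == "__main__":
    print("naive split of the IPv6 entry queries for:", naive_split("[3ffe:2000:0:1::100]:88"))
    print("XCIPV6.COM ->", locate_kdc(KRB5_CONF, "XCIPV6.COM"))
    try:
        locate_kdc(KRB5_CONF, "LABCOM.UNASP")
    except LookupError as err:
        print("LABCOM.UNASP ->", err)
```

The fix for Bruno's case is the one Hans gives: either add `kdc.AmbLivre` to /etc/hosts or DNS (passing a table that knows it makes `locate_kdc` succeed), or name a host under the zone that already resolves. For the IPv6 case, whichever component parses the `kdc =` line must treat `[...]` as the host boundary; the test below shows the naive split producing exactly the `[3ffe` label seen in the AAAA query.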
From: edward at murrell.co.nz (Edward Murrell)
Date: Wed, 12 Aug 2009 08:51:05 +1200
Subject: kerberos+laptop
In-Reply-To: 
References: 
Message-ID: <1250023865.25839.15.camel@entropy>

I've been wondering about this problem for a while. My current solution on my laptop is to use a normal /etc/passwd login, and run kinit once I'm logged in.

What I would like is to allow some method of transparently caching passwords, then creating a TGT once network connectivity is established. Doing so would require some smarts beyond what is available using the current pam_krb5 and /tmp/ ccache tickets.

The solution I came up with would need something like heimdal's KCM daemon. For argument's sake, the following procedure assumes KCM;

1) User attempts to log in on a network-disconnected laptop
2) pam_krb5 connects to the local KCM daemon
3) KCM daemon discovers that network is unavailable, and checks previously cached* password
4) If login password and cache password match, then the user can log in.
5) At some point, network connectivity is established, KCM will then automatically connect to the KDC via the normal methods and generate a TGT.
6) If the account is locked or the password changed, this will be noted, and KCM will disallow future logins and/or notify the appropriate system (probably via D-Bus) to force a log/lock out of the user.

* The password would need to be encrypted, possibly using itself.
+ KCM would need to notice when a user has changed their own password, and update itself accordingly. Presumably this could be done via PAM.

Any thoughts on this?

Cheers,
Edward

On Sat, 2009-07-18 at 13:21 -0400, David Abrahams wrote:
> Hi,
>
> I'm trying to find out what's needed to make Kerberos work well on a
> laptop that may run disconnected from its master KDC, and occasionally,
> from everything (NIC turned off). In particular, a Mac laptop, which is
> apparently already running an LKDC
> (http://www.afp548.com/article.php?story=20080709091503862). I've done
> all the googling, and got nothing conclusive. I mention the LKDC in part
> because one of the few ideas I did find was to run a slave KDC on the
> laptop, but I'm not sure whether that's even possible, given the
> required presence of the LKDC.
>
> Any help would be much appreciated, and I'd be happy to document
> anything I learn in a public place so the next guy doesn't have to
> pester this list about it.
>
> Thanks in advance,
>

From rra at stanford.edu Tue Aug 11 17:03:25 2009
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 11 Aug 2009 14:03:25 -0700
Subject: kerberos+laptop
In-Reply-To: <1250023865.25839.15.camel@entropy> (Edward Murrell's message of "Wed\, 12 Aug 2009 08\:51\:05 +1200")
References: <1250023865.25839.15.camel@entropy>
Message-ID: <878whq5ahu.fsf@windlord.stanford.edu>

Edward Murrell writes:

> I've been wondering about this problem for a while. My current solution
> on my laptop is to use a normal /etc/passwd login, and run kinit once
> I'm logged in.
>
> What I would like is to allow some method of transparently caching
> passwords, then creating a TGT once network connectivity is established.

This wouldn't be as neat, and I don't want to discourage you from pursuing the neat solution, but have you considered just stacking pam_unix and pam_krb5, setting your local password to match your Kerberos password, and then attempting pam_krb5 first and falling back on pam_unix if pam_krb5 fails?

It does have the drawback of opening your Kerberos password up to an off-line brute force attack by someone who steals your laptop and hence has access to the local /etc/shadow file, but that doesn't seem like too huge of a security drawback to me.

--
Russ Allbery (rra at stanford.edu)

From edward at murrell.co.nz Tue Aug 11 17:16:58 2009
From: edward at murrell.co.nz (Edward Murrell)
Date: Wed, 12 Aug 2009 09:16:58 +1200
Subject: kerberos+laptop
In-Reply-To: <878whq5ahu.fsf@windlord.stanford.edu>
References: <1250023865.25839.15.camel@entropy> <878whq5ahu.fsf@windlord.stanford.edu>
Message-ID: <1250025418.25839.19.camel@entropy>

On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:
> Edward Murrell writes:
>
> > I've been wondering about this problem for a while. My current solution
> > on my laptop is to use a normal /etc/passwd login, and run kinit once
> > I'm logged in.
> >
> > What I would like is to allow some method of transparently caching
> > passwords, then creating a TGT once network connectivity is established.
>
> This wouldn't be as neat, and I don't want to discourage you from pursuing
> the neat solution, but have you considered just stacking pam_unix and
> pam_krb5, setting your local password to match your Kerberos password, and
> then attempting pam_krb5 first and falling back on pam_unix if pam_krb5
> fails?
>
> It does have the drawback of opening your Kerberos password up to an
> off-line brute force attack by someone who steals your laptop and hence
> has access to the local /etc/shadow file, but that doesn't seem like too
> huge of a security drawback to me.
>

Yep. The problem is that I don't get network (wifi) connectivity till after I'm logged in. I guess there's some argument as to whether this is good or bad design, but that's how it is.

From rra at stanford.edu Tue Aug 11 17:23:31 2009
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 11 Aug 2009 14:23:31 -0700
Subject: kerberos+laptop
In-Reply-To: <1250025418.25839.19.camel@entropy> (Edward Murrell's message of "Wed\, 12 Aug 2009 09\:16\:58 +1200")
References: <1250023865.25839.15.camel@entropy> <878whq5ahu.fsf@windlord.stanford.edu> <1250025418.25839.19.camel@entropy>
Message-ID: <87skfy3uzw.fsf@windlord.stanford.edu>

Edward Murrell writes:
> On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:

>> This wouldn't be as neat, and I don't want to discourage you from
>> pursuing the neat solution, but have you considered just stacking
>> pam_unix and pam_krb5, setting your local password to match your
>> Kerberos password, and then attempting pam_krb5 first and falling back
>> on pam_unix if pam_krb5 fails?

>> It does have the drawback of opening your Kerberos password up to an
>> off-line brute force attack by someone who steals your laptop and hence
>> has access to the local /etc/shadow file, but that doesn't seem like
>> too huge of a security drawback to me.

> Yep. The problem is that I don't get network (wifi) connectivity till
> after I'm logged in. I guess there's some argument as to whether this is
> good or bad design, but that's how it is.

Oh, I see, and then you don't get tickets because you've already authenticated. Right, that makes sense now.

--
Russ Allbery (rra at stanford.edu)

From lists at deksai.com Tue Aug 11 22:01:50 2009
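An added example, not pam_krb5, Heimdal's KCM or any code from this thread: a sketch of the offline-login flow Edward numbers 1) to 6) above, with the trade-off Russ raises built in. Instead of encrypting the cached password, the cache stores a salted, iterated verifier (PBKDF2-HMAC-SHA256), which is all the offline comparison in step 4 needs; the typed password is held only in process memory until the network returns, so that step 5 can obtain a real TGT. A stolen disk still yields an offline guessing target, as Russ notes for /etc/shadow, so the iteration count is what sets the attacker's cost. The principal, the password table and the stand-in KDC are constructed; `get_tgt` returns a placeholder string where a real implementation would populate the credential cache.

```python
"""Offline credential cache sketch for the laptop-login flow discussed above.
Illustrative code, not KCM/pam_krb5; the KDC, principal and passwords are
constructed sample data."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000      # deliberately slow: this is the offline brute-force cost


class FakeKDC:
    """Stand-in for the realm's KDC.  reachable=False simulates no network."""

    def __init__(self, passwords, reachable=True):
        self.passwords = dict(passwords)     # principal -> current password
        self.locked = set()
        self.reachable = reachable

    def get_tgt(self, principal, password):
        if not self.reachable:
            raise ConnectionError("KDC unreachable")
        if principal in self.locked:
            raise PermissionError("account locked")
        if self.passwords.get(principal) != password:
            raise PermissionError("preauth failed")
        return f"TGT({principal})"           # a real TGT would go into the ccache


class OfflineCache:
    """Per-user verifier store; the KCM-like daemon in Edward's design would own this."""

    def __init__(self):
        self.records = {}                    # principal -> (salt, verifier)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    def store(self, principal, password):
        salt = os.urandom(16)
        self.records[principal] = (salt, self._derive(password, salt))

    def check(self, principal, password):
        rec = self.records.get(principal)
        if rec is None:
            return False
        salt, verifier = rec
        return hmac.compare_digest(self._derive(password, salt), verifier)

    def forget(self, principal):
        self.records.pop(principal, None)


def login(kdc, cache, principal, password):
    """Steps 1-4 (and the online path): returns (mode, result).
    Online success refreshes the verifier; online rejection drops it (step 6)."""
    try:
        tgt = kdc.get_tgt(principal, password)
    except ConnectionError:
        return ("offline", cache.check(principal, password))    # steps 3-4
    except PermissionError:
        cache.forget(principal)             # locked or changed: no more offline logins
        return ("online", False)
    cache.store(principal, password)
    return ("online", tgt)


def reconnect(kdc, cache, principal, password):
    """Step 5/6: the network is back; turn the in-memory password into a TGT.
    None = still offline, False = KDC rejected (cache invalidated), else the TGT."""
    try:
        tgt = kdc.get_tgt(principal, password)
    except ConnectionError:
        return None
    except PermissionError:
        cache.forget(principal)
        return False
    cache.store(principal, password)
    return tgt
```

In a real daemon the password passed to `reconnect` must never touch disk; it lives in locked memory from the PAM conversation until a TGT replaces it. Step 6's "force a log/lock out" then hangs off `reconnect` returning False.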
From: lists at deksai.com (Chris)
Date: Tue, 11 Aug 2009 22:01:50 -0400
Subject: Can I get more debug output from kadmin.local?
Message-ID: <20090812020150.GA5736@chris-laptop.a2hosting.com>

I have a problem in which I cannot get kadmin.local to start with the ldap backend. It was working once upon a time! I started over after going through the setup both with ldap and without. Both times it worked. Now that I want to do it again with ldap, it's broken. I've removed the old stuff from the ldap servers, erased all key files and such. I obviously did something bad, but I have no idea what it is.

The problem is that the output I'm getting is a cruel joke. When I launch kadmin.local, all I get is

"kadmin.local: Server error while initializing kadmin.local interface"

Doing an strace doesn't show much either...

munmap(0x2b2cfd8fe000, 32790) = 0
access("/opt/kerberos/etc/service.keyfile", F_OK) = 0
access("/opt/kerberos/etc/service.keyfile", R_OK) = 0
open("/opt/kerberos/etc/service.keyfile", O_RDONLY) = 4
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fstat(4, {st_mode=S_IFREG|0600, st_size=69, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b2cfd8fe000
read(4, "cn=kdc,ou=security,dc=someplace,dc=com#{HEX}abcdef...\n", 4096) = 69
read(4, "", 4096) = 0
close(4) = 0
munmap(0x2b2cfd8fe000, 4096) = 0
write(2, "kadmin.local: Server error ", 27kadmin.local: Server error ) = 27
write(2, "while initializing kadmin.local interface", 41while initializing kadmin.local interface) = 41
write(2, "\n", 1
) = 1
exit_group(1)

I can bind to ldap using the stashed passwords just fine, and read/write what I'm supposed to in the container and subtrees.

Is there any way to get some more output out of the program, just a little clue?

Thanks,
Chris

From lists at deksai.com Wed Aug 12 00:11:18 2009
From: lists at deksai.com (Chris)
Date: Wed, 12 Aug 2009 00:11:18 -0400
Subject: Can I get more debug output from kadmin.local?
In-Reply-To: <20090812020150.GA5736@chris-laptop.a2hosting.com>
References: <20090812020150.GA5736@chris-laptop.a2hosting.com>
Message-ID: <20090812041117.GA6387@chris-laptop.a2hosting.com>

> I can bind to ldap using the stashed passwords just fine, and read/write
> what I'm supposed to in the container and subtrees.
>
> Is there any way to get some more output out of the program, just a
> little clue?
>

OK, as usual, this was really a stupid problem, and I figured it out in about the most painful way possible. I had my DNs turned around, and was stashing the password for the kdc instead of the admin service (it pays to not be blind to your bash history).

I found my problem by tracing to here in plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c around line 105:

    if (entryfound == 0) {
        st = KRB5_KDB_SERVER_INTERNAL_ERR;
        krb5_set_error_message (context, st, "Bind DN entry missing in stash file");
        goto rp_exit;
    }

As it turns out the source is full of all kinds of wonderful information about what is going wrong, but none of it prints. Still have to figure out why that isn't happening correctly...

Chris

From ghudson at MIT.EDU Wed Aug 12 00:30:59 2009
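An added example, not MIT code: a reader for the LDAP service password stash whose contents appear in Chris's strace (one `bind DN#password` line per stashed DN, with the password hex-encoded after a `{HEX}` prefix), plus the lookup that fails with "Bind DN entry missing in stash file" when the DN a daemon is configured to bind as is not in the file. The stash text and the two DNs are constructed to mirror Chris's mistake: the KDC's DN was stashed, kadmind's was not. The admin-service DN is a made-up name, and the DN comparison is byte-exact here, an assumption rather than a claim about MIT's matching rules.

```python
"""Read an MIT LDAP-backend service password stash and check which daemon bind
DNs it covers.  Illustrative code, not libkdb_ldap; DNs and passwords are
constructed sample data."""
import binascii

KDC_DN = "cn=kdc,ou=security,dc=someplace,dc=com"
ADMIN_DN = "cn=adminservice,ou=security,dc=someplace,dc=com"   # sample name

# Constructed stash with only the KDC's bind DN (Chris's situation).
STASH_TEXT = KDC_DN + "#{HEX}" + binascii.hexlify(b"kdc-secret").decode() + "\n"


def parse_stash(text):
    """Return {bind_dn: password}.  Values starting with {HEX} are hex-decoded;
    anything else is taken as a literal password.  Lines without '#' are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dn, sep, secret = line.partition("#")
        if not sep:
            continue
        if secret.startswith("{HEX}"):
            secret = binascii.unhexlify(secret[len("{HEX}"):]).decode()
        entries[dn] = secret
    return entries


def read_service_password(text, bind_dn):
    """The lookup kadmin.local / krb5kdc perform for their configured bind DN."""
    entries = parse_stash(text)
    if bind_dn not in entries:            # byte-exact match (assumption)
        raise KeyError("Bind DN entry missing in stash file")
    return entries[bind_dn]


def check_stash(text, kdc_dn, kadmind_dn):
    """Report whether each daemon's bind DN is present before either is started."""
    entries = parse_stash(text)
    return {"krb5kdc": kdc_dn in entries, "kadmind": kadmind_dn in entries}


if __name__ == "__main__":
    print(check_stash(STASH_TEXT, KDC_DN, ADMIN_DN))
    try:
        read_service_password(STASH_TEXT, ADMIN_DN)
    except KeyError as err:
        print("kadmin.local would fail with:", err)
```

Running `check_stash` against the real stash file, with the `ldap_kdc_dn` and `ldap_kadmind_dn` values from kdc.conf, turns the opaque "Server error" into a direct answer to which DN was never stashed.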
From: ghudson at MIT.EDU (Greg Hudson)
Date: Wed, 12 Aug 2009 00:30:59 -0400
Subject: Can I get more debug output from kadmin.local?
In-Reply-To: <20090812041117.GA6387@chris-laptop.a2hosting.com>
References: <20090812020150.GA5736@chris-laptop.a2hosting.com> <20090812041117.GA6387@chris-laptop.a2hosting.com>
Message-ID: <1250051459.28911.97.camel@ray>

On Wed, 2009-08-12 at 00:11 -0400, Chris wrote:
> As it turns out the source is full of all kinds of wonderful information
> about what is going wrong, but none of it prints. Still have to figure
> out why that isn't happening correctly...

It looks like it's because libkadm5 is doing internal krb5 context management, which leads to krb5_get_error_message being called with a different context than the one which was in use at the time of the error. It's not obvious to me how to fix this, though it may become clearer if I stare at the code a bit harder.

From jblaine at kickflop.net Wed Aug 12 11:01:31 2009
From: jblaine at kickflop.net (jblaine@kickflop.net)
Date: Wed, 12 Aug 2009 08:01:31 -0700
Subject: Password expiration problem
Message-ID: <1f115fbfc0793e0f6813eaee5ffd20c5.squirrel@webmail.kickflop.net>

I'm confused about password expiration. We have users who are getting their future password expiration date set to 14 days from the last time they changed it. What are we doing wrong?

This is MIT Kerberos 1.6.x

kadmin: getprinc gut
Principal: gut at FOO.COM
Expiration date: [never]
Last password change: Mon Aug 10 15:25:44 EDT 2009
Password expiration date: Mon Aug 24 15:25:44 EDT 2009
Maximum ticket life: 7 days 00:00:00
Maximum renewable life: 14 days 00:00:00
Last modified: Mon Aug 10 15:25:44 EDT 2009 (kadmind at FOO.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 7, DES cbc mode with CRC-32, no salt
Attributes:
Policy: RCFUsers

kadmin: getpol RCFUsers
Policy: RCFUsers
Maximum password life: 1209600
Minimum password life: 0
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 1
Reference count: 130
kadmin:

From tlyu at MIT.EDU Wed Aug 12 11:10:53 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 12 Aug 2009 11:10:53 -0400
Subject: Password expiration problem
In-Reply-To: <1f115fbfc0793e0f6813eaee5ffd20c5.squirrel@webmail.kickflop.net> (jblaine@kickflop.net's message of "Wed, 12 Aug 2009 08:01:31 -0700")
References: <1f115fbfc0793e0f6813eaee5ffd20c5.squirrel@webmail.kickflop.net>
Message-ID: 

jblaine at kickflop.net writes:

> I'm confused about password expiration. We have users
> who are getting their future password expiration date set
> to 14 days from the last time they changed it. What are
> we doing wrong?
>
> This is MIT Kerberos 1.6.x
>
> kadmin: getprinc gut
> Principal: gut at FOO.COM
> Expiration date: [never]
> Last password change: Mon Aug 10 15:25:44 EDT 2009
> Password expiration date: Mon Aug 24 15:25:44 EDT 2009
> Maximum ticket life: 7 days 00:00:00
> Maximum renewable life: 14 days 00:00:00
> Last modified: Mon Aug 10 15:25:44 EDT 2009 (kadmind at FOO.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 7, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: RCFUsers
>
> kadmin: getpol RCFUsers
> Policy: RCFUsers
> Maximum password life: 1209600

= 60 * 60 * 24 * 14

It looks to me like it's doing exactly as you asked it to, unless I'm misunderstanding your question.

> Minimum password life: 0
> Minimum password length: 6
> Minimum number of password character classes: 2
> Number of old keys kept: 1
> Reference count: 130

From jblaine at kickflop.net Wed Aug 12 13:52:31 2009
From: jblaine at kickflop.net (jblaine@kickflop.net)
Date: Wed, 12 Aug 2009 10:52:31 -0700
Subject: Password expiration problem
In-Reply-To: 
References: <1f115fbfc0793e0f6813eaee5ffd20c5.squirrel@webmail.kickflop.net>
Message-ID: <5536b1bc53d6009b7148eb14208188dd.squirrel@webmail.kickflop.net>

Oops. Thanks Tom.

> jblaine at kickflop.net writes:
>
>> I'm confused about password expiration. We have users
>> who are getting their future password expiration date set
>> to 14 days from the last time they changed it. What are
>> we doing wrong?
>>
>> This is MIT Kerberos 1.6.x
>>
>> kadmin: getprinc gut
>> Principal: gut at FOO.COM
>> Expiration date: [never]
>> Last password change: Mon Aug 10 15:25:44 EDT 2009
>> Password expiration date: Mon Aug 24 15:25:44 EDT 2009
>> Maximum ticket life: 7 days 00:00:00
>> Maximum renewable life: 14 days 00:00:00
>> Last modified: Mon Aug 10 15:25:44 EDT 2009 (kadmind at FOO.COM)
>> Last successful authentication: [never]
>> Last failed authentication: [never]
>> Failed password attempts: 0
>> Number of keys: 2
>> Key: vno 7, Triple DES cbc mode with HMAC/sha1, no salt
>> Key: vno 7, DES cbc mode with CRC-32, no salt
>> Attributes:
>> Policy: RCFUsers
>>
>> kadmin: getpol RCFUsers
>> Policy: RCFUsers
>> Maximum password life: 1209600
>
> = 60 * 60 * 24 * 14
>
> It looks to me like it's doing exactly as you asked it to, unless I'm
> misunderstanding your question.
>
>> Minimum password life: 0
>> Minimum password length: 6
>> Minimum number of password character classes: 2
>> Number of old keys kept: 1
>> Reference count: 130
>
>

From Qiang.Xu at fujixerox.com Thu Aug 13 03:26:51 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 13 Aug 2009 15:26:51 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: 
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Message-ID: 

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Xu, Qiang (FXSGSC)
> Sent: Tuesday, August 11, 2009 10:12 AM
> To: Andrew Cobaugh
> Cc: kerberos at mit.edu
> Subject: RE: IPv6 handling in SASL LDAP binding
>
> Our printer has a WebUI, that enables us to configure
> Kerberos server through web page. By "configured the Kerberos
> server with hostname", I mean doing it from WebUI. Our
> printer has another DNS option, "Prefer IPv6 address over
> IPv4 address", to prioritize on IPv6 address in resolving
> hostnames. Thus, when the Kerberos server's hostname is
> configured by hostname, DNS will return an IPv6 address in
> response, and write the value into "/etc/krb5.conf".
>
> When "/etc/krb5.conf" is configured with IPv4 address:
> ================================================
> [libdefaults]
>     default_realm = XCIPV6.COM
>
> [realms]
>     XCIPV6.COM = {
>         kdc = 13.198.97.42:88
>     }
> ================================================
> SASL binding is successful, with all network traffic on IPv4 protocol.
>
> In contrast, when "/etc/krb5.conf" has kdc in IPv6 form:
> ================================================
> [libdefaults]
>     default_realm = XCIPV6.COM
>
> [realms]
>     XCIPV6.COM = {
>         kdc = [3ffe:2000:0:1::100]:88
>     }
> ================================================
> SASL binding will fail.
>
> The failing network trace has the following DNS query:
> ================================================
> 953 29.970599 13.198.98.117 13.198.97.42 DNS Standard query AAAA [3ffe.xcipv6.com
> 954 29.970621 13.198.97.42 13.198.98.117 DNS Standard query response, No such name
> ================================================
> Note that the AAAA DNS query begins with "[3ffe", which is
> retrieved from "/etc/krb5.conf". The failure of this DNS
> query is expected.
>
> The problem in SASL LDAP binding is it can't locate the
> Kerberos server (due to the above reason), hence TGS-REQ
> can't be initiated.
> To my knowledge, the locating of Kerberos
> server is done by Cyrus-SASL plugin (libgssapiv2.so) calling
> MIT Kerberos V5 plugin (libgssapi_krb5.so), so I guess the
> former has some problem in handling IPv6 address configured
> in "/etc/krb5.conf".
>
> Still, the IPv6 address can be handled correctly by "kinit"
> and the Kerberos server can be found when authentication is
> done. I am not sure if kinit and libgssapi_krb5.so are
> compiled in the same MIT source package. If the answer is
> yes, then it is quite weird that kinit can handle IPv6
> address, while libgssapi_krb5.so can't. If the answer is no,
> then it is more understandable.

Could anyone tell me which function in libgssapi_krb5.so is supposed to
use /etc/krb5.conf to find the whereabouts of the server?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Thu Aug 13 04:21:53 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 13 Aug 2009 16:21:53 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com]
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> When you say things like "configured the Kerberos server with
> hostname" what do you mean? Changing kdc lines in
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library
> definitely support IPv6. Tools like ldapsearch work fine
> while doing a SASL/GSSAPI bind using a hostname with AAAA
> records as well as specifying the v6 address in brackets, so
> I think you can eliminate all of these as problems. The only
> difference is if you're using one of mozilla's products to do
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Yes, in my testing, OpenLDAP utility ldapsearch also works well with IPv6
address in /etc/krb5.conf when doing SASL binding.

Although we are using Mozilla LDAP library, I don't think it is MozLDAP's
fault, coz it doesn't pass anything related to Kerberos authentication
server to Cyrus-SASL library. And Cyrus-SASL can be cleared of any
wrongdoing as well, coz the same package is used in OpenLDAP testing.

In the machine where I did OpenLDAP testing, it was using original MIT
distribution, so MIT Kerberos package should be good. Our printer fails to
locate Kerberos server in SASL binding, probably because we are using a
customized MIT distribution. I've got to check with OS team about this.

By the way, I downloaded MIT Kerberos v1.7 distribution, in which I found
the possible place to locate the Kerberos server is in
"krb5-1.7/src/lib/krb5/locate_kdc.c". In that file, getaddrinfo() is used
to resolve the kdc entry in /etc/krb5.conf. Maybe some other files are
also related, I am not very sure. Anyway, this seems the only library that
is tasked to resolve hostname to IP address and find the Kerberos server.
Am I right on this?

But I don't know how to compile this module to support IPv6.
In the makefile, I didn't find any related switch, like "--enable-ipv6".
Is the support for IPv6 built-in? If not, is there a way to turn on the
support?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Thu Aug 13 04:37:09 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 13 Aug 2009 16:37:09 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com]
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> When you say things like "configured the Kerberos server with
> hostname" what do you mean? Changing kdc lines in
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library
> definitely support IPv6. Tools like ldapsearch work fine
> while doing a SASL/GSSAPI bind using a hostname with AAAA
> records as well as specifying the v6 address in brackets, so
> I think you can eliminate all of these as problems. The only
> difference is if you're using one of mozilla's products to do
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Digging further in "krb5-1.7/src/lib/krb5/locate_kdc.c", I found to enable
IPv6 support, "KRB5_USE_INET6" must be defined:
========================================================
static int
module_callback (void *cbdata, int socktype, struct sockaddr *sa)
{
    struct module_callback_data *d = cbdata;
    struct {
        struct addrinfo ai;
        union {
            struct sockaddr_in sin;
#ifdef KRB5_USE_INET6
            struct sockaddr_in6 sin6;
#endif
        } u;
    } *x;

    if (socktype != SOCK_STREAM && socktype != SOCK_DGRAM)
        return 0;
    if (sa->sa_family != AF_INET
#ifdef KRB5_USE_INET6
        && sa->sa_family != AF_INET6
#endif
        )
        return 0;
    x = calloc (1, sizeof (*x));
    if (x == 0) {
        d->out_of_mem = 1;
        return 1;
    }
    x->ai.ai_addr = (struct sockaddr *) &x->u;
    x->ai.ai_socktype = socktype;
    x->ai.ai_family = sa->sa_family;
    if (sa->sa_family == AF_INET) {
        x->u.sin = *(struct sockaddr_in *)sa;
        x->ai.ai_addrlen = sizeof(struct sockaddr_in);
    }
#ifdef KRB5_USE_INET6
    if (sa->sa_family == AF_INET6) {
        x->u.sin6 = *(struct sockaddr_in6 *)sa;
        x->ai.ai_addrlen = sizeof(struct sockaddr_in6);
    }
#endif
    if (add_addrinfo_to_list (d->lp, &x->ai, free, x) != 0) {
        /* Assumes only error is ENOMEM.  */
        d->out_of_mem = 1;
        return 1;
    }
    return 0;
}
========================================================

So I must add "-DKRB5_USE_INET6" in CFLAGS, right?

I found in our own kinit compilation (customized from MIT distribution),
"-DKRB5_USE_INET6" is defined in krb5/src/Makefile. The library generated
is a static one and will be linked into the executable kinit. Maybe that's
why our Kerberos authentication can pass. When doing SASL binding, we are
using the dynamic one libkrb5.so, which is not compiled from the module
contained in kinit folder in our baseline. I guess "-DKRB5_USE_INET6" was
not added into the CFLAGS when libkrb5.so was compiled.

Anyway, I will go to check it with OS team, who is building the dynamic
library.

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Thu Aug 13 06:41:03 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Thu, 13 Aug 2009 18:41:03 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com]
> Sent: Friday, August 07, 2009 9:00 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> When you say things like "configured the Kerberos server with
> hostname" what do you mean? Changing kdc lines in
> /etc/krb5.conf ? MIT kerberos and their GSSAPI library
> definitely support IPv6. Tools like ldapsearch work fine
> while doing a SASL/GSSAPI bind using a hostname with AAAA
> records as well as specifying the v6 address in brackets, so
> I think you can eliminate all of these as problems. The only
> difference is if you're using one of mozilla's products to do
> LDAP, they have their own LDAP library, MozLDAP as you mentioned.

Just realized that MIT Kerberos distribution doesn't support the numerical
IPv6 address in /etc/krb5.conf:
=========================================================
[libdefaults]
    default_realm = XCIPV6.COM

[realms]
    XCIPV6.COM = {
        kdc = [3ffe:2000:0:1::100]:88
    }
=========================================================
This is because the code in krb5-1.7/src/lib/krb5/os/locate_kdc.c doesn't
support this kdc form. That Kerberos authentication from our printer is
successful with this kind of configuration is due to customization made by
Xerox developers. Since LDAP SASL binding uses the dynamic libkrb5.so
without this customization, while the authentication uses the static
libkrb5.a (linked to the executable kinit), it is no wonder the results
are different.

My testing with OpenLDAP is successful, because kdc is set to a hostname:
=========================================================
[realms]
    XCIPV6.COM = {
        kdc = crius:88
        default_domain = xcipv6.com
    }
=========================================================
I remember that in my testing, I manually filled numerical IPv6 address
"[3ffe:2000:0:1::100]:88" into the kdc entry, but ldapsearch would report
an error.

Everything is clear now. I will turn to OS team to seek help.

P.S.
Can I ask why the numerical IPv6 address is not supported in MIT
distribution?

Thanks,
Xu Qiang

From phalenor at gmail.com Thu Aug 13 08:36:26 2009
From: phalenor at gmail.com (Andrew Cobaugh)
Date: Thu, 13 Aug 2009 08:36:26 -0400
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To:
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Message-ID: <1b8d56200908130536q3335c4b5l1d2e327f9f7a7d3a@mail.gmail.com>

On Thu, Aug 13, 2009 at 6:41 AM, Xu, Qiang (FXSGSC) wrote:
>
> P.S. Can I ask why the numerical IPv6 address is not supported in MIT distribution?

Using IP addresses in files like krb5.conf is generally discouraged, as
it's easier to change a single entry in dns than it is to change a file on
every machine. We don't even specify the kdcs in krb5.conf in our
environment, relying entirely on srv records for kdc discovery.

I suppose this could be considered a bug, if anyone cared.

--andy

From phalenor at gmail.com Thu Aug 13 09:13:13 2009
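The kdc forms Xu contrasts in this thread (kdc = crius:88 and kdc = 13.198.97.42:88 work, kdc = [3ffe:2000:0:1::100]:88 does not, and the failing trace shows an AAAA query for "[3ffe" with the search domain appended) come down to how the kdc value is split into host and port; Xu's later message with the three kinit runs makes the same point. The following is an added example, not code from the thread or from MIT Kerberos: a small Python parser that accepts hostname, IPv4 and bracketed IPv6 forms, next to a first-colon split that reproduces the "[3ffe" lookup for contrast, plus a minimal reader for the [realms] stanza. It goes a little beyond the thread's cases by also accepting a bare IPv6 literal with no port. The function names, the stanza reader and the combined sample krb5.conf are assumptions made for the example; the host, address and realm values are the ones quoted in the thread.

```python
import ipaddress

DEFAULT_KDC_PORT = 88


def _port(text):
    """Validate a port string taken from a kdc entry."""
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % text)
    return port


def naive_split_kdc(entry):
    """Split host and port on the first ':' (for contrast only).

    A parser with no notion of bracketed IPv6 literals does this; for
    '[3ffe:2000:0:1::100]:88' the host becomes '[3ffe', which is the
    name behind the failing AAAA query in the trace once the resolver
    appended the search domain.
    """
    host, _, port_text = entry.partition(":")
    port = _port(port_text) if port_text.isdigit() else DEFAULT_KDC_PORT
    return host, port


def parse_kdc_entry(entry):
    """Parse a krb5.conf kdc value into (host, port, kind).

    Accepted forms: 'host', 'host:port', 'a.b.c.d[:port]',
    '[v6-literal][:port]' and, beyond what the thread shows, a bare v6
    literal with no port.  kind is 'hostname', 'ipv4' or 'ipv6'.
    Anything else raises ValueError.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty kdc entry")
    if entry.startswith("["):
        close = entry.find("]")
        if close < 0:
            raise ValueError("unterminated '[' in kdc entry %r" % entry)
        host, rest = entry[1:close], entry[close + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in %r" % entry)
        ipaddress.IPv6Address(host)  # brackets only ever wrap a v6 literal
        return host, (_port(rest[1:]) if rest else DEFAULT_KDC_PORT), "ipv6"
    if entry.count(":") > 1:
        # Two or more colons without brackets: only a bare v6 literal fits,
        # and a port cannot be attached to it unambiguously.
        ipaddress.IPv6Address(entry)
        return entry, DEFAULT_KDC_PORT, "ipv6"
    host, sep, port_text = entry.partition(":")
    port = _port(port_text) if sep else DEFAULT_KDC_PORT
    try:
        ipaddress.IPv4Address(host)
        kind = "ipv4"
    except ValueError:
        kind = "hostname"
    return host, port, kind


# Constructed sample: the [realms] stanza quoted in the thread, with the
# three kdc forms the thread tried listed together.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = XCIPV6.COM

[realms]
    XCIPV6.COM = {
        kdc = crius:88
        kdc = 13.198.97.42:88
        kdc = [3ffe:2000:0:1::100]:88
        default_domain = xcipv6.com
    }
"""


def kdc_entries(conf_text, realm):
    """Collect and parse the kdc values of one realm's stanza.

    Assumption: a minimal line-oriented reader, enough for the stanzas in
    the thread, not a full krb5.conf profile parser.
    """
    found = []
    inside = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not inside:
            name, sep, rest = line.partition("=")
            inside = bool(sep) and name.strip() == realm and rest.strip() == "{"
            continue
        if line == "}":
            break
        name, sep, value = line.partition("=")
        if sep and name.strip() == "kdc":
            found.append(parse_kdc_entry(value))
    return found


if __name__ == "__main__":
    for host, port, kind in kdc_entries(SAMPLE_KRB5_CONF, "XCIPV6.COM"):
        print("%-8s %-22s port %d" % (kind, host, port))
    print("first-colon split of the v6 entry ->",
          naive_split_kdc("[3ffe:2000:0:1::100]:88"))
```

The bracket rule is the same one URLs use for IPv6 hosts; a parser that lacks it cannot tell the address's colons from the port separator, which is why an unbracketed literal with a port is rejected rather than guessed.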
From: phalenor at gmail.com (Andrew Cobaugh)
Date: Thu, 13 Aug 2009 09:13:13 -0400
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To:
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com>
Message-ID: <1b8d56200908130613s1b881979td31385515dffa6a2@mail.gmail.com>

On Thu, Aug 13, 2009 at 4:21 AM, Xu, Qiang (FXSGSC) wrote:
> Yes, in my testing, OpenLDAP utility ldapsearch also works well with IPv6 address in /etc/krb5.conf when doing SASL binding.
>
> Although we are using Mozilla LDAP library, I don't think it is MozLDAP's fault, coz it doesn't pass anything related to Kerberos authentication server to Cyrus-SASL library. And Cyrus-SASL can be cleared of any wrongdoing as well, coz the same package is used in OpenLDAP testing.

SASL does not imply Kerberos. SASL accepts a mechanism, in this case
GSSAPI, so you're actually performing a SASL/GSSAPI bind. GSSAPI also does
not imply Kerberos, though krb5 is the predominant GSSAPI mechanism. In
short, SASL does not interact with kerberos in any way, and doesn't need
to know anything about the kerberos servers, that's all done in libkrb5,
with libgssapi_krb5 in front of that.

I'm fairly certain there is a bug in MozLDAP where it won't use IPv6 for
LDAP queries, at least as reported by a colleague of mine. That doesn't
look like your problem here, though.

> In the machine where I did OpenLDAP testing, it was using original MIT distribution, so MIT Kerberos package should be good. Our printer fails to locate Kerberos server in SASL binding, probably because we are using a customized MIT distribution. I've got to check with OS team about this.
>
> By the way, I downloaded MIT Kerberos v1.7 distribution, in which I found the possible place to locate the Kerberos server is in "krb5-1.7/src/lib/krb5/locate_kdc.c". In that file, getaddrinfo() is used to resolve the kdc entry in /etc/krb5.conf.
> Maybe some other files are also related, I am not very sure. Anyway, this seems the only library that is tasked to resolve hostname to IP address and find the Kerberos server. Am I right on this?

getaddrinfo() doesn't do the name lookup, getnameinfo() is what actually
does that. I'm not sure if that's the function MIT Kerberos uses, but
getnameinfo() should be protocol agnostic.

--andy

From Farzad.Kohantorabi at interfacing.com Thu Aug 13 17:50:57 2009
From: Farzad.Kohantorabi at interfacing.com (Farzad Kohantorabi)
Date: Thu, 13 Aug 2009 17:50:57 -0400
Subject: multiple domain authentication scenario
Message-ID:

Hello,

I have a web application that negotiates a principal with the user's
browsers and then uses Kerberos for authentication. This works fine when
there is only one domain. Now I am wondering if this holds water if the
user is coming from a different domain than the web server's domain (the
web server is not supposed to be a public server so users come in from
internal networks). The thing that confuses me is that my server has a
keytab for communication with its own KDC, and I am not sure if it is
possible to authenticate a user from a different domain with the web
server's KDC?

Cheers,
Farzad-

From edward at murrell.co.nz Thu Aug 13 18:21:02 2009
From: edward at murrell.co.nz (Edward Murrell)
Date: Fri, 14 Aug 2009 10:21:02 +1200
Subject: multiple domain authentication scenario
In-Reply-To:
References:
Message-ID: <1250202063.18052.1.camel@entropy>

You can either add service principals for the other domains to the
keytab, or establish cross realm trusts between the realms. The latter is
probably better if you expect to have lots of places where you need to
interoperate.

Cheers,
Edward

On Thu, 2009-08-13 at 17:50 -0400, Farzad Kohantorabi wrote:
> Hello,
>
> I have a web application that negotiates a principal with the user's browsers
> and then uses Kerberos for authentication. This works fine when there is only
> one domain. Now I am wondering if this holds water if the user is coming from
> a different domain than the web server's domain (the web server is not supposed
> to be a public server so users come in from internal networks). The thing that
> confuses me is that my server has a keytab for communication with its own KDC,
> and I am not sure if it is possible to authenticate a user from a different
> domain with the web server's KDC?
>
> Cheers,
> Farzad-
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From Qiang.Xu at fujixerox.com Thu Aug 13 21:22:33 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Fri, 14 Aug 2009 09:22:33 +0800
Subject: IPv6 handling in SASL LDAP binding
In-Reply-To: <1b8d56200908130536q3335c4b5l1d2e327f9f7a7d3a@mail.gmail.com>
References: <87ab5ysn2t.fsf@windlord.stanford.edu> <87ocqtdjib.fsf@windlord.stanford.edu> <1b8d56200908070600q71031ea1jebc679b98ef6729e@mail.gmail.com> <1b8d56200908130536q3335c4b5l1d2e327f9f7a7d3a@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: Andrew Cobaugh [mailto:phalenor at gmail.com]
> Sent: Thursday, August 13, 2009 8:36 PM
> To: Xu, Qiang (FXSGSC)
> Cc: Alexey Melnikov; kerberos at mit.edu
> Subject: Re: IPv6 handling in SASL LDAP binding
>
> On Thu, Aug 13, 2009 at 6:41 AM, Xu, Qiang
> (FXSGSC) wrote:
> >
> > P.S. Can I ask why the numerical IPv6 address is not
> supported in MIT distribution?
>
> Using IP addresses in files like krb5.conf is generally
> discouraged, as it's easier to change a single entry in dns
> than it is to change a file on every machine. We don't even
> specify the kdcs in krb5.conf in our environment, relying
> entirely on srv records for kdc discovery.
>
> I suppose this could be considered a bug, if anyone cared.

In my testing, I found both hostname and IPv4 address work for kinit (in
original MIT distribution), but not IPv6 address:
=========================================================
/* The content of /etc/krb5.conf with hostname */
[realms]
    XCIPV6.COM = {
        kdc = crius:88
        default_domain = xcipv6.com
    }

/* Kerberos authentication result */
qxu at durian(pts/3):/etc[117]$ kinit XCTEST100 at XCIPV6.COM
Password for XCTEST100 at XCIPV6.COM:
qxu at durian(pts/3):/etc[118]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100 at XCIPV6.COM

Valid starting     Expires            Service principal
08/14/09 09:02:48  08/14/09 19:03:53  krbtgt/XCIPV6.COM at XCIPV6.COM
        renew until 08/15/09 09:02:48

/* The content of /etc/krb5.conf with IPv4 */
[realms]
    XCIPV6.COM = {
        kdc = 13.198.97.42:88
        default_domain = xcipv6.com
    }

/* Kerberos authentication result */
qxu at durian(pts/3):/etc[122]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: XCTEST100 at XCIPV6.COM

Valid starting     Expires            Service principal
08/14/09 09:05:14  08/14/09 19:05:39  krbtgt/XCIPV6.COM at XCIPV6.COM
        renew until 08/15/09 09:05:14

/* The content of /etc/krb5.conf with IPv6 address */
[realms]
    XCIPV6.COM = {
        kdc = [3ffe:2000:0:1::100]:88
        default_domain = xcipv6.com
    }

/* Kerberos authentication result */
qxu at durian(pts/3):/etc[112]$ kinit XCTEST100 at XCIPV6.COM
kinit(v5): Cannot resolve network address for KDC in realm XCIPV6.COM while getting initial credentials
=========================================================

Personally, I think if numerical IPv4 address is supported for kdc entry
in /etc/krb5.conf, so should be for numerical IPv6 address. Would MIT
developers want to fix this as a bug? The related source code is the
function "krb5_locate_srv_conf_1()" in the file
"krb5-1.7/src/lib/krb5/os/locate_kdc.c".

Thanks,
Xu Qiang

From jblaine at kickflop.net Fri Aug 14 10:55:47 2009
From: jblaine at kickflop.net (Jeff Blaine)
Date: Fri, 14 Aug 2009 10:55:47 -0400
Subject: ktadd then principal's password no longer works?
Message-ID: <4A857AF3.8080203@kickflop.net>

Again, I must really not understand something. This
principal's password is getting trashed after I use
ktadd

% sudo kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin at FOO.COM:
kadmin: ktadd -k admin.kt admin/admin
Entry for principal admin/admin with kvno 9, encryption type Triple DES
cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
Entry for principal admin/admin with kvno 9, encryption type DES cbc
mode with CRC-32 added to keytab WRFILE:admin.kt.
kadmin: quit

% sudo kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin at FOO.COM:
kadmin: Incorrect password while initializing kadmin interface

^^^ tried many times -- had to fix via kadmin.local

From shuque at isc.upenn.edu Fri Aug 14 11:12:07 2009
From: shuque at isc.upenn.edu (Shumon Huque)
Date: Fri, 14 Aug 2009 11:12:07 -0400
Subject: ktadd then principal's password no longer works?
In-Reply-To: <4A857AF3.8080203@kickflop.net>
References: <4A857AF3.8080203@kickflop.net>
Message-ID: <20090814151207.GA15104@isc.upenn.edu>

On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
> Again, I must really not understand something. This
> principal's password is getting trashed after I use
> ktadd
>
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at FOO.COM:
> kadmin: ktadd -k admin.kt admin/admin
> Entry for principal admin/admin with kvno 9, encryption type Triple DES
> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
> Entry for principal admin/admin with kvno 9, encryption type DES cbc
> mode with CRC-32 added to keytab WRFILE:admin.kt.
> kadmin: quit
>
> % sudo kadmin -p admin/admin
> Authenticating as principal admin/admin with password.
> Password for admin/admin at FOO.COM:
> kadmin: Incorrect password while initializing kadmin interface
>
> ^^^ tried many times -- had to fix via kadmin.local

This won't work. ktadd creates a new random key every time it
is invoked, thus destroying your earlier password derived
key. The manpage says:

     ktadd [-k keytab] [-q] [-e keysaltlist]
           [principal | -glob princ-exp] [...]

         Adds a principal or all principals matching princ-exp
         to a keytab, randomizing each principal's key in the
         process. ...

I don't think the MIT distro has any tool to do what you want.
You'd probably need to write a program to extract the password
derived key directly from the KDB.

--Shumon.

From deengert at anl.gov Fri Aug 14 11:24:04 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 14 Aug 2009 10:24:04 -0500
Subject: ktadd then principal's password no longer works?
In-Reply-To: <20090814151207.GA15104@isc.upenn.edu>
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu>
Message-ID: <4A858194.6050904@anl.gov>

Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something. This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin: ktadd -k admin.kt admin/admin

You are creating a keytab to be used as the admin?
with a random password?

I think you are trying to create a keytab for the admin
using the current password, so you can use either the
password or the keytab.

If so look at the ktutil addent
It does not have to change the KDC database.

>> Entry for principal admin/admin with kvno 9, encryption type Triple DES
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin: quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
>
> This won't work. ktadd creates a new random key everytime it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:
>
>      ktadd [-k keytab] [-q] [-e keysaltlist]
>            [principal | -glob princ-exp] [...]
>
>          Adds a principal or all principals matching princ-exp
>          to a keytab, randomizing each principal's key in the
>          process. ...
>
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
>
> --Shumon.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jblaine at kickflop.net Fri Aug 14 11:26:22 2009
From: jblaine at kickflop.net (Jeff Blaine)
Date: Fri, 14 Aug 2009 11:26:22 -0400
Subject: ktadd then principal's password no longer works?
In-Reply-To: <20090814151207.GA15104@isc.upenn.edu>
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu>
Message-ID: <4A85821E.1080601@kickflop.net>

Goofy :/

I wonder how people script kadmin queries with MIT-krb5.

You know, like, setting every principal's password expiration.

Shumon Huque wrote:
> On Fri, Aug 14, 2009 at 10:55:47AM -0400, Jeff Blaine wrote:
>> Again, I must really not understand something. This
>> principal's password is getting trashed after I use
>> ktadd
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin: ktadd -k admin.kt admin/admin
>> Entry for principal admin/admin with kvno 9, encryption type Triple DES
>> cbc mode with HMAC/sha1 added to keytab WRFILE:admin.kt.
>> Entry for principal admin/admin with kvno 9, encryption type DES cbc
>> mode with CRC-32 added to keytab WRFILE:admin.kt.
>> kadmin: quit
>>
>> % sudo kadmin -p admin/admin
>> Authenticating as principal admin/admin with password.
>> Password for admin/admin at FOO.COM:
>> kadmin: Incorrect password while initializing kadmin interface
>>
>> ^^^ tried many times -- had to fix via kadmin.local
>
> This won't work. ktadd creates a new random key everytime it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:
>
>      ktadd [-k keytab] [-q] [-e keysaltlist]
>            [principal | -glob princ-exp] [...]
>
>          Adds a principal or all principals matching princ-exp
>          to a keytab, randomizing each principal's key in the
>          process. ...
>
> I don't think the MIT distro has any tool to do what you want.
> You'd probably need to write a program to extract the password
> derived key directly from the KDB.
>
> --Shumon.
>

From shuque at isc.upenn.edu Fri Aug 14 11:30:54 2009
From: shuque at isc.upenn.edu (Shumon Huque)
Date: Fri, 14 Aug 2009 11:30:54 -0400
Subject: ktadd then principal's password no longer works?
In-Reply-To: <4A85821E.1080601@kickflop.net>
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu> <4A85821E.1080601@kickflop.net>
Message-ID: <20090814153054.GA15763@isc.upenn.edu>

On Fri, Aug 14, 2009 at 11:26:22AM -0400, Jeff Blaine wrote:
> Goofy :/
>
> I wonder how people script kadmin queries with MIT-krb5.
>
> You know, like, setting every principal's password expiration.

Can't you use "kadmin -k -t /path/to/keytab .."?

It also has "-w password" thus exposing the password on the
command line ..

--Shumon.

From rra at stanford.edu Fri Aug 14 12:57:28 2009
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 14 Aug 2009 09:57:28 -0700
Subject: ktadd then principal's password no longer works?
In-Reply-To: <20090814151207.GA15104@isc.upenn.edu> (Shumon Huque's message of "Fri, 14 Aug 2009 11:12:07 -0400")
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu>
Message-ID: <873a7umiyv.fsf@windlord.stanford.edu>

Shumon Huque writes:

> This won't work. ktadd creates a new random key everytime it
> is invoked, thus destroying your earlier password derived
> key. The manpage says:

>      ktadd [-k keytab] [-q] [-e keysaltlist]
>            [principal | -glob princ-exp] [...]

>          Adds a principal or all principals matching princ-exp
>          to a keytab, randomizing each principal's key in the
>          process. ...

> I don't think the MIT distro has any tool to do what you want.

ktadd -norandkey. It's only available via kadmin.local.

--
Russ Allbery (rra at stanford.edu)

From jblaine at kickflop.net Fri Aug 14 14:18:33 2009
From: jblaine at kickflop.net (Jeff Blaine)
Date: Fri, 14 Aug 2009 14:18:33 -0400
Subject: ktadd then principal's password no longer works?
In-Reply-To: <4A858194.6050904@anl.gov>
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu> <4A858194.6050904@anl.gov>
Message-ID: <4A85AA79.2050309@kickflop.net>

>>> % sudo kadmin -p admin/admin
>>> Authenticating as principal admin/admin with password.
>>> Password for admin/admin at FOO.COM:
>>> kadmin: ktadd -k admin.kt admin/admin
>
> You are creating a keytab to be used as the admin?
> with a random password?
>
> I think you are trying to create a keytab for the admin
> using the current password, so you can use either the
> password or the keytab.
>
> If so look at the ktutil addent
> It does not have to change the KDC database.

Thank you. That works as I wanted. I probably knew this
at some point but forgot.

From ghudson at MIT.EDU Fri Aug 14 16:33:10 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Fri, 14 Aug 2009 16:33:10 -0400
Subject: ktadd then principal's password no longer works?
In-Reply-To: <4A85AA79.2050309@kickflop.net>
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu> <4A858194.6050904@anl.gov> <4A85AA79.2050309@kickflop.net>
Message-ID: <1250281990.6898.27.camel@ray>

On Fri, 2009-08-14 at 14:18 -0400, Jeff Blaine wrote:
> > If so look at the ktutil addent
> > It does not have to change the KDC database.

> Thank you. That works as I wanted. I probably knew this
> at some point but forgot.

A small caveat: ktutil addent doesn't contact the KDC and thus doesn't
find out if the principal uses a non-default salt.

From deengert at anl.gov Fri Aug 14 16:42:08 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 14 Aug 2009 15:42:08 -0500
Subject: ktadd then principal's password no longer works?
In-Reply-To: <1250281990.6898.27.camel@ray>
References: <4A857AF3.8080203@kickflop.net> <20090814151207.GA15104@isc.upenn.edu> <4A858194.6050904@anl.gov> <4A85AA79.2050309@kickflop.net> <1250281990.6898.27.camel@ray>
Message-ID: <4A85CC20.3030302@anl.gov>

If your goal was to have an admin.kt to run scripts from cron, maybe the
best choice is to create a cronadmin/admin and give it admin privileges.
Then create its keytab using ktadd. You can then change it as needed, and
still have your admin/admin.

Greg Hudson wrote:
> On Fri, 2009-08-14 at 14:18 -0400, Jeff Blaine wrote:
>>> If so look at the ktutil addent
>>> It does not have to change the KDC database.
>
>> Thank you. That works as I wanted. I probably knew this
>> at some point but forgot.
>
> A small caveat: ktutil addent doesn't contact the KDC and thus doesn't
> find out if the principal uses a non-default salt.
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jruss at MIT.EDU Sat Aug 15 15:40:32 2009
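Greg Hudson's caveat earlier in this thread (ktutil addent never talks to the KDC, so it cannot learn a non-default salt) is easy to see in code. The following is an added example, not code from the thread or from MIT Kerberos: it implements the default salt rule (the realm followed by the principal's name components, with no separators) and the PBKDF2 stage of the RFC 3962 AES string-to-key, then shows that a keytab entry derived locally from the password only matches the KDC's key when both sides used the same salt. Assumptions: AES is used rather than the DES/3DES enctypes in the quoted getprinc output, because its first stage is PBKDF2-HMAC-SHA1 from the standard library; the final DK(tkey, "kerberos") step of RFC 3962 is left out, since equal intermediate keys give equal final keys; the function names, the sample password and the custom salt value are made up for the example.

```python
import hashlib

# RFC 3962 parameters for aes128-cts-hmac-sha1-96.  Assumption: AES is used
# here instead of the DES/3DES enctypes in the quoted getprinc output,
# because its first string-to-key stage is PBKDF2-HMAC-SHA1, available in
# the standard library; the default-salt rule is the same for every enctype.
AES128_KEY_BYTES = 16
DEFAULT_ITERATIONS = 4096


def default_salt(principal):
    """Default Kerberos string-to-key salt (RFC 4120): the realm name
    followed by the principal's name components in order, no separators.
    Assumption: '/' and '@' are taken literally (no quoting support)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    return realm + "".join(name.split("/"))


def pbkdf2_stage(password, salt, iterations=DEFAULT_ITERATIONS,
                 key_bytes=AES128_KEY_BYTES):
    """First stage of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and salt.  The final DK(tkey, "kerberos") step, which
    needs AES, is omitted; it is a deterministic function of this value,
    so equal results here give equal final keys."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def keytab_matches_kdc(password, principal, kdc_salt=None):
    """Model the caveat: a local tool that derives the keytab key from the
    password can only assume the default salt, while the KDC holds a key
    made with whatever salt was used when the password was set (kdc_salt,
    None meaning the default).  True when the two keys agree."""
    local_key = pbkdf2_stage(password, default_salt(principal))
    kdc_key = pbkdf2_stage(password, default_salt(principal)
                           if kdc_salt is None else kdc_salt)
    return local_key == kdc_key


if __name__ == "__main__":
    princ = "admin/admin@FOO.COM"
    pw = "example-password"  # constructed sample, not a real credential
    print("default salt:", default_salt(princ))
    print("default salt on both sides:", keytab_matches_kdc(pw, princ))
    # e.g. a KDC entry created with a custom (non-default) salt
    print("KDC used a custom salt:    ",
          keytab_matches_kdc(pw, princ, "FOO.COMadmin"))
```

The failure mode is silent: the locally built keytab is well formed and kinit -k simply reports a preauthentication or integrity failure, which is why a keytab made without contacting the KDC should be verified once against the realm before a cron job depends on it.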
From: jruss at MIT.EDU (Johnny Russ)
Date: Sat, 15 Aug 2009 15:40:32 -0400
Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
Message-ID:

I have a desktop PC running Windows 7 32-bit and a laptop running Windows
7 64-bit. I use kerberos and network identity manager to access my AFS
files. Everything seems to work fine. Except that randomly (every few days
or so) I will notice my CPU is maxed out. When I check the task manager
netidmgr.exe and explorer.exe will be the 2 processes that are maxing out
the CPU. This usually happens when I am not even directly using netidmgr
or AFS. I cannot kill them from task manager, with taskkill, or with
pskill from sysinternals. I have to reboot to stop them from maxing out
the CPU.

I realize that Windows 7 is not officially supported or even officially
released yet, but it will be soon. Network Identity Manager, Kerberos, and
AFS all seem to work fine without any issues. I was just curious if
anybody else is running Windows 7 and seeing this issue. How can I confirm
that this is actually a bug when running under Windows 7? Or even better
any ideas how to avoid it would be appreciated.

From rra at stanford.edu Sat Aug 15 18:10:44 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sat, 15 Aug 2009 15:10:44 -0700
Subject: kstart 3.15 released
Message-ID: <87hbw8k9sr.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.15 of kstart.

k4start, k5start, and krenew are modified versions of kinit which add support for running as a daemon to maintain a ticket cache, running a command with credentials from a keytab and maintaining a ticket cache until that command completes, obtaining AFS tokens (via an external aklog) after obtaining tickets, and creating an AFS PAG for a command. They are primarily useful in conjunction with long-running jobs; for moving ticket handling code out of servers, cron jobs, or daemons; and to obtain tickets and AFS tokens with a single command.

Changes from previous release:

k5start and krenew now catch SIGALRM and immediately refresh the ticket cache upon receiving it, even if the ticket isn't expired.

Add the -i option to krenew, which says to keep running even if there is an error renewing the ticket cache. This is useful if the ticket cache renewed by krenew may expire and then later be renewed (such as with a manual kinit) and krenew is expected to wake up again and process the new ticket cache.

Re-run aklog even if the ticket is still valid when -H is used in combination with -t. We don't check whether the token is valid, so it's safer to always re-run aklog. We may be setting a token in a new PAG using an existing ticket cache.

Fail with an error rather than a segfault if MIT Kerberos is unable to determine a default local realm for an unqualified principal. Based on a patch from Jason Funk.

Add example krenew-agent script, which runs krenew for a given ticket cache if it isn't already running. Contributed by Tim Skirvin.

Correctly declare message_fatal_cleanup extern, fixing compilation problems on some platforms (particularly Mac OS X).

Document that the -b flag to all programs also changes directories to / and any paths should therefore be absolute.

Add support for the old Heimdal krb5_get_error_string interface. Thanks, Chaskiel Grundman.

Fix some timing issues with the test suite that caused spurious failures on fast systems and try to make it more robust in the face of different process scheduling. This probably still isn't perfect.

k4start is now built optionally based on whether Kerberos v4 libraries are available, removing the need for --disable-k4start if no Kerberos v4 libraries are present. The option is still supported to explicitly disable building k4start even if Kerberos v4 libraries are found.

Enable Automake silent rules. For a quieter build, pass the --enable-silent-rules option to configure or build with make V=0.

Update to rra-c-util 2.0:

* Redo build system for kafs replacement library and add tests.
* Add --with-libkafs-include and --with-libkafs-lib configure options.
* Add --with-afs-include and --with-afs-lib configure options.
* Sanity-check the results of krb5-config before proceeding.
* Fall back on manual probing if krb5-config results don't work.
* Add --with-krb5-include and --with-krb5-lib configure options.
* Add --with-krb4-include and --with-krb4-lib configure options.
* Don't break if the user clobbers CPPFLAGS at build time.
* Provide a proper bool type with Sun Studio 12 on Solaris 10.
* Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
* Add strlcpy, strlcat, and setenv replacements.
* Fix open call parameters in daemon portability test.
* Update portable and util test suite for C TAP Harness 1.1.

Update to C TAP Harness 1.1:

* Rewrite of all test cases to use the new TAP library support.
* Much improved and simplified builddir != srcdir test suite support.
* Support running a single test with tests/runtests -o.
* Summarize results at the end of test executions.
* Correctly handle completely skipped tests, like docs/pod.
* Better reporting of fatal errors in the test suite.
* Consume all output from a test case before closing its descriptor.
* Support aspell for spelling tests and skip them by default.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (rra at stanford.edu)

From ghudson at MIT.EDU Mon Aug 17 15:32:49 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 17 Aug 2009 15:32:49 -0400
Subject: Can I get more debug output from kadmin.local?
In-Reply-To: <20090812041117.GA6387@chris-laptop.a2hosting.com>
References: <20090812020150.GA5736@chris-laptop.a2hosting.com> <20090812041117.GA6387@chris-laptop.a2hosting.com>
Message-ID: <1250537569.6898.57.camel@ray>

On Wed, 2009-08-12 at 00:11 -0400, Chris wrote:
> As it turns out the source is full of all kinds of wonderful information
> about what is going wrong, but none of it prints. Still have to figure
> out why that isn't happening correctly...

I am about to check in a fix to the trunk, which should make it into the 1.8 release.

From chantal at antenna.nl Tue Aug 18 06:00:14 2009
From: chantal at antenna.nl (Chantal Rosmuller)
Date: Tue, 18 Aug 2009 12:00:14 +0200
Subject: nfs/kerberos problems
Message-ID: <200908181200.14331.chantal@antenna.nl>

Hi list,

I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what I did:

first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2, nfs mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works

changed the following on /etc/default/nfs-kernel-server:

  NEED_SVCGSSD=yes
  RPCSVCGSSDOPTS="-vvv"

then I installed ntp on both servers

On the nfs/kerberos server ubuntuhardy1

  aptitude install krb5-admin-server krb5-kdc

edit /etc/hosts

  127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
  192.168.0.109 ubuntuhardy1.localhost.network
  192.168.0.110 ubuntuhardy2.localhost.network

change hostname

  hostname ubuntuhardy1.localhost.network

edit /etc/krb5.conf

  [libdefaults]
        default_realm = LOCALHOST.NETWORK
  [realms]
        LOCALHOST.NETWORK = {
                kdc = ubuntuhardy1.localhost.network
                admin_server = ubuntuhardy1.localhost.network
                default_domain = localhost.network
        }
  [domain_realm]
        localhost.network = LOCALHOST.NETWORK
        .localhost.network = LOCALHOST.NETWORK
  [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

change /etc/krb5kdc/kdc.conf:

  [kdcdefaults]
      kdc_ports = 750,88
  [realms]
      LOCALHOST.NETWORK = {
          database_name = /var/lib/krb5kdc/principal
          admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
          acl_file = /etc/krb5kdc/kadm5.acl
          key_stash_file = /etc/krb5kdc/stash
          kdc_ports = 750,88
          max_life = 10h 0m 0s
          max_renewable_life = 7d 0h 0m 0s
          master_key_type = des3-hmac-sha1
          supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
          default_principal_flags = +preauth
      }

create realm:

  kdb5_util create -s

  loading random data
  Initializing database '/var/lib/krb5kdc/principal' for realm 'LOCALHOST.NETWORK',
  master key name 'K/M at LOCALHOST.NETWORK'
  You will be prompted for the database Master Password.
  It is important that you NOT FORGET this password.
  Enter KDC database master key:

restarted kerberos

  /etc/init.d/krb5-admin-server restart
  /etc/init.d/krb5-kdc restart

Now you can access it with the following command:

started kadmin

  kadmin.local

added user:

  addprinc admin/admin

added Host key for the server:

  addprinc -randkey host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK

add principal to local key table

  ktadd host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK

output:

  Entry for principal host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
  Entry for principal host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

edit /etc/exports

  /var/www gss/krb5i(rw,sync)

restarted nfs server

on the client ubuntuhardy2:

edit /etc/hosts

  127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
  192.168.0.110 ubuntuhardy2.localhost.network
  192.168.0.109 ubuntuhardy1.localhost.network

install software

  aptitude install krb5-user krb5-clients libpam-krb5

copied /etc/krb5.conf from server

tested kerberos access:

  kinit admin/admin

and got this output:

  Password for admin/admin at LOCALHOST.NETWORK:

logged in again on the SERVER

  kadmin

added principal for client ubuntuhardy2

  addprinc -randkey host/ubuntuhardy2.localhost.network
  addprinc -randkey nfs/ubuntuhardy2.localhost.network

client

logged in on the client:

  kinit admin/admin
  Password for admin/admin at LOCALHOST.NETWORK: r

add principal for client

  kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
  WARNING: no policy specified for nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK; defaulting to no policy
  Principal "nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK" created.

create key in keytab

  kadmin: ktadd nfs/ubuntuhardy2.localhost.network
  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
  Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
  kadmin: quit

then I try to mount the nfs share

  mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www /mnt/websites/

I get

  mount.nfs: access denied by server while mounting ubuntuhardy1.localhost.network:/var/www

and in /var/log/daemon.log on the server

  ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for /var/www (/var/www)

Does anyone know what I am doing wrong?

From kwcoffman at gmail.com Tue Aug 18 12:50:20 2009
From: kwcoffman at gmail.com (Kevin Coffman)
Date: Tue, 18 Aug 2009 12:50:20 -0400
Subject: nfs/kerberos problems
In-Reply-To: <200908181200.14331.chantal@antenna.nl>
References: <200908181200.14331.chantal@antenna.nl>
Message-ID: <4d569c330908180950t290dd4cej4c80c63be529839c@mail.gmail.com>

On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller wrote:
> Hi list,
>
> I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's what
> I did:
>
> then I try to mount the nfs share
>
> mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www /mnt/websites/
>
> I get
>
> mount.nfs: access denied by server while mounting ubuntuhardy1.localhost.network:/var/www
>
> and in /var/log/daemon.log on the server
>
> ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110 for /var/www (/var/www)
>
> Does anyone know what I am doing wrong?
Currently, you must limit the encryption type for the nfs principals to only des-cbc-crc. So, in both cases

  ktadd nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
  ktadd nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK

should be

  ktadd -e des-cbc-crc:normal nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
  ktadd -e des-cbc-crc:normal nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK

(See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)

K.C.

From sgla9347 at gmail.com Tue Aug 18 13:21:23 2009
From: sgla9347 at gmail.com (Steve Glasser)
Date: Tue, 18 Aug 2009 10:21:23 -0700
Subject: nfs/kerberos problems
In-Reply-To: <200908181200.14331.chantal@antenna.nl>
References: <200908181200.14331.chantal@antenna.nl>
Message-ID:

> added principal for client ubuntuhardy2
>
> addprinc -randkey host/ubuntuhardy2.localhost.network
> addprinc -randkey nfs/ubuntuhardy2.localhost.network
> client
>
> logged in on the client:
>
> kinit admin/admin
> Password for admin/admin at LOCALHOST.NETWORK: r
>
> add principal for client
>
> kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network

It appears you created the host/ubuntuhardy2.localhost.network principal but did not extract the host key to the local keytab file on ubuntuhardy2, as you did with ubuntuhardy1. I believe that is required; if I'm wrong someone please correct me.

Cheers
--
Steve Glasser
sgla9347 at gmail.com

From jaltman at secure-endpoints.com Tue Aug 18 15:00:26 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 18 Aug 2009 15:00:26 -0400
Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
In-Reply-To:
References:
Message-ID: <4A8AFA4A.6010901@secure-endpoints.com>

Johnny Russ wrote:
> I realize that Windows 7 is not officially supported or even
> officially released yet, but it will be soon. Network Identity
> Manager, Kerberos, and AFS all seem to work fine without any issues. I
> was just curious if anybody else is running Windows 7 and seeing this
> issue. How can I confirm that this is actually a bug when running
> under Windows 7? Or even better any ideas how to avoid it would be
> appreciated.

I haven't seen the issue but would be happy to track it down and squash it.

Since you are comfortable using SysInternals tools, could you configure procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and have it capture a process dump when the issue occurs?

http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Please send mail to netidmgr at secure-endpoints.com. Given that the issue affects both netidmgr.exe and explorer.exe I suspect the problem isn't actually with netidmgr but is more likely an interaction between Windows 7 and OpenAFS but we shall see.

Jeffrey Altman

From jruss at MIT.EDU Tue Aug 18 16:32:51 2009
From: jruss at MIT.EDU (Johnny Russ)
Date: Tue, 18 Aug 2009 16:32:51 -0400
Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
In-Reply-To: <4A8AFA4A.6010901@secure-endpoints.com>
References: <4A8AFA4A.6010901@secure-endpoints.com>
Message-ID:

> Since you are comfortable using SysInternals tools, could you configure
> procdump to monitor netidmgr.exe and explorer.exe for cpu spikes and
> have it capture a process dump when the issue occurs?
>
> http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
>
> Please send mail to netidmgr at secure-endpoints.com.

I just sent an email to netidmgr at secure-endpoints.com with the requested dump files for explorer.exe and netidmgr.exe. Thanks for checking into this, I have had to stop using netidmgr until I can figure out a fix.

From david.tansley at btinternet.com Tue Aug 18 16:04:33 2009
From: david.tansley at btinternet.com (dxtans)
Date: Tue, 18 Aug 2009 13:04:33 -0700 (PDT)
Subject: Status 0x96c73ac3 - No credentials cache found
Message-ID: <97516dc7-3ed6-4dfe-954a-8d656ed1fe8a@g10g2000yqh.googlegroups.com>

Hello,
I have installed kerberos v5 on aix, the principal account has been created OK on the AD server.
But when I try and run kinit on the unix side I get:

  ktutil: rkt /etc/krb5/uk0108.keytab
  ktutil: list
  slot KVNO Principal
  ------ ------ ------------------------------------------------------
       1      5 host/uk0108.bxc.com at BXC.COM
  ktutil: wkt /etc/krb5/krb5.keytab
  ktutil: quit

  kinit -kt /etc/krb5/krb5.keytab
  Unable to obtain initial credentials.
  Status 0x96c73ab5 - Key table entry not found.

Now I have googled this error. I can confirm that I can resolve correctly both forward and reverse lookups using dig and host for the fqdn, and that the config file is correct with the domain name.

I have used tcpdump on the interface and although I see connections to port 88 on the AD side, there is nothing being passed.
I am running this as root. Should I create the principal account (uk0108) also on the unix side and run the above commands as that user?

Does anybody have any other avenues I can investigate?

My conf file is:

  [libdefaults]
    default_realm = BXC.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

  [realms]
    BXC.COM = {
      kdc = ukad01.bxc.com:88
      admin_server = uk0108.bxc.com:749
      default_domain = bxc.com
    }

  [domain_realm]
    .bxc.com = BXC.COM
    uk0108.bxc.com = BXC.COM

  [logging]
    kdc = FILE:/var/krb5/log/krb5kdc.log
    admin_server = FILE:/var/krb5/log/kadmin.log
    default = FILE:/var/krb5/log/krb5lib.log

thanks
dxtans

From edward at murrell.co.nz Tue Aug 18 17:05:25 2009
From: edward at murrell.co.nz (Edward Murrell)
Date: Wed, 19 Aug 2009 09:05:25 +1200
Subject: Status 0x96c73ac3 - No credentials cache found
In-Reply-To: <97516dc7-3ed6-4dfe-954a-8d656ed1fe8a@g10g2000yqh.googlegroups.com>
References: <97516dc7-3ed6-4dfe-954a-8d656ed1fe8a@g10g2000yqh.googlegroups.com>
Message-ID: <1250629525.3903.1.camel@entropy>

You will need to specify the principal you wish to use when running kinit. This is because keytabs can contain multiple principals, i.e.:

  kinit -kt /etc/krb5/krb5.keytab host/uk0108.bxc.com at BXC.COM

Hope this helps!

Cheers,
Edward

On Tue, 2009-08-18 at 13:04 -0700, dxtans wrote:
> Hello,
> I have installed kerberos v5 on aix, the principal account has been
> created OK on the AD server.
> But when I try and run kinit on the unix side I get:
>
> ktutil: rkt /etc/krb5/uk0108.keytab
> ktutil: list
> slot KVNO Principal
> ------ ------ ------------------------------------------------------
> 1 5 host/uk0108.bxc.com at BXC.COM
> ktutil: wkt /etc/krb5/krb5.keytab
> ktutil: quit
>
> kinit -kt /etc/krb5/krb5.keytab
> Unable to obtain initial credentials.
> Status 0x96c73ab5 - Key table entry not found.

From mayer at ntp.isc.org Tue Aug 18 22:49:37 2009
From: mayer at ntp.isc.org (Danny Mayer)
Date: Tue, 18 Aug 2009 22:49:37 -0400
Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
In-Reply-To:
References:
Message-ID: <4A8B6841.3090906@ntp.isc.org>

Johnny Russ wrote:
> I have a desktop PC running Windows 7 32-bit and a laptop running
> Windows 7 64-bit. I use kerberos and network identity manager to
> access my AFS files. Everything seems to work fine. Except that
> randomly (every few days or so) I will notice my CPU is maxed out.
> When I check the task manager netidmgr.exe and explorer.exe will be
> the 2 processes that are maxing out the CPU. This usually happens when
> I am not even directly using netidmgr or AFS. I cannot kill them from
> task manager, with taskkill, or with pskill from sysinternals. I have
> to reboot to stop them from maxing out the CPU.

I have seen something like this on my XP box and I believe it was netidmgr if that is the app that sits in the system tray. After some time (days) it seems to be grabbing all the messages in the message pump and suddenly all of my windows go crazy, flashing windows all over the screen. I have to find my DOS window and kill it off and then things return to normal. I don't think this is specific to Windows 7.

I haven't had time to follow up as I have plenty of other projects on my plate.

Danny

From jaltman at secure-endpoints.com Wed Aug 19 00:12:34 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 19 Aug 2009 00:12:34 -0400
Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
In-Reply-To: <4A8B6841.3090906@ntp.isc.org>
References: <4A8B6841.3090906@ntp.isc.org>
Message-ID: <4A8B7BB2.1080803@secure-endpoints.com>

Danny Mayer wrote:
> I have seen something like this on my XP box and I believe it was
> netidmgr if that is the app that sits in the system tray. After some
> time (days) it seems to be grabbing all the messages in the message pump
> and suddenly all of my windows go crazy, flashing windows all over the
> screen. I have to find my DOS window and kill it off and then things
> return to normal. I don't think this is specific to Windows 7.
>
> I haven't had time to follow up as I have plenty of other projects on my
> plate.
>
> Danny

Danny:

I have to say this sounds extremely unlikely. If you have any evidence to back up this theory I would love to see it.

The problem that Mr Russ is experiencing appears to be related to interactions with Offline Folders and OpenAFS Pioctls. I am following up with him to collect additional information.

Jeffrey Altman

From david.tansley at btinternet.com Wed Aug 19 08:01:34 2009
From: david.tansley at btinternet.com (dxtans)
Date: Wed, 19 Aug 2009 05:01:34 -0700 (PDT)
Subject: Status 0x96c73ac3 - No credentials cache found
References: <97516dc7-3ed6-4dfe-954a-8d656ed1fe8a@g10g2000yqh.googlegroups.com>
Message-ID:

thanks, but that failed as well with the same error. I'll keep on googling...

dxtans

From chantal at antenna.nl Wed Aug 19 13:22:51 2009
From: chantal at antenna.nl (Chantal Rosmuller)
Date: Wed, 19 Aug 2009 19:22:51 +0200
Subject: nfs/kerberos problems
In-Reply-To:
References: <200908181200.14331.chantal@antenna.nl>
Message-ID: <200908191922.51956.chantal@antenna.nl>

On Tuesday 18 August 2009 19:21:23 Steve Glasser wrote:
> > added principal for client ubuntuhardy2
> >
> > addprinc -randkey host/ubuntuhardy2.localhost.network
> > addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > client
> >
> > logged in on the client:
> >
> > kinit admin/admin
> > Password for admin/admin at LOCALHOST.NETWORK: r
> >
> > add principal for client
> >
> > kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
>
> It appears you created the host/ubuntuhardy2.localhost.network
> principal but did not extract the host key to the local keytab file on
> ubuntuhardy2, as you did with /ubuntuhardy1. I believe that is
> required; if I'm wrong someone please correct me.
>
> Cheers

Hi Steve,

I tried but it doesn't help, here are my keytabs:

  root at ubuntuhardy2:~# klist -e -k /etc/krb5.keytab
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     3 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
     3 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
     4 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
     4 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)

  root at ubuntuhardy1:~# klist -e -k /etc/krb5.keytab
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     3 host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
     3 host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
     3 nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
     3 nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
     4 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
     4 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
     3 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
     3 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)

From chantal at antenna.nl Wed Aug 19 13:28:41 2009
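A keytab check for the two issues raised in this thread: Kevin Coffman's point that the nfs/ principals must carry only des-cbc-crc keys, and the listings above, in which nfs/ubuntuhardy2 and host/ubuntuhardy2 appear with different kvnos in the two keytabs. This is an added example, not code from the thread; the listings embedded in it are constructed to mirror the klist -e -k output quoted above, and the parser assumes that one-entry-per-line format.

```python
import re
from collections import defaultdict

# Constructed sample listings that mirror the `klist -e -k` output quoted in
# the thread (principals spelled with a real "@" rather than the archive's " at ").
CLIENT_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   4 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
"""

SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   3 nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype display name>)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
# How `klist -e` names the enctype that `ktadd -e des-cbc-crc:normal` produces.
DES_CBC_CRC = "DES cbc mode with CRC-32"


def parse_klist(text):
    """Return {principal: {kvno: set(enctype names)}} from `klist -e -k` output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the "Keytab name:" header and the column rule do not match
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries[principal][kvno].add(enctype)
    return entries


def kvno_mismatches(keytab_a, keytab_b):
    """Principals present in both keytabs whose newest kvno differs.

    Every ktadd generates a fresh random key and bumps the kvno in the KDC
    (the "ktadd then principal's password no longer works?" thread above is
    the same effect), so running ktadd for one principal on two hosts leaves
    the host with the lower kvno holding a key the KDC no longer uses.
    Returns [(principal, newest_kvno_in_a, newest_kvno_in_b), ...].
    """
    out = []
    for principal in sorted(set(keytab_a) & set(keytab_b)):
        ka, kb = max(keytab_a[principal]), max(keytab_b[principal])
        if ka != kb:
            out.append((principal, ka, kb))
    return out


def nfs_enctype_problems(keytab):
    """nfs/ principals whose newest key set is not exactly {des-cbc-crc}."""
    problems = []
    for principal, by_kvno in sorted(keytab.items()):
        if not principal.startswith("nfs/"):
            continue
        enctypes = by_kvno[max(by_kvno)]
        if DES_CBC_CRC not in enctypes:
            problems.append((principal, "missing des-cbc-crc"))
        extra = sorted(enctypes - {DES_CBC_CRC})
        if extra:
            problems.append((principal, "extra enctypes: " + ", ".join(extra)))
    return problems


if __name__ == "__main__":
    client, server = parse_klist(CLIENT_KEYTAB), parse_klist(SERVER_KEYTAB)
    for principal, ka, kb in kvno_mismatches(client, server):
        stale = "client" if ka < kb else "server"
        print(f"kvno mismatch: {principal} client={ka} server={kb} ({stale} key is stale)")
    for name, keytab in (("client", client), ("server", server)):
        for principal, problem in nfs_enctype_problems(keytab):
            print(f"{name}: {principal}: {problem}")
```

On the sample listings the check reports both ubuntuhardy2 principals as kvno mismatches and every nfs/ principal as carrying a Triple DES key in addition to des-cbc-crc; real listings are fed in by reading the output of klist -e -k from each host into the two strings.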
From: chantal at antenna.nl (Chantal Rosmuller)
Date: Wed, 19 Aug 2009 19:28:41 +0200
Subject: nfs/kerberos problems
In-Reply-To: <4d569c330908180950t290dd4cej4c80c63be529839c@mail.gmail.com>
References: <200908181200.14331.chantal@antenna.nl> <4d569c330908180950t290dd4cej4c80c63be529839c@mail.gmail.com>
Message-ID: <200908191928.41733.chantal@antenna.nl>

On Tuesday 18 August 2009 18:50:20 Kevin Coffman wrote:
> On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller wrote:
> > Hi list,
> >
> > I cannot get nfs with kerberos working on my Ubuntu 8.04 servers, here's
> > what I did:
> >
> > first I installed nfs server on ubuntuhardy1 and client on ubuntuhardy2,
> > nfs mounting from ubuntuhardy2 to ubuntuhardy1 without kerberos works
> >
> > changed the following on /etc/default/nfs-kernel-server:
> >
> > NEED_SVCGSSD=yes
> > RPCSVCGSSDOPTS="-vvv"
> >
> > then I installed ntp on both servers
> >
> > On the nfs/kerberos server ubuntuhardy1
> >
> > aptitude install krb5-admin-server krb5-kdc
> >
> > edit /etc/hosts
> >
> > 127.0.0.1 ubuntuhardy1.localhost.network ubuntuhardy1 localhost
> > 192.168.0.109 ubuntuhardy1.localhost.network
> > 192.168.0.110 ubuntuhardy2.localhost.network
> >
> > change hostname
> >
> > hostname ubuntuhardy1.localhost.network
> >
> > edit /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = LOCALHOST.NETWORK
> > [realms]
> > LOCALHOST.NETWORK = {
> > kdc = ubuntuhardy1.localhost.network
> > admin_server = ubuntuhardy1.localhost.network
> > default_domain = localhost.network
> > }
> > [domain_realm]
> > localhost.network = LOCALHOST.NETWORK
> > .localhost.network = LOCALHOST.NETWORK
> > [logging]
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmin.log
> > default = FILE:/var/log/krb5lib.log
> >
> > change /etc/krb5kdc/kdc.conf:
> >
> > [kdcdefaults]
> > kdc_ports = 750,88
> > [realms]
> > LOCALHOST.NETWORK = {
> > database_name = /var/lib/krb5kdc/principal
> > admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > acl_file = /etc/krb5kdc/kadm5.acl
> > key_stash_file = /etc/krb5kdc/stash
> > kdc_ports = 750,88
> > max_life = 10h 0m 0s
> > max_renewable_life = 7d 0h 0m 0s
> > master_key_type = des3-hmac-sha1
> > supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> > des:normal des:v4 des:norealm des:onlyrealm des:afs3
> > default_principal_flags = +preauth
> > }
> >
> > create realm:
> >
> > kdb5_util create -s
> >
> > loading random data
> > Initializing database '/var/lib/krb5kdc/principal' for realm
> > 'LOCALHOST.NETWORK',
> > master key name 'K/M at LOCALHOST.NETWORK'
> > You will be prompted for the database Master Password.
> > It is important that you NOT FORGET this password.
> > Enter KDC database master key:
> >
> > restarted kerberos
> >
> > /etc/init.d/krb5-admin-server restart
> > /etc/init.d/krb5-kdc restart
> > Now you can access your with the following command:
> >
> > started kadmin
> >
> > kadmin.local
> >
> > added user:
> >
> > addprinc admin/admin
> >
> > added Host key for the server:
> >
> > addprinc -randkey host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> >
> > add principal to local key table
> >
> > ktadd host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > output:
> >
> > Entry for principal
> > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3,
> > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > WRFILE:/etc/krb5.keytab. Entry for principal
> > host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK with kvno 3,
> > encryption type DES cbc mode with CRC-32 added to keytab
> > WRFILE:/etc/krb5.keytab.
> >
> > edit /etc/exports
> >
> > /var/www gss/krb5i(rw,sync)
> >
> > restarted nfs server
> >
> > on the client ubuntuhardy2:
> >
> > edit /etc/hosts
> >
> > 127.0.0.1 ubuntuhardy2.localhost.network ubuntuhardy2 localhost
> > 192.168.0.110 ubuntuhardy2.localhost.network
> > 192.168.0.109 ubuntuhardy1.localhost.network
> >
> > install software
> >
> > aptitude install krb5-user krb5-clients libpam-krb5
> >
> > copied /etc/krb5.conf from server
> >
> > tested kerberos access:
> >
> > kinit admin/admin
> >
> > and got this output:
> >
> > Password for admin/admin at LOCALHOST.NETWORK:
> >
> > logged in again on the SERVER
> >
> > kadmin
> >
> > added principal for client ubuntuhardy2
> >
> > addprinc -randkey host/ubuntuhardy2.localhost.network
> > addprinc -randkey nfs/ubuntuhardy2.localhost.network
> > client
> >
> > logged in on the client:
> >
> > kinit admin/admin
> > Password for admin/admin at LOCALHOST.NETWORK: r
> >
> > add principal for client
> >
> > kadmin: addprinc -randkey nfs/ubuntuhardy2.localhost.network
> >
> > WARNING: no policy specified for
> > nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK; defaulting to no
> > policy
> > Principal "nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK" created.
> >
> > create key in keytab
> >
> > kadmin: ktadd nfs/ubuntuhardy2.localhost.network
> >
> > Entry for principal nfs/ubuntuhardy2.localhost.network with kvno 3,
> > encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
> > WRFILE:/etc/krb5.keytab. Entry for principal
> > nfs/ubuntuhardy2.localhost.network with kvno 3, encryption type DES cbc
> > mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
> > kadmin: quit
> >
> > then I try to mount the nfs share
> >
> > mount -t nfs -o sec=krb5 ubuntuhardy1.localhost.network:/var/www
> > /mnt/websites/
> >
> > I get
> >
> > mount.nfs: access denied by server while mounting
> > ubuntuhardy1.localhost.network:/var/www
> >
> > and in /var/log/daemon.log on the server
> >
> > ubuntuhardy1 mountd[1913]: mount request from unknown host 192.168.0.110
> > for /var/www (/var/www)
> >
> > Does anyone know what I am doing wrong?
>
> Currently, you must limit the encryption type for the nfs principals
> to only des-cbc-crc.
>
> So, in both cases
> ktadd nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> ktadd nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> should be
> ktadd -e des-cbc-crc:normal
> nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> ktadd -e des-cbc-crc:normal
> nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
>
> (See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)
>
> K.C.

It does get rid of the double keys but it's not working yet....... do I need
to do the same for host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
and host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK?

From chantal at antenna.nl Wed Aug 19 13:34:27 2009
From: chantal at antenna.nl (Chantal Rosmuller)
Date: Wed, 19 Aug 2009 19:34:27 +0200
Subject: nfs/kerberos problems
In-Reply-To: <200908191928.41733.chantal@antenna.nl>
References: <200908181200.14331.chantal@antenna.nl> <4d569c330908180950t290dd4cej4c80c63be529839c@mail.gmail.com> <200908191928.41733.chantal@antenna.nl>
Message-ID: <200908191934.27717.chantal@antenna.nl>

On Wednesday 19 August 2009 19:28:41 Chantal Rosmuller wrote:
> On Tuesday 18 August 2009 18:50:20 Kevin Coffman wrote:
> > On Tue, Aug 18, 2009 at 6:00 AM, Chantal Rosmuller wrote:
> > > Hi list,
> > >
> > > [...]
> > >
> > > Does anyone know what I am doing wrong?
> >
> > Currently, you must limit the encryption type for the nfs principals
> > to only des-cbc-crc.
> >
> > So, in both cases
> > ktadd nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > ktadd nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> > should be
> > ktadd -e des-cbc-crc:normal
> > nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK
> > ktadd -e des-cbc-crc:normal
> > nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> >
> > (See http://www.citi.umich.edu/projects/nfsv4/linux/krb5-setup.html)
> >
> > K.C.
>
> It does get rid of the double keys but it's not working yet....... do I need
> to do the same for host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK
> and host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK?
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

still no success :(

keytabs look like this now

root at ubuntuhardy2:~# klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   6 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)

klist -e -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 host/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 nfs/ubuntuhardy1.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   5 nfs/ubuntuhardy2.localhost.network at LOCALHOST.NETWORK (DES cbc mode with CRC-32)
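The thread turns on two things that can be read straight off `klist -e -k` output: a principal carrying keys of more than one enctype (the "double keys" that `ktadd -e des-cbc-crc:normal` got rid of) and the key version numbers on each host. The script below is an added example, not code from anyone in this thread; it parses a listing into (kvno, principal, enctype) entries, reports principals with several enctypes, reports entries under a chosen prefix (nfs/ by default, following Kevin Coffman's advice) whose enctype is outside an allowed list, and compares two listings for principals that appear under different kvno. The sample listings are constructed from the klist output posted above, with the archive's " at " restored to "@" as the real command prints it. It does not talk to a KDC; the `kvno` command is the tool for checking a keytab key against the KDC's current version.

```python
import re
from collections import defaultdict

# One entry line of `klist -e -k`, e.g.
#    6 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")

# kadmin spells the enctype "des-cbc-crc" (ktadd -e des-cbc-crc:normal);
# klist -e displays the same key as "DES cbc mode with CRC-32".
KLIST_NAME = {"des-cbc-crc": "DES cbc mode with CRC-32"}


def parse_klist(text):
    """Return [(kvno, principal, enctype)] for each entry line of a
    `klist -e -k` listing; the prompt, header and ---- rule are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def multi_enctype(entries):
    """Principals that hold keys of more than one enctype in the same keytab
    (the 'double keys' the thread talks about)."""
    by_princ = defaultdict(set)
    for _, princ, etype in entries:
        by_princ[princ].add(etype)
    return {p: sorted(e) for p, e in by_princ.items() if len(e) > 1}


def disallowed(entries, prefix="nfs/", allowed=("des-cbc-crc",)):
    """Entries under `prefix` whose enctype is not in the allowed list; the
    defaults encode the advice given for nfs/ principals in the thread."""
    names = {KLIST_NAME.get(a, a) for a in allowed}
    return [(p, e) for _, p, e in entries if p.startswith(prefix) and e not in names]


def kvno_mismatch(entries_a, entries_b):
    """Principals present in both listings under a different highest kvno.
    Every ktadd of a -randkey principal bumps its kvno in the KDC, so the
    side with the lower number holds a key the KDC has since replaced."""
    def highest(entries):
        h = {}
        for kvno, princ, _ in entries:
            h[princ] = max(kvno, h.get(princ, 0))
        return h
    a, b = highest(entries_a), highest(entries_b)
    return {p: (a[p], b[p]) for p in a if p in b and a[p] != b[p]}


# Constructed sample listings, modelled on the klist output in the thread.
CLIENT_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   4 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (Triple DES cbc mode with HMAC/sha1)
   3 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
"""
CLIENT_AFTER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   6 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
"""
SERVER_AFTER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 host/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   4 nfs/ubuntuhardy1.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
   5 nfs/ubuntuhardy2.localhost.network@LOCALHOST.NETWORK (DES cbc mode with CRC-32)
"""

if __name__ == "__main__":
    before, after, server = (parse_klist(t) for t in (CLIENT_BEFORE, CLIENT_AFTER, SERVER_AFTER))
    print("double keys before:", multi_enctype(before))
    print("nfs/ entries with a disallowed enctype before:", disallowed(before))
    print("double keys after:", multi_enctype(after))
    print("kvno differs between client and server keytab:", kvno_mismatch(after, server))
```

Run against real files with `klist -e -k /etc/krb5.keytab > listing.txt` on each host and feed the texts to `parse_klist`; the host/ principals are deliberately left out of the default `disallowed` check, since the thread only gives the des-cbc-crc rule for nfs/.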
From huaraz at moeller.plus.com Sun Aug 23 17:41:55 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 23 Aug 2009 22:41:55 +0100
Subject: Memory leak or programing error
Message-ID: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop>

I am working on an application to do gssapi authentication and noticed
increased memory usage. I created the following test application:

/* */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#ifndef HEIMDAL
#define HEIMDAL 0
#endif

#if HEIMDAL
#define HAVE_HEIMDAL_KERBEROS 1
#define HAVE_GSSAPI_GSSAPI_H 1
#else
#define HAVE_MIT_KERBEROS 1
#define HAVE_GSSAPI_GSSAPI_GENERIC_H 1
#define HAVE_GSSAPI_GSSAPI_H 1
#define HAVE_GSSAPI_GSSAPI_KRB5_H 1
#endif

#ifdef HAVE_HEIMDAL_KERBEROS
#ifdef HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif defined(HAVE_GSSAPI_H)
#include <gssapi.h>
#else
#error "GSSAPI header required"
#endif
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#else
#ifdef HAVE_SEAM_KERBEROS
#ifdef HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif defined(HAVE_GSSAPI_H)
#include <gssapi.h>
#else
#error "GSSAPI header required"
#endif
#ifdef HAVE_GSSAPI_GSSAPI_EXT_H
#include <gssapi/gssapi_ext.h>
#endif
#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
#else /*MIT*/
#ifdef HAVE_GSSAPI_GSSAPI_H
#include <gssapi/gssapi.h>
#elif defined(HAVE_GSSAPI_H)
#include <gssapi.h>
#else
#error "GSSAPI header required"
#endif
#ifdef HAVE_GSSAPI_GSSAPI_KRB5_H
#include <gssapi/gssapi_krb5.h>
#endif
#ifdef HAVE_GSSAPI_GSSAPI_GENERIC_H
#include <gssapi/gssapi_generic.h>
#endif
#endif
#endif

#include "base64.h"

#ifndef MAX_AUTHTOKEN_LEN
#define MAX_AUTHTOKEN_LEN 65535
#endif

static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};

int main(int argc, char * const argv[])
{
    char buf[MAX_AUTHTOKEN_LEN];
    char *c;
    int length = 0;
    static int err = 0;
    OM_uint32 ret_flags = 0;
    char *service_name = (char *)"HTTP";
    char *host_name = (char *)"opensuse11.suse.home";
    char *token = NULL;
    OM_uint32 major_status, minor_status;
    gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT;
    gss_name_t client_name = GSS_C_NO_NAME;
    gss_name_t server_name = GSS_C_NO_NAME;
    gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;
    gss_buffer_desc service = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
    gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);

    if (!host_name) {
        fprintf(stderr, "Local hostname could not be determined. Please specify the service principal\n");
        exit(-1);
    }

    /* Build the host-based service name "HTTP@host" for gss_import_name(). */
    service.value = malloc(strlen(service_name) + strlen(host_name) + 2);
    snprintf((char *)service.value, strlen(service_name) + strlen(host_name) + 2,
             "%s@%s", service_name, host_name);
    service.length = strlen((char *)service.value);
    fprintf(stderr, "Use service %.*s \n", (int)service.length, (char *)service.value);

    /* One base64-encoded token per line on stdin; a line starting "QQ" quits. */
    while (1) {
        if (fgets(buf, sizeof(buf) - 1, stdin) == NULL) {
            if (ferror(stdin)) {
                fprintf(stderr, "fgets() failed! dying..... errno=%d (%s)\n",
                        errno, strerror(errno));
                exit(1);    /* BIIG buffer */
            }
            exit(0);
        }
        c = memchr(buf, '\n', sizeof(buf) - 1);
        if (c) {
            *c = '\0';
            length = c - buf;
        } else {
            err = 1;
        }
        if (err) {
            fprintf(stderr, "Oversized message\n");
            err = 0;
            continue;
        }
        if (buf[0] == '\0') {
            fprintf(stderr, "Invalid request\n");
            continue;
        }
        if (!strncmp(buf, "QQ", 2)) {
            gss_release_buffer(&minor_status, &input_token);
            gss_release_buffer(&minor_status, &output_token);
            gss_delete_sec_context(&minor_status, &gss_context, &output_token);
            gss_release_buffer(&minor_status, &output_token);
            gss_context = GSS_C_NO_CONTEXT;
            gss_release_cred(&minor_status, &server_creds);
            if (server_name)
                gss_release_name(&minor_status, &server_name);
            if (client_name)
                gss_release_name(&minor_status, &client_name);
            if (token) {
                free(token);
                token = NULL;
            }
            fprintf(stderr, "Quit\n");
            exit(1);
        }

        input_token.length = base64_decode_len(buf);
        input_token.value = malloc(input_token.length);
        if (input_token.value == NULL) {
            fprintf(stderr, "Not enough memory\n");
            goto cleanup;
        }
        base64_decode(input_token.value, buf, input_token.length);

        /* An NTLMSSP blob is not a GSSAPI token; report its message type and skip it. */
        if ((input_token.length >= sizeof ntlmProtocol + 1) &&
            (!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
            fprintf(stderr, "received type %d NTLM token\n",
                    (int) *((unsigned char *)input_token.value + sizeof ntlmProtocol));
            goto cleanup;
        }

        major_status = gss_import_name(&minor_status, &service, gss_nt_service_name, &server_name);
        if (GSS_ERROR(major_status)) {
            fprintf(stderr, "gss_import_name error\n");
            goto cleanup;
        }
        major_status = gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
                                        GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds,
                                        NULL, NULL);
        if (GSS_ERROR(major_status)) {
            fprintf(stderr, "gss_acquire_cred error\n");
            goto cleanup;
        }
        major_status = gss_accept_sec_context(&minor_status, &gss_context, server_creds,
                                              &input_token, GSS_C_NO_CHANNEL_BINDINGS,
                                              &client_name, NULL, &output_token,
                                              &ret_flags, NULL, NULL);
        if (output_token.length) {
            token = malloc(base64_encode_len(output_token.length));
            if (token == NULL) {
                fprintf(stderr, "Not enough memory\n");
                goto cleanup;
            }
            base64_encode(token, (const char *)output_token.value,
                          base64_encode_len(output_token.length), output_token.length);
            if (GSS_ERROR(major_status)) {
                fprintf(stderr, "gss_accept_sec_context error\n");
                goto cleanup;
            }
            if (major_status & GSS_S_CONTINUE_NEEDED) {
                fprintf(stderr, "continuation needed\n");
                goto cleanup;
            }
            gss_release_buffer(&minor_status, &output_token);
            major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
            if (GSS_ERROR(major_status)) {
                fprintf(stderr, "gss_display_name error\n");
                goto cleanup;
            }
            /* The display name is not NUL-terminated; print exactly .length bytes. */
            fprintf(stderr, "User %.*s authenticated\n",
                    (int)output_token.length, (char *)output_token.value);
            goto cleanup;
        } else {
            if (GSS_ERROR(major_status)) {
                fprintf(stderr, "gss_accept_sec_context error\n");
                goto cleanup;
            }
            if (major_status & GSS_S_CONTINUE_NEEDED) {
                fprintf(stderr, "continuation needed\n");
                goto cleanup;
            }
            gss_release_buffer(&minor_status, &output_token);
            major_status = gss_display_name(&minor_status, client_name, &output_token, NULL);
            if (GSS_ERROR(major_status)) {
                fprintf(stderr, "gss_display_name error\n");
                goto cleanup;
            }
            fprintf(stderr, "User %.*s authenticated\n",
                    (int)output_token.length, (char *)output_token.value);
        }

cleanup:
        /* Release everything acquired for this token before reading the next one. */
        gss_release_buffer(&minor_status, &input_token);
        gss_release_buffer(&minor_status, &output_token);
        gss_delete_sec_context(&minor_status, &gss_context, &output_token);
        gss_release_buffer(&minor_status, &output_token);
        gss_context = GSS_C_NO_CONTEXT;
        gss_release_cred(&minor_status, &server_creds);
        if (server_name)
            gss_release_name(&minor_status, &server_name);
        if (client_name)
            gss_release_name(&minor_status, &client_name);
        if (token) {
            free(token);
            token = NULL;
        }
        continue;
    }
}

It works fine with MIT 1.6.3 for successful authentications, but when I get
errors in gss_accept_sec_context I get memory leaks when using spnego tokens
as input. Find attached my valgrind output for 20 runs. In the failure case
it means the first is successful and the others are replays.

I also see problems when I don't use a replay cache by using

export KRB5RCACHETYPE=none

even with no gss_accept_sec_context failure.

Thank you
Markus

From mayer at gis.net Sat Aug 22 22:05:43 2009
From: mayer at gis.net (Danny Mayer)
Date: Sat, 22 Aug 2009 22:05:43 -0400
Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
In-Reply-To: <4A8B7BB2.1080803@secure-endpoints.com>
References: <4A8B6841.3090906@ntp.isc.org> <4A8B7BB2.1080803@secure-endpoints.com>
Message-ID: <4A90A3F7.8040804@gis.net>

Jeffrey Altman wrote:
> Danny Mayer wrote:
>> I have seen something like this on my XP box and I believe it was
>> netidmgr if that is the app that sits in the system tray. After some
>> time (days) it seems to be grabbing all the messages in the message pump
>> and suddenly all of my windows go crazy, flashing windows all over the
>> screen. I have to find my DOS window and kill it off and then things
>> return to normal. I don't think this is specific to Windows 7.
>>
>> I haven't had time to follow up as I have plenty of other projects on my
>> plate.
>>
>> Danny
> Danny:
>
> I have to say this sounds extremely unlikely. If you have any
> evidence to back up this theory I would love to see it.

Unfortunately, as I said, it takes days to happen and at that point, with
*all* of my windows going wild it becomes extremely difficult to do
anything at all. I haven't seen it for a long time, but only because I
stopped running it. I don't have any clues as to what's wrong but I
suspect this is in the message pumping. Do you do anything explicit with
message pumping?

> The problem that Mr Russ is experiencing appears to be related to
> interactions with Offline Folders and OpenAFS Pioctls. I am following
> up with him to collect additional information.

Good to know.

Danny

From ghudson at MIT.EDU Mon Aug 24 13:10:42 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 24 Aug 2009 13:10:42 -0400
Subject: Memory leak or programing error
In-Reply-To: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop>
References: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop>
Message-ID: <1251133842.20047.106.camel@ray>

It looks like your test program relies on base64.h and presumably some
source file, which you didn't include?

I'm also not seeing your valgrind output in the attachment, but that is
conceivably a problem on my end. (Our mail server is known to mangle
some messages.)

From huaraz at moeller.plus.com Mon Aug 24 15:24:06 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 24 Aug 2009 20:24:06 +0100
Subject: Memory leak or programming error
In-Reply-To: <1251133842.20047.106.camel@ray>
References: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop> <1251133842.20047.106.camel@ray>
Message-ID: 

"Greg Hudson" wrote in message news:1251133842.20047.106.camel at ray...
> It looks like your test program relies on base64.h and presumably some
> source file, which you didn't include?
>
> I'm also not seeing your valgrind output in the attachment, but that is
> conceivably a problem on my end. (Our mail server is known to mangle
> some messages.)
>

OK, I'll try to inline some valgrind output. If you want to compile the test application, please let me know; I can send you the base64.h and .c files.

When I input GSSAPI tokens and all are successfully processed I get (the "still reachable" figure is fixed, e.g. the same for inputting 1 or 20 tokens, so I think it is of no concern):

==15979== LEAK SUMMARY:
==15979==    definitely lost: 0 bytes in 0 blocks.
==15979==      possibly lost: 0 bytes in 0 blocks.
==15979==    still reachable: 637 bytes in 14 blocks.
==15979==         suppressed: 0 bytes in 0 blocks.

When I input SPNEGO tokens and all are successfully processed I get:

==15993== LEAK SUMMARY:
==15993==    definitely lost: 0 bytes in 0 blocks.
==15993==      possibly lost: 0 bytes in 0 blocks.
==15993==    still reachable: 698 bytes in 19 blocks.
==15993==         suppressed: 0 bytes in 0 blocks.

Now when I input GSSAPI tokens where numbers 2, 3, 4, ..., 20 are a copy of the first (e.g. a replay) I get:

==15982== LEAK SUMMARY:
==15982==    definitely lost: 0 bytes in 0 blocks.
==15982==      possibly lost: 0 bytes in 0 blocks.
==15982==    still reachable: 637 bytes in 14 blocks.
==15982==         suppressed: 0 bytes in 0 blocks.

So far so good. But when I input SPNEGO tokens where 2, 3, 4, ..., 20 are a replay I get (which increases from 128 and 96 bytes respectively):

==15996== LEAK SUMMARY:
==15996==    definitely lost: 1,280 bytes in 20 blocks.
==15996==    indirectly lost: 960 bytes in 60 blocks.
==15996==      possibly lost: 0 bytes in 0 blocks.
==15996==    still reachable: 698 bytes in 19 blocks.

and the origin seems to be:

==15996== 2,240 (1,280 direct, 960 indirect) bytes in 20 blocks are definitely lost in loss record 10 of 10
==15996==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15996==    by 0x406B01E: create_spnego_ctx (spnego_mech.c:297)
==15996==    by 0x406C15B: spnego_gss_accept_sec_context (spnego_mech.c:941)
==15996==    by 0x404E61A: gss_accept_sec_context (g_accept_sec_context.c:196)
==15996==    by 0x8049173: main (gssapi_auth_test.c:179)

Now lastly, if I disable the replay cache (e.g. export KRB5RCACHETYPE=none) and create errors because of time skew, I get for GSSAPI tokens (increasing from 136 bytes):

==28137== LEAK SUMMARY:
==28137==    definitely lost: 1,428 bytes in 21 blocks.
==28137==      possibly lost: 0 bytes in 0 blocks.
==28137==    still reachable: 637 bytes in 14 blocks.

and the origin being:

==28137== 1,428 bytes in 21 blocks are definitely lost in loss record 5 of 5
==28137==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==28137==    by 0x40E6EC9: krb5_rc_resolve_full (rc_base.c:152)
==28137==    by 0x40E411D: krb5_get_server_rcache (srv_rcache.c:107)
==28137==    by 0x405C22E: krb5_gss_acquire_cred (acquire_cred.c:192)
==28137==    by 0x4065E1D: k5glue_acquire_cred (krb5_gss_glue.c:460)
==28137==    by 0x404ED52: gss_add_cred (g_acquire_cred.c:382)
==28137==    by 0x404F2F1: gss_acquire_cred (g_acquire_cred.c:188)
==28137==    by 0x80493BF: main (gssapi_auth_test.c:223)

For SPNEGO tokens I get (from 400 and 96 bytes respectively):

==16108== LEAK SUMMARY:
==16108==    definitely lost: 4,200 bytes in 63 blocks.
==16108==    indirectly lost: 1,008 bytes in 63 blocks.
==16108==      possibly lost: 0 bytes in 0 blocks.
==16108==    still reachable: 698 bytes in 19 blocks.

The origin seems to be:

==16108== 2,352 (1,344 direct, 1,008 indirect) bytes in 21 blocks are definitely lost in loss record 10 of 11
==16108==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16108==    by 0x406B01E: create_spnego_ctx (spnego_mech.c:297)
==16108==    by 0x406C15B: spnego_gss_accept_sec_context (spnego_mech.c:941)
==16108==    by 0x404E61A: gss_accept_sec_context (g_accept_sec_context.c:196)
==16108==    by 0x8049173: main (gssapi_auth_test.c:179)
==16108==
==16108== 2,856 bytes in 42 blocks are definitely lost in loss record 11 of 11
==16108==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==16108==    by 0x40E6EC9: krb5_rc_resolve_full (rc_base.c:152)
==16108==    by 0x40E411D: krb5_get_server_rcache (srv_rcache.c:107)
==16108==    by 0x405C22E: krb5_gss_acquire_cred (acquire_cred.c:192)
==16108==    by 0x4065E1D: k5glue_acquire_cred (krb5_gss_glue.c:460)
==16108==    by 0x404ED52: gss_add_cred (g_acquire_cred.c:382)
==16108==    by 0x404F2F1: gss_acquire_cred (g_acquire_cred.c:188)
==16108==    by 0x80490D1: main (gssapi_auth_test.c:171)

Regards,
Markus

>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From ghudson at MIT.EDU Mon Aug 24 15:53:29 2009
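The comparison Markus runs above (one token versus twenty, then watching which leak category grows and which backtrace it comes from) can be automated. The following is an added example and is not code from the thread or from MIT krb5: it parses valgrind memcheck's LEAK SUMMARY lines and loss records from two runs, reports the categories whose byte count grew with the token count, and names the first non-allocator frame of every definitely-lost record that accounts for at least one block per token. The two valgrind excerpts embedded in it are constructed for this example from the figures quoted in the report above; the regexes assume memcheck's usual output layout.

```python
"""Differential leak triage for a GSS-API acceptor test harness.

Added example, not code from the thread or from MIT krb5. Run the same
test with 1 and with N input tokens under valgrind, then compare: a
category whose byte count grows with N is a per-token leak, while a
constant "still reachable" figure is one-time allocation and can be
ignored. The valgrind excerpts are constructed from the thread's figures
(SPNEGO tokens, tokens 2..20 replaying token 1).
"""
import re

SUMMARY_RE = re.compile(
    r"^==\d+==\s+(definitely lost|indirectly lost|possibly lost|still reachable)"
    r":\s+([\d,]+) bytes in ([\d,]+) blocks")
RECORD_RE = re.compile(
    r"^==\d+==\s+([\d,]+)(?: \(([\d,]+) direct, ([\d,]+) indirect\))?"
    r" bytes in ([\d,]+) blocks are (definitely|indirectly) lost")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]+)\)")
ALLOCATORS = {"malloc", "calloc", "realloc", "strdup"}

# Constructed: one SPNEGO token, nothing lost.
RUN_1 = """\
==15993== LEAK SUMMARY:
==15993==    definitely lost: 0 bytes in 0 blocks.
==15993==      possibly lost: 0 bytes in 0 blocks.
==15993==    still reachable: 698 bytes in 19 blocks.
==15993==         suppressed: 0 bytes in 0 blocks.
"""

# Constructed: twenty tokens, tokens 2..20 replaying token 1.
RUN_20 = """\
==15996== 2,240 (1,280 direct, 960 indirect) bytes in 20 blocks are definitely lost in loss record 10 of 10
==15996==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15996==    by 0x406B01E: create_spnego_ctx (spnego_mech.c:297)
==15996==    by 0x406C15B: spnego_gss_accept_sec_context (spnego_mech.c:941)
==15996==    by 0x404E61A: gss_accept_sec_context (g_accept_sec_context.c:196)
==15996==    by 0x8049173: main (gssapi_auth_test.c:179)
==15996==
==15996== LEAK SUMMARY:
==15996==    definitely lost: 1,280 bytes in 20 blocks.
==15996==    indirectly lost: 960 bytes in 60 blocks.
==15996==      possibly lost: 0 bytes in 0 blocks.
==15996==    still reachable: 698 bytes in 19 blocks.
"""


def _num(s):
    return int(s.replace(",", ""))


def parse_summary(text):
    """Map each LEAK SUMMARY category to (bytes, blocks)."""
    out = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            out[m.group(1)] = (_num(m.group(2)), _num(m.group(3)))
    return out


def parse_records(text):
    """Return loss records with the first frame below the allocator, which
    is the 'origin' the thread points at for each leak."""
    records, cur = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            cur = {"bytes": _num(m.group(1)), "blocks": _num(m.group(4)),
                   "kind": m.group(5), "origin": None}
            records.append(cur)
            continue
        f = FRAME_RE.match(line)
        if f and cur is not None and cur["origin"] is None \
                and f.group(1) not in ALLOCATORS:
            cur["origin"] = "%s (%s)" % (f.group(1), f.group(2))
    return records


def triage(run_1, run_n, n):
    """Compare a 1-token run with an n-token run: byte growth per category,
    the categories that grew (per-token leaks), and the origins of
    definitely-lost records with at least one block per extra token."""
    s1, sn = parse_summary(run_1), parse_summary(run_n)
    growth = {}
    for cat in set(s1) | set(sn):
        growth[cat] = sn.get(cat, (0, 0))[0] - s1.get(cat, (0, 0))[0]
    per_token = sorted(cat for cat, g in growth.items() if g > 0)
    origins = [r["origin"] for r in parse_records(run_n)
               if r["kind"] == "definitely" and r["blocks"] >= n - 1]
    return {"growth": growth, "per_token": per_token, "origins": origins}


if __name__ == "__main__":
    result = triage(RUN_1, RUN_20, 20)
    for cat, g in sorted(result["growth"].items()):
        print("%-16s %+d bytes" % (cat, g))
    print("per-token leaks:", result["per_token"])
    print("origins:", result["origins"])
```

For real use, capture the two runs with `valgrind --leak-check=full --show-reachable=yes` and feed the saved logs to `triage()`; the "still reachable" growth of zero is what lets you dismiss that category the way Markus does.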
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 24 Aug 2009 15:53:29 -0400
Subject: Memory leak or programming error
In-Reply-To: 
References: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop> <1251133842.20047.106.camel@ray>
Message-ID: <1251143609.20047.114.camel@ray>

The KRB5RCACHETYPE=none leaks were fixed by Ken Raeburn in r22417, which should make it to release in 1.7.1.

A brief look at the spnego code suggests those memory leaks are still present in the trunk, possibly along with other leaks. I will work on cleaning this up; please send me (private mail is fine) the base64 files you are using.

Thanks for the investigation work you've done.

From Maurizio_Salviato at gruppopam.it Wed Aug 26 11:42:27 2009
From: Maurizio_Salviato at gruppopam.it (Maurizio_Salviato@gruppopam.it)
Date: Wed, 26 Aug 2009 17:42:27 +0200
Subject: error in make krb5-1.7
Message-ID: 

Hi. Please help me.

I'm using AIX 5.3 and during the "make" of krb5-1.7 I have the following errors:

client.c:9: warning: 'rcsid' defined but not used
/usr/bin/gcc -I../../../include -I./../../../include -I. -DKRB5_DEPRECATED=1 -g -O2 -D_THREAD_SAFE -Wall -Wcast-qual -Wcast-align -Wshadow -Wmissing-prototypes -pedantic -Wno-format-zero-length -Woverflow -Wstrict-overflow -Wmissing-format-attribute -Wmissing-prototypes -Wreturn-type -Wmissing-braces -Wparentheses -Wswitch -Wunused-function -Wunused-label -Wunused-variable -Wunused-value -Wunknown-pragmas -Wsign-compare -Werror=declaration-after-statement -Werror=variadic-macros -c rpc_test_clnt.c
/usr/bin/gcc -L../../../lib -Wl,-blibpath:/usr/local/lib::/usr/lib:/lib -g -O2 -D_THREAD_SAFE -o client client.o rpc_test_clnt.o -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads
ld: 0706-006 Cannot find or open library file: -l gssrpc
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l gssapi_krb5
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l k5crypto
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
ld:open(): A file or directory in the path name does not exist.
collect2: ld returned 255 exit status
make: 1254-004 The error code from the last command is 1.

Can anybody help me?

Best Regards.

Maurizio Salviato
Servizio Supporto Sistemi
Integrazione Sistemi & Office Automation
Gruppo PAM s.p.a.
Tel. 041-5495-226  Fax 041-5496-296
maurizio_salviato at gruppopam.it

From harris at ucdavis.edu Wed Aug 26 14:05:32 2009
From: harris at ucdavis.edu (John Harris)
Date: Wed, 26 Aug 2009 11:05:32 -0700
Subject: supported_enctypes question
Message-ID: <4A95796C.7090406@ucdavis.edu>

Greetings,

I currently have a MIT KDC where I need to use the des-cbc-crc:normal encryption type on *one* service principal. For the rest of my KDC, all principals can be aes or rc4. I'm confused as to what I need in my config and what will work.

If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf in the supported_enctypes field, I'm still able to create the des-cbc-crc:normal service principal I need. In fact, I can kinit -S for it and obtain it. My confusion lies in that I thought not having des-cbc-crc:normal in this configuration line meant the KDC wouldn't recognize or serve tickets for it.

It'd be great to not have to put this in the config line so that later principals only get the aes256 and rc4 types on them, but I'm not understanding why I'm successfully obtaining a principal with only the des encryption type without adding it to this line.

Any hints?

John Harris

From tlyu at MIT.EDU Wed Aug 26 15:05:11 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 26 Aug 2009 15:05:11 -0400
Subject: supported_enctypes question
In-Reply-To: <4A95796C.7090406@ucdavis.edu> (John Harris's message of "Wed, 26 Aug 2009 14:05:32 -0400")
References: <4A95796C.7090406@ucdavis.edu>
Message-ID: 

John Harris writes:

> Greetings,
>
> I currently have a MIT KDC where I need to use the des-cbc-crc:normal
> encryption type on *one* service principal. The rest of my KDC all
> principals can be aes or rc4. I'm confused as to what I need in my
> config and what will work.
>
> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
> in the supported_enctypes field, I'm still able to create the
> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
> for it and obtain it. My confusion lies in that I thought not having
> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
> recognize or serve tickets for it.
>
> It'd be great to not have to put this in the config line so that later
> principals only get the aes256 and rc4 types on them, but I'm not
> understanding why I'm successfully obtaining a principal with only the
> des encryption type without adding it to this line.

The "supported_enctypes" configuration variable really means "default list of enctype-salttype pairs for which the kadmin subsystem will generate keys". The name is arguably misleading; if anyone has ideas about a better name, please suggest one.

From rra at stanford.edu Wed Aug 26 15:13:00 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 26 Aug 2009 12:13:00 -0700
Subject: supported_enctypes question
In-Reply-To: (Tom Yu's message of "Wed, 26 Aug 2009 15:05:11 -0400")
References: <4A95796C.7090406@ucdavis.edu>
Message-ID: <874oru5qyr.fsf@windlord.stanford.edu>

Tom Yu writes:
> John Harris writes:

>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>> in the supported_enctypes field, I'm still able to create the
>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>> for it and obtain it. My confusion lies in that I thought not having
>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>> recognize or serve tickets for it.

>> It'd be great to not have to put this in the config line so that later
>> principals only get the aes256 and rc4 types on them, but I'm not
>> understanding why I'm successfully obtaining a principal with only the
>> des encryption type without adding it to this line.

> The "supported_enctypes" configuration variable really means "default
> list of enctype-salttype pairs for which the kadmin subsystem will
> generate keys". The name is arguably misleading; if anyone has ideas
> about a better name, please suggest one.

default_enctypes, maybe?

-- 
Russ Allbery (rra at stanford.edu)

From tlyu at MIT.EDU Wed Aug 26 15:21:18 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 26 Aug 2009 15:21:18 -0400
Subject: supported_enctypes question
In-Reply-To: <874oru5qyr.fsf@windlord.stanford.edu> (Russ Allbery's message of "Wed, 26 Aug 2009 15:13:00 -0400")
References: <4A95796C.7090406@ucdavis.edu> <874oru5qyr.fsf@windlord.stanford.edu>
Message-ID: 

Russ Allbery writes:

> Tom Yu writes:
>> John Harris writes:
>
>>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>>> in the supported_enctypes field, I'm still able to create the
>>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>>> for it and obtain it. My confusion lies in that I thought not having
>>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>>> recognize or serve tickets for it.
>
>>> It'd be great to not have to put this in the config line so that later
>>> principals only get the aes256 and rc4 types on them, but I'm not
>>> understanding why I'm successfully obtaining a principal with only the
>>> des encryption type without adding it to this line.
>
>> The "supported_enctypes" configuration variable really means "default
>> list of enctype-salttype pairs for which the kadmin subsystem will
>> generate keys". The name is arguably misleading; if anyone has ideas
>> about a better name, please suggest one.
>
> default_enctypes, maybe?

Possibly... though we do already have "default_tkt_enctypes" and "default_tgs_enctypes", which mean something completely different.

From kwc at citi.umich.edu Wed Aug 26 15:49:11 2009
From: kwc at citi.umich.edu (Kevin Coffman)
Date: Wed, 26 Aug 2009 15:49:11 -0400
Subject: supported_enctypes question
In-Reply-To: 
References: <4A95796C.7090406@ucdavis.edu> <874oru5qyr.fsf@windlord.stanford.edu>
Message-ID: <4d569c330908261249m1e9c95d0he859bf1d6d1c00e0@mail.gmail.com>

On Wed, Aug 26, 2009 at 3:21 PM, Tom Yu wrote:
> Russ Allbery writes:
>
>> Tom Yu writes:
>>> John Harris writes:
>>
>>>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>>>> in the supported_enctypes field, I'm still able to create the
>>>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>>>> for it and obtain it. My confusion lies in that I thought not having
>>>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>>>> recognize or serve tickets for it.
>>
>>>> It'd be great to not have to put this in the config line so that later
>>>> principals only get the aes256 and rc4 types on them, but I'm not
>>>> understanding why I'm successfully obtaining a principal with only the
>>>> des encryption type without adding it to this line.
>>
>>> The "supported_enctypes" configuration variable really means "default
>>> list of enctype-salttype pairs for which the kadmin subsystem will
>>> generate keys". The name is arguably misleading; if anyone has ideas
>>> about a better name, please suggest one.
>>
>> default_enctypes, maybe?
>
> Possibly... though we do already have "default_tkt_enctypes" and
> "default_tgs_enctypes", which mean something completely different.

default_ktadd_enctypes ?

From harris at ucdavis.edu Wed Aug 26 16:07:27 2009
From: harris at ucdavis.edu (John Harris)
Date: Wed, 26 Aug 2009 13:07:27 -0700
Subject: supported_enctypes question
In-Reply-To: 
References: <4A95796C.7090406@ucdavis.edu>
Message-ID: <4A9595FF.60605@ucdavis.edu>

Thanks so much Tom; that makes sense to me. I would vote for not changing it since it's been, like, you know, 20 years in the making, but if we're gonna change it, perhaps:

harris_enctypes ?

:)

Tom Yu wrote:
> John Harris writes:
>
>> Greetings,
>>
>> I currently have a MIT KDC where I need to use the des-cbc-crc:normal
>> encryption type on *one* service principal. The rest of my KDC all
>> principals can be aes or rc4. I'm confused as to what I need in my
>> config and what will work.
>>
>> If I just have aes256-cts:normal and rc4-hmac:normal listed in kdc.conf
>> in the supported_enctypes field, I'm still able to create the
>> des-cbc-crc:normal service principal I need. In fact, I can kinit -S
>> for it and obtain it. My confusion lies in that I thought not having
>> des-cbc-crc:normal in this configuration line meant the KDC wouldn't
>> recognize or serve tickets for it.
>>
>> It'd be great to not have to put this in the config line so that later
>> principals only get the aes256 and rc4 types on them, but I'm not
>> understanding why I'm successfully obtaining a principal with only the
>> des encryption type without adding it to this line.
>
> The "supported_enctypes" configuration variable really means "default
> list of enctype-salttype pairs for which the kadmin subsystem will
> generate keys". The name is arguably misleading; if anyone has ideas
> about a better name, please suggest one.

From huaraz at moeller.plus.com Wed Aug 26 19:27:23 2009
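Tom Yu's answer in this thread is that supported_enctypes only sets the default key set kadmin generates, so a principal created with an explicit `-e des-cbc-crc:normal` keeps its DES key whatever the config says, and the config cannot tell you which principals those are. The following script is an added example, not code from the thread or from MIT krb5: it reads the realm's supported_enctypes from a kdc.conf fragment, parses concatenated `getprinc` output, and flags principals that hold single-DES keys or whose key set differs from the default. The kdc.conf fragment, the three principals and their getprinc output are constructed for the example; the table of descriptive enctype names is an assumption to check against your own kadmin's output.

```python
"""Audit which principals still carry single-DES keys after narrowing
supported_enctypes.

Added example, not code from the thread or from MIT krb5. supported_enctypes
only controls which keys kadmin generates by default, so the key material
on each principal is the only record of who got a DES key. The kdc.conf
fragment and the getprinc output are constructed for this example; the
descriptive-name table is an assumption to verify against your kadmin.
"""
import re

KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal rc4-hmac:normal
    }
"""

# Constructed: output of getprinc for three principals, concatenated.
GETPRINC_OUTPUT = """\
Principal: host/legacy.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt
Principal: host/app1.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 3, ArcFour with HMAC/md5, no salt
Principal: HTTP/www.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

# Assumed mapping from the names getprinc prints to the names used in
# kdc.conf (older kadmin prints descriptive names, newer ones short
# names); extend it for the enctypes present in your KDC.
DESCRIPTIVE_TO_ENCTYPE = {
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts",
    "ArcFour with HMAC/md5": "rc4-hmac",
    "Triple DES cbc mode with HMAC/sha1": "des3-cbc-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "aes256-cts-hmac-sha1-96": "aes256-cts",
    "aes128-cts-hmac-sha1-96": "aes128-cts",
    "arcfour-hmac": "rc4-hmac",
}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def default_keygen_enctypes(kdc_conf, realm):
    """Enctypes (salt types stripped) that kadmin generates keys for by
    default: the realm's supported_enctypes list."""
    block = re.search(r"%s\s*=\s*\{(.*?)\}" % re.escape(realm), kdc_conf, re.S)
    if not block:
        raise ValueError("realm %s not found in kdc.conf" % realm)
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", block.group(1), re.M)
    if not m:
        raise ValueError("no supported_enctypes for realm %s" % realm)
    return {pair.split(":")[0] for pair in m.group(1).split()}


def parse_getprinc(text):
    """Map each principal in concatenated getprinc output to its enctypes."""
    keys, princ = {}, None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            princ = line[len("Principal: "):].strip()
            keys[princ] = set()
        elif line.startswith("Key: ") and princ is not None:
            desc = line.split(", ")[1]          # "vno N, <enctype>, <salt>"
            keys[princ].add(DESCRIPTIVE_TO_ENCTYPE.get(desc, desc))
    return keys


def audit(kdc_conf, realm, getprinc_text):
    """Per principal: weak enctypes present, enctypes beyond the default
    key-generation set, and default enctypes it lacks."""
    default = default_keygen_enctypes(kdc_conf, realm)
    findings = {}
    for princ, encs in parse_getprinc(getprinc_text).items():
        findings[princ] = {"weak": encs & WEAK_ENCTYPES,
                           "extra": encs - default,
                           "missing": default - encs}
    return findings


if __name__ == "__main__":
    for princ, f in audit(KDC_CONF, "EXAMPLE.COM", GETPRINC_OUTPUT).items():
        flags = []
        for label in ("weak", "extra", "missing"):
            if f[label]:
                flags.append("%s %s" % (label, ",".join(sorted(f[label]))))
        print("%-40s %s" % (princ, "; ".join(flags) or "ok"))
```

Feed it the concatenated output of `kadmin.local -q "getprinc PRINC"` for every name from `listprincs`. The one DES-only principal John needs can then be created without widening supported_enctypes at all, with kadmin's explicit keysalt list: `addprinc -randkey -e des-cbc-crc:normal host/legacy.example.com`, which is exactly why the audit has to look at the principals rather than the config.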
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 27 Aug 2009 00:27:23 +0100
Subject: Memory leak or programming error
In-Reply-To: <1251143609.20047.114.camel@ray>
References: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop> <1251133842.20047.106.camel@ray> <1251143609.20047.114.camel@ray>
Message-ID: 

Some more memory leaks in version 1.7.

GSSAPI input token, no error:

gssapi_auth_test-mit-1.7.val:==12881==    definitely lost: 21 bytes in 1 blocks.
gssapi_auth_test-mit-1.7.val:==12881==    still reachable: 1,081 bytes in 5 blocks.
gssapi_auth_test-mit-1.7-2.val:==12883==    definitely lost: 42 bytes in 2 blocks.
gssapi_auth_test-mit-1.7-2.val:==12883==    still reachable: 1,081 bytes in 5 blocks.

==13113== 42 bytes in 2 blocks are definitely lost in loss record 5 of 6
==13113==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13113==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13113==    by 0x421CB43: (within /lib/libc-2.9.so)
==13113==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13113==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13113==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13113==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13113==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13113==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13113==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13113==    by 0x80493CF: main (gssapi_auth_test.c:223)

SPNEGO input token, no error:

gssapi_auth_test-mit-1.7_spnego.val:==12889==    definitely lost: 21 bytes in 1 blocks.
gssapi_auth_test-mit-1.7_spnego.val:==12889==    still reachable: 1,081 bytes in 5 blocks.
gssapi_auth_test-mit-1.7_spnego-2.val:==12891==    definitely lost: 42 bytes in 2 blocks.
gssapi_auth_test-mit-1.7_spnego-2.val:==12891==    still reachable: 1,081 bytes in 5 blocks.

==13113== 42 bytes in 2 blocks are definitely lost in loss record 5 of 6
==13113==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13113==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13113==    by 0x421CB43: (within /lib/libc-2.9.so)
==13113==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13113==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13113==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13113==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13113==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13113==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13113==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13113==    by 0x80493CF: main (gssapi_auth_test.c:223)

GSSAPI input token and replay error:

gssapi_auth_test-mit-1.7-fail.val:==12900==    definitely lost: 63 bytes in 3 blocks.
gssapi_auth_test-mit-1.7-fail.val:==12900==    still reachable: 1,113 bytes in 7 blocks.
gssapi_auth_test-mit-1.7-fail-2.val:==12903==    definitely lost: 84 bytes in 4 blocks.
gssapi_auth_test-mit-1.7-fail-2.val:==12903==    still reachable: 1,113 bytes in 7 blocks.

==13135== 84 bytes in 4 blocks are definitely lost in loss record 5 of 6
==13135==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13135==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13135==    by 0x421CB43: (within /lib/libc-2.9.so)
==13135==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13135==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13135==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13135==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13135==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13135==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13135==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13135==    by 0x80493CF: main (gssapi_auth_test.c:223)

SPNEGO input token and replay error:

gssapi_auth_test-mit-1.7_spnego-fail.val:==12914==    definitely lost: 191 bytes in 5 blocks.
gssapi_auth_test-mit-1.7_spnego-fail.val:==12914==    indirectly lost: 96 bytes in 6 blocks.
gssapi_auth_test-mit-1.7_spnego-fail.val:==12914==    still reachable: 1,113 bytes in 7 blocks.
gssapi_auth_test-mit-1.7_spnego-fail-2.val:==12917==    definitely lost: 276 bytes in 7 blocks.
gssapi_auth_test-mit-1.7_spnego-fail-2.val:==12917==    indirectly lost: 144 bytes in 9 blocks.
gssapi_auth_test-mit-1.7_spnego-fail-2.val:==12917==    still reachable: 1,113 bytes in 7 blocks.

==13147== 24 bytes in 3 blocks are indirectly lost in loss record 2 of 10
==13147==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13147==    by 0x4031CFE: generic_gss_copy_oid (oid_ops.c:96)
==13147==    by 0x4050F81: spnego_gss_accept_sec_context (spnego_mech.c:2792)
==13147==    by 0x403392D: gss_accept_sec_context (g_accept_sec_context.c:196)
==13147==    by 0x8049486: main (gssapi_auth_test.c:232)
==13147==
==13147== 27 bytes in 3 blocks are indirectly lost in loss record 5 of 10
==13147==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13147==    by 0x4031D13: generic_gss_copy_oid (oid_ops.c:102)
==13147==    by 0x4050F81: spnego_gss_accept_sec_context (spnego_mech.c:2792)
==13147==    by 0x403392D: gss_accept_sec_context (g_accept_sec_context.c:196)
==13147==    by 0x8049486: main (gssapi_auth_test.c:232)
==13147==
==13147== 84 bytes in 4 blocks are definitely lost in loss record 7 of 10
==13147==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13147==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13147==    by 0x421CB43: (within /lib/libc-2.9.so)
==13147==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13147==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13147==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13147==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13147==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13147==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13147==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13147==    by 0x80493CF: main (gssapi_auth_test.c:223)
==13147==
==13147== 93 bytes in 3 blocks are indirectly lost in loss record 8 of 10
==13147==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13147==    by 0x4050C9B: spnego_gss_accept_sec_context (spnego_mech.c:2614)
==13147==    by 0x403392D: gss_accept_sec_context (g_accept_sec_context.c:196)
==13147==    by 0x8049486: main (gssapi_auth_test.c:232)
==13147==
==13147== 336 (192 direct, 144 indirect) bytes in 3 blocks are definitely lost in loss record 9 of 10
==13147==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13147==    by 0x404FB1E: create_spnego_ctx (spnego_mech.c:389)
==13147==    by 0x4050FB8: spnego_gss_accept_sec_context (spnego_mech.c:1323)
==13147==    by 0x403392D: gss_accept_sec_context (g_accept_sec_context.c:196)
==13147==    by 0x8049486: main (gssapi_auth_test.c:232)

GSSAPI input token, no error and no replay cache:

gssapi_auth_test-mit-1.7-noreplay-cache.val:==12923==    definitely lost: 57 bytes in 2 blocks.
gssapi_auth_test-mit-1.7-noreplay-cache.val:==12923==    still reachable: 1,081 bytes in 5 blocks.
gssapi_auth_test-mit-1.7-2-noreplay-cache.val:==12925==    definitely lost: 114 bytes in 4 blocks.
gssapi_auth_test-mit-1.7-2-noreplay-cache.val:==12925==    still reachable: 1,081 bytes in 5 blocks.

==13165== 42 bytes in 2 blocks are definitely lost in loss record 5 of 7
==13165==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13165==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13165==    by 0x421CB43: (within /lib/libc-2.9.so)
==13165==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13165==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13165==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13165==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13165==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13165==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13165==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13165==    by 0x80493CF: main (gssapi_auth_test.c:223)
==13165==
==13165== 72 bytes in 2 blocks are definitely lost in loss record 6 of 7
==13165==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13165==    by 0x40B1BAB: krb5_rc_resolve_full (rc_base.c:156)
==13165==    by 0x40AF9B9: krb5_get_server_rcache (srv_rcache.c:73)
==13165==    by 0x403ECE8: krb5_gss_acquire_cred (acquire_cred.c:197)
==13165==    by 0x403409E: gss_add_cred (g_acquire_cred.c:403)
==13165==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13165==    by 0x80493CF: main (gssapi_auth_test.c:223)

SPNEGO input token, no error and no replay cache:

gssapi_auth_test-mit-1.7_spnego-noreplay-cache.val:==12931==    definitely lost: 57 bytes in 2 blocks.
gssapi_auth_test-mit-1.7_spnego-noreplay-cache.val:==12931==    still reachable: 1,081 bytes in 5 blocks.
gssapi_auth_test-mit-1.7_spnego-2-noreplay-cache.val:==12933==    definitely lost: 114 bytes in 4 blocks.
gssapi_auth_test-mit-1.7_spnego-2-noreplay-cache.val:==12933==    still reachable: 1,081 bytes in 5 blocks.

==13165== 42 bytes in 2 blocks are definitely lost in loss record 5 of 7
==13165==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13165==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13165==    by 0x421CB43: (within /lib/libc-2.9.so)
==13165==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13165==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13165==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13165==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13165==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13165==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13165==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13165==    by 0x80493CF: main (gssapi_auth_test.c:223)
==13165==
==13165== 72 bytes in 2 blocks are definitely lost in loss record 6 of 7
==13165==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13165==    by 0x40B1BAB: krb5_rc_resolve_full (rc_base.c:156)
==13165==    by 0x40AF9B9: krb5_get_server_rcache (srv_rcache.c:73)
==13165==    by 0x403ECE8: krb5_gss_acquire_cred (acquire_cred.c:197)
==13165==    by 0x403409E: gss_add_cred (g_acquire_cred.c:403)
==13165==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13165==    by 0x80493CF: main (gssapi_auth_test.c:223)

GSSAPI input token, skew error and no replay cache:

gssapi_auth_test-mit-1.7-noreplay-cache-fail.val:==12969==    definitely lost: 114 bytes in 4 blocks.
gssapi_auth_test-mit-1.7-noreplay-cache-fail.val:==12969==    still reachable: 1,114 bytes in 7 blocks.
gssapi_auth_test-mit-1.7-noreplay-cache-fail-2.val:==12971==    definitely lost: 171 bytes in 6 blocks.
gssapi_auth_test-mit-1.7-noreplay-cache-fail-2.val:==12971==    still reachable: 1,114 bytes in 7 blocks.

==13235== 63 bytes in 3 blocks are definitely lost in loss record 5 of 7
==13235==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13235==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13235==    by 0x421CB43: (within /lib/libc-2.9.so)
==13235==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13235==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13235==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13235==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13235==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13235==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13235==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13235==    by 0x80493CF: main (gssapi_auth_test.c:223)
==13235==
==13235== 108 bytes in 3 blocks are definitely lost in loss record 6 of 7
==13235==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13235==    by 0x40B1BAB: krb5_rc_resolve_full (rc_base.c:156)
==13235==    by 0x40AF9B9: krb5_get_server_rcache (srv_rcache.c:73)
==13235==    by 0x403ECE8: krb5_gss_acquire_cred (acquire_cred.c:197)
==13235==    by 0x403409E: gss_add_cred (g_acquire_cred.c:403)
==13235==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13235==    by 0x80493CF: main (gssapi_auth_test.c:223)

SPNEGO input token, skew error and no replay cache:

gssapi_auth_test-mit-1.7_spnego-noreplay-cache-fail.val:==12978==    definitely lost: 114 bytes in 4 blocks.
gssapi_auth_test-mit-1.7_spnego-noreplay-cache-fail.val:==12978==    still reachable: 1,114 bytes in 7 blocks.
gssapi_auth_test-mit-1.7_spnego-noreplay-cache-fail-2.val:==12980==    definitely lost: 171 bytes in 6 blocks.
gssapi_auth_test-mit-1.7_spnego-noreplay-cache-fail-2.val:==12980==    still reachable: 1,114 bytes in 7 blocks.

==13235== 63 bytes in 3 blocks are definitely lost in loss record 5 of 7
==13235==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13235==    by 0x41D846F: strdup (in /lib/libc-2.9.so)
==13235==    by 0x421CB43: (within /lib/libc-2.9.so)
==13235==    by 0x421F40E: getaddrinfo (in /lib/libc-2.9.so)
==13235==    by 0x42C50A2: my_fake_getaddrinfo (fake-addrinfo.c:315)
==13235==    by 0x40C1FF6: krb5_sname_to_principal (sn2princ.c:112)
==13235==    by 0x40416A1: krb5_gss_import_name (import_name.c:99)
==13235==    by 0x40363AB: gssint_import_internal_name (g_glue.c:306)
==13235==    by 0x4034022: gss_add_cred (g_acquire_cred.c:383)
==13235==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13235==    by 0x80493CF: main (gssapi_auth_test.c:223)
==13235==
==13235== 108 bytes in 3 blocks are definitely lost in loss record 6 of 7
==13235==    at 0x4027DDE: malloc (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==13235==    by 0x40B1BAB: krb5_rc_resolve_full (rc_base.c:156)
==13235==    by 0x40AF9B9: krb5_get_server_rcache (srv_rcache.c:73)
==13235==    by 0x403ECE8: krb5_gss_acquire_cred (acquire_cred.c:197)
==13235==    by 0x403409E: gss_add_cred (g_acquire_cred.c:403)
==13235==    by 0x4034643: gss_acquire_cred (g_acquire_cred.c:198)
==13235==    by 0x80493CF: main (gssapi_auth_test.c:223)

Regards,
Markus

"Greg Hudson" wrote in message news:1251143609.20047.114.camel at ray...
> The KRB5RCACHETYPE=none leaks were fixed by Ken Raeburn in r22417 which
> should make it to release in 1.7.1.
>
> A brief look at the spnego code suggests those memory leaks are still
> present in the trunk, possibly along with other leaks. I will work on
> cleaning this up; please send me (private mail is fine) the base64 files
> you are using.
>
> Thanks for the investigation work you've done.
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From ghudson at MIT.EDU Thu Aug 27 12:44:46 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 27 Aug 2009 12:44:46 -0400
Subject: Memory leak or programming error
In-Reply-To: 
References: <375B84AD6FFC48A2A53BF6AAAB01ECB7@VAIOLaptop> <1251133842.20047.106.camel@ray> <1251143609.20047.114.camel@ray>
Message-ID: <1251391486.20047.245.camel@ray>

On Wed, 2009-08-26 at 19:27 -0400, Markus Moeller wrote:
> Some more memory leaks in version 1.7

I believe these are all explained by three bugs:

1. The getaddrinfo() workaround we have for old versions of Linux glibc leaks memory with newer versions of Linux glibc. This was previously reported as RT #6534. This has not been fixed yet but I hope to do so soon.

2. SPNEGO leaks memory if the underlying mechanism returns an error in accept_sec_context. I've committed a fix to the trunk and tagged it for pullup; it is RT #6551.

3. The "none" replay cache memory leak, fixed in RT #6514 and tagged for pullup.

From huaraz at moeller.plus.com Thu Aug 27 14:40:35 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 27 Aug 2009 19:40:35 +0100
Subject: MS IWA - extended protection - SSPI - channel binding
Message-ID: 

I am reading the MS article about IWA and extended protection, http://msdn.microsoft.com/en-us/library/dd639324.aspx, and wonder if this affects GSSAPI-based applications like Apache with mod_auth_kerb? Does this mean MS has added channel bindings to SSPI?

Unfortunately I don't have Windows 7 to test.

Thank you
Markus

From tlyu at MIT.EDU Thu Aug 27 15:23:26 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 27 Aug 2009 15:23:26 -0400
Subject: supported_enctypes question
In-Reply-To: <4d569c330908261249m1e9c95d0he859bf1d6d1c00e0@mail.gmail.com> (Kevin Coffman's message of "Wed, 26 Aug 2009 15:49:11 -0400")
References: <4A95796C.7090406@ucdavis.edu> <874oru5qyr.fsf@windlord.stanford.edu> <4d569c330908261249m1e9c95d0he859bf1d6d1c00e0@mail.gmail.com>
Message-ID: 

Kevin Coffman writes:

> Wed, Aug 26, 2009 at 3:21 PM, Tom Yu wrote:
>> Russ Allbery writes:

>>> default_enctypes, maybe?

>> Possibly... though we do already have "default_tkt_enctypes" and
>> "default_tgs_enctypes", which mean something completely different.

> default_ktadd_enctypes ?

It affects password changes as well. "default_kadm_enctypes" or similar might work.

How about "default_keygen_enctypes"?

From jaltman at secure-endpoints.com Thu Aug 27 15:26:39 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Thu, 27 Aug 2009 15:26:39 -0400
Subject: MS IWA - extended protection - SSPI - channel binding
In-Reply-To: 
References: 
Message-ID: <4A96DDEF.2060007@secure-endpoints.com>

Markus Moeller wrote:
> I am reading the MS article about IWA and extended protection
> http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this
> affects GSSAPI based applications like Apache with mod_auth_kerb ? Does
> this mean MS has added channel bindings to SSPI ?
>
> Unfortunately I don't have Windows 7 to test.
>
> Thank you
> Markus

You do not need Windows 7. The change was backported all the way to XP SP2, and the update was pushed as critical two weeks ago.

When activated, GSS-API over TLS will use channel bindings if the application requests extended protection.

Jeffrey Altman

From kwc at citi.umich.edu Thu Aug 27 15:45:18 2009
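To see what Jeffrey Altman's answer above means for a GSS-API acceptor such as mod_auth_kerb, here is an added example (not code from the thread, from MIT krb5 or from Microsoft) that computes the TLS channel binding a client with extended protection enabled sends, and the form in which the Kerberos mechanism carries it: the tls-server-end-point binding of RFC 5929, the "type:data" application_data form RFC 5056 specifies for GSS-API, and the 16-octet Bnd field of the RFC 4121 authenticator checksum, an MD5 over the RFC 1964 channel-bindings encoding. The certificate bytes are a constructed placeholder, empty addresses are assumed to be encoded as zero-length fields, and acceptor_check() is an illustrative policy, not MIT's or Windows' exact logic.

```python
"""What "extended protection" means on the wire for a Kerberos/GSS-API
acceptor: the TLS channel binding and where it lands in the AP-REQ.

Added example, not code from the thread, from MIT krb5 or from Microsoft.
Rules implemented: RFC 5929 tls-server-end-point (hash of the server
certificate with its signature's hash, MD5/SHA-1 upgraded to SHA-256);
RFC 5056 GSS-API application_data ("type:" prefix); RFC 1964 4.1.1.2
channel-bindings encoding (4-octet little-endian integers, length-prefixed
fields) whose MD5 is the Bnd field of the RFC 4121 checksum. The
certificate bytes and the acceptor policy are constructed for this example.
"""
import hashlib
import struct

# Constructed stand-in for a DER certificate; a real check hashes the exact
# bytes sent in the TLS Certificate message.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def tls_server_end_point(cert_der, sig_hash):
    """RFC 5929 4.1: hash the end-entity certificate with the hash of its
    signature algorithm; MD5 and SHA-1 are replaced by SHA-256."""
    h = sig_hash.lower().replace("-", "")
    if h in ("md5", "sha1"):
        h = "sha256"
    return hashlib.new(h, cert_der).digest()


def gss_application_data(cb_type, cb_data):
    """RFC 5056 GSS-API usage: channel-binding type name, a colon, then
    the binding value, all in the application_data field."""
    return cb_type.encode("ascii") + b":" + cb_data


def encode_channel_bindings(application_data, initiator_addrtype=0,
                            initiator_address=b"", acceptor_addrtype=0,
                            acceptor_address=b""):
    """RFC 1964 4.1.1.2 byte layout hashed into Bnd: each 4-octet integer
    little-endian, each variable field as its length then its octets
    (empty addresses are assumed to appear as zero-length fields)."""
    def field(b):
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<I", initiator_addrtype) + field(initiator_address)
            + struct.pack("<I", acceptor_addrtype) + field(acceptor_address)
            + field(application_data))


def bnd_field(application_data=None):
    """Bnd (16 octets): MD5 of the encoding above, or all zeros when the
    initiator supplies no channel bindings."""
    if application_data is None:
        return bytes(16)
    return hashlib.md5(encode_channel_bindings(application_data)).digest()


def acceptor_check(received_bnd, expected_app_data, allow_missing):
    """Illustrative acceptor policy (assumption): an all-zero Bnd means the
    client sent no binding and is tolerated only if allow_missing; any other
    value must equal the Bnd computed from the acceptor's own TLS channel."""
    if received_bnd == bytes(16):
        return "no-bindings" if allow_missing else "reject"
    if received_bnd == bnd_field(expected_app_data):
        return "ok"
    return "reject"


if __name__ == "__main__":
    cbt = tls_server_end_point(SAMPLE_CERT_DER, "sha1")   # SHA-1 -> SHA-256
    app = gss_application_data("tls-server-end-point", cbt)
    print("application_data prefix:", app[:21], "+ %d-byte hash" % len(cbt))
    print("Bnd:", bnd_field(app).hex())
    # A token bound to a different certificate (e.g. a TLS man-in-the-middle's)
    # does not verify against the real server's channel.
    other_cert = b"\x30\x03\x02\x01\x01"
    other = gss_application_data("tls-server-end-point",
                                 tls_server_end_point(other_cert, "sha256"))
    print("bound to this server :", acceptor_check(bnd_field(app), app, False))
    print("bound to other cert  :", acceptor_check(bnd_field(other), app, False))
    print("client sent no binding:", acceptor_check(bnd_field(None), app, True))
```

The acceptor builds `expected_app_data` from the certificate of its own TLS listener and rejects a token whose Bnd was computed over any other certificate, which is what stops a TLS man-in-the-middle from relaying the Kerberos token; whether to accept an all-zero Bnd from clients that do not send bindings is the policy knob exposed here as `allow_missing`.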
From: kwc at citi.umich.edu (Kevin Coffman)
Date: Thu, 27 Aug 2009 15:45:18 -0400
Subject: supported_enctypes question
In-Reply-To: 
References: <4A95796C.7090406@ucdavis.edu> <874oru5qyr.fsf@windlord.stanford.edu> <4d569c330908261249m1e9c95d0he859bf1d6d1c00e0@mail.gmail.com>
Message-ID: <4d569c330908271245i7595da76tc2bbda71f41be29d@mail.gmail.com>

On Thu, Aug 27, 2009 at 3:23 PM, Tom Yu wrote:
> Kevin Coffman writes:
>
>> Wed, Aug 26, 2009 at 3:21 PM, Tom Yu wrote:
>>> Russ Allbery writes:
>
>>>> default_enctypes, maybe?
>
>>> Possibly... though we do already have "default_tkt_enctypes" and
>>> "default_tgs_enctypes", which mean something completely different.
>
>> default_ktadd_enctypes ?
>
> It affects password changes as well. "default_kadm_enctypes" or
> similar might work.
> How about "default_keygen_enctypes"?

FWIW, I like it.

From lists at deksai.com Thu Aug 27 19:46:31 2009
From: lists at deksai.com (Chris)
Date: Thu, 27 Aug 2009 19:46:31 -0400
Subject: ldap principal aliases
Message-ID: <20090827234627.GA23653@chris-laptop.a2hosting.com>

Am I understanding correctly that I should be able to put several krbPrincipalNames under one dn, set the krbCanonicalName, and the KDC should return the krbCanonicalName or alias (not sure which) for any of the listed krbPrincipalNames?

This is how I am trying to use this, and it doesn't seem to be working. I can use the same queries I see going to the LDAP server manually as the KDC user, and they return the correct record, but the KDC always says it cannot find the service principal if I use an alias. I see a spot in the code that will set the principal name if it sees both krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag. From what I think I read in the docs, this is supposed to be on for service principals by default.

Any help in understanding what I'm not understanding here would be appreciated.

Chris

From ghudson at MIT.EDU Fri Aug 28 13:08:47 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Fri, 28 Aug 2009 13:08:47 -0400
Subject: ldap principal aliases
In-Reply-To: <20090827234627.GA23653@chris-laptop.a2hosting.com>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com>
Message-ID: <1251479327.20047.263.camel@ray>

On Thu, 2009-08-27 at 19:46 -0400, Chris wrote:
> This is how I am trying to use this, and it doesn't seem to be working.
> I can use the same queries I see going to the LDAP server manually as
> the KDC user, and they return the correct record, but the KDC always
> says it cannot find the service principal if I use an alias.  I see a
> spot in the code that will set the principal name if it sees both
> krbcanonicalname and the KRB5_KDB_FLAG_CANONICALIZE flag.  From what I
> think I read in the docs, this is supposed to be on for service
> principals by default.

How are you doing your test queries?  (For instance, if you're using
command line tools, what commands are you using?)

In general, the expected behavior as I understand it is:

  kinit realname                 --> tgt
  kinit aliasname                --> not-found error
  kinit -C aliasname             --> tgt for realname
  kinit user; kvno realname      --> service ticket for realname
  kinit user; kvno aliasname     --> service ticket for realname
                                     (presented as ticket for aliasname
                                     because we can't change the service
                                     name in a TGS response)

But there's always the possibility of bugs.

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Fri, 28 Aug 2009 23:07:20 +0100
Subject: msktutil problem with Windows 2008

I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
but when I run kinit -kt test.keytab HTTP/fqdn I get
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which needs
to be changed ?

Thank you
Markus

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sat, 29 Aug 2009 12:02:58 +0100
Subject: Aw: msktutil problem with Windows 2008
In-Reply-To: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local>
References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local>

Wolf-Agathon,

I did export the keytab, but I found out the Hotfix 951191 was not
installed on the 2008 DC.

Markus

----- Original Message -----
From: "Wolf-Agathon Schaly"
To: ;
Sent: Saturday, August 29, 2009 11:27 AM
Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008

> Howdy Markus
>
> Sounds to me that you're trying to use a keytab without exporting the
> key to your keytab file test.keytab
>
> am I right ?
>
> cheers
> Wolf-Agathon
>
>
> ----- Original Message ----
> From: Markus Moeller
> To: kerberos at mit.edu
> Date: 29.08.2009 00:07
> Subject: msktutil problem with Windows 2008
>
>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which
>> needs to be changed ?
>>
>> Thank you
>> Markus
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sat, 29 Aug 2009 12:47:44 +0100
Subject: msktutil problem with Windows 2008
References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local>

I was too quick.  I get it to work with host/fqdn (e.g. kinit -kt
/etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn.  I use
AES-256 CTS mode with 96-bit SHA-1 HMAC.

klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (ArcFour with HMAC/md5)
   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)

klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/centos.dom.local at DOM.LOCAL

Valid starting     Expires            Service principal
08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL at DOM.LOCAL
        renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

klist -ekt /etc/HTTP.keytab
Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (ArcFour with HMAC/md5)
   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)

kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
kinit(v5): Preauthentication failed while getting initial credentials

Markus

"Markus Moeller" wrote in message
news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
> Wolf-Agathon,
>
> I did export the keytab, but I found out the Hotfix 951191 was not
> installed on the 2008 DC.
>
> Markus
>
> ----- Original Message -----
> From: "Wolf-Agathon Schaly"
> To: ;
> Sent: Saturday, August 29, 2009 11:27 AM
> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>
>
>> Howdy Markus
>>
>> Sounds to me that you're trying to use a keytab without exporting the
>> key to your keytab file test.keytab
>>
>> am I right ?
>>
>> cheers
>> Wolf-Agathon
>>
>>
>> ----- Original Message ----
>> From: Markus Moeller
>> To: kerberos at mit.edu
>> Date: 29.08.2009 00:07
>> Subject: msktutil problem with Windows 2008
>>
>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which
>>> needs to be changed ?
>>>
>>> Thank you
>>> Markus

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sat, 29 Aug 2009 13:24:16 +0100
Subject: msktutil problem with Windows 2008
References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local>

Is it possible that Windows 2008 is mapping HTTP principals to host
principals ?

With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my
apache/squid module created an error "Decrypt integrity check failed"
and a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt
/etc/host.keytab host/fqdn works.

When I remove the AD entry which msktutil created for HTTP/fqdn and
leave the AD entry for host/fqdn I still got an answer for kvno
HTTP/fqdn.

Now I used ktutil to create a HTTP keytab

# ktutil
ktutil: addent -key -p HTTP/centos.dom.local at DOM.LOCAL -k 2 -e aes256-cts-hmac-sha1-96
Key for HTTP/centos.dom.local at DOM.LOCAL (hex): 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil: wkt /etc/HTTP.keytab
ktutil: quit

I can use the HTTP keytab with kinit and I can also use it now for
apache/squid.

It looks like when IE requests a HTTP/fqdn ticket, 2008 converts it in a
request for host/fqdn and ignores entries with a serviceprincipal set to
HTTP/fqdn.

Can anybody confirm that ?  Or what do I do wrong ?

Thank you
Markus

"Markus Moeller" wrote in message news:h7b5a5$tb0$1 at ger.gmane.org...
> I was too quick.  I get it to work with host/fqdn (e.g. kinit -kt
> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn.  I use
> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>
> klist -ekt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (ArcFour with HMAC/md5)
>    3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    3 08/29/09 20:54:49 host/centos.dom.local at DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/centos.dom.local at DOM.LOCAL
>
> Valid starting     Expires            Service principal
> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL at DOM.LOCAL
>         renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
>
> klist -ekt /etc/HTTP.keytab
> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (ArcFour with HMAC/md5)
>    2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>    2 08/29/09 21:39:35 HTTP/centos.dom.local at DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>
>
> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
> kinit(v5): Preauthentication failed while getting initial credentials
>
> Markus
>
>
> "Markus Moeller" wrote in message
> news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
>> Wolf-Agathon,
>>
>> I did export the keytab, but I found out the Hotfix 951191 was not
>> installed on the 2008 DC.
>>
>> Markus
>>
>> ----- Original Message -----
>> From: "Wolf-Agathon Schaly"
>> To: ;
>> Sent: Saturday, August 29, 2009 11:27 AM
>> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows
>> 2008
>>
>>
>>> Howdy Markus
>>>
>>> Sounds to me that you're trying to use a keytab without exporting the
>>> key to your keytab file test.keytab
>>>
>>> am I right ?
>>>
>>> cheers
>>> Wolf-Agathon
>>>
>>>
>>> ----- Original Message ----
>>> From: Markus Moeller
>>> To: kerberos at mit.edu
>>> Date: 29.08.2009 00:07
>>> Subject: msktutil problem with Windows 2008
>>>
>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>>>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which
>>>> needs to be changed ?
>>>>
>>>> Thank you
>>>> Markus

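As an added example (not code from the thread or from the krb5 project), here is a small Python reader for the MIT keytab file format that produces the same kind of listing as the klist -ekt output in the two Markus Moeller messages above, plus an audit step that groups keys per principal and flags weak enctypes such as the ArcFour entries those keytabs carry alongside the AES ones. The keytab it reads is constructed in-line with made-up keys and timestamps for host/centos.dom.local and HTTP/centos.dom.local; pointing parse_keytab() at the bytes of a real file (such as the /etc/HTTP.keytab written by ktutil above) inspects it offline in the same way.

```python
"""Offline listing and audit of an MIT krb5 keytab (file format 0x0502).

Added example for this thread; not code from the krb5 project or from
anyone on the list.  The keytab bytes are constructed in-line from
made-up keys so the script runs without a KDC or AD; a real keytab file
would be parsed by the same parse_keytab().
"""
import struct

# Enctype numbers (RFC 3962 AES, RFC 4757 RC4) with the names klist -e prints.
ENCTYPE_NAMES = {
    17: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
    18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
    23: "ArcFour with HMAC/md5",
}
KEY_LEN = {17: 16, 18: 32, 23: 16}       # raw key sizes in bytes
WEAK_ENCTYPES = {1, 3, 23}               # des-cbc-crc, des-cbc-md5, arcfour-hmac


def _counted(data):
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal, kvno, enctype, key, timestamp):
    """Serialise one keytab_entry: size, component count, realm, components,
    name type, timestamp, 8-bit vno, keyblock, then the 32-bit vno."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def parse_keytab(blob):
    """Return a list of dicts (principal, kvno, enctype, key, timestamp)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    entries, pos = [], 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        vno = vno8
        if end - pos >= 4:           # 32-bit vno is present only if room is left
            (vno,) = struct.unpack_from(">I", blob, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "key": key,
                        "timestamp": ts})
        pos = end
    return entries


def listing(entries):
    """klist -ekt style lines: kvno, principal, enctype name."""
    return [f"{e['kvno']:4d} {e['principal']} "
            f"({ENCTYPE_NAMES.get(e['enctype'], 'enctype %d' % e['enctype'])})"
            for e in entries]


def audit(entries):
    """Per-principal enctype sets plus the findings a reviewer would flag."""
    by_princ = {}
    for e in entries:
        by_princ.setdefault(e["principal"], set()).add(e["enctype"])
    findings = []
    for p, ets in by_princ.items():
        if ets & WEAK_ENCTYPES:
            findings.append(f"{p}: weak enctype(s) {sorted(ets & WEAK_ENCTYPES)} present")
        if not ets & {17, 18}:
            findings.append(f"{p}: no AES key, AES-only clients cannot use this keytab")
    return by_princ, findings


# Constructed keytab mirroring the thread's two principals (keys are made up).
HOST = "host/centos.dom.local@DOM.LOCAL"
HTTP = "HTTP/centos.dom.local@DOM.LOCAL"
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    build_entry(p, kvno, et, bytes([0xA5 + et]) * KEY_LEN[et], ts)
    for p, kvno, ts in ((HOST, 3, 1251586489), (HTTP, 2, 1251589175))
    for et in (23, 17, 18))

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    print("KVNO Principal")
    print("\n".join(listing(entries)))
    for finding in audit(entries)[1]:
        print("finding:", finding)
```

Reading the file offline only tells you which principal, kvno and enctype triples the server holds; it cannot tell whether a key is the same one the KDC has, which is what "Preauthentication failed" on kinit -kt and "Decrypt integrity check failed" on the server side both point to. Comparing the keytab's kvno with what kvno reports from the KDC is the next check after this listing.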
From: lists at deksai.com (Chris)
Date: Sat, 29 Aug 2009 11:01:19 -0400
Subject: ldap principal aliases
In-Reply-To: <1251509264.20047.273.camel@ray>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray>
Message-ID: <20090829150119.GA26450@chris-laptop.a2hosting.com>

Sorry, I just noticed that the list was dropped from the cc in the last
few replies.

On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote:
> On Fri, 2009-08-28 at 16:04 -0400, Chris wrote:
>> [root at wopr ~]# kvno host/sf9ca98.domain.com
>> host/sf9ca98.domain.com at DOMAIN.COM: kvno = 7
>> [root at wopr ~]# kvno host/ns4.domain.com
>> host/ns4.domain.com at DOMAIN.COM: Server not found in Kerberos
>> database while getting credentials
>
> I just tried a simple test like this myself and it worked for me.
>
> However, I noted that success in the latter case depends on the client
> setting KDC_OPT_CANONICALIZE in the TGS request.  The client sets this
> bit in krb5 1.6 and krb5 1.7, but not in krb5 1.5 and prior.  So if
> you're trying to get aliases to work for older versions of the client
> library, that's going to be an issue.
>

Yep, sure enough.  The version on wopr is pretty old.

Are there any known scenarios where forcing canonicalization on the KDC
would be bad?  I was thinking about just removing the check for that
flag from our KDCs, since there are quite a few servers that have the
old libraries.

Chris

From: schaly_wolf-agathon at arcor.de (Wolf-Agathon Schaly)
Date: Sat, 29 Aug 2009 12:27:25 +0200 (CEST)
Subject: Aw: msktutil problem with Windows 2008
Message-ID: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local>

Howdy Markus

Sounds to me that you're trying to use a keytab without exporting the key
to your keytab file test.keytab

am I right ?

cheers
Wolf-Agathon

----- Original Message ----
From: Markus Moeller
To: kerberos at mit.edu
Date: 29.08.2009 00:07
Subject: msktutil problem with Windows 2008

> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
> but when I run kinit -kt test.keytab HTTP/fqdn I get
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which needs
> to be changed ?
>
> Thank you
> Markus

From: ghudson at MIT.EDU (Greg Hudson)
Date: Sat, 29 Aug 2009 20:38:21 -0400
Subject: ldap principal aliases
In-Reply-To: <20090829150119.GA26450@chris-laptop.a2hosting.com>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com>
Message-ID: <1251592701.20047.294.camel@ray>

On Sat, 2009-08-29 at 11:01 -0400, Chris wrote:
> Are there any known scenarios where forcing canonicalization on the KDC
> would be bad?

I'm not aware of any--in fact, I couldn't tell you with confidence why
our KDC is checking that flag for TGS requests without consultation with
others.  However, if you have old MIT Kerberos software on server
machines (in the sense of a Kerberos application server), you may run
into another problem:

Let's say host/aliasname is an alias for host/realname.  The client
performs a TGS request for host/aliasname service tickets, and gets a
host/aliasname service ticket encrypted in the key for host/realname.
Now the client presents this ticket to the server in an AP request,
saying it wants to authenticate to host/aliasname.

* With krb5 1.7.x, krb5_rd_req will ignore the stated target of the AP
  request and look for any key in the keytab which can decode the
  presented ticket.  It will find the host/realname key and succeed.

* With krb5 1.6.x and prior, the krb5_rd_req will look specifically for
  a host/aliasname key in the keytab, and will fail if the keytab
  contains only a host/realname entry.

You can work around this problem by storing host/aliasname entries in
the server keytab, although I'm not sure how easy the logistics of that
would be.  At that point you almost might as well use separate
principals for host/realname and host/aliasname.

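To make the two krb5_rd_req behaviours above concrete, here is an added Python model (not krb5 code and not from anyone on the list) of the keytab search an application server performs when it receives an alias-named ticket. Real krb5_rd_req decrypts the ticket with each candidate key; the model stands that in with an HMAC tag over the ticket body, so "this key decrypts the ticket" becomes "this key verifies the tag". The principal names, kvno and key are constructed, and the third case shows the workaround of storing an alias entry with the same key.

```python
"""Model of an application server matching an alias-named service ticket
against its keytab: exact-name lookup (krb5 1.6 and earlier) versus
try-every-key lookup (krb5 1.7).  Added example, not krb5 code; ticket
decryption is modelled as HMAC tag verification.  All names and keys
below are constructed.
"""
import hashlib
import hmac

REALNAME = "host/realname.example.com@EXAMPLE.COM"
ALIAS = "host/aliasname.example.com@EXAMPLE.COM"
REAL_KEY = b"\x01" * 32          # constructed: the key the KDC holds for REALNAME


def issue_ticket(sname, kvno, key):
    """KDC side: the TGS names the requested (alias) sname in the ticket but
    encrypts it with the canonical principal's key, modelled as an HMAC tag."""
    body = f"sname={sname};kvno={kvno}".encode()
    return {"sname": sname, "kvno": kvno, "body": body,
            "tag": hmac.new(key, body, hashlib.sha256).digest()}


def key_opens(key, ticket):
    """Stand-in for 'decrypting the ticket with this key succeeds'."""
    expect = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expect, ticket["tag"])


def rd_req_exact(keytab, ticket):
    """Pre-1.7 style: look only for the key named by the ticket's sname.
    Returns the principal whose key opened the ticket, or None."""
    for princ, kvno, key in keytab:
        if princ == ticket["sname"] and kvno == ticket["kvno"]:
            return princ if key_opens(key, ticket) else None
    return None


def rd_req_any(keytab, ticket):
    """1.7 style with the server name left unspecified: try every keytab key
    of the right kvno and accept the ticket if any of them opens it."""
    for princ, kvno, key in keytab:
        if kvno == ticket["kvno"] and key_opens(key, ticket):
            return princ
    return None


def demo():
    """The three situations from the message above, as a dict of outcomes."""
    keytab = [(REALNAME, 7, REAL_KEY)]          # only the canonical entry
    ticket = issue_ticket(ALIAS, 7, REAL_KEY)   # alias ticket, real key
    results = {
        "exact_realname_only": rd_req_exact(keytab, ticket),   # fails
        "any_realname_only": rd_req_any(keytab, ticket),       # REALNAME key works
    }
    # Workaround from the thread: store an alias entry carrying the same key.
    keytab_with_alias = keytab + [(ALIAS, 7, REAL_KEY)]
    results["exact_alias_added"] = rd_req_exact(keytab_with_alias, ticket)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted via ' + outcome if outcome else 'rejected'}")
```

The any-key search only widens which keytab entry is consulted; a ticket whose tag (in reality, whose encryption) does not match any held key is still rejected, which is what keeps the 1.7 behaviour from accepting tickets for principals the server does not actually hold keys for.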
From: lukeh at padl.com (Luke Howard)
Date: Sun, 30 Aug 2009 09:18:23 +0200
Subject: ldap principal aliases
In-Reply-To: <1251592701.20047.294.camel@ray>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com> <1251592701.20047.294.camel@ray>
Message-ID: <0FE8A6BC-148A-4558-9725-255A654BC594@padl.com>

On 30/08/2009, at 2:38 AM, Greg Hudson wrote:
> On Sat, 2009-08-29 at 11:01 -0400, Chris wrote:
>> Are there any known scenarios where forcing canonicalization on the
>> KDC would be bad?
>
> I'm not aware of any--in fact, I couldn't tell you with confidence why
> our KDC is checking that flag for TGS requests without consultation
> with others.  However, if you have old MIT Kerberos software on server
> machines (in the sense of a Kerberos application server), you may run
> into another problem:

In the TGS, the canonicalize flag is used only for determining whether
to return referrals; in a normal service principal request, it has no
bearing on the returned service name.  The behaviour for the AS is
slightly different in respect of service names, in order to handle some
Windows interoperability issues.  In respect of client names, the
canonicalize flag permits a different client name to be returned.

-- Luke

From: lukeh at padl.com (Luke Howard)
Date: Sun, 30 Aug 2009 09:21:22 +0200
Subject: ldap principal aliases
In-Reply-To: <20090829150119.GA26450@chris-laptop.a2hosting.com>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com>
Message-ID: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>

> Yep, sure enough.  The version on wopr is pretty old.
>
> Are there any known scenarios where forcing canonicalization on the
> KDC would be bad?  I was thinking about just removing the check for
> that flag from our KDCs, since there are quite a few servers that have
> the old libraries.

This will create problems in the AS path, because the client library
won't expect a different principal name.  In the TGS path, I think Greg
is right (but if you're going to disable the check, I'd do it in
libkdb_ldap rather than the KDC).

-- Luke

From: lukeh at padl.com (Luke Howard)
Date: Sun, 30 Aug 2009 10:14:40 +0200
Subject: ldap principal aliases
In-Reply-To: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com> <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
Message-ID: <8A1ED1FA-7E96-4172-882C-FE8C18D25192@padl.com>

> This will create problems in the AS path, because the client library
> won't expect a different principal name.  In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).

In the TGS path, it's fine for a backend to always return aliases
regardless of the setting of the canonicalize flag (after all, they are
indistinguishable to the service from genuine principals).  IIRC the
DSfW backend does this.

-- Luke

From: lukeh at padl.com (Luke Howard)
Date: Sun, 30 Aug 2009 10:19:19 +0200
Subject: ldap principal aliases
In-Reply-To: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com> <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
Message-ID: <63688255-E3AF-4473-822C-B34C6F2878B2@padl.com>

On 30/08/2009, at 9:21 AM, Luke Howard wrote:
>> Yep, sure enough.  The version on wopr is pretty old.
>>
>> Are there any known scenarios where forcing canonicalization on the
>> KDC would be bad?  I was thinking about just removing the check for
>> that flag from our KDCs, since there are quite a few servers that have
>> the old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name.  In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).

So, you could try the following untested patch:

Index: ldap_principal2.c
===================================================================
--- ldap_principal2.c   (revision 22548)
+++ ldap_principal2.c   (working copy)
@@ -160,7 +160,8 @@
     if ((values=ldap_get_values(ld, ent, "krbcanonicalname")) != NULL) {
         if (values[0] && strcmp(values[0], user) != 0) {
             /* We matched an alias, not the canonical name. */
-            if (flags & KRB5_KDB_FLAG_CANONICALIZE) {
+            if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0 ||
+                (flags & KRB5_KDB_FLAG_CANONICALIZE)) {
                 st = krb5_ldap_parse_principal_name(values[0], &cname);
                 if (st != 0)
                     goto cleanup;

This always canonicalizes server names (when
KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is unset).  For client names, it
continues to depend on the setting of KRB5_KDB_FLAG_CANONICALIZE.

-- Luke

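Review bot: the new condition encodes a policy the surrounding comment no longer describes: with `if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0 ||` server-name lookups are canonicalized unconditionally while client-name lookups stay gated on KRB5_KDB_FLAG_CANONICALIZE, so the comment `/* We matched an alias, not the canonical name. */` should be extended to say so and why (to a service an alias is indistinguishable from a genuine principal, whereas an AS client does not expect a different client name back). It is also worth recording in the commit message that, because clients too old to set KDC_OPT_CANONICALIZE will now receive alias-named service tickets, the pre-1.7 krb5_rd_req keytab caveat raised earlier in this thread applies to those deployments.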
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 31 Aug 2009 09:48:05 -0500
Subject: msktutil problem with Windows 2008
Message-ID: <4A9BE2A5.2010002@anl.gov>

Markus Moeller wrote:
> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
> but when I run kinit -kt test.keytab HTTP/fqdn I get
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which needs
> to be changed ?

I think AD will search for the UPN of HTTP/fqdn when a TGT is requested
by kinit.

Do you have any output from msktutil, or any dump of the AD entry?  The
UPN and SPNs would be helpful.

It could be that the UPN of the account is host/fqdn at realm, with SPNs
of host/fqdn and HTTP/fqdn.  When you ran msktutil what options did you
use?

Is the UPN HTTP/fqdn at realm?
Did you use the --upn HTTP/fqdn option?

Since AD will let an account have one UPN, with multiple SPNs deriving
the keys from the same password, msktutil will assume multiple
principals in a keytab are for the same account.

We always have one principal per account with separate keytabs, and use
the --upn service/fqdn option too.

>
> Thank you
> Markus

--

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 31 Aug 2009 21:16:46 +0100
Subject: msktutil problem with Windows 2008

Hi Douglas,

I am not sure if you saw my follow up entries.  The msktutil command I
used is

msktutil -c -b "CN=COMPUTERS" -s HTTP/ -h -k /etc/HTTP.keytab --computer-name squid-HTTP --upn HTTP/ --server --verbose --enctypes 28

As far as I recall the upn is required for AS requests (e.g. to use
kinit) and the spn is used for TGS (e.g. when you use kvno).

I used it as you described for 2003 for a long time too, but now facing
2008 I noticed this difference (e.g. if AD has two entries: one for
host/fqdn - with upn and spn - and one for HTTP/fqdn - with upn and spn -
and a client requests a HTTP/fqdn TGS or AS, the key for host/fqdn is
used).

Regards
Markus

"Douglas E. Engert" wrote in message
news:mailman.43.1251730131.12456.kerberos at mit.edu...
>
>
>
>
> Markus Moeller wrote:
>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows
>> 2008, but when I run kinit -kt test.keytab HTTP/fqdn I get
>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  Is there a setting in 2008 which
>> needs to be changed ?
>
> I think AD will search for the UPN of HTTP/fqdn when a TGT is requested
> by kinit.
>
> Do you have any output from msktutil, or any dump of the
> AD entry?  The UPN and SPNs would be helpful.
>
> It could be that the UPN of the account is host/fqdn at realm,
> with SPNs of host/fqdn and HTTP/fqdn.  When you ran
> msktutil what options did you use?
>
> Is the UPN HTTP/fqdn at realm?
> Did you use the --upn HTTP/fqdn option?
>
> Since AD will let an account have one UPN, with multiple SPNs
> deriving the keys from the same password, msktutil will assume
> multiple principals in a keytab are for the same account.
>
> We always have one principal per account with separate keytabs,
> and use the --upn service/fqdn option too.
>
>>
>> Thank you
>> Markus
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444