From omair at omairsajid.com Tue Feb 3 10:50:54 2009
From: omair at omairsajid.com (Omair Sajid)
Date: Tue, 3 Feb 2009 20:50:54 +0500
Subject: Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230
Message-ID: <54680ff20902030750o73e1ab52i92389c56e27216c4@mail.gmail.com>

I have been trying to set up a Kerberos client on a Red Hat machine with Apache mod_auth_kerb. I have tested the Kerberos client configuration using kinit, klist etc. and it's working; the Linux machine is getting tickets. But the problem is that when I try to access the resource page from Windows (a domain machine) using Internet Explorer I get the following error:

"gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230)"

Can somebody please help?

From omair at omairsajid.com Tue Feb 3 11:15:39 2009
From: omair at omairsajid.com (Omair Sajid)
Date: Tue, 3 Feb 2009 21:15:39 +0500
Subject: Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230
In-Reply-To: <54680ff20902030750o73e1ab52i92389c56e27216c4@mail.gmail.com>
References: <54680ff20902030750o73e1ab52i92389c56e27216c4@mail.gmail.com>
Message-ID: <54680ff20902030815g2b63a057jf68b8e79595a53f6@mail.gmail.com>

Detailed error message from the Apache error log; we are on Red Hat Enterprise 5:

[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): [client *.*.*.*] Acquiring creds for HTTP@*.*.*.*
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): [client *.*.*.*] Verifying client data using KRB5 GSS-API
[Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
[Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230)

From raeburn at MIT.EDU Tue Feb 3 11:29:35 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 3 Feb 2009 11:29:35 -0500
Subject: Help: gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information (Unknown code krb5 230
In-Reply-To: <54680ff20902030815g2b63a057jf68b8e79595a53f6@mail.gmail.com>
References: <54680ff20902030750o73e1ab52i92389c56e27216c4@mail.gmail.com> <54680ff20902030815g2b63a057jf68b8e79595a53f6@mail.gmail.com>
Message-ID: <269894C2-952F-4D28-A906-5E0A52C1B52E@mit.edu>

On Feb 3, 2009, at 11:15, Omair Sajid wrote:
> Detailed error message from the Apache error log; we are on Red Hat Enterprise 5:
>
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1432): [client *.*.*.*] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1147): [client *.*.*.*] Acquiring creds for HTTP@*.*.*.*
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1266): [client *.*.*.*] Verifying client data using KRB5 GSS-API
> [Tue Feb 03 10:41:21 2009] [debug] src/mod_auth_kerb.c(1282): [client *.*.*.*] Verification returned code 851968
> [Tue Feb 03 10:41:21 2009] [error] [client *.*.*.*] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230)

There may be some problem with initialization causing the error strings not to be accessible. Error 230 in the krb5 table is KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect". How did you set up the keytab file on the server? And, is the KDC for this realm an MIT KDC or Windows AD? (If it's AD, I'm not familiar with the proper procedure for setting up a keytab for an application server running MIT code, but I'm sure others on this list are.)

Note that in the MIT code, the kadmin option for generating a keytab changes the key in the process, so if you ran it more than once (maybe on different machines?), then only the last one generated is going to be useful.

Also, check in case the client showing the problem has old credentials for the service cached using an earlier key version number and maybe the server only has a newer key; logging out and back in on the Windows box should avoid that problem.

Ken

From omair at omairsajid.com Tue Feb 3 12:51:30 2009
From: omair at omairsajid.com (Omair Sajid)
Date: Tue, 3 Feb 2009 22:51:30 +0500
Subject: Help: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230
In-Reply-To: <269894C2-952F-4D28-A906-5E0A52C1B52E@mit.edu>
References: <54680ff20902030750o73e1ab52i92389c56e27216c4@mail.gmail.com> <54680ff20902030815g2b63a057jf68b8e79595a53f6@mail.gmail.com> <269894C2-952F-4D28-A906-5E0A52C1B52E@mit.edu>
Message-ID: <54680ff20902030951w7997e8adkdf7da2c5d68b1437@mail.gmail.com>

Hi Ken,

I have asked the domain admin to give me details on how the key was generated; I will let you know once I have the full details. Also, can you point me to the krb5 error table from which you got the mapping for error 230? Because when I google it I get something different.

Also, if there is some problem with the keytab file then I assume that kinit using this keytab should not work. If I do

kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

then it works fine. I only get the error when going through Apache. Also, kinit user@*.* works fine on the Red Hat machine.
I am new at this, so please let me know if I am asking stupid questions or am missing something basic :)

From slaindevil at kabelmail.de Tue Feb 3 14:28:05 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Tue, 03 Feb 2009 14:28:05
Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb
Message-ID: <100407D902030D1C0599@kabelmail.de>

Hey guys,

I am close to despairing :(

Maybe someone has time and would like to help me? :)

I am trying to set up Kerberos to authenticate a TWiki running on Unix against a Windows Server 2003 Active Directory...

I configured the krb5.conf like this:

[logging]
...

[libdefaults]
 default_realm = SRV.TEST.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24000
 forwardable = yes

[realms]
 SRV.TEST.LAN = {
  kdc = location.srv.test.lan:88
  admin_server = location.srv.test.lan:749
  default_domain = SRV.TEST.LAN
 }

[domain_realm]
 .test.lan = SRV.TEST.LAN
 test.lan = SRV.TEST.LAN

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 24000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

When I use "kinit" everything works fine. With every valid login I get a ticket...

Then I created the keytab file, set with a valid user and password for the service: HTTP/wiki.test.lan:8080@SRV.TEST.LAN

http://wiki.test.lan:8080/bin is the URL I type into the browser...

When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080 everything works fine... I get a ticket...

Now I want to set up the TWiki to use Kerberos to authenticate with...
The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is as follows:

 Order Deny,Allow
 Allow from all

 AuthType Kerberos
 KrbAuthRealms SRV.TEST.LAN
 KrbServiceName HTTP
 Krb5Keytab /etc/http.keytab
 KrbMethodNegotiate on
 KrbMethodK5Passwd on
 Require valid-user

When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts... I enter a valid login, but the box stays...

In the log it says:
failed to verify krb5 credentials: Server not found in Kerberos database

What is wrong? Can someone help me?! :(

Greets,

From matthieu.hautreux at gmail.com Tue Feb 3 14:48:07 2009
From: matthieu.hautreux at gmail.com (matthieu)
Date: Tue, 3 Feb 2009 11:48:07 -0800 (PST)
Subject: How to disable replay cache in a kerberized client-server app ?
Message-ID: <257842c2-a788-4908-906e-ac30ffd78aa9@r37g2000prr.googlegroups.com>

Hi,

I'm currently writing a kerberized daemon and would like to disable the replay cache. I'm using krb5-1.6.1 (RedHat 5.2).

I did not find any relevant function in the API. I finally found the krb5_rc_resolve_full function in the krb5 source code and use it for now with a replay cache file name like "none:nofile". It works quite well. I just have to free the returned krb5_rcache structure manually to prevent a memory leak.

Is there another way to do that? The reason why I have to do this is that I need to write a scalable daemon, and the replay cache mechanism creates huge contention in my multithreaded application. I first searched for a way to use a different replay cache file per thread but didn't find a way to do it either.

I also have another question. Is it possible to get an addressless TGT using a non-addressless one? A kind of forward that gives you back an addressless ticket?

Thank you for your help.

Regards,
Matthieu

From raeburn at MIT.EDU Tue Feb 3 16:16:55 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 3 Feb 2009 16:16:55 -0500
Subject: How to disable replay cache in a kerberized client-server app ?
In-Reply-To: <257842c2-a788-4908-906e-ac30ffd78aa9@r37g2000prr.googlegroups.com>
References: <257842c2-a788-4908-906e-ac30ffd78aa9@r37g2000prr.googlegroups.com>
Message-ID: <541795F9-E202-4E66-91AA-C598FD15D320@mit.edu>

On Feb 3, 2009, at 14:48, matthieu wrote:
> I'm currently writing a kerberized daemon and would like to disable the replay cache. I'm using krb5-1.6.1 (RedHat 5.2).
>
> I did not find any relevant function in the API. I finally found the krb5_rc_resolve_full function in the krb5 source code and use it for now with a replay cache file name like "none:nofile". It works quite well. I just have to free the returned krb5_rcache structure manually to prevent a memory leak.

There's an environment variable you can set -- three, actually, though you only need one here. The library looks for KRB5RCACHETYPE, KRB5RCACHENAME, and KRB5RCACHEDIR. If you set KRB5RCACHETYPE to "none" it should disable the cache.

Unfortunately, as you've noticed, the public API doesn't have good hooks for managing this. I recall writing up some notes once about how we might specify replay caches per service via the config file -- so multiple services using the same key could be told to use the same non-default cache without hacking the code or environment for each one in sync -- but after poking around with google a little I can't find a public record of it. If you're interested in writing some code to do something like this, let me know. :-)

> Is there another way to do that? The reason why I have to do this is that I need to write a scalable daemon, and the replay cache mechanism creates huge contention in my multithreaded application. I first searched for a way to use a different replay cache file per thread but didn't find a way to do it either.

The problem is, all threads really should be looking at the same data; sending replay attacks and having them pass undetected because they were processed by different threads would be poor. Of course, it's probably still better from a security perspective than completely disabling the replay cache....

> I also have another question. Is it possible to get an addressless TGT using a non-addressless one? A kind of forward that gives you back an addressless ticket?

Yes, it should be, I think. We don't have any separate programs for just doing the forwarding and dumping the new TGT into a credentials cache or anything like that; it tends to be built into programs that actually send the new credentials.

Ken

From peter.djalaliev at gmail.com Tue Feb 3 16:24:53 2009
From: peter.djalaliev at gmail.com (Peter Djalaliev)
Date: Tue, 3 Feb 2009 13:24:53 -0800 (PST)
Subject: are referrals implemented in the MIT Kerberos KDC?
Message-ID: <68b94e6a-cf4d-417a-a141-4797975b94b5@v39g2000pro.googlegroups.com>

Hello,

I saw some messages on this mailing list from 2005 and last year on this topic, but I wanted to check what the current status of this is. Does the MIT Kerberos KDC currently implement client or server referrals, as per Internet draft http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-11 ?

I can see that the MIT Kerberos client-side library implements referrals (at least server referrals) by setting the "canonicalize" bit in KDC requests. However, I can't see any code in the Kerberos KDC source code that checks this bit and canonicalizes the name.

I am using the MIT Kerberos 1.6.3 release. The release notes say "Partial client implementation to handle server name referrals".

Can you please shed a little light on this or point me to something that explains this?

Thank you.
Best Regards, Peter Djalaliev From paul.moore at centrify.com Tue Feb 3 16:39:39 2009 From: paul.moore at centrify.com (Paul Moore) Date: Tue, 3 Feb 2009 13:39:39 -0800 Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb In-Reply-To: <100407D902030D1C0599@kabelmail.de> References: <100407D902030D1C0599@kabelmail.de> Message-ID: is there an AD account with that SPN? HTTP/wiki.test.lan:8080 at SRV.TEST.LAN -----Original Message----- From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of slaindevil at kabelmail.de Sent: Tuesday, February 03, 2009 6:28 AM To: kerberos at mit.edu Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb Hey guys, I am short before dispairing :( Maybe someone has time and likes to help me? :) I am trying to set up kerberos to authenticate a TWiki running on Unix against an Windows Server 2003 Active Directory... I configured the krb5.conf like this: [logging] ... [libdefaults] default_realm = SRV.TEST.LAN dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24000 forwardable = yes [realms] SRV.TEST.LAN = { kdc = location.srv.test.lan:88 admin_server = location.srv.test.lan:749 default_domain = SRV.TEST.LAN } [domain_realm] .test.lan = SRV.TEST.LAN test.lan = SRV.TEST.LAN [appdefaults] pam = { debug = false ticket_lifetime = 24000 renew_lifetime = 36000 forwardable = true krb4_convert = false } When I use "kinit" everything works fine. With every valid login I get a ticket... Then I created the keytab file, set with a valid user and password for the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN http://wiki.test.lan:8080/bin is the url I type into the browser... When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080 everything works fine... I get a ticket... Now I wanna setup the twiki to use kerberos to authenticate with... 
The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is like following: Order Deny,Allow Allow from all AuthType Kerberos KrbAuthRealms SRV.TEST.LAN KrbServiceName HTTP Krb5Keytab /etc/http.keytab KrbMethodNegotiate on KrbMethodK5Passwd on Require valid-user When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts... I enter a valid login, but the box stays... In the log it says: failed to verify krb5 credentials: Server not found in Kerberos database What is wrong? Can someone help me?! :( Greets, ________________________________________________ Kerberos mailing list Kerberos at mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos From deengert at anl.gov Tue Feb 3 17:12:53 2009 From: deengert at anl.gov (Douglas E. Engert) Date: Tue, 03 Feb 2009 16:12:53 -0600 Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb In-Reply-To: References: <100407D902030D1C0599@kabelmail.de> Message-ID: <4988C165.5000006@anl.gov> Paul Moore wrote: > is there an AD account with that SPN? > HTTP/wiki.test.lan:8080 at SRV.TEST.LAN The port number :8080 is usually not part of the principal name. So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN > > -----Original Message----- > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On > Behalf Of slaindevil at kabelmail.de > Sent: Tuesday, February 03, 2009 6:28 AM > To: kerberos at mit.edu > Subject: Prob: failed to verify krb5 credentials: Server not found in > Kerb > > Hey guys, > > I am short before dispairing :( > > Maybe someone has time and likes to help me? :) > > I am trying to set up kerberos to authenticate a > TWiki running on Unix against an Windows Server 2003 Active Directory... > > I configured the krb5.conf like this: > > [logging] > ... 
> > [libdefaults] > default_realm = SRV.TEST.LAN > dns_lookup_realm = false > dns_lookup_kdc = false > ticket_lifetime = 24000 > forwardable = yes > > [realms] > SRV.TEST.LAN = { > kdc = location.srv.test.lan:88 > admin_server = location.srv.test.lan:749 > default_domain = SRV.TEST.LAN > } > > [domain_realm] > .test.lan = SRV.TEST.LAN > test.lan = SRV.TEST.LAN > > [appdefaults] > pam = { > debug = false > ticket_lifetime = 24000 > renew_lifetime = 36000 > forwardable = true > krb4_convert = false > } > > When I use "kinit" everything works fine. With every valid login I get a > ticket... > > > Then I created the keytab file, set with a valid user and password for > the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN Leave off the :8080 > > http://wiki.test.lan:8080/bin is the url I type into the browser... > > When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080 > everything works fine... I get a ticket... > > Now I wanna setup the twiki to use kerberos to authenticate with... > The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is > like following: > Order Deny,Allow > Allow from all > > AuthType Kerberos > KrbAuthRealms SRV.TEST.LAN > KrbServiceName HTTP > Krb5Keytab /etc/http.keytab > KrbMethodNegotiate on > KrbMethodK5Passwd on > Require valid-user > > When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts... > I enter a valid login, but the box stays... > > In the log it says: > failed to verify krb5 credentials: Server not found in Kerberos database > > What is wrong? Can someone help me?! :( > > Greets, > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. 
Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From paul.moore at centrify.com Tue Feb 3 17:14:02 2009 From: paul.moore at centrify.com (Paul Moore) Date: Tue, 3 Feb 2009 14:14:02 -0800 Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb In-Reply-To: <4988C165.5000006@anl.gov> References: <100407D902030D1C0599@kabelmail.de> <4988C165.5000006@anl.gov> Message-ID: for sure the port number should not be in the SPN. I didnt even notice that. I was wondering if there is any principal at all -----Original Message----- From: Douglas E. Engert [mailto:deengert at anl.gov] Sent: Tuesday, February 03, 2009 2:13 PM To: Paul Moore Cc: slaindevil at kabelmail.de; kerberos at mit.edu Subject: Re: Prob: failed to verify krb5 credentials: Server not found in Kerb Paul Moore wrote: > is there an AD account with that SPN? > HTTP/wiki.test.lan:8080 at SRV.TEST.LAN The port number :8080 is usually not part of the principal name. So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN > > -----Original Message----- > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On > Behalf Of slaindevil at kabelmail.de > Sent: Tuesday, February 03, 2009 6:28 AM > To: kerberos at mit.edu > Subject: Prob: failed to verify krb5 credentials: Server not found in > Kerb > > Hey guys, > > I am short before dispairing :( > > Maybe someone has time and likes to help me? :) > > I am trying to set up kerberos to authenticate a > TWiki running on Unix against an Windows Server 2003 Active Directory... > > I configured the krb5.conf like this: > > [logging] > ... 
> > [libdefaults] > default_realm = SRV.TEST.LAN > dns_lookup_realm = false > dns_lookup_kdc = false > ticket_lifetime = 24000 > forwardable = yes > > [realms] > SRV.TEST.LAN = { > kdc = location.srv.test.lan:88 > admin_server = location.srv.test.lan:749 > default_domain = SRV.TEST.LAN > } > > [domain_realm] > .test.lan = SRV.TEST.LAN > test.lan = SRV.TEST.LAN > > [appdefaults] > pam = { > debug = false > ticket_lifetime = 24000 > renew_lifetime = 36000 > forwardable = true > krb4_convert = false > } > > When I use "kinit" everything works fine. With every valid login I get a > ticket... > > > Then I created the keytab file, set with a valid user and password for > the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN Leave off the :8080 > > http://wiki.test.lan:8080/bin is the url I type into the browser... > > When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080 > everything works fine... I get a ticket... > > Now I wanna setup the twiki to use kerberos to authenticate with... > The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is > like following: > Order Deny,Allow > Allow from all > > AuthType Kerberos > KrbAuthRealms SRV.TEST.LAN > KrbServiceName HTTP > Krb5Keytab /etc/http.keytab > KrbMethodNegotiate on > KrbMethodK5Passwd on > Require valid-user > > When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts... > I enter a valid login, but the box stays... > > In the log it says: > failed to verify krb5 credentials: Server not found in Kerberos database > > What is wrong? Can someone help me?! :( > > Greets, > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. 
Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From paul.moore at centrify.com Tue Feb 3 17:46:44 2009 From: paul.moore at centrify.com (Paul Moore) Date: Tue, 3 Feb 2009 14:46:44 -0800 Subject: Prob: failed to verify krb5 credentials: Server not found in=20 In-Reply-To: <0B0407D90203162A11269@kabelmail.de> References: <0B0407D90203162A11269@kabelmail.de> Message-ID: there needs to be a principal (user or computer) in AD with a Service Principal Name equal to http/wiki.test.len this gets created for a windows machine when the machine joins you seem to be doing this by hand. So you must use setspn (addspn? I forget) to add an SPN to the user or machine account for which you have created the keytab. Or adsiedit will do it shameless commercial plug: you could always use a commercial solution such as Centrify DirectControl , it will do the right thing automatically for you -----Original Message----- From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de] Sent: Tuesday, February 03, 2009 3:42 PM To: Paul Moore; deengert at anl.gov Cc: kerberos at mit.edu Subject: Re: Prob: failed to verify krb5 credentials: Server not found in=20 First of all, thanks for your answers and interest. I already tried it without the port, because I realized, short after I sent my first mail, that the port is really not part of the name. So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN. Kinit still works, but the "Server not in kerberos database" problem still remains. @Paul Moore: What do you mean, with "an AD account with that SPN"? Could you be just a little more specific? Its late over here in germany ;) I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan at SRV.TEST.LAN BTW: Is there a way, to find out, what adress the server is looking for? Greets, ----- Original Message ----- From: "Paul Moore" To: "Douglas E. 
Engert" Cc: ; Sent: Tuesday, February 03, 2009 11:14 PM Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb for sure the port number should not be in the SPN. I didnt even notice that. I was wondering if there is any principal at all -----Original Message----- From: Douglas E. Engert [mailto:deengert at anl.gov] Sent: Tuesday, February 03, 2009 2:13 PM To: Paul Moore Cc: slaindevil at kabelmail.de; kerberos at mit.edu Subject: Re: Prob: failed to verify krb5 credentials: Server not found in Kerb Paul Moore wrote: > is there an AD account with that SPN? > HTTP/wiki.test.lan:8080 at SRV.TEST.LAN The port number :8080 is usually not part of the principal name. So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN > > -----Original Message----- > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On > Behalf Of slaindevil at kabelmail.de > Sent: Tuesday, February 03, 2009 6:28 AM > To: kerberos at mit.edu > Subject: Prob: failed to verify krb5 credentials: Server not found in > Kerb > > Hey guys, > > I am short before dispairing :( > > Maybe someone has time and likes to help me? :) > > I am trying to set up kerberos to authenticate a > TWiki running on Unix against an Windows Server 2003 Active Directory... > > I configured the krb5.conf like this: > > [logging] > ... > > [libdefaults] > default_realm = SRV.TEST.LAN > dns_lookup_realm = false > dns_lookup_kdc = false > ticket_lifetime = 24000 > forwardable = yes > > [realms] > SRV.TEST.LAN = { > kdc = location.srv.test.lan:88 > admin_server = location.srv.test.lan:749 > default_domain = SRV.TEST.LAN > } > > [domain_realm] > .test.lan = SRV.TEST.LAN > test.lan = SRV.TEST.LAN > > [appdefaults] > pam = { > debug = false > ticket_lifetime = 24000 > renew_lifetime = 36000 > forwardable = true > krb4_convert = false > } > > When I use "kinit" everything works fine. With every valid login I get a > ticket... 
> > > Then I created the keytab file, set with a valid user and password for > the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN Leave off the :8080 > > http://wiki.test.lan:8080/bin is the url I type into the browser... > > When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080 > everything works fine... I get a ticket... > > Now I wanna setup the twiki to use kerberos to authenticate with... > The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is > like following: > Order Deny,Allow > Allow from all > > AuthType Kerberos > KrbAuthRealms SRV.TEST.LAN > KrbServiceName HTTP > Krb5Keytab /etc/http.keytab > KrbMethodNegotiate on > KrbMethodK5Passwd on > Require valid-user > > When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts... > I enter a valid login, but the box stays... > > In the log it says: > failed to verify krb5 credentials: Server not found in Kerberos database > > What is wrong? Can someone help me?! :( > > Greets, > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From paul.moore at centrify.com Tue Feb 3 17:48:25 2009 From: paul.moore at centrify.com (Paul Moore) Date: Tue, 3 Feb 2009 14:48:25 -0800 Subject: Prob: failed to verify krb5 credentials: Server not found in=20 In-Reply-To: <0B0407D90203162A11269@kabelmail.de> References: <0B0407D90203162A11269@kabelmail.de> Message-ID: >>BTW: Is there a way, to find out, what adress the server is looking for? 
wireshark -----Original Message----- From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de] Sent: Tuesday, February 03, 2009 3:42 PM To: Paul Moore; deengert at anl.gov Cc: kerberos at mit.edu Subject: Re: Prob: failed to verify krb5 credentials: Server not found in=20 First of all, thanks for your answers and interest. I already tried it without the port, because I realized, short after I sent my first mail, that the port is really not part of the name. So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN. Kinit still works, but the "Server not in kerberos database" problem still remains. @Paul Moore: What do you mean, with "an AD account with that SPN"? Could you be just a little more specific? Its late over here in germany ;) I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan at SRV.TEST.LAN BTW: Is there a way, to find out, what adress the server is looking for? Greets, ----- Original Message ----- From: "Paul Moore" To: "Douglas E. Engert" Cc: ; Sent: Tuesday, February 03, 2009 11:14 PM Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb for sure the port number should not be in the SPN. I didnt even notice that. I was wondering if there is any principal at all -----Original Message----- From: Douglas E. Engert [mailto:deengert at anl.gov] Sent: Tuesday, February 03, 2009 2:13 PM To: Paul Moore Cc: slaindevil at kabelmail.de; kerberos at mit.edu Subject: Re: Prob: failed to verify krb5 credentials: Server not found in Kerb Paul Moore wrote: > is there an AD account with that SPN? > HTTP/wiki.test.lan:8080 at SRV.TEST.LAN The port number :8080 is usually not part of the principal name. 
So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN

> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of slaindevil at kabelmail.de
> Sent: Tuesday, February 03, 2009 6:28 AM
> To: kerberos at mit.edu
> Subject: Prob: failed to verify krb5 credentials: Server not found in
> Kerb
>
> Hey guys,
>
> I am short before despairing :(
>
> Maybe someone has time and likes to help me? :)
>
> I am trying to set up kerberos to authenticate a
> TWiki running on Unix against a Windows Server 2003 Active Directory...
>
> I configured the krb5.conf like this:
>
>     [logging]
>     ...
>
>     [libdefaults]
>     default_realm = SRV.TEST.LAN
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     ticket_lifetime = 24000
>     forwardable = yes
>
>     [realms]
>     SRV.TEST.LAN = {
>         kdc = location.srv.test.lan:88
>         admin_server = location.srv.test.lan:749
>         default_domain = SRV.TEST.LAN
>     }
>
>     [domain_realm]
>     .test.lan = SRV.TEST.LAN
>     test.lan = SRV.TEST.LAN
>
>     [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 24000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
> When I use "kinit" everything works fine. With every valid login I get a
> ticket...
>
> Then I created the keytab file, set with a valid user and password for
> the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN

Leave off the :8080

> http://wiki.test.lan:8080/bin is the url I type into the browser...
>
> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
> everything works fine... I get a ticket...
>
> Now I wanna setup the twiki to use kerberos to authenticate with...
> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
> like following:
>
>     Order Deny,Allow
>     Allow from all
>
>     AuthType Kerberos
>     KrbAuthRealms SRV.TEST.LAN
>     KrbServiceName HTTP
>     Krb5Keytab /etc/http.keytab
>     KrbMethodNegotiate on
>     KrbMethodK5Passwd on
>     Require valid-user
>
> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
> I enter a valid login, but the box stays...
>
> In the log it says:
> failed to verify krb5 credentials: Server not found in Kerberos database
>
> What is wrong? Can someone help me?! :(
>
> Greets,

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From hardjono at MIT.EDU Tue Feb 3 14:11:21 2009
From: hardjono at MIT.EDU (Thomas Hardjono)
Date: Tue, 3 Feb 2009 14:11:21 -0500
Subject: New whitepaper on Kerberos-on-the-Web
Message-ID: <001701c98633$33ba9610$9b2fc230$@edu>

MIT-KC publishes new whitepaper on Kerberos-on-the-Web.

One of the major goals of the MIT-KC is to establish Kerberos as a ubiquitous authentication mechanism on the Internet and also to make Kerberos appropriate for new environments. One of the key efforts within the MIT-KC directed at this goal is the Kerberos-on-the-Web (Kerb-Web) project. The Kerberos-on-the-Web project seeks initially to investigate the various aspects of the development and deployment of Kerberos within the Web space.
This includes, among others:

(a) the use of the Kerberos authentication paradigm within the context of web-authentication and web-services security,

(b) the possible architecture integration and interactions between the Kerberos infrastructure and web-services security infrastructure,

(c) the possible enhancements of the Kerberos authentication protocol and Kerberos token in order to address the requirements for Single-Sign-On (SSO) on the Web and Web Identity Federation, and

(d) the potential re-use of existing Kerberos infrastructure investments in enterprises and other organizations to support the deployment of Kerberos-on-the-Web solutions.

In order to provide a starting point and context for discussions going forward regarding Kerberos-on-the-Web, the MIT-KC has published a whitepaper on this topic. The whitepaper can be found in the following location:

http://kerberos.org/software/kerbweb.pdf

The MIT-KC would appreciate your inputs and comments regarding this whitepaper, and also your suggestions and recommendations more broadly regarding the Kerberos-on-the-Web project.

Regards.

Thomas Hardjono

__________________________________________
Thomas Hardjono
MIT Kerberos Consortium
Massachusetts Institute of Technology
77 Massachusetts Ave W92-152
Cambridge, MA 02139
email: hardjono[at]mit.edu
web: http://www.kerberos.org
mobile: +1 781.729.9559
__________________________________________

_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce

From matthieu.hautreux at gmail.com Tue Feb 3 17:03:59 2009
From: matthieu.hautreux at gmail.com (Matthieu Hautreux)
Date: Tue, 3 Feb 2009 14:03:59 -0800 (PST)
Subject: How to disable replay cache in a kerberized client-server app ?
References: <257842c2-a788-4908-906e-ac30ffd78aa9@r37g2000prr.googlegroups.com>
Message-ID: <4128124d-9bf3-4592-907f-2c33d1253b89@z27g2000prd.googlegroups.com>

On 3 Feb, 22:16, Ken Raeburn wrote:
> On Feb 3, 2009, at 14:48, matthieu wrote:
>
>> I'm currently writing a kerberized daemon and would like to disable
>> replay cache. I'm using krb5-1.6.1 (RedHat 5.2).
>>
>> I did not find any relevant function in the API. I finally found the
>> krb5_rc_resolve_full function in the krb5 source code and use it for
>> now with a replay cache file name like "none:nofile". It works quite
>> great. I just have to free the returned krb5_rcache structure manually
>> to prevent a memory leak.
>
> There's an environment variable you can set -- three, actually, though
> you only need one here. The library looks for KRB5RCACHETYPE,
> KRB5RCACHENAME, and KRB5RCACHEDIR. If you set KRB5RCACHETYPE to
> "none" it should disable the cache.

Thank you, that could be a good solution. The only drawback is that I wrote an API that encapsulates the Kerberos stuff on a TCP stream, and doing it this way would disable the replay cache for a whole application, not just the scalability-concerned parts.

> Unfortunately, as you've noticed, the public API doesn't have good
> hooks for managing this.
>
> I recall writing up some notes once about how we might specify replay
> caches per service via the config file -- so multiple services using
> the same key could be told to use the same non-default cache without
> hacking the code or environment for each one in sync -- but after
> poking around with google a little I can't find a public record of
> it. If you're interested in writing some code to do something like
> this, let me know. :-)

I would be much more interested, on a short-term basis, in a way to do replay cache configuration using the Kerberos API. I would rather help you write this part and let you do the config file one ;)

>> Is there another way to do that? The reason why I have to do this is
>> that I need to write a scalable daemon and that the replay cache mechanism
>> provides a huge contention in my multithreaded application. I first
>> searched for a way to use a different replay cache file per thread but
>> didn't find a way to do it either.
>
> The problem is, all threads really should be looking at the same data;
> sending replay attacks and having them pass undetected because they
> were processed by different threads would be poor. Of course, it's
> probably still better from a security perspective than completely
> disabling the replay cache....

You are right, I came to the same conclusion. Furthermore, as I plan to launch several hundred threads, using numerous replay caches or no replay cache at all would roughly be the same. I saw in the source code that there is a "memory" replay cache type. Is it working? Do you have examples of how to use it? Perhaps the scalability would be better this way without impacting security.

>> I also have another question. Is it possible to get an addressless
>> TGT using a non-addressless one? A kind of forward that gives you back
>> an addressless ticket?
>
> Yes, it should be, I think. We don't have any separate programs for
> just doing the forwarding and dumping the new TGT into a credentials
> cache or anything like that; it tends to be built into programs that
> actually send the new credentials.

Thank you, I will take a closer look ASAP and let you know about the results if you are interested.
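Added here as an example that is not part of Matthieu's post and is not MIT krb5 code: a minimal shared in-memory replay cache in Python that remembers every accepted authenticator for the clock-skew window, plus a simulation of the same captured AP-REQ delivered to several worker threads, showing why (as Ken says above) all threads must consult one cache. The principals, the clock-skew value and the authenticator bytes are constructed for the example.

```python
import hashlib
import threading
import time
from collections import deque

CLOCKSKEW = 300  # seconds; assumed window, the usual krb5 default


class ReplayCache:
    """Remember every accepted authenticator for CLOCKSKEW seconds.

    An authenticator whose timestamp lies outside the skew window is
    rejected before the table is consulted, so entries older than the
    window can be evicted without opening a replay hole.  One lock guards
    the whole table; every worker thread must use the same table for a
    replay handled by another thread to be detected.
    """

    def __init__(self, clockskew=CLOCKSKEW):
        self.clockskew = clockskew
        self._lock = threading.Lock()
        self._seen = set()       # tags of accepted authenticators
        self._order = deque()    # (ctime, tag), oldest first, for expiry

    @staticmethod
    def tag(client, server, ctime, cusec, authenticator):
        # Key on the principals, the client timestamp and a digest of the
        # authenticator bytes, so two distinct authenticators that share a
        # timestamp are not mistaken for each other.
        digest = hashlib.sha256(authenticator).hexdigest()
        return (client, server, ctime, cusec, digest)

    def _expire(self, now):
        while self._order and self._order[0][0] < now - self.clockskew:
            _, old = self._order.popleft()
            self._seen.discard(old)

    def check_and_store(self, client, server, ctime, cusec, authenticator, now=None):
        """Return 'ok', 'replay' or 'skew' for one presented authenticator."""
        now = time.time() if now is None else now
        if abs(ctime - now) > self.clockskew:
            return "skew"            # the server would answer KRB_AP_ERR_SKEW
        t = self.tag(client, server, ctime, cusec, authenticator)
        with self._lock:
            self._expire(now)
            if t in self._seen:
                return "replay"      # the server would answer KRB_AP_ERR_REPEAT
            self._seen.add(t)
            self._order.append((ctime, t))
            return "ok"


def simulate(shared, workers=4, now=1_000_000.0):
    """Deliver one captured AP-REQ to several worker threads at once.

    shared=True: all workers use one ReplayCache.  shared=False: each
    worker has a private cache (the per-thread layout asked about in the
    thread).  Returns how many workers accepted the authenticator; only
    the shared layout limits that to one.
    """
    one = ReplayCache()
    caches = [one] * workers if shared else [ReplayCache() for _ in range(workers)]
    authenticator = b"constructed-authenticator-bytes"  # stands in for the real ASN.1 blob
    results, results_lock = [], threading.Lock()

    def worker(cache):
        r = cache.check_and_store("alice@EXAMPLE.COM", "daemon/host.example.com@EXAMPLE.COM",
                                  int(now), 4242, authenticator, now=now)
        with results_lock:
            results.append(r)

    threads = [threading.Thread(target=worker, args=(c,)) for c in caches]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return results.count("ok")
```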
Matthieu

> Ken

From peter.djalaliev at gmail.com Tue Feb 3 17:32:59 2009
From: peter.djalaliev at gmail.com (Peter Djalaliev)
Date: Tue, 3 Feb 2009 14:32:59 -0800 (PST)
Subject: question about MIT Kerberos KDC processing PROXY KDC requests
Message-ID: <082edaa9-24f3-4f52-9780-2f1b1019d314@w1g2000prm.googlegroups.com>

Hello,

I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about.

I used the MIT Kerberos distribution and was able to make proxiable/proxy tickets work, but had to make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release.

Both suspicious places are in kdc/kdc_util.c, validate_tgs_request():

1. line 1144:

    if (request->kdc_options & NO_TGT_OPTION) {
        if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) {
            *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
            return(KDC_ERR_SERVER_NOMATCH);
        }
    }

NO_TGT_OPTION is defined as:

    #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE)

The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that:

- the ticket must be a TGT with ticket->server = krbtgt/R1 at R2, for some R1 and R2
- the KDC request must have a server principal request->server = the target application server's Kerberos principal

Should the #define NO_TGT_OPTION really include KDC_OPT_PROXY?

2. line 1236:

    if (isflagset(request->kdc_options, KDC_OPT_PROXY) &&
        (!request->server->data ||
         request->server->data[0].length != KRB5_TGS_NAME_SIZE ||
         memcmp(request->server->data[0].data, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE))) {
        *status = "CAN'T PROXY TGT";
        return KDC_ERR_BAD_OPTION;
    }

KRB5_TGS_NAME is #define-d as "krbtgt"
KRB5_TGS_NAME_SIZE is #define-d as 6

Isn't the boolean logic inverted here? We should return an error if KDC_OPT_PROXY is set and request->server->data[0] is "krbtgt", which would indicate a request for a TGT. Is that correct?

Best Regards,
Peter Djalaliev

From slaindevil at kabelmail.de Tue Feb 3 23:42:17 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Tue, 03 Feb 2009 23:42:17
Subject: Prob: failed to verify krb5 credentials: Server not found in
Message-ID: <0B0407D90203162A11269@kabelmail.de>

First of all, thanks for your answers and interest.

I already tried it without the port, because I realized, short after I sent my first mail, that the port is really not part of the name.

So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
Kinit still works, but the "Server not in kerberos database" problem still remains.

@Paul Moore: What do you mean, with "an AD account with that SPN"? Could you be just a little more specific? It's late over here in Germany ;)

I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan at SRV.TEST.LAN

BTW: Is there a way, to find out, what address the server is looking for?

Greets,

----- Original Message -----
From: "Paul Moore"
To: "Douglas E. Engert"
Sent: Tuesday, February 03, 2009 11:14 PM
Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb

for sure the port number should not be in the SPN. I didn't even notice that. I was wondering if there is any principal at all

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov]
Sent: Tuesday, February 03, 2009 2:13 PM
To: Paul Moore
Cc: slaindevil at kabelmail.de; kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in Kerb

Paul Moore wrote:
> is there an AD account with that SPN?
> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN

The port number :8080 is usually not part of the principal name.
So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN

> [...]

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Tue Feb 3 18:01:02 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 03 Feb 2009 17:01:02 -0600
Subject: Prob: failed to verify krb5 credentials: Server not found in
In-Reply-To: <0B0407D90203162A11269@kabelmail.de>
References: <0B0407D90203162A11269@kabelmail.de>
Message-ID: <4988CCAE.6030800@anl.gov>

slaindevil at kabelmail.de wrote:
> First of all, thanks for your answers and interest.
>
> I already tried it without the port, because I realized, short after I sent my first mail, that the port is really not part of the name.
>
> So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
> Kinit still works, but the "Server not in kerberos database" problem still remains.
>
> @Paul Moore: What do you mean, with "an AD account with that SPN"? Could you be just a little more specific?
> It's late over here in Germany ;)
>
> I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan at SRV.TEST.LAN

How did you create this account, and why do you think the key and kvno in the keytab match what is in AD?

Good place to start: http://technet.microsoft.com/en-us/library/bb742433.aspx
then look at latest ktpass command syntax.

> BTW: Is there a way, to find out, what address the server is looking for?

As Paul said: Wireshark. It can parse Kerberos packets.

> Greets,
>
> [...]

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Tue Feb 3 18:07:56 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 03 Feb 2009 17:07:56 -0600
Subject: Prob: failed to verify krb5 credentials: Server not found in
In-Reply-To: <0B0407D90203162A11269@kabelmail.de>
References: <0B0407D90203162A11269@kabelmail.de>
Message-ID: <4988CE4C.3000303@anl.gov>

Two more things:

Who owns /etc/http.keytab? Apache needs access to the file.

Does hostname on the unix system show the FQDN: wiki.test.lan?

slaindevil at kabelmail.de wrote:
> First of all, thanks for your answers and interest.
>
> [...]

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From paul.moore at centrify.com Tue Feb 3 18:29:20 2009
From: paul.moore at centrify.com (Paul Moore)
Date: Tue, 3 Feb 2009 15:29:20 -0800
Subject: Prob: failed to verify krb5 credentials: Server not in
In-Reply-To: <0B0407D902031714262D3@kabelmail.de>
References: <0B0407D902031714262D3@kabelmail.de>

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan , the actual upn does not matter, wikiwebserver will do nicely

user (b) is just a regular user

-----Original Message-----
From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de]
Sent: Tuesday, February 03, 2009 4:21 PM
To: deengert at anl.gov
Cc: Paul Moore; kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not in

> Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as wiki.test.lan. I thought this would be enough on finding out the FQDN... Am I wrong with that?

> How did you create this account, and why do you think the key and kvno in the
> keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab file by using ktpass with the SPN, the username, the password and some other things for the encryption. I can give you the complete exact information tomorrow...

> As Paul said: Wireshark. It can parse Kerberos packets.

Okay, I got some experience with wireshark, just did not think about it... I'll try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.lan
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I don't know if I get you right... Currently the user's name at the AD, that's also in the keytab file, is TWikiUser. So I have to change its username to http/wiki.test.lan?

Greets,

----- Original Message -----
From: "Douglas E. Engert"
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in

> Two more things:
> Who owns /etc/http.keytab? Apache needs access to the file.
>
> Does hostname on the unix system show the FQDN: wiki.test.lan?
>
> [...]
>
> --
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

From deengert at anl.gov Wed Feb 4 10:00:30 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 04 Feb 2009 09:00:30 -0600
Subject: Prob: failed to verify krb5 credentials: Server not
In-Reply-To: <03DC07D90204093834385@kabelmail.de>
References: <03DC07D90204093834385@kabelmail.de>
Message-ID: <4989AD8E.8010400@anl.gov>

Your problem is the host name is not a FQDN. It is returning wiki, which the server tries to use in a principal name: HTTP/wiki. This is not found in the KDC.

Type the command hostname and see what it says.

Usually changing the /etc/hosts file from:

    n.n.n.n wiki

to:

    n.n.n.n wiki.test.lan wiki

Also read the man page on hostname, as there may be a hostname.something with the name wiki.

slaindevil at kabelmail.de wrote:
> Okay... I used "tcpdump -s 65535 -w out.dump" to generate a dump of the network traffic and loaded it into Wireshark with the kerberos filter on...
>
> I get the following:
> The ticket:
>     Client Realm: SRV.TEST.LAN
>     Client Name (Principal): SlainDevil
>     Tkt-vno: 5
>     Realm: SRV.TEST.LAN
>     Server Name (Unknown): krbtgt/SRV.TEST.LAN
>     Encryption type: rc4-hmac (23)
>     Encryption type: des-cbc-md5 (3)
>
> And then the error message:
>     error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>     Realm: SRV.TEST.LAN
>     Server Name (Service and Host): HTTP/wiki
>
> I guess the last point is the mistake, isn't it? It should be HTTP/wiki.test.lan?
> Anyone got a clue how to fix that? Currently I got no idea why this happens... :(
>
> -------- Kabel E-Mail Reply ---------------
> From: paul.moore at centrify.com
> To : slaindevil at kabelmail.de;deengert at anl.gov
> Date: 04.02.2009 01:35:12
>
> So does that user have the correct spn. Adsiedit will tell you
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From michael at stroeder.com Tue Feb 3 18:22:05 2009
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 04 Feb 2009 00:22:05 +0100
Subject: Prob: failed to verify krb5 credentials: Server not found in

slaindevil at kabelmail.de wrote:
> @Paul Moore: What do you mean, with "an AD account with that SPN"?

He meant an AD user entry for this service with the appropriate service principal name set in (LDAP attribute) 'servicePrincipalName'.

> I had created an extra user and password at the AD. This login is
> saved inside of the keytab together with the SPN:
> HTTP/wiki.test.lan@SRV.TEST.LAN

I guess you used setspn.exe or ktpass.exe to map the AD user account to the service principal name?

Ciao, Michael.

From slaindevil at kabelmail.de Wed Feb 4 00:20:38 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Wed, 04 Feb 2009 00:20:38
Subject: Re: Prob: failed to verify krb5 credentials: Server not in
Message-ID: <0B0407D902031714262D3@kabelmail.de>

> Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as wiki.test.lan. I thought this would be enough on finding out the FQDN... Am I wrong with that?

> How did you create this account, and why do you think the key and kvno in the
> keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab file by using ktpass with the SPN, the username, the password and some other things for the encryption. I can give you the complete exact information tomorrow...

> As Paul said: Wireshark. It can parse Kerberos packets.

Okay, I got some experience with wireshark, just did not think about it... I'll try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.lan
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I don't know if I get you right... Currently the user's name at the AD, that's also in the keytab file, is TWikiUser. So I have to change its username to http/wiki.test.lan?

Greets,

----- Original Message -----
From: "Douglas E. Engert"
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in

> Two more things:
> Who owns /etc/http.keytab? Apache needs access to the file.
>
> Does hostname on the unix system show the FQDN: wiki.test.lan?
>
> slaindevil at kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>>
>> I already tried it without the port, because I realized, short after I sent my first mail, that the port is really not part of the name.
>>
>> So I recreated the keytab file with HTTP/wiki.test.lan@SRV.TEST.LAN.
>> Kinit still works, but the "Server not in kerberos database" problem still remains.
>>
>> @Paul Moore: What do you mean, with "an AD account with that SPN"? Could you be just a little more specific? It's late over here in Germany ;)
>>
>> I had created an extra user and password at the AD. This login is saved inside of the keytab together with the SPN: HTTP/wiki.test.lan@SRV.TEST.LAN
>>
>> BTW: Is there a way to find out what address the server is looking for?
>>
>> Greets,

From slaindevil at kabelmail.de Wed Feb 4 00:57:02 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Wed, 04 Feb 2009 00:57:02
Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not
Message-ID: <0B0407D90203173902160@kabelmail.de>

Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password are in the keytab file for the authentication via Kerberos. The authentication via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type were all right.

Every user shall login with their already existing AD accounts. These are the logins which I try to enter in the login prompt when I visit http://wiki.test.lan:8080.

-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com
To : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan , the actual upn does
not matter wikiwebserver will do nicely
user (b) is just a regular user

From slaindevil at kabelmail.de Wed Feb 4 10:56:52 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Wed, 04 Feb 2009 10:56:52
Subject: Prob: failed to verify krb5 credentials: Server not
Message-ID: <03DC07D90204093834385@kabelmail.de>

Okay... I used "tcpdump -s 65535 -w out.dump" to generate a dump of the network traffic and loaded it into Wireshark with the kerberos filter on...

I get the following:
The ticket:
Client Realm: SRV.TEST.LAN
Client Name (Principal): SlainDevil
Tkt-vno: 5
Realm: SRV.TEST.LAN
Server Name (Unknown): krbtgt/SRV.TEST.LAN
Encryption type: rc4-hmac (23)
Encryption type: des-cbc-md5 (3)

And then the error message:
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: SRV.TEST.LAN
Server Name (Service and Host): HTTP/wiki

I guess the last point is the mistake, isn't it? It should be HTTP/wiki.test.lan?
Anyone got a clue how to fix that? Currently I got no idea why this happens... :(

-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com
To : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 01:35:12

So does that user have the correct spn. Adsiedit will tell you

----- Original Message -----
From: slaindevil at kabelmail.de
To: Paul Moore; deengert at anl.gov
Cc: kerberos at mit.edu
Sent: Tue Feb 03 16:57:02 2009
Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not

Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password is in the keytab file for the authentication via Kerberos. The authentication via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type were allright.

Every user shall login with its already existing AD accounts. These are the logins, which I try to enter in the login prompt when I visit http://wiki.test.lan:8080 .



-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com To : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPD of http/wiki.test.lan , the actual upn does
not matter wikiwebserver will do nicely
user (b) is just a regular use




-----Original Message-----
From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de]
Sent: Tuesday, February 03, 2009 4:21 PM
To: deengert at anl.gov Cc: Paul Moore; kerberos at mit.edu Subject: Re: Prob: failed to verify krb5 credentials: Server not in=

> Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into
the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as
wiki.test.lan.
I thought this would be enough on finding out the FQDN... Am I wrong
with that?

> How did you create this account, and why do you think the key and kvno
in the
> keytab matche what is in AD?

I created the account on the AD manually... Then I created the keytab
file by using ktpass with the SPN, the username, the password and some
other things for the encryption. I can give you the complete exact
information tomorrow...

> As Paul said: Wireshark. It can parse Kerberos packets.

Okay, I got some experience with wireshark, just did not think about
it...
Ill try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.len
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you
have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl , it will do the right thing
> automatically for you

Mh... I dont know if I get you right... Currently the users name at the
AD, thats also in the keytab file, is TWikiUser. So I have to change its
username to http/wiki.test.lan?

Greets,


----- Original Message -----
From: "Douglas E. Engert"
To:
Cc: ;
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found
in=20


> Two more things:
> Who owns /etc/http.keytab? Apache needs access to the file.
>
> Does hostname on the unix system show the FQDN: wiki.test.lan?
>
>
>
> slaindevil at kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>>
>> I already tried it without the port, because I realized, shortly after
>> I sent my first mail, that the port is really not part of the name.
>>
>> So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
>> Kinit still works, but the "Server not in kerberos database" problem
>> still remains.
>>
>> @Paul Moore: What do you mean with "an AD account with that SPN"?
>> Could you be just a little more specific? It's late over here in Germany
>> ;)
>>
>> I had created an extra user and password at the AD. This login is
>> saved inside of the keytab together with the SPN:
>> HTTP/wiki.test.lan at SRV.TEST.LAN
>>
>> BTW: Is there a way to find out what address the server is looking
>> for?
>>
>> Greets,
>>
>>
>> ----- Original Message -----
>> From: "Paul Moore"
>> To: "Douglas E. Engert"
>> Cc: ;
>> Sent: Tuesday, February 03, 2009 11:14 PM
>> Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb
>>
>>
>> for sure the port number should not be in the SPN. I didn't even notice
>> that. I was wondering if there is any principal at all
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov]
>> Sent: Tuesday, February 03, 2009 2:13 PM
>> To: Paul Moore
>> Cc: slaindevil at kabelmail.de; kerberos at mit.edu
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not found in Kerb
>>
>>
>>
>> Paul Moore wrote:
>>> is there an AD account with that SPN?
>>> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>>
>> The port number :8080 is usually not part of the principal name.
>> So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN
>>
>>
>>> -----Original Message-----
>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>>> Behalf Of slaindevil at kabelmail.de
>>> Sent: Tuesday, February 03, 2009 6:28 AM
>>> To: kerberos at mit.edu
>>> Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb
>>>
>>> Hey guys,
>>>
>>> I am short before despairing :(
>>>
>>> Maybe someone has time and likes to help me? :)
>>>
>>> I am trying to set up kerberos to authenticate a
>>> TWiki running on Unix against a Windows Server 2003 Active
>>> Directory...
>>> I configured the krb5.conf like this:
>>>
>>> [logging]
>>> ...
>>>
>>> [libdefaults]
>>> default_realm = SRV.TEST.LAN
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ticket_lifetime = 24000
>>> forwardable = yes
>>>
>>> [realms]
>>> SRV.TEST.LAN = {
>>> kdc = location.srv.test.lan:88
>>> admin_server = location.srv.test.lan:749
>>> default_domain = SRV.TEST.LAN
>>> }
>>>
>>> [domain_realm]
>>> .test.lan = SRV.TEST.LAN
>>> test.lan = SRV.TEST.LAN
>>>
>>> [appdefaults]
>>> pam = {
>>> debug = false
>>> ticket_lifetime = 24000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>>
>>> When I use "kinit" everything works fine. With every valid login I get a
>>> ticket...
>>>
>>>
>>> Then I created the keytab file, set with a valid user and password for
>>> the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>>
>> Leave off the :8080
>>
>>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>>
>>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>>> everything works fine... I get a ticket...
>>>
>>> Now I wanna setup the twiki to use kerberos to authenticate with...
>>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
>>> like following:
>>> Order Deny,Allow
>>> Allow from all
>>>
>>> AuthType Kerberos
>>> KrbAuthRealms SRV.TEST.LAN
>>> KrbServiceName HTTP
>>> Krb5Keytab /etc/http.keytab
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> Require valid-user
>>>
>>> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
>>> I enter a valid login, but the box stays...
>>>
>>> In the log it says:
>>> failed to verify krb5 credentials: Server not found in Kerberos database
>>> What is wrong? Can someone help me?! :(
>>>
>>> Greets,
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>



From slaindevil at kabelmail.de Wed Feb 4 11:19:39 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Wed, 04 Feb 2009 11:19:39
Subject: Prob: failed to verify krb5 credentials: Server not
Message-ID: <03DC07D902040A1327146@kabelmail.de>

> So does that user have the correct spn. Adsiedit will tell you

Okay, I tried it with adsiedit and I got the following for TWikiUser: http/wiki.test.lan

Greets,

-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com
To : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 01:35:12

So does that user have the correct spn. Adsiedit will tell you

----- Original Message -----
From: slaindevil at kabelmail.de
To: Paul Moore; deengert at anl.gov
Cc: kerberos at mit.edu
Sent: Tue Feb 03 16:57:02 2009
Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not

Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password are in the keytab file for the authentication via Kerberos. The authentication via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type were all right.

Every user shall login with their already existing AD accounts. These are the logins which I try to enter in the login prompt when I visit http://wiki.test.lan:8080 .



-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com To : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan, the actual UPN does
not matter; wikiwebserver will do nicely
user (b) is just a regular user




-----Original Message-----
From: slaindevil at kabelmail.de [mailto:slaindevil at kabelmail.de]
Sent: Tuesday, February 03, 2009 4:21 PM
To: deengert at anl.gov
Cc: Paul Moore; kerberos at mit.edu
Subject: Re: Prob: failed to verify krb5 credentials: Server not in

> Who owns /etc/http.keytab? Apache needs access to the file.

The apache has access to the keytab. I also put the keytab directly into
the twiki web directory itself. Made no change...

> Does hostname on the unix system show the FQDN: wiki.test.lan?

I did a nslookup on the unix system and it showed me the server as
wiki.test.lan.
I thought this would be enough on finding out the FQDN... Am I wrong
with that?

> How did you create this account, and why do you think the key and kvno in the
> keytab match what is in AD?

I created the account on the AD manually... Then I created the keytab
file by using ktpass with the SPN, the username, the password and some
other things for the encryption. I can give you the complete exact
information tomorrow...

> As Paul said: Wireshark. It can parse Kerberos packets.

Okay, I got some experience with Wireshark, just did not think about it...
I'll try it out :)

> there needs to be a principal (user or computer) in AD with a Service
> Principal Name equal to http/wiki.test.lan
>
> this gets created for a windows machine when the machine joins
>
> you seem to be doing this by hand. So you must use setspn (addspn? I
> forget) to add an SPN to the user or machine account for which you have
> created the keytab. Or adsiedit will do it
>
> shameless commercial plug: you could always use a commercial solution
> such as Centrify DirectControl, it will do the right thing
> automatically for you

Mh... I don't know if I get you right... Currently the user's name at the
AD, that's also in the keytab file, is TWikiUser. So I have to change its
username to http/wiki.test.lan?

Greets,


----- Original Message -----
From: "Douglas E. Engert"
To:
Cc: ;
Sent: Wednesday, February 04, 2009 12:07 AM
Subject: Re: Prob: failed to verify krb5 credentials: Server not found in


> Two more things:
> Who owns /etc/http.keytab? Apache needs access to the file.
>
> Does hostname on the unix system show the FQDN: wiki.test.lan?
>
>
>
> slaindevil at kabelmail.de wrote:
>> First of all, thanks for your answers and interest.
>>
>> I already tried it without the port, because I realized, shortly after
>> I sent my first mail, that the port is really not part of the name.
>>
>> So I recreated the keytab file with HTTP/wiki.test.lan at SRV.TEST.LAN.
>> Kinit still works, but the "Server not in kerberos database" problem
>> still remains.
>>
>> @Paul Moore: What do you mean with "an AD account with that SPN"?
>> Could you be just a little more specific? It's late over here in Germany
>> ;)
>>
>> I had created an extra user and password at the AD. This login is
>> saved inside of the keytab together with the SPN:
>> HTTP/wiki.test.lan at SRV.TEST.LAN
>>
>> BTW: Is there a way to find out what address the server is looking
>> for?
>>
>> Greets,
>>
>>
>> ----- Original Message -----
>> From: "Paul Moore"
>> To: "Douglas E. Engert"
>> Cc: ;
>> Sent: Tuesday, February 03, 2009 11:14 PM
>> Subject: RE: Prob: failed to verify krb5 credentials: Server not found in Kerb
>>
>>
>> for sure the port number should not be in the SPN. I didn't even notice
>> that. I was wondering if there is any principal at all
>>
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov]
>> Sent: Tuesday, February 03, 2009 2:13 PM
>> To: Paul Moore
>> Cc: slaindevil at kabelmail.de; kerberos at mit.edu
>> Subject: Re: Prob: failed to verify krb5 credentials: Server not found in Kerb
>>
>>
>>
>> Paul Moore wrote:
>>> is there an AD account with that SPN?
>>> HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>>
>> The port number :8080 is usually not part of the principal name.
>> So the browser may be looking for HTTP/wiki.test.lan at SRV.TEST.LAN
>>
>>
>>> -----Original Message-----
>>> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
>>> Behalf Of slaindevil at kabelmail.de
>>> Sent: Tuesday, February 03, 2009 6:28 AM
>>> To: kerberos at mit.edu
>>> Subject: Prob: failed to verify krb5 credentials: Server not found in Kerb
>>>
>>> Hey guys,
>>>
>>> I am short before despairing :(
>>>
>>> Maybe someone has time and likes to help me? :)
>>>
>>> I am trying to set up kerberos to authenticate a
>>> TWiki running on Unix against a Windows Server 2003 Active
>>> Directory...
>>> I configured the krb5.conf like this:
>>>
>>> [logging]
>>> ...
>>>
>>> [libdefaults]
>>> default_realm = SRV.TEST.LAN
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ticket_lifetime = 24000
>>> forwardable = yes
>>>
>>> [realms]
>>> SRV.TEST.LAN = {
>>> kdc = location.srv.test.lan:88
>>> admin_server = location.srv.test.lan:749
>>> default_domain = SRV.TEST.LAN
>>> }
>>>
>>> [domain_realm]
>>> .test.lan = SRV.TEST.LAN
>>> test.lan = SRV.TEST.LAN
>>>
>>> [appdefaults]
>>> pam = {
>>> debug = false
>>> ticket_lifetime = 24000
>>> renew_lifetime = 36000
>>> forwardable = true
>>> krb4_convert = false
>>> }
>>>
>>> When I use "kinit" everything works fine. With every valid login I get a
>>> ticket...
>>>
>>>
>>> Then I created the keytab file, set with a valid user and password for
>>> the service: HTTP/wiki.test.lan:8080 at SRV.TEST.LAN
>>
>> Leave off the :8080
>>
>>> http://wiki.test.lan:8080/bin is the url I type into the browser...
>>>
>>> When I use "kinit" with the keytab and HTTP/wiki.test.lan:8080
>>> everything works fine... I get a ticket...
>>>
>>> Now I wanna setup the twiki to use kerberos to authenticate with...
>>> The httpd.conf for the "bin" directory at http://wiki.test.lan:8080/ is
>>> like following:
>>> Order Deny,Allow
>>> Allow from all
>>>
>>> AuthType Kerberos
>>> KrbAuthRealms SRV.TEST.LAN
>>> KrbServiceName HTTP
>>> Krb5Keytab /etc/http.keytab
>>> KrbMethodNegotiate on
>>> KrbMethodK5Passwd on
>>> Require valid-user
>>>
>>> When I browse to "http://wiki.srv.lan:8080/bin" the login box prompts...
>>> I enter a valid login, but the box stays...
>>>
>>> In the log it says:
>>> failed to verify krb5 credentials: Server not found in Kerberos database
>>> What is wrong? Can someone help me?! :(
>>>
>>> Greets,
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>



From paul.moore at centrify.com Tue Feb 3 19:34:57 2009
From: paul.moore at centrify.com (Paul Moore)
Date: Tue, 3 Feb 2009 16:34:57 -0800
Subject: Prob: failed to verify krb5 credentials: Server not
Message-ID:

So does that user have the correct spn. Adsiedit will tell you

----- Original Message -----
From: slaindevil at kabelmail.de
To: Paul Moore; deengert at anl.gov
Cc: kerberos at mit.edu
Sent: Tue Feb 03 16:57:02 2009
Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not

Yeah, I got several accounts.

The one for the application. Its name is TWikiUser. This name and its password are in the keytab file for the authentication via Kerberos. The authentication via the keytab file works. I tried it with "kinit -k -t /etc/http.keytab HTTP/wiki.test.lan". I got the ticket from the AD. KVNO and encryption type were all right.

Every user shall login with their already existing AD accounts. These are the logins which I try to enter in the login prompt when I visit http://wiki.test.lan:8080.

-------- Kabel E-Mail Reply ---------------
From: paul.moore at centrify.com
To : slaindevil at kabelmail.de;deengert at anl.gov
Date: 04.02.2009 00:29:27

there are 2 user accounts

a) one for the application
b) one (or more) for the user you are logging on with

user (a) must have an SPN of http/wiki.test.lan, the actual UPN does
not matter; wikiwebserver will do nicely
user (b) is just a regular user

From anguyen at redhat.com Fri Feb 6 11:31:41 2009
From: anguyen at redhat.com (Anh Nguyen)
Date: Fri, 06 Feb 2009 08:31:41 -0800
Subject: KDC Configuration Questions
Message-ID: <498C65ED.2080405@redhat.com>

Hi,

Sorry for the following newbie questions, but thanks in advance for your comments and suggestions:

1. Could we set up multiple KDC per single realm?
2. Is it possible to set up multiple independent sets of KDC/realm's working against a single database managed by directory server?
3. Is there a plan to multi-thread KDC?

Anh-

From slaindevil at kabelmail.de Thu Feb 5 20:13:46 2009
From: slaindevil at kabelmail.de (slaindevil@kabelmail.de)
Date: Thu, 05 Feb 2009 20:13:46
Subject: Prob: failed to verify krb5 credentials: Server not
Message-ID: <11CC07D90205130D2E347@kabelmail.de>

Ok, it works fine now! I changed the FQDN!

Thank you very much for your effort and time!

Greets,

----- Original Message -----
From: "Douglas E. Engert"
To:
Cc: ;
Sent: Wednesday, February 04, 2009 4:00 PM
Subject: Re: Prob: failed to verify krb5 credentials: Server not

> Your problem is the host name is not a FQDN. It is returning wiki.
> which the server tries to use in a principal name: HTTP/wiki.
> This is not found in the KDC.
>
> type the command hostname and see what it says.
>
> Usually changing the /etc/hosts file from:
> n.n.n.n wiki
> to:
> n.n.n.n wiki.test.lan wiki
>
> Also read man page on hostname, as there may be a hostname.something
> with the name wiki.
>
>
>
> slaindevil at kabelmail.de wrote:
>> Okay... I used "tcpdump -s 65535 -w out.dump" to generate a dump of the network traffic and loaded it into Wireshark with the kerberos filter on...
>>
>> I get the following:
>> The ticket:
>> Client Realm: SRV.TEST.LAN
>> Client Name (Principal): SlainDevil
>> Tkt-vno: 5
>> Realm: SRV.TEST.LAN
>> Server Name (Unknown): krbtgt/SRV.TEST.LAN
>> Encryption type: rc4-hmac (23)
>> Encryption type: des-cbc-md5 (3)
>>
>> And then the error message:
>> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
>> Realm: SRV.TEST.LAN
>> Server Name (Service and Host): HTTP/wiki
>>
>> I guess the last point is the mistake, isn't it? It should be HTTP/wiki.test.lan?
>> Anyone got a clue how to fix that? Currently I got no idea why this happens... :(
>>
>>
>> -------- Kabel E-Mail Reply ---------------
>> From: paul.moore at centrify.com
>> To : slaindevil at kabelmail.de;deengert at anl.gov
>> Date: 04.02.2009 01:35:12
>>
>> So does that user have the correct spn. Adsiedit will tell you
>
> --
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

From raeburn at MIT.EDU Fri Feb 6 17:51:23 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 6 Feb 2009 17:51:23 -0500
Subject: KDC Configuration Questions
In-Reply-To: <498C65ED.2080405@redhat.com>
References: <498C65ED.2080405@redhat.com>
Message-ID: <95A84443-839A-4E89-9809-149F097576C7@mit.edu>

On Feb 6, 2009, at 11:31, Anh Nguyen wrote:
> Hi,
> Sorry for the following newbie questions, but thanks in advance for your comments and suggestions:
> 1. Could we set up multiple KDC per single realm?

Absolutely; at most sites I think it's the normal way of doing things. You just set up additional DNS SRV records for the realm, or (in the MIT client implementation) multiple "kdc = " lines in the config file. I think MIT's administration manual (or possibly installation manual, I haven't checked in a while) should describe both. With multiple SRV records, unless you set different priorities, the clients should try the KDCs in random order, thus spreading the load. With config file entries, for historical reasons, the client will try them in order, so the second only gets tried if a response doesn't come back from the first quickly enough, etc.

> 2. Is it possible to set up multiple independent sets of KDC/realms working against a single database managed by directory server?

If you use the LDAP database back end, yes, just point all the KDCs in a realm to the same LDAP server(s) and data. I'm pretty sure you could also do multiple realms in one LDAP directory, but I don't know what subtle issues might lie there; I'm more familiar with our more traditional Berkeley DB back end.
Technically, with the Berkeley DB back end, you could probably set up multiple KDCs too, but all KDCs need access to the same DB files, and for security reasons they probably shouldn't be exported over the net, so you'd be talking about running multiple KDCs on one machine, which is not as useful if you're looking to improve availability in cases of machine failure.

> 3. Is there a plan to multi-thread KDC?

Well, that's an interesting question.... It's been discussed, since waiting for LDAP query results could make your KDC slow down. We've even had some code donated, but changing a sensitive security service like the KDC in such a drastic way makes a lot of people nervous for good reasons (ignoring the actual code we got -- going from a big single-threaded program with a bunch of global storage to a multi-threaded program with work queues between different parts is a significant restructuring and likely to have subtle problems), so we've held off on it for now, until we can take a better look at the issue and possible approaches.

In the meantime, actually, that might be a good use case for running multiple KDC processes on one host. You could spread out the load somewhat, among, say, three processes on host A on different port numbers, and three processes on host B on different port numbers. You'd be relying on this load-sharing to reduce the problems from LDAP latency, so you'd really want to go with the SRV records rather than config file entries.

I've got a couple other ideas about less drastic code changes we might be able to make to allow for some parallel processing, by forking the KDC process, but there are some interactions with the way we're handling network interfaces that need a little thought. If you're interested in working on some code, let me know. :-)

Ken

From zhangweiwu at realss.com Sat Feb 7 23:34:41 2009
From: zhangweiwu at realss.com (zhangweiwu@realss.com)
Date: Sun, 08 Feb 2009 12:34:41 +0800
Subject: mit kerberos running on Gentoo Linux
Message-ID: <6v75n1Fih126U2@mid.individual.net>

Dear all. I've installed mit version of kerberos V on my Gentoo Linux through the package repository (called portage in Gentoo). krlogin works but krsh strangely quit with a message I don't understand:

zhangweiwu at esmeralda:~$ krlogin emerson.realss.com
Last login: Fri Feb 6 14:09:47 from 123.116.113.65
Linux Pyrrhus 2.6.18.1-fl2f-v1.02 #41 Thu Jul 3 10:13:18 CST 2008 mips64

The programs included with the RAYS GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

RAYS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
zhangweiwu at Pyrrhus:~$ exit
logout
Connection closed.
zhangweiwu at esmeralda:~$ krsh emerson.realss.com
usage: rlogin [ -8EL] [-e char] [ -l username ] host

Should I complain to Gentoo packager or MIT or have problem of my own? Thanks.

From raeburn at MIT.EDU Mon Feb 9 12:00:08 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 9 Feb 2009 12:00:08 -0500
Subject: mit kerberos running on Gentoo Linux
In-Reply-To: <6v75n1Fih126U2@mid.individual.net>
References: <6v75n1Fih126U2@mid.individual.net>
Message-ID: <5E989D39-C9E3-49D3-8DC9-442A4F0552D8@mit.edu>

On Feb 7, 2009, at 23:34, zhangweiwu at realss.com wrote:
> Dear all. I've installed mit version of kerberos V on my Gentoo Linux through the package repository (called portage in Gentoo).
> krlogin works but krsh strangely quit with a message I don't understand:
>
> zhangweiwu at esmeralda:~$ krlogin emerson.realss.com
> Last login: Fri Feb 6 14:09:47 from 123.116.113.65
> Linux Pyrrhus 2.6.18.1-fl2f-v1.02 #41 Thu Jul 3 10:13:18 CST 2008 mips64
>
> The programs included with the RAYS GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
>
> RAYS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
> zhangweiwu at Pyrrhus:~$ exit
> logout
> Connection closed.
> zhangweiwu at esmeralda:~$ krsh emerson.realss.com
> usage: rlogin [ -8EL] [-e char] [ -l username ] host
>
> Should I complain to Gentoo packager or MIT or have problem of my own?

Kerberos rsh, like traditional BSD rsh, will run rlogin if you give it only a host name and no command to run. So it needs to know the right rlogin program to run. The one it's getting is clearly not the Kerberos rlogin program, so the Gentoo packager should be patching the rlogin source at the same time as renaming the installed commands.

It's probably complaining because krsh runs rlogin with the original argv[] argument list, with argv[0] still set to "krsh". Traditional BSD rlogin and rsh -- but not MIT's Kerberos versions, because of the tendency of some sites to rename these Kerberos versions -- has the "feature" that you can invoke the rlogin program under another name, and it'll assume that that's the hostname, so you could run "emerson w" instead of "rsh emerson w" as a shorthand. The programs figure this out by looking at argv[0] to see if it's "rsh" or "rlogin". I expect the Gentoo "rlogin" program is doing the same, and since "krsh" isn't what it thinks is the program name, it thinks you've supplied two hostnames, "krsh" and "emerson.realss.com", so you get an error. (Since you *should* be running the Kerberos rlogin program which doesn't do this, we shouldn't really need to patch up the argv[] array to change the program name, but you're getting the wrong rlogin, so it matters.)

That's my guess... I haven't looked at the Gentoo rlogin program to see if that's what's really going on. But you are getting the wrong rlogin program.

Ken

From zhangweiwu at realss.com Mon Feb 9 19:52:06 2009
From: zhangweiwu at realss.com (zhangweiwu@realss.com)
Date: Tue, 10 Feb 2009 08:52:06 +0800
Subject: mit kerberos running on Gentoo Linux
In-Reply-To:
References: <6v75n1Fih126U2@mid.individual.net>
Message-ID: <4990CFB6.1080300@realss.com>

Ken Raeburn wrote:
> On Feb 7, 2009, at 23:34, zhangweiwu at realss.com wrote:
>> Dear all. I've installed mit version of kerberos V on my Gentoo Linux through the package repository (called portage in Gentoo). krlogin works but krsh strangely quit with a message I don't understand:
>>
>> zhangweiwu at esmeralda:~$ krlogin emerson.realss.com
>> Last login: Fri Feb 6 14:09:47 from 123.116.113.65
>> Linux Pyrrhus 2.6.18.1-fl2f-v1.02 #41 Thu Jul 3 10:13:18 CST 2008 mips64
>>
>> The programs included with the RAYS GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
>>
>> RAYS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
>> zhangweiwu at Pyrrhus:~$ exit
>> logout
>> Connection closed.
>> zhangweiwu at esmeralda:~$ krsh emerson.realss.com
>> usage: rlogin [ -8EL] [-e char] [ -l username ] host
>>
>> Should I complain to Gentoo packager or MIT or have problem of my own?
>
> Kerberos rsh, like traditional BSD rsh, will run rlogin if you give it only a host name and no command to run. So it needs to know the right
> rlogin program to run. The one it's getting is clearly not the Kerberos rlogin program, so the Gentoo packager should be patching the rlogin source at the same time as renaming the installed commands.

Hi, You are right about it! See:

{0}zhangweiwu at esmeralda:~$ which rlogin
/usr/bin/rlogin
{0}zhangweiwu at esmeralda:~$ sudo ln -s /usr/bin/krlogin /usr/local/bin/rlogin
{0}zhangweiwu at esmeralda:~$ which rlogin
/usr/local/bin/rlogin
{0}zhangweiwu at esmeralda:~$ kinit
Password for zhangweiwu at REALSS.COM:
{0}zhangweiwu at esmeralda:~$ krsh emerson.realss.com
usage: rlogin [ -8EL] [-e char] [ -l username ] host
{1}zhangweiwu at esmeralda:~$ What the hell??
-bash: What: command not found
{127}zhangweiwu at esmeralda:~$ sudo mv /usr/bin/rlogin /usr/bin/rlogin.dist
{0}zhangweiwu at esmeralda:~$ sudo mv /usr/local/bin/rlogin /usr/bin/
{0}zhangweiwu at esmeralda:~$ krsh emerson.realss.com
Last login: Mon Feb 9 17:28:22 from 192.168.1.106
Linux Pyrrhus 2.6.18.1-fl2f-v1.02 #41 Thu Jul 3 10:13:18 CST 2008 mips64

The programs included with the RAYS GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

RAYS GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
zhangweiwu at Pyrrhus:~$ Thank god now it works.
-sh: Thank: command not found
zhangweiwu at Pyrrhus:~$ logout
Connection closed.

> It's probably complaining because krsh runs rlogin with the original argv[] argument list, with argv[0] still set to "krsh". Traditional BSD rlogin and rsh -- but not MIT's Kerberos versions, because of the tendency of some sites to rename these Kerberos versions -- has the "feature" that you can invoke the rlogin program under another name, and it'll assume that that's the hostname, so you could run "emerson w" instead of "rsh emerson w" as a shorthand. The programs figure this out by looking at argv[0] to see if it's "rsh" or "rlogin". I expect the Gentoo "rlogin" program is doing the same, and since "krsh" isn't what it thinks is the program name, it thinks you've supplied two hostnames, "krsh" and "emerson.realss.com", so you get an error.

Isn't it looking strange? I mean from the poor grade-one-level C programming language course I managed, arguments are taken by constantly calling optargs and going through each parameter with a "switch-case" statement, which means later arguments would automatically overwrite previous ones unless the programmer specifically wrote otherwise. Isn't it more sane to, in that case, take the first parameter instead of argv[0] for hostname?

> Since you *should* be running the Kerberos rlogin program which doesn't do this, we shouldn't really need to patch up the argv[] array to change the program name, but you're getting the wrong rlogin, so it matters.

Emm. If gentoo people do not want to overwrite non-kerberos /usr/bin/rlogin (for package management reasons, because that means they need to write a meta-selection package to let user choose from one of netkit-rsh and kerberos-rsh, making it look more complicated), they should patch /usr/bin/rsh to make it call /usr/bin/krlogin instead of /usr/bin/rlogin.

Thanks for your "guess"! I'll submit a bug report to gentoo if there isn't already one.

From William.Fiveash at Sun.COM Mon Feb 9 23:37:36 2009
From: William.Fiveash at Sun.COM (Will Fiveash)
Date: Mon, 9 Feb 2009 22:37:36 -0600
Subject: MIT e-mail phish attempt
Message-ID: <20090210043735.GA19787@sun.com>

Just got the attached e-mail (which I bzip2ed) that contained:

Date: Mon, 09 Feb 2009 23:23:12 -0500 (EST)
From: MIT Support Team
Subject:
To: undisclosed-recipients: ;

Dear mit.edu User,

Your email account has been used to send numerous Spam mails recently from a foreign IP. As a result, the mit.edu has received advice to suspend your account. However, you might not be the one promoting this Spam, as your email account might have been compromised.
To protect your account from sending spam mails, you are to confirm your true ownership of this account by providing your original username (*******) and PASSWORD (*******) as a reply to this message. On receipt of the requested information, the "mit.edu" web email support shall block your account from Spam.

Failure to do this will violate the mit.edu email terms & conditions. This will render your account inactive.

Thanks for using mit.edu
The MIT Webmail
Copyright © 2004-2008 The Massachusetts Institute Of Technology.
=================================================================

Note the Reply-to: is webaceess at ymail.com.

Just letting y'all know.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

From tlyu at MIT.EDU Mon Feb 9 23:51:35 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Mon, 09 Feb 2009 23:51:35 -0500
Subject: MIT e-mail phish attempt
In-Reply-To: <20090210043735.GA19787@sun.com> (Will Fiveash's message of "Mon, 9 Feb 2009 22:37:36 -0600")
References: <20090210043735.GA19787@sun.com>
Message-ID:

Will Fiveash writes:
> From: Will Fiveash
> Subject: MIT e-mail phish attempt
> To: Tom Yu , Ken Raeburn
> Cc: MIT Kerberos Dev List , MIT Kerberos List
> Date: Mon, 9 Feb 2009 22:37:36 -0600
> Mail-Followup-To: Tom Yu , Ken Raeburn , MIT Kerberos Dev List , MIT Kerberos List
>
> Just got the attached e-mail (which I bzip2ed) that contained:
[...]

This is an obvious forgery that did not originate at MIT. Please ignore it.
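Will's observation about the Reply-To header is the tell in this kind of forgery: the mail claims an mit.edu sender but routes answers elsewhere. As an added illustration (my code, not anything posted in the thread), the following Python checks a message for a Reply-To that leaves the claimed sender's domain together with a body that asks for a password by reply; the sample messages are constructed and the reply address is a placeholder.

```python
"""Flag mail whose Reply-To diverts answers away from the claimed sender (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not the ones from the thread. PHISH is modelled on the
# forged "MIT Support Team" mail quoted above; its Reply-To is a placeholder address.
PHISH = """\
From: MIT Support Team <support@mit.edu>
Reply-To: webmail-support@example.invalid
To: undisclosed-recipients: ;
Subject: Account notice

Dear mit.edu User,
Your email account has been used to send numerous Spam mails recently.
To protect your account, confirm your true ownership by providing your
username (*******) and PASSWORD (*******) as a reply to this message.
"""

# A list reply whose Reply-To stays inside the sender's own domain.
LIST_REPLY = """\
From: Tom Yu <tlyu@mit.edu>
Reply-To: kerberos@mit.edu
To: kerberos@mit.edu
Subject: Re: MIT e-mail phish attempt

This is an obvious forgery that did not originate at MIT. Please ignore it.
"""

CRED_WORDS = re.compile(r"\b(password|passwd|user ?name|login details)\b", re.IGNORECASE)
REPLY_WORDS = re.compile(r"\b(reply|respond|send (?:it|them|us) back)\b", re.IGNORECASE)


def addr_domain(header_value):
    """Lower-cased domain of the first mailbox in a header, or None if there is none."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def same_organisation(reply_domain, from_domain):
    """True when the Reply-To domain is the From domain or one of its subdomains."""
    return reply_domain == from_domain or reply_domain.endswith("." + from_domain)


def reply_to_diverts(msg):
    """True when a Reply-To header would route answers to a different organisation."""
    from_domain = addr_domain(msg.get("From"))
    reply_domain = addr_domain(msg.get("Reply-To"))
    if from_domain is None or reply_domain is None:
        return False  # no Reply-To, or unparseable addresses: nothing to compare
    return not same_organisation(reply_domain, from_domain)


def message_body(msg):
    """Plain-text body; for multipart mail, the concatenated text/plain parts only."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def asks_for_credentials(body):
    """The phish pattern: a credential word plus an instruction to send it back by mail."""
    return bool(CRED_WORDS.search(body) and REPLY_WORDS.search(body))


def analyse_message(raw):
    """Return both indicators and a verdict; both together are the pattern in the thread."""
    msg = message_from_string(raw)
    result = {
        "reply_to_diverts": reply_to_diverts(msg),
        "asks_for_credentials": asks_for_credentials(message_body(msg)),
    }
    hits = sum(result.values())
    result["verdict"] = "likely-phish" if hits == 2 else "suspicious" if hits == 1 else "ok"
    return result


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LIST_REPLY", LIST_REPLY)):
        print(name, analyse_message(raw))
```

The domain comparison is deliberately loose (subdomains of the From domain count as the same organisation), so it will miss look-alike domains; it is a first-pass filter, not a verdict on its own.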
From D.H.Davis at bath.ac.uk Tue Feb 10 04:13:44 2009
From: D.H.Davis at bath.ac.uk (Dennis Davis)
Date: Tue, 10 Feb 2009 09:13:44 +0000 (GMT)
Subject: MIT e-mail phish attempt
In-Reply-To: <20090210043735.GA19787@sun.com>
References: <20090210043735.GA19787@sun.com>
Message-ID:

On Mon, 9 Feb 2009, Will Fiveash wrote:
> From: Will Fiveash
> To: Tom Yu , Ken Raeburn
> Cc: MIT Kerberos Dev List , MIT Kerberos List
> Date: Mon, 9 Feb 2009 22:37:36 -0600
> Subject: MIT e-mail phish attempt
>
> Just got the attached e-mail (which I bzip2ed) that contained:
>
> Date: Mon, 09 Feb 2009 23:23:12 -0500 (EST)
> From: MIT Support Team
> Subject:
> To: undisclosed-recipients: ;
>
> Dear mit.edu User,
>
> Your email account has been used to send numerous Spam mails recently from a foreign IP. As a result, the mit.edu has received advice to suspend your account. However, you might not be the one promoting this Spam, as your email account might have been compromised. To protect your account from sending spam mails, you are to confirm your true ownership of this account by providing your original username (*******) and PASSWORD (*******) as a reply to this message. On receipt of the requested information, the "mit.edu" web email support shall block your account from Spam.
>
> Failure to do this will violate the mit.edu email terms & conditions. This will render your account inactive.

This is a very common attack against usernames/passwords. We, and others, are seeing a lot of these. Usually the Reply-To address is set to a separate account used to capture account details from the reply. See:

http://code.google.com/p/anti-phishing-email-reply/

for a project which targets the Reply-To address. I also believe the Sanesecurity anti-phishing signatures at:

http://www.sanesecurity.com/

will defend against some of these attacks.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk Phone: +44 1225 386101

From rra at stanford.edu Wed Feb 11 15:04:09 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 11 Feb 2009 12:04:09 -0800
Subject: pam-krb5 security advisory (3.12 and earlier)
Message-ID: <87bpt8yc3q.fsf@windlord.stanford.edu>

pam-krb5 security vulnerability

Vulnerability type: Local privilege escalation, local file overwrite
Versions affected: All versions prior to 3.13
Versions fixed: 3.13 and later
Reported: 2009-01-29
Public announcement: 2009-02-11
CVE IDs: CVE-2009-0360, CVE-2009-0361

A security vulnerability in pam-krb5 allowing overwrite and chown of arbitrary files via Solaris su was discovered by Derek Chan and reported by Steven Luo on 2009-01-29. Subsequent code auditing for behavior in setuid applications uncovered another, more general and more serious bug that could result in privilege escalation.

This advisory is only for my pam-krb5 module, as distributed from my web site and packaged by Debian, Ubuntu, and Gentoo. These vulnerabilities will likely also affect any PAM modules derived from mine, but I'm not personally aware of any such modules in widespread use. The Red Hat, Sourceforge, and Solaris pam_krb5 and pam_krb5afs modules have completely different lineages and code and would need to be checked separately for the presence or absence of these problems. I urge all Kerberos PAM module developers to check their modules for similar problems.

The following two vulnerabilities are present in all versions of my pam-krb5 module prior to 3.13:

CVE-2009-0360

When linked with MIT Kerberos, pam-krb5 did not use the correct API for initializing the Kerberos libraries in a setuid context. This meant the MIT Kerberos libraries would trust environmental variables to locate the Kerberos configuration.
An attacker could exploit this to bypass authentication checks in setuid applications using PAM for authentication, resulting in privilege escalation. This vulnerability was not present if pam-krb5 was linked with the Heimdal Kerberos implementation.

CVE-2009-0361

pam_setcred with PAM_REINITIALIZE_CREDS or PAM_REFRESH_CREDS is used to refresh existing credentials for a user, such as when releasing a locked screen. It therefore honors the existing KRB5CCNAME environment variable to locate the existing Kerberos credential cache. This means, however, that if those APIs were called by a setuid application without first calling PAM_ESTABLISH_CREDS or dropping privileges, pam-krb5 may overwrite and chown the file specified by KRB5CCNAME to an attacker. This PAM calling sequence is unusual, but it's known to be used by Solaris 10 su. pam-krb5 3.13 and later will log an error message and return success without taking any action when a program attempts to reinitialize credentials in a setuid context.

I'm not aware of any exploits in the wild for either problem, but I have working exploits for both. An exploit of the first vulnerability is straightforward for anyone with knowledge of Kerberos. An exploit for the second vulnerability requires identifying an application that uses the vulnerable PAM calling sequence but is completely trivial once such an application has been identified.

These problems have been corrected in pam-krb5 3.13, available from:

http://www.eyrie.org/~eagle/software/pam-krb5/

Direct download links to the release and the PGP signature of the release:

http://archives.eyrie.org/software/kerberos/pam-krb5-3.13.tar.gz
http://archives.eyrie.org/software/kerberos/pam-krb5-3.13.tar.gz.asc

pam-krb5 was released as the libpam-krb5 package with Debian 4.0 (etch). These vulnerabilities have been fixed in the 2.6-1etch1 version of the libpam-krb5 Debian package for Debian 4.0. They have also been fixed in the 3.11-4 package for the upcoming Debian 5.0 (lenny) release and for Debian unstable (sid).

pam-krb5 linked with the Heimdal Kerberos implementation was also released as the libpam-heimdal package with Debian 4.0 (etch). This package is not vulnerable to the first problem (CVE-2009-0360). The second problem (CVE-2009-0361) has been fixed in the 2.5-1etch1 version of the libpam-heimdal Debian package for Debian 4.0 and in the 3.10-2.1 version for the upcoming Debian 5.0 (lenny) release and Debian unstable (sid).

Please accept my personal apologies for these vulnerabilities. The first vulnerability in particular was an error I should have known about and fixed some time previous. I even followed a BUGTRAQ discussion of a closely related problem with Kerberos authentication in sudo, did some investigation at the time, and apparently forgot or misremembered the results of my investigation.

--
Russ Allbery (rra at stanford.edu)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090211/89df1b33/attachment.bin

From rra at stanford.edu Wed Feb 11 15:08:33 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 11 Feb 2009 12:08:33 -0800
Subject: pam-krb5 3.13 released
Message-ID: <877i3wybwe.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.13 of pam-krb5. This is an urgent security update. Everyone using this module should upgrade to either 3.13 or to a fixed package available from a package provider. See:

http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html

for more details.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

SECURITY: When built against MIT Kerberos, if pam_krb5 is called in a setuid context (effective UID or GID doesn't match the real UID or GID), use krb5_init_secure_context instead of krb5_init_context. This ignores environment variable settings for the local Kerberos configuration and keytab. Previous versions could allow a local attacker to point a setuid program that used PAM authentication at a different Kerberos configuration under the attacker's control, possibly resulting in privilege escalation. Heimdal handles this logic within the Kerberos libraries and therefore was not affected.

SECURITY: Disable pam_setcred(PAM_REINITIALIZE_CREDS) for setuid applications. If pam_krb5 detects this call in a setuid context, it now logs an error and returns success without doing anything. Solaris su calls pam_setcred with that option rather than PAM_ESTABLISH_CREDS after authentication and without wiping the environment, leading previous versions of pam_krb5 to trust the KRB5CCNAME environment variable for the ticket cache location. This permitted an attacker to use previous versions of pam_krb5 to overwrite arbitrary files with Kerberos credential caches that were left owned by the attacker. Setuid screen lock programs may also be affected. Discovered by Derek Chan and reported by Steven Luo. Thanks to Sam Hartman and Jeffrey Hutzelman for additional analysis.

If a prefix of /usr is requested at configure time, install the PAM module into /lib/security or /lib64/security on Linux, matching the standard Linux-PAM module location. Use lib64 instead of lib on 64-bit SPARC, PowerPC, and S390 Linux as well as x86_64. Patch from Peter Breitenlohner.

Fix a build problem when builddir != srcdir introduced in 3.11. Patch from Peter Breitenlohner.

Add support for the old Heimdal krb5_get_error_string interface. Thanks, Chaskiel Grundman.

Add --with-krb5-include and --with-krb5-lib configure options to allow more specific setting of paths if necessary.

If krb5-config isn't available, attempt to determine if the library directory for the Kerberos libraries is lib32 or lib64 instead of lib and set LDFLAGS accordingly. Based on an idea from the CMU Autoconf macros.

You can download it from:

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian experimental. The security vulnerabilities will be separately fixed shortly in Debian stable (etch), Debian testing (lenny), and Debian unstable (sid).

Please let me know of any problems or feature requests not already listed in the TODO file.

--
Russ Allbery (rra at stanford.edu)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20090211/bb8c839b/attachment.bin

From eirvine at tpg.com.au Wed Feb 11 16:15:13 2009
From: eirvine at tpg.com.au (Edward Irvine)
Date: Thu, 12 Feb 2009 08:15:13 +1100
Subject: Kerberised NFS
Message-ID: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au>

Hi Folks,

Is there a ticket between client and server that expires? If so, how does it get renewed?

Kerberised NFS presumably requires authentication and (optionally) encryption between client and server, so presumably the client needs to get a ticket prior to contacting the server.
I appear to be successfully sharing out /export/home from a server with kerberos security options, and successfully automounting user's home directories on client machines when they log in. However, first thing in the morning the home directories on client machines are inaccessible (i.e. when I ssh in my home directory is unavailable). Restarting automountd fixes things for the rest of the day.

This is Solaris 10 u6 on client and server, and using the Solaris 10 u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - nsswitch is to files and DNS. The mapid domain name is set in /etc/defaults/nfs.

Any pointers greatly appreciated.

Eddie

From msimovic at concurrent-thinking.com Thu Feb 12 05:59:23 2009
From: msimovic at concurrent-thinking.com (Martin Simovic)
Date: Thu, 12 Feb 2009 10:59:23 +0000
Subject: Kerberised NFS
In-Reply-To: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au>
References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au>
Message-ID: <1234436363.6559.5.camel@latitude>

Hi,

the client needs to get his ticket initially somehow. (yes, the ticket expires). Ideally this happens during logon (here you have to play with pam settings). On the other hand the client can always run 'kinit' from the console to get his ticket (after that his mounted directory will become accessible).

I can't tell you much about how to achieve this on solaris. However I can post the pam.conf for linux I use myself; the result is that the client (me) gets a kerberos ticket during GDM logon - no need to provide the credentials twice. After that, all the kerberized services (NFS, IMAP, HTTP, authenticated SMTP, SSH) are available immediately as all the tickets needed for a given service are automatically requested and granted on the basis that the user (me) already has a TGT (ticket granting ticket).

M.

On Thu, 2009-02-12 at 08:15 +1100, Edward Irvine wrote:
> Hi Folks,
>
> Is there a ticket between client and server that expires? If so, how does it get renewed?
>
> Kerberised NFS presumably requires authentication and (optionally) encryption between client and server, so presumably the client needs to get a ticket prior to contacting the server.
>
> I appear to be successfully sharing out /export/home from a server with kerberos security options, and successfully automounting user's home directories on client machines when they log in. However, first thing in the morning the home directories on client machines are inaccessible (i.e. when I ssh in my home directory is unavailable). Restarting automountd fixes things for the rest of the day.
>
> This is Solaris 10 u6 on client and server, and using the Solaris 10 u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - nsswitch is to files and DNS. The mapid domain name is set in /etc/defaults/nfs.
>
> Any pointers greatly appreciated.
>
> Eddie
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

This e-mail message may contain confidential and/or privileged information. If you are not an addressee or otherwise authorized to receive this message, you should not use, copy, disclose or take any action based on this e-mail or any information contained in the message. If you have received this material in error, please advise the sender immediately by reply e-mail and delete this message. Thank you.
Allinea Software and Streamline Computing are trading divisions of Concurrent Thinking Limited: Registered in England and Wales No: 03913912 Registered Address: The Innovation Centre, Warwick Technology Park, Gallows Hill, Warwick, CV34 6UW, United Kingdom From ro at techfak.uni-bielefeld.de Thu Feb 12 06:07:08 2009 From: ro at techfak.uni-bielefeld.de (Rainer Orth) Date: 12 Feb 2009 12:07:08 +0100 Subject: Kerberised NFS In-Reply-To: Edward Irvine's message of "Thu, 12 Feb 2009 08:15:13 +1100" References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> Message-ID: Edward Irvine writes: > This is Solaris 10 u6 on client and server, and using the Solaris 10 > u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - > nsswitch is to files and DNS. The mapid domain name is set in /etc/ > defaults/nfs. Check warn.conf(4) for the renew option. This was first added in OpenSolaris and now backported to S10U6 and uses ktkt_warnd(1M) to not only warn about tickets about to expire, but to also renew them within their renewable lifetime. Hope this helps. Rainer -- ----------------------------------------------------------------------------- Rainer Orth, Faculty of Technology, Bielefeld University From deengert at anl.gov Thu Feb 12 11:52:20 2009 From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 12 Feb 2009 10:52:20 -0600 Subject: Kerberised NFS In-Reply-To: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> Message-ID: <499453C4.3030704@anl.gov> Edward Irvine wrote: > Hi Folks, > > Is there a ticket beween client and server that expires? If so, how > does it get renewed? > > Kerberised NFS presumably requires authentication and (optionally) > encryption between client and server, so presumably the client needs > to get a ticket prior to contacting the server. Are you talking NFSv4 or NFSv3? 
> > I appear to be successfully using sharing out /export/home from a > server with kerberos security options, and successfully automounting > user's home directories on client machines when they log in. However, > first thing in the morning the home directories on client machines > are inaccessable (i.e. when I ssh in my home directory is > unavaliable). Restarting automountd fixes things for the rest of the > day. First of all the sshd must get a kerberos ticket, either by delegated gssapi credentials( i.e. forwarded kerberos ticket), or by keyboard interactive. You will need to setup pam.conf for sshd-* On Solairs the sshd has multiple entries in pam.conf depending on which authentication method was used see the man page for sshd at the end for sshd-gssapi and sshd-kbdint. dtlogin can also call pam_krb5 see the man page on pam_krb5. > > This is Solaris 10 u6 on client and server, and using the Solaris 10 > u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - > nsswitch is to files and DNS. The mapid domain name is set in /etc/ > defaults/nfs. Solaris with NFSv4 will only use the default Kerberos ticket cache, for a user: /tmp/krb5cc_ Even if you have KRB5CCNAME set. (Personally, I consider this a step backwards and have expressed this to Sun many times.) Having said all the above, we do get tickets at login, sshd and screen unlock, but use AFS (which uses Kerberos V5) for home directories, not NFS. I would expect that if pam is setup to get the tickets, the NFS code would use them for home directory access. > > Any pointers greatly appreciated. > > Eddie > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. 
Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From eirvine@tpg.com.au Fri Feb 13 06:21:41 2009
From: eirvine@tpg.com.au (Edward Irvine)
Date: Fri, 13 Feb 2009 22:21:41 +1100
Subject: Solved: Kerberised NFS
In-Reply-To: <499453C4.3030704@anl.gov>
References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> <499453C4.3030704@anl.gov>
Message-ID:

Hi Folks,

Thanks for the feedback everyone.

On 13/02/2009, at 3:52 AM, Douglas E. Engert wrote:

>
>
> Edward Irvine wrote:
>> Hi Folks,
>> Is there a ticket between client and server that expires? If so, how does it get renewed?
>> Kerberised NFS presumably requires authentication and (optionally) encryption between client and server, so presumably the client needs to get a ticket prior to contacting the server.
>
> Are you talking NFSv4 or NFSv3?

NFSv4: nothing was done to downgrade it to NFSv3

>> I appear to be successfully using sharing out /export/home from a server with kerberos security options, and successfully automounting user's home directories on client machines when they log in. However, first thing in the morning the home directories on client machines are inaccessible (i.e. when I ssh in my home directory is unavailable). Restarting automountd fixes things for the rest of the day.
>
> First of all the sshd must get a kerberos ticket, either by delegated gssapi credentials (i.e. forwarded kerberos ticket), or by keyboard interactive. You will need to setup pam.conf for sshd-*

Yes and no. When I logged in with ssh I *thought* I got a ticket. But now I suspect the TGT I saw yesterday was a stale one.

Turns out when I logged in directly to the machine using username/password I got a TGT (via pam_krb5). Home directory mounting worked as expected. However, when I logged in to the target via another kerberised machine I authenticated "seamlessly" via GSSAPI.
In which case I did not have a TGT on the target as it was not being forwarded by my workstation. Thus, my Kerberos protected home directory on the target was not being automounted.

>
> On Solaris the sshd has multiple entries in pam.conf depending on which authentication method was used; see the man page for sshd at the end for sshd-gssapi and sshd-kbdint.
>
> dtlogin can also call pam_krb5; see the man page on pam_krb5.
>
>> This is Solaris 10 u6 on client and server, and using the Solaris 10 u6 Kerberos server. There is no NIS or LDAP naming going on (yet) - nsswitch is to files and DNS. The mapid domain name is set in /etc/defaults/nfs.
>
> Solaris with NFSv4 will only use the default Kerberos ticket cache, for a user: /tmp/krb5cc_ Even if you have KRB5CCNAME set. (Personally, I consider this a step backwards and have expressed this to Sun many times.)
>
> Having said all the above, we do get tickets at login, sshd and screen unlock, but use AFS (which uses Kerberos V5) for home directories, not NFS. I would expect that if pam is setup to get the tickets, the NFS code would use them for home directory access.
>
>
>> Any pointers greatly appreciated.
>> Eddie

On my workstation (and all kerberos clients) I have now inserted:

a) "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
b) "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
c) Played around with /etc/krb5/warn.conf so that tickets are automatically renewed.

The end result is that I now have a TGT on the target, even when I log in to an intermediate machine first.

I also did a little experiment. After logging in to the target machine (with the GSSAPIDelegateCredentials working and all), I ran the "kdestroy" command. As expected, my home directory became immediately unreadable until I got a new TGT with the "kinit" command. Cool...
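The fix Edward describes above rests on three properties of the TGT in the default cache on the target: it must exist there at all, it must be forwardable for ssh's GSSAPIDelegateCredentials to pass it on, and it must be renewable (and renewed in time, which is what the warn.conf renew option automates) or the home directory goes away overnight. The following is an added example, not code from the thread or from any Kerberos distribution: it parses the text that MIT's `klist -f` prints and reports which of those properties is missing. The klist samples are constructed, and the cache name, principals and the two-hour renew window are assumptions.

```python
"""Is this credential cache good enough to keep a krb5-protected NFS home
directory mounted, and to be delegated onward by ssh?

Added example for the thread above; it is not code from the posters or
from any Kerberos distribution.  It parses the text MIT ``klist -f``
prints (constructed samples below, in that output's date format); the
cache name, principals and 2-hour renew window are assumptions.
"""
import re
from datetime import datetime, timedelta

TS = "%m/%d/%y %H:%M:%S"          # klist's default timestamp format
_TS_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
_TICKET_RE = re.compile(r"^(" + _TS_RE + r")\s+(" + _TS_RE + r")\s+(\S+)\s*$")
# continuation line: "\trenew until <ts>, Flags: FRIA" or just "\tFlags: FA"
_CONT_RE = re.compile(r"^\s+(?:renew until (" + _TS_RE + r"))?,?\s*(?:Flags: (\w+))?\s*$")

# Constructed ``klist -f`` output: a forwardable (F), renewable (R) TGT
# plus the NFS service ticket the automounter obtained with it.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: eddie@EXAMPLE.COM

Valid starting       Expires              Service principal
02/13/09 08:00:00  02/13/09 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/20/09 08:00:00, Flags: FRIA
02/13/09 08:00:01  02/13/09 18:00:00  nfs/fs.example.com@EXAMPLE.COM
\tFlags: FA
"""
# Constructed: yesterday's TGT, neither forwardable nor renewable - the
# stale TGT Edward describes, which ssh cannot delegate and ktkt_warnd
# cannot renew.
SAMPLE_STALE = """\
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: eddie@EXAMPLE.COM

Valid starting       Expires              Service principal
02/12/09 08:00:00  02/12/09 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: IA
"""
# Constructed: service tickets but no TGT at all.
SAMPLE_NO_TGT = "\n".join(l for l in SAMPLE_KLIST.splitlines()
                          if "krbtgt/" not in l and "renew until" not in l)

def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist -f text."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"start": datetime.strptime(m.group(1), TS),
                            "expires": datetime.strptime(m.group(2), TS),
                            "service": m.group(3), "renew_until": None, "flags": ""})
            continue
        m = _CONT_RE.match(line)
        if m and tickets:          # continuation belongs to the previous ticket
            if m.group(1):
                tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS)
            if m.group(2):
                tickets[-1]["flags"] = m.group(2)
    return principal, tickets

def tgt_status(text, now, renew_window=timedelta(hours=2)):
    """Classify the TGT: returns (status, warnings).  status is "missing"
    (kinit, or have ssh delegate one), "expired" (kinit; an expired
    ticket cannot be renewed), "renew" (valid, renewable and within
    renew_window of expiry: run ``kinit -R``) or "ok"."""
    _, tickets = parse_klist(text)
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "missing", ["no TGT in cache"]
    tgt, warnings = tgts[0], []
    if "F" not in tgt["flags"]:
        warnings.append("TGT not forwardable: ssh GSSAPIDelegateCredentials cannot pass it on")
    renewable = "R" in tgt["flags"] and tgt["renew_until"] is not None
    if not renewable:
        warnings.append("TGT not renewable: it will expire at %s" % tgt["expires"])
    if now >= tgt["expires"]:
        return "expired", warnings
    if renewable and now < tgt["renew_until"] and tgt["expires"] - now <= renew_window:
        return "renew", warnings
    return "ok", warnings

def status_at(text, when):
    """Same as tgt_status, with ``when`` in klist's own timestamp format."""
    return tgt_status(text, datetime.strptime(when, TS))

if __name__ == "__main__":
    for sample, when in ((SAMPLE_KLIST, "02/13/09 09:00:00"),
                         (SAMPLE_KLIST, "02/13/09 16:30:00"),
                         (SAMPLE_STALE, "02/13/09 08:00:00"),
                         (SAMPLE_NO_TGT, "02/13/09 08:00:00")):
        print(when, *status_at(sample, when))
```

On a real client you would feed it `klist -f` output for the default cache (the one Solaris NFSv4 insists on, as Douglas notes); a "renew" result is the moment `kinit -R` has to run, and an "expired" result is the morning symptom from the original post, since renewal is only possible while the ticket is still valid.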
From lorenzo.c@temporaryforwarding.com Fri Feb 13 09:47:24 2009
From: lorenzo.c@temporaryforwarding.com (Lorenzo Costanzia)
Date: Fri, 13 Feb 2009 15:47:24 +0100
Subject: Kerberos service principal canonicalization
Message-ID: <499587fc$0$1112$4fafbaef@reader4.news.tin.it>

Hi,

is there a way with MIT kerberos to create an "alias" for e.g. service/myhost.priv.@REALM (mind the trailing dot in the SPN) to service/myhost.priv@REALM (without dot), so that a request (with canonicalization flag set) for the former principal returns a ticket for the latter?

Best regards,
Lorenzo Costanzia

From lorenzo.costanzia@gmail.com Fri Feb 13 06:23:41 2009
From: lorenzo.costanzia@gmail.com (Lorenzo Costanzia)
Date: Fri, 13 Feb 2009 12:23:41 +0100
Subject: Kerberos canonicalization problem
Message-ID: <4995583d$0$844$4fafbaef@reader5.news.tin.it>

Hi everybody,

I'm trying to set up an AFP server with (MIT) Kerberos authentication and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in my home network (which uses a private .lan top level domain). The AFP server works beautifully when connecting "directly" to it.

But when I try to connect to the AFP after discovery via dns-sd, the client tries to fetch a "afpserver/afp.lan.@MYREALM.LAN" ticket (note the trailing dot in the SPN), which doesn't exist, so authentication fails. (This is btw the correct behavior of dns-sd, which always gives back the more verbose "form" of the hostname with trailing dot.)

Now I can't simply add "afpserver/afp.lan." principal, as the AFP server accepts only one principal, and I want to be able to connect both "directly" and via dns-sd.

However, when the client connects to the KDC asking for that nonexistent service principal, the "canonicalization" flag is set, but the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

Now is there a way to activate kdc-side canonicalization and/or setup a static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?
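The mapping that goes wrong here is the one from a discovered host name to a host-based service principal; Ken Raeburn's reply further down notes that the standard form omits the trailing dot and that MIT's krb5_sname_to_principal() already strips one. The block below is an added example, not the poster's code and not MIT's function: it shows only the name-normalisation step of that mapping (no forward or reverse DNS lookup), so that the dns-sd form and the hand-typed form land on the one principal that exists in the KDC, and it rejects discovered names that could not be legitimate host names. The domain-to-realm table is a constructed stand-in for krb5.conf's [domain_realm].

```python
"""Turn a host name as returned by DNS-SD (trailing root dot, mixed case)
into the host-based service principal an admin actually registered.

Added example for the canonicalisation question above; it is not the
poster's code and not MIT's krb5_sname_to_principal(), only the
name-normalisation part of that mapping (no DNS lookup).  The realm
table is a toy stand-in for krb5.conf's [domain_realm].
"""

# Constructed stand-in for [domain_realm]; longest matching suffix wins.
DOMAIN_REALM = {".lan": "MYREALM.LAN", ".example.com": "EXAMPLE.COM"}
_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")

def canonical_hostname(host):
    """Normalise a DNS name for a principal's instance component.

    Strips one trailing root dot (the form DNS-SD hands back), lowercases
    (DNS is case-insensitive, principal names are not) and rejects
    anything that is not a syntactically valid host name, so a
    discovered name cannot smuggle '/', '@' or an empty label into the
    principal requested from the KDC.
    """
    if host.endswith("."):
        host = host[:-1]
    name = host.lower()
    labels = name.split(".")
    if not name or any(not lab or len(lab) > 63 for lab in labels):
        raise ValueError("malformed host name: %r" % host)
    for lab in labels:
        if set(lab) - _LABEL_CHARS or lab[0] == "-" or lab[-1] == "-":
            raise ValueError("illegal host name label %r" % lab)
    return name

def realm_for_host(host, domain_realm=DOMAIN_REALM):
    """Longest-suffix match against the domain->realm table; no guessing."""
    matches = [s for s in domain_realm if host.endswith(s)]
    if not matches:
        raise LookupError("no realm mapping for %s" % host)
    return domain_realm[max(matches, key=len)]

def sname_to_principal(service, host, realm=None):
    """service/host@REALM from a raw (possibly dotted) host name."""
    if not service or "/" in service or "@" in service:
        raise ValueError("illegal service name %r" % service)
    name = canonical_hostname(host)
    return "%s/%s@%s" % (service, name, realm or realm_for_host(name))

def is_acceptable_hostname(host):
    """True if canonical_hostname() would accept the name."""
    try:
        canonical_hostname(host)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # the dns-sd form and the hand-typed forms resolve to the same principal
    for h in ("afp.lan.", "AFP.LAN", "afp.lan"):
        print(h, "->", sname_to_principal("afpserver", h))
    for bad in ("afp@evil.lan.", "afp..lan", "-afp.lan"):
        print(bad, "acceptable:", is_acceptable_hostname(bad))
```

The rejection rules matter because the name comes from an unauthenticated multicast discovery record: a client that builds a principal from it without checking would let anyone on the LAN steer it toward an arbitrary service principal.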
Thanks in advance,
Lorenzo Costanzia

From peter@ifm.liu.se Fri Feb 13 03:56:43 2009
From: peter@ifm.liu.se (Peter Eriksson)
Date: Fri, 13 Feb 2009 08:56:43 +0000 (UTC)
Subject: Solved: Kerberised NFS
References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> <499453C4.3030704@anl.gov>
Message-ID:

Edward Irvine writes:

>On my workstation (and all kerberos clients) I have now inserted:
>a) "GSSAPIDelegateCredentials yes" parameter into /etc/ssh/ssh_config, and;
>b) "forwardable = true" in the [libdefaults] section of /etc/krb/krb5.conf, and;
>c) Played around with /etc/krb5/warn.conf so that tickets are automatically renewed.
>The end result is that I now have a TGT on the target, even when I log in to an intermediate machine first.
>I also did a little experiment. After logging in to the target machine (with the GSSAPIDelegateCredentials working and all), I ran the "kdestroy" command. As expected, my home directory became immediately unreadable until I got a new TGT with the "kinit" command. Cool...

Next you'll discover the fun side effects of having a Secure NFS'd home directory (I've been running with that for about a year now). Most things work just as expected but then there are the warts...

Firefox:
When Firefox loses access to $HOME (for example if you are away from your computer long enough for the ticket to expire) then the Google search box will magically stop working. Solution: Restart Firefox.

Thunderbird:
When Thunderbird loses access to $HOME due to expiring tickets then it will you from being able to delete new mail in your IMAP inboxes. New mail will show up fine though... Solution: Restart Thunderbird.

xscreensaver:
When $HOME goes away then xscreensaver will fail you launch the password dialog application when you wish to login again (since it can't read the .Xauthority file in your $HOME so it will not be allowed access to your X server). Blank window forever... Solution: ssh in from another machine and 'kill' xscreensaver.
crontab jobs, Grid Engine Jobs:
You'd better make sure you have tickets on the machines where they are going to start your jobs and that the tickets won't expire while the jobs are running. Solution: ?

ssh with S/Key (one time password):
Sure, you are let in after a successful authentication. But you will still need to enter your password to get the ticket - allowing someone to sniff it...

- Peter

--
-- Peter Eriksson                          Phone: +46 13 28 2786
Computer Systems Manager/BOFH              Cell/GSM: +46 705 18 2786
Physics Department, Linköping University   Room: Building F, F203

From ziapannocchia@gmail.com Fri Feb 13 06:41:28 2009
From: ziapannocchia@gmail.com (cloc3)
Date: Fri, 13 Feb 2009 03:41:28 -0800 (PST)
Subject: kdm cannot access to openldap database
Message-ID: <14cf240e-c919-44fd-a567-696a8cf84422@x9g2000yqk.googlegroups.com>

I've put all my users in an openldap database, and the database is accessible with a kerberos ticket.

but, at startup, kdm has no ticket to access the openldap database, so no users are listed in the kdm userlist. in this moment the only way to have a complete userlist is to login as root, to take a ticket with kinit for a normal kerberos user and restart kdm.

which is the better way to solve this problem?

From Nicolas.Williams@sun.com Fri Feb 13 12:34:42 2009
From: Nicolas.Williams@sun.com (Nicolas Williams)
Date: Fri, 13 Feb 2009 11:34:42 -0600
Subject: Solved: Kerberised NFS
In-Reply-To:
References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> <499453C4.3030704@anl.gov>
Message-ID: <20090213173442.GR9992@Sun.COM>

On Fri, Feb 13, 2009 at 08:56:43AM +0000, Peter Eriksson wrote:
> Edward Irvine writes:
> >I also did a little experiment. After logging in to the target machine (with the GSSAPIDelegateCredentials working and all), I ran the "kdestroy" command. As expected, my home directory became immediately unreadable until I got a new TGT with the "kinit" command. Cool...

Sorry I'm late to this thread (and thanks Doug!).
> Next you'll discover the fun side effects of having a Secure NFS'd home directory (I've been running with that for about a year now).

I've been running with one for a long time also.

> Most things work just as expected but then there are the warts...
>
> Firefox:
> When Firefox loses access to $HOME (for example if you are away from your computer long enough for the ticket to expire) then the Google search box will magically stop working. Solution: Restart Firefox.

I've never noticed this. Partly that's because I have renewable TGTs with a fairly long renewable lifetime so that ktkt_warnd does the right thing and either I'm never away for too long or I logout if I will be.

> Thunderbird:
> When Thunderbird loses access to $HOME due to expiring tickets then it will you from being able to delete new mail in your IMAP inboxes. New mail will show up fine though... Solution: Restart Thunderbird.

I use mutt :)

> xscreensaver:
> When $HOME goes away then xscreensaver will fail you launch the password dialog application when you wish to login again (since it can't read the .Xauthority file in your $HOME so it will not be allowed access to your X server). Blank window forever...
> Solution: ssh in from another machine and 'kill' xscreensaver.

Never had this problem on Solaris.

> crontab jobs, Grid Engine Jobs:
> You'd better make sure you have tickets on the machines where they are going to start your jobs and that the tickets won't expire while the jobs are running. Solution: ?

Yup, this is a problem. Arguably you shouldn't have cron jobs if they will need to use authentication mechanisms that either require interaction every time or which use credentials that can expire such that interaction is required to obtain fresh ones. Or you need to be very aware of the issue. Or the system needs to give you a way to cache your password/keys for cronjobs. None of those options is very satisfying.
> ssh with S/Key (one time password):
> Sure, you are let in after a successful authentication. But you will still need to enter your password to get the ticket - allowing someone to sniff it...

I'm not sure I get this one. But ssh with pubkey userauth does fail if your home directory can't be accessed on the remote system (Solaris' sshd does a seteuid(your-UID) before accessing your authorized_keys file, IIRC).

Nico
--

From nalin@redhat.com Fri Feb 13 13:12:34 2009
From: nalin@redhat.com (Nalin Dahyabhai)
Date: Fri, 13 Feb 2009 13:12:34 -0500
Subject: Solved: Kerberised NFS
In-Reply-To:
References: <957426E6-F28F-46A3-B233-6E70A4B1B960@tpg.com.au> <499453C4.3030704@anl.gov>
Message-ID: <20090213181234.GB3178@redhat.com>

On Fri, Feb 13, 2009 at 08:56:43AM +0000, Peter Eriksson wrote:
> xscreensaver:
> When $HOME goes away then xscreensaver will fail you launch the password dialog application when you wish to login again (since it can't read the .Xauthority file in your $HOME so it will not be allowed access to your X server). Blank window forever...
> Solution: ssh in from another machine and 'kill' xscreensaver.

If your X implementation supports it, you should be able to work around this by running "xhost +SI:localuser:username", which also grants access to clients running under the specified user's UID.

HTH,

Nalin

From raeburn@MIT.EDU Fri Feb 13 13:41:41 2009
From: raeburn@MIT.EDU (Ken Raeburn)
Date: Fri, 13 Feb 2009 13:41:41 -0500
Subject: Kerberos canonicalization problem
In-Reply-To: <4995583d$0$844$4fafbaef@reader5.news.tin.it>
References: <4995583d$0$844$4fafbaef@reader5.news.tin.it>
Message-ID: <3BB67131-B3E1-4479-8E3A-D1C3D52B67E5@mit.edu>

On Feb 13, 2009, at 06:23, Lorenzo Costanzia wrote:
> Hi everybody,
>
> I'm trying to set up an AFP server with (MIT) Kerberos authentication and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in my home network (which uses a private .lan top level domain).
> The AFP server works beautifully when connecting "directly" to it.
>
> But when I try to connect to the AFP after discovery via dns-sd, the client tries to fetch a "afpserver/afp.lan.@MYREALM.LAN" ticket (note the trailing dot in the SPN), which doesn't exist, so authentication fails. (This is btw the correct behavior of dns-sd, which always gives back the more verbose "form" of the hostname with trailing dot.)

I'm not familiar with dns-sd, but my first thought would be that the correct behavior for the resolver APIs for producing fully-qualified DNS names is to omit the dot. (There is the argument that the trailing dot indicates it's anchored at the root instead of possibly a relative name, but in some cases where a name is unambiguously known to be fully-qualified, including some standard APIs, the trailing dot is omitted.) I've looked at a few pages on the dns-sd.org web pages, and it just sounds to me like they're just being aggressive about making the names explicitly fully-qualified when the option is available. But they're talking about GUIs like web browsers, and I'm interested in programming APIs.

The standard DNS-host-based principal representation in Kerberos is for the second component to be the fully-qualified domain name, without the trailing dot.

At some point, the hostname gets translated into a principal name. It might be the right answer for the trailing dot to be omitted at that point -- but then, without knowing why or how dns-sd is special in one case, I have no idea whether it should be treated specially in the other case.

Actually, it looks like we *have* code in one of the code paths (in the library function krb5_sname_to_principal) for removing a trailing dot, because the Windows APIs (in at least one beta version) behaved differently from everyone else. So I don't think they're using that function to generate principal names.
Which leads to the question of how the AFP client *is* generating principal names; perhaps it's a bug in that code? Do you have access to the AFP client code, to see what it's doing?

> Now I can't simply add "afpserver/afp.lan." principal, as the AFP server accepts only one principal,

That's arguably a bug, as even with ordinary DNS a host could have multiple names mapping to its IP address(es).

> and I want to be able to connect both "directly" and via dns-sd.
> However, when the client connects to the KDC asking for that nonexistent service principal, the "canonicalization" flag is set, but the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
>
> Now is there a way to activate kdc-side canonicalization and/or setup a static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?

Not currently, no. In the 1.7 alpha release we recently put out, there are hooks for the database back end (which may be turning into "the interface to the rest of all your infrastructure including Kerberos principal data and other things") to do alias processing, but we don't have any alias processing currently defined in the database back ends we ship, nor any general heuristics applied in the main KDC code.

If you feel like writing KDC code, I could probably tell you where to look to drop it in...

Ken

From luke.scharf@clusterbee.net Fri Feb 13 16:16:36 2009
From: luke.scharf@clusterbee.net (Luke Scharf)
Date: Fri, 13 Feb 2009 15:16:36 -0600
Subject: kdm cannot access to openldap database
In-Reply-To: <14cf240e-c919-44fd-a567-696a8cf84422@x9g2000yqk.googlegroups.com>
References: <14cf240e-c919-44fd-a567-696a8cf84422@x9g2000yqk.googlegroups.com>
Message-ID: <4995E334.8040803@clusterbee.net>

cloc3 wrote:
> I've put all my users in an openldap database, and the database is accessible with a kerberos ticket.
>
> but, at startup, kdm has no ticket to access the openldap database, so no users are listed in the kdm userlist.
> in this moment the only way to have a complete userlist is to login as root, to take a ticket with kinit for a normal kerberos user and restart kdm.
>
> which is the better way to solve this problem?
>

Using an x509 host-certificate for host-level authentication?

-Luke

From lorenzo.c@temporaryforwarding.com Sat Feb 14 06:38:45 2009
From: lorenzo.c@temporaryforwarding.com (Lorenzo Costanzia)
Date: Sat, 14 Feb 2009 12:38:45 +0100
Subject: Kerberos canonicalization problem
References: <4995583d$0$844$4fafbaef@reader5.news.tin.it>
Message-ID: <4996ad42$0$844$4fafbaef@reader5.news.tin.it>

On 2009-02-13 19:41:41 +0100, Ken Raeburn said:

>
> On Feb 13, 2009, at 06:23, Lorenzo Costanzia wrote:
>
>> Hi everybody,
>>
>> I'm trying to set up an AFP server with (MIT) Kerberos authentication and DNS service discovery (aka Bonjour, see http://www.dns-sd.org/) in my home network (which uses a private .lan top level domain). The AFP server works beautifully when connecting "directly" to it.
>>
>> But when I try to connect to the AFP after discovery via dns-sd, the client tries to fetch a "afpserver/afp.lan.@MYREALM.LAN" ticket (note the trailing dot in the SPN), which doesn't exist, so authentication fails. (This is btw the correct behavior of dns-sd, which always gives back the more verbose "form" of the hostname with trailing dot.)
>
> I'm not familiar with dns-sd, but my first thought would be that the correct behavior for the resolver APIs for producing fully-qualified DNS names is to omit the dot. (There is the argument that the trailing dot indicates it's anchored at the root instead of possibly a relative name, but in some cases where a name is unambiguously known to be fully-qualified, including some standard APIs, the trailing dot is omitted.)
> I've looked at a few pages on the dns-sd.org web pages, and it just sounds to me like they're just being aggressive about making the names explicitly fully-qualified when the option is available. But they're talking about GUIs like web browsers, and I'm interested in programming APIs.

You're right. I stated above that the "dotted form" is the correct behavior, but the RFC doesn't explicitly say so. But as far as I understood, Apple's implementation (which is the main proponent of Bonjour) _does_ return the dotted form, so their applications like Safari, iChat and especially the AFP client built into the Finder also use this form. There is not much I can do about it.

> The standard DNS-host-based principal representation in Kerberos is for the second component to be the fully-qualified domain name, without the trailing dot.
>
> At some point, the hostname gets translated into a principal name. It might be the right answer for the trailing dot to be omitted at that point -- but then, without knowing why or how dns-sd is special in one case, I have no idea whether it should be treated specially in the other case.

I personally think this would be the right way, as the dot explicitly states: this is a FQDN, there's no need to canonicalize the hostname further, simply remove the trailing dot and use it. And I guess there are not many ways this root label (the dot) would get appended if it _were not_ a FQDN, so it should work out in most situations. But your mileage may vary, and of course when introducing a new arbitrary (albeit somewhat understandable) rule one should always balance benefits and drawbacks (in this case potential confusion)...

> Actually, it looks like we *have* code in one of the code paths (in the library function krb5_sname_to_principal) for removing a trailing dot, because the Windows APIs (in at least one beta version) behaved differently from everyone else.
> So I don't think they're using that function to generate principal names. Which leads to the question of how the AFP client *is* generating principal names; perhaps it's a bug in that code? Do you have access to the AFP client code, to see what it's doing?

No, it's proprietary software, and I'm using Mac OS X. As said above, I guess that this behavior is intentional, see http://developer.apple.com/documentation/Cocoa/Conceptual/NetServices/Articles/domainnames.html#//apple_ref/doc/uid/TP40002460 where they explain specifically the meaning of the trailing dot.

>> Now I can't simply add "afpserver/afp.lan." principal, as the AFP server accepts only one principal,
>
> That's arguably a bug, as even with ordinary DNS a host could have multiple names mapping to its IP address(es).

I agree.

>> and I want to be able to connect both "directly" and via dns-sd.
>
>
>> However, when the client connects to the KDC asking for that nonexistent service principal, the "canonicalization" flag is set, but the KDC doesn't care and reports KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.
>>
>> Now is there a way to activate kdc-side canonicalization and/or setup a static alias between "afpserver/afp.lan." and "afpserver/afp.lan"?
>
> Not currently, no. In the 1.7 alpha release we recently put out, there are hooks for the database back end (which may be turning into "the interface to the rest of all your infrastructure including Kerberos principal data and other things") to do alias processing, but we don't have any alias processing currently defined in the database back ends we ship, nor any general heuristics applied in the main KDC code.
>
> If you feel like writing KDC code, I could probably tell you where to look to drop it in...

Thanks for the offer, however, I'm not a programmer...

>
> Ken

Thank you for your long and informative answer.
Take care,
Lorenzo Costanzia

From ziapannocchia@gmail.com Fri Feb 13 21:25:23 2009
From: ziapannocchia@gmail.com (cloc3)
Date: Fri, 13 Feb 2009 18:25:23 -0800 (PST)
Subject: kdm cannot access to openldap database
References: <14cf240e-c919-44fd-a567-696a8cf84422@x9g2000yqk.googlegroups.com>
Message-ID:

On Feb 13, 10:16 pm, Luke Scharf wrote:
>
> Using an x509 host-certificate for host-level authentication?
>
> -Luke

I've done something simpler.

first of all, I've created a kerberos user for pam services, with a random key, and I've added it to the /etc/ldap/ldap.keytab file.

# create the service principal with a random key, then extract that key
# into the keytab kdm will use (ktadd needs the principal name as well)
kadmin.local -q "addprinc -randkey pam@EXAMPLE.COM"
kadmin.local -q "ktadd -k /etc/ldap/ldap.keytab pam@EXAMPLE.COM"

after, I've added a kinit instruction in the /etc/init.d/kdm service script:

# obtain a TGT for the service principal from the keytab, no password needed
kinit -kt /etc/ldap/ldap.keytab pam@EXAMPLE.COM

at the end, I have a problem for kdm(-3.5): the program needs to access the loginShell openldap attribute to add the user to the userlist. But loginShell has often a limited access. So, I added this to slapd.access:

# grant the GSSAPI-authenticated pam principal read access to loginShell;
# the dn is OpenLDAP's SASL authorization DN for that principal
access to attrs=loginShell
    by dn="uid=pam,cn=paschini.edu,cn=gssapi,cn=auth" read
    by dn="cn=admin,dc=paschini,dc=edu" write
    by anonymous auth
    by self write
    by * none

From pspinler@gmail.com Sun Feb 15 15:28:19 2009
From: pspinler@gmail.com (pspinler)
Date: Sun, 15 Feb 2009 12:28:19 -0800 (PST)
Subject: Assistance configuring kerberos services on Solaris 10
Message-ID: <484fc8e5-9734-4ccd-8ddf-ff7b0bc8244a@r34g2000vbp.googlegroups.com>

Hi:

Please forgive my newbie question - I'm just now teaching myself kerberos concepts.

I've just successfully created a proof of concept kerberos domain, and successfully configured a rhel 4.6 linux to authenticate to it, in that I can log into the redhat host, do a kinit, klist, etc.

Now I'm trying to similarly configure a solaris host. I've created a host principal, loaded the machine's keytab, and once I've logged in via a non-kerberos account, I can do a 'kinit some_kerb_principal' successfully.
I've additionally started a kerberized shell service, e.g. 'svcadm disable rlogin ; svcadm enable klogin'

Now, once I have a tgt (as shown by klist) I'm attempting to use either solaris's or redhat's kerberized rsh to connect to the solaris box (either via loopback or across the network, respectively). However, I get rejected, e.g.:

-- On solaris, rsh'ing back to itself: --

pjs11@kwanyin ~ $ kinit testuser01
Password for testuser01@KWANYIN.MAYO.EDU:
localhost: RPC: Rpcbind failure - RPC: Success
kinit: no ktkt_warnd warning possible
pjs11@kwanyin ~ $ klist
Ticket cache: FILE:/tmp/krb5cc_100
Default principal: testuser01@KWANYIN.MAYO.EDU

Valid starting       Expires              Service principal
02/15/09 14:13:40  02/15/09 22:13:40  krbtgt/KWANYIN.MAYO.EDU@KWANYIN.MAYO.EDU
        renew until 02/22/09 14:13:40
pjs11@kwanyin ~ $ rsh -a kwanyin
Note: The -a option nullifies all other Kerberos-specific options you may have used.
kwanyin: Connection refused

No errors appear in the system error log when I attempt the rsh.

Can anyone please advise me how I would best debug this?

Thanks!

-- Pat

From delislestephane@gmail.com Mon Feb 16 11:10:00 2009
From: delislestephane@gmail.com (delislestephane@gmail.com)
Date: Mon, 16 Feb 2009 08:10:00 -0800 (PST)
Subject: computer account change password with Windows 2008 domain
References: <87wsd73qgm.fsf@windlord.stanford.edu>
Message-ID:

Hi,

We have the same issue and we would like to test this Hotfix. Do you have the link to download it?

Stephane

From mizmoose@gmail.com Tue Feb 17 01:14:32 2009
From: mizmoose@gmail.com (Esther Filderman)
Date: Tue, 17 Feb 2009 01:14:32 -0500
Subject: Register for the OpenAFS & Kerberos Best Practices Workshop 2009
Message-ID:

Registration for the OpenAFS & Kerberos Best Practices Workshop is now available on the website, http://workshop.openafs.org/. Register by April 21, 2009 to get the best prices.
AFS and Kerberos tutorials are $100 each, the Workshop itself is $150, or register for all three for only $300. After April 21, 2009 prices will go up, so register early.

A tentative schedule is available. Further details, including evening/social events, will be forthcoming. Hotel and travel information is also available.

We look forward to seeing you at Stanford University this June.

The Workshop Organizers
http://workshop.openafs.org/

From paul@xk7.net Mon Feb 16 06:32:29 2009
From: paul@xk7.net (Paul Waring)
Date: Mon, 16 Feb 2009 03:32:29 -0800 (PST)
Subject: Tue 24 Mar: Kerberos training tutorial (London, UK)
Message-ID:

This may be of some interest to people in this group - full day Kerberos training tutorial in London on Tuesday 24th March:

http://www.ukuug.org/events/spring2009/tutorial/

Thanks,

Paul

From jason@rampaginggeek.com Tue Feb 17 12:42:22 2009
From: jason@rampaginggeek.com (Jason Edgecombe)
Date: Tue, 17 Feb 2009 12:42:22 -0500
Subject: How do I change the ticket lifetime in the default policy?
Message-ID: <499AF6FE.8070302@rampaginggeek.com>

Hi everyone,

We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime for an existing user, but how do I make it the default for new users?

To handle our existing users, I plan to script the modprinc command for all of our users. The users have a mix of ticket lifetimes from 1 day to 7 days. Is there a more elegant way than to run modprinc on everybody?

Thanks,
Jason

From rra@stanford.edu Tue Feb 17 13:21:40 2009
From: rra@stanford.edu (Russ Allbery)
Date: Tue, 17 Feb 2009 10:21:40 -0800
Subject: How do I change the ticket lifetime in the default policy?
In-Reply-To: <499AF6FE.8070302@rampaginggeek.com> (Jason Edgecombe's message of "Tue, 17 Feb 2009 12:42:22 -0500")
References: <499AF6FE.8070302@rampaginggeek.com>
Message-ID: <87tz6sc4az.fsf@windlord.stanford.edu>

Jason Edgecombe writes:

> We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime for an existing user, but how do I make it the default for new users?

I believe the default for new users is taken from the max_life setting in kdc.conf.

--
Russ Allbery (rra@stanford.edu)

From jason@rampaginggeek.com Tue Feb 17 16:49:35 2009
From: jason@rampaginggeek.com (Jason Edgecombe)
Date: Tue, 17 Feb 2009 16:49:35 -0500
Subject: How do I change the ticket lifetime in the default policy?
In-Reply-To: <87tz6sc4az.fsf@windlord.stanford.edu>
References: <499AF6FE.8070302@rampaginggeek.com> <87tz6sc4az.fsf@windlord.stanford.edu>
Message-ID: <499B30EF.4090407@rampaginggeek.com>

Russ Allbery wrote:
> Jason Edgecombe writes:
>
>> We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime for an existing user, but how do I make it the default for new users?
>
> I believe the default for new users is taken from the max_life setting in kdc.conf.
>

hmm, my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get 7 day tickets by default. Am I missing something?

Thanks,
Jason

From jason@rampaginggeek.com Tue Feb 17 20:43:24 2009
From: jason@rampaginggeek.com (Jason Edgecombe)
Date: Tue, 17 Feb 2009 20:43:24 -0500
Subject: How do I change the ticket lifetime in the default policy?
In-Reply-To: <4d569c330902171435j674380fib151052df0ad7c18@mail.gmail.com>
References: <499AF6FE.8070302@rampaginggeek.com> <87tz6sc4az.fsf@windlord.stanford.edu> <499B30EF.4090407@rampaginggeek.com> <4d569c330902171435j674380fib151052df0ad7c18@mail.gmail.com>
Message-ID: <499B67BC.4090905@rampaginggeek.com>

Kevin Coffman wrote:
> On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe wrote:
>
>> Russ Allbery wrote:
>>
>>> Jason Edgecombe writes:
>>>
>>>> We are extending the ticket lifetime for all of the users in our realm from 1 day to 7 days. We use MIT Kerberos in our realm. I know that "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime for an existing user, but how do I make it the default for new users?
>>>
>>> I believe the default for new users is taken from the max_life setting in kdc.conf.
>>>
>>
>> hmm,
>>
>> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get 7 day tickets by default. Am I missing something?
>
> The ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> Sounds like you have changed 1) and 3). You'll also need to modify the maxlife for principal krbtgt/@ to get TGTs with a longer lifetime. (You will have to alter other service principals if you want to issue service tickets with longer lifetimes for those services.)
>
> I believe there is a default (requested) lifetime in kinit as well, so you may need to specify a longer requested lifetime there ("kinit -l 7d").
>

I can already get a 7 day ticket length when I kinit because my principal is set for 7 days lifetime. That works. I'm just wondering how I can run "addprinc user -maxlife 7day" without having to specify "-maxlife 7day" or modprinc user -maxlife 7day after the addprinc.
Thanks,
Jason

From fcocquyt at stanford.edu Wed Feb 18 01:11:18 2009
From: fcocquyt at stanford.edu (Fletcher Cocquyt)
Date: Wed, 18 Feb 2009 06:11:18 +0000 (UTC)
Subject: webauthldap(SUNetID): cannot get ticket: Too many open files (24)
Message-ID:

Hi, I am following the code now on this one - after posting to the webauth list a couple weeks ago we are still experiencing several hundred of these errors per day - we have maxed out our file descriptors hard and soft limits at 64k and verified with running plimit.

webauthldap(SUNetID): cannot get ticket: Too many open files (24)

Env: Solaris 9, apache 2.0.52, webauth 3.5.4, MIT kerberos krb5-1.4.1

Our apache threads are now approaching 250-300 open files (as reported by lsof).

I suspect the issue may be isolated to the webauth and associated kerberos calls related to keytab and ticket cache operations. This suspicion is based on:
1) error only occurs on mod_webauth protected URLs
2) error is always associated with webauthldap(SUNetID): cannot get ticket: Too many open files (24) messages

Hypothesis: This version of webauth & kerberos is somehow not using the 64k file descriptor limit, but is using a 256 file limit and throwing the error on the ticket operations when the apache thread has more than 256 files open.

There are other threads related to the use of char vs int resulting in return value overflow... is there a kerberos bug in the 1.4.1 version which has since been fixed?
thanks

From jaltman at secure-endpoints.com Wed Feb 18 01:34:19 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Wed, 18 Feb 2009 01:34:19 -0500
Subject: webauthldap(SUNetID): cannot get ticket: Too many open files (24)
In-Reply-To:
References:
Message-ID: <499BABEB.1050901@secure-endpoints.com>

Fletcher Cocquyt wrote:
> Hi, I am following the code now on this one - after posting to the webauth list
> a couple weeks ago we are still experiencing several hundred of these errors
> per day - we have maxed out our file descriptors hard and soft limits at 64k and
> verified with running plimit.
>
> webauthldap(SUNetID): cannot get ticket: Too many open files (24)
>
> Env: Solaris 9, apache 2.0.52, webauth 3.5.4, MIT kerberos krb5-1.4.1
>
> Our apache threads are now approaching 250-300 open files (as reported by lsof).
>
> I suspect the issue may be isolated to the webauth and associated kerberos calls
> related to keytab and ticket cache operations. This suspicion is based on:
> 1) error only occurs on mod_webauth protected URLs
> 2) error is always associated with webauthldap(SUNetID): cannot get ticket: Too
> many open files (24) messages
>
> Hypothesis: This version of webauth & kerberos is somehow not using the 64k file
> descriptor limit, but is using a 256 file limit and throwing the error on the
> ticket operations when the apache thread has more than 256 files open.
>
> There are other threads related to the use of char vs int resulting in return
> value overflow... is there a kerberos bug in the 1.4.1 version which has since been fixed?
>
> thanks

I'm going to hazard a guess that the problem is gssapi maintaining an open file descriptor per context for the replay cache, or that you are experiencing a leak of file descriptors to the replay cache. I do not remember exactly the version that plugged the leak and fixed it by maintaining a rcache fd per gss context.
Jeffrey Altman

From rra at stanford.edu Wed Feb 18 01:47:17 2009
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 17 Feb 2009 22:47:17 -0800
Subject: webauthldap(SUNetID): cannot get ticket: Too many open files (24)
In-Reply-To: (Fletcher Cocquyt's message of "Wed, 18 Feb 2009 06:11:18 +0000 (UTC)")
References:
Message-ID: <87wsbodyx6.fsf@windlord.stanford.edu>

Fletcher Cocquyt writes:

> Hi, I am following the code now on this one - after posting to the
> webauth list a couple weeks ago we are still experiencing several
> hundred of these errors per day - we have maxed out our file descriptors
> hard and soft limits at 64k and verified with running plimit.
>
> webauthldap(SUNetID): cannot get ticket: Too many open files (24)
>
> Env: Solaris 9, apache 2.0.52, webauth 3.5.4, MIT kerberos krb5-1.4.1
>
> Our apache threads are now approaching 250-300 open files (as reported
> by lsof).

What does lsof say that these open files are? Are they all legitimate open files that you expect?

> Hypothesis: This version of webauth & kerberos is somehow not using the
> 64k file descriptor limit, but is using a 256 file limit and throwing
> the error on the ticket operations when the apache thread has more than
> 256 files open.

Oh, good call. I should have thought of that. With Solaris 9, this can happen with things that use stdio. I don't know if Kerberos 1.4.1 uses stdio to open its ticket cache files. As near as I can tell, current development versions of Kerberos don't, and I don't see any sign of it in 1.4.4, but I may be missing something.

> There are other threads related to the use of char vs int resulting in
> return value overflow...
Solaris 9 uses a char to store the file descriptor number in the FILE struct used in stdio and hence has an artificial limit on the number of open file descriptors that can be addressed by stdio.

If this is the case and Kerberos is using stdio, then there aren't a lot of good solutions that I'm aware of. 64-bit builds will also not have this problem. It might be fixed in Solaris 10, but part of the problem is that it's hard to fix without changing the binary ABI. I think there are build-time hacks you can use to change the FILE struct, but you have to rebuild everything with those hacks and I don't remember the details.

-- Russ Allbery (rra at stanford.edu)

From kwcoffman at gmail.com Tue Feb 17 17:35:37 2009
From: kwcoffman at gmail.com (Kevin Coffman)
Date: Tue, 17 Feb 2009 17:35:37 -0500
Subject: How do I change the ticket lifetime in the default policy?
In-Reply-To: <499B30EF.4090407@rampaginggeek.com>
References: <499AF6FE.8070302@rampaginggeek.com> <87tz6sc4az.fsf@windlord.stanford.edu> <499B30EF.4090407@rampaginggeek.com>
Message-ID: <4d569c330902171435j674380fib151052df0ad7c18@mail.gmail.com>

On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe wrote:
> Russ Allbery wrote:
>> Jason Edgecombe writes:
>>
>>> We are extending the ticket lifetime for all of the users in our realm
>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>> "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime
>>> for an existing user, but how do I make it the default for new users?
>>
>> I believe the default for new users is taken from the max_life setting in
>> kdc.conf.
>
> hmm,
>
> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
> 7 day tickets by default. Am I missing something?
The ticket lifetime is the minimum of 4 values:
1) maxlife for the user principal
2) maxlife for the service [principal]
3) max_life in the kdc.conf
4) requested lifetime in the ticket request

Sounds like you have changed 1) and 3). You'll also need to modify the maxlife for principal krbtgt/@ to get TGTs with a longer lifetime. (You will have to alter other service principals if you want to issue service tickets with longer lifetimes for those services.)

I believe there is a default (requested) lifetime in kinit as well, so you may need to specify a longer requested lifetime there ("kinit -l 7d").

K.C.

From fcocquyt at stanford.edu Wed Feb 18 16:54:16 2009
From: fcocquyt at stanford.edu (Fletcher Cocquyt)
Date: Wed, 18 Feb 2009 21:54:16 +0000 (UTC)
Subject: webauthldap(SUNetID): cannot get ticket: Too many open files (24)
References: <87wsbodyx6.fsf@windlord.stanford.edu>
Message-ID:

Russ Allbery writes:
>
> Fletcher Cocquyt writes:
>
> > Hi, I am following the code now on this one - after posting to the
> > webauth list a couple weeks ago we are still experiencing several
> > hundred of these errors per day - we have maxed out our file descriptors
> > hard and soft limits at 64k and verified with running plimit.
> >
> > webauthldap(SUNetID): cannot get ticket: Too many open files (24)
> >
> > Env: Solaris 9, apache 2.0.52, webauth 3.5.4, MIT kerberos krb5-1.4.1
> >
> > Our apache threads are now approaching 250-300 open files (as reported
> > by lsof).
>
> What does lsof say that these open files are? Are they all legitimate
> open files that you expect?
Yes, they are libraries and many fifofs PIPEs (we use cronolog):

httpd 10260 www 6u  FIFO 0xdb0d3e60 0t0   16070378 (fifofs) PIPE->0xdb0d3ef4
httpd 10260 www 8u  FIFO 0xd093a340 0t287 16070380 (fifofs) PIPE->0xd093a3d4
httpd 10260 www 9u  FIFO 0xd0b0e6d4 0t100 16070379 (fifofs) PIPE->0xd0b0e640
httpd 10260 www 10u FIFO 0xd093a3d4 0t287 16070380 (fifofs) PIPE->0xd093a340
httpd 10260 www 11u FIFO 0xd093a080 0t148 16070382 (fifofs) PIPE->0xd093a114

>
> > Hypothesis: This version of webauth & kerberos is somehow not using the
> > 64k file descriptor limit, but is using a 256 file limit and throwing
> > the error on the ticket operations when the apache thread has more than
> > 256 files open.
>
> Oh, good call. I should have thought of that.
>
> Solaris 9 uses a char to store the file descriptor number in the FILE
> struct used in stdio and hence has an artificial limit on the number of
> open file descriptors that can be addressed by stdio.
>
> If this is the case and Kerberos is using stdio, then there aren't a lot
> of good solutions that I'm aware of. 64-bit builds will also not have
> this problem. It might be fixed in Solaris 10, but part of the problem is
> that it's hard to fix without changing the binary ABI. I think there are
> build-time hacks you can use to change the FILE struct, but you have to
> rebuild everything with those hacks and I don't remember the details.
> So I recompiled webauth3.5.4 with the latest krb5-1.6.3 and still get the error: [Wed Feb 18 13:32:43 2009] [info] webauthldap: invoked for user SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): filter template is uid=USER [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): filter is uid=SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): initialized sucessfully [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): begins ldap bind [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): set ticket to KRB5CCNAME=FILE:/opt/httpd/conf/webauth/krb5cc_ldap [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): search returned 2 messages [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): retrieved entry DN = suRegID=,cn=people,dc=stanford,dc=edu [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: displayName [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: mail [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suAffiliation [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suDisplayNameLF [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suRegID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suRegisteredName [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suRegisteredNameLF [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suSunetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: uid [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got attrib: suPrivilegeGroup [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): search returned 1 entries [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): found: require privgroup med-irt:dcswiki [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): SUCCEEDED comparing suPrivilegeGroup=med-irt:dcswiki in suRegID=0a82322c45f946b3bf6e2a996694a2d6, cn=people,dc=stanford,dc=edu [Wed Feb 18 13:32:43 2009] [info] 
webauthldap(SUNetID): cached this conn - cache size 1 [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): returning OK [Wed Feb 18 13:32:43 2009] [info] webauthldap: finished for user SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): getting new ticket [Wed Feb 18 13:32:43 2009] [error] webauthldap(SUNetID): cannot get ticket: Too many open files (24) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2363): mod_webauth: in check_user_id hook(/errordocs/500err.html) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2405): mod_webauth: found note, user(SUNetID) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2420): mod_webauth: check_user_id_hook setting user(SUNetID) [Wed Feb 18 13:32:43 2009] [warn] mod_webauth: mwa_setenv: (WEBAUTH_USER) (SUNetID) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2473): mod_webauth: check_user_id_hook: no_cache(0) dont_cache(0) dont_cache_ex(0) [Wed Feb 18 13:32:43 2009] [info] webauthldap: invoked for user SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): filter template is uid=USER [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): filter is uid=SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): initialized sucessfully [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): begins ldap bind [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): set ticket to KRB5CCNAME=FILE:/opt/httpd/conf/webauth/krb5cc_ldap [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): getting new ticket [Wed Feb 18 13:32:43 2009] [error] webauthldap(SUNetID): cannot get ticket: Too many open files (24) [Wed Feb 18 13:32:43 2009] [debug] mod_deflate.c(467): [client 171.65.1.170] Zlib: Compressed 922 to 536 : URL /bb/gifs/bkg-red.gif, referer: http://irt -bb.stanford.edu/bb/bb2.html [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2363): mod_webauth: in check_user_id hook(/bb/gifs/bbnav2.gif) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(1342): mod_webauth: parse_app_token_cookie: found valid 
webauth_at cookie for (SUNetID) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2397): mod_webauth: stash note, user(SUNetID) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2420): mod_webauth: check_user_id_hook setting user(SUNetID) [Wed Feb 18 13:32:43 2009] [warn] mod_webauth: mwa_setenv: (WEBAUTH_USER) (SUNetID) [Wed Feb 18 13:32:43 2009] [warn] mod_webauth: mwa_setenv: (WEBAUTH_TOKEN_EXPIRATION) (1235034932) [Wed Feb 18 13:32:43 2009] [warn] mod_webauth: mwa_setenv: (WEBAUTH_TOKEN_CREATION) (1234991732) [Wed Feb 18 13:32:43 2009] [debug] mod_webauth.c(2473): mod_webauth: check_user_id_hook: no_cache(0) dont_cache(0) dont_cache_ex(0) [Wed Feb 18 13:32:43 2009] [info] webauthldap: invoked for user SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): filter template is uid=USER [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): filter is uid=SUNetID [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): initialized sucessfully [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): got cached conn - cache size 0 [Wed Feb 18 13:32:43 2009] [info] webauthldap(SUNetID): search returned 2 messages thanks From rra at stanford.edu Wed Feb 18 17:49:26 2009 From: rra at stanford.edu (Russ Allbery) Date: Wed, 18 Feb 2009 14:49:26 -0800 Subject: webauthldap(SUNetID): cannot get ticket: Too many open files (24) In-Reply-To: (Fletcher Cocquyt's message of "Wed\, 18 Feb 2009 21\:54\:16 +0000 \(UTC\)") References: <87wsbodyx6.fsf@windlord.stanford.edu> Message-ID: <87iqn7fjih.fsf@windlord.stanford.edu> Fletcher Cocquyt writes: > [Wed Feb 18 13:32:43 2009] [error] webauthldap(SUNetID): cannot get ticket: > Too many open files (24) Aha. It's the MIT Kerberos keytab code. src/lib/krb5/keytab/kt_file.c uses stdio. mod_webauthldap might potentially be able to work around this by opening the keytab at startup and caching the keytab object, but it allows using different keytabs per virtual host, so that's not a simple change. 
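A way to check Russ's diagnosis against lsof output before rebuilding anything. This is an added example for this archive, not webauth, Apache or MIT krb5 code. It takes the 8-bit stdio descriptor limit from Russ's explanation (STDIO_FD_LIMIT is that assumption, spelled out as a constant), and SAMPLE_LSOF is constructed: the first five httpd lines are copied from Fletcher's message above, the header and the remaining lines are made up so that one process has crossed the limit.

```python
"""Triage lsof output for the 8-bit stdio descriptor problem in this
thread: 32-bit Solaris stdio stores the descriptor number in a char, so
fopen() on any descriptor numbered 256 or higher fails with EMFILE
(errno 24, the "Too many open files" in the log) no matter what ulimit
says.  MIT krb5's keytab code goes through stdio, so the symptom shows
up on the first keytab open after a worker passes descriptor 255.

Added example for this thread; not webauth, Apache or MIT krb5 code.
STDIO_FD_LIMIT is taken from Russ Allbery's explanation above.  In
SAMPLE_LSOF the first five httpd lines are from the thread; the header
and the remaining lines are constructed.
"""
from collections import Counter

STDIO_FD_LIMIT = 256  # first descriptor number 32-bit Solaris stdio cannot address

SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE      DEVICE SIZE/OFF     NODE NAME
httpd   10260  www    6u  FIFO  0xdb0d3e60      0t0 16070378 (fifofs) PIPE->0xdb0d3ef4
httpd   10260  www    8u  FIFO  0xd093a340    0t287 16070380 (fifofs) PIPE->0xd093a3d4
httpd   10260  www    9u  FIFO  0xd0b0e6d4    0t100 16070379 (fifofs) PIPE->0xd0b0e640
httpd   10260  www   10u  FIFO  0xd093a3d4    0t287 16070380 (fifofs) PIPE->0xd093a340
httpd   10260  www   11u  FIFO  0xd093a080    0t148 16070382 (fifofs) PIPE->0xd093a114
httpd   10260  www   txt  VREG       136,8   862704   123456 /opt/httpd/bin/httpd
httpd   10260  www  255u  IPv4  0xd0a11234      0t0      TCP host:80->client:51234 (ESTABLISHED)
httpd   10260  www  258u  FIFO  0xd093a9f0      0t0 16070390 (fifofs) PIPE->0xd093aa84
httpd   10261  www    6u  FIFO  0xdb0d3f00      0t0 16070391 (fifofs) PIPE->0xdb0d3f94
httpd   10261  www   12r  VREG       136,8     2048   654321 /etc/krb5/krb5.keytab
"""


def parse_fd(field):
    """Numeric descriptor from an lsof FD field ('6u', '255u', '12rW'), or
    None for pseudo entries such as cwd, txt and mem.  lsof appends the
    access mode (r/w/u) and an optional lock character after the number."""
    digits = field.rstrip("rwuRWUN-")
    return int(digits) if digits.isdigit() else None


def triage(lsof_text, limit=STDIO_FD_LIMIT):
    """Per-PID summary of lsof output.

    Returns {pid: {"numeric_fds": n, "highest_fd": h, "by_type": Counter,
    "over_limit": bool}}.  Rows are split on whitespace into the nine lsof
    columns, keeping the NAME column (which may contain spaces) whole.
    """
    summary = {}
    for line in lsof_text.splitlines():
        parts = line.split(None, 8)  # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        if len(parts) < 5 or not parts[1].isdigit():
            continue                 # header, blank or truncated row
        fd = parse_fd(parts[3])
        if fd is None:
            continue                 # cwd/txt/mem rows do not occupy a descriptor number
        pid = int(parts[1])
        entry = summary.setdefault(pid, {"numeric_fds": 0, "highest_fd": -1,
                                         "by_type": Counter(), "over_limit": False})
        entry["numeric_fds"] += 1
        entry["highest_fd"] = max(entry["highest_fd"], fd)
        entry["by_type"][parts[4]] += 1
        entry["over_limit"] = entry["highest_fd"] >= limit
    return summary


def report(summary, limit=STDIO_FD_LIMIT):
    """Human-readable lines; PIDs whose stdio users will hit EMFILE are flagged."""
    out = []
    for pid, e in sorted(summary.items()):
        types = ", ".join("%s=%d" % kv for kv in e["by_type"].most_common())
        flag = ("  <-- fd >= %d: fopen() fails on 32-bit Solaris stdio" % limit
                if e["over_limit"] else "")
        out.append("pid %d: %d fds, highest %d (%s)%s"
                   % (pid, e["numeric_fds"], e["highest_fd"], types, flag))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LSOF)))
```

Run it over `lsof -p <httpd pid>` captured while the errors are occurring. The TYPE breakdown is the useful part: if FIFO dominates, as in Fletcher's output, the descriptors belong to log pipes, and trimming them (as he did by removing redundant Logfile directives) pulls the highest descriptor back under 256 without touching Kerberos at all; a 64-bit build removes the limit entirely.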
-- Russ Allbery (rra at stanford.edu)

From fcocquyt at Stanford.edu Wed Feb 18 21:15:29 2009
From: fcocquyt at Stanford.edu (Fletcher Cocquyt)
Date: Thu, 19 Feb 2009 02:15:29 +0000 (UTC)
Subject: webauthldap(SUNetID): cannot get ticket: Too many open files (24)
References: <87wsbodyx6.fsf@windlord.stanford.edu> <87iqn7fjih.fsf@windlord.stanford.edu>
Message-ID:

Russ Allbery writes:
>
> Fletcher Cocquyt writes:
>
> > [Wed Feb 18 13:32:43 2009] [error] webauthldap(SUNetID): cannot get ticket:
> > Too many open files (24)
>

I was able to reduce the descriptor use by removing redundant Logfile configs.

> Aha. It's the MIT Kerberos keytab code. src/lib/krb5/keytab/kt_file.c
> uses stdio.
>
> mod_webauthldap might potentially be able to work around this by opening
> the keytab at startup and caching the keytab object, but it allows using
> different keytabs per virtual host, so that's not a simple change.
>

Thanks to Russ for his help.

From jim.sifferle at tektronix.com Thu Feb 19 12:58:06 2009
From: jim.sifferle at tektronix.com (jim.sifferle@tektronix.com)
Date: Thu, 19 Feb 2009 09:58:06 -0800
Subject: Cross Realm Auth problems
Message-ID: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>

Hi All,

I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests. Here's what I'm hoping to accomplish:

- Default Realm = REALM1.COM
- Second Realm = REALM2.COM
- User1@REALM1.COM can authenticate as User1 or User1@REALM1.COM
- User2@REALM2.COM can authenticate as User2@REALM2.COM
- REALM1.COM and REALM2.COM are stripped during auth so that User1@REALM1.COM or User2@REALM2.COM are resolved to local UIDs User1 and User2

I can run kinit to get a ticket for either realm. I see the valid ticket with klist. I can authenticate as User1 or User2 against either realm when it's set to the default realm. I cannot login when the user string is User1@REALM1.COM or User2@REALM2.COM.
I get an error from PAM saying "Invalid user User1@REALM1.COM..." I think because PAM expects User1@REALM1.COM to be a local UID.

I've looked through the man pages and some other info online. I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names. Any suggestions and help would be greatly appreciated.

Here is my current simple krb5.conf:

[libdefaults]
clockskew = 300
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = REALM1.COM

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

Thanks,

Jim Sifferle

From mathew_rowley at cable.comcast.com Thu Feb 19 14:09:41 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 19 Feb 2009 12:09:41 -0700
Subject: High availability? Primary/Primary with LDAP backend?
Message-ID:

From the documentation I have seen, it seems that HA for Kerberos is in the Primary/Slave form. With LDAP 2.4, there is the ability to do a multi master sync. Has anyone used this LDAP HA architecture, along with a Primary/Primary Kerberos implementation? Theoretically it seems like it should work; just wanted to see if anyone has dove into it yet, or if there is something I'm missing.

Thanks.

-- MAT

From deengert at anl.gov Thu Feb 19 14:14:54 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 19 Feb 2009 13:14:54 -0600
Subject: Cross Realm Auth problems
In-Reply-To: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>
References: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>
Message-ID: <499DAFAE.6020609@anl.gov>

jim.sifferle at tektronix.com wrote:
> Hi All,
>
> I'm trying to configure Kerberos clients on CentOS 5.2 to authenticate against two AD forests.
> Here's what I'm hoping to accomplish:
>
> - Default Realm = REALM1.COM
> - Second Realm = REALM2.COM
> - User1@REALM1.COM can authenticate as User1 or User1@REALM1.COM
> - User2@REALM2.COM can authenticate as User2@REALM2.COM
> - REALM1.COM and REALM2.COM are stripped during auth so that User1@REALM1.COM or User2@REALM2.COM are resolved to local UIDs User1 and User2
>
> I can run kinit to get a ticket for either realm. I see the valid ticket with klist. I can authenticate as User1 or User2 against either realm when it's set to the default realm. I cannot login when the user string is User1@REALM1.COM or User2@REALM2.COM. I get an error from PAM saying "Invalid user User1@REALM1.COM..." I think because PAM expects User1@REALM1.COM to be a local UID.
>
> I've looked through the man pages and some other info online. I think the auth_to_local, auth_to_local_names, or auth_to_local_realm directives and/or .k5login might be part of the solution, but the various configurations I've tried have all failed with the PAM Invalid User error for fully qualified user names. Any suggestions and help would be greatly appreciated.
>

What version of pam_krb5 are you using? It may or may not accept a principal in place of a name. Some versions of pam_krb5 can add an additional prompt to prompt for the principal, so that the local user name does not have to match the principal, and can be from a different realm.

Russ's version has the above feature and is in Debian:

You also did not say if you created a host keytab and registered the host in AD. pam_krb5 will try and get a service ticket for the local host.
> Here is my current simple krb5.conf:
>
> [libdefaults]
> clockskew = 300
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_realm = REALM1.COM
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> }
>
> Thanks,
>
> Jim Sifferle

-- Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jim.sifferle at tektronix.com Thu Feb 19 15:16:54 2009
From: jim.sifferle at tektronix.com (jim.sifferle@tektronix.com)
Date: Thu, 19 Feb 2009 12:16:54 -0800
Subject: Cross Realm Auth problems
In-Reply-To: <499DAFAE.6020609@anl.gov>
References: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>, <499DAFAE.6020609@anl.gov>
Message-ID: <95948F47ECC185449EE89E2CC4F7C6EC22860568DF@us-bv-m10.global.tektronix.net>

deengert at anl.gov wrote:

> What version of pam_krb5 are you using?
> It may or may not accept a principal in place of a name. Some
> versions of pam_krb5 can add an additional prompt to
> prompt for the principal, so that the local user name does not
> have to match the principal, and can be from a different realm.
> Russ's version has the above feature and is in Debian:
>

I'm using the default pam_krb5 that comes with CentOS 5.2... 2.2.14. I take it that I will need to update to 3.13 to get this added feature to prompt for principal? I'll have to hunt for a RHEL/CentOS compatible RPM or build one myself.

> You also did not say if you created a host keytab and registered
> the host in AD. pam_krb5 will try and get a service ticket
> for the local host.

I did not create a keytab, nor have I registered the host in AD.
I was under the impression that I didn't need to unless I wanted to use other features such as password changes. The use case I'm dealing with doesn't require this feature. Am I incorrect in saying I don't need a keytab or to add the client host to AD in this case?

Thanks for your help,

Jim

From deengert at anl.gov Fri Feb 20 11:01:08 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 20 Feb 2009 10:01:08 -0600
Subject: Cross Realm Auth problems
In-Reply-To: <95948F47ECC185449EE89E2CC4F7C6EC22860568DF@us-bv-m10.global.tektronix.net>
References: <95948F47ECC185449EE89E2CC4F7C6EC2286023B6A@us-bv-m10.global.tektronix.net>, <499DAFAE.6020609@anl.gov> <95948F47ECC185449EE89E2CC4F7C6EC22860568DF@us-bv-m10.global.tektronix.net>
Message-ID: <499ED3C4.2080006@anl.gov>

jim.sifferle at tektronix.com wrote:
> deengert at anl.gov wrote:
>
>> What version of pam_krb5 are you using?
>> It may or may not accept a principal in place of a name. Some
>> versions of pam_krb5 can add an additional prompt to
>> prompt for the principal, so that the local user name does not
>> have to match the principal, and can be from a different realm.
>
>> Russ's version has the above feature and is in Debian:
>>
>
> I'm using the default pam_krb5 that comes with CentOS 5.2... 2.2.14. I take it that I will need to update to 3.13 to get this added feature to prompt for principal? I'll have to hunt for a RHEL/CentOS compatible RPM or build one myself.
>

Not sure what the 2.2.14 version does. There are a number of pam_krb5 modules available with different code lineages. The one I cited is used with Debian, and has the prompting feature.

>> You also did not say if you created a host keytab and registered
>> the host in AD. pam_krb5 will try and get a service ticket
>> for the local host.
>
> I did not create a keytab, nor have I registered the host in AD. I was under the impression that I didn't need to unless I wanted to use other features such as password changes.
> The use case I'm dealing with doesn't require this feature. Am I incorrect in saying I don't need a keytab or to add the client host to AD in this case?
>

The login pam_krb5 gets a service ticket for the host, to double check that the machine is talking to the real KDC. Without this, an attacker could attach a machine to his own network, with his own bogus KDC, and login as any valid user, as his password would match what's in his bogus KDC.

This test can be turned off with some pam_krb5 versions. Look for the verify_* options in the man pages. It depends on the pam_krb5.

> Thanks for your help,
>
> Jim
>

-- Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From chriscorbell at gmail.com Fri Feb 20 16:24:06 2009
From: chriscorbell at gmail.com (Chris)
Date: Fri, 20 Feb 2009 13:24:06 -0800 (PST)
Subject: Establishing client credentials (TGT etc.) with GSSAPI
Message-ID: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com>

I'm working on implementing Kerberos authentication from a C++ client to a Java service. The Java service wants a GSSAPI context.

Is it correct that, if you can't rely on default GSSAPI credentials (i.e. login identity and pre-cached TGT), then a client should use gss_acquire_credentials() to establish this? I have tried this but haven't had success and just want to make sure I'm on the right path.

I need to be able to explicitly set the client principal, realm, and KDC - not just rely on login and client machine configuration - and obtain a TGT (whether from local cache or the AS, possibly with a password prompt), and then use this to call gss_init_context() which I expect to request the actual service ticket. Is gss_acquire_credentials() the right call? Anyone know of any sample code for this kind of explicit credentials configuration on the client (i.e. gss_init_context) side?
TIA - Chris

From Nicolas.Williams at sun.com Fri Feb 20 19:17:53 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Fri, 20 Feb 2009 18:17:53 -0600
Subject: Establishing client credentials (TGT etc.) with GSSAPI
In-Reply-To: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com>
References: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com>
Message-ID: <20090221001753.GH9992@Sun.COM>

On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote:
> I'm working on implementing Kerberos authentication from a C++ client
> to a Java service. The Java service wants a GSSAPI context.
>
> Is it correct that, if you can't rely on default GSSAPI credentials
> (i.e. login identity and pre-cached TGT), then a client should use
> gss_acquire_credentials() to establish this? I have tried this but
> haven't had success and just want to make sure I'm on the right path.

The GSS-API does not give you a way to acquire initial credentials (i.e., anything involving interaction with the user to obtain things like principal name, password, smartcard/token PIN, ...). That's out of scope for the GSS-API. IIRC JAAS does give you a way to do that, but I don't remember exactly.

What the GSS_Acquire_cred() and GSS_Add_cred() functions allow you to do is to choose a credential to use when many are available.

Nico
--

From Dave_Brown at lbl.gov Sun Feb 22 12:23:46 2009
From: Dave_Brown at lbl.gov (David Brown)
Date: Sun, 22 Feb 2009 09:23:46 -0800
Subject: MacOS kinit problem
Message-ID: <99F3F686-442E-45A4-9B52-AC8C41CABB3D@lbl.gov>

I recently transferred ownership of a MacOSX 10.5.6 laptop by installing a new admin user, after which I deleted the original admin user. The new user is unable to run kinit, getting an error message:

kinit: Unable to initialize kerberos login options: Unable to read Kerberos Login preferences. The file may be missing, inaccessible or corrupted.
kinit: Error getting initial tickets: Operation not permitted

kinit works if run with sudo, which shows the file is not missing or corrupted, so I guess it is 'inaccessible'. The protections and ownership of ~/Library/Preferences/edu.mit.Kerberos.KerberosLogin.plist look fine. I guess there must be some utility applications or files which are still owned by the original admin user and which are protected; does anyone have any idea what those might be?

From raeburn at MIT.EDU Mon Feb 23 00:12:57 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 23 Feb 2009 00:12:57 -0500
Subject: MacOS kinit problem
In-Reply-To: <99F3F686-442E-45A4-9B52-AC8C41CABB3D@lbl.gov>
References: <99F3F686-442E-45A4-9B52-AC8C41CABB3D@lbl.gov>
Message-ID:

On Feb 22, 2009, at 12:23, David Brown wrote:
> kinit: Unable to initialize kerberos login options: Unable to read
> Kerberos Login preferences. The file may be missing, inaccessible or
> corrupted.
> kinit: Error getting initial tickets: Operation not permitted
>
> kinit works if run with sudo, which shows the file is not missing or
> corrupted, so I guess it is 'inaccessible'. The protections and
> ownership of ~/Library/Preferences/edu.mit.Kerberos.KerberosLogin.plist
> look fine. I guess there must be
> some utility applications or files which are still owned by the
> original admin user and which are protected, does anyone have any idea
> what those might be?

Check in /Library/Preferences also for system-wide configuration files.

Ken

From speedogoo at gmail.com Mon Feb 23 04:39:32 2009
From: speedogoo at gmail.com (Speedo)
Date: Mon, 23 Feb 2009 01:39:32 -0800 (PST)
Subject: WS-Security and GSS-API: How do I get the session key?
Message-ID: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com>

Hi All

I guess this issue had been discussed before: WS-Security negotiates with Kerberos 5 but uses the session key in a different way from GSS tokens.
Since GSS-API is the public API to access Kerberos 5, is there any recent progress in enhancing the GSS-API to provide a function like gss_get_session_key()? How do you guys program WS-Security nowadays?

Thanks
Speedo

From raeburn at MIT.EDU Mon Feb 23 11:11:17 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 23 Feb 2009 11:11:17 -0500
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com>
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com>
Message-ID: <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu>

On Feb 23, 2009, at 04:39, Speedo wrote:
> I guess this issue had been discussed before: WS-Security negotiates
> with Kerberos 5 but uses the session key in a different way from GSS
> tokens. Since GSS-API is the public API to access Kerberos 5, is there
> any recent progress in enhancing the GSS-API to provide a function
> like gss_get_session_key()?

I wouldn't say that "GSS-API is the public API to access Kerberos 5", though I think it's generally preferred that you write application *protocols* to GSS-API. (Which means, among other things, not assuming you can extract the session key and do with it what you like -- or even assuming that there is such a thing as a "session key".) If you write non-GSSAPI application protocols, there are still non-GSSAPI programming interfaces....

That said, I believe the MIT 1.7 release will include an API for extracting a session key if there is one, but no earlier release from MIT will, and I'm not sure how portable that API will be to other implementations.

Ken

From chriscorbell at gmail.com Mon Feb 23 17:00:55 2009
From: chriscorbell at gmail.com (Chris)
Date: Mon, 23 Feb 2009 14:00:55 -0800 (PST)
Subject: Establishing client credentials (TGT etc.)
with GSSAPI
References: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com>
Message-ID: <93127135-56ce-44b1-830b-49ee66f844c5@v19g2000yqn.googlegroups.com>

On Feb 20, 4:17 pm, Nicolas Williams wrote:
> On Fri, Feb 20, 2009 at 01:24:06PM -0800, Chris wrote:
> > ...
> > Is it correct that, if you can't rely on default GSSAPI credentials
> > (i.e. login identity and pre-cached TGT), then a client should use
> > gss_acquire_credentials() to establish this? ...
>
> The GSS-API does not give you a way to acquire initial credentials
> (i.e., anything involving interaction with the user to obtain things
> like principal name, password, smartcard/token PIN, ...). That's out of
> scope for the GSS-API.

Thanks for the reply (and also for the offline reply). Since this is the case (and btw the client is in C/C++) I added an upstream call to KLAcquireInitialTicketsWithPassword(), and that did the trick - the subsequent call to gss_acquire_cred() for the same principal works now.

FWIW, I was slightly confused by the language in the GSSAPI RFC, which seems to indicate that an implementation of a mechanism (e.g. Kerberos) is not necessarily compatible with that mechanism used on its own. Turns out in this case (at least in C), it's not only compatible but *required* that you use the API for that mechanism on its own to make credentials available before using GSSAPI.

- Chris

From Nicolas.Williams at sun.com Mon Feb 23 18:08:41 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 23 Feb 2009 17:08:41 -0600
Subject: Establishing client credentials (TGT etc.)
with GSSAPI In-Reply-To: <93127135-56ce-44b1-830b-49ee66f844c5@v19g2000yqn.googlegroups.com> References: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com> <93127135-56ce-44b1-830b-49ee66f844c5@v19g2000yqn.googlegroups.com> Message-ID: <20090223230840.GZ9992@Sun.COM> On Mon, Feb 23, 2009 at 02:00:55PM -0800, Chris wrote: > FWIW, I was slightly confused with the language in the GSSAPI RFC > which seems to indicate that an implementation of a mechanism (e.g. > Kerberos) is not necessarily compatible with that mechanism used on > its own. [...] I suspect that may have been a reference to how the Kerberos V GSS-API mechanism is not wire compatible with raw Kerberos V. Do you remember what specific text you're referring to, and can you point me at it? From raeburn at MIT.EDU Mon Feb 23 19:30:40 2009 From: raeburn at MIT.EDU (Ken Raeburn) Date: Mon, 23 Feb 2009 19:30:40 -0500 Subject: WS-Security and GSS-API: How do I get the session key? In-Reply-To: References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> Message-ID: <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu> On Feb 23, 2009, at 19:05, Goo wrote: >> That said, I believe the MIT 1.7 release will include an API for >> extracting >> a session key if there is one, but no earlier release from MIT >> will, and I'm >> not sure how portable that API will be to other implementations. > > Nice to hear that. Do you know if there's a alpha/beta version with > the new API? Also, is there any IETF draft extending RFC 2743? There's an alpha out, yes; see http://web.mit.edu/Kerberos/krb5-1.7/krb5-1.7.html for details. I don't recall offhand if there's been an IETF draft proposing the specific extension we've got for extracting the session key. Ken From chriscorbell at gmail.com Mon Feb 23 18:52:16 2009 From: chriscorbell at gmail.com (Chris) Date: Mon, 23 Feb 2009 15:52:16 -0800 (PST) Subject: Establishing client credentials (TGT etc.) 
with GSSAPI
References: <873ae429-4e89-493b-9836-ebc3c6724318@33g2000yqm.googlegroups.com> <93127135-56ce-44b1-830b-49ee66f844c5@v19g2000yqn.googlegroups.com>
Message-ID:

On Feb 23, 3:08 pm, Nicolas Williams wrote:
> On Mon, Feb 23, 2009 at 02:00:55PM -0800, Chris wrote:
> > FWIW, I was slightly confused with the language in the GSSAPI RFC
> > which seems to indicate that an implementation of a mechanism (e.g.
> > Kerberos) is not necessarily compatible with that mechanism used on
> > its own. [...]
>
> I suspect that may have been a reference to how the Kerberos V GSS-API
> mechanism is not wire compatible with raw Kerberos V. Do you remember
> what specific text you're referring to, and can you point me at it?

The main spot is in RFC 2743, near the end of section 1.1.3. Tokens:

"The format of GSS-API tokens defined in conjunction with a particular mechanism, and the techniques used to integrate those tokens into callers' protocols, may not be interoperable with the tokens used by non-GSS-API callers of the same underlying technique."

I read that as suggesting that e.g. a Kerberos Ticket (including a TGT) obtained via native Kerberos calls might not be interoperable with GSS context-wrapped Kerberos tickets, so I wrongly assumed there must be some way to acquire a TGT via GSSAPI.

Also, RFC 1964 section 3 throws me off a little - I thought the last sentence was saying that the mechanism should be implemented to request a TGT, but perhaps it's actually a directive for what the client application should do:

"However, when the Kerberos V5 mechanism attempts to obtain initiating credentials for a service principal which are not available in a credentials cache, and the key for that service principal is available in a Kerberos V5 key table, the mechanism should use the service key to obtain initiating credentials for that service.
This should be accomplished by requesting a ticket-granting-ticket from the Kerberos Key Distribution Center (KDC), and decrypting the KDC's reply using the service key." Chris From speedogoo at gmail.com Mon Feb 23 19:05:33 2009 From: speedogoo at gmail.com (Goo) Date: Tue, 24 Feb 2009 08:05:33 +0800 Subject: WS-Security and GSS-API: How do I get the session key? In-Reply-To: <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> Message-ID: > That said, I believe the MIT 1.7 release will include an API for extracting > a session key if there is one, but no earlier release from MIT will, and I'm > not sure how portable that API will be to other implementations. Nice to hear that. Do you know if there's a alpha/beta version with the new API? Also, is there any IETF draft extending RFC 2743? Thanks Speedo On Tue, Feb 24, 2009 at 00:11, Ken Raeburn wrote: > On Feb 23, 2009, at 04:39, Speedo wrote: >> >> I guess this issue had been discussed before: WS-Security negotiates >> with Kerberos 5 but uses the session key in a different way from GSS >> tokens. Since GSS-API is the public API to access Kerberos 5, is there >> any recent progress in enhancing the GSS-API to provide a function >> like gss_get_session_key()? > > I wouldn't say that "GSS-API is the public API to access Kerberos 5", though > I think it's generally preferred that you write application *protocols* to > GSS-API. (Which means, among other things, not assuming you can extract the > session key and do with it what you like -- or even assuming that there is > such a thing as a "session key".) > > If you write non-GSSAPI application protocols, there are still non-GSSAPI > programming interfaces.... 
> > That said, I believe the MIT 1.7 release will include an API for extracting > a session key if there is one, but no earlier release from MIT will, and I'm > not sure how portable that API will be to other implementations. > > Ken > From Thomas.Maslen at quest.com Tue Feb 24 00:59:24 2009 From: Thomas.Maslen at quest.com (Thomas Maslen) Date: Mon, 23 Feb 2009 21:59:24 -0800 Subject: WS-Security and GSS-API: How do I get the session key? Message-ID: <723530449330F342A68634ADF3CE8DE203395D134D@alvxmbw02.prod.quest.corp> On Feb 23, 2009, at 04:39, Speedo wrote: > I guess this issue had been discussed before: WS-Security negotiates > with Kerberos 5 but uses the session key in a different way from GSS > tokens. Since GSS-API is the public API to access Kerberos 5, is there > any recent progress in enhancing the GSS-API to provide a function > like gss_get_session_key()? Yes, we bumped up against this with our Java implementation of Kerberos, GSSAPI, etc. Since we have our own implementation (c.f. the ones that Sun and IBM ship in their respective JDKs), I added a home-grown API[*] to extract the session key from the GSSContext once the context is established, precisely to support the WS-Security Kerberos Token Profile. But if that isn't an option... the initial context token for the Kerberos 5 GSSAPI mechanism is essentially just an AP-REQ with a bit of GSSAPI framing prepended, so perhaps you can strip off the GSSAPI cruft (including the non-ASN.1 bytes), leaving you with the AP-REQ, and you probably have lots of tasty APIs to process that and then give you the session key? [*] I wish that the Java GSSAPI had an escape mechanism akin to XMLReader.setProperty(String,Object) in SAX2 From lukeh at padl.com Tue Feb 24 08:31:30 2009 From: lukeh at padl.com (Luke Howard) Date: Wed, 25 Feb 2009 00:31:30 +1100 Subject: WS-Security and GSS-API: How do I get the session key? 
In-Reply-To: <723530449330F342A68634ADF3CE8DE203395D134D@alvxmbw02.prod.quest.corp> References: <723530449330F342A68634ADF3CE8DE203395D134D@alvxmbw02.prod.quest.corp> Message-ID: In MIT Kerberos 1.7, you can use gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY). -- Luke On 24/02/2009, at 4:59 PM, Thomas Maslen wrote: > On Feb 23, 2009, at 04:39, Speedo wrote: >> I guess this issue had been discussed before: WS-Security negotiates >> with Kerberos 5 but uses the session key in a different way from GSS >> tokens. Since GSS-API is the public API to access Kerberos 5, is >> there >> any recent progress in enhancing the GSS-API to provide a function >> like gss_get_session_key()? > > Yes, we bumped up against this with our Java implementation of > Kerberos, > GSSAPI, etc. > > Since we have our own implementation (c.f. the ones that Sun and IBM > ship > in their respective JDKs), I added a home-grown API[*] to extract > the session > key from the GSSContext once the context is established, precisely to > support the WS-Security Kerberos Token Profile. > > But if that isn't an option... the initial context token for the > Kerberos 5 > GSSAPI mechanism is essentially just an AP-REQ with a bit of GSSAPI > framing prepended, so perhaps you can strip off the GSSAPI cruft > (including the non-ASN.1 bytes), leaving you with the AP-REQ, and > you probably have lots of tasty APIs to process that and then give you > the session key? From lukeh at padl.com Tue Feb 24 08:36:54 2009 From: lukeh at padl.com (Luke Howard) Date: Wed, 25 Feb 2009 00:36:54 +1100 Subject: WS-Security and GSS-API: How do I get the session key? 
In-Reply-To: <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu>
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu>
Message-ID: <9717BF6F-62C6-4D99-B0C4-C5DD194886B7@padl.com>

> I don't recall offhand if there's been an IETF draft proposing the
> specific extension we've got for extracting the session key.

Something like:

#include <gssapi/gssapi_ext.h>   // gss_inquire_sec_context_by_oid, gss_buffer_set_t
#include <gssapi/gssapi_krb5.h>  // GSS_C_INQ_SSPI_SESSION_KEY (MIT krb5 1.7)

{
    OM_uint32 major, minor;
    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
    gss_buffer_set_t skey = GSS_C_NO_BUFFER_SET;

    ...

    // call only after the context is fully established
    major = gss_inquire_sec_context_by_oid(&minor, ctx,
                                           GSS_C_INQ_SSPI_SESSION_KEY, &skey);
    if (GSS_ERROR(major))
        // handle error

    if (skey == GSS_C_NO_BUFFER_SET || skey->count < 1 ||
        skey->elements[0].value == NULL)
        // optional paranoid error checking

    // session key can be found in skey->elements[0]
    // OID corresponding to enctype can be found in skey->elements[1]

    gss_release_buffer_set(&minor, &skey);

    ...
}

-- Luke

From nikhilm at gs-lab.com Tue Feb 24 13:05:52 2009
From: nikhilm at gs-lab.com (Nikhil Mishra)
Date: Tue, 24 Feb 2009 23:35:52 +0530
Subject: authentic man in the middle
In-Reply-To: <49A42677.5060601@secure-endpoints.com>
References: <49A3CE64.4020804@gs-lab.com> <49A42677.5060601@secure-endpoints.com>
Message-ID: <49A43700.6040501@gs-lab.com>

Thanks Jeffrey.

I am fine with the limited lifetime part. I completely understand the solution will be unstable enough to be useful. Nevertheless I still need a tool to retrieve long term service keys to see whether what is being said below is true.

I will move this discussion to kerberos at mit.edu. My apologies for the trouble.

Thanks
Nikhil

Jeffrey Altman wrote:
> Nikhil:
>
> The problem you are facing is that you do not control the
> key management of the Windows Domain. Windows services
> do not use fixed keys.
They use long term passwords that > are assigned to each account and which are then used with > the necessary enc-type and service principal name to compute > the appropriate key on-the-fly. This permits an account to > have multiple names all of which do not need to be known > at account registration time. For example, a mobile machine > that obtains a different hostname at each boot and registers > it with dynamic dns which in turn updates the machine's > entry in the active directory. > > The passwords are also periodically updated. Therefore, > even if you were to extract the machine's password from > the registry its lifetime would be limited. You would > have to do it again whenever the password was replaced. > > As a side note, this discussion really has nothing to do > with the development of MIT Kerberos. Therefore, it is > my opinion that it should be held either on the kerberos at mit.edu > mailing list or one of the Windows Security Groups. > > Jeffrey Altman > Secure Endpoints Inc. > > Nikhil Mishra wrote: > >> Hi All, >> >> We have an issue with generating a valid keytab for windows based >> services which can be used on unix based machines to decrypt AP-REQ. >> I understand this issue is more on windows side but since I am trying >> to implement sort of man in the middle on MIT kerberos I think >> someone could lend me some helping hand here.Any related references >> might also do some good to me.- >> >> >> Following is our setup : >> >> 1. Windows XP cifs client >> 2. Windows 2003 KDC and domain controller 64 bit >> 3. Windows XP cifs server 64 bit. >> 4. Linux FC7 machine with MIT kerberos 1.6.3 >> >> We have the admin privileges for all the machines mentioned above. >> >> What we are trying to do ? >> >> 1. We request a kerberized traffic from cifs client to cifs server >> which we want to route through linux box. >> >> 2. We want to do some processing with the AP-REQ. 
Evidently for >> which we need to authenticate the client in AP_REQ on linux machine. >> >> 3. Now to authenticate the client in AP-REQ on linux machine we >> propose to use GSSAPI calls using corresponding service keytab. >> >> The problem : >> >> 1. Our understanding is, all windows based services are registered >> under corresponding computer name with their corresponding SPN. >> >> 2. This registration occurs whenever the machine joins the domain. So >> basically , whenever the server is up and running and is in domain >> all its services are registered with windows domain controller and >> are mapped to its computer name. >> >> 3. The exchange of long term keys for service between service and KDC >> occurs at the same time. >> >> 4. We understand the definition of ktpass is "To generate keytab for >> UNIX based services " but with no other option to generate a keytab, >> we run ktpass for this windows based service which creates a new >> long term service key for the service which is not communicated back >> to service. >> >> When I use this keytab on linux machine through GSSAPI calls to >> decrypt the AP-REQ , I get KRB5KRB_AP_ERR_BAD_INTEGRITY. >> >> which is obvious since key used by KDC to encrypt the ticket for >> service is different(Its the old key ) than what is in keytab. >> >> Questions : >> >> 1. Is there a way to bring KDC and service in sync in terms of the >> service key being used ? To be more precise , If I change the >> service key for a service at KDC Is there a way to communicate >> this back to service so that the service starts using this new key >> for all further requests ? >> >> 2. We understand ktpass is a tool to generate a keytab for unix based >> services. Do we have any similar tool for windows based services ? >> >> 3. Since windows based service SPN's are registered under computer name >> at the time of logon It can be mapped to some other user as well without >> creating a duplicate SPN. 
Is it possible for a service to run under >> a user account and obtain a service key in windows ? >> >> 4. We understand "man in the middle" is not possible with kerberos but >> when we own all components of traffic ( KDC , server , client , DC >> with admin privileges ) should't I be allowed to extract a service key >> for the given SPN from KDC without disturbing the existing setup ? >> >> Any help is deeply appreciated. >> >> Thanks & Regards >> >> Nikhil >> >> >> _______________________________________________ >> krbdev mailing list krbdev at mit.edu >> https://mailman.mit.edu/mailman/listinfo/krbdev >> >> From nikhilm at gs-lab.com Wed Feb 25 07:08:18 2009 From: nikhilm at gs-lab.com (Nikhil Mishra) Date: Wed, 25 Feb 2009 17:38:18 +0530 Subject: [Fwd: Re: authentic man in the middle] Message-ID: <49A534B2.8080907@gs-lab.com> Any help is appreciated . -------- Original Message -------- Subject: Re: authentic man in the middle Date: Tue, 24 Feb 2009 23:35:52 +0530 From: Nikhil Mishra To: jaltman at secure-endpoints.com CC: krbdev at mit.edu, kerberos at mit.edu References: <49A3CE64.4020804 at gs-lab.com> <49A42677.5060601 at secure-endpoints.com> Thanks Jeffrey. I am fine with the limited lifetime part . I completely understand the solution will be unstable enough to be useful. Nevertheless I still need a tool to retrieve long term service keys to see what is being said below is true . I will move this discussion to kerberos at mit.edu. My apologies for the trouble. Thanks Nikhil Jeffrey Altman wrote: > Nikhil: > > The problem you are facing is that you do not control the > key management of the Windows Domain. Windows services > do not use fixed keys. They use long term passwords that > are assigned to each account and which are then used with > the necessary enc-type and service principal name to compute > the appropriate key on-the-fly. This permits an account to > have multiple names all of which do not need to be known > at account registration time. 
For example, a mobile machine > that obtains a different hostname at each boot and registers > it with dynamic dns which in turn updates the machine's > entry in the active directory. > > The passwords are also periodically updated. Therefore, > even if you were to extract the machine's password from > the registry its lifetime would be limited. You would > have to do it again whenever the password was replaced. > > As a side note, this discussion really has nothing to do > with the development of MIT Kerberos. Therefore, it is > my opinion that it should be held either on the kerberos at mit.edu > mailing list or one of the Windows Security Groups. > > Jeffrey Altman > Secure Endpoints Inc. > > Nikhil Mishra wrote: > >> Hi All, >> >> We have an issue with generating a valid keytab for windows based >> services which can be used on unix based machines to decrypt AP-REQ. >> I understand this issue is more on windows side but since I am trying >> to implement sort of man in the middle on MIT kerberos I think >> someone could lend me some helping hand here.Any related references >> might also do some good to me.- >> >> >> Following is our setup : >> >> 1. Windows XP cifs client >> 2. Windows 2003 KDC and domain controller 64 bit >> 3. Windows XP cifs server 64 bit. >> 4. Linux FC7 machine with MIT kerberos 1.6.3 >> >> We have the admin privileges for all the machines mentioned above. >> >> What we are trying to do ? >> >> 1. We request a kerberized traffic from cifs client to cifs server >> which we want to route through linux box. >> >> 2. We want to do some processing with the AP-REQ. Evidently for >> which we need to authenticate the client in AP_REQ on linux machine. >> >> 3. Now to authenticate the client in AP-REQ on linux machine we >> propose to use GSSAPI calls using corresponding service keytab. >> >> The problem : >> >> 1. Our understanding is, all windows based services are registered >> under corresponding computer name with their corresponding SPN. 
>> >> 2. This registration occurs whenever the machine joins the domain. So >> basically , whenever the server is up and running and is in domain >> all its services are registered with windows domain controller and >> are mapped to its computer name. >> >> 3. The exchange of long term keys for service between service and KDC >> occurs at the same time. >> >> 4. We understand the definition of ktpass is "To generate keytab for >> UNIX based services " but with no other option to generate a keytab, >> we run ktpass for this windows based service which creates a new >> long term service key for the service which is not communicated back >> to service. >> >> When I use this keytab on linux machine through GSSAPI calls to >> decrypt the AP-REQ , I get KRB5KRB_AP_ERR_BAD_INTEGRITY. >> >> which is obvious since key used by KDC to encrypt the ticket for >> service is different(Its the old key ) than what is in keytab. >> >> Questions : >> >> 1. Is there a way to bring KDC and service in sync in terms of the >> service key being used ? To be more precise , If I change the >> service key for a service at KDC Is there a way to communicate >> this back to service so that the service starts using this new key >> for all further requests ? >> >> 2. We understand ktpass is a tool to generate a keytab for unix based >> services. Do we have any similar tool for windows based services ? >> >> 3. Since windows based service SPN's are registered under computer name >> at the time of logon It can be mapped to some other user as well without >> creating a duplicate SPN. Is it possible for a service to run under >> a user account and obtain a service key in windows ? >> >> 4. We understand "man in the middle" is not possible with kerberos but >> when we own all components of traffic ( KDC , server , client , DC >> with admin privileges ) should't I be allowed to extract a service key >> for the given SPN from KDC without disturbing the existing setup ? 
>> >> Any help is deeply appreciated. >> >> Thanks & Regards >> >> Nikhil >> >> >> _______________________________________________ >> krbdev mailing list krbdev at mit.edu >> https://mailman.mit.edu/mailman/listinfo/krbdev >> >> From nikhilm at gs-lab.com Wed Feb 25 09:04:21 2009 From: nikhilm at gs-lab.com (Nikhil Mishra) Date: Wed, 25 Feb 2009 19:34:21 +0530 Subject: changing long term keys for services on windows Message-ID: <49A54FE5.8040206@gs-lab.com> Hi All , Can a windows service long term key be changed on the fly? What I mean is when the machine hosting service joins the domain long term keys are exchanged between service and KDC ( This is what I understand . Please correct me If I am not ). If as a KDC admin I would like to change the key being used for encrypting service tickets for the service , Is there a way to do it ? If I somehow change the key for given SPN ( using ktpass ) on KDC is it possible to communicate this back to service ?Does KDC do it automatically ?Is there some event it waits for before syncing keys with service ? Thanks Nikhil From magbenitez at sellmytimesharenow.com Fri Feb 27 11:48:37 2009 From: magbenitez at sellmytimesharenow.com (Magdaleno Benitez) Date: Fri, 27 Feb 2009 11:48:37 -0500 Subject: how to Message-ID: <49A81965.1000800@sellmytimesharenow.com> Is there a tutorial that will instruct me on how to install kerberos on a windows 2003 enterprise server x64, i think i have it installed but being a newcomer not sure. I am like a babe in the woods with this learning as i go so please be kind and don't scream too much. 
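Two messages in the threads above ask, in effect, the same wire-format question: Thomas Maslen suggests stripping the GSS-API framing off the Kerberos 5 initial context token to get at the AP-REQ, and Nikhil Mishra wants to process the AP-REQ a CIFS client sends through his Linux box. The following is an added example, not code posted to the list and not part of MIT Kerberos, that does that stripping: it parses the RFC 2743 InitialContextToken wrapper ([APPLICATION 0] tag, DER length, mechanism OID), checks the RFC 4121 TOK_ID, and returns the bare AP-REQ DER. The sample token is constructed inline around a placeholder AP-REQ carrying only pvno and msg-type; a real one from a Windows client is over a kilobyte and, when it arrives over HTTP Negotiate or SMB, is normally inside a SPNEGO NegTokenInit that has to be unwrapped first, which the code rejects explicitly rather than misparsing.

```python
"""Strip GSS-API framing from a Kerberos 5 initial context token.

Added example; not code from the kerberos@mit.edu threads or from MIT krb5.
Outer framing per RFC 2743 section 3.1, inner token per RFC 4121 section 4.1.
All byte strings below are constructed for illustration, not captured traffic.
"""
from __future__ import annotations

# DER-encoded OID values (without the 0x06 tag and length byte).
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_MECH_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2, legacy Microsoft
SPNEGO_OID = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2

TOK_ID_AP_REQ = b"\x01\x00"   # RFC 4121 4.1: KRB_AP_REQ
TOK_ID_AP_REP = b"\x02\x00"   # KRB_AP_REP
TOK_ID_ERROR = b"\x03\x00"    # KRB_ERROR
AP_REQ_TAG = 0x6E             # [APPLICATION 14] == AP-REQ (RFC 4120 5.5.1)


def der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the DER length at buf[pos]; return (length, index after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80:                     # DER requires the minimal encoding
        raise ValueError("non-minimal length encoding")
    return length, pos + nbytes


def der_encode_length(n: int) -> bytes:
    """Encode n as a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_initial_context_token(mech_oid: bytes, inner: bytes) -> bytes:
    """Build [APPLICATION 0] { OID, inner } the way gss_init_sec_context emits it."""
    oid_tlv = b"\x06" + der_encode_length(len(mech_oid)) + mech_oid
    content = oid_tlv + inner
    return b"\x60" + der_encode_length(len(content)) + content


def parse_initial_context_token(token: bytes) -> tuple[bytes, bytes]:
    """Return (mechanism OID value, mechanism-specific inner token)."""
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken: [APPLICATION 0] tag missing")
    total, pos = der_length(token, 1)
    if total == 0 or pos + total != len(token):
        raise ValueError("outer length does not match token size")
    if token[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after framing")
    oid_len, pos = der_length(token, pos + 1)
    mech_oid = token[pos:pos + oid_len]
    if len(mech_oid) != oid_len:
        raise ValueError("truncated mechanism OID")
    return mech_oid, token[pos + oid_len:]


def extract_ap_req(token: bytes) -> bytes:
    """Return the bare AP-REQ DER from a krb5 GSS-API initial context token."""
    mech_oid, inner = parse_initial_context_token(token)
    if mech_oid == SPNEGO_OID:
        raise ValueError("SPNEGO NegTokenInit: unwrap the mechToken first")
    if mech_oid not in (KRB5_MECH_OID, MS_KRB5_MECH_OID):
        raise ValueError(f"unexpected mechanism OID {mech_oid.hex()}")
    tok_id, ap_req = inner[:2], inner[2:]
    if tok_id != TOK_ID_AP_REQ:
        raise ValueError(f"TOK_ID {tok_id.hex()} is not KRB_AP_REQ (0100)")
    if not ap_req or ap_req[0] != AP_REQ_TAG:
        raise ValueError("inner token does not start with an AP-REQ tag")
    return ap_req


# Constructed stand-in for an AP-REQ: only pvno=5 and msg-type=14; a real one
# also carries ap-options, the service ticket and the encrypted authenticator.
SAMPLE_AP_REQ = bytes.fromhex("6e0c300aa003020105a10302010e")
SAMPLE_TOKEN = wrap_initial_context_token(KRB5_MECH_OID, TOK_ID_AP_REQ + SAMPLE_AP_REQ)

if __name__ == "__main__":
    print("token  :", SAMPLE_TOKEN.hex())
    print("AP-REQ :", extract_ap_req(SAMPLE_TOKEN).hex())
```

Recovering the AP-REQ is only the first step: decrypting the ticket inside it to reach the session key still needs the service's long-term key, which is exactly the keytab problem Jeffrey Altman describes above, so in practice the extracted DER is what you hand to krb5_rd_req (or whatever AP-REQ API your stack offers) together with a keytab that matches the KDC's current key.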
From rturner at amalfisystems.com Sat Feb 28 00:29:15 2009
From: rturner at amalfisystems.com (Randy Turner)
Date: Fri, 27 Feb 2009 21:29:15 -0800
Subject: FIPS certification
In-Reply-To:
References:
Message-ID: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>

Hello List,

I am working on a project that combines a number of different open-source libraries, all of which utilize some form of the same cryptographic operations, most notably symmetric ciphers, hashes, and public key cryptography. The core of this project uses a FIPS-certified OpenSSL codebase. The problem with combining open-source projects is that they seem to all come with their own implementation of crypto algorithms.

I haven't completely analyzed MIT Kerberos, but I was wondering if it would be possible to get the MIT Kerberos subsystem to use the OpenSSL crypto API for any cryptographic support needed for Kerberos? I'm assuming that MIT Kerberos has not been FIPS certified.

Thanks!
Randy

From rra at stanford.edu Sat Feb 28 00:45:21 2009
From: rra at stanford.edu (Russ Allbery)
Date: Fri, 27 Feb 2009 21:45:21 -0800
Subject: FIPS certification
In-Reply-To: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> (Randy Turner's message of "Fri\, 27 Feb 2009 21\:29\:15 -0800")
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
Message-ID: <87y6vr3yj2.fsf@windlord.stanford.edu>

Randy Turner writes:
> I haven't completely analyzed MIT Kerberos, but I was wondering if it
> would be possible to get the MIT Kerberos subsystem to use the OpenSSL
> crypto API for any cryptographic support needed for Kerberos?

I believe it would be extremely difficult (although maybe someone has made changes on this front and I've missed them). If you want Kerberos libraries that use OpenSSL crypto, you'll probably find it easier to just use Heimdal, which already does so, than trying to change MIT Kerberos to do so.
-- Russ Allbery (rra at stanford.edu)

From raeburn at MIT.EDU Sat Feb 28 00:46:48 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sat, 28 Feb 2009 00:46:48 -0500
Subject: FIPS certification
In-Reply-To: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
Message-ID:

On Feb 28, 2009, at 00:29, Randy Turner wrote:
> I haven't completely analyzed MIT Kerberos, but I was wondering if
> it would be possible to get the MIT Kerberos subsystem to use the
> OpenSSL crypto API for any cryptographic support needed for Kerberos?

Not trivially. There's no reason it couldn't be adapted to the OpenSSL crypto API (or the Apple CommonCrypto API, or anybody else's, providing they provide all the basic functions), and it's been discussed before, but the work hasn't been done yet.

> I'm assuming that MIT Kerberos has not been FIPS certified.

That's correct.

Ken
-- Ken Raeburn, Senior Programmer Analyst
MIT Kerberos Consortium http://www.kerberos.org/

From Nicolas.Williams at sun.com Sat Feb 28 00:51:06 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Fri, 27 Feb 2009 23:51:06 -0600
Subject: FIPS certification
In-Reply-To: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
Message-ID: <20090228055105.GV9992@Sun.COM>

On Fri, Feb 27, 2009 at 09:29:15PM -0800, Randy Turner wrote:
> I haven't completely analyzed MIT Kerberos, but I was wondering if it
> would be possible to get the MIT Kerberos subsystem to use the OpenSSL
> crypto API for any cryptographic support needed for Kerberos?

MIT Kerberos has its own crypto code, yes. Solaris Kerberos is based on MIT Kerberos and replaced the crypto with calls to PKCS#11 (in user-land). I believe the Solaris Kerberos team wants to integrate these changes (challenging though it is) into MIT krb5, but I don't know when it will happen. That would be your best bet.
The Solaris Kerberos stack is opensource, like most things in OpenSolaris (though some parts under the CDDL, which MIT has in the past considered incompatible with its aims, so Sun has donated code to MIT in the past, meaning placed it under MIT's license). If you're interested we can talk about the challenges in revamping MIT krb5 to not use its own crypto code. Nico -- From Nicolas.Williams at sun.com Sat Feb 28 01:01:46 2009 From: Nicolas.Williams at sun.com (Nicolas Williams) Date: Sat, 28 Feb 2009 00:01:46 -0600 Subject: FIPS certification In-Reply-To: <87y6vr3yj2.fsf@windlord.stanford.edu> References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> Message-ID: <20090228060146.GX9992@Sun.COM> On Fri, Feb 27, 2009 at 09:45:21PM -0800, Russ Allbery wrote: > Randy Turner writes: > > I haven't completely analyzed MIT Kerberos, but I was wondering if it > > would be possible to get the MIT Kerberos subsystem to use the OpenSSL > > crypto API for any cryptographic support needed for Kerberos? > > I believe it would be extremely difficult (although maybe someone has made > changes on this front and I've missed them). If you want Kerberos > libraries that use OpenSSL crypto, you'll probably find it easier to just > use Heimdal, which already does so, than trying to change MIT Kerberos to > do so. Wyllys Ingersoll did it for Solaris a few years ago. In Solaris the Kerberos stack uses PKCS#11 (in user-land -- the kernel-land crypto interfaces are different, but in the kernel Kerberos still uses the Solaris crypto framework, instead of the MIT krb5 crypto code). The biggest challenge _by far_ is krb5_keyblock. The size of that structure is part of the ABI because it was always in a public header and code used (and still might) allocate krb5_keyblock variables as automatics. IIRC its layout too is part of the ABI. 
Solaris at the time did not expose a krb5 API, so it was trivial for us (Wyllys) to change krb5_keyblock and to add initializers for it. But when it comes to contributing these changes to MIT we'll run into this problem. There are solutions that preserve compatibility with code that allocates krb5_keyblock on the stack, but they aren't pretty. Breaking the ABI could be considered -- it'd be a smallish break, but it won't be Sun deciding that, but the MIT Kerberos community. Sun would love for MIT to adopt changes to make MIT krb5 use PKCS#11. Even using OpenSSL might work for us because we have the OpenSSL PKCS#11 ENGINE. Nico -- From tytso at MIT.EDU Sat Feb 28 12:43:48 2009 From: tytso at MIT.EDU (Theodore Tso) Date: Sat, 28 Feb 2009 12:43:48 -0500 Subject: FIPS certification In-Reply-To: <20090228060146.GX9992@Sun.COM> References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> <20090228060146.GX9992@Sun.COM> Message-ID: <20090228174348.GB6935@mit.edu> On Sat, Feb 28, 2009 at 12:01:46AM -0600, Nicolas Williams wrote: > > Solaris at the time did not expose a krb5 API, so it was trivial for us > (Wyllys) to change krb5_keyblock and to add initializers for it. But > when it comes to contributing these changes to MIT we'll run into this > problem. There are solutions that preserve compatibility with code that > allocates krb5_keyblock on the stack, but they aren't pretty. Breaking > the ABI could be considered -- it'd be a smallish break, but it won't be > Sun deciding that, but the MIT Kerberos community. It might be possible to dispatch on krb5_keyblock->magic to determine whether it the new fields are there, and in places where a passed in krb5_keyblock is allocated on the stack, the called function could allocate a new-style krb5_keyblock and import the key. (How many such places are there? I didn't think there would be that many.) 
It wouldn't be that pretty, yes, but if it's considered important to preserve the ABI, it's probably doable...

- Ted

From raeburn at MIT.EDU Sat Feb 28 13:07:50 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sat, 28 Feb 2009 13:07:50 -0500
Subject: FIPS certification
In-Reply-To: <20090228174348.GB6935@mit.edu>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> <20090228060146.GX9992@Sun.COM> <20090228174348.GB6935@mit.edu>
Message-ID: <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>

On Feb 28, 2009, at 12:43, Theodore Tso wrote:
> It might be possible to dispatch on krb5_keyblock->magic to determine
> whether it the new fields are there, and in places where a passed in
> krb5_keyblock is allocated on the stack, the called function could
> allocate a new-style krb5_keyblock and import the key. (How many such
> places are there? I didn't think there would be that many.) It
> wouldn't be that pretty, yes, but if it's considered important to
> preserve the ABI, it's probably doable...

Yeah, that's been considered. It's a little risky in that sometimes the "magic" field just isn't initialized (especially in an application-provided keyblock), and adding a dependence on it (at least on it *not* having a certain 32-bit value that indicates the extended form) would be a minor ABI change. I think the risk is probably low, and it'd probably be worth the extra ugliness to get the benefits.

We'd also still need to handle the krb5_keyblock structure embedded in krb5_creds; in that instance it wouldn't be extensible.

It'd be so nice to be able to do a new API for a v2.0 someday.
:-)

Ken

From Nicolas.Williams at sun.com Sat Feb 28 14:18:50 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sat, 28 Feb 2009 13:18:50 -0600
Subject: FIPS certification
In-Reply-To: <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> <20090228060146.GX9992@Sun.COM> <20090228174348.GB6935@mit.edu> <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>
Message-ID: <20090228191850.GZ9992@Sun.COM>

On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
> On Feb 28, 2009, at 12:43, Theodore Tso wrote:
> > It might be possible to dispatch on krb5_keyblock->magic to determine
> > whether the new fields are there, and in places where a passed-in
> > krb5_keyblock is allocated on the stack, the called function could
> > allocate a new-style krb5_keyblock and import the key. (How many such
> > places are there? I didn't think there would be that many.) It
> > wouldn't be that pretty, yes, but if it's considered important to
> > preserve the ABI, it's probably doable...
> 
> Yeah, that's been considered. It's a little risky in that sometimes
> the "magic" field just isn't initialized (especially in an application-
> provided keyblock), and adding a dependence on it (at least on it

Actually, is it ever initialized when allocated on the stack? I suspect
not.

It's been pointed out to me that it's not necessary to change
krb5_keyblock just to use OpenSSL, and I think one could argue the same
for PKCS#11. However, leaving krb5_keyblock unchanged is sub-optimal,
and, most importantly for performance, means you can't cache derived keys
in the keyblock itself (you could have a hash table).

> *not* having a certain 32-bit value that indicates the extended form)
> would be a minor ABI change. I think the risk is probably low, and
> it'd probably be worth the extra ugliness to get the benefits.
> 
> We'd also still need to handle the krb5_keyblock structure embedded in
> krb5_creds; in that instance it wouldn't be extensible.
> 
> It'd be so nice to be able to do a new API for a v2.0 someday. :-)

Yes.

From Nicolas.Williams at sun.com Sat Feb 28 14:56:22 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sat, 28 Feb 2009 13:56:22 -0600
Subject: FIPS certification
In-Reply-To: <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> <20090228060146.GX9992@Sun.COM> <20090228174348.GB6935@mit.edu> <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>
Message-ID: <20090228195621.GD9992@Sun.COM>

On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
> We'd also still need to handle the krb5_keyblock structure embedded in
> krb5_creds; in that instance it wouldn't be extensible.

I suspect we can handle that by having a new krb5_keyblock for all
non-krb5_creds uses of it, and krb5_keyblock_old for krb5_creds. It's
only the auth_context and the GSS mech where we need to be able to cache
derived keys and what not (crypto library handles).

Nico
--

From tytso at MIT.EDU Sat Feb 28 16:03:25 2009
From: tytso at MIT.EDU (Theodore Tso)
Date: Sat, 28 Feb 2009 16:03:25 -0500
Subject: FIPS certification
In-Reply-To: <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> <20090228060146.GX9992@Sun.COM> <20090228174348.GB6935@mit.edu> <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu>
Message-ID: <20090228210325.GF6935@mit.edu>

On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
> We'd also still need to handle the krb5_keyblock structure embedded in
> krb5_creds; in that instance it wouldn't be extensible.
> 
> It'd be so nice to be able to do a new API for a v2.0 someday.
:-)

But then I wouldn't be able to use Krb5 as the poster child for badly
designed legacy APIs that make ABI compatibility really hard any more.
(My excuse, since a large amount of it was my fault, was that I was young
and foolish.... :-)

Seriously, that might not be a bad idea, one of these days....

- Ted

From Nicolas.Williams at sun.com Sat Feb 28 16:23:47 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Sat, 28 Feb 2009 15:23:47 -0600
Subject: FIPS certification
In-Reply-To: <20090228195621.GD9992@Sun.COM>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com> <87y6vr3yj2.fsf@windlord.stanford.edu> <20090228060146.GX9992@Sun.COM> <20090228174348.GB6935@mit.edu> <70288C02-967E-4F6E-A512-BBC2BECC21F9@mit.edu> <20090228195621.GD9992@Sun.COM>
Message-ID: <20090228212346.GJ9992@Sun.COM>

On Sat, Feb 28, 2009 at 01:56:22PM -0600, Nicolas Williams wrote:
> On Sat, Feb 28, 2009 at 01:07:50PM -0500, Ken Raeburn wrote:
> > We'd also still need to handle the krb5_keyblock structure embedded in
> > krb5_creds; in that instance it wouldn't be extensible.
> 
> I suspect we can handle that by having a new krb5_keyblock for all
> non-krb5_creds uses of it, and krb5_keyblock_old for krb5_creds. It's
> only the auth_context and the GSS mech where we need to be able to cache
> derived keys and what not (crypto library handles).

There is another way... If we only care about performance in the GSS
mechanism then there's no need to change krb5_keyblock. That means
crypto in the raw krb5 API apps will not be as good, mostly because of
the lack of derived key caching and because of the lack of caching of
crypto library handles (including key schedules). But MIT krb5 already
suffers from this anyways.
Nico
--

From jason at rampaginggeek.com Sat Feb 28 17:42:58 2009
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Sat, 28 Feb 2009 17:42:58 -0500
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
Message-ID: <49A9BDF2.6030402@rampaginggeek.com>

We have users who need to run long-running jobs and store their files in
AFS during the run.

I've read the k5start and k5renew man pages, but I don't see how I can
have users type in their password when they start a job and have the
tickets and tokens keep being renewed.

How can I do this?

Thanks,
Jason

From kula at tproa.net Sat Feb 28 18:04:38 2009
From: kula at tproa.net (Thomas Kula)
Date: Sat, 28 Feb 2009 18:04:38 -0500
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <49A9BDF2.6030402@rampaginggeek.com>
References: <49A9BDF2.6030402@rampaginggeek.com>
Message-ID: <20090228230438.GJ9102@mcketrick.tproa.net>

On Sat, Feb 28, 2009 at 05:42:58PM -0500, Jason Edgecombe wrote:
> We have users who need to run long-running jobs and store their files in
> AFS during the run.
> 
> I've read the k5start and k5renew man pages, but I don't see how I can
> have users type in their password when they start a job and have the
> tickets and tokens keep being renewed.
> 
> How can I do this?

Give them a keytab, but not one for their normal identity (this breaks
things). Create, rather, an instance for them that can be put in a
keytab, give that instance permission to do whatever it needs to do in
AFS, and use the option to k5start that has it use a keytab instead of
asking for a password. For example, here's what I do for cronjobs that
need to access AFS:

- create a principal user/cron (e.g.
kula/cron)
- extract that into a keytab
- put the keytab somewhere on local disk where only the user can get to it
- Do what you need to do to give user/cron access to files in AFS (create
  the PTS identity user.cron, put that on the appropriate ACLs)
- Teach the user how to give the proper incantation to k5start to get
  credentials from the keytab and keep renewing them until the job
  finishes.

This presumes, of course, that it works in your setup to put that keytab
somewhere on local disk and that the user will start the job from a
machine that has the keytab on local disk. Also, remember of course, that
access to the keytab gives access to the files, so protect it
accordingly.

I've also had good luck starting a screen session inside of its own pag
and with its own credentials cache, and in one window have something that
runs the job and in another window something renewing the user's
credentials. That could be something as simple as "user must remember to
attach the screen session every N hours and renew their credentials" to
using k5start with the keytab idea above.

I don't think k5start has an option that prompts you for a password *and*
remembers it to keep renewing credentials on your behalf, but since I
always just use the keytab option I'm not as familiar with that use of
k5start. If there is such an option, remember to treat the environment it
runs in as securely as you would treat the user's credentials cache,
since, well, that process has the user's password.

There are probably several other ways of doing this, but these are a
couple that have worked well for me, and at work we've helped a couple
users do the screen option, so at least someone other than me can
understand the process well enough to use it (your users, of course, may
vary).

--
Thomas L.
Kula | kula at tproa.net | http://kula.tproa.net/

From rra at stanford.edu Sat Feb 28 18:35:08 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sat, 28 Feb 2009 15:35:08 -0800
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <49A9BDF2.6030402@rampaginggeek.com> (Jason Edgecombe's message of "Sat\, 28 Feb 2009 17\:42\:58 -0500")
References: <49A9BDF2.6030402@rampaginggeek.com>
Message-ID: <874oyeb0er.fsf@windlord.stanford.edu>

Jason Edgecombe writes:
> We have users who need to run long-running jobs and store their files in
> AFS during the run.
> 
> I've read the k5start and k5renew man pages, but I don't see how I can
> have users type in their password when they start a job and have the
> tickets and tokens keep being renewed.
> 
> How can I do this?

If you're not dealing with a batch environment, where the execution
happens some time after the user authenticates, then krenew is what you
want. It just doesn't do the initial ticket acquisition.

You configure your PAM module and krb5.conf to get renewable tickets by
default, so that the user already has renewable tickets when they start
the job. Then run the job under krenew. It will make a private copy of
the existing ticket cache and then keep renewing tickets and tokens until
either it can't any more or the job ends.

If you *are* dealing with a batch environment, you want Kula's approach.
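The two approaches above, Kula's keytab-backed k5start for batch jobs and Russ's krenew on already-renewable tickets for interactive jobs, as one wrapper script. This is an added example, not code from either poster or from the kstart package; it enforces the points the thread makes (keytab readable by its owner only, a separate user/instance principal rather than the user's primary identity) before handing the job to the renewer. The k5start flags -u, -f, -K and -t and the krenew flags -K and -t are the ones assumed from the kstart man pages; the renew interval variable RENEW_MINUTES and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kstart package.
# Wraps a long-running job so its Kerberos tickets and AFS tokens keep
# being renewed, in one of two ways:
#   keytab mode : k5start with a dedicated user/cron keytab (batch jobs)
#   cache mode  : krenew on the user's existing renewable tickets (interactive)
# Flags assumed here: k5start -u -f -K -t and krenew -K -t (check man pages).

# Owner-only mode and owned by the caller. Access to the keytab is access
# to the AFS files, so anything looser is refused.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$kt" 2>/dev/null || stat -f '%u' "$kt" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        [4567]00) return 0 ;;    # 600, 400, 700: no group/other bits at all
        *)        return 1 ;;
    esac
}

# A keytab should hold a separate instance (user/cron), never the user's
# primary identity, which the thread says breaks things.
is_instance_principal() {
    case $1 in
        */*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Validate keytab-mode arguments: $1 keytab path, $2 principal.
check_keytab_job() {
    keytab_is_private "$1" || {
        echo "refusing keytab that is not owner-only or not yours: $1" >&2
        return 2
    }
    is_instance_principal "$2" || {
        echo "use a user/instance principal for keytabs, not: $2" >&2
        return 3
    }
}

# Print the wrapper command run_job would exec, without touching a KDC.
# Usage: plan_job keytab KEYTAB PRINCIPAL CMD...   or   plan_job cache CMD...
# RENEW_MINUTES (default 10) is how often the wrapper wakes up to renew.
plan_job() {
    wrap_mode=$1; shift
    interval=${RENEW_MINUTES:-10}
    case $wrap_mode in
        keytab)
            [ $# -ge 3 ] || return 1
            kt=$1; princ=$2; shift 2
            check_keytab_job "$kt" "$princ" || return $?
            printf 'k5start -u %s -f %s -K %s -t -- %s\n' "$princ" "$kt" "$interval" "$*"
            ;;
        cache)
            # krenew only renews tickets that were issued renewable; neither
            # tool will prompt for and hold a password (k5start refuses to).
            printf 'krenew -K %s -t -- %s\n' "$interval" "$*"
            ;;
        *)
            echo "usage: plan_job keytab KEYTAB PRINCIPAL CMD... | plan_job cache CMD..." >&2
            return 1
            ;;
    esac
}

# Same arguments as plan_job, but exec the renewer with the job's argv kept
# intact (no re-splitting of a printed command line).
run_job() {
    wrap_mode=$1; shift
    interval=${RENEW_MINUTES:-10}
    case $wrap_mode in
        keytab)
            [ $# -ge 3 ] || return 1
            kt=$1; princ=$2; shift 2
            check_keytab_job "$kt" "$princ" || return $?
            exec k5start -u "$princ" -f "$kt" -K "$interval" -t -- "$@"
            ;;
        cache)
            exec krenew -K "$interval" -t -- "$@"
            ;;
        *)
            plan_job "$wrap_mode"
            ;;
    esac
}
```

plan_job exists so the keytab and principal checks can be exercised (and the exact command inspected) on a machine without a KDC; run_job is what a user would actually call, for example `run_job keytab "$HOME/.cron.keytab" jdoe/cron ./long_job` or `run_job cache ./long_job` after logging in with renewable tickets.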
--
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Sat Feb 28 18:35:48 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sat, 28 Feb 2009 15:35:48 -0800
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <20090228230438.GJ9102@mcketrick.tproa.net> (Thomas Kula's message of "Sat\, 28 Feb 2009 18\:04\:38 -0500")
References: <49A9BDF2.6030402@rampaginggeek.com> <20090228230438.GJ9102@mcketrick.tproa.net>
Message-ID: <87zlg69lt7.fsf@windlord.stanford.edu>

Thomas Kula writes:
> I don't think k5start has an option that prompts you for a password
> *and* remembers it to keep renewing credentials on your behalf, but
> since I always just use the keytab option I'm not as familiar with that
> use of k5start.

k5start intentionally doesn't support this because I think it undermines
the Kerberos security model.

--
Russ Allbery (rra at stanford.edu)

From jason at rampaginggeek.com Sat Feb 28 23:40:26 2009
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Sat, 28 Feb 2009 23:40:26 -0500
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <874oyeb0er.fsf@windlord.stanford.edu>
References: <49A9BDF2.6030402@rampaginggeek.com> <874oyeb0er.fsf@windlord.stanford.edu>
Message-ID: <49AA11BA.3060509@rampaginggeek.com>

Russ Allbery wrote:
> Jason Edgecombe writes:
> 
> 
>> We have users who need to run long-running jobs and store their files in
>> AFS during the run.
>> 
>> I've read the k5start and k5renew man pages, but I don't see how I can
>> have users type in their password when they start a job and have the
>> tickets and tokens keep being renewed.
>> 
>> How can I do this?
>> 
> 
> If you're not dealing with a batch environment, where the execution
> happens some time after the user authenticates, then krenew is what you
> want. It just doesn't do the initial ticket acquisition.
> 
> You configure your PAM module and krb5.conf to get renewable tickets by
> default, so that the user already has renewable tickets when they start
> the job. Then run the job under krenew. It will make a private copy of
> the existing ticket cache and then keep renewing tickets and tokens until
> either it can't any more or the job ends.
> 
> If you *are* dealing with a batch environment, you want Kula's approach.
> 

Sigh, I guess setting things for renewable tickets longer than 7 days or
running the jobs in local disk will be easiest.

We have a 7 day normal/renewable lifetime. What length do other sites
have?

I might need to use the job scheduler approach, but that's a pain. I
would guess 10-20 people would want that ability. I either need to modify
our account maintenance processes or do it all manually.

Has anyone automated the management of user.cron principals?
Unfortunately, I have had to tell people that they can't have an infinite
ticket lifetime. :P

Thanks for the help!

Thanks,
Jason

From rra at stanford.edu Sat Feb 28 23:43:49 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sat, 28 Feb 2009 20:43:49 -0800
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <49AA11BA.3060509@rampaginggeek.com> (Jason Edgecombe's message of "Sat\, 28 Feb 2009 23\:40\:26 -0500")
References: <49A9BDF2.6030402@rampaginggeek.com> <874oyeb0er.fsf@windlord.stanford.edu> <49AA11BA.3060509@rampaginggeek.com>
Message-ID: <87wsb97sze.fsf@windlord.stanford.edu>

Jason Edgecombe writes:
> I guess setting things for renewable tickets longer than 7 days or
> running the jobs in local disk will be easiest.
> 
> We have a 7 day normal/renewable lifetime. What length do other sites
> have?

Seven days here as well. That's also our limit on how long we let compute
jobs run on our normal timeshare systems. We're working on a batch
queuing system that will use separate cron instances.

> I might need to use the job scheduler approach, but that's a pain.
> I would guess 10-20 people would want that ability. I either need to
> modify our account maintenance processes or do it all manually.
> 
> Has anyone automated the management of user.cron principals?
> Unfortunately, I have had to tell people that they can't have an
> infinite ticket lifetime. :P

We've automated similar things here and there's some support for it in
the kadmin-remctl package. I'm hoping to clean that up substantially at
some point, but haven't had the time (and it's not in the top hundred on
my priority list at the moment).

--
Russ Allbery (rra at stanford.edu)

From hugo at chem.leidenuniv.nl Sat Feb 28 18:04:27 2009
From: hugo at chem.leidenuniv.nl (Hugo Meiland)
Date: Sun, 01 Mar 2009 00:04:27 +0100
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <49A9BDF2.6030402@rampaginggeek.com>
References: <49A9BDF2.6030402@rampaginggeek.com>
Message-ID: <49A9C2FB.8000105@chem.leidenuniv.nl>

Jason Edgecombe wrote:
> We have users who need to run long-running jobs and store their files in
> AFS during the run.
> 
> I've read the k5start and k5renew man pages, but I don't see how I can
> have users type in their password when they start a job and have the
> tickets and tokens keep being renewed.
> 
> 

Hi John,

I'm forcing an 'at' job in the .cshrc script to 'k5renew' and 'afs5log'
every 8 hours or so for the max lifetime of a week. This works only for
interactively started jobs of course; jobs running through a scheduler
such as pbs or condor need some other tricks...

Hugo
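The renewable-ticket configuration Russ Allbery refers to ("configure your PAM module and krb5.conf to get renewable tickets by default") and the seven-day window that several posters mention, written out as an added example; it is not from any poster in the thread. EXAMPLE.COM is a placeholder realm, the lifetimes are illustrative, and the [appdefaults] pam section assumes the pam-krb5 module, which reads its options from there; the kdc.conf part applies only on the KDC.

```ini
# Added example, not from the thread.
# --- /etc/krb5.conf on clients and job hosts ---
# Ask for renewable tickets by default so that krenew (which never does the
# initial kinit) has something to renew once the user has logged in.
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 7d

# pam-krb5 reads its options from [appdefaults]; requesting the same 7-day
# window at login means interactive sessions start with renewable tickets.
[appdefaults]
    pam = {
        renew_lifetime = 7d
        forwardable = true
    }

# --- /var/kerberos/krb5kdc/kdc.conf on the KDC ---
# The client side only requests; the KDC caps the renewable window here and
# per principal (kadmin modprinc -maxrenewlife). Seven days matches the
# sites in this thread; raising it widens the exposure of a stolen cache.
[realms]
    EXAMPLE.COM = {
        max_life = 10h
        max_renewable_life = 7d
    }
```

With this in place, `klist -f` on a fresh login shows the R (renewable) flag, and `krenew -K 60 -t -- ./long_job` keeps renewing until the seven-day window closes, which is the hard limit Jason's users run into regardless of what the job wrapper does.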