From vilas.tadoori.ext at siemens.com Wed Jul 1 09:54:22 2009
From: vilas.tadoori.ext at siemens.com (Tadoori (EXT), Vilas)
Date: Wed, 1 Jul 2009 09:54:22 -0400
Subject: WAR files with Kerberos
Message-ID: <6344D3A1F3677A429F994D643E17F84F26D07EAF23@USCIMMBX001.net.plm.eds.com>

Dear All,

My application generates a .WAR file and we deploy the same on Tomcat or WebLogic. I have written a client application using the JAAS and GSSAPI framework which talks to the KDC/Kerberos server that I have set up on SUSE Linux. The MIT Kerberos version is krb5-1.6.3.

My application gets the token from Kerberos and writes it to my hard disk.

My question is: how can I register the .WAR file running on a web server like Tomcat with MIT Kerberos version krb5-1.6.3?

Appreciate your participation.

Thanks,
Vilas

From nicolas.michel at lemail.be Mon Jul 6 03:35:26 2009
From: nicolas.michel at lemail.be (Nicolas Michel)
Date: Mon, 06 Jul 2009 09:35:26 +0200
Subject: Linux kerberos authentication ; gdm
Message-ID: <1246865726.5299.20.camel@nm-laptop>

Hi here,

I want to authenticate some Linux computers (Ubuntu) on a Kerberos server, linked to an LDAP one. I see how to do that with PAM. But I have two questions:
- Is there an "offline" mode? (If I have no access to the internet I want to have access to my session.)
- With gdm, is it possible to get a window when the password must be changed (and where must I configure that password policy? On the Kerberos server?)

Thank you very much

From nicolas.michel at lemail.be Mon Jul 6 03:56:20 2009
From: nicolas.michel at lemail.be (Nicolas Michel)
Date: Mon, 06 Jul 2009 09:56:20 +0200
Subject: Linux kerberos authentication ; gdm
In-Reply-To: <1246865726.5299.20.camel@nm-laptop>
References: <1246865726.5299.20.camel@nm-laptop>
Message-ID: <1246866980.5299.21.camel@nm-laptop>

I must tell that there is no Windows server in that network, nor any Windows client.

On Monday 06 July 2009 at 09:35 +0200, Nicolas Michel wrote:
> Hi here,
>
> I want to authenticate some linux computers (ubuntu) on a kerberos
> server, linked to an ldap one. I see how to do that with pam.
> But I have two questions :
> - is there an "offline" mode? (if I have no access to the internet I
> want to have access to my session)
> - with gdm, is it possible to get a window when the password must be
> changed (and where must I configure that password policy? On the
> kerberos server?)
>
> Thank you very much
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From bjorn.sund at it.uib.no Mon Jul 6 04:16:45 2009
From: bjorn.sund at it.uib.no (Bjoern Tore Sund)
Date: Mon, 06 Jul 2009 10:16:45 +0200
Subject: Linux kerberos authentication ; gdm
In-Reply-To: <1246865726.5299.20.camel@nm-laptop>
References: <1246865726.5299.20.camel@nm-laptop>
Message-ID: <4A51B2ED.1040504@it.uib.no>

Nicolas Michel wrote:
> Hi here,
>
> I want to authenticate some linux computers (ubuntu) on a kerberos
> server, linked to an ldap one. I see how to do that with pam.
> But I have two questions :
> - is there an "offline" mode? (if I have no access to the internet I
> want to have access to my session)

Not with Kerberos itself, unless you start configuring a Kerberos server slave on each client... You may want to have a look at pam_usersync, https://sourceforge.net/projects/pam-usersync/develop - there are man pages in the code explaining how to use it. It synchronises user data into local passwd files if a successful network login is done. Works with any network authentication system; we're using it with Kerberos for our Linux laptops.

> - with gdm, is it possible to get a window when the password must be
> changed (and where must I configure that password policy? On the
> kerberos server?)

Sorry, outside of what I've looked at.
-BT
--
Bjørn Tore Sund          Phone: 555-84894   Email: bjorn.sund at it.uib.no
IT department            VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.

From tpmetz at ucdavis.edu Tue Jul 7 13:06:06 2009
From: tpmetz at ucdavis.edu (Tim Metz)
Date: Tue, 07 Jul 2009 10:06:06 -0700
Subject: Disable kpasswd5 portion of kadmind ?
Message-ID: <4A53807E.1030308@ucdavis.edu>

Greetings,

As I understand it, the MIT kadmind daemon provides both the kerberos-adm (tcp/749) and the kpasswd5 (udp/464) servers. Is there any way to turn off the kpasswd5 portion of the daemon? For instance, if we wanted to run only the kerberos-adm portion of the daemon?

We could just firewall the kpasswd5 service; I'm just wondering, however, whether there is a way to have kadmind run only the kerberos-adm server and not the kpasswd server.

Thanks,
- Tim

From jjasen at realityfailure.org Wed Jul 8 15:06:46 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Wed, 08 Jul 2009 15:06:46 -0400
Subject: Linux kerberos authentication ; gdm
In-Reply-To: <4A51B2ED.1040504@it.uib.no>
References: <1246865726.5299.20.camel@nm-laptop> <4A51B2ED.1040504@it.uib.no>
Message-ID: <4A54EE46.906@realityfailure.org>

Bjoern Tore Sund wrote:
> Nicolas Michel wrote:
>> Hi here,
>>
>> I want to authenticate some linux computers (ubuntu) on a kerberos
>> server, linked to an ldap one. I see how to do that with pam.
>> But I have two questions :
>> - is there an "offline" mode? (if I have no access to the internet I
>> want to have access to my session)
>
> Not with Kerberos itself, unless you start configuring a Kerberos server
> slave on each client... You may want to have a look at pam_usersync,

Maybe pam_ccreds would do what you're looking for?

--
-- John E. Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring

From scott at scottgrizzard.com Wed Jul 8 16:10:57 2009
From: scott at scottgrizzard.com (Scott Grizzard)
Date: Wed, 08 Jul 2009 16:10:57 -0400
Subject: Linux kerberos authentication ; gdm
In-Reply-To: <4A54EE46.906@realityfailure.org>
References: <1246865726.5299.20.camel@nm-laptop> <4A51B2ED.1040504@it.uib.no> <4A54EE46.906@realityfailure.org>
Message-ID: <4A54FD51.4030401@scottgrizzard.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://help.ubuntu.com/community/SingleSignOn is a good tutorial on how to do it.

John Jasen wrote:
> Bjoern Tore Sund wrote:
>> Nicolas Michel wrote:
>>> Hi here,
>>>
>>> I want to authenticate some linux computers (ubuntu) on a kerberos
>>> server, linked to an ldap one. I see how to do that with pam.
>>> But I have two questions :
>>> - is there an "offline" mode? (if I have no access to the internet I
>>> want to have access to my session)
>>
>> Not with Kerberos itself, unless you start configuring a Kerberos server
>> slave on each client... You may want to have a look at pam_usersync,
>
> Maybe pam_ccreds would do what you're looking for?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpU/U0ACgkQARR1QiSWUG5pygCeNNV9ZJHHj9ujDs2vCkuishM0
21IAoI0A8vtShBqO+xbxJH+fiCkDdaCM
=2R1P
-----END PGP SIGNATURE-----

From suma.s.gururaj at gmail.com Thu Jul 9 23:32:27 2009
From: suma.s.gururaj at gmail.com (suma)
Date: Thu, 9 Jul 2009 20:32:27 -0700 (PDT)
Subject: Does Kerberos version 5 support i18n specifications?
Message-ID: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>

Hi,

I am unable to authenticate users with non-ASCII character names.
The error that I got for kinit was:
--------------------------------------
Exception: krb_error 6 Client not found in Kerberos database (6)
Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
------------------------------------

I am using the Kerberos login module from JAAS for authentication. I have no issues authenticating users whose names contain only ASCII. I also checked RFC 4120 and it looks like the names are meant to be ASCII. Do I need a patch to make my implementation support wide characters?

Thanks,
--Suma

From Weijun.Wang at Sun.COM Fri Jul 10 00:08:37 2009
From: Weijun.Wang at Sun.COM (Weijun Wang)
Date: Fri, 10 Jul 2009 12:08:37 +0800
Subject: Does Kerberos version 5 support i18n specifications?
In-Reply-To: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>
References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>
Message-ID: <4A56BEC5.9070109@sun.com>

No support and no patch. RFC 4120 says a solution will be in future revisions, and we're waiting.

Thanks
Max (of Sun Java team)

suma wrote:
> Hi,
>
> I am unable to authenticate users with non-ASCII character names. The
> error that I got for kinit was:
> --------------------------------------
> Exception: krb_error 6 Client not found in Kerberos database (6)
> Client not found in Kerberos database
> KrbException: Client not found in Kerberos database (6)
> ------------------------------------
>
> I am using kerberos login module from JAAS for authentication. I have
> no issues authenticating the users that contains ASCII. I also
> checked the RFC-4120 and looks like the names to be ASCII-specific.
> Do I need a patch, to make my implementation support wide characters.
>
> Thanks,
> --Suma

From suma.s.gururaj at gmail.com Fri Jul 10 00:25:07 2009
From: suma.s.gururaj at gmail.com (suma)
Date: Thu, 9 Jul 2009 21:25:07 -0700 (PDT)
Subject: Does Kerberos version 5 support i18n specifications?
References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>
Message-ID:

Thanks, Max, for your reply. I appreciate it.

Until we get a solution for i18n, how are folks out there solving the issue of authenticating users that have multibyte characters? Is there a workaround?

Thanks in advance,
--Suma

On Jul 10, 9:08 am, Weijun Wang wrote:
> No support and no patch, RFC 4120 says a solution will be in future
> revisions, and we're waiting.
>
> Thanks
> Max (of Sun Java team)

From Weijun.Wang at Sun.COM Fri Jul 10 01:25:16 2009
From: Weijun.Wang at Sun.COM (Weijun Wang)
Date: Fri, 10 Jul 2009 13:25:16 +0800
Subject: Does Kerberos version 5 support i18n specifications?
In-Reply-To:
References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>
Message-ID: <4A56D0BC.8050405@sun.com>

I don't know a solution. Java uses String.getBytes("ASCII") to encode the principal name. Unless your KDC also uses the same encoding, there's no workaround.

Or, you can grab OpenJDK and create your own patch. :)

Max

suma wrote:
> Thanks, Max for your reply. I appreciate it.
>
> Until we get a solution for i18n, how are folks out there solving the
> issue of authenticating users that have nultibyte characters. Is
> there a workaround?
>
> Thanks in advance,
> --Suma

From ahmar_nauman at hotmail.com Fri Jul 10 11:20:30 2009
From: ahmar_nauman at hotmail.com (Ahmar Nauman)
Date: Fri, 10 Jul 2009 21:20:30 +0600
Subject: windows 2003 domain controller, mod_auth_kerb in linux, issue with kerberos
In-Reply-To:
References:
Message-ID:

Hi,

I'm using Windows Server 2003 as domain controller. I've successfully followed all the necessary steps required for setting up an SSO, generated keytab files which give me correct info if I type klist -k, integrated mod_auth_kerb and configured machines. My browser settings are just fine as well.

My httpd.conf is like

References:
Message-ID:

And you have enabled the "Integrated Windows authentication" option in IE6, haven't you?

On 10.07.2009 19:20, Ahmar Nauman wrote:
>
> Hi,
>
> I'm using windows server 2003 as domain controller,
> i've succesfully followed all the necessary steps required for setting up an SSO, generated keytab files which gives me correct info if i type klist -k , integrated mod_auth_kerb and configured machines.
> My browser setting are just fine as well,
>
>
> My httpd.conf is like
> AuthType Kerberos
> AuthName "Test Kerberos Login"
> KrbVerifyKDC off # it doesn't work if i remove this line
> KrbMethodNegotiate On
> KrbMethodK5Passwd On
> KrbAuthRealms LAB1.DIGIDENT-SOLUTIONS.COM
> Krb5KeyTab /etc/krb5.keytab
> KrbSaveCredentials On
> KrbServiceName HTTP
> require valid-user
>
> Now when i tried to test from IE(v 6) it open a login box, if i supply username and password as setup in active directory, it allows me to enter.
> I dont want to get this login box, so if i change KrbMethodK5Passwd to Off, it simply refuses me to get in by Authorization Required message in browser and in apache logs, i get the following errors,
>
> [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1266): [client x.x.x.x] Verifying client data using KRB5 GSS-API
> [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): [client ......] Verification returned code 589824
> [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1309): [client ......] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
> [Fri Jul 10 20:31:25 2009] [error] [client ......9] gss_accept_sec_context() failed: Invalid token was supplied (No error)
>
> I'm trying to resolve this issue, but nothing work out so far.
> Can anybody please help here??
>
> regards
> - Ahmar

From lloyd at cdactvm.in Wed Jul 15 08:38:18 2009
From: lloyd at cdactvm.in (Lloyd)
Date: Wed, 15 Jul 2009 18:08:18 +0530
Subject: ftp client: authentication failed
Message-ID:

Hi,

I am new to Kerberos and am trying to set it up in a sample scenario as part of learning. I have downloaded and installed Kerberos 5 on a Linux system. As per the install guide I have successfully configured the KDC and the application server. On the application server the "ftpd" daemon is also started successfully. Now I don't know how to connect a client to the ftpd server.

This is the output of klist on the client side:

klist: You have no tickets cached
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lloyd/admin at EFS.CYBER

Valid starting     Expires            Service principal
07/15/09 17:09:01  07/16/09 17:08:55  krbtgt/EFS.CYBER at EFS.CYBER

Kerberos 4 ticket cache: /tmp/tkt0

And this is the output when I try the ftp command on the client side:

Connected to ftpserver.efs.cyber.
220 KDC FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No principal in keytab matches desired name
GSSAPI error: acquiring credentials
GSSAPI ADAT failed
GSSAPI authentication failed
Kerberos V4 krb_mk_req failed: You have no tickets cached
Login failed.
KERBEROS_V4 accepted as authentication type
Name (ftpserver.efs.cyber:root):
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Am I missing something on the application server, the KDC or the client? Any help is very much appreciated.

Thanks,
Lloyd

From Matthew.GARRETT at external.total.com Wed Jul 15 10:40:15 2009
From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com)
Date: Wed, 15 Jul 2009 15:40:15 +0100
Subject: kprop: Software caused connection abort while reading response from server
Message-ID:

Folks,

I have had Kerberos and replication working fine for the last 6 months or so, without any problems. However, on the master KDC the root file system filled up 100%, which is now fixed. Since then the cron job that replicates the master KDC to the slave KDC generates the following error:

/usr/kerberos/sbin/kprop -d -f /var/kerberos/krb5kdc/slave_datatrans FQDN
/usr/kerberos/sbin/kprop: Software caused connection abort while reading response from server

On the slave KDC the transited file is the same size as on the master:

ls -al /var/kerberos/krb5kdc/from_master
-rw------- 1 root root 233048 Jul 15 15:27 /var/kerberos/krb5kdc/from_master

Doing the following seems to work:

/usr/kerberos/sbin/kdb5_util -r REALM -d /var/kerberos/krb5kdc/principal load -verbose -update /var/kerberos/krb5kdc/from_master

Can anybody suggest what might be wrong with the kprop transfer?

Thanks,
Matthew

From cclausen at acm.org Wed Jul 15 11:58:51 2009
From: cclausen at acm.org (Christopher D. Clausen)
Date: Wed, 15 Jul 2009 10:58:51 -0500
Subject: ftp client: authentication failed
References:
Message-ID: <098F58BB778747A780F42BA0086603EB@CDCHOME>

Lloyd wrote:
> Hi,
> I am new to kerberos and trying to set up in a sample scenario as
> part of learning. I have downloaded and installed Kerberos 5 on a
> Linux system. As per the install guide I have successfully configured
> KDC and Application server. in the application server the "ftpd"
> daemon is also started successfully. Now I dont know how to connect a
> client to the ftpd server.
>
> This is the output of klist in client side
>
> klist: You have no tickets cached
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: lloyd/admin at EFS.CYBER
> Valid starting Expires Service principal
> 07/15/09 17:09:01 07/16/09 17:08:55 krbtgt/EFS.CYBER at EFS.CYBER
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
>
> And this is the output when I try ftp command in client side
>
> GSSAPI error minor: No principal in keytab matches desired name
>
> Am I missing something in Application server, KDC or in client?

The above is your problem. Your client thinks your FTP server has a different name than what the keytab has a principal for. Check the KDC log to see which principal the client requested and then fix your keytab and/or DNS and/or /etc/hosts on these systems.

Message-ID: <0ABA8A379105482E824452D80B870C3C@CDCHOME>

Windows AD accounts require "allow this account to be trusted for delegation" to have Internet Explorer actually delegate credentials to the web server (which you are requesting via the KrbSaveCredentials On parameter). Try turning this off and see if it does what you want.

Also (and this is probably more likely the problem), if you need to set KrbVerifyKDC off, something is probably broken with your keytab. You should fix it and enable the verification step. This will probably allow IE to work better and actually send GSSAPI and not NTLM data.

< wrote:
> And you are enabled "Integrated windows authentication" option in IE6,
> don't you?
>
> On 10.07.2009 19:20, Ahmar Nauman wrote:
>>
>> Hi,
>>
>> I'm using windows server 2003 as domain controller,
>> i've succesfully followed all the necessary steps required for
>> setting up an SSO, generated keytab files which gives me correct
>> info if i type klist -k , integrated mod_auth_kerb and configured
>> machines. My browser setting are just fine as well,
>>
>>
>> My httpd.conf is like
>> AuthType Kerberos
>> AuthName "Test Kerberos Login"
>> KrbVerifyKDC off # it doesn't work if i remove this line
>> KrbMethodNegotiate On
>> KrbMethodK5Passwd On
>> KrbAuthRealms LAB1.DIGIDENT-SOLUTIONS.COM
>> Krb5KeyTab /etc/krb5.keytab
>> KrbSaveCredentials On
>> KrbServiceName HTTP
>> require valid-user
>>
>> Now when i tried to test from IE(v 6) it open a login box, if i
>> supply username and password as setup in active directory, it allows
>> me to enter. I dont want to get this login box, so if i change
>> KrbMethodK5Passwd to Off, it simply refuses me to get in by
>> Authorization Required message in browser and in apache logs, i get
>> the following errors,
>>
>> [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1266):
>> [client x.x.x.x] Verifying client data using KRB5 GSS-API
>> [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1282): [client
>> ......] Verification returned code 589824
>> [Fri Jul 10 20:31:25 2009] [debug] src/mod_auth_kerb.c(1309): [client ......] Warning:
>> received token seems to be NTLM, which isn't supported by the
>> Kerberos module. Check your IE configuration.
>> [Fri Jul 10 20:31:25 2009] [error] [client ......9] gss_accept_sec_context() failed:
>> Invalid token was supplied (No error)
>>
>> I'm trying to resolve this issue, but nothing work out so far.
>> Can anybody please help here??
>>
>> regards
>> - Ahmar

From kerberos at noopy.org Wed Jul 15 12:36:01 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Wed, 15 Jul 2009 12:36:01 -0400
Subject: Problem writing keyblock to krb5.keytab w/keytab binary format.
Message-ID:

Hello,

I've reviewed the following document about the binary format used in Kerberos keytabs: http://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html

In my Java code I am able to read a file stream (e.g. for /etc/krb5.keytab) and, starting with the 16-bit header (0x502), I am able to view the entries in my keytab, including the keyblock (I format it as a hex string), one by one.

I'm having problems understanding how to generate a keyblock and write it to a keytab. Basically, I'm able to write everything correctly to new.keytab *except for the keyblock*. That is to say: klist displays everything correctly (well, except for the keyblock) for new.keytab, but kinit gives key mismatch errors. When I analyze new.keytab versus /etc/krb5.keytab with a binary editor, I've confirmed that everything matches up in new.keytab except for the keyblock. :-(

I am able to create keytabs under Windows w/ktpass, but my preference is to generate a keytab on the client, for a variety of reasons. I know the salt, the passphrase, and the kvno that were used w/ktpass, and from there I'd assume that I could generate a key w/my application on the client. I created the keytab w/ktpass using type DES-CBC-MD5 and I'm using the Java DES functionality to create the key and write it to new.keytab. Still, the keyblock is not matching up. I checked my endianness on the client and that was not the issue.

Without spamming everybody here with Java code, here's what I'm attempting to do to write the keyblock:
- princ name: princ/myhost.fqdn at REALM
- salt (same as what's used by ktpass): REALMhostmyhost.realm
- password: test1234
- kvno: 19

In my DES calls I:
- pad and convert the salt from string to unsigned long to byte[8].
- use the converted salt as the key and initialization vector.
- use a cipher mode of CBC.
- write password to crypto stream.
- return array of bytes that reflect my encrypted key.
- binary write keyblock to new.keytab.

Since my keyblock doesn't match what's in /etc/krb5.keytab, I can only assume that either something is wrong with how I'm encrypting the key or with how I'm writing new.keytab. I'm leaning towards the former.

Does anyone have any suggestions as to how I might encrypt the keyblock w/DES, or as to what I might be doing wrong?

-- K

From raeburn at MIT.EDU Wed Jul 15 15:16:40 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 15 Jul 2009 15:16:40 -0400
Subject: Problem writing keyblock to krb5.keytab w/keytab binary format.
In-Reply-To:
References:
Message-ID:

On Jul 15, 2009, at 12:36, kerberos at noopy.org wrote:
> In my DES calls I:
> - pad and convert the salt from string to unsigned long to byte[8].
> - use the converted salt as the key and initialization vector.
> - use a cipher mode of CBC.
> - write password to crypto stream.
> - return array of bytes that reflect my encrypted key.
> - binary write keyblock to new.keytab.

This is not the mechanism Kerberos uses for generating a DES key from a password and salt. Check RFC 3961, particularly section 6.2.

--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From kerberos at noopy.org Wed Jul 15 19:44:33 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Wed, 15 Jul 2009 19:44:33 -0400
Subject: Problem writing keyblock to krb5.keytab w/keytab binary format.
In-Reply-To:
References:
Message-ID:

On Wed, Jul 15, 2009 at 3:16 PM, Ken Raeburn wrote:
> On Jul 15, 2009, at 12:36, kerberos at noopy.org wrote:
>>
>
> This is not the mechanism Kerberos uses for generating a DES key from a
> password and salt. Check RFC 3961, particularly section 6.2.

Uggh, you're right. Followed the RFC and things are looking better now. Thanks!

-- K
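The keytab layout the thread refers to (the Shishi description of the 0x0502 file format), and the keyblock comparison the poster did by hand in a binary editor, as an added example that is not part of the original thread and not the poster's Java code: the Python below writes a version 0x0502 keytab, parses it back, and reports principals whose entries agree on kvno and enctype but carry different key bytes, which is exactly the condition that makes kinit report a key mismatch. The principal and kvno are the ones from the post; the key bytes and timestamp are constructed and the enctype number 3 is des-cbc-md5 as assigned in RFC 3961. Deriving the key bytes from the password and salt is the RFC 3961 section 6.2 string-to-key step Ken points at and is deliberately not part of this example.

```python
"""Write, parse and compare MIT-format keytab files (file format 0x0502).

Added example for the thread above; not the poster's Java code and not MIT
Kerberos code. Layout per the Shishi keytab description: everything is
big-endian, a counted string is a uint16 length plus the bytes, and a 32-bit
kvno trails the keyblock whenever at least 4 bytes remain in the entry.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1    # name_type for ordinary principals
ENCTYPE_DES_CBC_MD5 = 3  # enctype number assigned in RFC 3961

@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    timestamp: int
    vno: int
    enctype: int
    key: bytes  # raw key bytes of the keyblock (8 for single DES)

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm

def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data

def _read_counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("counted string runs past end of buffer")
    return buf[off:off + n], off + n

def encode_entry(e: KeytabEntry) -> bytes:
    """size, num_components, realm, components, name_type, timestamp, vno8, keyblock, vno32."""
    body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode("ascii"))
    for c in e.components:
        body += _counted(c.encode("ascii"))
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.vno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)  # the keyblock
    body += struct.pack(">I", e.vno)
    return struct.pack(">i", len(body)) + body

def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(encode_entry(e) for e in entries)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entries; a negative size marks a hole left by a deleted entry."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode("ascii"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        key, off = _read_counted(data, off + 11)
        vno = vno8
        if end - off >= 4:  # 32-bit kvno present; it overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry(realm.decode("ascii"), comps, name_type,
                                   timestamp, vno, enctype, key))
        off = end
    return entries

def key_mismatches(keytab_a: bytes, keytab_b: bytes) -> List[str]:
    """Principals in both files with equal kvno and enctype but different key bytes."""
    index: Dict[Tuple[str, int, int], bytes] = {
        (e.principal, e.vno, e.enctype): e.key for e in parse_keytab(keytab_a)}
    return [e.principal for e in parse_keytab(keytab_b)
            if (e.principal, e.vno, e.enctype) in index
            and index[(e.principal, e.vno, e.enctype)] != e.key]

# Constructed sample: principal and kvno from the post; key bytes and timestamp are made up.
SAMPLE_KEY = bytes.fromhex("0b1d2f3e4d5c6b7a")
SAMPLE_ENTRY = KeytabEntry("REALM", ["princ", "myhost.fqdn"], KRB5_NT_PRINCIPAL,
                           1247675761, 19, ENCTYPE_DES_CBC_MD5, SAMPLE_KEY)

def roundtrip() -> List[KeytabEntry]:
    return parse_keytab(write_keytab([SAMPLE_ENTRY]))
```

Run against a real ktpass output and a self-generated new.keytab, `key_mismatches(open("/etc/krb5.keytab", "rb").read(), open("new.keytab", "rb").read())` names the entries whose keyblock differs while everything else matches; an empty list with the same kvno on both sides is the state the poster was trying to reach.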
-- K From linuxtrap at yahoo.co.in Thu Jul 16 10:55:05 2009 From: linuxtrap at yahoo.co.in (satish patel) Date: Thu, 16 Jul 2009 20:25:05 +0530 (IST) Subject: Kerborse + Change user passwd at next logon Message-ID: <842208.12133.qm@web94912.mail.in2.yahoo.com> Hi All, We have Active directory kerbrose + Linux authenitcation client's and evrything working fine but problem is i am not able to that oftion in active directory about "Change user password at next logon" option when i set this option user not able to login I need to be done is this bug or can you suggest what should i do on this? Thanks Satish? See the Web's breaking stories, chosen by people like you. Check out Yahoo! Buzz. http://in.buzz.yahoo.com/ From suma.s.gururaj at gmail.com Thu Jul 16 00:44:22 2009 From: suma.s.gururaj at gmail.com (suma) Date: Wed, 15 Jul 2009 21:44:22 -0700 (PDT) Subject: Does Kerberos version 5 support i18n specifications? References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com> Message-ID: On Jul 10, 10:25?am, Weijun Wang wrote: > I don't know a solution. Java uses String.getBytes("ASCII") to encode > the principal name. Unless your KDC also uses the same encoding, there's > no workaround. > > Or, you can grab OpenJDK and create your own patch. :) > > Max > > > > suma wrote: > > Thanks, Max for your reply. ?I appreciate it. > > > Until we get a solution for i18n, how are folks out there solving the > > issue of authenticating users that have nultibyte characters. ?Is > > there a workaround? > > > Thanks in advance, > > --Suma > > > On Jul 10, 9:08 am, Weijun Wang wrote: > >> No support and no patch, RFC 4120 says a solution will be in future > >> revisions, and we're waiting. > > >> Thanks > >> Max (of Sun Java team) > > >> suma wrote: > >>> Hi, > >>> I am unable to authenticate users with non-ASCII character names. 
?The > >>> error that I got for kinit was: > >>> -------------------------------------- > >>> Exception: krb_error 6 Client not found in Kerberos database (6) > >>> Client not found in Kerberos database > >>> KrbException: Client not found in Kerberos database (6) > >>> ------------------------------------ > >>> I am using kerberos login module from JAAS for authentication. ?I have > >>> no issues authenticating the users that contains ASCII. ?I also > >>> checked the RFC-4120 and looks like the names to be ASCII-specific. > >>> Do I need a patch, to make my implementation support wide characters. > >>> Thanks, > >>> --Suma > >>> ________________________________________________ > >>> Kerberos mailing list ? ? ? ? ? Kerbe... at mit.edu > >>>https://mailman.mit.edu/mailman/listinfo/kerberos-Hide quoted text - > >> - Show quoted text - > > > ________________________________________________ > > Kerberos mailing list ? ? ? ? ? Kerbe... at mit.edu > >https://mailman.mit.edu/mailman/listinfo/kerberos- Hide quoted text - > > - Show quoted text - Hi, I was told by some folks that some of the organizations such as Microsoft, Oracle etc., have implemented a kerberos solution to authenticate users with multibyte characters. Is anyone aware of it? If I were to provide support to authenticate multibyte characters; do I need to not use MIT kerberos libraries. Please advice how do I go about? Thanks in advance, --Suma From Shahezad_Mirkar at bmc.com Thu Jul 16 11:38:02 2009 From: Shahezad_Mirkar at bmc.com (Mirkar, Shahezad) Date: Thu, 16 Jul 2009 21:08:02 +0530 Subject: Does Kerberos version 5 support i18n specifications? In-Reply-To: References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com> Message-ID: Dear suma, I don't think so Kerberos authentication supports multibyte, since its based on the principle which is nothing but Kerberos user and server name would never had multibyte in it....... Please correct me if m wrong. 
Thanks and Regards
Shahezad Mirkar

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of suma
Sent: Thursday, July 16, 2009 10:14 AM
To: kerberos at mit.edu
Subject: Re: Does Kerberos version 5 support i18n specifications?

On Jul 10, 10:25 am, Weijun Wang wrote:
> I don't know a solution. Java uses String.getBytes("ASCII") to encode
> the principal name. Unless your KDC also uses the same encoding, there's
> no workaround.
>
> Or, you can grab OpenJDK and create your own patch. :)
>
> Max
>
> suma wrote:
> > Thanks, Max for your reply. I appreciate it.
> >
> > Until we get a solution for i18n, how are folks out there solving the
> > issue of authenticating users that have multibyte characters. Is
> > there a workaround?
> >
> > Thanks in advance,
> > --Suma
> >
> > On Jul 10, 9:08 am, Weijun Wang wrote:
> >> No support and no patch, RFC 4120 says a solution will be in future
> >> revisions, and we're waiting.
> >>
> >> Thanks
> >> Max (of Sun Java team)
> >>
> >> suma wrote:
> >>> Hi,
> >>> I am unable to authenticate users with non-ASCII character names. The
> >>> error that I got for kinit was:
> >>> --------------------------------------
> >>> Exception: krb_error 6 Client not found in Kerberos database (6)
> >>> Client not found in Kerberos database
> >>> KrbException: Client not found in Kerberos database (6)
> >>> ------------------------------------
> >>> I am using kerberos login module from JAAS for authentication. I have
> >>> no issues authenticating the users that contain ASCII. I also
> >>> checked the RFC-4120 and it looks like the names are ASCII-specific.
> >>> Do I need a patch to make my implementation support wide characters?
> >>> Thanks,
> >>> --Suma

Hi,

I was told by some folks that some of the organizations such as
Microsoft, Oracle etc., have implemented a kerberos solution to
authenticate users with multibyte characters. Is anyone aware of it?
If I were to provide support to authenticate multibyte characters, do
I need to not use MIT kerberos libraries? Please advise how I should go
about it.

Thanks in advance,
--Suma

From tlyu at MIT.EDU Thu Jul 16 11:46:29 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 16 Jul 2009 11:46:29 -0400
Subject: Does Kerberos version 5 support i18n specifications?
In-Reply-To: (suma.s.gururaj@gmail.com's message of "Wed, 15 Jul 2009 21:44:22 -0700 (PDT)")
References: <701f458a-80ce-4475-bb7d-5165b00f5458@y7g2000yqa.googlegroups.com>
Message-ID:

suma writes:

> I was told by some folks that some of the organizations such as
> Microsoft, Oracle etc., have implemented a kerberos solution to
> authenticate users with multibyte characters. Is anyone aware of it?
> If I were to provide support to authenticate multibyte characters, do
> I need to not use MIT kerberos libraries? Please advise how I should go
> about it.

The Kerberos protocol (RFC 4120) allows only ASCII strings in principal
names. The earlier specification, RFC 1510, had an unconstrained
GeneralString type for principal names; this ASN.1 type has a specific
meaning (a certain subset of the ISO 2022 "shift" encoding schemes), but
early implementors misinterpreted the meaning of this type.
In practice, this meant that implementors, including MIT Kerberos, used
whatever character encoding was in effect in the operating environment,
whether that was UTF-8, ISO 8859-1, etc., thus creating an
interoperability problem. There is no easy resolution to this
interoperability problem.

If you have suggestions on how to improve this character encoding
situation, we will be pleased to consider them.

From dave at boostpro.com Sat Jul 18 13:21:01 2009
From: dave at boostpro.com (David Abrahams)
Date: Sat, 18 Jul 2009 13:21:01 -0400
Subject: kerberos+laptop
Message-ID:

Hi,

I'm trying to find out what's needed to make Kerberos work well on a
laptop that may run disconnected from its master KDC, and occasionally,
from everything (NIC turned off). In particular, a Mac laptop, which is
apparently already running an LKDC
(http://www.afp548.com/article.php?story=20080709091503862). I've done
all the googling, and got nothing conclusive. I mention the LKDC in part
because one of the few ideas I did find was to run a slave KDC on the
laptop, but I'm not sure whether that's even possible, given the
required presence of the LKDC.

Any help would be much appreciated, and I'd be happy to document
anything I learn in a public place so the next guy doesn't have to
pester this list about it.

Thanks in advance,

-- 
Dave Abrahams
BoostPro Computing
http://www.boostpro.com

From rra at stanford.edu Sat Jul 18 19:17:36 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sat, 18 Jul 2009 16:17:36 -0700
Subject: pam-krb5 3.14 released
Message-ID: <87ljmlh97z.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.14 of pam-krb5.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable
authorization handling, authentication of non-local accounts for network
services, password changing, and password expiration, as well as all the
standard expected PAM features.
It works correctly with OpenSSH, even with
ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
supports configuration either by PAM options or in krb5.conf or both.

Changes from previous release:

Return PAM_IGNORE instead of PAM_PERM_DENIED from pam_chauthtok for
ignored users. This allows making the Kerberos PAM module mandatory
for password changes and still falling back to other PAM modules for
ignored users. Thanks, Steve Langasek.

Always treat the empty password as an authentication failure rather
than passing it to the Kerberos libraries. The Kerberos libraries may
treat it as equivalent to no password and prompt for a password
without our knowledge, leading to the user authenticating with a
different password than the one stored in the PAM stack. This could
cause unexpected problems with some PAM configurations. It's safer to
make the assumption that the empty password is always invalid and
reject it outside of the Kerberos libraries. Thanks, Sanjay Sha.

Fix error handling if ticket cache initialization fails.
Authentication will still fail, but this avoids a segfault from a
double-free of the ticket cache structure. The most common cause of
this problem was having the attempt to initialize the ticket cache be
blocked by AppArmor. Thanks to Alex Mauer for the report.

Call krb5_free_error_string correctly, fixing a portability issue when
building against Heimdal. Thanks, Andrew Drake.

Work around a deficiency in pam_putenv on FreeBSD 7.2 that doesn't
allow deleting environment variables, only setting them to empty
values. Thanks, Andrew Elble.

You can download it from:

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already
listed in the TODO file.
-- 
Russ Allbery (rra at stanford.edu)

From linuxtrap at yahoo.co.in Sun Jul 19 11:33:44 2009
From: linuxtrap at yahoo.co.in (satish patel)
Date: Sun, 19 Jul 2009 21:03:44 +0530 (IST)
Subject: kerberos+laptop
In-Reply-To:
Message-ID: <612367.21904.qm@web94902.mail.in2.yahoo.com>

Dave

The only solution is a slave KDC. Not sure whether the KDC does any
caching for a while when the master is unavailable.

David Abrahams wrote:
> Hi,
> I'm trying to find out what's needed to make Kerberos work well on a
> laptop that may run disconnected from its master KDC, and occasionally,
> from everything (NIC turned off). In particular, a Mac laptop, which is
> apparently already running an LKDC
> (http://www.afp548.com/article.php?story=20080709091503862). I've done
> all the googling, and got nothing conclusive. I mention the LKDC in part
> because one of the few ideas I did find was to run a slave KDC on the
> laptop, but I'm not sure whether that's even possible, given the
> required presence of the LKDC.
> Any help would be much appreciated, and I'd be happy to document
> anything I learn in a public place so the next guy doesn't have to
> pester this list about it.
> Thanks in advance,
> --
> Dave Abrahams
> BoostPro Computing
> http://www.boostpro.com

From priya_zambre at tjx.com Sun Jul 19 11:41:11 2009
From: priya_zambre at tjx.com (priya_zambre@tjx.com)
Date: Sun, 19 Jul 2009 11:41:11 -0400
Subject: Kerberos data base bakup
Message-ID:

Hi All,

I want to migrate the kerberos database to a new box and retire the old
box. kdb5_util dump helps to take a backup, but I guess importing it on
the new box needs the KDC master password, which I don't have. So is
there any other way to migrate the existing database to the new box
without the master KDC password?
Appreciate your help

From jjasen at realityfailure.org Mon Jul 20 10:47:46 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Mon, 20 Jul 2009 10:47:46 -0400
Subject: kerberos+laptop
In-Reply-To:
References:
Message-ID: <4A648392.5030104@realityfailure.org>

David Abrahams wrote:
> Hi,
>
> I'm trying to find out what's needed to make Kerberos work well on a
> laptop that may run disconnected from its master KDC, and occasionally,
> from everything (NIC turned off). In particular, a Mac laptop, which is
> apparently already running an LKDC
> (http://www.afp548.com/article.php?story=20080709091503862). I've done
> all the googling, and got nothing conclusive. I mention the LKDC in part
> because one of the few ideas I did find was to run a slave KDC on the
> laptop, but I'm not sure whether that's even possible, given the
> required presence of the LKDC.
>
> Any help would be much appreciated, and I'd be happy to document
> anything I learn in a public place so the next guy doesn't have to
> pester this list about it.

If you create or change the user accounts to mobile accounts, won't OSC
cache the login credentials?

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

From jjasen at realityfailure.org Mon Jul 20 14:24:51 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Mon, 20 Jul 2009 14:24:51 -0400
Subject: kerberos+laptop
In-Reply-To: <34C306EA-C5DA-4418-892B-B9A5E6ED2800@boostpro.com>
References: <4A648392.5030104@realityfailure.org> <34C306EA-C5DA-4418-892B-B9A5E6ED2800@boostpro.com>
Message-ID: <4A64B673.5010208@realityfailure.org>

David Abrahams wrote:
>> If you create or change the user accounts to mobile accounts,
>
> I'm sorry, I don't know what that means. Kerberos has some formal
> notion of "mobile accounts?"
OSX supports a notion of something called "mobile accounts", which is
supposed to allow things like caching login credentials when they're
nowhere near an LDAP or AD server. I don't remember the exact method or
syntax, as I'm not really a mac guy.

>> won't OSC
>> cache the login credentials?
>
> Sorry for my ignorance, but I don't know what OSC is.

A typo, due to the C key being next to the X, and the user in question
not having enough coffee.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

From kerberos at noopy.org Mon Jul 20 14:23:42 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Mon, 20 Jul 2009 14:23:42 -0400
Subject: Kerberos auth against AD, keytabs, and service principal names
Message-ID:

I've been able to use ktpass.exe on the Windows (2003R2) side to
create working keytabs for my NFSv4 environment. I'd like to have
both host/ and nfs/ service principal names for each host.fqdn in my
(DNS) domain. To this end I ran 'setspn -A ...' to create a SPN for
host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
keytab for each of host/host.fqdn and nfs/host.fqdn.

Then I copied the keytabs to my Linux system and tested kinit for
host/host.fqdn and nfs/host.fqdn. kinit for nfs/host.fqdn worked but
kinit for host/host.fqdn *failed*. What?! Looking at my entries in
AD, it appears that ktpass.exe sets both userprincipal name and
serviceprincipal name to *the same thing* and merely adding SPNs to
the host.fqdn entry in AD doesn't fix the problem with kinit -- if
princ/host.fqdn doesn't exist in AD as a UPN. That is to say, only
UPNs are consulted when I kinit some princ/host.fqdn?

Is my assessment right about this? Is the only solution to have
multiple AD entries, one for each SPN you intend to support?
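Added example, not code posted by anyone in this thread and not ktutil's, ktpass's or msktutil's own implementation: it builds the keytab the replies to this question converge on (one file, one entry per SPN of a single AD account, every entry carrying the same key derived from the account password) and reads it back the way `klist -kt` would. The realm, host, SPNs, password and kvno are constructed sample values. RC4-HMAC (enctype 23) is used because its string-to-key takes no salt, so the "one password, one key for all SPNs" point is visible in the bytes; the MD4 routine is written out so the block runs without an OpenSSL legacy provider.

```python
"""Write and parse an MIT-format keytab with one entry per SPN, all sharing
the account key.  Sample realm/host/SPNs/password/kvno are constructed."""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 0x0502
ENCTYPE_RC4_HMAC = 23        # arcfour-hmac-md5
KRB5_NT_PRINCIPAL = 1        # name type of an ordinary service principal


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (the primitive behind the RC4-HMAC string-to-key)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                          # round 1
            a = rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2
            k = (0, 4, 8, 12)[i % 4] + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 over the UTF-16LE password, no salt, so every
    SPN on the account shares this exact key.  (AES enctypes salt with the
    account's realm and UPN, not the SPN, so the key is still per-account.)"""
    return md4(password.encode("utf-16-le"))


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b             # uint16 length + data


def keytab_entry(principal: str, key: bytes, enctype: int, kvno: int, stamp: int) -> bytes:
    """One entry: components, realm, name type, timestamp, vno8, keyblock, vno32."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, stamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                  # 32-bit kvno, used when present
    return struct.pack(">i", len(body)) + body


def build_service_keytab(realm: str, host: str, services, password: str, kvno: int = 2) -> bytes:
    """What 'ktutil addent' per SPN with the same password amounts to."""
    key = rc4_hmac_string_to_key(password)
    now = int(time.time())
    return KEYTAB_MAGIC + b"".join(
        keytab_entry(f"{svc}/{host}@{realm}", key, ENCTYPE_RC4_HMAC, kvno, now)
        for svc in services)


def parse_keytab(blob: bytes):
    """Walk the entries back out, skipping free (negative-size) slots."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def take(n):
        nonlocal pos
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    def counted():
        return take(struct.unpack(">H", take(2))[0])

    while pos < len(blob):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:                                 # deleted entry: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _stamp, vno8 = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        key = counted()
        kvno = struct.unpack(">I", take(4))[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


if __name__ == "__main__":
    kt = build_service_keytab("EXAMPLE.COM", "host.example.com", ["host", "nfs"], "sample-pw")
    for e in parse_keytab(kt):
        print(e["kvno"], e["principal"], "enctype", e["enctype"], e["key"].hex())
```

The two entries differ only in their principal component; the key bytes are identical, which is exactly why a later ktpass run (a password reset) invalidates every entry at once, and why the UPN, not the SPN list, is what the KDC matches on an AS-REQ.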
-- K

From dave at boostpro.com Mon Jul 20 12:24:02 2009
From: dave at boostpro.com (David Abrahams)
Date: Mon, 20 Jul 2009 12:24:02 -0400
Subject: kerberos+laptop
In-Reply-To: <4A648392.5030104@realityfailure.org>
References: <4A648392.5030104@realityfailure.org>
Message-ID: <34C306EA-C5DA-4418-892B-B9A5E6ED2800@boostpro.com>

On Jul 20, 2009, at 10:47 AM, John Jasen wrote:

> David Abrahams wrote:
>> Hi,
>>
>> I'm trying to find out what's needed to make Kerberos work well on a
>> laptop that may run disconnected from its master KDC, and
>> occasionally,
>> from everything (NIC turned off). In particular, a Mac laptop,
>> which is
>> apparently already running an LKDC
>> (http://www.afp548.com/article.php?story=20080709091503862). I've
>> done
>> all the googling, and got nothing conclusive. I mention the LKDC in
>> part
>> because one of the few ideas I did find was to run a slave KDC on the
>> laptop, but I'm not sure whether that's even possible, given the
>> required presence of the LKDC.
>>
>> Any help would be much appreciated, and I'd be happy to document
>> anything I learn in a public place so the next guy doesn't have to
>> pester this list about it.
>
> If you create or change the user accounts to mobile accounts,

I'm sorry, I don't know what that means. Kerberos has some formal
notion of "mobile accounts?"

> won't OSC
> cache the login credentials?

Sorry for my ignorance, but I don't know what OSC is.

-- 
David Abrahams
BoostPro Computing
http://boostpro.com

From ioplex at gmail.com Mon Jul 20 15:23:38 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Mon, 20 Jul 2009 15:23:38 -0400
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To:
References:
Message-ID: <78c6bd860907201223i71a5f16bx84a608b2fbc2c689@mail.gmail.com>

On Mon, Jul 20, 2009 at 2:23 PM, wrote:
> I've been able to use ktpass.exe on the Windows (2003R2) side to
> create working keytabs for my NFSv4 environment.
> I'd like to have
> both host/ and nfs/ service principal names for each host.fqdn in my
> (DNS) domain. To this end I ran 'setspn -A ...' to create a SPN for
> host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
> keytab for each of host/host.fqdn and nfs/host.fqdn.

Ktpass sets the password on an account and not an SPN. SPNs are linked
to an account. Meaning, each time you run ktpass.exe it invalidates
whatever keytab you generated with a previous invocation of ktpass.exe
so that's why it doesn't work.

> Then I copied the keytabs to my Linux system and tested kinit for
> host/host.fqdn and nfs/host.fqdn. kinit for nfs/host.fqdn worked but
> kinit for host/host.fqdn *failed*. What?! Looking at my entries in
> AD, it appears that ktpass.exe sets both userprincipal name and
> serviceprincipal name to *the same thing* and merely adding SPNs to
> the host.fqdn entry in AD doesn't fix the problem with kinit -- if
> princ/host.fqdn doesn't exist in AD as a UPN. That is to say, only
> UPNs are consulted when I kinit some princ/host.fqdn?

Ktpass is a very simple program and cannot be used for what you are
doing. You need to generate a single keytab with multiple entries - one
for each SPN. You can do this by setting the password on the service
account to a known value and then using ktutil to create a keytab with
multiple entries with principals for each SPN but with the same key.

Note that if you have PHP running somewhere there is a product called
Plexcel (one installation free for up to 25 users) that can generate
keytabs with an entry for each SPN in AD. The exact function is
described here:

http://www.ioplex.com/api/plexcel_gen_service_keytab.html

but you can also commandeer the included setup.php to do this without
writing any code. After you set the password in setup.php there will be
a keytab in the Plexcel tmp directory with an entry for each SPN in AD
for the account.
And you can create the service account and set the password entirely
from Plexcel.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From deengert at anl.gov Mon Jul 20 15:29:47 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 20 Jul 2009 14:29:47 -0500
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To:
References:
Message-ID: <4A64C5AB.7060205@anl.gov>

kerberos at noopy.org wrote:
> I've been able to use ktpass.exe on the Windows (2003R2) side to
> create working keytabs for my NFSv4 environment. I'd like to have
> both host/ and nfs/ service principal names for each host.fqdn in my
> (DNS) domain. To this end I ran 'setspn -A ...' to create a SPN for
> host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
> keytab for each of host/host.fqdn and nfs/host.fqdn.
>
> Then I copied the keytabs to my Linux system and tested kinit for
> host/host.fqdn and nfs/host.fqdn. kinit for nfs/host.fqdn worked but
> kinit for host/host.fqdn *failed*. What?! Looking at my entries in
> AD, it appears that ktpass.exe sets both userprincipal name and
> serviceprincipal name to *the same thing* and merely adding SPNs to
> the host.fqdn entry in AD doesn't fix the problem with kinit -- if
> princ/host.fqdn doesn't exist in AD as a UPN. That is to say, only
> UPNs are consulted when I kinit some princ/host.fqdn?
>
> Is my assessment right about this?

Pretty much.

An account in AD has a single password, single UPN and maybe multiple SPNs.
Kerberos keys are generated on the fly from the password.

A keytab has the SPN and the key.

When you kinit using a keytab to AD, you are using the SPN, but AD
is looking it up as a UPN.

Note that since there is only one password, all the SPNs share the same
key, and all enctypes use the same password to generate the keys.

> Is the only solution to have
> multiple AD entries, one for each SPN you intend to support?
That may not be so bad, as you may want different keys for different
principals. Just have a good account name naming convention for all
these accounts.

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From deengert at anl.gov Mon Jul 20 15:36:44 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 20 Jul 2009 14:36:44 -0500
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To: <4A64C5AB.7060205@anl.gov>
References: <4A64C5AB.7060205@anl.gov>
Message-ID: <4A64C74C.4050509@anl.gov>

P.S. Also see the msktutil program that uses OpenLDAP and Kerberos to
create and modify keytabs and AD accounts. The 0.3.16-7 version is a
Debian distribution that can work with AD2008 and create AES keys too:

http://download.systemimager.org/~finley/msktutil/

Douglas E. Engert wrote:
>
> kerberos at noopy.org wrote:
>> I've been able to use ktpass.exe on the Windows (2003R2) side to
>> create working keytabs for my NFSv4 environment. I'd like to have
>> both host/ and nfs/ service principal names for each host.fqdn in my
>> (DNS) domain. To this end I ran 'setspn -A ...' to create a SPN for
>> host/host.fqdn and nfs/host.fqdn and then I ran ktpass.exe to create a
>> keytab for each of host/host.fqdn and nfs/host.fqdn.
>>
>> Then I copied the keytabs to my Linux system and tested kinit for
>> host/host.fqdn and nfs/host.fqdn. kinit for nfs/host.fqdn worked but
>> kinit for host/host.fqdn *failed*. What?! Looking at my entries in
>> AD, it appears that ktpass.exe sets both userprincipal name and
>> serviceprincipal name to *the same thing* and merely adding SPNs to
>> the host.fqdn entry in AD doesn't fix the problem with kinit -- if
>> princ/host.fqdn doesn't exist in AD as a UPN. That is to say, only
>> UPNs are consulted when I kinit some princ/host.fqdn?
>>
>> Is my assessment right about this?
>
> Pretty much.
>
> An account in AD has a single password, single UPN and maybe multiple SPNs.
> Kerberos keys are generated on the fly from the password.
>
> A keytab has the SPN and the key.
>
> When you kinit using a keytab to AD, you are using the SPN, but AD
> is looking it up as a UPN.
>
> Note that since there is only one password, all the SPNs share the same
> key, and all enctypes use the same password to generate the keys.
>
>> Is the only solution to have
>> multiple AD entries, one for each SPN you intend to support?
>
> That may not be so bad, as you may want different keys for different
> principals. Just have a good account name naming convention for all
> these accounts.
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From kerberos at noopy.org Mon Jul 20 15:44:05 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Mon, 20 Jul 2009 15:44:05 -0400
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To: <78c6bd860907201223i71a5f16bx84a608b2fbc2c689@mail.gmail.com>
References: <78c6bd860907201223i71a5f16bx84a608b2fbc2c689@mail.gmail.com>
Message-ID:

Thanks for your message!

On Mon, Jul 20, 2009 at 3:23 PM, Michael B Allen wrote:
> On Mon, Jul 20, 2009 at 2:23 PM, wrote:
>> I've been able to use ktpass.exe on the Windows (2003R2) side to
>> create working keytabs for my NFSv4 environment. I'd like to have
[snip]
>
> Ktpass sets the password on an account and not an SPN. SPNs are linked
> to an account. Meaning, each time you run ktpass.exe it invalidates
> whatever keytab you generated with a previous invocation of ktpass.exe
> so that's why it doesn't work.

I'm pretty sure I didn't mention that passwords were related to the
SPN, so I apologize if I was misleading.

> Ktpass is a very simple program and cannot be used for what you are doing.

This much I am beginning to understand. :-)

> You need to generate a single keytab with multiple entries - one for
> each SPN.
> You can do this by setting the password on the service
> account to a known value and then using ktutil to create a keytab with
> multiple entries with principals for each SPN but with the same key.

Let's say for the sake of argument that I've already done this.

Scenario #1:

- I set a known password for the account.
- I set 2 SPNs for the account (host/host.fqdn, nfs/host.fqdn).
- I *didn't* set a UPN for the account.
- I hashed a keytab w/host and nfs principals.

** kinit fails in both cases and yes, I know the key is correct.

Scenario #2:

- I set a known password for the account.
- I set 2 SPNs for the account (host/host.fqdn, nfs/host.fqdn).
- I *set* a UPN for the account (host/host.fqdn at REALM).
- I hashed a keytab w/host and nfs principals.

** kinit works for host but NOT for nfs.

In the scenarios above, I believe the UPN is what's consulted in AD and
is done regardless of the contents of servicePrincipalName. In fact, I
believe servicePrincipalName is consulted exactly not at all. That was
really the gist of my original message.

> Note that if you have PHP running somewhere there is a product called
> Plexcel (one installation free for up to 25 users) that can generate
> keytabs with an entry for each SPN in AD. The exact function is
> described here:

I will definitely try this as I am curious to know what it's doing --
and what works -- versus what I'm doing and what's not working for me.

-- K

From kerberos at noopy.org Mon Jul 20 15:51:55 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Mon, 20 Jul 2009 15:51:55 -0400
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To: <4A64C5AB.7060205@anl.gov>
References: <4A64C5AB.7060205@anl.gov>
Message-ID:

On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert wrote:
> [snip]
>
> A keytab has the SPN and the key.

I know this much as I've been writing out my own keytabs. :-)

> When you kinit using a keytab to AD, you are using the SPN, but AD
> is looking it up as a UPN.
So this means servicePrincipalName is effectively useless in AD for
non-Windows systems, right -- in particular when you have X number of
principals in a keytab but only the one that matches the UPN will
work?

That's all I'm really trying to determine before...

>> Is the only solution to have multiple AD entries, one for each SPN you intend to support?
>
> That may not be so bad, as you may want different keys for different
> principals. Just have a good account name naming convention for all
> these accounts.

... I try to implement the above.

-- K

From deengert at anl.gov Mon Jul 20 16:10:51 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 20 Jul 2009 15:10:51 -0500
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To:
References: <4A64C5AB.7060205@anl.gov>
Message-ID: <4A64CF4B.5010202@anl.gov>

kerberos at noopy.org wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert wrote:
> [snip]
>> A keytab has the SPN and the key.
>
> I know this much as I've been writing out my own keytabs. :-)
>
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
>
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right

No. It is useless if you are trying to do a kinit, but not if you want
host/FQDN, HTTP/FQDN and ldap/FQDN to be the same for use as service
principals.

As Michael Allen said: "Ktpass is a very simple program and cannot be
used for what you are doing."

> -- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?
>
> That's all I'm really trying to determine before...
>
>>> Is the only solution to have multiple AD entries, one for each SPN you intend to support?
>> That may not be so bad, as you may want different keys for different
>> principals. Just have a good account name naming convention for all
>> these accounts.
>
> ... I try to implement the above.
>

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jjasen at realityfailure.org Mon Jul 20 16:28:31 2009
From: jjasen at realityfailure.org (John Jasen)
Date: Mon, 20 Jul 2009 16:28:31 -0400
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To:
References: <4A64C5AB.7060205@anl.gov>
Message-ID: <4A64D36F.20401@realityfailure.org>

kerberos at noopy.org wrote:
> On Mon, Jul 20, 2009 at 3:29 PM, Douglas E. Engert wrote:
> [snip]
>> A keytab has the SPN and the key.
>
> I know this much as I've been writing out my own keytabs. :-)
>
>> When you kinit using a keytab to AD, you are using the SPN, but AD
>> is looking it up as a UPN.
>
> So this means servicePrincipalName is effectively useless in AD for
> non-Windows systems, right -- in particular when you have X number of
> principals in a keytab but only the one that matches the UPN will
> work?

No. I asked questions along the same vein a while back:

Apparently you should be doing a kinit -S
serviceprincipalname/hostname.fqdn (ie: nfs/foo.noopy.org), to get a
service ticket for the appropriate service.

-- 
-- John E. Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

From kerberos at noopy.org Mon Jul 20 16:46:17 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Mon, 20 Jul 2009 16:46:17 -0400
Subject: Kerberos auth against AD, keytabs, and service principal names
In-Reply-To: <4A64D36F.20401@realityfailure.org>
References: <4A64C5AB.7060205@anl.gov> <4A64D36F.20401@realityfailure.org>
Message-ID:

On Mon, Jul 20, 2009 at 4:28 PM, John Jasen wrote:
> kerberos at noopy.org wrote:
>>
>> So this means servicePrincipalName is effectively useless in AD for
>> non-Windows systems, right -- in particular when you have X number of
>> principals in a keytab but only the one that matches the UPN will
>> work?
>
> No.
> I asked questions along the same vein a while back:
>
> Apparently you should be doing a kinit -S
> serviceprincipalname/hostname.fqdn (ie: nfs/foo.noopy.org), to get a
> service ticket for the appropriate service.

Ah ha! So this is the magic test I'd been misunderstanding. So now I
can do the following and everything works in the way I'd hope:

kinit -k -t /some/keytab princ/host.fqdn at REALM
kinit -S otherprinc/host.fqdn at REALM myprinc at REALM

Thanks everyone! (And yes, I agree that ktpass.exe isn't the right tool
for this job. msktutil would seem to work nicely in an environment where
one has admin access to AD.)

-- 
Nathan Patwardhan
"There should be a dating service for unusual-in-a-good-way people."
~~ Anne Kadet - http://www.noopy.org/quotes/q.cgi?tag=annedating

From rra at stanford.edu Tue Jul 21 12:40:27 2009
From: rra at stanford.edu (Russ Allbery)
Date: Tue, 21 Jul 2009 09:40:27 -0700
Subject: pam-krb5 3.15 released
Message-ID: <873a8q9eh0.fsf@windlord.stanford.edu>

I'm pleased to announce release 3.15 of pam-krb5. This is a pure
bug-fix release, fixing a crash in pam-krb5 in a particular PAM
configuration.

pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
It supports ticket refreshing by screen savers, configurable
authorization handling, authentication of non-local accounts for network
services, password changing, and password expiration, as well as all the
standard expected PAM features. It works correctly with OpenSSH, even
with ChallengeResponseAuthentication and PrivilegeSeparation enabled,
and supports configuration either by PAM options or in krb5.conf or
both.

Changes from previous release:

Fix a segfault (null pointer dereference) if pam-krb5 is configured
with use_first_pass or use_authtok and there is no password stored in
the PAM stack. Thanks to Jonathan Guthrie for the bug report.

You can download it from:

This package is maintained using Git; see the instructions on the above
page to access the Git repository.
Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already
listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From harris at ucdavis.edu Tue Jul 21 14:27:43 2009
From: harris at ucdavis.edu (John Harris)
Date: Tue, 21 Jul 2009 11:27:43 -0700
Subject: MIT KDC Password History Policies
Message-ID: <4A66089F.3010901@ucdavis.edu>

Greetings,

We'd like to manage our password history separately from the MIT KDC
implementation. It looks like the default history number the MIT KDC
keeps is one, but it is not settable to zero, even if we create new
policies. How do we remove this functionality from the MIT KDC?

John

From suma.s.gururaj at gmail.com Thu Jul 23 04:59:46 2009
From: suma.s.gururaj at gmail.com (suma)
Date: Thu, 23 Jul 2009 01:59:46 -0700 (PDT)
Subject: KrbException : Request is a replay
Message-ID:

Hi All,

I am unable to successfully authenticate a user in concurrent threads
from the same client. One of the threads fails with an error, while the
other requests are successful.

=========================
KrbException: request is a replay
=========================

Is the KDC thinking that it is a replay attack and discarding one of my
authentication requests?

I am using the kerberos login module from JAAS for authentication.

Appreciate your time,

Thanks in advance,
--Suma

From akhan at acoe.org Fri Jul 24 20:25:13 2009
From: akhan at acoe.org (Am Khan)
Date: Fri, 24 Jul 2009 17:25:13 -0700
Subject: New to Kerberos, need help with single sign on
Message-ID: <5E40738E35F8C6468E5526A3DC710EBE355343B5B3@MAILDATA.acoe.k12.ca.us>

Hi,

I have an instance of Sakai and uPortal running. Sakai is using the
Kerberos module to authenticate users using Kerberos. I would like to
have single sign on for both Sakai and uPortal and wonder how to set up
the servers for single sign on.
Thanks and regards
AK

From sxw at inf.ed.ac.uk Sun Jul 26 08:45:03 2009
From: sxw at inf.ed.ac.uk (Simon Wilkinson)
Date: Sun, 26 Jul 2009 13:45:03 +0100
Subject: GSSAPI Key Exchange Patch for OpenSSH 5.2p1
Message-ID: <629BA332-BB9F-41E0-BC9C-B9D87CD5F173@inf.ed.ac.uk>

Somewhat belatedly, I'm pleased to announce the availability of my
GSSAPI key exchange patches for OpenSSH 5.2p1. Apologies for the delay
in getting these out; a honeymoon, followed by the pressure of work,
made the first half of this year rather busy!

Whilst OpenSSH contains support for GSSAPI user authentication, this
still relies upon SSH host keys to authenticate the server to the user.
For sites with a deployed Kerberos infrastructure this adds an
additional, unnecessary, key management burden. GSSAPI key exchange
allows the use of security mechanisms such as Kerberos to authenticate
the server to the user, removing the need for trusted ssh host keys,
and allowing the use of a single security architecture.

This patch adds support for the RFC4462 GSSAPI key exchange mechanisms
to OpenSSH, along with adding some additional, generic, GSSAPI features.
It implements

*) gss-group1-sha1-*, gss-group14-sha1-* and gss-gex-sha1-* key
   exchange mechanisms. (#1242)
*) Support for the null host key type (#1242)
*) Support for CCAPI credentials caches on Mac OS X (#1245)
*) Support for better error handling when an authentication exchange
   fails due to server misconfiguration (#1244)
*) Support for GSSAPI connections to hosts behind a round-robin load
   balancer (#1008)
*) Support for GSSAPI connections to multi-homed hosts, where each
   interface has a unique name (#928)
*) Support for cascading credentials renewal

(bugzilla.mindrot.org bug numbers are in brackets)

Since the last release
----------------------

Greg Hudson, of the Kerberos Consortium, kindly performed a code review
of this patch at the beginning of the year. This release addresses a
number of minor issues he identified.
In addition a new option "GSSAPIClientIdentity" is implemented. This allows the user to set which GSSAPI identity should be used to contact a particular host - it will only work on systems whose Kerberos libraries support the concept of multiple identities (such as Mac OS X).

Cascading credentials renewal is now supported as part of the main patch.

As usual, the code is available from
http://www.sxw.org.uk/computing/patches/openssh.html

Two patches are available, one containing cascading credentials support, and one without. In addition, the quilt patch series that makes up this release is also provided, for those who wish to pick and choose!

Sorry once again for the delay, and thanks to all those who have been patiently waiting (and nagging) for me to get this out.

Cheers,

Simon.

From bryan-boone at msn.com Mon Jul 27 18:07:32 2009
From: bryan-boone at msn.com (Bryan Boone)
Date: Mon, 27 Jul 2009 15:07:32 -0700
Subject: noob question on where to start with Kerberos
Message-ID:

Hi everyone, I have a noob question for ya.

I need to develop a website for a company that uses kerberos login; the web server resides on a different server than the kerberos server. Unfortunately I cannot use the built-in PHP functions for kerberos, so I need to write my own C kerberos client as a PHP extension. Also, to eliminate possible man-in-the-middle attacks, I need to have the keytab file manually uploaded to the web server.

So this web page will simply authenticate the user's username and password and then pull that user's group name from the kerberos server (while having the keytab on the web server). There is no need to kerberize any application here. Also I will not be needing to cache tickets or pass any tickets here. I will use PHP sessions for the website. I just need the authentication side of kerberos once per user login on the website.

I read the O'Reilly Kerberos book and still have some questions.

My question is, what methods are best for accomplishing my task.
Can this be accomplished with the pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI? Which one would be easier for a noob?

thanks

_________________________________________________________________
Windows Live™ SkyDrive™: Store, access, and share your photos. See how.
http://windowslive.com/Online/SkyDrive?ocid=TXT_TAGLM_WL_CS_SD_photos_072009

From edward at murrell.co.nz Mon Jul 27 18:44:59 2009
From: edward at murrell.co.nz (Edward Murrell)
Date: Tue, 28 Jul 2009 10:44:59 +1200
Subject: noob question on where to start with Kerberos
In-Reply-To:
References:
Message-ID: <1248734700.27815.10.camel@entropy>

For Apache: http://modauthkerb.sourceforge.net/ should do everything you want already.

Also, since group information is not stored on a Kerberos server, I assume you're going to be looking up LDAP information. I have some code that simplifies this somewhat, if you are using RFC 2307 (posix/NIS) compliant LDAP schemas. Other people have already written (and, to be fair, support much better) php libraries for handling active directory LDAP lookups.

Cheers,
Edward Murrell

On Mon, 2009-07-27 at 15:07 -0700, Bryan Boone wrote:
> Hi everyone, I have a noob question for ya.
>
> I need to develop a website for a company that uses kerberos login; the web server resides on a different
> server than the kerberos server. Unfortunately I cannot use the built-in PHP functions for kerberos, so
> I need to write my own C kerberos client as a PHP extension. Also, to eliminate possible man-in-the-middle
> attacks, I need to have the keytab file manually uploaded to the web server.
>
> So this web page will simply authenticate the user's username and password and then pull that user's group name
> from the kerberos server (while having the keytab on the web server). There is no need to kerberize any
> application here. Also I will not be needing to cache tickets or pass any tickets here. I will use
> PHP sessions for the website.
> I just need the authentication side of kerberos once per user login on the website.
>
> I read the O'Reilly Kerberos book and still have some questions.
>
> My question is, what methods are best for accomplishing my task. Can this be accomplished with the
> pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI? Which one would be
> easier for a noob?
>
> thanks
>
> _________________________________________________________________
> Windows Live™ SkyDrive™: Store, access, and share your photos. See how.
> http://windowslive.com/Online/SkyDrive?ocid=TXT_TAGLM_WL_CS_SD_photos_072009
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From ioplex at gmail.com Mon Jul 27 19:00:11 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Mon, 27 Jul 2009 19:00:11 -0400
Subject: noob question on where to start with Kerberos
In-Reply-To:
References:
Message-ID: <78c6bd860907271600l4f113dc7peb995d4b6ac83878@mail.gmail.com>

On Mon, Jul 27, 2009 at 6:07 PM, Bryan Boone wrote:
>
> Hi everyone, I have a noob question for ya.
>
> I need to develop a website for a company that uses kerberos login; the web server resides on a different server than the kerberos server. Unfortunately I cannot use the built-in PHP functions for kerberos, so I need to write my own C kerberos client as a PHP extension.

Hi Bryan,

You don't need a full-blown kerberos client. For SSO you just need an "accept_sec_context" function that consumes the base64 encoded tokens supplied by the browser and emits base64 encoded tokens to send to the browser. This function would largely call GSSAPI's gss_accept_sec_context or Windows' AcceptSecurityContext. For explicit username / password based logins you just need to call krb5_get_init_creds_password.

However, it sounds like you're using Apache, in which case there are already a few modules that do GSSAPI authentication.
In particular there's mod_auth_kerb. You also mention PHP, in which case check out http://www.ioplex.com/plexcel.html which does everything you want and a whole lot more.

> Also, to eliminate possible man-in-the-middle attacks, I need to have the keytab file manually uploaded to the web server.

The keytab is required to participate in any form of Kerberos authentication. By MITM I believe you're referring to validating the client supplied ticket. There's a verify-something-or-other function in the krb5 API for this. I don't recall the name of it. Someone else will probably chime in with the name of it.

I don't know if mod_auth_kerb does explicit logins using krb5_get_init_creds_password.

> My question is, what methods are best for accomplishing my task. Can this be accomplished with the pam_krb5 api, the SASL for GSSAPI, or do I need to stick with native GSSAPI? Which one would be easier for a noob?

There are two methods. There is the explicit username and password based login as I mentioned, which would require using krb5_get_init_creds_password or, on Windows, I believe you would have to do InitSecurityContext and AcceptSecurityContext in a loop (is there a short cut for this?). But there is also something called SPNEGO (which IE and MS call "Negotiate"). SPNEGO is a Single Sign-On (SSO) form of authentication which ultimately means that, with a properly configured browser, the user goes straight in without entering a password at all. On corporate intranets this is a highly desirable feature.

You do not want to do anything with PAM or SASL.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From jarek at nospam.pl Thu Jul 30 07:40:43 2009
From: jarek at nospam.pl (jarek)
Date: Thu, 30 Jul 2009 13:40:43 +0200
Subject: Authenticating debian users against AD
Message-ID:

Hi all!

I've configured Debian with pam_krb5, and I can login using username and password to sshd. I've tried to use ticket login as well, and I have a problem with it.
As I understand it, I need a keytab file for this. But whenever I put krb5.keytab into /etc I can't login at all (even with password). auth.log says:

(pam_krb5): none: pam_sm_authenticate: entry (0x1)
(pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
(pam_krb5): apache: credential verification failed: Server not found in Kerberos database
(pam_krb5): apache: pam_sm_authenticate: exit (failure)
pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.181 user=apache

I've created a keytab for apache, which is used by libapache2-mod-auth-kerb, and it works - I can login with a kerberos ticket.

The keytab was created on a W2008 server with the following command:

ktpass -out host-nms.keytab -princ host/test-nms.test.local at TEST.LOCAL -mapuser host-test-nms at TEST.LOCAL -mapOp set -pass -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly

By the way, can someone tell me what this password in the ktpass command is for?

Best regards
J.

From jarek at nospam.pl Thu Jul 30 07:49:00 2009
From: jarek at nospam.pl (jarek)
Date: Thu, 30 Jul 2009 13:49:00 +0200
Subject: CISCO and kerberos
Message-ID:

Hi all!

I'd like to configure a CISCO Catalyst to use kerberos against an AD server (W2008). I'd like to login to the cisco using a ticket and telnet.krb5 from the krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm getting:

[ Kerberos V5 refuses authentication ]
kerberos_server_auth: Couldn't authenticate client from test-nms.test.local.

What can be wrong? Does someone have a working example of a CISCO config for such a scenario?

J.

From bodik at civ.zcu.cz Thu Jul 30 08:20:38 2009
From: bodik at civ.zcu.cz (bodik)
Date: Thu, 30 Jul 2009 14:20:38 +0200
Subject: Authenticating debian users against AD
In-Reply-To:
References:
Message-ID: <4A719016.3090003@civ.zcu.cz>

jarek wrote:
> Hi all!
>
> I've configured Debian with pam_krb5, and I can login using username and
> password to sshd.
> I've tried to use ticket login as well, and I have
> a problem with it. As I understand it, I need a keytab file for this. But
> whenever I put krb5.keytab into /etc I can't login at all (even with
> password). auth.log says:

And what's the content of your keytab? I think there has to be a host/@ key for ssh... Also, if you debug ssh access, try to start sshd in debug mode (`-d -vvv`) and the client as well (with -vvv); you get a lot of messages about what's going on.

> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
> (pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
> (pam_krb5): apache: credential verification failed: Server not found in
> Kerberos database

This states that you messed up some naming in user/principal usage? There is no such principal in the KDC (apache at TEST.LOCAL). I'm not sure, since I don't see the big picture.

Hope this helps ..

bodik

From deengert at anl.gov Thu Jul 30 10:34:06 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 30 Jul 2009 09:34:06 -0500
Subject: Authenticating debian users against AD
In-Reply-To:
References:
Message-ID: <4A71AF5E.8040900@anl.gov>

jarek wrote:
> Hi all!
>
> I've configured Debian with pam_krb5, and I can login using username and
> password to sshd. I've tried to use ticket login as well, and I have
> a problem with it. As I understand it, I need a keytab file for this. But
> whenever I put krb5.keytab into /etc I can't login at all (even with
> password). auth.log says:
>
> (pam_krb5): none: pam_sm_authenticate: entry (0x1)
> (pam_krb5): apache: attempting authentication as apache at TEST.LOCAL
> (pam_krb5): apache: credential verification failed: Server not found in
> Kerberos database
> (pam_krb5): apache: pam_sm_authenticate: exit (failure)
> pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0
> tty=ssh ruser= rhost=192.168.1.181 user=apache
>
> I've created a keytab for apache, which is used by
> libapache2-mod-auth-kerb, and it works - I can login with a kerberos ticket.
>
> The keytab was created on a W2008 server with the following command:
>
> ktpass -out host-nms.keytab -princ host/test-nms.test.local at TEST.LOCAL
> -mapuser host-test-nms at TEST.LOCAL -mapOp set -pass -crypto
> DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly

I don't think you are understanding what the ktpass is doing. You need a user or computer account in AD that will have a password, and (usually only one) servicePrincipalName. The -mapuser is the name of this account.

>
> By the way, can someone tell me what this password in the ktpass command is for?

The -pass option is used to change the password stored in the account, and to create the key in the keytab file. So you must be an AD admin to run this. (Unlike most KDCs, which store the key, AD generates the key on the fly from the stored password when a service ticket is created.) The password in AD and the key in the keytab must be kept in sync. The kvno in the keytab and the msDS-keyVersionNumber in the account must also match.

If you are going to be adding a lot of hosts to AD, have a look at the msktutil package. A debian version is available that works with W2008 and can generate AES keys too.

msktutil-0.3.16-7
http://download.systemimager.org/~finley/msktutil/

>
> Best regards
> J.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
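An added example for the "Authenticating debian users against AD" thread above; it is not code from the thread or from any of the tools named in it. bodik asks what the keytab actually contains and says sshd needs a host/ key, and Douglas notes that the kvno in the keytab has to match the account's msDS-keyVersionNumber. The usual way to look is `klist -k -e -t /etc/krb5.keytab`; the Python below reads the same MIT keytab on-disk format (version 0x0502 only, MIT's default, big-endian) and turns those two checks into functions that return findings. The sample keytab is constructed: the HTTP/ principal name for the mod_auth_kerb keytab, the key bytes and the timestamps are assumptions, while the host/ entry copies the name type and enctype from the ktpass command in the thread (KRB5_NT_PRINCIPAL, DES-CBC-MD5), which the check flags as weak, since AES keys are available through the msktutil Douglas mentions.

```python
"""Parse an MIT keytab and check what sshd's GSSAPI login needs from it.

Added example; not the thread's code nor any tool's. Sample data below is
constructed. Only keytab format 0x0502 (big-endian, MIT's default) is read.
"""
import struct

NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}      # single DES and RC4


def _counted_string(buf, off):
    """Read a keytab counted_octet_string: 16-bit length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Return a list of entry dicts (principal, name_type, timestamp, kvno, enctype, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # a negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno; non-zero overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": NAME_TYPES.get(name_type, name_type),
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_host_key(entries, fqdn, realm):
    """sshd's GSSAPI acceptor needs host/<fqdn>@<REALM>; report presence, kvnos, weak enctypes."""
    want = "host/%s@%s" % (fqdn, realm)
    matches = [e for e in entries if e["principal"] == want]
    return {"principal": want,
            "present": bool(matches),
            "kvnos": sorted({e["kvno"] for e in matches}),
            "weak_enctypes": sorted(ENCTYPES.get(e["enctype"], str(e["enctype"]))
                                    for e in matches if e["enctype"] in WEAK_ENCTYPES)}


def kvno_matches(entries, principal, account_kvno):
    """True if the keytab holds `principal` at the kvno the AD account reports
    (msDS-KeyVersionNumber, read separately over LDAP and passed in by the caller)."""
    return any(e["principal"] == principal and e["kvno"] == account_kvno for e in entries)


def _cstr(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_entry(realm, comps, name_type, timestamp, kvno, enctype, key):
    """Serialise one 0x0502 entry; used here only to construct sample input."""
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def sample_keytab():
    """Constructed keytab: an HTTP/ key (AES; the principal name is assumed), a
    deleted slot, and a host/ key as 'ktpass ... -crypto DES-CBC-MD5 +DesOnly'
    would write it (name type KRB5_NT_PRINCIPAL = 1, 8-byte DES key)."""
    return (b"\x05\x02"
            + build_entry("TEST.LOCAL", ["HTTP", "test-nms.test.local"], 1, 1248932443, 3, 18, b"\x11" * 32)
            + struct.pack(">i", -6) + b"\x00" * 6
            + build_entry("TEST.LOCAL", ["host", "test-nms.test.local"], 1, 1248932443, 2, 3, b"\x22" * 8))


if __name__ == "__main__":
    entries = parse_keytab(sample_keytab())
    for e in entries:
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    print(check_host_key(entries, "test-nms.test.local", "TEST.LOCAL"))
```

Point `parse_keytab` at the bytes of a real /etc/krb5.keytab and `check_host_key` tells you at once whether jarek's first problem is even possible to solve with that file: no host/<fqdn> entry means sshd's acceptor has no key to decrypt the client's AP-REQ with, whatever the HTTP/ key does for Apache. A present entry at a kvno that differs from msDS-keyVersionNumber (the `kvno_matches` check) fails in the same silent way after every ktpass or password reset on the account, which is the sync problem Douglas describes.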
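An added example for the "noob question on where to start with Kerberos" thread above; it is not code from the thread, from mod_auth_kerb, plexcel or libkrb5. The "verify-something-or-other" function Michael could not name is `krb5_verify_init_creds()`, and the man-in-the-middle Bryan wants to rule out by keeping a keytab on the web server is exactly what it defends against: for a password login the thing that needs validating is the KDC's reply, not a client ticket. A server that accepts a username and password as soon as the AS-REP decrypts is trusting whatever answered as the KDC. An attacker who can redirect the web server's KDC traffic (DNS, routing) answers with an AS-REP built from a password of their own choosing, the reply decrypts, and the server logs the attacker in as the victim. If the server also holds its own service key in a keytab, it can use the fresh TGT to fetch a service ticket for itself and check that the ticket decrypts with the keytab key; a rogue KDC cannot produce such a ticket because it does not know that key. The model below runs both exchanges offline; `seal`/`unseal` are an HMAC stand-in for the real enctypes (integrity only, which is the property the argument needs), and every principal, password, and key in it is constructed.

```python
"""Why a password check against Kerberos must also verify the KDC.

Added example, not code from the thread. Real Kerberos enctypes are replaced
by a toy HMAC-based 'seal' so the exchange runs offline; the principal names,
passwords and KDC databases are constructed.
"""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"
TGS = "krbtgt/%s@%s" % (REALM, REALM)


def string_to_key(password, salt):
    """Toy stand-in for Kerberos string-to-key (not a real enctype)."""
    return hashlib.sha256((salt + password).encode("utf-8")).digest()


def seal(key, fields):
    """Toy 'encryption': integrity only. Only a holder of `key` can produce a
    blob that unseal(key, ...) accepts, which is all the argument relies on."""
    body = json.dumps(fields, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return json.loads(body.decode("utf-8"))


class KDC:
    """A KDC is its principal database; a rogue KDC is one the attacker filled."""
    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, client):
        """AS-REQ/AS-REP: TGT under the krbtgt key, enc-part under the client key."""
        session = os.urandom(16).hex()
        tgt = seal(self.keys[TGS], {"client": client, "session": session})
        enc_part = seal(self.keys[client], {"session": session})
        return tgt, enc_part

    def tgs_exchange(self, tgt, server):
        """TGS-REQ/TGS-REP: service ticket sealed under the server's own key."""
        tgt_fields = unseal(self.keys[TGS], tgt)
        return seal(self.keys[server], {"client": tgt_fields["client"],
                                        "session": os.urandom(16).hex()})


def password_login(kdc, client, password, salt, keytab=None, service=None):
    """Return (accepted, reason).

    keytab=None accepts the user as soon as the AS-REP decrypts, i.e. it trusts
    whatever answered as the KDC. With a keytab it then fetches a ticket for
    `service` and requires it to decrypt with the keytab key, which is the
    check krb5_verify_init_creds() performs."""
    key = string_to_key(password, salt)
    tgt, enc_part = kdc.as_exchange(client)
    try:
        unseal(key, enc_part)
    except ValueError:
        return False, "wrong password: AS-REP did not decrypt"
    if keytab is None:
        return True, "AS-REP decrypted; KDC identity not verified"
    try:
        ticket = kdc.tgs_exchange(tgt, service)
        unseal(keytab[service], ticket)
    except (KeyError, ValueError):
        return False, "service ticket does not decrypt with the keytab key: untrusted KDC"
    return True, "password verified against a KDC that knows our keytab key"


def scenario():
    """Run the legitimate and the spoofed-KDC cases; returns acceptance per case."""
    user = "alice@" + REALM
    service = "host/www.%s@%s" % (REALM.lower(), REALM)
    salt = REALM + "alice"
    service_key = os.urandom(32)
    keytab = {service: service_key}           # what the web server keeps in its keytab
    real_kdc = KDC({user: string_to_key("correct horse", salt),
                    service: service_key, TGS: os.urandom(32)})
    # The attacker stands up a KDC that answers for the realm (DNS/IP spoofing)
    # and loads it with a password of their own choosing; it knows no real key.
    rogue_kdc = KDC({user: string_to_key("attacker-chosen", salt),
                     service: os.urandom(32), TGS: os.urandom(32)})
    return {
        "legit_unverified": password_login(real_kdc, user, "correct horse", salt)[0],
        "wrong_password": password_login(real_kdc, user, "guess", salt)[0],
        "spoofed_unverified": password_login(rogue_kdc, user, "attacker-chosen", salt)[0],
        "spoofed_verified": password_login(rogue_kdc, user, "attacker-chosen", salt,
                                           keytab, service)[0],
        "legit_verified": password_login(real_kdc, user, "correct horse", salt,
                                         keytab, service)[0],
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print("%-20s %s" % (case, "ACCEPTED" if accepted else "rejected"))
```

The "spoofed_unverified" case is the vulnerable pattern: the attacker is accepted as alice without ever knowing her password. In a real C extension the sequence is `krb5_get_init_creds_password()` followed by `krb5_verify_init_creds()` against the host's keytab; pam_krb5 does the same when the host key is present. Two caveats a practitioner should know: MIT's `verify_ap_req_nofail` setting defaults to false, so when no keytab key for the host is found the verification is skipped rather than failed, and it should be set to true in krb5.conf on a server that relies on this; and the keytab proves only that the KDC knows your service key, so anyone who can read the keytab file can impersonate the service, which is why it must not be readable by the web application's unprivileged workers.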