From lukeh at padl.com Sun Mar 1 02:38:40 2009
From: lukeh at padl.com (Luke Howard)
Date: Sun, 1 Mar 2009 18:38:40 +1100
Subject: FIPS certification
In-Reply-To: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
References: <4B9CCCB7-39A7-4783-8C2F-64DFCE1E36E0@amalfisystems.com>
Message-ID: <8724AEF7-CE79-48B9-8F62-890B230BA1B3@padl.com>

> I haven't completely analyzed MIT Kerberos, but I was wondering if
> it would be possible to get the MIT Kerberos subsystem to use the
> OpenSSL crypto API for any cryptographic support needed for Kerberos?

Novell did this, but I'm not sure if they ever released their changes,
or if it was done in such a way that it would be acceptable by MIT.

-- Luke

From jason at rampaginggeek.com Sun Mar 1 10:28:05 2009
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Sun, 01 Mar 2009 10:28:05 -0500
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <87wsb97sze.fsf@windlord.stanford.edu>
References: <49A9BDF2.6030402@rampaginggeek.com> <874oyeb0er.fsf@windlord.stanford.edu> <49AA11BA.3060509@rampaginggeek.com> <87wsb97sze.fsf@windlord.stanford.edu>
Message-ID: <49AAA985.2010106@rampaginggeek.com>

Russ Allbery wrote:
> Jason Edgecombe writes:
>
>> I guess setting things for renewable tickets longer than 7 days or
>> running the jobs in local disk will be easiest.
>>
>> We have a 7 day normal/renewable lifetime. What length do other sites
>> have?
>
> Seven days here as well. That's also our limit on how long we let compute
> jobs run on our normal timeshare systems. We're working on a batch
> queuing system that will use separate cron instances.
>
>> I might need to use the job scheduler approach, but that's a pain. I would
>> guess 10-20 people would want that ability. I either need to modify our
>> account maintenance processes or do it all manually.
>>
>> Has anyone automated the management of user.cron principals?
>> Unfortunately, I have had to tell people that they can't have an
>> infinite ticket lifetime. :P
>
> We've automated similar things here and there's some support for it in the
> kadmin-remctl package. I'm hoping to clean that up substantially at some
> point, but haven't had the time (and it's not in the top hundred on my
> priority list at the moment)

Adding extra principals would probably annoy my users and my boss.
Besides, it's not on my top 100 todo list either. I'll deal with it if
needed and just tell people to use local disk for storage or use screen
with weekly kinits.

Thanks to everyone for their help!

Sincerely,
Jason

From Nicolas.Williams at sun.com Mon Mar 2 13:54:58 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 2 Mar 2009 12:54:58 -0600
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <49AA11BA.3060509@rampaginggeek.com>
References: <49A9BDF2.6030402@rampaginggeek.com> <874oyeb0er.fsf@windlord.stanford.edu> <49AA11BA.3060509@rampaginggeek.com>
Message-ID: <20090302185458.GC9992@Sun.COM>

On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
> I guess setting things for renewable tickets longer than 7 days or
> running the jobs in local disk will be easiest.
>
> We have a 7 day normal/renewable lifetime. What length do other sites have?

I have seen sites use on the order of months for the renewable ticket
lifetime, but still hours for normal ticket lifetime. If you already
use seven days for renew life you might as well double it -- whatever
your threat model is, if you can accept seven days then chances are you
can accept fourteen.
Nico
--

From jason at rampaginggeek.com Mon Mar 2 21:02:59 2009
From: jason at rampaginggeek.com (Jason Edgecombe)
Date: Mon, 02 Mar 2009 21:02:59 -0500
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <20090302185458.GC9992@Sun.COM>
References: <49A9BDF2.6030402@rampaginggeek.com> <874oyeb0er.fsf@windlord.stanford.edu> <49AA11BA.3060509@rampaginggeek.com> <20090302185458.GC9992@Sun.COM>
Message-ID: <49AC8FD3.8000701@rampaginggeek.com>

Nicolas Williams wrote:
> On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
>
>> I guess setting things for renewable tickets longer than 7 days or
>> running the jobs in local disk will be easiest.
>>
>> We have a 7 day normal/renewable lifetime. What length do other sites have?
>
> I have seen sites use on the order of months for the renewable ticket
> lifetime, but still hours for normal ticket lifetime. If you already
> use seven days for renew life you might as well double it -- whatever
> your threat model is, if you can accept seven days then chances are you
> can accept fourteen.

Doubling it wouldn't really help. It would probably need to be on the
order of a month. If I were to change the renewable lifetime, I need to
change all principals, the client krb5.conf and the server kdc.conf. Is
that correct?
Thanks,
Jason

From Nicolas.Williams at sun.com Mon Mar 2 21:34:49 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Mon, 2 Mar 2009 20:34:49 -0600
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <49AC8FD3.8000701@rampaginggeek.com>
References: <49A9BDF2.6030402@rampaginggeek.com> <874oyeb0er.fsf@windlord.stanford.edu> <49AA11BA.3060509@rampaginggeek.com> <20090302185458.GC9992@Sun.COM> <49AC8FD3.8000701@rampaginggeek.com>
Message-ID: <20090303023449.GM9992@Sun.COM>

On Mon, Mar 02, 2009 at 09:02:59PM -0500, Jason Edgecombe wrote:
> Nicolas Williams wrote:
> >I have seen sites use on the order of months for the renewable ticket
> >lifetime, but still hours for normal ticket lifetime. If you already
> >use seven days for renew life you might as well double it -- whatever
> >your threat model is, if you can accept seven days then chances are you
> >can accept fourteen.
>
> Doubling it wouldn't really help. It would probably need to be on the
> order of a month. If I were to change the renewable lifetime, I need to
> change all principals, the client krb5.conf and the server kdc.conf. Is
> that correct?

Hmmm, not sure. The client ought to ask for infinity, but I don't think
that's the default, sadly. The kdc.conf parameters in question are best
not used -- you can use kadmin policies instead. Also, IIRC the TGS
principal's renew life puts a bound on all, IIRC, so generally you might
want to set principals' renewable ticket life to be very long, and use
the TGS principal as a big hammer.
Nico
--

From anguyen at redhat.com Mon Mar 2 22:18:40 2009
From: anguyen at redhat.com (Anh Nguyen)
Date: Mon, 02 Mar 2009 19:18:40 -0800
Subject: KDC Configuration Questions
In-Reply-To: <95A84443-839A-4E89-9809-149F097576C7@mit.edu>
References: <498C65ED.2080405@redhat.com> <95A84443-839A-4E89-9809-149F097576C7@mit.edu>
Message-ID: <49ACA190.7060607@redhat.com>

Ken Raeburn wrote:
> On Feb 6, 2009, at 11:31, Anh Nguyen wrote:
>> Hi,
>> Sorry for the following newbie questions, but thanks in advance for
>> your comments and suggestions:
>> 1. Could we set up multiple KDCs per single realm?
>
> Absolutely; at most sites I think it's the normal way of doing
> things. You just set up additional DNS SRV records for the realm, or
> (in the MIT client implementation) multiple "kdc = " lines in
> the config file. I think MIT's administration manual (or possibly
> installation manual, I haven't checked in a while) should describe both.
>
> With multiple SRV records, unless you set different priorities, the
> clients should try the KDCs in random order, thus spreading the load.
> With config file entries, for historical reasons, the client will try
> them in order, so the second only gets tried if a response doesn't
> come back from the first quickly enough, etc.
>
>> 2. Is it possible to set up multiple independent sets of KDC/realms
>> working against a single database managed by a directory server?
>
> If you use the LDAP database back end, yes, just point all the KDCs in
> a realm to the same LDAP server(s) and data. I'm pretty sure you
> could also do multiple realms in one LDAP directory, but I don't know
> what subtle issues might lie there; I'm more familiar with our more
> traditional Berkeley DB back end.
>
> Technically, with the Berkeley DB back end, you could probably set up
> multiple KDCs too, but all KDCs need access to the same DB files, and
> for security reasons they probably shouldn't be exported over the net,
> so you'd be talking about running multiple KDCs on one machine, which
> is not as useful if you're looking to improve availability in cases of
> machine failure.
>
>> 3. Is there a plan to multi-thread KDC?
>
> Well, that's an interesting question.... It's been discussed, since
> waiting for LDAP query results could make your KDC slow down. We've
> even had some code donated, but changing a sensitive security service
> like the KDC in such a drastic way makes a lot of people nervous for
> good reasons (ignoring the actual code we got -- going from a big
> single-threaded program with a bunch of global storage to a
> multi-threaded program with work queues between different parts is a
> significant restructuring and likely to have subtle problems), so
> we've held off on it for now, until we can take a better look at the
> issue and possible approaches.
>
> In the meantime, actually, that might be a good use case for running
> multiple KDC processes on one host. You could spread out the load
> somewhat, among, say, three processes on host A on different port
> numbers, and three processes on host B on different port numbers.
> You'd be relying on this load-sharing to reduce the problems from LDAP
> latency, so you'd really want to go with the SRV records rather than
> config file entries.
>
> I've got a couple other ideas about less drastic code changes we might
> be able to make to allow for some parallel processing, by forking the
> KDC process, but there are some interactions with the way we're
> handling network interfaces that need a little thought. If you're
> interested in working on some code, let me know. :-)
>
> Ken

Hi Ken,

I'd like to apologize for this very late reply.
Your mail was mistakenly filtered to a folder, which I just
coincidentally checked. Thank you very much for your explanation of the
potentials. Regarding the last one for improving concurrency I will
certainly relay the message to other teams, and will keep you posted.

Thanks again.
Anh-

From nikhilm at gs-lab.com Tue Mar 3 01:53:13 2009
From: nikhilm at gs-lab.com (Nikhil Mishra)
Date: Tue, 03 Mar 2009 12:23:13 +0530
Subject: fetching a TGT for service principal
Message-ID: <49ACD3D9.5020100@gs-lab.com>

Hi All,

I have recently developed this issue while configuring a Microsoft KDC
in mixed environments. My environment is a Unix client and server and a
Windows Server 2003 KDC. I have registered an SPN unix/a.b.c.d under a
user unix1 in the Windows KDC. I fetch a keytab using the ktpass standard
hotfix and I am sure it's not corrupt.

I was able to fetch a TGT for this service principal sometime back using:

    kinit -kt unix.keytab unix/a.b.c.d

I did some reconfigurations on the Windows DC and I am not able to fetch
this TGT anymore. I am getting the following error when this command
runs: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. Although, I am able to fetch a
service ticket for this principal at the same time using kvno.

We are able to fetch a TGT for a service principal on an MIT KDC. Is it
not allowed on Windows? But I was able to fetch a TGT before; I am not
sure if I was looking at something else?

Any help is appreciated.

Thanks
Nikhil

From zhaoyang.mao at gmail.com Tue Mar 3 08:47:26 2009
From: zhaoyang.mao at gmail.com (zhaoyang mao)
Date: Tue, 3 Mar 2009 21:47:26 +0800
Subject: can kdc and openldap server in the same server
Message-ID:

Can I use one machine as the KDC server and the OpenLDAP server?
From raeburn at MIT.EDU Tue Mar 3 09:13:45 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 3 Mar 2009 09:13:45 -0500
Subject: can kdc and openldap server in the same server
In-Reply-To:
References:
Message-ID: <4A415110-31D9-4305-B065-34226B48C377@mit.edu>

On Mar 3, 2009, at 08:47, zhaoyang mao wrote:
> Can I use one machine as the KDC server and the OpenLDAP server?

Certainly, that should work fine. Some people would suggest, though,
that you run different services on different machines so that an
accidental compromise of one doesn't impact the other (or at least not
as much).

Ken

From magbenitez at sellmytimesharenow.com Tue Mar 3 11:47:59 2009
From: magbenitez at sellmytimesharenow.com (Magdaleno Benitez)
Date: Tue, 03 Mar 2009 11:47:59 -0500
Subject: authentication
Message-ID: <49AD5F3F.9020104@sellmytimesharenow.com>

I had earlier posted about help with setting up Kerberos on a Windows
2003 Enterprise Server R2 x64. I think I get what is and have set it up
properly by using the group domain policy to enable and disable the
settings I want, and I had the KDC service also enabled and installed
IIS. I also have downloaded the MIT Kerberos for Windows client to test
PCs; being a newbie, can you please tell me what remains to be done?

From deengert at anl.gov Tue Mar 3 12:04:12 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 03 Mar 2009 11:04:12 -0600
Subject: authentication
In-Reply-To: <49AD5F3F.9020104@sellmytimesharenow.com>
References: <49AD5F3F.9020104@sellmytimesharenow.com>
Message-ID: <49AD630C.5040705@anl.gov>

Magdaleno Benitez wrote:
> I had earlier posted about help with setting up Kerberos on a Windows
> 2003 Enterprise Server R2 x64. I think I get what is and have set it up
> properly by using the group domain policy to enable and disable the
> settings I want, and I had the KDC service also enabled and installed
> IIS.
> I also have downloaded the MIT Kerberos for Windows client to test
> PCs; being a newbie, can you please tell me what remains to be done?

Do you mean you are asking about setting up the Kerberos that is part
of Active Directory? If so you will most likely not get an answer; you
would have better response on some AD or Samba list.

> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From frank.gruellich at navteq.com Tue Mar 3 12:47:16 2009
From: frank.gruellich at navteq.com (Frank Gruellich)
Date: Tue, 03 Mar 2009 18:47:16 +0100
Subject: Kerberos in Browser based Applications
Message-ID: <49AD6D24.1090001@navteq.com>

Hi,

I have set up a Kerberos realm. A user and a service (let's say a
database) are both included as principals in the KDC database and the
service restricts access to */dbuser at EXAMPLE.COM. User and service can
communicate perfectly using a database CLI at the user's machine.

Now these days CLIs aren't "state-of-the-art" anymore and $managers
refuse to use them. Let's throw a long discussion and platform
independent, Web2.0 ready and more buzzwords into the pot and we get the
need for a browser based web frontend to the service. And that's the
point where I do not get the full picture about Kerberos.

How would that work in a fully kerberized environment using all these
great features like single-sign-on and never transmitting a password
over the wire? For sure, I would have to add the webserver to the KDC
database, but what then? Would I add the webserver principal to the ACL
list of the service and add another authentication/authorization layer
into the web application?
Could I somehow forward the user's ticket for the service to the
webserver and make the application give it to the service, proving this
way that the user requested access to the service? That would keep all
authentication on the service side, but is it a good idea to give a
service ticket to another machine? Would that even work given that the
user's machine IP# is added to the tickets, AFAICS?

In the current setup the software involved are MIT Kerberos, an OpenLDAP
server as service, e.g. phpLDAPadmin as web application, Apache httpd
running it, and various browsers used to access it running on different
OS's. But I'm more interested in the general Kerberos idea of how to do
that. However, if you point me to specific software I should use in this
setup I would be happy, too.

Thanks in advance for some enlightenment.

Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman

From res at qoxp.net Tue Mar 3 18:20:19 2009
From: res at qoxp.net (Richard E. Silverman)
Date: Tue, 03 Mar 2009 18:20:19 -0500
Subject: Kerberos in Browser based Applications
References:
Message-ID:

>>>>> "FG" == Frank Gruellich writes:

FG> Hi, I have set up a Kerberos realm. A user and a service (let's
FG> say a database) are both included as principals in KDC database
FG> and the service restricts access to */dbuser at EXAMPLE.COM. User
FG> and service can communicate perfectly using a database CLI at the
FG> user's machine.

FG> Now these days CLIs aren't "state-of-the-art" anymore and
FG> $managers refuse to use them. Let's throw a long discussion and
FG> platform independent, Web2.0 ready and more buzzwords into the pot
FG> and we get the need for a browser based web frontend to the
FG> service.
FG> And that's the point where I do not get the full picture
FG> about Kerberos.

FG> How would that work in a fully kerberized environment using all
FG> these great features like single-sign-on and never transmitting a
FG> password over the wire? For sure, I would have to add the
FG> webserver to the KDC database, but what then? Would I add the
FG> webserver principal to the ACL list of the service and add another
FG> authentication/authorization layer into the web application?

FG> Could I somehow forward the users ticket for the service to the
FG> webserver and make the application to give it to the service
FG> proving this way that the user requested access to the service?

You can do this; it's called credential delegation, and it is supported
by this common Apache module for kerberized HTTP authentication:

http://modauthkerb.sourceforge.net/

But this is just the beginning. To get it to work, you must convince the
browser to perform the delegation, and this gets a bit complicated.
Firefox has a configuration variable,
network.negotiate-auth.delegation-uris, which controls which URLs are
eligible for delegation. If Firefox is using GSSAPI (e.g. on Unix or on
a Windows box with MIT Kerberos installed) then that's all you need. If
it's on Windows and using the native SSPI interface instead, then the
service ticket must have the OK-AS-DELEGATE flag set by the KDC (same
thing with IE). MIT Kerberos does not support this flag; I had to hack
the code to add support.

The alternative to OK-AS-DELEGATE is to set a registry bit on the
Windows client telling it to blanket delegate to the entire realm -- not
a good idea for two reasons: one, you don't want to give out your
credentials to just anyone, and two, performance. Normally, the client
goes to the KDC only once for a ticket to the web server, which it can
present without KDC involvement thereafter (until it expires). With
delegation, the browser obtains a delegated TGT *with every page fetch*.
Even worse, at least in my system, Windows mysteriously issues two
identical TGT requests, taking even longer.

Lest you think this is all rather far-fetched: I do have this working at
my site. :)

FG> That would keep all authentication on service side, but is it a
FG> good idea to give a service ticket to another machine? Would that
FG> even work given that the user's machine IP# is added to the
FG> tickets, AFAICS?

With delegation, the client requests a new TGT from the KDC, with the
server's IP address in it.

FG> In the current setup the software involved are MIT Kerberos, an
FG> OpenLDAP server as service, e.g. phpLDAPadmin as web application,
FG> Apache httpd running it, and various browsers used to access it
FG> running on different OS's. But I'm more interested in the general
FG> Kerberos idea how to do that. However, if you point me to
FG> specific software I should use in this setup I would be happy,
FG> too.

FG> Thanks in advance for some enlightenment.

FG> Kind regards,

--
Richard Silverman
res at qoxp.net

From paul.moore at centrify.com Tue Mar 3 20:34:54 2009
From: paul.moore at centrify.com (Paul Moore)
Date: Tue, 3 Mar 2009 17:34:54 -0800
Subject: Kerberos in Browser based Applications
In-Reply-To:
References:
Message-ID:

The main challenge is you need a database that supports Kerberos. Not
many do:

oracle -> yes, but you gotta pay extra and it's kinda funky
db2 -> yes, but kinda funky
mysql -> no (but people are working on it)
sybase -> no
postgres -> I think yes

The easiest is to use IIS and MSSQL - then it just works. IIS and MSSQL
are natively kerberized and support IE or Firefox or any other
kerberized browser.

From lorenl at north-winds.org Wed Mar 4 01:49:34 2009
From: lorenl at north-winds.org (Loren M. Lang)
Date: Tue, 03 Mar 2009 22:49:34 -0800
Subject: Using Smartcard with PK-INIT does not respond
Message-ID: <1236149374.13692.273.camel@ruth.aloha.tallye.com>

I am trying to enable smartcard logins to a MIT Kerberos domain using
the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
-DDEBUG. I have a server certificate installed on the KDC with the
extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
There is one intermediate certificate between it and the root CA.
Client certificates were generated similarly only with the
id_pkinit_KPClientAuth key usage and have two intermediates between it
and the same root CA. The client certificates are installed on a smart
card using opensc and are also enabled for the clientAuth key usage for
SSL client authentication. I also have intermediate CAs and the root CA
installed on the smart card as well. Firefox is able to see the smart
card including all intermediates and root CAs and is able to use it to
authenticate against a SSL website. Running kinit with debugging output
I was able to see that it was complaining that the smart card had four
matching certs. It did not filter out certificates missing the
appropriate key usages or missing subjectAltName, maybe that's typical.
I set up a pkinit_cert_match to filter out the other certificates and now
kinit reports finding exactly one match, but bails out later due to
missing intermediate certificates, so I set up pkinit_pool to point
to /etc/ssl/certs with appropriate certificates. It did not seem to use
the intermediates already on the smart card, is this normal? Now kinit
was complaining about some broken symlinks that exist
under /etc/ssl/certs and it bails out. Shouldn't these just be ignored?
These symlinks point to missing certificates that have nothing to do with
the pki infrastructure I am using, but once I moved the symlinks out of
the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
preauth data, but received no response. According to Wireshark,
following the initial AS-REQ with no preauth, the server responds with a
NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
and PA-PK-AS-REP. The client then sends a single IP fragment response.
The fragment has a payload of 1480 bytes with flag more fragments, but
no further fragments are sent. I have no firewall rules installed and
am at a loss as to why there are no more fragments.

--
Loren M. Lang
lorenl at north-winds.org
http://www.north-winds.org/

Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From kwcoffman at gmail.com Wed Mar 4 08:46:20 2009
From: kwcoffman at gmail.com (Kevin Coffman)
Date: Wed, 4 Mar 2009 08:46:20 -0500
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <1236149374.13692.273.camel@ruth.aloha.tallye.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com>
Message-ID: <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com>

On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang wrote:
> I am trying to enable smartcard logins to a MIT Kerberos domain using
> the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
> stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
> -DDEBUG. I have a server certificate installed on the KDC with the
> extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
> There is one intermediate certificate between it and the root CA.
> Client certificates were generated similarly only with the
> id_pkinit_KPClientAuth key usage and have two intermediates between it
> and the same root CA. The client certificates are installed on a smart
> card using opensc and are also enabled for the clientAuth key usage for
> SSL client authentication. I also have intermediate CAs and the root CA
> installed on the smart card as well. Firefox is able to see the smart
> card including all intermediates and root CAs and is able to use it to
> authenticate against a SSL website. Running kinit with debugging output
> I was able to see that it was complaining that the smart card had four
> matching certs. It did not filter out certificates missing the
> appropriate key usages or missing subjectAltName, maybe that's typical.
> I set up a pkinit_cert_match to filter out the other certificates and now
> kinit reports finding exactly one match, but bails out later due to
> missing intermediate certificates, so I set up pkinit_pool to point
> to /etc/ssl/certs with appropriate certificates. It did not seem to use
> the intermediates already on the smart card, is this normal?

Normal is subjective ;-) There is no code to deal with intermediates
or root CAs that might be found on the smartcard.

> Now kinit
> was complaining about some broken symlinks that exist
> under /etc/ssl/certs and it bails out. Shouldn't these just be ignored?

I thought anything that wasn't a cert was ignored w/o bailing, but
this might have been missed.

> These symlinks point to missing certificates that have nothing to do with
> the pki infrastructure I am using, but once I moved the symlinks out of
> the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
> preauth data, but received no response. According to Wireshark,
> following the initial AS-REQ with no preauth, the server responds with a
> NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> and PA-PK-AS-REP. The client then sends a single IP fragment response.
> The fragment has a payload of 1480 bytes with flag more fragments, but
> no further fragments are sent. I have no firewall rules installed and
> am at a loss as to why there are no more fragments.

I'm not sure what might be happening here. This would just be a
work-around, but is it possible for you to try using TCP rather than
UDP?

K.C.

From lorenl at north-winds.org Wed Mar 4 09:33:17 2009
From: lorenl at north-winds.org (Loren M. Lang)
Date: Wed, 04 Mar 2009 06:33:17 -0800
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com> <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com>
Message-ID: <1236177197.13692.2141.camel@ruth.aloha.tallye.com>

On Wed, 2009-03-04 at 08:46 -0500, Kevin Coffman wrote:
> On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang wrote:
> > I am trying to enable smartcard logins to a MIT Kerberos domain using
> > the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
> > stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
> > -DDEBUG. I have a server certificate installed on the KDC with the
> > extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
> > There is one intermediate certificate between it and the root CA.
> > Client certificates were generated similarly only with the
> > id_pkinit_KPClientAuth key usage and have two intermediates between it
> > and the same root CA. The client certificates are installed on a smart
> > card using opensc and are also enabled for the clientAuth key usage for
> > SSL client authentication. I also have intermediate CAs and the root CA
> > installed on the smart card as well. Firefox is able to see the smart
> > card including all intermediates and root CAs and is able to use it to
> > authenticate against a SSL website. Running kinit with debugging output
> > I was able to see that it was complaining that the smart card had four
> > matching certs. It did not filter out certificates missing the
> > appropriate key usages or missing subjectAltName, maybe that's typical.
> > I set up a pkinit_cert_match to filter out the other certificates and now
> > kinit reports finding exactly one match, but bails out later due to
> > missing intermediate certificates, so I set up pkinit_pool to point
> > to /etc/ssl/certs with appropriate certificates.
> > It did not seem to use the intermediates already on the smart card;
> > is this normal?
>
> Normal is subjective ;-) There is no code to deal with intermediates
> or root CAs that might be found on the smartcard.

Bad choice of words; I meant, how MIT's PK-INIT code is supposed to
behave. I was assuming that this functionality was supported by
OpenSSL/OpenSC and not MIT specifically.

> > Now kinit was complaining about some broken symlinks that exist
> > under /etc/ssl/certs and it bails out. Shouldn't these just be
> > ignored?
>
> I thought anything that wasn't a cert was ignored w/o bailing, but
> this might have been missed.
>
> > These symlinks point to missing certificates that have nothing to do
> > with the PKI infrastructure I am using, but once I moved the symlinks
> > out of the way, kinit continued and finally sent out an AS-REQ with
> > the PK-INIT preauth data, but received no response. According to
> > Wireshark, following the initial AS-REQ with no preauth, the server
> > responds with a NEEDED_PREAUTH error listing six preauth types
> > including PA-PK-AS-REQ and PA-PK-AS-REP. The client then sends a
> > single IP fragment response. The fragment has a payload of 1480 bytes
> > with the "more fragments" flag set, but no further fragments are
> > sent. I have no firewall rules installed and am at a loss as to why
> > there are no more fragments.
>
> I'm not sure what might be happening here. This would just be a
> work-around, but is it possible for you to try using TCP rather than
> UDP?

I enabled TCP support on my KDCs and netstat confirms they are listening
on them. I tried setting udp_preference_limit to 1480, 1000, and 50,
but kinit never uses TCP. I put udp_preference_limit both at the very
beginning and very end of my libdefaults section in krb5.conf and even
tried using copy/paste to double-check that I typed it correctly.

Also, kdc_tcp_ports is not documented in my kdc.conf man page. I had to
look in the info pages for it.

> K.C.

-- 
Loren M. Lang
lorenl at north-winds.org
http://www.north-winds.org/
Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From deengert at anl.gov Wed Mar 4 10:48:09 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 04 Mar 2009 09:48:09 -0600
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <1236149374.13692.273.camel@ruth.aloha.tallye.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com>
Message-ID: <49AEA2B9.2020001@anl.gov>

Loren M. Lang wrote:
> I am trying to enable smartcard logins to a MIT Kerberos domain using
> the recent PK-INIT preauth plugin. I am using Ubuntu 8.10 with its
> stock Kerberos 1.6.4 packages except for pkinit.so recompiled with
> -DDEBUG.

Be careful here. If you renamed the old pkinit.so and copied the new
one into the same directory, they might both get loaded! The plugin
code loads all the files it finds regardless of name.

> I have a server certificate installed on the KDC with the
> extended key usage id_pkinit_KPKdc and an appropriate subjectAltName.
> There is one intermediate certificate between it and the root CA.
> Client certificates were generated similarly, only with the
> id_pkinit_KPClientAuth key usage, and have two intermediates between
> them and the same root CA. The client certificates are installed on a
> smart card using opensc and are also enabled for the clientAuth key
> usage for SSL client authentication. I also have the intermediate CAs
> and the root CA installed on the smart card as well.
> Firefox is able to see the smart card including all intermediates and
> root CAs and is able to use it to authenticate against an SSL website.
> Running kinit with debugging output I was able to see that it was
> complaining that the smart card had four matching certs. It did not
> filter out certificates missing the appropriate key usages or missing
> subjectAltName; maybe that's typical.
> I set up a pkinit_cert_match to filter out the other certificates and
> now kinit reports finding exactly one match, but bails out later due to
> missing intermediate certificates, so I set up pkinit_pool to point
> to /etc/ssl/certs with appropriate certificates. It did not seem to use
> the intermediates already on the smart card; is this normal? Now kinit
> was complaining about some broken symlinks that exist
> under /etc/ssl/certs and it bails out. Shouldn't these just be ignored?
> These symlinks point to missing certificates that have nothing to do
> with the PKI infrastructure I am using, but once I moved the symlinks
> out of the way, kinit continued and finally sent out an AS-REQ with the
> PK-INIT preauth data, but received no response. According to Wireshark,
> following the initial AS-REQ with no preauth, the server responds with
> a NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> and PA-PK-AS-REP. The client then sends a single IP fragment response.
> The fragment has a payload of 1480 bytes with the "more fragments" flag
> set, but no further fragments are sent. I have no firewall rules
> installed and am at a loss as to why there are no more fragments.

As Kevin said, try TCP. udp_preference_limit = 1 will force use of TCP.

> ------------------------------------------------------------------------
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From lorenl at alzatex.com Wed Mar 4 10:08:41 2009
From: lorenl at alzatex.com (Loren M. Lang)
Date: Wed, 04 Mar 2009 07:08:41 -0800
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <1236177197.13692.2141.camel@ruth.aloha.tallye.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com> <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com> <1236177197.13692.2141.camel@ruth.aloha.tallye.com>
Message-ID: <1236179322.13692.2284.camel@ruth.aloha.tallye.com>

On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> On Wed, 2009-03-04 at 08:46 -0500, Kevin Coffman wrote:
> > On Wed, Mar 4, 2009 at 1:49 AM, Loren M. Lang wrote:
> > > I am trying to enable smartcard logins to a MIT Kerberos domain
> > > using the recent PK-INIT preauth plugin. I am using Ubuntu 8.10
> > > with its stock Kerberos 1.6.4 packages except for pkinit.so
> > > recompiled with -DDEBUG. I have a server certificate installed on
> > > the KDC with the extended key usage id_pkinit_KPKdc and an
> > > appropriate subjectAltName. There is one intermediate certificate
> > > between it and the root CA. Client certificates were generated
> > > similarly, only with the id_pkinit_KPClientAuth key usage, and have
> > > two intermediates between them and the same root CA. The client
> > > certificates are installed on a smart card using opensc and are
> > > also enabled for the clientAuth key usage for SSL client
> > > authentication. I also have the intermediate CAs and the root CA
> > > installed on the smart card as well. Firefox is able to see the
> > > smart card including all intermediates and root CAs and is able to
> > > use it to authenticate against an SSL website. Running kinit with
> > > debugging output I was able to see that it was complaining that the
> > > smart card had four matching certs.
> > > It did not filter out certificates missing the appropriate key
> > > usages or missing subjectAltName; maybe that's typical.
> > > I set up a pkinit_cert_match to filter out the other certificates
> > > and now kinit reports finding exactly one match, but bails out
> > > later due to missing intermediate certificates, so I set up
> > > pkinit_pool to point to /etc/ssl/certs with appropriate
> > > certificates. It did not seem to use the intermediates already on
> > > the smart card; is this normal?
> >
> > Normal is subjective ;-) There is no code to deal with intermediates
> > or root CAs that might be found on the smartcard.
>
> Bad choice of words; I meant, how MIT's PK-INIT code is supposed to
> behave. I was assuming that this functionality was supported by
> OpenSSL/OpenSC and not MIT specifically.
>
> > > Now kinit was complaining about some broken symlinks that exist
> > > under /etc/ssl/certs and it bails out. Shouldn't these just be
> > > ignored?
> >
> > I thought anything that wasn't a cert was ignored w/o bailing, but
> > this might have been missed.
> >
> > > These symlinks point to missing certificates that have nothing to
> > > do with the PKI infrastructure I am using, but once I moved the
> > > symlinks out of the way, kinit continued and finally sent out an
> > > AS-REQ with the PK-INIT preauth data, but received no response.
> > > According to Wireshark, following the initial AS-REQ with no
> > > preauth, the server responds with a NEEDED_PREAUTH error listing
> > > six preauth types including PA-PK-AS-REQ and PA-PK-AS-REP. The
> > > client then sends a single IP fragment response. The fragment has
> > > a payload of 1480 bytes with the "more fragments" flag set, but no
> > > further fragments are sent. I have no firewall rules installed and
> > > am at a loss as to why there are no more fragments.
> >
> > I'm not sure what might be happening here. This would just be a
> > work-around, but is it possible for you to try using TCP rather than
> > UDP?
>
> I enabled TCP support on my KDCs and netstat confirms they are
> listening on them. I tried setting udp_preference_limit to 1480, 1000,
> and 50, but kinit never uses TCP. I put udp_preference_limit both at
> the very beginning and very end of my libdefaults section in krb5.conf
> and even tried using copy/paste to double-check that I typed it
> correctly.

Never mind, I was using SRV records and had only installed _udp types.
Specifying the server in krb5.conf resolved that. Now, the error I am
getting is KRB5KRB_ERR_GENERIC: KDC_RETURN_PADATA.

> Also, kdc_tcp_ports is not documented in my kdc.conf man page. I had
> to look in the info pages for it.
>
> > K.C.

-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From lorenl at alzatex.com Wed Mar 4 10:24:30 2009
From: lorenl at alzatex.com (Loren M. Lang)
Date: Wed, 04 Mar 2009 07:24:30 -0800
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <1236177197.13692.2141.camel@ruth.aloha.tallye.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com> <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com> <1236177197.13692.2141.camel@ruth.aloha.tallye.com>
Message-ID: <1236180270.13692.2352.camel@ruth.aloha.tallye.com>

On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> > > These symlinks point to missing certificates that have nothing to
> > > do with the PKI infrastructure I am using, but once I moved the
> > > symlinks out of the way, kinit continued and finally sent out an
> > > AS-REQ with the PK-INIT preauth data, but received no response.
> > > According to Wireshark, following the initial AS-REQ with no
> > > preauth, the server responds with a NEEDED_PREAUTH error listing
> > > six preauth types including PA-PK-AS-REQ and PA-PK-AS-REP. The
> > > client then sends a single IP fragment response. The fragment has
> > > a payload of 1480 bytes with the "more fragments" flag set, but no
> > > further fragments are sent. I have no firewall rules installed and
> > > am at a loss as to why there are no more fragments.
> >
> > I'm not sure what might be happening here. This would just be a
> > work-around, but is it possible for you to try using TCP rather than
> > UDP?
>
> I enabled TCP support on my KDCs and netstat confirms they are
> listening on them. I tried setting udp_preference_limit to 1480, 1000,
> and 50, but kinit never uses TCP. I put udp_preference_limit both at
> the very beginning and very end of my libdefaults section in krb5.conf
> and even tried using copy/paste to double-check that I typed it
> correctly.

Never mind, I only had UDP SRV records published; now it's using TCP.
The error I am getting now is KRB5KRB_ERR_GENERIC with e-data:
KDC_RETURN_PADATA. The kdc log shows this relevant error:

Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Cannot allocate memory

There is no memory crunch on the server.

> Also, kdc_tcp_ports is not documented in my kdc.conf man page. I had
> to look in the info pages for it.
>
> > K.C.

-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From hardjono at MIT.EDU Wed Mar 4 12:00:29 2009
From: hardjono at MIT.EDU (Thomas Hardjono)
Date: Wed, 4 Mar 2009 12:00:29 -0500
Subject: Kerberos in Browser based Applications
In-Reply-To: <49AD6D24.1090001@navteq.com>
References: <49AD6D24.1090001@navteq.com>
Message-ID: <001301c99cea$b94a62b0$2bdf2810$@edu>

Frank,

Getting Kerberos to support single-sign-on on the Web (Web-SSO) has a
number of challenges. I'm not sure if the browsers today fully support
the trafficking of Kerberos tickets/tokens. The closest seems to be
HTTP-Negotiate, but I believe it also needs more work. There are a set
of drafts in the IETF that are trying to address some of these issues.
Then there is the question of how to get all this working with the
Identity Federation infrastructures.

ps. Kerb-on-the-web is one of the initiatives at the MIT-KC.
http://kerberos.org/software/kerbweb.pdf

cheers,

/thomas/

> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> Behalf Of Frank Gruellich
> Sent: Tuesday, March 03, 2009 12:47 PM
> To: kerberos at MIT.EDU
> Subject: Kerberos in Browser based Applications
>
> Hi,
>
> I have set up a Kerberos realm. A user and a service (let's say a
> database) are both included as principals in the KDC database and the
> service restricts access to */dbuser@EXAMPLE.COM. User and service can
> communicate perfectly using a database CLI at the user's machine.
>
> Now these days CLIs aren't "state-of-the-art" anymore and $managers
> refuse to use them.
> Let's throw a long discussion and platform independent, Web2.0 ready
> and more buzzwords into the pot and we get the need for a browser based
> web frontend to the service. And that's the point where I do not get
> the full picture about Kerberos.
>
> How would that work in a fully kerberized environment using all these
> great features like single-sign-on and never transmitting a password
> over the wire? For sure, I would have to add the webserver to the KDC
> database, but what then? Would I add the webserver principal to the ACL
> list of the service and add another authentication/authorization layer
> into the web application? Could I somehow forward the user's ticket for
> the service to the webserver and make the application give it to the
> service, proving this way that the user requested access to the
> service? That would keep all authentication on the service side, but is
> it a good idea to give a service ticket to another machine? Would that
> even work given that the user's machine IP# is added to the tickets,
> AFAICS?
>
> In the current setup the software involved are MIT Kerberos, an
> OpenLDAP server as service, e.g. phpLDAPadmin as web application,
> Apache httpd running it, and various browsers used to access it running
> on different OS's. But I'm more interested in the general Kerberos idea
> of how to do that. However, if you point me to specific software I
> should use in this setup I would be happy, too.
>
> Thanks in advance for some enlightenment.
>
> Kind regards,
> -- 
> Navteq (DE) GmbH
> Frank Gruellich
> Map24 Systems and Networks
>
> Duesseldorfer Strasse 40a
> 65760 Eschborn
> Germany
>
> Phone: +49 6196 77756-414
> Fax: +49 6196 77756-100
>
> USt-ID-No.: DE 197947163
> Managing Directors: Thomas Golob, Alexander Wiegand,
> Hans Pieter Gieszen, Martin Robert Stockman

From kwcoffman at gmail.com Wed Mar 4 12:16:32 2009
From: kwcoffman at gmail.com (Kevin Coffman)
Date: Wed, 4 Mar 2009 12:16:32 -0500
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <1236180270.13692.2352.camel@ruth.aloha.tallye.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com> <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com> <1236177197.13692.2141.camel@ruth.aloha.tallye.com> <1236180270.13692.2352.camel@ruth.aloha.tallye.com>
Message-ID: <4d569c330903040916n44e5067cgc14fdfb34deae684@mail.gmail.com>

On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang wrote:
> On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> > > > These symlinks point to missing certificates that have nothing
> > > > to do with the PKI infrastructure I am using, but once I moved
> > > > the symlinks out of the way, kinit continued and finally sent
> > > > out an AS-REQ with the PK-INIT preauth data, but received no
> > > > response. According to Wireshark, following the initial AS-REQ
> > > > with no preauth, the server responds with a NEEDED_PREAUTH error
> > > > listing six preauth types including PA-PK-AS-REQ and
> > > > PA-PK-AS-REP. The client then sends a single IP fragment
> > > > response. The fragment has a payload of 1480 bytes with the
> > > > "more fragments" flag set, but no further fragments are sent. I
> > > > have no firewall rules installed and am at a loss as to why
> > > > there are no more fragments.
> > >
> > > I'm not sure what might be happening here.
> > > This would just be a work-around, but is it possible for you to
> > > try using TCP rather than UDP?
> >
> > I enabled TCP support on my KDCs and netstat confirms they are
> > listening on them. I tried setting udp_preference_limit to 1480,
> > 1000, and 50, but kinit never uses TCP. I put udp_preference_limit
> > both at the very beginning and very end of my libdefaults section in
> > krb5.conf and even tried using copy/paste to double-check that I
> > typed it correctly.
>
> Never mind, I only had UDP SRV records published; now it's using TCP.
> The error I am getting now is KRB5KRB_ERR_GENERIC with e-data:
> KDC_RETURN_PADATA. The kdc log shows this relevant error:
>
> Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Cannot allocate memory
>
> There is no memory crunch on the server.

After a quick glance at the code, I don't see where ENOMEM is returned
in cases where it wasn't an allocation error. If you have output from
-DDEBUG, that might give us a clue of the problem.

K.C.

From john at iastate.edu Wed Mar 4 13:11:41 2009
From: john at iastate.edu (John Hascall)
Date: Wed, 04 Mar 2009 12:11:41 CST
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: Your message of Wed, 04 Mar 2009 12:16:32 -0500. <4d569c330903040916n44e5067cgc14fdfb34deae684@mail.gmail.com>
Message-ID: <18196.1236190301@malison.ait.iastate.edu>

> > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Cannot allocate memory
> > There is no memory crunch on the server.
> After a quick glance at the code, I don't see where ENOMEM is returned
> in cases where it wasn't an allocation error. If you have output from
> -DDEBUG, that might give us a clue of the problem.
Typically I find this happens where something has previously gone
amiss and "malloc" gets passed some absurd number.

John

From lorenl at alzatex.com Wed Mar 4 19:23:22 2009
From: lorenl at alzatex.com (Loren M. Lang)
Date: Wed, 04 Mar 2009 16:23:22 -0800
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <18196.1236190301@malison.ait.iastate.edu>
References: <18196.1236190301@malison.ait.iastate.edu>
Message-ID: <1236212602.13692.4522.camel@ruth.aloha.tallye.com>

On Wed, 2009-03-04 at 12:11 -0600, John Hascall wrote:
> > > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Cannot allocate memory
> > > There is no memory crunch on the server.
>
> > After a quick glance at the code, I don't see where ENOMEM is
> > returned in cases where it wasn't an allocation error. If you have
> > output from -DDEBUG, that might give us a clue of the problem.
>
> Typically I find this happens where something has previously gone
> amiss and "malloc" gets passed some absurd number.

The server and client are two different machines. I only modified the
client machine's pkinit.so and, yes, I did rename the old pkinit.so to
pkinit2.so in the same directory. Moving the original pkinit.so
completely out of lib as Douglas suggested did not fix it.

I ran strace -okdc.trace krb5kdc -n on the server. Looking through the
trace logs from the accept() of the preauth connection to write() I see
nothing suspicious and no ENOMEM errors. I see a bunch of read()s of my
AS-REQ, various accesses to principal* and a read() from /dev/urandom.
Nothing between accept() and the write() of the error message even
returns a negative number.

> John

-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/
Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From kwc at citi.umich.edu Thu Mar 5 13:26:26 2009
From: kwc at citi.umich.edu (Kevin Coffman)
Date: Thu, 5 Mar 2009 13:26:26 -0500
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <1236213612.13692.4599.camel@ruth.aloha.tallye.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com> <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com> <1236177197.13692.2141.camel@ruth.aloha.tallye.com> <1236180270.13692.2352.camel@ruth.aloha.tallye.com> <4d569c330903040916n44e5067cgc14fdfb34deae684@mail.gmail.com> <1236213612.13692.4599.camel@ruth.aloha.tallye.com>
Message-ID: <4d569c330903051026m1a5cfdefwee0d1cc740d1ef9c@mail.gmail.com>

On Wed, Mar 4, 2009 at 7:40 PM, Loren M. Lang wrote:
> On Wed, 2009-03-04 at 12:16 -0500, Kevin Coffman wrote:
> > On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang wrote:
> > > On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> > > > > > These symlinks point to missing certificates that have
> > > > > > nothing to do with the PKI infrastructure I am using, but
> > > > > > once I moved the symlinks out of the way, kinit continued
> > > > > > and finally sent out an AS-REQ with the PK-INIT preauth
> > > > > > data, but received no response. According to Wireshark,
> > > > > > following the initial AS-REQ with no preauth, the server
> > > > > > responds with a NEEDED_PREAUTH error listing six preauth
> > > > > > types including PA-PK-AS-REQ and PA-PK-AS-REP.
> > > > > > The client then sends a single IP fragment response. The
> > > > > > fragment has a payload of 1480 bytes with the "more
> > > > > > fragments" flag set, but no further fragments are sent. I
> > > > > > have no firewall rules installed and am at a loss as to why
> > > > > > there are no more fragments.
> > > > >
> > > > > I'm not sure what might be happening here. This would just be
> > > > > a work-around, but is it possible for you to try using TCP
> > > > > rather than UDP?
> > > >
> > > > I enabled TCP support on my KDCs and netstat confirms they are
> > > > listening on them. I tried setting udp_preference_limit to 1480,
> > > > 1000, and 50, but kinit never uses TCP. I put
> > > > udp_preference_limit both at the very beginning and very end of
> > > > my libdefaults section in krb5.conf and even tried using
> > > > copy/paste to double-check that I typed it correctly.
> > >
> > > Never mind, I only had UDP SRV records published; now it's using
> > > TCP. The error I am getting now is KRB5KRB_ERR_GENERIC with
> > > e-data: KDC_RETURN_PADATA. The kdc log shows this relevant error:
> > >
> > > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Cannot allocate memory
> > >
> > > There is no memory crunch on the server.
> >
> > After a quick glance at the code, I don't see where ENOMEM is
> > returned in cases where it wasn't an allocation error. If you have
> > output from -DDEBUG, that might give us a clue of the problem.
>
> After running the server with -DDEBUG, the answer became clear: it
> could not find the intermediate certificates either. I set up
> pkinit_pool and now I can log in with my smartcard. The error message
> that was produced in the log files was out of memory, but the debug
> output did mention that it could not find a local issuer. The
> pkinit_identity file I am using I produced similarly to the
> certificates I use for other services such as Apache and Sendmail.
> It contains the end-server certificate followed by intermediates with
> the root CA certificate at the bottom. I have found that the easiest
> way to deal with intermediates, but I guess the KDC only looks at the
> first certificate.
> Thanks for the follow-up, and sorry for the inconvenience.

If you could send me the debug output I would like to try and figure
out why it is returning the invalid error code.

K.C.

From wyllys.ingersoll at sun.com Thu Mar 5 14:44:39 2009
From: wyllys.ingersoll at sun.com (Wyllys Ingersoll)
Date: Thu, 05 Mar 2009 14:44:39 -0500
Subject: Kerberos in Browser based Applications
In-Reply-To: <49AD6D24.1090001@navteq.com>
References: <49AD6D24.1090001@navteq.com>
Message-ID: <49B02BA7.9000904@sun.com>

I documented using Kerberos with an Apache Web server and Firefox a
while ago (for Solaris 10), but the ideas are very similar for Linux or
non-Solaris as long as you stick with Apache, Firefox, and a Kerberos
package that is based on MIT's codebase.

http://blogs.sun.com/wyllys/entry/kerberos_web_authentiation_with_apache

The doc may be a bit out of date, but I believe most of the steps are
still correct and apply to newer releases of Solaris as well as Linux,
albeit with some slightly different pathnames and settings.

Just getting web-based authentication configured and working is only
the beginning, though. To extend the reach and the use of the tickets
to other processes (such as having the forwarded ticket then be used to
authenticate to other backend services on behalf of the user) would
require additional work for both the web server and the middleware that
it needs to talk to. Getting this to work with Tomcat or other web
servers will definitely require some additional effort and digging
around; I don't know what the current state of the art is in those
areas.

-Wyllys

Frank Gruellich wrote:
> Hi,
>
> I have set up a Kerberos realm.
A user and a service (let's say a > database) are both included as principals in KDC database and the > service restricts access to */dbuser at EXAMPLE.COM. User and service can > communicate perfectly using a database CLI at the users machine. > > Now these days CLIs aren't "state-of-the-art" anymore and $managers > refuse to use them. Let's throw a long discussion and platform > independent, Web2.0 ready and more buzzwords into the pot and we get the > need for a browser based web frontend to the service. And that's the > point where I do not get the full picture about Kerberos. > > How would that work in a fully kerberized environment using all these > great features like single-sign-on and never transmitting a password > over the wire? For sure, I would have to add the webserver to the KDC > database, but what then? Would I add the webserver principal to the ACL > list of the service and add another authentication/authorization layer > into the web application? Could I somehow forward the users ticket for > the service to the webserver and make the application to give it to the > service proving this way that the user requested access to the service? > That would keep all authentication on service side, but is it a good > idea to give a service ticket to another machine? Would that even work > given that the users machine IP# is added to the tickets, AFAICS? > > In the current setup the software involved are MIT Kerberos, an OpenLDAP > server as service, e.g. phpLDAPadmin as web application, Apache httpd > running it, and various browsers used to access it running on different > OS's. But I'm more interested in the general Kerberos idea how to do > that. However, if you point me to specific software I should use in > this setup I would be happy, too. > > Thanks in advance for some enlightenment. 
>
> Kind regards,

From lha at kth.se Thu Mar 5 15:28:47 2009
From: lha at kth.se (Love Hörnquist Åstrand)
Date: Thu, 05 Mar 2009 12:28:47 -0800
Subject: Kerberos in Browser based Applications
In-Reply-To: <49B02BA7.9000904@sun.com>
References: <49AD6D24.1090001@navteq.com> <49B02BA7.9000904@sun.com>
Message-ID:

http://devel.it.su.se/pub/jsp/polopoly.jsp?d=1047

For tomcat, jboss, java-common, ruby examples of how to get it working.

Love

5 mar 2009 kl. 11:44 skrev Wyllys Ingersoll:
>
> I documented using Kerberos with an Apache Web server and Firefox a
> while ago (for Solaris 10), but the ideas are very similar for Linux
> or non-Solaris as long as you stick with Apache, Firefox, and a
> Kerberos package that is based on MIT's codebase.
>
> http://blogs.sun.com/wyllys/entry/kerberos_web_authentiation_with_apache
>
> The doc may be a bit out of date, but I believe most of the steps are
> still correct and apply to newer releases of Solaris as well as Linux,
> albeit with some slightly different pathnames and settings.
>
> Just getting web-based authentication configured and working is only
> the beginning, though. To extend the reach and the use of the tickets
> to other processes (such as having the forwarded ticket then be used
> to authenticate to other backend services on behalf of the user) would
> require additional work for both the web server and the middleware
> that it needs to talk to. Getting this to work with Tomcat or other
> web servers will definitely require some additional effort and digging
> around; I don't know what the current state of the art is in those
> areas.
>
> -Wyllys
>
>
> Frank Gruellich wrote:
>> Hi,
>>
>> I have set up a Kerberos realm. A user and a service (let's say a
>> database) are both included as principals in the KDC database and the
>> service restricts access to */dbuser at EXAMPLE.COM. User and service
>> can communicate perfectly using a database CLI at the user's machine.
>>
>> Now these days CLIs aren't "state-of-the-art" anymore and $managers
>> refuse to use them. Let's throw a long discussion and platform
>> independent, Web2.0 ready and more buzzwords into the pot and we
>> get the need for a browser based web frontend to the service. And
>> that's the point where I do not get the full picture about Kerberos.
>>
>> How would that work in a fully kerberized environment using all these
>> great features like single-sign-on and never transmitting a password
>> over the wire? For sure, I would have to add the webserver to the
>> KDC database, but what then? Would I add the webserver principal to
>> the ACL list of the service and add another authentication/authorization
>> layer into the web application? Could I somehow forward the user's
>> ticket for the service to the webserver and make the application give
>> it to the service, proving this way that the user requested access to
>> the service? That would keep all authentication on the service side,
>> but is it a good idea to give a service ticket to another machine?
>> Would that even work given that the user's machine IP# is added to
>> the tickets, AFAICS?
>>
>> In the current setup the software involved is MIT Kerberos, an
>> OpenLDAP server as service, e.g. phpLDAPadmin as web application,
>> Apache httpd running it, and various browsers used to access it
>> running on different OS's. But I'm more interested in the general
>> Kerberos idea of how to do that. However, if you point me to specific
>> software I should use in this setup I would be happy, too.
>>
>> Thanks in advance for some enlightenment.
>>
>> Kind regards,
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From lorenl at alzatex.com Wed Mar 4 19:40:12 2009
From: lorenl at alzatex.com (Loren M. Lang)
Date: Wed, 04 Mar 2009 16:40:12 -0800
Subject: Using Smartcard with PK-INIT does not respond
In-Reply-To: <4d569c330903040916n44e5067cgc14fdfb34deae684@mail.gmail.com>
References: <1236149374.13692.273.camel@ruth.aloha.tallye.com> <4d569c330903040546q7e3a1765nd7e697b5a6bd4a5a@mail.gmail.com> <1236177197.13692.2141.camel@ruth.aloha.tallye.com> <1236180270.13692.2352.camel@ruth.aloha.tallye.com> <4d569c330903040916n44e5067cgc14fdfb34deae684@mail.gmail.com>
Message-ID: <1236213612.13692.4599.camel@ruth.aloha.tallye.com>

On Wed, 2009-03-04 at 12:16 -0500, Kevin Coffman wrote:
> On Wed, Mar 4, 2009 at 10:24 AM, Loren M. Lang wrote:
> > On Wed, 2009-03-04 at 06:33 -0800, Loren M. Lang wrote:
> >> >
> >> > > These symlinks point to missing certificates that have nothing to do with
> >> > > the pki infrastructure I am using, but once I moved the symlinks out of
> >> > > the way, kinit continued and finally sent out an AS-REQ with the PK-INIT
> >> > > preauth data, but received no response. According to Wireshark,
> >> > > following the initial AS-REQ with no preauth, the server responds with a
> >> > > NEEDED_PREAUTH error listing six preauth types including PA-PK-AS-REQ
> >> > > and PA-PK-AS-REP. The client then sends a single IP fragment response.
> >> > > The fragment has a payload of 1480 bytes with flag more fragments, but
> >> > > no further fragments are sent. I have no firewall rules installed and
> >> > > am at a loss as to why there are no more fragments.
> >> >
> >> > I'm not sure what might be happening here. This would just be a
> >> > work-around, but is it possible for you to try using TCP rather than
> >> > UDP?
> >>
> >> I enabled TCP support on my KDCs and netstat confirms they are listening
> >> on them. I tried setting udp_preference_limit to 1480, 1000, and 50,
> >> but kinit never uses TCP.
> >> I put udp_preference_limit both at the very
> >> beginning and very end of my libdefaults section in krb5.conf and even
> >> tried using copy/paste to double check that I typed it correctly.
> >
> > Never mind, I only had UDP SRV records published, now it's using TCP.
> > The error I am getting now is KRB5KRB_ERR_GENERIC with e-data:
> > KDC_RETURN_PADATA. The kdc log shows this relevant error:
> >
> > Mar 04 07:04:13 server krb5kdc[18148](info): AS_REQ (7 etypes {18 17 16
> > 23 1 3 2}) 192.168.1.237: KDC_RETURN_PADATA: user at EXAMPLE.COM for
> > krbtgt/EXAMPLE.COM at EXAMPLE.COM, Cannot allocate memory
> >
> > There is no memory crunch on the server.
>
> After a quick glance at the code, I don't see where ENOMEM is returned
> in cases where it wasn't an allocation error. If you have output from
> -DDEBUG, that might give us a clue of the problem.

After running the server with -DDEBUG, the answer became clear: it could not find the intermediate certificates either. I set up pkinit_pool and now I can log in with my smartcard.

The error message that was produced in the log files was out of memory, but the debug output did mention that it could not find a local issuer.

The pkinit_identity file I am using I produced similar to the certificates I use for other services such as Apache and Sendmail. It contains the end-server certificate followed by intermediates with the root CA certificate at the bottom. I have found that to be the easiest way to deal with intermediates, but I guess the KDC only looks at the first certificate.

>
> K.C.
>

--
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B
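Loren's fix above amounts to splitting one Apache-style chain file (KDC certificate, then intermediates, then root) into two MIT PKINIT inputs: the first certificate (with its key) for pkinit_identity, and the issuing chain for pkinit_pool. The following script does that split; it is an added example, not code from this thread or from MIT Kerberos, and it assumes only what the message reports, namely that the KDC takes the first certificate from the identity file and looks up intermediates in pkinit_pool. The PEM bodies in the embedded sample are constructed placeholder bytes, not real DER certificates; only the framing and ordering matter here.

```python
"""Split an Apache-style PEM chain into MIT PKINIT identity and pool files.

Intended kdc.conf usage (paths are assumptions, not from the thread):
    pkinit_identity = FILE:/etc/krb5kdc/kdc.pem      # key + first certificate
    pkinit_pool     = FILE:/etc/krb5kdc/ca-pool.pem  # intermediates and root
"""

import base64
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Yield (label, decoded_bytes) for each PEM block in file order.

    The base64 is validated strictly so that a damaged bundle raises
    ValueError instead of a block being silently dropped."""
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        raw = base64.b64decode("".join(body.split()), validate=True)
        yield label, raw


def pem_encode(label, raw):
    """Re-emit one block as PEM with 64-column base64 lines."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def split_pem_bundle(bundle_text):
    """Return (identity_pem, pool_pem).

    identity_pem: every non-certificate block (the private key) plus the
                  FIRST certificate, which is the KDC's own.
    pool_pem:     every remaining certificate (intermediates, root).
    Raises ValueError if the bundle contains no certificate at all."""
    certs, others = [], []
    for label, raw in pem_blocks(bundle_text):
        (certs if label == "CERTIFICATE" else others).append((label, raw))
    if not certs:
        raise ValueError("bundle contains no CERTIFICATE block")
    identity = "".join(pem_encode(label, raw) for label, raw in others)
    identity += pem_encode(*certs[0])
    pool = "".join(pem_encode(label, raw) for label, raw in certs[1:])
    return identity, pool


def certificate_bodies(pem_text):
    """Decoded bodies of the CERTIFICATE blocks, in file order (for checks)."""
    return [raw for label, raw in pem_blocks(pem_text) if label == "CERTIFICATE"]


# Constructed sample input: placeholder bytes stand in for DER certificates.
LEAF = b"kdc.example.com certificate (constructed)"
INTERMEDIATE = b"intermediate CA certificate (constructed)"
ROOT = b"root CA certificate (constructed)"
SAMPLE_BUNDLE = (
    pem_encode("RSA PRIVATE KEY", b"kdc private key (constructed)")
    + pem_encode("CERTIFICATE", LEAF)
    + pem_encode("CERTIFICATE", INTERMEDIATE)
    + pem_encode("CERTIFICATE", ROOT)
)

if __name__ == "__main__":
    identity, pool = split_pem_bundle(SAMPLE_BUNDLE)
    print("pkinit_identity: %d certificate(s)" % len(certificate_bodies(identity)))
    print("pkinit_pool:     %d certificate(s)" % len(certificate_bodies(pool)))
```

Run it against a real chain file by replacing SAMPLE_BUNDLE with the file's contents and writing the two returned strings to the paths named in kdc.conf; the KDC's own certificate must come first in the input, exactly as in an Apache chain file.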
From dkelson at gurulabs.com Thu Mar 5 19:03:12 2009
From: dkelson at gurulabs.com (Dax Kelson)
Date: Thu, 05 Mar 2009 17:03:12 -0700
Subject: Creating a Kerberos user principal using LDAP
Message-ID: <1236297792.3378.39.camel@mentor.gurulabs.com>

Given a KDC using the LDAP backend, has anyone created a stand-alone tool to create user principals by directly adding an LDAP entry?

Apparently the difficulty is correctly creating the ASN.1 encoded key attribute (krbPrincipalkey), which is harder still because of the need to encrypt it using the master key (krbMKey).

In the LDAP world, it isn't unusual that the password attribute value is generated with a special tool (unless the plaintext password is used).

I think two tools would be interesting.

1. A tool that only spits out the krbPrincipalkey attribute on STDOUT.
2. A tool that creates the whole user principal including the krbPrincipalkey.

More specifically, I would like some perl or python code that I can include in a larger project.

If neither tool has been created, there is code from the FreeIPA project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that fetches the master key and properly creates the ASN.1 encoded key. That code could be used as a starting point or inspiration.

Dax Kelson
Guru Labs

From petesea at bigfoot.com Fri Mar 6 13:43:55 2009
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Fri, 06 Mar 2009 10:43:55 -0800 (PST)
Subject: Finding the version of kinit/klist
Message-ID:

Is there any way to determine the version of kinit or klist?

For whatever reason, none of the kerberos commands support a "--version" option other than the krb5-config command. Unfortunately, krb5-config isn't always available. At least on Redhat systems it's part of the development package, which isn't always installed.
Is there any other way to determine the version of kinit?

On systems supporting RPM I can use rpm to find the version of the package that contains kinit, but that means finding the version is system dependent.

PS. I REALLY wish the Kerberos developers would add a "--version" option to all the commands... or at least the most common ones (kinit/klist/kdestroy/kpasswd)... or at an absolute minimum - kinit.

From weijun.wang at sun.com Thu Mar 5 21:29:17 2009
From: weijun.wang at sun.com (weijun.wang@sun.com)
Date: Thu, 5 Mar 2009 18:29:17 -0800 (PST)
Subject: WS-Security and GSS-API: How do I get the session key?
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu>
Message-ID:

Hi Luke

On Feb 24, 9:36 pm, Luke Howard wrote:
> > I don't recall offhand if there's been an IETF draft proposing the
> > specific extension we've got for extracting the session key.
>
>    major = gss_inquire_sec_context_by_oid(&minor,
>                                           ctx,
>                                           GSS_C_INQ_SSPI_SESSION_KEY,
>                                           &skey);

Cool, we (Java SE Team at Sun) are also preparing to add a new method getSessionKey() to OpenJDK's JGSS-API for Java EE needs.

BTW, I read the krb5-1.7 code and notice you're supporting some other OIDs for this new function:

KRB5_GET_TKT_FLAGS
KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
KRB5_EXPORT_LUCID_SEC_CONTEXT
KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT

I wonder how widely they are required and whether we should also support them. Can you give me some background info?
Thanks
Weijun

From michael at stroeder.com Fri Mar 6 07:44:30 2009
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 06 Mar 2009 13:44:30 +0100
Subject: Creating a Kerberos user principal using LDAP
In-Reply-To:
References:
Message-ID:

Dax Kelson wrote:
> If neither tool has been created, there is code from the FreeIPA
> project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that
> fetches the master key and properly creates the ASN.1 encoded key. That
> code could be used as a starting point or inspiration.

Security-wise, catching the modify password extended operation at the LDAP server's side is IMHO the right thing to do. FreeIPA does that for Fedora Directory Server as backend for a MIT KDC. The overlay smbk5pwd does it for OpenLDAP as backend for a Heimdal KDC.

Ciao, Michael.

From deengert at anl.gov Fri Mar 6 14:28:04 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 06 Mar 2009 13:28:04 -0600
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To:
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu>
Message-ID: <49B17944.4060701@anl.gov>

weijun.wang at sun.com wrote:
> Hi Luke
>
> On Feb 24, 9:36 pm, Luke Howard wrote:
>>> I don't recall offhand if there's been an IETF draft proposing the
>>> specific extension we've got for extracting the session key.
>
>>    major = gss_inquire_sec_context_by_oid(&minor,
>>                                           ctx,
>>                                           GSS_C_INQ_SSPI_SESSION_KEY,
>>                                           &skey);
>
> Cool, we (Java SE Team at Sun) are also preparing to add a new method
> getSessionKey() to OpenJDK's JGSS-API for Java EE needs.
>
> BTW, I read the krb5-1.7 code and notice you're supporting some other
> OIDs for this new function:
>
> KRB5_GET_TKT_FLAGS
> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT

Please add at least the above, as it would let the caller get the Microsoft PAC from the Kerberos ticket if the KDC was Microsoft AD. The PAC contains user and group SIDs and other info from AD.

Original W2000:
http://msdn.microsoft.com/en-us/library/aa302203.aspx

More up-to-date info:
http://technet.microsoft.com/en-us/library/cc733967.aspx
http://msdn.microsoft.com/en-us/library/cc237917(PROT.10).aspx

Google for site:microsoft.com ms-pac

Would be useful in a Samba environment, which can also add a PAC.

> KRB5_EXPORT_LUCID_SEC_CONTEXT
> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>
> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?
>
> Thanks
> Weijun
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From ioplex at gmail.com Fri Mar 6 15:54:21 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 6 Mar 2009 15:54:21 -0500
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To:
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu>
Message-ID: <78c6bd860903061254u15f3c76l8792158564ec1b1@mail.gmail.com>

On Thu, Mar 5, 2009 at 9:29 PM, wrote:
> Hi Luke
>
> On Feb 24, 9:36 pm, Luke Howard wrote:
>> > I don't recall offhand if there's been an IETF draft proposing the
>> > specific extension we've got for extracting the session key.
>>
>>    major = gss_inquire_sec_context_by_oid(&minor,
>>                                           ctx,
>>                                           GSS_C_INQ_SSPI_SESSION_KEY,
>>                                           &skey);
>
> Cool, we (Java SE Team at Sun) are also preparing to add a new method
> getSessionKey() to OpenJDK's JGSS-API for Java EE needs.

I think it would be better to have a GSSContext method that could return an Object that is specific to the OID supplied. For example, in the case of the session key, it would return a byte[] array like:

    Oid sspiSessionKeyOid = new Oid("1.2.840.113554.1.2.2.5.5");
    byte[] sessionKey = (byte[])ctx.inquireSecContextByOid(sspiSessionKeyOid);

Otherwise you're going to end up just adding more methods in an already overwhelming API.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From raeburn at MIT.EDU Fri Mar 6 18:34:19 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 6 Mar 2009 18:34:19 -0500
Subject: Finding the version of kinit/klist
In-Reply-To:
References:
Message-ID:

On Mar 6, 2009, at 13:43, petesea at bigfoot.com wrote:
> Is there any way to determine the version of kinit or klist?

I'm afraid not, aside from the krb5-config option you noted.

It's still in our bug database, but hasn't gotten any attention yet. :-( (I knew it had been reported, but took me a little digging to discover that the bug report was, in fact, from you, back in 2006...)

Annoyingly, our argument parsing setup doesn't handle long options on most platforms, and both the 'v' and 'V' one-letter options of kinit are in use currently. But it looks like klist doesn't have either option yet....

Ken

From cclausen at acm.org Fri Mar 6 18:55:11 2009
From: cclausen at acm.org (Christopher D. Clausen)
Date: Fri, 6 Mar 2009 17:55:11 -0600
Subject: Finding the version of kinit/klist
References:
Message-ID: <3D4724740B614D7FB7A89F4AE380B60C@CDCHOME>

Ken Raeburn wrote:
> On Mar 6, 2009, at 13:43, petesea at bigfoot.com wrote:
>> Is there any way to determine the version of kinit or klist?
>
> I'm afraid not, aside from the krb5-config option you noted.
>
> It's still in our bug database, but hasn't gotten any attention yet.
> :-( (I knew it had been reported, but took me a little digging to
> discover that the bug report was, in fact, from you, back in 2006...)
>
> Annoyingly, our argument parsing setup doesn't handle long options on
> most platforms, and both the 'v' and 'V' one-letter options of kinit
> are in use currently. But it looks like klist doesn't have either
> option yet....

Can the usage message display the current version?

(And maybe add a -h option to display the help screen)

References: <3D4724740B614D7FB7A89F4AE380B60C@CDCHOME>
Message-ID: <76A45B4F-ADAC-4849-A16C-6F43B87B150C@mit.edu>

On Mar 6, 2009, at 18:55, Christopher D. Clausen wrote:
> Can the usage message display the current version?

That'd be an idea too... actually, standardizing *all* the usage messages to do this would be smart.

I just checked in (a little while ago) a patch to add "klist -V" to print the version info and exit. Not sure yet if it'll get the nod for 1.7, since we've already branched, but it's minor, and we're still in alphas...

Ken

From lukeh at padl.com Fri Mar 6 21:01:32 2009
From: lukeh at padl.com (Luke Howard)
Date: Sat, 7 Mar 2009 13:01:32 +1100
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To:
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu>
Message-ID: <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com>

> BTW, I read the krb5-1.7 code and notice you're supporting some other
> OIDs for this new function:
>
> KRB5_GET_TKT_FLAGS
> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
> KRB5_EXPORT_LUCID_SEC_CONTEXT
> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>
> I wonder how widely they are required and whether we should also
> support them. Can you give me some background info?
These are just shims for indirecting existing mechanism-specific APIs through the mechanism glue (so that the mechanism glue itself need not be polluted with mechanism-specific API). They correspond to:

gss_krb5_get_tkt_flags()
gsskrb5_extract_authz_data_from_sec_context()
gss_krb5_export_lucid_sec_context()
gsskrb5_extract_authtime_from_sec_context()

I think only the extract_authXXX APIs are new for 1.7.

The usage for gsskrb5_extract_authz_data_from_sec_context() is identical to Heimdal's:

http://www.daemon-systems.org/man/gsskrb5_extract_authz_data_from_sec_context.3.html

gsskrb5_extract_authtime_from_sec_context() gets the authtime from the ticket.

Let me know if you have further questions.

-- Luke

From henrik.hodne at gmail.com Sat Mar 7 03:47:36 2009
From: henrik.hodne at gmail.com (Henrik Hodne)
Date: Sat, 7 Mar 2009 09:47:36 +0100
Subject: Authenticating to LDAP using a HTTP ticket
Message-ID:

Hello,

I am in the process of creating a web panel to change LDAP attributes. The web panel is currently using mod_auth_kerb to authenticate, which is working beautifully. What we need is to authenticate to the LDAP server with that ticket. Is that even possible?

-Henrik

From mikkel at linet.dk Sat Mar 7 04:45:54 2009
From: mikkel at linet.dk (Mikkel Kruse Johnsen)
Date: Sat, 07 Mar 2009 10:45:54 +0100
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To:
References:
Message-ID: <1236419154.3965.5.camel@localhost.localdomain>

Hi Henrik

Yes, that is possible.
You need to set your LDAP to authenticate using SASL like this:

    # SASL
    sasl-host kerberos.cbs.dk
    sasl-realm CBS.DK
    sasl-secprop noplain,noanonymous,minssf=112
    sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk

Now put this in the HTTP config (note the KrbSaveCredentials):

    AuthType Kerberos
    AuthName "Open Directory Login"
    KrbAuthRealms CBS.DK
    Krb5Keytab /etc/httpd/conf/httpd.keytab
    KrbSaveCredentials on
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user

Now do this in PHP:

    // With KrbSaveCredentials on, mod_auth_kerb stores the delegated
    // credentials and passes the cache name to the application as KRB5CCNAME.
    if (!isset($_SERVER["KRB5CCNAME"])) {
        return false;
    }
    // Export it so the LDAP client library (via GSSAPI) finds the user's cache.
    putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);

    $ds = @ldap_connect($this->LdapHost);
    @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // SASL/GSSAPI bind as the user whose ticket was delegated.
    if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
        return false;
    }

Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200 Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)
Network Consultant

lør, 07 03 2009 kl. 09:47 +0100, skrev Henrik Hodne:
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From henrik.hodne at gmail.com Sat Mar 7 07:03:09 2009
From: henrik.hodne at gmail.com (Henrik Hodne)
Date: Sat, 7 Mar 2009 13:03:09 +0100
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To: <1236419154.3965.5.camel@localhost.localdomain>
References: <1236419154.3965.5.camel@localhost.localdomain>
Message-ID:

Hello,

I have a few more questions

On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen wrote:
> Hi Henrik
>
> Yes, that is possible.
>
> You need to set your LDAP to authenticate using SASL like this:
>
> # SASL
> sasl-host kerberos.cbs.dk
> sasl-realm CBS.DK
> sasl-secprop noplain,noanonymous,minssf=112
> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk
>

Where does the SASL stuff go?

>
> Now put this in the HTTP config (Note the KrbSaveCredentials)
>
> AuthType Kerberos
> AuthName "Open Directory Login"
> KrbAuthRealms CBS.DK
> Krb5Keytab /etc/httpd/conf/httpd.keytab
> KrbSaveCredentials on
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
>

This works, but I haven't got any browsers to forward tickets (that's probably client-side though)

>
> Now do this in PHP
>
> if (!isset($_SERVER["KRB5CCNAME"])) {
>     return false;
> }
> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>

I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't exist (mostly after the first time I view something, disappears when changing the file).

>
> $ds = @ldap_connect($this->LdapHost);
> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>
> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>     return false
> }
>
>
> Med Venlig Hilsen / Kind Regards
>
> Mikkel Kruse Johnsen
> Adm.Dir.
>
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200 Denmark
> Work: +45 21287793
> Mobile: +45 21287793
> Email: mikkel at linet.dk
> IM: mikkel at linet.dk (MSN)
> Network Consultant
>
> lør, 07 03 2009 kl. 09:47 +0100, skrev Henrik Hodne:
>
> Hello,
>
> I am in the process of creating a web panel to change LDAP attributes. The
> web panel is currently using mod_auth_kerb to authenticate, which is working
> beautifully. What we need is to authenticate to the LDAP server with that
> ticket. Is that even possible?
>
> -Henrik
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-Henrik

From Laatsch at uni-koeln.de Sat Mar 7 21:49:15 2009
From: Laatsch at uni-koeln.de (Rainer Laatsch)
Date: Sun, 8 Mar 2009 03:49:15 +0100 (CET)
Subject: Finding the version of kinit/klist
In-Reply-To: <76A45B4F-ADAC-4849-A16C-6F43B87B150C@mit.edu>
References: <3D4724740B614D7FB7A89F4AE380B60C@CDCHOME> <76A45B4F-ADAC-4849-A16C-6F43B87B150C@mit.edu>
Message-ID:

The OpenAFS people force a string into their programs at compile time, no extra flags. Doing e.g. 'strings /usr/vice/etc/afsd | grep OpenAFS' shows the version. A similar setup for krb5 would suffice; just propagate the corresponding item of krb5-config into kinit/klist/kdestroy.

In an AFS environment using ssh, almost no other krb5 programs are needed.

Best regards
Rainer Laatsch

-------------------------------------------------------------------------------

On Fri, 6 Mar 2009, Ken Raeburn wrote:

> On Mar 6, 2009, at 18:55, Christopher D. Clausen wrote:
>> Can the usage message display the current version?
>
> That'd be an idea too... actually, standardizing *all* the usage
> messages to do this would be smart.
>
> I just checked in (a little while ago) a patch to add "klist -V" to
> print the version info and exit. Not sure yet if it'll get the nod
> for 1.7, since we've already branched, but it's minor, and we're still
> in alphas...
>
> Ken
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From mikkel at linet.dk Sun Mar 8 06:06:14 2009
From: mikkel at linet.dk (Mikkel Kruse Johnsen)
Date: Sun, 08 Mar 2009 11:06:14 +0100
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To:
References: <1236419154.3965.5.camel@localhost.localdomain>
Message-ID: <1236506774.3955.19.camel@localhost.localdomain>

> Hello,
>
> I have a few more questions
>
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen wrote:
>
> Hi Henrik
>
> Yes, that is possible.
>
> You need to set your LDAP to authenticate using SASL like this:
>
> # SASL
> sasl-host kerberos.cbs.dk
> sasl-realm CBS.DK
> sasl-secprop noplain,noanonymous,minssf=112
> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk
>
> Where does the SASL stuff go?

This goes in "/etc/openldap/slapd.conf" assuming you are using OpenLDAP.

>
> Now put this in the HTTP config (Note the KrbSaveCredentials)
>
> AuthType Kerberos
> AuthName "Open Directory Login"
> KrbAuthRealms CBS.DK
> Krb5Keytab /etc/httpd/conf/httpd.keytab
> KrbSaveCredentials on
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
>
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)
>

To get the browsers to forward tickets you need to:

Firefox: Type "about:config" in the Location bar.
Type "nego" in the filter and double-click "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris" and type in your domain name (in my example I have "cbs.dk" in both).

IE: You need to change a regedit setting like this:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
    "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
      62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
    "RealmFlags"=dword:00000006

(KdcNames is your list of kerberos servers)
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)

RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of course change to your own domain).

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
    "*"=dword:00000001

This sets "cbs.dk" in the trusted zone.

I also had a problem getting this to work and it turned out to be a problem with "mod_auth_kerb". I had to recompile it, using its internal GSSAPI support and not MIT Kerberos under RHEL5. Don't know your setup; if it is not delegating then recompile with internal GSSAPI support.

Or use these:
http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm

I'm off for a week, so hope you can get it to work.

>
> Now do this in PHP
>
> if (!isset($_SERVER["KRB5CCNAME"])) {
>     return false;
> }
> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>
> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
> exist (mostly after the first time I view something, disappears when
> changing the file).
>

Not sure what you mean.

>
> $ds = @ldap_connect($this->LdapHost);
> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>
> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>     return false
> }
>
>
> Med Venlig Hilsen / Kind Regards
>
> Mikkel Kruse Johnsen
> Adm.Dir.
>
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200 Denmark
>
> Work: +45 21287793
> Mobile: +45 21287793
> Email: mikkel at linet.dk
> IM: mikkel at linet.dk (MSN)
> Network Consultant
>
> lør, 07 03 2009 kl. 09:47 +0100, skrev Henrik Hodne:
>
> > Hello,
> >
> > I am in the process of creating a web panel to change LDAP attributes. The
> > web panel is currently using mod_auth_kerb to authenticate, which is working
> > beautifully. What we need is to authenticate to the LDAP server with that
> > ticket. Is that even possible?
> >
> > -Henrik
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> -Henrik
>

From rra at stanford.edu Sun Mar 8 16:00:29 2009
From: rra at stanford.edu (Russ Allbery)
Date: Sun, 08 Mar 2009 13:00:29 -0700
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To: <1236506774.3955.19.camel@localhost.localdomain> (Mikkel Kruse Johnsen's message of "Sun, 08 Mar 2009 11:06:14 +0100")
References: <1236419154.3965.5.camel@localhost.localdomain> <1236506774.3955.19.camel@localhost.localdomain>
Message-ID: <87y6vfu6n6.fsf@windlord.stanford.edu>

Mikkel Kruse Johnsen writes:

> Firefox: Type "about:config" in the Location bar. Type "nego" in the
> filter and double-click "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" and type in your domain name (in
> my example I have "cbs.dk" in both)

Be aware that doing this will cause your browser to promiscuously send your credentials to every server in that domain with a valid HTTP/* principal in your KDC and allow that server to impersonate you to any other service. This may be what you want to do, but it's worth thinking carefully about the implications before you do it.
For example, if you're an educational site that allows students to obtain HTTP/* principals for their own systems, you *don't* want to do this.

--
Russ Allbery (rra at stanford.edu)

From raeburn at MIT.EDU Sun Mar 8 16:21:54 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Sun, 8 Mar 2009 16:21:54 -0400
Subject: Finding the version of kinit/klist
In-Reply-To:
References: <3D4724740B614D7FB7A89F4AE380B60C@CDCHOME> <76A45B4F-ADAC-4849-A16C-6F43B87B150C@mit.edu>
Message-ID:

On Mar 7, 2009, at 21:49, Rainer Laatsch wrote:
> The OpenAFS people force a string into their programs at compile
> time, no extra flags. Doing e.g. 'strings /usr/vice/etc/afsd | grep
> OpenAFS' shows the version. A similar setup for krb5 would suffice;
> just propagate the corresponding item of krb5-config into
> kinit/klist/kdestroy.

We have something a little like that in the krb5 library, but (1) telling a user to run the right "strings" invocation is a lot less friendly than a --version flag, and (2) it looks like the optimizer can throw the string away, in the current incarnation. :-(

Ken

From res at qoxp.net Sun Mar 8 13:32:40 2009
From: res at qoxp.net (Richard E. Silverman)
Date: Sun, 08 Mar 2009 13:32:40 -0400
Subject: Authenticating to LDAP using a HTTP ticket
References: <1236419154.3965.5.camel@localhost.localdomain>
Message-ID:

>>>>> "MKJ" == Mikkel Kruse Johnsen writes:

>> Hello,
>>
>> I have a few more questions
>>
>> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen wrote:
>>
>> Hi Henrik
>>
>> Yes, that is possible.
>>
>> You need to set your LDAP to authenticate using SASL like this:
>>
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secprop noplain,noanonymous,minssf=112
>> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth uid=$1,ou=People,dc=cbs,dc=dk
>>
>> Where does the SASL stuff go?

MKJ> This goes in "/etc/openldap/slapd.conf" assuming you are using
MKJ> OpenLDAP.
>> Now put this in the HTTP config (Note the KrbSaveCredentials)
>>
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> KrbSaveCredentials on
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
>>
>> This works, but I haven't got any browsers to forward tickets
>> (that's probably client-side though)

>> To get the browsers to forward tickets you need to:

MKJ> Firefox: Type "about:config" in the Location bar. Type "nego" in
MKJ> the filter and double click
MKJ> "network.negotiate-auth.delegation-uris" and
MKJ> "network.negotiate-auth.trusted-uris" and type in your domain
MKJ> name (in my example I have "cbs.dk" in both)

MKJ> IE: You need to change a regedit setting like this:

MKJ> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
MKJ> "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
MKJ>   62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
MKJ> "RealmFlags"=dword:00000006

MKJ> (KdcNames is your list of kerberos servers)
MKJ> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)

MKJ> RealmFlags tells that it is OK to delegate for the domain
MKJ> "cbs.dk" (of course change to your own domain)

This means that Windows will perform delegation for *every* service in
the realm.  This may not be such a good idea.  You only want to hand
over your TGT to trusted services.  For example, if you hand it to a web
server that allows users to run personal CGIs, then you've just allowed
everyone to impersonate you!  Much better to set the OK-AS-DELEGATE flag
in the tickets for individual trusted services, and keep a close watch
on their configuration.

Also, there's a performance hit.  Normally the client would only have to
contact the KDC occasionally.  With delegation turned on, it will do a
round trip to the KDC for a delegated TGT *on every authenticated page
fetch*.
Even worse, in my environment anyway, SSPI repeats its query twice every
time, for some reason.

MKJ> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
MKJ> "*"=dword:00000001

MKJ> This sets "cbs.dk" in trusted zone.

MKJ> I also had a problem getting this to work and it turned out to be
MKJ> a problem with "mod_auth_kerb" I had to recompile it, using its
MKJ> internal GSSAPI support and not MIT Kerberos under RHEL5 Don't
MKJ> know your setup, If it is not delegating then recompile with
MKJ> internal GSSAPI support.

Same here; do use the internal SPNEGO code.

MKJ> Or use these:

MKJ> http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
MKJ> http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm

MKJ> I'm off for a week, so hope you can get it to work.

>> Now do this in PHP
>>
>> if (!isset($_SERVER["KRB5CCNAME"])) {
>>     return false;
>> }
>> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>>
>> I often get an error message telling me $_SERVER['KRB5CCNAME']
>> doesn't exist (mostly after the first time I view something,
>> disappears when changing the file).
>>
>> Not sure what you mean.
>>
>> $ds = @ldap_connect($this->LdapHost);
>> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>
>> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>>     return false;
>> }
>>
>> Med Venlig Hilsen / Kind Regards
>>
>> Mikkel Kruse Johnsen
>> Adm.Dir.
>>
>> Linet
>> Ørholmgade 6 st tv
>> Copenhagen N
>> 2200 Denmark
>>
>> Work: +45 21287793
>> Mobile: +45 21287793
>> Email: mikkel at linet.dk
>> IM: mikkel at linet.dk (MSN)
>> Professional Profile
>> Healthcare Network Consultant
>>
>> Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>>
>> > Hello,
>> >
>> > I am in the process of creating a web panel to change LDAP
>> > attributes. The web panel is currently using mod_auth_kerb to
>> > authenticate, which is working beautifully.
>> > What we need is to authenticate to the LDAP server with that
>> > ticket. Is that even possible?
>> >
>> > -Henrik
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> -Henrik

-- 
  Richard Silverman
  res at qoxp.net

From michael at stroeder.com Sat Mar 7 08:21:55 2009
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 07 Mar 2009 14:21:55 +0100
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To:
References: <1236419154.3965.5.camel@localhost.localdomain>
Message-ID:

Henrik Hodne wrote:
> On Sat, Mar 7, 2009 at 10:45 AM, Mikkel Kruse Johnsen wrote:
>
>> Yes, that is possible.
>>
>> You need to set your LDAP to authenticate using SASL like this:
>>
>> # SASL
>> sasl-host kerberos.cbs.dk
>> sasl-realm CBS.DK
>> sasl-secprop noplain,noanonymous,minssf=112
>> sasl-regexp uid=(.*),cn=CBS.DK,cn=GSSAPI,cn=auth
>>     uid=$1,ou=People,dc=cbs,dc=dk
>
> Where does the SASL stuff go?

slapd.conf of OpenLDAP. If you have another LDAP server the config is
different. You don't have to do anything for MS AD.

>> Now put this in the HTTP config (Note the *KrbSaveCredentials*)
>>
>> AuthType Kerberos
>> AuthName "Open Directory Login"
>> KrbAuthRealms CBS.DK
>> Krb5Keytab /etc/httpd/conf/httpd.keytab
>> *KrbSaveCredentials on*
>> KrbMethodNegotiate on
>> KrbMethodK5Passwd on
>> require valid-user
>
> This works, but I haven't got any browsers to forward tickets (that's
> probably client-side though)

You didn't say anything about your KDC. Is it MS AD?

Ciao, Michael.

From lukeh at padl.com Sun Mar 8 23:49:23 2009
From: lukeh at padl.com (Luke Howard)
Date: Mon, 9 Mar 2009 14:49:23 +1100
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To:
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu> <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com>
Message-ID: <3A3A185F-E900-4742-9D32-5F1736E662A2@padl.com>

On 09/03/2009, at 1:45 PM, Max (Weijun) Wang wrote:

>> gss_krb5_get_tkt_flags()
>> gsskrb5_extract_authz_data_from_sec_context()
>> gsskrb5_extract_authtime_from_sec_context()
>
> I guess the tkt or authXXX above are all for the initial TGT (instead
> of any service ticket). Right?

The service ticket; the service does not have the TGT (although the KDC
may use the TGT in deriving those values).

-- Luke

From sansancasd at gmail.com Mon Mar 9 07:48:55 2009
From: sansancasd at gmail.com (San tos)
Date: Mon, 9 Mar 2009 11:48:55 +0000
Subject: Authenticating using lower case domain/realm
Message-ID:

Hello to all.

I have successfully configured ubuntu machines to authenticate to an
active directory running windows 2k (pam_krb5/LDAP/Kerberos).

The realm is DOMAIN.COM, however in order to be user friendly and
maintain the same login address in everything, i need to authenticate
using user at domain.com instead of user at DOMAIN.COM.
It seems windows 2k accepts either way, but maybe kerberos doesn't like
the response it receives:

kinit(v5): KDC reply did not match expectations while getting initial credentials

I'm using ubuntu 8.10 and:

krb5-config  1.19                  Configuration files for Kerberos Version 5
krb5-user    1.6.dfsg.4~beta1-3    Basic programs to authenticate using MIT Ker
libkrb53     1.6.dfsg.4~beta1-3    MIT Kerberos runtime libraries

The krb5.conf:

[libdefaults]
        default_realm = DOMAIN.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
#       dns_lookup_realm = true
#       dns_lookup_kdc = false

[realms]
        DOMAIN.COM = {
                kdc = dc.domain.com
                admin_server = dc.domain.com
                default_domain = DOMAIN.COM
        }

[domain_realm]
        domain.com = DOMAIN.COM
        .domain.com = DOMAIN.COM

I have googled, read the mans, tried a lot of other configurations, etc,
for days now, but can't figure it out.

I will appreciate any input you got on this.

Thanks in advance for your replies.

Santos

From raeburn at MIT.EDU Mon Mar 9 08:05:24 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 9 Mar 2009 08:05:24 -0400
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References:
Message-ID: <7B565FAC-75C3-419C-A568-28A159430CC4@mit.edu>

On Mar 9, 2009, at 07:48, San tos wrote:
> It seems windows 2k accepts either way, but maybe kerberos doesn't
> like the response it receives:
>
> kinit(v5): KDC reply did not match expectations while getting initial
> credentials

Yes, the MIT implementation treats realm names as case sensitive (as
does the protocol).  If you just use "kinit username" without the realm,
it should use the form from the config file; I'm not sure how much that
might help.
Ken

From Tim.Alsop at CyberSafe.com Mon Mar 9 08:07:29 2009
From: Tim.Alsop at CyberSafe.com (Tim Alsop)
Date: Mon, 9 Mar 2009 12:07:29 +0000
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References:
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local>

San,

You need an implementation of Kerberos, which has support for UPN
authentication (using nt-enterprise principal names) and the canonical
flag, as well as client side realm referrals. I guess the implementation
of Kerberos on Ubuntu does not have these extensions coded.

I represent a vendor who develops and sells a commercial implementation
of Kerberos, and our product works as you expect - see below:

talsop at perky:~> kinit talsop
Password for talsop at DEV.LOCAL:
talsop at perky:~> klist
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_1000
Cache Version: 0502
Default Principal: talsop at DEV.LOCAL

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Mon 09 Mar 2009 12:06:03 GMT  Mon 09 Mar 2009 20:06:23 GMT  krbtgt/DEV.LOCAL at DEV.LOCAL

talsop at perky:~> kinit talsop at dev.local
Password for talsop\@dev.local at DEV.LOCAL:
talsop at perky:~> klist
Cache Type: Kerberos V5 Credentials Cache
Cache File: /krb5/tmp/cc/krb5cc_1000
Cache Version: 0502
Default Principal: talsop at DEV.LOCAL

Valid From                    Expires                       Service Principal
----------------------------  ----------------------------  -----------------
Mon 09 Mar 2009 12:06:16 GMT  Mon 09 Mar 2009 20:06:35 GMT  krbtgt/DEV.LOCAL at DEV.LOCAL

talsop at perky:~>

Thanks, Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of San tos
Sent: 09 March 2009 11:49
To: kerberos at mit.edu
Subject: Authenticating using lower case domain/realm

Hello to all.

I have successfully configured ubuntu machines to authenticate to an
active directory running windows 2k (pam_krb5/LDAP/Kerberos).
The realm is DOMAIN.COM, however in order to be user friendly and
maintain the same login address in everything, i need to authenticate
using user at domain.com instead of user at DOMAIN.COM.

It seems windows 2k accepts either way, but maybe kerberos doesn't like
the response it receives:

kinit(v5): KDC reply did not match expectations while getting initial credentials

I'm using ubuntu 8.10 and:

krb5-config  1.19                  Configuration files for Kerberos Version 5
krb5-user    1.6.dfsg.4~beta1-3    Basic programs to authenticate using MIT Ker
libkrb53     1.6.dfsg.4~beta1-3    MIT Kerberos runtime libraries

The krb5.conf:

[libdefaults]
        default_realm = DOMAIN.COM
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
#       dns_lookup_realm = true
#       dns_lookup_kdc = false

[realms]
        DOMAIN.COM = {
                kdc = dc.domain.com
                admin_server = dc.domain.com
                default_domain = DOMAIN.COM
        }

[domain_realm]
        domain.com = DOMAIN.COM
        .domain.com = DOMAIN.COM

I have googled, read the mans, tried a lot of other configurations, etc,
for days now, but can't figure it out.

I will appreciate any input you got on this.

Thanks in advance for your replies.

Santos
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From sansancasd at gmail.com Mon Mar 9 08:09:23 2009
From: sansancasd at gmail.com (San tos)
Date: Mon, 9 Mar 2009 12:09:23 +0000
Subject: Authenticating using lower case domain/realm
In-Reply-To: <7B565FAC-75C3-419C-A568-28A159430CC4@mit.edu>
References: <7B565FAC-75C3-419C-A568-28A159430CC4@mit.edu>
Message-ID:

You are right Ken, i did try it without @domain.com and it worked.
However, we must use username at domain.com.

Thanks for your reply.
On Mon, Mar 9, 2009 at 12:05 PM, Ken Raeburn wrote:

> On Mar 9, 2009, at 07:48, San tos wrote:
>
>> It seems windows 2k accepts either way, but maybe kerberos doesn't like the
>> response it receives:
>>
>> kinit(v5): KDC reply did not match expectations while getting initial
>> credentials
>>
>
> Yes, the MIT implementation treats realm names as case sensitive (as does
> the protocol).
> If you just use "kinit username" without the realm, it should use the form
> from the config file; I'm not sure how much that might help.
>
> Ken
>

From lukeh at padl.com Mon Mar 9 09:35:31 2009
From: lukeh at padl.com (Luke Howard)
Date: Tue, 10 Mar 2009 00:35:31 +1100
Subject: Authenticating using lower case domain/realm
In-Reply-To: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local>
Message-ID: <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>

MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise principal
name) options to kinit, which may help.

-- Luke

From deengert at anl.gov Mon Mar 9 10:44:27 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 09 Mar 2009 09:44:27 -0500
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To: <1236506774.3955.19.camel@localhost.localdomain>
References: <1236419154.3965.5.camel@localhost.localdomain> <1236506774.3955.19.camel@localhost.localdomain>
Message-ID: <49B52B4B.6090801@anl.gov>

Mikkel Kruse Johnsen wrote:
>> Hello,
>>
>> I have a few more questions
>>
[...]
>
> To get the browsers to forward tickets you need to:
>
> Firefox: Type "about:config" in the Location bar.
> Type "nego" in the
> filter and double click "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" and type in your domain name (in
> my example I have "cbs.dk" in both)
>
> IE: You need to change a regedit setting like this:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK]
> "KdcNames"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,2e,00,63,00,\
>   62,00,73,00,2e,00,64,00,6b,00,00,00,00,00
> "RealmFlags"=dword:00000006
>
> (KdcNames is your list of kerberos servers)

The above can also be done using the Microsoft ksetup:

> C:\>ksetup /ListRealmFlags
>
> Ksetup knows the following realm flags:
>   0x00 None          No Realm Flags
>   0x01 SendAddress   Include IP numbers within tickets.
>                      Useful for solving SOME compatibility issues.
>   0x02 TcpSupported  Indicates that this realm supports TCP.
>                      (as opposed to just UDP)
>   0x04 Delegate      Everyone in this realm is trusted for delegation
>   0x08 NcSupported   This realm supports Name Canonicalization

But this then says IE and any SSPI applications that use Kerberos can
also delegate. This might not be what you want. Microsoft checks the
OK-AS-DELEGATE Kerberos ticket flag, that its KDC will set for trusted
servers. This is an advisory to the client to only delegate to servers
trusted for delegation by the domain admins.

Other versions of Kerberos are starting to add this feature to the KDC
and to the clients. So this whole area is in transition.

>
> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/95141.mspx?mfr=true)
>
> RealmFlags tells that it is OK to delegate for the domain "cbs.dk" (of
> course change to your own domain)
>
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cbs.dk]
> "*"=dword:00000001
>
> This sets "cbs.dk" in trusted zone.
>
>
> I also had a problem getting this to work and it turned out to be a
> problem with "mod_auth_kerb" I had to recompile it, using its internal
> GSSAPI support and not MIT Kerberos under RHEL5
> Don't know your setup, If it is not delegating then recompile with
> internal GSSAPI support.
>
> Or use these:
>
> http://yum.cbs.dk/rhel-5Server-x86_64/RPMS/mod_auth_kerb-5.3-6.x86_64.rpm
> http://yum.cbs.dk/rhel-5Server-i386/RPMS/mod_auth_kerb-5.3-6.i386.rpm
>
>
> I'm off for a week, so hope you can get it to work.
>
>
>>
>> Now do this in PHP
>>
>> if (!isset($_SERVER["KRB5CCNAME"])) {
>>     return false;
>> }
>> putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
>>
>>
>> I often get an error message telling me $_SERVER['KRB5CCNAME'] doesn't
>> exist (mostly after the first time I view something, disappears when
>> changing the file).
>>
>>
>
> Not sure what you mean.
>
>
>>
>> $ds = @ldap_connect($this->LdapHost);
>> @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>
>> if (($linkId = @ldap_sasl_bind($ds, NULL, NULL, "GSSAPI")) == false) {
>>     return false;
>> }
>>
>>
>>
>> Med Venlig Hilsen / Kind Regards
>>
>>
>> Mikkel Kruse Johnsen
>> Adm.Dir.
>>
>> Linet
>> Ørholmgade 6 st tv
>> Copenhagen N
>> 2200 Denmark
>>
>> Work: +45 21287793
>> Mobile: +45 21287793
>> Email: mikkel at linet.dk
>> IM: mikkel at linet.dk (MSN)
>> Professional Profile
>> Healthcare Network Consultant
>>
>>
>> Sat, 07 03 2009 at 09:47 +0100, Henrik Hodne wrote:
>>
>> > Hello,
>> >
>> > I am in the process of creating a web panel to change LDAP attributes. The
>> > web panel is currently using mod_auth_kerb to authenticate, which is working
>> > beautifully. What we need is to authenticate to the LDAP server with that
>> > ticket. Is that even possible?
>> >
>> > -Henrik
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> -Henrik
>>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

From sansancasd at gmail.com Mon Mar 9 12:17:08 2009
From: sansancasd at gmail.com (Santos)
Date: Mon, 9 Mar 2009 16:17:08 +0000
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>
Message-ID:

> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard wrote:
>
>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>> principal name) options to kinit, which may help.
>

Actually my main priority is to use pam_krb5.

If i compile MIT kerberos 1.7 on ubuntu 8.10, will pam_krb5 be able to
use those flags? Does the krb5.conf file have any settings to enable
those settings as default?

Thank you all for your replies.

From sansancasd at gmail.com Mon Mar 9 12:23:29 2009
From: sansancasd at gmail.com (Santos)
Date: Mon, 9 Mar 2009 16:23:29 +0000
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>
Message-ID:

BTW, dns_lookup_realm doesn't seem to work. It could help my case, if
kerberos queried the NS for TXT records in which i could specify the
realm in upper case.

I sniffed the DNS queries but no TXT queries. Any idea why?

Is there an easy way to set the default type to 10 and set the canonical
flag in the code?
On Mon, Mar 9, 2009 at 4:17 PM, Santos wrote:

>> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard wrote:
>>
>>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>>> principal name) options to kinit, which may help.
>>
>
> Actually my main priority is to use pam_krb5.
>
> If i compile MIT kerberos 1.7 on ubuntu 8.10, will pam_krb5 be able to use
> those flags? Does the krb5.conf file have any settings to enable those
> settings as default?
>
> Thank you all for your replies.
>

From raeburn at MIT.EDU Mon Mar 9 13:53:39 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 9 Mar 2009 13:53:39 -0400
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>
Message-ID: <8A15E4BE-E964-4705-91D2-EBA4648386D7@mit.edu>

On Mar 9, 2009, at 12:23, Santos wrote:
> BTW, dns_lookup_realm doesn't seem to work. It could help my case, if
> kerberos queried the NS for TXT records in which i could specify the
> realm in upper case.
>
> I sniffed the DNS queries but no TXT queries. Any idea why?

The TXT records are used for mapping host names to realm names, and are
only looked up if the domain_realm section of the config file doesn't
list the host or domain name.  If you supply a realm name on the command
line (or wherever), then TXT records won't be looked up at all.

(In particular, we don't use TXT records to map the realm name to itself
and figure out the capitalization, if that's what you were expecting.
It might be a heuristic to try, but it's certainly possible for there to
be a host with a name matching a realm, and for that host to be in a
different realm, or for there to be a wildcard record pointing to
another realm....)
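[Editor's added example, not part of Ken's message and not MIT Kerberos code.] The lookup order described above, and the case-sensitive realm comparison behind the "KDC reply did not match expectations" error earlier in this thread, modelled in Python. The krb5.conf fragment is constructed (modelled on the one Santos posted) and a plain dictionary stands in for DNS TXT records; the final fallback when nothing matches is simplified to "no answer".

```python
"""Host-to-realm lookup as described in the thread, modelled in Python.

Added example, not MIT Kerberos code: it reproduces the lookup order only.
[domain_realm] is consulted first (exact host, then each parent domain with
a leading dot); DNS TXT records (_kerberos.<name>) are queried only when the
config has no match and dns_lookup_realm is enabled.  An explicit @REALM on a
principal is never mapped at all, and realm names compare case-sensitively.
"""
import re
from typing import Callable, Dict, Optional

# Constructed krb5.conf fragment (flat "key = value" lines only).
KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = true

[domain_realm]
    domain.com = DOMAIN.COM
    .domain.com = DOMAIN.COM
"""

# Constructed stand-in for DNS: "_kerberos.<name>" -> TXT record value.
FAKE_TXT_ZONE: Dict[str, str] = {
    "_kerberos.other.example": "OTHER.EXAMPLE",
}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse "[section]" blocks of "key = value" lines; '#' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def host_realm(host: str, conf: Dict[str, Dict[str, str]],
               txt_lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Realm for a host name: [domain_realm] first, DNS TXT only as a fallback."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    domain_realm = conf.get("domain_realm", {})

    # 1. [domain_realm]: exact host, then ".parent", ".grandparent", ...
    if host in domain_realm:
        return domain_realm[host]
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]

    # 2. DNS TXT records, only when nothing in the config matched and
    #    dns_lookup_realm is enabled; walk from the host up to its TLD.
    dns_enabled = conf.get("libdefaults", {}).get("dns_lookup_realm", "false")
    if dns_enabled.lower() == "true":
        for i in range(len(labels)):
            realm = txt_lookup("_kerberos." + ".".join(labels[i:]))
            if realm:
                return realm
    return None  # the library's further fallbacks are out of scope here


def principal_realm(principal: str, conf: Dict[str, Dict[str, str]]) -> str:
    """Realm of a principal string.  An explicit @REALM is taken verbatim;
    neither [domain_realm] nor TXT records are consulted for it."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf["libdefaults"]["default_realm"]


def reply_matches(requested_realm: str, reply_realm: str) -> bool:
    """Realm names are case-sensitive, so asking for user@domain.com and
    being answered for DOMAIN.COM is a mismatch (kinit's "KDC reply did
    not match expectations")."""
    return requested_realm == reply_realm


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(host_realm("dc.domain.com", conf, FAKE_TXT_ZONE.get))      # DOMAIN.COM
    print(host_realm("www.other.example", conf, FAKE_TXT_ZONE.get))  # OTHER.EXAMPLE
    print(principal_realm("user@domain.com", conf))                   # domain.com
    print(reply_matches("domain.com", "DOMAIN.COM"))                 # False
```

With the constructed config, a host under domain.com is mapped through [domain_realm] without any DNS traffic, a host nobody configured falls through to the TXT lookup, and a principal written as user@domain.com keeps the lowercase realm untouched, which is why the TXT records Santos was sniffing for never get queried in that case.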
Ken

From Weijun.Wang at Sun.COM Sun Mar 8 21:34:36 2009
From: Weijun.Wang at Sun.COM (Max (Weijun) Wang)
Date: Mon, 09 Mar 2009 09:34:36 +0800
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To: <78c6bd860903061254u15f3c76l8792158564ec1b1@mail.gmail.com>
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu> <78c6bd860903061254u15f3c76l8792158564ec1b1@mail.gmail.com>
Message-ID:

On Mar 7, 2009, at 4:54 AM, Michael B Allen wrote:

> On Thu, Mar 5, 2009 at 9:29 PM, wrote:
>> Hi Luke
>>
>> On Feb 24, 9:36 pm, Luke Howard wrote:
>>>> I don't recall offhand if there's been an IETF draft proposing the
>>>> specific extension we've got for extracting the session key.
>>>
>>> major = gss_inquire_sec_context_by_oid(&minor,
>>>                                        ctx,
>>>                                        GSS_C_INQ_SSPI_SESSION_KEY,
>>>                                        &skey);
>>
>> Cool, we (Java SE Team at Sun) are also preparing to add a new method
>> getSessionKey() to OpenJDK's JGSS-API for Java EE needs.
>
> I think it would be better to have a GSSContext method that could
> return an Object that is specific to the OID supplied. For example, in
> the case of the session key, it would return a byte[] array like:
>
> Oid sspiSessionKeyOid = new Oid("1.2.840.113554.1.2.2.5.5");
> byte[] sessionKey =
>     (byte[])ctx.inquireSecContextByOid(sspiSessionKeyOid);
>
> Otherwise you're going to end up just adding more methods in an
> already overwhelming API.

Sure, if we are going to support other OIDs, we would use a method name
like inquireSecContext(Oid).

Weijun

>
> Mike
>
> --
> Michael B Allen
> Java Active Directory Integration
> http://www.ioplex.com/

From Weijun.Wang at Sun.COM Sun Mar 8 22:45:50 2009
From: Weijun.Wang at Sun.COM (Max (Weijun) Wang)
Date: Mon, 09 Mar 2009 10:45:50 +0800
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To: <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com>
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu> <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com>
Message-ID:

> gss_krb5_get_tkt_flags()
> gsskrb5_extract_authz_data_from_sec_context()
> gsskrb5_extract_authtime_from_sec_context()

I guess the tkt or authXXX above are all for the initial TGT (instead of
any service ticket). Right?

Thanks
Weijun

On Mar 7, 2009, at 10:01 AM, Luke Howard wrote:

>> BTW, I read the krb5-1.7 codes and notice you're supporting some other
>> OIDs for this new function:
>>
>> KRB5_GET_TKT_FLAGS
>> KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
>> KRB5_EXPORT_LUCID_SEC_CONTEXT
>> KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT
>>
>> I wonder how widely they are required and whether we should also
>> support them. Can you give me some background info?
>
> These are just shims for indirecting existing mechanism-specific
> APIs through the mechanism glue (so that the mechanism glue itself
> need not be polluted with mechanism specific API). They correspond to:
>
> gss_krb5_get_tkt_flags()
> gsskrb5_extract_authz_data_from_sec_context()
> gss_krb5_export_lucid_sec_context()
> gsskrb5_extract_authtime_from_sec_context()
>
> I think only the extract_authXXX APIs are new for 1.7. The usage for
> gsskrb5_extract_authz_data_from_sec_context() is identical to Heimdal:
>
> http://www.daemon-systems.org/man/gsskrb5_extract_authz_data_from_sec_context.3.html
>
> gsskrb5_extract_authtime_from_sec_context() gets the authtime from
> the ticket.
>
> Let me know if you have further questions.
>
> -- Luke

From lukeh at padl.com Mon Mar 9 17:51:54 2009
From: lukeh at padl.com (Luke Howard)
Date: Tue, 10 Mar 2009 08:51:54 +1100
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>
Message-ID:

On 10/03/2009, at 3:17 AM, Santos wrote:

>> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard wrote:
>>
>>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>>> principal name) options to kinit, which may help.
>>
>
> Actually my main priority is to use pam_krb5.
>
> If i compile MIT kerberos 1.7 on ubuntu 8.10, will pam_krb5 be able
> to use those flags? Does the krb5.conf file have any settings to
> enable those settings as default?

It doesn't but you should be able to easily modify pam_krb5 to call
krb5_get_init_creds_opt_set_canonicalize(), and to call
krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than
krb5_parse_name(). Of course, this should be made configurable.

-- Luke

From rra at stanford.edu Mon Mar 9 21:10:43 2009
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 09 Mar 2009 18:10:43 -0700
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To: <1236640901.30350.23841.camel@ruth.aloha.tallye.com> (Loren M. Lang's message of "Mon\, 09 Mar 2009 16\:21\:41 -0700")
References: <1236419154.3965.5.camel@localhost.localdomain> <1236506774.3955.19.camel@localhost.localdomain> <87y6vfu6n6.fsf@windlord.stanford.edu> <1236640901.30350.23841.camel@ruth.aloha.tallye.com>
Message-ID: <87ocwa6v3g.fsf@windlord.stanford.edu>

"Loren M. Lang" writes:

> Isn't a feature of Kerberos to be able to limit the powers that one
> delegates using proxiable tickets?  If I understand correctly, it should
> be possible to delegate for the server to impersonate you only to the
> LDAP service on host ldap.example.com instead of forwarding your krbtgt.

No, this is not a general feature of Kerberos implementations.
It may be that Active Directory has support for this, however.  Active
Directory has some additional delegation control features that are not
implemented in other versions of Kerberos.  I don't know if you need to
use Microsoft's Kerberos implementation on the client for this as well,
if so.

-- 
Russ Allbery (rra at stanford.edu)

From rra at stanford.edu Mon Mar 9 21:30:48 2009
From: rra at stanford.edu (Russ Allbery)
Date: Mon, 09 Mar 2009 18:30:48 -0700
Subject: Authenticating using lower case domain/realm
In-Reply-To: (Luke Howard's message of "Tue\, 10 Mar 2009 08\:51\:54 +1100")
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>
Message-ID: <87r6165flj.fsf@windlord.stanford.edu>

Luke Howard writes:
> On 10/03/2009, at 3:17 AM, Santos wrote:

>> If i compile MIT kerberos 1.7 on ubuntu 8.10, will pam_krb5 be able to
>> use those flags? Does the krb5.conf file have any settings to enable
>> those settings as default?

> It doesn't but you should be able to easily modify pam_krb5 to call
> krb5_get_init_creds_opt_set_canonicalize(), and to call
> krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than
> krb5_parse_name(). Of course, this should be made configurable.

Patch welcome from someone who can easily test it.  :)

-- 
Russ Allbery (rra at stanford.edu)

From lukeh at padl.com Mon Mar 9 22:49:16 2009
From: lukeh at padl.com (Luke Howard)
Date: Tue, 10 Mar 2009 13:49:16 +1100
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To: <87ocwa6v3g.fsf@windlord.stanford.edu>
References: <1236419154.3965.5.camel@localhost.localdomain> <1236506774.3955.19.camel@localhost.localdomain> <87y6vfu6n6.fsf@windlord.stanford.edu> <1236640901.30350.23841.camel@ruth.aloha.tallye.com> <87ocwa6v3g.fsf@windlord.stanford.edu>
Message-ID: <7AA8A304-60B0-4646-902B-422A4325F6B2@padl.com>

On 10/03/2009, at 12:10 PM, Russ Allbery wrote:

> "Loren M. Lang" writes:
>
>> Isn't a feature of Kerberos to be able to limit the powers that one
>> delegates using proxiable tickets? If I understand correctly, it should
>> be possible to delegate for the server to impersonate you only to the
>> LDAP service on host ldap.example.com instead of forwarding your
>> krbtgt.
>
> No, this is not a general feature of Kerberos implementations. It may be
> that Active Directory has support for this, however. Active Directory has
> some additional delegation control features that are not implemented in
> other versions of Kerberos. I don't know if you need to use Microsoft's
> Kerberos implementation on the client for this as well, if so.

W2K3 and above KDCs implement constrained delegation. The client and
penultimate service need not change. The middle-tier services need
library support for constrained delegation; I think only Windows has
this (possibly Heimdal, but then I'm not sure whether it is exposed to
GSS-API).

-- Luke

From lukeh at padl.com Tue Mar 10 03:48:13 2009
From: lukeh at padl.com (Luke Howard)
Date: Tue, 10 Mar 2009 18:48:13 +1100
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To: <49B5E858.7040009@sun.com>
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu> <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com> <3A3A185F-E900-4742-9D32-5F1736E662A2@padl.com> <49B5E858.7040009@sun.com>
Message-ID: <988BB710-CBEA-40A5-BBA8-C772E7B60101@padl.com>

Yes, they're mostly intended for use by the acceptor (except for the
session key API).

-- Luke

On 10/03/2009, at 3:11 PM, Weijun Wang wrote:

> I see. So after a security context is established, these functions
> should return the same results on both sides.
> Of course, if a particular
> piece of info is only available from the encrypted part of the service
> ticket, only the service side knows it and this function is not
> supported on the client side.
>
> Max
>
> Luke Howard wrote:
>>
>> On 09/03/2009, at 1:45 PM, Max (Weijun) Wang wrote:
>>
>>>> gss_krb5_get_tkt_flags()
>>>> gsskrb5_extract_authz_data_from_sec_context()
>>>> gsskrb5_extract_authtime_from_sec_context()
>>>
>>> I guess the tkt or authXXX above are all for the initial TGT (instead
>>> of any service ticket). Right?
>>
>> The service ticket; the service does not have the TGT (although the KDC
>> may use the TGT in deriving those values).
>>
>> -- Luke
>

-- 
www.padl.com | www.fghr.net

From sansancasd at gmail.com Tue Mar 10 06:30:02 2009
From: sansancasd at gmail.com (Santos)
Date: Tue, 10 Mar 2009 10:30:02 +0000
Subject: Authenticating using lower case domain/realm
In-Reply-To:
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com>
Message-ID:

Oh, just compiled 1.7 alpha and indeed kinit worked great with
nt-enterprise (just used the -E flag).

I was trying to find the krb5.conf setting that enabled the enterprise
name for all krb apps. But even if i do find it, you say it's useless
because pam_krb5 won't use it? Ahh what a disappointment..

On Mon, Mar 9, 2009 at 9:51 PM, Luke Howard wrote:

>
> On 10/03/2009, at 3:17 AM, Santos wrote:
>
>>> On Mon, Mar 9, 2009 at 1:35 PM, Luke Howard wrote:
>>>
>>>> MIT Kerberos 1.7 adds the -C (canonicalize) and -E (enterprise
>>>> principal name) options to kinit, which may help.
>>>
>>
>> Actually my main priority is to use pam_krb5.
>>
>> If i compile MIT kerberos 1.7 on ubuntu 8.10, will pam_krb5 be able to use
>> those flags? Does the krb5.conf file have any settings to enable those
>> settings as default?
>>
>
> It doesn't but you should be able to easily modify pam_krb5 to call
> krb5_get_init_creds_opt_set_canonicalize(), and to call
> krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than
> krb5_parse_name(). Of course, this should be made configurable.
>
> -- Luke
>

From zhaoyang.mao at gmail.com Tue Mar 10 07:53:05 2009
From: zhaoyang.mao at gmail.com (zhaoyang mao)
Date: Tue, 10 Mar 2009 19:53:05 +0800
Subject: OpenLDAP with Kerberos

Hi:

Recently I tried to configure Kerberos under OpenLDAP, but it seems to be a
lot of trouble for me. I don't know how to configure it correctly. I just
want to add some users from OpenLDAP using the Kerberos authentication
method, but it always seems to fail.

Below is my error msg:

LDAP Connection Timeout = 5000 mili-secs
LDAP Operation Timeout = 15 secs
Directed to LINUX_OPENLDAP_DIRECTORY
m_strBasedn:dc=example,dc=com
m_strDomain:example.com
Direct to Advanced Authentication mode
Root DSE was found
Kerberos initAuthentication : krb5PrincipalName = ldapadmin@EXAMPLE.COM
ldap_sasl_bind_s: Unknown error
connect() : ldap_sasl_bind_s: Unknown error
Error: LDAP module failed to initialize authenticaiton, please check users' password and credential
Error: MIT Kerberos5: connect() : ldap_sasl_bind_s: Unknown error

PS: My LDAP server and KDC server are on the same machine.

-- 
Best Regards
maozhaoyang
13770966077
No Dream too Big No Distance too Long

From sansancasd at gmail.com Tue Mar 10 12:30:36 2009
From: sansancasd at gmail.com (Santos)
Date: Tue, 10 Mar 2009 16:30:36 +0000
Subject: Authenticating using lower case domain/realm
In-Reply-To: <87r6165flj.fsf@windlord.stanford.edu>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com> <87r6165flj.fsf@windlord.stanford.edu>

Does krb5.conf have a setting to have the enterprise name as default? I
tried searching about it, but no success.
Anyway, if pam_krb5 doesn't support this, the cause is lost anyway.
Thank you all for the information.

On Tue, Mar 10, 2009 at 1:30 AM, Russ Allbery wrote:

> Luke Howard writes:
> > On 10/03/2009, at 3:17 AM, Santos wrote:
>
> >> If I compile MIT kerberos 1.7 on ubuntu 8.10, will pam_krb5 be able to
> >> use those flags? Does the krb5.conf file have any settings to enable
> >> those settings as default?
>
> > It doesn't but you should be able to easily modify pam_krb5 to call
> > krb5_get_init_creds_opt_set_canonicalize(), and to call
> > krb5_parse_name_flags(KRB5_PRINCIPAL_PARSE_ENTERPRISE) rather than
> > krb5_parse_name(). Of course, this should be made configurable.
>
> Patch welcome from someone who can easily test it. :)
>
> --
> Russ Allbery (rra at stanford.edu)
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From Weijun.Wang at Sun.COM Tue Mar 10 00:11:04 2009
From: Weijun.Wang at Sun.COM (Weijun Wang)
Date: Tue, 10 Mar 2009 12:11:04 +0800
Subject: WS-Security and GSS-API: How do I get the session key?
In-Reply-To: <3A3A185F-E900-4742-9D32-5F1736E662A2@padl.com>
References: <0185a0ff-8215-4bce-bbdf-8262c5148814@i38g2000yqd.googlegroups.com> <2FA33280-CFCF-4064-AE15-2CF07C49E329@mit.edu> <296D780F-D22E-4DDA-A537-1142FE6D353C@mit.edu> <9EDF9251-DCE2-4474-87DD-79AA1C87DE88@padl.com> <3A3A185F-E900-4742-9D32-5F1736E662A2@padl.com>
Message-ID: <49B5E858.7040009@sun.com>

I see. So after a security context is established, these functions
should return the same results on both sides. Of course, if a particular
piece of info is only available from the encrypted part of the service
ticket, only the service side knows it and this function is not
supported on the client side.
Max

Luke Howard wrote:
>
> On 09/03/2009, at 1:45 PM, Max (Weijun) Wang wrote:
>
>>> gss_krb5_get_tkt_flags()
>>> gsskrb5_extract_authz_data_from_sec_context()
>>> gsskrb5_extract_authtime_from_sec_context()
>>
>> I guess the tkt or authXXX above are all for the initial TGT (instead
>> of any service ticket). Right?
>
> The service ticket; the service does not have the TGT (although the KDC
> may use the TGT in deriving those values).
>
> -- Luke

From lorenl at alzatex.com Mon Mar 9 19:21:41 2009
From: lorenl at alzatex.com (Loren M. Lang)
Date: Mon, 09 Mar 2009 16:21:41 -0700
Subject: Authenticating to LDAP using a HTTP ticket
In-Reply-To: <87y6vfu6n6.fsf@windlord.stanford.edu>
References: <1236419154.3965.5.camel@localhost.localdomain> <1236506774.3955.19.camel@localhost.localdomain> <87y6vfu6n6.fsf@windlord.stanford.edu>
Message-ID: <1236640901.30350.23841.camel@ruth.aloha.tallye.com>

On Sun, 2009-03-08 at 13:00 -0700, Russ Allbery wrote:
> Mikkel Kruse Johnsen writes:
>
> > Firefox: Type "about:config" in the Location bar. Type "nego" in the
> > filter and double-click "network.negotiate-auth.delegation-uris" and
> > "network.negotiate-auth.trusted-uris" and type in your domain name (in
> > my example I have "cbs.dk" in both)
>
> Be aware that doing this will cause your browser to promiscuously send
> your credentials to every server in that domain with a valid HTTP/*
> principal in your KDC and allow that server to impersonate you to any
> other service. This may be what you want to do, but it's worth thinking
> carefully about the implications before you do it.
>
> For example, if you're an educational site that allows students to obtain
> HTTP/* principals for their own systems, you *don't* want to do this.

Isn't a feature of Kerberos to be able to limit the powers that one
delegates using proxiable tickets?
If I understand correctly, it should be possible to delegate for the server
to impersonate you only to the LDAP service on host ldap.example.com instead
of forwarding your krbtgt.

>

-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/

From lukeh at padl.com Tue Mar 10 19:34:07 2009
From: lukeh at padl.com (Luke Howard)
Date: Wed, 11 Mar 2009 10:34:07 +1100
Subject: Authenticating using lower case domain/realm
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com> <87r6165flj.fsf@windlord.stanford.edu>
Message-ID: <5439879E-41AD-4913-AD44-1E0756FA1064@padl.com>

On 11/03/2009, at 3:30 AM, Santos wrote:

> Does krb5.conf have a setting to have the enterprise name as default? I
> tried searching about it, but no success. Anyway, if pam_krb5 doesn't
> support this, the cause is lost anyway.

No, it doesn't (nor should it).

However, try the following (untested) patch to pam_krb5. Using 1.7, it
should only be necessary to set the "use_upn" option, either in PAM
libdefaults or pam.conf.

-- Luke

From lukeh at padl.com Tue Mar 10 19:49:47 2009
From: lukeh at padl.com (Luke Howard)
Date: Wed, 11 Mar 2009 10:49:47 +1100
Subject: Authenticating using lower case domain/realm
In-Reply-To: <5439879E-41AD-4913-AD44-1E0756FA1064@padl.com>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BD66E@exchange.cybersafe.local> <1AB4E900-1008-492C-9BF9-B920BE1222AC@padl.com> <87r6165flj.fsf@windlord.stanford.edu> <5439879E-41AD-4913-AD44-1E0756FA1064@padl.com>
Message-ID: <619F68F6-1EDB-4291-8F8D-3967BFE9C374@padl.com>

OK, looks like the patch got stripped out.
I'll send it to Russ separately (or contact me off-list).

On 11/03/2009, at 10:34 AM, Luke Howard wrote:

>
> On 11/03/2009, at 3:30 AM, Santos wrote:
>
>> Does krb5.conf have a setting to have the enterprise name as default? I
>> tried searching about it, but no success. Anyway, if pam_krb5 doesn't
>> support this, the cause is lost anyway.
>
> No, it doesn't (nor should it).
>
> However, try the following (untested) patch to pam_krb5. Using 1.7,
> it should only be necessary to set the "use_upn" option, either in
> PAM libdefaults or pam.conf.
>
> -- Luke
>

-- 
www.padl.com | www.fghr.net

From michael at stroeder.com Tue Mar 10 18:46:29 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 10 Mar 2009 23:46:29 +0100
Subject: Authenticating to LDAP using a HTTP ticket
References: <1236419154.3965.5.camel@localhost.localdomain>
Message-ID: <677j86-mgp.ln1@nb2.stroeder.com>

Richard E. Silverman wrote:
>>>>>> "MKJ" == Mikkel Kruse Johnsen writes:
>
> MKJ> I also had a problem getting this to work and it turned out to be
> MKJ> a problem with "mod_auth_kerb". I had to recompile it, using its
> MKJ> internal GSSAPI support and not MIT Kerberos under RHEL5. Don't
> MKJ> know your setup; if it is not delegating then recompile with
> MKJ> internal GSSAPI support.
>
> Same here; do use the internal SPNEGO code.

How to compile "mod_auth_kerb" with internal GSSAPI support?

Ciao, Michael.

From mathew_rowley at cable.comcast.com Wed Mar 11 11:15:49 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Wed, 11 Mar 2009 09:15:49 -0600
Subject: Forgetting something?
krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM

I am trying to start up a freshly installed/configured MIT kerberos
(1.6.1-31) implementation, but I am obviously missing something. I am using
an LDAP backend, but the service will not start. Here is what I have done;
can anyone see something I am missing? Or know of a way I can get more
logging? Thanks.

1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm

2. Modified /etc/krb5.conf to include ldap information:

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
            ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
            # this object needs to have read rights on
            # the realm container, principal container and realm sub-trees
            ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
            # this object needs to have read and write rights on
            # the realm container, principal container and realm sub-trees
            ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
            ldap_servers = ldap://kdc01.security.lab.comcast.net
            ldap_conns_per_server = 5
        }

3. Created the ldap users (kadmin, kdc)

4. Initialized the ldap backend with kdb5_ldap_util:

    kdb5_ldap_util -H ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -subtrees 'dc=comcast,dc=com' -r COMCAST.NET -s

5. Stashed kadmin and kdc passwords in /var/kerberos/krb5kdc/kdc5.keyfile
   using kdb5_ldap_util:

    kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com'

6. Modified ldap ACL according to
   http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html but
   with my kadmin/kdc name and my dn (using ldap 2.4.15,
   with new cn=config):

    olcAccess: to dn.base="" by * read
    olcAccess: to dn.base="cn=Subschema" by * read
    olcAccess: to attrs=userPassword,userPKCS12 by self write
        by * read
    olcAccess: to dn.subtree="dc=comcast,dc=com"
        by dn.exact="cn=kdc,dc=comcast,dc=com" read
        by dn.exact="cn=kadmin,dc=comcast,dc=com" write
        by * none
    olcAccess: to dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
        by dn.exact="cn=kdc,dc=comcast,dc=com" read
        by dn.exact="cn=kadmin,dc=comcast,dc=com" write
        by * none
    olcAccess: to * by * read

7. Confirmed I can ldapsearch with kadmin and kdc ldap users

8. Tried to start krb5kdc - /etc/init.d/krb5kdc start:

    [root@kdc01 krb5kdc]# /etc/init.d/krb5kdc start
    Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm COMCAST.COM - see log file for details
    [FAILED]
    [root@kdc01 krb5kdc]# cat /var/log/krb5kdc.log
    krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM

Any ideas? Thanks for any help.

-- 
MAT

From mathew_rowley at cable.comcast.com Wed Mar 11 14:39:14 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Wed, 11 Mar 2009 12:39:14 -0600
Subject: Forgetting something? krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM

My problem was actually a typo. In my realm, I had:

    database_module = opeldap_ldapconf

Which did not match "opeNldap_ldapconf".

MAT

On 3/11/09 9:15 AM, "Mathew Rowley" wrote:

> I am trying to start up a freshly installed/configured MIT kerberos
> (1.6.1-31) implementation, but I am obviously missing something. I am using
> an LDAP backend, but the service will not start. Here is what I have done;
> can anyone see something I am missing? Or know of a way I can get more
> logging? Thanks.
>
> 1. Modified /var/kerberos/krb5kdc/krb.conf to set up the realm
>
> 2.
> Modified /etc/krb5.conf to include ldap information:
>
>     [dbdefaults]
>         ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>
>     [dbmodules]
>         openldap_ldapconf = {
>             db_library = kldap
>             ldap_kerberos_container_dn = cn=krbcontainer,dc=comcast,dc=com
>             ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
>             # this object needs to have read rights on
>             # the realm container, principal container and realm sub-trees
>             ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
>             # this object needs to have read and write rights on
>             # the realm container, principal container and realm sub-trees
>             ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.keyfile
>             ldap_servers = ldap://kdc01.security.lab.comcast.net
>             ldap_conns_per_server = 5
>         }
>
> 3. Created the ldap users (kadmin, kdc)
>
> 4. Initialized the ldap backend with kdb5_ldap_util:
>
>     kdb5_ldap_util -H ldap://10.252.152.78 -D 'cn=manager,dc=comcast,dc=com' create -subtrees 'dc=comcast,dc=com' -r COMCAST.NET -s
>
> 5. Stashed kadmin and kdc passwords in /var/kerberos/krb5kdc/kdc5.keyfile
>    using kdb5_ldap_util:
>
>     kdb5_ldap_util stashsrvpw -f /var/kerberos/krb5kdc/kdc5.keyfile 'cn=kadmin,dc=comcast,dc=com'
>
> 6. Modified ldap ACL according to
>    http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html but
>    with my kadmin/kdc name and my dn (using ldap 2.4.15, with new cn=config):
>
>     olcAccess: to dn.base="" by * read
>     olcAccess: to dn.base="cn=Subschema" by * read
>     olcAccess: to attrs=userPassword,userPKCS12 by self write
>         by * read
>     olcAccess: to dn.subtree="dc=comcast,dc=com"
>         by dn.exact="cn=kdc,dc=comcast,dc=com" read
>         by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>         by * none
>     olcAccess: to dn.subtree="cn=COMCAST.COM,cn=krbcontainer,dc=comcast,dc=com"
>         by dn.exact="cn=kdc,dc=comcast,dc=com" read
>         by dn.exact="cn=kadmin,dc=comcast,dc=com" write
>         by * none
>     olcAccess: to * by * read
>
> 7. Confirmed I can ldapsearch with kadmin and kdc ldap users
>
> 8.
> Tried to start krb5kdc - /etc/init.d/krb5kdc start:
>
>     [root@kdc01 krb5kdc]# /etc/init.d/krb5kdc start
>     Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm COMCAST.COM - see log file for details
>     [FAILED]
>     [root@kdc01 krb5kdc]# cat /var/log/krb5kdc.log
>     krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM
>
> Any ideas? Thanks for any help.
>
> --
> MAT
>

-- 
MAT

From mathew_rowley at cable.comcast.com Wed Mar 11 19:13:33 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Wed, 11 Mar 2009 17:13:33 -0600
Subject: Kerberos master/master sync using OpenLDAP N-Way Multi-Master

I haven't seen this idea posted anywhere. The new version of OpenLDAP (I'm
using 2.4.15) has the ability to run in a multi-master mode. I was able to
set up two servers that each ran a Kerberos instance as well as an OpenLDAP
instance, with ldap and kerberos failover. I now don't need to worry about
doing any sync with Kerberos, as LDAP does it all. I can also run kadmin
against either of the kerberos servers.

Some tests I did that were pretty successful were:

Realm setup:

    kdc = kdc01.security.lab.comcast.net:88
    kdc = kdc02.security.lab.comcast.net:88

Turn off kdc on kdc01 -> successfully authenticated with kdc02
Turn on kdc but turn off ldap on kdc01 -> successfully authenticated with kdc02

The failover works exactly as expected.

-- 
MAT

From mathew_rowley at cable.comcast.com Wed Mar 11 19:34:32 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Wed, 11 Mar 2009 17:34:32 -0600
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
to a RH4 box, I get the following error from ssh:

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
...

When looking at the krb5kdc.log I see:

Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not found in Kerberos database
krb5kdc: Interrupted system call - while selecting for network input(1)

It seems like the box I am trying to ssh to is sending
"host/10.242.142.77" instead of what I expected,
"host/rsa01.security.lab.comcast.net". Does anyone have any idea why this
would be happening? I have exact same configurations on RH5 boxes that will
work properly and send host/FQDN... Thanks.

-- 
MAT

From chriscorbell at gmail.com Wed Mar 11 20:08:40 2009
From: chriscorbell at gmail.com (Chris)
Date: Wed, 11 Mar 2009 17:08:40 -0700 (PDT)
Subject: Java app as Windows Service w/JGSS+Kerberos - should it work?
Message-ID: <6b841767-2853-444b-8e68-56891fba7150@z8g2000prd.googlegroups.com>

I have a JBoss webservice app that's configured for GSS-API (Kerberos)
authentication of context tokens received from clients. It gets the GSS-API
output token in a soap message and calls acceptSecContext(). GSS-API is
configured with a Krb5LoginModule and a local keyTab file (exported from
AD). All of this works great.

What doesn't work great is running this JBoss app as an actual Windows
Service - the creation of the server's GSSCredentials fails with "No valid
credentials provided", which I think typically means the keyTab file isn't
found or can't be accessed.
I've tried every type of user for the Windows Service (LocalSystem, a local
Admin user account w/password, etc.) and verified read perms on the keyTab
file. I'm beginning to suspect it's just a problem with having the JVM
wrapped in a native service process. (I'm using the Tanuki Java Service
Wrapper).

I know this is a fairly specific configuration but I'm hoping someone may
have some experience to offer - have you been able to get a GSS-API-enabled
Java server application running as a Windows Service with a local KeyTab
file? If you have gotten this to work, did you ever see the above symptom
& is there a likely cause? Or if not, could it be that this simply won't
work - is there something about the Java GSS-API implementation that
conflicts with running in a wrapping service process?

TIA,
Chris

From raeburn at MIT.EDU Wed Mar 11 17:38:56 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 11 Mar 2009 17:38:56 -0400
Subject: Forgetting something? krb5kdc: No such file or directory - while initializing database for realm COMCAST.COM
Message-ID: <23BB0844-F8B1-481C-B551-BD65A11F6999@mit.edu>

On Mar 11, 2009, at 14:39, Mathew Rowley wrote:

> My problem was actually a typo. In my realm, I had:
>
>     database_module = opeldap_ldapconf
>
> Which did not match "opeNldap_ldapconf".

Thanks for the followup. It would definitely be better if we printed a
more informative message about this, wouldn't it? :-) I've forwarded your
message into the bug database.
Ken

From thomas at chaschperli.ch Thu Mar 12 02:09:44 2009
From: thomas at chaschperli.ch (Thomas Mueller)
Date: Thu, 12 Mar 2009 06:09:44 +0000 (UTC)
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

> When looking at the krb5kdc.log I see:
>
> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info):
> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER:
> authtime 1236809289, red@COMCAST.NET for
> host/10.252.152.77@COMCAST.NET, Server not found in Kerberos database
> krb5kdc: Interrupted system call - while selecting for network input(1)
>
> It seems like the box I am trying to ssh to is sending
> "host/10.242.142.77" instead of what I expected,
> "host/rsa01.security.lab.comcast.net". Does anyone have any idea why
> this would be happening? I have exact same configurations on RH5 boxes
> that will work properly and send host/FQDN... Thanks.

Does a reverse lookup of 10.252.152.78 on the host sending the ip address
instead of the hostname show the expected hostname?

- Thomas

From mathew_rowley at cable.comcast.com Thu Mar 12 10:31:02 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 12 Mar 2009 08:31:02 -0600
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)

Yes, reverse lookup works correctly...

    [root@rsa01 ~]# nslookup 10.252.152.78
    Server:         10.252.152.70
    Address:        10.252.152.70#53

    78.152.252.10.in-addr.arpa      name = kdc01.security.lab.comcast.net.
MAT

On 3/12/09 12:09 AM, "Thomas Mueller" wrote:

>> When looking at the krb5kdc.log I see:
>>
>> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info):
>> TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER:
>> authtime 1236809289, red@COMCAST.NET for
>> host/10.252.152.77@COMCAST.NET, Server not found in Kerberos database
>> krb5kdc: Interrupted system call - while selecting for network input(1)
>>
>> It seems like the box I am trying to ssh to is sending
>> "host/10.242.142.77" instead of what I expected,
>> "host/rsa01.security.lab.comcast.net". Does anyone have any idea why
>> this would be happening? I have exact same configurations on RH5 boxes
>> that will work properly and send host/FQDN... Thanks.
>
> Does a reverse lookup of 10.252.152.78 on the host sending the ip address
> instead of the hostname show the expected hostname?
>
> - Thomas
>

-- 
MAT

From deengert at anl.gov Thu Mar 12 11:15:43 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 12 Mar 2009 10:15:43 -0500
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
Message-ID: <49B9271F.10801@anl.gov>

Mathew Rowley wrote:
> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
> to a RH4 box, I get the following error from ssh:
>
> ...
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server not found in Kerberos database
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> Server not found in Kerberos database
> ...
>
> When looking at the krb5kdc.log I see:
>
> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
> 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
> found in Kerberos database
> krb5kdc: Interrupted system call - while selecting for network input(1)
>
> It seems like the box I am trying to ssh to is sending "host/10.242.142.77"
> instead of what I expected, "host/rsa01.security.lab.comcast.net". Does
> anyone have any idea why this would be happening? I have exact same
> configurations on RH5 boxes that will work properly and send host/FQDN...

On the client, what is the ssh command you type in?
What is in the /etc/hosts file?
What is in the krb5.conf file?
Is nsswitch.conf mapping any hosts?
What does nslookup rsa01.security.lab.comcast.net show?

Is this a private network?
Are your DNS servers doing something special and actually returning
the name as 10.242.142.77?

A Wireshark trace might show what DNS is doing here.

> Thanks.
>

-- 

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From mathew_rowley at cable.comcast.com Thu Mar 12 13:43:59 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 12 Mar 2009 11:43:59 -0600
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
In-Reply-To: <49B9271F.10801@anl.gov>

>> On the client, what is the ssh command you type in?

    ssh -v red@rsa01.security.lab.comcast.net

>> What is in the /etc/hosts file?

    127.0.0.1   localhost.localdomain localhost
    ::1         localhost6.localdomain6 localhost6

>> What is in the krb5.conf file?
    # This is kdc01.security.lab.comcast.net - client
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        default_realm = COMCAST.NET
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes

    [kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

    [realms]
        COMCAST.NET = {
            kdc = kdc01.security.lab.comcast.net:88
            kdc = kdc02.security.lab.comcast.net:88
            admin_server = kdc01.security.lab.comcast.net:749
            admin_server = kdc02.security.lab.comcast.net:749
            default_domain = security.lab.comcast.net
            database_module = openldap_ldapconf
        }

    [domain_realm]
        .security.lab.comcast.net = COMCAST.NET
        security.lab.comcast.net = COMCAST.NET

    [dbdefaults]
        ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kerberos_container_dn = "cn=krbcontainer,dc=comcast,dc=com"
            ldap_kdc_dn = "cn=kdc,dc=comcast,dc=com"
            # this object needs to have read rights on
            # the realm container, principal container and realm sub-trees
            ldap_kadmind_dn = "cn=kadmin,dc=comcast,dc=com"
            # this object needs to have read and write rights on
            # the realm container, principal container and realm sub-trees
            ldap_service_password_file = /var/kerberos/krb5kdc/kdc5.ldap.keytab
            ldap_servers = ldap://kdc01.security.lab.comcast.net
            ldap_conns_per_server = 5
        }

>> Is nsswitch.conf mapping any hosts?

No

>> What does nslookup rsa01.security.lab.comcast.net show?

    [red@kdc01 ~]$ nslookup rsa01.security.lab.comcast.net
    Server:         10.252.152.70
    Address:        10.252.152.70#53

    Name:   rsa01.security.lab.comcast.net
    Address: 10.252.152.76

>> Is this a private network?

Yes, lab environment

>> Are your DNS servers doing something special and actually returning
>> the name as 10.242.142.77?

They shouldn't be;
I configured it, just using named.

Here is a tcpdump of communication with the dns server when attempting to
ssh: http://pastebin.com/m66ff7a28

I looked at the pcap in wireshark, and it seems like it's doing a standard
query with a valid standard response (for A name)...

MAT

On 3/12/09 9:15 AM, "Douglas E. Engert" wrote:

>
>
> Mathew Rowley wrote:
>> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>> to a RH4 box, I get the following error from ssh:
>>
>> ...
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Server not found in Kerberos database
>> ...
>>
>> When looking at the krb5kdc.log I see:
>>
>> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>> 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
>> found in Kerberos database
>> krb5kdc: Interrupted system call - while selecting for network input(1)
>>
>> It seems like the box I am trying to ssh to is sending "host/10.242.142.77"
>> instead of what I expected, "host/rsa01.security.lab.comcast.net". Does
>> anyone have any idea why this would be happening? I have exact same
>> configurations on RH5 boxes that will work properly and send host/FQDN...
>
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
>
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
>
> A Wireshark trace might show what DNS is doing here.
>
>> Thanks.
>>
>
> --
>
> Douglas E. Engert
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>

-- 
MAT

From deengert at anl.gov Thu Mar 12 17:12:59 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 12 Mar 2009 16:12:59 -0500
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
In-Reply-To: <49B9271F.10801@anl.gov>
References: <49B9271F.10801@anl.gov>
Message-ID: <49B97ADB.7090909@anl.gov>

I bet you have an .ssh/config or in the ssh_config a Host section with
HostName 10.52.152.77. If so, ssh might be mapping the name you gave it
into a string with the numbers, and this is being passed to Kerberos.

Douglas E. Engert wrote:
>
> Mathew Rowley wrote:
>> When trying to ssh with a kerberos ticket (with GSSAPI enabled and working)
>> to a RH4 box, I get the following error from ssh:
>>
>> ...
>> debug1: Authentications that can continue:
>> publickey,gssapi-with-mic,password,keyboard-interactive
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Server not found in Kerberos database
>> ...
>>
>> When looking at the krb5kdc.log I see:
>>
>> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): TGS_REQ
>> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime
>> 1236809289, red@COMCAST.NET for host/10.252.152.77@COMCAST.NET, Server not
>> found in Kerberos database
>> krb5kdc: Interrupted system call - while selecting for network input(1)
>>
>> It seems like the box I am trying to ssh to is sending "host/10.242.142.77"
>> instead of what I expected, "host/rsa01.security.lab.comcast.net". Does
>> anyone have any idea why this would be happening?
>> I have exact same
>> configurations on RH5 boxes that will work properly and send host/FQDN...
>
> On the client, what is the ssh command you type in?
> What is in the /etc/hosts file?
> What is in the krb5.conf file?
> Is nsswitch.conf mapping any hosts?
> What does nslookup rsa01.security.lab.comcast.net show?
>
> Is this a private network?
> Are your DNS servers doing something special and actually returning
> the name as 10.242.142.77?
>
> A Wireshark trace might show what DNS is doing here.
>
>> Thanks.
>>
>

-- 

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From mathew_rowley at cable.comcast.com Thu Mar 12 22:03:45 2009
From: mathew_rowley at cable.comcast.com (Mathew Rowley)
Date: Thu, 12 Mar 2009 20:03:45 -0600
Subject: Server passing IP instead of FQDN to Kerberos (during SSH GSSAPI)
In-Reply-To: <49B97ADB.7090909@anl.gov>

The problem was actually in the sshd_config: it had the "useDNS" line
commented out. Switching it to yes fixed the problem.

MAT

On 3/12/09 3:12 PM, "Douglas E. Engert" wrote:

> I bet you have an .ssh/config or in the ssh_config a Host section with
> HostName 10.52.152.77. If so, ssh might be mapping the name you gave it
> into a string with the numbers, and this is being passed to Kerberos.
>
> Douglas E. Engert wrote:
>>
>> Mathew Rowley wrote:
>>> When trying to ssh with a kerberos ticket (with GSSAPI enabled and
>>> working) to a RH4 box, I get the following error from ssh:
>>>
>>> ...
>>> debug1: Authentications that can continue:
>>> publickey,gssapi-with-mic,password,keyboard-interactive
>>> debug1: Next authentication method: gssapi-with-mic
>>> debug1: Unspecified GSS failure. Minor code may provide more information
>>> Server not found in Kerberos database
>>>
>>> debug1: Unspecified GSS failure. Minor code may provide more information
>>> Server not found in Kerberos database
>>> ...
>>> >> >>> >> When looking at the krb5kdc.log I see: >>> >> >>> >> Mar 11 22:59:09 kdc01.security.lab.comcast.net krb5kdc[17694](info): >>> TGS_REQ >>> >> (7 etypes {18 17 16 23 1 3 2}) 10.252.152.78: UNKNOWN_SERVER: authtime >>> >> 1236809289, red at COMCAST.NET for host/10.252.152.77 at COMCAST.NET, Server >>> not >>> >> found in Kerberos database >>> >> krb5kdc: Interrupted system call - while selecting for network input(1) >>> >> >>> >> It seems like the box I am trying to ssh to is sending >>> ?host/10.242.142.77? >>> >> instead of what I expected ?host/rsa01.security.lab.comcast.net?. Does >>> >> anyone have any idea why this would be happening? I have exact same >>> >> configurations on RH5 boxes that will work properly and send host/FQDN... >> > >> > On the client, what is the ssh command you type in? >> > What is in the /etc/hosts file? >> > What is in the krb5.conf file? >> > Is nsswitch.conf mapping any hosts? >> > What does nslookup rsa01.security.lab.comcast.net show? >> > >> > Is this a private network? >> > Are your DNS servers doing something special and actually returning >> > the name as 10.242.142.77? >> > >> > A Wireshark trace might show what DNS is doing here. >> > >> > >> > >>> >> Thanks. >>> >> >> > > > -- > > Douglas E. Engert > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 > -- MAT From Nagendra.Krishnawat at westernasset.com Fri Mar 13 14:15:35 2009 From: Nagendra.Krishnawat at westernasset.com (Krishnawat, Nagendra) Date: Fri, 13 Mar 2009 11:15:35 -0700 Subject: FW: JBoss Negotiate Message-ID: Hi, I am trying to implement slient authentication using SPNEGO, My app server is JBOSS, Java vs 1.6. 
After I was done with the configuration, during testing I get the following
exception:

"Caused by: KrbException: Invalid argument (400) - Cannot find key of
appropriate type to decrypt AP REP - RC4 with HMAC"

To force the KDC to use DES encryption, I recreated the user with the new
property "Use DES encryption type" selected, set the SPN and recreated the
keytab file using DES-CBC-CRC as the crypto.

I got the same stack trace:

Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)

This means the KDC is encrypting using RC4, even if the "Use DES encryption
type for this account" checkbox is checked. But I am not very sure that this is
a KDC issue, because AP REQ and AP REP are the message exchange between client
and server, not between client and KDC.

Can you guide me on where I should make the fix? I am stuck.

-Nagendra

**********************************************************************
E-mail sent through the Internet is not secure. Western Asset therefore
recommends that you do not send any confidential or sensitive information to
us via electronic mail, including social security numbers, account numbers, or
personal identification numbers. Delivery, and or timely delivery of Internet
mail is not guaranteed. Western Asset therefore recommends that you do not
send time sensitive or action-oriented messages to us via electronic mail.
**********************************************************************

From Thomas.Maslen at quest.com Sat Mar 14 22:20:36 2009
From: Thomas.Maslen at quest.com (Thomas Maslen)
Date: Sat, 14 Mar 2009 19:20:36 -0700
Subject: JBoss Negotiate
Message-ID: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>

Let me guess... you're probably running JBoss on a Windows machine that is
joined to the Active Directory domain?

If so, then the problem is: you have got your SPN mappings wrong (i.e. the
hostname in the URL that you are using in the browser doesn't match any SPN
mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to
HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service
object, so it doesn't use your service object.

If AD doesn't find an explicit SPN mapping for HTTP/foo.example.com, it
implicitly maps HTTP/foo.example.com to the AD Computer object for
foo.example.com (equivalently, HOST/foo.example.com). This works nicely for
Microsoft IIS but for other SPNEGO implementations it produces the rather
nonobvious error that you are seeing at present.

From chriscorbell at gmail.com Sat Mar 14 21:29:45 2009
From: chriscorbell at gmail.com (Chris)
Date: Sat, 14 Mar 2009 18:29:45 -0700 (PDT)
Subject: FW: JBoss Negotiate
References:
Message-ID: <191b692c-84d7-4ad0-a9d7-ade3c8de8d76@q30g2000prq.googlegroups.com>

On Mar 13, 11:15 am, "Krishnawat, Nagendra" wrote:
> Hi,
>
> I am trying to implement silent authentication using SPNEGO. My app server
> is JBoss, Java 1.6. After I was done with the configuration, during testing
> I get the following exception:
>
> "Caused by: KrbException: Invalid argument (400) - Cannot find key of
> appropriate type to decrypt AP REP - RC4 with HMAC"
>
> To force the KDC to use DES encryption, I recreated the user with the new
> property "Use DES encryption type" selected, set the SPN and recreated the
> keytab file using DES-CBC-CRC as the crypto.

Try using DES-CBC-MD5 instead. This worked for me when I had the same error;
apparently the Windows KDC supports MD5 but not CRC.

Also, if that doesn't fix it, if your AD server is Windows 2003 make sure
it's upgraded with the latest service patches (SP3 IIRC; there was a hotfix
to earlier versions to make the KDC honor the requested encryption type).
hth,
Chris

From Qiang.Xu at fujixerox.com Mon Mar 16 04:03:15 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Mon, 16 Mar 2009 16:03:15 +0800
Subject: SASL authentication
Message-ID:

Hi, all:

I am trying to do LDAP SASL binding to ADS in Windows 2003 server, which is
where the KDC resides at the same time.

Unfortunately, an error is confusing me:

==============================================
(Fri Mar 13 2009 13:34:19.846)
INFO>> SASL Login
(Fri Mar 13 2009 13:35:07.089)
INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 82
(Fri Mar 13 2009 13:35:07.089)
ERROR>> LDAP BIND: Value of ldap failure status and text 82 Local error
==============================================

Using klist, it is verified that a Kerberos ticket exists and has not expired.
Besides this, what else should be done at the server's end, or at the client's
end? Any set-up issue? (The client has the SASL library and its GSSAPI plugin
in place already.)

Looking forward to help,
Xu Qiang

From simon at sxw.org.uk Mon Mar 16 05:51:31 2009
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Mon, 16 Mar 2009 09:51:31 +0000
Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens
In-Reply-To: <20090228230438.GJ9102@mcketrick.tproa.net>
References: <49A9BDF2.6030402@rampaginggeek.com> <20090228230438.GJ9102@mcketrick.tproa.net>
Message-ID: <3C8D5C20-0791-4806-97F5-5DA79513AF24@sxw.org.uk>

On 28 Feb 2009, at 23:04, Thomas Kula wrote:

> On Sat, Feb 28, 2009 at 05:42:58PM -0500, Jason Edgecombe wrote:
>> We have users who need to run long-running jobs and store their
>> files in AFS during the run.
>>
>> I've read the k5start and k5renew man pages, but I don't see how I
>> can have users type in their password when they start a job and have
>> the tickets and tokens keep being renewed.
>>
>> How can I do this?
>
> Give them a keytab, but not one for their normal identity (this
> breaks things). Create, rather, an instance for them that can
> be put in a keytab

We (Informatics @ Edinburgh) are developing an identity management system
which provides a user-friendly interface both to allow a user to create a new
instance from their primary one, and to allow them to assign access control
entitlements from their primary instance to the one they've just created.

I'll be talking about, and demoing, it at this year's AFS & Kerberos Best
Practices Workshop.

Cheers,

Simon.

From michael at stroeder.com Mon Mar 16 07:17:45 2009
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 16 Mar 2009 12:17:45 +0100
Subject: SASL authentication
In-Reply-To:
References:
Message-ID:

Xu, Qiang (FXSGSC) wrote:
>
> I am trying to do LDAP SASL binding to ADS in Windows 2003 server, which is
> where the KDC resides at the same time.
>
> Unfortunately, an error is confusing me:
> ==============================================
> (Fri Mar 13 2009 13:34:19.846)
> INFO>> SASL Login
> (Fri Mar 13 2009 13:35:07.089)
> INFO>> SASL LDAP BIND with GSSAPI: Value of ldapStatus 82
> (Fri Mar 13 2009 13:35:07.089)
> ERROR>> LDAP BIND: Value of ldap failure status and text 82 Local error
> ==============================================
> Using klist, it is verified that a Kerberos ticket exists and has not
> expired. Besides this, what else should be done at the server's end, or at
> the client's end? Any set-up issue? (The client has the SASL library and its
> GSSAPI plugin in place already.)

Try obtaining the TGT with 'kinit -A <principal>'. I vaguely remember that
this solved some problems for me.

Ciao, Michael.
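The krb5kdc.log line quoted in the "Server passing IP instead of FQDN" thread above is the KDC-side trace of that sshd misconfiguration: a TGS_REQ for host/<IP address> that the KDC rejects with UNKNOWN_SERVER. The Python below is an added example, not code from the thread or from MIT Kerberos, that parses TGS_REQ lines in that log format and separates UNKNOWN_SERVER requests whose service principal instance is an IP literal (a name-resolution problem on the client or server) from those whose instance is a hostname (a principal that was never registered). The realm EXAMPLE.NET, the hostnames, the addresses and the three sample log lines are constructed; the ISSUE line layout is assumed to match the same KDC version.

```python
import ipaddress
import re

# Constructed krb5kdc.log lines in the MIT KDC format quoted in the thread.
# Realm, hosts and addresses are made up for this example.
SAMPLE_KDC_LOG = """\
Mar 11 22:59:09 kdc01.example.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.78: UNKNOWN_SERVER: authtime 1236809289, alice@EXAMPLE.NET for host/10.0.1.77@EXAMPLE.NET, Server not found in Kerberos database
Mar 11 22:59:10 kdc01.example.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.78: ISSUE: authtime 1236809289, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.NET for host/rsa01.example.net@EXAMPLE.NET
Mar 11 22:59:11 kdc01.example.net krb5kdc[17694](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.79: UNKNOWN_SERVER: authtime 1236809300, bob@EXAMPLE.NET for ldap/dc02.example.net@EXAMPLE.NET, Server not found in Kerberos database
"""

# One TGS_REQ record: timestamp, KDC host, pid, client address, status,
# optional "etypes {...}," on ISSUE lines, client principal, server principal
# and an optional trailing reason after the comma.
TGS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"TGS_REQ \((?P<etypes>[^)]*)\) (?P<client_addr>\S+): (?P<status>[A-Z_]+): "
    r"authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?),?(?: (?P<reason>.*))?$"
)


def parse_tgs_req(line: str):
    """Return the fields of a TGS_REQ log line as a dict, or None."""
    m = TGS_REQ_RE.match(line)
    return m.groupdict() if m else None


def principal_instance(principal: str):
    """'host/10.0.1.77@EXAMPLE.NET' -> '10.0.1.77'; None if no instance."""
    name = principal.split("@", 1)[0]
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else None


def is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(rec) -> str:
    """ok / ip-literal-instance / unregistered-service for one record."""
    if rec["status"] != "UNKNOWN_SERVER":
        return "ok"
    inst = principal_instance(rec["server"])
    if inst is not None and is_ip_literal(inst):
        return "ip-literal-instance"
    return "unregistered-service"


def audit(log_text: str):
    """Return (counts per class, list of ip-literal findings)."""
    counts = {"ok": 0, "ip-literal-instance": 0, "unregistered-service": 0}
    findings = []
    for line in log_text.splitlines():
        rec = parse_tgs_req(line)
        if rec is None:
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "ip-literal-instance":
            findings.append((rec["client_addr"], rec["client"], rec["server"]))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_KDC_LOG)
    print(counts)
    for client_addr, client, server in findings:
        print(f"{client_addr}: {client} asked for {server}: check name resolution on that host")
```

An IP-literal instance points at a host that is not resolving names (sshd with UseDNS commented out, or an ssh Host alias whose HostName is numeric, as in the thread); an unknown hostname instance usually means the service principal was never added to the KDC, which is the other common cause of "Server not found in Kerberos database".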
From Nagendra.Krishnawat at westernasset.com Mon Mar 16 14:55:08 2009
From: Nagendra.Krishnawat at westernasset.com (Krishnawat, Nagendra)
Date: Mon, 16 Mar 2009 11:55:08 -0700
Subject: JBoss Negotiate
In-Reply-To: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>
References: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>
Message-ID:

Hi,

Thank you very much for the reply.

I am using SPNEGO for silent authentication, referring to
https://www.jboss.org/community/docs/DOC-10680

Environment specification:

Server Machine: Microsoft Windows Server 2003 R2
(Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)

KDC: Windows Server 2003 R2. In my case server and KDC are the same machine.
(Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)

Client Machine: Microsoft Windows XP Professional
(Name: PASKTABCL1, Domain: wamtest.wa.local, FullName: PASKTABCL1.wamtest.wa.local)

I basically followed the PDF user guide downloaded from the above link
(https://www.jboss.org/community/docs/DOC-10680).

User properties are in the mail attachment (properties.jpg).

SPN setting:

C:\Program Files\Support Tools>setspn -l PASKTABSVR1
Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain Controllers,DC=wamtest,DC=wa,DC=local:
    HTTP/PASKTABSVR1.wamtest.wa.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
    GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
    HOST/PASKTABSVR1
    HOST/PASKTABSVR1.wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
    ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
    ldap/PASKTABSVR1
    ldap/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    DNS/PASKTABSVR1.wamtest.wa.local

Command used to create the keytab file:

C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/PASKTABSVR1 at WAMTEST.WA.LOCAL -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab

Login modules from JBoss (login-config.xml):

.
..
......
true true host/PASKTABSVR1 at WAMTEST.WA.LOCAL C:/pasktabsvr1.host.keytab true true
useFirstPass host
useFirstPass props/spnego-users.properties props/spnego-roles.properties
.....
..
.

As per the document there are three tests (Attachment: Negotiation_test.jpg).

Results of the tests in my environment (test_results.jpg): the first and second
tests pass, i.e. the client browser gets the token, and in the second test the
host login module gets authenticated, i.e. the second test passes. The final
test, i.e. "secured", which is the integrated test of both client and server,
fails with the following exception:

Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)

As per your mail I mapped a different SPN. I tried:

C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1 (lowercase pasktabsvr1)

But it didn't help; I got the same exception "Invalid argument (400) - Cannot
find key of appropriate type to decrypt AP REP - RC4 with HMAC".

Am I doing anything fundamentally wrong?

-Nagendra

-----Original Message-----
From: Thomas Maslen [mailto:Thomas.Maslen at quest.com]
Sent: Saturday, March 14, 2009 7:21 PM
To: kerberos at mit.edu
Cc: Krishnawat, Nagendra
Subject: Re: JBoss Negotiate

Let me guess... you're probably running JBoss on a Windows machine that is
joined to the Active Directory domain?

If so, then the problem is: you have got your SPN mappings wrong (i.e. the
hostname in the URL that you are using in the browser doesn't match any SPN
mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to
HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service
object, so it doesn't use your service object.

If AD doesn't find an explicit SPN mapping for HTTP/foo.example.com, it
implicitly maps HTTP/foo.example.com to the AD Computer object for
foo.example.com (equivalently, HOST/foo.example.com). This works nicely for
Microsoft IIS but for other SPNEGO implementations it produces the rather
nonobvious error that you are seeing at present.
From tdanderberg at gmail.com Mon Mar 16 16:50:18 2009
From: tdanderberg at gmail.com (Tom Anderberg)
Date: Mon, 16 Mar 2009 13:50:18 -0700
Subject: gss_display_status question
Message-ID:

Hi all,

I work on a security library that provides access to Kerberos through GSS-API.
We are trying to log Kerberos errors using gss_display_status. We have noticed
that the same error code can, at different times, produce either a helpful or
an unhelpful error message. Sometimes this seems to depend on the Kerberos
operations that have been performed.

For example:
- Call gss_display_status with 0x96c73a22 and get "Unknown code krb5 34"
- Then call gss_acquire_cred (doesn't matter if it succeeds or fails)
- Repeat the initial call to gss_display_status and get "Request is a replay"

However, there are platforms (such as Linux) where we always just get "Unknown
code".

Is there something that we need to do to initialize Kerberos before calling
gss_display_status? Or is there some other explanation?

Thanks,
Tom

From raeburn at MIT.EDU Mon Mar 16 17:06:53 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 16 Mar 2009 17:06:53 -0400
Subject: gss_display_status question
In-Reply-To:
References:
Message-ID:

On Mar 16, 2009, at 16:50, Tom Anderberg wrote:
> I work on a security library that provides access to Kerberos through
> GSS-API.
> We are trying to log Kerberos errors using gss_display_status. We
> have noticed that the same error code can, at different times, produce
> either a helpful or an unhelpful error message. Sometimes this seems
> to depend on the Kerberos operations that have been performed.
>
> For example:
> - Call gss_display_status with 0x96c73a22 and get "Unknown code krb5 34"
> - Then call gss_acquire_cred (doesn't matter if it succeeds or fails)
> - Repeat the initial call to gss_display_status and get "Request is a
>   replay"

If you call gss_display_status as the first Kerberos-related thing in the
process (or first thing after doing a dlopen to access the Kerberos library),
yes, I'd expect this. Setting up access to the error table strings is part of
the library initialization code for whichever library contains the error table
in question. For start-up performance reasons, we delay this initialization
until the first time certain "interesting" operations are invoked, like
krb5_init_context, but any path that should be able to return such error codes
should cause the initialization to be done. If that's not happening, it's a
bug.

We didn't really anticipate that people would be printing out error codes
supplied from outside the process, without doing Kerberos-related calls first.
If that's your use case, perhaps we need to fix something...

(There are also library finalization functions, implemented in an OS-specific
manner, which will discard the dynamic storage allocated by the library init
function and other global storage used by the library. So dlclose on a
dynamically loaded Kerberos library will do the cleanup, and if you do dlopen
on it again, the library internals are again in the uninitialized state.)

> However, there are platforms (such as Linux) where we always just get
> "Unknown code".

Even after doing Kerberos library calls? That's probably a bug. (Though if
you're passing in an error code from outside the process, and gss_acquire_cred
doesn't call into the Kerberos library for whatever reason, it would be the
expected result.)

> Is there something that we need to do to initialize Kerberos before
> calling gss_display_status? Or is there some other explanation?

Most of the normal uses of the Kerberos library should do the initialization,
as I said. Perhaps you can describe how you're using it, if your usage is
something unusual?

Ken

From Qiang.Xu at fujixerox.com Mon Mar 16 22:23:35 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Tue, 17 Mar 2009 10:23:35 +0800
Subject: SASL authentication
In-Reply-To:
References:
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Monday, March 16, 2009 7:18 PM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> Try obtaining the TGT with 'kinit -A <principal>'. I
> vaguely remember that this solved some problems for me.

What should the <principal> be? In my case, suppose the user to be
authenticated is "qxu", with password "abcdefg".

Btw, from searching the web, it seems "82 Local error" may arise from the lack
of a keytab file. But should the keytab file be on the server, or on the
client? How do I create a keytab file in Windows Server 2003?

Thanks,
Xu Qiang

From mc at suse.de Tue Mar 17 05:00:47 2009
From: mc at suse.de (Michael Calmer)
Date: Tue, 17 Mar 2009 10:00:47 +0100
Subject: gss_display_status question
In-Reply-To:
References:
Message-ID: <200903171000.47701.mc@suse.de>

Hi,

On Monday, 16 March 2009 22:06:53, Ken Raeburn wrote:
> On Mar 16, 2009, at 16:50, Tom Anderberg wrote:
[...]
> > However, there are platforms (such as Linux) where we always just get
> > "Unknown code".
>
> Even after doing Kerberos library calls? That's probably a bug.
> (Though if you're passing in an error code from outside the process,
> and gss_acquire_cred doesn't call into the Kerberos library for
> whatever reason, it would be the expected result.)

This may be a bug which is already in the MIT RT system.

Ticket #5841 GSSAPI Error Display Bug

--
MFG

Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)

From michael at stroeder.com Tue Mar 17 08:19:57 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 17 Mar 2009 13:19:57 +0100
Subject: SASL authentication
In-Reply-To:
References:
Message-ID:

Xu, Qiang (FXSGSC) wrote:
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu
>> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
>> Sent: Monday, March 16, 2009 7:18 PM
>> To: kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> Try obtaining the TGT with 'kinit -A <principal>'. I
>> vaguely remember that this solved some problems for me.
>
> What should the <principal> be? In my case, suppose the user to be
> authenticated is "qxu", with password "abcdefg".

Something like <user>@<REALM>. E.g. "qxu at MIT.EDU" (without the quotes).

> Btw, from searching the web, it seems "82 Local error" may arise
> from the lack of a keytab file. But should the keytab file be on the
> server, or on the client? How do I create a keytab file in Windows
> Server 2003?

First try to do a kinit providing the password. After that you could try
using keytab files (on your LDAP client) if needed in your setup.

Ciao, Michael.
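Ken's reply in the gss_display_status thread explains why the same code prints "Unknown code krb5 34" before the krb5 library has registered its error table and "Request is a replay" afterwards. The Python below is an added example, not MIT code and not from the thread, that reproduces the com_err convention the minor status code follows: the table name is packed into the high 24 bits (six bits per character) and the low 8 bits index the message, so 0x96c73a22 can be split into table "krb5" and index 34 with no library initialisation at all. KRB5_MESSAGES is a hand-picked subset of the krb5 error table, constructed for this example; a real logger would register the full table.

```python
# Character set com_err uses to pack a table name (up to four characters,
# six bits each, value = index + 1) into the high 24 bits of a 32-bit code.
COM_ERR_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
BITS_PER_CHAR = 6
ERRCODE_RANGE = 8   # the low 8 bits index the message within the table


def table_base(name: str) -> int:
    """Base code of an error table, packed the way compile_et does it."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names are 1 to 4 characters")
    packed = 0
    for ch in name:
        packed = (packed << BITS_PER_CHAR) | (COM_ERR_CHARSET.index(ch) + 1)
    return (packed << ERRCODE_RANGE) & 0xFFFFFFFF


def split_code(code: int):
    """Inverse of table_base: (table name, index) for any com_err code."""
    code &= 0xFFFFFFFF
    index = code & ((1 << ERRCODE_RANGE) - 1)
    packed = code >> ERRCODE_RANGE
    name = ""
    for i in range(3, -1, -1):          # most significant character first
        ch = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                          # zero means "no character here"
            name += COM_ERR_CHARSET[ch - 1]
    return name, index


# A small constructed subset of the krb5 error table; the full table lives
# in the krb5 library and is only registered once that library initialises.
KRB5_MESSAGES = {
    6: "Client not found in Kerberos database",
    7: "Server not found in Kerberos database",
    31: "Decrypt integrity check failed",
    32: "Ticket expired",
    34: "Request is a replay",
    37: "Clock skew too great",
}


def describe(code: int, tables: dict) -> str:
    """Resolve a code the way com_err's error_message() does: with no table
    registered under that name, fall back to 'Unknown code <table> <index>'."""
    name, index = split_code(code)
    table = tables.get(name)
    if table is None or index not in table:
        return f"Unknown code {name} {index}"
    return table[index]


if __name__ == "__main__":
    minor = 0x96C73A22                     # the value from the thread
    print(split_code(minor))               # ('krb5', 34)
    print(describe(minor, {}))             # before initialisation
    print(describe(minor, {"krb5": KRB5_MESSAGES}))   # after
```

Decoding the code yourself gives a stable log field (table and index) even when the message text is unavailable, which is what a library that logs codes handed in from elsewhere needs; it does not replace gss_display_status, which also knows tables this example does not.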
From tdanderberg at gmail.com Tue Mar 17 16:45:02 2009
From: tdanderberg at gmail.com (Tom Anderberg)
Date: Tue, 17 Mar 2009 13:45:02 -0700
Subject: gss_display_status question
In-Reply-To: <200903171000.47701.mc@suse.de>
References: <200903171000.47701.mc@suse.de>
Message-ID:

Ken and Michael,

Thanks for the responses.

Ken, our usage of KRB5 is actually straightforward. Trying to obtain the codes
first thing was only to try to understand the problem better. We have no
requirement to actually do this.

Michael, I believe you are correct about the MIT RT ticket #5841, especially
since we only see the problem on 64 bit platforms. We will pass this on to our
distro provider.

Thanks!
Tom

On Tue, Mar 17, 2009 at 2:00 AM, Michael Calmer wrote:

> Hi,
>
> On Monday, 16 March 2009 22:06:53, Ken Raeburn wrote:
> > On Mar 16, 2009, at 16:50, Tom Anderberg wrote:
> [...]
> > > However, there are platforms (such as Linux) where we always just get
> > > "Unknown code".
> >
> > Even after doing Kerberos library calls? That's probably a bug.
> > (Though if you're passing in an error code from outside the process,
> > and gss_acquire_cred doesn't call into the Kerberos library for
> > whatever reason, it would be the expected result.)
>
> This may be a bug which is already in the MIT RT system.
>
> Ticket #5841 GSSAPI Error Display Bug
>
> --
> MFG
>
> Michael Calmer
>
> --------------------------------------------------------------------------
> Michael Calmer
> SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
> T: +49 (0) 911 74053 0
> F: +49 (0) 911 74053575 - e-mail: Michael.Calmer at suse.com
> --------------------------------------------------------------------------
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From Qiang.Xu at fujixerox.com Wed Mar 18 02:18:44 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Wed, 18 Mar 2009 14:18:44 +0800
Subject: SASL authentication
In-Reply-To:
References:
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> First try to do a kinit providing the password. After
> that you could try using keytab files (on your LDAP client)
> if needed in your setup.

The tutorial at http://aput.net/~jheiss/krbldap/howto.html said my SASL LDAP
binding error of "82 Local error" may be due to the lack of a service
principal:

=========================================================
ldap_sasl_interactive_bind_s: Local error
ldap/hostname service principal not set up or your Kerberos ticket is expired
=========================================================

I am a little bit confused about it. Does it mean either the ticket is absent
or the ticket has expired? Are the "ldap/hostname service principal" and the
"kerberos ticket" here the same thing?
After kinit returns successfully, I can see there is a ticket in the krb cache:

=========================================================
MBC113:/ <515> /tmp/dlms/kerberos/apps/klist -k
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: qxu at SESSWIN2003.COM

Valid starting     Expires            Service principal
03/17/09 17:36:50  03/18/09 03:37:35  krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
        renew until 03/18/09 17:36:50
=========================================================

Isn't this ticket the service principal needed? You can see the third column's
caption is "Service principal". Is it the same as or different from the
"ldap/hostname service principal" mentioned above?

Suppose they are different, and as you told me, the keytab file (which
contains the service principal of ldap/hostname) is used by the LDAP client.
But where should the keytab file be generated? Should the keytab file be
created on the Kerberos server or the LDAP server? Could you teach me how to
create this keytab file, as detailed as possible?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Wed Mar 18 05:05:32 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Wed, 18 Mar 2009 17:05:32 +0800
Subject: SASL authentication
In-Reply-To:
References:
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Tuesday, March 17, 2009 8:20 PM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> First try to do a kinit providing the password. After
> that you could try using keytab files (on your LDAP client)
> if needed in your setup.

Found an example on how to create the keytab file at
http://docs.hp.com/en/J4269-90049/ch04s03.html:

=============================================
Use the ktpass tool to create the keytab file and set up an identity mapping
the host account. The following is an example showing you how to run ktpass
to create the keytab file for the HP-UX host myhost with the KDC realm
cup.hp.com:

C:> ktpass -princ host/myhost at CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab
=============================================

From the context, this seems to be done on the author's LDAP server, which is
an ADS in Windows 2003 server. For my case, Kerberos server and LDAP server
are all on one machine with the Windows 2003 server OS installed on it. Should
it be the following format?

=============================================
C:> ktpass -princ ldap/sesswin2003.com at SESSWIN2003.COM -mapuser sesswin2003.com -pass mypasswd -out ldap.keytab
=============================================

sesswin2003.com is a primary domain controller, and the only machine in its
domain is itself. So the domain name is the same as the hostname. But in the
ADS, shall I create a user named after the computer's hostname,
"sesswin2003.com"? This seems ridiculous.

By the way, after the keytab file is generated, I would transfer it to the
printer, which is the LDAP client. Which directory should I put the file in?
Or have I missed anything?

Looking forward to your help, Michael.

Thanks,
Xu Qiang

From alan.karp at hp.com Tue Mar 17 20:13:05 2009
From: alan.karp at hp.com (Karp, Alan H)
Date: Wed, 18 Mar 2009 00:13:05 +0000
Subject: [Mitkc-web] Kerberos in Browser based Applications
In-Reply-To: <001301c99cea$b94a62b0$2bdf2810$@edu>
References: <49AD6D24.1090001@navteq.com> <001301c99cea$b94a62b0$2bdf2810$@edu>
Message-ID:

Security depends on where you put the token. If the URL is guessable, you're
subject to clickjacking. See
http://www.hpl.hp.com/techreports/2009/HPL-2009-20.html.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp

> -----Original Message-----
> From: mitkc-web-bounces at mit.edu [mailto:mitkc-web-bounces at mit.edu] On
> Behalf Of Thomas Hardjono
> Sent: Wednesday, March 04, 2009 9:00 AM
> To: 'Frank Gruellich'; kerberos at mit.edu
> Cc: 'MIT Krb-and-Web discussion list'
> Subject: Re: [Mitkc-web] Kerberos in Browser based Applications
>
> Frank,
>
> Getting Kerberos to support single-sign-on on the Web (Web-SSO) has a
> number of challenges. I'm not sure if the browsers today fully support the
> trafficking of Kerberos tickets/tokens. The closest seems to be
> HTTP-Negotiate, but I believe it also needs more work. There are a set
> of drafts in the IETF that are trying to address some of these issues.
> Then there is the question of how to get all this working with the Identity
> Federation infrastructures.
>
> ps. Kerb-on-the-web is one of the initiatives at the MIT-KC.
> http://kerberos.org/software/kerbweb.pdf
>
> cheers,
>
>
> /thomas/
>
>
> > -----Original Message-----
> > From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
> > Behalf Of Frank Gruellich
> > Sent: Tuesday, March 03, 2009 12:47 PM
> > To: kerberos at MIT.EDU
> > Subject: Kerberos in Browser based Applications
> >
> > Hi,
> >
> > I have set up a Kerberos realm. A user and a service (let's say a
> > database) are both included as principals in KDC database and the
> > service restricts access to */dbuser at EXAMPLE.COM. User and service
> > can communicate perfectly using a database CLI at the users machine.
> >
> > Now these days CLIs aren't "state-of-the-art" anymore and $managers
> > refuse to use them. Let's throw a long discussion and platform
> > independent, Web2.0 ready and more buzzwords into the pot and we get
> > the need for a browser based web frontend to the service. And that's the
> > point where I do not get the full picture about Kerberos.
> >
> > How would that work in a fully kerberized environment using all these
> > great features like single-sign-on and never transmitting a password
> > over the wire? For sure, I would have to add the webserver to the
> > KDC database, but what then? Would I add the webserver principal to the
> > ACL list of the service and add another authentication/authorization
> > layer into the web application? Could I somehow forward the users ticket
> > for the service to the webserver and make the application give it to
> > the service, proving this way that the user requested access to the
> > service? That would keep all authentication on service side, but is it a
> > good idea to give a service ticket to another machine? Would that even
> > work given that the users machine IP# is added to the tickets, AFAICS?
> >
> > In the current setup the software involved are MIT Kerberos, an
> > OpenLDAP server as service, e.g. phpLDAPadmin as web application, Apache
> > httpd running it, and various browsers used to access it running on
> > different OS's. But I'm more interested in the general Kerberos idea how
> > to do that. However, if you point me to specific software I should use in
> > this setup I would be happy, too.
> >
> > Thanks in advance for some enlightenment.
> >
> > Kind regards,
> > --
> > Navteq (DE) GmbH
> > Frank Gruellich
> > Map24 Systems and Networks
> >
> > Duesseldorfer Strasse 40a
> > 65760 Eschborn
> > Germany
> >
> > Phone: +49 6196 77756-414
> > Fax: +49 6196 77756-100
> >
> > USt-ID-No.: DE 197947163
> > Managing Directors: Thomas Golob, Alexander Wiegand,
> > Hans Pieter Gieszen, Martin Robert Stockman
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> _______________________________________________
> MITKC-Web mailing list
> MITKC-Web at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitkc-web

From michael at stroeder.com Wed Mar 18 02:34:14 2009
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 18 Mar 2009 07:34:14 +0100
Subject: SASL authentication
In-Reply-To:
References:
Message-ID: <68h696-ul2.ln1@nb2.stroeder.com>

Xu, Qiang (FXSGSC) wrote:
>> -----Original Message-----
>> From: kerberos-bounces at mit.edu
>> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
>> Sent: Tuesday, March 17, 2009 8:20 PM
>> To: kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> First try to do a kinit providing the password. After
>> that you could try using keytab files (on your LDAP client)
>> if needed in your setup.
>
> The tutorial at http://aput.net/~jheiss/krbldap/howto.html said my
> SASL LDAP binding error of "82 Local error" may be due to the lack of
> a service principal:

Did you try command-line option -A when invoking kinit as I suggested in my
previous posting?

It seems you probably should read a bit more about how Kerberos works,
especially regarding ticket types. There are tons of docs out there.

Ciao, Michael.
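Both the JBoss Negotiate thread ("Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC" against a keytab created with -crypto DES-CBC-CRC) and the SASL thread above (the tutorial's "ldap/hostname service principal not set up") come down to the same question on the accepting side: does the keytab hold a key for the principal in the ticket, with the enctype the ticket was encrypted with? The Python below is an added example, not from the thread, from JBoss or from MIT Kerberos, that writes and parses an MIT-format (version 0x0502) keytab and performs exactly that lookup. The principals, the realm EXAMPLE.TEST, the kvnos, the timestamps and the key bytes are constructed dummies.

```python
import struct

# Enctype numbers from the Kerberos registry for the names used in the thread.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, p: int):
    (n,) = struct.unpack_from(">H", data, p)
    p += 2
    return data[p:p + n].decode(), p + n


def build_keytab(entries) -> bytes:
    """Write an MIT keytab; entries are (principal, kvno, enctype, key, timestamp)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per key entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                               # negative size: deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + keylen]
        p += keylen
        kvno = vno8
        if end - p >= 4:                           # optional 32-bit kvno, 0 = use vno8
            (kvno32,) = struct.unpack_from(">I", data, p)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def explain_decrypt_failure(entries, principal: str, ticket_enctype: int) -> str:
    """Mirror the key lookup an acceptor does for the service ticket in an AP-REQ."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return f"no keys for {principal} in keytab"
    if not any(e["enctype"] == ticket_enctype for e in mine):
        have = ", ".join(sorted({ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in mine}))
        want = ENCTYPE_NAMES.get(ticket_enctype, str(ticket_enctype))
        return f"no {want} key for {principal}; keytab only has: {have}"
    return "ok"


# Constructed sample: only a DES-CBC-CRC key for the host service (like a
# ktpass -crypto DES-CBC-CRC keytab) plus an AES key for an ldap service.
SAMPLE_PRINCIPAL = "host/app01.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 3, 1, bytes(range(8)), 1237000000),
    ("ldap/dc01.example.test@EXAMPLE.TEST", 2, 18, bytes(range(32)), 1237000000),
])


def check_sample() -> str:
    """What the acceptor reports when the ticket it receives is RC4-HMAC (23)."""
    return explain_decrypt_failure(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL, 23)
```

Running check_sample() on the constructed keytab reports that there is no arcfour-hmac key for the host principal and that the keytab only holds des-cbc-crc, which is the situation behind the exception in the JBoss thread; the same lookup with the ticket's enctype set to 1 returns "ok", and asking for a principal the file does not contain (the SASL thread's missing ldap/hostname case) reports that no keys exist for it at all.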
From listmail at randomdog.net Wed Mar 18 21:14:03 2009 From: listmail at randomdog.net (Bill Heese) Date: Wed, 18 Mar 2009 21:14:03 -0400 Subject: Training courses In-Reply-To: <578733DCD150CA49998643114458BACB1892F6645E@OPTIMUS.omnitechcorp.com> Message-ID:

Sorry if this topic has been covered. I recently ran across an issue with Kerberos that was beyond my team's capabilities. Can anyone recommend a solid Kerberos-based training course? It doesn't have to be platform specific... We're running it on OSX 10.5. Thanks, Bill

From chriscorbell at gmail.com Wed Mar 18 18:49:49 2009 From: chriscorbell at gmail.com (Chris) Date: Wed, 18 Mar 2009 15:49:49 -0700 (PDT) Subject: Java app as Windows Service w/JGSS+Kerberos - should it work? References: <6b841767-2853-444b-8e68-56891fba7150@z8g2000prd.googlegroups.com> Message-ID:

On Mar 11, 5:08 pm, Chris wrote: > I know this is a fairly specific configuration but I'm hoping someone > may have some experience to offer - have you been able to get a GSS- > API-enabled Java server application running as a Windows Service with > a local KeyTab file? If you have gotten this to work, did you ever see > the above symptom & is there a likely cause? Or if not, could it be > that this simply won't work - is there something about the Java GSS- > API implementation that conflicts with running in a wrapping service > process? > > TIA, > Chris

To reply to the list for the record - I got it working by writing my own service wrapper which does not launch the JBoss JVM as a child process but simply invokes the JBoss run and shutdown scripts (from OnStart() and OnStop() respectively) as their own processes, using Process::Start() (C++/CLI). Kerberos authentication now works for me with a local keytab through the Java GSS-API libraries in JBoss. The service runs as Local System. There was something incompatible in the way that the Tanuki service wrapper launches JBoss.
From dkelson at gurulabs.com Wed Mar 18 22:50:27 2009 From: dkelson at gurulabs.com (Dax Kelson) Date: Wed, 18 Mar 2009 20:50:27 -0600 Subject: Training courses In-Reply-To: References: Message-ID: <1237431027.3930.13.camel@mentor.gurulabs.com>

On Wed, 2009-03-18 at 21:14 -0400, Bill Heese wrote: > Sorry if this topic has been covered. I recently ran across an issue with > Kerberos that was beyond my team's capabilities. > > Can anyone recommend a solid Kerberos-based training course? It doesn't have > to be platform specific... We're running it on OSX 10.5. > > Thanks > > Bill

Bill, At Guru Labs we wrote the GL550 "Enterprise Linux Security Admin" class and have been teaching and refining it for over 5 years. Kerberos is a major part of the class. Kerberos concepts, components, implementation and best practices are all covered, as is configuring and using Kerberos with many different network services such as NFS, Apache, PostgreSQL, LDAP, Sendmail, Postfix, Dovecot, CyrusIMAP, along with the standard services. During the course of writing the class and lab exercises we ended up filing quite a few bugs in various bug trackers as we exercised little-used code paths. The training class spends about 60% of the time doing real-world detailed lab exercises and the very thick student manual is a great reference.
You can find more info on the class here: http://www.gurulabs.com/linux-training/courses/GL550/ Dax Kelson Guru Labs

From Qiang.Xu at fujixerox.com Wed Mar 18 23:33:40 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Thu, 19 Mar 2009 11:33:40 +0800 Subject: SASL authentication In-Reply-To: <68h696-ul2.ln1@nb2.stroeder.com> References: <68h696-ul2.ln1@nb2.stroeder.com> Message-ID:

> -----Original Message----- > From: kerberos-bounces at mit.edu > [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder > Sent: Wednesday, March 18, 2009 2:34 PM > To: kerberos at mit.edu > Subject: Re: SASL authentication > > Did you try command-line option -A when invoking kinit as I > suggested in my previous posting? It seems you probably > should read a bit more about how Kerberos works especially > regarding ticket types. There are tons of docs out there.

Yes, I have tried the option -A. Originally I was using "kinit -f ...". Now I am using "kinit -f -A ...". As far as I know, the option -A is "do not include addresses". I can't see any gain here. After using the -A option, the error msg is still "82 Local error" when doing SASL binding. From Google, I can only get a small number of materials on how to create a service principal under Windows 2003 Server. But they are all somewhat ambiguous, and I still can't figure out how to create a keytab file for the LDAP client's use. Thanks, Xu Qiang

From Laatsch at uni-koeln.de Thu Mar 19 12:31:32 2009 From: Laatsch at uni-koeln.de (Rainer Laatsch) Date: Thu, 19 Mar 2009 17:31:32 +0100 (CET) Subject: Training courses In-Reply-To: <1237431027.3930.13.camel@mentor.gurulabs.com> References: <1237431027.3930.13.camel@mentor.gurulabs.com> Message-ID:

The topics are mentioned. But are the contents publicly available?
Best regards, Rainer

---------------------------------------------------------------------------- On Wed, 18 Mar 2009, Dax Kelson wrote: > On Wed, 2009-03-18 at 21:14 -0400, Bill Heese wrote: >> Sorry if this topic has been covered. I recently ran across an issue with >> Kerberos that was beyond my team's capabilities. >> >> Can anyone recommend a solid Kerberos-based training course? It doesn't have >> to be platform specific... We're running it on OSX 10.5. >> >> Thanks >> >> Bill > > Bill, > > At Guru Labs we wrote the GL550 "Enterprise Linux Security Admin" class > and have been teaching and refining it for over 5 years. Kerberos is a major > part of the class. Kerberos concepts, components, implementation and > best practices are all covered, as is configuring and using Kerberos > with many different network services such as NFS, Apache, PostgreSQL, > LDAP, Sendmail, Postfix, Dovecot, CyrusIMAP, along with the standard > services. During the course of writing the class and lab exercises we > ended up filing quite a few bugs in various bug trackers as we > exercised little-used code paths. > > The training class spends about 60% of the time doing real-world detailed lab > exercises and the very thick student manual is a great reference.
> > You can find more info on the class here: > > http://www.gurulabs.com/linux-training/courses/GL550/ > > Dax Kelson > Guru Labs > > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos >

From Laatsch at uni-koeln.de Thu Mar 19 13:03:53 2009 From: Laatsch at uni-koeln.de (Rainer Laatsch) Date: Thu, 19 Mar 2009 18:03:53 +0100 (CET) Subject: Long-running jobs with renewal of krb5 tickets and AFS tokens In-Reply-To: <3C8D5C20-0791-4806-97F5-5DA79513AF24@sxw.org.uk> References: <49A9BDF2.6030402@rampaginggeek.com> <20090228230438.GJ9102@mcketrick.tproa.net> <3C8D5C20-0791-4806-97F5-5DA79513AF24@sxw.org.uk> Message-ID:

At our AFS cell rrz.uni-koeln.de, we run Sun's batch system SGE. We expect on job submission that the user has an AFS token. Just that. This gets transferred as a special encrypted comment within the job. The SGE is AFS aware. On job start and every refresh period (say some hours) the job shepherd, running in the same PAG as the user's job, transmits the token to a VlServer (needs the KeyFile) for refresh. Instead of the former (obsolete?) arc/arcd we use SSH (with a forced command) as the transport medium on a separate SSHD port with special sshd_config & authorized_keys files. The token may be valid or not and will stay so; just the time validity is refreshed. If that was the *only* disturbance the batch will get a good token back. The user job effectively needs an AFS token. The above method is straightforward. Fiddling with interim Krb5 tickets is no help. Keytabs are a bad idea. Best regards Rainer

------------------------------------------------------------------------------- On Mon, 16 Mar 2009, Simon Wilkinson wrote: > > On 28 Feb 2009, at 23:04, Thomas Kula wrote: > >> On Sat, Feb 28, 2009 at 05:42:58PM -0500, Jason Edgecombe wrote: >>> We have users who need to run long-running jobs and store their >>> files in >>> AFS during the run.
>>> >>> I've read the k5start and k5renew man pages, but I don't see how I >>> can >>> have users type in their password when they start a job and have the >>> tickets and tokens keep being renewed. >>> >>> How can I do this? >> >> Give them a keytab, but not one for their normal identity (this >> breaks things). Create, rather, an instance for them that can >> be put in a keytab > > We (Informatics @ Edinburgh) are developing an identity management > system which provides a user-friendly interface both to allow a user > to create a new instance from their primary one, and to allow them to > assign access control entitlements from their primary instance to the > one they've just created. I'll be talking about, and demoing it, at > this year's AFS & Kerberos Best Practices Workshop. > > Cheers, > > Simon. > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos >

From dkelson at gurulabs.com Thu Mar 19 13:31:04 2009 From: dkelson at gurulabs.com (Dax Kelson) Date: Thu, 19 Mar 2009 11:31:04 -0600 Subject: Training courses In-Reply-To: References: <1237431027.3930.13.camel@mentor.gurulabs.com> Message-ID: <1237483864.3393.20.camel@mentor.gurulabs.com>

On Thu, 2009-03-19 at 17:31 +0100, Rainer Laatsch wrote: > The topics are mentioned. But are the contents publicly available? > > Best regards, > Rainer

You can get specific details of what is in the class here: http://www.gurulabs.com/partner-program/courseware/GL550/ The class is typically taught over 5 days. We have open enrollment classes in our Utah HQ, but we can also deliver the class onsite including the ability to customize the topics taught (we have a large selection of topics available). We have been around the world delivering this class onsite, including Germany. That is probably because, AFAIK, there is no other training class that covers Kerberos as in-depth.
Dax Kelson Guru Labs

From Matthew.GARRETT at external.total.com Thu Mar 19 12:45:13 2009 From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com) Date: Thu, 19 Mar 2009 16:45:13 +0000 Subject: Help with trying to setup a KDC Slave Message-ID:

Folks, I am struggling a bit to set up a KDC Slave and was hoping someone might be able to point out my mistakes.

KDC Master = starsky.uk.ad.ep.corp.local
KDC Slave = hutch.uk.ad.ep.corp.local

On the KDC Master I have done the following:

kadmin
addprinc -randkey host/starsky.uk.ad.ep.corp.local
addprinc -randkey host/hutch.uk.ad.ep.corp.local
ktadd host/hutch.uk.ad.ep.corp.local
ktadd host/starsky.uk.ad.ep.corp.local

Then copied via scp the file /etc/krb5.keytab to the KDC Slave hutch.

Created on both KDC Master and Slave /var/kerberos/krb5kdc/kpropd.acl:

host/starsky.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
host/hutch.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL

Setup xinetd for krb5_prop etc etc.

The Dump on the KDC Master works fine:

kdb5_util dump /var/kerberos/krb5kdc/slavedump

However when I try and do the kprop I get the following:

kprop -f /var/kerberos/krb5kdc/slavedump hutch.uk.ad.ep.corp.local
kprop: Server not found in Kerberos database while getting initial ticket

DNS both forward and reverse work fine for the Slave KDC. ktutil looks correct to me.
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/hutch.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   2    3 host/hutch.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   3    3 host/hutch.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   4    3 host/hutch.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   5    6 host/starsky.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   6    6 host/starsky.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   7    6 host/starsky.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL
   8    6 host/starsky.uk.ad.ep.corp.local@UK.AD.EP.CORP.LOCAL

NTP is setup on both Master and Slave and is working fine. Clients can happily connect to the Master, I just can not get the dump to work. Thanks in advance. Matthew

Matthew Garrett Senior IS Technical Analyst Tel: 01224 297889 Fax: 01224 296806 Email: Matthew.Garrett at total.com Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information. If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.
From raeburn at MIT.EDU Thu Mar 19 15:52:23 2009 From: raeburn at MIT.EDU (Ken Raeburn) Date: Thu, 19 Mar 2009 15:52:23 -0400 Subject: Help with trying to setup a KDC Slave In-Reply-To: References: Message-ID: <3ED72BA0-5F04-4355-8658-4C29F9381FE3@mit.edu> On Mar 19, 2009, at 12:45, Matthew.GARRETT at external.total.com wrote: > DNS both forward and reverse work fine for the Slave KDC By "work fine", do you mean that when you look up hutch.uk.ad.ep.corp.local you get an address (or more than one), and when you look up that address, you get back the name hutch.uk.ad.ep.corp.local? Or do you just mean you get a name back? In the default configuration of the MIT code, the name you get back from looking up the address is generally the name that'll be used in constructing a principal name. Does your config file or DNS data indicate that hutch.uk.ad.ep.corp.local is in UK.AD.EP.CORP.LOCAL? Check the log file on the KDC. It should indicate some kprop/* principal being looked up if the host name is coming out wrong, or possibly some krbtgt/* principal if it's coming up with the wrong realm name. Ken From simon at sxw.org.uk Thu Mar 19 18:55:16 2009 From: simon at sxw.org.uk (Simon Wilkinson) Date: Thu, 19 Mar 2009 22:55:16 +0000 Subject: GSSAPI LDAP support for Thunderbird Message-ID: <78E7C4BE-A39F-4366-8696-F77B5DAD4E5B@sxw.org.uk> Just to let folk know, support for Kerberised access to LDAP address books has just landed in the Thunderbird 3 tree. Any feedback (nightly snapshot builds are available) would be appreciated! Thanks, Simon. From deengert at anl.gov Thu Mar 19 21:09:03 2009 From: deengert at anl.gov (Douglas E. 
Engert) Date: Thu, 19 Mar 2009 20:09:03 -0500 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com> Message-ID: <49C2ECAF.4080405@anl.gov>

Xu, Qiang (FXSGSC) wrote: >> -----Original Message----- >> From: kerberos-bounces at mit.edu >> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder >> Sent: Wednesday, March 18, 2009 2:34 PM >> To: kerberos at mit.edu >> Subject: Re: SASL authentication >> >> Did you try command-line option -A when invoking kinit as I >> suggested in my previous posting? It seems you probably >> should read a bit more about how Kerberos works especially >> regarding ticket types. There are tons of docs out there. > > Yes, I have tried the option -A. Originally I was using "kinit -f ...". Now I am using "kinit -f -A ...". As far as I know, the option -A is "do not include addresses". I can't see any gain here. After using the -A option, the error msg is still "82 Local error" when doing SASL binding. > > From Google, I can only get a small number of materials on how to create a service principal under Windows 2003 Server. But they are all somewhat ambiguous, and I still can't figure out how to create a keytab file for the LDAP client's use. >

Start with: http://technet.microsoft.com/en-us/library/bb742433.aspx Then look for the ksetup program and 2003. Also look at Samba for net join and winbind, and also look for msktutil. Solaris has a script to do this.

> Thanks, > Xu Qiang > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E.
Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444

From Qiang.Xu at fujixerox.com Fri Mar 20 00:15:37 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Fri, 20 Mar 2009 12:15:37 +0800 Subject: SASL authentication In-Reply-To: <49C2ECAF.4080405@anl.gov> References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> Message-ID:

> -----Original Message----- > From: Douglas E. Engert [mailto:deengert at anl.gov] > Sent: Friday, March 20, 2009 9:09 AM > To: Xu, Qiang (FXSGSC) > Cc: Michael Ströder; kerberos at mit.edu > Subject: Re: SASL authentication > > Start with: > http://technet.microsoft.com/en-us/library/bb742433.aspx > Then look for ksetup program and 2003. > Also look at Samba for net join and winbind and also look > for msktutil. > Solaris has a script to do this

Hi, Douglas: Thanks for providing the URL for my reference. It is helpful, but I still have some questions. Here is what the tutorial said:

=============================================
To create a service instance account in Active Directory
1. Use the Active Directory Management tool to create a user account for the UNIX service; for example, create an account with the name sampleUnix1.
2. Use the Ktpass tool to set up an identity mapping for the user account. Use this command:
C:> Ktpass princ service-instance@REALM mapuser account-name -pass password -out unixmachine.keytab
The format of the Kerberos service-instance name is: service/host.realm_name, for example:
C:> ktpass princ sample/unix1.reskit.com@RESKIT.COM -mapuser sampleUnix1 pass password out unix1.keytab
In this case, an account is created with a meaningful name sampleUnix1, and a service principal name mapping is added for sample/unix1.reskit.com. This is the purpose of using Ktpass with the princ and mapuser switches.
3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host.
=============================================

Apart from this, things like ksetup seem irrelevant to my case. For my case, I want to add an LDAP service principal into the keytab file, so it probably should be:

=============================================
C:> ktpass princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser pass out ldap.keytab
=============================================

In our environment, there is a domain called "SESSWIN2003.COM", and there is only one machine in this domain, with the hostname called "sesswin2003.com". But to create the keytab file for the LDAP server (ADS in the same machine), what user/password should I set? Thanks, Xu Qiang

From Qiang.Xu at fujixerox.com Fri Mar 20 01:18:28 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Fri, 20 Mar 2009 13:18:28 +0800 Subject: SASL authentication In-Reply-To: <49C32212.90800@gs-lab.com> References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <49C32212.90800@gs-lab.com> Message-ID:

> -----Original Message----- > From: Nikhil Mishra [mailto:nikhilm at gs-lab.com] > Sent: Friday, March 20, 2009 12:57 PM > To: Xu, Qiang (FXSGSC) > Cc: Douglas E. Engert; Michael Ströder; kerberos at mit.edu > Subject: Re: SASL authentication > > Few questions before we go ahead: > 1. What is your host server? (like Windows Server 2003 SP2 > SE, EE) 2. What is your ktpass version? > > I have done quite an extensive exercise on this recently and > so please take care of the following things: > > 1. It's very important you have the right version of ktpass on > the right operating system.

How to check the version of ktpass? I typed "ktpass /?", but didn't find any option or switch to show its version number. My Kerberos server is the same as the LDAP server, both integrated into ADS in the same machine (sesswin2003.com) with OS Windows Server 2003 Enterprise Edition 5.2.3790, with Service Pack 1, Build 3790.

> 2. Please use the right options with ktpass.
Could you give me some suggestions on the correct usage of the ktpass command? Did I miss anything in the following command?

=====================================
C:> ktpass princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser pass out ldap.keytab
=====================================

I am looking forward to your help. Thanks a lot, Xu Qiang

From Qiang.Xu at fujixerox.com Fri Mar 20 02:14:15 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Fri, 20 Mar 2009 14:14:15 +0800 Subject: SASL authentication In-Reply-To: <49C32CF8.8000200@gs-lab.com> References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <49C32212.90800@gs-lab.com> <49C32CF8.8000200@gs-lab.com> Message-ID:

> -----Original Message----- > From: Nikhil Mishra [mailto:nikhilm at gs-lab.com] > Sent: Friday, March 20, 2009 1:43 PM > To: Xu, Qiang (FXSGSC) > Cc: kerberos at mit.edu; Michael Ströder; Douglas E. Engert > Subject: Re: SASL authentication > > > Go to c:/Program Files/Support tools/ or wherever your > ktpass.exe is present. > > > Right click on ktpass->Properties->Version->File Version. > > "Right click does wonders on Windows I didn't even know :-)"

As you instructed, the version of ktpass is verified to be "5.2.3790.0".

> Please download the support tools for Windows Server 2003 SP2. > This one worked in most cases.

I suspect SP1 is enough for my case. But I don't know which user I should associate with the LDAP server hostname in creating the keytab file. Thanks, Xu Qiang

From Qiang.Xu at fujixerox.com Fri Mar 20 03:36:59 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Fri, 20 Mar 2009 15:36:59 +0800 Subject: SASL authentication In-Reply-To: <49C2ECAF.4080405@anl.gov> References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> Message-ID:

> -----Original Message----- > From: Douglas E.
Engert [mailto:deengert at anl.gov] > Sent: Friday, March 20, 2009 9:09 AM > To: Xu, Qiang (FXSGSC) > Cc: Michael Ströder; kerberos at mit.edu > Subject: Re: SASL authentication > > Start with: > http://technet.microsoft.com/en-us/library/bb742433.aspx > Then look for ksetup program and 2003. > Also look at Samba for net join and winbind and also look > for msktutil. > Solaris has a script to do this

In reference to http://technet.microsoft.com/en-us/library/bb742433.aspx, it seems the only tool to use is ktpass. But the problem is, as I said before, I don't know which user to associate in creating the keytab file. Anyway, I've given it a try. First, I created a user "ldapServer/Fair123" in ADS of sesswin2003. Then:

========================================================
C:> ktpass -princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser ldapServer -pass Fair123 -out ldap.keytab
========================================================

It finished smoothly. Then I ftp'ed it to the printer, which is the LDAP client and Kerberos client. First I put it into "/etc/openldap", as suggested by http://aput.net/~jheiss/krbldap/howto.html. But when I ran "klist -k" in 98.190 to find the keytab file, it told me:

========================================================
qxu@durian(pts/3):/etc/openldap[7]$ ll *.keytab
-rw-r--r-- 1 root root 69 Mar 20 15:01 ldap.keytab
qxu@durian(pts/3):/etc/openldap[8]$ klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan
========================================================

It seemed to try to find a file named "krb5.keytab".
OK, let's do it:

========================================================
qxu@durian(pts/3):/etc/openldap[9]$ sudo mv /etc/openldap/ldap.keytab /etc/krb5.keytab
Password:
qxu@durian(pts/3):/etc/openldap[10]$ cd /etc
qxu@durian(pts/3):/etc[11]$ ll krb*
-rw-r--r-- 1 root root 804 Mar 19 17:04 krb5.conf
-rw-r--r-- 1 root root  69 Mar 20 15:01 krb5.keytab
-rw-r--r-- 1 root root 143 Mar 19 16:34 krb.conf
qxu@durian(pts/3):/etc[12]$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/sesswin2003.com@SESSWIN2003.COM
========================================================

It looks good. Then I tried to do Kerberos authentication followed by ldapsearch:

========================================================
qxu@durian(pts/3):/etc[14]$ kinit -f qxu@SESSWIN2003.COM
Password for qxu@SESSWIN2003.COM:
qxu@durian(pts/3):/etc[15]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: qxu@SESSWIN2003.COM
Valid starting     Expires            Service principal
03/20/09 15:07:19  03/21/09 01:06:54  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 03/21/09 15:07:19
Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached
qxu@durian(pts/3):/etc[16]$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/sesswin2003.com@SESSWIN2003.COM
qxu@durian(pts/3):/etc[17]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
========================================================

To my dismay, it still doesn't work. Can anyone shed some light on this?
Thanks, Xu Qiang From Thomas.Maslen at quest.com Fri Mar 20 11:45:03 2009 From: Thomas.Maslen at quest.com (Thomas Maslen) Date: Fri, 20 Mar 2009 08:45:03 -0700 Subject: JBoss Negotiate In-Reply-To: References: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>, Message-ID: <723530449330F342A68634ADF3CE8DE2033D50DAAB@alvxmbw02.prod.quest.corp> > [...] I am using SPNEGO for silent authentication. Referring https://www.jboss.org/community/docs/DOC-10680 [...] Am I doing anything fundamentally wrong With the caveat that I have only had a cursory look [we have our own product that supports SPNEGO and other GSSAPI / Kerberos goodness on various Java app servers (including JBoss) so we don't use the JBoss Negotiate code, nor its setup instructions]... I _think_ the problem is that the setup instructions you followed implicitly assume that the machine where you are installing JBoss Negotiate is *not* joined to an Active Directory domain[*], and bad things happen if you try to use those same setup instructions for a machine that is joined to the Active Directory domain -- you end up with two different objects in AD that both want to be the HOST principal, e.g. HOST/PASKTABSVR1.wamtest.wa.local in your example. (And you are going even further than that; the machine that you're using for JBoss Negotiate isn't just any member of the AD domain, it is actually a domain controller). [*] A plausible guess would be that the instructions were developed for running JBoss Negotiate on a Unix or Linux (e.g. Redhat...) host that is likely _not_ configured to enable MIT Kerberos (or whatever), so the host is not joined to the AD domain. From nikhilm at gs-lab.com Fri Mar 20 00:56:50 2009 From: nikhilm at gs-lab.com (Nikhil Mishra) Date: Fri, 20 Mar 2009 10:26:50 +0530 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> Message-ID: <49C32212.90800@gs-lab.com> Hi Xu , Please find my comments inline. 
Xu, Qiang (FXSGSC) wrote: >> -----Original Message----- >> From: Douglas E. Engert [mailto:deengert at anl.gov] >> Sent: Friday, March 20, 2009 9:09 AM >> To: Xu, Qiang (FXSGSC) >> Cc: Michael Ströder; kerberos at mit.edu >> Subject: Re: SASL authentication >> >> Start with: >> http://technet.microsoft.com/en-us/library/bb742433.aspx >> Then look for ksetup program and 2003. >> Also look at Samba for net join and winbind and also look >> for msktutil. >> Solaris has a script to do this >> > > Hi, Douglas: > > Thanks for providing the URL for my reference. It is helpful, but I still have some questions. > > Here is what the tutorial said: > ============================================= > To create a service instance account in Active Directory > > 1. Use the Active Directory Management tool to create a user account for the UNIX service; for example, create an account with the name sampleUnix1. >

That is correct.

> 2. Use the Ktpass tool to set up an identity mapping for the user account. Use this command: > > C:> Ktpass princ service-instance@REALM mapuser account-name -pass password -out unixmachine.keytab > > The format of the Kerberos service-instance name is: service/host.realm_name, for example: > > C:> ktpass princ sample/unix1.reskit.com@RESKIT.COM -mapuser sampleUnix1 pass password out unix1.keytab > > In this case, an account is created with a meaningful name sampleUnix1, and a service principal name mapping is added for sample/unix1.reskit.com. This is the purpose of using Ktpass with the princ and mapuser switches. > >

Try the -setupn -setpass /ptype KRB5_NTPRINCIPAL options as well.

> 3. Merge the keytab file with the /etc/krb5.keytab file on the UNIX host. > ============================================= > Apart from this, things like ksetup seem irrelevant to my case. > >

Ksetup is useless in your case. It is used for a Windows machine to join a Linux KDC.
> For my case, I want to add an LDAP service principal into the keytab file, so it probably should be: > ============================================= > C:> ktpass princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser pass out ldap.keytab > ============================================= > In our environment, there is a domain called "SESSWIN2003.COM", and there is only one machine in this domain, with the hostname called "sesswin2003.com". But to create the keytab file for the LDAP server (ADS in the same machine), what user/password should I set? > >

Few questions before we go ahead: 1. What is your host server? (like Windows Server 2003 SP2 SE, EE) 2. What is your ktpass version? I have done quite an extensive exercise on this recently and so please take care of the following things: 1. It's very important you have the right version of ktpass on the right operating system. 2. Please use the right options with ktpass.

> Thanks, > Xu Qiang > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > Thanks nikhil

From nikhilm at gs-lab.com Fri Mar 20 01:43:20 2009 From: nikhilm at gs-lab.com (Nikhil Mishra) Date: Fri, 20 Mar 2009 11:13:20 +0530 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <49C32212.90800@gs-lab.com> Message-ID: <49C32CF8.8000200@gs-lab.com>

Go to c:/Program Files/Support tools/ or wherever your ktpass.exe is present. Right click on ktpass->Properties->Version->File Version. "Right click does wonders on Windows I didn't even know :-)" Please download the support tools for Windows Server 2003 SP2. This one worked in most cases. --Nikhil

Xu, Qiang (FXSGSC) wrote: >> -----Original Message----- >> From: Nikhil Mishra [mailto:nikhilm at gs-lab.com] >> Sent: Friday, March 20, 2009 12:57 PM >> To: Xu, Qiang (FXSGSC) >> Cc: Douglas E.
Engert; Michael Ströder; kerberos at mit.edu >> Subject: Re: SASL authentication >> >> Few questions before we go ahead: >> 1. What is your host server? (like Windows Server 2003 SP2 >> SE, EE) 2. What is your ktpass version? >> >> I have done quite an extensive exercise on this recently and >> so please take care of the following things: >> >> 1. It's very important you have the right version of ktpass on >> the right operating system. >> > > How to check the version of ktpass? I typed "ktpass /?", but didn't find any option or switch to show its version number. My Kerberos server is the same as the LDAP server, both integrated into ADS in the same machine (sesswin2003.com) with OS Windows Server 2003 Enterprise Edition 5.2.3790, with Service Pack 1, Build 3790. > > >> 2. Please use the right options with ktpass. >> > > Could you give me some suggestions on the correct usage of the ktpass command? Did I miss anything in the following command? > ===================================== > C:> ktpass princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser pass out ldap.keytab > ===================================== > I am looking forward to your help. > > Thanks a lot, > Xu Qiang > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > >

From Matthew.GARRETT at external.total.com Fri Mar 20 06:11:04 2009 From: Matthew.GARRETT at external.total.com (Matthew.GARRETT@external.total.com) Date: Fri, 20 Mar 2009 10:11:04 +0000 Subject: Help with trying to setup a KDC Slave In-Reply-To: <3ED72BA0-5F04-4355-8658-4C29F9381FE3@mit.edu> Message-ID:

Ken, Thanks for pointing out my stupidity; DNS was the problem. The file /etc/nsswitch.conf had NIS then DNS, so doing a gethostbyaddr returned the short name which was in NIS but not the FQDN from DNS. So I changed the /etc/nsswitch.conf file to have DNS first.

kprop -d -f slavedump hutch.uk.ad.ep.corp.local
8515 bytes sent.
Database propagation to hutch.uk.ad.ep.corp.local: SUCCEEDED Matt Ken Raeburn wrote on 19/03/2009 19:52:23: > On Mar 19, 2009, at 12:45, Matthew.GARRETT at XXXXX.XXX.com wrote: > > DNS both forward and reverse work fine for the Slave KDC > > By "work fine", do you mean that when you look up > hutch.uk.ad.ep.corp.local you get an address (or more than one), and > when you look up that address, you get back the name > hutch.uk.ad.ep.corp.local? Or do you just mean you get a name back? > In the default configuration of the MIT code, the name you get back > from looking up the address is generally the name that'll be used in > constructing a principal name. > > Does your config file or DNS data indicate that > hutch.uk.ad.ep.corp.local is in UK.AD.EP.CORP.LOCAL? > > Check the log file on the KDC. It should indicate some kprop/* > principal being looked up if the host name is coming out wrong, or > possibly some krbtgt/* principal if it's coming up with the wrong > realm name. > > Ken Registered in England and Wales No.811900????????? Registered Office 33 Cavendish Square, London W1G 0PW This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information.? If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached. 
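The round trip Ken describes (name -> address -> name, with the reverse answer being what MIT krb5 feeds into the host-based principal, and a [domain_realm] rule deciding the realm) is easy to script so the check is done before kprop, not after it fails. The following is an added example written for this thread; it is not code from any poster nor from MIT Kerberos. The address 192.0.2.10, the NIS-style short-name answer and the [domain_realm] table are constructed stand-ins, and the service component defaults to host/ as an assumption (Ken's note mentions kprop/* principals on the KDC side; pass whatever service name your log shows). The lookup functions are injectable so the logic runs offline; the defaults use the system resolver, which honours /etc/nsswitch.conf exactly as Matt's gethostbyaddr() did.

```python
"""Round-trip a host name through forward and reverse lookup the way MIT
Kerberos does when it builds a host-based principal, then map the result
to a realm with [domain_realm]-style rules.

Added example; not code from the list posters or from MIT Kerberos.
"""
import socket
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the answers Matt's slave would have got.  The
# address is made up; the host name is the one from his kprop command.
FAKE_DNS_FORWARD = {"hutch.uk.ad.ep.corp.local": ["192.0.2.10"]}
FAKE_DNS_REVERSE = {"192.0.2.10": "hutch.uk.ad.ep.corp.local"}
FAKE_NIS_REVERSE = {"192.0.2.10": "hutch"}  # NIS hosts map: short name only

# Constructed stand-in for a krb5.conf [domain_realm] section (assumed;
# not taken from any poster's configuration).
DOMAIN_REALM = {".uk.ad.ep.corp.local": "UK.AD.EP.CORP.LOCAL"}


@dataclass
class RoundTrip:
    name: str
    addresses: List[str] = field(default_factory=list)
    canonical: Optional[str] = None   # the name krb5 would actually use
    principal: Optional[str] = None   # service/canonical@REALM, if derivable
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def table_lookup(table: dict) -> Callable[[str], object]:
    """Resolver built from a constructed table; KeyError plays NXDOMAIN."""
    return lambda key: table[key]


def system_forward(name: str) -> List[str]:
    """Forward lookup via the system resolver (nsswitch order applies)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def system_reverse(addr: str) -> str:
    """Reverse lookup via the system resolver; returns the primary name."""
    return socket.gethostbyaddr(addr)[0]


def realm_for_host(fqdn: str, domain_realm: Dict[str, str]) -> Optional[str]:
    """Mimic krb5's [domain_realm] matching: an exact host entry wins, then
    the longest '.suffix' entry that matches; None when nothing matches."""
    host = fqdn.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None


def check_roundtrip(name: str, forward, reverse, domain_realm,
                    service: str = "host") -> RoundTrip:
    """Forward-resolve NAME, reverse-resolve the first address, and report
    whether the name survives the trip and which principal it yields."""
    r = RoundTrip(name=name)
    try:
        r.addresses = forward(name)
    except (socket.gaierror, KeyError) as exc:
        r.problems.append(f"forward lookup of {name} failed: {exc!r}")
        return r
    if not r.addresses:
        r.problems.append(f"forward lookup of {name} returned no addresses")
        return r
    try:
        r.canonical = reverse(r.addresses[0])
    except (socket.herror, KeyError) as exc:
        r.problems.append(f"reverse lookup of {r.addresses[0]} failed: {exc!r}")
        return r
    if "." not in r.canonical:
        # Exactly Matt's symptom: NIS answered before DNS and gave the short name.
        r.problems.append(f"reverse lookup gave short name {r.canonical!r}, "
                          "not an FQDN (check the hosts: line in /etc/nsswitch.conf)")
    elif r.canonical.lower() != name.lower():
        r.problems.append(f"reverse name {r.canonical!r} != {name!r}")
    realm = realm_for_host(r.canonical, domain_realm)
    if realm is None:
        r.problems.append(f"no [domain_realm] rule maps {r.canonical!r} to a realm")
    else:
        r.principal = f"{service}/{r.canonical.lower()}@{realm}"
    return r


if __name__ == "__main__":
    # Live check against the real resolver, e.g.:  python3 this.py slave-kdc.example.org
    target = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    result = check_roundtrip(target, system_forward, system_reverse, DOMAIN_REALM)
    print(f"{target}: {'OK' if result.ok else 'PROBLEM'} -> {result.principal}")
    for p in result.problems:
        print("  -", p)
```

Run it with the real resolver on the slave before the first kprop; a short-name or mismatched reverse answer is reported together with the principal the KDC would otherwise be asked for, which is the same name you would go hunting for in the KDC log.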
From n.s.krishnawat at gmail.com Fri Mar 20 13:29:30 2009
From: n.s.krishnawat at gmail.com (n.s.krishnawat@gmail.com)
Date: Fri, 20 Mar 2009 10:29:30 -0700 (PDT)
Subject: JBoss Negotiate
References: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>,
Message-ID:

On Mar 20, 8:45 am, Thomas Maslen wrote:
> > [...] I am using SPNEGO for silent authentication. Referring https://www.jboss.org/community/docs/DOC-10680 [...] Am I doing anything fundamentally wrong
>
> With the caveat that I have only had a cursory look [we have our own product that supports SPNEGO and other GSSAPI / Kerberos goodness on various Java app servers (including JBoss) so we don't use the JBoss Negotiate code, nor its setup instructions]... I _think_ the problem is that the setup instructions you followed implicitly assume that the machine where you are installing JBoss Negotiate is *not* joined to an Active Directory domain[*], and bad things happen if you try to use those same setup instructions for a machine that is joined to the Active Directory domain -- you end up with two different objects in AD that both want to be the HOST principal, e.g. HOST/PASKTABSVR1.wamtest.wa.local in your example. (And you are going even further than that; the machine that you're using for JBoss Negotiate isn't just any member of the AD domain, it is actually a domain controller).
>
> [*] A plausible guess would be that the instructions were developed for running JBoss Negotiate on a Unix or Linux (e.g. Redhat...) host that is likely _not_ configured to enable MIT Kerberos (or whatever), so the host is not joined to the AD domain.

I really didn't get what you meant by "....the machine where you are installing JBoss Negotiate is *not* joined to an Active Directory domain[*],.....". As far as I know any machine or user in a particular domain will be part of Active Directory.

Ya, I can separate the JBoss machine from the AD (KDC), i.e. I will create a new machine in the same domain and install JBoss and test; hope this helps!

I actually didn't get what you meant by the word "joined". I am misunderstanding something..

From deengert at anl.gov Fri Mar 20 15:05:18 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 20 Mar 2009 14:05:18 -0500
Subject: SASL authentication
In-Reply-To:
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov>
Message-ID: <49C3E8EE.8040805@anl.gov>

Xu, Qiang (FXSGSC) wrote:
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov]
>> Sent: Friday, March 20, 2009 9:09 AM
>> To: Xu, Qiang (FXSGSC)
>> Cc: Michael Ströder; kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> Start with:
>> http://technet.microsoft.com/en-us/library/bb742433.aspx
>> Then look for ksetup program and 2003.
>> Also look at Samba for net join and winbind and also look
>> for msktutil.
>> Solaris has a script to do this
>
> Michael said in an earlier note ktpass was not what you needed.

Unless I missed something, I assumed the ldap service is going to be running on a Unix system. In which case ktpass is what you want.

> In reference to http://technet.microsoft.com/en-us/library/bb742433.aspx, it seems the only tool to use is ktpass. But the problem is, as I said before, I don't know which user to associate in creating the keytab file.
>

The term "user account" used by Microsoft refers to the AD objectClass user. It has nothing to do with the users who will be using the service. You are in effect creating a service account for the service, and ktpass will map the principal of the service to the account. Since account names can not have / and have to be 19 characters or less, you could name the account something like ldap-sesswin2003.

> Anyway, I've given it a try. First, I created a user "ldapServer/Fair123" in ADS of sesswin2003. Then:

I don't think you can have the / in the name.
The -mapuser parameter below has to match the account name. When you run ktpass it will update the AD account, *AND* the keytab with the new pass and update the kvno.

> ========================================================
> C:> ktpass -princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser ldapServer -pass Fair123 -out ldap.keytab
> ========================================================
> It finished smoothly. Then I ftp'ed it to the printer, which is LDAP client and Kerberos client. First I put it into "/etc/openldap", as suggested by http://aput.net/~jheiss/krbldap/howto.html.

ftp'ed what? To where?
The ldap.keytab is for the ldap server, not the client.
The default location of a keytab is /etc/krb5.keytab but can be somewhere else where the ldap server can access it. See KRB5_KTNAME env variable.

>
> But when I run "klist -k" in 98.190 to find the keytab file, it told me:
> ========================================================
> qxu@durian(pts/3):/etc/openldap[7]$ ll *.keytab
> -rw-r--r-- 1 root root 69 Mar 20 15:01 ldap.keytab
>
> qxu@durian(pts/3):/etc/openldap[8]$ klist -k
> Keytab name: FILE:/etc/krb5.keytab

It's looking for the default. See kinit parameters.

> klist: No such file or directory while starting keytab scan
> ========================================================
> It seemed to try to find a file named "krb5.keytab".
>
> OK, let's do it:
> ========================================================
> qxu@durian(pts/3):/etc/openldap[9]$ sudo mv /etc/openldap/ldap.keytab /etc/krb5.keytab
> Password:
>
> qxu@durian(pts/3):/etc/openldap[10]$ cd /etc
>
> qxu@durian(pts/3):/etc[11]$ ll krb*
> -rw-r--r-- 1 root root 804 Mar 19 17:04 krb5.conf
> -rw-r--r-- 1 root root 69 Mar 20 15:01 krb5.keytab
> -rw-r--r-- 1 root root 143 Mar 19 16:34 krb.conf
>
> qxu@durian(pts/3):/etc[12]$ klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 ldap/sesswin2003.com@SESSWIN2003.COM
> ========================================================
> It looks good.
>
> Then I tried to do Kerberos authentication followed by ldapsearch:
> ========================================================
> qxu@durian(pts/3):/etc[14]$ kinit -f qxu@SESSWIN2003.COM
> Password for qxu@SESSWIN2003.COM:
>
> qxu@durian(pts/3):/etc[15]$ klist
> Ticket cache: FILE:/tmp/krb5cc_20153
> Default principal: qxu@SESSWIN2003.COM
>
> Valid starting     Expires            Service principal
> 03/20/09 15:07:19  03/21/09 01:06:54  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
>         renew until 03/21/09 15:07:19
>
>
> Kerberos 4 ticket cache: /tmp/tkt20153
> klist: You have no tickets cached
>
> qxu@durian(pts/3):/etc[16]$ klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 ldap/sesswin2003.com@SESSWIN2003.COM
>
> qxu@durian(pts/3):/etc[17]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail

You need to use the FQDN of the server, not the IP number. GSSAPI/Kerberos use the FQDN to derive the principal name.

> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> ========================================================
> To my dismay, it still doesn't work.
>
> Anyone can shed some light on this?
>
> Thanks,
> Xu Qiang
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From michael at stroeder.com Fri Mar 20 19:54:48 2009
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 21 Mar 2009 00:54:48 +0100
Subject: SASL authentication
In-Reply-To:
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov>
Message-ID: <9vmd96-1dp.ln1@nb2.stroeder.com>

Douglas E. Engert wrote:
> Xu, Qiang (FXSGSC) wrote:
> > Michael said in an earlier note ktpass was not what you needed.
> Unless I missed something, I assumed the ldap service is going to be
> running on a Unix system. In which case ktpass is what you want.

As I understood the original poster he wants to use LDAP SASL Bind with mechanism GSSAPI in his LDAP client when accessing MS AD. For this to work a normal kinit should be sufficient for a first test of his LDAP client code.

If his own LDAP *client* runs as a long-running service (e.g. a networked printer) then he would need a keytab extracted with the help of ktpass.exe. AFAICS in these postings the first test did not succeed yet.

>> In reference to
>> http://technet.microsoft.com/en-us/library/bb742433.aspx, it seems the
>> only tool to use is ktpass. But the problem is, as I said before, I
>> don't know which user to associate in creating the keytab file.
>
> The term "user account" used by Microsoft refers to the AD
> objectClass user. It has nothing to do with the users who will be
> using the service. You are in effect creating a service account for
> the service, and ktpass will map the principal of the service to the
> account. Since account names can not have / and have to be 19
> characters or less, you could name the account something like
> ldap-sesswin2003.

You create a user with a sAMAccountName and a userPrincipalName (LDAP attribute names) and then use this userPrincipalName as parameter for kinit. LDAP-bind with SASL/GSSAPI will automagically obtain a service ticket. See my local test with the OpenLDAP command-line tool below (all names manually obfuscated).

If something fails check your DNS and /etc/krb5.conf especially regarding enc types.

Maybe I got the original poster wrong though...

Ciao, Michael.

-----------Get Ticket Granting Ticket (TGT)-----------
$ kinit username@TESTDOMAIN.DOM
Password for username@TESTDOMAIN.DOM:

-----------List Tickets-----------
$ klist
Ticket cache: FILE:/tmp/krb5cc_4242
Default principal: username@TESTDOMAIN.DOM

Valid starting     Expires            Service principal
03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/TESTDOMAIN.DOM@TESTDOMAIN.DOM
        renew until 03/22/09 00:39:14


Kerberos 4 ticket cache: /tmp/tkt4242
klist: You have no tickets cached

-----------LDAP-Bind SASL/GSSAPI-----------
$ ldapsearch -H ldap://dc1.testdomain.dom -b "" -s base -Y GSSAPI "(objectClass=*)" namingContexts
SASL/GSSAPI authentication started
SASL username: username@TESTDOMAIN.DOM
SASL SSF: 56
SASL data security layer installed.
dn:
namingContexts: DC=testdomain,DC=dom
namingContexts: CN=Configuration,DC=testdomain,DC=dom
namingContexts: CN=Schema,CN=Configuration,DC=testdomain,DC=dom
namingContexts: DC=DomainDnsZones,DC=testdomain,DC=dom
namingContexts: DC=ForestDnsZones,DC=testdomain,DC=dom

-----------List Tickets-----------
$ klist
Ticket cache: FILE:/tmp/krb5cc_4242
Default principal: username@TESTDOMAIN.DOM

Valid starting     Expires            Service principal
03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/TESTDOMAIN.DOM@TESTDOMAIN.DOM
        renew until 03/22/09 00:39:14
03/21/09 00:40:57  03/21/09 10:39:16  ldap/dc1.testdomain.dom@TESTDOMAIN.DOM
        renew until 03/22/09 00:39:14


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

From Qiang.Xu at fujixerox.com Sun Mar 22 22:47:10 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Mon, 23 Mar 2009 10:47:10 +0800
Subject: SASL authentication
In-Reply-To: <49C3E8EE.8040805@anl.gov>
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <49C3E8EE.8040805@anl.gov>
Message-ID:

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Saturday, March 21, 2009 3:05 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; kerberos at mit.edu
> Subject: Re: SASL authentication
>
> Michael said in an earlier note ktpass was not what you needed.
> Unless I missed something, I assumed the ldap service is
> going to be running on a Unix system. In which case ktpass is
> what you want.

Both LDAP service and Kerberos service are running in the same machine, equipped with Windows 2003 Server OS. So only ktpass is available to generate a keytab file. The LDAP client in the printer is running on a Wind River Linux system.

> The term "user account" used by Microsoft refers to the AD
> objectClass user. It has nothing to do with the users who
> will be using the service. You are in effect creating a
> service account for the service, and ktpass will map the
> principal of the service to the account. Since account names
> can not have / and have to be 19 characters or less, you
> could name the account something like ldap-sesswin2003.
>
> > Anyway, I've given it a try. First, I created a user
> > "ldapServer/Fair123" in ADS of sesswin2003. Then:
>
> I don't think you can have the / in the name. The -mapuser
> parameter below has to match the account name. When you run
> ktpass it will update the AD account, *AND* the keytab
> with the new pass and update the kvno.

In my example, the username is "ldapServer", "Fair123" is the password associated with this user. Sorry for the confusion.

> > ========================================================
> > C:> ktpass -princ ldap/sesswin2003.com@SESSWIN2003.COM -mapuser
> > ldapServer -pass Fair123 -out ldap.keytab
> > ========================================================
> > It finished smoothly. Then I ftp'ed it to the printer,
> > which is LDAP client and Kerberos client. First I put it into
> > "/etc/openldap", as suggested by
> > http://aput.net/~jheiss/krbldap/howto.html.
>
> ftp'ed what? To where?
> The ldap.keytab is for the ldap server, not the client.
> The default location of a keytab is /etc/krb5.keytab but can
> be somewhere else where the ldap server can access it.
> See KRB5_KTNAME env variable.

I ftp'ed the output of the ktpass command, the keytab file "ldap.keytab", into the printer, which is an LDAP client. The client will use it to identify the LDAP server in SASL communication with the Kerberos server. Michael also pointed it out previously. The following is what Michael said before:
============================
First try to do a kinit with providing the password. After that you could try using keytab files (on your LDAP client) if needed in your setup.
============================

You mean the keytab file should be put in the LDAP server? My LDAP server is ADS in Windows 2003 Server EE, so where should I put it?

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Sun Mar 22 23:15:16 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Mon, 23 Mar 2009 11:15:16 +0800
Subject: SASL authentication
In-Reply-To: <9vmd96-1dp.ln1@nb2.stroeder.com>
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <9vmd96-1dp.ln1@nb2.stroeder.com>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> As I understood the original poster he wants to use LDAP SASL
> Bind with mechanism GSSAPI in his LDAP client when accessing
> MS AD. For this to work a normal kinit should be sufficient
> for a first test of his LDAP client code.
>
> If his own LDAP *client* runs as a long-running service (e.g.
> a networked printer) then he would need a keytab extracted
> with the help of ktpass.exe. AFAICS in these postings the
> first test did not succeed yet.

Yes, my LDAP client runs in a networked printer, which is not in the same realm as the Kerberos server and LDAP server. Therefore, maybe a keytab file is necessary for me?

> You create a user with a sAMAccountName and a
> userPrincipalName (LDAP attribute names) and then use this
> userPrincipalName as parameter for kinit. LDAP-bind with
> SASL/GSSAPI will automagically obtain a service ticket. See
> my local test with OpenLDAP command-line tool below (all
> names manually obfuscated).
>
> If something fails check your DNS and /etc/krb5.conf
> especially regarding enc types.

Basically, my test is almost the same as what you've done in the following.
But in doing ldapsearch, I've met an error:
========================================================
qxu@durian(pts/3):/etc[14]$ kinit -f qxu@SESSWIN2003.COM
Password for qxu@SESSWIN2003.COM:

qxu@durian(pts/3):/etc[15]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: qxu@SESSWIN2003.COM

Valid starting     Expires            Service principal
03/20/09 15:07:19  03/21/09 01:06:54  krbtgt/SESSWIN2003.COM@SESSWIN2003.COM
        renew until 03/21/09 15:07:19


Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached

qxu@durian(pts/3):/etc[17]$ ldapsearch -Y GSSAPI -H 'ldap://13.198.98.35' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
========================================================
Does the message "Server not found in Kerberos database" mean I need a keytab file?

Thank you, Michael!
Xu Qiang

> Maybe I got the original poster wrong though...
>
> Ciao, Michael.
>
> -----------Get Ticket Granting Ticket (TGT)-----------
> $ kinit username@TESTDOMAIN.DOM
> Password for username@TESTDOMAIN.DOM:
>
> -----------List Tickets-----------
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_4242
> Default principal: username@TESTDOMAIN.DOM
>
> Valid starting     Expires            Service principal
> 03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/TESTDOMAIN.DOM@TESTDOMAIN.DOM
>         renew until 03/22/09 00:39:14
>
>
> Kerberos 4 ticket cache: /tmp/tkt4242
> klist: You have no tickets cached
>
> -----------LDAP-Bind SASL/GSSAPI-----------
> $ ldapsearch -H ldap://dc1.testdomain.dom -b "" -s base -Y GSSAPI "(objectClass=*)" namingContexts
> SASL/GSSAPI authentication started
> SASL username: username@TESTDOMAIN.DOM
> SASL SSF: 56
> SASL data security layer installed.
> dn:
> namingContexts: DC=testdomain,DC=dom
> namingContexts: CN=Configuration,DC=testdomain,DC=dom
> namingContexts: CN=Schema,CN=Configuration,DC=testdomain,DC=dom
> namingContexts: DC=DomainDnsZones,DC=testdomain,DC=dom
> namingContexts: DC=ForestDnsZones,DC=testdomain,DC=dom
>
> -----------List Tickets-----------
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_4242
> Default principal: username@TESTDOMAIN.DOM
>
> Valid starting     Expires            Service principal
> 03/21/09 00:39:14  03/21/09 10:39:16  krbtgt/TESTDOMAIN.DOM@TESTDOMAIN.DOM
>         renew until 03/22/09 00:39:14
> 03/21/09 00:40:57  03/21/09 10:39:16  ldap/dc1.testdomain.dom@TESTDOMAIN.DOM
>         renew until 03/22/09 00:39:14
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached

From Qiang.Xu at fujixerox.com Mon Mar 23 01:56:56 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Mon, 23 Mar 2009 13:56:56 +0800
Subject: SASL authentication
In-Reply-To: <49C3E8EE.8040805@anl.gov>
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <49C3E8EE.8040805@anl.gov>
Message-ID:

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Saturday, March 21, 2009 3:05 AM
> To: Xu, Qiang (FXSGSC)
> Cc: Michael Ströder; kerberos at mit.edu
> Subject: Re: SASL authentication
>
> You need to use the FQDN of the server, not the IP number.
> GSSAPI/Kerberos use the FQDN to derive the principal name.

As you suggested, I use the following expressions:
==========================================
qxu@durian(pts/3):/etc[19]$ ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=qxu' mail
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
==========================================
The domain name is "sesswin2003.com", the host name is "sesswin2003". Thus the FQDN in the expression is "sesswin2003.sesswin2003.com". But the result seems worse.

Did I miss anything?

Thank you, Doug!
Xu Qiang

From Qiang.Xu at fujixerox.com Mon Mar 23 05:31:49 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Mon, 23 Mar 2009 17:31:49 +0800
Subject: SASL authentication
In-Reply-To: <9vmd96-1dp.ln1@nb2.stroeder.com>
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <9vmd96-1dp.ln1@nb2.stroeder.com>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Saturday, March 21, 2009 7:55 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> You create a user with a sAMAccountName and a
> userPrincipalName (LDAP attribute names) and then use this
> userPrincipalName as parameter for kinit. LDAP-bind with
> SASL/GSSAPI will automagically obtain a service ticket. See
> my local test with OpenLDAP command-line tool below (all
> names manually obfuscated).
>
> If something fails check your DNS and /etc/krb5.conf
> especially regarding enc types.

Yes, now I am also suspecting something is wrong with the DNS settings. But I don't know how to check them. Could you give me some examples?
The following is the content of my /etc/krb5.conf:
=======================================
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = durian.fujixerox.com
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 SESSWIN2003.COM = {
  kdc = 13.198.98.35:88
  default_domain = sesswin2003.com
 }
 durian.fujixerox.com = {
  kdc = kerberos.durian.fujixerox.com:88
  admin_server = kerberos.durian.fujixerox.com:749
 }

[domain_realm]
 .sesswin2003.com = SESSWIN2003.COM
 sesswin2003.com = SESSWIN2003.COM
 durian.fujixerox.com = durian.fujixerox.com
 .durian.fujixerox.com = durian.fujixerox.com

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
=======================================
In this configuration file, "durian" is the hostname of the client machine. Is there anything wrong with it?

Thanks,
Xu Qiang

From michael at stroeder.com Mon Mar 23 15:22:06 2009
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 23 Mar 2009 20:22:06 +0100
Subject: SASL authentication
In-Reply-To:
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <9vmd96-1dp.ln1@nb2.stroeder.com>
Message-ID:

Xu, Qiang (FXSGSC) wrote:
>
> Yes, now I am also suspecting something is wrong with DNS settings.
> But I don't know how to check them. Could you give me some examples?

Use nslookup.exe on host name and IP address. They must match.

> [libdefaults]
> default_realm = durian.fujixerox.com
> [..]
> In this configuration file, "durian" is the hostname of the client
> machine. Is there anything wrong with it?

I'm confused. Why do you put in durian.fujixerox.com here.

default_realm MUST point to a Kerberos realm. In a MS AD environment this is simply the upper-case DNS domain name of the AD domain.

> [realms]
> SESSWIN2003.COM = {
> kdc = 13.198.98.35:88
        ^^^^^^^^^^^^
Is that the IP address of your AD domain controller? Is SESSWIN2003.COM your AD domain?

> durian.fujixerox.com = {
> kdc = kerberos.durian.fujixerox.com:88
> admin_server = kerberos.durian.fujixerox.com:749
> }

Likely you should remove that.

You should try to find a working setup with AD using your favourite search engine. Please read a little bit more what the different parameters really mean.

Ciao, Michael.

From huaraz at moeller.plus.com Mon Mar 23 19:25:44 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 23 Mar 2009 23:25:44 -0000
Subject: SASL authentication
In-Reply-To:
References: <68h696-ul2.ln1@nb2.stroeder.com><49C2ECAF.4080405@anl.gov><49C3E8EE.8040805@anl.gov>
Message-ID: <9aednSI1rOXih1XUnZ2dnUVZ8i6WnZ2d@posted.plusnet>

Can you get a network capture with wireshark on your 2003 server of all traffic from your client when you do the following

On the client:
kinit qxu@SESSWIN2003.COM
ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s sub -LLL '(cn=qxu)' mail

Make sure that sesswin2003.sesswin2003.com resolves to the correct ip or is in your hosts file.

Markus

"Xu, Qiang (FXSGSC)" wrote in message news:mailman.142.1237787839.14058.kerberos at mit.edu...
>> -----Original Message-----
>> From: Douglas E. Engert [mailto:deengert at anl.gov]
>> Sent: Saturday, March 21, 2009 3:05 AM
>> To: Xu, Qiang (FXSGSC)
>> Cc: Michael Ströder; kerberos at mit.edu
>> Subject: Re: SASL authentication
>>
>> You need to use the FQDN of the server, not the IP number.
>> GSSAPI/Kerberos use the FQDN to derive the principal name.
>
> As you suggested, I use the following expressions:
> ==========================================
> qxu@durian(pts/3):/etc[19]$ ldapsearch -Y GSSAPI -H
> 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s
> sub -LLL 'cn=qxu' mail
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> ==========================================
> The domain name is "sesswin2003.com", the host name is "sesswin2003". Thus
> the FQDN in the expression is "sesswin2003.sesswin2003.com". But the
> result seems worse.
>
> Did I miss anything?
>
> Thank you, Doug!
> Xu Qiang
>

From Qiang.Xu at fujixerox.com Tue Mar 24 03:04:27 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Tue, 24 Mar 2009 15:04:27 +0800
Subject: SASL authentication
In-Reply-To: <9aednSI1rOXih1XUnZ2dnUVZ8i6WnZ2d@posted.plusnet>
References: <68h696-ul2.ln1@nb2.stroeder.com><49C2ECAF.4080405@anl.gov><49C3E8EE.8040805@anl.gov> <9aednSI1rOXih1XUnZ2dnUVZ8i6WnZ2d@posted.plusnet>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Markus Moeller
> Sent: Tuesday, March 24, 2009 7:26 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> Can you get a network capture with wireshark on your 2003
> server of all traffic from your client when you do the following
>
> On the client:
> kinit qxu@SESSWIN2003.COM
> ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com'
> -b 'dc=sesswin2003,dc=com' -s sub -LLL '(cn=qxu)' mail
>
> Make sure that sesswin2003.sesswin2003.com resolves to the
> correct ip or is in your hosts file.

Just as you guessed, Markus, there is no network traffic arriving at the LDAP server when I run the ldapsearch command. In contrast, when I run the kinit command, ethereal can help me capture Kerberos packets. So it seems the FQDN "sesswin2003.sesswin2003.com" cannot be resolved. Shall I do something to the file "/etc/hosts"? Could you give me some suggestions on how to resolve this name?

Please note that the client (where kinit and ldapsearch are run) is not in the domain "sesswin2003.com".

Thanks,
Xu Qiang

From Qiang.Xu at fujixerox.com Tue Mar 24 05:21:44 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Tue, 24 Mar 2009 17:21:44 +0800
Subject: SASL authentication
In-Reply-To:
References: <68h696-ul2.ln1@nb2.stroeder.com> <49C2ECAF.4080405@anl.gov> <9vmd96-1dp.ln1@nb2.stroeder.com>
Message-ID:

> -----Original Message-----
> From: kerberos-bounces at mit.edu
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder
> Sent: Tuesday, March 24, 2009 3:22 AM
> To: kerberos at mit.edu
> Subject: Re: SASL authentication
>
> Use nslookup.exe on host name and IP address. They must match.

Thanks, Michael! Using nslookup in the client Linux box, I found the reason why there is no outward LDAP traffic. The LDAP server (AD in Windows 2003 Server), as I said, is the primary domain controller of its own. It is also the DNS server in its own domain. I didn't recognize that this DNS server is not in the nameserver list of the client machine. No wonder it can not resolve the name. Now it is added into the file "/etc/resolv.conf":
==========================================================
search sgp.fujixerox.com sesswin2003.com    /* sesswin2003.com is the domain name of the AD server */
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35    /* This is the IP Address of the domain controller with its FQDN as sesswin2003.sesswin2003.com */
==========================================================
But strangely, with this file modified, "nslookup sesswin2003" still fails. To my surprise, even in the AD itself, this command fails. So I suspect DNS in the AD is not running properly. Could you tell me where to look in the AD to fix the DNS issue?

> > [libdefaults]
> > default_realm = durian.fujixerox.com
> > [..]
> > In this configuration file, "durian" is the hostname of the client
> > machine. Is there anything wrong with it?
>
> I'm confused. Why do you put in durian.fujixerox.com here.
>
> default_realm MUST point to a Kerberos realm. In a MS AD
> environment this is simply the upper-case DNS domain name of
> the AD domain.

durian is the hostname of the client Linux box. fujixerox.com is the domain name in which the client lies. Yes, I also feel this is a strange setting. durian.fujixerox.com is the FQDN of the client, not a domain name. But since it has nothing to do with the LDAP traffic, I don't want to change it now.

> > [realms]
> > SESSWIN2003.COM = {
> > kdc = 13.198.98.35:88
>         ^^^^^^^^^^^^
> Is that the IP address of your AD domain controller? Is
> SESSWIN2003.COM your AD domain?

Yes, this is the IP address of the AD domain controller. And yes again, SESSWIN2003.COM is my AD domain.

> > durian.fujixerox.com = {
> > kdc = kerberos.durian.fujixerox.com:88
> > admin_server = kerberos.durian.fujixerox.com:749 }
>
> Likely you should remove that.
>
> You should try to find a working setup with AD using your
> favourite search engine. Please read a little bit more what
> the different parameters really mean.

Thanks a lot,
Xu Qiang

From frank.gruellich at navteq.com Tue Mar 24 07:48:19 2009
From: frank.gruellich at navteq.com (Frank Gruellich)
Date: Tue, 24 Mar 2009 12:48:19 +0100
Subject: Obtaining Service Ticket with TGT only (via shell commands)
Message-ID: <49C8C883.8040708@navteq.com>

Hi,

in short: are there any shell commands included in the MIT Kerberos Distribution to obtain a specific service ticket once I have a TGT?

Long version: I'm going to write some shell scripts supporting management of principals in our realm (combined with user management and some more stuff). I would like to include some basic sanity checks before pushing anything into the KDC database, e.g. does the principal already exist.
Unfortunately, every kadmin -q 'whatever' prompts me for the password for $USER/admin principal and I'm not able to circumvent this. From what I understand from man kadmin I need a valid ticket for the kadmin/admin service in my credentials cache. And indeed, if I

$ kinit -S kadmin/admin frank/admin

I can invoke

$ kadmin -c "$KRB5CCNAME" -q 'listprincs'

without giving a password to kadmin. But this way I have to supply a password to kinit and even worse it destroys all other tickets the user maybe already has in its cache. My idea would be to

1. check if the shell script caller has a valid kadmin/admin service ticket in its cache; if so use it, if not
2. check if the caller has a valid TGT in its cache; if so use it to obtain a kadmin/admin service ticket and use this (goto 1), if not invoke kinit to obtain a TGT (now prompting for a password, of course) and goto 2.

I'm somewhat puzzled by all suggestions after some googling to use a keytab for that purpose (what I consider as rather insecure and ugly). I'm even more puzzled, that kadmin does not do the steps I mentioned on its own. Of course, using kadmin should be done with caution, but that way the -q option is pretty useless (IMHO). Or am I missing some important point, maybe? Are there any shell tools to do that? I'm kinda advanced shell freak but (as you maybe notice due to my excessive use of goto's ;-)) a poor coder. But if it requires some lines of C and someone could point me to some resources (or even better some sample lines) I would try to deal with this, as well. Thanks in advance.
Kind regards, -- Navteq (DE) GmbH Frank Gruellich Map24 Systems and Networks Duesseldorfer Strasse 40a 65760 Eschborn Germany Phone: +49 6196 77756-414 Fax: +49 6196 77756-100 USt-ID-No.: DE 197947163 Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman

From Kevan.Earl at astrazeneca.com Tue Mar 24 11:07:56 2009 From: Kevan.Earl at astrazeneca.com (Earl, Kevan C) Date: Tue, 24 Mar 2009 15:07:56 -0000 Subject: Kerberos authetication against multiple Windows Domains Message-ID: <3154FEBCFB92804DA39A2560E17183760341FE80@ukaprdembx02.rd.astrazeneca.net>

Hello, I'm after some advice on how to configure Kerberos v5 to authenticate users from different Windows domains to the same Apache hosted application. Is this possible? If so, is there a simple guide on what needs to be done in order to achieve it that can be shared with me? I have Kerberos v5 installed with a Kerberos-capable version of Apache on AIX 5.3. I have had a keytab file generated in the Windows "EU" domain, and have configured the server so the application authenticates users from the "EU" domain. /etc/krb5.conf is similar to:

[libdefaults]
default_realm = EU.COMPANY.NET

[realms]
EU.COMPANY.NET = {
kdc = eudc01.eu.company.net
admin_server = eudc01.eu.company.net
default_domain = eu.company.net
}

[domain_realm]
.svr_domain.company.net = EU.COMPANY.NET
svr_domain.company.net = EU.COMPANY.NET

What do I need to do in order to also authenticate users from the companies "US" domain, which is controlled by separate domain controller(s), to the application? Any help anyone can give me would be very gratefully received. Regards, Kevan Earl

--------------------------------------------------------------------------
AstraZeneca UK Limited is a company incorporated in England and Wales with registered number: 03674842 and a registered office at 15 Stanhope Gate, London W1K 1LN.
Confidentiality Notice: This message is private and may contain confidential, proprietary and legally privileged information. If you have received this message in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorised use or disclosure of the contents of this message is not permitted and may be unlawful. Disclaimer: Email messages may be subject to delays, interception, non-delivery and unauthorised alterations. Therefore, information expressed in this message is not given or endorsed by AstraZeneca UK Limited unless otherwise notified by an authorised representative independent of this message. No contractual relationship is created by this message by any person unless specifically indicated by agreement in writing other than email. Monitoring: AstraZeneca UK Limited may monitor email traffic data and content for the purposes of the prevention and detection of crime, ensuring the security of our computer systems and checking Compliance with our Code of Conduct and Policies. From ghudson at MIT.EDU Tue Mar 24 11:41:49 2009 From: ghudson at MIT.EDU (Greg Hudson) Date: Tue, 24 Mar 2009 11:41:49 -0400 Subject: Obtaining Service Ticket with TGT only (via shell commands) In-Reply-To: <49C8C883.8040708@navteq.com> References: <49C8C883.8040708@navteq.com> Message-ID: <1237909309.6246.237.camel@ray> On Tue, 2009-03-24 at 12:48 +0100, Frank Gruellich wrote: > in short: are there any shell commands included in the MIT Kerberos > Distribution to obtain a specific service ticket once I have a TGT? The "kvno" command accomplishes this, if I'm understanding the question correctly. 
From frank.gruellich at navteq.com Tue Mar 24 12:25:26 2009 From: frank.gruellich at navteq.com (Frank Gruellich) Date: Tue, 24 Mar 2009 17:25:26 +0100 Subject: Obtaining Service Ticket with TGT only (via shell commands) In-Reply-To: <1237909309.6246.237.camel@ray> References: <49C8C883.8040708@navteq.com> <1237909309.6246.237.camel@ray> Message-ID: <49C90976.9010609@navteq.com>

Hi, thanks for your answer. Greg Hudson wrote: > On Tue, 2009-03-24 at 12:48 +0100, Frank Gruellich wrote: >> in short: are there any shell commands included in the MIT Kerberos >> Distribution to obtain a specific service ticket once I have a TGT? > The "kvno" command accomplishes this, if I'm understanding the question > correctly.

Oh, cool, yes, seems so, at least as a side effect. But for some reason it does not work with the kadmin/admin service principal:

(0) frank at nmsng [~] % kinit frank/admin
Password for frank/admin at EXAMPLE.COM:
(0) frank at nmsng [~] % kvno -q host/eloy.example.com at EXAMPLE.COM
(0) frank at nmsng [~] % kvno -q kadmin/admin at EXAMPLE.COM
kadmin/admin at EXAMPLE.COM: KDC policy rejects request while getting credentials
(1) frank at nmsng [~] % klist
Ticket cache: FILE:/tmp/krb5cc_20000_0mSrwN
Default principal: frank/admin at EXAMPLE.COM

Valid starting Expires Service principal
03/24/09 17:20:10 03/25/09 17:20:10 krbtgt/EXAMPLE.COM at EXAMPLE.COM
03/24/09 17:20:28 03/25/09 17:20:10 host/eloy.example.com at EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt20000
klist: You have no tickets cached
(1) frank at nmsng [~] %

It works for host/eloy.example.com, but not for kadmin/admin. I find:

Mar 24 17:20:40 bill krb5kdc[26337]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.39.8.15: TGT BASED NOT ALLOWED: authtime 1237911610, frank/admin at EXAMPLE.COM for kadmin/admin at EXAMPLE.COM, KDC policy rejects request

in krb5kdc's logfile. Any hints what this means? Google doesn't reveal too much for both error messages.
Kind regards, -- Navteq (DE) GmbH Frank Gruellich Map24 Systems and Networks Duesseldorfer Strasse 40a 65760 Eschborn Germany Phone: +49 6196 77756-414 Fax: +49 6196 77756-100 USt-ID-No.: DE 197947163 Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman From ghudson at MIT.EDU Tue Mar 24 12:44:29 2009 From: ghudson at MIT.EDU (Greg Hudson) Date: Tue, 24 Mar 2009 12:44:29 -0400 Subject: Obtaining Service Ticket with TGT only (via shell commands) In-Reply-To: <49C90976.9010609@navteq.com> References: <49C8C883.8040708@navteq.com> <1237909309.6246.237.camel@ray> <49C90976.9010609@navteq.com> Message-ID: <1237913069.6246.263.camel@ray> On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote: > Oh, cool, yes, seems so, at least as a side effect. But for some reason > it does not work with the kadmin/admin service principal: If you go into kadmin and run "getprinc kadmin/admin", you should see: Attributes: DISALLOW_TGT_BASED which means you can only get a ticket for this principal with an initial ticket request and not with a TGT. You can change this with "modprinc +allow_tgs_req kadmin/admin" but I believe that would compromise the requirement that people have to reenter their passwords in order to run kadmin. For the purposes of your script, you can either treat a "KDC policy rejects request" error as an indication that the principal exists, or you can assume you won't run into that situation on any of the principals you are managing with the script. From huaraz at moeller.plus.com Tue Mar 24 19:52:44 2009 From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 24 Mar 2009 23:52:44 -0000 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com><49C2ECAF.4080405@anl.gov><9vmd96-1dp.ln1@nb2.stroeder.com> Message-ID: "Xu, Qiang (FXSGSC)" wrote in message news:D8C9BC7FFCF8154FB7141EB8DB609C1729058B3A83 at SGPAPHQ-EXSCC01.dc01.fujixerox.net... 
>> -----Original Message----- >> From: kerberos-bounces at mit.edu >> [mailto:kerberos-bounces at mit.edu] On Behalf Of Michael Ströder >> Sent: Tuesday, March 24, 2009 3:22 AM >> To: kerberos at mit.edu >> Subject: Re: SASL authentication >> >> Use nslookup.exe on host name and IP address. They must match. > > Thanks, Michael! Using nslookup in the client Linux box, I found it is the > reason why there is no outward LDAP traffic. The LDAP server (AD in > Windows 2003 Server), as I said, is the primary domain controller of its > own. It is also the DNS server in its own domain. I didn't recognize that > this DNS server is not in the nameserver list of the client machine. No > wonder it can not resolve the name. Now it is added into the file > "/etc/resolv.conf": > ========================================================== > search sgp.fujixerox.com sesswin2003.com /* sesswin2003.com is the domain > name of the AD server */ > nameserver 13.198.8.83 > nameserver 13.198.96.10 > nameserver 13.198.98.35 /* This is the IP Address of the domain controller > with its FQDN as sesswin2003.sesswin2003.com */ > ========================================================== > But strangely, with this file modified, "nslookup sesswin2003" still > fails. To my surprise, even in the AD itself, this command fails. So I > suspect DNS in the AD is not running properly. Could you tell me where to > look at in the AD to fix the DNS issue?

You need to do nslookup sesswin2003.sesswin2003.com or nslookup sesswin2003.com or add a search path to your resolv.conf file (e.g. search sesswin2003.com)

> >> > [libdefaults] >> > default_realm = durian.fujixerox.com >> > [..] >> > In this configuration file, "durian" is the hostname of the client >> > machine. Is there anything wrong with it? >> >> I'm confused. Why do you put in durian.fujixerox.com here. >> >> default_realm MUST point to a Kerberos realm. In a MS AD >> environment this is simply the upper-case DNS domain name of >> the AD domain.
> > durian is the hostname of the client Linux box. fujixerox.com is the > domain name in which the client lies. > Yes, I also feel this is strange setting. durian.fujixerox.com is FQDN of > the client, not a domain name. > > But since it has nothing to do with the LDAP traffic, I don't want to > change it now. > >> > [realms] >> > SESSWIN2003.COM = { >> > kdc = 13.198.98.35:88 >> ^^^^^^^^^^^^ >> Is that the IP address of your AD domain controller? Is >> SESSWIN2003.COM your AD domain? > > Yes, this is the IP address of the AD domain controller. And Yes again, > SESSWIN2003.COM is my AD domain. > >> > durian.fujixerox.com = { >> > kdc = kerberos.durian.fujixerox.com:88 >> > admin_server = kerberos.durian.fujixerox.com:749 } >> >> Likely you should remove that. >> >> You should try to find a working setup with AD using your >> favourite search engine. Please read a little bit more what >> the different parameters really mean. > > Thanks a lot, > Xu Qiang > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > Markus From huaraz at moeller.plus.com Tue Mar 24 20:04:01 2009 From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 25 Mar 2009 00:04:01 -0000 Subject: Kerberos authetication against multiple Windows Domains In-Reply-To: <3154FEBCFB92804DA39A2560E17183760341FE80@ukaprdembx02.rd.astrazeneca.net> References: <3154FEBCFB92804DA39A2560E17183760341FE80@ukaprdembx02.rd.astrazeneca.net> Message-ID: "Earl, Kevan C" wrote in message news:3154FEBCFB92804DA39A2560E17183760341FE80 at ukaprdembx02.rd.astrazeneca.net... > Hello, > > I'm after some advice on how to configure Kerberos v5 to authenticate > users from different Windows domains to the same Apache hosted > application. Is this possible? If so, is there a simple guide on what > needs to be done in order to achieve it that can be shared with me? 
> > I have Kerberos v5 installed with a Kerberos-capable version of Apache on > AIX 5.3. > I have had a keytab file generated in the Windows "EU" domain, and have > configured the server so the application authenticates users from the "EU" > domain. > > /etc/krb5.conf is similar to: > > [libdefaults] > default_realm = EU.COMPANY.NET > > [realms] > EU.COMPANY.NET = { > kdc = eudc01.eu.company.net > admin_server = eudc01.eu.company.net > default_domain = eu.company.net > } > > [domain_realm] > .svr_domain.company.net = EU.COMPANY.NET > svr_domain.company.net = EU.COMPANY.NET > > What do I need to do in order to also authenticate users from the > companies "US" domain, which is controlled by separate domain > controller(s), to the application? >

If the domains have a trust you don't need to do anything. If they don't have trust then you need to create a second keytab entry for the host in the US DC with a second DNS name. e.g. In the EU domain the server is server.eu.company.net with a key HTTP/server.eu.company.net at EU.COMPANY.NET in eudc01 and in the US domain the server is server.us.company.net with a key HTTP/server.us.company.net at US.COMPANY.NET in usdc01. Merge both keys in one keytab for apache and configure the apache kerberos module to accept all names (I think it is KrbServiceName Any in mod-auth-kerb)

> Any help anyone can give me would be very gratefully received. > > Regards, > Kevan Earl >

Regards Markus

From Qiang.Xu at fujixerox.com Wed Mar 25 05:28:29 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Wed, 25 Mar 2009 17:28:29 +0800 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com><49C2ECAF.4080405@anl.gov><9vmd96-1dp.ln1@nb2.stroeder.com> Message-ID:

> -----Original Message----- > From: kerberos-bounces at mit.edu > [mailto:kerberos-bounces at mit.edu] On Behalf Of Markus Moeller > Sent: Wednesday, March 25, 2009 7:53 AM > To: kerberos at mit.edu > Subject: Re: SASL authentication > > You need to do nslookup sesswin2003.sesswin2003.com or > nslookup sesswin2003.com or add a search path to your > resolv.conf file (e.g.
search > sesswin2003.com)

Yesterday, my resolv.conf was like this:
=================================
search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.8.83
nameserver 13.198.96.10
nameserver 13.198.98.35
=================================
To my dismay, it didn't work. The hostname "sesswin2003" still couldn't be resolved to its IP address. Today, with the help of our local SA, the file is changed to:
=================================
search sgp.fujixerox.com sesswin2003.com
nameserver 13.198.98.35
nameserver 13.198.96.10
=================================
It seems the order of nameserver list is important. Quite strange. Or it may be the problem of some DNS server. Because if I put the nameserver 13.198.96.10 in front of 13.198.98.35, it still doesn't work. By right, if a hostname can't be located by the first nameserver, it should continue to look for the hostname in the second nameserver, right? Anyway, now nslookup works perfectly:
=================================
qxu at durian(pts/1):/etc[17]$ nslookup sesswin2003
Server: 13.198.98.35
Address: 13.198.98.35#53

Name: sesswin2003.sesswin2003.com
Address: 13.198.98.35

qxu at durian(pts/1):/etc[18]$ nslookup sesswin2003.sesswin2003.com
Server: 13.198.98.35
Address: 13.198.98.35#53

Name: sesswin2003.sesswin2003.com
Address: 13.198.98.35
=================================
For me, it is quite promising. Then I did what Michael and Doug told me, i.e.
kinit, klist and ldapsearch:
=================================
qxu at durian(pts/1):/etc[19]$ kinit qxu at SESSWIN2003.COM
Password for qxu at SESSWIN2003.COM:

qxu at durian(pts/1):/etc[20]$ klist
Ticket cache: FILE:/tmp/krb5cc_20153
Default principal: qxu at SESSWIN2003.COM

Valid starting Expires Service principal
03/25/09 17:21:13 03/26/09 03:21:11 krbtgt/SESSWIN2003.COM at SESSWIN2003.COM
renew until 03/26/09 17:21:13

Kerberos 4 ticket cache: /tmp/tkt20153
klist: You have no tickets cached

qxu at durian(pts/1):/etc[21]$ ldapsearch -Y GSSAPI -H 'ldap://sesswin2003.sesswin2003.com' -b 'dc=sesswin2003,dc=com' -s sub -LLL 'cn=xuan' mail
SASL/GSSAPI authentication started
SASL username: qxu at SESSWIN2003.COM
SASL SSF: 56
SASL installing layers
dn: CN=xuan,CN=Users,DC=sesswin2003,DC=com
mail: Xuan.Shangguan at fujixerox.com

# refldap://ForestDnsZones.sesswin2003.com/DC=ForestDnsZones,DC=sesswin2003,DC=com

# refldap://DomainDnsZones.sesswin2003.com/DC=DomainDnsZones,DC=sesswin2003,DC=com

# refldap://sesswin2003.com/CN=Configuration,DC=sesswin2003,DC=com
=================================
It works perfectly. Next I will use this as a bench against my own coding. Thanks to all, Xu Qiang

From Kevan.Earl at astrazeneca.com Wed Mar 25 06:20:33 2009 From: Kevan.Earl at astrazeneca.com (Earl, Kevan C) Date: Wed, 25 Mar 2009 10:20:33 -0000 Subject: Kerberos authetication against multiple Windows Domains In-Reply-To: Message-ID: <3154FEBCFB92804DA39A2560E171837604CD7FBF@ukaprdembx02.rd.astrazeneca.net>

Hello Markus, Thank you for this advice. I shall try out your suggestion. When I run kinit -V us_domain_uid at EU.COMPANY.NET I get the message: kinit(v5): Client not found in Kerberos database while getting initial credentials while kinit -V eu_domain_uid at EU.COMPANY.NET prompts for password. I understood that there were trusts between the domains, but this looks like there isn't.
Regards, Kevan Earl

From frank.gruellich at navteq.com Wed Mar 25 06:46:34 2009 From: frank.gruellich at navteq.com (Frank Gruellich) Date: Wed, 25 Mar 2009 11:46:34 +0100 Subject: Obtaining Service Ticket with TGT only (via shell commands) In-Reply-To: <1237913069.6246.263.camel@ray> References: <49C8C883.8040708@navteq.com> <1237909309.6246.237.camel@ray> <49C90976.9010609@navteq.com> <1237913069.6246.263.camel@ray> Message-ID: <49CA0B8A.1020109@navteq.com>

Greg Hudson wrote: > On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote: >> But for some reason it does not work with the kadmin/admin service >> principal: > If you go into kadmin and run "getprinc kadmin/admin", you should see: > > Attributes: DISALLOW_TGT_BASED
> > which means you can only get a ticket for this principal with an initial > ticket request and not with a TGT. You can change this with "modprinc > +allow_tgs_req kadmin/admin" True, works. Thanks. > but I believe that would compromise the requirement that people have > to reenter their passwords in order to run kadmin. But that's, in fact, my intention. I know, that kadmin is some kind of critical tool. If security aspects are the only problem with this set up I'll drop them. I accept that kadmin/admin service is just something like host/eloy.example.com. > For the purposes of your script, you can either treat a "KDC policy > rejects request" error as an indication that the principal exists, or > you can assume you won't run into that situation on any of the > principals you are managing with the script. Oh, that's a good idea, too. But at some point the script's caller has to do changes to the KDC database, so I need the kadmin/admin ticket anyway. Thanks a lot for your help. Kind regards, -- Navteq (DE) GmbH Frank Gruellich Map24 Systems and Networks Duesseldorfer Strasse 40a 65760 Eschborn Germany Phone: +49 6196 77756-414 Fax: +49 6196 77756-100 USt-ID-No.: DE 197947163 Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman From rra at stanford.edu Wed Mar 25 11:00:46 2009 From: rra at stanford.edu (Russ Allbery) Date: Wed, 25 Mar 2009 08:00:46 -0700 Subject: Obtaining Service Ticket with TGT only (via shell commands) In-Reply-To: <49CA0B8A.1020109@navteq.com> (Frank Gruellich's message of "Wed\, 25 Mar 2009 11\:46\:34 +0100") References: <49C8C883.8040708@navteq.com> <1237909309.6246.237.camel@ray> <49C90976.9010609@navteq.com> <1237913069.6246.263.camel@ray> <49CA0B8A.1020109@navteq.com> Message-ID: <87hc1hve8x.fsf@windlord.stanford.edu> Frank Gruellich writes: > Greg Hudson wrote: >> but I believe that would compromise the requirement that people have to >> reenter their passwords in order to run kadmin. 
> But that's, in fact, my intention. I know, that kadmin is some kind of > critical tool. If security aspects are the only problem with this set > up I'll drop them. I accept that kadmin/admin service is just something > like host/eloy.example.com. The primary practical effect of this restriction is to implement the common security requirement that people re-enter their passwords in order to change their password. If you drop the special configuration for kadmin, you will drop that requirement. If you don't care, then you don't care. :) What I would do if I were you is have your script switch ticket caches, prompt the admin to authenticate and thereby obtain a kadmin/admin ticket using kinit -S, and then use that ticket cache for all your operations. Then, when you're done, kdestroy and switch back to their current ticket cache. -- Russ Allbery (rra at stanford.edu) From frank.gruellich at navteq.com Wed Mar 25 13:30:52 2009 From: frank.gruellich at navteq.com (Frank Gruellich) Date: Wed, 25 Mar 2009 18:30:52 +0100 Subject: Obtaining Service Ticket with TGT only (via shell commands) In-Reply-To: <87hc1hve8x.fsf@windlord.stanford.edu> References: <49C8C883.8040708@navteq.com> <1237909309.6246.237.camel@ray> <49C90976.9010609@navteq.com> <1237913069.6246.263.camel@ray> <49CA0B8A.1020109@navteq.com> <87hc1hve8x.fsf@windlord.stanford.edu> Message-ID: <49CA6A4C.70201@navteq.com> Russ Allbery wrote: > Frank Gruellich writes: >> Greg Hudson wrote: >>> but I believe that would compromise the requirement that people have to >>> reenter their passwords in order to run kadmin. >> But that's, in fact, my intention. I know, that kadmin is some kind of >> critical tool. If security aspects are the only problem with this set >> up I'll drop them. I accept that kadmin/admin service is just something >> like host/eloy.example.com. 
> The primary practical effect of this restriction is to implement the > common security requirement that people re-enter their passwords in order > to change their password. If you drop the special configuration for > kadmin, you will drop that requirement. If you don't care, then you don't > care. :) Oh, damn, that's a true impact... > What I would do if I were you is have your script switch ticket caches, > prompt the admin to authenticate and thereby obtain a kadmin/admin ticket > using kinit -S, and then use that ticket cache for all your operations. > Then, when you're done, kdestroy and switch back to their current ticket > cache. Then I'll prefer that way. Kind regards, -- Navteq (DE) GmbH Frank Gruellich Map24 Systems and Networks Duesseldorfer Strasse 40a 65760 Eschborn Germany Phone: +49 6196 77756-414 Fax: +49 6196 77756-100 USt-ID-No.: DE 197947163 Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman From huaraz at moeller.plus.com Wed Mar 25 17:43:18 2009 From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 25 Mar 2009 21:43:18 -0000 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com><49C2ECAF.4080405@anl.gov><9vmd96-1dp.ln1@nb2.stroeder.com> Message-ID: "Xu, Qiang (FXSGSC)" wrote in message news:D8C9BC7FFCF8154FB7141EB8DB609C1729059820E0 at SGPAPHQ-EXSCC01.dc01.fujixerox.net... >> -----Original Message----- >> From: kerberos-bounces at mit.edu >> [mailto:kerberos-bounces at mit.edu] On Behalf Of Markus Moeller >> Sent: Wednesday, March 25, 2009 7:53 AM >> To: kerberos at mit.edu >> Subject: Re: SASL authentication >> >> You need to do nslookup sesswin2003.sesswin2003.com or >> nslookup sesswin2003.com or add a search path to your >> resolv.conf file (e.g. 
search >> sesswin2003.com) > > Yesterday, my resolv.conf was like this: > ================================= > search sgp.fujixerox.com sesswin2003.com > nameserver 13.198.8.83 > nameserver 13.198.96.10 > nameserver 13.198.98.35 > ================================= > To my dismay, it didn't work. The hostname "sesswin2003" still couldn't be > resolved to its IP address. > > Today, with the help of our local SA, the file is changed to: > ================================= > search sgp.fujixerox.com sesswin2003.com > nameserver 13.198.98.35 > nameserver 13.198.96.10 > ================================= > It seems the order of nameserver list is important. Quite strange. Or it > may be the problem of some DNS server. Because if I put the nameserver > 13.198.96.10 in front of 13.198.98.35, it still doesn't work. By right, if > a hostname can't be located by the first nameserver, it should continue to > look for the hostname in the second nameserver, right? >

No it wouldn't. If the first server says unknown domain it is a valid response and the next server wouldn't be queried. Only if the first server does not reply the second will be used (afaik)

From huaraz at moeller.plus.com Wed Mar 25 17:51:24 2009 From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 25 Mar 2009 21:51:24 -0000 Subject: Kerberos authetication against multiple Windows Domains In-Reply-To: <3154FEBCFB92804DA39A2560E171837604CD7FBF@ukaprdembx02.rd.astrazeneca.net> References: <3154FEBCFB92804DA39A2560E171837604CD7FBF@ukaprdembx02.rd.astrazeneca.net> Message-ID:

"Earl, Kevan C" wrote in message news:3154FEBCFB92804DA39A2560E171837604CD7FBF at ukaprdembx02.rd.astrazeneca.net... > Hello Markus, > > Thank you for this advice.
I shall try out your suggestion. > > When I run kinit -V us_domain_uid at EU.COMPANY.NET I get the message: > Mustn't that be kinit -V us_domain_uid at US.COMPANY.NET ? > kinit(v5): Client not found in Kerberos database while getting initial > credentials > > while kinit -V eu_domain_uid at EU.COMPANY.NET prompts for password. > > I understood that there were trusts between the domains, but this looks > like there isn't. The kinit of a user has nothing to do with trust. > > Regards, > Kevan Earl > > > > -------------------------------------------------------------------------- > AstraZeneca UK Limited is a company incorporated in England and Wales with > registered number: 03674842 and a registered office at 15 Stanhope Gate, > London W1K 1LN. > Confidentiality Notice: This message is private and may contain > confidential, proprietary and legally privileged information. If you have > received this message in error, please notify us and remove it from your > system and note that you must not copy, distribute or take any action in > reliance on it. Any unauthorised use or disclosure of the contents of this > message is not permitted and may be unlawful. > Disclaimer: Email messages may be subject to delays, interception, > non-delivery and unauthorised alterations. Therefore, information > expressed in this message is not given or endorsed by AstraZeneca UK > Limited unless otherwise notified by an authorised representative > independent of this message. No contractual relationship is created by > this message by any person unless specifically indicated by agreement in > writing other than email. > Monitoring: AstraZeneca UK Limited may monitor email traffic data and > content for the purposes of the prevention and detection of crime, > ensuring the security of our computer systems and checking Compliance with > our Code of Conduct and Policies. 
> -----Original Message----- > From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On > Behalf Of Markus Moeller > Sent: 25 March 2009 00:04 > To: kerberos at mit.edu > Subject: Re: Kerberos authetication against multiple Windows Domains > > > > "Earl, Kevan C" wrote in message > news:3154FEBCFB92804DA39A2560E17183760341FE80 at ukaprdembx02.rd.astrazeneca.net... >> Hello, >> >> I'm after some advice on how to configure Kerberos v5 to authenticate >> users from different Windows domains to the same Apache hosted >> application. Is this possible? If so, is there a simple guide on what >> needs to be done in order to achieve it that can be shared with me? >> >> I have Kerberos v5 installed with a Kerberos-capable version of Apache on >> AIX 5.3. >> I have had a keytab file generated in the Windows "EU" domain, and have >> configured the server so the application authenticates users from the >> "EU" >> domain. >> >> /etc/krb5.conf is similar to: >> >> [libdefaults] >> default_realm = EU.COMPANY.NET >> >> [realms] >> EU.COMPANY.NET = { >> kdc = eudc01.eu.company.net >> admin_server = eudc01.eu.company.net >> default_domain = eu.company.net >> } >> >> [domain_realm] >> .svr_domain.company.net = EU.COMPANY.NET >> svr_domain.company.net = EU.COMPANY.NET >> >> What do I need to do in order to also authenticate users from the >> company's "US" domain, which is controlled by separate domain >> controller(s), to the application? >> > > If the domains have a trust you don't need to do anything. If they don't > have trust then you need to create a second keytab entry for the host in > the > US DC with a second DNS name. > > e.g. In the EU domain the server is server.eu.company.net with a key > HTTP/server.eu.company.net at EU.COMPANY.NET in eudc01 and in the US domain > the > server is server.us.company.net with a key > HTTP/server.us.company.net at US.COMPANY.NET in usdc01.
> > Merge both keys in one keytab for apache and configure the apache > kerberos > module to accept all names (I think it is KrbServiceName Any in > mod-auth-kerb) > > >> Any help anyone can give me would be very gratefully received. >> >> Regards, >> Kevan Earl >> > > Regards > Markus >>
>> >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > From huaraz at moeller.plus.com Wed Mar 25 20:09:01 2009 From: huaraz at moeller.plus.com (Markus Moeller) Date: Thu, 26 Mar 2009 00:09:01 -0000 Subject: Kerberos authetication against multiple Windows Domains In-Reply-To: References: <3154FEBCFB92804DA39A2560E171837604CD7FBF@ukaprdembx02.rd.astrazeneca.net> Message-ID: Here is a small program which you could use to test to get a service ticket. If you do # kinit markus at SUSE.HOME Password for markus at SUSE.HOME: # klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: markus at SUSE.HOME Valid starting Expires Service principal 03/25/09 23:44:21 03/26/09 09:44:21 krbtgt/SUSE.HOME at SUSE.HOME renew until 03/26/09 23:44:21 Kerberos 4 ticket cache: /tmp/tkt1000 klist: You have no tickets cached # ./get_service_ticket opensuse11.suse.home HTTP # klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: markus at SUSE.HOME Valid starting Expires Service principal 03/25/09 23:44:21 03/26/09 09:44:21 krbtgt/SUSE.HOME at SUSE.HOME renew until 03/26/09 23:44:21 03/25/09 23:44:32 03/26/09 09:44:21 HTTP/opensuse11.suse.home at SUSE.HOME renew until 03/26/09 23:44:21 Kerberos 4 ticket cache: /tmp/tkt1000 klist: You have no tickets cached # kdestroy You should see that you got the service ticket in your credential cache. 
Regards
Markus

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <krb5.h>
#include <com_err.h>

/* get_service_ticket: ask the KDC for a ticket for service/hostname using
 * the TGT already in the default credential cache, so that a following
 * klist shows the new entry. */
int main(int argc, char *argv[])
{
    krb5_creds creds;
    krb5_creds *new_creds = NULL;
    krb5_error_code kret;
    krb5_ccache ccache = NULL;
    krb5_context kcontext = NULL;
    krb5_principal client = NULL;
    const char *hostname;
    const char *service;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s hostname service\n", argv[0]);
        return 1;
    }
    hostname = argv[1];
    service = argv[2];

    kret = krb5_init_context(&kcontext);
    if (kret) {
        com_err(argv[0], kret, "while initialising context");
        exit(1);
    }

    /* Open the default credential cache, the one kinit populated. */
    if ((kret = krb5_cc_default(kcontext, &ccache))) {
        com_err(argv[0], kret, "while opening default ccache");
        exit(2);
    }

    /* The client principal is read from the cache itself; there is no need
     * to iterate over the cached credentials to find it. */
    if ((kret = krb5_cc_get_principal(kcontext, ccache, &client))) {
        com_err(argv[0], kret, "while reading principal from ccache");
        exit(3);
    }

    /* Request template: only client and server need to be set. */
    memset(&creds, 0, sizeof(creds));
    creds.client = client;

    /* Builds service/hostname@REALM. With KRB5_NT_UNKNOWN the hostname is
     * used as given (no DNS canonicalisation); the realm comes from the
     * [domain_realm] mapping, falling back to the default realm. */
    if ((kret = krb5_sname_to_principal(kcontext, hostname, service,
                                        KRB5_NT_UNKNOWN, &creds.server))) {
        com_err(argv[0], kret, "while building server principal");
        exit(6);
    }

    /* TGS request; the returned service ticket is also stored in ccache. */
    if ((kret = krb5_get_credentials(kcontext, 0, ccache, &creds,
                                     &new_creds))) {
        com_err(argv[0], kret, "while getting credentials");
        exit(7);
    }

    krb5_free_creds(kcontext, new_creds);
    krb5_free_principal(kcontext, creds.server);
    krb5_free_principal(kcontext, client);
    krb5_cc_close(kcontext, ccache);
    krb5_free_context(kcontext);
    return 0;
}

From Qiang.Xu at fujixerox.com Wed Mar 25 22:07:32 2009 From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC)) Date: Thu, 26 Mar 2009 10:07:32 +0800 Subject: SASL authentication In-Reply-To: References: <68h696-ul2.ln1@nb2.stroeder.com><49C2ECAF.4080405@anl.gov><9vmd96-1dp.ln1@nb2.stroeder.com> Message-ID: > -----Original Message----- > From: kerberos-bounces at mit.edu > [mailto:kerberos-bounces at mit.edu] On Behalf Of Markus Moeller > Sent: Thursday, March 26, 2009 5:43 AM > To: kerberos at mit.edu > Subject: Re: SASL authentication > > > "Xu, Qiang (FXSGSC)" wrote > > Or it may be the
problem of some DNS server. Because if I put > > the nameserver 13.198.96.10 in front of 13.198.98.35, it still > > doesn't work. By right, if a hostname can't be located by the first > > nameserver, it should continue to look for the hostname in the > > second nameserver, right? > > No, it wouldn't. If the first server says unknown domain it is > a valid response and the next server wouldn't be queried. Only > if the first server does not reply will the second be used (afaik) Now my resolv.conf is as follows: ================================ search sgp.fujixerox.com sesswin2003.com nameserver 13.198.98.35 nameserver 13.198.96.10 ================================ The machine "durian" can only be resolved by "13.198.98.10". This is the result of nslookup: ================================ qxu at durian(pts/1):~[5]$ nslookup durian Server: 13.198.96.10 Address: 13.198.96.10#53 Non-authoritative answer: Name: durian.sgp.fujixerox.com Address: 13.198.98.190 ================================ Why doesn't it go to the first nameserver (13.198.98.35) to try to resolve "durian"? 13.198.98.10 is the second server. And I can verify the first server is alive and working: ================================ qxu at durian(pts/1):~[6]$ nslookup sesswin2003 Server: 13.198.98.35 Address: 13.198.98.35#53 Name: sesswin2003.sesswin2003.com Address: 13.198.98.35 ================================ So if the first server is alive, when the request to resolve "durian" arrives, the first nameserver (13.198.98.35) should be queried. Is it? But in fact, the first server was skipped, and the query was done with the second server. How to explain this behavior? Thanks, Xu Qiang From chinmay.soman at in.ibm.com Thu Mar 26 02:59:15 2009 From: chinmay.soman at in.ibm.com (Chinmay P Soman) Date: Thu, 26 Mar 2009 12:29:15 +0530 Subject: clustered NFS - kerberos - mount failure Message-ID: Hi, I am trying to configure an NFS server with kerberos support. The catch is, the NFS server is part of a cluster.
Therefore, all the client mounts are done using the cluster name and not the server name. For eg: Let cluster name = Mycluster.domain.com , server = server1.domain.com ----------------------- In this case, when my NFS client mounts as : mount -o vers=3,sec=krb5 server1.domain.com:/tmp_share /mnt => This passes However, mount -o vers=3,sec=krb5 Mycluster.domain.com:/tmp_share /mnt => This fails. I am guessing the gssd daemon on the server side is creating a context for its localhost, which is => server1.domain.com However, the request is meant for Mycluster.domain.com. Hence, it fails due to the mismatch. Please clarify if my reasoning is correct. If yes, also please let me know a possible solution Thanks and regards Chinmay P Soman ctdb/panache research activities, SoNAS IBM India Systems & Technology Lab Ozone-2, Saswad Road, Pune. Tel : 91-020-26901666 From kwcoffman at gmail.com Thu Mar 26 11:13:47 2009 From: kwcoffman at gmail.com (Kevin Coffman) Date: Thu, 26 Mar 2009 11:13:47 -0400 Subject: clustered NFS - kerberos - mount failure In-Reply-To: References: Message-ID: <4d569c330903260813x50e36899g9e9360fae6be2bf0@mail.gmail.com> Hi, You don't say what OS you're dealing with here. Different OS's have different gssd implementations which have a bearing on the issue. If Linux is involved, you'll get more help mailing the linux-nfs mailing list (linux-nfs.vger.kernel.org). If the server is Linux, a patch has been submitted to work around this issue. That patch isn't yet in a release. Contact me directly, or via the linux list above for more info. K.C. On Thu, Mar 26, 2009 at 2:59 AM, Chinmay P Soman wrote: > Hi, > > I am trying to configure an NFS server with kerberos support. The catch is, > the NFS server is part of a cluster. Therefore, all the client mounts are > done using the > cluster name and not the server name. > > For eg: Let cluster name = Mycluster.domain.com
, server = > server1.domain.com > > ----------------------- > > In this case, when my NFS client mounts as : > mount -o vers=3,sec=krb5 server1.domain.com:/tmp_share /mnt => This > passes > > However, > mount -o vers=3,sec=krb5 Mycluster.domain.com:/tmp_share /mnt => This > fails. > > > I am guessing the gssd daemon on the server side is creating a context for > its localhost, which is => server1.domain.com > > However, the request is meant for Mycluster.domain.com. Hence, it fails > due to the mismatch. > > > Please clarify if my reasoning is correct. If yes, also please let me know > a possible solution > > > > > Thanks and regards > > Chinmay P Soman > ctdb/panache research activities, SoNAS > IBM India Systems & Technology Lab > Ozone-2, Saswad Road, Pune. > Tel : 91-020-26901666 > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > From miguel.sanders at arcelormittal.com Thu Mar 26 12:53:11 2009 From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com) Date: Thu, 26 Mar 2009 17:53:11 +0100 Subject: Question on renewable lifetime Message-ID: <7DF29B50FFF41848BB2281EC2E71A206ABC0E7@GEN-MXB-V04.msad.arcelor.net> Hi, I have a background process which requires a service principal to work correctly. Currently, I have a cron job which does a kinit (with the keytab supplied) for that service principal. Wouldn't it be better to renew the ticket instead of doing the above? As a result, I would have to set the renewable lifetime for that service principal to unlimited. What is your idea on this? What is the best way? **** This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. **** From kdorf at cems.umn.edu Thu Mar 26 13:48:20 2009 From: kdorf at cems.umn.edu (John Koelndorfer) Date: Thu, 26 Mar 2009 12:48:20 -0500 Subject: Getting user info via LDAP, authenticating via Kerberos Message-ID: <49CBBFE4.5040008@cems.umn.edu> Hello everyone, I've got a tricky problem that's been gnawing at me for the past few days or so. First, a little background: We're running an active directory setup with the usual Windows domain controllers (they're Windows 2000, if it matters) but users' home directories are stored on a Linux box running Samba. Our other Linux servers will need to get at these homes for various reasons. Our setup is fine with NFSv3, but we were looking to gain security and move up to NFSv4 with Kerberos authentication. NFSv4 won't allow people to access their home directories without a valid Kerberos ticket for their principal. If this could be turned off somehow, that'd be one way to fix this issue (all_squashing to root doesn't sound particularly appealing) otherwise I need users to be able to get their Kerberos ticket on login. That works fine as long as ldap is not listed in nsswitch.conf. The problem is we need to use ldap to fetch user info. So, here's a quick example in case I wasn't clear enough: I ssh to our server using my domain credentials, kdorf and password. 
If I have a local user account on that machine and ldap is *not* listed in nsswitch.conf, I can login using my domain password and a valid Kerberos ticket is fetched for me -- I get access to my home. If I don't have a local account on that machine and ldap *is* listed in nsswitch.conf, I can login using my domain password but `klist` shows that I do *not* have a valid Kerberos ticket. Home directory access is denied. I need to have valid Kerberos tickets fetched for ldap users. Alternatively, I would like NFSv4 to not sweat people about Kerberos tickets to access their homes. Is this possible? Thanks in advance for your help. John From javiplx at gmail.com Thu Mar 26 17:02:06 2009 From: javiplx at gmail.com (Javier Palacios) Date: Thu, 26 Mar 2009 22:02:06 +0100 Subject: Getting user info via LDAP, authenticating via Kerberos In-Reply-To: <49CBBFE4.5040008@cems.umn.edu> References: <49CBBFE4.5040008@cems.umn.edu> Message-ID: On Thu, Mar 26, 2009 at 6:48 PM, John Koelndorfer wrote: > So, here's a quick example in case I wasn't clear enough: > I ssh to our server using my domain credentials, kdorf and password. > > If I have a local user account on that machine and ldap is *not* listed > in nsswitch.conf, I can login using my domain password and a valid > Kerberos ticket is fetched for me -- I get access to my home. > > If I don't have a local account on that machine and ldap *is* listed in > nsswitch.conf, I can login using my domain password but `klist` shows > that I do *not* have a valid Kerberos ticket. Home directory access is > denied. You are basically looking at the wrong place. To use or not kerberos ticket you need to look at pam configuration, and be careful to disable pam_ldap. If your distro is RedHat derived, it is quite easy to see either with authconfig-tui or the Administration->Authentication menu. User information is clearly separated from authentication. LDAP is in both places, but kerberos only in one. 
I don't know a similar tool for debian distros (there was a helper for ubuntu which I cannot find right now), and lack enough expertise for other distros. The distro you are using is an important detail that could help you clarify that. The NFSv4 might introduce differences, but for the other parts maybe this reference could help you a bit http://kad.wiki.sourceforge.net/ActiveDirectoryIntegration Javier Palacios From mizmoose at gmail.com Thu Mar 26 22:12:50 2009 From: mizmoose at gmail.com (Esther Filderman) Date: Thu, 26 Mar 2009 22:12:50 -0400 Subject: Book your room for the ABPW09 NOW! Message-ID: Folks, If you're even thinking about attending the AFS & Kerberos Best Practices workshop this year, please reserve a room now! The block is up as of April 1, and we're low on reservations. We know times are tough and travel budgets are getting eaten left and right. But there's no penalty if it turns out you can't come and have to cancel the reservation. So please -- help us out and book your room if you think you might be able to come. Hopefully things will work out and we will get to see you this year. Hurry -- you only have until April 1 to make the reservation. No joke! Hotel info here: http://workshop.openafs.org/afsbpw09/hotel.html Our room block is for $94/night at the Stanford Guest House. Thanks! The AFS & Kerberos Best Practices Workshop Organizers http://workshop.openafs.org/ From ghudson at MIT.EDU Fri Mar 27 12:52:05 2009 From: ghudson at MIT.EDU (Greg Hudson) Date: Fri, 27 Mar 2009 12:52:05 -0400 Subject: Question on renewable lifetime In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206ABC0E7@GEN-MXB-V04.msad.arcelor.net> References: <7DF29B50FFF41848BB2281EC2E71A206ABC0E7@GEN-MXB-V04.msad.arcelor.net> Message-ID: <1238172725.6246.293.camel@ray> I would personally stick with using a supplied keytab. If you do switch to renewing tickets, be aware that renewal has to happen while the old tickets are still valid.
If your crontab ever misses a renewal, it will break until you kinit again by hand. The theoretical advantage of renewal over a known password is that renewable tickets can be blacklisted if stolen. But blacklisting is not implemented in the MIT KDC, so it's hard to realize this advantage. On Thu, 2009-03-26 at 17:53 +0100, miguel.sanders at arcelormittal.com wrote: > I have a background process which requires a service principal to > work correctly. > Currently, I have a cron job which does a kinit (with the keytab > supplied) for that service principal. > Wouldn't it be better to renew the ticket instead of doing the above? > As a result, I would have to set the renewable lifetime for that service > principal to unlimited. From miguel.sanders at arcelormittal.com Fri Mar 27 13:08:00 2009 From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com) Date: Fri, 27 Mar 2009 18:08:00 +0100 Subject: Question on renewable lifetime In-Reply-To: <1238172725.6246.293.camel@ray> References: <7DF29B50FFF41848BB2281EC2E71A206ABC0E7@GEN-MXB-V04.msad.arcelor.net> <1238172725.6246.293.camel@ray> Message-ID: <7DF29B50FFF41848BB2281EC2E71A206AF3A94@GEN-MXB-V04.msad.arcelor.net> Hi Greg Thanks for the feedback. Much appreciated! Met vriendelijke groet Best regards Bien à vous Miguel SANDERS ArcelorMittal Gent UNIX Systems & Storage IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders at arcelormittal.com www.arcelormittal.com/gent -----Original message----- From: Greg Hudson [mailto:ghudson at MIT.EDU] Sent: Friday 27 March 2009 17:52 To: SANDERS Miguel CC: kerberos at mit.edu Subject: Re: Question on renewable lifetime I would personally stick with using a supplied keytab. If you do switch to renewing tickets, be aware that renewal has to happen while the old tickets are still valid. If your crontab ever misses a renewal, it will break until you kinit again by hand.
The theoretical advantage of renewal over a known password is that renewable tickets can be blacklisted if stolen. But blacklisting is not implemented in the MIT KDC, so it's hard to realize this advantage. On Thu, 2009-03-26 at 17:53 +0100, miguel.sanders at arcelormittal.com wrote: > I have a background process which requires a service principal to > work correctly. > Currently, I have a cron job which does a kinit (with the keytab > supplied) for that service principal. > Wouldn't it be better to renew the ticket instead of doing the above? > As a result, I would have to set the renewable lifetime for that > service principal to unlimited. From kdorf at cems.umn.edu Fri Mar 27 12:00:57 2009 From: kdorf at cems.umn.edu (John Koelndorfer) Date: Fri, 27 Mar 2009 11:00:57 -0500 Subject: Getting user info via LDAP, authenticating via Kerberos In-Reply-To: <49CBBFE4.5040008@cems.umn.edu> References: <49CBBFE4.5040008@cems.umn.edu> Message-ID: <49CCF839.9090109@cems.umn.edu> Hello again, Firstly, thanks to those who have taken time to shoot an e-mail my way to try and help. It's greatly appreciated.
Secondly, sorry to be sending out another list mail but I notice that the suggestions I got were all more or less the same -- look at PAM. I think I may not have been clear enough in my last e-mail, so I'll try to explain again. I also forgot to include version numbers and attach some config files. Again, my apologies. Also, I don't do much in the realm of mailing lists so I'm unsure if it is expected that most people that write in are subscribed. I happen not to be, so please reply directly to my address if you would. Our servers are primarily running RHEL4: `cat /etc/issue` Red Hat Enterprise Linux AS release 4 (Nahant Update 7) Kernel \r on an \m Some important lib versions (I don't think I missed any but I am far from an expert): `rpm -qa | grep krb5` krb5-workstation-1.3.4-60.el4 krb5-auth-dialog-0.2-1 krb5-libs-1.3.4-60.el4 pam_krb5-2.1.17-6.el4 `rpm -q "nss_ldap"` nss_ldap-253-5.el4 Finally, a kernel version: `uname -r` 2.6.9-78.ELsmp The suggestions I got via e-mail were to look at my PAM configuration. What I was attempting to convey before was that I have indeed gone over PAM settings and here's what I have: I can successfully get a Kerberos ticket (it is shown in `klist` after login) **if ldap is not listed in nsswitch.conf**. Here's a snippet to show what I mean: passwd: files shadow: files group: files The above works. However, I have to create a local user account for the user I want to log in with. This is not something I'd like to have to do. Now, here's a non-working snippet: passwd: files ldap shadow: files ldap group: files ldap The above causes `klist` to not show Kerberos tickets (and in fact they aren't retrieved as users cannot access homes). Nothing in the PAM configuration changed in this test. I've provided somewhat censored versions of /etc/krb5.conf, /etc/ldap.conf, /etc/pam.d/system-auth, and /etc/nsswitch.conf. I hope these will be helpful if anyone would be kind enough to help. If something else is needed, please do let me know. 
John Koelndorfer wrote: > Hello everyone, > > I've got a tricky problem that's been gnawing at me for the past few > days or so. First, a little background: > > We're running an active directory setup with the usual Windows domain > controllers (they're Windows 2000, if it matters) but users' home > directories are stored on a Linux box running Samba. Our other Linux > servers will need to get at these homes for various reasons. Our setup > is fine with NFSv3, but we were looking to gain security and move up > to NFSv4 with Kerberos authentication. NFSv4 won't allow people to > access their home directories without a valid Kerberos ticket for > their principal. If this could be turned off somehow, that'd be one > way to fix this issue (all_squashing to root doesn't sound > particularly appealing) otherwise I need users to be able to get their > Kerberos ticket on login. > > That works fine as long as ldap is not listed in nsswitch.conf. The > problem is we need to use ldap to fetch user info. > > So, here's a quick example in case I wasn't clear enough: > I ssh to our server using my domain credentials, kdorf and password. > > If I have a local user account on that machine and ldap is *not* > listed in nsswitch.conf, I can login using my domain password and a > valid Kerberos ticket is fetched for me -- I get access to my home. > > If I don't have a local account on that machine and ldap *is* listed > in nsswitch.conf, I can login using my domain password but `klist` > shows that I do *not* have a valid Kerberos ticket. Home directory > access is denied. > > I need to have valid Kerberos tickets fetched for ldap users. > Alternatively, I would like NFSv4 to not sweat people about Kerberos > tickets to access their homes. Is this possible? > > Thanks in advance for your help. > John -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... 
Name: krb5.conf Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20090327/465475f7/krb5.bat -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ldap.conf Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20090327/465475f7/ldap.bat -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: nsswitch.conf Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20090327/465475f7/nsswitch.bat -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: system-auth Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20090327/465475f7/system-auth.bat From deengert at anl.gov Fri Mar 27 17:25:09 2009 From: deengert at anl.gov (Douglas E. Engert) Date: Fri, 27 Mar 2009 16:25:09 -0500 Subject: Getting user info via LDAP, authenticating via Kerberos In-Reply-To: <49CCF839.9090109@cems.umn.edu> References: <49CBBFE4.5040008@cems.umn.edu> <49CCF839.9090109@cems.umn.edu> Message-ID: <49CD4435.1010602@anl.gov> John Koelndorfer wrote: > Hello again, > > Firstly, thanks to those who have taken time to shoot an e-mail my way > to try and help. It's greatly appreciated. Secondly, sorry to be > sending out another list mail but I notice that the suggestions I got > were all more or less the same -- look at PAM. I think I may not have > been clear enough in my last e-mail, so I'll try to explain again. I > also forgot to include version numbers and attach some config files. > Again, my apologies. > > Also, I don't do much in the realm of mailing lists so I'm unsure if it > is expected that most people that write in are subscribed. I happen not > to be, so please reply directly to my address if you would. 
> > Our servers are primarily running RHEL4: > `cat /etc/issue` > Red Hat Enterprise Linux AS release 4 (Nahant Update 7) > Kernel \r on an \m > > Some important lib versions (I don't think I missed any but I am far > from an expert): > `rpm -qa | grep krb5` > krb5-workstation-1.3.4-60.el4 > krb5-auth-dialog-0.2-1 > krb5-libs-1.3.4-60.el4 > pam_krb5-2.1.17-6.el4 > > `rpm -q "nss_ldap"` > nss_ldap-253-5.el4 > > Finally, a kernel version: > `uname -r` > 2.6.9-78.ELsmp > > The suggestions I got via e-mail were to look at my PAM configuration. > What I was attempting to convey before was that I have indeed gone over > PAM settings and here's what I have: > > I can successfully get a Kerberos ticket (it is shown in `klist` after > login) **if ldap is not listed in nsswitch.conf**. Here's a snippet to > show what I mean: > > passwd: files > shadow: files > group: files > > The above works. However, I have to create a local user account for the > user I want to log in with. This is not something I'd like to have to > do. Now, here's a non-working snippet: > > passwd: files ldap > shadow: files ldap > group: files ldap > > The above causes `klist` to not show Kerberos tickets (and in fact they > aren't retrieved as users cannot access homes). Nothing in the PAM > configuration changed in this test. > > I've provided somewhat censored versions of /etc/krb5.conf, > /etc/ldap.conf, /etc/pam.d/system-auth, and /etc/nsswitch.conf. I hope > these will be helpful if anyone would be kind enough to help. If > something else is needed, please do let me know. Some other things to try to see if nss-ldap is working as expected: As root, does getent passwd some-user-in-ldap give you the results expected? Does it show you a password field? As a user, does getent passwd some-user-in-ldap give you everything but the password? Also try the other getent passwd uid, getent group groupname and getent group gid.
Since you said ssh is failing, can you start sshd on a different port with debugging, and see where it fails? > > John Koelndorfer wrote: >> Hello everyone, >> >> I've got a tricky problem that's been gnawing at me for the past few >> days or so. First, a little background: >> >> We're running an active directory setup with the usual Windows domain >> controllers (they're Windows 2000, if it matters) but users' home >> directories are stored on a Linux box running Samba. Our other Linux >> servers will need to get at these homes for various reasons. Our setup >> is fine with NFSv3, but we were looking to gain security and move up >> to NFSv4 with Kerberos authentication. NFSv4 won't allow people to >> access their home directories without a valid Kerberos ticket for >> their principal. If this could be turned off somehow, that'd be one >> way to fix this issue (all_squashing to root doesn't sound >> particularly appealing) otherwise I need users to be able to get their >> Kerberos ticket on login. >> >> That works fine as long as ldap is not listed in nsswitch.conf. The >> problem is we need to use ldap to fetch user info. >> >> So, here's a quick example in case I wasn't clear enough: >> I ssh to our server using my domain credentials, kdorf and password. >> >> If I have a local user account on that machine and ldap is *not* >> listed in nsswitch.conf, I can login using my domain password and a >> valid Kerberos ticket is fetched for me -- I get access to my home. >> >> If I don't have a local account on that machine and ldap *is* listed >> in nsswitch.conf, I can login using my domain password but `klist` >> shows that I do *not* have a valid Kerberos ticket. Home directory >> access is denied. Does it show any tickets? As a test to see if the problem is related to the home directory, in NFS, can you set up an AD user account with the msSFU30HomeDirectory to point at a local file system, rather than NFS?
This would show if the issues are with LDAP, or the way sshd uses Kerberos and NFSv4 to access the home directory. The following is speculation, as I have not tried this... Since sshd wants to use session-based accounts, and will set KRB5CCNAME=/tmp/krb5cc_uid_xxxxxx where xxxxxx is different for each session, but the NFS daemons may be expecting Kerberos tickets to be in the default ticket cache for a user (/tmp/krb5cc_uid), the NFS daemon may not be able to access the home, and sshd may not be able to change any of the dot files. AFS has some of the same issues with having to use a ticket to access home directories as NFSv4 would have. Some of the dot files may need to be accessed by the daemon before the login is complete. One is the .k5login file. >> >> I need to have valid Kerberos tickets fetched for ldap users. >> Alternatively, I would like NFSv4 to not sweat people about Kerberos >> tickets to access their homes. Is this possible? The issue of session-based ticket caches vs NFSv4's gssd using the default ticket cache is one of those issues that may not be being addressed. >> >> Thanks in advance for your help. >> John > > > ------------------------------------------------------------------------ > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From adriana.gologaneanu at rcs-rds.ro Mon Mar 30 03:49:23 2009 From: adriana.gologaneanu at rcs-rds.ro (Adriana Gologaneanu) Date: Mon, 30 Mar 2009 10:49:23 +0300 Subject: LDAP-Kerberos sync passwords Message-ID: <49D07983.9070005@rcs-rds.ro> Hi, I'm using LDAP for authorization and Kerberos for authentication. The workstations are configured with the pam_krb5 module. Is there a way to sync passwords between LDAP and Kerberos?
Both are on the same machine and the passwords to the ldap db are sent in MD5 via a virtual java machine. I can't do the same with Kerberos because there are no free java libraries. Also, I want to avoid an ssh connection between the java machine and the LDAP/Kerberos server. Many thanks, Adriana From jjasen at realityfailure.org Mon Mar 30 12:06:42 2009 From: jjasen at realityfailure.org (John Jasen) Date: Mon, 30 Mar 2009 12:06:42 -0400 Subject: confusion with service principal names in Active Directory Message-ID: <49D0EE12.2070907@realityfailure.org> Please forgive me if this is not the right venue. I seem to have not found the magic required to use kerberos service principal names on unix systems against an Active Directory server. In the one particular example, we're trying to use kerberized NFS, so the server daemon needs to be able to find nfs/fqdn@REALM. I can see the entries in the computer accounts servicePrincipalName field, but the various UNIX systems can't find them -- either on service initialization, or attempting kinit from commandline with the system keytab. i.e.: klist -ke /etc/krb5.keytab | grep host 2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32) [root@kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab kinit(v5): Client not found in Kerberos database while getting initial credentials (same results if I do host/kernelpanic.example.com@EXAMPLE.REALM) This behavior holds true for OS X kerberos clients, Red Hat 4 and 5 kerberos clients, and Solaris 10 kerberos clients. I can provide the versions if required. The AD server in question is Windows 2003 R2. The only way I've found around this is to set the userPrincipalName in AD to the service I really really need. i.e.: in the case above, userPrincipalName is set to nfs/kernelpanic.example.com@EXAMPLE.REALM. After doing that, I can kinit that service principal successfully, and the service dependent on it can also initialize correctly.
From my testing, using ktpass.exe to write a keytab file seems to pretty much automatically set the userPrincipalName to the last entry created. Unfortunately, if you have a multi-role server, this creates difficulties. (i.e. trying to use http/hostname and sql/hostname). Is there a way around this that I've missed? An option either on the client side or the server side that I've missed? -- -- John E. Jasen (jjasen at realityfailure.org) -- No one will sorrow for me when I die, because those who would -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring From jjasen at realityfailure.org Mon Mar 30 13:23:58 2009 From: jjasen at realityfailure.org (John Jasen) Date: Mon, 30 Mar 2009 13:23:58 -0400 Subject: confusion with service principal names in Active Directory In-Reply-To: References: <49D0EE12.2070907@realityfailure.org> Message-ID: <49D1002E.6030801@realityfailure.org> Paul Moore wrote: > use adsiedit (GUI) to set the spn on the AD principal > or setspn cli tool I don't think that's the problem. The SPN is listed in Active Directory, and can be queried through ldapsearch, listed via setspn, seen through ADSIedit or jxplorer, etc. It's definitely in there, just stock kerberos doesn't see it for some reason. -- -- John E. Jasen (jjasen at realityfailure.org) -- No one will sorrow for me when I die, because those who would -- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring From paul.moore at centrify.com Mon Mar 30 12:59:49 2009 From: paul.moore at centrify.com (Paul Moore) Date: Mon, 30 Mar 2009 09:59:49 -0700 Subject: confusion with service principal names in Active Directory In-Reply-To: <49D0EE12.2070907@realityfailure.org> References: <49D0EE12.2070907@realityfailure.org> Message-ID: use adsiedit (GUI) to set the spn on the AD principal or setspn cli tool http://technet.microsoft.com/en-us/library/cc773257.aspx -----Original Message----- From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of John Jasen Sent: Monday, March 30, 2009 9:07 AM To: kerberos at mit.edu Subject: confusion with service principal names in Active Directory Please forgive me if this is not the right venue. I seem to have not found the magic required to use kerberos service principal names on unix systems against an Active Directory server. In the one particular example, we're trying to use kerberized NFS, so the server daemon needs to be able to find nfs/fqdn@REALM. I can see the entries in the computer accounts servicePrincipalName field, but the various UNIX systems can't find them -- either on service initialization, or attempting kinit from commandline with the system keytab. i.e.: klist -ke /etc/krb5.keytab | grep host 2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32) [root@kernelpanic ~]# kinit host/kernelpanic.example.com -kt /etc/krb5.keytab kinit(v5): Client not found in Kerberos database while getting initial credentials (same results if I do host/kernelpanic.example.com@EXAMPLE.REALM) This behavior holds true for OS X kerberos clients, Red Hat 4 and 5 kerberos clients, and Solaris 10 kerberos clients. I can provide the versions if required. The AD server in question is Windows 2003 R2. The only way I've found around this is to set the userPrincipalName in AD to the service I really really need.
i.e.: in the case above, userPrincipalName is set to nfs/kernelpanic.example.com@EXAMPLE.REALM. After doing that, I can kinit that service principal successfully, and the service dependent on it can also initialize correctly. From my testing, using ktpass.exe to write a keytab file seems to pretty much automatically set the userPrincipalName to the last entry created. Unfortunately, if you have a multi-role server, this creates difficulties. (i.e. trying to use http/hostname and sql/hostname). Is there a way around this that I've missed? An option either on the client side or the server side that I've missed? -- -- John E. Jasen (jjasen at realityfailure.org) -- No one will sorrow for me when I die, because those who would -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring From michael at stroeder.com Mon Mar 30 05:49:27 2009 From: michael at stroeder.com (Michael Ströder) Date: Mon, 30 Mar 2009 11:49:27 +0200 Subject: LDAP-Kerberos sync passwords In-Reply-To: References: Message-ID: <86h6a6-fm4.ln1@nb2.stroeder.com> Adriana Gologaneanu wrote: > > I'm using LDAP for authorization and Kerberos for authentication. The > workstations are configured with pam_krb5 module. > There is a way to sync passwords between LDAP and Kerberos? Both are on > same machine and the passwords to ldap db are sent in MD5 via a virtual > java machine. I can't do same with Kerberos cause there are no free java > libraries. Also, I want to avoid ssh connection between java machine and > LDAP/Kerberos server. Which LDAP server and which KDC are you using? Ciao, Michael.
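The failure John describes in the SPN thread above (the SPN is visible in AD, yet kinit with that name as the client principal returns "Client not found", while the same name set as userPrincipalName works) comes down to which attribute the KDC consults for which request: the client name in an AS-REQ is matched against an account's userPrincipalName or sAMAccountName, whereas servicePrincipalName is only consulted to find the account that owns a service when a ticket for that service is requested, and it then has to be set on exactly one account. The script below is an added example, not code from the thread or from any of the tools mentioned in it (setspn, ktpass, adsiedit). It parses a constructed LDIF export of three accounts and models both lookups. The client-name rule is the one John observed against his Windows 2003 R2 domain controller; treating it as universal is an assumption (later DC versions may also accept an SPN as a client name). The DNs, account names and the EXAMPLE.REALM realm in the sample are made up.

```python
"""Audit an LDIF export of AD accounts for the two Kerberos naming problems
raised in the thread: one SPN on several accounts, and client names that
exist only as SPNs. Added example; constructed data, not from the thread."""
from collections import defaultdict
from typing import Dict, List, Optional

REALM = "EXAMPLE.REALM"   # assumed realm, mirroring the thread's examples

# Constructed LDIF export (hypothetical DNs). The second entry is the kind of
# account a separate ktpass.exe run leaves behind: a user whose UPN is the
# service name and that carries the same SPN as the computer account.
SAMPLE_LDIF = """\
dn: CN=kernelpanic,CN=Computers,DC=example,DC=realm
objectClass: computer
sAMAccountName: KERNELPANIC$
servicePrincipalName: host/kernelpanic.example.com
servicePrincipalName: HOST/KERNELPANIC
servicePrincipalName: nfs/kernelpanic.example.com

dn: CN=kernelpanic-nfs,OU=UnixKerberos,DC=example,DC=realm
objectClass: user
sAMAccountName: kernelpanic-nfs
userPrincipalName: nfs/kernelpanic.example.com@EXAMPLE.REALM
servicePrincipalName: nfs/kernelpanic.example.com

dn: CN=webhost,CN=Computers,DC=example,DC=realm
objectClass: computer
sAMAccountName: WEBHOST$
servicePrincipalName: http/webhost.example.com
servicePrincipalName: sql/webhost.example.com
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, folded lines
    (leading space) joined, attribute names lower-cased, values kept in
    order. Base64 values ("attr:: ...") are not handled (assumption)."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr: Optional[str] = None
    for line in text.splitlines():
        if line.startswith(" ") and last_attr:
            current[last_attr][-1] += line[1:]      # LDIF line folding
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _has(entry: Entry, attr: str, value: str) -> bool:
    """AD compares these names case-insensitively."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def duplicate_spns(entries: List[Entry]) -> Dict[str, List[str]]:
    """SPNs (lower-cased) set on more than one account -> owner DNs."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        for spn in e.get("serviceprincipalname", []):
            owners[spn.lower()].append(e["dn"][0])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def resolve_client(entries: List[Entry], client_name: str, realm: str) -> Optional[str]:
    """Model of the AS-REQ client lookup John observed on Windows 2003 R2:
    the client name must match userPrincipalName (with realm) or
    sAMAccountName; servicePrincipalName is never consulted."""
    name, _, given_realm = client_name.partition("@")
    upn = f"{name}@{given_realm or realm}"
    for e in entries:
        if _has(e, "userprincipalname", upn) or _has(e, "samaccountname", name):
            return e["dn"][0]
    return None          # what kinit reports as "Client not found"


def service_owners(entries: List[Entry], spn: str) -> List[str]:
    """Model of the TGS-REQ service lookup: accounts carrying the SPN.
    Exactly one owner is needed; zero (unknown) or several (ambiguous)
    both mean no service ticket."""
    return [e["dn"][0] for e in entries if _has(e, "serviceprincipalname", spn)]


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    for spn, dns in duplicate_spns(accounts).items():
        print(f"duplicate SPN {spn}: {dns}")
    for name in ("host/kernelpanic.example.com", "nfs/kernelpanic.example.com", "KERNELPANIC$"):
        print(f"kinit as {name}: {resolve_client(accounts, name, REALM) or 'Client not found'}")
    print("owners of nfs/kernelpanic.example.com:",
          service_owners(accounts, "nfs/kernelpanic.example.com"))
```

On a real domain the input comes from an LDAP search against a DC rather than a file; the duplicate check is the same query Michael B Allen's advice implies, a search with the filter `(servicePrincipalName=nfs/kernelpanic.example.com)` that must return exactly one entry. The model also explains John's workaround: setting the UPN makes the service name resolvable as a client, which is what a daemon doing kinit from a keytab needs, while the SPN alone only lets clients obtain tickets for the service.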
From ioplex at gmail.com Mon Mar 30 14:23:53 2009 From: ioplex at gmail.com (Michael B Allen) Date: Mon, 30 Mar 2009 14:23:53 -0400 Subject: confusion with service principal names in Active Directory In-Reply-To: <49D1002E.6030801@realityfailure.org> References: <49D0EE12.2070907@realityfailure.org> <49D1002E.6030801@realityfailure.org> Message-ID: <78c6bd860903301123x1226c6b5r3290e5855c2ffc8e@mail.gmail.com> On Mon, Mar 30, 2009 at 1:23 PM, John Jasen wrote: > Paul Moore wrote: >> use adsiedit (GUI) to set the spn on the AD principal >> or setspn cli tool > > I don't think that's the problem. The SPN is listed in Active Directory, > and can be queried through ldapsearch, listed via setspn, seen through > ADSIedit or jxplorer, etc. It's definitely in there, just stock kerberos > doesn't see it for some reason. Make sure that you do not have the same SPN set on more than one account. If you do, AD will consider the request ambiguous and it will NOT grant a ticket for that SPN. Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ From huaraz at moeller.plus.com Mon Mar 30 15:57:02 2009 From: huaraz at moeller.plus.com (Markus Moeller) Date: Mon, 30 Mar 2009 20:57:02 +0100 Subject: confusion with service principal names in Active Directory In-Reply-To: <49D0EE12.2070907@realityfailure.org> References: <49D0EE12.2070907@realityfailure.org> Message-ID: "John Jasen" wrote in message news:49D0EE12.2070907 at realityfailure.org... > > Please forgive me if this is not the right venue. > > I seem to have not found the magic required to use kerberos service > principal names on unix systems against an Active Directory server. > > In the one particular example, we're trying to use kerberized NFS, so > the server daemon needs to be able to find nfs/fqdn@REALM.
> > I can see the entries in the computer accounts servicePrincipalName > field, but the various UNIX systems can't find them -- either on service > initialization, or attempting kinit from commandline with the system > keytab. > > i.e.: > > klist -ke /etc/krb5.keytab | grep host > > 2 host/kernelpanic.example.com@EXAMPLE.REALM (DES cbc mode with CRC-32) > > [root@kernelpanic ~]# kinit host/kernelpanic.example.com -kt > /etc/krb5.keytab > kinit(v5): Client not found in Kerberos database while getting initial > credentials > > (same results if I do host/kernelpanic.example.com@EXAMPLE.REALM) > > This behavior holds true for OS X kerberos clients, Red Hat 4 and 5 > kerberos clients, and Solaris 10 kerberos clients. I can provide the > versions if required. > > The AD server in question is Windows 2003 R2. > > The only way I've found around this is to set the userPrincipalName in > AD to the service I really really need. > > i.e.: in the case above, userPrincipalName is set to > nfs/kernelpanic.example.com@EXAMPLE.REALM. After doing that, I can kinit > that service principal successfully, and the service dependent on it can > also initialize correctly. > > From my testing, using ktpass.exe to write a keytab file seems to pretty > much automatically set the userPrincipalName to the last entry created. > Unfortunately, if you have a multi-role server, this creates > difficulties. (i.e. trying to use http/hostname and sql/hostname). > > Is there a way around this that I've missed? An option either on the > client side or the server side that I've missed? > You might want to use a tool like msktutil from Dan Perry http://dag.wieers.com/rpm/packages/msktutil/ to create your AD entry and keytab. 1) kinit administrator@DOMAIN (or an account which has access to a newly created OU (e.g. OU=UnixKerberos).
You need to replace below CN=COMPUTERS with OU=UnixKerberos) 2) msktutil -c -b "CN=COMPUTERS" -s host/ -h -k /etc/krb5.keytab --computer-name -host --upn host/ --server --verbose 3) msktutil -c -b "CN=COMPUTERS" -s nfs/ -h -k /etc/krb5.keytab --computer-name -nfs --upn nfs/ --server --verbose Regards Markus > -- > -- John E. Jasen (jjasen at realityfailure.org) > -- No one will sorrow for me when I die, because those who would > -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring From adriana.gologaneanu at rcs-rds.ro Tue Mar 31 03:13:14 2009 From: adriana.gologaneanu at rcs-rds.ro (Adriana Gologaneanu) Date: Tue, 31 Mar 2009 10:13:14 +0300 Subject: LDAP-Kerberos sync passwords In-Reply-To: <86h6a6-fm4.ln1@nb2.stroeder.com> References: <86h6a6-fm4.ln1@nb2.stroeder.com> Message-ID: <49D1C28A.6030904@rcs-rds.ro> Debian Etch - slapd: 2.3.30-5+etch2 - krb5-kdc: 1.4.4-7etch6 I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data to be stored in an LDAP server. Let me test it and I will give you feedback. Regards, Adriana Michael Ströder wrote: > Adriana Gologaneanu wrote: > >> I'm using LDAP for authorization and Kerberos for authentication. The >> workstations are configured with pam_krb5 module. >> There is a way to sync passwords between LDAP and Kerberos? Both are on >> same machine and the passwords to ldap db are sent in MD5 via a virtual >> java machine. I can't do same with Kerberos cause there are no free java >> libraries. Also, I want to avoid ssh connection between java machine and >> LDAP/Kerberos server. >> > > Which LDAP server and which KDC are you using? > > Ciao, Michael.
From afscon09 at dia.uniroma3.it Tue Mar 31 06:22:42 2009 From: afscon09 at dia.uniroma3.it (European AFS meeting 2009) Date: Tue, 31 Mar 2009 12:22:42 +0200 Subject: European AFS meeting 2009 - 6 months ahead Message-ID: <1238494962.2860.29.camel@campus00.dia.uniroma3.it> Dear colleagues, we wish to announce the call for participation to the European AFS meeting 2009, which will take place in Rome, Italy, from September 28 to 30 - details can be found at http://www.dia.uniroma3.it/~afscon09/ This workshop is to give some overview of AFS technology, provide information about selected recent developments, and you are invited to present short site reports with your experience. The Arla and Heimdal communities are explicitly encouraged to contribute; registration to the event is by fax with an Adobe form which can be downloaded; questions should be directed to this mail address. The Meeting Organizers -- Wolfgang A. Gehrke / Franco Milicchio UNIVERSITA' degli Studi "Roma Tre" Dipartimento di Informatica e Automazione Via della Vasca Navale, 79 00146 Roma ITALY fax +39 06 57333211 {wgehrke,milicchio}@dia.uniroma3.it From michael at stroeder.com Tue Mar 31 06:12:10 2009 From: michael at stroeder.com (Michael Ströder) Date: Tue, 31 Mar 2009 12:12:10 +0200 Subject: LDAP-Kerberos sync passwords In-Reply-To: References: <86h6a6-fm4.ln1@nb2.stroeder.com> Message-ID: Adriana Gologaneanu wrote: > Debian Etch > - slapd: 2.3.30-5+etch2 > - krb5-kdc: 1.4.4-7etch6 > > I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data > to be stored in an LDAP server. > Let me test it and I will give you a feedback. It won't help since the credentials are stored in different attributes. You need something which syncs the credential attributes. This is e.g.
possible with OpenLDAP/Heimdal and a server-side overlay (server-side plugin) called smbk5pwd which intercepts the LDAP Password Modify Extended Operation requests and then sets all relevant attributes. The FreeIPA folks have implemented something similar for MIT KDC with Fedora Directory Server. I don't know a solution for OpenLDAP / MIT KDC though. Also note that the LDAP schema for MIT KDC and heimdal KDC differ. Ciao, Michael. From ssorce at redhat.com Tue Mar 31 10:37:30 2009 From: ssorce at redhat.com (Simo Sorce) Date: Tue, 31 Mar 2009 10:37:30 -0400 Subject: LDAP-Kerberos sync passwords In-Reply-To: References: <86h6a6-fm4.ln1@nb2.stroeder.com> Message-ID: <1238510250.4858.13.camel@localhost.localdomain> On Tue, 2009-03-31 at 12:12 +0200, Michael Ströder wrote: > Adriana Gologaneanu wrote: > > Debian Etch > > - slapd: 2.3.30-5+etch2 > > - krb5-kdc: 1.4.4-7etch6 > > > > I just found with Lenny a plugin: krb5-kdc-ldap that allows the KDC data > > to be stored in an LDAP server. > > Let me test it and I will give you a feedback. > > It won't help since the credentials are stored in different attributes. > > You need something which syncs the credential attributes. This is e.g. > possible with OpenLDAP/Heimdal and a server-side overlay (server-side > plugin) called smbk5pwd which intercepts the LDAP Password Modify > Extended Operation requests and then sets all relevant attributes. The > FreeIPA folks have implemented something similar for MIT KDC with Fedora > Directory Server. I don't know a solution for OpenLDAP / MIT KDC though. > > Also note that the LDAP schema for MIT KDC and heimdal KDC differ. The FreeIPA plugin has been written using the SLAPI interface. I think OpenLDAP still supports that interface too, so maybe it is not too difficult to port the plugin to OpenLDAP. Simo. -- Simo Sorce * Red Hat, Inc * New York
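Michael's point about smbk5pwd and the FreeIPA plugin has a practical consequence for the setup Adriana describes: a server-side overlay can only populate both the LDAP password attribute and the Kerberos keys if it sees the new password in cleartext, which is exactly what the Password Modify extended operation (RFC 3062) carries; a client that writes a pre-hashed value (an {MD5} userPassword) into the directory leaves the overlay nothing to derive Kerberos keys from, since a hash cannot be turned back into the string-to-key input. The script below is an added example, not code from the thread, from smbk5pwd or from FreeIPA. It builds and decodes the Password Modify request the way a client library would (the Java side then only needs an LDAP client that can send an extended operation, and TLS on the connection), and shows the one server-side derivation a pure-Python example can do, a salted SHA-1 userPassword; Kerberos string-to-key is left to the KDC plugin and is not implemented here. The DN, password and salt are constructed values.

```python
"""Encode/decode the LDAP Password Modify extended operation (RFC 3062)
and derive a salted-SHA1 userPassword from the cleartext it carries.
Added example with constructed values; not code from the thread."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 requestName

# BER tags used below (LDAP messages are BER-encoded, RFC 4511 section 5.1)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_EXTENDED_REQUEST = 0x77                       # [APPLICATION 23], constructed
TAG_CTX0, TAG_CTX1, TAG_CTX2 = 0x80, 0x81, 0x82   # [0], [1], [2], primitive


def _ber_length(n: int) -> bytes:
    """Short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _ber_integer(n: int) -> bytes:
    # two's complement, minimal length (128 needs a leading 0x00 byte)
    return _tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def encode_passwd_modify(message_id: int, user_identity: Optional[str] = None,
                         old_passwd: Optional[str] = None,
                         new_passwd: Optional[str] = None) -> bytes:
    """Client side. LDAPMessage { messageID, ExtendedRequest { requestName,
    requestValue } }; requestValue wraps PasswdModifyRequestValue ::=
    SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }, all OPTIONAL."""
    fields = b""
    if user_identity is not None:
        fields += _tlv(TAG_CTX0, user_identity.encode("utf-8"))
    if old_passwd is not None:
        fields += _tlv(TAG_CTX1, old_passwd.encode("utf-8"))
    if new_passwd is not None:
        fields += _tlv(TAG_CTX2, new_passwd.encode("utf-8"))
    ext = (_tlv(TAG_CTX0, PASSWD_MODIFY_OID.encode("ascii"))
           + _tlv(TAG_CTX1, _tlv(TAG_SEQUENCE, fields)))
    return _tlv(TAG_SEQUENCE, _ber_integer(message_id) + _tlv(TAG_EXTENDED_REQUEST, ext))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify(msg: bytes) -> Tuple[int, Dict[str, str]]:
    """Server side (what an overlay like smbk5pwd gets to see): the
    messageID and the cleartext fields of the request."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, ext, _ = _read_tlv(body, pos)
    if tag != TAG_EXTENDED_REQUEST:
        raise ValueError("not an ExtendedRequest")
    _, oid, pos = _read_tlv(ext, 0)
    if oid != PASSWD_MODIFY_OID.encode("ascii"):
        raise ValueError("not a Password Modify request")
    _, value, _ = _read_tlv(ext, pos)
    _, seq, _ = _read_tlv(value, 0)
    names = {TAG_CTX0: "userIdentity", TAG_CTX1: "oldPasswd", TAG_CTX2: "newPasswd"}
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        fields[names[tag]] = val.decode("utf-8")
    return message_id, fields


def ssha_userpassword(password: str, salt: bytes) -> str:
    """{SSHA} as OpenLDAP stores it: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(stored: str, password: str) -> bool:
    """Verify a cleartext password against an {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} is handled here")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    msg = encode_passwd_modify(1, "uid=jdoe,dc=example,dc=com", new_passwd="s3cret")
    mid, fields = decode_passwd_modify(msg)
    print(len(msg), "bytes, messageID", mid, fields)
    print(ssha_userpassword(fields["newPasswd"], b"\x01\x02\x03\x04"))   # salt is constructed
```

The request must travel over TLS (or an otherwise protected connection), since it carries the password in the clear by design; that is the trade-off that lets the server derive every credential form it stores. The decoder is deliberately strict about the OID and message type so that an overlay only ever acts on a genuine Password Modify request and never on an ordinary modify of userPassword, which is the path that delivers pre-hashed values.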