From akshar.kerberos at gmail.com Sun Nov 1 09:02:06 2009
From: akshar.kerberos at gmail.com (akshar kanak)
Date: Sun, 1 Nov 2009 19:32:06 +0530
Subject: [PKINIT]Invalid response for AS_REQ with win 2003 sever
Message-ID: <5ff84dca0911010602y42967b06y154064a249c819ed@mail.gmail.com>

Dear team

I am trying to perform Kerberos PKINIT authentication with Windows 2003 server. The client is able to send the AS_REQ packet but the server is responding with KRB5KRB_AP_ERR_MODIFIED. In RFC 4120 I could not find whether KRB5KRB_AP_ERR_MODIFIED is a proper error response for AS_REQ.

In the MIT 1.6.3 source code, in file pkinit_crypto_openssl.c, in function cms_signeddata_create():

    /* Some tokens can only do RSAEncryption without sha1 hash */
    /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
     * function and the hash value into an ASN.1 value of type DigestInfo
     * DigestInfo::=SEQUENCE {
     *   digestAlgorithm AlgorithmIdentifier,
     *   digest OCTET STRING }
     */

Are there any specific cards for which this fix needs to be applied?

Thanks in advance

Thanks and Regards
Akshar

From huaraz at moeller.plus.com Sun Nov 1 14:18:53 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 1 Nov 2009 19:18:53 -0000
Subject: SEGV in krb5_free_cred_contents on Opensolaris
In-Reply-To: <1256220048.23997.307.camel@ray>
References: <1256220048.23997.307.camel@ray>
Message-ID:

I got a bit further in identifying where the pointer is reset. It looks like the sasl library frees the memory cache. Strangely enough I don't see this behaviour with a file cache on OpenSolaris nor on a Linux platform.

Any idea?
Thank you
Markus

(gdb) where
#0  krb5_mcc_free (context=0x8930fc0, id=0x88e0d90) at ../krb5/ccache/cc_memory.c:182
#1  0xd226a307 in krb5_mcc_destroy (context=0x8930fc0, id=0x88e0d90) at ../krb5/ccache/cc_memory.c:214
#2  0xd226c7b4 in krb5_cc_destroy (context=0x8930fc0, cache=0x88e0d90) at ../krb5/ccache/ccfns.c:55
#3  0xd21e641f in krb5_gss_release_cred (minor_status=0x8022520, cred_handle=0x8022534) at /src/build/usr/src/lib/gss_mechs/mech_krb5/mech/rel_cred.c:71
#4  0xd21eb50f in krb5_gss_init_sec_context (minor_status=0x802268c, claimant_cred_handle=0x0, context_handle=0x88d3734, target_name=0x88c6990, mech_type=0xd1a08308, req_flags=42, time_req=0, input_chan_bindings=0x0, input_token=0x0, actual_mech_type=0x0, output_token=0x8022694, ret_flags=0x8022674, time_rec=0x0) at /src/build/usr/src/lib/gss_mechs/mech_krb5/mech/init_sec_context.c:997
#5  0xd21e3eec in k5glue_init_sec_context (ctx=0x0, minor_status=0x802268c, claimant_cred_handle=0x0, context_handle=0x88d3734, target_name=0x88c6990, mech_type=0xd1a08308, req_flags=42, time_req=0, input_chan_bindings=0x0, input_token=0x0, actual_mech_type=0x0, output_token=0x8022694, ret_flags=0x8022674, time_rec=0x0) at /src/build/usr/src/lib/gss_mechs/mech_krb5/mech/krb5_gss_glue.c:843
#6  0xd27451c8 in gss_init_sec_context () from /usr/lib/libgss.so.1
#7  0xd19f41d3 in ?? ()
#8  0x0802268c in ?? ()
#9  0x00000000 in ?? ()
#10 0x088e3d6c in ?? ()
#11 0x088d3cd8 in ?? ()
#12 0xd1a08308 in ?? ()
#13 0x0000002a in ?? ()
#14 0x00000000 in ?? ()
#15 0x00000000 in ?? ()
#16 0x00000000 in ?? ()
#17 0x00000000 in ?? ()
#18 0x08022694 in ?? ()
#19 0x08022674 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x00000000 in ?? ()
#23 0xd1a0834c in ?? ()
#24 0xd1f79000 in ?? () from /usr/lib/libsasl.so.1
#25 0xd19f6ecc in ?? ()
#26 0x00000128 in ?? ()
#27 0x5f676572 in ?? ()
#28 0xd19f3bcf in ?? ()
#29 0xd1bc27e8 in ?? ()
#30 0x00000000 in ?? ()
#31 0xd19f6ed8 in ?? ()
#32 0x00000000 in ?? ()
#33 0x00000000 in ?? ()
#34 0x00000000 in ?? ()
#35 0x0000013a in ?? ()
#36 0x0000002a in ?? ()
#37 0x00000003 in ?? ()
#38 0x00000019 in ?? ()
#39 0x00000000 in ?? ()
#40 0xd1f5bcf9 in _sasl_global_getopt (context=0x88e3d68, plugin_name=0x88d4ab0 "@7\215\b\b,\216\b\200=\215\b\230<\216\b", option=0x0, result=0x0, len=0x80227dc) at ../lib/common.c:1374
#41 0xd1f58dce in sasl_client_step (conn=0x88e30c8, serverin=0x0, serverinlen=0, prompt_need=0x80227dc, clientout=0x80227c4, clientoutlen=0x80227bc) at ../lib/client.c:1088
#42 0xd1f58c1d in sasl_client_start (conn=0x88e30c8, mechlist=0x808f675 "GSSAPI", prompt_need=0x80227dc, clientout=0x80227c4, clientoutlen=0x80227bc, mech=0x80227d0) at ../lib/client.c:1024
#43 0xd24a27be in nsldapi_sasl_do_bind (ld=0x88e1e00, dn=0x0, mechs=0x808f675 "GSSAPI", flags=1, callback=0x8078278 , defaults=0x88c6940, sctrl=0x0, cctrl=0x0) at ../sources/ldap/common/sasl.c:660
#44 0xd24a3121 in ldap_sasl_interactive_bind_s (ld=0x88e1e00, dn=0x0, saslMechanism=0x808f675 "GSSAPI", sctrl=0x0, cctrl=0x0, flags=1, callback=0x8078278 , defaults=0x88c6940) at ../sources/ldap/common/sasl.c:992
#45 0x08078400 in tool_sasl_bind (ld=0x88e1e00, binddn=0x0, ssl=0) at checkldapgroup.c:1840
#46 0x08079393 in checkldapgroup (username=0x803b450 "markus at SUSE.HOME", userdomain=0x803b457 "SUSE.HOME", group=0x88d3bb8 "USERS_ALLOW", groupdomain=0x0, rule=0x88d31b0) at checkldapgroup.c:2595
#47 0x08074753 in ldapgroupmatch (auth=0x803b21c, rule=0x88d0610) at accesscheck.c:155
#48 0x0806ec4b in rulespermit (s=3, peer=0x803fa00, local=0x803fa10, clientauth=0x803fa20, match=0x803cb30, srcauth=0x803b21c, state=0x803a9e4, src=0x803b564, dst=0x803b9f8, msg=0x803a490 "", msgsize=256) at serverconfig.c:1352
#49 0x08062e70 in run_request (mother=0x80412a0) at sockd_request.c:827
#50 0x0805e8c3 in addchild (type=4) at sockd_child.c:427
#51 0x0805f123 in childcheck (type=4) at sockd_child.c:541
#52 0x0805da28 in main (argc=143409904, argv=0x8047c64, envp=0x8047c70) at sockd.c:371
(gdb)

"Greg Hudson" wrote in message news:1256220048.23997.307.camel at ray...
> On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
>> I have an application which creates a cache, stores a ticket and then
>> destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris (but
>> I think the code is the same as the MIT code).
> [...]
>> Do I need to check if the cache has credentials before I destroy the cache?
>
> From reading the OpenSolaris and MIT krb5 code for memory ccaches, every
> entry in the ccache is supposed to have valid credentials; there is no
> operation which should put the credentials list into a state where one
> of the entries has ->creds == NULL.
>
> Because of optimization, it's hard to tell from your stack trace whether
> the credentials linked list structure has NULL credentials somehow, or
> if it's an invalid pointer. Either way, the next question would be what
> operation caused the credentials structure to get into the invalid
> state.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

From huaraz at moeller.plus.com Sun Nov 1 14:28:54 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sun, 1 Nov 2009 19:28:54 -0000
Subject: SEGV in krb5_free_cred_contents on Opensolaris
In-Reply-To:
References: <1256220048.23997.307.camel@ray>
Message-ID:

It looks like an OpenSolaris bug, as I found in rel_cred.c the following special MEMORY cache handling. Would it make sense to check in krb5_free_cred_contents if val is != NULL?

    61 	/*
    62 	 * Solaris Kerberos
    63 	 * If the ccache is a MEMORY ccache then this credential handle
    64 	 * should be the only way to get to it, at least until the advent
    65 	 * of a GSS_Duplicate_cred() (which is needed and may well be
    66 	 * added some day). Until then MEMORY ccaches must be destroyed,
    67 	 * not closed, else their contents (tickets, session keys) will
    68 	 * leak.
    69 	 */
    70 	if (strcmp("MEMORY", krb5_cc_get_type(context, cred->ccache)) == 0)
    71 		code1 = krb5_cc_destroy(context, cred->ccache);
    72 	else
    73 		code1 = krb5_cc_close(context, cred->ccache);

Markus

"Markus Moeller" wrote in message news:hckmuv$iik$1 at ger.gmane.org...
> I got a bit further in identifying where the pointer is reset. It looks like
> the sasl library frees the memory cache. Strangely enough I don't see this
> behaviour with a file cache on OpenSolaris nor on a Linux platform.
>
> Any idea?

From LUIS.RAMOS at PFIZER.COM Mon Nov 2 10:15:05 2009
From: LUIS.RAMOS at PFIZER.COM (LUISRAMOS)
Date: Mon, 2 Nov 2009 07:15:05 -0800 (PST)
Subject: Kerberos/Apache receiving Active Directory user/password in plain text
In-Reply-To:
References: <26114792.post@talk.nabble.com>
Message-ID: <26157127.post@talk.nabble.com>

Michael Ströder wrote:
>
> LUISRAMOS wrote:
>> We have a unix web server with Apache where we installed kerberos to
>> implement single sign on.
>
> I guess you're using mod_auth_kerb?
>
>> The idea with this is to have the ability of authenticating through the
>> Windows Active Directory once, not needing to log again in the unix box.
>> After the setup, the authentication works. When we log in to the unix
>> server, a popup window asks for user/pwd. After entering user/pwd the
>> credentials are authenticated against the windows active directory and
>> the access to the unix/apache box is granted. However, what we want is
>> to avoid this login popup. We noticed that when the popup window is
>> displayed the following message is seen in the popup: "Warning: This
>> server is requesting that your username and password be sent in an
>> insecure manner (basic authentication without a secure connection)."
>> Looks like the internet browser is sending the credentials in plain
>> text to the unix box.
>>
>> Anybody has an idea on how we can configure Kerberos, or any other
>> component to avoid this popup window.
>
> Set "KrbMethodK5Passwd off" in httpd.conf.
>
> See also: http://modauthkerb.sourceforge.net/configure.html
>
> Ciao, Michael.
>
> --
> Michael Ströder
> E-Mail: michael at stroeder.com
> http://www.stroeder.com

============================

Michael, I changed the parameter and got this message:

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

--------------------------------------------------------------------------------
Apache/2.0.52 (Unix) DAV/2 mod_auth_kerb/5.4 Server at prcognosweb Port 80

From deengert at anl.gov Mon Nov 2 16:24:41 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 02 Nov 2009 15:24:41 -0600
Subject: [PKINIT]Invalid response for AS_REQ with win 2003 sever
In-Reply-To: <5ff84dca0911010602y42967b06y154064a249c819ed@mail.gmail.com>
References: <5ff84dca0911010602y42967b06y154064a249c819ed@mail.gmail.com>
Message-ID: <4AEF4E19.1030801@anl.gov>

akshar kanak wrote:
> Dear team
> I am trying to perform Kerberos PKINIT authentication with windows
> 2003 server. The client is able to send the AS_REQ packet but the server is
> responding with KRB5KRB_AP_ERR_MODIFIED. In RFC 4120 I could not find
> whether KRB5KRB_AP_ERR_MODIFIED is a proper error response for AS_REQ.
> In the MIT 1.6.3 source code in file pkinit_crypto_openssl.c, in function
> cms_signeddata_create()
>
> /* Some tokens can only do RSAEncryption without sha1 hash */
> /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
>  * function and the hash value into an ASN.1 value of type DigestInfo
>  * DigestInfo::=SEQUENCE {
>  *   digestAlgorithm AlgorithmIdentifier,
>  *   digest OCTET STRING }
>  */
>
> Are there any specific cards for which this fix needs to be applied?

It looks like this is testing if the PKCS11 supports CKM_SHA1_RSA_PKCS or only CKM_RSA_PKCS. If it does not support CKM_SHA1_RSA_PKCS the digest is done here in this code and then CKM_RSA_PKCS is used, so it should not be an issue.

Are you running into this issue with your card? Do you require some policy where the digest needs to be done on the card?

Does your pkcs11 driver have any debugging tools? Have you tried using the OpenSC pkcs11-spy to see all the PKCS11 calls?

> Thanks in advance
>
> Thanks and Regards
> Akshar

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From William.Fiveash at sun.com Mon Nov 2 16:37:34 2009
From: William.Fiveash at sun.com (Will Fiveash)
Date: Mon, 2 Nov 2009 15:37:34 -0600
Subject: SEGV in krb5_free_cred_contents on Opensolaris
In-Reply-To:
References: <1256220048.23997.307.camel@ray>
Message-ID: <20091102213734.GA23973@sun.com>

On Sun, Nov 01, 2009 at 07:28:54PM +0000, Markus Moeller wrote:
> It looks like an OpenSolaris bug as I found in rel_cred.c the following
> special MEMORY cache handling. Would it make sense to check in
> krb5_free_cred_contents if val is != NULL?

You should report this on kerberos-discuss at opensolaris.org. If it really is a bug we can open a bug.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA

From huaraz at moeller.plus.com Mon Nov 2 18:24:35 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Mon, 2 Nov 2009 23:24:35 -0000
Subject: SEGV in krb5_free_cred_contents on Opensolaris
In-Reply-To: <20091102213734.GA23973@sun.com>
References: <1256220048.23997.307.camel@ray> <20091102213734.GA23973@sun.com>
Message-ID: <34F07DFAE7B040F39010EEB652A92DB3@VAIOLaptop>

I filed it under http://defect.opensolaris.org/bz/show_bug.cgi?id=12384

Markus

----- Original Message -----
From: "Will Fiveash"
To: "Markus Moeller"
Sent: Monday, November 02, 2009 9:37 PM
Subject: Re: SEGV in krb5_free_cred_contents on Opensolaris

> You should report this on kerberos-discuss at opensolaris.org. If it
> really is a bug we can open a bug.

From christoph.fritz at gmail.com Tue Nov 3 02:34:04 2009
From: christoph.fritz at gmail.com (Christoph Fritz)
Date: Tue, 3 Nov 2009 08:34:04 +0100
Subject: Problem with mit2ms - Tickets are not transfered to LSA cache
Message-ID: <2ed6fd700911022334v2040befcw34c652c22ae33a7e@mail.gmail.com>

Hi,

I'm currently facing a problem when implementing a kerberos based SSO solution with SAP on Linux and an Active Directory. Usually this works fine for ABAP and JAVA but in the current environment I have a different situation. On the client machine I need the kerberos credentials (TGT) to be stored in the Windows LSA cache. Usually this happens automatically when logging on to a Microsoft Domain.

Unfortunately I cannot logon from the workstations to my domain using the windows-logon because I'm using Novell. Besides my Novell eDirectory there is an Active directory domain. So I tried the following (maybe a stupid idea): after windows has logged on to Novell --> start MIT Kerberos Client and obtain credentials from the Domain controller. After that I get the following tickets in my local cache:

C:\Programme\MIT\Kerberos\bin>klist
Ticket cache: API:CFRITZ at CFRITZ.TEST
Default principal: CFRITZ at CFRITZ.TEST

Valid starting     Expires            Service principal
11/02/09 16:22:50  11/03/09 02:22:50  krbtgt/CFRITZ.CORP at CFRITZ.TEST
        renew until 11/09/09 16:21:35

Now I have tried to copy these credentials to the windows LSA cache using mit2ms:

C:\Programme\MIT\Kerberos\bin>mit2ms.exe
mit2ms.exe: No credentials cache found while opening MS LSA ccache

Unfortunately kerbtray does not show me any ticket in the LSA cache. Which parameters do I need for the mit2ms executable, or is my idea not working at all? How can I transfer the tickets from the MIT Client cache to the LSA cache of Windows?

Thanks in advance
Christoph

From jaltman at secure-endpoints.com Tue Nov 3 07:43:05 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 03 Nov 2009 07:43:05 -0500
Subject: Problem with mit2ms - Tickets are not transfered to LSA cache
In-Reply-To: <2ed6fd700911022334v2040befcw34c652c22ae33a7e@mail.gmail.com>
References: <2ed6fd700911022334v2040befcw34c652c22ae33a7e@mail.gmail.com>
Message-ID: <4AF02559.1020506@secure-endpoints.com>

Christoph Fritz wrote:
>
> Unfortunately kerbtray does not show me any ticket in the LSA cache. Which
> parameters do I need for the mit2ms executable or is my idea not working at
> all? How can I transfer the tickets from the MIT Client cache to the LSA
> cache of Windows?
>

mit2ms worked on Vista. It does not work on XP and 2003. I have not tested it on Vista SP2 and Win7.
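
For the PKINIT thread above (Akshar's question about the DigestInfo comment in cms_signeddata_create() and Douglas Engert's reply on CKM_SHA1_RSA_PKCS versus CKM_RSA_PKCS), here is an added example written for this archive; it is not MIT krb5 code. It builds the DER DigestInfo that a client must hand to a token that can only do raw RSA PKCS#1 v1.5, and shows the verifier-side comparison that rejects any other encoding; the sample digest bytes are constructed, not a real hash, and all function names are my own.

```c
/* Added example, not from MIT krb5: DER DigestInfo for sha1WithRSAEncryption
 * when the PKCS#11 token offers only CKM_RSA_PKCS (no on-token hashing). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_DIGEST_LEN 20

/* Content octets of OID 1.3.14.3.2.26 (id-sha1). */
static const uint8_t OID_SHA1[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a };

/* DigestInfo ::= SEQUENCE { AlgorithmIdentifier { OID, NULL },
 *                           OCTET STRING digest }
 * Returns the encoded length (35 bytes for SHA-1) or 0 on error.  Short-form
 * DER lengths suffice because the whole structure is below 128 bytes. */
size_t digestinfo_sha1_encode(const uint8_t *digest, size_t digest_len,
                              uint8_t *out, size_t out_cap)
{
    const size_t algid_len = 2 + sizeof(OID_SHA1) + 2; /* OID TLV + NULL TLV */
    const size_t inner_len = 2 + algid_len + 2 + digest_len;
    size_t i = 0;

    if (digest == NULL || out == NULL || digest_len != SHA1_DIGEST_LEN ||
        inner_len > 127 || out_cap < inner_len + 2)
        return 0;

    out[i++] = 0x30; out[i++] = (uint8_t)inner_len;        /* SEQUENCE */
    out[i++] = 0x30; out[i++] = (uint8_t)algid_len;        /* AlgorithmIdentifier */
    out[i++] = 0x06; out[i++] = (uint8_t)sizeof(OID_SHA1); /* OBJECT IDENTIFIER */
    memcpy(out + i, OID_SHA1, sizeof(OID_SHA1));
    i += sizeof(OID_SHA1);
    out[i++] = 0x05; out[i++] = 0x00;                      /* NULL parameters */
    out[i++] = 0x04; out[i++] = (uint8_t)digest_len;       /* OCTET STRING */
    memcpy(out + i, digest, digest_len);
    return i + digest_len;
}

/* Verifier side: instead of parsing the recovered DigestInfo leniently,
 * re-encode the expected structure and compare the whole encoding, so extra,
 * missing or differently encoded bytes are rejected.  Returns 1 on match. */
int digestinfo_sha1_matches(const uint8_t *recovered, size_t recovered_len,
                            const uint8_t *expected_digest)
{
    uint8_t expected[64];
    size_t n;

    if (recovered == NULL || expected_digest == NULL)
        return 0;
    n = digestinfo_sha1_encode(expected_digest, SHA1_DIGEST_LEN,
                               expected, sizeof(expected));
    return n != 0 && n == recovered_len && memcmp(recovered, expected, n) == 0;
}

/* Constructed sample digest (not a real SHA-1 output): bytes 0x00..0x13. */
static void sample_digest(uint8_t d[SHA1_DIGEST_LEN])
{
    for (size_t k = 0; k < SHA1_DIGEST_LEN; k++)
        d[k] = (uint8_t)k;
}

/* Cross-check against the fixed 15-byte SHA-1 DigestInfo prefix listed in
 * RFC 8017 section 9.2 note 1.  Returns 1 when every check passes. */
int digestinfo_selftest(void)
{
    static const uint8_t prefix[15] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
        0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
    uint8_t d[SHA1_DIGEST_LEN], enc[64];
    size_t n;

    sample_digest(d);
    n = digestinfo_sha1_encode(d, sizeof(d), enc, sizeof(enc));
    if (n != sizeof(prefix) + SHA1_DIGEST_LEN) return 0;
    if (memcmp(enc, prefix, sizeof(prefix)) != 0) return 0;
    if (memcmp(enc + sizeof(prefix), d, sizeof(d)) != 0) return 0;
    if (!digestinfo_sha1_matches(enc, n, d)) return 0;
    enc[n - 1] ^= 0x01;                                   /* corrupt a digest byte */
    if (digestinfo_sha1_matches(enc, n, d)) return 0;
    enc[n - 1] ^= 0x01;
    if (digestinfo_sha1_matches(enc, n - 1, d)) return 0; /* truncated encoding */
    return 1;
}

int main(void)
{
    uint8_t d[SHA1_DIGEST_LEN], enc[64];
    size_t n;

    sample_digest(d);
    n = digestinfo_sha1_encode(d, sizeof(d), enc, sizeof(enc));
    printf("DigestInfo (%zu bytes):", n);
    for (size_t k = 0; k < n; k++)
        printf(" %02x", enc[k]);
    printf("\nselftest: %s\n", digestinfo_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The 15-byte prefix is constant for SHA-1, which is why a verifier can compare the whole 35-byte structure rather than walk the ASN.1.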
From jaltman at secure-endpoints.com Tue Nov 3 10:19:07 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 03 Nov 2009 10:19:07 -0500
Subject: Problem with mit2ms - Tickets are not transfered to LSA cache
In-Reply-To: <4AF02559.1020506@secure-endpoints.com>
References: <2ed6fd700911022334v2040befcw34c652c22ae33a7e@mail.gmail.com> <4AF02559.1020506@secure-endpoints.com>
Message-ID: <4AF049EB.5090106@secure-endpoints.com>

Jeffrey Altman wrote:
> Christoph Fritz wrote:
>> Unfortunately kerbtray does not show me any ticket in the LSA cache. Which
>> parameters do I need for the mit2ms executable or is my idea not working at
>> all? How can I transfer the tickets from the MIT Client cache to the LSA
>> cache of Windows?
>>
> mit2ms worked on Vista. It does not work on XP and 2003. I have not
> tested it on Vista SP2 and Win7.

I just tested on Win7 and it won't work there until the krb5 library cc_mslsa.c is updated to handle the current behavior.

Jeffrey Altman

From X.Arbona at topdesk.com Tue Nov 3 12:38:07 2009
From: X.Arbona at topdesk.com (Xesc Arbona)
Date: Tue, 3 Nov 2009 18:38:07 +0100
Subject: Forwarding Krb5 credentials to backend server
Message-ID:

Hi,

I'm trying to set up a Reverse-Proxy with WebAuth (http://webauth.stanford.edu/) for several backend servers running Apache2 with mod_auth_kerb.

We use Kerberos internally for authentication and SSO works pretty well with mod_auth_kerb. What I would like now is to provide access to these internal servers from outside. I want the user to enter their corporate credentials once on WebAuth, and then generate Kerberos tickets for the backend servers. I use WebAuthCred (http://webauth.stanford.edu/manual/mod/mod_webauth.html#webauthcred) for that, and the credentials get stored in a cache, but the reverse-proxy doesn't forward these credentials, and I get a 401 error message back.

I would like to create an "Authorization: Negotiate [KRB5 ticket]" header, but I'm not sure this is the right thing to do, or how to do it.

I've already sent a mail to the webauth-info mailing list, but it seems that this is outside the scope of WebAuth:

"WebAuth can only get the Kerberos tickets as far as the server running mod_webauth, since it uses the WebAuth protocol to transfer them. At that point, what you want to have happen is for mod_proxy to do a Negotiate-Auth authentication to the internal host using the Kerberos ticket cache set up by WebAuth. This is possible at a technical level, but since mod_proxy doesn't know anything about Kerberos, Apache doesn't know how to do this. Unfortunately, what you'd need to make this happen is a modified version of mod_proxy that knows how to be a Negotiate-Auth Kerberos client, which is something I'm pretty sure no one has yet written."

Has someone already worked on this? What is the best thing to do? Modify mod_proxy? Use mod_header?

Thank you very much for your help!

Cheers,
--
Xesc Arbona
Sysadmin at TOPdesk

From magicaldev at gmail.com Tue Nov 3 15:37:50 2009
From: magicaldev at gmail.com (Devang Verma)
Date: Tue, 3 Nov 2009 12:37:50 -0800
Subject: Setting up local Kerberos network
Message-ID:

Hi all,

I would like some information on how to set up a small network of kerberos server and clients. I am planning to build a secure network using Kerberos as a part of my Master's project.

I have searched the web and found nothing but topics related to some big institutions and companies where I will be needing their information. Is it possible to build a Kerberos KDC and realm for my own small network? If it is possible then please explain how I should proceed. Thank you.

Have a nice day,
Dev

From non.sto.gioc at ndo.a.niente Wed Nov 4 04:08:22 2009
From: non.sto.gioc at ndo.a.niente (S2)
Date: Wed, 04 Nov 2009 10:08:22 +0100
Subject: Setting up local Kerberos network
In-Reply-To:
References:
Message-ID:

Devang Verma wrote:
> Is it possible to build a Kerberos KDC and realm for my own small network?

Sure!

> If it is possible then please explain how I should proceed. Thank you.

(for a debian distro)

On the machine you want to be the kdc:

    apt-get install krb5-admin-server

add some principals with kadmin.local

On a client:

    apt-get install krb5-user

and then authenticate with kinit.

done.

From shopik at inblock.ru Thu Nov 5 06:56:45 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Thu, 05 Nov 2009 14:56:45 +0300
Subject: Problem with mit2ms - Tickets are not transfered to LSA cache
In-Reply-To: <4AF049EB.5090106@secure-endpoints.com>
References: <2ed6fd700911022334v2040befcw34c652c22ae33a7e@mail.gmail.com> <4AF02559.1020506@secure-endpoints.com> <4AF049EB.5090106@secure-endpoints.com>
Message-ID:

Jeffrey, any chance this could be updated for XP/2003 or is this already out of scope?

On 03.11.2009 18:19, Jeffrey Altman wrote:
> Jeffrey Altman wrote:
>> Christoph Fritz wrote:
>>> Unfortunately kerbtray does not show me any ticket in the LSA cache. Which
>>> parameters do I need for the mit2ms executable or is my idea not working at
>>> all? How can I transfer the tickets from the MIT Client cache to the LSA
>>> cache of Windows?
>>>
>> mit2ms worked on Vista. It does not work on XP and 2003. I have not
>> tested it on Vista SP2 and Win7.
> I just tested on Win7 and it won't work there until the krb5 library > cc_mslsa.c is updated to handle the current behavior. > > Jeffrey Altman > > > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From michael at stroeder.com Tue Nov 3 02:04:09 2009 From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=) Date: Tue, 03 Nov 2009 08:04:09 +0100 Subject: Kerberos/Apache receiving Active Directory user/password in plain text In-Reply-To: References: <26114792.post@talk.nabble.com> Message-ID: LUISRAMOS wrote: > > Michael Str?der wrote: >> LUISRAMOS wrote: >>> We have a unix web server with Apache were we installed kerberos to >>> implement single sign on. >> I guess you're using mod_auth_kerb? >> >>> The idea with this is to have the ability of autenticating through the >>> Windows Active Directory once not needing to log again in the unix box. >>> After the setup, the autentication works. When we log in to the unix >>> server, a popup window asks for user/pwd. After entering user/pwd the >>> credentials are autenticated against the windows active directory and >>> the access to the unix/apache box is granted. However, what we want is >>> to avoid this login popup. We noticed that when the popup window is >>> displayed the following message is seeing in the popup: "Warning: This >>> server is requesting that your username and password be sent in an >>> insecure manner (basic authentication without a secure connection). >>> Looks like the internet browser is sending the credentials in plain >>> text to the unix box. >>> >>> Anybody has an idea on how we can configure Kerberos, or any other >>> component to avoid this popup window. >> >> Set "KrbMethodK5Passwd off" in httpd.conf. 
>> >> See also: http://modauthkerb.sourceforge.net/configure.html > > Michael, I changed the parameter and got this message: > > Authorization Required > This server could not verify that you are authorized to access the document > requested. Either you supplied the wrong credentials (e.g., bad password), > or your browser doesn't understand how to supply the credentials required. Well, you have to set up your environment to let the browser use SPNEGO/Kerberos. Ciao, Michael. From oximore at gmail.com Thu Nov 5 23:18:50 2009 From: oximore at gmail.com (Quenenni) Date: Thu, 5 Nov 2009 20:18:50 -0800 (PST) Subject: addprinc -randkey broken in 1.7? References: <87pr9q8x7q.fsf@windlord.stanford.edu> <1253158152.9347.37.camel@ray> Message-ID: On 21 sep, 19:44, Greg Hudson wrote: > On Wed, 2009-09-16 at 23:29 -0400, Greg Hudson wrote: > > It would be trivial to fix this regression by picking a temporary > > password which is valid UTF-8 but still contains all five character > > classes. ?I think that will be the best minimal fix for 1.7.1. ?For the > > trunk, time permitting, I will review and apply Marcus Watts's patch, > > which is a more elegant solution. > > Just to close the loop on this, both the minimal fix and the long-term > fix are checked in. ?We don't currently have a scheduled date for 1.7.1; > the schedule for 1.8 is March 2010 plus or minus three months. > > I failed to credit Marcus Watts in my commit of the long-term fix, which > was adapted from his patch. ?Apologies on that count. Sorry to bring back this topic. I had the same problem when using addprinc -policy service -randkey host/xxx.be My solution for -randkey to work, was to set -minclasses 1 for policy service. It was at 3 at the beginning and 2 didn't work aswell. Found the solution here: http://blogg.cefit.se/ Hope this help. 
Kenny

My config:

apt-cache show krb5-admin-server
Package: krb5-admin-server
Priority: optional
Section: net
Installed-Size: 288
Maintainer: Sam Hartman
Architecture: i386
Source: krb5
Version: 1.7dfsg~beta3-1
Depends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.4), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>= 1.6.dfsg.2), libgssrpc4 (>= 1.6.dfsg.2), libk5crypto3 (>= 1.6.dfsg.2), libkadm5srv6 (>= 1.7dfsg~beta1), libkdb5-4 (>= 1.7dfsg~alpha1), libkeyutils1, libkrb5-3 (= 1.7dfsg~beta3-1), libkrb5support0 (>= 1.7dfsg~beta2), libss2 (>= 1.01), krb5-kdc, lsb-base (>= 3.0-6)
Filename: pool/main/k/krb5/krb5-admin-server_1.7dfsg~beta3-1_i386.deb

From LUIS.RAMOS at PFIZER.COM Fri Nov 6 13:12:50 2009
From: LUIS.RAMOS at PFIZER.COM (LUISRAMOS)
Date: Fri, 6 Nov 2009 10:12:50 -0800 (PST)
Subject: Kerberos/Apache receiving Active Directory user/password in plain text
References: <26114792.post@talk.nabble.com>
Message-ID: <26230848.post@talk.nabble.com>

We tried using the GSS module and it worked smoothly for Solaris 10, since
the apache for this solaris version brings all the needed modules off the
shelf. However, we haven't been able to make it work in Solaris 9; looks
like we might be having an issue with the libraries needed to replicate the
same components Solaris 10 has. When we look at the error logs for Solaris
9 this is what we get:

Client wants GSS mech:

For Solaris 10, where it works nicely, this is the message:

Client wants GSS mech: spnego

We are testing different alternatives with the compilation of the gss module
to see what we could be missing.

Regards

Michael Ströder wrote:
>
> LUISRAMOS wrote:
>>
>> Michael Ströder wrote:
>>> LUISRAMOS wrote:
>>>> We have a unix web server with Apache where we installed kerberos to
>>>> implement single sign on.
>>> I guess you're using mod_auth_kerb?
>>>
>>>> The idea with this is to have the ability of authenticating through the
>>>> Windows Active Directory once, not needing to log in again on the unix box.
>>>> After the setup, the authentication works. When we log in to the unix
>>>> server, a popup window asks for user/pwd. After entering user/pwd the
>>>> credentials are authenticated against the windows active directory and
>>>> access to the unix/apache box is granted. However, what we want is
>>>> to avoid this login popup. We noticed that when the popup window is
>>>> displayed the following message is seen in the popup: "Warning: This
>>>> server is requesting that your username and password be sent in an
>>>> insecure manner (basic authentication without a secure connection)."
>>>> Looks like the internet browser is sending the credentials in plain
>>>> text to the unix box.
>>>>
>>>> Does anybody have an idea on how we can configure Kerberos, or any other
>>>> component, to avoid this popup window?
>>>
>>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>>
>>> See also: http://modauthkerb.sourceforge.net/configure.html
>>
>> Michael, I changed the parameter and got this message:
>>
>> Authorization Required
>> This server could not verify that you are authorized to access the
>> document requested. Either you supplied the wrong credentials (e.g., bad
>> password), or your browser doesn't understand how to supply the credentials
>> required.
>
> Well, you have to set up your environment to let the browser use
> SPNEGO/Kerberos.
>
> Ciao, Michael.
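The configuration below is an added example for the thread above; it is not taken from the original posts or from the mod_auth_kerb documentation. It puts the setting that produces the browser warning LUISRAMOS quotes beside the hardened form Michael suggests, plus a third variant for sites that cannot drop the password fallback entirely. The realm EXAMPLE.COM, the keytab path and the three Location paths are assumptions; the directive names are mod_auth_kerb's own.

```apache
# Added example, not from the thread. Assumed: realm EXAMPLE.COM, a keytab at
# /etc/apache2/http.keytab holding HTTP/www.example.com@EXAMPLE.COM, and the
# three Location paths used below.

# 1. Weak (what the original setup amounted to). KrbMethodK5Passwd defaults
#    to "on", so besides "WWW-Authenticate: Negotiate" the server also sends
#    "WWW-Authenticate: Basic". A browser that is not set up for SPNEGO takes
#    the Basic path and transmits the AD user name and password base64-encoded,
#    i.e. in clear text, over plain HTTP. That is the "insecure manner" warning.
<Location /sso-weak>
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    # default value, written out explicitly: enables the Basic (password) fallback
    KrbMethodK5Passwd on
    Require valid-user
</Location>

# 2. Hardened. Only Negotiate is offered, so the user's password never reaches
#    the web server; the server only ever sees a service ticket encrypted with
#    the HTTP/ key held in the keytab. A browser without a TGT, or one that does
#    not trust this host for Negotiate, gets 401 "Authorization Required"
#    instead of a password prompt, which is the page LUISRAMOS saw after the change.
<Location /sso>
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>

# 3. If the password fallback has to stay (clients that cannot get tickets),
#    refuse it over plain HTTP so Basic credentials only travel inside TLS,
#    and keep KDC verification on so a spoofed KDC cannot vouch for a password.
<Location /sso-password>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Intranet"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    # default is on: mod_auth_kerb obtains a ticket for HTTP/... with the
    # keytab key before accepting the password, which detects a fake KDC
    KrbVerifyKDC on
    Require valid-user
</Location>
```

With variant 2 the browser has to be told to answer the Negotiate challenge for this host: in Firefox the hostname or domain goes into network.negotiate-auth.trusted-uris, and in Internet Explorer the site must sit in the Local intranet zone with Integrated Windows Authentication enabled. On the server side the HTTP/hostname principal has to exist both in Active Directory and in the keytab named by Krb5Keytab; otherwise the Negotiate token cannot be decrypted and the request fails regardless of the browser setting.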
From jaltman at secure-endpoints.com Fri Nov 6 13:38:13 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Fri, 06 Nov 2009 13:38:13 -0500
Subject: Problem with mit2ms - Tickets are not transferred to LSA cache
References: <2ed6fd700911022334v2040befcw34c652c22ae33a7e@mail.gmail.com> <4AF02559.1020506@secure-endpoints.com> <4AF049EB.5090106@secure-endpoints.com>
Message-ID: <4AF46D15.7060806@secure-endpoints.com>

Nikolay Shopik wrote:
> Jeffrey any chance this could be updated for XP/2003 or this is already
> out of scope?

XP/2003 doesn't have the appropriate interfaces.

From deengert at anl.gov Fri Nov 6 14:40:46 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 06 Nov 2009 13:40:46 -0600
Subject: Kerberos/Apache receiving Active Directory user/password in plain text
In-Reply-To: <26230848.post@talk.nabble.com>
References: <26114792.post@talk.nabble.com> <26230848.post@talk.nabble.com>
Message-ID: <4AF47BBE.6070100@anl.gov>

LUISRAMOS wrote:
> We tried using the GSS module and it worked smoothly for Solaris 10, since
> the apache for this solaris version brings all the needed modules off the
> shelf. However, we haven't been able to make it work in Solaris 9; looks
> like we might be having an issue with the libraries needed to replicate the
> same components Solaris 10 has. When we look at the error logs for Solaris
> 9 this is what we get:
>
> Client wants GSS mech:
>
> For Solaris 10, where it works nicely, this is the message:
>
> Client wants GSS mech: spnego
>
> We are testing different alternatives with the compilation of the gss module
> to see what we could be missing.
>

Solaris 9 is pretty old, and Sun did not expose the Kerberos API.
We always used the MIT Kerberos on Solaris 9. Solaris 10 is much better,
and Sun keeps it more up to date, and has exposed the Kerberos API.

If you are not on the modauthkerb-help at lists.sourceforge.net list you
should be. There is a Solaris discussion going on there.

> Regards
>
> Michael Ströder wrote:
>> LUISRAMOS wrote:
>>> Michael Ströder wrote:
>>>> LUISRAMOS wrote:
>>>>> We have a unix web server with Apache where we installed kerberos to
>>>>> implement single sign on.
>>>> I guess you're using mod_auth_kerb?
>>>>
>>>>> The idea with this is to have the ability of authenticating through the
>>>>> Windows Active Directory once, not needing to log in again on the unix box.
>>>>> After the setup, the authentication works. When we log in to the unix
>>>>> server, a popup window asks for user/pwd. After entering user/pwd the
>>>>> credentials are authenticated against the windows active directory and
>>>>> access to the unix/apache box is granted. However, what we want is
>>>>> to avoid this login popup. We noticed that when the popup window is
>>>>> displayed the following message is seen in the popup: "Warning: This
>>>>> server is requesting that your username and password be sent in an
>>>>> insecure manner (basic authentication without a secure connection)."
>>>>> Looks like the internet browser is sending the credentials in plain
>>>>> text to the unix box.
>>>>>
>>>>> Does anybody have an idea on how we can configure Kerberos, or any other
>>>>> component, to avoid this popup window?
>>>> Set "KrbMethodK5Passwd off" in httpd.conf.
>>>>
>>>> See also: http://modauthkerb.sourceforge.net/configure.html
>>> Michael, I changed the parameter and got this message:
>>>
>>> Authorization Required
>>> This server could not verify that you are authorized to access the
>>> document requested. Either you supplied the wrong credentials (e.g., bad
>>> password), or your browser doesn't understand how to supply the credentials
>>> required.
>> Well, you have to set up your environment to let the browser use
>> SPNEGO/Kerberos.
>>
>> Ciao, Michael.
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From nicolas.greneche at gmail.com Sun Nov 8 09:20:56 2009
From: nicolas.greneche at gmail.com (garnett)
Date: Sun, 8 Nov 2009 06:20:56 -0800 (PST)
Subject: Maximum size of a Unix MIT Kerberos database backend
Message-ID: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com>

Hi all,

In our University I wish to centralize authentication in a Linux MIT
KDC. This operation will spawn a KDC with about 30 000 principals. Is
it a problem for the MIT Kerberos implementation? We will run the 1.6
version bundled with Debian Lenny.

Is there a need for tricks to handle such a database?

Thanks for your pieces of advice.

Nico (http://blog.garnett.fr)

From tomisfaraway at gmail.com Sun Nov 8 22:33:22 2009
From: tomisfaraway at gmail.com (Tom Shaw)
Date: Sun, 8 Nov 2009 19:33:22 -0800 (PST)
Subject: Assertion failed for krb5kdc
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID: <434c8970-2027-42d4-9c26-9e739af688a1@b36g2000prf.googlegroups.com>

On Oct 20, 8:46 am, Ken Raeburn wrote:
> On Oct 19, 2009, at 16:55, eightball wrote:
>
> >> This would be dependent on some configuration macros,
> >> HAVE_PRAGMA_WEAK_REF and NO_WEAK_PTHREADS; can you see which are set
> >> in include/autoconf.h in the build tree? The former should be
> >> defined
> >> (based on tests of the compiler, so it may also depend on which
> >> compiler you're using), and the latter should not (selected in the
> >> configure script based on the OS version).
>
> >> Ken
>
> > Both are set to 1.
>
> Okay, that sounds like it's the problem. The configure script should
> be setting the latter only for Solaris 10, unless the patterns we're
> checking for are wrong:
> [...]
> solaris2.[1-9])
> [...]

I had the same problem on Solaris 9. I just downloaded the latest
krb5-1.7-signed.tar (http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar)
and the configure script is not quite the same as you have listed.

Instead of:
solaris2.[1-9])

the configure script has:
solaris2.1-9)

Changing the configure script to your version (with the square brackets)
and re-building fixed the problem.

Regards
Tom

--
Tom Shaw
Solid Systems Australia

From raeburn at MIT.EDU Mon Nov 9 01:08:12 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 9 Nov 2009 01:08:12 -0500
Subject: Assertion failed for krb5kdc
In-Reply-To: <434c8970-2027-42d4-9c26-9e739af688a1@b36g2000prf.googlegroups.com>
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com> <434c8970-2027-42d4-9c26-9e739af688a1@b36g2000prf.googlegroups.com>
Message-ID: <02E29DFF-7CA9-41F8-8ECD-18D142219BD4@mit.edu>

On Nov 8, 2009, at 22:33, Tom Shaw wrote:
> I had the same problem on Solaris 9. I just downloaded the latest
> krb5-1.7-signed.tar (http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar)
> and the configure script is not quite the same as you have listed.
>
> Instead of:
> solaris2.[1-9])
>
> the configure script has:
> solaris2.1-9)

Ah, darned m4 quoting... fixing it in the sources now. Thanks for
spotting that.

The code I had quoted was from the aclocal.m4 file supplying macros to
be run through m4 to generate the configure script, and not the actual
generated configure script itself. In most of the macro processing, []
are quoting characters, and one level of them (or more, depending on
usage) get removed...
Ken

From raeburn at MIT.EDU Mon Nov 9 01:21:47 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 9 Nov 2009 01:21:47 -0500
Subject: Maximum size of a Unix MIT Kerberos database backend
In-Reply-To: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com>
References: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com>
Message-ID: <9DFD9C16-E97F-45C7-961A-F1F3E879CC13@mit.edu>

On Nov 8, 2009, at 09:20, garnett wrote:
> In our University I wish to centralize authentication in a Linux MIT
> KDC. This operation will spawn a KDC with about 30 000 principals. Is
> it a problem for the MIT Kerberos implementation? We will run the 1.6
> version bundled with Debian Lenny.
>
> Is there a need for tricks to handle such a database?

No, there shouldn't be. You may want a slave KDC or two for redundancy
in case of hardware problems -- with that many entries it's probably
going to be a critical service for a lot of people -- but in terms of
disk space and cpu load, just about any desktop or server system you can
buy off the shelf these days should be able to handle it easily.

Ken
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From vikrant at gslab.com Mon Nov 9 02:06:41 2009
From: vikrant at gslab.com (Vikrant Pawar)
Date: Mon, 09 Nov 2009 12:36:41 +0530
Subject: gss-server, gss-client
Message-ID: <4AF7BF81.90503@gslab.com>

Hi,

I want to install the gss-server on our lab machine. I have set up the
KDC; it's up and running and I can get tickets.
While running gss-server it asks for a keytab entry, hence I have created
one using kadmin: ktadd root

Now I get the error "GSS-API error acquiring credentials: Key table entry
not found".

--
Best Regards,
Vikrant Pawar
Great Software Laboratory Pvt Ltd.
http://www.gslab.com

From petesea at bigfoot.com Mon Nov 9 17:50:04 2009
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Mon, 09 Nov 2009 14:50:04 -0800 (PST)
Subject: KfW 3.2.2 multiple users via SSH

I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a
problem using kinit/klist when multiple users ssh to the host.

If I ssh to the windows host as "userA", then run klist, I see the
following:

(as userA - krbcc32s NOT running)
$ klist
klist.exe: No credentials cache found (ticket cache API:krb5cc)

That's as expected. And... looking at ProcessExplorer, the krbcc32s
process is now running as "userA".

Now, ssh as "userB" and run klist:

(as userB - krbcc32s running as userA)
$ klist
klist.exe: Credentials cache I/O operation failed XXX while getting default ccache

If I kill krbcc32s and redo the test, but login as "userB" first, I see
just the reverse, ie:

(as userB - krbcc32s NOT running)
$ klist
klist.exe: No credentials cache found (ticket cache API:krb5cc)

(as userA - krbcc32s running as userB)
$ klist
klist.exe: Credentials cache I/O operation failed XXX while getting default ccache

My first suspicion was the fact that the CC is the same for both users
(API:krb5cc), but if I redo the above tests and set KRB5CCNAME to
something unique for each user (eg. API:krb5cc_userA, API:krb5cc_userB) it
fails the same way.

If I use a unique "FILE:" credentials cache for each user (eg.
FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to
work, but krbcc32s is running as the first user who started it, which
bothers me.

Soooo... 2 questions:

1) Is it not possible to use an API: credentials cache for more than one
user?
2) Is it OK to use a FILE: credentials cache in this case even though
krbcc32s is running as the first user who started it?

From jaltman at secure-endpoints.com Mon Nov 9 18:23:44 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 09 Nov 2009 18:23:44 -0500
Subject: KfW 3.2.2 multiple users via SSH
Message-ID: <4AF8A480.3020600@secure-endpoints.com>

krbcc32s.exe is per session. You can't run two instances in the same
session with different authentication contexts. I don't know how the
sshd you are using is implemented but apparently it doesn't run the
underlying users in distinct logon sessions.

petesea at bigfoot.com wrote:
> I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a
> problem using kinit/klist when multiple users ssh to the host.
>
> If I ssh to the windows host as "userA", then run klist, I see the
> following:
>
> (as userA - krbcc32s NOT running)
> $ klist
> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>
> That's as expected. And... looking at ProcessExplorer, the krbcc32s
> process is now running as "userA".
>
> Now, ssh as "userB" and run klist:
>
> (as userB - krbcc32s running as userA)
> $ klist
> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>
> If I kill krbcc32s and redo the test, but login as "userB" first, I see
> just the reverse, ie:
>
> (as userB - krbcc32s NOT running)
> $ klist
> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>
> (as userA - krbcc32s running as userB)
> $ klist
> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>
> My first suspicion was the fact that the CC is the same for both users
> (API:krb5cc), but if I redo the above tests and set KRB5CCNAME to
> something unique for each user (eg. API:krb5cc_userA, API:krb5cc_userB) it
> fails the same way.
>
> If I use a unique "FILE:" credentials cache for each user (eg.
> FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to
> work, but krbcc32s is running as the first user who started it, which
> bothers me.
>
> Soooo... 2 questions:
>
> 1) Is it not possible to use an API: credentials cache for more than one
> user?
>
> 2) Is it OK to use a FILE: credentials cache in this case even though
> krbcc32s is running as the first user who started it?

From v.rathor at gmail.com Tue Nov 10 01:16:15 2009
From: v.rathor at gmail.com (Vipin Rathor)
Date: Tue, 10 Nov 2009 11:46:15 +0530
Subject: gss-server, gss-client
In-Reply-To: <4AF7BF81.90503@gslab.com>
References: <4AF7BF81.90503@gslab.com>
Message-ID: <33ab2aef0911092216w32640611l716517ba25ab7cc3@mail.gmail.com>

> While running gss-server it asks for a keytab entry,
>
> hence I have created one using kadmin: ktadd root
>
> Now I get the error "GSS-API error acquiring credentials: Key table entry
> not found"
>

The keytab entry that the gss-server was looking for is in fact an entry
for the GSS server (something like gss-server/@REALM). Try creating it and
adding it to the keytab.

From vikrant at gslab.com Tue Nov 10 01:19:23 2009
From: vikrant at gslab.com (Vikrant Pawar)
Date: Tue, 10 Nov 2009 11:49:23 +0530
Subject: gss-server, gss-client
In-Reply-To: <33ab2aef0911092216w32640611l716517ba25ab7cc3@mail.gmail.com>
References: <4AF7BF81.90503@gslab.com> <33ab2aef0911092216w32640611l716517ba25ab7cc3@mail.gmail.com>
Message-ID: <4AF905EB.8050901@gslab.com>

Thanks, I got this after much digging through documents.
Best Regards,
Vikrant Pawar
Great Software Laboratory Pvt Ltd.
http://www.gslab.com

On 11/10/2009 11:46 AM, Vipin Rathor wrote:
>> While running gss-server it asks for a keytab entry,
>>
>> hence I have created one using kadmin: ktadd root
>>
>> Now I get the error "GSS-API error acquiring credentials: Key table entry
>> not found"
>>
>>
> The keytab entry that the gss-server was looking for is in fact an
> entry for the GSS server (something like
> gss-server/@REALM). Try creating it and adding it to the
> keytab.
>
>

From jmontmartin at gmail.com Tue Nov 10 11:55:42 2009
From: jmontmartin at gmail.com (Julien Montmartin)
Date: Tue, 10 Nov 2009 17:55:42 +0100
Subject: ktpass fails to create a service principal (win 2000 server SP4)

Hi List,

I'm working on a kerberized application server and I have some trouble when
I try to generate the keytab with ktpass... Although everything works nicely
for the demo in the lab, it fails in the real world!

Here is the command I use (windows 2000 server SP4):

ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM -mapuser testUser@private.myCompagnie.com -pass xyz -out C:\temp\keytab

Failed to get DN from search result: 0X80070057
Failed to locate user "(samAccountName=testUser@private.myCompagnie.com)".
Failed to retrieve user info for testUser@private.myCompagnie.com: 0x8ad.
Aborted.

testUser is a brand new user created for the service. Are there any traps
when you create new users in AD? (I'm a beginner with AD.) Any idea or
pointer to investigate this error?

Thanks,

Julien

From deengert at anl.gov Tue Nov 10 12:25:54 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Tue, 10 Nov 2009 11:25:54 -0600
Subject: ktpass fails to create a service principal (win 2000 server SP4)
Message-ID: <4AF9A222.8060500@anl.gov>

Julien Montmartin wrote:
> Hi List,
>
> I'm working on a kerberized application server and I have some trouble when
> I try to generate the keytab with ktpass... Although everything works nicely
> for the demo in the lab, it fails in the real world!
>
> Here is the command I use (windows 2000 server SP4):
>
> ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM -mapuser testUser@private.myCompagnie.com -pass xyz -out C:\temp\keytab

-mapuser testUser

> Failed to get DN from search result: 0X80070057
> Failed to locate user "(samAccountName=testUser@private.myCompagnie.com)".
> Failed to retrieve user info for testUser@private.myCompagnie.com: 0x8ad.
> Aborted.
>
> testUser is a brand new user created for the service. Are there any traps
> when you create new users in AD? (I'm a beginner with AD.) Any idea or
> pointer to investigate this error?
>
> Thanks,
>
> Julien
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From jawashin at illinois.edu Tue Nov 10 12:14:40 2009
From: jawashin at illinois.edu (John Washington)
Date: Tue, 10 Nov 2009 11:14:40 -0600
Subject: Maximum size of a Unix MIT Kerberos database backend
In-Reply-To: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com>
References: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com>
Message-ID: <20091110171440.GL12692@kyoto.cites.uiuc.edu>

Our backend was last counted at over 200,000 principals and the only noticeable
impact (at this time) is that propagation time is around two minutes.
* garnett [2009-11-08 22:40]:
> Hi all,
>
> In our University I wish to centralize authentication in a Linux MIT
> KDC. This operation will spawn a KDC with about 30 000 principals. Is
> it a problem for the MIT Kerberos implementation? We will run the 1.6
> version bundled with Debian Lenny.
>
> Is there a need for tricks to handle such a database?
>
> Thanks for your pieces of advice.
>
> Nico (http://blog.garnett.fr)

--
John Washington
Network Security Officer, University of Illinois Urbana-Champaign

From petesea at bigfoot.com Tue Nov 10 16:09:27 2009
From: petesea at bigfoot.com (petesea@bigfoot.com)
Date: Tue, 10 Nov 2009 13:09:27 -0800 (PST)
Subject: KfW 3.2.2 multiple users via SSH
In-Reply-To: <4AF8A480.3020600@secure-endpoints.com>
References: <4AF8A480.3020600@secure-endpoints.com>

I only see the errors if I use an API: credentials cache. If I use a FILE:
credentials cache it seems to work fine even though there's only one
krbcc32s.exe running. I'm able to obtain unique credentials for both users
and they appear to work fine. Is that a problem? Is there some reason not
to rely on this?

FYI... with regards to SSHD creating a new logon session for each user,
apparently this is a Cygwin issue. I'm using Cygwin OpenSSH (5.1) and if I
login via password authentication I do get a new session for each user. If
I use pubkey authentication it uses the same session as the sshd process.
This problem is supposed to be addressed in the forthcoming Cygwin 1.7
release.
http://marc.info/?l=openssh-unix-dev&m=125784677826016&w=2

On Mon, 9 Nov 2009, Jeffrey Altman wrote:

> krbcc32s.exe is per session. You can't run two instances in the same
> session with different authentication contexts. I don't know how the
> sshd you are using is implemented but apparently it doesn't run the
> underlying users in distinct logon sessions.
>
> petesea at bigfoot.com wrote:
>> I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a
>> problem using kinit/klist when multiple users ssh to the host.
>>
>> If I ssh to the windows host as "userA", then run klist, I see the
>> following:
>>
>> (as userA - krbcc32s NOT running)
>> $ klist
>> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>>
>> That's as expected. And... looking at ProcessExplorer, the krbcc32s
>> process is now running as "userA".
>>
>> Now, ssh as "userB" and run klist:
>>
>> (as userB - krbcc32s running as userA)
>> $ klist
>> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>>
>> If I kill krbcc32s and redo the test, but login as "userB" first, I see
>> just the reverse, ie:
>>
>> (as userB - krbcc32s NOT running)
>> $ klist
>> klist.exe: No credentials cache found (ticket cache API:krb5cc)
>>
>> (as userA - krbcc32s running as userB)
>> $ klist
>> klist.exe: Credentials cache I/O operation failed XXX while getting default ccache
>>
>> My first suspicion was the fact that the CC is the same for both users
>> (API:krb5cc), but if I redo the above tests and set KRB5CCNAME to
>> something unique for each user (eg. API:krb5cc_userA, API:krb5cc_userB) it
>> fails the same way.
>>
>> If I use a unique "FILE:" credentials cache for each user (eg.
>> FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to
>> work, but krbcc32s is running as the first user who started it, which
>> bothers me.
>>
>> Soooo... 2 questions:
>>
>> 1) Is it not possible to use an API: credentials cache for more than one
>> user?
>>
>> 2) Is it OK to use a FILE: credentials cache in this case even though
>> krbcc32s is running as the first user who started it?
>

From raeburn at MIT.EDU Tue Nov 10 16:21:07 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 10 Nov 2009 16:21:07 -0500
Subject: Maximum size of a Unix MIT Kerberos database backend
In-Reply-To: <20091110171440.GL12692@kyoto.cites.uiuc.edu>
References: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com> <20091110171440.GL12692@kyoto.cites.uiuc.edu>
Message-ID: <5EA7C8C3-5913-4986-B416-82C5FD7B91A7@mit.edu>

On Nov 10, 2009, at 12:14, John Washington wrote:
> Our backend was last counted at over 200,000 principals and the only
> noticeable
> impact (at this time) is that propagation time is around two minutes.

Have you looked into the new (Sun-contributed) incremental propagation
code in 1.7?

Ken
--
Ken Raeburn / raeburn at mit.edu / no longer at MIT Kerberos Consortium

From nicolas.greneche at gmail.com Tue Nov 10 16:32:50 2009
From: nicolas.greneche at gmail.com (garnett)
Date: Tue, 10 Nov 2009 13:32:50 -0800 (PST)
Subject: Maximum size of a Unix MIT Kerberos database backend
References: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com> <20091110171440.GL12692@kyoto.cites.uiuc.edu>
Message-ID: <8a6cae69-71af-475b-8d63-21a15ddf8f17@m26g2000yqb.googlegroups.com>

On 10 Nov, 22:21, Ken Raeburn wrote:
> On Nov 10, 2009, at 12:14, John Washington wrote:
>
> > Our backend was last counted at over 200,000 principals and the only
> > noticeable
> > impact (at this time) is that propagation time is around two minutes.
>
> Have you looked into the new (Sun-contributed) incremental propagation
> code in 1.7?
>
> Ken
>
> --
> Ken Raeburn / raeb... at mit.edu / no longer at MIT Kerberos Consortium

Thanks to all for your responses!
I'm more confident in using Kerberos ;-)

From Nicolas.Williams at sun.com Tue Nov 10 16:34:00 2009
From: Nicolas.Williams at sun.com (Nicolas Williams)
Date: Tue, 10 Nov 2009 15:34:00 -0600
Subject: Maximum size of a Unix MIT Kerberos database backend
In-Reply-To: <20091110171440.GL12692@kyoto.cites.uiuc.edu>
References: <9ccb6aa6-ef2c-4517-a72d-72a6cc5d1a07@d21g2000yqn.googlegroups.com> <20091110171440.GL12692@kyoto.cites.uiuc.edu>
Message-ID: <20091110213359.GG1105@Sun.COM>

On Tue, Nov 10, 2009 at 11:14:40AM -0600, John Washington wrote:
> Our backend was last counted at over 200,000 principals and the only noticeable
> impact (at this time) is that propagation time is around two minutes.

My previous experience was with ~100K principals, and indeed, it scales
fine. I suspect it scales just fine to much larger sizes.

Things to keep in mind:

- The MIT krb5 KDC (and so the Solaris one) is single-threaded, and
  demand for KDC exchanges matters more than the number of principals in
  the KDB, but you're likely to have multi-core/multi-thread-CPU hardware,
  so you may want to create a VM/zone/jail per core or per hardware thread
  and run the KDC in as many as you need to scale to demand. You'll
  probably want to measure how many KDC exchanges you can get per HW
  thread and decide how many KDCs you need based on expected demand.
  Estimating demand requires knowledge of what kerberized services you
  will have. In any case, if you will deploy incrementally, then you can
  add KDCs as you deploy.

- Incremental propagation helps; I recommend it.

Nico
--

From akshar.kerberos at gmail.com Wed Nov 11 00:25:18 2009
From: akshar.kerberos at gmail.com (akshar kanak)
Date: Wed, 11 Nov 2009 10:55:18 +0530
Subject: [PKINIT] A doubt regarding certificate chaining in PKINIT code
Message-ID: <5ff84dca0911102125g5a98542bv1cab7595ed8d9d11@mail.gmail.com>

Dear team

I have one doubt regarding the certificate chaining code in the PKINIT
code. I am using kerberos 1.6.3.
In the function cms_signeddata_create(), why is the variable
"include_certchain" specifically set to 1? Is there any specific reason to
include the complete certificate chain in the SignedData?

Thanks in advance

Thanks and Regards
Akshar

From braden at endoframe.com Wed Nov 11 04:46:04 2009
From: braden at endoframe.com (Braden McDaniel)
Date: Wed, 11 Nov 2009 04:46:04 -0500
Subject: Problem using Kerberos for user authentication
Message-ID: <1257932764.3112.444.camel@localhost>

I'm trying to get off the ground setting up Kerberos on a Fedora 11 box.
I've attempted to follow the instructions here:

        http://aput.net/~jheiss/krbldap/howto.html

"kinit username/admin" appears to work. But I can't get system logins to
work. I've used the authconfig-tui utility to enable Kerberos for
authentication; /etc/pam.d/system-auth looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

I've tried both changing the password field for the user in /etc/shadow
to "*K*" (as mentioned in the howto) and removing the user's entry
in /etc/shadow altogether--in both cases login fails.
Any ideas what the problem might be? Or where else I should be looking to find out? -- Braden McDaniel From ryan.b.lynch at gmail.com Wed Nov 11 10:33:58 2009 From: ryan.b.lynch at gmail.com (Ryan Lynch) Date: Wed, 11 Nov 2009 10:33:58 -0500 Subject: Problem using Kerberos for user authentication In-Reply-To: <1257932764.3112.444.camel@localhost> References: <1257932764.3112.444.camel@localhost> Message-ID: <115906d10911110733i375e077fi4eca958d30fe3f22@mail.gmail.com> On Wed, Nov 11, 2009 at 04:46, Braden McDaniel wrote: > I'm trying to get off the ground setting up Kerberos on a Fedora 11 box. > I've attempted to follow the instructions here: ... > Any ideas what the problem might be? Or where else I should be looking > to find out? I set this up recently on a few F11 boxes. When I get a chance, later today, I'll take a look at your configs and compare them with mine. Also, are you trying to login locally at the console, or through KDM/GDM/XDM, or via SSH, or what? -Ryan From javiplx at gmail.com Wed Nov 11 10:46:54 2009 From: javiplx at gmail.com (Javier Palacios) Date: Wed, 11 Nov 2009 16:46:54 +0100 Subject: Problem using Kerberos for user authentication In-Reply-To: <1257932764.3112.444.camel@localhost> References: <1257932764.3112.444.camel@localhost> Message-ID: > I'm trying to get off the ground setting up Kerberos on a Fedora 11 box. > I've attempted to follow the instructions here: > http://aput.net/~jheiss/krbldap/howto.html That is a pretty old howto (probably older than fedora). > I've tried both changing the password field for the user in /etc/shadow > to "*K*" (as mentioned in the howto) and removing the user's entry > in /etc/shadow altogether--in both cases login fails. The '*K*' thing is probably inaccurate. I've never used it, and had success in debian, fedora and RHEL. And removing the user entry in /etc/shadow (without changes in /etc/passwd) should produce a non-usable account, either with kerberos or whichever auth method.
> Any ideas what the problem might be? Or where else I should be looking > to find out? Just in case, you need to be able to `kinit username` (without the /admin). And for the pam_krb5 lines on system-auth, you can add 'debug' and will get some extra info on syslog. And following the question from Ryan, I recommend you to check first with console, then with ssh and finally with any window based login. Javier Palacios From sgla9347 at gmail.com Wed Nov 11 11:21:31 2009 From: sgla9347 at gmail.com (Steve Glasser) Date: Wed, 11 Nov 2009 08:21:31 -0800 Subject: Problem using Kerberos for user authentication In-Reply-To: <115906d10911110733i375e077fi4eca958d30fe3f22@mail.gmail.com> References: <1257932764.3112.444.camel@localhost> <115906d10911110733i375e077fi4eca958d30fe3f22@mail.gmail.com> Message-ID: Where are your user accounts held? The instructions you cite above assume your user accounts are kept in ldap. This may sound obvious, but you need to create valid user accounts in either ldap or the local passwd/shadow files (less working passwords, of course). Check your logs on both the client and server for clues. Please post any errors. If you are following the cited howto, I assume you did test Kerberos authentication separately and it is working, right? Cheers, Steve On Wed, Nov 11, 2009 at 7:33 AM, Ryan Lynch wrote: > On Wed, Nov 11, 2009 at 04:46, Braden McDaniel wrote: >> I'm trying to get off the ground setting up Kerberos on a Fedora 11 box. >> I've attempted to follow the instructions here: > ... -- Steve Glasser sgla9347 at gmail.com From deengert at anl.gov Wed Nov 11 11:23:33 2009 From: deengert at anl.gov (Douglas E. Engert) Date: Wed, 11 Nov 2009 10:23:33 -0600 Subject: Problem using Kerberos for user authentication In-Reply-To: References: <1257932764.3112.444.camel@localhost> Message-ID: <4AFAE505.6060200@anl.gov> Javier Palacios wrote: >> I'm trying to get off the ground setting up Kerberos on a Fedora 11 box.
>> I've attempted to follow the instructions here: >> http://aput.net/~jheiss/krbldap/howto.html > > That is a pretty old howto (probably older than fedora). > >> I've tried both changing the password field for the user in /etc/shadow >> to "*K*" (as mentioned in the howto) and removing the user's entry >> in /etc/shadow altogether--in both cases login fails. > > The '*K*' thing is probably inaccurate. I've never used it, and had > success in debian, fedora and RHEL. And removing the user entry in > /etc/shadow (without changes in /etc/passwd) should produce a > non-usable account, either with kerberos or whichever auth method. If shadow has * it would be a locked account, and the pam account should not allow login. Using NP i.e. no password works well as there is no password that can match NP. (When in LDAP, use {crypt}NP) > >> Any ideas what the problem might be? Or where else I should be looking >> to find out? > > Just in case, you need to be able to `kinit username` (without the /admin). > > And for the pam_krb5 lines on system-auth, you can add 'debug' and > will get some extra info on syslog. > > And following the question from Ryan, I recommend you to check first > with console, then with ssh and finally with any window based login. > > Javier Palacios > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From manojm at us.ibm.com Wed Nov 11 11:24:22 2009 From: manojm at us.ibm.com (Manoj Mohan) Date: Wed, 11 Nov 2009 10:24:22 -0600 Subject: Memory Callback support in GSSAPI Message-ID: Hi, In order to ensure that server side code for Single-Sign-On can run on multiple processes, I wanted to find out if there are any available APIs to register memory callback functions for malloc/realloc/free.
Right now I can see that when I call functions like gss_acquire_cred/gss_sec_accept_context the credential handle will come out of heap/process memory and when the thread will migrate to another process it will be invalid. If memory callback functions are not there.. what is the best way to handle this? Thanks in advance.. Regards, Manoj From ryan.b.lynch at gmail.com Wed Nov 11 11:41:34 2009 From: ryan.b.lynch at gmail.com (Ryan Lynch) Date: Wed, 11 Nov 2009 11:41:34 -0500 Subject: Problem using Kerberos for user authentication In-Reply-To: <1257932764.3112.444.camel@localhost> References: <1257932764.3112.444.camel@localhost> Message-ID: <115906d10911110841g7d1d44bcw60f0248e4df3bb16@mail.gmail.com> On Wed, Nov 11, 2009 at 04:46, Braden McDaniel wrote:
>        #%PAM-1.0
>        # This file is auto-generated.
>        # User changes will be destroyed the next time authconfig is run.
>        auth        required      pam_env.so
>        auth        sufficient    pam_unix.so nullok try_first_pass
>        auth        requisite     pam_succeed_if.so uid >= 500 quiet
>        auth        sufficient    pam_krb5.so use_first_pass
>        auth        required      pam_deny.so
>
>        account     required      pam_unix.so broken_shadow
>        account     sufficient    pam_localuser.so
>        account     sufficient    pam_succeed_if.so uid < 500 quiet
>        account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
>        account     required      pam_permit.so
>
>        password    requisite     pam_cracklib.so try_first_pass retry=3
>        password    sufficient    pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
>        password    sufficient    pam_krb5.so use_authtok
>        password    required      pam_deny.so
>
>        session     optional      pam_keyinit.so revoke
>        session     required      pam_limits.so
>        session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>        session     required      pam_unix.so
>        session     optional      pam_krb5.so
>
For starters, here's my '/etc/pam.d/system_auth':

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so minimum_uid=9999 debug
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_krb5.so minimum_uid=9999 debug
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so minimum_uid=9999 debug
password    required      pam_deny.so

#session    optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_krb5.so minimum_uid=9999 debug
session     required      pam_unix.so

There are some differences between our setups. The biggest difference appears to be that I'm using 'pam_krb5' in combination with 'nss_ldap', because my user/group accounts are stored in LDAP (on an MS Active Directory DC). All accounts are either purely local (only exist in /etc/passwd, group, and shadow), or purely AD (only exist in Kerberos and LDAP)--there are no overlapping cases, where an account has a local /etc/passwd entry and a Kerberos principal, as well. So I don't think this will be very useful to you, after all. Sorry about that. But I do want to suggest a couple of things that might help:
- Authenticating SSH logins via Kerberos tokens requires some changes to ssh_config, and possibly sshd_config, as well. If you haven't modified either the client or server for GSS/Kerberos operations, and you're not using any special command-line options, that may be part of your problem.
- Can you post a copy of your /etc/krb5.conf file up here, as well? In my experience, it's awfully hard to distinguish between errors in the krb5.conf and pam.d/system_auth. - I wanted to echo Javier's suggestion about using the 'debug' parameter to 'pam_krb5'. You can activate it via the 'system_auth' lines, or via your 'krb5.conf'. I could not have gotten my setup to work without the debug messages. -Ryan From tlyu at MIT.EDU Wed Nov 11 12:30:40 2009 From: tlyu at MIT.EDU (Tom Yu) Date: Wed, 11 Nov 2009 12:30:40 -0500 Subject: Memory Callback support in GSSAPI In-Reply-To: (Manoj Mohan's message of "Wed, 11 Nov 2009 11:24:22 -0500") References: Message-ID: Manoj Mohan writes: > In order to ensure that server side code for Single-Sign-On runs can run on > multiple processes, I wanted to find out if there any available APIs to > register memory callback functions for malloc/realloc/free. Right now I can > see that when I call functions like gss_acquire_cred/gss_sec_accept_context > the credential handle will come out of heap/process memory and when the > thread will migrate to another process it will be invalid. Would you please explain what sort of cross-process thread migration is involved? The gss_export_sec_context and gss_import_sec_context functions should accomplish most anticipated cross-process migration of GSS-API state; is there a particular reason you need to migrate a credential handle? > If memory callback functions are not there.. what is the best way to handle > this? Memory callback functions aren't present in the current API. Are you considering placing such structures in shared memory or something similar? The GSS-API is an IETF standards-track specification; it so happens that the IETF KITTEN Working Group is contemplating some API revisions, and we could use some input from application developers and others who have a desire to improve the API. 
The idea of memory management callback functions is one direction that some KITTEN Working Group participants have mentioned as a possible improvement. The Working Group charter is at http://www.ietf.org/dyn/wg/charter/kitten-charter.html and the mailing list archive is at http://www.ietf.org/mail-archive/web/kitten/current/maillist.html Please consider participating in the Working Group by joining its mailing list; while of course I can relay suggestions that people post to the Kerberos mailing list/newsgroup, direct participation in the Working Group is also valuable. -- Tom Yu Development Team Leader MIT Kerberos Consortium (and IETF KITTEN WG co-chair) From manojm at us.ibm.com Wed Nov 11 13:08:44 2009 From: manojm at us.ibm.com (Manoj Mohan) Date: Wed, 11 Nov 2009 12:08:44 -0600 Subject: Memory Callback support in GSSAPI In-Reply-To: References: Message-ID: Hi Tom, We have our own threading model and scheduler.. so that we can have better control. In this design, there can be multiple processes batched by the type of work they can do (Like encryption work will go on one type of processes, IO on another etc). In order to ensure that work can be scheduled on any one of them, the structures should come out of shared memory. For instance,

Server side code snippet/logic
========================
gss_cred_id_t verifier_cred_handle;
gss_ctx_id_t context_handle;
gss_name_t src_name = NULLPTR;
gss_OID actual_mech_type=0;
gss_channel_bindings_t input_chan_bindings = GSS_C_NO_CHANN­EL_BINDINGS;
gss_buffer_desc gss_input_token, gss_output_token;
uint4 ret_flags=0;
OM_uint32 time_ret=0;
gss_cred_id_t delegated_cred_handle=0;
........................
/* called gss_import_name to convert the server principal */
maj_stat = gss_import_name(&min_stat, &name_buffer,
#ifndef NT
                            GSS_C_NT_USER_NAME,
#else
                            GSS_C_NULL_OID,
#endif /* !NT */
                            &server_name_internal);
.............................
/* Called gss_acquire_cred to get the credential */
/* Internally we are calling gss_acquire_cred with GSS_C_ACCEPT */
if (get_cred_from_keytab(server_name_internal, &verifier_cred_handle, time_req, &time_ret, status)
................................
/* This verifier_cred_handle is then passed to gss_accept_sec_context */
maj_stat = gss_accept_sec_context(&min_stat, &context_handle, verifier_cred_handle,
                                  &gss_input_token, input_chan_bindings, &src_name,
                                  &actual_mech_type, &gss_output_token, &ret_flags,
                                  &time_ret, &delegated_cred_handle);
/* Once successful we go ahead and save this in our structure some where */
/* However this is NOT coming from shared memory, so when the thread migrates to a different process */
/* it bombs */

So far I have always worked with libraries which provide certain APIs to register our shared memory callbacks for malloc/realloc and free. However, in order to implement SSO (we support only Kerberos V), we decided to use the os provided library (libgss) and somehow I don't see any such API... I am trying to read more on this but nothing too relevant is coming up on the web.. any pointers would be great. I have registered my id in the mailing list... would love to contribute.. Regards, Manoj From: Tom Yu To: Manoj Mohan/Lenexa/IBM at IBMUS Cc: "kerberos at mit.edu" Date: 11/11/2009 11:31 AM Subject: Re: Memory Callback support in GSSAPI Manoj Mohan writes: > In order to ensure that server side code for Single-Sign-On runs can run on > multiple processes, I wanted to find out if there any available APIs to > register memory callback functions for malloc/realloc/free. Right now I can > see that when I call functions like gss_acquire_cred/gss_sec_accept_context > the credential handle will come out of heap/process memory and when the > thread will migrate to another process it will be invalid. Would you please explain what sort of cross-process thread migration is involved?
The gss_export_sec_context and gss_import_sec_context functions should accomplish most anticipated cross-process migration of GSS-API state; is there a particular reason you need to migrate a credential handle? > If memory callback functions are not there.. what is the best way to handle > this? Memory callback functions aren't present in the current API. Are you considering placing such structures in shared memory or something similar? The GSS-API is an IETF standards-track specification; it so happens that the IETF KITTEN Working Group is contemplating some API revisions, and we could use some input from application developers and others who have a desire to improve the API. The idea of memory management callback functions is one direction that some KITTEN Working Group participants have mentioned as a possible improvement. The Working Group charter is at http://www.ietf.org/dyn/wg/charter/kitten-charter.html and the mailing list archive is at http://www.ietf.org/mail-archive/web/kitten/current/maillist.html Please consider participating in the Working Group by joining its mailing list; while of course I can relay suggestions that people post to the Kerberos mailing list/newsgroup, direct participation in the Working Group is also valuable. -- Tom Yu Development Team Leader MIT Kerberos Consortium (and IETF KITTEN WG co-chair) From braden at endoframe.com Wed Nov 11 14:18:11 2009 From: braden at endoframe.com (Braden McDaniel) Date: Wed, 11 Nov 2009 14:18:11 -0500 Subject: Problem using Kerberos for user authentication In-Reply-To: References: <1257932764.3112.444.camel@localhost> Message-ID: <1257967091.3112.1742.camel@localhost> On Wed, 2009-11-11 at 16:46 +0100, Javier Palacios wrote: > > I'm trying to get off the ground setting up Kerberos on a Fedora 11 box. > > I've attempted to follow the instructions here: > > http://aput.net/~jheiss/krbldap/howto.html > > That is a pretty old howto (probably older than fedora). I noticed that. 
I just haven't come across something of this nature more recent. > > I've tried both changing the password field for the user in /etc/shadow > > to "*K*" (as mentioned in the howto) and removing the user's entry > > in /etc/shadow altogether--in both cases login fails. > > The '*K*' thing is probably innacurate. I've never used, and had > success in debian, fedora and RHEL. And removing the user entry in > /etc/shadow (without changes in /etc/passwd) should produce a > non-usable account, either with kerberos or whichever auth method. Okay. > > Any ideas what the problem might be? Or where else I should be looking > > to find out? > > Just in case, you need to be able to `kinit username` (without the /admin). Argh. I missed this line in the howto: * Create additional username and username/admin principals as necessary using kadmin Having missed that, I made the incorrect assumption that adding "braden/admin" would have the effect of making "braden" available for system login. Now that I've added "braden" principal and changed /etc/shadow to have "NP" in the password field for this user (thanks, Douglas), login is working. Thanks, Javier and Steve, too. The feedback I've gotten here is bound to help me with the next problem. -- Braden McDaniel From braden at endoframe.com Wed Nov 11 17:11:26 2009 From: braden at endoframe.com (Braden McDaniel) Date: Wed, 11 Nov 2009 17:11:26 -0500 Subject: Problem using Kerberos for user authentication In-Reply-To: <115906d10911110841g7d1d44bcw60f0248e4df3bb16@mail.gmail.com> References: <1257932764.3112.444.camel@localhost> <115906d10911110841g7d1d44bcw60f0248e4df3bb16@mail.gmail.com> Message-ID: <4AFB368E.5000304@endoframe.com> Ryan Lynch wrote: [snip] > There are some differences between our setups. The biggest difference > appears to be that I'm using 'pam_krb5' in combination with > 'nss_ldap', because my user/group accounts are stored in LDAP (on an > MS Active Directory DC). 
All accounts are either purely local (only > exist in /etc/passwd, group, and shadow), or purely AD (only exist in > Kerberos and LDAP)--there are no overlapping cases, where an account > has a local /etc/passwd entry and a Kerberos principal, as well. Getting LDAP up and running is the next step for me; in my case, the directory will be hosted on this same machine. So I expect to be adding those bits shortly. > - Authenticating SSH logins via Kerberos tokens requires some changes > to ssh_config, and possibly sshd_config, as well. If you haven't > modified either the client or server for GSS/Kerberos operations, and > you're not using any special command-line options, that may be part of > your problem. ssh appears to be working without me doing anything special in sshd_config; my understanding is that once Kerberos is working with PAM, the things that can use PAM will Just Work. I'm attributing successful ssh logins to this. > - I wanted to echo Javier's suggestion about using the 'debug' > parameter to 'pam_krb5'. You can activate it via the 'system_auth' > lines, or via your 'krb5.conf'. I could not have gotten my setup to > work without the debug messages. No doubt that will come in handy. Thanks... -- Braden McDaniel e-mail: Jabber: From jeffrey.w.watts at gmail.com Thu Nov 12 02:28:52 2009 From: jeffrey.w.watts at gmail.com (Jeffrey Watts) Date: Thu, 12 Nov 2009 01:28:52 -0600 Subject: Problem using Kerberos for user authentication In-Reply-To: References: <1257932764.3112.444.camel@localhost> Message-ID: <65631e800911112328l698dec50y6ddcb9e2806390e@mail.gmail.com> On Wed, Nov 11, 2009 at 9:46 AM, Javier Palacios wrote: > The '*K*' thing is probably innacurate. I've never used, and had > success in debian, fedora and RHEL. And removing the user entry in > /etc/shadow (without changes in /etc/passwd) should produce a > non-usable account, either with kerberos or whichever auth method. 
I've just implemented Kerberos+LDAP on RHEL3-5 and HP-UX 11.11-11.31 using AD as the backend. Javier, creating an entry in /etc/passwd is a very useful tool for troubleshooting pam_krb5, as long as you have "passwd files ldap" in nsswitch.conf. The dummy entry allows you to verify the Kerberos piece, as the NSS lookup will hit the entry there. I usually just make a point of making it point to a different home directory so I can easily distinguish which is being used. Braden, please tell us more about your setup. PAM is, to be honest, the simplest part of the process. The nss_ldap config (/etc/ldap) is the most difficult piece. Kerberos is one of the easiest, though until you've learned the basic concepts of Kerberos and become familiar with the terminology and tools it can be a bit mystifying. One quick thing you must look at first, however, is your sshd_config. The stock F11 sshd setup is not compatible with pam_krb5. The following two options must be set:

ChallengeResponseAuthentication yes
UsePAM yes

The latter is set by default, but the former is not. If ChallengeResponseAuthentication is disabled, sshd will not use PAM for authentication, which means pam_krb5 will never get invoked to handle the auth. You should also enable the two GSSAPI options so that sshd will take tickets. While I haven't done the integration work on Fedora11 (RHEL5 is the most current that I've done it on), here are some pieces of advice:

1) nscd likes to behave very badly and cause strange intermittent issues that will torment you. I had nightmares getting it to work reliably. Avoid it (it's the local cache option in authconfig).
2) Use pam_mkhomedir. It will make you happy. Read the man page for authconfig for the option, assuming you don't want to just add it directly.
3) 95% of the time a pam_krb5 problem isn't a pam_krb5 problem. It's a nss_ldap issue in getting the user information. As others have said, use the debug option to pam_krb5, and set debug to a non-zero number in /etc/ldap.conf.
4) Group based access control (we use a Windows-like model of local admin groups) can be accomplished by using pam_succeed_if.so or pam_access.so (pam_access.so is fuller featured).
5) Post your krb5.conf and your ldap.conf. Without those two key files folks can't help you much.
6) 90% of the howtos out there on this are incomplete or worse, incorrect. Pay attention to the date it was written, as there's a lot of outdated information - especially for use with AD. Keep in mind that you need to tailor your ldap.conf to your individual setup.
7) If you're using AD as the backend, the version of Windows you are using is a VERY IMPORTANT thing to know. The key question you need to find out is if the schema supports Unix attributes, and if so, which version? There are multiple Services For Unix extensions for older versions of AD (blech), and there is also the RFC2307 compliant schema found in Windows2003R2 (not 2003) and newer. Keep in mind that someone's posted ldap.conf may not help you if you're using a different backend.
8) I'd recommend using SASL and a credentials cache for securing your LDAP connection. krb5_ccname is your friend in ldap.conf. It's a bit tricky to set up (as it requires that you grasp the concepts and set up a cronjob to get a fresh ticket periodically), but once it's set up it's very elegant. I use the Samba 'net' command to join the system to the domain (creates a machine account) and to create the Kerberos keytab (since ktpass on the Windows side is a POS). If you're more comfortable using SSL/TLS, use that then.

Anyhow, that should get you started. Good luck, Jeffrey.
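The thread so far turns on how the auth section of the posted /etc/pam.d/system-auth combines pam_unix and pam_krb5, and on what each line actually decides. The following is an added example, not code from any of the posters and not Linux-PAM itself: a small evaluator for the pam.d control flags (required, requisite, sufficient and the bracketed form) that walks Braden's auth stack over a few constructed accounts. The module behaviours are stubs, an assumption of this example rather than the real modules (the shadow field is modelled as cleartext, and pam_krb5 is taken to return PAM_USER_UNKNOWN when the KDC has no principal for the user, which is what happens when only username/admin exists). Beyond the failure discussed in the thread, it runs two cases a reviewer of this stack would want to see: because pam_unix is `sufficient` and carries `nullok`, a stale local hash or a blanked shadow field satisfies login without Kerberos ever being consulted.

```python
"""Walk a Linux-PAM auth stack with the control-flag semantics of pam.d(5).

Added example for this thread, not Linux-PAM code and not code from any of the
posters. The stack is the auth section of the system-auth file posted earlier;
module behaviour is stubbed in run_module (a simplified model of each module,
an assumption of this example) so the stack logic can be exercised offline.
"""
import re

# Module results, spelled the way a bracketed control ([success=ok ...]) names them.
PAM_SUCCESS, PAM_AUTH_ERR = "success", "auth_err"
PAM_USER_UNKNOWN, PAM_PERM_DENIED = "user_unknown", "perm_denied"

# The posted auth section, as (control, module, args).
AUTH_STACK = [
    ("required",   "pam_env.so",        ""),
    ("sufficient", "pam_unix.so",       "nullok try_first_pass"),
    ("requisite",  "pam_succeed_if.so", "uid >= 500 quiet"),
    ("sufficient", "pam_krb5.so",       "use_first_pass"),
    ("required",   "pam_deny.so",       ""),
]

# What Linux-PAM expands the keyword controls to.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

def parse_control(control):
    """value->action table for a keyword or a [value=action ...] control."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control.strip("[]").split())
    return SIMPLE_CONTROLS[control]

def run_module(module, args, user, password):
    """Stubbed module results. user is None for an unknown account, else a dict
    with uid, shadow (the /etc/shadow password field, modelled as cleartext
    rather than a hash; None = no entry) and principal (the Kerberos password
    if a principal exists for this user, None if it does not)."""
    if module == "pam_env.so":
        return PAM_SUCCESS
    if user is None:
        return PAM_USER_UNKNOWN
    if module == "pam_unix.so":
        field = user["shadow"]
        if field is None:
            return PAM_USER_UNKNOWN
        if field == "":                      # empty field: only nullok lets it through
            return PAM_SUCCESS if "nullok" in args and password == "" else PAM_AUTH_ERR
        if field in ("*", "!", "NP", "*K*"):  # nothing crypt() produces can match these
            return PAM_AUTH_ERR
        return PAM_SUCCESS if password == field else PAM_AUTH_ERR
    if module == "pam_succeed_if.so":
        op, bound = re.match(r"uid\s*(>=|<)\s*(\d+)", args).groups()
        holds = user["uid"] >= int(bound) if op == ">=" else user["uid"] < int(bound)
        return PAM_SUCCESS if holds else PAM_AUTH_ERR
    if module == "pam_krb5.so":
        if user["principal"] is None:        # KDC: client principal unknown
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if password == user["principal"] else PAM_AUTH_ERR
    if module == "pam_deny.so":
        return PAM_AUTH_ERR
    raise ValueError("module not modelled: %s" % module)

def evaluate(stack, user, password, trace=None):
    """Walk the stack: an 'ok' never overrides an earlier recorded failure,
    'done' and 'die' end the walk, 'ignore' leaves the state alone. Returns
    the status the application sees; trace, if given, collects each step."""
    impression = status = None
    for control, module, args in stack:
        table = parse_control(control)
        result = run_module(module, args, user, password)
        action = table.get(result, table.get("default", "bad"))
        if trace is not None:
            trace.append((module, result, action))
        if action in ("ok", "done"):
            if impression is None or (impression == "ok" and status == PAM_SUCCESS):
                impression, status = "ok", result
            if action == "done":
                return status
        elif action in ("bad", "die"):
            if impression != "bad":
                impression, status = "bad", result
            if action == "die":
                return status
    return status if impression is not None else PAM_PERM_DENIED

def login_outcomes():
    """The cases discussed in the thread, with constructed users and passwords."""
    cases = {
        "no principal for user": ({"uid": 500, "shadow": "*K*", "principal": None}, "s3cret"),
        "principal added, NP":   ({"uid": 500, "shadow": "NP", "principal": "s3cret"}, "s3cret"),
        "stale local hash":      ({"uid": 501, "shadow": "old-pw", "principal": "s3cret"}, "old-pw"),
        "blank field + nullok":  ({"uid": 502, "shadow": "", "principal": "s3cret"}, ""),
        "uid below 500":         ({"uid": 48, "shadow": "!", "principal": "s3cret"}, "s3cret"),
    }
    return {name: evaluate(AUTH_STACK, user, pw) for name, (user, pw) in cases.items()}

if __name__ == "__main__":
    for case, outcome in login_outcomes().items():
        print("%-22s -> %s" % (case, outcome))
```

Passing a list as `trace` shows which modules were consulted; for the stale-hash and blank-field cases the walk stops at pam_unix and pam_krb5 is never reached, so disabling a principal at the KDC does not disable that account on the box. If local passwords are not meant to be a login path, drop `nullok` and set the shadow field to something unmatchable, which is what the NP suggestion in the thread achieves.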
From sgla9347 at gmail.com Thu Nov 12 11:27:06 2009 From: sgla9347 at gmail.com (Steve Glasser) Date: Thu, 12 Nov 2009 08:27:06 -0800 Subject: Problem using Kerberos for user authentication -- ChallengeResponseAuthentication Message-ID: Hi all, We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We have found that if we set ChallengeResponseAuthentication yes in sshd_config the result is no TGT ticket is created when a user logs in by ssh. This problem is detailed in a Debian bug report here; we don't see it having ever been fixed in redhat http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734 Setting PasswordAuthentication yes does work, at least in our environment. If anyone has any further information on this we'd appreciate it. Cheers, Steve On Wed, Nov 11, 2009 at 11:28 PM, Jeffrey Watts wrote: > On Wed, Nov 11, 2009 at 9:46 AM, Javier Palacios wrote: > < snip > > > One quick thing you must look at first, however, is your sshd_config. The > stock F11 sshd setup is not compatible with pam_krb5. The following two > options must be set: > ChallengeResponseAuthentication yes > UsePAM yes > > The latter is set by default, but the former is not. If > ChallengeResponseAuthentication is disabled, sshd will not use PAM for > authentication, which means pam_krb5 will never get invoked to handle the > auth. You should also enable the two GSSAPI options so that sshd will take > tickets. > < snip > > Good luck, > Jeffrey. > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- Steve Glasser sgla9347 at gmail.com From Leon.Kemna at thomsonreuters.com Thu Nov 12 07:57:46 2009 From: Leon.Kemna at thomsonreuters.com (Leon.Kemna@thomsonreuters.com) Date: Thu, 12 Nov 2009 13:57:46 +0100 Subject: Assertion failed for krb5kdc Message-ID: <073DC81BC232A24C93C6A5C3F37306580457EA59@GVASMSXM01.emea.ime.reuters.com> Hi Ken, I'm following your thread on mailman.mit.edu/pipermail/kerberos, october 19 20:46:20 You mention a part of the configure script to detect the solaris version:

case "${host_os}" in
[...]
solaris2.[1-9])
  # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't
  # get the right result. XXX What about Solaris 9 and earlier?
  if test "$GCC" = yes ; then
    PTHREAD_CFLAGS="-D_REENTRANT -pthreads"
  fi
  ;;
solaris*)
  # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't
  # get the right result.
  if test "$GCC" = yes ; then
    PTHREAD_CFLAGS="-D_REENTRANT -pthreads"
  fi
  # On Solaris 10, the thread support is always available in libc.
  AC_DEFINE(NO_WEAK_PTHREADS,1,[Define if references to pthread routines should be non-weak.])
  ;;

However the version that I just downloaded as krb5-1.7.tar.gz does not have these square brackets around [1-9] for checking the solaris version, i.e. it reads:

[...]
solaris2.1-9)
  # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't

Maybe you're referring to a more recent repository version? Is there a version that I could download which would yield better results on solaris 8 for compilation?
Regards Leon * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Leon Kemna Senior Consultant, System Integration Market Risk Management Thomson Reuters Antonio Vivaldistraat 50, Amsterdam 1083 HP, Netherlands Desk: +31-(0)20-5045060 | Mobile: +31-(0)6-29531329 Fax: +31-(0)20-5045910 | Reception: +31-(0)20-5045045 Support, Data & Applications: 0800 - 0200 385 Support, Technical: 0800 - 0200 386 For product support, updates and training, go to thomsonreuters.com This email was sent to you by Thomson Reuters, the global news and information company. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Thomson Reuters. From raeburn at MIT.EDU Thu Nov 12 13:15:22 2009 From: raeburn at MIT.EDU (Ken Raeburn) Date: Thu, 12 Nov 2009 13:15:22 -0500 Subject: Assertion failed for krb5kdc In-Reply-To: <073DC81BC232A24C93C6A5C3F37306580457EA59@GVASMSXM01.emea.ime.reuters.com> References: <073DC81BC232A24C93C6A5C3F37306580457EA59@GVASMSXM01.emea.ime.reuters.com> Message-ID: <85F5D26B-FC4B-472B-AF75-EE351CC7F950@mit.edu> On Nov 12, 2009, at 07:57, wrote: > Maybe you're refering to a more recent repository version? > Is there a version that I could download which would yield better > results on solaris 8 for compilation? Oh, and regarding Solaris 8... I'd forgotten when I sent my earlier email, but there are additional problems if you're working with multithreaded software. Arlene Berry reported details at http://krbdev.mit.edu/rt/Ticket/Display.html?id=6569 along with a patch, but we don't have a fix in the source tree as yet. (Arlene's patch should work fine for Solaris 8; a patch for the distribution probably shouldn't serialize DNS searches on platforms where it isn't necessary.) If your software is single-threaded (as all the Kerberos programs in the MIT distribution are), then this shouldn't present any problems. 
Ken From raeburn at MIT.EDU Thu Nov 12 13:06:33 2009 From: raeburn at MIT.EDU (Ken Raeburn) Date: Thu, 12 Nov 2009 13:06:33 -0500 Subject: Assertion failed for krb5kdc In-Reply-To: <073DC81BC232A24C93C6A5C3F37306580457EA59@GVASMSXM01.emea.ime.reuters.com> References: <073DC81BC232A24C93C6A5C3F37306580457EA59@GVASMSXM01.emea.ime.reuters.com> Message-ID: <08866358-73C6-49C7-B59B-B559600141C7@mit.edu> On Nov 12, 2009, at 07:57, wrote: > Hi Ken, > > I'm following your thread on mailman.mit.edu/pipermail/kerberos, > october > 19 20:46:20 Check the messages from November -- Tom Shaw pointed this out too, and I tracked down the problem. There's also an entry in the bug database now, including a pointer to the fix(es) checked in. http://krbdev.mit.edu/rt/Ticket/Display.html?id=6579 With that patch applied, and the configure script regenerated with autoconf, you ought to be able to use 1.7 with Solaris 8, as far as I know. Ken From jmontmartin at gmail.com Thu Nov 12 13:23:47 2009 From: jmontmartin at gmail.com (Julien Montmartin) Date: Thu, 12 Nov 2009 19:23:47 +0100 Subject: ktpass fails to create a service principal (win 2000 server SP4) In-Reply-To: <4AF9A222.8060500@anl.gov> References: <4AF9A222.8060500@anl.gov> Message-ID: 2009/11/10 Douglas E. Engert > > Julien Montmartin wrote: > >> Hi List, >> >> I'm working on a kerberized application server and I have some trouble >> when >> I try to generate the keytab with ktpass... Although everything works >> nicely >> for demo in the lab, it fails in real world ! >> >> Here the command I use (windows 2000 server SP4) : >>
>> ktpass -ptype KRB5_NT_PRINCIPAL -princ HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM -mapuser testUser@private.myCompagnie.com -pass xyz -out C:\temp\keytab
>> > > -mapuser testUser > > Thanks Douglas, now I get my keytab... But now gss_acquire_cred () fails with error : "No principal in keytab matches desired name".
This is the kind of code I use:

    #include <string.h>
    #include <gssapi/gssapi.h>

    OM_uint32 MS, ms;
    gss_cred_id_t fCredentials = GSS_C_NO_CREDENTIAL;
    gss_buffer_desc tmpTok = GSS_C_EMPTY_BUFFER;
    tmpTok.value = "HTTP@myComputer.private.myCompagnie.com";
    // tmpTok.value = "HTTP@myComputer"; -> Doesn't work either
    tmpTok.length = strlen(tmpTok.value);  /* length must be set; gss_import_name reads .length, not a NUL terminator */
    gss_name_t srvName = GSS_C_NO_NAME;
    MS = gss_import_name(&ms, &tmpTok, (gss_OID) GSS_C_NT_HOSTBASED_SERVICE, &srvName);
    MS = gss_acquire_cred(&ms, srvName, GSS_C_INDEFINITE, GSS_C_NO_OID_SET, GSS_C_ACCEPT, &fCredentials, NULL, NULL);

Well, once again, this code works in the lab so I guess it's not totally wrong... How can I know the "desired name" the library is looking for? When I generate my keytab, ktpass said "vno = 1" but when I check it on the server with kvno it says: "HTTP/myComputer.private.myCompagnie.com at PRIVATE.MYCOMPAGNIE.COM: kvno = 0". Isn't that wrong? I've also tried with kinit: kinit -k -t C:\keytab HTTP/myComputer.private.myCompagnie.com@PRIVATE.MYCOMPAGNIE.COM It says nothing, but doesn't fail... Any idea? From Leon.Kemna at thomsonreuters.com Fri Nov 13 03:26:53 2009 From: Leon.Kemna at thomsonreuters.com (Leon.Kemna@thomsonreuters.com) Date: Fri, 13 Nov 2009 09:26:53 +0100 Subject: Assertion failed for krb5kdc In-Reply-To: <08866358-73C6-49C7-B59B-B559600141C7@mit.edu> References: <073DC81BC232A24C93C6A5C3F37306580457EA59@GVASMSXM01.emea.ime.reuters.com> <08866358-73C6-49C7-B59B-B559600141C7@mit.edu> Message-ID: <073DC81BC232A24C93C6A5C3F37306580457EBCD@GVASMSXM01.emea.ime.reuters.com> Hi Ken, thanks for your reply! Yes this seems exactly the issue; I just changed solaris2.1-9) to solaris2.[1-9]) in the configure script and everything seems to work fine. I see the patch will be in 1.7.1 so maybe I can try to compile with that version once available :-) Regards Leon -----Original Message----- From: Ken Raeburn [mailto:raeburn at MIT.EDU] Sent: 12 Nov 2009 19:07 To: Kemna, Leon H. 
(M Risk) Cc: Kerberos mailing list Subject: Re: Assertion failed for krb5kdc On Nov 12, 2009, at 07:57, wrote: > Hi Ken, > > I'm following your thread on mailman.mit.edu/pipermail/kerberos, > october > 19 20:46:20 Check the messages from November -- Tom Shaw pointed this out too, and I tracked down the problem. There's also an entry in the bug database now, including a pointer to the fix(es) checked in. http://krbdev.mit.edu/rt/Ticket/Display.html?id=6579 With that patch applied, and the configure script regenerated with autoconf, you ought to be able to use 1.7 with Solaris 8, as far as I know. Ken From chomette at ensil.unilim.fr Fri Nov 13 03:48:05 2009 From: chomette at ensil.unilim.fr (Hubert Chomette) Date: Fri, 13 Nov 2009 09:48:05 +0100 Subject: Question about cross realm authentication Message-ID: <59717EE4-008B-4524-A877-BBC83AEC88D8@ensil.unilim.fr> Hi, We try to unify authentication between two departments in our university. The two departments have their own KDC, so cross realm should be the most interesting thing. What I have understood is that a client from site A with a TGT from A can ask for a cross-realm TGT for site B and access all SSO-ised applications at B. But suppose that a user from site A goes to site B. How can he authenticate on a machine from site B (Linux/Windows computers using KDC B authentication)? Does cross realm permit such things? Or should this user have an account on site B too? 
Thanks for your help. Regards, Hubert From jeffrey.w.watts at gmail.com Fri Nov 13 11:33:23 2009 From: jeffrey.w.watts at gmail.com (Jeffrey Watts) Date: Fri, 13 Nov 2009 10:33:23 -0600 Subject: Problem using Kerberos for user authentication -- ChallengeResponseAuthentication In-Reply-To: References: Message-ID: <65631e800911130833k5d3eb552o9aed059482816bd8@mail.gmail.com> That's really weird, I'm using that option and the ticket is created on login. When I'm back in town I'll look closer. Keep in mind, though, that I'm using current versions of PAM, pam_krb5 and Kerberos with my RHEL5 systems, so it's possible that it's a bug fixed later on. Jeffrey. On Thu, Nov 12, 2009 at 10:27 AM, Steve Glasser wrote: > Hi all, > > We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We > have found that if we set > ChallengeResponseAuthentication yes > in sshd_conf the result is no TGT ticket is created when a user logs > in by ssh. This problem is detailed in a Debian bug report here; we > don't see it having ever been fixed in redhat > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734 > Setting > PasswordAuthentication yes > does work, at least in our environment. > > If anyone has any further information on this we'd appreciate it. > > -- "He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself." -- Thomas Paine From Jeff.Davalos at momentumww.com Fri Nov 13 14:10:14 2009 From: Jeff.Davalos at momentumww.com (Davalos, Jeff (STL-MOM)) Date: Fri, 13 Nov 2009 13:10:14 -0600 Subject: SSO for Macintosh browsers Message-ID: Hey gang, I sincerely apologize if this is not the appropriate method to post my question. Please forward me to the correct place if so... If this is the correct place for a general question to the Kerberos community, any thoughts you can provide will be received with open arms. 
The issue: I have been working to implement an SSO product across my enterprise. The product works by configuring browsers to read the Kerberos ticket information from the local machine and forward the information inside of the ticket to my SSO web service for verification. I can accomplish this on all my PCs using IE 7/8 and Firefox 3.x. PCs are running XP, Vista and Windows 7. Basically this is accomplished through the use of IWA in the PC browser configuration. I cannot accomplish this in Safari 3/4 or Firefox 3.x on any of my Macs. My Macs are all bound to my internal Active Directory service. Despite the browsers being configured similarly to how I would configure the browsers on my PCs, the browsers seem to be failing on the Macs, during one of these steps: 1. Reading the local Kerberos ticket 2. Decrypting the information in the ticket 3. Sending the information in the ticket to my SSO web service I have verified that the tickets exist and are valid (kerberos.app and klist). I'm stumped as to what my next steps are. How can I verify steps 1 through 3 are completing? Thanks again... Jeff From rra at stanford.edu Fri Nov 13 14:35:44 2009 From: rra at stanford.edu (Russ Allbery) Date: Fri, 13 Nov 2009 11:35:44 -0800 Subject: Problem using Kerberos for user authentication -- ChallengeResponseAuthentication In-Reply-To: (Steve Glasser's message of "Thu, 12 Nov 2009 08:27:06 -0800") References: Message-ID: <87vdhekyjz.fsf@windlord.stanford.edu> Steve Glasser writes: > We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We > have found that if we set > ChallengeResponseAuthentication yes > in sshd_conf the result is no TGT ticket is created when a user logs > in by ssh. This problem is detailed in a Debian bug report here; we > don't see it having ever been fixed in redhat > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734 > Setting > PasswordAuthentication yes > does work, at least in our environment. 
Red Hat and Debian use completely different code bases for pam-krb5. That particular bug (ssh running PAM in odd contexts and discarding PAM data) is something that I thought Red Hat's PAM module had its own workaround for using shared memory or some such thing, but since I don't use it, I'm not sure. -- Russ Allbery (rra at stanford.edu) From abe at ligo.caltech.edu Fri Nov 13 16:43:54 2009 From: abe at ligo.caltech.edu (Abe Singer) Date: Fri, 13 Nov 2009 13:43:54 -0800 Subject: unicode support on MIT Kerberos? Message-ID: <20091113213124.GF42340@ligo.caltech.edu> What's the state of Unicode support for principal names in Kerberos? I found an email from 2008 saying that it was being worked on, but no comment since then. From rra at stanford.edu Fri Nov 13 23:25:48 2009 From: rra at stanford.edu (Russ Allbery) Date: Fri, 13 Nov 2009 20:25:48 -0800 Subject: pam-krb5 4.0 released Message-ID: <877httvik3.fsf@windlord.stanford.edu> I'm pleased to announce release 4.0 of pam-krb5. pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports configuration either by PAM options or in krb5.conf or both. This upgrade has two non-backward-compatible changes to the option parsing that may need your attention during upgrades: * If you were using pam_krb5 with the use_authtok parameter in the password group, you will need to add use_first_pass to your configuration to keep the same behavior. See below for details. * If you used the use_authtok parameter in the authentication group, you should change it to force_first_pass. 
Changes from previous release: Previous versions of this module incorrectly implemented the standard use_authtok parameter. use_authtok applies only to the password group and says to use the new password stored in the PAM data rather than prompting for a new password. It doesn't imply anything about where to obtain the old password, but it was implemented as requiring both the old and new password be in the PAM stack already. This doesn't work when stacked with pam_cracklib. Change use_authtok to have the correct meaning, which means that password group configurations may need to add use_first_pass to use_authtok to get the desired behavior. use_first_pass and try_first_pass no longer affect how the new password is obtained during password changes. To use a password obtained by a previous module, use use_authtok instead. A new option, force_first_pass, is now supported for both the authentication and password groups. It tells the module to always get the user's current password from the PAM data and fail without prompting if it isn't already set. This is the meaning that use_authtok previously had for the current password. use_authtok no longer has any meaning for the authentication stack. Use force_first_pass instead, which does the same as use_authtok used to do. use_authtok will be temporarily converted to force_first_pass in the authentication group and log a diagnostic, but this will be removed in the future. Stop returning PAM_IGNORE from pam_setcred if the user is ignored or didn't log in via Kerberos and instead return PAM_USER_UNKNOWN. This works around a bug in older versions of the Linux PAM library where returning PAM_IGNORE would cause pam_setcred to fail even if other modules succeeded. Since pam_authenticate never returned PAM_IGNORE, this change should not cause any differences in behavior. Do not use issetugid on Solaris to determine when to avoid refreshing the ticket cache named in KRB5CCNAME during pam_setcred. 
Instead, compare effective and real UID and GID and permit KRB5CCNAME to be trusted if they match. This allows setuid screensavers on Solaris to refresh ticket caches and makes behavior on Solaris match other platforms. Using issetugid is arguably safer since it protects programs that switch users via setuid to a user other than the calling user but still should not trust the original environment, but such programs are rare in the PAM context and should not be calling pam_setcred anyway unless the calling user is permitted to generally act as the target user. Thanks, William Yang. Do the same logging in pam_sm_open_session and pam_sm_close_session as we do with the other functions. This will mean pam_sm_open_session calls will be logged as pam_sm_open_session, not as pam_sm_setcred as before. pam-krb5 is now built using Automake and Libtool to bring it more in line with other software packages. This means that it now relies on Libtool to know how to generate a loadable module rather than hand-configured linker rules. This may improve portability on some platforms and may hurt it on other platforms. If configured with a prefix of /usr on Linux, use /lib, /lib32, or /lib64 as an installation path based on the size of an integer in the compilation environment rather than based on known 64-bit Linux variants. Update to rra-c-util 2.0: * Sanity-check the results of krb5-config before proceeding. * Fall back on manual probing if krb5-config results don't work. * Don't break if the user clobbers CPPFLAGS at build time. You can download it from: This package is maintained using Git; see the instructions on the above page to access the Git repository. Debian packages have been uploaded to Debian unstable. Please let me know of any problems or feature requests not already listed in the TODO file. 
-- Russ Allbery (rra at stanford.edu) From kejzlar at civ.zcu.cz Mon Nov 16 07:22:09 2009 From: kejzlar at civ.zcu.cz (Lubos Kejzlar) Date: Mon, 16 Nov 2009 13:22:09 +0100 Subject: Early Announcement: 3rd European AFS & Kerberos Conference 2010 Message-ID: <4B0143F1.60607@civ.zcu.cz> Dear AFS & Kerberos friends! we are pleased to announce the final schedule for the 3rd European AFS & Kerberos Conference 2010 The conference will take place in Pilsen, Czech Republic, from September 13 to September 15, 2010. Further details will follow and can be found at http://afs2010.civ.zcu.cz Please, book your time in advance and feel free to contact us with any further questions or suggestions! The Organizers (JML) afs2010 at civ.zcu.cz From Maarten.Broekman at fmr.com Mon Nov 16 09:01:15 2009 From: Maarten.Broekman at fmr.com (Broekman, Maarten) Date: Mon, 16 Nov 2009 09:01:15 -0500 Subject: GSSAPI / Kerberos ticket authentication issues Message-ID: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM> All, I'm trying to configure my RHEL5 servers to perform GSSAPI authentication via gssftp and ssh. I've enabled the gssftp service and GSSAPIAuthentication (in ssh). Everything works properly with Kerberos tickets over the "hostname" IP address (as well as any CNAMEs for it). However, when I try to connect to a secondary IP address on the same system, GSSAPI authentication fails. I have host principals in the keytab for all hostnames on the system and /etc/hosts contains all the appropriate host / IP entries. Example: $ kinit $ ftp -n -i hostname --> Works properly ... 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI authentication succeeded Remote system type is UNIX. Using binary mode to transfer files. ftp> quote user username 232 GSSAPI user username at DOMAIN.COM is authorized as username $ ftp -n -i hostname-alt --> Doesn't work. 
    334 Using authentication type GSSAPI; ADAT must follow
    GSSAPI accepted as authentication type
    GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
    GSSAPI error minor: Unknown code krb5 144
    GSSAPI error: accepting context
    GSSAPI ADAT failed
    GSSAPI authentication failed
    334 Using authentication type KERBEROS_V4; ADAT must follow
    KERBEROS_V4 accepted as authentication type
    Kerberos V4 krb_mk_req failed: You have no tickets cached
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> quote user username
    331 Password required for username.

Code 144 is "wrong principal in request" but I can't for the life of me figure out why. Running klist -k /etc/krb5.keytab on the target server shows:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
      10 host/hostname-alt.domain.com at DOMAIN.COM
      10 host/hostname-alt.domain.com at DOMAIN.COM
      10 host/hostname-alt.domain.com at DOMAIN.COM
      10 host/hostname-alt.domain.com at DOMAIN.COM
       6 host/hostname.domain.com at DOMAIN.COM
       6 host/hostname.domain.com at DOMAIN.COM
       6 host/hostname.domain.com at DOMAIN.COM
       6 host/hostname.domain.com at DOMAIN.COM

Checking both of these host principals in our kerberos database shows that they are all valid. Running a klist on my ticket cache on the source system shows:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_62548_AdrweK
    Default principal: username at DOMAIN.COM
    Valid starting     Expires            Service principal
    11/16/09 08:50:05  11/17/09 08:50:05  krbtgt/DOMAIN.COM at DOMAIN.COM
    11/16/09 08:50:34  11/17/09 08:50:05  host/hostname.domain.com at DOMAIN.COM
    11/16/09 08:50:40  11/17/09 08:50:05  host/hostname-alt.domain.com at DOMAIN.COM

    Kerberos 4 ticket cache: /tmp/tkt62548
    klist: You have no tickets cached

Any assistance with this would be greatly appreciated. 
Thanks in advance, --Maarten From ghudson at MIT.EDU Mon Nov 16 16:34:49 2009 From: ghudson at MIT.EDU (Greg Hudson) Date: Mon, 16 Nov 2009 16:34:49 -0500 Subject: GSSAPI / Kerberos ticket authentication issues In-Reply-To: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM> References: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM> Message-ID: <1258407289.24480.53.camel@ray> On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote: > $ ftp -n -i hostname --> Works properly > $ ftp -n -i hostname-alt --> Doesn't work. I believe this is a consequence of how ftpd uses GSSAPI. It's using gss_acquire_cred to get credentials for ftp at localhostname and host at localhostname, instead of just passing the default to gss_accept_sec_context, which would make it work for any key in the keytab. I don't see any good opportunities for workarounds without patching and recompiling gssftpd. The local hostname is determined by calling gethostbyname() on the result of gethostname(), so you can typically influence which hostname is picked by fiddling with /etc/hosts, but you can't make it try multiple hostnames. I'll bring this up on the dev list and see about getting it fixed for a future release. If you do want to patch and rebuild to work around this, I can probably come up with a provisional patch for you in short order. From Maarten.Broekman at fmr.com Mon Nov 16 16:39:57 2009 From: Maarten.Broekman at fmr.com (Broekman, Maarten) Date: Mon, 16 Nov 2009 16:39:57 -0500 Subject: GSSAPI / Kerberos ticket authentication issues References: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM> <1258407289.24480.53.camel@ray> Message-ID: <466D8503CBF08E4190ECE2D302B8C72C02E96453@MSGBOSCLR2WIN.DMN1.FMR.COM> Thanks Greg. Getting it addressed in a future version would be great. Unfortunately, I don't think I'll be able to patch and rebuild. 
Maarten Broekman > -----Original Message----- > From: Greg Hudson [mailto:ghudson at MIT.EDU] > Sent: Monday, November 16, 2009 4:35 PM > To: Broekman, Maarten > Cc: kerberos at mit.edu > Subject: Re: GSSAPI / Kerberos ticket authentication issues > > On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote: > > $ ftp -n -i hostname --> Works properly > > $ ftp -n -i hostname-alt --> Doesn't work. > > I believe this is a consequence of how ftpd uses GSSAPI. It's using > gss_acquire_cred to get credentials for ftp at localhostname and > host at localhostname, instead of just passing the default to > gss_accept_sec_context, which would make it work for any key in the > keytab. > > I don't see any good opportunities for workarounds without patching and > recompiling gssftpd. The local hostname is determined by calling > gethostbyname() on the result of gethostname(), so you can typically > influence which hostname is picked by fiddling with /etc/hosts, but you > can't make it try multiple hostnames. > > I'll bring this up on the dev list and see about getting it fixed for a > future release. If you do want to patch and rebuild to work around > this, I can probably come up with a provisional patch for you in short > order. > From Maarten.Broekman at fmr.com Mon Nov 16 16:53:03 2009 From: Maarten.Broekman at fmr.com (Broekman, Maarten) Date: Mon, 16 Nov 2009 16:53:03 -0500 Subject: GSSAPI / Kerberos ticket authentication issues References: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM><1258407289.24480.53.camel@ray> <466D8503CBF08E4190ECE2D302B8C72C02E96453@MSGBOSCLR2WIN.DMN1.FMR.COM> Message-ID: <466D8503CBF08E4190ECE2D302B8C72C02C1B633@MSGBOSCLR2WIN.DMN1.FMR.COM> Greg, One thing I realized is that I forgot to mention is that I also tried using the scan_interfaces and extra_addresses tags in my krb5.conf but that didn't help. From the manpage for the krb5.conf these looked like they might have addressed the issue. 
Also ssh suffers from the same problem as gssftp so I'm guessing this is a more general issue and not specific to gssftp. Maarten Broekman Fidelity | Investment Management Technology TSO Server Architecture and Engineering Office: (617) 563-9756 Cell: (617) 590-8005 Email: maarten.broekman at fmr.com > -----Original Message----- > From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On > Behalf Of Broekman, Maarten > Sent: Monday, November 16, 2009 4:40 PM > To: Greg Hudson > Cc: kerberos at MIT.EDU > Subject: RE: GSSAPI / Kerberos ticket authentication issues > > Thanks Greg. Getting it addressed in a future version would be great. > Unfortunately, I don't think I'll be able to patch and rebuild. > > Maarten Broekman > > > -----Original Message----- > > From: Greg Hudson [mailto:ghudson at MIT.EDU] > > Sent: Monday, November 16, 2009 4:35 PM > > To: Broekman, Maarten > > Cc: kerberos at mit.edu > > Subject: Re: GSSAPI / Kerberos ticket authentication issues > > > > On Mon, 2009-11-16 at 09:01 -0500, Broekman, Maarten wrote: > > > $ ftp -n -i hostname --> Works properly > > > $ ftp -n -i hostname-alt --> Doesn't work. > > > > I believe this is a consequence of how ftpd uses GSSAPI. It's using > > gss_acquire_cred to get credentials for ftp at localhostname and > > host at localhostname, instead of just passing the default to > > gss_accept_sec_context, which would make it work for any key in the > > keytab. > > > > I don't see any good opportunities for workarounds without patching > and > > recompiling gssftpd. The local hostname is determined by calling > > gethostbyname() on the result of gethostname(), so you can typically > > influence which hostname is picked by fiddling with /etc/hosts, but > you > > can't make it try multiple hostnames. > > > > I'll bring this up on the dev list and see about getting it fixed for > a > > future release. 
If you do want to patch and rebuild to work around > > this, I can probably come up with a provisional patch for you in short > > order. > > > > > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From ghudson at MIT.EDU Mon Nov 16 17:40:31 2009 From: ghudson at MIT.EDU (Greg Hudson) Date: Mon, 16 Nov 2009 17:40:31 -0500 Subject: GSSAPI / Kerberos ticket authentication issues In-Reply-To: <466D8503CBF08E4190ECE2D302B8C72C02C1B633@MSGBOSCLR2WIN.DMN1.FMR.COM> References: <466D8503CBF08E4190ECE2D302B8C72C02C1B62E@MSGBOSCLR2WIN.DMN1.FMR.COM> <1258407289.24480.53.camel@ray> <466D8503CBF08E4190ECE2D302B8C72C02E96453@MSGBOSCLR2WIN.DMN1.FMR.COM> <466D8503CBF08E4190ECE2D302B8C72C02C1B633@MSGBOSCLR2WIN.DMN1.FMR.COM> Message-ID: <1258411231.24480.57.camel@ray> On Mon, 2009-11-16 at 16:53 -0500, Broekman, Maarten wrote: > Greg, > One thing I realized is that I forgot to mention is that I also > tried using the scan_interfaces and extra_addresses tags in my krb5.conf > but that didn't help. From the manpage for the krb5.conf these looked > like they might have addressed the issue. Those settings don't pertain to this code. > Also ssh suffers from the > same problem as gssftp so I'm guessing this is a more general issue and > not specific to gssftp. Stock OpenSSH sshd has the same coding issue as ftpd, yes. If your sshd had the gss-keyex patch, you could control this behavior with the GSSAPIStrictAcceptorCheck config variable, but unfortunately Red Hat is not one of the OS vendors who incorporate the gss-keyex patch. From geniuslee at gmail.com Tue Nov 17 09:18:43 2009 From: geniuslee at gmail.com (nicholas lee) Date: Tue, 17 Nov 2009 22:18:43 +0800 Subject: [Kinit Fail]unable to contact any kdc Message-ID: <22a442e60911170618w3052ea69mefe9ab4a07985d8@mail.gmail.com> to ALL: In my network, I have several machines. 
One of them(IP: 1.1.1.1) fail to use kinit with the following err: --------------------------------------------------------------------------------------------------------------------------- kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials --------------------------------------------------------------------------------------------------------------------------- (P.S. the other machines in my network works perfect with the same config files) While, on the other hand, I search my kdc log and find the following: --------------------------------------------------------------------------------------------------------------------------- Nov 17 21:34:55 krb.mst.org krb5kdc[13475]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 1.1.1.1: ISSUE: authtime 1258464895, etypes {rep=16 tkt=16 ses=16}, kaka at REALM.COM for krbtgt/REALM.COM at REALM.COM Nov 17 21:34:55 krb.mst.org krb5kdc[13475]: AS_REQ (7 etypes {18 17 16 23 1 3 2}) 1.1.1.1: ISSUE: authtime 1258464895, etypes {rep=16 tkt=16 ses=16}, kaka at REALM.COM for krbtgt/REALM.COM at REALM.COM Nov 17 21:34:56 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response Nov 17 21:35:13 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response Nov 17 21:35:17 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response Nov 17 21:35:25 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response Nov 17 21:35:29 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response Nov 17 21:35:29 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response Nov 17 21:35:30 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) 
request from 1.1.1.1, resending previous response Nov 17 21:35:30 krb.mst.org krb5kdc[13475]: DISPATCH: repeated (retransmitted?) request from 1.1.1.1, resending previous response --------------------------------------------------------------------------------------------------------------------------- My kerberos version : ---------------------------------------- $ rpm -qa|grep krb krbafs-devel-1.2.2-6 krb5-workstation-1.3.4-27 krb5-devel-1.3.4-27 krb5-libs-1.3.4-27 krbafs-1.2.2-6 pam_krb5-2.1.8-1 ---------------------------------------- Has anyone met the above weird thing and can share his/her solution? -- I come from the past to save the future........ From Jeff.Davalos at momentumww.com Tue Nov 17 18:07:35 2009 From: Jeff.Davalos at momentumww.com (Davalos, Jeff (STL-MOM)) Date: Tue, 17 Nov 2009 17:07:35 -0600 Subject: Cross realm and/or referral issue? Message-ID: <6A601FE545584844AF6E4A2C5E9EB04502C5675BA5@OMAEDCCMS53.na.corp.ipgnetwork.com> Hey everyone, Is there a way to configure Safari 3.x or 4.x or Firefox 3.x on Mac OS X Leopard so that the browser will request a service ticket for a web server that is located in an extranet forest? The extranet forest trusts the internal forest. Is there any configuration on the internal forest to enable Mac OS X Leopard to obtain a referral for this service ticket, if necessary? Perhaps an additional SPN is needed? It is helpful to note that Internet Explorer 7.x and 8.x as well as Firefox 3.x users on PCs in the internal forest are receiving service tickets for the web server in the extranet forest without issue. Thank you all... 
Jeff From sbuckley at MIT.EDU Thu Nov 19 13:41:26 2009 From: sbuckley at MIT.EDU (Stephen Buckley) Date: Thu, 19 Nov 2009 13:41:26 -0500 Subject: Kerberos Conference Slides, Release 1.8 Message-ID: <1DBE2A1C-CFF6-4E61-AA75-6BFAEA43CBC6@mit.edu> Hello all, We have put the slides from our Kerberos Conference up on our web site at: http://www.kerberos.org/events/2009conf/ Keynoters included Kim Cameron, Chief Architect for Identity at Microsoft. Also, the 1.8 release feature set is now complete and documented at: http://k5wiki.kerberos.org/wiki/Release_1.8 We are on track to deliver 1.8 in March 2010. We also started a blog http://blog.kerberos.org/ Lastly, a reminder that we try to provide some useful information on the site as well: http://www.kerberos.org/docs/ Kind regards, s _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Stephen C. Buckley Executive Director MIT Kerberos Consortium http://www.kerberos.org From Shahezad_Mirkar at bmc.com Fri Nov 20 00:41:39 2009 From: Shahezad_Mirkar at bmc.com (Mirkar, Shahezad) Date: Fri, 20 Nov 2009 11:11:39 +0530 Subject: Kerberos Conference Slides, Release 1.8 In-Reply-To: <1DBE2A1C-CFF6-4E61-AA75-6BFAEA43CBC6@mit.edu> References: <1DBE2A1C-CFF6-4E61-AA75-6BFAEA43CBC6@mit.edu> Message-ID: Thanks -----Original Message----- From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Stephen Buckley Sent: Friday, November 20, 2009 12:11 AM To: kerberos at MIT.EDU Subject: Kerberos Conference Slides, Release 1.8 Hello all, We have put the slides from our Kerberos Conference up on our web site at: http://www.kerberos.org/events/2009conf/ Keynoters included Kim Cameron, Chief Architect for Identity at Microsoft. Also, the 1.8 release feature set is now complete and documented at: http://k5wiki.kerberos.org/wiki/Release_1.8 We are on track to deliver 1.8 in March 2010. 
We also started a blog http://blog.kerberos.org/ Lastly, a reminder that we try to provide some useful information on the site as well: http://www.kerberos.org/docs/ Kind regards, s _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Stephen C. Buckley Executive Director MIT Kerberos Consortium http://www.kerberos.org From rra at stanford.edu Fri Nov 20 19:25:04 2009 From: rra at stanford.edu (Russ Allbery) Date: Fri, 20 Nov 2009 16:25:04 -0800 Subject: pam-krb5 4.1 released Message-ID: <87aaygu3kv.fsf@windlord.stanford.edu> I'm pleased to announce release 4.1 of pam-krb5. pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports extensive configuration either by PAM options or in krb5.conf or both. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal. This release retrieves more PAM data than before to improve logging and also includes a replacement for pam_syslog for systems that don't have it, so I'm particularly interested in test results from non-Linux systems (since I cannot easily test there myself). There may be some portability regressions that will need to be fixed in a follow-on release. Please let me know if there are any problems. Changes from previous release: Return PAM_SUCCESS, not PAM_USER_UNKNOWN, for ignored users in pam_setcred. 
It's safe to return success when doing nothing in pam_setcred because the stack has already been frozen after the authentication step, and returning an error causes the stack to fail on some other Linux PAM implementations. Thanks, Ian Ward Comfort. In the second pass through the password group, prompt for the new password and store it in the PAM data even if the user is being ignored. This is required to allow this module to be stacked with another module that uses use_authtok. Without this behavior, the second module won't be able to work for any ignored user since it will see no saved password and use_authtok will reject the password change. Fix return status from pam_sm_acct_mgmt if we were unable to retrieve PAM_USER. Log successful authentications to syslog with priority LOG_INFO, including the Kerberos principal used for authentication. Log failed authentication to syslog with priority LOG_NOTICE, including roughly the same additional information that the Linux PAM pam_unix logs by default. Use pam_syslog for logging where available. This means pam-krb5 log messages will look like all other log messages for Linux PAM modules on Linux. Change the format of log messages on all platforms to hopefully be somewhat clearer. Rationalize logging. The module should now follow the recommendations of the Linux PAM Module Writers' Guide for log levels. More errors are logged at LOG_ERR instead of LOG_DEBUG, and system resource errors are now logged at LOG_CRIT instead of LOG_ERR. Add additional error and debug logging in places where significant actions or failures may happen without previously being logged. Also add failure information from PAM or Kerberos libraries to messages where appropriate. Add replacement snprintf, vsnprintf, and mkstemp functions for pointless portability to ancient systems. You can download it from: This package is maintained using Git; see the instructions on the above page to access the Git repository. 
Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)

From ioplex at gmail.com Fri Nov 20 19:48:25 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 20 Nov 2009 19:48:25 -0500
Subject: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?
Message-ID: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>

Hi,

Is it possible to acquire credentials using kinit from AD using the userPrincipalName on an AD account if the DNS domain does not match the AD realm?

Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM and userPrincipalName attributes on accounts in AD use the SMTP domain like alice@EXAMPLE.COM, can initial credentials be acquired?

If I try kinit I get:

  $ kinit -f alice@EXAMPLE.COM
  kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials

If I then add the following to my krb5.conf:

  [realms]
    EXAMPLE.COM = {
      dc1.example.local
    }

and try kinit again I get:

  $ kinit -f alice@EXAMPLE.COM
  kinit(v5): KRB5 error code 68 while getting initial credentials

and a capture shows the AS-REQ realm and service realm is EXAMPLE.COM. Error code 68 is KDC_ERR_WRONG_REALM.

Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to have any effect.

Of course using the implied principal name @ works:

  $ kinit -f alice@EXAMPLE.LOCAL
  Password for alice@EXAMPLE.LOCAL: ...

Windows must be able to do this. How does a Windows client know that the SMTP domain should be substituted with a proper realm, and which one?

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From ioplex at gmail.com Fri Nov 20 21:34:33 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 20 Nov 2009 21:34:33 -0500
Subject: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?
In-Reply-To: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
References: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
Message-ID: <78c6bd860911201834n7909b6b3sf99249e481f1be3e@mail.gmail.com>

Well, it's all coming back to me now. It seems this has been discussed before:

http://mailman.mit.edu/pipermail/kerberos/2007-October/012373.html

The userPrincipalName is only used if the principal type is 10 (KRB5_NT_ENTERPRISE_PRINCIPAL, or perhaps GSS_C_NT_ENTERPRISE_PRINCIPAL if GSSAPI supported such a thing). AD will also canonicalize the supplied name in the AS-REP to the sAMAccountName@dnsRoot.

As for the domain, I'm still a little fuzzy there as well. I would have to take some captures to see if the Windows client tries to look up the domain name supplied or if it simply ignores the @domain and sends the AS-REQ to the default authority.

Mike

On Fri, Nov 20, 2009 at 7:48 PM, Michael B Allen wrote:
> Hi,
>
> Is it possible to acquire credentials using kinit from AD using the
> userPrincipalName on an AD account if the DNS domain does not match
> the AD realm?
>
> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
> and userPrincipalName attributes on accounts in AD use the SMTP domain
> like alice@EXAMPLE.COM can initial credentials be acquired?
>
> If I try kinit I get:
>
>   $ kinit -f alice@EXAMPLE.COM
>   kinit(v5): Cannot resolve network address for KDC in realm
> EXAMPLE.COM while getting initial credentials
>
> If I then add the following to my krb5.conf:
>
>   [realms]
>     EXAMPLE.COM = {
>       dc1.example.local
>     }
>
> and try kinit again I get:
>
>   $ kinit -f alice@EXAMPLE.COM
>   kinit(v5): KRB5 error code 68 while getting initial credentials
>
> and a capture shows the AS-REQ realm and service realm is EXAMPLE.COM.
> Error code 68 is KDC_ERR_WRONG_REALM.
>
> Adding .example.com = EXAMPLE.COM to [domain_realm] doesn't appear to
> have any effect.
>
> Of course using the implied principal name @ works:
>
>   $ kinit -f alice@EXAMPLE.LOCAL
>   Password for alice@EXAMPLE.LOCAL: ...
>
> Windows must be able to do this. How does a Windows client know that
> the SMTP domain should be substituted with a proper realm and which
> one?
>
> Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From lukeh at padl.com Sat Nov 21 05:44:13 2009
From: lukeh at padl.com (Luke Howard)
Date: Sat, 21 Nov 2009 11:44:13 +0100
Subject: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?
In-Reply-To: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
References: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
Message-ID:

> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
> and userPrincipalName attributes on accounts in AD use the SMTP domain
> like alice@EXAMPLE.COM can initial credentials be acquired?
>
> If I try kinit I get:
>
> $ kinit -f alice@EXAMPLE.COM
> kinit(v5): Cannot resolve network address for KDC in realm
> EXAMPLE.COM while getting initial credentials

kinit -E -f alice@example.com@EXAMPLE.LOCAL

NB: if this doesn't work in 1.7, try trunk, I think it may have been broken in 1.7.

-- Luke

From ioplex at gmail.com Sat Nov 21 11:16:34 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Sat, 21 Nov 2009 11:16:34 -0500
Subject: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?
In-Reply-To:
References: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com>
Message-ID: <78c6bd860911210816j531b0caay70b40fdcb1d66a06@mail.gmail.com>

On Sat, Nov 21, 2009 at 5:44 AM, Luke Howard wrote:
>> Meaning if I have a realm EXAMPLE.LOCAL and an SMTP domain EXAMPLE.COM
>> and userPrincipalName attributes on accounts in AD use the SMTP domain
>> like alice@EXAMPLE.COM can initial credentials be acquired?
>>
>> If I try kinit I get:
>>
>>   $ kinit -f alice@EXAMPLE.COM
>>   kinit(v5): Cannot resolve network address for KDC in realm
>> EXAMPLE.COM while getting initial credentials
>
> kinit -E -f alice@example.com@EXAMPLE.LOCAL
>
> NB: if this doesn't work in 1.7, try trunk, I think it may have been broken
> in 1.7.

Hi Luke,

I understand now. Unfortunately, in practice, I need much more than kinit. I'm integrated with an old version of Heimdal, so it seems I'll need to work on moving to a newer Heimdal and possibly work on krb5/principal.c:build_principal et al if the latest Heimdal doesn't already have it. I also want to do this with Java, but given the spotted history of Java's builtin Kerberos implementation I don't expect that to be tackled easily. I kinda wish I just had a really solid ASN.1 compiler and crypto lib for the various languages. Ho-hum.

Thanks,
Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From lha at kth.se Sat Nov 21 11:34:46 2009
From: lha at kth.se (Love Hörnquist Åstrand)
Date: Sat, 21 Nov 2009 08:34:46 -0800
Subject: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?
In-Reply-To: <78c6bd860911210816j531b0caay70b40fdcb1d66a06@mail.gmail.com>
References: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com> <78c6bd860911210816j531b0caay70b40fdcb1d66a06@mail.gmail.com>
Message-ID:

>
> I understand now. Unfortunately, in practice, I need much more than
> kinit. I'm integrated with an old version of Heimdal so it seems I'll
> need to work on moving to a newer Heimdal and possibly work on
> krb5/principal.c:build_principal et al if the latest Heimdal doesn't
> already have it.

Heimdal 1.3.1 supports enterprise names, both with PKINIT and with password-based initial credentials fetching.
Love

From lukeh at padl.com Sun Nov 22 06:53:30 2009
From: lukeh at padl.com (Luke Howard)
Date: Sun, 22 Nov 2009 12:53:30 +0100
Subject: MIT kinit with AD userPrincipalName with SMTP domain and not proper realm?
In-Reply-To: <78c6bd860911210816j531b0caay70b40fdcb1d66a06@mail.gmail.com>
References: <78c6bd860911201648p6b1982c6rd47f9239406aa7a8@mail.gmail.com> <78c6bd860911210816j531b0caay70b40fdcb1d66a06@mail.gmail.com>
Message-ID: <3C7D7603-6782-46D8-AD42-11EA6E25468A@padl.com>

Hi Mike,

> I understand now. Unfortunately, in practice, I need much more than
> kinit. I'm integrated with an old version of Heimdal so it seems I'll
> need to work on moving to a newer Heimdal and possibly work on
> krb5/principal.c:build_principal et al if the latest Heimdal doesn't
> already have it. I also want to do this with Java but given the
> spotted history of Java's builtin Kerberos implementation I don't
> expect that to be tackled easily. I kinda wish I just had a really
> solid ASN.1 compiler and crypto lib for the various languages. Ho-hum.

Ah, I assumed you were using MIT. For those that are, there is AS referral support in 1.7, but from memory there are some bugs (which really should be fixed in a patch release). I don't have the details on hand. It definitely works in trunk and thus 1.8.

-- Luke

From chantal at antenna.nl Mon Nov 23 02:04:49 2009
From: chantal at antenna.nl (Chantal Rosmuller)
Date: Mon, 23 Nov 2009 08:04:49 +0100
Subject: kerberos/nfs problems: unmatched host
Message-ID: <200911230804.49793.chantal@antenna.nl>

Hi list,

I can't get kerberos and NFS working on my CentOS 5.4 test servers. This is the error I get:

  Nov 22 11:14:54 nfsserver mountd[3155]: refused mount request from 172.16.153.128 for /export/data (/export/data): unmatched host

Does it have something to do with DNS?
Here's what I did:

SETUP

  nfsserver.domein.nl 172.16.153.129 (vmware guest)
  nfsclient.domein.nl 172.16.153.128 (vmware guest)
  realm: DOMEIN.NL

SERVER

* get time right with ntpd
* disable firewall
* install packages
    yum install krb5-libs krb5-server krb5-workstation
* edit /etc/hosts
    172.16.153.129 nfsserver.domein.nl
    127.0.0.1 nfsserver localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    172.16.153.128 nfsclient.domein.nl
* edit /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMEIN.NL
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMEIN.NL = {
      kdc = nfsserver.domein.nl:88
      admin_server = nfsserver.domein.nl:749
      default_domain = domein.nl
     }

    [domain_realm]
     .domein.nl = DOMEIN.NL
     domein.nl = DOMEIN.NL

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
* edit /var/kerberos/krb5kdc/kdc.conf
    [kdcdefaults]
     v4_mode = nopreauth
     kdc_tcp_ports = 88

    [realms]
     DOMEIN.NL = {
      #master_key_type = des3-hmac-sha1
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
     }
* edit /var/kerberos/krb5kdc/kadm5.acl
    */admin@DOMEIN.NL *
* start services
    /sbin/service krb5kdc start
    /sbin/service kadmin start
    /sbin/service krb524 start
* create database:
    /usr/kerberos/sbin/kdb5_util create -s
* add root principal
    addprinc root/admin
* add host principal
    addprinc host/nfsserver.domein.nl
* add nfs principal
    addprinc nfs/nfsserver.domein.nl
* add client host and nfs principal
    addprinc host/nfsclient.domein.nl
    addprinc nfs/nfsclient.domein.nl
* add keys
    ktadd host/nfsserver.domein.nl
    ktadd -e des-cbc-crc:normal
      nfs/nfsserver.domein.nl
* edit /etc/sysconfig/nfs
    SECURE_NFS="yes"
* edit /etc/idmap.conf
    Domain = domein.nl
* edit /etc/exports
    /export gss/krb5(sync,rw,fsid=0)
* restart nfs
    /sbin/service nfs restart

CLIENT

* get time right with ntpd
* disable firewall
* install packages
    yum install krb5-libs pam_krb5 krb5-workstation
* edit /etc/hosts
    172.16.153.128 nfsclient.domein.nl
    127.0.0.1 nfsclient nfsclient localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6
    172.16.153.129 nfsserver.domein.nl
* copy /etc/krb5.conf from nfsserver
* login with kadmin
* add keys
    ktadd host/nfsclient.domein.nl
    ktadd -e des-cbc-crc:normal nfs/nfsserver.domein.nl
    ktadd -e des-cbc-crc:normal nfs/nfsclient.domein.nl
* mount
    [root@nfsclient ~]# mount -t nfs -o sec=krb5 nfsserver.domein.nl:/ /mnt
    mount: nfsserver.domein.nl:/ failed, reason given by server: Permission denied

SERVER

* tail /var/log/messages
    Nov 22 11:40:42 nfsserver mountd[3155]: refused mount request from 172.16.153.128 for / (/): unmatched host
* More logging:
    [root@nfsserver ~]# rpc.gssd -fvvv
    Using keytab file '/etc/krb5.keytab'
    Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
    We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
    Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
    We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
    Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
    We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
    Processing keytab entry for principal 'host/nfsserver.domein.nl@DOMEIN.NL'
    We will NOT use this entry (host/nfsserver.domein.nl@DOMEIN.NL)
    Processing keytab entry for principal 'nfs/nfsserver.domein.nl@DOMEIN.NL'
    We will use this entry (nfs/nfsserver.domein.nl@DOMEIN.NL)
    Using (machine) credentials cache: 'MEMORY:/tmp/krb5cc_machine_DOMEIN.NL'

I have no idea what I am doing wrong here; I reinstalled kerberos/nfs a lot of times and
checked a lot of howtos.......... Does anyone have any idea? Can it have anything to do with the fact that they are vmware guests and I use NAT networking, or did I do something wrong in the configuration?

From ulysse31 at gmail.com Mon Nov 23 05:28:56 2009
From: ulysse31 at gmail.com (Ulysse 31)
Date: Mon, 23 Nov 2009 11:28:56 +0100
Subject: KfW 3.2.2 and Windows XP client login window
Message-ID: <2b8c94520911230228v3c1cf194k7c19cc981f57c00c@mail.gmail.com>

Hi,

I am actually testing kerberos interoperability with windows on a SAMBA NT 2000 domain, and I'm having some troubles. Before I try to explain the problem, here's what I have:

- I have a SAMBA NT 2000 domain with LDAP backend and an MIT Kerberos with LDAP backend (same LDAP database).
- Users' account passwords are synced (SAMBA/KERBEROS) by using our intranet.
- The realm of the NT domain and of Kerberos are the same.
- I have 2 machines, one virtual machine with XP SP3 and the other a Dell with the original Dell system updated (XP SP3 but with some Dell tools); both are members of an NT 2000 samba domain (NT 2000 with LDAP backend).
- On both clients I have installed Network Identity Manager 3.2.2.

Now here's the problem:

- When I log in to the virtual machine, I just type the password in the windows login window, and with the correct krb5.ini I automatically get a ticket from the KDC (without having to retype the password in "Obtain Credentials"). I suppose it uses MSLSA import ... which is the exact behaviour that I want.
- When I log in to the Dell machine, the "Obtain Credentials" window pops up and asks me to log in; apparently it does NOT use MSLSA, which is NOT what I want.

I first installed KfW on the virtual machine, configured the krb5.ini, and when I got a working configuration file, I copied the krb5.ini and gave it to the KfW installation wizard on the Dell, so it should normally act the same way as on the virtual machine.
And of course I have checked the configuration by comparing the netidmgr settings between the two machines; they are the same...

Since there were some Dell utilities, I thought it could come from those, and uninstalled all of them ... it is still acting the same way ...

Does somebody know where this problem could come from, or just a way to get more logs from netidmgr?

Thanks a lot,

-- 
Gomes do Vale Victor
Systems, Networks and Security Engineer

From derplueck at gmx.de Mon Nov 23 08:20:24 2009
From: derplueck at gmx.de ("kai plückhahn")
Date: Mon, 23 Nov 2009 14:20:24 +0100
Subject: create principals fails
Message-ID: <20091123132024.139990@gmx.net>

I often read this question, but have never seen an answer.

I want to have openldap as a backend to kerberos.
- kerberos 5
- openldap 2.4

I could create the subtree in the DIT. But when I try to create principals with kadmin, it fails.

My first step was that I created the conf files... kdc.conf and krb5.conf. After this I created the subtree and the stash-pws with kdb5_ldap_util. But then... creating principals with kadmin or kadmin.local fails.

In my book there is a note that I have to create first of all a local database with kdb5_util create -s to use the kadmin.local interface without problems...

How do I have to create the principals, is there a trick?

I don't know. Please help me.

-- 
FREE for all GMX members: the maxdome Movie-FLAT! Activate it now at http://portal.gmx.net/de/go/maxdome01

From ghudson at MIT.EDU Mon Nov 23 23:19:39 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 23 Nov 2009 23:19:39 -0500
Subject: create principals fails
In-Reply-To: <20091123132024.139990@gmx.net>
References: <20091123132024.139990@gmx.net>
Message-ID: <1259036379.616.67.camel@ray>

On Mon, 2009-11-23 at 08:20 -0500, "kai plückhahn" wrote:
> I could create the subtree in the DIT. But when I try to create
> principals with kadmin, it fails.
Can you show a transcript of the command and the error message it fails with?

From derplueck at gmx.de Tue Nov 24 05:20:58 2009
From: derplueck at gmx.de ("kai plückhahn")
Date: Tue, 24 Nov 2009 11:20:58 +0100
Subject: create principals fails
In-Reply-To: <20091123132024.139990@gmx.net>
References: <20091123132024.139990@gmx.net>
Message-ID: <20091124102058.199670@gmx.net>

Yes, of course. But I think I have to offer you some further information.

The kerberos authentication worked before I wanted openldap as back-end. Then I wanted to switch to the openldap backend without setting up a clear system...

... the subtree is ok. <-- in the DIT.
the conf-files are ok. I hope so!
slapd.conf modified for kerberos. I think this is not the problem, too.
stashpw generated. <-- file is there with both pws.
-no service is started-

Now I want to create a root user with the command kadmin.local. But it fails with

  Authenticating as principal root/admin@LOCAL with password.
  kadmin.local: Server error while initializing kadmin.local interface

When I now switch the krb5.conf to the old one, I can start kadmin.local and I can start the services. But when I now try to start the kadmin interface, there is no root (admin) user in the DIT with which I can authenticate.

I don't know what the problem could be... :(

-------- Original Message --------
> Date: Mon, 23 Nov 2009 14:20:24 +0100
> From: "kai plückhahn"
> To: kerberos at mit.edu
> Subject: create principals fails

> I often read this question, but never seen an answer.
> I want to have openldap as a backend to kerberos.
> - kerberos 5
> - openldap 2.4
>
> I could create the subtree in the DIT. But when I try to create principals
> with kadmin, it fails.
> My first step was that I created the conf files... kdc.conf and
> krb5.conf. After this I created with the kdb5_ldap_util the subtree and the stash-pws.
> But then... to create principals with kadmin or kadmin.local fails.
> In my book there is a note that I have to create first of all a local
> database with kdb5_util create -s to use the kadmin.local interface without
> problems...
>
> How do I have to create the principals, is there a trick?
>
> I don't know. Please help me.
> --
> FREE for all GMX members: the maxdome Movie-FLAT!
> Activate it now at http://portal.gmx.net/de/go/maxdome01

-- 
Download now for free: Internet Explorer 8 and Mozilla Firefox 3.5 - safer, faster and simpler! http://portal.gmx.net/de/go/chbrowser
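The realm-selection behaviour argued over in the kinit/userPrincipalName thread above (why `kinit -f alice@EXAMPLE.COM` puts EXAMPLE.COM into the AS-REQ and draws KDC_ERR_WRONG_REALM from a KDC reached through a hand-written [realms] stanza, what `kinit -E -f alice@example.com@EXAMPLE.LOCAL` changes, and why a `[domain_realm]` line has no bearing on it), as an added Python illustration written for this archive page. It is a model, not code from MIT krb5, Heimdal or any poster. Assumptions: the parsing rules follow MIT's documented krb5_parse_name_flags behaviour (backslash escapes; in a normal name the first unescaped '@' starts the realm and '/' splits components; in an enterprise name the first '@' belongs to the single name component, only the second starts the realm, and '/' is not special), and the [domain_realm] lookup tries the exact host name, then each parent domain with a leading dot, then the default realm. The DOMAIN_REALM table is constructed from the two krb5.conf fragments posted in the thread; `parse_principal`, `host_realm`, `Principal` and the EXAMPLE.LOCAL default realm are this example's own choices.

```python
"""Added illustration: how an MIT-style Kerberos client picks the realm that
goes into an AS-REQ.  Model only; not libkrb5's or Heimdal's own code."""
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1              # RFC 4120 name types
KRB5_NT_ENTERPRISE_PRINCIPAL = 10  # the type AD needs to match userPrincipalName


@dataclass
class Principal:
    components: list
    realm: str
    name_type: int


def parse_principal(text, default_realm, enterprise=False):
    """Split 'comp1/comp2@REALM' into components, realm and name type.

    Assumed rules (modelled on MIT's documented krb5_parse_name_flags):
      - a backslash makes the next character literal;
      - normal name: first unescaped '@' starts the realm, '/' separates
        components, a second '@' is malformed;
      - enterprise name (kinit -E): the first unescaped '@' is part of the
        single name component, only the second '@' starts the realm, and
        '/' is not special;
      - no realm given: the default realm from krb5.conf is used.
    """
    comps, buf, realm = [], [], None
    seen_at = False                      # enterprise name already owns its '@'
    i = 0
    while i < len(text):
        c = text[i]
        target = buf if realm is None else realm
        if c == '\\' and i + 1 < len(text):
            target.append(text[i + 1])   # escaped character is literal
            i += 2
            continue
        if realm is not None:
            if c == '@':
                raise ValueError("malformed principal: second '@' in %r" % text)
            realm.append(c)
        elif c == '@' and enterprise and not seen_at:
            seen_at = True
            buf.append(c)                # 'alice@example.com' stays one component
        elif c == '@':
            comps.append(''.join(buf))   # realm separator
            buf, realm = [], []
        elif c == '/' and not enterprise:
            comps.append(''.join(buf))   # component separator
            buf = []
        else:
            buf.append(c)
        i += 1
    if realm is None:                    # no realm separator: default realm
        comps.append(''.join(buf))
        realm_text = default_realm
    else:
        realm_text = ''.join(realm)
    name_type = KRB5_NT_ENTERPRISE_PRINCIPAL if enterprise else KRB5_NT_PRINCIPAL
    return Principal(comps, realm_text, name_type)


# Constructed [domain_realm] table combining the two krb5.conf fragments
# posted in the thread (the .example.com line and the domein.nl lines).
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    ".domein.nl": "DOMEIN.NL",
    "domein.nl": "DOMEIN.NL",
}


def host_realm(hostname, mapping=DOMAIN_REALM, default_realm="EXAMPLE.LOCAL"):
    """Map a *host name* to a realm through [domain_realm].

    Assumed lookup order: exact host name, then each parent domain with a
    leading dot (longest first), then the default realm.  This lookup is
    applied to host names when building service principals such as
    nfs/nfsserver.domein.nl@...; it is not applied to the realm part of a
    user name handed to kinit, so a .example.com entry cannot change the
    AS-REQ realm for alice@EXAMPLE.COM.
    """
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm


if __name__ == "__main__":
    # The kinit arguments from the thread, with EXAMPLE.LOCAL as default realm.
    for name, ent in [("alice@EXAMPLE.COM", False),
                      ("alice@example.com@EXAMPLE.LOCAL", True),
                      ("alice@EXAMPLE.LOCAL", False)]:
        p = parse_principal(name, "EXAMPLE.LOCAL", ent)
        print("%-34s -> components=%s realm=%s type=%d"
              % (name, p.components, p.realm, p.name_type))
    print("nfsserver.domein.nl ->", host_realm("nfsserver.domein.nl"))
```

Running the block prints the three cases side by side: the plain name yields realm EXAMPLE.COM with name type 1, which is the realm the capture in the thread showed in the AS-REQ; the enterprise form keeps `alice@example.com` as one component with name type 10 and addresses EXAMPLE.LOCAL, which is what the `-E` suggestion relies on. A backslash-escaped `alice\@example.com@EXAMPLE.LOCAL` parses to the same strings as the enterprise form but with name type 1, so the KDC would not treat it as a userPrincipalName lookup.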