From: john.hefferman at cern.ch (John Hefferman)
Date: Fri, 2 Oct 2009 10:34:29 +0200
Subject: msktutil requires separate account for each service principal?
References: <4AC3237D.60001@censornet.com>
Message-ID: <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch>

Dear list,

To my knowledge (and after some tests), msktutil requires a separate account in Active Directory for each service principal needed for a machine.

For instance, if a Linux computer is going to need a host/ and an http/ service principal it would be necessary to run msktutil twice, such as:

msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k linuxComputer.keytab --server domainControllerFqdn

msktutil -h fqdn --computer-name linux-computer-http --verbose -s http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn

I just wanted to confirm this was the case, or whether it is possible to have both host/ and http/ under the same account in AD.

Thanks in advance for any help,

John

From: remi.ferrand at cc.in2p3.fr (Remi Ferrand)
Date: Fri, 02 Oct 2009 10:57:24 +0200
Subject: Ticket Granting Ticket forge
Message-ID: <4AC5C074.6070805@cc.in2p3.fr>

Hi,

I'm working with MIT Kerberos5 1.6.3.

I would like to be able to refresh an existing TGT on my local machine, without using the KDC.

My first idea was to decrypt the TGT, modify its information (start time, end time, renewable time) and encrypt it again.

Is it possible? Which key of the KDC do I need to do this little hack? (the Master Key K/M at REALM?)

I'm reading the source code of the subdir src/kdc/ and especially do_tgs_req.c. I hope it could work ...

Thanks in advance

Remi

-- 
Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/

From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 2 Oct 2009 07:23:33 -0400
Subject: Ticket Granting Ticket forge
In-Reply-To: <4AC5C074.6070805@cc.in2p3.fr>
References: <4AC5C074.6070805@cc.in2p3.fr>
Message-ID: <96013C9E-3A1D-46CA-A25D-0DADB9D9DA73@mit.edu>

On Oct 2, 2009, at 04:57, Remi Ferrand wrote:
> I'm working with MIT Kerberos5 1.6.3
>
> I would like to be able to refresh an existing TGT on my local
> machine, without using the KDC.
>
> My first idea was to decrypt the TGT, modifying its informations
> (start time, end time, renewable time) and encrypt it again.
>
> Is it possible ?
> Which key of the KDC do I need to do this little hack ? (the Master
> Key K/M at REALM ?)

You would need the key for the krbtgt/YOUR.REALM at YOUR.REALM principal in order to do this. In fact, with that key, you can forge a TGT for any client principal at all, without needing an existing TGT, so if anyone else gets their hands on it, your realm's security is compromised. So unless your local machine is secure enough that you could run a KDC on it, this would be a really bad idea. And even then, running a KDC as root is probably a better idea than leaving the TGS key sitting around accessible under your regular account.

Ken

From: nigelbenns at rogers.com (Nigel Benns)
Date: Fri, 2 Oct 2009 07:17:38 -0700 (PDT)
Subject: Proxy authentication
Message-ID: <252762.13008.qm@web88006.mail.re2.yahoo.com>

Hi,

I'm trying to get mod_auth_kerb to proxy the HTTP service ticket to a weblogic installation. Both Apache and Weblogic can already authenticate via kerberos on their own; I just need to be able to get the HTTP ticket for weblogic on the apache/mod_auth_kerb server.

I have been trying to get this to work for a while now and am getting frustrated with it.

I am using Solaris 10 for both the apache server and the weblogic server. Weblogic version is 10.1. We are using Windows 2003 AD for the KDC and I have given the apache server's service account delegation ability to the weblogic server's HTTP service principal.

Anyone have any ideas about how to get this to work?

From: nigelbenns at rogers.com (Nigel Benns)
Date: Fri, 2 Oct 2009 09:48:41 -0700 (PDT)
Subject: Proxy authentication
In-Reply-To: <252762.13008.qm@web88006.mail.re2.yahoo.com>
Message-ID: <357143.28213.qm@web88007.mail.re2.yahoo.com>

I would like to add, I don't really care if I use proxying or forwarding, as long as it works.

________________________________________________
Kerberos mailing list     Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

From: remi.ferrand at cc.in2p3.fr (Remi Ferrand)
Date: Fri, 02 Oct 2009 18:58:23 +0200
Subject: Ticket Granting Ticket forge
In-Reply-To: <96013C9E-3A1D-46CA-A25D-0DADB9D9DA73@mit.edu>
References: <4AC5C074.6070805@cc.in2p3.fr> <96013C9E-3A1D-46CA-A25D-0DADB9D9DA73@mit.edu>
Message-ID: <4AC6312F.8040305@cc.in2p3.fr>

Ken Raeburn wrote:
> You would need the key for the krbtgt/YOUR.REALM at YOUR.REALM principal
> in order to do this. In fact, with that key, you can forge a TGT for
> any client principal at all, without needing an existing TGT, so if
> anyone else gets their hands on it, your realm's security is
> compromised. So unless your local machine is secure enough that you
> could run a KDC on it, this would be a really bad idea. And even
> then, running a KDC as root is probably a better idea than leaving the
> TGS key sitting around accessible under your regular account.
>
> Ken

I'm sure I'm very close to my goal, but it's still not working ...

My keytab has been created using:

# kadmin.local -q 'ktadd -k /tmp/krbtgt.keytab -norandkey krbtgt/TEST.IN2P3.FR at TEST.IN2P3.FR'

My cache has been fed with:

# kinit test
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test at TEST.IN2P3.FR

Valid starting     Expires            Service principal
10/02/09 18:15:12  10/03/09 04:15:12  krbtgt/TEST.IN2P3.FR at TEST.IN2P3.FR
        renew until 10/03/09 18:15:11

I've written a little program to try to decrypt the TGT. This program is compiled using these libraries: -lkrb5 -lkadm5srv -lkadm5clnt -lkdb5

The main steps are:

* read the keytab using krb5_kt_resolve, krb5_kt_start_seq_get, krb5_kt_next_entry, krb5_kt_end_seq_get. This step gives me a krb5_keytab_entry structure.
* retrieve the TGT from the ticket cache using krb5_cc_default, krb5_cc_set_flags, krb5_cc_start_seq_get, krb5_cc_next_cred. This step gives me a krb5_creds structure.
* My program then tries to decode the ticket using krb5_decode_ticket and everything is successful.
* The next step is to decrypt the TGT ticket with krb5_decrypt_tkt_part, but I encounter an error of this kind:

forge: Program lacks support for encryption type decrypting with krb5_decrypt_tkt_part

Debugging with GDB confirms that the krbtgt entry read from the keytab has an enctype of 16 (Triple DES cbc mode with HMAC/sha1) and that the ticket granting ticket krbtgt read from the cache has the same enctype.

Has anyone already encountered this kind of error using the MIT Kerberos V API? Do I have to load ciphers anywhere?

If you want me to send you my code, just ask and I'll send it ...

The main part of my code has been inspired by kinit or the src/kdc/* utilities.

Thanks in advance

Remi

-- 
Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/

From: tlyu at MIT.EDU (Tom Yu)
Date: Fri, 02 Oct 2009 14:33:45 -0400
Subject: FW: Windows 7 Kerb bug
In-Reply-To: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> (Alexander Kozlov's message of "Tue, 29 Sep 2009 16:10:37 -0400")
References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu>

Alexander Kozlov writes:

> Hi,
>
> We run Windows 7 release project and got this report about Kerberos client issue with Windows 7. Are there any plans to update the client or windows client has been discontinued? Can you provide us with an update on any plans on a new client?
>
> Thanks,
>
> Alex

We have a kfw-3.2.3 release in alpha testing. It should work on Windows 7 and amd64 Windows.

http://web.mit.edu/kerberos/dist/testing.html

The problem described below appears to be an OpenAFS issue, not a KfW issue, though.

> _________________
> Important: MIT IT staff will *NEVER* ask you for your password, nor will MIT send you email requesting your password information. Please continue to ignore any email messages that claim to require you to provide such information.
>
> Alexander Kozlov
> Windows Platform Coordinator
> Software Release Team
> Information Services and Technology
> N42- 250C
> (617) 253-5103
>
>
> -----Original Message-----
> From: Patrick M McNeal [mailto:mcneal at MIT.EDU]
> Sent: Friday, September 25, 2009 10:39 AM
> To: akozlov at mit.edu
> Subject: Fwd:Windows 7 Kerb bug
>
> FYI
>
> Begin forwarded message:
>
>> From: Arthur P Prokosch
>> Date: September 25, 2009 10:22:39 AM EDT
>> To: "mcneal at mit.edu"
>> Subject: MacOS 10.6 licenses? and, Windows 7 Kerb bug
>>
>> Also, I wanted to pass on a report that we had of Kerberos for Windows hogging CPU and refusing to quit under Windows 7. Can you direct it to the right place (MIT's "manager of the Microsoft PSS account" was suggested), or is there somewhere else I should email this report to?
>>
>> Ridiculous amounts of detail follows.
>> Thanks,
>> -arthur.
>>
>> Subject: Bug in Windows 7 RTM causing netidmgr to max out CPU and can't be killed
>> Date: Thu, 20 Aug 2009 10:19:53 -0400
>> To: help at csail.mit.edu
>> From: Johnny Russ
>>
>> I am running Windows 7 on my machine at home. I know that it isn't supported by you guys obviously. However, I was having a problem with network identity manager becoming unresponsive sometimes, so I contacted the kerberos mailing list and Jeffrey Altman helped me track down a bug. Our conversation is detailed below. He came to the conclusion that this is a Windows 7 bug and said that the best way to file it is through the individual that manages the Microsoft PSS at MIT. I couldn't figure out who this was. So I thought I would pass this along to TIG in hopes that the info can get to the right person. Also I thought you might want to know so that maybe some problems can be avoided when Windows 7 gets more popular in a few months.
>>
>>
>>
>> Forwarded conversation
>> Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
>> ------------------------
>>
>> From: *Johnny Russ*
>> Date: Sat, Aug 15, 2009 at 3:40 PM
>> To: kerberos at mit.edu
>>
>> I have a desktop PC running Windows 7 32-bit and a laptop running Windows 7 64-bit. I use kerberos and network identity manager to access my AFS files. Everything seems to work fine. Except that randomly (every few days or so) I will notice my CPU is maxed out. When I check the task manager netidmgr.exe and explorer.exe will be the 2 processes that are maxing out the CPU. This usually happens when I am not even directly using netidmgr or AFS. I cannot kill them from task manager, with taskkill, or with pskill from sysinternals. I have to reboot to stop them from maxing out the CPU.
>>
>> I realize that Windows 7 is not officially supported or even officially released yet, but it will be soon. Network Identity Manager, Kerberos, and AFS all seem to work fine without any issues. I was just curious if anybody else is running Windows 7 and seeing this issue. How can I confirm that this is actually a bug when running under Windows 7? Or even better any ideas how to avoid it would be appreciated.
>>
>> ---------
>>
>> From: *Johnny Russ*
>> Date: Tue, Aug 18, 2009 at 7:35 PM
>> To: netidmgr at secure-endpoints.com
>>
>> Here is a process monitor log file. I have filtered out everything but explorer.exe, netidmgr.exe and afsd_service.exe. I had to truncate the log file because it was too big. After what I have in the log file explorer.exe continuously puts out the "CreateFile" operations with the "NAME NOT FOUND" result. I don't see any more events from netidmgr or afsd_service. Let me know if there is something else I can provide.
>>
>> ----------
>> From: *Jeffrey Altman*
>> Date: Tue, Aug 18, 2009 at 8:22 PM
>> To: jruss at mit.edu, netidmgr at secure-endpoints.com
>>
>> afsd_service.exe is writing frequently to the Windows Application Event Log. What events are being logged?
>>
>> ----------
>> From: *Jeffrey Altman*
>> Date: Tue, Aug 18, 2009 at 8:25 PM
>> To: jruss at mit.edu, netidmgr at secure-endpoints.com
>>
>> I do not see a lot of activity from netidmgr.exe but I do see a ton from explorer.exe. Explorer.exe is attempting to open C:\Windows\CSC\v2.0.6\namespace\afs which might imply that \\AFS was marked for use as an offline folder. Can you check that?
>>
>> ----------
>> From: *Johnny Russ*
>> Date: Wed, Aug 19, 2009 at 9:26 AM
>> To: netidmgr at secure-endpoints.com
>>
>> I have attached an event file for the events that AFS was triggering at the time I created the process monitor log. It is a "Warning" and it says, "Unable to Send SMB Packet: NRC_SABORT session ended abnormally."
>>
>> ----------
>> From: *Jeffrey Altman*
>> Date: Wed, Aug 19, 2009 at 9:32 AM
>> To: jruss at mit.edu
>>
>> What is the output of "nbtstat -n" and "nbtstat -S" at the time of the error?
>>
>> Please also send the afsd_init.log at the time of the error.
>>
>> ----------
>> From: *Johnny Russ*
>> Date: Wed, Aug 19, 2009 at 9:34 AM
>> To: netidmgr at secure-endpoints.com
>>
>> On Tue, Aug 18, 2009 at 8:25 PM, Jeffrey
>> I am not able to access that folder. I can get to C:\Windows\CSC but when I try to enter v2.0.6 it says that I don't have authorization, even with administrative privileges. If I go into the security settings it says I am not authorized to see that either. It says that it is unable to show me who the owner is. I could try taking ownership but I didn't want to do that, because I don't really know what the function of that folder is.
>>
>> I looked at the standard offline folders dialogue, and I don't see any reference to AFS in my current offline folders. There is an entry for "jruss" which may refer to my local home directory or to the one I have mapped via AFS; I couldn't find any way to tell. But it is empty.
>>
>> ----------
>> From: *Johnny Russ*
>> Date: Wed, Aug 19, 2009 at 9:38 AM
>> To: jaltman at secure-endpoints.com
>>
>> I will have to wait to recreate the problem before I can check these. Here are the entries from afsd_init.log just prior to when I took the log from process monitor:
>>
>> 8/18/2009 6:40:57 PM: smb_LanAdapterChange
>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_BRIDGE, retrying ...
>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_NOWILD, retrying ...
>>
>> ----------
>> From: *Jeffrey Altman*
>> Date: Wed, Aug 19, 2009 at 9:45 AM
>> To: jruss at mit.edu
>>
>> The netbios name mapping for the "AFS" name has been lost. Attempts to contact \\AFS will fail. My guess is that the SMB redirector is forcing offline mode and this is causing pioctl requests to fail in a weird way.
>>
>> This may be a change in behavior / bug in the Microsoft SMB redirector.
>>
>> The next time the problem occurs I want you to add the following value to the registry
>>
>> HKLM\SOFTWARE\OpenAFS\Client DWORD "IoctlDebug" 0x01
>>
>> and then from a command prompt execute "tokens" and then send me the output.
>>
>> ----------
>> From: *Johnny Russ*
>> Date: Thu, Aug 20, 2009 at 9:09 AM
>> To: jaltman at secure-endpoints.com
>>
>> Sorry, everything behaved fine all day yesterday. This morning things are off again but it is only explorer.exe that is eating CPU cycles. I can get kerberos tickets but no AFS tokens in Network Identity Manager. I checked the afsd_init.log and it had that same error at the very bottom. I checked and the AFS service is running. Here are the outputs from the terminal that you requested:
>>
>> C:\Users\jruss>nbtstat -n
>>
>> AFS:
>> Node IpAddress: [10.254.254.253] Scope Id: []
>>
>>                 NetBIOS Local Name Table
>>
>>        Name               Type         Status
>>     ---------------------------------------------
>>     OPTIMUS        <00>  UNIQUE      Registered
>>     RUSSHOME       <00>  GROUP       Registered
>>     RUSSHOME       <1E>  GROUP       Registered
>>     RUSSHOME       <1D>  UNIQUE      Registered
>>     ..__MSBROWSE__.<01>  GROUP       Registered
>>     AFS            <20>  UNIQUE      Registered
>>
>> C:\Users\jruss>nbtstat -S
>>
>> AFS:
>> Node IpAddress: [10.254.254.253] Scope Id: []
>>
>>     NetBIOS Connection Table
>>
>>     Local Name             State    In/Out  Remote Host           Input   Output
>>     ----------------------------------------------------------------------------
>>     AFS                    Listening
>>
>> C:\Users\jruss>tokens
>>
>> Tokens held by the Cache Manager:
>>
>> pioctl CreateFile(\\afs\all\_._AFS_IOCTL_._) failed: 0x40
>> [The specified network name is no longer available.
>> ]
>> pioctl SamCompatible logon user: [Optimus\jruss]
>> pioctl WNetAddConnection2(\\afs,Optimus\jruss) failed: 0x40
>> pioctl WNetAddConnection2(\\afs\all,Optimus\jruss) failed: 0x40
>> AFS device may not have started
>>
>> ----------
>> From: *Jeffrey Altman*
>> Date: Thu, Aug 20, 2009 at 9:32 AM
>> To: jruss at mit.edu
>>
>> This is a bug in Windows 7. Please file a bug report with Microsoft. Notice that "AFS" is a registered Netbios name on the adapter with address 10.254.254.253 and yet attempts to access \\afs\all\ fail with
>>
>> Jeffrey Altman
>>
>> ----------
>> From: *Johnny Russ*
>> Date: Thu, Aug 20, 2009 at 9:43 AM
>> To: jaltman at secure-endpoints.com
>>
>> Thanks for helping me track this down. Would it be worthwhile posting this with OpenAFS? What is the best way to file a bug with Microsoft?
>>
>> ----------
>> From: *Jeffrey Altman*
>> Date: Thu, Aug 20, 2009 at 9:51 AM
>> To: jruss at mit.edu
>>
>> There is nothing that I can do as OpenAFS Gatekeeper on this issue until a bug is filed with Microsoft.
>> The best way for it to be filed would be for the manager of the Microsoft PSS account at MIT to do so.
>> Otherwise, you can file it as an individual.
>>
>> Jeffrey Altman
>
>
> --Patrick

From: huaraz at moeller.plus.com (Markus Moeller)
Date: Fri, 2 Oct 2009 20:21:02 +0100
Subject: msktutil requires separate account for each service principal?
In-Reply-To: <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch>
References: <4AC3237D.60001@censornet.com> <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch>

John,

That is correct. msktutil updates the key of the computer account. So the second msktutil call with the same computer-name will make the first entry invalid. But you can have host and http assigned to the same AD account if you use other tools like net ads join with net ads keytab.

Regards
Markus

From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 02 Oct 2009 15:33:04 -0500
Subject: msktutil requires separate account for each service principal?
References: <4AC3237D.60001@censornet.com> <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch>
Message-ID: <4AC66380.5010709@anl.gov>

Markus Moeller wrote:
> John,
>
> That is correct. msktutil updates the key of the computer account. So the
> second msktutil call with the same computer-name will make the first entry
> invalid. But you can have host and http assigned to the same AD account if
> you use other tools like net ads join with net ads keytab.

You can also use the msktutil feature to have multiple entries in the same keytab, for example principals for host and HTTP. They both have the same key, which may not be what you really want. To do this use multiple -s options when you create the keytab and account. Note that in AD they will each have an SPN, but a common UPN, in case you want to use kinit with a keytab.

IMHO I would use separate accounts for each principal.

> Regards
> Markus

-- 

Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: john.hefferman at cern.ch (John Hefferman)
Date: Mon, 5 Oct 2009 09:57:43 +0200
Subject: msktutil requires separate account for each service principal?
In-Reply-To: <4AC66380.5010709@anl.gov>
References: <4AC3237D.60001@censornet.com> <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch> <4AC66380.5010709@anl.gov>
Message-ID: <471AD4CD1F3AC846911E0C520A522E7204503074@cernxchg74.cern.ch>

Thank you both for your replies. Using msktutil with multiple -s options would probably be better.

> IMHO I would use separate accounts for each principal.

Other than only being able to kinit -k as one of the SPNs, and having to specify all SPNs if a new SPN is to be added, are there any other disadvantages to doing it this way?

Thanks again,

John

From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 05 Oct 2009 05:23:10 -0400
Subject: FW: Windows 7 Kerb bug
References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu>
Message-ID: <4AC9BAFE.3050405@secure-endpoints.com>

The problem is not an OpenAFS issue. The problem is a bug in netbios name resolution in Windows 7. Concerned organizations should report the issue to Microsoft in order to ensure that it will be fixed.

Jeffrey Altman

Tom Yu wrote:
> We have a kfw-3.2.3 release in alpha testing. It should work on
> Windows 7 and amd64 Windows.
>
> http://web.mit.edu/kerberos/dist/testing.html
>
> The problem described below appears to be an OpenAFS issue, not a KfW
> issue, though.
>> >>> From: Arthur P Prokosch >>> Date: September 25, 2009 10:22:39 AM EDT >>> To: "mcneal at mit.edu" >>> Subject: MacOS 10.6 licenses? and, Windows 7 Kerb bug >>> >>> Also, I wanted to pass on a report that we had of Kerberos for Windows >>> hogging CPU and refusing to quit under Windows 7. Can you direct it >>> to >>> the right place (MIT's "manager of the Microsoft PSS account" was >>> suggested), or is there somewhere else I should email this report to? >>> >>> Ridiculous amounts of detail follows. >>> Thanks, >>> -arthur. >>> >>> Subject: Bug in Windows 7 RTM causing netidmgr to max out CPU and >>> can't be killed >>> Date: Thu, 20 Aug 2009 10:19:53 -0400 >>> To: help at csail.mit.edu >>> From: Johnny Russ >>> >>> I am running Windows 7 on my machine at home. I know that it isn't >>> supported by you guys obviously. However, I was having a problem with >>> network identity manger becoming unresponsive sometimes, so I >>> contacted >>> the kerberos mailing list and Jeffrey Altman helped me track down a >>> bug. >>> Our conversation is detailed below. He came to the conclusion that >>> this is >>> a Windows 7 bug and said that best way to file it is through the >>> individual that manages the Microsoft PSS at MIT. I couldn't figure >>> out >>> who this was. So I thought I would pass this along to TIG in hopes >>> that >>> the info can get to the right person. Also I thought you might want to >>> know so that maybe some problems can be avoided when Windows 7 gets >>> more >>> popular in a few months. >>> >>> >>> >>> Forwarded conversation >>> Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM >>> ------------------------ 
>>> >>> From: *Johnny Russ* >>> Date: Sat, Aug 15, 2009 at 3:40 PM >>> To: kerberos at mit.edu >>> >>> >>> I have a desktop PC running Windows 7 32-bit and a laptop running >>> Windows 7 64-bit. I use kerberos and network identity manager to >>> access my AFS files. Everything seems to work fine. Except that >>> randomly (every few days or so) I will notice my CPU is maxed out. >>> When I check the task manager netidmgr.exe and explorer.exe will be >>> the 2 processes that are maxing out the CPU. This usually happens when >>> I am not even directly using netidmgr or AFS. I cannot kill them from >>> task manager, with taskkill, or with pskill from sysinternals. I have >>> to reboot to stop them from maxing out the CPU. >>> >>> I realize that Windows 7 is not officially supported or even >>> officially released yet, but it will be soon. Network Identity >>> Manager, Kerberos, and AFS all seem to work fine without any issues. I >>> was just curious if anybody else is running Windows 7 and seeing this >>> issue. How can I confirm that this is actually a bug when running >>> under Windows 7? Or even better any ideas how to avoid it would be >>> appreciated. >>> >>> --------- >>> >>> From: *Johnny Russ* >>> Date: Tue, Aug 18, 2009 at 7:35 PM >>> To: netidmgr at secure-endpoints.com >>> >>> >>> Here is a process monitor log file. I have filtered out everything but >>> exporer.exe netidmgr.exe and afsd_service.exe. I had to truncate the >>> log file because it was too big. After what I have in the log file >>> explorer.exe continuously puts out the "CreateFile" operations with >>> the "NAME NOT FOUND" result. I don't seen any more events from >>> netidmgr or afsd_service. Let me know if there is something else I can >>> provide. >>> >>> ---------- 
>>> From: *Jeffrey Altman* >>> Date: Tue, Aug 18, 2009 at 8:22 PM >>> To: jruss at mit.edu, netidmgr at secure-endpoints.com >>> >>> >>> afsd_service.exe is writing frequently to the Windows Application >>> Event >>> Log. What events are being logged? >>> >>> ---------- >>> From: *Jeffrey Altman* >>> Date: Tue, Aug 18, 2009 at 8:25 PM >>> To: jruss at mit.edu, netidmgr at secure-endpoints.com >>> >>> >>> I do not see a lot of activity from netidmgr.exe but I do see a ton >>> from >>> explorer.exe. Explorer.exe is attempting to open >>> C:\Windows\CSC\v2.0.6\namespace\afs which might imply that \\AFS was >>> marked for use as an offline folder. Can you check that? >>> >>> ---------- >>> From: *Johnny Russ* >>> Date: Wed, Aug 19, 2009 at 9:26 AM >>> To: netidmgr at secure-endpoints.com >>> >>> >>> I have attached an event file for the events that AFS was triggering >>> at the time I created the process monitor log. It is a "Warning" and >>> it says, "Unable to Send SMB Packet: NRC_SABORT session ended >>> abnormally." >>> >>> ---------- >>> From: *Jeffrey Altman* >>> Date: Wed, Aug 19, 2009 at 9:32 AM >>> To: jruss at mit.edu >>> >>> >>> what is the output of "nbtstat -n" and "nbtstat -S" at the time of the >>> error? >>> >>> Please also send the afsd_init.log at the time of the error. >>> >>> ---------- 
>>> From: *Johnny Russ* >>> Date: Wed, Aug 19, 2009 at 9:34 AM >>> To: netidmgr at secure-endpoints.com >>> >>> >>> On Tue, Aug 18, 2009 at 8:25 PM, Jeffrey >>> I am not able to access that folder. I can get to C:\Windows\CSC but >>> when I try to enter v2.0.6 it says that I don't have authorization, >>> even with administrative privileges. If I go into the security >>> settings it says I am not authorized to see that either. It says that >>> it is unable to show me who the owner is. I could try taking ownership >>> but I didn't want to do that, because I don't really know what the >>> function of that folder is. >>> >>> I looked at the standard offline folders dialogue, and I don't see any >>> reference to AFS in my current offline folders. There is an entry for >>> "jruss" which may refer to my local home directory or to the one I >>> have mapped via AFS; I couldn't find any way to tell. But it is empty. >>> >>> ---------- >>> From: *Johnny Russ* >>> Date: Wed, Aug 19, 2009 at 9:38 AM >>> To: jaltman at secure-endpoints.com >>> >>> >>> I will have to wait to recreate the problem before I can check these. >>> Here are the entries from afsd_init.log just prior to when I took the >>> log from process monitor: >>> >>> 8/18/2009 6:40:57 PM: smb_LanAdapterChange >>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_BRIDGE, >>> retrying >>> ... >>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_NOWILD, >>> retrying >>> ... >>> >>> ---------- 
>>> From: *Jeffrey Altman* >>> Date: Wed, Aug 19, 2009 at 9:45 AM >>> To: jruss at mit.edu >>> >>> >>> the netbios name mapping for the "AFS" name has been lost. Attempts to >>> contact \\AFS will fail. My guess is that the SMB redirector is >>> forcing >>> offline mode and this is causing pioctl requests to fail in a weird >>> way. >>> >>> This may be a change in behavior / bug in the Microsoft SMB >>> redirector. >>> >>> The next time the problem occurs I want you to add the following value >>> to the registry >>> >>> HKLM\SOFTWARE\OpenAFS\Client DWORD "IoctlDebug" 0x01 >>> >>> and then from a command prompt execute "tokens" and then send me the >>> output. >>> >>> >>> ---------- 
>>> From: *Johnny Russ* >>> Date: Thu, Aug 20, 2009 at 9:09 AM >>> To: jaltman at secure-endpoints.com >>> >>> >>> Sorry everything behaved fine all day yesterday. This morning things >>> are off again but it is only explorer.exe that is eating CPU cycles. I >>> can get kerberos tickets but no AFS tokens in Network Identity >>> Manager. I checked the afsd_init.log and it had that same error at the >>> very bottom. I checked and the AFS service is running. Here are the >>> outputs from the terminal that you requested: >>> >>> C:\Users\jruss>nbtstat -n >>> >>> AFS: >>> Node IpAddress: [10.254.254.253] Scope Id: [] >>> >>> NetBIOS Local Name Table >>> >>> Name Type Status >>> --------------------------------------------- >>> OPTIMUS <00> UNIQUE Registered >>> RUSSHOME <00> GROUP Registered >>> RUSSHOME <1E> GROUP Registered >>> RUSSHOME <1D> UNIQUE Registered >>> ..__MSBROWSE__.<01> GROUP Registered >>> AFS <20> UNIQUE Registered >>> >>> C:\Users\jruss>nbtstat -S >>> >>> AFS: >>> Node IpAddress: [10.254.254.253] Scope Id: [] >>> >>> NetBIOS Connection Table >>> >>> Local Name State In/Out Remote Host Input >>> Output >>> >>> >>> ---------------------------------------------------------------------------- >>> >>> AFS Listening >>> >>> C:\Users\jruss>tokens >>> >>> Tokens held by the Cache Manager: >>> >>> pioctl CreateFile(\\afs\all\_._AFS_IOCTL_._) failed: 0x40 >>> [The specified network name is no longer available. >>> ] >>> pioctl SamCompatible logon user: [Optimus\jruss] >>> pioctl WNetAddConnection2(\\afs,Optimus\jruss) failed: 0x40 >>> pioctl WNetAddConnection2(\\afs\all,Optimus\jruss) failed: 0x40 >>> AFS device may not have started >>> >>> ---------- 
>>> From: *Jeffrey Altman* >>> Date: Thu, Aug 20, 2009 at 9:32 AM >>> To: jruss at mit.edu >>> >>> >>> This is a bug in Windows 7. Please file a bug report with Microsoft. >>> Notice that "AFS" is a registered Netbios name on the adapter with >>> address >>> 10.254.254.253 and yet attempts to access \\afs\all\ fail with >>> Jeffrey Altman >>> >>> ---------- >>> From: *Johnny Russ* >>> Date: Thu, Aug 20, 2009 at 9:43 AM >>> To: jaltman at secure-endpoints.com >>> >>> >>> Thanks for helping me track this down. Would it be worthwhile posting >>> this with OpenAFS? What is the best way to file a bug with Microsoft? >>> >>> ---------- >>> From: *Jeffrey Altman* >>> Date: Thu, Aug 20, 2009 at 9:51 AM >>> To: jruss at mit.edu >>> >>> >>> There is nothing that I can do as OpenAFS Gatekeeper on this issue >>> until >>> a bug is filed with Microsoft. >>> The best way for it to be filed would be for the manager of the >>> Microsoft PSS account at MIT to do so. >>> Otherwise, you can file it as an individual. >>> >>> Jeffrey Altman >> >> --Patrick >> >> >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3368 bytes Desc: S/MIME Cryptographic Signature Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20091005/a64a482a/smime.bin From jaltman at secure-endpoints.com Mon Oct 5 05:26:08 2009 
From: jaltman at secure-endpoints.com (Jeffrey Altman) Date: Mon, 05 Oct 2009 05:26:08 -0400 Subject: Fwd:Windows 7 Kerb bug In-Reply-To: <8DD7AD829AB61E499A433D6E558110A30843813D@EXPO7.exchange.mit.edu> References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> <8DD7AD829AB61E499A433D6E558110A30843813D@EXPO7.exchange.mit.edu> Message-ID: <4AC9BBB0.1090004@secure-endpoints.com> Richard Edelson wrote: > I have a separate installer the pismere build machine made of 2.6.5 which works fine, it's on DFS: > \\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi While you may believe that kfw 2.6.5 works fine on Vista and Win7, it really doesn't. Microsoft Crash Reporting receives more than 6000 crash reports a month from 2.6.5 leash32.exe, gssapi32.dll and krb5_32.dll. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3368 bytes Desc: S/MIME Cryptographic Signature Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20091005/47d5a030/smime-0001.bin From deengert at anl.gov Mon Oct 5 10:35:15 2009 
From: deengert at anl.gov (Douglas E. Engert) Date: Mon, 05 Oct 2009 09:35:15 -0500 Subject: msktutil requires seperate account for each service principal? In-Reply-To: <471AD4CD1F3AC846911E0C520A522E7204503074@cernxchg74.cern.ch> References: <4AC3237D.60001@censornet.com> <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch> , <4AC66380.5010709@anl.gov> <471AD4CD1F3AC846911E0C520A522E7204503074@cernxchg74.cern.ch> Message-ID: <4ACA0423.9040600@anl.gov> John Hefferman wrote: > Thank you both for your replies. Using msktutil with multiple -s options would probably be better. > >> IMHO I would use separate accounts for each principal. > > Other than only being able to kinit -k as one of the SPN's, and having to specify all SPN's if a new SPN is to be added, are there any other disadvantages to doing it this way? > Keeping the DC and the keytab in sync is the main issue. There may be security issues, if the keytab is shared between two applications not at the same trust level. For example if you run your HTTP server as a non-root user for security reasons, you don't want to share the keytab with the host/fqdn principal. And AD complicates this even more, as with RC4 the same key is used for both. Best to use the conventional Kerberos wisdom of don't share keys between multiple principals. It's not hard to use msktutil in this way, just have a naming convention for the hosts. Use the --computer-name keeping it to 19 characters or less, all lower case. Something like service-simplehostname works well. The base does not have to be in CN=Computers either. Work with your AD admin on a location, and use the msktutil --base option. -- > Thanks again, > > John > > > ________________________________________ 
> From: kerberos-bounces at mit.edu [kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert [deengert at anl.gov] > Sent: 02 October 2009 22:33 > To: Markus Moeller > Cc: kerberos at mit.edu > Subject: Re: msktutil requires seperate account for each service principal? > > Markus Moeller wrote: >> John, >> >> That is correct. msktutil updates the key of the computer account. So the >> second msktutil call with the same computer-name will make the first entry >> invalid. But you can have host and http assigned to the same AD account if >> you use other tools like net ads join with net ads keytab. > > You can also use the msktutil feature to have multiple entries in the same > keytab, for example principals for host and HTTP. They both have the same key > which may not be what you really want. > > To do this use multiple -s options when you create the keytab and > account. Note in AD they will each have an SPN, but a common UPN, in case > you want to use kinit with a keytab. > > IMHO I would use separate accounts for each principal. > >> Regards >> Markus >> >> "John Hefferman" wrote in message >> news:471AD4CD1F3AC846911E0C520A522E7204560F1C at cernxchg74.cern.ch... >>> Dear list, >>> >>> To my knowledge (and after some tests), msktutil requires a separate >>> account in active directory for each service principal needed for a >>> machine. >>> >>> For instance, if a Linux computer is going to need a host/ and a http/ >>> service principal it would be necessary to run msktutil twice, such as: >>> >>> msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k >>> linuxComputer.keytab --server domainControllerFqdn >>> >>> msktutil -h fqdn --computer-name linux-computer-http --verbose -s >>> http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn >>> >>> I just wanted to confirm this was the case, or whether it is possible to >>> have both host/ and http/ under the same account in AD. 
>>> >>> Thanks in advance for any help, >>> >>> John >>> >>> >>> >>> ________________________________________________ >>> Kerberos mailing list Kerberos at mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >>> >> >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> >> > > -- > > Douglas E. Engert > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From nigelbenns at rogers.com Mon Oct 5 14:18:46 2009 From: nigelbenns at rogers.com (Nigel Benns) Date: Mon, 5 Oct 2009 11:18:46 -0700 (PDT) Subject: Proxy authentication In-Reply-To: Message-ID: <430856.79501.qm@web88008.mail.re2.yahoo.com> So these features haven't made it into a release yet? Is there an easier way to set this up without the constrained delegation? --- On Fri, 10/2/09, Luke Howard wrote: From: Luke Howard Subject: Re: Proxy authentication To: "Nigel Benns" Cc: kerberos at mit.edu Received: Friday, October 2, 2009, 3:49 PM > I am using Solaris 10 for both the apache server and weblogic server. Weblogic version is 10.1. > We are using Windows 2003 AD for the KDC and I have given the apache server's service account delegation ability to the weblogic server's HTTP service principal. This (the fact that you have configured a specific principal to delegate to) is constrained delegation, you'll need libgssapi_krb5/libkrb5 from trunk for this. -- Luke From jaltman at secure-endpoints.com Tue Oct 6 06:51:48 2009 
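The keytab-sharing caveat in the msktutil thread above (several SPNs on one AD account mean one key; with RC4 that key is simply the account's password hash) can be checked rather than assumed. What follows is an added example and not code from the list, from msktutil or from MIT Kerberos: it builds a small MIT-format (0x0502) keytab in memory from constructed entries, parses it back the way klist -k does, and reports any distinct principals that carry identical key material. The realm EXAMPLE.COM, the host name and the key bytes are invented for the demonstration; point parse_keytab() at the bytes of a real /etc/krb5.keytab to run the same check on a live system.

```python
"""Find principals that share a key in an MIT-format keytab (added example)."""
import struct
from collections import defaultdict

KEYTAB_MAGIC = b"\x05\x02"      # format 0x0502: big-endian, 32-bit kvno trailer
ENCTYPE_RC4_HMAC = 23           # arcfour-hmac: key is the account's NT hash
ENCTYPE_AES256 = 18
NT_PRINCIPAL = 1


def build_entry(realm, components, kvno, enctype, key, timestamp=0):
    """Serialize one entry; build_keytab() prepends the int32 size."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">II", NT_PRINCIPAL, timestamp)
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)           # optional 32-bit kvno trailer
    return body


def build_keytab(entries):
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        out += struct.pack(">i", len(e)) + e
    return bytes(out)


def parse_keytab(data):
    """Yield (principal, kvno, enctype, key) for each live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab format 0x0502 is handled")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                           # negative size = deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        ncomp, rlen = struct.unpack(">HH", entry[:4]); off = 4
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry[off:off + 2]); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        off += 8                               # name_type + timestamp
        kvno = entry[off]; off += 1
        enctype, klen = struct.unpack(">HH", entry[off:off + 4]); off += 4
        key = entry[off:off + klen]; off += klen
        if len(entry) - off >= 4:              # 32-bit kvno wins when present
            (kvno32,) = struct.unpack(">I", entry[off:off + 4])
            kvno = kvno32 or kvno
        yield "/".join(comps) + "@" + realm, kvno, enctype, key


def shared_keys(data):
    """Groups of distinct principals whose (enctype, key) are identical."""
    by_key = defaultdict(set)
    for princ, _kvno, enctype, key in parse_keytab(data):
        by_key[(enctype, key)].add(princ)
    return sorted(sorted(p) for p in by_key.values() if len(p) > 1)


# Constructed sample (invented realm, host and keys): host/ and HTTP/ were
# created on one AD account with two -s options, so they carry one RC4 key;
# ldap/ sits on its own account and has its own key.
SAMPLE_KEYTAB = build_keytab([
    build_entry("EXAMPLE.COM", ["host", "linux.example.com"], 3, ENCTYPE_RC4_HMAC, b"\x11" * 16),
    build_entry("EXAMPLE.COM", ["HTTP", "linux.example.com"], 3, ENCTYPE_RC4_HMAC, b"\x11" * 16),
    build_entry("EXAMPLE.COM", ["ldap", "linux.example.com"], 5, ENCTYPE_AES256, b"\x22" * 32),
])

if __name__ == "__main__":
    for princ, kvno, enctype, _key in parse_keytab(SAMPLE_KEYTAB):
        print(f"kvno {kvno} enctype {enctype} {princ}")
    for group in shared_keys(SAMPLE_KEYTAB):
        print("WARNING: one key serves", ", ".join(group))
```

If the check lists host/ and HTTP/ together, the web server process that reads the keytab also holds the host key, which is the trust-level problem the thread describes; the remedy is the separate msktutil account per service, each with its own keytab file, as suggested above.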
From: jaltman at secure-endpoints.com (Jeffrey Altman) Date: Tue, 06 Oct 2009 06:51:48 -0400 Subject: Fwd:Windows 7 Kerb bug In-Reply-To: <8DD7AD829AB61E499A433D6E558110A308438349@EXPO7.exchange.mit.edu> References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> <8DD7AD829AB61E499A433D6E558110A30843813D@EXPO7.exchange.mit.edu> <4AC9BBB0.1090004@secure-endpoints.com> <8DD7AD829AB61E499A433D6E558110A308438349@EXPO7.exchange.mit.edu> Message-ID: <4ACB2144.4020100@secure-endpoints.com> Richard: I too am frustrated by the lack of information being distributed by the MIT Kerberos Consortium regarding the future of KFW. I heard a rumor that Network Identity Manager was being removed from KFW last Summer and then KFW 3.2.3 Alpha shipped once again with v1.3. The Consortium Roadmap doesn't even make a reference to KFW. http://k5wiki.kerberos.org/wiki/Roadmap Whether or not the Consortium decides to stop shipping Network Identity Manager with KFW, it is not going away. Version 2.0 has been in a state of being just about ready for nearly six months. There are also active project proposals to implement Network Identity Manager on Linux and MacOS X. If you are aware of issues with Network Identity Manager that have not already been addressed I would like to hear about them. Many of the issues that I am aware of at large sites with complex multi-realm environments such as MIT can be avoided by applying the appropriate configuration information to the MSI as a transform or publishing configuration data via Group Policy to managed machines. One of the areas which has been confusing for sites that deploy Network Identity Manager is a lack of understanding that not all of the functionality that is exported via the user interface is actually part of Network Identity Manager. 
One of the primary development goals of Network Identity Manager was to remove the burden from the MIT Kerberos team of maintaining support for third party derivative credential types such as AFS tokens. Network Identity Manager provides an agnostic framework into which Identity Providers, Credential Providers, and Tool Providers permit the customization of the user experience for the organization based upon the identity sources and credential types required for the organization. Since the MIT Kerberos team could not support arbitrary credential types, there was always pressure from outside to add something new or tweak the support for AFS in a manner required by a local institution. The failure of MIT to respond was a forking of the user experience across institutions. Stanford, UMich, Cornell, Rose-Hulman, and many others had to expend resources to develop their own local credential management tools. Once the credential management tools are being distributed locally the temptation to fork the KFW sources and produce incompatible libraries is quite high. Incompatible libraries at different sites result in a high support cost for application developers. Convincing developers to add support for Kerberos is already hard enough without such challenges. The experience of Secure Endpoints when it was responsible for supporting MIT had significant input into the Network Identity Manager design. MIT has a centralized identity provider (the ATHENA.MIT.EDU realm) but it also has a large number of decentralized Windows domains that are also Kerberos providers. To obtain access to central resources and many of the department AFS cells the ATHENA.MIT.EDU identity must be used. However, the local Windows domain identity was required for accessing other resources. It was critical that users be able to make use of both identities when they are available. 
The primary frustrations that I am aware of with v1.3 are the Leash32 style "obtain credentials dialog" which requires the user to enter the user name, realm, and password along with the lack of a wizard to walk the user through the configuration of third party providers such as the OpenAFS provider. The OpenAFS provider was broken by the referrals support that went into KFW 3.2.x. No bug reports were filed against OpenAFS for more than a year. It was fixed immediately after a report was received but if your users had one of the broken builds I'm sure they were quite frustrated.

In any case, Network Identity Manager v2 includes significant new functionality that is the result of feedback received at the 2007 SOAP conference at Carnegie-Mellon where the application underwent a usability evaluation as well as from the sites which rely upon it as their primary user interface to end users:

1. A new identity creation wizard which prompts the user for the type of identity and walks the user through the creation of the identity and configuration of all of the available credential providers that are compatible with that identity.
2. A new obtain credentials dialog which avoids the need for users to enter their name and realm for each request. Instead, once an identity is defined the users simply select it from a list.
3. Support for multiple identity providers. Kerberos v5 is no longer exclusive. This will permit the addition of X.509 identities in the future which can be used to obtain credentials for multiple Kerberos v5 principals perhaps from multiple realms.
4. A Keystore identity provider is included which permits acquiring TGTs and derived credentials for multiple identities with one local authentication.
5. A new progress dialog that explains what the various credential providers are doing during a new credential acquisition or a renewal.
6. User assignment of icons to each network identity.
7. Addition of an animated battery for each identity which shows valid lifetime and can be used to initiate renewal.
8. Addition of a star to indicate the current default identity instead of a color palette change.

Here are some screen shots:

* http://www.secure-endpoints.com/netidmgr/v2/nim-basic-icons.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-idsel.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-basic-ks.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-idspec.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-adv-ks.PNG
* http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-progress.PNG

A presentation on Network Identity Manager v2 was given at the 2009 AFS & Kerberos Best Practices Workshop by Asanka Herath, Daniel Kouřil, and myself. http://workshop.openafs.org/afsbpw09/thu_3_3.html

Many peer institutions including Stanford University, Carnegie Mellon and FermiLab are extremely happy with Network Identity Manager and Secure Endpoints has a direct channel to their help desks. Whenever there were problems with Network Identity Manager, they were addressed in subsequent releases.

I should point out that due to MIT's discomfort with the switch from Leash32 to NetIdMgr that the KFW 3.2.x 32-bit MSI does include the leash32 binary and MIT can apply a transform to the MSI that will install leash32 and not Network Identity Manager 1.3. If the reason that MIT has continued to ship KFW 2.6.5 for all of these years is a dislike for Network Identity Manager, it has done so for no good reason. Of course, this is only true for 32-bit platforms because Leash32 will not compile on 64-bit platforms.

Regarding Network Identity Manager release schedules, I am hoping to be able to ship v2 by the end of this month. I do not know whether it will be shipped as part of a KFW package, or standalone, or whether the Network Identity Manager distribution will include a bundled Kerberos distribution. 
If you have any questions regarding Network Identity Manager, please feel free to ask them. Jeffrey Altman Secure Endpoints Inc. Richard Edelson wrote: > I actually wanted to get rid of 2.6.5 this summer but I'm still holding off because of issues people are having with NIM. I heard NIM is going away.....do you have info on upcoming release schedules? > > Richard > > > -----Original Message----- > From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] > Sent: Monday, October 05, 2009 5:26 AM > To: redelson at mit.edu > Cc: akozlov at mit.edu; kerberos at mit.edu; windows7-release at mit.edu > Subject: Re: Fwd:Windows 7 Kerb bug > > Richard Edelson wrote: >> I have a separate installer the pismere build machine made of 2.6.5 which works fine, it's on DFS: >> \\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi > > While you may believe that kfw 2.6.5 works fine on Vista and Win7, it > really doesn't. Microsoft Crash Reporting receives more than 6000 > crash reports a month from 2.6.5 leash32.exe, gssapi32.dll and > krb5_32.dll. > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3368 bytes Desc: S/MIME Cryptographic Signature Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20091006/01312901/smime.bin From anu.persist at gmail.com Tue Oct 6 08:27:52 2009 
From: anu.persist at gmail.com (anandhi jay) Date: Tue, 6 Oct 2009 17:57:52 +0530 Subject: Regd. Kerberos not authentication in IE Message-ID: Hi, I have installed the kerberos5 in linux and configured squid for that. From IE6 I configured the squid proxy ipaddress and port. It asked for the username and password. I have given the kerberos principal as username and password for that. But I am getting 407 authentication required response only. Herewith I have given the packets also; I think it is trying for NTLM, but I want kerberos. I have enabled the Enable Internet windows Authentication in the Internet options. Kindly help me to work on the kerberos authentication using squid. GET http://www.whatismyip.com/ HTTP/1.0 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1) Proxy-Connection: Keep-Alive Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== Host: www.whatismyip.com HTTP/1.0 407 Proxy Authentication Required Server: squid/2.6.STABLE22 Date: Tue, 06 Oct 2009 11:24:09 GMT Content-Type: text/html Content-Length: 1311 Expires: Tue, 06 Oct 2009 11:24:09 GMT X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Proxy-Authenticate: Negotiate Proxy-Authenticate: Negotiate received X-Cache: MISS from EXAMPLE.COM Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) Proxy-Connection: close GET http://www.whatismyip.com/ HTTP/1.0 Accept: image/gif, image/jpeg, image/pjpeg, 
image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1) Proxy-Connection: Keep-Alive Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Host: www.whatismyip.com Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== NTLMSSP HTTP/1.0 407 Proxy Authentication Required Server: squid/2.6.STABLE22 Date: Tue, 06 Oct 2009 11:24:10 GMT Content-Type: text/html Content-Length: 1311 Expires: Tue, 06 Oct 2009 11:24:10 GMT X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Proxy-Authenticate: Negotiate Proxy-Authenticate: Negotiate received X-Cache: MISS from EXAMPLE.COM Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) Proxy-Connection: close Regards, anu. From john.hefferman at cern.ch Tue Oct 6 09:50:29 2009 From: john.hefferman at cern.ch (John Hefferman) Date: Tue, 6 Oct 2009 15:50:29 +0200 Subject: msktutil requires seperate account for each service principal? In-Reply-To: <4ACA0423.9040600@anl.gov> References: <4AC3237D.60001@censornet.com> <471AD4CD1F3AC846911E0C520A522E7204560F1C@cernxchg74.cern.ch> ,<4AC66380.5010709@anl.gov> <471AD4CD1F3AC846911E0C520A522E7204503074@cernxchg74.cern.ch> <4ACA0423.9040600@anl.gov> Message-ID: <471AD4CD1F3AC846911E0C520A522E7204560FD5@cernxchg74.cern.ch> We will do it this way, following a naming convention for the extra accounts. Thanks very much for your help on this. John -----Original Message----- 
From: Douglas E. Engert [mailto:deengert at anl.gov] Sent: 05 October 2009 16:35 To: John Hefferman Cc: Markus Moeller; kerberos at mit.edu Subject: Re: msktutil requires seperate account for each service principal? John Hefferman wrote: > Thank you both for your replies. Using msktutil with multiple -s options would probably be better. > >> IMHO I would use separate accounts for each principal. > > Other than only being able to kinit -k as one of the SPN's, and having to specify all SPN's if a new SPN is to be added, are there any other disadvantages to doing it this way? > Keeping the DC and the keytab in sync is the main issue. There may be security issues, if the keytab is shared between two applications not at the same trust level. For example if you run your HTTP server as a non-root user for security reasons, you don't want to share the keytab with the host/fqdn principal. And AD complicates this even more, as with RC4 the same key is used for both. Best to use the conventional Kerberos wisdom of don't share keys between multiple principals. It's not hard to use msktutil in this way, just have a naming convention for the hosts. Use the --computer-name keeping it to 19 characters or less, all lower case. Something like service-simplehostname works well. The base does not have to be in CN=Computers either. Work with your AD admin on a location, and use the msktutil --base option. -- > Thanks again, > > John > > > ________________________________________ 
> From: kerberos-bounces at mit.edu [kerberos-bounces at mit.edu] On Behalf Of Douglas E. Engert [deengert at anl.gov] > Sent: 02 October 2009 22:33 > To: Markus Moeller > Cc: kerberos at mit.edu > Subject: Re: msktutil requires seperate account for each service principal? > > Markus Moeller wrote: >> John, >> >> That is correct. msktutil updates the key of the computer account. So the >> second msktutil call with the same computer-name will make the first entry >> invalid. But you can have host and http assigned to the same AD account if >> you use other tools like net ads join with net ads keytab. > > You can also use the msktutil feature to have multiple entries in the same > keytab, for example principals for host and HTTP. They both have the same key > which may not be what you really want. > > To do this use multiple -s options when you create the keytab and > account. Note in AD they will each have an SPN, but a common UPN, in case > you want to use kinit with a keytab. > > IMHO I would use separate accounts for each principal. > >> Regards >> Markus >> >> "John Hefferman" wrote in message >> news:471AD4CD1F3AC846911E0C520A522E7204560F1C at cernxchg74.cern.ch... >>> Dear list, >>> >>> To my knowledge (and after some tests), msktutil requires a separate >>> account in active directory for each service principal needed for a >>> machine. >>> >>> For instance, if a Linux computer is going to need a host/ and a http/ >>> service principal it would be necessary to run msktutil twice, such as: >>> >>> msktutil -h fqdn --computer-name linux-computer --verbose -s host/fqdn -k >>> linuxComputer.keytab --server domainControllerFqdn >>> >>> msktutil -h fqdn --computer-name linux-computer-http --verbose -s >>> http/fqdn -k linuxComputerHttp.keytab --server domainControllerFqdn >>> >>> I just wanted to confirm this was the case, or whether it is possible to >>> have both host/ and http/ under the same account in AD. 
>>> >>> Thanks in advance for any help, >>> >>> John >>> >>> >>> >>> ________________________________________________ >>> Kerberos mailing list Kerberos at mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >>> >> >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> >> > > -- > > Douglas E. Engert > Argonne National Laboratory > 9700 South Cass Avenue > Argonne, Illinois 60439 > (630) 252-5444 > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From nigelbenns at rogers.com Tue Oct 6 10:08:46 2009 From: nigelbenns at rogers.com (Nigel Benns) Date: Tue, 6 Oct 2009 07:08:46 -0700 (PDT) Subject: Regd. Kerberos not authentication in IE In-Reply-To: Message-ID: <862610.88461.qm@web88002.mail.re2.yahoo.com> IE is not set up 100%, I think. You need to do more than check "Use windows integrated authentication". See this article under section "Configuring Microsoft Clients for Kerberos Authentication": http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm#i1101998 --- On Tue, 10/6/09, anandhi jay wrote: 
From: anandhi jay Subject: Regd. Kerberos not authentication in IE To: kerberos at mit.edu Received: Tuesday, October 6, 2009, 8:27 AM Hi, I have installed the kerberos5 in linux and configured squid for that. From IE6 I configured the squid proxy ipaddress and port. It asked for the username and password. I have given the kerberos principal as username and password for that. But I am getting 407 authentication required response only. Herewith I have given the packets also; I think it is trying for NTLM, but I want kerberos. I have enabled the Enable Internet windows Authentication in the Internet options. Kindly help me to work on the kerberos authentication using squid. GET http://www.whatismyip.com/ HTTP/1.0 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1) Proxy-Connection: Keep-Alive Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== Host: www.whatismyip.com HTTP/1.0 407 Proxy Authentication Required Server: squid/2.6.STABLE22 Date: Tue, 06 Oct 2009 11:24:09 GMT Content-Type: text/html Content-Length: 1311 Expires: Tue, 06 Oct 2009 11:24:09 GMT X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Proxy-Authenticate: Negotiate Proxy-Authenticate: Negotiate received X-Cache: MISS from EXAMPLE.COM Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) Proxy-Connection: close GET http://www.whatismyip.com/ HTTP/1.0 Accept: image/gif, image/jpeg, 
image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1) Proxy-Connection: Keep-Alive Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Host: www.whatismyip.com Proxy-Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== NTLMSSP HTTP/1.0 407 Proxy Authentication Required Server: squid/2.6.STABLE22 Date: Tue, 06 Oct 2009 11:24:10 GMT Content-Type: text/html Content-Length: 1311 Expires: Tue, 06 Oct 2009 11:24:10 GMT X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Proxy-Authenticate: Negotiate Proxy-Authenticate: Negotiate received X-Cache: MISS from EXAMPLE.COM Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) Proxy-Connection: close Regards, anu. ________________________________________________ Kerberos mailing list? ? ? ? ???Kerberos at mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos From tlyu at MIT.EDU Tue Oct 6 11:46:04 2009 
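The base64 value after "Negotiate" in the capture above is the whole diagnosis: it decodes to an NTLMSSP Type 1 (Negotiate) message with the version field of Windows 5.1 build 2600, which means IE never produced a Kerberos token for the proxy and Squid's negotiate_kerberos helper will keep answering 407. The script below is an added example, not code from Squid, MIT Kerberos or the poster: it decodes such a header value and reports which mechanism the client actually used (raw NTLM, bare Kerberos, or SPNEGO with the mechanisms it offers in order). The SPNEGO builder, its placeholder mechToken and the NTLM Type 1 builder are constructed test inputs; locating OIDs inside SPNEGO by substring search is a deliberate simplification rather than a full ASN.1 parse.

```python
"""Tell NTLM from Kerberos inside an HTTP Negotiate header.

Added example for the Squid/IE thread above; it is not code from Squid,
MIT Kerberos or the original poster.  Standard library only.
"""
import base64
import struct

# GSS-API mechanism OIDs, DER-encoded (tag 0x06, length, contents).
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "Negotiate", 2: "Challenge", 3: "Authenticate"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# The token from the capture in the thread (IE 8 on Windows XP); the run of
# 21 'A' characters is spelled out so it cannot be miscounted when copied.
PAGE_TOKEN = "TlRMTVNTUAABAAAAB4IIog" + "A" * 21 + "FASgKAAAADw=="


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der(tag, contents):
    """Encode one DER TLV; short and two-byte long forms cover what we build."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + contents


def parse_ntlm(raw):
    """Return (message type name, flags, (major, minor, build) or None)."""
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    version = None
    # A Type 1 message has 32 bytes of fixed fields; when NEGOTIATE_VERSION is
    # set an 8-byte Version structure follows (major, minor, build, rsvd, rev).
    if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        version = (major, minor, build)
    return NTLM_TYPES.get(msg_type, "unknown"), flags, version


def classify_negotiate_token(b64):
    """Describe the base64 token that follows 'Negotiate ' as a dict."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG):
        kind, flags, version = parse_ntlm(raw)
        return {"mech": "NTLM (raw)", "ntlm_type": kind, "flags": flags, "version": version}
    if not raw or raw[0] != 0x60:
        return {"mech": "unknown"}
    _, pos = _der_length(raw, 1)      # skip the InitialContextToken length
    if raw.startswith(OID_KRB5, pos) or raw.startswith(OID_MSKRB5, pos):
        return {"mech": "Kerberos (bare GSS-API)"}
    if raw.startswith(OID_SPNEGO, pos):
        # mechTypes lists what the client offers, preferred mechanism first.
        # Finding the OIDs by substring search is a deliberate shortcut.
        mechs = (("Kerberos", OID_KRB5), ("MS-Kerberos", OID_MSKRB5), ("NTLM", OID_NTLMSSP))
        hits = sorted((raw.find(oid, pos), name) for name, oid in mechs if raw.find(oid, pos) != -1)
        return {"mech": "SPNEGO", "offered": [name for _, name in hits]}
    return {"mech": "unknown GSS-API mechanism"}


def diagnose(header_value):
    """One-line verdict for a Proxy-Authorization / Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        return f"scheme {scheme}: not Negotiate at all"
    info = classify_negotiate_token(token)
    if info["mech"] == "NTLM (raw)":
        return "client fell back to NTLM: it never obtained a Kerberos ticket for the proxy"
    if info["mech"] == "SPNEGO":
        if not info["offered"]:
            return "SPNEGO with no recognised mechanism"
        if info["offered"][0] in ("Kerberos", "MS-Kerberos"):
            return "client sent Kerberos inside SPNEGO: " + ", ".join(info["offered"])
        return "SPNEGO but NTLM preferred: " + ", ".join(info["offered"])
    return "unrecognised token: " + info["mech"]


def build_ntlm_negotiate(flags=0xA2088207, version=(5, 1, 2600)):
    """Constructed NTLMSSP Type 1 with empty DomainName/Workstation fields."""
    fixed = NTLMSSP_SIG + struct.pack("<II", 1, flags) + struct.pack("<HHI", 0, 0, 0) * 2
    return fixed + struct.pack("<BBHBBBB", version[0], version[1], version[2], 0, 0, 0, 15)


def build_spnego_init(mech_oids, mech_token=b""):
    """Constructed SPNEGO NegTokenInit offering mech_oids, preferred first."""
    body = _der(0xA0, _der(0x30, b"".join(mech_oids)))     # mechTypes [0]
    if mech_token:
        body += _der(0xA2, _der(0x04, mech_token))         # mechToken [2]
    return _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, body)))


def to_header(raw):
    """Wrap a raw token the way a client puts it on the wire."""
    return "Negotiate " + base64.b64encode(raw).decode()


if __name__ == "__main__":
    print(diagnose("Negotiate " + PAGE_TOKEN))
    krb = build_spnego_init([OID_KRB5, OID_NTLMSSP], b"<AP-REQ bytes would go here>")
    print(diagnose(to_header(krb)))
```

Run it against the value from the capture and it reports the NTLM fallback; against a SPNEGO token whose mechTypes lead with the Kerberos OID it reports Kerberos. When the verdict is NTLM, the keytab on the Squid side is not the first thing to check: the browser decided before talking to the proxy, so the proxy's SPN (HTTP/fqdn) and whether the client could obtain a ticket for it are.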
From: tlyu at MIT.EDU (Tom Yu) Date: Tue, 06 Oct 2009 11:46:04 -0400 Subject: FW: Windows 7 Kerb bug In-Reply-To: <4AC9BAFE.3050405@secure-endpoints.com> (Jeffrey Altman's message of "Mon, 5 Oct 2009 05:23:10 -0400") References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> <4AC9BAFE.3050405@secure-endpoints.com> Message-ID: Jeffrey Altman writes: > The problem is not an OpenAFS issue. The problem is a bug in netbios > name resolution in Windows 7. Concerned organizations should report > the issue to Microsoft in order to ensure that it will be fixed. > > Jeffrey Altman Based on the rather lengthy series of forwarded messages, it was not clear that the underlying issue was a NetBIOS name resolution bug. I would have found it helpful to have a summary of which bug to report, and what information was most important. > > > Tom Yu wrote: >> Alexander Kozlov writes: >> >>> Hi, >>> >>> We run Windows 7 release project and got this report about Kerberos client issue with Windows 7. Are there any plans to update the client or windows client has been discontinued? Can you provide us with an update on any plans on a new client? >>> >>> Thanks, >>> >>> Alex >> >> We have a kfw-3.2.3 release in alpha testing. It should work on >> Windows 7 and amd64 Windows. >> >> http://web.mit.edu/kerberos/dist/testing.html >> >> The problem described below appears to be an OpenAFS issue, not a KfW >> issue, though. >> >>> _________________ >>> Important: MIT IT staff will *NEVER* ask you for your password, nor will MIT send you email requesting your password information. Please continue to ignore any email messages that claim to require you to provide such information. >>> >>> Alexander Kozlov >>> Windows Platform Coordinator >>> Software Release Team >>> Information Services and Technology >>> N42- 250C >>> (617) 253-5103 >>> >>> >>> -----Original Message----- 
>>> From: Patrick M McNeal [mailto:mcneal at MIT.EDU]
>>> Sent: Friday, September 25, 2009 10:39 AM
>>> To: akozlov at mit.edu
>>> Subject: Fwd:Windows 7 Kerb bug
>>>
>>> FYI
>>>
>>> Begin forwarded message:
>>>
>>>> From: Arthur P Prokosch
>>>> Date: September 25, 2009 10:22:39 AM EDT
>>>> To: "mcneal at mit.edu"
>>>> Subject: MacOS 10.6 licenses? and, Windows 7 Kerb bug
>>>>
>>>> Also, I wanted to pass on a report that we had of Kerberos for Windows
>>>> hogging CPU and refusing to quit under Windows 7. Can you direct it to
>>>> the right place (MIT's "manager of the Microsoft PSS account" was
>>>> suggested), or is there somewhere else I should email this report to?
>>>>
>>>> Ridiculous amounts of detail follow.
>>>> Thanks,
>>>> -arthur.
>>>>
>>>> Subject: Bug in Windows 7 RTM causing netidmgr to max out CPU and
>>>> can't be killed
>>>> Date: Thu, 20 Aug 2009 10:19:53 -0400
>>>> To: help at csail.mit.edu
>>>> From: Johnny Russ
>>>>
>>>> I am running Windows 7 on my machine at home. I know that it isn't
>>>> supported by you guys obviously. However, I was having a problem with
>>>> network identity manager becoming unresponsive sometimes, so I contacted
>>>> the kerberos mailing list and Jeffrey Altman helped me track down a bug.
>>>> Our conversation is detailed below. He came to the conclusion that this is
>>>> a Windows 7 bug and said that the best way to file it is through the
>>>> individual that manages the Microsoft PSS at MIT. I couldn't figure out
>>>> who this was. So I thought I would pass this along to TIG in hopes that
>>>> the info can get to the right person. Also I thought you might want to
>>>> know so that maybe some problems can be avoided when Windows 7 gets more
>>>> popular in a few months.
>>>>
>>>> Forwarded conversation
>>>> Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
>>>> ------------------------
>>>>
>>>> From: *Johnny Russ*
>>>> Date: Sat, Aug 15, 2009 at 3:40 PM
>>>> To: kerberos at mit.edu
>>>>
>>>> I have a desktop PC running Windows 7 32-bit and a laptop running
>>>> Windows 7 64-bit. I use kerberos and network identity manager to
>>>> access my AFS files. Everything seems to work fine. Except that
>>>> randomly (every few days or so) I will notice my CPU is maxed out.
>>>> When I check the task manager netidmgr.exe and explorer.exe will be
>>>> the 2 processes that are maxing out the CPU. This usually happens when
>>>> I am not even directly using netidmgr or AFS. I cannot kill them from
>>>> task manager, with taskkill, or with pskill from sysinternals. I have
>>>> to reboot to stop them from maxing out the CPU.
>>>>
>>>> I realize that Windows 7 is not officially supported or even
>>>> officially released yet, but it will be soon. Network Identity
>>>> Manager, Kerberos, and AFS all seem to work fine without any issues. I
>>>> was just curious if anybody else is running Windows 7 and seeing this
>>>> issue. How can I confirm that this is actually a bug when running
>>>> under Windows 7? Or even better any ideas how to avoid it would be
>>>> appreciated.
>>>>
>>>> ---------
>>>>
>>>> From: *Johnny Russ*
>>>> Date: Tue, Aug 18, 2009 at 7:35 PM
>>>> To: netidmgr at secure-endpoints.com
>>>>
>>>> Here is a process monitor log file. I have filtered out everything but
>>>> explorer.exe, netidmgr.exe and afsd_service.exe. I had to truncate the
>>>> log file because it was too big. After what I have in the log file
>>>> explorer.exe continuously puts out the "CreateFile" operations with
>>>> the "NAME NOT FOUND" result. I don't see any more events from
>>>> netidmgr or afsd_service. Let me know if there is something else I can
>>>> provide.
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* >>>> Date: Tue, Aug 18, 2009 at 8:22 PM >>>> To: jruss at mit.edu, netidmgr at secure-endpoints.com >>>> >>>> >>>> afsd_service.exe is writing frequently to the Windows Application >>>> Event >>>> Log. What events are being logged? >>>> >>>> ---------- >>>> From: *Jeffrey Altman* >>>> Date: Tue, Aug 18, 2009 at 8:25 PM >>>> To: jruss at mit.edu, netidmgr at secure-endpoints.com >>>> >>>> >>>> I do not see a lot of activity from netidmgr.exe but I do see a ton >>>> from >>>> explorer.exe. Explorer.exe is attempting to open >>>> C:\Windows\CSC\v2.0.6\namespace\afs which might imply that \\AFS was >>>> marked for use as an offline folder. Can you check that? >>>> >>>> ---------- >>>> From: *Johnny Russ* >>>> Date: Wed, Aug 19, 2009 at 9:26 AM >>>> To: netidmgr at secure-endpoints.com >>>> >>>> >>>> I have attached an event file for the events that AFS was triggering >>>> at the time I created the process monitor log. It is a "Warning" and >>>> it says, "Unable to Send SMB Packet: NRC_SABORT session ended >>>> abnormally." >>>> >>>> ---------- >>>> From: *Jeffrey Altman* >>>> Date: Wed, Aug 19, 2009 at 9:32 AM >>>> To: jruss at mit.edu >>>> >>>> >>>> what is the output of "nbtstat -n" and "nbtstat -S" at the time of the >>>> error? >>>> >>>> Please also send the afsd_init.log at the time of the error. >>>> >>>> ---------- 
>>>> From: *Johnny Russ*
>>>> Date: Wed, Aug 19, 2009 at 9:34 AM
>>>> To: netidmgr at secure-endpoints.com
>>>>
>>>> On Tue, Aug 18, 2009 at 8:25 PM, Jeffrey
>>>> I am not able to access that folder. I can get to C:\Windows\CSC but
>>>> when I try to enter v2.0.6 it says that I don't have authorization,
>>>> even with administrative privileges. If I go into the security
>>>> settings it says I am not authorized to see that either. It says that
>>>> it is unable to show me who the owner is. I could try taking ownership
>>>> but I didn't want to do that, because I don't really know what the
>>>> function of that folder is.
>>>>
>>>> I looked at the standard offline folders dialogue, and I don't see any
>>>> reference to AFS in my current offline folders. There is an entry for
>>>> "jruss" which may refer to my local home directory or to the one I
>>>> have mapped via AFS; I couldn't find any way to tell. But it is empty.
>>>>
>>>> ----------
>>>> From: *Johnny Russ*
>>>> Date: Wed, Aug 19, 2009 at 9:38 AM
>>>> To: jaltman at secure-endpoints.com
>>>>
>>>> I will have to wait to recreate the problem before I can check these.
>>>> Here are the entries from afsd_init.log just prior to when I took the
>>>> log from process monitor:
>>>>
>>>> 8/18/2009 6:40:57 PM: smb_LanAdapterChange
>>>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_BRIDGE, retrying ...
>>>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_NOWILD, retrying ...
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* >>>> Date: Wed, Aug 19, 2009 at 9:45 AM >>>> To: jruss at mit.edu >>>> >>>> >>>> the netbios name mapping for the "AFS" name has been lost. Attempts to >>>> contact \\AFS will fail. My guess is that the SMB redirector is >>>> forcing >>>> offline mode and this is causing pioctl requests to fail in a weird >>>> way. >>>> >>>> This may be a change in behavior / bug in the Microsoft SMB >>>> redirector. >>>> >>>> The next time the problem occurs I want you to add the following value >>>> to the registry >>>> >>>> HKLM\SOFTWARE\OpenAFS\Client DWORD "IoctlDebug" 0x01 >>>> >>>> and then from a command prompt execute "tokens" and then send me the >>>> output. >>>> >>>> >>>> ---------- 
>>>> From: *Johnny Russ*
>>>> Date: Thu, Aug 20, 2009 at 9:09 AM
>>>> To: jaltman at secure-endpoints.com
>>>>
>>>> Sorry everything behaved fine all day yesterday. This morning things
>>>> are off again but it is only explorer.exe that is eating CPU cycles. I
>>>> can get kerberos tickets but no AFS tokens in Network Identity
>>>> Manager. I checked the afsd_init.log and it had that same error at the
>>>> very bottom. I checked and the AFS service is running. Here are the
>>>> outputs from the terminal that you requested:
>>>>
>>>> C:\Users\jruss>nbtstat -n
>>>>
>>>> AFS:
>>>> Node IpAddress: [10.254.254.253] Scope Id: []
>>>>
>>>>                 NetBIOS Local Name Table
>>>>
>>>>        Name               Type         Status
>>>>     ---------------------------------------------
>>>>     OPTIMUS        <00>  UNIQUE      Registered
>>>>     RUSSHOME       <00>  GROUP       Registered
>>>>     RUSSHOME       <1E>  GROUP       Registered
>>>>     RUSSHOME       <1D>  UNIQUE      Registered
>>>>     ..__MSBROWSE__.<01>  GROUP       Registered
>>>>     AFS            <20>  UNIQUE      Registered
>>>>
>>>> C:\Users\jruss>nbtstat -S
>>>>
>>>> AFS:
>>>> Node IpAddress: [10.254.254.253] Scope Id: []
>>>>
>>>>                 NetBIOS Connection Table
>>>>
>>>>   Local Name      State     In/Out   Remote Host   Input   Output
>>>>   ----------------------------------------------------------------------------
>>>>   AFS             Listening
>>>>
>>>> C:\Users\jruss>tokens
>>>>
>>>> Tokens held by the Cache Manager:
>>>>
>>>> pioctl CreateFile(\\afs\all\_._AFS_IOCTL_._) failed: 0x40
>>>> [The specified network name is no longer available.
>>>> ]
>>>> pioctl SamCompatible logon user: [Optimus\jruss]
>>>> pioctl WNetAddConnection2(\\afs,Optimus\jruss) failed: 0x40
>>>> pioctl WNetAddConnection2(\\afs\all,Optimus\jruss) failed: 0x40
>>>> AFS device may not have started
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* >>>> Date: Thu, Aug 20, 2009 at 9:32 AM >>>> To: jruss at mit.edu >>>> >>>> >>>> This is a bug in Windows 7. Please file a bug report with Microsoft. >>>> Notice that "AFS" is a registered Netbios name on the adapter with >>>> address >>>> 10.254.254.253 and yet attempts to access \\afs\all\ fail with >>>> Jeffrey Altman >>>> >>>> ---------- >>>> From: *Johnny Russ* >>>> Date: Thu, Aug 20, 2009 at 9:43 AM >>>> To: jaltman at secure-endpoints.com >>>> >>>> >>>> Thanks for helping me track this down. Would it be worthwhile posting >>>> this with OpenAFS? What is the best way to file a bug with Microsoft? >>>> >>>> ---------- >>>> From: *Jeffrey Altman* >>>> Date: Thu, Aug 20, 2009 at 9:51 AM >>>> To: jruss at mit.edu >>>> >>>> >>>> There is nothing that I can do as OpenAFS Gatekeeper on this issue >>>> until >>>> a bug is filed with Microsoft. >>>> The best way for it to be filed would be for the manager of the >>>> Microsoft PSS account at MIT to do so. >>>> Otherwise, you can file it as an individual. >>>> >>>> Jeffrey Altman >>> >>> --Patrick >>> >>> >>> ________________________________________________ >>> Kerberos mailing list Kerberos at mit.edu >>> https://mailman.mit.edu/mailman/listinfo/kerberos >> ________________________________________________ >> Kerberos mailing list Kerberos at mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos From jaltman at secure-endpoints.com Tue Oct 6 12:48:09 2009 
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Tue, 06 Oct 2009 12:48:09 -0400
Subject: FW: Windows 7 Kerb bug
In-Reply-To:
References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> <4AC9BAFE.3050405@secure-endpoints.com>
Message-ID: <4ACB74C9.2090908@secure-endpoints.com>

Tom Yu wrote:
> Jeffrey Altman writes:
>
>> The problem is not an OpenAFS issue. The problem is a bug in netbios
>> name resolution in Windows 7. Concerned organizations should report
>> the issue to Microsoft in order to ensure that it will be fixed.
>>
>> Jeffrey Altman
>
> Based on the rather lengthy series of forwarded messages, it was not
> clear that the underlying issue was a NetBIOS name resolution bug. I
> would have found it helpful to have a summary of which bug to report,
> and what information was most important.

Microsoft has reacted quite poorly in the past to cookie cutter bug
reports being received from multiple sites. What they want are sites to
experience the issue themselves and file their own bug report.

* Install Windows 7.
* Install OpenAFS and KFW
* Boot the machine without network
* Login to the machine
* Obtain a network address
* Determine that it is impossible to enumerate \\AFS
* Call PSS and File a bug report

If you have network when the machine boots, all is fine. The problem
only occurs when the machine obtains a network address after logon.

Jeffrey Altman

From redelson at MIT.EDU Tue Oct 6 01:13:54 2009
From: redelson at MIT.EDU (Richard Edelson)
Date: Tue, 6 Oct 2009 01:13:54 -0400
Subject: Fwd:Windows 7 Kerb bug
In-Reply-To: <4AC9BBB0.1090004@secure-endpoints.com>
References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> <8DD7AD829AB61E499A433D6E558110A30843813D@EXPO7.exchange.mit.edu> <4AC9BBB0.1090004@secure-endpoints.com>
Message-ID: <8DD7AD829AB61E499A433D6E558110A308438349@EXPO7.exchange.mit.edu>

I actually wanted to get rid of 2.6.5 this summer but I'm still holding off because of issues people are having with NIM. I heard NIM is going away..... do you have info on upcoming release schedules?

Richard

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com]
Sent: Monday, October 05, 2009 5:26 AM
To: redelson at mit.edu
Cc: akozlov at mit.edu; kerberos at mit.edu; windows7-release at mit.edu
Subject: Re: Fwd:Windows 7 Kerb bug

Richard Edelson wrote:
> I have a separate installer the pismere build machine made of 2.6.5 which works fine, it's on DFS:
> \\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi

While you may believe that kfw 2.6.5 works fine on Vista and Win7, it really doesn't. Microsoft Crash Reporting receives more than 6000 crash reports a month from 2.6.5 leash32.exe, gssapi32.dll and krb5_32.dll.

From Meraj.Mohammad at atosorigin.com Wed Oct 7 09:00:27 2009
From: Meraj.Mohammad at atosorigin.com (Mohammad, Meraj)
Date: Wed, 7 Oct 2009 18:30:27 +0530
Subject: Assertion failed for krb5kdc
Message-ID:

Hi,

When I tried to execute the command below on the Sun Solaris operating system (version 9), why am I getting an assertion failure error?

/usr/local/sbin/krb5kdc
Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63

But the /usr/local/sbin/kadmind command is working fine for me. Please help with the same.

Regards
Meraj Alam
Meraj.mohammad at atosorigin.com

From mark at mproehl.net Wed Oct 7 10:04:53 2009
From: mark at mproehl.net (Mark Pröhl)
Date: Wed, 07 Oct 2009 16:04:53 +0200
Subject: kinit-1.7: wrong passwords lock active directory accounts
Message-ID: <4ACCA005.9050605@mproehl.net>

Hi,

I noticed a problem with kinit from krb-1.7. In case of a wrong password, kinit tries up to 8 times to get initial credentials. This happens if the KDC is an active directory controller:

# kinit user
Password for user at MYDOMAIN.EXAMPLE:
kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

Wireshark shows the following sequence:

AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED

This leads to a problem if account lockout policies are enabled. Users get locked out after entering just one wrong password:

# kinit user
Password for user at MYDOMAIN.EXAMPLE:
kinit: Clients credentials have been revoked while getting initial credentials
#

AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status: NTATUS_ACCOUNT_LOCKED_OUT

My active directory is a win2k3-r2.

My /etc/krb5.conf looks like this:

[libdefaults]
        default_realm = MYDOMAIN.EXAMPLE
[realms]
        MYDOMAIN.EXAMPLE = {
                kdc = 10.10.10.26
        }

Is there an option to prevent kinit from looping?

Regards,

Mark Pröhl

From tlyu at MIT.EDU Wed Oct 7 11:39:32 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Wed, 07 Oct 2009 11:39:32 -0400
Subject: Assertion failed for krb5kdc
In-Reply-To: (Meraj Mohammad's message of "Wed, 7 Oct 2009 09:00:27 -0400")
References:
Message-ID:

"Mohammad, Meraj" writes:

> Hi,
>
> When I tried to execute the command below on the Sun Solaris operating
> system (version 9), why am I getting an assertion failure error?
>
> /usr/local/sbin/krb5kdc
>
> Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63
>
> But the /usr/local/sbin/kadmind command is working fine for me.

What release of krb5? Does it always have an assertion failure, or only sometimes? Are you able to get a stack trace?

From ghudson at MIT.EDU Wed Oct 7 12:45:44 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Wed, 07 Oct 2009 12:45:44 -0400
Subject: kinit-1.7: wrong passwords lock active directory accounts
In-Reply-To: <4ACCA005.9050605@mproehl.net>
References: <4ACCA005.9050605@mproehl.net>
Message-ID: <1254933944.9616.109.camel@ray>

On Wed, 2009-10-07 at 10:04 -0400, Mark Pröhl wrote:
> # kinit user
> Password for user at MYDOMAIN.EXAMPLE:
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials

That's definitely not supposed to happen. Against an MIT KDC, I see only one try, followed by:

kinit: Password incorrect while getting initial credentials

However, we do have at least one other report of looping with krb5 1.7's kinit:

http://mailman.mit.edu/pipermail/kerberos/2009-September/015265.html

so there is probably an interoperability issue against AD. I will see if I can replicate the issue; if I can't, a detailed packet trace from you might be sufficient.

From mark at mproehl.net Wed Oct 7 15:03:05 2009
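The two Wireshark listings in the report and the single "Password incorrect" that Greg sees against an MIT KDC differ only in what the client does after KRB5KDC_ERR_PREAUTH_FAILED. The following is an added model (not MIT krb5 or Active Directory code) that makes that difference and its cost concrete: a mock KDC that answers PREAUTH_REQUIRED to an AS-REQ without pre-authentication, counts every wrong encrypted timestamp as a failed logon and answers CLIENT_REVOKED once a hypothetical lockout threshold is reached, and a reduced krb5_get_in_tkt loop in both the 1.7 form (reset and restart after PREAUTH_FAILED) and the fixed form (return the error). The lockout threshold of 3 and the loop bound of 16 are read off the two traces above; the password strings are constructed.

```python
"""Model of the AS exchange behind the 'Looping detected' report above.

Added illustration, not MIT krb5 or Active Directory code.  The KDC and
the client loop are reduced to what the two Wireshark listings show.
"""

# KRB-ERROR codes (RFC 4120), named as Wireshark prints them.
KDC_ERR_CLIENT_REVOKED = 18
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
ERROR_NAMES = {
    KDC_ERR_CLIENT_REVOKED: "KRB5KDC_ERR_CLIENT_REVOKED",
    KDC_ERR_PREAUTH_FAILED: "KRB5KDC_ERR_PREAUTH_FAILED",
    KDC_ERR_PREAUTH_REQUIRED: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}
# The first listing shows 16 AS-REQs before "Looping detected", so the
# client's loop bound is modelled as 16 (an assumption taken from the trace).
MAX_IN_TKT_LOOPS = 16


class MockADKdc:
    """KDC with an account-lockout counter; a constructed stand-in for AD."""

    def __init__(self, password, lockout_threshold=None):
        self.password = password            # stands in for the account key
        self.lockout_threshold = lockout_threshold
        self.bad_pw_count = 0               # AD's badPwdCount
        self.locked = False

    def as_req(self, enc_timestamp):
        """Answer one AS-REQ; enc_timestamp is None when no padata is sent."""
        if self.locked:
            return KDC_ERR_CLIENT_REVOKED
        if enc_timestamp is None:
            return KDC_ERR_PREAUTH_REQUIRED
        if enc_timestamp == self.password:  # timestamp decrypted and verified
            self.bad_pw_count = 0
            return "AS-REP"
        # Every wrong timestamp is a failed logon as far as lockout is concerned.
        self.bad_pw_count += 1
        if self.lockout_threshold and self.bad_pw_count >= self.lockout_threshold:
            self.locked = True
        return KDC_ERR_PREAUTH_FAILED


def get_in_tkt(kdc, password, retry_after_preauth_failed):
    """Reduced krb5_get_in_tkt.  With retry_after_preauth_failed=True the
    preauth state is reset and the exchange restarted after PREAUTH_FAILED,
    which is the 1.7 behaviour in the report; with False the error goes
    back to the caller, which is what the patch later in the thread does."""
    trace = []
    enc_timestamp = None
    for _ in range(MAX_IN_TKT_LOOPS):
        reply = kdc.as_req(enc_timestamp)
        if reply == "AS-REP":
            trace.append("AS-REP")
            return "ok", trace
        trace.append(ERROR_NAMES[reply])
        if reply == KDC_ERR_PREAUTH_REQUIRED:
            enc_timestamp = password        # build PA-ENC-TIMESTAMP and resend
        elif reply == KDC_ERR_PREAUTH_FAILED and retry_after_preauth_failed:
            enc_timestamp = None            # start over: the looping bug
        elif reply == KDC_ERR_PREAUTH_FAILED:
            return "Password incorrect", trace
        else:
            return "Clients credentials have been revoked", trace
    return "Looping detected inside krb5_get_in_tkt", trace


def cost_of_one_typo(lockout_threshold, buggy_client):
    """Failed logons AD records, lockout state and kinit's message after a
    single mistyped password against a client with the given behaviour."""
    kdc = MockADKdc("correct-password", lockout_threshold)
    outcome, _ = get_in_tkt(kdc, "typo", retry_after_preauth_failed=buggy_client)
    return kdc.bad_pw_count, kdc.locked, outcome


if __name__ == "__main__":
    for threshold, buggy in ((3, True), (3, False), (None, True)):
        print(threshold, "buggy" if buggy else "fixed", cost_of_one_typo(threshold, buggy))
```

With a threshold of 3 and the buggy client the trace reproduces the second listing exactly (three REQUIRED/FAILED pairs, then CLIENT_REVOKED); with the fixed client the same typo costs one failed logon and ends with "Password incorrect". cost_of_one_typo() is the number to compare against a domain's lockout threshold when deciding how urgently to replace 1.7 clients.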
From: mark at mproehl.net (Mark Pröhl)
Date: Wed, 07 Oct 2009 21:03:05 +0200
Subject: kinit-1.7: wrong passwords lock active directory accounts
In-Reply-To: <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu>
References: <4ACCA005.9050605@mproehl.net> <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu>
Message-ID: <4ACCE5E9.501@mproehl.net>

I just built trunk and did the same test again.
The problem doesn't occur with kinit from trunk.

Regards,

Mark

Luke Howard wrote:
> Mark,
>
> Are you able to test whether this still occurs with trunk?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>
> Hi,
>
> I noticed a problem with kinit from krb-1.7. In case of a wrong
> password, kinit tries up to 8 times to get initial credentials.
> This happens if the KDC is an active directory controller:
>
> # kinit user
> Password for user at MYDOMAIN.EXAMPLE:
> kinit: Looping detected inside krb5_get_in_tkt while getting initial
> credentials
>
> Wireshark shows the following sequence:
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>
> This leads to a problem if account lockout policies are enabled.
> Users get locked out after entering just one wrong password:
>
> # kinit user
> Password for user at MYDOMAIN.EXAMPLE:
> kinit: Clients credentials have been revoked while getting initial
> credentials
> #
>
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
> NTATUS_ACCOUNT_LOCKED_OUT
>
> My active directory is a win2k3-r2.
>
> My /etc/krb5.conf looks like this:
>
> [libdefaults]
>         default_realm = MYDOMAIN.EXAMPLE
> [realms]
>         MYDOMAIN.EXAMPLE = {
>                 kdc = 10.10.10.26
>         }
>
> Is there an option to prevent kinit from looping?
>
> Regards,
>
> Mark Pröhl

From ghudson at MIT.EDU Wed Oct 7 15:05:50 2009
From: ghudson at MIT.EDU (Greg Hudson) Date: Wed, 07 Oct 2009 15:05:50 -0400 Subject: kinit-1.7: wrong passwords lock active directory accounts In-Reply-To: <4ACCA005.9050605@mproehl.net> References: <4ACCA005.9050605@mproehl.net> Message-ID: <1254942350.9616.116.camel@ray> An update: this turns out to be a known bug in krb5 1.7, which simply hadn't percolated into my conscience from the bug data. I can't offer you a runtime workaround (there aren't a lot of configuration knobs affecting client preauth), but I expect to fix it for a forthcoming 1.7.x release. I can offer you a code workaround if you're in a position to recompile the client code. From mark at mproehl.net Wed Oct 7 15:10:15 2009 
From: mark at mproehl.net (Mark Pröhl)
Date: Wed, 07 Oct 2009 21:10:15 +0200
Subject: kinit-1.7: wrong passwords lock active directory accounts
In-Reply-To: <505D4864-97B8-449D-ABF0-5CD324A0193E@mit.edu>
References: <4ACCA005.9050605@mproehl.net> <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu> <4ACCE5E9.501@mproehl.net> <505D4864-97B8-449D-ABF0-5CD324A0193E@mit.edu>
Message-ID: <4ACCE797.5060705@mproehl.net>

Hi Luke,

The problem doesn't occur in 1.6 (tested with the debian lenny package).

Regards,

Mark

Luke Howard wrote:
> Hi Mark,
>
> Yes, I think this was a bug in the referral handling code that I fixed
> whilst implementing something else (S4U).
>
> Do you know if it occurred with 1.6 or was a regression with 1.7?
>
> regards,
>
> -- Luke
>
> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote:
>
> I just built trunk and did the same test again.
> The problem doesn't occur with kinit from trunk.
>
> Regards,
>
> Mark
>
> Luke Howard wrote:
>> Mark,
>>
>> Are you able to test whether this still occurs with trunk?
>>
>> regards,
>>
>> -- Luke
>>
>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote:
>>
>> Hi,
>>
>> I noticed a problem with kinit from krb-1.7. In case of a wrong
>> password, kinit tries up to 8 times to get initial credentials.
>> This happens if the KDC is an active directory controller:
>>
>> # kinit user
>> Password for user at MYDOMAIN.EXAMPLE:
>> kinit: Looping detected inside krb5_get_in_tkt while getting initial
>> credentials
>>
>> Wireshark shows the following sequence:
>>
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>>
>> This leads to a problem if account lockout policies are enabled.
>> Users get locked out after entering just one wrong password:
>>
>> # kinit user
>> Password for user at MYDOMAIN.EXAMPLE:
>> kinit: Clients credentials have been revoked while getting initial
>> credentials
>> #
>>
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status:
>> NTATUS_ACCOUNT_LOCKED_OUT
>>
>> My active directory is a win2k3-r2.
>>
>> My /etc/krb5.conf looks like this:
>>
>> [libdefaults]
>>         default_realm = MYDOMAIN.EXAMPLE
>> [realms]
>>         MYDOMAIN.EXAMPLE = {
>>                 kdc = 10.10.10.26
>>         }
>>
>> Is there an option to prevent kinit from looping?
>>
>> Regards,
>>
>> Mark Pröhl

From mark at mproehl.net Wed Oct 7 15:17:26 2009
From: mark at mproehl.net (Mark Pröhl)
Date: Wed, 07 Oct 2009 21:17:26 +0200
Subject: kinit-1.7: wrong passwords lock active directory accounts
In-Reply-To: <1254942350.9616.116.camel@ray>
References: <4ACCA005.9050605@mproehl.net> <1254942350.9616.116.camel@ray>
Message-ID: <4ACCE946.1030808@mproehl.net>

Hi,

I would appreciate having a workaround until 1.7.x is released.

Thanks,

Mark

Greg Hudson wrote:
> An update: this turns out to be a known bug in krb5 1.7, which simply
> hadn't percolated into my conscience from the bug data.
>
> I can't offer you a runtime workaround (there aren't a lot of
> configuration knobs affecting client preauth), but I expect to fix it
> for a forthcoming 1.7.x release. I can offer you a code workaround if
> you're in a position to recompile the client code.

From ghudson at MIT.EDU Wed Oct 7 15:33:43 2009
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 7 Oct 2009 15:33:43 -0400 (EDT) Subject: kinit-1.7: wrong passwords lock active directory accounts In-Reply-To: <4ACCE946.1030808@mproehl.net> Message-ID: <200910071933.n97JXhcp001209@outgoing.mit.edu> The following patch is not the eventual fix, but should effectively prevent looping. Basically, it will cause kinit to stop after a KDC_ERR_PREAUTH_FAILED error, instead of attempting to try other preauth mechanisms. Index: get_in_tkt.c =================================================================== --- get_in_tkt.c (revision 22396) +++ get_in_tkt.c (working copy) @@ -1331,8 +1331,7 @@ &out_padata, &retry); if (ret !=0) goto cleanup; - if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED) -&& retry) { + if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) { /* reset the list of preauth types to try */ if (preauth_to_use) { krb5_free_pa_data(context, preauth_to_use); From lhoward at MIT.EDU Wed Oct 7 12:37:39 2009 
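Review bot: The security-relevant effect of removing KDC_ERR_PREAUTH_FAILED from the condition in this hunk is that the client no longer re-sends an encrypted-timestamp AS-REQ under the same wrong password, and since AD counts each of those as a failed logon (the second trace in the report reaches the lockout after three), this one-line change is what keeps a single typo from hitting the lockout threshold. Two things are worth confirming before relying on it: the hunk ends inside the `if`, so check that the path taken for PREAUTH_FAILED now returns the KDC error to the caller (giving the "Password incorrect" message Greg sees against an MIT KDC) rather than falling into another iteration of the loop; and the same condition previously allowed a fallback to a different preauth mechanism after the first one failed, so the commit message should state that this stopgap disables that fallback as well.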
From: lhoward at MIT.EDU (Luke Howard) Date: Wed, 7 Oct 2009 18:37:39 +0200 Subject: kinit-1.7: wrong passwords lock active directory accounts In-Reply-To: <4ACCA005.9050605@mproehl.net> References: <4ACCA005.9050605@mproehl.net> Message-ID: <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu> Mark, Are you able to test whether this still occurs with trunk? regards, -- Luke On 07/10/2009, at 4:04 PM, Mark Pr?hl wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I noticed a problem with kinit form krb-1.7. In case of a wrong > password, kinit tries up to 8 times to get initial credentials. > This happens if the KDC is an active directory controller: > > # kinit user > Password for user at MYDOMAIN.EXAMPLE: > kinit: Looping detected inside krb5_get_in_tkt while getting initial > credentials > > Wireshark shows the following sequence: > > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > > This leads to a problem if account lookout policies are enabled. 
> Users get locked out after entering just one wrong password: > > # kinit user > Password for user at MYDOMAIN.EXAMPLE: > kinit: Clients credentials have been revoked while getting initial > credentials > # > > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED > AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED > AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status: > NTATUS_ACCOUNT_LOCKED_OUT > > > My active directory is a win2k3-r2. > > My /etc/krb5.conf looks like this: > > [libdefaults] > default_realm = MYDOMAIN.EXAMPLE > [realms] > MYDOMAIN.EXAMPLE = { > kdc = 10.10.10.26 > } > > > Is there an option to prevent kinit from looping? > > Regards, > > Mark Pröhl > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > From lhoward at MIT.EDU Wed Oct 7 15:05:50 2009 
From: lhoward at MIT.EDU (Luke Howard) Date: Wed, 7 Oct 2009 21:05:50 +0200 Subject: kinit-1.7: wrong passwords lock active directory accounts In-Reply-To: <4ACCE5E9.501@mproehl.net> References: <4ACCA005.9050605@mproehl.net> <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu> <4ACCE5E9.501@mproehl.net> Message-ID: <505D4864-97B8-449D-ABF0-5CD324A0193E@mit.edu> Hi Mark, Yes, I think this was a bug in the referral handling code that I fixed whilst implementing something else (S4U). Do you know if it occurred with 1.6 or was a regression with 1.7? regards, -- Luke On 07/10/2009, at 9:03 PM, Mark Pröhl wrote: > I just built trunk and did the same test again. > The problem doesn't occur with kinit from trunk > > Regards, > > Mark > > Luke Howard wrote: >> Mark, >> >> Are you able to test whether this still occurs with trunk? >> >> regards, >> >> -- Luke >> >> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote: >> >> Hi, >> >> I noticed a problem with kinit from krb-1.7. In case of a wrong >> password, kinit tries up to 8 times to get initial credentials. 
>> This happens if the KDC is an active directory controller: >> >> # kinit user >> Password for user at MYDOMAIN.EXAMPLE: >> kinit: Looping detected inside krb5_get_in_tkt while getting initial >> credentials >> >> Wireshark shows the following sequence: >> >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> >> This leads to a problem if account lockout policies are enabled. >> Users get locked out after entering just one wrong password: >> >> # kinit user >> Password for user at MYDOMAIN.EXAMPLE: >> kinit: Clients credentials have been revoked while getting initial >> credentials >> # >> >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status: >> NTATUS_ACCOUNT_LOCKED_OUT >> >> >> My active directory is a win2k3-r2. 
>> >> My /etc/krb5.conf looks like this: >> >> [libdefaults] >> default_realm = MYDOMAIN.EXAMPLE >> [realms] >> MYDOMAIN.EXAMPLE = { >> kdc = 10.10.10.26 >> } >> >> >> Is there an option to prevent kinit from looping? >> >> Regards, >> >> Mark Pröhl >> From lhoward at MIT.EDU Wed Oct 7 15:40:13 2009 
From: lhoward at MIT.EDU (Luke Howard) Date: Wed, 7 Oct 2009 21:40:13 +0200 Subject: kinit-1.7: wrong passwords lock active directory accounts In-Reply-To: <4ACCE797.5060705@mproehl.net> References: <4ACCA005.9050605@mproehl.net> <7659A1B9-C1C2-4037-9D9A-9BF5A55F1767@mit.edu> <4ACCE5E9.501@mproehl.net> <505D4864-97B8-449D-ABF0-5CD324A0193E@mit.edu> <4ACCE797.5060705@mproehl.net> Message-ID: <141F66BD-CB0A-4416-8504-0541C9930231@MIT.EDU> OK, it appears this bug was in 1.7 but the fix in trunk that I committed was wrong. But, it will be fixed (somehow) for 1.8. -- Luke On 07/10/2009, at 9:10 PM, Mark Pröhl wrote: > Hi Luke, > > The problem doesn't occur in 1.6 (tested with debian lenny package). > > Regards, > > Mark > Luke Howard wrote: >> Hi Mark, >> >> Yes, I think this was a bug in the referral handling code that I >> fixed >> whilst implementing something else (S4U). >> >> Do you know if it occurred with 1.6 or was a regression with 1.7? >> >> regards, >> >> -- Luke >> >> On 07/10/2009, at 9:03 PM, Mark Pröhl wrote: >> >> I just built trunk and did the same test again. >> The problem doesn't occur with kinit from trunk >> >> Regards, >> >> Mark >> >> Luke Howard wrote: >>>>> Mark, >>>>> >>>>> Are you able to test whether this still occurs with trunk? >>>>> >>>>> regards, >>>>> >>>>> -- Luke >>>>> >>>>> On 07/10/2009, at 4:04 PM, Mark Pröhl wrote: >>>>> >>>>> Hi, >>>>> >>>>> I noticed a problem with kinit from krb-1.7. In case of a wrong >>>>> password, kinit tries up to 8 times to get initial credentials. 
>>>>> This happens if the KDC is an active directory controller: >>>>> >>>>> # kinit user >>>>> Password for user at MYDOMAIN.EXAMPLE: >>>>> kinit: Looping detected inside krb5_get_in_tkt while getting >>>>> initial >>>>> credentials >>>>> >>>>> Wireshark shows the following sequence: >>>>> >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> >>>>> This leads to a problem if account lockout policies are enabled. >>>>> Users get locked out after entering just one wrong password: >>>>> >>>>> # kinit user >>>>> Password for user at MYDOMAIN.EXAMPLE: >>>>> kinit: Clients credentials have been revoked while getting initial >>>>> credentials >>>>> # >>>>> >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_PREAUTH_FAILED >>>>> AS-REQ -> KRB Error: KRB5KDC_ERR_CLIENT_REVOKED NT Status: >>>>> NTATUS_ACCOUNT_LOCKED_OUT >>>>> >>>>> >>>>> My active directory is a win2k3-r2. 
>>>>> >>>>> My /etc/krb5.conf looks like this: >>>>> >>>>> [libdefaults] >>>>> default_realm = MYDOMAIN.EXAMPLE >>>>> [realms] >>>>> MYDOMAIN.EXAMPLE = { >>>>> kdc = 10.10.10.26 >>>>> } >>>>> >>>>> >>>>> Is there an option to prevent kinit from looping? >>>>> >>>>> Regards, >>>>> >>>>> Mark Pröhl >>>>> From huaraz at moeller.plus.com Wed Oct 7 17:34:24 2009 
From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 7 Oct 2009 22:34:24 +0100 Subject: Regd. Kerberos not authentication in IE In-Reply-To: References: Message-ID: I don't think IE 6 supports Negotiate/Kerberos for proxy authentication. Also you would have to use the FQDN, not the IP address, of the proxy. Markus "anandhi jay" wrote in message news:mailman.60.1254832099.18120.kerberos at mit.edu... > Hi, > > I have installed the kerberos5 in linux and configured squid for that. > From IE6 I configured the squid proxy IP address and port. It asked for > the username and password. > I have given the kerberos principal as username and password for that. > But I am getting 407 authentication required response only. Herewith I > have given the packets also; I think it is trying for NTLM, but I want > kerberos. I have enabled the > Enable Internet windows Authentication in the Internet options. Kindly > help me to work on the kerberos authentication using squid. > > > > GET http://www.whatismyip.com/ HTTP/1.0 > Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, > application/x-shockwave-flash, application/vnd.ms-excel, > application/vnd.ms-powerpoint, application/msword, > application/x-ms-application, application/x-ms-xbap, > application/vnd.ms-xpsdocument, application/xaml+xml, > application/x-silverlight, */* > Accept-Language: en-us > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; > Trident/4.0; > .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; > InfoPath.1) > Proxy-Connection: Keep-Alive > Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; > __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) > Proxy-Authorization: Negotiate > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== > Host: www.whatismyip.com > > > HTTP/1.0 407 Proxy Authentication Required > Server: squid/2.6.STABLE22 > Date: Tue, 06 Oct 2009 11:24:09 GMT > Content-Type: text/html > Content-Length: 1311 > 
Expires: Tue, 06 Oct 2009 11:24:09 GMT > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate > Proxy-Authenticate: Negotiate received > X-Cache: MISS from EXAMPLE.COM > Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) > Proxy-Connection: close > > GET http://www.whatismyip.com/ HTTP/1.0 > Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, > application/x-shockwave-flash, application/vnd.ms-excel, > application/vnd.ms-powerpoint, application/msword, > application/x-ms-application, application/x-ms-xbap, > application/vnd.ms-xpsdocument, application/xaml+xml, > application/x-silverlight, */* > Accept-Language: en-us > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; > Trident/4.0; > .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; > InfoPath.1) > Proxy-Connection: Keep-Alive > Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; > __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) > Host: www.whatismyip.com > Proxy-Authorization: Negotiate > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== > NTLMSSP > > HTTP/1.0 407 Proxy Authentication Required > Server: squid/2.6.STABLE22 > Date: Tue, 06 Oct 2009 11:24:10 GMT > Content-Type: text/html > Content-Length: 1311 > Expires: Tue, 06 Oct 2009 11:24:10 GMT > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate > Proxy-Authenticate: Negotiate received > X-Cache: MISS from EXAMPLE.COM > Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) > Proxy-Connection: close > > > > > Regards, > anu. From Meraj.Mohammad at atosorigin.com Thu Oct 8 02:19:07 2009 
From: Meraj.Mohammad at atosorigin.com (Mohammad, Meraj) Date: Thu, 8 Oct 2009 11:49:07 +0530 Subject: Assertion failed for krb5kdc In-Reply-To: References: Message-ID: Hi Kerberos 5 release 1.7". I am always getting an assertion failure and the program is aborted. I am not getting a stack trace and I have no idea how to get a stack trace. Regards Meraj Alam -----Original Message----- From: Tom Yu [mailto:tlyu at MIT.EDU] Sent: Wednesday, October 07, 2009 9:10 PM To: Mohammad, Meraj Cc: kerberos at mit.edu Subject: Re: Assertion failed for krb5kdc "Mohammad, Meraj" writes: > Hi, > > > > When I tried to execute the command below on the Sun Solaris operating > system (version 9), why am I getting an assertion failure error? > > /usr/local/sbin/krb5kdc > > Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63 > > > > But the /usr/local/sbin/kadmind command is working fine for me. What release of krb5? Does it always have an assertion failure, or only sometimes? Are you able to get a stack trace? From raeburn at MIT.EDU Thu Oct 8 04:05:15 2009 
From: raeburn at MIT.EDU (Ken Raeburn) Date: Thu, 8 Oct 2009 04:05:15 -0400 Subject: Assertion failed for krb5kdc In-Reply-To: References: Message-ID: <563BACA5-6AB6-4DEE-87F8-B57113CEE83B@mit.edu> On Oct 8, 2009, at 02:19, Mohammad, Meraj wrote: > Kerberos 5 release 1.7". I am always getting an assertion failure and > the program is aborted. > I am not getting a stack trace and I have no idea how to get a stack > trace. Do you know how to use gdb? Something like this sequence of commands should work: At the shell prompt: gdb /path/to/krb5kdc At the (gdb) prompt: run -n # <- "-n" tells it not to fork into background After it hits the assertion failure you should get another "(gdb)" prompt. Run the gdb command "bt" (for "backtrace") and send the results. If it doesn't hit the assertion failure when run this way, try "set args" (that tells gdb to forget about the "-n" command line argument, as "run" without any extra arguments will re-run the program with the arguments you used the time before) and then "run" and see if that triggers the problem. Alternatively, if you got a file named "core" in the directory where you started the KDC, then "gdb /path/to/krb5kdc /path/to/core" will let you examine the memory image of the dead process, so you can run the "bt" command without having to start up a new KDC process under the debugger. If you don't have gdb installed and don't know how to get it installed, you can try a debugger shipped with Solaris, but I don't remember offhand which Solaris 9 might ship with... Based on the message, my guess is a bug in the library initialization code, perhaps triggered by a broken version of pthread_once. Our library jumps through some hoops to try to work with both single-threaded and multi-threaded programs (more precisely, programs built as multi-threaded programs, which get the thread support library linked in, and programs which are built as single-threaded programs, which don't) without requiring two different versions of the library. 
However, older versions of Solaris included some broken dummy versions of thread-support functions which sometimes made it hard to figure out which mode was in use. It may be that some of the tests written to detect the Solaris stub versions got broken in 1.7 (or even earlier); since MIT's Kerberos group has been using Solaris 10 for testing for quite a while, this could've been overlooked for a long time. (That's the sort of thing beta testing is supposed to help uncover, isn't it?) If my guess is right, it probably wouldn't even be hard to fix, but the code has grown rather baroque and may take some time to understand first... Ken From shopik at inblock.ru Thu Oct 8 03:11:30 2009 
From: shopik at inblock.ru (Nikolay Shopik) Date: Thu, 08 Oct 2009 11:11:30 +0400 Subject: Regd. Kerberos not authentication in IE In-Reply-To: References: Message-ID: On 06.10.2009 16:27, anandhi jay wrote: > Hi, > > I have installed the kerberos5 in linux and configured squid for that. > From IE6 I configured the squid proxy IP address and port. It asked for > the username and password. > I have given the kerberos principal as username and password for that. > But I am getting 407 authentication required response only. Herewith I > have given the packets also; I think it is trying for NTLM, but I want > kerberos. I have enabled the > Enable Internet windows Authentication in the Internet options. Kindly > help me to work on the kerberos authentication using squid. > > > > GET http://www.whatismyip.com/ HTTP/1.0 > Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, > application/x-shockwave-flash, application/vnd.ms-excel, > application/vnd.ms-powerpoint, application/msword, > application/x-ms-application, application/x-ms-xbap, > application/vnd.ms-xpsdocument, application/xaml+xml, > application/x-silverlight, */* > Accept-Language: en-us > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; > .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; > InfoPath.1) > Proxy-Connection: Keep-Alive > Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; > __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) > Proxy-Authorization: Negotiate > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== > Host: www.whatismyip.com > > > HTTP/1.0 407 Proxy Authentication Required > Server: squid/2.6.STABLE22 > Date: Tue, 06 Oct 2009 11:24:09 GMT > Content-Type: text/html > Content-Length: 1311 > Expires: Tue, 06 Oct 2009 11:24:09 GMT > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate > Proxy-Authenticate: Negotiate received > X-Cache: MISS from EXAMPLE.COM > Via: 1.0 
EXAMPLE.COM:3129 (squid/2.6.STABLE22) > Proxy-Connection: close > > GET http://www.whatismyip.com/ HTTP/1.0 > Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, > application/x-shockwave-flash, application/vnd.ms-excel, > application/vnd.ms-powerpoint, application/msword, > application/x-ms-application, application/x-ms-xbap, > application/vnd.ms-xpsdocument, application/xaml+xml, > application/x-silverlight, */* > Accept-Language: en-us > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; > .NET CLR 2.0.50727; FDM; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; > InfoPath.1) > Proxy-Connection: Keep-Alive > Cookie: __utma=18138879.169229710.1251445998.1251445998.1251445998.1; > __utmz=18138879.1251445999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) > Host: www.whatismyip.com > Proxy-Authorization: Negotiate > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== > NTLMSSP > > HTTP/1.0 407 Proxy Authentication Required > Server: squid/2.6.STABLE22 > Date: Tue, 06 Oct 2009 11:24:10 GMT > Content-Type: text/html > Content-Length: 1311 > Expires: Tue, 06 Oct 2009 11:24:10 GMT > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 > Proxy-Authenticate: Negotiate > Proxy-Authenticate: Negotiate received > X-Cache: MISS from EXAMPLE.COM > Via: 1.0 EXAMPLE.COM:3129 (squid/2.6.STABLE22) > Proxy-Connection: close > > > > > Regards, > anu. > I could successfully configure only IE8; IE6 never works with a Kerberos proxy, and IE7 had the same problems, with either NTLM only or basic. From google at asktoby.com Thu Oct 8 05:31:12 2009 
From: google at asktoby.com (Toby Newman) Date: Thu, 8 Oct 2009 10:31:12 +0100 Subject: Getting a Windows username from an SID with Kerberos Message-ID: I am running Linux in a corporate windows environment. I need to convert user's Active Directory security identifiers (SIDs) to usernames, for example S-1-5-21-484763869-1275210071-682003330-34567 to mydomain\jbloggs. There are a few Windows tools that do this like SIDDecode and SidToName, but they don't work under wine. I've been reading about Kerberos and it seems it may be possible to achieve this. Does anyone here know how? -- -Toby Add the word afiduluminag to the subject to circumvent my email filters. From jwinius at umrk.nl Thu Oct 8 08:42:29 2009 
From: jwinius at umrk.nl (Jaap Winius) Date: 08 Oct 2009 12:42:29 GMT Subject: preauth (timestamp) verify failure: Decrypt integrity check failed Message-ID: <4acdde35$0$12392$e4fe514c@dreader12.news.xs4all.nl> Hi all, Oct 08 16:09:14 bungarus krb5kdc[1710](info): preauth (timestamp) verify failure: Decrypt integrity check failed Oct 08 16:09:14 bungarus krb5kdc[1710](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.2.41: PREAUTH_FAILED: jjones at UMRK.NL for krbtgt/ UMRK.NL at UMRK.NL, Decrypt integrity check failed This is an error that I can't seem to figure out. I'm trying to use SSH to log into a Debian lenny system that uses MIT Kerberos V v1.6 and OpenLDAP v2.4.11. The lab host, bungarus, has both the server and client software installed. It was working for a while, but now this. I've been following this howto: http://www.debian-administration.org/articles/570 My PAM configuration is exactly the same. It can't be a timesync problem, because I'm using only a single host. The strange thing is, I can log in with user jjones as soon as I make a matching unix account on the host: then I can log in with either the unix password or the Kerberos password. But, as soon as I get rid of the unix account, the above error returns. Any ideas? Thanks, Jaap From ioplex at gmail.com Thu Oct 8 12:29:56 2009 
From: ioplex at gmail.com (Michael B Allen) Date: Thu, 8 Oct 2009 12:29:56 -0400 Subject: Getting a Windows username from an SID with Kerberos In-Reply-To: References: Message-ID: <78c6bd860910080929q2cd44042hbbb70ff6d57b3414@mail.gmail.com> On Thu, Oct 8, 2009 at 5:31 AM, Toby Newman wrote: > I am running Linux in a corporate windows environment. > > I need to convert user's Active Directory security identifiers (SIDs) > to usernames, for example S-1-5-21-484763869-1275210071-682003330-34567 > to mydomain\jbloggs. > > There are a few Windows tools that do this like SIDDecode and > SidToName, but they don't work under wine. > > I've been reading about Kerberos and it seems it may be > possible to achieve this. Does anyone here know how? Hi Toby, Kerberos has nothing to do with SIDs. SIDs are just the numeric id of an account in Windows. So this is off topic for this list but I'll give you some pointers: 1. Use rpcclient from the Samba package 2. Google for JCIFS, create a jcifs.smb.SID, use resolve() with suitable credentials and then toDisplayString(). Mike -- Michael B Allen Java Active Directory Integration http://www.ioplex.com/ From kerberos at noopy.org Thu Oct 8 21:16:50 2009 
From: kerberos at noopy.org (kerberos@noopy.org) Date: Thu, 8 Oct 2009 21:16:50 -0400 Subject: Zero-length entry in a keytab: why?! In-Reply-To: References: <4AB2D585.5050700@mit.edu> Message-ID: On Fri, Sep 18, 2009 at 7:17 AM, Nathan Patwardhan wrote: > On Thu, Sep 17, 2009 at 8:34 PM, Ezra Peisach wrote: > >> b) You mention a vendor app writing such a keytab with holes - care to >> mention who? I suspect they might have extended their definition of a keytab >> in a non-standard way... You can ask the vendor... > > Centrify. I resolved this issue a couple of weeks ago. I cannot say 100% what Centrify does behind the scenes to create a keytab but I *can* say that their implementation spewed a bunch of NULL records from their keytab when I bumped up the debugging in my code -- or at least their NULL stuff that wasn't on spec with either MIT or Heimdal keytab formats -- such that I had a problem parsing Centrify-created keytabs reliably with my code. I ended up skipping these NULL records and comparing 'klist -k -e -K -t' of my generated keytab (based on parsing the Centrify keytab and excluding many lines of NULLs) versus the Centrify keytab and everything matched up. I am convinced that there's just some weirdness going on with Centrify keytab creation and I will file a bug report with them, in particular since their keytab was 10k and my rendition of the same was 2k. -- K From kerberos at noopy.org Thu Oct 8 21:26:00 2009 
From: kerberos at noopy.org (kerberos@noopy.org) Date: Thu, 8 Oct 2009 21:26:00 -0400 Subject: RFC 3962 and DK(tkey, "kerberos") function Message-ID: Hello, I've been working on generating AES keys for a keytab. I've been following RFC 3962 and 3961 and have gotten as far as implementing a PBKDF2 function in C# per RFC 2898. Following this high-level representation of AES 128 (http://msdn.microsoft.com/en-us/library/dd304065%28PROT.10%29.aspx) my results are correct thus far. I am having a heck of a time implementing a DK() function in C# however. I implemented PBKDF2(...) with C#'s Rfc2898DeriveBytes class and what I don't quite understand is how "kerberos" is hashed against the intermediate key generated by Rfc2898DeriveBytes to generate my AES 128, 256, etc key. It looks like "kerberos" has to be folded (maybe n-folded) somehow so that I can use it as my IV, but I am not quite sure I'm on the right track. I've been comparing my results with ktpass.exe (when I create a keytab w/an itercount of 4096 and type of AES128-SHA1) to what I'm generating but no dice. Can someone shed some light on this? -- K From ghudson at MIT.EDU Fri Oct 9 09:48:54 2009 
From: ghudson at MIT.EDU (Greg Hudson) Date: Fri, 09 Oct 2009 09:48:54 -0400 Subject: RFC 3962 and DK(tkey, "kerberos") function In-Reply-To: References: Message-ID: <1255096134.24377.62.camel@ray> On Thu, 2009-10-08 at 21:26 -0400, kerberos at noopy.org wrote: > It looks like "kerberos" has to be folded (maybe > n-folded) somehow so that I can use it as my IV, but I am not quite > sure I'm on the right track. You do need to n-fold "kerberos" to the block size (128 bits). I'm not sure I can describe n-fold better than the RFC; I suggest using the test vectors from RFC 3961 to determine when you've gotten it right. You do not need to fiddle with IVs. Once you have n-folded "kerberos" to 128 bits, you just encrypt those 128 bits with the intermediate key to produce the 128 bits of the final key. For AES-256, you encrypt the first 128 bits of the final key with the intermediate key (again) to produce the other 128 bits of the final key. Again, I suggest using the test vectors from RFC 3962 as an authoritative check, in case you're making incorrect assumptions about the usage of ktpass.exe. Best of luck! From jjasen at realityfailure.org Fri Oct 9 10:38:12 2009 
From: jjasen at realityfailure.org (John Jasen) Date: Fri, 09 Oct 2009 10:38:12 -0400 Subject: Getting a Windows username from an SID with Kerberos In-Reply-To: References: Message-ID: <4ACF4AD4.8030100@realityfailure.org> Toby Newman wrote: > I am running Linux in a corporate windows environment. > > I need to convert user's Active Directory security identifiers (SIDs) > to usernames, for example S-1-5-21-484763869-1275210071-682003330-34567 > to mydomain\jbloggs. > > There are a few Windows tools that do this like SIDDecode and > SidToName, but they don't work under wine. > > I've been reading about Kerberos and it seems it may be > possible to achieve this. Does anyone here know how? As someone else mentioned, kerberos has nothing to do with this. What are you trying to accomplish? Plugging the linux system into Active Directory? Or are you trying to convert Windows accounts to local UNIX accounts? Or something else? As a one time thing, you should be able to do an ldapsearch against AD with the SID, and return the principalname or some other useful field. -- -- John E. Jasen (jjasen at realityfailure.org) -- No one will sorrow for me when I die, because those who would -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring From kerberos at noopy.org Fri Oct 9 12:05:40 2009 
From: kerberos at noopy.org (kerberos@noopy.org) Date: Fri, 9 Oct 2009 12:05:40 -0400 Subject: RFC 3962 and DK(tkey, "kerberos") function In-Reply-To: <1255096134.24377.62.camel@ray> References: <1255096134.24377.62.camel@ray> Message-ID: On Fri, Oct 9, 2009 at 9:48 AM, Greg Hudson wrote: > On Thu, 2009-10-08 at 21:26 -0400, kerberos at noopy.org wrote: >> It looks like "kerberos" has to be folded (maybe >> n-folded) somehow so that I can use it as my IV, but I am not quite >> sure I'm on the right track. > > You do need to n-fold "kerberos" to the block size (128 bits). I'm not > sure I can describe n-fold better than the RFC; I suggest using the test > vectors from RFC 3961 to determine when you've gotten it right. Okay, I think I found an older posting from the archives that might be useful: http://mailman.mit.edu/pipermail/krbdev/2009-April/007656.html In short: " The pseudocode for DES3string-to-key in RFC 3961 includes: s = passwordString + salt tmpKey = random-to-key(168-fold(s)) key = DK (tmpKey, KerberosConstant) So n-fold scrambles the salt and password together. The DK function basically iteratively encrypts the KerberosConstant (64-fold of the string "kerberos") and uses the output blocks concatenated to generate the final key. " Yes, I know it's about DES3, but I assume my version will instead 128-fold the string "kerberos" in my DK() method? -- K From tlyu at MIT.EDU Fri Oct 9 12:28:29 2009 
From: tlyu at MIT.EDU (Tom Yu) Date: Fri, 09 Oct 2009 12:28:29 -0400 Subject: RFC 3962 and DK(tkey, "kerberos") function In-Reply-To: (kerberos@noopy.org's message of "Thu, 8 Oct 2009 21:26:00 -0400") References: Message-ID: "kerberos at noopy.org" writes: > Hello, > > I've been working on generating AES keys for a keytab. I've been > following RFC 3962 and 3961 and have gotten as far as implementing a > PBKDF2 function in C# per RFC 2898. Following this high-level > representation of AES 128 > (http://msdn.microsoft.com/en-us/library/dd304065%28PROT.10%29.aspx) > my results are correct thus far. I am having a heck of a time > implementing a DK() function in C# however. > > I implemented PBKDF2(...) with C#'s Rfc2898DeriveBytes class and what > I don't quite understand is how "kerberos" is hashed against the > intermediate key generated by Rfc2898DeriveBytes to generate my AES > 128, 256, etc key. It looks like "kerberos" has to be folded (maybe > n-folded) somehow so that I can use it as my IV, but I am not quite > sure I'm on the right track. I've been comparing my results with > ktpass.exe (when I create a keytab w/an itercount of 4096 and type of > AES128-SHA1) to what I'm generating but no dice. > > Can someone shed some light on this? The IV is also known as the "cipher state" for CBC ciphers, and each cryptosystem specification includes a default initial cipher state. For "simplified profile" (e.g. DES3 and AES) cryptosystems, this is all-bits-zero. The DK function uses n-fold to expand the well-known constant "kerberos" to a full cipher block length and then uses a temporary key to encrypt that block. It does not use the n-folded constant as an IV. In the case of AES, the temporary key is the output of PBKDF2. From peter_sands at techemail.com Fri Oct 9 15:21:38 2009 
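To make the DK step that Greg and Tom describe concrete, here is an added example in Go (mine, not the poster's C# code and not MIT krb5's implementation) that runs RFC 3962 string-to-key end to end: PBKDF2-HMAC-SHA1 for the intermediate key, 128-fold of "kerberos", and the block-encryption chain that is DK, checked against the RFC 3962 appendix B vector both replies point to as the authoritative reference. Function names are mine; the salt is the RFC's example, and ktpass.exe's own salting conventions are not modelled.

```go
// Added example (not the poster's C# code and not MIT krb5): RFC 3962 AES string-to-key end to end.
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// nfold is the n-fold function of RFC 3961 section 5.1 for whole-byte sizes:
// replicate the input to lcm(len(in), outLen) bytes, rotating it right by 13
// bits before each repetition, then sum the outLen-byte chunks with
// ones'-complement (end-around-carry) addition.
func nfold(in []byte, outLen int) []byte {
	inLen := len(in)
	a, b := outLen, inLen
	for b != 0 {
		a, b = b, a%b
	}
	lcm := outLen * inLen / a
	out := make([]byte, outLen)
	carry := 0
	for i := lcm - 1; i >= 0; i-- {
		// bit index of the top bit of the rotated-input byte at stream position i
		msbit := ((inLen<<3)-1 + ((inLen<<3)+13)*(i/inLen) + ((inLen-(i%inLen))<<3)) % (inLen << 3)
		hi, lo := int(in[((inLen-1)-(msbit>>3))%inLen]), int(in[(inLen-(msbit>>3))%inLen])
		carry += (((hi << 8) | lo) >> ((msbit & 7) + 1)) & 0xff
		carry += int(out[i%outLen])
		out[i%outLen] = byte(carry)
		carry >>= 8
	}
	for i := outLen - 1; carry != 0 && i >= 0; i-- { // end-around carry
		carry += int(out[i])
		out[i] = byte(carry)
		carry >>= 8
	}
	return out
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, the PRF RFC 3962 specifies.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// dk is DK(key, constant) as RFC 3962 instantiates it for AES: n-fold the
// constant to one AES block, encrypt it under key, then keep encrypting the
// previous output block until keyLen bytes exist. random-to-key is the
// identity for AES, and with exactly one block per step CBC-CTS under the
// all-zero initial cipher state is just a raw block encryption (no IV work).
func dk(key, constant []byte, keyLen int) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	prev := nfold(constant, c.BlockSize())
	var out []byte
	for len(out) < keyLen {
		next := make([]byte, c.BlockSize())
		c.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:keyLen], nil
}

// aesStringToKey yields the aes128-cts-hmac-sha1-96 (keyLen 16) or
// aes256-cts-hmac-sha1-96 (keyLen 32) key: tkey = PBKDF2 output of keyLen
// bytes, key = DK(tkey, "kerberos"). RFC 3962's default iteration count is 4096.
func aesStringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	return dk(tkey, []byte("kerberos"), keyLen)
}

func main() {
	// RFC 3962 appendix B vector: iteration count 1, password "password", salt "ATHENA.MIT.EDUraeburn".
	for _, n := range []int{16, 32} {
		k, err := aesStringToKey("password", "ATHENA.MIT.EDUraeburn", 1, n)
		if err != nil {
			panic(err)
		}
		fmt.Printf("aes%d-cts-hmac-sha1-96 %s\n", n*8, hex.EncodeToString(k))
	}
}
```

The hex output is what `klist -k -e -K` prints for the same principal's keytab entry, so a derived key can be compared against one written by another tool.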
From: peter_sands at techemail.com (peter sands) Date: Fri, 9 Oct 2009 12:21:38 -0700 (PDT) Subject: ftp GSSAPI messages Message-ID:

Hello,

On our internal private servers I have just created some ftp principals. Now when ftping to a host I get GSSAPI error messages, although I can connect to the host and I do get a (ftp) ticket. There are no errors in the kdc log, only messages about a connection. I have run the ftp in debug (ftp -d .); it states 'gssapi no file or directory found'. The encrypted keys get displayed in debug mode, so I am a bit confused. Does anybody know how to suppress these messages or what 'no directory or file found' means? I have chmod 666 the keytab on both hosts, but that makes no difference, so it cannot be a permission problem.

$ ftp eng01
Connected to eng01.mydomain.com
220 eng01 FTP server (Version 4.2 Fri Mar 13 12:08:31 CDT 2009) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: File or directory not found
GSSAPI error: accepting context
ADAT command failed
Name (eng01:psands):
....
....

thanks
Pete.

From Nicolas.Williams at sun.com Fri Oct 9 16:31:05 2009
From: Nicolas.Williams at sun.com (Nicolas Williams) Date: Fri, 9 Oct 2009 15:31:05 -0500 Subject: ftp GSSAPI messages In-Reply-To: References: Message-ID: <20091009203105.GH887@Sun.COM> On Fri, Oct 09, 2009 at 12:21:38PM -0700, peter sands wrote: > $ ftp eng01 > Connected to eng01.mydomain.com > 220 eng01 FTP server (Version 4.2 Fri Mar 13 12:08:31 CDT 2009) ready. > 334 Using authentication type GSSAPI; ADAT must follow > GSSAPI accepted as authentication type > GSSAPI error major: Miscellaneous failure > GSSAPI error minor: File or directory not found > GSSAPI error: accepting context > ADAT command failed > Name (eng01:psands): Trace the ftp server and look for ENOENT errors. I bet you'll find that either the krb5.conf file or the krb5.keytab file are missing. Nico -- From rra at stanford.edu Sun Oct 11 22:55:25 2009 
From: rra at stanford.edu (Russ Allbery) Date: Sun, 11 Oct 2009 19:55:25 -0700 Subject: kadmin-remctl 2.4 released Message-ID: <87eip99v8i.fsf@windlord.stanford.edu> I'm pleased to announce release 2.4 of kadmin-remctl. kadmin-remctl provides a remctl backend that implements basic Kerberos account administration functions (create, delete, enable, disable, reset password, examine) plus user password changes and a call to strength-check a given password. It can also provide similar management of instances and creation, deletion, and management of accounts in MIT Kerberos, Active Directory, and an AFS kaserver where appropriate. Also included is a client for privileged users to use for password resets. Many of the defaults and namespace checks are Stanford-specific, but it can be modified for other sites. Changes from previous release: When enabling or disabling accounts in Active Directory via LDAP, send the required "replace: userAccountControl" portion of the LDIF. Enable Automake silent rules. For a quieter build, pass the --enable-silent-rules option to configure or build with make V=0. Update to rra-c-util 2.0: * Sanity-check the results of krb5-config before proceeding. * Fall back on manual probing if krb5-config results don't work. * Don't break if the user clobbers CPPFLAGS or LDFLAGS at build time. * Support Solaris 10's native generic GSS-API libraries. * Require Autoconf 2.64 and Automake 1.11. You can download it from: This package is maintained using Git; see the instructions on the above page to access the Git repository. Please let me know of any problems or feature requests not already listed in the TODO file. -- Russ Allbery (rra at stanford.edu) From Guillaume.Rousse at inria.fr Mon Oct 12 07:44:26 2009 
From: Guillaume.Rousse at inria.fr (Guillaume Rousse) Date: Mon, 12 Oct 2009 13:44:26 +0200 Subject: Using kerberos on windows machines without AD support Message-ID: <4AD3169A.9030000@inria.fr> Hello list. We're authenticating our Windows users against our Unix kerberos domain, through a trust relationship between our AD domain and this kerberos domain. It works well for windows machines that belong to this domain, because they automatically get a suitable TGT at login. However, there is an issue for machines that don't belong to this domain, either because they don't belong to any domain, or worse, because they belong to another one for which I can't set up a trust relationship. I know how to get a TGT with the MIT kerberos client for windows, which can be used by third-party applications such as putty, for instance, but I can't have Explorer use it for accessing CIFS shares, or kerberos-protected web sites. So, is there a way to manually populate the system kerberos credential caches when the login procedure doesn't handle it? -- BOFH excuse #276: U.S. Postal Service From google at asktoby.com Mon Oct 12 09:00:01 2009
From: google at asktoby.com (Toby Newman) Date: Mon, 12 Oct 2009 14:00:01 +0100 Subject: Getting a Windows username from an SID with Kerberos References: Message-ID: On 2009-10-08, Michael B Allen wrote: > On Thu, Oct 8, 2009 at 5:31 AM, Toby Newman wrote: >> I am running Linux in a corporate windows environment. >> >> I need to convert user's Active Directory security identifiers (SIDs) >> to usernames, for example S-1-5-21-484763869-1275210071-682003330-34567 >> to mydomain\jbloggs. >> >> There are a few Windows tools that do this like SIDDecode and >> SidToName, but they don't work under wine. >> >> I've been reading about Kerberos and it seems it may be >> possible to achieve this. Does anyone here know how? > > Hi Toby, > > Kerberos has nothing to do with SIDs. SIDs are just the numeric id of > an account in Windows. > > So this is off topic for this list but I'll give you some pointers: > > 1. Use rpcclient from the Samba package Thanks for replying. I've found a way using rpcclient which was perfect for my needs: rpcclient -U user%pass -c "lookupsids " > 2. Google for JCIFS, create a jcifs.smb.SID, use resolve() with > suitable credentials and then toDisplayString(). > > Mike > -- -Toby Add the word afiduluminag to the subject to circumvent my email filters. From sanka at maffia.hu Tue Oct 13 11:35:00 2009 
From: sanka at maffia.hu (sanka) Date: Tue, 13 Oct 2009 08:35:00 -0700 (PDT) Subject: Kerberos installation Message-ID: <25875232.post@talk.nabble.com> Hello everybody, I know that the question I ask is a dummy one, but I hope someone can help me. I would like to install Kerberos V5 as follows: - a KDC server on a LINUX machine - a client on a Windows machine Which steps should I do? Where are the downloadable files I should obtain? How can I check that everything works correctly? All comments are appreciated. Thanks in advance, Sanka -- View this message in context: http://www.nabble.com/Kerberos-installation-tp25875232p25875232.html Sent from the Kerberos - General mailing list archive at Nabble.com. From peter_sands at techemail.com Tue Oct 13 11:12:15 2009
From: peter_sands at techemail.com (peter sands) Date: Tue, 13 Oct 2009 08:12:15 -0700 (PDT) Subject: ftp GSSAPI messages References: Message-ID: <90e345ff-2f17-4100-8fef-d1e0ecd02121@k17g2000yqb.googlegroups.com>

> Trace the ftp server and look for ENOENT errors. I bet you'll find that
> either the krb5.conf file or the krb5.keytab file are missing.
>
> Nico
> --

Thanks, you're right, I had the keytab but with the wrong filename. Now I get another error:

GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context

If I run in debug mode it first tries the ftp principal, fails with the gssapi error, then falls back to the host principal and connects. All looks good with the DNS and /etc/hosts, which seems to be the main cause of this error. The main kdc logs show a ticket for the host principal eng01, instead of ftp/eng01:

Oct 13 15:35:02 elec01 /usr/krb5/sbin/krb5kdc[508042](info): AS_REQ (5 etypes {16 23 18 3 1}) 172.22.11.114(88): ISSUE: authtime 1255444502, etypes {rep=16 tkt=16 ses=16}, host/eng01.mydomain.com at MYDOMAIN.COM for kadmin/admin at MYDOMAIN.COM

$ ftp -d eng01.mydomain.com
Connected to eng01.mydomain.com.
220 syg04 FTP server (Version 4.2 Fri Mar 13 12:08:31 CDT 2009) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to calling gss_init_sec_context
---> ADAT YIICIAYJKoZIhvcSAQICAQBuggIPMIICC6ADAgEFoQMCAQ6iBwMFACAAAACjggEnYYIBIzCCAR+gAwIBBaEMGwpBQ0VJTlMuQ09NoigwJqADAgEDoR8w ........
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
ADAT command failed
Trying to authenticate to calling gss_init_sec_context
---> ADAT YIICIQYJKoZIhvcSAQICAQBuggIQMIICDKADAgEFoQMCA
calling gss_init_sec_context
Name (eng01.mydomain.com:psands):
ftp>

Any help please
thanks
Pete.

From jdpf at hoozinga.com Tue Oct 13 12:09:45 2009
From: jdpf at hoozinga.com (Jonathan Ferguson) Date: Tue, 13 Oct 2009 12:09:45 -0400 Subject: Kerberos installation In-Reply-To: <25875232.post@talk.nabble.com> References: <25875232.post@talk.nabble.com> Message-ID: <4AD4A649.2070504@hoozinga.com> sanka wrote: > Hello everybody, > > I know that question I ask is a dummy one, but I hope someone can help me. > I would like to install Kerberos V5 as follows: > - a KDC server on a LINUX machine > - a client on a Windows machine I suggest that you start by Reading The Fine Manual: http://web.mit.edu/kerberos/krb5-1.7/#documentation > Which steps I should do? Where are the download able files I should obtain? > How can I check that everything works correctly? > Every comments are appreciated. Other than the manuals, for step by step, you may find the following tutorials helpful: http://techpubs.spinlocksolutions.com/dklar/ldap.html http://techpubs.spinlocksolutions.com/dklar/kerberos.html http://techpubs.spinlocksolutions.com/dklar/afs.html Kerberos requires a thoughtful implementation. Be sure you are prepared, and understand the implications of a Kerberized network. have a day.yad jdpf From chriscowleysound at googlemail.com Tue Oct 13 12:28:15 2009 
From: chriscowleysound at googlemail.com (Chris Cowley) Date: Tue, 13 Oct 2009 09:28:15 -0700 (PDT) Subject: mod_auth_kerb realm stripping Message-ID:

Hello all

I am trying to tweak my mod_auth_kerb setup. Currently it works nicely, I am able to authenticate to web pages on our intranet and everything is dandy.

The problem I am having is the contents of Apache's REMOTE_USER variable. Currently it has my REALM on the end, which I do not want. I have upgraded to mod_auth_kerb 5.4 which introduced a "KrbLocalUserMapping" option. As you can see in the log below it is rewriting my principal, but then I am not found in AD. The value I am being re-written to matches my sAMAccountName, so it should be found.

[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1578): [client 172.19.77.8] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1213): [client 172.19.77.8] Acquiring creds for HTTP/svn.snellwilcox.local
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1335): [client 172.19.77.8] Verifying client data using KRB5 GSS-API
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1351): [client 172.19.77.8] Client didn't delegate us their credential
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1370): [client 172.19.77.8] GSS-API token of length 161 bytes will be sent back
[Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1484): [client 172.19.77.8] kerb_authenticate_a_name_to_local_name ChrisCowley at SNELLWILCOX.LOCAL -> ChrisCowley
[Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(561): [client 172.19.77.8] ldap authorize: Creating LDAP req structure
[Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(573): [client 172.19.77.8] auth_ldap authorise: User DN not found, User not found

http.conf:
        AuthType Kerberos
        AuthName "Subversion - use your SNELLWILCOX domain login (as used to log in to Windows"
        Krb5Keytab /etc/kerberos/svn.keytab
        KrbVerifyKDC On
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms SNELLWILCOX.LOCAL
        KrbLocalUserMapping on

        AuthLDAPBindDN
        AuthLDAPBindPassword
        AuthLDAPURL ldap:///OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)

        require ldap-attribute msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local"

From chriscowleysound at googlemail.com Tue Oct 13 12:41:58 2009
From: chriscowleysound at googlemail.com (Chris Cowley) Date: Tue, 13 Oct 2009 09:41:58 -0700 (PDT) Subject: mod_auth_kerb realm stripping References: Message-ID:

On 13 Oct, 17:28, Chris Cowley wrote:
> Hello all
>
> I am trying to tweak my mod_auth_kerb setup. Currently it works
> nicely, I am able to authenticate to web pages on our intranet and
> everything is dandy.
>
> The problem I am having is the contents of Apache's REMOTE_USER
> variable. Currently it has my REALM on the end, which I do not want. I
> have upgraded to mod_auth_kerb 5.4 which introduced an
> "KrbLocalUserMapping" option. As you can see in the log below it
> rewriting my principal, but then I am not found in AD. the value I am
> being re-written to matches my sAMAccount name, so it should be found.
>
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1578): [client
> 172.19.77.8] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1213): [client
> 172.19.77.8] Acquiring creds for HTTP/svn.snellwilcox.local
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1335): [client
> 172.19.77.8] Verifying client data using KRB5 GSS-API
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1351): [client
> 172.19.77.8] Client didn't delegate us their credential
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1370): [client
> 172.19.77.8] GSS-API token of length 161 bytes will be sent back
> [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1484): [client
> 172.19.77.8] kerb_authenticate_a_name_to_local_name
> ChrisCow... at SNELLWILCOX.LOCAL -> ChrisCowley
> [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(561): [client
> 172.19.77.8] ldap authorize: Creating LDAP req structure
> [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(573): [client
> 172.19.77.8] auth_ldap authorise: User DN not found, User not found
>
> http.conf:
> AuthType Kerberos
>         AuthName "Subversion - use your SNELLWILCOX domain login (as
> used to log in to Windows"
>         Krb5Keytab /etc/kerberos/svn.keytab
>         KrbVerifyKDC On
>         KrbMethodNegotiate On
>         KrbMethodK5Passwd On
>         KrbAuthRealms SNELLWILCOX.LOCAL
>         KrbLocalUserMapping on
>
>         AuthLDAPBindDN
>         AuthLDAPBindPassword
>         AuthLDAPURL
> ldap:///OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*)
>
>         require ldap-attribute
> msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication
> Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local"

Also, if anyone has a better way to do it (mod_rewrite) that would be considered.

From kerberos at noopy.org Tue Oct 13 15:42:19 2009
From: kerberos at noopy.org (kerberos@noopy.org) Date: Tue, 13 Oct 2009 15:42:19 -0400 Subject: RFC 3962 and DK(tkey, "kerberos") function In-Reply-To: References: Message-ID:

Hello,

Thanks for your response! Further stuff inline.

On Fri, Oct 9, 2009 at 12:28 PM, Tom Yu wrote:
>
> The IV is also known as the "cipher state" for CBC ciphers, and each
> cryptosystem specification includes a default initial cipher state.
> For "simplified profile" (e.g. DES3 and AES) cryptosystems, this is
> all-bits-zero.

OK.

>
> The DK function uses n-fold to expand the well-known constant
> "kerberos" to a full cipher block length and then uses a temporary key
> to encrypt that block. It does not use the n-folded constant as an
> IV. In the case of AES, the temporary key is the output of PBKDF2.
>

When using the following from the test vectors as written in http://www.apps.ietf.org/rfc/rfc3962.html Appendix B, Example 1 (Iteration count = 1, Pass phrase = "password", Salt = "ATHENA.MIT.EDUraeburn"):

- My Rfc2898DeriveBytes(...) function matches the 128-bit PBKDF2 output when I use the values above.
- My N-fold function for "kerberos" matches the test vectors for 128-fold "kerberos" in http://www.apps.ietf.org/rfc/rfc3961.html#sec-A.1.

My 128-bit AES key *doesn't* match the one in http://www.apps.ietf.org/rfc/rfc3962.html Appendix B, Example 1.

I'm not clear why this is happening -- but suspect the problem lies somewhere in what I'm encrypting rather than in creating a temporary key or in my n-folding function. Basically what I'm trying to do in my DK function is: "encrypt my 'kerberos' block with the temporary key I got from my derive bytes function."

Am I understanding how I create the final key correctly here?

-- K

From jblaine at kickflop.net Tue Oct 13 17:11:03 2009
From: jblaine at kickflop.net (Jeff Blaine) Date: Tue, 13 Oct 2009 17:11:03 -0400 Subject: password expiration/change request fails to ask Message-ID: <4AD4ECE7.6020309@kickflop.net>

Solaris 10 SPARC OS
Solaris 10 / Sun sshd
MIT Kerberos 1.7
Russ Alberry's fantastic pam_krb5 3.15 linked to above

Solaris 9 + MIT Kerberos + RA pam_krb5 works!

RHELv5 with stock MIT Kerberos + RA pam_krb5 works!

The setup above fails.

On the client side, I merely see "Permission denied." instead of being asked to change my expired password.

If anyone has any ideas, I would love to hear them.

% ssh cairo
jblaine at cairo's password:
Permission denied, please try again.

#
# all krb5kdc.log info matching the timestamp
#
Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xx.10.14: CLIENT KEY EXPIRED: jblaine at FOO.COM for krbtgt/FOO.COM at FOO.COM, Password has expired
Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xx.10.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16 ses=16}, jblaine at FOO.COM for kadmin/changepw at FOO.COM

#
# all *.debug syslog info matching the timestamp
#
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): jblaine: attempting authentication as jblaine at FOO.COM
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): jblaine: krb5_get_init_creds_password: Generic error (see e-text)
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): jblaine: pam_sm_authenticate: exit (failure)
Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed password for jblaine from xxx.xx.xx.xxx port 36735 ssh2

#
# /etc/pam.conf
#
sshd-password auth requisite pam_authtok_get.so.1
sshd-password auth sufficient pam_krb5RA.so try_first_pass forwardable minimum_uid=92 debug
sshd-password auth required pam_unix_auth.so.1
sshd-password auth required pam_unix_cred.so.1
sshd-password auth optional pam_afs_session.so minimum_uid=92 debug
sshd-password session optional pam_krb5RA.so minimum_uid=92 debug
sshd-password session optional pam_afs_session.so minimum_uid=92 debug

From rra at stanford.edu Tue Oct 13 17:40:03 2009
From: rra at stanford.edu (Russ Allbery) Date: Tue, 13 Oct 2009 14:40:03 -0700 Subject: password expiration/change request fails to ask In-Reply-To: <4AD4ECE7.6020309@kickflop.net> (Jeff Blaine's message of "Tue, 13 Oct 2009 17:11:03 -0400") References: <4AD4ECE7.6020309@kickflop.net> Message-ID: <873a5nynv0.fsf@windlord.stanford.edu>

Jeff Blaine writes:

> % ssh cairo
> jblaine at cairo's password:
> Permission denied, please try again.

Judging from the password prompt that you're getting, you do not have ChallengeResponseAuthentication enabled on your ssh server, which means that it cannot do a full PAM dialogue. The simple PasswordAuthentication ssh protocol can only handle a password prompt and response, not any additional conversation such as an expired password change.

Check your sshd_config; I suspect that if you enable ChallengeResponse, it will start working.

-- Russ Allbery (rra at stanford.edu)

From jblaine at kickflop.net Tue Oct 13 17:52:07 2009
From: jblaine at kickflop.net (Jeff Blaine) Date: Tue, 13 Oct 2009 17:52:07 -0400 Subject: password expiration/change request fails to ask In-Reply-To: <4AD4ECE7.6020309@kickflop.net> References: <4AD4ECE7.6020309@kickflop.net> Message-ID: <4AD4F687.6000004@kickflop.net> I had a look at sshd_config and saw this: # jblaine note: For some reason setting this to 'yes' does not work # with Solaris 10 sshd (not properly at least). PAMAuthenticationViaKBDInt no Who knows why or when I put that in our master Solaris 10 pam.conf. Turning it on solves the problem. Thanks again, Russ. Jeff Blaine wrote: > Solaris 10 SPARC OS > Solaris 10 / Sun sshd > MIT Kerberos 1.7 > Russ Alberry's fantastic pam_krb5 3.15 linked to above > > Solaris 9 + MIT Kerberos + RA pam_krb5 works! > > RHELv5 with stock MIT Kerberos + RA pam_krb5 works! > > The setup above fails. > > On the client side, I merely see "Permission denied." > instead of being asked to change my expired password. > > If anyone has any ideas, I would love to hear them. > > % ssh cairo > jblaine at cairo's password: > Permission denied, please try again. 
> > # > # all krb5kdc.log info matching the timestamp > # > Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 > 1 3 2}) xxx.xx.10.14: CLIENT KEY EXPIRED: jblaine at FOO.COM for > krbtgt/FOO.COM at FOO.COM, Password has expired > Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 > 1 3 2}) xxx.xx.10.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16 > ses=16}, jblaine at FOO.COM for kadmin/changepw at FOO.COM > > > # > # all *.debug syslog info matching the timestamp > # > Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): > jblaine: attempting authentication as jblaine at FOO.COM > Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): > jblaine: krb5_get_init_creds_password: Generic error (see e-text) > Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): > jblaine: pam_sm_authenticate: exit (failure) > Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed > password for jblaine from xxx.xx.xx.xxx port 36735 ssh2 > > # > # /etc/pam.conf > # > sshd-password auth requisite pam_authtok_get.so.1 > sshd-password auth sufficient pam_krb5RA.so try_first_pass forwardable > minimum_uid=92 debug > sshd-password auth required pam_unix_auth.so.1 > sshd-password auth required pam_unix_cred.so.1 > sshd-password auth optional pam_afs_session.so minimum_uid=92 debug > sshd-password session optional pam_krb5RA.so minimum_uid=92 debug > sshd-password session optional pam_afs_session.so minimum_uid=92 debug > > > From deengert at anl.gov Tue Oct 13 18:09:51 2009 
From: deengert at anl.gov (Douglas E. Engert) Date: Tue, 13 Oct 2009 17:09:51 -0500 Subject: password expiration/change request fails to ask In-Reply-To: <4AD4ECE7.6020309@kickflop.net> References: <4AD4ECE7.6020309@kickflop.net> Message-ID: <4AD4FAAF.7040405@anl.gov> Jeff Blaine wrote: > Solaris 10 SPARC OS > Solaris 10 / Sun sshd > MIT Kerberos 1.7 > Russ Alberry's fantastic pam_krb5 3.15 linked to above > > Solaris 9 + MIT Kerberos + RA pam_krb5 works! > > RHELv5 with stock MIT Kerberos + RA pam_krb5 works! > > The setup above fails. > > On the client side, I merely see "Permission denied." > instead of being asked to change my expired password. > > If anyone has any ideas, I would love to hear them. > > % ssh cairo > jblaine at cairo's password: > Permission denied, please try again. > > # > # all krb5kdc.log info matching the timestamp > # > Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 > 1 3 2}) xxx.xx.10.14: CLIENT KEY EXPIRED: jblaine at FOO.COM for > krbtgt/FOO.COM at FOO.COM, Password has expired > Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 > 1 3 2}) xxx.xx.10.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16 > ses=16}, jblaine at FOO.COM for kadmin/changepw at FOO.COM > > > # > # all *.debug syslog info matching the timestamp > # > Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): > jblaine: attempting authentication as jblaine at FOO.COM > Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): > jblaine: krb5_get_init_creds_password: Generic error (see e-text) > Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): > jblaine: pam_sm_authenticate: exit (failure) > Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed > password for jblaine from xxx.xx.xx.xxx port 36735 ssh2 > > # > # /etc/pam.conf > # > sshd-password auth requisite pam_authtok_get.so.1 > sshd-password auth sufficient pam_krb5RA.so try_first_pass forwardable > 
minimum_uid=92 debug
> sshd-password auth required pam_unix_auth.so.1
> sshd-password auth required pam_unix_cred.so.1
> sshd-password auth optional pam_afs_session.so minimum_uid=92 debug
> sshd-password session optional pam_krb5RA.so minimum_uid=92 debug
> sshd-password session optional pam_afs_session.so minimum_uid=92 debug
>

I think you also need:

sshd_password password required pam_krb5RA.so minimum_uid=92 debug

(and a copy of the "other password" entries as needed)

I bet it is using the "other" password entries and not calling pam_krb5RA.so

I would also use PAMAuthenticationViaKBDInt yes and in pam.conf: sshd-kbdint

One way to test is to see what pam modules are being called by adding a /etc/pam_debug file with:

debug_flags=0x37
log_priority=7
log_facility=1
#1024 max size of this file
#http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libpam/pam_framework.c
# flags=0 turn off, or no file
# 8 is for pam.conf parse

>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444

From pratap.m-k at hp.com Wed Oct 14 00:47:47 2009
From: pratap.m-k at hp.com (Keshava, Pratap M (STSD)) Date: Wed, 14 Oct 2009 04:47:47 +0000 Subject: kadmin on windows Message-ID: <552229D70CE76E4098440137E03766663CEF92C8BC@GVW1156EXB.americas.hpqcorp.net> Hi, I am working on a Windows Application. I need to administer Kerberos server present on Linux (or any other) from the application. I am looking for kadmin utility on windows which I can use to configure Kerberos server on Linux. I need to add principals, extract them to a file. Where can I find the kadmin utility for Windows? If it is available, can you provide the location from where it can be downloaded? If it is not available for download, can anyone provide the steps to build the kadmin from MIT sources for Windows? I have tried using source 3.2.2 from MIT for Windows. Thanks & Regards, Pratap M Keshava HP - System Tech & Software Division 91-80-251-65422 pratap.m-k at hp.com From tma at cwru.edu Wed Oct 14 15:26:49 2009 
From: tma at cwru.edu (tma@cwru.edu) Date: Wed, 14 Oct 2009 15:26:49 -0400 Subject: Kadmind (v1.6.3) - Crash? RPC Errors!? Message-ID:

Platform "Linux x86_64 x86_64 x86_64 GNU/Linux"

Been running for many years without a hitch until this AM, when we noticed the following in the logs because kadmind was displaying the errors shown below and was basically brain dead. Restart of krb5kdc and kadmind seemed to fix it for now! Not sure what could have caused this, as I have never seen this happen in all of the 11 years since Kerberos v4!

As I was typing this message, it started happening again, and I alerted my colleague who responded that his program may be the cause of this problem. He is running a script that is checking the status of 100K alumni to see who has a kerberos principal or not. That's all!

We are wondering if running this by hand vs. from cron could be loading the LD_LIBRARY_PATH! (edit: yes, the paths were different; we changed it to the correct load library path)

But still, is this a known bug that has hopefully been fixed in the latest version, or just normal behavior? Kind of scary that this can happen in the first place if you have the wrong load lib path.

I thought I would share this with the list hoping someone could shed some light for us.

Thank you in advance for any help you may provide,

Tareq

----
Oct 14 09:52:11 kdcservername.fqdn.edu kadmind[19076](Notice): Miscellaneous RPC error: XXX.XX.XXX.XX, internal error unsealing sequence number

....a few thousand identical lines in the logs and then:

Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): Authentication attempt failed: XXX.XX.XXX.XX, GSS-API error strings are:
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): Authentication attempt failed: XXX.XX.XXX.XX, GSS-API error strings are:
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): Unspecified GSS failure. Minor code may provide more information
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): Unspecified GSS failure. Minor code may provide more information
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): Database is locked or in use--try again later
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): Database is locked or in use--try again later
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): GSS-API error strings complete.
Oct 14 14:00:28 kdcservername.fqdn.edu kadmind[18419](Notice): GSS-API error strings complete.

(The IP address removed was for an application server where our user management perl tools are running.)

From huaraz at moeller.plus.com Wed Oct 14 18:07:17 2009
From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 14 Oct 2009 23:07:17 +0100 Subject: mod_auth_kerb realm stripping In-Reply-To: References: Message-ID: Did you check http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/ ? Markus "Chris Cowley" wrote in message news:a804524e-f6d4-4b9d-93ca-a267ee356335 at j19g2000yqk.googlegroups.com... On 13 Oct, 17:28, Chris Cowley wrote: > Hello all > > I am trying to tweak my mod_auth_kerb setup. Currently it works > nicely, I am able to authenticate to web pages on our intranet and > everything is dandy. > > The problem I am having is the contents of Apache's REMOTE_USER > variable. Currently it has my REALM on the end, which I do not want. I > have upgraded to mod_auth_kerb 5.4 which introduced an > "KrbLocalUserMapping" option. As you can see in the log below it > rewriting my principal, but then I am not found in AD. the value I am > being re-written to matches my sAMAccount name, so it should be found. > > [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1578): [client > 172.19.77.8] kerb_authenticate_user entered with user (NULL) and > auth_type Kerberos > [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1213): [client > 172.19.77.8] Acquiring creds for HTTP/svn.snellwilcox.local > [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1335): [client > 172.19.77.8] Verifying client data using KRB5 GSS-API > [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1351): [client > 172.19.77.8] Client didn't delegate us their credential > [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1370): [client > 172.19.77.8] GSS-API token of length 161 bytes will be sent back > [Tue Oct 13 17:13:26 2009] [debug] src/mod_auth_kerb.c(1484): [client > 172.19.77.8] kerb_authenticate_a_name_to_local_name > ChrisCow... 
at SNELLWILCOX.LOCAL -> ChrisCowley > [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(561): [client > 172.19.77.8] ldap authorize: Creating LDAP req structure > [Tue Oct 13 17:13:26 2009] [debug] mod_authnz_ldap.c(573): [client > 172.19.77.8] auth_ldap authorise: User DN not found, User not found > > http.conf: > AuthType Kerberos > AuthName "Subversion - use your SNELLWILCOX domain login (as > used to log in to Windows" > Krb5Keytab /etc/kerberos/svn.keytab > KrbVerifyKDC On > KrbMethodNegotiate On > KrbMethodK5Passwd On > KrbAuthRealms SNELLWILCOX.LOCAL > KrbLocalUserMapping on > > AuthLDAPBindDN > AuthLDAPBindPassword > AuthLDAPURL > ldap:///OU=SnellWilcox,DC=snellwilcox,DC=local?userPrincipalName,sAMAccountName,mail,displayname,cn?sub?(objectClass=*) > > require ldap-attribute > msSFU30PosixMemberOf="CN=SG_Linux_CVS_IT,OU=Linux Authentication > Groups,OU=Security Groups,OU=SnellWilcox,DC=snellwilcox,DC=local" Also, if anyone has a better way to do it (mod_rewrite) that would be considered. ________________________________________________ Kerberos mailing list Kerberos at mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos From bruno.medeiros at arcticlake.com Thu Oct 15 06:36:03 2009 
From: bruno.medeiros at arcticlake.com (Bruno Medeiros)
Date: Thu, 15 Oct 2009 11:36:03 +0100
Subject: Kerberos password change specification
Message-ID: <4AD6FB13.9040309@arcticlake.com>

Hello.

I was wondering where the specification for the original Kerberos Change Password protocol is, as I could not find it so far. RFC 3244 only details the Windows extension, and from what I've seen of RFC 1510, there is no mention of how the password change actually works (or I've missed it somehow). Why does RFC 1510 refer to the password change service (example: "(The password-changing request must not be honored unless the requester can provide the old password (the user's current secret key)"), but not actually specify how it works, or refer to some other document that does?

I've searched a bit more and found these documents:
http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-00

Are these the specifications? If so, why are these still drafts, whereas Kerberos is fairly old and mature? I'm not familiar with Kerberos history unfortunately, so I'm confused by this.

Regards
--
Bruno Medeiros

From ghudson at MIT.EDU Thu Oct 15 10:03:52 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 15 Oct 2009 10:03:52 -0400
Subject: RFC 3962 and DK(tkey, "kerberos") function
In-Reply-To:
References:
Message-ID: <1255615432.23997.58.camel@ray>

On Tue, 2009-10-13 at 15:42 -0400, kerberos at noopy.org wrote:
> Basically what I'm trying to do in
> my DK function is: "encrypt my 'kerberos' block with the temporary key
> I got from my derive bytes function."
>
> Am I understanding how I create the final key correctly here?

You have the right idea to the best of my understanding, with the proviso that you should be using the cipher's default input vector (which I believe is all-bits-zero) and not an IV left over from any previous encryption. So, I'm not immediately sure why you're not getting the right result.

From kerberos at noopy.org Thu Oct 15 10:53:59 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Thu, 15 Oct 2009 10:53:59 -0400
Subject: RFC 3962 and DK(tkey, "kerberos") function
In-Reply-To: <1255615432.23997.58.camel@ray>
References: <1255615432.23997.58.camel@ray>
Message-ID:

On Thu, Oct 15, 2009 at 10:03 AM, Greg Hudson wrote:
> On Tue, 2009-10-13 at 15:42 -0400, kerberos at noopy.org wrote:
>> Basically what I'm trying to do in
>> my DK function is: "encrypt my 'kerberos' block with the temporary key
>> I got from my derive bytes function."
>>
>> Am I understanding how I create the final key correctly here?
>
> You have the right idea to the best of my understanding, with the
> proviso that you should be using the cipher's default input vector
> (which I believe is all-bits-zero) and not an IV left over from any
> previous encryption. So, I'm not immediately sure why you're not
> getting the right result.

*blushing*

I figured out the error of my ways this morning. Apparently some code I'd added for debugging was reading the result of Rfc2898DeriveBytes(...) *twice*, like so:

    Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
    Console.WriteLine("debug me: " + BitConverter.ToString(k1.GetBytes(keySize / 8))); // correct result
    byte[] keyBytes = k1.GetBytes(keySize / 8);
    Console.WriteLine(BitConverter.ToString(keyBytes)); // wrong result

The end result of calling GetBytes(...) twice was that my intermediate/temporary key was flat *wrong* (as it was generated by having read twice as many bits as it should've been) and this caused my DK(...) function to fail.

I modified my code like so:

    Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(passPhrase, saltValueBytes, passwordIterations);
    byte[] keyBytes = k1.GetBytes(keySize / 8);
    Console.WriteLine(BitConverter.ToString(keyBytes)); // correct result

Then I went back to each of the test vectors in RFC 3962 and everything matched up. Then I went back and compared to the output of ktpass.exe and everything matched up. Sweet.
:-)

Thanks everyone for your clarification. Very helpful!

-- K

From sthgrau at gmail.com Thu Oct 15 18:00:01 2009
From: sthgrau at gmail.com (eightball)
Date: Thu, 15 Oct 2009 15:00:01 -0700 (PDT)
Subject: Assertion failed for krb5kdc
References:
Message-ID: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>

I am having the same problem with Solaris 8 and 9, but not 10. The output is the same between 8 and 9, so I am just sending 8.
Thanks for your help,
Steve

[root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb kdc/krb5kdc
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) run -n
Starting program: /local/BuildArea/krb5/krb5-1.7/src/kdc/krb5kdc -n
Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63

Program received signal SIGABRT, Aborted.
0xfef9fe08 in _libc_kill () from /usr/lib/libc.so.1
(gdb) bt
#0 0xfef9fe08 in _libc_kill () from /usr/lib/libc.so.1
#1 0xfef35a2c in abort () from /usr/lib/libc.so.1
#2 0xfef35cd0 in _assert () from /usr/lib/libc.so.1
#3 0xff21716c in krb5int_initialize_library () at krb5_libinit.c:63
#4 0xff2496b4 in init_common (context=0xffbef8d4, secure=0, kdc=1) at init_ctx.c:134
#5 0x00020370 in main (argc=2, argv=0xffbef94c) at main.c:855
(gdb) The program is running. Exit anyway? (y or n) y

[root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb appl/bsd/klogind
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) run
Starting program: /local/BuildArea/krb5/krb5-1.7/src/appl/bsd/klogind
Assertion failed: k5int_i->did_run != 0, file error_message.c, line 293

Program received signal SIGABRT, Aborted.
0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
#1 0xff035a2c in abort () from /usr/lib/libc.so.1
#2 0xff035cd0 in _assert () from /usr/lib/libc.so.1
#3 0xff3411b0 in add_error_table (et=0x187b0) at error_message.c:309
#4 0x000174d8 in pty_init () at init.c:31
#5 0x00012c60 in main (argc=1, argv=0xffbef944) at krlogind.c:344
(gdb) The program is running. Exit anyway? (y or n) y

[root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb appl/bsd/kshd
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) run
Starting program: /local/BuildArea/krb5/krb5-1.7/src/appl/bsd/kshd
Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63

Program received signal SIGABRT, Aborted.
0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
(gdb) bt
#0 0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
#1 0xff035a2c in abort () from /usr/lib/libc.so.1
#2 0xff035cd0 in _assert () from /usr/lib/libc.so.1
#3 0xff29716c in krb5int_initialize_library () at krb5_libinit.c:63
#4 0xff2c96b4 in init_common (context=0x130854, secure=0, kdc=0) at init_ctx.c:134
#5 0x000128f0 in main (argc=1, argv=0xffbef94c) at krshd.c:280
(gdb) The program is running. Exit anyway? (y or n) y

From tlyu at MIT.EDU Thu Oct 15 19:20:29 2009
From: tlyu at MIT.EDU (Tom Yu)
Date: Thu, 15 Oct 2009 19:20:29 -0400
Subject: Assertion failed for krb5kdc
In-Reply-To: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com> (sthgrau@gmail.com's message of "Thu, 15 Oct 2009 18:00:01 -0400")
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID:

eightball writes:

> I am having the same problem with Solaris 8 and 9, but not 10. The
> output is the same between 8 and 9, so I am just sending 8.
> Thanks for your help,
> Steve

A comment in k5-thread.h implies that Solaris < 10 have a broken pthread_once() that doesn't actually do anything. I thought we had a workaround for it.

> [root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb kdc/krb5kdc
> GNU gdb 5.3
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.8"...
> (gdb) run -n
> Starting program: /local/BuildArea/krb5/krb5-1.7/src/kdc/krb5kdc -n
> Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63
>
> Program received signal SIGABRT, Aborted.
> 0xfef9fe08 in _libc_kill () from /usr/lib/libc.so.1
> (gdb) bt
> #0 0xfef9fe08 in _libc_kill () from /usr/lib/libc.so.1
> #1 0xfef35a2c in abort () from /usr/lib/libc.so.1
> #2 0xfef35cd0 in _assert () from /usr/lib/libc.so.1
> #3 0xff21716c in krb5int_initialize_library () at krb5_libinit.c:63
> #4 0xff2496b4 in init_common (context=0xffbef8d4, secure=0, kdc=1) at init_ctx.c:134
> #5 0x00020370 in main (argc=2, argv=0xffbef94c) at main.c:855
> (gdb) The program is running. Exit anyway? (y or n) y
>
> [root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb appl/bsd/klogind
> GNU gdb 5.3
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.8"...
> (gdb) run
> Starting program: /local/BuildArea/krb5/krb5-1.7/src/appl/bsd/klogind
> Assertion failed: k5int_i->did_run != 0, file error_message.c, line 293
>
> Program received signal SIGABRT, Aborted.
> 0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
> (gdb) bt
> #0 0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
> #1 0xff035a2c in abort () from /usr/lib/libc.so.1
> #2 0xff035cd0 in _assert () from /usr/lib/libc.so.1
> #3 0xff3411b0 in add_error_table (et=0x187b0) at error_message.c:309
> #4 0x000174d8 in pty_init () at init.c:31
> #5 0x00012c60 in main (argc=1, argv=0xffbef944) at krlogind.c:344
> (gdb) The program is running. Exit anyway? (y or n) y
>
> [root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb appl/bsd/kshd
> GNU gdb 5.3
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "sparc-sun-solaris2.8"...
> (gdb) run
> Starting program: /local/BuildArea/krb5/krb5-1.7/src/appl/bsd/kshd
> Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63
>
> Program received signal SIGABRT, Aborted.
> 0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
> (gdb) bt
> #0 0xff09fe08 in _libc_kill () from /usr/lib/libc.so.1
> #1 0xff035a2c in abort () from /usr/lib/libc.so.1
> #2 0xff035cd0 in _assert () from /usr/lib/libc.so.1
> #3 0xff29716c in krb5int_initialize_library () at krb5_libinit.c:63
> #4 0xff2c96b4 in init_common (context=0x130854, secure=0, kdc=0) at init_ctx.c:134
> #5 0x000128f0 in main (argc=1, argv=0xffbef94c) at krshd.c:280
> (gdb) The program is running. Exit anyway? (y or n) y

From sthgrau at gmail.com Thu Oct 15 19:16:19 2009
From: sthgrau at gmail.com (eightball)
Date: Thu, 15 Oct 2009 16:16:19 -0700 (PDT)
Subject: Assertion failed for krb5kdc
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID:

I came across the klogind error since I am producing this for client machines, not KDCs. I went back and checked the packages that were created for 1.6.1 and 1.6.2 and they both exhibit the same problem with krb5kdc. However, at that time the klogind binary worked fine.

I poked at it some more and found that configuring with --disable-thread-support, I can get working binaries for Solaris 8 at least; working on 9 now.

From raeburn at MIT.EDU Fri Oct 16 00:28:12 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Fri, 16 Oct 2009 00:28:12 -0400
Subject: Assertion failed for krb5kdc
In-Reply-To:
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID: <49B64EE1-2CE8-423A-8959-CC86FE03227F@mit.edu>

On Oct 15, 2009, at 19:20, Tom Yu wrote:
> eightball writes:
>
>> I am having the same problem with Solaris 8 and 9, but not 10. The
>> output is the same between 8 and 9, so I am just sending 8.
>> Thanks for your help,
>> Steve
>
> A comment in k5-thread.h implies that Solaris < 10 have a broken
> pthread_once() that doesn't actually do anything. I thought we had a
> workaround for it.

Yes... on Solaris it ought to be using the code paths that call krb5int_pthread_loaded in the support library. Among other things, that function may call pthread_once a couple of times, and the function passed (loaded_test_aux) will adjust a global variable (flag_pthread_loaded) to indicate whether it actually got invoked.

So, some more things might help track down what's going on:
 - set a breakpoint in krb5int_pthread_loaded, to verify that it's getting called
 - set a breakpoint in loaded_test_aux, to see whether it's getting called
 - examine flag_pthread_loaded after the process aborts, to see how it's set

>> #0 0xfef9fe08 in _libc_kill () from /usr/lib/libc.so.1
>> #1 0xfef35a2c in abort () from /usr/lib/libc.so.1
>> #2 0xfef35cd0 in _assert () from /usr/lib/libc.so.1
>> #3 0xff21716c in krb5int_initialize_library () at krb5_libinit.c:63
>> #4 0xff2496b4 in init_common (context=0xffbef8d4, secure=0, kdc=1) at init_ctx.c:134
>> #5 0x00020370 in main (argc=2, argv=0xffbef94c) at main.c:855

That's about what I'd expect, given the assertion message text...

Ken

From tomplast at gmail.com Fri Oct 16 10:53:02 2009
From: tomplast at gmail.com (Tomas Gustavsson)
Date: Fri, 16 Oct 2009 16:53:02 +0200
Subject: Connecting Windows 2003 to separate MIT Kerberos Server?
Message-ID:

Hi!

My name is Tomas and I'm trying to set up MIT Kerberos on a Linux server and I would like Microsoft Windows 2003 Server (and all clients connected to it) to use my "Linux Kerberos" instead of the native one in Windows. Maybe I have misunderstood some parts here and there and I'm a beginner when it comes to Kerberos (started reading about it a couple of days ago) but I have chosen this as my final project, I'm studying to become a (junior) Linux administrator. I have Googled and looked into some documents but I can't find anything useful that helps me do what I want. So if you can tell me if it's possible to make Windows 2003 Server use a separate MIT Kerberos server and how it's done then I would be very happy.

P.S. I only have a couple of days to complete the project so time is of the essence. D.S.

Thank you.

Best regards
/Tomas Gustavsson

From deengert at anl.gov Fri Oct 16 11:20:42 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Fri, 16 Oct 2009 10:20:42 -0500
Subject: Connecting Windows 2003 to separate MIT Kerberos Server?
In-Reply-To:
References:
Message-ID: <4AD88F4A.4020804@anl.gov>

Tomas Gustavsson wrote:
> Hi!
>
> My name is Tomas and I'm trying to set up MIT Kerberos on a Linux server and
> I would like Microsoft Windows 2003 Server (and all clients connected to it)
> to use my "Linux Kerberos" instead of the native one in Windows. Maybe I have
> misunderstood some parts here and there and I'm a beginner when it comes to
> Kerberos (started reading about it a couple of days ago) but I have chosen
> this as my final project, I'm studying to become a (junior) Linux
> administrator.

Sounds more like a master-level project to me :-)

> I have Googled and looked into some documents but I can't find
> anything useful that helps me do what I want. So if you can tell me if it's
> possible to make Windows 2003 Server use a separate MIT Kerberos server
> and how it's done then I would be very happy.
>

Short answer, Windows expects Kerberos tickets to have a PAC which has authorization data with SUID and Group membership stuff maintained by Windows Active Directory. This is carried by an extension to the Kerberos protocol. The PAC is added by Windows AD. So you need either:

(1) Cross realm between a Kerberos realm and AD domain where you authenticate to Kerberos, and the cross realm TGT will get a PAC. Start here as this might give you other ideas too. It's old but short and most of it still applies.
http://technet.microsoft.com/en-us/library/bb742433.aspx

(2) Use a Kerberos server which can add the PAC. But it then needs the Authorization database too. Have you looked at Samba yet?

>
> P.S. I only have a couple of days to complete the project so time is of
> the essence. D.S.

Good luck...

>
> Thank you.
>
> Best regards
> /Tomas Gustavsson

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From sthgrau at gmail.com Fri Oct 16 19:19:28 2009
From: sthgrau at gmail.com (eightball)
Date: Fri, 16 Oct 2009 16:19:28 -0700 (PDT)
Subject: Assertion failed for krb5kdc
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID:

On Oct 16, 12:28 am, Ken Raeburn wrote:
> Yes... on Solaris it ought to be using the code paths that call
> krb5int_pthread_loaded in the support library. Among other things,
> that function may call pthread_once a couple of times, and the
> function passed (loaded_test_aux) will adjust a global variable
> (flag_pthread_loaded) to indicate whether it actually got invoked.
>
> So, some more things might help track down what's going on:
>  - set a breakpoint in krb5int_pthread_loaded, to verify that it's
> getting called
>  - set a breakpoint in loaded_test_aux, to see whether it's getting
> called
>  - examine flag_pthread_loaded after the process aborts, to see how
> it's set

I am not familiar with gdb. If I did it incorrectly, some help would be appreciated:

[root at localhost]/local/BuildArea/krb5/krb5-1.7/src#gdb kdc/krb5kdc
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(gdb) break main
Breakpoint 1 at 0x2033c: file main.c, line 838.
(gdb) run -n
Starting program: /local/BuildArea/krb5/krb5-1.7/src/kdc/krb5kdc -n

Breakpoint 1, main (argc=2, argv=0xffbef934) at main.c:838
838         if (strrchr(argv[0], '/'))
(gdb) break krb5int_pthread_loaded
Breakpoint 2 at 0xff182024: file threads.c, line 135.
(gdb) break loaded_test_aux
Breakpoint 3 at 0xff181fe0: file threads.c, line 126.
(gdb) continue
Continuing.
Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63

Program received signal SIGABRT, Aborted.
0xfef9fe08 in _libc_kill () from /usr/lib/libc.so.1
(gdb) print flag_pthread_loaded
$1 = -1

From lawrence-strickland at uiowa.edu Mon Oct 19 08:42:06 2009
From: lawrence-strickland at uiowa.edu (Strickland, Lawrence P)
Date: Mon, 19 Oct 2009 07:42:06 -0500
Subject: I am having trouble building kerberos on AIX 6.1. Can anyone help?
Message-ID: <2478C5B51E419E4AA72C069F6A0562E3037FA0BD@HC-MAIL13.healthcare.uiowa.edu>

I am having trouble building kerberos on AIX 6.1. Can anyone help?

My build looks like this:

bash-3.00# cat my_build
#edit conf/shlib.conf line 410 aix5 to aix
make distclean
CC=cc_r ./configure --prefix=/usr/local/krb5-1.6.3 --with-static \
  --enable-log-preauth-logins --enable-login-print-issue \
  --with-multihomed-fixes --enable-app-proxy --with-passive-mode-off \
  --without-anonymous-ftp

Make ends in errors as shown.

rtl -L../../lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lc
ld: 0706-026 The -b filelist option is ignored.
rm -f libgssrpc.so
ln -s libgssrpc.so.4.0 libgssrpc.so
rm -f ../../lib/libgssrpc.so
(cd ../../lib && ln -s rpc/libgssrpc.so .)
rm -f ../../lib/libgssrpc.so.4.0
(cd ../../lib && ln -s rpc/libgssrpc.so.4.0 .)
making all in lib/rpc/unit-test...
Target "all" is up to date.
cc_r -I../../../include -I./../../../include -I. -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -g -qhalt=e -O -D_THREAD_SAFE -c client.c
cc_r -I../../../include -I./../../../include -I. -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -g -qhalt=e -O -D_THREAD_SAFE -c rpc_test_clnt.c
cc_r -L../../../lib -blibpath:/usr/local/krb5-1.6.3/lib::/usr/lib:/lib -g -qhalt=e -O -D_THREAD_SAFE -o client client.o rpc_test_clnt.o -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lpthreads
ld: 0706-006 Cannot find or open library file: -l k5crypto
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l com_err
ld:open(): A file or directory in the path name does not exist.
ld: 0706-006 Cannot find or open library file: -l krb5support
ld:open(): A file or directory in the path name does not exist.
make: 1254-004 The error code from the last command is 255.
Stop.
make: 1254-004 The error code from the last command is 1.
Stop.
make: 1254-004 The error code from the last command is 1.
Stop.
make: 1254-004 The error code from the last command is 1.
Stop.

Larry Strickland
Lead Systems Administrator
lawrence-strickland at uiowa.edu
University of Iowa Hospitals and Clinics

From remi.ferrand at cc.in2p3.fr Mon Oct 19 11:37:44 2009
From: remi.ferrand at cc.in2p3.fr (Remi Ferrand)
Date: Mon, 19 Oct 2009 17:37:44 +0200
Subject: AFS Token / Kerberos v5 ticket
Message-ID: <4ADC87C8.9040002@cc.in2p3.fr>

Hi,

I'm trying to find a way to efficiently decrypt an AFS Token created with "kinit + aklog" in order to access the encrypted data.

Every attempt I made to use the tkt_DecodeTicket5 function was unsuccessful (this function is supposed to exist for this purpose, isn't it?)

My last (and ultimate) idea is to map the AFS Token to a krb5_ticket and to decrypt it with the krb5_decrypt_tkt_part function. That's not an easy trick and I would like to know if someone has already written something about this....

My questions are:
* Is it possible to map an AFS Token to a krb5_ticket and decrypt it using the krb5_decrypt_tkt_part function? The encrypted part of AFS Tokens created with "kinit+aklog" is based on the krb5_encrypt_tkt_part function so I think that's possible.
* Has anyone already tried something like this? Could anyone help me with this?

For sure, any other ideas to access the encrypted content of the AFS Tokens created with "kinit + aklog" are accepted.

Thanks in advance

Remi
--
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/

From jaltman at secure-endpoints.com Mon Oct 19 12:26:39 2009
From: jaltman at secure-endpoints.com (Jeffrey Altman)
Date: Mon, 19 Oct 2009 12:26:39 -0400
Subject: [OpenAFS] AFS Token / Kerberos v5 ticket
In-Reply-To: <4ADC87C8.9040002@cc.in2p3.fr>
References: <4ADC87C8.9040002@cc.in2p3.fr>
Message-ID: <4ADC933F.4080100@secure-endpoints.com>

Remi:

Can you please explain what it is that you are attempting to accomplish?

An AFS token can be created by a number of methods, not all of which are Kerberos v5. tkt_DecodeTicket5() can only be used when the kvno of the AFS token is RXKAD_TKT_TYPE_KERBEROS_V5 or RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY. To decrypt the ticket you need to have possession of the afs service principal key that matches the kvno in the Kerberos v5 ticket.

From your previous e-mail to kerberos at mit.edu I know that you are trying to print your own AFS tokens. I do not understand why you aren't simply using "aklog -keytab -principal -cell" which will produce a new token for the specified principal in the specified cell using the key in the provided keytab. Why do you need to decrypt the existing AFS token? In order to decrypt the old token you would need to have the key for the afs service principal; if you have that then you can simply print a token whenever you want for whomever you want.

On 9/29 you said the reason for this project is to permit automated token renewal for users that remotely login via SSH. I would think long and hard as to the risks associated with placing copies of your afs service principal keys on such machines. If that key becomes compromised, the attacker can do anything they want to the data in your cell or pretend to be anyone to your cell. Are the benefits worth the risk?

Jeffrey Altman

Remi Ferrand wrote:
> Hi,
>
> I'm trying to find a way to efficiently decrypt an AFS Token created
> with "kinit + aklog" in order to access the encrypted data.
>
> Every attempt I made to use the tkt_DecodeTicket5 function was
> unsuccessful (this function is supposed to exist for this purpose, isn't
> it?)
>
> My last (and ultimate) idea is to map the AFS Token to a krb5_ticket and
> to decrypt it with the krb5_decrypt_tkt_part function.
> That's not an easy trick and I would like to know if someone has already
> written something about this....
>
> My questions are:
> * Is it possible to map an AFS Token to a krb5_ticket and decrypt it
> using the krb5_decrypt_tkt_part function?
> The encrypted part of AFS Tokens created with "kinit+aklog" is based
> on the krb5_encrypt_tkt_part function so I think that's possible.
>
> * Has anyone already tried something like this?
> Could anyone help me with this?
>
> For sure, any other ideas to access the encrypted content of the AFS
> Tokens created with "kinit + aklog" are accepted.
>
> Thanks in advance
>
> Remi

From raeburn at MIT.EDU Mon Oct 19 14:29:03 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 19 Oct 2009 14:29:03 -0400
Subject: Assertion failed for krb5kdc
In-Reply-To:
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID: <84BED0DD-D71E-4A1D-88D4-4AC4F723AF3A@mit.edu>

On Oct 16, 2009, at 19:19, eightball wrote:
> I am not familiar with gdb. If I did it incorrectly, some help would
> be appreciated:

No, it looks right...

> (gdb) run -n
> Starting program: /local/BuildArea/krb5/krb5-1.7/src/kdc/krb5kdc -n
>
> Breakpoint 1, main (argc=2, argv=0xffbef934) at main.c:838
> 838         if (strrchr(argv[0], '/'))
> (gdb) break krb5int_pthread_loaded
> Breakpoint 2 at 0xff182024: file threads.c, line 135.
> (gdb) break loaded_test_aux
> Breakpoint 3 at 0xff181fe0: file threads.c, line 126.
> (gdb) continue
> Continuing.
> Assertion failed: k5int_i->did_run != 0, file krb5_libinit.c, line 63

Okay, it looks like it's never even calling krb5int_pthread_loaded, which should mean that it's always following the code path (in selecting macro definitions) that assumes the thread support is always linked in. This would be dependent on some configuration macros, HAVE_PRAGMA_WEAK_REF and NO_WEAK_PTHREADS; can you see which are set in include/autoconf.h in the build tree? The former should be defined (based on tests of the compiler, so it may also depend on which compiler you're using), and the latter should not (selected in the configure script based on the OS version).

Ken

From sthgrau at gmail.com Mon Oct 19 16:55:25 2009
From: sthgrau at gmail.com (eightball)
Date: Mon, 19 Oct 2009 13:55:25 -0700 (PDT)
Subject: Assertion failed for krb5kdc
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID:

On Oct 19, 2:29 pm, Ken Raeburn wrote:
>
> Okay, it looks like it's never even calling krb5int_pthread_loaded,
> which should mean that it's always following the code path (in
> selecting macro definitions) that assumes the thread support is always
> linked in. This would be dependent on some configuration macros,
> HAVE_PRAGMA_WEAK_REF and NO_WEAK_PTHREADS; can you see which are set
> in include/autoconf.h in the build tree? The former should be defined
> (based on tests of the compiler, so it may also depend on which
> compiler you're using), and the latter should not (selected in the
> configure script based on the OS version).
>
> Ken

Both are set to 1.

[root at localhost]/local/BuildArea/krb5/krb5-1.7/src#grep HAVE_PRAGMA_WEAK_REF include/autoconf.h
#define HAVE_PRAGMA_WEAK_REF 1
[root at localhost]/local/BuildArea/krb5/krb5-1.7/src#grep NO_WEAK_PTHREADS include/autoconf.h
#define NO_WEAK_PTHREADS 1

I am using an old version of gcc (3.2.3)

From caltri at gmail.com Mon Oct 19 19:35:54 2009
From: caltri at gmail.com (CT)
Date: Mon, 19 Oct 2009 16:35:54 -0700
Subject: pam_krb5 3.15 (No credentials cache file found while setting cache flags )
Message-ID:

Hi,

I've just compiled pam_krb5 using Russ's version 3.15 with MIT krb5 1.7. The client is Solaris 8 and Kerberos is set up to authenticate to Windows Active Directory. The issue is that the credentials cache file never gets created in /tmp after login. It accepts the password but I'm getting the message below when I do a klist:

klist: No credentials cache file found while setting cache flags (ticket cache /tmp/krb5cc_1256_7Ia4n0)

Does anyone know what the problem is and how to resolve this? Using kinit is fine.

Here's the contents of /etc/pam.conf

# more /etc/pam.conf
#
# ident "@(#)pam.conf 1.19 03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so use_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# su (explicit to provide failsafe root access during testing
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_unix_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_krb5.so use_first_pass
rlogin  auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so use_first_pass forwardable
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account sufficient      pam_krb5.so
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session optional        pam_krb5.so debug
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional           pam_krb5.so.1 try_first_pass
#login  auth optional           pam_krb5.so.1 try_first_pass
#other  auth optional           pam_krb5.so.1 try_first_pass
#cron   account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional       pam_krb5.so.1 try_first_pass

Thanks!

From raeburn at MIT.EDU Mon Oct 19 20:46:20 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Mon, 19 Oct 2009 20:46:20 -0400
Subject: Assertion failed for krb5kdc
In-Reply-To:
References: <92147f06-2e2e-4dbb-af78-b05539b01512@w37g2000prg.googlegroups.com>
Message-ID: <935ED09D-645D-4996-A9AD-F09D8C4759DD@mit.edu>

On Oct 19, 2009, at 16:55, eightball wrote:
>> This would be dependent on some configuration macros,
>> HAVE_PRAGMA_WEAK_REF and NO_WEAK_PTHREADS; can you see which are set
>> in include/autoconf.h in the build tree? The former should be defined
>> (based on tests of the compiler, so it may also depend on which
>> compiler you're using), and the latter should not (selected in the
>> configure script based on the OS version).
>>
>> Ken
>
> Both are set to 1.

Okay, that sounds like it's the problem. The configure script should be setting the latter only for Solaris 10, unless the patterns we're checking for are wrong:

case "${host_os}" in
[...]
solaris2.[1-9])
        # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't
        # get the right result. XXX What about Solaris 9 and earlier?
        if test "$GCC" = yes ; then
                PTHREAD_CFLAGS="-D_REENTRANT -pthreads"
        fi
        ;;
solaris*)
        # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't
        # get the right result.
        if test "$GCC" = yes ; then
                PTHREAD_CFLAGS="-D_REENTRANT -pthreads"
        fi
        # On Solaris 10, the thread support is always available in libc.
        AC_DEFINE(NO_WEAK_PTHREADS,1,[Define if references to pthread routines should be non-weak.])
        ;;

Can you check the setting of the host config type? In the build tree for Solaris 8 or 9, run a grep command like this:

$ grep cv_host config.cache
ac_cv_host=${ac_cv_host=i386-apple-darwin9.8.0}
krb5_cv_host=${krb5_cv_host=i386-apple-darwin9.8.0}
$

For Solaris 9, we'd expect to see something like "sparc-sun-solaris2.9" in there.

Oh... uh... just to check something that should've been obvious to me to ask before... by any chance did you:
(a) use the Solaris 10-built binaries for Solaris 8 and 9, or
(b) reuse a Solaris 10 build tree for making the Solaris 8/9 binaries, making "clean" and maybe reconfiguring but without getting rid of the "config.cache" file?

In general (a) is not good; backwards compatibility options will often let you do the reverse, but sometimes software built for a newer OS version will wind up using new features that weren't available in the old system. In this case, a working pthread_once in libc.

If (b) happened, it's sort of a similar issue but a little more specific to the krb5 setup -- our configure script knows that Solaris 10 has better thread support, and disables the workarounds needed for Solaris 9. And configure scripts generated with "autoconf" have the ability to cache results of tests; I think it's disabled by default in modern autoconf, but our script takes a while to run so we enable it, and maybe it needs to do better checking to ensure that the cached values were actually associated with the current system type.

If you do reuse a krb5 build tree for a different OS, you should... hm, actually, one or two directories may get configured or not depending on system software available, and switching from "configured" to "not configured" may not work properly; I'd have to check. The simplest advice is: Use a fresh build tree for each OS version.

Ken

From rtb at pclella.cern.ch Tue Oct 20 06:59:45 2009
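Ken's config.cache check and case (b), as an added example that is not part of the thread: a small sh script that refuses a build tree whose config.cache was written for another host triple, and shows which branch of the configure fragment quoted above a given triple would take. The Solaris case patterns are copied from that fragment; the script, its function names and the sample triples are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the list posting): guard against reusing a krb5
# build tree, and the config.cache inside it, across Solaris releases.
# Only the two Solaris case patterns come from the quoted configure script.

# cached_host CACHEFILE -> prints the host triple recorded by an earlier
# configure run, e.g. "i386-apple-darwin9.8.0", or nothing if not recorded.
cached_host() {
    sed -n 's/^ac_cv_host=\${ac_cv_host=\([^}]*\)}.*$/\1/p' "$1"
}

# host_os_of TRIPLE -> the os field of a cpu-vendor-os triple
host_os_of() {
    printf '%s\n' "${1#*-*-}"
}

# pthread_mode TRIPLE -> "weak", "nonweak" or "other" (non-Solaris).
# Same patterns as configure: "solaris2.[1-9]" matches a single digit only,
# so solaris2.10 falls through to "solaris*" and gets NO_WEAK_PTHREADS.
pthread_mode() {
    case "$(host_os_of "$1")" in
        solaris2.[1-9]) echo weak ;;
        solaris*)       echo nonweak ;;
        *)              echo other ;;
    esac
}

# check_build_tree DIR WANTED_TRIPLE -> 0 if DIR has no cache, or the cache
# was produced for WANTED_TRIPLE; 1 (with a message on stderr) otherwise.
check_build_tree() {
    dir=$1; want=$2
    cache=$dir/config.cache
    if [ ! -f "$cache" ]; then
        echo "$dir: no config.cache, configure will probe this host afresh"
        return 0
    fi
    got=$(cached_host "$cache")
    if [ "$got" != "$want" ]; then
        echo "$dir: config.cache is from $got (pthreads: $(pthread_mode "$got")), but you are building for $want (pthreads: $(pthread_mode "$want"))" >&2
        echo "remove config.cache or use a fresh build tree before running configure" >&2
        return 1
    fi
    echo "$dir: config.cache matches $want"
    return 0
}

# Usage: sh check_tree.sh /path/to/krb5/build sparc-sun-solaris2.9
if [ "$#" -eq 2 ]; then
    check_build_tree "$1" "$2"
fi
```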
From: rtb at pclella.cern.ch (Rainer Toebbicke)
Date: Tue, 20 Oct 2009 12:59:45 +0200
Subject: [OpenAFS] AFS Token / Kerberos v5 ticket
In-Reply-To: <4ADD74A6.6070705@in2p3.fr>
References: <4ADC87C8.9040002@cc.in2p3.fr> <4ADC933F.4080100@secure-endpoints.com> <4ADD74A6.6070705@in2p3.fr>
Message-ID: <4ADD9821.6070105@pclella.cern.ch>

Xavier,

the "forge" code that Rémi tried to get working is capable of decrypting an AFS token both for K4 and K5, however it can only re-encrypt a K4 one, not K5. When he asked me for advice I suggested dropping that code and rather using Heimdal's kadmin extract to temporarily extract a keytab entry for the user in question and then simply do a "kinit -k" + aklog to build a new token for shipment back to the batch worker. This is also possible with MIT Kerberos, using a mod to ktutil developed by Andrei.

Sure enough, all this has to take place on a trusted server using an authenticated and secure channel; no keys are available to the batch worker.

For both, once the batch job is running, within the ticket refresh period an occasional "kinit -R" + aklog is sufficient and safer.

BTW: for the brave, "impersonating" as a user (which is what your batch system does in the end) is also possible without hacking or C-coding, using a suitably mapped certificate, with Heimdal and even Windows. Probably MIT as well. Just increasingly tricky to keep it hackerproof.

Cheers,
Rainer

Xavier Canehan wrote:
> Our home made batch system used to save and forge kas tickets. No
> Kerberos 5, not very secure, easiest. Moreover, it was just navigating
> through bit fields to forge a ticket. No AFS primitive implied.
>
> We are migrating: away from current batch system and to Kerberos 5.
> During process, we have to modify our batch system, whilst main
> developer retired.
>
> As Rémi worked on Kerberos 5 migration here, he has been volunteered to
> provide code to migrate our batch system. Thus, he is investigating
> several options to cope either with kas, fakeka, K5.
> He may have not been clear: we are not willing to put a keyfile in
> unsecure places. We have to modify our batch master and prepare the
> place for the next.
>
> Thanks to every one who helped, either with directions or code.
> Rémi is adapting code from Rainer Toebbicke. If not successful, we will
> certainly switch to Heimdal, as suggested by Derrick Brashear.
>

--
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155

From Xavier.Canehan at in2p3.fr Tue Oct 20 04:28:22 2009
From: Xavier.Canehan at in2p3.fr (Xavier Canehan)
Date: Tue, 20 Oct 2009 10:28:22 +0200
Subject: [OpenAFS] AFS Token / Kerberos v5 ticket
In-Reply-To: <4ADC933F.4080100@secure-endpoints.com>
References: <4ADC87C8.9040002@cc.in2p3.fr> <4ADC933F.4080100@secure-endpoints.com>
Message-ID: <4ADD74A6.6070705@in2p3.fr>

Jeffrey Altman wrote:
> Can you please explain what it is that you are attempting
> to accomplish?

Our home made batch system used to save and forge kas tickets. No Kerberos 5, not very secure, easiest. Moreover, it was just navigating through bit fields to forge a ticket. No AFS primitive implied.

We are migrating: away from the current batch system and to Kerberos 5. During the process, we have to modify our batch system, whilst the main developer retired.

As Rémi worked on the Kerberos 5 migration here, he has been volunteered to provide code to migrate our batch system. Thus, he is investigating several options to cope either with kas, fakeka, K5. He may have not been clear: we are not willing to put a keyfile in unsecure places. We have to modify our batch master and prepare the place for the next.

Thanks to every one who helped, either with directions or code. Rémi is adapting code from Rainer Toebbicke. If not successful, we will certainly switch to Heimdal, as suggested by Derrick Brashear.

Rémi is not trying to break AFS nor Kerberos. He is not trying to hack our cell. I know where he lives. :o)

Best regards,
X. Canehan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4050 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20091020/515d776e/smime.bin

From huaraz at moeller.plus.com Wed Oct 21 19:20:31 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 22 Oct 2009 00:20:31 +0100
Subject: SEGV in krb5_free_cred_contents
Message-ID:

I have an application which creates a cache, stores a ticket and then destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris (but I think the code is the same as the MIT code).

t@1 (l@1) signal SEGV (no mapping at the fault address) in krb5_free_cred_contents at line 180 in file "kfree.c"
  180       if (val->client) {
(dbx) where
current thread: t@1
=>[1] krb5_free_cred_contents(context = ???, val = ???) (optimized), at 0xd22ddf3b (line ~180) in "kfree.c"
  [2] krb5_free_creds(context = ???, val = ???) (optimized), at 0xd22de11c (line ~244) in "kfree.c"
  [3] krb5_mcc_free(context = ???, id = ???) (optimized), at 0xd22b6e74 (line ~176) in "cc_memory.c"
  [4] krb5_mcc_destroy(context = ???, id = ???) (optimized), at 0xd22b6f4a (line ~214) in "cc_memory.c"
  [5] krb5_cc_destroy(context = ???, cache = ???) (optimized), at 0xd22b8671 (line ~55) in "ccfns.c"
  [6] krb5_cleanup(), line 813 in "test.c"

which is:

177 void KRB5_CALLCONV
178 krb5_free_cred_contents(krb5_context context, krb5_creds *val)
179 {
180     if (val->client) {
181         krb5_free_principal(context, val->client);
182         val->client = 0;
183     }
184     if (val->server) {
185         krb5_free_principal(context, val->server);
186         val->server = 0;
187     }
188

Do I need to check if the cache has credentials before I destroy the cache?

Markus

From ghudson at MIT.EDU Thu Oct 22 10:00:48 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 22 Oct 2009 10:00:48 -0400
Subject: SEGV in krb5_free_cred_contents
In-Reply-To:
References:
Message-ID: <1256220048.23997.307.camel@ray>

On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
> I have an application which creates a cache, stores a ticket and then
> destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris (but
> I think the code is the same as the MIT code).
[...]
> Do I need to check if the cache has credentials before I destroy the cache?

From reading the OpenSolaris and MIT krb5 code for memory ccaches, every entry in the ccache is supposed to have valid credentials; there is no operation which should put the credentials list into a state where one of the entries has ->creds == NULL.

Because of optimization, it's hard to tell from your stack trace whether the credentials linked list structure has NULL credentials somehow, or if it's an invalid pointer. Either way, the next question would be what operation caused the credentials structure to get into the invalid state.

From huaraz at moeller.plus.com Thu Oct 22 19:21:57 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Fri, 23 Oct 2009 00:21:57 +0100
Subject: SEGV in krb5_free_cred_contents
In-Reply-To: <1256220048.23997.307.camel@ray>
References: <1256220048.23997.307.camel@ray>
Message-ID:

"Greg Hudson" wrote in message news:1256220048.23997.307.camel at ray...
> On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
>> I have an application which creates a cache, stores a ticket and then
>> destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris (but
>> I think the code is the same as the MIT code).
> [...]
>> Do I need to check if the cache has credentials before I destroy the cache?
>
> From reading the OpenSolaris and MIT krb5 code for memory ccaches, every
> entry in the ccache is supposed to have valid credentials; there is no
> operation which should put the credentials list into a state where one
> of the entries has ->creds == NULL.
>
> Because of optimization, it's hard to tell from your stack trace whether
> the credentials linked list structure has NULL credentials somehow, or
> if it's an invalid pointer. Either way, the next question would be what
> operation caused the credentials structure to get into the invalid
> state.
>

OK, I'll see if I can get a debug library without optimisation.

Thank you
Markus

From peter_sands at techemail.com Fri Oct 23 08:03:48 2009
From: peter_sands at techemail.com (peter sands)
Date: Fri, 23 Oct 2009 05:03:48 -0700 (PDT)
Subject: moving kerberos master to new server
Message-ID: <374416a5-2b8a-419c-85ba-c1100b48cbbb@l34g2000vba.googlegroups.com>

Hello,
Currently using kerberos 5.
Soon I plan to migrate this server onto other hardware that will have a new hostname and IP, but the same O/S level (aix).

My first thoughts in doing this were to:
Stop the master server; all clients will then go to the slave for authentication.
Install the krb5 binaries, without configuring the new master.
Tar up the /var/krb5 and /etc/krb5 directories, then untar it onto the new host.
Change the kdc and krb5 conf files with the new hostname.
Start the new master up.

Would that work, or is there another sequence I should follow?

Thanks
Pete.

From punadikar.sachin at gmail.com Fri Oct 23 10:10:17 2009
From: punadikar.sachin at gmail.com (Sachin Punadikar)
Date: Fri, 23 Oct 2009 19:40:17 +0530
Subject: moving kerberos master to new server
In-Reply-To: <374416a5-2b8a-419c-85ba-c1100b48cbbb@l34g2000vba.googlegroups.com>
References: <374416a5-2b8a-419c-85ba-c1100b48cbbb@l34g2000vba.googlegroups.com>
Message-ID: <9549b1d80910230710n4fedc349rd4ce7704d256fc21@mail.gmail.com>

Pete,

Ideally it should work. But I would suggest you take a dump of the KDC database and then move on to the new hardware.

- Sachin.

On Fri, Oct 23, 2009 at 5:33 PM, peter sands wrote:
> Hello,
> Currently using kerberos 5.
> Soon I plan to migrate this server onto another hardware that will
> have a new hostname and IP, but same O/S level (aix).
>
> My first thoughts in doing this was to:
> Stop the master server, all clients will then go to the slave for
> authentication.
> Install the krb5 binaries, without configuring the new master.
> Tar up the /var/krb5 and /etc/krb5 directories, then untar it onto the
> new host.
> Change the kdc and krb5 conf files with the new hostname. Start the
> new master up
>
> Would that work, or is there another sequence I should follow.
>
> Thanks
> Pete.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

From sd at msu.edu Fri Oct 23 13:31:45 2009
From: sd at msu.edu (Steve Devine)
Date: Fri, 23 Oct 2009 13:31:45 -0400
Subject: moving kerberos master to new server
In-Reply-To: <374416a5-2b8a-419c-85ba-c1100b48cbbb@l34g2000vba.googlegroups.com>
References: <374416a5-2b8a-419c-85ba-c1100b48cbbb@l34g2000vba.googlegroups.com>
Message-ID: <20091023133145.16862ygm2c0kzxj5@mail.msu.edu>

Quoting "peter sands" :
> Hello,
> Currently using kerberos 5.
> Soon I plan to migrate this server onto another hardware that will
> have a new hostname and IP, but same O/S level (aix).
>
> My first thoughts in doing this was to:
> Stop the master server, all clients will then go to the slave for
> authentication.
> Install the krb5 binaries, without configuring the new master.
> Tar up the /var/krb5 and /etc/krb5 directories, then untar it onto the
> new host.
> Change the kdc and krb5 conf files with the new hostname. Start the
> new master up
>
> Would that work, or is there another sequence I should follow.
>
> Thanks
> Pete.
>

I have done this three times and this is how I do it.

Build the new server and kerberos software. Harden it.
Grab a tar file of the principal db off of a slave server, get the krb5.conf file and requisite keytabs and put it in place.
Start it up - you should be able to kinit locally to it and do some kadmin functions. This will not have any effect on your production Realm (as long as you are not propagating to slaves from it) - make certain you are kinit-ing to the new machine by inspecting logs.
Once you are satisfied with the tests - schedule your down time, bring the main server down and move the princs over. Make sure your local files (krb5.conf) are pointing to the right host and you should be ok.
I usually don't start kadmin right away so no one can reset their passwords until I am sure that I am going to leave it up.
Actual down time is usually 30 minutes or less.

/sd

Steve Devine
Email & Storage
Academic Technology Services
Michigan State University
313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. Albert Einstein

From waynemonarch at gmail.com Fri Oct 23 17:49:57 2009
From: waynemonarch at gmail.com (Wayne Rasmussen)
Date: Fri, 23 Oct 2009 14:49:57 -0700
Subject: Assertion failed for krb5kdc
Message-ID: <74703cad0910231449x6b251e92j58d1e086c13cf528@mail.gmail.com>

I am having this problem on Solaris 9 Sparc as well from a fresh set of source files.

Ref: http://mailman.mit.edu/pipermail/kerberos/2009-October/015426.html

Is there a fix for the configure? How do I get this to compile properly on a solaris 9 sparc system?

From huaraz at moeller.plus.com Sat Oct 24 07:40:19 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sat, 24 Oct 2009 12:40:19 +0100
Subject: SEGV in krb5_free_cred_contents
In-Reply-To: <1256220048.23997.307.camel@ray>
References: <1256220048.23997.307.camel@ray>
Message-ID:

"Greg Hudson" wrote in message news:1256220048.23997.307.camel at ray...
> On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
>> I have an application which creates a cache, stores a ticket and then
>> destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris (but
>> I think the code is the same as the MIT code).
> [...]
>> Do I need to check if the cache has credentials before I destroy the cache?
>
> From reading the OpenSolaris and MIT krb5 code for memory ccaches, every
> entry in the ccache is supposed to have valid credentials; there is no
> operation which should put the credentials list into a state where one
> of the entries has ->creds == NULL.
>
> Because of optimization, it's hard to tell from your stack trace whether
> the credentials linked list structure has NULL credentials somehow, or
> if it's an invalid pointer. Either way, the next question would be what
> operation caused the credentials structure to get into the invalid
> state.
>

I did debug and val is NIL, but I couldn't find yet why. When I change my application to use a file cache (e.g. replace MEMORY: with FILE: ) it works fine.

From huaraz at moeller.plus.com Sat Oct 24 11:10:11 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sat, 24 Oct 2009 16:10:11 +0100
Subject: SEGV in krb5_free_cred_contents
In-Reply-To:
References: <1256220048.23997.307.camel@ray>
Message-ID:

"Markus Moeller" wrote in message news:hbup3h$7mf$1 at ger.gmane.org...
>
> "Greg Hudson" wrote in message news:1256220048.23997.307.camel at ray...
>> On Wed, 2009-10-21 at 19:20 -0400, Markus Moeller wrote:
>>> I have an application which creates a cache, stores a ticket and then
>>> destroys the cache, but sometimes I get a SEGV. This is on OpenSolaris (but
>>> I think the code is the same as the MIT code).
>> [...]
>>> Do I need to check if the cache has credentials before I destroy the cache?
>>
>> From reading the OpenSolaris and MIT krb5 code for memory ccaches, every
>> entry in the ccache is supposed to have valid credentials; there is no
>> operation which should put the credentials list into a state where one
>> of the entries has ->creds == NULL.
>>
>> Because of optimization, it's hard to tell from your stack trace whether
>> the credentials linked list structure has NULL credentials somehow, or
>> if it's an invalid pointer. Either way, the next question would be what
>> operation caused the credentials structure to get into the invalid
>> state.
>>
>
> I did debug and val is NIL, but I couldn't find yet why. When I change my
> application to use a file cache (e.g. replace MEMORY: with FILE: ) it
> works fine.
>

I stepped through my application and the cache entry is modified when an ldap sasl/GSSAPI bind fails (using the SUN LDAP SDK). I have to check what happens when it is successful.

Markus

From epeisach at MIT.EDU Sat Oct 24 08:34:10 2009
From: epeisach at MIT.EDU (Ezra Peisach)
Date: Sat, 24 Oct 2009 08:34:10 -0400
Subject: SEGV in krb5_free_cred_contents
Message-ID: <4AE2F442.80202@mit.edu>

a) Is this a multithreaded application?
b) Are you sharing the same cache between threads? If so - destroying one while in use can cause this.
c) Can you provide some sample code - if not - can you indicate how you are resolving the memory cache? Are you specifying "MEMORY:" or "MEMORY:fooo" (there is an app out there that assumes that "MEMORY:" will give a unique cache - which it doesn't - so it dies in a multithreaded app).
d) If you have access to a linux box - valgrind is very useful for tracking down these problems...
e) I suppose there could be a difference in OpenSolaris vs MIT code - you can try to compile MIT's code base and see if the problem exists...

Ezra

From huaraz at moeller.plus.com Sat Oct 24 17:27:31 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Sat, 24 Oct 2009 22:27:31 +0100
Subject: SEGV in krb5_free_cred_contents
In-Reply-To: <4AE2F442.80202@mit.edu>
References: <4AE2F442.80202@mit.edu>
Message-ID:

"Ezra Peisach" wrote in message news:4AE2F442.80202 at mit.edu...
>
> a) Is this a multithreaded application?
> b) Are you sharing the same cache between threads? If so - destroying
> one while in use can cause this.

It is not threaded.

> c) Can you provide some sample code - if not - can you indicate how you
> are resolving the memory cache? Are you specifying "MEMORY:" or
> "MEMORY:fooo" (there is an app out there that assumes that "MEMORY:"

I used MEMORY:mem_cache

I will see if I can get a small sample app.

> will give a unique cache - which it doesn't - so it dies in a
> multithreaded app).
> d) If you have access to a linux box - valgrind is very useful for
> tracking down these problems...
> e) I suppose there could be a difference in OpenSolaris vs MIT code -
> you can try to compile MIT's code base and see if the problem exists...
>

It looks like an OpenSolaris problem as I don't see it on Linux.

> Ezra
>

Thank you
Markus

From holger.rauch at empic.de Mon Oct 26 07:15:50 2009
From: holger.rauch at empic.de (Holger Rauch)
Date: Mon, 26 Oct 2009 12:15:50 +0100
Subject: Recommended way to get krb5.keytab files for KfW installations on Windows
Message-ID: <20091026111550.GA1241@heitec.de>

Hi,

since the kadmin utility is not included with the current KfW bundle from the MIT Kerberos web site (version 3.2.2), is it "safe" to create krb5.keytab files for KfW using kadmin on a Unix machine and transfer the file to the Windows box?

(Yes, I heard about ktpass.exe, but that's kind of awkward to use because of the username/principal mapping stuff that needs to be taken into account. Or is ktpass.exe the recommended utility and the kadmin on Unix+file transfer approach thus discouraged?)

I'm using KfW on a current (all updates applied) WinXP Professional system.

So, what's the easiest (and recommended) way to get krb5.keytab files that are usable by KfW installations?

(I need this for accessing a kerberized Samba server, a kerberized sshd using PuTTY/WinSCP, and a kerberized FTP server; all of these services are running on the same host).

Thanks for any hints & kind regards,

Holger

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20091026/0fc4ef65/attachment.bin

From deengert at anl.gov Mon Oct 26 10:35:56 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Mon, 26 Oct 2009 09:35:56 -0500
Subject: Recommended way to get krb5.keytab files for KfW installations on Windows
In-Reply-To: <20091026111550.GA1241@heitec.de>
References: <20091026111550.GA1241@heitec.de>
Message-ID: <4AE5B3CC.5040007@anl.gov>

Holger Rauch wrote:
> Hi,
>
> since the kadmin utility is not included with the current KfW bundle
> from the MIT Kerberos web site (version 3.2.2), is it "safe" to
> create krb5.keytab files for KfW using kadmin on a Unix machine and
> transfer the file to the Windows box?
>
> (Yes, I heard about ktpass.exe, but that's kind of awkward to use
> because of the username/principal mapping stuff that needs to be taken
> into account. Or is ktpass.exe the recommended utility and the kadmin
> on Unix+file transfer approach thus discouraged?)
>
> I'm using KfW on a current (all updates applied) WinXP Professional
> system.
>
> So, what's the easiest (and recommended) way to get krb5.keytab files
> that are usable by KfW installations?
>
> (I need this for accessing a kerberized Samba server, a kerberized
> sshd using PuTTY/WinSCP, and a kerberized FTP server; all of these
> services are running on the same host).
>

Are you sure you need the krb5.keytab on the Windows side? Sounds like the XP system is the client only. Unless you are trying to use a keytab with kinit, a keytab is normally only needed on the server side.

Can you describe what OSes are running on the servers and the clients? Are you trying to run some non-interactive client?

> Thanks for any hints & kind regards,
>
> Holger
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From Qiang.Xu at fujixerox.com Tue Oct 27 01:56:28 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Tue, 27 Oct 2009 13:56:28 +0800
Subject: SASL binding with SSL encryption
Message-ID:

Hi, all:

I am using the Mozilla LDAP library to do SASL binding with SSL encryption against Active Directory. To make it work, it is necessary to set the security option "maxssf=0". Still, in testing against AD in Windows 2003 Server (or Windows 2000 Server), the binding result is good and bad alternately, exhibiting a ping-pong style. In contrast, if I do the same test against AD in Windows 2008 Server, the binding is always good.

Is it a known issue of AD in Windows 2003/2000 Server, and is there any patch available? Just want to see if anyone in this list has had the same experience as mine.

Thanks,
Xu Qiang

From ryan.b.lynch at gmail.com Tue Oct 27 11:13:54 2009
From: ryan.b.lynch at gmail.com (Ryan Lynch)
Date: Tue, 27 Oct 2009 11:13:54 -0400
Subject: SASL binding with SSL encryption
In-Reply-To:
References:
Message-ID: <115906d10910270813u222f3f86kfe19050446d66ea7@mail.gmail.com>

On Tue, Oct 27, 2009 at 01:56, Xu, Qiang (FXSGSC) wrote:
> Still, in testing against AD in Windows 2003 Server (or Windows 2000 Server), the binding result is good and bad alternately, exhibiting a ping-pong style. In contrast, if I do the same test against AD in Windows 2008 Server, the binding is always good.

A suggestion, from my past experiences: Have you confirmed that your "ping-pong" results are always coming from the same AD domain controller? If not, try tracing the packet traffic, or just increasing your client-side debug verbosity. If the success vs. failure results can be correlated to different DCs, this may be a configuration issue on one of your DCs.

-Ryan

From Qiang.Xu at fujixerox.com Tue Oct 27 21:55:36 2009
From: Qiang.Xu at fujixerox.com (Xu, Qiang (FXSGSC))
Date: Wed, 28 Oct 2009 09:55:36 +0800
Subject: SASL binding with SSL encryption
In-Reply-To: <115906d10910270813u222f3f86kfe19050446d66ea7@mail.gmail.com>
References: <115906d10910270813u222f3f86kfe19050446d66ea7@mail.gmail.com>
Message-ID:

> -----Original Message-----
> From: Ryan Lynch [mailto:ryan.b.lynch at gmail.com]
> Sent: Tuesday, October 27, 2009 11:14 PM
> To: Xu, Qiang (FXSGSC)
> Cc: kerberos at mit.edu
> Subject: Re: SASL binding with SSL encryption
>
> A suggestion, from my past experiences: Have you confirmed
> that your "ping-pong" results are always coming from the same
> AD domain controller? If not, try tracing the packet traffic,
> or just increasing your client-side debug verbosity. If the
> success vs. failure results can be correlated to different
> DCs, this may be a configuration issue on one of your DCs.

I have tried sasl binding with ssl encryption (unsuccessfully) against two different ADs. One is in Windows 2003 Server, and the other is in Windows 2000 Server. This 2003 server and 2000 server are different domain controllers. In contrast, when the same thing is done against AD in Windows 2008 Server (patched with hotfix http://support.microsoft.com/kb/957072), it works perfectly. Therefore, I guess the problem is due to some bug in Windows 2000/2003 Server.

By the way, tracing network packets is quite hard for sasl binding with ssl encryption, because all the packets are encrypted, not plain LDAP ones.

Thanks,
Xu Qiang

From romanbo at gmail.com Wed Oct 28 14:20:22 2009
From: romanbo at gmail.com (jim_bob)
Date: Wed, 28 Oct 2009 11:20:22 -0700 (PDT)
Subject: Server not found in Kerberos database
Message-ID: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com>

Hello, I am trying to get ssh single sign-on working with Kerberos, but it keeps failing with "server not found in Kerberos database". The output of ssh -vvv:

ssh -vvv krb1.testsetup.com
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to krb1.testsetup.com [64.85.166.148] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug3: Not a RSA1 key file /home/user/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug3: Trying to reverse map address 64.85.166.148.
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 524/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'krb1.testsetup.com' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:5
debug2: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/id_rsa (0xb9f629b0)
debug2: key: /home/user/.ssh/identity ((nil))
debug2: key: /home/user/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

debug1: Unspecified GSS failure.  Minor code may provide more information


debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/user/.ssh/identity
debug3: no such identity: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_dsa
debug3: no such identity: /home/user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
user@krb1.testsetup.com's password:

The output of nslookup:

nslookup krb1.testsetup.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   krb1.testsetup.com
Address: 64.85.166.148

/etc/krb5.conf

[libdefaults]
        default_realm = TESTSETUP.COM

[realms]
        TESTSETUP.COM = {
                kdc = krb1.testsetup.com
                admin_server = krb1.testsetup.com

[login]
        krb4_convert = true
        krb4_get_tickets = false
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

I am kind of new to this, any help would be appreciated.

From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 28 Oct 2009 15:57:02 -0500
Subject: Server not found in Kerberos database
In-Reply-To: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com>
References: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com>
Message-ID: <4AE8B01E.3010408@anl.gov>

jim_bob wrote:
> Hello, I am trying to get ssh single sign on working with kerberos but
> it keeps failing with "server not found in Kerberos database" the
> output of ssh -vvv:
>

Have you added the host/krb1.testsetup.com@TESTSETUP.COM principal to the KDC, and created the matching krb5.keytab file on krb1.testsetup.com?

> ssh -vvv krb1.testsetup.com
> OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
[...]
> I am kind of new to this, any help would be appreciated.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 
  Douglas E. Engert
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

From: mi+thun at aldan.algebra.com (Mikhail T.)
Date: Wed, 28 Oct 2009 17:33:49 -0400
Subject: stronger ciphers support for NFS on RHEL5 (Secure NFS under Red Hat Enterprise Linux 4)
References: Pine.GSO.4.55.0803240934110.14915@loogie.intranet.csupomona.edu
Message-ID: <4AE8B8BD.8000306@aldan.algebra.com>

Hello!

The message at

    http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html

warns about using anything but des-cbc-crc for NFS access on Linux, but ends with:

    RHEL 5 has MIT 1.6, so the problem shouldn't exist there.

I'm currently struggling to make the KRB5-secured NFS mounts work between an RHEL-5.4 client and a Solaris-8 server. The mounts succeed:

    apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=x.x.x.x)

but any attempt to access the mounted share (/mnt) is denied. All such attempts also result in the following messages logged by rpc.gssd on the client:

    WARNING: Failed to create krb5 context for user with uid 18039 for server apdevl.dev.pathfinder.com

Am I right in thinking the problem is due to des-cbc-crc being disabled realm-wide here? (The DES cipher is deemed too insecure by the network admins.) Should I still have this problem -- despite running RHEL-5.4? Any chance support for stronger ciphers was added to Linux NFS clients since RHEL-5.4 was released?

Thanks a lot! Yours,

    -mi

From: kwc at citi.umich.edu (Kevin Coffman)
Date: Wed, 28 Oct 2009 18:22:34 -0400
Subject: stronger ciphers support for NFS on RHEL5 (Secure NFS under Red Hat Enterprise Linux 4)
In-Reply-To: <4AE8B8BD.8000306@aldan.algebra.com>
References: <4AE8B8BD.8000306@aldan.algebra.com>
Message-ID: <4d569c330910281522wcc0dfddt2d69a106c51a2496@mail.gmail.com>

On Wed, Oct 28, 2009 at 5:33 PM, Mikhail T. wrote:
> Hello!
>
> The message at
>
>     http://mailman.mit.edu/pipermail/kerberos/2008-March/013398.html
>
> warns about using anything but des-cbc-crc for NFS-access on Linux, but
> ends with:
>
>     RHEL 5 has MIT 1.6, so the problem shouldn't exist there.
>
> I'm currently struggling to make the KRB5-secured NFS-mounts work
> between RHEL-5.4 client and a Solaris-8 server. The mounts succeed:
>
>     apdevl:/krbexport on /mnt type nfs (rw,intr,sec=krb5,addr=x.x.x.x)
>
> but any attempt to access the mounted share (/mnt) is denied. All such
> attempts also result in the following messages logged by rpc.gssd on the
> client:
>
>     WARNING: Failed to create krb5 context for user with uid 18039 for
>     server apdevl.dev.pathfinder.com
>
> Am I right thinking, the problem is due to des-cbc-crc being disabled
> realm-wide here? (The DES cipher is deemed too insecure by the network
> admins.) Should I still have this problem -- despite running RHEL-5.4?
> Any chance, support for stronger ciphers was added to Linux NFS-clients
> since RHEL-5.4 was released?
>
> Thanks a lot! Yours,
>
>     -mi

Yes, if des-cbc-crc is disabled realm-wide then I think you will have problems with Linux NFS. This is not a Kerberos problem.

The "problem" I was referring to with the note, "RHEL 5 has MIT 1.6, so the problem shouldn't exist there.", was the necessity of limiting all applications on the client to des-cbc-crc by specifying "default_tgs_enctypes = des-cbc-crc" in /etc/krb5.conf. There is no need to do this for RHEL 5 machines since Linux's rpc.gssd and Kerberos have the code to limit the negotiation to only des-cbc-crc for NFS.

Unfortunately, the code to support stronger ciphers has not made it into the Linux kernel yet, and I don't have any idea when it will finally make it in.

Let me know if you have other questions...

K.C.

From: romanbo at gmail.com (jim_bob)
Date: Wed, 28 Oct 2009 14:40:10 -0700 (PDT)
Subject: Server not found in Kerberos database
References: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com>
Message-ID: <97e74288-2909-490d-9386-ae8efd896850@r36g2000vbn.googlegroups.com>

On Oct 28, 4:57 pm, "Douglas E. Engert" wrote:
> jim_bob wrote:
> > Hello, I am trying to get ssh single sign on working with kerberos but
> > it keeps failing with "server not found in Kerberos database" the
> > output of ssh -vvv:
>
> Have you added the host/krb1.testsetup.... at TESTSETUP.COM principal
> to the KDC, and created the matching krb5.keytab file on krb1.testsetup.com?
>
> > ssh -vvv krb1.testsetup.com
> > OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
[...]
> > I am kind of new to this, any help would be appreciated.
> > ________________________________________________
> > Kerberos mailing list           Kerbe... at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
>   Douglas E. Engert
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444

Yes, the host/krb1 princ and krb5.keytab file are present.

From: LUIS.RAMOS at PFIZER.COM (LUISRAMOS)
Date: Thu, 29 Oct 2009 08:04:13 -0700 (PDT)
Subject: Kerberos/Apache receiving Active Directory user/password in plain text
Message-ID: <26114792.post@talk.nabble.com>

Hi all,

We have a unix web server with Apache where we installed Kerberos to implement single sign on. The idea with this is to have the ability of authenticating through the Windows Active Directory once, not needing to log in again on the unix box. After the setup, the authentication works. When we log in to the unix server, a popup window asks for user/pwd. After entering user/pwd the credentials are authenticated against the Windows Active Directory and access to the unix/apache box is granted. However, what we want is to avoid this login popup. We noticed that when the popup window is displayed the following message is seen in the popup: "Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)." Looks like the internet browser is sending the credentials in plain text to the unix box.

Does anybody have an idea on how we can configure Kerberos, or any other component, to avoid this popup window?

Thanks in advance

From deengert at anl.gov Thu Oct 29 11:11:06 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Thu, 29 Oct 2009 10:11:06 -0500
Subject: Server not found in Kerberos database
In-Reply-To: <97e74288-2909-490d-9386-ae8efd896850@r36g2000vbn.googlegroups.com>
References: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com> <97e74288-2909-490d-9386-ae8efd896850@r36g2000vbn.googlegroups.com>
Message-ID: <4AE9B08A.8050604@anl.gov>

jim_bob wrote:
> On Oct 28, 4:57 pm, "Douglas E. Engert" wrote:
>> jim_bob wrote:
>>> Hello, I am trying to get ssh single sign on working with kerberos but
>>> it keeps failing with "server not found in Kerberos database" the
>>> output of ssh -vvv:
>> Have you added the host/krb1.testsetup.... at TESTSETUP.COM principal
>> to the KDC, and created the matching krb5.keytab file on krb1.testsetup.com?
>>
>
> Yes, the host/krb1 princ and krb5.keytab file are present.

Kerberos wants FQDN for host principals. Are they using the FQDN?
The ssh says it could not find the name in the database.

Wireshark or some other network tool can be very helpful too.
It can parse the Kerberos packets for you.

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From romanbo at gmail.com Thu Oct 29 10:40:30 2009
From: romanbo at gmail.com (jim_bob)
Date: Thu, 29 Oct 2009 07:40:30 -0700 (PDT)
Subject: Server not found in Kerberos database
References: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com> <97e74288-2909-490d-9386-ae8efd896850@r36g2000vbn.googlegroups.com>
Message-ID:

From listprincs:
host/krb1.testsetup.com at TESTSETUP.COM

keytab file has proper entry

From mikef at berkeley.edu Thu Oct 29 12:37:44 2009
From: mikef at berkeley.edu (Mike Friedman)
Date: Thu, 29 Oct 2009 09:37:44 -0700 (PDT)
Subject: GSS-API errors
Message-ID:

I have several perl routines that use the Authen::Krb5::Admin module, which is linked with MIT K5 1.6.3 libraries. When attempting multiple admin transactions, each of which involves a new connection to kadmind and which occur in rapid succession (many per second), my functions now and then (definitely NOT always) get back a GSS-API error (RC=46). However no GSS-API errors are being logged by the KDC. This makes me suspect a client library issue. One consequence is that there's no more specific error message to work with.

Any ideas about how, at least, to track down the cause of these particular errors? Is the mere attempt to make a couple of dozen or more kadmin connections per second likely to cause this problem?

Thanks for any suggestions.

Mike
_________________________________________________________________________
Mike Friedman                          Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                         University of California at Berkeley
http://mikef.berkeley.edu              http://ist.berkeley.edu
_________________________________________________________________________

From ghudson at MIT.EDU Thu Oct 29 13:00:07 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 29 Oct 2009 13:00:07 -0400
Subject: GSS-API errors
In-Reply-To:
References:
Message-ID: <1256835607.5933.207.camel@ray>

On Thu, 2009-10-29 at 12:37 -0400, Mike Friedman wrote:
> Any ideas about how, at least, to track down the cause of these particular
> errors? Is the mere attempt to make a couple of dozen or more kadmin
> connections per second likely to cause this problem?

You might be running into a replay cache issue. In krb5 1.6, the replay cache keyed mostly off of the timestamp of the authenticator, which could be the same if you make two connections in quick succession. In 1.7 we also key off a checksum of the encrypted authenticator, which is very unlikely to collide because of the confounder.

As a workaround, it's possible to perform multiple operations within a single connection. I don't know if Authen::Krb5::Admin allows that, though.

From mikef at berkeley.edu Thu Oct 29 13:14:15 2009
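The keying difference Greg describes, as an added illustration (not code from the thread or from MIT krb5): a reduced model of the replay cache in which the 1.6-style key is (client, server, ctime, cusec) and the 1.7-style key adds a checksum of the encrypted authenticator. The Authenticator class, the principal names and the timestamps are constructed for the example; a random 16-byte string stands in for the confounder.

```python
import hashlib
import os


class Authenticator:
    """What the replay cache sees of one AP-REQ (constructed, simplified model)."""

    def __init__(self, client, server, ctime, cusec):
        self.client = client          # client principal
        self.server = server          # server principal
        self.ctime = ctime            # authenticator timestamp, seconds
        self.cusec = cusec            # authenticator timestamp, microseconds
        # A real authenticator is encrypted under the session key with a random
        # confounder prepended, so two encryptions of identical plaintext differ.
        # The random 16 bytes stand in for that confounder here.
        body = f"{client}|{server}|{ctime}.{cusec}".encode()
        self.ciphertext = os.urandom(16) + body


def key_v16(auth):
    """krb5 1.6 style: identity plus timestamp only."""
    return (auth.client, auth.server, auth.ctime, auth.cusec)


def key_v17(auth):
    """krb5 1.7 style: the same fields plus a checksum of the ciphertext."""
    return key_v16(auth) + (hashlib.sha256(auth.ciphertext).hexdigest(),)


class ReplayCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.seen = set()

    def check(self, auth):
        """True if the authenticator is accepted, False if rejected as a replay."""
        k = self.key_fn(auth)
        if k in self.seen:
            return False
        self.seen.add(k)
        return True


CLIENT = "admin/admin@EXAMPLE.COM"     # constructed names
SERVER = "kadmin/admin@EXAMPLE.COM"


def count_false_replays(key_fn, n_connections, ctime=1256835607, cusec=123456):
    """Open n_connections whose authenticators share one timestamp (the rapid
    kadmind connections from the thread) and count how many a cache keyed by
    key_fn wrongly rejects."""
    cache = ReplayCache(key_fn)
    rejected = 0
    for _ in range(n_connections):
        auth = Authenticator(CLIENT, SERVER, ctime, cusec)   # fresh confounder each time
        if not cache.check(auth):
            rejected += 1
    return rejected


def detects_true_replay(key_fn):
    """A genuine replay (the same ciphertext presented twice) must still be
    rejected whichever key is used."""
    cache = ReplayCache(key_fn)
    auth = Authenticator(CLIENT, SERVER, 1256835607, 1)
    return cache.check(auth) and not cache.check(auth)
```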
From: mikef at berkeley.edu (Mike Friedman)
Date: Thu, 29 Oct 2009 10:14:15 -0700 (PDT)
Subject: GSS-API errors
In-Reply-To: <1256835607.5933.207.camel@ray>
References: <1256835607.5933.207.camel@ray>
Message-ID:

On Thu, 29 Oct 2009 at 13:00 (-0400), Greg Hudson wrote:

> On Thu, 2009-10-29 at 12:37 -0400, Mike Friedman wrote:
>> Any ideas about how, at least, to track down the cause of these
>> particular errors? Is the mere attempt to make a couple of dozen or
>> more kadmin connections per second likely to cause this problem?
>
> You might be running into a replay cache issue. In krb5 1.6, the replay
> cache keyed mostly off of the timestamp of the authenticator, which
> could be the same if you make two connections in quick succession. In
> 1.7 we also key off a checksum of the encrypted authenticator, which is
> very unlikely to collide because of the confounder.
> As a workaround, it's possible to perform multiple operations within a
> single connection. I don't know if Authen::Krb5::Admin allows that,
> though.

Greg,

Unfortunately, my library of Kerberos routines consists only of standalone functions, each of which makes its own kadmind connection. I realize I should also have provided a method that just returned a kadm5 handle so that calling routines could do multiple transactions on the same connection. But then it would be the responsibility of each such calling application to track the persistence of the connection. For example, updates will fail while kprop is unloading the db. Currently, an app can just retry the standalone function, which will establish a new connection.

Anyway, wise or not, I didn't provide a connection-only perl method, so apps that call my functions (e.g., to add a principal) wind up connecting to kadmind each time.

Are you saying that with 1.7 and later releases, this problem should go away (assuming its cause is as you speculate)?
Mike
_________________________________________________________________________
Mike Friedman                          Information Services & Technology
mikef at berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                         University of California at Berkeley
http://mikef.berkeley.edu              http://ist.berkeley.edu
_________________________________________________________________________

From ghudson at MIT.EDU Thu Oct 29 13:50:07 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 29 Oct 2009 13:50:07 -0400
Subject: GSS-API errors
In-Reply-To:
References: <1256835607.5933.207.camel@ray>
Message-ID: <1256838607.5933.208.camel@ray>

On Thu, 2009-10-29 at 13:14 -0400, Mike Friedman wrote:
> Are you saying that with 1.7 and later releases, this problem should go
> away (assuming its cause is as you speculate)?

It should, yes.

From plamping at lake.ollusa.edu Thu Oct 29 18:45:52 2009
From: plamping at lake.ollusa.edu (Lamping, Paul A)
Date: Thu, 29 Oct 2009 17:45:52 -0500
Subject: Kerberos error - KDC reply did not match expectations
Message-ID:

I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to authenticate against a Windows 2003 Active Directory server via Kerberos. I followed the instructions from the IBM website on Kerberos integration (http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm). Whatever I do, I can't get my Kerberos user to authenticate when I login or su to that user. I get an "unable to authenticate" message and the "KDC reply did not match expectations" in the syslog file.

Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 olladmin_1 auth|security:crit su: BAD SU from plamping to krbtest at /dev/pts/60

Here's my config.krb5 command, run from our AIX server olladmin_1.ollusa.edu:

config.krb5 -C -r OLLUSA -d ollusa.edu -c ollusa4.ollusa.edu -s ollusa4.ollusa.edu

I think that my REALM (the -r parameter) is OLLUSA because when I open up the "Active Directory Users and Computers" tool, the properties of the main entry, ollusa.edu, say that the Domain name = OLLUSA. I made sure that it is capitalized in the krb5.conf file.

Our Active Directory admins ran the Ktpass command this way:

Ktpass -princ host/olladmin_1.ollusa.edu at OLLUSA -mapuser olladmin_1 -pass ******** -out olladmin_1.keytab

I transferred the keytab file and imported it using ktutil, creating krb5.keytab. I made sure that the KVNO as listed in ktutil is the same as the output of the Ktpass command.
I added these lines to my /usr/lib/security/methods.cfg:

KRB5A:
        program = /usr/lib/security/KRB5A
        program_64 = /usr/lib/security/KRB5A_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

I updated /etc/krb5/krb5.conf so that the default_tkt_enctypes and default_tgs_enctypes were set to "des-cbc-md5 des-cbc-crc" and I added the line "dns_lookup_kdc = true".

Then I created users in both AD and AIX, making sure that the AIX user was set up with "registry=KRB5Afiles SYSTEM=KRB5Afiles".

I checked the clocks. My AD server and my AIX server are 4 minutes apart. I think the Kerberos limit is 5 minutes.

So I've exhausted all the hints and advice that I've seen on all the mailing lists and forums. Does anyone have any more ideas?

Paul

From Kanevsky_Arkady at emc.com Thu Oct 29 18:35:44 2009
From: Kanevsky_Arkady at emc.com (Kanevsky_Arkady@emc.com)
Date: Thu, 29 Oct 2009 18:35:44 -0400
Subject: Capitalization question
Message-ID:

Can I use capitalization in names used in kerberos domain?
I am bumping into an issue when capital letters are used in domain but not in the hostname only.
Details below.
Needless to say all sort of other authentication also fails.

[root at nf-ArkTEST-sto ~]# hostname
nf-ArkTEST-sto.ArkTEST.name.company.com

From listprincs:
host/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM
nfs/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM

[root at nf-ArkTEST-sto ~]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM
   2    3 host/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM
   3    3 host/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM
   4    3 host/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM
   5    3 nfs/nf-ArkTEST-sto.ArkTEST.name.company.com at ARKTEST.NAME.COMPANY.COM
ktutil:
[root at nf-ArkTEST-sto ~]# kinit -k /etc/krb5.keytab
kinit(v5): Client not found in Kerberos database while getting initial credentials

--
Thanks,
Arkady Kanevsky

From raeburn at MIT.EDU Thu Oct 29 19:34:28 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Thu, 29 Oct 2009 19:34:28 -0400
Subject: Capitalization question
In-Reply-To:
References:
Message-ID: <1EC828A3-2BE1-4DEC-8B3B-0882F3D13322@mit.edu>

On Oct 29, 2009, at 18:35, wrote:
> Can I use capitalization in names used in kerberos domain?
> I am bumping into a issue when capital letters are used in domain
> but not in the hostname only.
> Details below.
> Needless to say all sort of other authentication also fails.

The DNS is case-insensitive for comparing names (though sometimes case-preserving for returning data). But Kerberos needs to have a canonical way of constructing host-based principal names from host names, and it is specified that the lower-case form of the host name is used. So, you can create the principals, but unless you make a bunch of code changes -- and force anyone else who wants to authenticate to your hosts to do so too -- they're not likely to get used. (Some of the alias handling in 1.7 might make it easier to implement, but I still wouldn't recommend it.)

> [root at nf-ArkTEST-sto ~]# kinit -k /etc/krb5.keytab
> kinit(v5): Client not found in Kerberos database while getting
> initial credentials

That's a different problem. "-k" specifies that a keytab is to be used instead of asking for a password. It doesn't take a parameter; you use "-t type:keytabname" if you need to specify a keytab (e.g., "-t FILE:/etc/krb5.keytab"). So "/etc/krb5.keytab" is taken as the client principal name, and that almost certainly isn't in your database....

Ken

From lists at deksai.com Fri Oct 30 09:56:06 2009
From: lists at deksai.com (Chris)
Date: Fri, 30 Oct 2009 09:56:06 -0400
Subject: Server not found in Kerberos database
In-Reply-To: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com>
References: <0180c1d7-d5f9-45d1-b16a-10ba24f44729@d21g2000yqn.googlegroups.com>
Message-ID: <20091030135606.GA15447@chris-laptop.a2hosting.com>

On Wed, Oct 28, 2009 at 11:20:22AM -0700, jim_bob wrote:
> Hello, I am trying to get ssh single sign on working with kerberos but
> it keeps failing with "server not found in Kerberos database" the

Tail the logs on the kerberos server when you try to log in, and see what ssh is really asking for. A lot of clients think they know what you really meant to ask for, and use whatever they get back from reverse DNS as the host name. If reverse DNS doesn't match what you tried to ssh into, it will fail.

Chris

From plamping at lake.ollusa.edu Fri Oct 30 17:08:02 2009
From: plamping at lake.ollusa.edu (Lamping, Paul A)
Date: Fri, 30 Oct 2009 16:08:02 -0500
Subject: Kerberos error - KDC reply did not match expectations
Message-ID:

Problem solved! The trouble was the 'realm' parameter should have been named "OLLUSA.EDU" and not "OLLUSA." I had seen the OLLUSA name mentioned in the Active Directory tools area, but I learned that the Kerberos domain name is always the domain name (ollusa.edu) in upper case. By viewing the event logs on the AD server, I found a successful login that had used the OLLUSA.EDU realm, so that provided the necessary clue.

Paul
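The two naming mistakes in these threads (the mixed-case host name from the capitalization question, and the realm given as OLLUSA instead of OLLUSA.EDU) can be caught before anyone reaches for Wireshark or the KDC logs. The following is an added example, not code from the list or from MIT krb5: it builds the canonical host-based principal that Ken describes (lower-cased FQDN) with a realm derived, when none is given, by the assumed default mapping of upper-casing the host's parent domain, and then compares that against the 'slot KVNO Principal' table that 'ktutil: l' prints. The two listings are constructed from the thread's output, with '@' restored where the archive printed ' at '; the OLLUSA KVNO is made up.

```python
import re

# One row of the table printed by 'ktutil: l': slot, KVNO, principal.
KTUTIL_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def canonical_host_principal(service, hostname, realm=None):
    """Build service/<lower-case fqdn>@<REALM>; derive REALM from the domain if not given."""
    host = hostname.rstrip(".").lower()
    if realm is None:
        if "." not in host:
            raise ValueError(f"cannot derive a realm from the short name {hostname!r}")
        realm = host.split(".", 1)[1].upper()   # assumed default domain-to-realm mapping
    return f"{service}/{host}@{realm}"


def parse_ktutil_listing(text):
    """Return (slot, kvno, principal) tuples from the output of 'ktutil: l'."""
    rows = []
    for line in text.splitlines():
        m = KTUTIL_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows


def keytab_check(listing, service, hostname, realm=None):
    """Is the canonical principal in the keytab?  If not, list the entries with
    the same service/host part that differ only in host-name case or in realm,
    which are exactly the two mistakes seen in the threads."""
    wanted = canonical_host_principal(service, hostname, realm)
    wanted_host = wanted.split("@", 1)[0].lower()
    present = {principal for _, _, principal in parse_ktutil_listing(listing)}
    if wanted in present:
        return {"ok": True, "wanted": wanted, "near_misses": []}
    near = sorted(p for p in present if p.split("@", 1)[0].lower() == wanted_host)
    return {"ok": False, "wanted": wanted, "near_misses": near}


# Constructed listings modelled on the keytabs discussed in the threads.
ARKTEST_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/nf-ArkTEST-sto.ArkTEST.name.company.com@ARKTEST.NAME.COMPANY.COM
   5    3 nfs/nf-ArkTEST-sto.ArkTEST.name.company.com@ARKTEST.NAME.COMPANY.COM
"""

OLLUSA_LISTING = """\
slot KVNO Principal
---- ---- -----------------------------------------
   1    2 host/olladmin_1.ollusa.edu@OLLUSA
"""
```

A near miss that differs only in case will never be matched by a client that canonicalizes the host name, and one with the wrong realm is what produced "KDC reply did not match expectations" above.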
From michael at stroeder.com Fri Oct 30 16:41:21 2009
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 30 Oct 2009 21:41:21 +0100
Subject: Kerberos/Apache receiving Active Directory user/password in plain text
In-Reply-To:
References:
Message-ID:

LUISRAMOS wrote:
> We have a unix web server with Apache where we installed kerberos to
> implement single sign on.

I guess you're using mod_auth_kerb?

> The idea with this is to have the ability of
> authenticating through the Windows Active Directory once not needing to log
> again in the unix box. After the setup, the authentication works. When we
> log in to the unix server, a popup window asks for user/pwd. After entering
> user/pwd the credentials are authenticated against the windows active
> directory and the access to the unix/apache box is granted. However, what
> we want is to avoid this login popup. We noticed that when the popup window
> is displayed the following message is seen in the popup: "Warning: This
> server is requesting that your username and password be sent in an insecure
> manner (basic authentication without a secure connection)." Looks like the
> internet browser is sending the credentials in plain text to the unix box.
>
> Anybody has an idea on how we can configure Kerberos, or any other component
> to avoid this popup window.

Set "KrbMethodK5Passwd off" in httpd.conf.

See also:
http://modauthkerb.sourceforge.net/configure.html

Ciao, Michael.

--
Michael Ströder
E-Mail: michael at stroeder.com
http://www.stroeder.com
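The directive Michael recommends, shown in context as an added mod_auth_kerb configuration example (not from the thread or from the mod_auth_kerb project). The location, realm and keytab path are placeholders; the two blocks are alternatives for the same location, the setting that produces the popup first.

```apache
# Alternative 1 (what produces the popup): Negotiate with the password
# fallback still enabled. Apache offers both "Negotiate" and "Basic"; a
# browser that cannot obtain a ticket falls back to Basic and sends the
# AD password in clear text unless the site is served over TLS.
<Location /sso>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/http.keytab
    Require valid-user
</Location>

# Alternative 2 (hardened): Negotiate only. No password ever reaches
# Apache; a client without a usable ticket gets a 401 instead of a prompt.
<Location /sso>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/http.keytab
    Require valid-user
</Location>
```

With the fallback off, browsers must also be configured to send Negotiate to this host (network.negotiate-auth.trusted-uris in Firefox, the Local intranet zone in Internet Explorer), or they will never attempt SSO and users will simply see the 401.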