From nikos at ece.ntua.gr Tue Sep 1 06:55:01 2009
From: nikos at ece.ntua.gr (Nikos Nikoleris)
Date: Tue, 01 Sep 2009 12:55:01 +0200
Subject: CISCO and kerberos

jarek wrote:
> Hi all!
>
> I'd like to configure CISCO Catalyst to use kerberos against AD server
> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
> getting:
>
> [ Kerberos V5 refuses authentication ]
> kerberos_server_auth: Couldn't authenticate client from
> test-nms.test.local.
>
> What can be wrong ?
>
> Has someone working example of CISCO config for such scenario ?
>
> J.

Hi Jarek,

A cisco working here with kerberos authentication but the kdc is heimdal
kerberos. Some suggestions are:

* Timing issues, you have to make sure both the kdc and the cisco are
  sync'd... (That's very important)
* Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
  principal...
* Your cisco should have a configuration like:

  aaa new-model
  aaa authentication login default krb5-telnet krb5 local enable
  aaa authorization exec default krb5-instance
  kerberos local-realm YOUR.REALM
  kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH@YOUR.REALM (there should be some numbers here as well)
  kerberos clients mandatory
  kerberos server YOUR.REALM $(IP of your KDC)
  kerberos instance map admin 15   # this will map kerberos users */admin to the superuser of cisco
  kerberos credentials forward     # that's optional

  # I strongly suggest this as well, adjusted to your case
  ntp server your.ntp.server
  clock timezone GMT -6
  clock summer-time CDT recurring

--
Nikos
From shopik at inblock.ru Tue Sep 1 09:41:03 2009
From: shopik at inblock.ru (Nikolay Shopik)
Date: Tue, 01 Sep 2009 17:41:03 +0400
Subject: CISCO and kerberos

On 01.09.2009 14:55, Nikos Nikoleris wrote:
> jarek wrote:
>> Hi all!
>>
>> I'd like to configure CISCO Catalyst to use kerberos against AD server
>> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
>> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
>> getting:
>>
>> [ Kerberos V5 refuses authentication ]
>> kerberos_server_auth: Couldn't authenticate client from
>> test-nms.test.local.
>>
>> What can be wrong ?
>>
>> Has someone working example of CISCO config for such scenario ?
>>
>> J.
>
> Hi Jarek,
>
> A cisco working here with kerberos authentication but the kdc is heimdal
> kerberos. Some suggestions are:
> * Timing issues, you have to make sure both the kdc and the cisco are
> sync'd... (That's very important)
> * Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
> principal...
> * Your cisco should have a configuration like:
> aaa new-model
> aaa authentication login default krb5-telnet krb5 local enable
> aaa authorization exec default krb5-instance
> kerberos local-realm YOUR.REALM
> kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH@YOUR.REALM (there should
> be some numbers here as well)
> kerberos clients mandatory
> kerberos server YOUR.REALM $(IP of your KDC)
> kerberos instance map admin 15 # this will map kerberos users */admin to
> the superuser of cisco
> kerberos credentials forward # that's optional
>
> # I strongly suggest this as well, adjusted to your case
> ntp server your.ntp.server
> clock timezone GMT -6
> clock summer-time CDT recurring
>
> -- Nikos
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Hi Nikos,

If I'm not mistaken they don't yet support kerberos for SSH, do they?
From Tim.Alsop at CyberSafe.com Tue Sep 1 11:28:04 2009
From: Tim.Alsop at CyberSafe.com (Tim Alsop)
Date: Tue, 1 Sep 2009 16:28:04 +0100
Subject: CISCO and kerberos
Message-ID: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E6C1FFD9@exchange.cybersafe.local>

Hi,

You can use telnet and only if using DES (etype 1 or 3) or DES3-CBC-MD5 (etype 5). The code in the cisco IOS is based on CyberSafe code and a very very old release of it, so might not work with MS AD, and not with Heimdal code.

Thanks,
Tim

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nikolay Shopik
Sent: 01 September 2009 14:41
To: kerberos at mit.edu
Subject: Re: CISCO and kerberos

On 01.09.2009 14:55, Nikos Nikoleris wrote:
> jarek wrote:
>> Hi all!
>>
>> I'd like to configure CISCO Catalyst to use kerberos against AD server
>> W2008. I'd like to login to cisco using ticket and telnet.krb5 from
>> krb5-clients package. When I'm trying telnet.krb5 -a -f cisco_ip, I'm
>> getting:
>>
>> [ Kerberos V5 refuses authentication ]
>> kerberos_server_auth: Couldn't authenticate client from
>> test-nms.test.local.
>>
>> What can be wrong ?
>>
>> Has someone working example of CISCO config for such scenario ?
>>
>> J.
>
> Hi Jarek,
>
> A cisco working here with kerberos authentication but the kdc is heimdal
> kerberos. Some suggestions are:
> * Timing issues, you have to make sure both the kdc and the cisco are
> sync'd... (That's very important)
> * Try uploading the keytab using only the DES-CBC-CRC enc of the cisco
> principal...
> * Your cisco should have a configuration like:
> aaa new-model
> aaa authentication login default krb5-telnet krb5 local enable
> aaa authorization exec default krb5-instance
> kerberos local-realm YOUR.REALM
> kerberos srvtab entry host/FQDN.OF.YOUR.SWITCH@YOUR.REALM (there should
> be some numbers here as well)
> kerberos clients mandatory
> kerberos server YOUR.REALM $(IP of your KDC)
> kerberos instance map admin 15 # this will map kerberos users */admin to
> the superuser of cisco
> kerberos credentials forward # that's optional
>
> # I strongly suggest this as well, adjusted to your case
> ntp server your.ntp.server
> clock timezone GMT -6
> clock summer-time CDT recurring
>
> -- Nikos
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Hi Nikos,

If I'm not mistaken they don't yet support kerberos for SSH, do they?
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
From nikos at ece.ntua.gr Tue Sep 1 11:39:27 2009
From: nikos at ece.ntua.gr (Nikos Nikoleris)
Date: Tue, 01 Sep 2009 17:39:27 +0200
Subject: CISCO and kerberos
Message-ID: <4A9D402F.1090007@ece.ntua.gr>

Nikolay Shopik wrote:
> Hi Nikos,
>
> If I'm not mistaken they don't yet support kerberos for SSH, do they?
>

Hey Nikolay,

as far as I know cisco supports ssh with kerberos but not in a "kerberized" way but in a pam way. I mean that I can login with the password I have for my kerberos principal like "ssh nikos/admin@switch", but I cannot login if I first acquire the ticket with "kinit nikos/admin" and then "ssh nikos/admin@switch" without entering the password again. I don't know if it is supported on new versions or other versions other than that we are running:

  Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)

--
Nikos
From nikos at ece.ntua.gr Tue Sep 1 12:00:45 2009
From: nikos at ece.ntua.gr (Nikos Nikoleris)
Date: Tue, 01 Sep 2009 18:00:45 +0200
Subject: How to set up NIS->Krb5 user migration?
Message-ID: <4A9D452D.8020403@ece.ntua.gr>

Luís Eterovick wrote:
> Hello,
> what I need is to create Kerberos principals for every NIS user in a
> network. I have a working MIT Kerberos 5 in my computer that I made to test.
> I've read about pam_krb5_migrate, but I didn't use pam for anything until
> now. How can I do this user creation and is it possible to test it in my own
> Kerberos realm using the NIS information?

Hello Luis,

well you can use pam_krb5_migrate so as to achieve a smooth migration to kerberos. What we did when we migrated passwords from an ldap server to a heimdal kdc was to migrate users while they were authenticating for some of our services (ex mail or ssh). Thus each machine which hosted some service would do the migration.

First you have to add the principal in /etc/security/pam_krb5.keytab:

  pam_migrate/FQDN_OF_THE_MACHINE

Then delegate the credentials to those principals to be able to add new principals to the KDC. Add to the acl file (/etc/heimdal-kdc/kadmind.acl; in mit kerberos this is named kadm5.acl and it could be under etc as well or under /usr/local/var/krb5kdc if you are using BSD) something like:

  pam_migrate/fqdn@REALM a *@REALM

Then add to the pam auth stack (/etc/pam.d/common-auth):

  auth sufficient pam_krb5.so use_first_pass
  auth required   pam_unix.so nullok_secure nis use_first_pass
  auth optional   pam_krb5_migrate.so debug

That way, when someone is using any service that uses pam for auth they should be migrated to your KDC. The only side-effect is that users have to enter their passwords twice. But this shouldn't be a problem; sometimes they won't even notice, if that is done by some program (ex. mail client).

--
Nikos
From huaraz at moeller.plus.com Tue Sep 1 19:30:53 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Wed, 2 Sep 2009 00:30:53 +0100
Subject: kinit: Looping detected inside

What does "Looping detected ..." mean ?

  # /opt/krb5-1.7/bin/kinit -kt /opt/squid-3.0/etc/HTTP.keytab HTTP/centos.dom.local
  kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

  # klist -ekKt /opt/squid-3.0/etc/HTTP.keytab
  Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
  KVNO Timestamp         Principal
  ---- ----------------- --------------------------------------------------------
     2 09/02/09 08:27:05 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5) (0x1603c8427ad621cf11d28a733b9d0cce)
     2 09/02/09 08:27:05 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC) (0x7fa6440ae30375c781c90003495575f0)
     2 09/02/09 08:27:05 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0x4115bc30a9aca0078b69640b3086c877a00635775e5572de9aab8d64796fd26e)

Thank you
Markus
From raeburn at MIT.EDU Tue Sep 1 20:00:31 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Tue, 1 Sep 2009 20:00:31 -0400
Subject: kinit: Looping detected inside
Message-ID: <2B52BB08-4525-47C1-AE80-CFB3FCC4DAA6@mit.edu>

On Sep 1, 2009, at 19:30, Markus Moeller wrote:
> What does "Looping detected ..." mean ?
>
> # /opt/krb5-1.7/bin/kinit -kt /opt/squid-3.0/etc/HTTP.keytab HTTP/centos.dom.local
> kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

The get_in_tkt code goes into a loop when it's told certain preauth data is needed, or a WRONG_REALM error is returned and it's told to try a different realm. A counter is used to prevent it from retrying too long. Unfortunately, it doesn't seem to provide much information beyond its inability to terminate the loop... You may have to try a packet trace to see what it's doing.

Ken
From huaraz at moeller.plus.com Wed Sep 2 01:40:49 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Wed, 2 Sep 2009 06:40:49 +0100
Subject: msktutil problem with Windows 2008
References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local>
Message-ID: <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk>

I found the problem with msktutil. It uses the wrong salt. For a computer name with uppercase parts (e.g. squid-HTTP) it uses DOM.LOCALhostsquid-HTTP.dom.local as salt instead of DOM.LOCALhostsquid-http.dom.local.

Markus

"Markus Moeller" wrote in message news:mailman.35.1251548728.12456.kerberos at mit.edu...
> Is it possible that Windows 2008 is mapping HTTP principal to host
> principals ?
>
> With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my
> apache/squid module created an error "Decrypt integrity check failed" and
> a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt
> /etc/host.keytab host/fqdn works.
>
> When I remove the AD entry which msktutil created for HTTP/fqdn and leave
> the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn. Now
> I used ktutil to create a HTTP keytab
>
> # ktutil
> ktutil: addent -key -p HTTP/centos.dom.local@DOM.LOCAL -k 2 -e aes256-cts-hmac-sha1-96
> Key for HTTP/centos.dom.local@DOM.LOCAL (hex):
> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
> ktutil: wkt /etc/HTTP.keytab
> ktutil: quit
>
> I can use the HTTP keytab with kinit and I can also use it now for
> apache/squid.
>
> It looks like when IE requests a HTTP/fqdn ticket 2008 converts it in a
> request for host/fqdn and ignores entries with a serviceprincipal set to
> HTTP/fqdn.
>
> Can anybody confirm that ? Or what do I do wrong ?
>
> Thank you
> Markus
>
> "Markus Moeller" wrote in message
> news:h7b5a5$tb0$1 at ger.gmane.org...
>> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
>> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn. I use
>> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>>
>> klist -ekt /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>
>> klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/centos.dom.local@DOM.LOCAL
>>
>> Valid starting     Expires            Service principal
>> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
>>         renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>
>>
>> klist -ekt /etc/HTTP.keytab
>> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>
>>
>> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> Markus
>>
>>
>> "Markus Moeller" wrote in message
>> news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
>>> Wolf-Agathon,
>>>
>>> I did export the keytab, but I found out the Hotfix 951191 was not
>>> installed on the 2008 DC.
>>>
>>> Markus
>>>
>>> ----- Original Message -----
>>> From: "Wolf-Agathon Schaly"
>>> To: ;
>>> Sent: Saturday, August 29, 2009 11:27 AM
>>> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>>>
>>>
>>>> Howdy Markus
>>>>
>>>> Sounds to me that you're trying to use a keytab without exporting the key
>>>> to your keytab file test.keytab
>>>>
>>>> am I right ?
>>>>
>>>> cheers
>>>> Wolf-Agathon
>>>>
>>>>
>>>> ----- Original Message ----
>>>> From: Markus Moeller
>>>> To: kerberos at mit.edu
>>>> Date: 29.08.2009 00:07
>>>> Subject: msktutil problem with Windows 2008
>>>>
>>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to be
>>>>> changed ?
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>>
>>>>> ________________________________________________
>>>>> Kerberos mailing list Kerberos at mit.edu
>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
From deengert at anl.gov Wed Sep 2 10:40:31 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 02 Sep 2009 09:40:31 -0500
Subject: msktutil problem with Windows 2008
In-Reply-To: <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk>
References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local> <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk>
Message-ID: <4A9E83DF.6080904@anl.gov>

Markus Moeller wrote:
> I found the problem with msktutil. It uses the wrong salt. For a computer
> name with uppercase parts (e.g. squid-HTTP) it uses
> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of
> DOM.LOCALhostsquid-http.dom.local.

I would like to reword this...

Windows AD appears to generate a salt for computer accounts using the concatenation of:

  uppercase(domain) "host" lowercase(SAMAccountName) "." lowercase(domain)

But msktutil was using:

  uppercase(domain) "host" SAMAccountName "." lowercase(domain)

So only accounts where the account name had mixed case would this be a problem. The circumvention is to use msktutil --computername some-lowercase-name, i.e. always use lower case for the computer name.

Windows 2003 does the same thing. All of our computer accounts had been lowercase, so we never ran across this problem.

>
> Markus
>
>
> "Markus Moeller" wrote in message
> news:mailman.35.1251548728.12456.kerberos at mit.edu...
>> Is it possible that Windows 2008 is mapping HTTP principal to host
>> principals ?
>>
>> With two AD entries created by msktutil for host/fqdn and HTTP/fqdn my
>> apache/squid module created an error "Decrypt integrity check failed" and
>> a kinit -kt /etc/HTTP.keytab HTTP/fqdn fails, whereas kinit -kt
>> /etc/host.keytab host/fqdn works.
>>
>> When I remove the AD entry which msktutil created for HTTP/fqdn and leave
>> the AD entry for host/fqdn I still got an answer for kvno HTTP/fqdn.
>> Now I used ktutil to create a HTTP keytab
>>
>> # ktutil
>> ktutil: addent -key -p HTTP/centos.dom.local@DOM.LOCAL -k 2 -e aes256-cts-hmac-sha1-96
>> Key for HTTP/centos.dom.local@DOM.LOCAL (hex):
>> 3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
>> ktutil: wkt /etc/HTTP.keytab
>> ktutil: quit
>>
>> I can use the HTTP keytab with kinit and I can also use it now for
>> apache/squid.
>>
>> It looks like when IE requests a HTTP/fqdn ticket 2008 converts it in a
>> request for host/fqdn and ignores entries with a serviceprincipal set to
>> HTTP/fqdn.
>>
>> Can anybody confirm that ? Or what do I do wrong ?
>>
>> Thank you
>> Markus
>>
>> "Markus Moeller" wrote in message
>> news:h7b5a5$tb0$1 at ger.gmane.org...
>>> I was too quick. I get it to work with host/fqdn (e.g. kinit -kt
>>> /etc/krb5.keytab host/centos.dom.local) but not with HTTP/fqdn. I use
>>> AES-256 CTS mode with 96-bit SHA-1 HMAC.
>>>
>>> klist -ekt /etc/krb5.keytab
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>>    3 08/29/09 20:54:49 host/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>>
>>> klist -e
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: host/centos.dom.local@DOM.LOCAL
>>>
>>> Valid starting     Expires            Service principal
>>> 08/29/09 21:48:32  08/30/09 07:47:42  krbtgt/DOM.LOCAL@DOM.LOCAL
>>>         renew until 08/30/09 21:48:32, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>>>
>>>
>>> klist -ekt /etc/HTTP.keytab
>>> Keytab name: FILE:/opt/squid-3.0/etc/HTTP.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (ArcFour with HMAC/md5)
>>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)
>>>    2 08/29/09 21:39:35 HTTP/centos.dom.local@DOM.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>>>
>>>
>>> kinit -kt /etc/HTTP.keytab HTTP/centos.dom.local
>>> kinit(v5): Preauthentication failed while getting initial credentials
>>>
>>> Markus
>>>
>>>
>>> "Markus Moeller" wrote in message
>>> news:CF5A795E7B16440FA314ED54D5645C0B at VAIOLaptop...
>>>> Wolf-Agathon,
>>>>
>>>> I did export the keytab, but I found out the Hotfix 951191 was not
>>>> installed on the 2008 DC.
>>>>
>>>> Markus
>>>>
>>>> ----- Original Message -----
>>>> From: "Wolf-Agathon Schaly"
>>>> To: ;
>>>> Sent: Saturday, August 29, 2009 11:27 AM
>>>> Subject: **SPAM ZEN 91.53.127.108** Aw: msktutil problem with Windows 2008
>>>>
>>>>
>>>>> Howdy Markus
>>>>>
>>>>> Sounds to me that you're trying to use a keytab without exporting the key
>>>>> to your keytab file test.keytab
>>>>>
>>>>> am I right ?
>>>>>
>>>>> cheers
>>>>> Wolf-Agathon
>>>>>
>>>>>
>>>>> ----- Original Message ----
>>>>> From: Markus Moeller
>>>>> To: kerberos at mit.edu
>>>>> Date: 29.08.2009 00:07
>>>>> Subject: msktutil problem with Windows 2008
>>>>>
>>>>>> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008,
>>>>>> but when I run kinit -kt test.keytab HTTP/fqdn I get
>>>>>> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which needs to be
>>>>>> changed ?
>>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>>
>>>>>>
>>>>>> ________________________________________________
>>>>>> Kerberos mailing list Kerberos at mit.edu
>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From priya9907 at gmail.com Wed Sep 2 10:28:46 2009
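The salt rule Doug Engert gives in the msktutil thread above is easy to check mechanically. The following Python is an added example for this archive, not code from the thread and not msktutil's own code: it builds the salt AD derives for a computer account and the salt the pre-fix msktutil used, then runs the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key on both, so you can see why a mixed-case computer name yields a keytab whose key differs from the one AD holds. Assumptions: the computer name is passed without its trailing '$' (which matches the DOM.LOCALhostsquid-http.dom.local salt quoted in the thread), the password is a constructed sample, and the final DK(tmpkey, "kerberos") step of RFC 3962 is omitted because it needs AES and is a fixed function of the PBKDF2 output, so equal PBKDF2 outputs give equal keys and different ones give different keys (barring a negligible-probability collision).

```python
import hashlib

RFC3962_ITERATIONS = 4096  # default iteration count for aes*-cts-hmac-sha1-96


def ad_computer_salt(domain: str, computer_name: str) -> str:
    """Salt Windows AD derives for a computer account, as described in the
    thread: uppercase(domain) + "host" + lowercase(name) + "." + lowercase(domain).
    computer_name is the sAMAccountName without its trailing '$' (assumption,
    consistent with the DOM.LOCALhostsquid-http.dom.local example)."""
    return domain.upper() + "host" + computer_name.lower() + "." + domain.lower()


def msktutil_old_salt(domain: str, computer_name: str) -> str:
    """Salt msktutil used before the fix: the account name is NOT lowercased."""
    return domain.upper() + "host" + computer_name + "." + domain.lower()


def aes_s2k_pbkdf2_stage(password: str, salt: str, key_len: int) -> bytes:
    """First stage of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the
    UTF-8 password and UTF-8 salt, producing key_len bytes (16 for AES-128,
    32 for AES-256). RFC 3962 then applies DK(tmpkey, "kerberos") with AES;
    that step is omitted here (it needs an AES implementation) and does not
    affect whether two derivations agree."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), RFC3962_ITERATIONS, key_len)


def keytab_matches_ad(password: str, domain: str, computer_name: str,
                      key_len: int = 32) -> bool:
    """Would a keytab written with the old msktutil salt carry the same AES
    key that AD derived for this account? False for mixed-case names, which
    is the 'Preauthentication failed' symptom seen in the thread."""
    ad_key = aes_s2k_pbkdf2_stage(password, ad_computer_salt(domain, computer_name), key_len)
    kt_key = aes_s2k_pbkdf2_stage(password, msktutil_old_salt(domain, computer_name), key_len)
    return ad_key == kt_key


if __name__ == "__main__":
    # Constructed sample; a real machine account has a random long password.
    pw = "example-machine-password"
    for name in ("squid-HTTP", "squid-http"):
        status = "keys match" if keytab_matches_ad(pw, "dom.local", name) else "KEY MISMATCH"
        print(f"{name:12s} AD salt {ad_computer_salt('dom.local', name)}  -> {status}")
```

This also explains Markus's later remark that 2003-era deployments did not hit the bug: rc4-hmac derives its key from the password alone and takes no salt, so the case of the computer name never entered into it. Only the salted AES enctypes expose the difference.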
From: priya9907 at gmail.com (Priya B)
Date: Wed, 2 Sep 2009 07:28:46 -0700 (PDT)
Subject: Kerberos service ticket issue!!!

Hello everybody,

We are in the process of implementing Kerberos Authentication (Single Sign On) using JAAS. We've been facing a problem to which we (and everybody we've approached so far :) ) have had no solution for many weeks.

We're trying to get the service ticket from the KDC but are unable to. (NOTE - The client and the service are in different realms.)

Java throws the following exception:

  GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

When we monitor the packets, we observed the below errors:

  KRB_ERR_RESPONSE_TOO_BIG
  KDC_ERR_WRONG_REALM

We have tried setting the Registry value as mentioned in the other posts, but to no avail.

Any solution please? It would be gratefully appreciated !!
From deengert at anl.gov Wed Sep 2 11:45:19 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 02 Sep 2009 10:45:19 -0500
Subject: Kerberos service ticket issue!!!
Message-ID: <4A9E930F.5010502@anl.gov>

Priya B wrote:
> Hello everybody,
>
> We are in the process of implementing Kerberos Authentication (Single
> Sign On) using JAAS. We've been facing a problem to which we (and
> everybody we've approached so far :) ) have had no solution for many
> weeks.

What version of Java?

>
> We're trying to get the service ticket from the KDC but are unable to.
> (NOTE - The client and the service are in different realms.)

Do you have cross realm setup between the two realms? Do you have the krb5.conf on the client setup for cross realm?

>
> Java throws the following exception:
> GSSException: No valid credentials provided (Mechanism level: Fail to
> create credential. (63) - No service creds)
>
> When we monitor the packets, we observed the below errors:
> KRB_ERR_RESPONSE_TOO_BIG

Is one or both of the realms Windows AD? The KRB_ERR_RESPONSE_TOO_BIG could be caused by Windows adding a PAC to the ticket, and the older versions of Java can only use UDP. New versions might be able to use TCP to handle large tickets, in which case the request would have been retried using TCP. If you don't need the PAC, there are ways to tell the DC not to add it. (The PAC can be 12K or more, whereas a ticket without a PAC is about 400 bytes.)

> KDC_ERR_WRONG_REALM

Sounds like either krb5.conf is not setup correctly, or AD gave you a referral which Java could not handle.

You appear to have done some tracing, but have not said where you are seeing these messages or how far along the process of getting tickets has gotten, i.e. client to client's KDC or client to server's KDC.

>
> We have tried setting the Registry value as mentioned in the other
> posts, but to no avail.
>
> Any solution please? It would be gratefully appreciated !!
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From huaraz at moeller.plus.com Wed Sep 2 19:17:24 2009
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Thu, 3 Sep 2009 00:17:24 +0100
Subject: msktutil problem with Windows 2008
References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local> <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk>

"Douglas E. Engert" wrote in message news:mailman.48.1251902470.12456.kerberos at mit.edu...
> Markus Moeller wrote:
>> I found the problem with msktutil. It uses the wrong salt. For a computer
>> name with uppercase parts (e.g. squid-HTTP) it uses
>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of
>> DOM.LOCALhostsquid-http.dom.local.
>
> I would like to reword this...
>
> Windows AD appears to generate a salt for computer accounts using the
> concatenation of:
> uppercase(domain) "host" lowercase(SAMAccountName) "."
> lowercase(domain)
>
> But msktutil was using:
> uppercase(domain) "host" SAMAccountName "." lowercase(domain)
>
> So only accounts where the account name had mixed case would this be a
> problem.
> The circumvention is to use msktutil --computername some-lowercase-name
> i.e. always use lower case for the computer name.
>
> Windows 2003 does the same thing. All of our computer accounts had been
> lowercase, so we never ran across this problem.
>

Also on 2003 you mainly use RC4 which doesn't use a salt. I assume you will create a vers 8 of msktutil. If so can you fix the VERBOSE calls ?

--- msktkrb5.c 2007-12-22 14:02:40.000000000 +0000
+++ msktkrb5.c.new 2009-09-03 00:13:55.000000000 +0100
@@ -446,7 +446,7 @@ } } - VERBOSE(" Using salt of %s", (char *) salt.data); + VERBOSE(" Using salt of %.*s", salt.length, (char *) salt.data); pass.data = flags->password; pass.length = PASSWORD_LEN; ret = krb5_string_to_key(flags->context, &eblock, &key, &pass, &salt); @@ -501,7 +501,7 @@ } } - VERBOSE(" Using salt of %s", (char *) salt.saltvalue.data); + VERBOSE(" Using salt of %.*s", salt.saltvalue.length, (char *) salt.saltvalue.data); pass.data = &(flags->password[0]); pass.length = PASSWORD_LEN; ret = krb5_string_to_key_data_salt(flags->context, eblock, pass, salt, &key); Regards Markus From deengert at anl.gov Thu Sep 3 09:19:50 2009 
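Review bot: in the hunk at -446 (the MIT krb5 path) the precision argument of `%.*s` must be an `int`, but `salt.length` is passed unconverted; in MIT krb5 the `length` member of `krb5_data` is `unsigned int`, so write `VERBOSE(" Using salt of %.*s", (int) salt.length, (char *) salt.data);`. Moving off `%s` is the right call, since a `krb5_data` buffer is not NUL-terminated and the old call could read past the end of the salt.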
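Review bot: in the hunk at -501 (the Heimdal path, as `krb5_string_to_key_data_salt` shows) the same cast is needed and matters more: `salt.saltvalue` is a Heimdal `krb5_data`, whose `length` is a `size_t`, and passing a `size_t` where `%.*s` expects an `int` is undefined behaviour that only happens to work on some ABIs; use `(int) salt.saltvalue.length`. The new line is also well over the width of the surrounding code, so wrapping the argument list would be worth doing at the same time.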
From: deengert at anl.gov (Douglas E. Engert) Date: Thu, 03 Sep 2009 08:19:50 -0500 Subject: msktutil problem with Windows 2008 In-Reply-To: References: <6507112.1251541645412.JavaMail.ngmail@webmail19.ha2.local> <75mdneuw04AJmwPXnZ2dnUVZ8mydnZ2d@brightview.co.uk> Message-ID: <4A9FC276.9010107@anl.gov> Markus Moeller wrote: > "Douglas E. Engert" wrote in message > news:mailman.48.1251902470.12456.kerberos at mit.edu... >> Markus Moeller wrote: >>> I found the problem with msktutil. It uses the wrong salt. For a computer >>> name with uppercase parts (e.g. squid-HTTP) it uses >>> DOM.LOCALhostsquid-HTTP.dom.local as salt instead of >>> DOM.LOCALhostsquid-http.dom.local. >> I would like to reword this... >> >> Windows AD appears to generate a salt for computer accounts using the >> concatenation of: >> uppercase(domain) "host" lowercase(SAMAccountName) "." >> lowercase(domain) >> >> But msktutil was using: >> uppercase(domain) "host" SAMAccountName "." lowercase(domain) >> >> So only accounts where the account name had mixed case would this be a >> problem. >> The circumvention is it use msktutil --computername some-lowercase-name >> i.e. always use lower case for the computer name. >> >> Windows 2003 does the same thing. All of our computer accounts had been >> lowercase, so we never ran across this problem. >> > > Also on 2003 you mainly use RC4 which doesn't use a salt. I assume you will > create a vers 8 of msktutil. If so can you fix the VERBOSE calls ? Yes, but not soon. I will add your fix. Thanks. > > --- msktkrb5.c 2007-12-22 14:02:40.000000000 +0000 > +++ msktkrb5.c.new 2009-09-03 00:13:55.000000000 +0100 > @@ -446,7 +446,7 @@ > } > } > > - VERBOSE(" Using salt of %s", (char *) salt.data); > + VERBOSE(" Using salt of %.*s", salt.length, (char *) > salt.data); > pass.data = flags->password; > pass.length = PASSWORD_LEN; > ret = krb5_string_to_key(flags->context, &eblock, &key, > &pass, &salt); 
> @@ -501,7 +501,7 @@ > } > } > > - VERBOSE(" Using salt of %s", (char *) > salt.saltvalue.data); > + VERBOSE(" Using salt of %.*s", salt.saltvalue.length, > (char *) salt.saltvalue.data); > pass.data = &(flags->password[0]); > pass.length = PASSWORD_LEN; > ret = krb5_string_to_key_data_salt(flags->context, eblock, > pass, salt, &key); > > > Regards > Markus > > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 From 0813082 at beds.ac.uk Thu Sep 3 11:38:19 2009 From: 0813082 at beds.ac.uk (Raymond Brown) Date: Thu, 03 Sep 2009 16:38:19 +0100 Subject: Use of Biometric data for Pre-authentication in Kerberos v5 Message-ID: <1251992299.88322140813082@beds.ac.uk> Hi, I'm an MSc student currently doing a paper on using Biometric (fingerprint) data for pre-authentication in Kerberos v5. The proposal is for the client to be identified to the KDC using verified biometric output as pre-authentication data. I propose an extension to the existing protocol, which will obviously take into consideration recommendations in the current draft ' A Generalized Framework for Kerberos Pre-Authentication', such as FAST. I propose adding the biometric authentication factor to the existing need for a password and would also propose an alternative option of replacing the password with a biometric input. Can anyone advise me if you are aware of any existing work being done on this subject matter that could possibly assist me or anyone interested who can provide useful guidance. Your response will be much appreciated. Ray Brown MSc Computer Forensics and Security University of Bedfordshire email: 0813082 at beds.ac.uk From lists at deksai.com Thu Sep 3 15:10:04 2009 
From: lists at deksai.com (Chris)
Date: Thu, 3 Sep 2009 15:10:04 -0400
Subject: ldap principal aliases
In-Reply-To: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com> <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
Message-ID: <20090903191003.GB20299@chris-laptop.a2hosting.com>

On Sun, Aug 30, 2009 at 09:21:22AM +0200, Luke Howard wrote:
> >Yep, sure enough. The version on wopr is pretty old.
> >
> >Are there any known scenarios where forcing canonicalization on
> >the KDC
> >would be bad? I was thinking about just removing the check for that
> >flag from our KDCs, since there are quite a few servers that have the
> >old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think
> Greg is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).
>
> -- Luke

Thank you both for the input (and the patch). I apologize, I was out on vacation for several days, so I didn't mean to ignore you! I see that the patch made it into svn. I will apply it here, and let you know if I run into any problems.

Chris
From priya9907 at gmail.com Fri Sep 4 10:15:41 2009
From: priya9907 at gmail.com (Priya B) Date: Fri, 4 Sep 2009 07:15:41 -0700 (PDT) Subject: Kerberos service ticket issue!!! References: Message-ID:

Thank you so much for your response!

We modified the krb5.conf file (as below) and also switched from UDP to TCP. Now we're not getting any errors in the trace. But still we don't get the service ticket (same exception). In the trace for some reason, after the client gets the TGS response, the client closes the TCP connection, and never tries to get a service ticket. It is not querying regarding the service at all.

Anyway, below are some answers to your questions:

What version of Java?
>>> 1.6

Do you have cross realm setup between the two realms?
>>> It should be there, because we have another application (based on SSPI) using which we are able to sign-in to the same service.

Do you have the krb5.conf on the client setup for cross realm?
>>> We have. Below is the conf file. Do let us know if it needs any corrections.

--------------------------------------------------------------
[libdefaults]
    udp_preference_limit = 1
    default_realm = REALM1.COM
    dns_lookup_kdc = true

[realms]
    REALM1.COM = {
        kdc = host1.realm1.com
        default_domain = realm1.com
    }

    REALM2.COM = {
        realm_type = WINNTv1
        ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC
        kdc = {
            name = host2.realm2.com
            default_domain = .realm2.com
            protocol = TCP
        }
    }

[domain_realm]
    .realm1.com = REALM1.COM
    .realm2.com = REALM2.COM

[capaths]
    REALM1.COM = {
        REALM2.COM = .
    }
    REALM2.COM = {
        REALM1.COM = .
    }

[logging]
--------------------------------------------------------------

Is one or both of the realms Window AD?
>>> Shall confirm that soon.

You appear to have done some tracing, but have not said where you are seeing these messages or how far along the process of getting tickets has gotten. i.e. client to client's KDC or client to server's KDC.
>>> client to client's KDC

From deengert at anl.gov Fri Sep 4 16:13:18 2009
From: deengert at anl.gov (Douglas E. Engert) Date: Fri, 04 Sep 2009 15:13:18 -0500 Subject: Kerberos service ticket issue!!! In-Reply-To: References: Message-ID: <4AA174DE.7090800@anl.gov>

Priya B wrote:
> Thank you so much for your response!
>
> We modified the krb5.conf file (as below) and also switched from UDP
> to TCP. Now we're not getting any errors in the trace. But still we
> don't get the service ticket (same exception). In the trace for some
> reason, after the client gets the TGS response, the client closes the
> TCP connection, and never tries to get a service ticket. It is not
> querying regarding the service at all.
>
> Anyway, below are some answers to your questions:
>
> What version of Java?
>>>> 1.6
>
> Do you have cross realm setup between the two realms?
>>>> It should be there, because we have another application (based on SSPI) using which we are able to sign-in to the same service.
>
> Do you have the krb5.conf on the client setup for cross realm?
>>>> We have. Below is the conf file. Do let us know if it needs any corrections.

Note that Kerberos implementations just ignore unknown lines in the krb5.conf, so you must be careful to get them correct.

> --------------------------------------------------------------
>
> [libdefaults]
> udp_preference_limit = 1
> default_realm = REALM1.COM
> dns_lookup_kdc = true
> [realms]
> REALM1.COM = {
> kdc = host1.realm1.com
> default_domain = realm1.com
> }
>
> REALM2.COM = {
>
> realm_type = WINNTv1
>
> ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC

What are the above two lines? What documentation were you reading on how to setup a krb5.conf for Java? And what is "WINNTv1"? "NT" implies a very old OS. Windows 2000 was the first that I know of that supports Kerberos.
> kdc = {
> name = host2.realm2.com
> default_domain = .realm2.com
> protocol = TCP
> }
> }
>
> [domain_realm]
> .realm1.com = REALM1.COM
> .realm2.com = REALM2.COM
>
> [capaths]
> REALM1.COM = {
> REALM2.COM = .
> }
>
> REALM2.COM = {
> REALM1.COM = .
> }
>
> [logging]
>
> --------------------------------------------------------------
>
> Is one or both of the realms Window AD?
>>>> Shall confirm that soon.
>
> You appear to have done some tracing, but have not said where you are
> seeing these messages or how far along the process of getting tickets
> has gotten. i.e. client to client's KDC or client to server's KDC.
>>>> client to client's KDC

-- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444

From ravi.channavajhala at dciera.com Mon Sep 7 08:18:57 2009
From: ravi.channavajhala at dciera.com (ravi channavajhala) Date: Mon, 7 Sep 2009 17:48:57 +0530 Subject: Preauthentication error with Samba Message-ID: <4aa4fa3a.02c3f10a.17da.3217@mx.google.com>

Can anyone suggest how to get around the following?

[2009/09/05 00:32:55, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
  ads_sasl_spnego_bind: got server principal name = exdc1$@domain.example.com
[2009/09/05 00:32:55, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/09/05 00:32:56, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password samserv1$@domain.example.com failed: Preauthentication failed

This is what my samba RPMs are

# rpm -qa | grep -i samb
samba-client-3.0.33-3.7.el5
system-config-samba-1.2.41-3.el5
samba-common-3.0.33-3.7.el5
samba-3.0.33-3.7.el5

# uname -a
Linux samserv1.domain.example.com 2.6.18-128.el5PAE #1 SMP Wed Dec 17 12:02:33 EST 2008 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)

The smb.conf file uses

Security = ads
Use Kerberos keytab = true

AD logins from Linux work just fine (ruling out the obvious such as time synchronization etc.), 'net ads info' and 'net ads status' show relevant information. The Kerberos keytab was generated with net ads keytab create.

Information from net ads status (partial)

sAMAccountName: SAMSERV1$
sAMAccountType: 805306369
dNSHostName: samserv1.domain.example.com
userPrincipalName: host/samserv1.domain.example.com at SAMSERV1.DOMAIN.EXAMPLE.COM
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=example,DC=com

Regards,
Ravi K. Channavajhala

From frostisch at yahoo.de Wed Sep 9 06:12:28 2009
From: frostisch at yahoo.de (Julian Thomé) Date: Wed, 09 Sep 2009 12:12:28 +0200 Subject: ldap-backend with kerberos Message-ID: <4AA77F8C.9070201@yahoo.de>

Hello mailing list,

We want to integrate Kerberos with our existing User-Authentication-System using PAM-LDAP thus ... we want to use ldap as a backend for kerberos. That means that user data like password, username, uid etc. is stored in the LDAP-DB and we want kerberos to use this data. Is this possible in this way ?

Thank you very much

Julian Thome

From jsanders at TechFak.Uni-Bielefeld.DE Wed Sep 9 08:28:07 2009
From: jsanders at TechFak.Uni-Bielefeld.DE (Jan Sanders) Date: Wed, 09 Sep 2009 14:28:07 +0200 Subject: kpasswd changes password successfully but also complains about kdc not reachable Message-ID: <4AA79F57.4010005@TechFak.Uni-Bielefeld.DE>

Hello List,

on my client machine I can get kerberos tickets for my principal using the correct principalname-password combination. I can also use kadmin on the client machine providing the correct principalname-password combination for an admin principal. Changing the password for a principal is no problem using kadmin.

But then I try to use kpasswd on the client machine. I provide kpasswd with the correct principalname-password combination and twice state what the new password should be and then I wait for a couple of seconds before kpasswd returns. On returning it complains:

Cannot contact any KDC for requested realm

But it also changed the password. After invoking kpasswd and observing the above stated behaviour I have to provide the new password to obtain a ticket.

Even though kpasswd works as advertised (changes the password) it will cause some trouble telling users that the error message can safely be ignored (if it can!!).

Using strace I could see some timeouts of select syscalls. kpasswd obtained a file descriptor for an IP connection, connects to the KDC and successfully sends 490 bytes of data. Then kpasswd uses the select syscall to monitor the file descriptor which times out twice. kpasswd resends the 490 bytes and again waits for two select syscalls to time out. Then again and finally returns with the "Cannot contact any KDC for requested realm" complaint.

strace was invoked like this:

#strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc

What strikes me is the invocation of the select syscall. According to the select specification the first parameter of the syscall is the number of monitored file descriptors + 1.
The select calls as used here only monitor 2 file descriptors (better: one file descriptor is monitored twice). The number of file descriptors is set to 5. I do not know how select behaves when invoked like that and it seems not to be specified.

The (slightly sanitized) output of strace starting from the socket request for connecting to the KDC:

8006 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
8006 connect(4, {sa_family=AF_INET, sin_port=htons(464), sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
8006 getsockname(4, {sa_family=AF_INET, sin_port=htons(35498), sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006 gettimeofday({1252498115, 459404}, NULL) = 0
8006 gettimeofday({1252498115, 459444}, NULL) = 0
8006 select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
8006 gettimeofday({1252498116, 457725}, NULL) = 0
8006 gettimeofday({1252498116, 457765}, NULL) = 0
8006 select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006 gettimeofday({1252498118, 462172}, NULL) = 0
8006 gettimeofday({1252498118, 462214}, NULL) = 0
8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006 gettimeofday({1252498119, 461724}, NULL) = 0
8006 gettimeofday({1252498119, 461763}, NULL) = 0
8006 select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
8006 gettimeofday({1252498123, 466171}, NULL) = 0
8006 gettimeofday({1252498123, 466213}, NULL) = 0
8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
8006 gettimeofday({1252498124, 465728}, NULL) = 0
8006 gettimeofday({1252498124, 465767}, NULL) = 0
8006 select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
8006 close(4) = 0
8006 write(2, "kpasswd", 7) = 7
8006 write(2, ": ", 2) = 2
8006 write(2, "Cannot contact any KDC for requested realm", 42) = 42
8006 write(2, " ", 1) = 1
8006 write(2, "changing password", 17) = 17
8006 write(2, "\r\n", 2) = 2
8006 exit_group(1) = ?
End of strace output. I hope all this is helpful for finding the cause of the "Cannot contact ..." error. cheers Jan Sanders From tlyu at MIT.EDU Wed Sep 9 09:48:04 2009 
From: tlyu at MIT.EDU (Tom Yu) Date: Wed, 09 Sep 2009 09:48:04 -0400 Subject: kpasswd changes password successfully but also complains about kdc not reachable In-Reply-To: <4AA79F57.4010005@TechFak.Uni-Bielefeld.DE> (Jan Sanders's message of "Wed, 9 Sep 2009 08:28:07 -0400") References: <4AA79F57.4010005@TechFak.Uni-Bielefeld.DE> Message-ID:

Jan Sanders writes:

> Hello List,
>
> on my client machine I can get kerberos tickets for my principal using
> the correct principalname-password combination. I can also use kadmin on
> the client machine providing the correct principalname-password
> combination for an admin principal. Changing the password for a
> principal is no problem using kadmin.
> But then I try to use kpasswd on the client machine. I provide kpasswd
> with the correct principalname-password combination and twice state
> what the new password should be and then I wait for a couple of seconds
> before kpasswd returns.
> On returning it complains: Cannot contact any KDC for requested realm
> But it also changed the password. After invoking kpasswd and observing
> the above stated behaviour I have to provide the new password to obtain
> a ticket.
> Even though kpasswd works as advertised (changes the password) it will
> cause some trouble telling users that the error message can safely be
> ignored (if it can!!).
>
> Using strace I could see some timeouts of select syscalls.
> kpasswd obtained a file descriptor for an IP connection, connects to the
> KDC and successfully sends 490 bytes of data.
> Then kpasswd uses the select syscall to monitor the file descriptor which
> times out twice.
> kpasswd resends the 490 bytes and again waits for two select syscalls to
> time out.
> Then again and finally returns with the "Cannot contact any KDC for
> requested realm" complaint.
>
> strace was invoked like this:
> #strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
>
> What strikes me is the invocation of the select syscall.
> According to
> the select specification the first parameter of the syscall is the
> number of monitored file descriptors + 1. The select calls as used here
> only monitor 2 file descriptors (better: one file descriptor is monitored
> twice). The number of file descriptors is set to 5. I do not know how
> select behaves when invoked like that and it seems not to be specified.

I believe the call to select() is correct. The first parameter should be an integer that is one greater than the number of the highest-numbered file descriptor, i.e., the highest-numbered file descriptor that select() should look at here is file descriptor #4, which means that select(5, ....) is correct.

What is probably happening is that the UDP reply packet from the KDC's kpasswd service is not reaching you, which could be caused by a firewall or other factors related to network topology. Can you get a packet trace on UDP port 464, both on the client's network and on the KDC's network?

> The (slightly sanitized) output of strace starting from the socket
> request for connecting to the KDC:
>
> 8006 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
> 8006 connect(4, {sa_family=AF_INET, sin_port=htons(464),
> sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
> 8006 getsockname(4, {sa_family=AF_INET, sin_port=htons(35498),
> sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006 gettimeofday({1252498115, 459404}, NULL) = 0
> 8006 gettimeofday({1252498115, 459444}, NULL) = 0
> 8006 select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
> 8006 gettimeofday({1252498116, 457725}, NULL) = 0
> 8006 gettimeofday({1252498116, 457765}, NULL) = 0
> 8006 select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006 gettimeofday({1252498118, 462172}, NULL) = 0
> 8006 gettimeofday({1252498118, 462214}, NULL) = 0
> 8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
> 8006 gettimeofday({1252498119, 461724}, NULL) = 0
> 8006 gettimeofday({1252498119, 461763}, NULL) = 0
> 8006 select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
> 8006 send(4, "[snipped 490 bytes]"..., 490, 0) = 490
> 8006 gettimeofday({1252498123, 466171}, NULL) = 0
> 8006 gettimeofday({1252498123, 466213}, NULL) = 0
> 8006 select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
> 8006 gettimeofday({1252498124, 465728}, NULL) = 0
> 8006 gettimeofday({1252498124, 465767}, NULL) = 0
> 8006 select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
> 8006 close(4) = 0
> 8006 write(2, "kpasswd", 7) = 7
> 8006 write(2, ": ", 2) = 2
> 8006 write(2, "Cannot contact any KDC for requested realm", 42) = 42
> 8006 write(2, " ", 1) = 1
> 8006 write(2, "changing password", 17) = 17
> 8006 write(2, "\r\n", 2) = 2
> 8006 exit_group(1) = ?
>
> End of strace output.
>
>
> I hope all this is helpful for finding the cause of the "Cannot contact
> ..." error.
>
> cheers
>
> Jan Sanders

From ghudson at MIT.EDU Wed Sep 9 11:08:31 2009
From: ghudson at MIT.EDU (Greg Hudson) Date: Wed, 09 Sep 2009 11:08:31 -0400 Subject: ldap-backend with kerberos In-Reply-To: <4AA77F8C.9070201@yahoo.de> References: <4AA77F8C.9070201@yahoo.de> Message-ID: <1252508911.18351.245.camel@ray>

On Wed, 2009-09-09 at 06:12 -0400, Julian Thomé wrote:
> Hello mailing list,
>
> We want to integrate Kerberos with our existing
> User-Authentication-System using PAM-LDAP thus ... we want to use ldap
> as a backend for kerberos.
> That means that user data like password, username, uid etc. is stored
> in the LDAP-DB and we want kerberos to use this data.
> Is this possible in this way ?

Yes, this is possible in krb5 1.6 and later. There are instructions in the admin guide. You may need a copy of the source tree to get kerberos.schema from.

Setup can be a little tricky to get right, depending on how familiar you are with your OpenLDAP setup.

From peter_sands at techemail.com Wed Sep 9 15:14:14 2009
From: peter_sands at techemail.com (peter sands) Date: Wed, 9 Sep 2009 12:14:14 -0700 (PDT) Subject: max life for a ticket Message-ID: <2042774b-7119-406b-9d24-36ed65cbca06@a7g2000yqo.googlegroups.com>

Hello,

What is the maximum ticket life in days or hours you can supply with the max_life stanza in krb5.conf

thanks
Pete.

From ghudson at MIT.EDU Wed Sep 9 17:01:16 2009
From: ghudson at MIT.EDU (Greg Hudson) Date: Wed, 09 Sep 2009 17:01:16 -0400 Subject: max life for a ticket In-Reply-To: <2042774b-7119-406b-9d24-36ed65cbca06@a7g2000yqo.googlegroups.com> References: <2042774b-7119-406b-9d24-36ed65cbca06@a7g2000yqo.googlegroups.com> Message-ID: <1252530076.18351.264.camel@ray>

On Wed, 2009-09-09 at 15:14 -0400, peter sands wrote:
> What is the maximum ticket life in days or hours you can supply with
> the max_life stanza in krb5.conf

In MIT krb5, the limit appears to be 2^31-1 seconds, based on my reading of the code.

From candrecn at gmail.com Thu Sep 10 08:16:40 2009
From: candrecn at gmail.com (Carlos André) Date: Thu, 10 Sep 2009 09:16:40 -0300 Subject: kpasswd changes password successfully but also complains about kdc not reachable In-Reply-To: References: <4AA79F57.4010005@TechFak.Uni-Bielefeld.DE> Message-ID:

Jan Sanders,

Probably u have a firewall problem like Tom said :)

Trace UDP/464 return from server to client... non-stateful firewalls, ACL on switches, etc...

On Wed, Sep 9, 2009 at 10:48 AM, Tom Yu wrote:
> Jan Sanders writes:
>
>> Hello List,
>>
>> on my client machine I can get kerberos tickets for my principal using
>> the correct principalname-password combination. I can also use kadmin on
>> the client machine providing the correct principalname-password
>> combination for an admin principal. Changing the password for a
>> principal is no problem using kadmin.
>> But then I try to use kpasswd on the client machine. I provide kpasswd
>> with the correct principalname-password combination and twice state
>> what the new password should be and then I wait for a couple of seconds
>> before kpasswd returns.
>> On returning it complains: Cannot contact any KDC for requested realm
>> But it also changed the password. After invoking kpasswd and observing
>> the above stated behaviour I have to provide the new password to obtain
>> a ticket.
>> Even though kpasswd works as advertised (changes the password) it will
>> cause some trouble telling users that the error message can safely be
>> ignored (if it can!!).
>>
>> Using strace I could see some timeouts of select syscalls.
>> kpasswd obtained a file descriptor for an IP connection, connects to the
>> KDC and successfully sends 490 bytes of data.
>> Then kpasswd uses the select syscall to monitor the file descriptor which
>> times out twice.
>> kpasswd resends the 490 bytes and again waits for two select syscalls to
>> time out.
>> Then again and finally returns with the "Cannot contact any KDC for
>> requested realm" complaint.
>>
>> strace was invoked like this:
>> #strace -o /tmp/kpasswd.strace -s 512 -f kpasswd testprinc
>>
>> What strikes me is the invocation of the select syscall. According to
>> the select specification the first parameter of the syscall is the
>> number of monitored file descriptors + 1. The select calls as used here
>> only monitor 2 file descriptors (better: one file descriptor is monitored
>> twice). The number of file descriptors is set to 5. I do not know how
>> select behaves when invoked like that and it seems not to be specified.
>
> I believe the call to select() is correct. The first parameter should
> be an integer that is one greater than the number of the
> highest-numbered file descriptor, i.e., the highest-numbered file
> descriptor that select() should look at here is file descriptor #4,
> which means that select(5, ....) is correct.
>
> What is probably happening is that the UDP reply packet from the KDC's
> kpasswd service is not reaching you, which could be caused by a
> firewall or other factors related to network topology. Can you get a
> packet trace on UDP port 464, both on the client's network and on the
> KDC's network?
>
>> The (slightly sanitized) output of strace starting from the socket
>> request for connecting to the KDC:
>>
>> 8006  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
>> 8006  connect(4, {sa_family=AF_INET, sin_port=htons(464),
>> sin_addr=inet_addr("[IP of KDC]")}, 16) = 0
>> 8006  getsockname(4, {sa_family=AF_INET, sin_port=htons(35498),
>> sin_addr=inet_addr("[IP of self, aka client machine]")}, [16]) = 0
>> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006  gettimeofday({1252498115, 459404}, NULL) = 0
>> 8006  gettimeofday({1252498115, 459444}, NULL) = 0
>> 8006  select(5, [4], [], [4], {0, 999960}) = 0 (Timeout)
>> 8006  gettimeofday({1252498116, 457725}, NULL) = 0
>> 8006  gettimeofday({1252498116, 457765}, NULL) = 0
>> 8006  select(5, [4], [], [4], {2, 1639}) = 0 (Timeout)
>> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006  gettimeofday({1252498118, 462172}, NULL) = 0
>> 8006  gettimeofday({1252498118, 462214}, NULL) = 0
>> 8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
>> 8006  gettimeofday({1252498119, 461724}, NULL) = 0
>> 8006  gettimeofday({1252498119, 461763}, NULL) = 0
>> 8006  select(5, [4], [], [4], {4, 409}) = 0 (Timeout)
>> 8006  send(4, "[snipped 490 bytes]"..., 490, 0) = 490
>> 8006  gettimeofday({1252498123, 466171}, NULL) = 0
>> 8006  gettimeofday({1252498123, 466213}, NULL) = 0
>> 8006  select(5, [4], [], [4], {0, 999958}) = 0 (Timeout)
>> 8006  gettimeofday({1252498124, 465728}, NULL) = 0
>> 8006  gettimeofday({1252498124, 465767}, NULL) = 0
>> 8006  select(5, [4], [], [4], {8, 404}) = 0 (Timeout)
>> 8006  close(4)                          = 0
>> 8006  write(2, "kpasswd", 7)            = 7
>> 8006  write(2, ": ", 2)                 = 2
>> 8006  write(2, "Cannot contact any KDC for requested realm", 42) = 42
>> 8006  write(2, " ", 1)                  = 1
>> 8006  write(2, "changing password", 17) = 17
>> 8006  write(2, "\r\n", 2)               = 2
>> 8006  exit_group(1)                     = ?
>>
>> End of strace output.
>>
>>
>> I hope all this is helpful for finding the cause of the "Cannot contact
>> ..." error.
>>
>> cheers
>>
>> Jan Sanders

From peter_sands at techemail.com Thu Sep 10 09:41:37 2009
From: peter_sands at techemail.com (peter sands) Date: Thu, 10 Sep 2009 06:41:37 -0700 (PDT) Subject: max life for a ticket References: <2042774b-7119-406b-9d24-36ed65cbca06@a7g2000yqo.googlegroups.com> Message-ID: <28b0ba6c-f9ea-4513-9584-cbeb03fadfb7@t13g2000yqn.googlegroups.com>

> In MIT krb5, the limit appears to be 2^31-1 seconds, based on my reading
> of the code.

thanks
Pete

From peter_sands at techemail.com Thu Sep 10 09:45:16 2009
From: peter_sands at techemail.com (peter sands) Date: Thu, 10 Sep 2009 06:45:16 -0700 (PDT) Subject: automatically refreshing tickets for all users Message-ID: <6929ab98-6fd9-48af-afe5-480becb7ae51@o10g2000yqa.googlegroups.com>

Hello,

Starting to get the hang of this slowly. One question I have is, is there a way where user root can automatically refresh all tickets for users. Do not seem to be able to get around where kinit keeps prompting the user for their own password.

thanks
Pete.

From frostisch at yahoo.de Thu Sep 10 12:02:24 2009
From: frostisch at yahoo.de (Julian Thomé) Date: Thu, 10 Sep 2009 18:02:24 +0200 Subject: ldap-backend with kerberos In-Reply-To: <1252508911.18351.245.camel@ray> References: <4AA77F8C.9070201@yahoo.de> <1252508911.18351.245.camel@ray> Message-ID: <4AA92310.7080005@yahoo.de>

Thank you very much so far, is it possible to compile the smbk5pwd-module, that it can be used with MIT kerberos so that we can sync passwords between ldap and kerberos ? It seems that this module with this configuration only works with heimdal-kerberos. Or are there any alternatives ?

Thank you !!

> On Wed, 2009-09-09 at 06:12 -0400, Julian Thomé wrote:
>
>> Hello mailing list,
>>
>> We want to integrate Kerberos with our existing
>> User-Authentication-System using PAM-LDAP thus ... we want to use ldap
>> as a backend for kerberos.
>> That means that user data like password, username, uid etc. is stored
>> in the LDAP-DB and we want kerberos to use this data.
>> Is this possible in this way ?
>>
>
> Yes, this is possible in krb5 1.6 and later. There are instructions in
> the admin guide. You may need a copy of the source tree to get
> kerberos.schema from.
>
> Setup can be a little tricky to get right, depending on how familiar you
> are with your OpenLDAP setup.

From Christian.Caron at NRCan-RNCan.gc.ca Fri Sep 11 08:56:21 2009
From: Christian.Caron at NRCan-RNCan.gc.ca (Caron, Christian) Date: Fri, 11 Sep 2009 08:56:21 -0400 Subject: Multiple Apache websites using Kerberos authentication (through the mod_auth_kerb module) Message-ID: <98CF07D50CB82044B99BC153F889C91D0DAA853A@S0-OTT-X3.nrn.nrcan.gc.ca>

Hi list,

We have been successful in having users authenticate through the Kerberos mechanism on one website. The website has the same name and uses the same IP as the server itself (this is the name that was used to create the Service Principal account).

When trying to use the same mechanism for a second website (different name, different IP, same physical server), it doesn't work.

Is it possible to have only one Service Principal account and "attach" multiple websites to it and how can we achieve that? We would like to minimize the number of accounts in AD (if possible, only one per physical server).

Thanks!

- Christian Caron

From michael at stroeder.com Fri Sep 11 06:37:22 2009
From: michael at stroeder.com (Michael Ströder) Date: Fri, 11 Sep 2009 12:37:22 +0200 Subject: ldap-backend with kerberos In-Reply-To: References: <4AA77F8C.9070201@yahoo.de> <1252508911.18351.245.camel@ray> Message-ID: <2slpn6-1q4.ln1@nb2.stroeder.com>

Julian Thomé wrote:
> is it possible to compile the smbk5pwd-module, that it can be used with
> MIT kerberos so that we can sync passwords between ldap and kerberos ?
> It seems that this module with this configuration only works with
> heimdal-kerberos.

OpenLDAP's slapo-smbk5pwd only works with heimdal since currently heimdal's and MIT's LDAP backends use different LDAP schema.

Ciao, Michael.

From ioplex at gmail.com Fri Sep 11 15:31:57 2009
From: ioplex at gmail.com (Michael B Allen) Date: Fri, 11 Sep 2009 15:31:57 -0400 Subject: Multiple Apache websites using Kerberos authentication (through the mod_auth_kerb module) In-Reply-To: <98CF07D50CB82044B99BC153F889C91D0DAA853A@S0-OTT-X3.nrn.nrcan.gc.ca> References: <98CF07D50CB82044B99BC153F889C91D0DAA853A@S0-OTT-X3.nrn.nrcan.gc.ca> Message-ID: <78c6bd860909111231x5c846199s941c38b3cd4cd7da@mail.gmail.com>

On Fri, Sep 11, 2009 at 8:56 AM, Caron, Christian wrote:
> Hi list,
>
> We have been successful in having users authenticate through the
> Kerberos mechanism on one website. The website has the same name and
> uses the same IP as the server itself (this is the name that was used to
> create the Service Principal account).
>
> When trying to use the same mechanism for a second website (different
> name, different IP, same physical server), it doesn't work.
>
> Is it possible to have only one Service Principal account and "attach"
> multiple websites to it and how can we achieve that? We would like to
> minimize the number of accounts in AD (if possible, only one per
> physical server).

Yes. Unfortunately because the MS ktpass.exe utility is very simple, it's not exactly easy. But first, perhaps it is better to explain how this works. Then you can actually make sense of the solution.

When a browser on an AD network authenticates with a website using Kerberos, it goes something like this (this is mostly the same for a non-AD Kerberos authority but most people are using AD so I'll describe it with AD specific language):

1. Browser looks at the URL and derives a Service Principal Name (SPN). For example, if the URL is http://www.example.com/ the SPN will be HTTP/www.example.com at EXAMPLE.COM. This is just simple text manipulation.

2. Browser asks AD for a "ticket" for that SPN. AD will search through all accounts for one that has a servicePrincipalName attribute that matches the supplied SPN.
If one matches, it uses that account and its corresponding password to create and return the requested ticket.

3. Browser submits the ticket to the HTTP server which decodes it (such as with mod_auth_kerb), looks at the SPN, key version number (kvno) and encryption type and tries to locate a keytab file entry that matches those three criteria exactly. If it finds one, it uses that keytab entry to decrypt the ticket and in doing so authenticate the client.

In your case, the relevant part is that the servicePrincipalName attribute on AD accounts is multi-valued. So you can add any number of SPNs to an account using either setspn.exe or ADSI Edit. AD will find the account by any of those names. In fact, people frequently use both long and short names like HTTP/as1.example.com and HTTP/as1 (note that the actual servicePrincipalName attribute value does not include the @EXAMPLE.COM domain part) so that people can authenticate with the site using either http://as1/ as well as http://as1.example.com/. Personally I think using the short names is a bad idea but it seems to work and the short name does not require Intranet zone configuration on the client browser.

Note that one thing to watch out for is that AD will fail to return a ticket if the SPN requested is found on more than one account (because it doesn't know which account to use). So be careful that you do not accidentally create multiple service accounts with the same SPN.

Now for the bad news. As I stated, ktpass.exe is very simple. It only generates a keytab with *one* entry. Uhg! So it will simply not do the job. However, if you know the password, you can create a keytab yourself using ktutil on a *nix machine with any number of entries. To do that, first run ktpass.exe once and make a note of the output. In particular you want to note the key version number (kvno), encryption type and of course the password you entered.
The encryption type might be displayed as a name whereas you will need to know the numeric value for that name. Currently this is usually RC4 which I believe is 23 (I don't remember off the top of my head).

Now run ktutil on *nix and create an entry for each SPN with the same password, encryption type and kvno, save the keytab and use that with mod_auth_kerb.

There are also utilities that can set the password and generate a keytab with multiple SPNs in one go. Also, professional software that does Kerberos auth usually includes some capability to do all of this for you. If you're using a bare-bones solution like mod_auth_kerb, it's up to you to create a keytab.

Good luck,
Mike

-- Michael B Allen PHP Active Directory Integration http://www.ioplex.com/plexcel.html

From Christian.Caron at NRCan-RNCan.gc.ca Fri Sep 11 17:58:58 2009
From: Christian.Caron at NRCan-RNCan.gc.ca (Caron, Christian) Date: Fri, 11 Sep 2009 17:58:58 -0400 Subject: RE : Multiple Apache websites using Kerberos authentication (through the mod_auth_kerb module) References: <98CF07D50CB82044B99BC153F889C91D0DAA853A@S0-OTT-X3.nrn.nrcan.gc.ca> <78c6bd860909111231x5c846199s941c38b3cd4cd7da@mail.gmail.com> Message-ID: <98CF07D50CB82044B99BC153F889C91D31977B@S0-OTT-X3.nrn.nrcan.gc.ca>

Very detailed information. I'll give it a try in the lab and I'm pretty sure it will work as expected.

Thanks a lot!

From frostisch at yahoo.de Tue Sep 15 11:02:40 2009
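Steps 1 and 3 of Mike's explanation above, worked through in code as an added example (not code from the thread, from mod_auth_kerb or from ktutil): it builds a two-SPN keytab in MIT's 0x0502 file layout, one account and one key shared by both entries with the same kvno and enctype, derives the SPN from a URL, and shows that the server-side lookup succeeds only when principal, kvno and enctype all match. The realm, host names and key bytes are constructed for the example.

```python
"""Keytab lookup as the HTTP server does it: match (SPN, kvno, enctype) exactly.
Added example; realm, hosts and key bytes are constructed, not real."""
import struct
from urllib.parse import urlparse

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2
ENCTYPE_RC4_HMAC = 23        # numeric value behind the name "rc4-hmac"
NT_PRINCIPAL = 1             # name type MIT writes for ordinary principals


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialize one entry, prefixed with its int32 record length."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)  # type, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # 32-bit kvno, as newer ktutil writes
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key) tuples."""
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes):
    """Return [{'principal', 'kvno', 'enctype', 'key'}, ...] for each live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _ntype, _stamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def spn_from_url(url: str, realm: str) -> str:
    """Step 1: the browser turns the URL host into HTTP/<host>@REALM."""
    return f"HTTP/{urlparse(url).hostname}@{realm}"


def find_key(entries, spn: str, kvno: int, enctype: int):
    """Step 3: principal, kvno and enctype must all match; None otherwise."""
    for e in entries:
        if (e["principal"], e["kvno"], e["enctype"]) == (spn, kvno, enctype):
            return e["key"]
    return None


# Constructed sample: one AD account, one password-derived key, two SPNs,
# every entry sharing kvno 3 and rc4-hmac, the layout the ktutil recipe gives.
SAMPLE_KEY = bytes(range(16))
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/www.example.com@EXAMPLE.COM", 3, ENCTYPE_RC4_HMAC, SAMPLE_KEY),
    ("HTTP/intranet.example.com@EXAMPLE.COM", 3, ENCTYPE_RC4_HMAC, SAMPLE_KEY),
])


def key_for_ticket(url: str, kvno: int, enctype: int,
                   keytab: bytes = SAMPLE_KEYTAB, realm: str = "EXAMPLE.COM"):
    """Server side: derive the SPN, then match the ticket's (kvno, enctype)
    against the keytab.  None means this keytab cannot decrypt the ticket
    (unknown host name, stale kvno after a password reset, missing enctype)."""
    return find_key(parse_keytab(keytab), spn_from_url(url, realm), kvno, enctype)


if __name__ == "__main__":
    print(key_for_ticket("http://intranet.example.com/app", 3, 23) == SAMPLE_KEY)
    print(key_for_ticket("http://intranet.example.com/app", 4, 23))  # stale kvno
```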
From: frostisch at yahoo.de (Julian Thomé)
Date: Tue, 15 Sep 2009 17:02:40 +0200
Subject: ldap-backend with kerberos
In-Reply-To: <2slpn6-1q4.ln1@nb2.stroeder.com>
References: <4AA77F8C.9070201@yahoo.de> <1252508911.18351.245.camel@ray> <2slpn6-1q4.ln1@nb2.stroeder.com>
Message-ID: <4AAFAC90.6090900@yahoo.de>

Thank you,

Now we want new users to be automatically available as kerberos principals. We want to create our user-accounts directly in LDAP. For each user created in the ldap we need a kerberos principal with the same password of his unix-account. For authentication kerberos should be used.

Is it possible (with the smbk5pwd-Module), to give newly created ldap-entries (posixAccounts) a kerberos-password automatically?

Thanks!!

Bye
Julian

> Julian Thomé wrote:
>
>> is it possible to compile the smbk5pwd-module, that it can be used with
>> MIT kerberos so that we can sync passwords between ldap and kerberos ?
>> It seems that this module with this configuration only works with
>> heimdal-kerberos.
>>
>
> OpenLDAP's slapo-smbk5pwd only works with heimdal since currently heimdal's
> and MIT's LDAP backends use different LDAP schema.
>
> Ciao, Michael.

From magicaldev at gmail.com Tue Sep 15 17:51:49 2009
From: magicaldev at gmail.com (dxv7631)
Date: Tue, 15 Sep 2009 14:51:49 -0700 (PDT)
Subject: Network Security Protocol like Kerberos
Message-ID: <25462467.post@talk.nabble.com>

Hi All,
I have a simple question regarding Kerberos. Is there any Network Security Protocol like Kerberos? If yes please give some examples.

From lukeh at padl.com Wed Sep 16 02:06:00 2009
From: lukeh at padl.com (Luke Howard)
Date: Wed, 16 Sep 2009 08:06:00 +0200
Subject: Network Security Protocol like Kerberos
In-Reply-To: <25462467.post@talk.nabble.com>
References: <25462467.post@talk.nabble.com>
Message-ID: <24946EDB-FCF8-451C-9C39-66A20888EE90@padl.com>

Hmm, maybe DASS? http://www.faqs.org/rfcs/rfc1507.html

-- Luke

On 15/09/2009, at 11:51 PM, dxv7631 wrote:

> Hi All,
> I have a simple question regarding Kerberos. Is there any Network Security
> Protocol like Kerberos? If yes please give some examples.

-- 
www.padl.com | www.fghr.net

From deengert at anl.gov Wed Sep 16 09:08:24 2009
From: deengert at anl.gov (Douglas E. Engert)
Date: Wed, 16 Sep 2009 08:08:24 -0500
Subject: Network Security Protocol like Kerberos
In-Reply-To: <25462467.post@talk.nabble.com>
References: <25462467.post@talk.nabble.com>
Message-ID: <4AB0E348.8030008@anl.gov>

dxv7631 wrote:
> Hi All,
> I have a simple question regarding Kerberos. Is there any Network Security
> Protocol like Kerberos? If yes please give some examples.

"like" is a very vague term. What are you trying to do?

Hmm, maybe Globus GSI?

Google for Globus GSI

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From michael at stroeder.com Wed Sep 16 09:16:39 2009
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 16 Sep 2009 15:16:39 +0200
Subject: ldap-backend with kerberos
In-Reply-To:
References: <4AA77F8C.9070201@yahoo.de> <1252508911.18351.245.camel@ray> <2slpn6-1q4.ln1@nb2.stroeder.com>
Message-ID:

Julian Thomé wrote:
>
> Now we want new users to be automatically available as kerberos principals.
> We want to create our user-accounts directly in LDAP. For each user
> created in the ldap we need a kerberos principal with the same password
> of his unix-account.

Yes, I understand that quite well.

> For authentication kerberos should be used.
> Is it possible (with the smbk5pwd-Module), to give newly created
> ldap-entries (posixAccounts) a kerberos-password automatically ??

As already said:

> Michael Ströder wrote:
>> OpenLDAP's slapo-smbk5pwd only works with heimdal since currently
>> heimdal's and MIT's LDAP backends use different LDAP schema.

Again: Yes, it is possible with heimdal as KDC. But not with MIT Kerberos.

slapo-smbk5pwd intercepts and handles the Password Modify extended operation request. So you have to use that instead of a simple modify request when setting the password.

Ciao, Michael.

From suma.s.gururaj at gmail.com Wed Sep 16 02:34:41 2009
From: suma.s.gururaj at gmail.com (suma)
Date: Tue, 15 Sep 2009 23:34:41 -0700 (PDT)
Subject: Replay I/O operation failed XXX message
Message-ID: <7e0828fd-9257-4fcd-a607-af1b5831487c@g1g2000vbr.googlegroups.com>

Hi,

I am running several Kerberos authentications in a multithreaded application. The application abruptly stopped with the message "Replay I/O operation failed XXX".

When would the GSSAPI throw this error? Did the I/O not go through...

Any pointers are appreciated.

Thanks,
--Suma

From daniel.savard at gmail.com Wed Sep 16 10:19:50 2009
From: daniel.savard at gmail.com (Daniel Savard)
Date: Wed, 16 Sep 2009 10:19:50 -0400
Subject: Network Security Protocol like Kerberos
In-Reply-To: <4AB0E348.8030008@anl.gov>
References: <25462467.post@talk.nabble.com> <4AB0E348.8030008@anl.gov>
Message-ID: <1ba2520b0909160719t734de225we36e204b749eb0fc@mail.gmail.com>

2009/9/16 Douglas E. Engert

> dxv7631 wrote:
> > Hi All,
> > I have a simple question regarding Kerberos. Is there any Network Security
> > Protocol like Kerberos? If yes please give some examples.
>
> "like" is a very vague term. What are you trying to do?
>
> Hmm, maybe Globus GSI?
>
> Google for Globus GSI
>

And why not Kerberos? What shortcomings are you trying to avoid?

-- 
-----------------
Daniel Savard

From raeburn at MIT.EDU Wed Sep 16 14:23:53 2009
From: raeburn at MIT.EDU (Ken Raeburn)
Date: Wed, 16 Sep 2009 14:23:53 -0400
Subject: Replay I/O operation failed XXX message
In-Reply-To: <7e0828fd-9257-4fcd-a607-af1b5831487c@g1g2000vbr.googlegroups.com>
References: <7e0828fd-9257-4fcd-a607-af1b5831487c@g1g2000vbr.googlegroups.com>
Message-ID:

On Sep 16, 2009, at 02:34, suma wrote:
> I am running several Kerberos authentications in a multithreaded
> application. The application abruptly stopped with the message
> "Replay I/O operation failed XXX"
>
> When would the GSSAPI throw this error. Did the I/O not go through...

It should probably say "Replay cache I/O operation failed", and give some more detail. Unfortunately, there are several places where some kind of failing operation on the replay cache gets mapped into this one internal error code. My first guess would be that a replay cache might have been left around under a different uid; it's expected that all services sharing a given principal will operate under the same uid, since they all need access to the same service principal key.

Ken

From leonard.peirce at gmail.com Wed Sep 16 15:33:19 2009
From: leonard.peirce at gmail.com (Leonard J. Peirce)
Date: Wed, 16 Sep 2009 12:33:19 -0700 (PDT)
Subject: addprinc -randkey broken in 1.7?
Message-ID:

When running (in kadmin)

addprinc -randkey host/host.domain

I get a complaint about the password not containing enough character classes. Did I miss something? Not really a big deal since I can just specify a password.

It used to work in 1.6.

- Leonard

From hardjono at MIT.EDU Wed Sep 16 15:58:24 2009
From: hardjono at MIT.EDU (Thomas Hardjono)
Date: Wed, 16 Sep 2009 15:58:24 -0400
Subject: Network Security Protocol like Kerberos
In-Reply-To: <25462467.post@talk.nabble.com>
References: <25462467.post@talk.nabble.com>
Message-ID: <84CCEFE8EA8A94499391B96064A1B24D12C28AEDC6@w92expo4.exchange.mit.edu>

________________________________________
>> From: kerberos-bounces at MIT.EDU [kerberos-bounces at MIT.EDU] On Behalf Of dxv7631 [magicaldev at gmail.com]
>> Sent: Tuesday, September 15, 2009 5:51 PM
>> To: kerberos at mit.edu
>> Subject: Network Security Protocol like Kerberos
>>
>> Hi All,
>> I have a simple question regarding Kerberos. Is there any Network Security
>> Protocol like Kerberos? If yes please give some examples.
>> --

You may need to be specific about the term "network".

If you are looking for a plain IP layer (layer 3) pair-wise authentication protocol there is IKE (for IPsec) and some password based protocols that can be used at the IP layer (e.g. CHAP).

If you are looking at layer-2 and "layer 2.5", there is a whole slew of pair-wise "authentication protocols" that are enveloped within the EAP protocol (as EAP-methods). Examples: EAP-TLS, EAP-TTLS, EAP-FAST, etc. etc. Plus there are the IEEE802 related MAC-layer security protocols. There is no reason why one could not run EAP directly above IP.

If you are looking for a "network admission/control protocol" (which includes the end-point authentication), then you should look at the NAE (TNC) set of protocols in the IETF NEA WG. Its vendor/proprietary counterparts are CNAC (Cisco) and NAP (Microsoft).

/thomas/

From rra at stanford.edu Wed Sep 16 16:13:13 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 16 Sep 2009 13:13:13 -0700
Subject: addprinc -randkey broken in 1.7?
In-Reply-To: (Leonard J. Peirce's message of "Wed, 16 Sep 2009 12:33:19 -0700 (PDT)")
References:
Message-ID: <87pr9q8x7q.fsf@windlord.stanford.edu>

"Leonard J. Peirce" writes:

> When running (in kadmin)

> addprinc -randkey host/host.domain

> I get a complaint about the password not containing enough character
> classes. Did I miss something? Not really a big deal since I can
> just specify a password.

> It used to work in 1.6.

addprinc -randkey hasn't worked for principals that have a password policy set for some time for me. The way -randkey works under the hood is that it adds the principal disabled with a fixed password (which is indeed pretty bad except that it's very long), then randomizes the key, and then enables the principal.

This has other strange artifacts (or at least did -- I don't know if they've been fixed). For example, adding a principal with -randkey and -disallow_all_tix results in an enabled principal, ignoring the -disallow_all_tix option.

-- 
Russ Allbery (rra at stanford.edu)

From mdw at umich.edu Wed Sep 16 17:04:00 2009
From: mdw at umich.edu (Marcus Watts)
Date: Wed, 16 Sep 2009 17:04:00 -0400
Subject: addprinc -randkey broken in 1.7?
In-Reply-To: <87pr9q8x7q.fsf@windlord.stanford.edu>
References: <87pr9q8x7q.fsf@windlord.stanford.edu>
Message-ID:

Russ Allbery writes:
> Date: Wed, 16 Sep 2009 13:13:13 PDT
> To: "Leonard J. Peirce"
> cc: kerberos at mit.edu
> From: Russ Allbery
> Subject: Re: addprinc -randkey broken in 1.7?
>
> "Leonard J. Peirce" writes:
>
> > When running (in kadmin)
> >
> > addprinc -randkey host/host.domain
> >
> > I get a complaint about the password not containing enough character
> > classes. Did I miss something? Not really a big deal since I can
> > just specify a password.
> >
> > It used to work in 1.6.
>
> addprinc -randkey hasn't worked for principals that have a password policy
> set for some time for me. The way -randkey works under the hood is that
> it adds the principal disabled with a fixed password (which is indeed
> pretty bad except that it's very long), then randomizes the key, and then
> enables the principal.
>
> This has other strange artifacts (or at least did -- I don't know if
> they've been fixed). For example, adding a principal with -randkey and
> -disallow_all_tix results in an enabled principal, ignoring the
> -disallow_all_tix option.

Ah! I have a patch for this. I thought I had submitted this to MIT long since, but I can't find any record that this happened. Here's the patch:

/afs/umich.edu/user/m/d/mdw/build/krb5.15x/patches/krb5-1.6.3-ankfix1.patch

This changes the protocol to use a 'null' password to indicate randkey operation. If a new client talks to an old server, the behavior is to fall back to the old case. Obviously this was for 1.6.3, but it might apply to 1.7.

-Marcus Watts

From mikef at berkeley.edu Wed Sep 16 18:39:37 2009
From: mikef at berkeley.edu (Mike Friedman)
Date: Wed, 16 Sep 2009 15:39:37 -0700 (PDT)
Subject: addprinc -randkey broken in 1.7?
In-Reply-To: <87pr9q8x7q.fsf@windlord.stanford.edu>
References: <87pr9q8x7q.fsf@windlord.stanford.edu>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Sep 2009 at 13:13 (-0700), Russ Allbery wrote:

> "Leonard J. Peirce" writes:
>
>> When running (in kadmin)
>
>> addprinc -randkey host/host.domain
>
>> I get a complaint about the password not containing enough character
>> classes. Did I miss something? Not really a big deal since I can just
>> specify a password.
>
>> It used to work in 1.6.
>
> addprinc -randkey hasn't worked for principals that have a password
> policy set for some time for me. The way -randkey works under the hood
> is that it adds the principal disabled with a fixed password (which is
> indeed pretty bad except that it's very long), then randomizes the key,
> and then enables the principal.

Russ,

I'm running 1.6.3 and don't have this problem. In fact, looking at the code in src/kadmin/cli/kadmin.c, it appears that when '-randkey' is used for addprinc, the password is set initially to a 256 character string containing all possible character values from 1 thru 255 plus a terminating 0 (and then randomized in a separate step). This, I would think, should satisfy any password policy.

OK, so maybe I'm misinterpreting the code. But the fact is that I add host principals with -randkey all the time with no problem. I've been doing this for several releases up to and including our current 1.6.3. We may go to 1.7 soon, so possibly something's changed there, but in the meantime, could someone clarify all this?

Thanks.
_________________________________________________________________________
Mike Friedman
Information Services & Technology
mikef at berkeley.edu
2484 Shattuck Avenue
1-510-642-1410
University of California at Berkeley
http://mikef.berkeley.edu
http://ist.berkeley.edu
_________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkqxaSkACgkQFgKSfLOvZ1R4AQCfXFXtJkRSnWJ674knaWY9lwep
v4QAnjeWdiKCZmF3U84Jvc5hcQpLU2px
=FcNU
-----END PGP SIGNATURE-----

From rra at stanford.edu Wed Sep 16 18:50:13 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 16 Sep 2009 15:50:13 -0700
Subject: addprinc -randkey broken in 1.7?
In-Reply-To: (Mike Friedman's message of "Wed, 16 Sep 2009 15:39:37 -0700 (PDT)")
References: <87pr9q8x7q.fsf@windlord.stanford.edu>
Message-ID: <87ljkezeqi.fsf@windlord.stanford.edu>

Mike Friedman writes:

> I'm running 1.6.3 and don't have this problem. In fact, looking at the
> code in src/kadmin/cli/kadmin.c, it appears that when '-randkey' is used
> for addprinc, the password is set initially to a 256 character string
> containing all possible character values from 1 thru 255 plus a
> terminating 0 (and then randomized in a separate step). This, I would
> think, should satisfy any password policy.

Well, it's certainly rejected by our password policy. :) I don't know how it interacts with the character class checking. We have to always clear policies on keys before using randkey.

-- 
Russ Allbery (rra at stanford.edu)

From ghudson at MIT.EDU Wed Sep 16 23:29:12 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Wed, 16 Sep 2009 23:29:12 -0400
Subject: addprinc -randkey broken in 1.7?
In-Reply-To:
References: <87pr9q8x7q.fsf@windlord.stanford.edu>
Message-ID: <1253158152.9347.37.camel@ray>

On Wed, 2009-09-16 at 18:39 -0400, Mike Friedman wrote:
> OK, so maybe I'm misinterpreting the code. But the fact is that I add
> host principals with -randkey all the time with no problem. I've been
> doing this for several releases up to and including our current 1.6.3.
> We may go to 1.7 soon, so possibly something's changed there, but in the
> meantime, could someone clarify all this?

Here's the history of the temporary password used for addprinc -randkey:

* Through krb5 1.1, it was "dummy", which would fail any password policy requiring multiple character classes or more than five characters. This might explain Russ's experiences.

* In r9210 (October 1996), it was changed to a 255 byte string containing all possible nonzero byte values, which would pass any policy with a reasonable minimum length. I believe this change first hit the field in krb5 1.2.

* In r20650 (August 2008), it was changed to 255 weakly random lowercase letters, which would fail any policy requiring multiple character classes. According to the commit log, this was to avoid a problem where the RC4 string-to-key function requires the password to be valid UTF-8. This change first hit the field in krb5 1.7.

It would be trivial to fix this regression by picking a temporary password which is valid UTF-8 but still contains all five character classes. I think that will be the best minimal fix for 1.7.1. For the trunk, time permitting, I will review and apply Marcus Watts's patch, which is a more elegant solution.

From rra at stanford.edu Thu Sep 17 00:13:00 2009
From: rra at stanford.edu (Russ Allbery)
Date: Wed, 16 Sep 2009 21:13:00 -0700
Subject: addprinc -randkey broken in 1.7?
In-Reply-To: <1253158152.9347.37.camel@ray> (Greg Hudson's message of "Wed, 16 Sep 2009 23:29:12 -0400")
References: <87pr9q8x7q.fsf@windlord.stanford.edu> <1253158152.9347.37.camel@ray>
Message-ID: <874or2w6nn.fsf@windlord.stanford.edu>

Greg Hudson writes:

> Here's the history of the temporary password used for addprinc -randkey:

> * Through krb5 1.1, it was "dummy", which would fail any password
> policy requiring multiple character classes or more than five
> characters. This might explain Russ's experiences.

> * In r9210 (October 1996), it was changed to a 255 byte string
> containing all possible nonzero byte values, which would pass any policy
> with a reasonable minimum length. I believe this change first hit the
> field in krb5 1.2.

Ah, sorry, my experience is better explained by the fact that we patch the KDC to apply cracklib checks on a password policy, and cracklib fails this password. Sorry about the confusion.

-- 
Russ Allbery (rra at stanford.edu)

From kerberos at noopy.org Thu Sep 17 13:03:20 2009
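A worked illustration of the three placeholder passwords Greg lists above and of the shape of the fix he proposes, added here as an example. It is not MIT code and the strings are reconstructed by shape only (the literal values in kadmin.c are not reproduced). The class counting mirrors what I understand MIT's built-in policy check to do (lower, upper, digit, punctuation, everything else), evaluated per byte the way C-locale ctype would, and the UTF-8 decode stands in for the RC4 string-to-key precondition that r20650 worked around. The policy thresholds and the 257-byte length of the fixed placeholder are assumptions made for the demonstration.

```python
import random
import string
from typing import Optional

# ASCII class membership, per byte, as a C-locale ctype test would see it.
LOWER = set(string.ascii_lowercase.encode())
UPPER = set(string.ascii_uppercase.encode())
DIGIT = set(string.digits.encode())
PUNCT = set(string.punctuation.encode())


def char_classes(pw: bytes) -> int:
    """Count distinct classes present: lower, upper, digit, punct and
    "other" (control bytes, space and anything >= 0x80)."""
    seen = set()
    for b in pw:
        if b in LOWER:
            seen.add("lower")
        elif b in UPPER:
            seen.add("upper")
        elif b in DIGIT:
            seen.add("digit")
        elif b in PUNCT:
            seen.add("punct")
        else:
            seen.add("other")
    return len(seen)


def policy_check(pw: bytes, min_length: int = 8, min_classes: int = 2) -> Optional[str]:
    """None if the password passes, else the reason. Only the length and
    class rules are modelled; the real policy also has dictionary/history checks."""
    if len(pw) < min_length:
        return "too short"
    if char_classes(pw) < min_classes:
        return "too few character classes"
    return None


def rc4_string_to_key_accepts(pw: bytes) -> bool:
    """RC4-HMAC string-to-key (RFC 4757) hashes the UTF-16LE form of the
    password, so the input must first decode as UTF-8."""
    try:
        pw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


# The three generations of placeholder from Greg's history, by shape only.
DUMMY_PRE_1_2 = b"dummy"
ALL_BYTES_1_2 = bytes(range(1, 256))      # every non-zero byte value once


def lowercase_1_7(seed: Optional[int] = None) -> bytes:
    """255 weakly random lowercase letters: valid UTF-8, but one class."""
    rng = random.Random(seed)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(255)).encode()


def placeholder_with_all_classes(seed: Optional[int] = None) -> bytes:
    """Shape of the proposed fix: valid UTF-8 *and* all five classes.
    Any string of this form works; the exact string MIT chose is not
    reproduced here (assumption)."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    body = "".join(rng.choice(alphabet) for _ in range(251))
    # Guarantee each class: lower, upper, digit, punct, and one non-ASCII
    # character whose UTF-8 bytes (0xC3 0xA9) land in the "other" class.
    return (body + "aZ9!\u00e9").encode("utf-8")


def evaluate(pw: bytes, min_classes: int = 2) -> dict:
    """What a policy with `min_classes` and the RC4 s2k would each say."""
    return {
        "policy": policy_check(pw, min_classes=min_classes),
        "rc4_s2k_ok": rc4_string_to_key_accepts(pw),
        "classes": char_classes(pw),
    }


if __name__ == "__main__":
    for label, pw in [("dummy", DUMMY_PRE_1_2), ("bytes 1..255", ALL_BYTES_1_2),
                      ("lowercase", lowercase_1_7(0)),
                      ("all classes", placeholder_with_all_classes(0))]:
        print(f"{label:13} {evaluate(pw)}")
```

Running it shows the regression in one table: the 1..255 string passes any class count but is not UTF-8, the 1.7 lowercase string is UTF-8 but has a single class, and only the last one satisfies both, which is why a policy with min_classes set is what exposes the 1.7 change.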
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Thu, 17 Sep 2009 13:03:20 -0400
Subject: Zero-length entry in a keytab: why?!
Message-ID:

Hello,

I came across an issue when working with the keytab file format (0x502). My code follows the instructions at http://www.ioplex.com/utilities/keytab.txt and I've been able to parse/verify all the keytabs in my environment -- until today -- when I came across a keytab whose int32_t size for a particular entry was *zero*, not a negative number, but *zero*. This caused my code to explode and not be able to parse the keytab any further -- even though I can use klist and ktutil to read the keytab and can kinit using the same keytab.

Following the keytab format document, I'd expect that "holes" in a keytab would be represented by a negative number and by using an unsigned integer I'd just read X bytes to get to the next entry. However, the zero length of my entry is really throwing me off because I'm not sure if I should seek(...) forwards or backwards to read the next entry or if there is another way to deal with a zero-length entry or if it's all a lost cause or what have you.

Why might the entry length be zero? And if the zero does indeed represent a hole in the keytab, how many bytes do I have to read to skip the hole and move to the next entry?

-- K

From ghudson at MIT.EDU Thu Sep 17 17:05:31 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 17 Sep 2009 17:05:31 -0400
Subject: Zero-length entry in a keytab: why?!
In-Reply-To:
References:
Message-ID: <1253221531.9347.47.camel@ray>

On Thu, 2009-09-17 at 13:03 -0400, kerberos at noopy.org wrote:
> Why might the entry length be zero? And if the zero does indeed
> represent a hole in the keytab, how many bytes do I have to read to
> skip the hole and move to the next entry?

By my reading of the MIT krb5 code, you can treat a zero-value length entry as the end of the keytab. (I wasn't able to figure out any normal sequence of events which would lead to such an entry in our code base, but I didn't look too hard.)

From kerberos at noopy.org Thu Sep 17 17:33:37 2009
From: kerberos at noopy.org (kerberos@noopy.org)
Date: Thu, 17 Sep 2009 17:33:37 -0400
Subject: Zero-length entry in a keytab: why?!
In-Reply-To: <1253221531.9347.47.camel@ray>
References: <1253221531.9347.47.camel@ray>
Message-ID:

On Thu, Sep 17, 2009 at 5:05 PM, Greg Hudson wrote:
> On Thu, 2009-09-17 at 13:03 -0400, kerberos at noopy.org wrote:
>> Why might the entry length be zero? And if the zero does indeed
>> represent a hole in the keytab, how many bytes do I have to read to
>> skip the hole and move to the next entry?
>
> By my reading of the MIT krb5 code, you can treat a zero-value length
> entry as the end of the keytab. (I wasn't able to figure out any normal
> sequence of events which would lead to such an entry in our code base,
> but I didn't look too hard.)

Unfortunately for me the zero-value entry appears somewhere in the middle of the keytab! Arggh!

Looking at my code further, if I assign a bytesRemain variable to entryLength and decrement bytesRemain by bytesRead each time I read an item from a keytab entry I've noticed there are *definitely* holes throughout the keytab -- or at very least chunks that I can't explain -- such that (bytesRemain > 0) for some but not all entries. During this re-examination I thought bytesRemain might actually represent uint32_t vno but the size of bytesRemain varies greatly (sometimes 5, sometimes 8, sometimes whatever else) so I am not sure that I'm seeing vno.

As described in http://www.ioplex.com/utilities/keytab.txt:

"The last field of the keytab_entry structure is optional. If the size of the keytab_entry indicates that there are at least 4 bytes remaining, a 32 bit value representing the key version number is present."

When I modify my code to seek(...) bytesRemain positions ahead, I can get further in reading the keytab than I did previously but it still ends up barfing someplace or another.

What are your thoughts about me actually forgetting to deal with vno hence the "holes" I'm seeing?
Also, if I'm understanding vno correctly, how would it even be possible for a 32-bit value to be 8, 15, or 24 characters long?! :-)

FWIW, for the keytabs that I write *myself* I *never* have the problem I'm explaining here. This keytab was created by one of our vendor's apps and something is amiss.

-- K

From epeisach at MIT.EDU Thu Sep 17 20:34:13 2009
From: epeisach at MIT.EDU (Ezra Peisach)
Date: Thu, 17 Sep 2009 20:34:13 -0400
Subject: Zero-length entry in a keytab: why?!
Message-ID: <4AB2D585.5050700@mit.edu>

Howdy,

a) You describe a variable bytesRemain - neither MIT nor Heimdal use such a variable - so this might be your code.

b) You mention a vendor app writing such a keytab with holes - care to mention who? I suspect they might have extended their definition of a keytab in a non-standard way... You can ask the vendor...

c) If the size field is 0, I can envision that this means the rest of the structure is empty. I agree with Greg in a preliminary reading of the MIT code that a size of zero is treated as an end of keytab. A quick reading of Heimdal's code looks like it would ignore the size field being zero and try to continue parsing the keytab until EOF. Shishi does not handle negative sizes....

d) Heimdal has another extension - after the version number, if there are 4 bytes - a flag for the entry can be stored.... Not sure off hand what for...

e) You mention that klist and ktutil can read the keytab - which vendor program are you using? I suspect not MIT.

So - I suspect that this might be caused by some vendor's interpretation of a keytab...

From suma.s.gururaj at gmail.com Fri Sep 18 00:48:06 2009
From: suma.s.gururaj at gmail.com (suma)
Date: Thu, 17 Sep 2009 21:48:06 -0700 (PDT)
Subject: Replay I/O operation failed XXX message
References: <7e0828fd-9257-4fcd-a607-af1b5831487c@g1g2000vbr.googlegroups.com>
Message-ID:

On Sep 16, 11:23 pm, Ken Raeburn wrote:
> On Sep 16, 2009, at 02:34, suma wrote:
>
> > I am running several Kerberos authentications in a multithreaded
> > application. The application abruptly stopped with the message
> > "Replay I/O operation failed XXX"
>
> > When would the GSSAPI throw this error. Did the I/O not go through...
>
> It should probably say "Replay cache I/O operation failed", and give
> some more detail. Unfortunately, there are several places where some
> kind of failing operation on the replay cache gets mapped into this
> one internal error code. My first guess would be that a replay cache
> might have been left around under a different uid; it's expected that
> all services sharing a given principal will operate under the same
> uid, since they all need access to the same service principal key.
>
> Ken

Hi Ken and All,

Thanks for your reply. Appreciate it.

I modified my program to see if the multiple threads are causing the I/O error. Now my program is single-threaded and performs the following in a loop.

1. Get TGT
2. Sleep for 2 mins - to ensure the ST and the timestamp are unique
3. Obtain ST
4. Authenticate a user.
5. Get a session for this user and disconnect the session.

When the program is run for a longer duration - typically after an hour - I run into the "Replay I/O operation failed XXX" error.

I am using the kerberos login module from JAAS for authentication.
Below is the Java code that I am using to create the ST

==============================================================
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Every call below can throw GSSException; the enclosing method must
// declare "throws GSSException" or catch it.
GSSManager manager = GSSManager.getInstance();

// Kerberos V5 GSS-API mechanism OID (RFC 1964)
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");

// Client principal; its TGT comes from the JAAS Kerberos login module
GSSName clientName = manager.createName(m_user, GSSName.NT_USER_NAME);
GSSCredential clientCreds = manager.createCredential(
        clientName,
        GSSCredential.DEFAULT_LIFETIME,
        krb5Mechanism,
        GSSCredential.INITIATE_ONLY);

// Service principal (SPN) for which the service ticket is obtained
GSSName peerName = manager.createName(m_spnName, null);
GSSContext secContext = manager.createContext(
        peerName,
        krb5Mechanism,
        clientCreds,
        GSSContext.DEFAULT_LIFETIME);
==============================================================

Am I doing something wrong that is causing the Replay I/O error?

I sincerely appreciate any pointers.

Thanks,
--Suma

From noopy.org at gmail.com Fri Sep 18 07:17:32 2009
From: noopy.org at gmail.com (Nathan Patwardhan)
Date: Fri, 18 Sep 2009 07:17:32 -0400
Subject: Zero-length entry in a keytab: why?!
In-Reply-To: <4AB2D585.5050700@mit.edu>
References: <4AB2D585.5050700@mit.edu>
Message-ID:

On Thu, Sep 17, 2009 at 8:34 PM, Ezra Peisach wrote:
> ---------- Forwarded message ----------
> From: Ezra Peisach
> To: kerberos at noopy.edu
> Date: Thu, 17 Sep 2009 20:34:13 -0400
> Subject: Re: Zero-length entry in a keytab: why?!
> Howdy,
>
> a) You describe a variable bytesRemain - neither MIT nor Heimdal use such a
> variable - so this might be your code.

Yes, these variables are in my code. Thought I'd mentioned that. Sorry if I wasn't clear. :-(

>
> b) You mention a vendor app writing such a keytab with holes - care to
> mention who? I suspect they might have extended their definition of a keytab
> in a non-standard way... You can ask the vendor...

Centrify.

> d) Heimdal has another extension -after the version number, if there are 4
> bytes - a flag for the entry can be stored.... Not sure off hand what for...

Yeah, I think this describes what I'm seeing -- even if not specific to Heimdal.

http://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html
http://www.h5l.org/manual/heimdal-1-2-branch/krb5/page_fileformats.html

>
> e) You mention that klist and ktutil can read the keytab - which vendor
> program are you using? I suspect not MIT.

If I'm seeing things correctly, Centrify ships with its own version of the MIT binaries (klist, kinit, etc). But your assertion made me think about Heimdal a lot. I am going to read their keytab code and see if I can understand where things might be amiss here. Certainly there are many, many cases in my existing keytab where there are *NO* extra bytes after the keyblock, and even when I look at the bytes after the keyblock I can't figure how these would represent a vno for that matter.

Also, looking further at the keytab in a binary editor I see a ton of @^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^ffffff at the end of the file -- without any other keytab entries following that data. This just doesn't seem like the case in any other keytabs I've looked at.

-- K

From linuxtrap at yahoo.co.in Sun Sep 20 10:44:31 2009
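To tie Mike Allen's three-way keytab lookup (SPN, kvno, enctype) earlier on this page to the zero-length-entry discussion in this thread, here is an added example, written for this page and not code from the list, from MIT, Heimdal or Centrify: a small writer and reader for the 0x502 keytab layout as documented at the ioplex keytab.txt URL cited above (big-endian integers, an int32 size counting the bytes after itself, a negative size marking a hole, an optional 32-bit kvno after the keyblock and, as Ezra notes for Heimdal, an optional flags word after that). It writes a hole, the kvno trailer, a Heimdal-style flags word and a zero-size marker, then reads the file back two ways: stopping at the zero-size entry as Greg and Ezra read the MIT code, or (an assumption, not how any named implementation is claimed to behave) stepping over the 4-byte size field and continuing. The keys are constructed placeholder bytes; no string-to-key is performed, so deriving the key from the ktpass password is outside this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

KEYTAB_VERSION = 0x0502        # big-endian layout written by MIT and Heimdal
KRB5_NT_PRINCIPAL = 1
ETYPE_RC4_HMAC = 23            # arcfour-hmac (RFC 4757), the "23" from the post above


@dataclass
class KeytabEntry:
    principal: str             # "HTTP/as1.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL
    flags: Optional[int] = None  # Heimdal-only trailer; None when absent


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length then the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)             # optional 32-bit kvno
    if e.flags is not None:
        body += struct.pack(">I", e.flags)        # Heimdal flags word
    return struct.pack(">i", len(body)) + body    # size counts bytes after itself


def encode_hole(nbytes: int) -> bytes:
    """A deleted entry: negative size followed by that many dead bytes."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes


def build_keytab(chunks) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(chunks)


def _decode_entry(buf: bytes) -> KeytabEntry:
    off = 0

    def u16() -> int:
        nonlocal off
        (v,) = struct.unpack_from(">H", buf, off)
        off += 2
        return v

    def counted() -> bytes:
        nonlocal off
        n = u16()
        data, off = buf[off:off + n], off + n
        return data

    ncomp = u16()
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    off += 9
    etype = u16()
    key = counted()
    kvno, flags = vno8, None
    if len(buf) - off >= 4:                # 32-bit kvno present
        (vno32,) = struct.unpack_from(">I", buf, off)
        off += 4
        if vno32:                          # MIT takes it only when non-zero
            kvno = vno32
        if len(buf) - off >= 4:            # Heimdal flags after the kvno
            (flags,) = struct.unpack_from(">I", buf, off)
    return KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, key,
                       timestamp, name_type, flags)


def parse_keytab(blob: bytes, zero_size: str = "eof") -> list:
    """zero_size="eof": a zero size ends the keytab (MIT, per the thread);
    "skip": step over the 4-byte size field and keep going (an assumption)."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {version:#x}")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            if zero_size == "eof":
                break
            continue
        if size < 0:                       # hole: skip abs(size) bytes
            pos -= size
            continue
        if pos + size > len(blob):
            raise ValueError(f"truncated entry at offset {pos - 4}")
        entries.append(_decode_entry(blob[pos:pos + size]))
        pos += size
    return entries


def find_key(entries, principal: str, kvno: int, enctype: int) -> Optional[bytes]:
    """The exact SPN/kvno/enctype match the HTTP server side performs."""
    for e in entries:
        if (e.principal, e.kvno, e.enctype) == (principal, kvno, enctype):
            return e.key
    return None


# Constructed sample: one placeholder key shared by a long and a short SPN
# (same kvno and enctype, as ktutil would write), plus a host key (aes256, 18)
# carrying a Heimdal flags word.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/as1.example.com@EXAMPLE.COM", 3, ETYPE_RC4_HMAC, SAMPLE_KEY, 1253000000),
    KeytabEntry("HTTP/as1@EXAMPLE.COM", 3, ETYPE_RC4_HMAC, SAMPLE_KEY, 1253000000),
    KeytabEntry("host/as1.example.com@EXAMPLE.COM", 7, 18, b"\x42" * 32, 1253000100, flags=0),
]


def demo_keytab() -> bytes:
    """Entry, hole, entry, zero-size marker, entry: the shape discussed above."""
    return build_keytab([encode_entry(SAMPLE_ENTRIES[0]), encode_hole(11),
                         encode_entry(SAMPLE_ENTRIES[1]), struct.pack(">i", 0),
                         encode_entry(SAMPLE_ENTRIES[2])])


if __name__ == "__main__":
    for mode in ("eof", "skip"):
        for e in parse_keytab(demo_keytab(), mode):
            print(mode, e.principal, "kvno", e.kvno, "etype", e.enctype, "flags", e.flags)
```

The point of the two modes is the one Greg and Ezra make: the reader sees the same bytes, but with the MIT reading the third entry is invisible, while a reader that keeps going finds it and also reports the Heimdal flags word, which a reader that only budgets for the 32-bit kvno will otherwise count as unexplained bytes in the entry.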
From: linuxtrap at yahoo.co.in (satish patel)
Date: Sun, 20 Sep 2009 20:14:31 +0530 (IST)
Subject: Redhat gnome-screen-saver TGT issue problem
Message-ID: <545349.28264.qm@web94901.mail.in2.yahoo.com>

Hi,

I have a Redhat-based KDC and a couple of Redhat clients. When gnome-screen-saver executes on a client, I get many failed TGT requests from gnome-screen-saver. It looks like gnome-screen-saver is not able to re-issue a TGT ticket from Kerberos.

Any solution? Can I disable TGT from gnome-screen-saver? Or disable TGT at the client side?

Thanks
satish

From ghudson at MIT.EDU Mon Sep 21 14:44:11 2009
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 21 Sep 2009 14:44:11 -0400
Subject: addprinc -randkey broken in 1.7?
In-Reply-To: <1253158152.9347.37.camel@ray>
References: <87pr9q8x7q.fsf@windlord.stanford.edu> <1253158152.9347.37.camel@ray>
Message-ID: <1253558651.9347.108.camel@ray>

On Wed, 2009-09-16 at 23:29 -0400, Greg Hudson wrote:
> It would be trivial to fix this regression by picking a temporary
> password which is valid UTF-8 but still contains all five character
> classes. I think that will be the best minimal fix for 1.7.1. For the
> trunk, time permitting, I will review and apply Marcus Watts's patch,
> which is a more elegant solution.

Just to close the loop on this, both the minimal fix and the long-term fix are checked in. We don't currently have a scheduled date for 1.7.1; the schedule for 1.8 is March 2010 plus or minus three months.

I failed to credit Marcus Watts in my commit of the long-term fix, which was adapted from his patch. Apologies on that count.

From mikkel at linet.dk Tue Sep 22 04:53:40 2009
From: mikkel at linet.dk (Mikkel Kruse Johnsen)
Date: Tue, 22 Sep 2009 10:53:40 +0200
Subject: Trust between AD and MIT Kerberos
Message-ID: <1253609620.2059.11.camel@tux.lib.cbs.dk>

Hi All

I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT Kerberos (CBS.DK).

On the Windows machines I have:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
KdcNames: kdc1.cbs.dk kdc2.cbs.dk

Adding "HTTP/od.cbs.dk at CBS.DK" to my CBS.DK and using mod_auth_kerb in Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens. In my log file "/var/log/krb5kdc.log" I could see that a lot of requests came from Windows machines.

Now the IT department created a UPN suffix on the AD called CBS.DK and SSO stopped working on Windows clients. The requests in "/var/log/krb5kdc.log" stopped.

We removed the UPN suffix from the AD, but Windows clients are still not working and the requests in "/var/log/krb5kdc.log" do not happen anymore. Everything is fine on Linux.

It seems that Windows clients no longer use the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg.

Have been searching the net for a month now. Anyone has any ideas what is wrong?

Is there a way to map domain to realms in Windows like [domain_realm] in krb5.conf?

Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work: +45 21287793
Mobile: +45 21287793
Email: mikkel at linet.dk
IM: mikkel at linet.dk (MSN)
Professional Profile Healthcare Network Consultant

From lists at deksai.com Tue Sep 22 10:13:48 2009
From: lists at deksai.com (Chris) Date: Tue, 22 Sep 2009 10:13:48 -0400 Subject: ldap principal aliases In-Reply-To: <20090829150119.GA26450@chris-laptop.a2hosting.com> References: <20090827234627.GA23653@chris-laptop.a2hosting.com> <1251479327.20047.263.camel@ray> <20090828200452.GA24489@chris-laptop.a2hosting.com> <1251509264.20047.273.camel@ray> <20090829150119.GA26450@chris-laptop.a2hosting.com> Message-ID: <20090922141347.GA30857@chris-laptop.a2hosting.com> On Sat, Aug 29, 2009 at 11:01:19AM -0400, Chris wrote: > On Fri, Aug 28, 2009 at 09:27:44PM -0400, Greg Hudson wrote: > > On Fri, 2009-08-28 at 16:04 -0400, Chris wrote: > > > [root at wopr ~]# kvno host/sf9ca98.domain.com > > > host/sf9ca98.domain.com at DOMAIN.COM: kvno = 7 > > > [root at wopr ~]# kvno host/ns4.domain.com > > > host/ns4.domain.com at DOMAIN.COM: Server not found in Kerberos > > > database while getting credentials > > > > I just tried a simple test like this myself and it worked for me. > > > > However, I noted that success in the latter case depends on the client > > setting KDC_OPT_CANONICALIZE in the TGS request. The client sets this > > bit in krb5 1.6 and krb5 1.7, but not in krb5 1.5 and prior. So if > > you're trying to get aliases to work for older versions of the client > > library, that's going to be an issue. > > > > > On Sat, Aug 29, 2009 at 08:38:21PM -0400, Greg Hudson wrote: > Let's say host/aliasname is an alias for host/realname. The client > performs a TGS request for host/aliasname service tickets, and gets a > host/aliasname service ticket encrypted in the key for host/realname. > Now the client presents this ticket to the server in an AP request, > saying it wants to authenticate to host/aliasname. > > * With krb5 1.7.x, krb5_rd_req will ignore the stated target of the AP > request and look for any key in the keytab which can decode the > presented ticket. It will find the host/realname key and succeed. 
> > * With krb5 1.6.x and prior, the krb5_rd_req will look specifically for > a host/aliasname key in the keytab, and will fail if the keytab contains > only a host/realname entry. I realize that this thread is pretty old, but I figured I'd update this for the sake of posterity. I tried several nice ways to get what I needed. I ended up just getting hacky and rolled a "Frankenkerberos" package for our servers. It basically patches 1.7 to export an old symbol, keeps some old krb4 related library files if needed to not break linkage for old binaries (we don't use that functionality at all), and updates everything else to 1.7. I've tested it out on a couple hundred servers short of a month, and haven't had any noticeable problems yet. The new behavior in 1.7 has been very nice :-) Chris
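The keytab lookup Greg describes, modelled as an added example that is not MIT code: a ticket issued for an alias is encrypted under the canonical principal's key, and the two krb5_rd_req strategies differ only in which keytab entries they are willing to try. Ticket encryption is replaced by an HMAC so the example runs without a KDC; the principal names follow the kvno output quoted above, and the keys and function names are the example's own.

```python
"""Added example (not MIT code): how krb5_rd_req chooses a keytab key when the
ticket names an alias, per Greg Hudson's description in the thread. Ticket
encryption is modelled with HMAC-SHA256 so it runs without a KDC: a key
'decrypts' a ticket iff its MAC verifies. Names and keys are constructed."""
import hmac


def issue_ticket(requested_sname, canonical_key, session_data=b'session key'):
    """KDC side: the ticket carries the name the client asked for (the alias)
    but is encrypted in the key of the canonical principal it aliases."""
    body = requested_sname.encode() + b'\x00' + session_data
    return {'sname': requested_sname, 'body': body,
            'tag': hmac.new(canonical_key, body, 'sha256').digest()}


def decrypts(ticket, key):
    """Stand-in for decrypting the ticket: True iff this key opens it."""
    mac = hmac.new(key, ticket['body'], 'sha256').digest()
    return hmac.compare_digest(mac, ticket['tag'])


def rd_req_1_6(ticket, keytab):
    """krb5 1.6.x and earlier: look up exactly the name stated in the AP-REQ,
    so an alias fails when the keytab only holds the canonical entry."""
    key = keytab.get(ticket['sname'])
    return key is not None and decrypts(ticket, key)


def rd_req_1_7(ticket, keytab):
    """krb5 1.7: ignore the stated name; accept if any keytab key opens it."""
    return any(decrypts(ticket, key) for key in keytab.values())


def demo():
    """Alias host/ns4 -> canonical host/sf9ca98; keytab holds only the latter."""
    canonical_key = b'constructed key for host/sf9ca98'
    keytab = {'host/sf9ca98.domain.com@DOMAIN.COM': canonical_key}
    alias_ticket = issue_ticket('host/ns4.domain.com@DOMAIN.COM', canonical_key)
    canonical_ticket = issue_ticket('host/sf9ca98.domain.com@DOMAIN.COM',
                                    canonical_key)
    # a ticket minted under some other key must be rejected by both strategies
    forged = issue_ticket('host/ns4.domain.com@DOMAIN.COM', b'not our key')
    return {
        'krb5_1.6_alias': rd_req_1_6(alias_ticket, keytab),
        'krb5_1.7_alias': rd_req_1_7(alias_ticket, keytab),
        'krb5_1.6_canonical': rd_req_1_6(canonical_ticket, keytab),
        'krb5_1.7_forged': rd_req_1_7(forged, keytab),
    }
```

The 1.7 strategy is what makes aliases work with a single keytab entry, but it also means an acceptor that does not pin a server principal will accept a ticket for any principal whose key sits in its keytab. Keep each service's keytab limited to its own keys, or have the application name the server principal it expects, so that a ticket for one service cannot authenticate to another that shares the keytab.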
From: peter at motyka.org (Peter) Date: Tue, 22 Sep 2009 09:50:19 -0700 (PDT) Subject: MS IWA - extended protection - SSPI - channel binding References: Message-ID: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> On Aug 27, 1:26 pm, Jeffrey Altman wrote: > Markus Moeller wrote: > > I am reading the MS article about IWA and extended protection > > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this > > affects GSSAPI based applications like Apache with mod_auth_kerb ? Does > > this mean MS has added channel bindings to SSPI ? > > > Unfortunately I don't have Windows 7 to test. > > > Thank you > > Markus > > You do not need Windows 7. The change was backported all the way to XP > SP2 and the update was pushed as critical two weeks ago. > When activated GSS-API over TLS will use channel bindings if the > application requests extended protection. > > Jeffrey Altman From what I can tell, this change was not pushed as a critical update, I had to install a patch manually to get channel binding capability for Windows XP (http://support.microsoft.com/kb/968389). I've done some experimenting with both Windows 7 and Windows XP and channel binding definitely behaves differently on the two platforms. With Windows 7, IWA authentication appears to provide channel binding regardless of whether the application requests extended protection. Actually, this is causing a runtime failure in my Java application using JGSS without any channel bindings defined on the acceptor: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!) The only way I can get around this error message with Windows 7 is to disable extended protection via the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection (0 disabled - 1 enabled) I can't get Windows XP to send channel binding information in my IWA scenario. I suspect it has something to do with my acceptor not specifying the need for extended protection, I'm not really sure. The major difference between the platform implementations I can see is, Windows 7 always sends extended protected data for IWA, Windows XP only sends extended protected data when necessary (can't verify this...) Peter Motyka From huaraz at moeller.plus.com Tue Sep 22 16:22:02 2009
From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 22 Sep 2009 21:22:02 +0100 Subject: MS IWA - extended protection - SSPI - channel binding In-Reply-To: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> References: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> Message-ID: What is the Java problem? Does Java not ignore channel bindings when set to GSS_C_NO_CHANNEL_BINDINGS in gss_accept as C does? Does Windows use any data in the channel binding or just the src/dest IPs? Where is that documented (I couldn't find it)? Thank you Markus "Peter" wrote in message news:8072f979-c6b4-42d1-a5f8-f80f5dee5191 at p15g2000vbl.googlegroups.com... On Aug 27, 1:26 pm, Jeffrey Altman wrote: > Markus Moeller wrote: > > I am reading the MS article about IWA and extended protection > > http://msdn.microsoft.com/en-us/library/dd639324.aspx and wonder if this > > affects GSSAPI based applications like Apache with mod_auth_kerb ? Does > > this mean MS has added channel bindings to SSPI ? > > > Unfortunately I don't have Windows 7 to test. > > > Thank you > > Markus > > You do not need Windows 7. The change was backported all the way to XP > SP2 and the update was pushed as critical two weeks ago. > When activated GSS-API over TLS will use channel bindings if the > application requests extended protection. > > Jeffrey Altman From what I can tell, this change was not pushed as a critical update, I had to install a patch manually to get channel binding capability for Windows XP (http://support.microsoft.com/kb/968389). I've done some experimenting with both Windows 7 and Windows XP and channel binding definitely behaves differently on the two platforms. With Windows 7, IWA authentication appears to provide channel binding regardless of whether the application requests extended protection. Actually, this is causing a runtime failure in my Java application using JGSS without any channel bindings defined on the acceptor: GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!) The only way I can get around this error message with Windows 7 is to disable extended protection via the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection (0 disabled - 1 enabled) I can't get Windows XP to send channel binding information in my IWA scenario. I suspect it has something to do with my acceptor not specifying the need for extended protection, I'm not really sure. The major difference between the platform implementations I can see is, Windows 7 always sends extended protected data for IWA, Windows XP only sends extended protected data when necessary (can't verify this...) Peter Motyka ________________________________________________ Kerberos mailing list Kerberos at mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos From Nicolas.Williams at sun.com Tue Sep 22 16:33:50 2009
From: Nicolas.Williams at sun.com (Nicolas Williams) Date: Tue, 22 Sep 2009 15:33:50 -0500 Subject: MS IWA - extended protection - SSPI - channel binding In-Reply-To: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> References: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> Message-ID: <20090922203350.GS1033@Sun.COM> On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote: > From what I can tell, this change was not pushed as a critical update, > I had to install a patch manually to get channel binding capability > for Windows XP (http://support.microsoft.com/kb/968389). I've done > some experimenting with both Windows 7 and Windows XP and channel > binding definitely behaves differently on the two platforms. With > Windows 7, IWA authentication appears to provide channel binding > regardless if the application requests extended protection. Actually, > this is causing a runtime failure in my Java application using jgss > without any channel bindings defined on the acceptor: > > GSSException: Channel binding mismatch (Mechanism level: > ChannelBinding not provided!) The JGSS issue is CR #6851973: 6851973 ignore incoming channel binding if acceptor does not set one The fix will be in the October 2009 updates. (The fix was integrated into build b64.) Nico --
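The check behind that JGSS exception, as an added example that is not part of the thread or of any implementation named in it: it computes the RFC 4121 channel-binding hash (the 16-byte Bnd field of the AP-REQ authenticator checksum) that a Kerberos GSS initiator sends, builds the tls-server-end-point token that Extended Protection binds to, and runs the two acceptor policies at issue: a strict acceptor that rejects a non-zero Bnd when it has no bindings of its own (what Peter's Windows 7 clients hit), and the lenient rule of C gss_accept_sec_context with GSS_C_NO_CHANNEL_BINDINGS that CR 6851973 brings to JGSS. The certificate bytes, the unspecified-addrtype/empty-address layout assumed for the Windows bindings, and the function names are assumptions of the example.

```python
"""Added example (not from the thread): the RFC 4121 channel-binding check a
Kerberos GSS acceptor performs, with the two acceptor policies discussed in
the thread. The certificate bytes and the addrtype/address layout assumed for
Windows Extended Protection are constructed for this example."""
import hashlib
import struct

GSS_C_AF_UNSPEC = 0            # addrtype used when no address is bound
NO_BINDINGS_BND = bytes(16)    # Bnd an initiator sends for GSS_C_NO_CHANNEL_BINDINGS


def _buffer(data):
    """gss_buffer_desc as hashed: 4-byte little-endian length, then the octets
    (which contribute nothing when the length is zero)."""
    return struct.pack('<I', len(data)) + data


def compute_bnd(initiator_addrtype, initiator_address,
                acceptor_addrtype, acceptor_address, application_data):
    """MD5 over the five channel-binding components in declaration order,
    integers little-endian (RFC 4121 section 4.1.1.2)."""
    h = hashlib.md5()
    h.update(struct.pack('<I', initiator_addrtype))
    h.update(_buffer(initiator_address))
    h.update(struct.pack('<I', acceptor_addrtype))
    h.update(_buffer(acceptor_address))
    h.update(_buffer(application_data))
    return h.digest()


def tls_server_end_point(cert_der, sig_hash='sha256'):
    """Application data Extended Protection binds to: the RFC 5929
    'tls-server-end-point' token, a hash of the server's DER certificate with
    the certificate signature's hash, upgraded to SHA-256 for MD5 and SHA-1."""
    if sig_hash.lower() in ('md5', 'sha1'):
        sig_hash = 'sha256'
    return b'tls-server-end-point:' + hashlib.new(sig_hash, cert_der).digest()


def accept_bindings(received_bnd, acceptor_app_data, strict):
    """Acceptor check. acceptor_app_data=None means the acceptor passed no
    bindings (GSS_C_NO_CHANNEL_BINDINGS, or a JGSS acceptor with none set).
    strict=True: a non-zero Bnd must match, so a Windows 7 initiator fails
    with 'ChannelBinding not provided' (pre-fix JGSS).
    strict=False: an acceptor without bindings ignores what the initiator
    bound (C GSS-API, and JGSS after CR 6851973)."""
    if acceptor_app_data is None:
        return received_bnd == NO_BINDINGS_BND if strict else True
    expected = compute_bnd(GSS_C_AF_UNSPEC, b'', GSS_C_AF_UNSPEC, b'',
                           acceptor_app_data)
    return received_bnd == expected   # mismatch -> GSS_S_BAD_BINDINGS


def demo():
    """Walk through the four cases; the certificate bytes are constructed."""
    cert_der = b'constructed DER bytes standing in for the TLS server cert'
    cbt = tls_server_end_point(cert_der)
    # Windows 7 initiator: binds the TLS endpoint (assumed: unspecified
    # addrtypes, empty addresses, the CBT as application data)
    bnd = compute_bnd(GSS_C_AF_UNSPEC, b'', GSS_C_AF_UNSPEC, b'', cbt)
    return {
        'strict_acceptor_without_bindings': accept_bindings(bnd, None, True),
        'lenient_acceptor_without_bindings': accept_bindings(bnd, None, False),
        'acceptor_binds_same_cert': accept_bindings(bnd, cbt, True),
        # a TLS-terminating relay presents its own certificate to the client
        'acceptor_binds_other_cert':
            accept_bindings(bnd, tls_server_end_point(b'relay cert'), True),
    }
```

The last case is the point of Extended Protection: when the acceptor binds its own certificate, a token relayed through a TLS endpoint with a different certificate is rejected. The lenient rule only skips the comparison when the acceptor asked for nothing; it never weakens a check the acceptor did ask for. Since, as Peter observed, Windows 7 initiators send the binding whether or not the acceptor wants it, an acceptor that sees such clients needs either the lenient rule or bindings of its own.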
From: huaraz at moeller.plus.com (Markus Moeller) Date: Tue, 22 Sep 2009 21:48:01 +0100 Subject: Trust between AD and MIT Kerberos In-Reply-To: References: Message-ID: <39ydnT8l-eaapSTXnZ2dnUVZ8lCdnZ2d@brightview.co.uk> Do you look for something like ? netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home This tells the w2k3 domain WINDOWS2003.HOME that hosts with in the domain suse.home belong to the MIT domain SUSE.HOME Markus "Mikkel Kruse Johnsen" wrote in message news:mailman.20.1253609653.18120.kerberos at mit.edu... > Hi All > > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT > Kerberos (CBS.DK). > > On the Windows machines I have: > > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK > KdcNames: kdc1.cbs.dk kdc2.cbs.dk > > > Adding "HTTP/od.cbs.dk at CBS.DK" to my CBS.DK and using mod_auth_kerb in > Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens. > > In my log file "/var/log/krb5kdc.log" I could see that a lot of request > came from windows machines. > > > Now the IT department created a UPN suffix on the AD called CBS.DK and > SSO stopped working on Windows clients. The request in > "/var/log/krb5kdc.log" stopped. > > We removing the UPN suffix from the AD, but Windows clients is not > working and the request to "/var/log/krb5kdc.log" do not happen anymore. > Everything is fine on Linux. > > It seems that Windows clients no longer uses the "HKLM\SYSTEM > \CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg. > > Have been searching the net for month now. Anyone has any ideas what is > wrong ? > > Is there a way to map domain to realms in Windows like [domain_realm] in > krb5.conf ? > > > Med Venlig Hilsen / Kind Regards > > > > > Mikkel Kruse > Johnsen > Adm.Dir. 
> > Linet > Ørholmgade 6 st tv > Copenhagen N 2200 > Denmark > > Work: +45 21287793 > Mobile: +45 21287793 > Email: mikkel at linet.dk > IM: mikkel at linet.dk (MSN) > Professional Profile Healthcare Network Consultant > From peter at motyka.org Tue Sep 22 19:04:02 2009 From: peter at motyka.org (Peter) Date: Tue, 22 Sep 2009 16:04:02 -0700 (PDT) Subject: MS IWA - extended protection - SSPI - channel binding References: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> Message-ID: <7f07a383-9624-4acf-9794-311b6e5b66a6@l35g2000vba.googlegroups.com> On Sep 22, 2:33 pm, Nicolas Williams wrote: > On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote: > > From what I can tell, this change was not pushed as a critical update, > > I had to install a patch manually to get channel binding capability > > for Windows XP (http://support.microsoft.com/kb/968389). I've done > > some experimenting with both Windows 7 and Windows XP and channel > > binding definitely behaves differently on the two platforms. With > > Windows 7, IWA authentication appears to provide channel binding > > regardless if the application requests extended protection. Actually, > > this is causing a runtime failure in my Java application using jgss > > without any channel bindings defined on the acceptor: > > > GSSException: Channel binding mismatch (Mechanism level: > > ChannelBinding not provided!) > > The JGSS issue is CR #6851973: > > 6851973 ignore incoming channel binding if acceptor does not set one > > The fix will be in the October 2009 updates. (The fix was integrated > into build b64.) > > Nico > -- Thanks for the info, Nico. I went to preview the update, but I'm not seeing a b64. Am I looking in the wrong place? http://download.java.net/jdk6/latest_binaries/ Latest available seems to be b02. Peter From peter at motyka.org Tue Sep 22 22:41:57 2009
From: peter at motyka.org (Peter) Date: Tue, 22 Sep 2009 19:41:57 -0700 (PDT) Subject: MS IWA - extended protection - SSPI - channel binding References: <8072f979-c6b4-42d1-a5f8-f80f5dee5191@p15g2000vbl.googlegroups.com> <7f07a383-9624-4acf-9794-311b6e5b66a6@l35g2000vba.googlegroups.com> Message-ID: <4123d4d6-7213-403a-943a-2e24459bfba9@l35g2000vba.googlegroups.com> On Sep 22, 5:04 pm, Peter wrote: > On Sep 22, 2:33 pm, Nicolas Williams wrote: > > On Tue, Sep 22, 2009 at 09:50:19AM -0700, Peter wrote: > > > From what I can tell, this change was not pushed as a critical update, > > > I had to install a patch manually to get channel binding capability > > > for Windows XP (http://support.microsoft.com/kb/968389). I've done > > > some experimenting with both Windows 7 and Windows XP and channel > > > binding definitely behaves differently on the two platforms. With > > > Windows 7, IWA authentication appears to provide channel binding > > > regardless if the application requests extended protection. Actually, > > > this is causing a runtime failure in my Java application using jgss > > > without any channel bindings defined on the acceptor: > > > > GSSException: Channel binding mismatch (Mechanism level: > > > ChannelBinding not provided!) > > > The JGSS issue is CR #6851973: > > > 6851973 ignore incoming channel binding if acceptor does not set one > > > The fix will be in the October 2009 updates. (The fix was integrated > > into build b64.) > > > Nico > > -- > > Thanks for the info, Nico. I went to preview the update, but I'm not > seeing a b64. Am I looking in the wrong place? http://download.java.net/jdk6/latest_binaries/ > > Latest available seems to be b02. > > Peter Apologies Nico, I assumed you meant 6851973 would be part of updates for the Java SE 6 Update 18 release.
I noticed the fix in the OpenJDK7 code base (http://hg.openjdk.java.net/jdk7/tl/jdk/rev/37ed72fe7561) and will see about having it backported to OpenJDK6 for Update 18 via the jdk6-dev mail list. Peter From mikkel at linet.dk Wed Sep 23 02:52:47 2009
From: mikkel at linet.dk (Mikkel Kruse Johnsen) Date: Wed, 23 Sep 2009 08:52:47 +0200 Subject: Trust between AD and MIT Kerberos In-Reply-To: <39ydnT8l-eaapSTXnZ2dnUVZ8lCdnZ2d@brightview.co.uk> References: <39ydnT8l-eaapSTXnZ2dnUVZ8lCdnZ2d@brightview.co.uk> Message-ID: <1253688767.1990.3.camel@tux.lib.cbs.dk> Hi Markus Is it possible to do: netdom trust HHK.DK /domain:CBS.DK /addtln:od.cbs.dk And only have windows clients ask my MIT kerberos server when accessing https://od.cbs.dk ? or is it only for the whole domain. Med Venlig Hilsen / Kind Regards Mikkel Kruse Johnsen Adm.Dir. Linet Ørholmgade 6 st tv Copenhagen N 2200 Denmark Work: +45 21287793 Mobile: +45 21287793 Email: mikkel at linet.dk IM: mikkel at linet.dk (MSN) Professional Profile Healthcare Network Consultant On Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote: > Do you look for something like ? > > netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home > > This tells the w2k3 domain WINDOWS2003.HOME that hosts with in the domain > suse.home belong to the MIT domain SUSE.HOME > > Markus > > "Mikkel Kruse Johnsen" wrote in message > news:mailman.20.1253609653.18120.kerberos at mit.edu... > > Hi All > > > > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT > > Kerberos (CBS.DK). > > > > On the Windows machines I have: > > > > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK > > KdcNames: kdc1.cbs.dk kdc2.cbs.dk > > > > > > Adding "HTTP/od.cbs.dk at CBS.DK" to my CBS.DK and using mod_auth_kerb in > > Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens. > > > > In my log file "/var/log/krb5kdc.log" I could see that a lot of request > > came from windows machines. > > > > > > Now the IT department created a UPN suffix on the AD called CBS.DK and > > SSO stopped working on Windows clients. The request in > > "/var/log/krb5kdc.log" stopped.
> > > > We removing the UPN suffix from the AD, but Windows clients is not > > working and the request to "/var/log/krb5kdc.log" do not happen anymore. > > Everything is fine on Linux. > > > > It seems that Windows clients no longer uses the "HKLM\SYSTEM > > \CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg. > > > > Have been searching the net for month now. Anyone has any ideas what is > > wrong ? > > > > Is there a way to map domain to realms in Windows like [domain_realm] in > > krb5.conf ? > > > > > > Med Venlig Hilsen / Kind Regards > > > > Mikkel Kruse Johnsen, Adm.Dir., Linet, Ørholmgade 6 st tv, Copenhagen N 2200, Denmark > > Work: +45 21287793, Mobile: +45 21287793, Email: mikkel at linet.dk, IM: mikkel at linet.dk (MSN) From priya9907 at gmail.com Wed Sep 23 13:33:25 2009 From: priya9907 at gmail.com (Priya B) Date: Wed, 23 Sep 2009 10:33:25 -0700 (PDT) Subject: Kerberos service ticket issue!!! References: Message-ID: <1b6fe470-db8e-4f5f-98ae-19263e264a5f@f18g2000prf.googlegroups.com> Hi, We've overcome this problem at last. Just got the conf file verified by kinit.exe and made the necessary changes. Now the next hurdle!! The service ticket size is about 3000+ bytes, when we monitor the packets on NetMon. But when the application fetches it, it is 6000+ bytes. We believe it is because of this problem that the service is not authenticating the client. Any ideas? Thanks so much for your time! From decrosby at tiscali.co.uk Wed Sep 23 13:56:30 2009
From: decrosby at tiscali.co.uk (damian crosby) Date: Wed, 23 Sep 2009 18:56:30 +0100 Subject: Ksetup and DNS SRV for X Real resolution. Message-ID: <398094A1DFB54248B93C70C68E1B9F65@crosbyxp> Hi, When creating xrealm trusts to enable the Windows domain to locate the MIT equivalent you typically run ksetup /addkdc Realm kdc.realm This creates an entry in the registry which is an equivalent to the Krb5.conf file. The Windows Kerberos SSP looks in the registry for the DNS domain name and uses DNS to resolve this to the appropriate IP. Q. Instead of manually specifying the KDC's can Windows use DNS SRV records to locate the MIT KDC as per RFC 2052? Has anyone had success with this? Thanks. From decrosby at tiscali.co.uk Wed Sep 23 15:26:55 2009 From: decrosby at tiscali.co.uk (damian crosby) Date: Wed, 23 Sep 2009 20:26:55 +0100 Subject: Ksetup and DNS SRV for X Real resolution. In-Reply-To: References: <398094A1DFB54248B93C70C68E1B9F65@crosbyxp> Message-ID: Right but will the Windows Kerberos SSP use the SRV lookup to resolve the KDC correctly if you just specify the realm and what form should the SRV records take? Do you have an example? Thanks. Damian. -----Original Message----- From: Yi Zeng [mailto:yizen at microsoft.com] Sent: 23 September 2009 20:09 To: damian crosby Subject: RE: Ksetup and DNS SRV for X Real resolution. "Ksetup /addkdc REALM" should do it. Thanks, yizeng -----Original Message----- 
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of damian crosby Sent: Wednesday, September 23, 2009 10:57 AM To: kerberos at mit.edu Subject: Ksetup and DNS SRV for X Real resolution. Hi, When creating xrealm trusts to enable the Windows domain to locate the MIT equivalent you typically run ksetup /addkdc Realm kdc.realm This creates an entry in the registry which is an equivalent to the Krb5.conf file. The Windows Kerberos SSP looks in the registry for the DNS domain name and uses DNS to resolve this to the appropriate IP. Q. Instead of manually specifying the KDC's can Windows use DNS SRV records to locate the MIT KDC as per RFC 2052? Has anyone had success with this? Thanks. ________________________________________________ Kerberos mailing list Kerberos at mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos From huaraz at moeller.plus.com Wed Sep 23 17:33:58 2009 
From: huaraz at moeller.plus.com (Markus Moeller) Date: Wed, 23 Sep 2009 22:33:58 +0100 Subject: Trust between AD and MIT Kerberos In-Reply-To: <1253688767.1990.3.camel@tux.lib.cbs.dk> References: <39ydnT8l-eaapSTXnZ2dnUVZ8lCdnZ2d@brightview.co.uk> <1253688767.1990.3.camel@tux.lib.cbs.dk> Message-ID: Unfortunately you can not, it is only for DNS name suffixes not for hosts. Markus "Mikkel Kruse Johnsen" wrote in message news:1253688767.1990.3.camel at tux.lib.cbs.dk... > Hi Markus > > Is it possible to do: > > netdom trust HHK.DK /domain:CBS.DK /addtln:od.cbs.dk > > And only have windows clients ask my MIT kerberos server when accessing > https://od.cbs.dk ? > or is it only for the whole domain. > > > Med Venlig Hilsen / Kind Regards > > Mikkel Kruse Johnsen, Adm.Dir., Linet, Ørholmgade 6 st tv, Copenhagen N 2200, Denmark > Work: +45 21287793, Mobile: +45 21287793, Email: mikkel at linet.dk, IM: mikkel at linet.dk (MSN) > > > On Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote: > >> Do you look for something like ? >> >> netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home >> >> This tells the w2k3 domain WINDOWS2003.HOME that hosts with in the >> domain >> suse.home belong to the MIT domain SUSE.HOME >> >> Markus >> >> "Mikkel Kruse Johnsen" wrote in message >> news:mailman.20.1253609653.18120.kerberos at mit.edu... >> > Hi All >> > >> > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT >> > Kerberos (CBS.DK). >> > >> > On the Windows machines I have: >> > >> > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK >> > KdcNames: kdc1.cbs.dk kdc2.cbs.dk >> > >> > >> > Adding "HTTP/od.cbs.dk at CBS.DK" to my CBS.DK and using mod_auth_kerb in >> > Apache. SSO worked on both Windows and Linux clients with HHK.DK >> > tokens.
>> > >> > In my log file "/var/log/krb5kdc.log" I could see that a lot of request >> > came from windows machines. >> > >> > >> > Now the IT department created a UPN suffix on the AD called CBS.DK and >> > SSO stopped working on Windows clients. The request in >> > "/var/log/krb5kdc.log" stopped. >> > >> > We removing the UPN suffix from the AD, but Windows clients is not >> > working and the request to "/var/log/krb5kdc.log" do not happen >> > anymore. >> > Everything is fine on Linux. >> > >> > It seems that Windows clients no longer uses the "HKLM\SYSTEM >> > \CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg. >> > >> > Have been searching the net for month now. Anyone has any ideas what is >> > wrong ? >> > >> > Is there a way to map domain to realms in Windows like [domain_realm] >> > in >> > krb5.conf ? >> > >> > >> > Med Venlig Hilsen / Kind Regards >> > >> > Mikkel Kruse Johnsen, Adm.Dir., Linet, Ørholmgade 6 st tv, Copenhagen N 2200, Denmark >> > Work: +45 21287793, Mobile: +45 21287793, Email: mikkel at linet.dk, IM: mikkel at linet.dk (MSN) From frostisch at yahoo.de Thu Sep 24 09:32:48 2009
From: frostisch at yahoo.de (=?UTF-8?B?SnVsaWFuIFRob23DqQ==?=) Date: Thu, 24 Sep 2009 15:32:48 +0200 Subject: Problem mounting shares using mount.cifs Message-ID: <4ABB7500.2070906@yahoo.de> Hello mailing list, I have a problem mounting samba-shares using mount.cifs with kerberos authentication. A snippet of the samba-configuration-file with the important kerberos option is as follows: >8-------------------------------------------smb.conf [global] client use spnego = yes security = user realm = REALM ... use kerberos keytab = yes ... wins support = yes domain logons = yes domain master = yes -----------------------------------------------------8< A snippet of the kerberos-configuration-file is as follows: >8-------------------------------------------krb5.conf [libdefaults] default_realm = REALM [realms] REALM = { kdc = ... admin_server = ... } [domain_realm] .intern.kmux.de = REALM [kdc] database = { realm = REALM dbname = ldap:ou=Benutzer,dc=kmux,dc=de hdb-ldap-structural-object = inetOrgPerson acl-file = /etc/heimdal-kdc/kadmind.acl mkey_file = /var/lib/heimdal-kdc/m-key } [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5default.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = true } -----------------------------------------------------8< The /etc/request-key.conf -file on the Client has the following content: >8------------------------------------request-key.conf create cifs.spnego * * /usr/sbin/cifs.upcall -c %k create dns_resolver * * /usr/sbin/cifs.upcall %k -----------------------------------------------------8< After login i receive a ticket, but if i want to mount a share with the command: mount.cifs //sambaserver//public /home/admin/test -o sec=krb5 an error occurs with the error message: mount error (126): Required key not available the full dmesg: >8------------------------------------dmesg [ 658.349644] fs/cifs/cifsfs.c: Devname: 
//sambaserver/public flags: 64 [ 658.349644] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 18 with uid: 0 [ 658.349644] fs/cifs/connect.c: Username: admin [ 658.349644] fs/cifs/connect.c: UNC: \\sambaserver\public ip: 192.168.32.22 [ 658.349644] fs/cifs/connect.c: Socket created [ 658.349644] fs/cifs/connect.c: sndbuf 655360 rcvbuf 873800 rcvtimeo 0x7fffffff [ 658.349644] fs/cifs/connect.c: Existing smb sess not found [ 658.565617] fs/cifs/connect.c: Demultiplex PID: 5409 [ 658.349644] fs/cifs/cifssmb.c: secFlags 0x8 [ 658.349644] fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security [ 658.349644] fs/cifs/transport.c: For smb_command 114 [ 658.349644] fs/cifs/transport.c: Sending smb of length 78 [ 658.569617] fs/cifs/connect.c: rfc1002 length 0xbf [ 658.569617] fs/cifs/cifssmb.c: Dialect: 2 [ 658.569617] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92 [ 658.569617] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92 [ 658.569617] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 [ 658.569617] fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/sambaserver at REALM [ 658.569617] fs/cifs/cifssmb.c: Signing disabled [ 658.569617] fs/cifs/cifssmb.c: negprot rc 0 [ 658.569617] fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080e3fd TimeAdjust: -7200 [ 658.569617] fs/cifs/sess.c: sess setup type 6 [ 658.569617] fs/cifs/cifs_spnego.c: key description = ver=0x1;host=sambaserver;ip4=192.168.32.22;sec=krb5;uid=0x0;user=admin [ 658.569617] fs/cifs/sess.c: ssetup freeing small buf f7bb7740 [ 658.569617] CIFS VFS: Send error in SessSetup = -126 [ 658.705643] fs/cifs/connect.c: No session or bad tcon [ 658.705643] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 18) rc = -126 [ 658.705643] CIFS VFS: cifs_mount failed w/return code = -126 -----------------------------------------------------8< The principal cifs/sambaserver exists. 
It would be very nice if someone could help me and/or explain this error to me ;-) Thank you in advance !! ___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de From frostisch at yahoo.de Thu Sep 24 09:32:48 2009 
From: frostisch at yahoo.de (=?UTF-8?B?SnVsaWFuIFRob23DqQ==?=) Date: Thu, 24 Sep 2009 15:32:48 +0200 Subject: Problem mounting shares using mount.cifs Message-ID: <4ABB7500.2070906@yahoo.de> Hello mailing list, I have a problem mounting samba-shares using mount.cifs with kerberos authentication. A snippet of the samba-configuration-file with the important kerberos option is as follows: >8-------------------------------------------smb.conf [global] client use spnego = yes security = user realm = REALM ... use kerberos keytab = yes ... wins support = yes domain logons = yes domain master = yes -----------------------------------------------------8< A snippet of the kerberos-configuration-file is as follows: >8-------------------------------------------krb5.conf [libdefaults] default_realm = REALM [realms] REALM = { kdc = ... admin_server = ... } [domain_realm] .intern.kmux.de = REALM [kdc] database = { realm = REALM dbname = ldap:ou=Benutzer,dc=kmux,dc=de hdb-ldap-structural-object = inetOrgPerson acl-file = /etc/heimdal-kdc/kadmind.acl mkey_file = /var/lib/heimdal-kdc/m-key } [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5default.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = true } -----------------------------------------------------8< The /etc/request-key.conf -file on the Client has the following content: >8------------------------------------request-key.conf create cifs.spnego * * /usr/sbin/cifs.upcall -c %k create dns_resolver * * /usr/sbin/cifs.upcall %k -----------------------------------------------------8< After login i receive a ticket, but if i want to mount a share with the command: mount.cifs //sambaserver//public /home/admin/test -o sec=krb5 an error occurs with the error message: mount error (126): Required key not available the full dmesg: >8------------------------------------dmesg [ 658.349644] fs/cifs/cifsfs.c: Devname: 
//sambaserver/public flags: 64 [ 658.349644] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 18 with uid: 0 [ 658.349644] fs/cifs/connect.c: Username: admin [ 658.349644] fs/cifs/connect.c: UNC: \\sambaserver\public ip: 192.168.32.22 [ 658.349644] fs/cifs/connect.c: Socket created [ 658.349644] fs/cifs/connect.c: sndbuf 655360 rcvbuf 873800 rcvtimeo 0x7fffffff [ 658.349644] fs/cifs/connect.c: Existing smb sess not found [ 658.565617] fs/cifs/connect.c: Demultiplex PID: 5409 [ 658.349644] fs/cifs/cifssmb.c: secFlags 0x8 [ 658.349644] fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security [ 658.349644] fs/cifs/transport.c: For smb_command 114 [ 658.349644] fs/cifs/transport.c: Sending smb of length 78 [ 658.569617] fs/cifs/connect.c: rfc1002 length 0xbf [ 658.569617] fs/cifs/cifssmb.c: Dialect: 2 [ 658.569617] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92 [ 658.569617] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92 [ 658.569617] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 [ 658.569617] fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/sambaserver at REALM [ 658.569617] fs/cifs/cifssmb.c: Signing disabled [ 658.569617] fs/cifs/cifssmb.c: negprot rc 0 [ 658.569617] fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080e3fd TimeAdjust: -7200 [ 658.569617] fs/cifs/sess.c: sess setup type 6 [ 658.569617] fs/cifs/cifs_spnego.c: key description = ver=0x1;host=sambaserver;ip4=192.168.32.22;sec=krb5;uid=0x0;user=admin [ 658.569617] fs/cifs/sess.c: ssetup freeing small buf f7bb7740 [ 658.569617] CIFS VFS: Send error in SessSetup = -126 [ 658.705643] fs/cifs/connect.c: No session or bad tcon [ 658.705643] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 18) rc = -126 [ 658.705643] CIFS VFS: cifs_mount failed w/return code = -126 -----------------------------------------------------8< The principal cifs/sambaserver exists. 
It would be very nice if someone could help me and/or explain this error to me ;-)

Thank you in advance!!

From bill at uauthz.com Wed Sep 23 22:45:33 2009
From: bill at uauthz.com (Bill Iab) Date: Wed, 23 Sep 2009 21:45:33 -0500 Subject: Kerberos service ticket issue!!! In-Reply-To: <1b6fe470-db8e-4f5f-98ae-19263e264a5f@f18g2000prf.googlegroups.com> References: <1b6fe470-db8e-4f5f-98ae-19263e264a5f@f18g2000prf.googlegroups.com> Message-ID: <4ABADD4D.7070700@uauthz.com>

The service ticket is embedded in the SPNEGO token, which contains a lot of other information, so the size should be much bigger than the service ticket size.

http://msdn.microsoft.com/en-us/library/ms995330.aspx

Priya B wrote:
> Hi,
>
> We've overcome this problem at last. Just got the conf file verified
> by kinit.exe and made the necessary changes.
>
> Now the next hurdle!!
>
> The service ticket size is about 3000+ bytes, when we monitor the
> packets on NetMon. But when the application fetches it, it is 6000+
> bytes. We believe it is because of this problem that the service is
> not authenticating the client.
>
> Any ideas?
>
> Thanks so much for your time!

From ma3oxuct at gmail.com Mon Sep 28 12:01:27 2009
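Bill's point, that a service ticket travels inside a GSS-API/SPNEGO wrapper that is larger than the ticket itself, can be seen with the small DER encoder/decoder below. This is an added example, not code from either thread, from Samba or from the kernel; the 3000-byte mechToken is a constructed placeholder standing in for an AP-REQ. The same OID routines reproduce the arcs that fs/cifs/asn1.c logged in Julian's dmesg above (the kernel printed only the first four arcs of each OID): 1.2.840.113554 is the Kerberos 5 mechanism, 1.2.840.48018 is Microsoft's Kerberos mechanism, and a 10-byte OID beginning 1.3.6.1 is the length of NTLMSSP's 1.3.6.1.4.1.311.2.2.10. The overhead measured here is only the DER framing; a transport encoding such as base64 in an HTTP Negotiate header adds roughly a third on top of that.

```python
# Minimal DER encoder/decoder for the SPNEGO NegTokenInit that carries a
# Kerberos AP-REQ in an SMB session setup (RFC 2743 section 3.1, RFC 4178).
# Added example; the mechToken used below is a constructed placeholder.

SPNEGO_OID = "1.3.6.1.5.5.2"           # thisMech of the outer GSS-API token
KRB5_OID = "1.2.840.113554.1.2.2"      # Kerberos V5 GSS-API mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"    # Microsoft Kerberos mechanism


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Inverse of encode_oid for OIDs whose first arc is 0 or 1 (all used here)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return arcs


def kernel_style(dotted):
    """Format the arcs the way fs/cifs/asn1.c printed them in the dmesg above."""
    return " ".join(hex(a) for a in decode_oid(encode_oid(dotted)[2:]))


def build_neg_token_init(mech_types, mech_token):
    """InitialContextToken ([APPLICATION 0]) { SPNEGO OID, [0] NegTokenInit {
       [0] mechTypes SEQUENCE OF OID, [2] mechToken OCTET STRING } }"""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mech_types))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, init))


def read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_neg_token_init(token):
    """Return (mechType OIDs as dotted strings, mechToken bytes or None)."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != [1, 3, 6, 1, 5, 5, 2]:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, seq, _ = read_tlv(choice, 0)
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                     # mechTypes
            _, lst, _ = read_tlv(field, 0)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(".".join(str(a) for a in decode_oid(o)))
        elif tag == 0xA2:                   # mechToken
            _, mech_token, _ = read_tlv(field, 0)
    return mechs, mech_token


def spnego_overhead(mech_token, mech_types=(MS_KRB5_OID, KRB5_OID)):
    """Bytes the SPNEGO/GSS framing adds on top of the raw mechToken."""
    return len(build_neg_token_init(list(mech_types), mech_token)) - len(mech_token)


if __name__ == "__main__":
    fake_ap_req = b"\x6e" + bytes(2999)     # constructed: AP-REQ tag, then padding
    token = build_neg_token_init([MS_KRB5_OID, KRB5_OID], fake_ap_req)
    mechs, inner = parse_neg_token_init(token)
    print("mechTypes:", mechs)
    print("kernel-style:", [kernel_style(m) for m in mechs])
    print("mechToken %d bytes, whole token %d bytes" % (len(inner), len(token)))
```

Run stand-alone it prints the mechanism list, the kernel-style arcs and the two sizes. parse_neg_token_init rejects anything that is not an SPNEGO InitialContextToken instead of guessing at the layout, which is the behaviour you want in front of a ticket decoder.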
From: ma3oxuct at gmail.com (Andrey Falko) Date: Mon, 28 Sep 2009 09:01:27 -0700 Subject: Need help setting up kerberos for the first time Message-ID: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com>

Hi everyone,

I am new to Kerberos and having some trouble setting it up. Here are the steps that I took:

a) Edited /etc/krb5.conf:

[libdefaults]
default_realm = USDSTORAGE.COM
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms

[realms]
USSTORAGE.COM = {
admin_server = USDSTORAGE.COM
default_domain = USDSTORAGE.COM
kdc = USDSTORAGE.COM
}

[domain_realm]
.usdstorage.com = USDSTORAGE.COM
usdstorage.com = USDSTORAGE.COM

b) mkdir /var/lib/krb5kdc

c) Edit /etc/kdc.conf:

[kdcdefaults]
kdc_ports = 750,88

[realms]
USDSTORAGE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
acl_file = /var/lib/krb5kdc/kadm5.acl
key_stash_file = /var/lib/krb5kdc/.k5.USDSTORAGE.COM
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

d) Edit /var/lib/krb5kdc/kadm5.acl:

*/admin at USDSTORAGE.COM *

e) cd /var/lib/krb5kdc
kdb5_util create -r USDSTORAGE.COM -s

f) Edit /etc/hosts:

127.0.0.1 localhost USDSTORAGE.COM KRB.USDSTORAGE.COM Gentoo-testvm1 usdsstorage.com krb.usdstorage.com

g) kadmin.local
kadmin.local: afsadmin at USDSTORAGE.COM
kadmin.local: afsadmin/admin at USDSTORAGE.COM
addprinc -randkey afs/USDSTORAGE.com at USDSTORAGE.COM
ktadd -e des-cbc-crc:normal -k /etc/krb5.keytab.afs afs/USDSTORAGE.com

h) /etc/init.d/mit-krb5kadmind start
/etc/init.d/mit-krb5kdc start

I then try a simple test:

# kinit afsadmin
kinit(v5): Cannot resolve network address for KDC in realm USDSTORAGE.COM while getting initial credentials

What am I doing wrong, if anything? Everything appears consistent to me in terms of network config as well as the kerberos config files. Can someone hint to things I can do in order to troubleshoot this at a deeper level?

Thank you in advance for any help.
I've been struggling with this for weeks. Googling has not helped :(.

-Andrey

From danny at cs.huji.ac.il Mon Sep 28 12:13:57 2009
From: danny at cs.huji.ac.il (Daniel Braniss) Date: Mon, 28 Sep 2009 18:13:57 +0200 Subject: passwd/otp/nfs Message-ID:

Hi,

We provide Unix service to the Computer Science Dep. (since 76), with about 1500 accounts (staff, researchers, students), and probably one of the last few sites using Hesiod :-)

Since more and more users are requesting access from 'unfriendly' environments, we are evaluating the feasibility of allowing NFS access to a wider population, and krb5 could be the solution, but our system has a few drawbacks:
- no Active Directory
- no LDAP
- getpwnam() does not provide the encrypted password, just plain Hesiod, and authentication is done via PAM.

After some googling, I'm not that wiser :-(

So I'm wondering, can I roll my own authentication module/library/plugin?

thanks,
danny

From docelic at spinlocksolutions.com Mon Sep 28 12:28:13 2009
From: docelic at spinlocksolutions.com (Davor Ocelic) Date: Mon, 28 Sep 2009 18:28:13 +0200 Subject: Need help setting up kerberos for the first time In-Reply-To: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> References: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> Message-ID: <20090928182813.326f31c4@sl1.spinlock.hr>

On Mon, 28 Sep 2009 09:01:27 -0700
Andrey Falko wrote:

> Hi everyone,
>
> I am new to Kerberos and having some trouble setting it up. Here are
> the steps that I took:
>
> ...
>
> What am I doing wrong, if anything? Everything appears consistent to
> me in terms of network config as well as the kerberos config files.
> Can someone hint to things I can do in order to troubleshoot this at
> a deeper level?
>
> Thank you in advance for any help. I've been struggling with this for
> weeks. Googling has not helped :(.

In case of Debian GNU or for general introduction, you might find this hands-on guide useful:

http://techpubs.spinlocksolutions.com/dklar/kerberos.html

Regards,
-doc

From docelic at spinlocksolutions.com Mon Sep 28 12:27:58 2009
From: docelic at spinlocksolutions.com (Davor Ocelic) Date: Mon, 28 Sep 2009 18:27:58 +0200 Subject: Need help setting up kerberos for the first time In-Reply-To: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> References: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> Message-ID: <20090928182758.147687eb@sl1.spinlock.hr>

On Mon, 28 Sep 2009 09:01:27 -0700
Andrey Falko wrote:

> Hi everyone,
>
> I am new to Kerberos and having some trouble setting it up. Here are
> the steps that I took:
>
> ...
>
> What am I doing wrong, if anything? Everything appears consistent to
> me in terms of network config as well as the kerberos config files.
> Can someone hint to things I can do in order to troubleshoot this at
> a deeper level?
>
> Thank you in advance for any help. I've been struggling with this for
> weeks. Googling has not helped :(.

In case of Debian GNU or for general introduction, you might find this guide useful:

http://techpubs.spinlocksolutions.com/dklar/kerberos.html

Regards,
-doc

From javiplx at gmail.com Mon Sep 28 14:43:52 2009
From: javiplx at gmail.com (Javier Palacios) Date: Mon, 28 Sep 2009 20:43:52 +0200 Subject: Need help setting up kerberos for the first time In-Reply-To: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> References: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> Message-ID:

> f) Edit /etc/hosts:
> 127.0.0.1       localhost USDSTORAGE.COM KRB.USDSTORAGE.COM Gentoo-testvm1
> usdsstorage.com krb.usdstorage.com

Try locating the USDSTORAGE.COM (or whichever name you want to be the main name) in the first place. Although honestly, I'm not very confident that this will work.

Javier Palacios

From edward at murrell.co.nz Mon Sep 28 15:43:35 2009
From: edward at murrell.co.nz (Edward Murrell) Date: Tue, 29 Sep 2009 08:43:35 +1300 Subject: Need help setting up kerberos for the first time In-Reply-To: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> References: <350fc7cf0909280901s2968937drdf254d78a004fdb@mail.gmail.com> Message-ID: <1254167015.30130.9.camel@entropy>

There's a bunch of things there that are a bit messed up.

Firstly, if you aren't sure what the hostname is, run:

hostname -s

If this tells you it's 'localhost', you should edit the /etc/hostname to be something more descriptive (and the same as whatever you pick for myserverhostname below) and then run

hostname -F /etc/hostname

Also, this bit...

On Mon, 2009-09-28 at 09:01 -0700, Andrey Falko wrote:
> [realms]
> USSTORAGE.COM = {
> admin_server = USDSTORAGE.COM
> default_domain = USDSTORAGE.COM
> kdc = USDSTORAGE.COM
> }

...should be something like:

[realms]
USSTORAGE.COM = {
admin_server = myserverhostname.usdstorage.com
kdc = myserverhostname.usdstorage.com
}

This is also odd

> f) Edit /etc/hosts:
> 127.0.0.1 localhost USDSTORAGE.COM KRB.USDSTORAGE.COM Gentoo-testvm1
> usdsstorage.com krb.usdstorage.com

It should look like:

127.0.0.1 localhost
10.2.3.4 myserverhostname.usdstorage.com

Where 10.2.3.4 is the IP address of the network card (NOT localhost/loopback).

Hope that helps,

Cheers,
Edward

From remi.ferrand at cc.in2p3.fr Tue Sep 29 04:31:16 2009
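The configs Andrey posted, and the corrections Edward suggests, can be checked mechanically. The parser and checks below are an added example (not part of the thread and not MIT krb5 code); the two embedded configs are reflowed copies of what Andrey posted, trimmed to the sections the checks read. The check worth knowing is the first one: when [realms] has no stanza for the realm kinit is asked for, MIT libkrb5 has nothing left to try but DNS SRV lookups for that realm, and when there are no such records it reports that it cannot resolve a KDC address.

```python
import difflib
import re

# Constructed samples: the [libdefaults]/[realms]/[domain_realm] sections as
# posted in the thread (krb4_* lines omitted), one entry per line.
POSTED_KRB5_CONF = """
[libdefaults]
    default_realm = USDSTORAGE.COM
[realms]
    USSTORAGE.COM = {
        admin_server = USDSTORAGE.COM
        default_domain = USDSTORAGE.COM
        kdc = USDSTORAGE.COM
    }
[domain_realm]
    .usdstorage.com = USDSTORAGE.COM
    usdstorage.com = USDSTORAGE.COM
"""

POSTED_KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    USDSTORAGE.COM = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        kdc_ports = 750,88
    }
"""


def parse_profile(text):
    """Parse the krb5.conf/kdc.conf profile format into nested dicts.

    Every value is a list, because the format allows repeated keys (several
    'kdc =' lines); 'key = {' opens a subsection that a bare '}' closes.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.fullmatch(r"\[(\S+)\]", line)
        if section:
            stack = [root.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"entry before any [section]: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"expected 'key = value': {line!r}")
        if value == "{":
            sub = {}
            stack[-1].setdefault(key, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def check_realms(krb5, kdc=None):
    """Return findings about realm naming in a parsed krb5.conf (and kdc.conf)."""
    findings = []
    realms = krb5.get("realms", {})
    default = krb5.get("libdefaults", {}).get("default_realm", [None])[0]
    if default is None:
        findings.append("[libdefaults] has no default_realm")
    elif default not in realms:
        msg = (f"default_realm {default} has no [realms] stanza, so libkrb5 can "
               f"only look for its KDC in DNS SRV records for {default.lower()}")
        near = difflib.get_close_matches(default, list(realms), n=1, cutoff=0.8)
        if near:
            msg += f" (did you mean the stanza named {near[0]}?)"
        findings.append(msg)
    for name, stanzas in realms.items():
        for stanza in stanzas:
            if not isinstance(stanza, dict):
                continue
            if "kdc" not in stanza:
                findings.append(f"[realms] {name} lists no kdc")
            for key in ("kdc", "admin_server"):
                for host in stanza.get(key, []):
                    # A bare realm/domain name where the KDC's own FQDN belongs
                    # is the mistake Edward points out in the thread.
                    if host.split(":")[0].upper() in (name, default):
                        findings.append(f"[realms] {name}: {key} = {host} is the "
                                        "realm name, not a KDC host name")
    for domain, targets in krb5.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                findings.append(f"[domain_realm] maps {domain} to {realm}, "
                                "which has no [realms] stanza")
    for name in (kdc or {}).get("realms", {}):
        if name not in realms:
            findings.append(f"kdc.conf serves realm {name}, which krb5.conf "
                            "does not define")
    return findings


if __name__ == "__main__":
    for finding in check_realms(parse_profile(POSTED_KRB5_CONF),
                                parse_profile(POSTED_KDC_CONF)):
        print("-", finding)
```

For the posted configs the checker reports six findings, the first being that default_realm USDSTORAGE.COM has no [realms] stanza and that USSTORAGE.COM looks like the intended name; with a stanza named USDSTORAGE.COM whose kdc and admin_server are the KDC's FQDN (krb.usdstorage.com, the name already in Andrey's /etc/hosts) it reports nothing.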
From: remi.ferrand at cc.in2p3.fr (Remi Ferrand) Date: Tue, 29 Sep 2009 10:31:16 +0200 Subject: Hack Kerberos / AFS Message-ID: <4AC1C5D4.8040903@cc.in2p3.fr>

Hi,

I need help to create a little hack on Kerberos / AFS.

My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew File System)) without any passwords from the users (directly with the Master Key).

Our production system works as follows:
- the client SSHes onto a machine and is granted an AFS Token obtained with aklog. At this very step, the user has the Ticket Granting Ticket krbtgt/REALM at REALM and the afs/cell at REALM Ticket Granting Service. It also has an AFS Token obtained with aklog.
- the user will then submit a job to our Batch system.
- the job will be processed X hours/minutes later and could last a long time.

Our problem is that some jobs could last longer than the AFS token lifetime. Once this lifetime has expired, jobs cannot access AFS filesystems anymore and will abort.

My idea is to implement a new functionality in our Batch system: the capacity for "Token regeneration".
My first idea was to:
* store the Master Key K/M at REALM in a KeyTab.
* store the TGT somewhere once the user has been granted the TGT (on the client side).
* once the Token is going to expire, I would like to read the K/M from the KeyTab and use it to decrypt the user TGT stored at the previous step.
* once the user TGT has been decrypted with the K/M I will then be able to modify the expiration time and other fields.

I still have many questions about details:
* the stash file is used to decrypt the DataBase, isn't it?
* Every DataBase entry is encrypted with the Master Key, isn't it?
* On the KDC side, the TGT is decrypted with the Master Key in the DataBase (is this the K/M at REALM entry?)
* when the TGT is in the client cache, the TGT is encrypted with the user password, isn't it?
* If I have my K/M in a KeyTab, am I able to decrypt the TGT stored in the client cache?

Is this possible?
Any other is accepted...

Thanks in advance for your help :)

--
Remi Ferrand              | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80  | et de Physique des Particules
Fax. +33(0)4.72.69.41.70  | Centre de Calcul - http://cc.in2p3.fr/

From simon at sxw.org.uk Tue Sep 29 05:00:00 2009
From: simon at sxw.org.uk (Simon Wilkinson) Date: Tue, 29 Sep 2009 11:00:00 +0200 Subject: Hack Kerberos / AFS In-Reply-To: <4AC1C5D4.8040903@cc.in2p3.fr> References: <4AC1C5D4.8040903@cc.in2p3.fr> Message-ID:

On 29 Sep 2009, at 10:31, Remi Ferrand wrote:

> Hi,
>
> I need help to create a little hack on Kerberos / AFS.

You'd be much better off asking this question on the openafs-devel list, to which I've directed follow-ups. This is definitely off-topic for krb-devel, and is actually not particularly Kerberos dependent at all.

> My final aim is to forge Tokens (Ticket Granting Server for AFS
> (Andrew File System)) without any passwords from the users (directly
> with the Master Key).

You don't need to use the Kerberos master key for this - you can forge AFS tokens using just the afs/@ key that's stored in your servers' keyfiles. The daemon that lives behind gssklog already forges AFS tokens - that's probably a good location to look for code.

Hope that helps,

Simon.

> Our production system works as follows:
> - the client SSHes onto a machine and is granted an AFS Token obtained
> with aklog.
> At this very step, the user has the Ticket Granting Ticket krbtgt/
> REALM at REALM and the afs/cell at REALM Ticket Granting Service.
> It also has an AFS Token obtained with aklog.
> - the user will then submit a job to our Batch system.
> - the job will be processed X hours/minutes later and could last a
> long time.
>
> Our problem is that some jobs could last longer than the AFS token
> lifetime.
> Once this lifetime has expired, jobs cannot access AFS filesystems
> anymore and will abort.
>
> My idea is to implement a new functionality in our Batch system:
> the capacity for "Token regeneration".
> My first idea was to:
> * store the Master Key K/M at REALM in a KeyTab.
> * store the TGT somewhere once the user has been granted the TGT (on
> the client side).
> * once the Token is going to expire, I would like to read the K/M
> from the KeyTab and use it to decrypt the user TGT stored at the
> previous step.
> * once the user TGT has been decrypted with the K/M I will then be
> able to modify the expiration time and other fields.
>
> I still have many questions about details:
> * the stash file is used to decrypt the DataBase, isn't it?
> * Every DataBase entry is encrypted with the Master Key, isn't it?
> * On the KDC side, the TGT is decrypted with the Master Key in the
> DataBase (is this the K/M at REALM entry?)
> * when the TGT is in the client cache, the TGT is encrypted with the
> user password, isn't it?
> * If I have my K/M in a KeyTab, am I able to decrypt the TGT stored
> in the client cache?
>
> Is this possible?
> Any other is accepted...
>
> Thanks in advance for your help :)
>
>
> --
>
> Remi Ferrand              | Institut National de Physique Nucleaire
> Tel. +33(0)4.78.93.08.80  | et de Physique des Particules
> Fax. +33(0)4.72.69.41.70  | Centre de Calcul - http://cc.in2p3.fr/

From Volker.Lendecke at SerNet.DE Tue Sep 29 04:40:19 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue, 29 Sep 2009 10:40:19 +0200 Subject: Hack Kerberos / AFS In-Reply-To: <4AC1C5D4.8040903@cc.in2p3.fr> References: <4AC1C5D4.8040903@cc.in2p3.fr> Message-ID:

On Tue, Sep 29, 2009 at 10:31:16AM +0200, Remi Ferrand wrote:
> Is this possible?
> Any other is accepted...

You might want to install Samba with the fake-kaserver option and look at the net afs key and net afs impersonate commands.

Volker

From shadow at gmail.com Tue Sep 29 05:04:44 2009
From: shadow at gmail.com (Derrick Brashear) Date: Tue, 29 Sep 2009 05:04:44 -0400 Subject: [OpenAFS-devel] Re: Hack Kerberos / AFS In-Reply-To: References: <4AC1C5D4.8040903@cc.in2p3.fr> Message-ID:

On Tue, Sep 29, 2009 at 5:00 AM, Simon Wilkinson wrote:
>
> On 29 Sep 2009, at 10:31, Remi Ferrand wrote:
>
>> Hi,
>>
>> I need help to create a little hack on Kerberos / AFS.
>
> You'd be much better off asking this question on the openafs-devel list, to
> which I've directed follow-ups. This is definitely off-topic for krb-devel, and
> is actually not particularly Kerberos dependent at all.
>
>> My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew
>> File System)) without any passwords from the users (directly with the Master
>> Key).
>
> You don't need to use the Kerberos master key for this - you can forge AFS
> tokens using just the afs/@ key that's stored in your servers' keyfiles.
> The daemon that lives behind gssklog already forges AFS tokens -
> that's probably a good location to look for code.

aklog includes such a thing based on heimdal kimpersonate

From akozlov at MIT.EDU Tue Sep 29 16:10:37 2009
From: akozlov at MIT.EDU (Alexander Kozlov) Date: Tue, 29 Sep 2009 16:10:37 -0400 Subject: FW: Fwd:Windows 7 Kerb bug Message-ID: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu>

Hi,

We run the Windows 7 release project and got this report about a Kerberos client issue with Windows 7. Are there any plans to update the client, or has the Windows client been discontinued? Can you provide us with an update on any plans for a new client?

Thanks,
Alex
_________________
Important: MIT IT staff will *NEVER* ask you for your password, nor will MIT send you email requesting your password information. Please continue to ignore any email messages that claim to require you to provide such information.

Alexander Kozlov
Windows Platform Coordinator
Software Release Team
Information Services and Technology
N42-250C
(617) 253-5103

-----Original Message-----
From: Patrick M McNeal [mailto:mcneal at MIT.EDU]
Sent: Friday, September 25, 2009 10:39 AM
To: akozlov at mit.edu
Subject: Fwd:Windows 7 Kerb bug

FYI

Begin forwarded message:

> From: Arthur P Prokosch
> Date: September 25, 2009 10:22:39 AM EDT
> To: "mcneal at mit.edu"
> Subject: MacOS 10.6 licenses? and, Windows 7 Kerb bug
>
> Also, I wanted to pass on a report that we had of Kerberos for Windows
> hogging CPU and refusing to quit under Windows 7. Can you direct it to
> the right place (MIT's "manager of the Microsoft PSS account" was
> suggested), or is there somewhere else I should email this report to?
>
> Ridiculous amounts of detail follows.
> Thanks,
> -arthur.
>
> Subject: Bug in Windows 7 RTM causing netidmgr to max out CPU and
> can't be killed
> Date: Thu, 20 Aug 2009 10:19:53 -0400
> To: help at csail.mit.edu
> From: Johnny Russ
>
> I am running Windows 7 on my machine at home. I know that it isn't
> supported by you guys obviously. However, I was having a problem with
> Network Identity Manager becoming unresponsive sometimes, so I contacted
> the kerberos mailing list and Jeffrey Altman helped me track down a bug.
> Our conversation is detailed below. He came to the conclusion that this is
> a Windows 7 bug and said that the best way to file it is through the
> individual that manages the Microsoft PSS at MIT. I couldn't figure out
> who this was. So I thought I would pass this along to TIG in hopes that
> the info can get to the right person. Also I thought you might want to
> know so that maybe some problems can be avoided when Windows 7 gets more
> popular in a few months.
>
>
>
> Forwarded conversation
> Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
> ------------------------
>
> From: *Johnny Russ*
> Date: Sat, Aug 15, 2009 at 3:40 PM
> To: kerberos at mit.edu
>
>
> I have a desktop PC running Windows 7 32-bit and a laptop running
> Windows 7 64-bit. I use Kerberos and Network Identity Manager to
> access my AFS files. Everything seems to work fine. Except that
> randomly (every few days or so) I will notice my CPU is maxed out.
> When I check the task manager netidmgr.exe and explorer.exe will be
> the 2 processes that are maxing out the CPU. This usually happens when
> I am not even directly using netidmgr or AFS. I cannot kill them from
> task manager, with taskkill, or with pskill from sysinternals. I have
> to reboot to stop them from maxing out the CPU.
>
> I realize that Windows 7 is not officially supported or even
> officially released yet, but it will be soon. Network Identity
> Manager, Kerberos, and AFS all seem to work fine without any issues. I
> was just curious if anybody else is running Windows 7 and seeing this
> issue. How can I confirm that this is actually a bug when running
> under Windows 7? Or even better any ideas how to avoid it would be
> appreciated.
>
> ---------
>
> From: *Johnny Russ*
> Date: Tue, Aug 18, 2009 at 7:35 PM
> To: netidmgr at secure-endpoints.com
>
>
> Here is a process monitor log file. I have filtered out everything but
> explorer.exe, netidmgr.exe and afsd_service.exe. I had to truncate the
> log file because it was too big. After what I have in the log file
> explorer.exe continuously puts out the "CreateFile" operations with
> the "NAME NOT FOUND" result. I don't see any more events from
> netidmgr or afsd_service. Let me know if there is something else I can
> provide.
>
> ----------
> From: *Jeffrey Altman*
> Date: Tue, Aug 18, 2009 at 8:22 PM
> To: jruss at mit.edu, netidmgr at secure-endpoints.com
>
>
> afsd_service.exe is writing frequently to the Windows Application Event
> Log. What events are being logged?
>
> ----------
> From: *Jeffrey Altman*
> Date: Tue, Aug 18, 2009 at 8:25 PM
> To: jruss at mit.edu, netidmgr at secure-endpoints.com
>
>
> I do not see a lot of activity from netidmgr.exe but I do see a ton from
> explorer.exe. Explorer.exe is attempting to open
> C:\Windows\CSC\v2.0.6\namespace\afs which might imply that \\AFS was
> marked for use as an offline folder. Can you check that?
>
> ----------
> From: *Johnny Russ*
> Date: Wed, Aug 19, 2009 at 9:26 AM
> To: netidmgr at secure-endpoints.com
>
>
> I have attached an event file for the events that AFS was triggering
> at the time I created the process monitor log. It is a "Warning" and
> it says, "Unable to Send SMB Packet: NRC_SABORT session ended
> abnormally."
>
> ----------
> From: *Jeffrey Altman*
> Date: Wed, Aug 19, 2009 at 9:32 AM
> To: jruss at mit.edu
>
>
> What is the output of "nbtstat -n" and "nbtstat -S" at the time of the
> error?
>
> Please also send the afsd_init.log at the time of the error.
>
> ----------
> From: *Johnny Russ*
> Date: Wed, Aug 19, 2009 at 9:34 AM
> To: netidmgr at secure-endpoints.com
>
>
> On Tue, Aug 18, 2009 at 8:25 PM, Jeffrey
> I am not able to access that folder. I can get to C:\Windows\CSC but
> when I try to enter v2.0.6 it says that I don't have authorization,
> even with administrative privileges. If I go into the security
> settings it says I am not authorized to see that either. It says that
> it is unable to show me who the owner is. I could try taking ownership
> but I didn't want to do that, because I don't really know what the
> function of that folder is.
>
> I looked at the standard offline folders dialogue, and I don't see any
> reference to AFS in my current offline folders. There is an entry for
> "jruss" which may refer to my local home directory or to the one I
> have mapped via AFS; I couldn't find any way to tell. But it is empty.
>
> ----------
> From: *Johnny Russ*
> Date: Wed, Aug 19, 2009 at 9:38 AM
> To: jaltman at secure-endpoints.com
>
>
> I will have to wait to recreate the problem before I can check these.
> Here are the entries from afsd_init.log just prior to when I took the
> log from process monitor:
>
> 8/18/2009 6:40:57 PM: smb_LanAdapterChange
> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_BRIDGE, retrying ...
> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_NOWILD, retrying ...
>
> ----------
> From: *Jeffrey Altman*
> Date: Wed, Aug 19, 2009 at 9:45 AM
> To: jruss at mit.edu
>
>
> The netbios name mapping for the "AFS" name has been lost. Attempts to
> contact \\AFS will fail. My guess is that the SMB redirector is forcing
> offline mode and this is causing pioctl requests to fail in a weird way.
>
> This may be a change in behavior / bug in the Microsoft SMB redirector.
>
> The next time the problem occurs I want you to add the following value
> to the registry
>
> HKLM\SOFTWARE\OpenAFS\Client DWORD "IoctlDebug" 0x01
>
> and then from a command prompt execute "tokens" and then send me the
> output.
>
>
> ----------
> From: *Johnny Russ*
> Date: Thu, Aug 20, 2009 at 9:09 AM
> To: jaltman at secure-endpoints.com
>
>
> Sorry, everything behaved fine all day yesterday. This morning things
> are off again but it is only explorer.exe that is eating CPU cycles. I
> can get kerberos tickets but no AFS tokens in Network Identity
> Manager. I checked the afsd_init.log and it had that same error at the
> very bottom. I checked and the AFS service is running. Here are the
> outputs from the terminal that you requested:
>
> C:\Users\jruss>nbtstat -n
>
> AFS:
> Node IpAddress: [10.254.254.253] Scope Id: []
>
>                 NetBIOS Local Name Table
>
>        Name               Type         Status
>     ---------------------------------------------
>     OPTIMUS        <00>  UNIQUE      Registered
>     RUSSHOME       <00>  GROUP       Registered
>     RUSSHOME       <1E>  GROUP       Registered
>     RUSSHOME       <1D>  UNIQUE      Registered
>     ..__MSBROWSE__.<01>  GROUP       Registered
>     AFS            <20>  UNIQUE      Registered
>
> C:\Users\jruss>nbtstat -S
>
> AFS:
> Node IpAddress: [10.254.254.253] Scope Id: []
>
>                 NetBIOS Connection Table
>
> Local Name   State       In/Out   Remote Host   Input   Output
> ----------------------------------------------------------------------------
> AFS          Listening
>
> C:\Users\jruss>tokens
>
> Tokens held by the Cache Manager:
>
> pioctl CreateFile(\\afs\all\_._AFS_IOCTL_._) failed: 0x40
> [The specified network name is no longer available.
> ]
> pioctl SamCompatible logon user: [Optimus\jruss]
> pioctl WNetAddConnection2(\\afs,Optimus\jruss) failed: 0x40
> pioctl WNetAddConnection2(\\afs\all,Optimus\jruss) failed: 0x40
> AFS device may not have started
>
> ----------
> From: *Jeffrey Altman*
> Date: Thu, Aug 20, 2009 at 9:32 AM
> To: jruss at mit.edu
>
>
> This is a bug in Windows 7. Please file a bug report with Microsoft.
> Notice that "AFS" is a registered Netbios name on the adapter with
> address 10.254.254.253 and yet attempts to access \\afs\all\ fail with
>
> Jeffrey Altman
>
> ----------
> From: *Johnny Russ*
> Date: Thu, Aug 20, 2009 at 9:43 AM
> To: jaltman at secure-endpoints.com
>
>
> Thanks for helping me track this down. Would it be worthwhile posting
> this with OpenAFS? What is the best way to file a bug with Microsoft?
>
> ----------
> From: *Jeffrey Altman*
> Date: Thu, Aug 20, 2009 at 9:51 AM
> To: jruss at mit.edu
>
>
> There is nothing that I can do as OpenAFS Gatekeeper on this issue until
> a bug is filed with Microsoft.
> The best way for it to be filed would be for the manager of the
> Microsoft PSS account at MIT to do so.
> Otherwise, you can file it as an individual.
>
> Jeffrey Altman

--Patrick

From redelson at MIT.EDU Tue Sep 29 16:13:57 2009
From: redelson at MIT.EDU (Richard Edelson) Date: Tue, 29 Sep 2009 16:13:57 -0400 Subject: Fwd:Windows 7 Kerb bug In-Reply-To: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> References: <42553961FD54AE41BF83834CB917221F0313AD8316@w92expo2.exchange.mit.edu> Message-ID: <8DD7AD829AB61E499A433D6E558110A30843813D@EXPO7.exchange.mit.edu>

I have a separate installer the pismere build machine made of 2.6.5 which works fine; it's on DFS:

\\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi

__________________________________________
Richard Edelson
Network & Infrastructure Services Team
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue Room W92-168
Cambridge, MA 02139
617-253-3347
redelson at mit.edu

-----Original Message-----
From: Alexander Kozlov [mailto:akozlov at MIT.EDU] Sent: Tuesday, September 29, 2009 4:11 PM To: kerberos at mit.edu Cc: windows7-release at mit.edu Subject: FW: Fwd:Windows 7 Kerb bug Hi, We run Windows 7 release project and got this report about Kerberos client issue with Windows 7. Are there any plans to update the client or windows client has been discontinued? Can you provide us with an update on any plans on a new client? Thanks, Alex _________________ Important: MIT IT staff will *NEVER* ask you for your password, nor will MIT send you email requesting your password information. Please continue to ignore any email messages that claim to require you to provide such information. Alexander Kozlov Windows Platform Coordinator Software Release Team Information Services and Technology N42- 250C (617) 253-5103 -----Original Message----- From: Patrick M McNeal [mailto:mcneal at MIT.EDU] Sent: Friday, September 25, 2009 10:39 AM To: akozlov at mit.edu Subject: Fwd:Windows 7 Kerb bug FWI Begin forwarded message: > From: Arthur P Prokosch > Date: September 25, 2009 10:22:39 AM EDT > To: "mcneal at mit.edu" > Subject: MacOS 10.6 licenses? and, Windows 7 Kerb bug > > Also, I wanted to pass on a report that we had of Kerberos for Windows > hogging CPU and refusing to quit under Windows 7. Can you direct it > to > the right place (MIT's "manager of the Microsoft PSS account" was > suggested), or is there somewhere else I should email this report to? > > Ridiculous amounts of detail follows. > Thanks, > -arthur. > > Subject: Bug in Windows 7 RTM causing netidmgr to max out CPU and > can't be killed > Date: Thu, 20 Aug 2009 10:19:53 -0400 > To: help at csail.mit.edu 
> From: Johnny Russ > > I am running Windows 7 on my machine at home. I know that it isn't > supported by you guys obviously. However, I was having a problem with > network identity manger becoming unresponsive sometimes, so I > contacted > the kerberos mailing list and Jeffrey Altman helped me track down a > bug. > Our conversation is detailed below. He came to the conclusion that > this is > a Windows 7 bug and said that best way to file it is through the > individual that manages the Microsoft PSS at MIT. I couldn't figure > out > who this was. So I thought I would pass this along to TIG in hopes > that > the info can get to the right person. Also I thought you might want to > know so that maybe some problems can be avoided when Windows 7 gets > more > popular in a few months. > > > > Forwarded conversation > Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM > ------------------------ 
> > From: *Johnny Russ* > Date: Sat, Aug 15, 2009 at 3:40 PM > To: kerberos at mit.edu > > > I have a desktop PC running Windows 7 32-bit and a laptop running > Windows 7 64-bit. I use kerberos and network identity manager to > access my AFS files. Everything seems to work fine. Except that > randomly (every few days or so) I will notice my CPU is maxed out. > When I check the task manager netidmgr.exe and explorer.exe will be > the 2 processes that are maxing out the CPU. This usually happens when > I am not even directly using netidmgr or AFS. I cannot kill them from > task manager, with taskkill, or with pskill from sysinternals. I have > to reboot to stop them from maxing out the CPU. > > I realize that Windows 7 is not officially supported or even > officially released yet, but it will be soon. Network Identity > Manager, Kerberos, and AFS all seem to work fine without any issues. I > was just curious if anybody else is running Windows 7 and seeing this > issue. How can I confirm that this is actually a bug when running > under Windows 7? Or even better any ideas how to avoid it would be > appreciated. > > --------- > > From: *Johnny Russ* > Date: Tue, Aug 18, 2009 at 7:35 PM > To: netidmgr at secure-endpoints.com > > > Here is a process monitor log file. I have filtered out everything but > exporer.exe netidmgr.exe and afsd_service.exe. I had to truncate the > log file because it was too big. After what I have in the log file > explorer.exe continuously puts out the "CreateFile" operations with > the "NAME NOT FOUND" result. I don't seen any more events from > netidmgr or afsd_service. Let me know if there is something else I can > provide. > > ---------- > From: *Jeffrey Altman* > Date: Tue, Aug 18, 2009 at 8:22 PM > To: jruss at mit.edu, netidmgr at secure-endpoints.com > > > afsd_service.exe is writing frequently to the Windows Application > Event > Log. What events are being logged? > > ---------- 
> From: *Jeffrey Altman* > Date: Tue, Aug 18, 2009 at 8:25 PM > To: jruss at mit.edu, netidmgr at secure-endpoints.com > > > I do not see a lot of activity from netidmgr.exe but I do see a ton > from > explorer.exe. Explorer.exe is attempting to open > C:\Windows\CSC\v2.0.6\namespace\afs which might imply that \\AFS was > marked for use as an offline folder. Can you check that? > > ---------- > From: *Johnny Russ* > Date: Wed, Aug 19, 2009 at 9:26 AM > To: netidmgr at secure-endpoints.com > > > I have attached an event file for the events that AFS was triggering > at the time I created the process monitor log. It is a "Warning" and > it says, "Unable to Send SMB Packet: NRC_SABORT session ended > abnormally." > > ---------- > From: *Jeffrey Altman* > Date: Wed, Aug 19, 2009 at 9:32 AM > To: jruss at mit.edu > > > what is the output of "nbtstat -n" and "nbtstat -S" at the time of the > error? > > Please also send the afsd_init.log at the time of the error. > > ---------- > From: *Johnny Russ* > Date: Wed, Aug 19, 2009 at 9:34 AM > To: netidmgr at secure-endpoints.com > > > On Tue, Aug 18, 2009 at 8:25 PM, Jeffrey > I am not able to access that folder. I can get to C:\Windows\CSC but > when I try to enter v2.0.6 it says that I don't have authorization, > even with administrative privileges. If I go into the security > settings it says I am not authorized to see that either. It says that > it is unable to show me who the owner is. I could try taking ownership > but I didn't want to do that, because I don't really know what the > function of that folder is. > > I looked at the standard offline folders dialogue, and I don't see any > reference to AFS in my current offline folders. There is and entry for > "jruss" which may refer to my local home directory or to the one I > have mapped via AFS I couldn't find any way to tell. But it is empty. > > ---------- 
> From: *Johnny Russ*
> Date: Wed, Aug 19, 2009 at 9:38 AM
> To: jaltman at secure-endpoints.com
>
> I will have to wait to recreate the problem before I can check these. Here are the entries from afsd_init.log just prior to when I took the log from process monitor:
>
> 8/18/2009 6:40:57 PM: smb_LanAdapterChange
> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_BRIDGE, retrying ...
> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_NOWILD, retrying ...
>
> ----------
> From: *Jeffrey Altman*
> Date: Wed, Aug 19, 2009 at 9:45 AM
> To: jruss at mit.edu
>
> The netbios name mapping for the "AFS" name has been lost. Attempts to contact \\AFS will fail. My guess is that the SMB redirector is forcing offline mode and this is causing pioctl requests to fail in a weird way.
>
> This may be a change in behavior / bug in the Microsoft SMB redirector.
>
> The next time the problem occurs I want you to add the following value to the registry
>
> HKLM\SOFTWARE\OpenAFS\Client DWORD "IoctlDebug" 0x01
>
> and then from a command prompt execute "tokens" and then send me the output.
>
> ----------
> From: *Johnny Russ*
> Date: Thu, Aug 20, 2009 at 9:09 AM
> To: jaltman at secure-endpoints.com
>
> Sorry, everything behaved fine all day yesterday. This morning things are off again but it is only explorer.exe that is eating CPU cycles. I can get kerberos tickets but no AFS tokens in Network Identity Manager. I checked the afsd_init.log and it had that same error at the very bottom. I checked and the AFS service is running. Here are the outputs from the terminal that you requested:
>
> C:\Users\jruss>nbtstat -n
>
> AFS:
> Node IpAddress: [10.254.254.253] Scope Id: []
>
>                 NetBIOS Local Name Table
>
>        Name               Type         Status
>     ---------------------------------------------
>     OPTIMUS        <00>  UNIQUE      Registered
>     RUSSHOME       <00>  GROUP       Registered
>     RUSSHOME       <1E>  GROUP       Registered
>     RUSSHOME       <1D>  UNIQUE      Registered
>     ..__MSBROWSE__.<01>  GROUP       Registered
>     AFS            <20>  UNIQUE      Registered
>
> C:\Users\jruss>nbtstat -S
>
> AFS:
> Node IpAddress: [10.254.254.253] Scope Id: []
>
>     NetBIOS Connection Table
>
>     Local Name         State       In/Out   Remote Host       Input    Output
>     ----------------------------------------------------------------------------
>     AFS                Listening
>
> C:\Users\jruss>tokens
>
> Tokens held by the Cache Manager:
>
> pioctl CreateFile(\\afs\all\_._AFS_IOCTL_._) failed: 0x40
> [The specified network name is no longer available. ]
> pioctl SamCompatible logon user: [Optimus\jruss]
> pioctl WNetAddConnection2(\\afs,Optimus\jruss) failed: 0x40
> pioctl WNetAddConnection2(\\afs\all,Optimus\jruss) failed: 0x40
> AFS device may not have started
>
> ----------
> From: *Jeffrey Altman*
> Date: Thu, Aug 20, 2009 at 9:32 AM
> To: jruss at mit.edu
>
> This is a bug in Windows 7. Please file a bug report with Microsoft. Notice that "AFS" is a registered Netbios name on the adapter with address 10.254.254.253 and yet attempts to access \\afs\all\ fail with
>
> Jeffrey Altman
>
> ----------
> From: *Johnny Russ*
> Date: Thu, Aug 20, 2009 at 9:43 AM
> To: jaltman at secure-endpoints.com
>
> Thanks for helping me track this down. Would it be worthwhile posting this with OpenAFS? What is the best way to file a bug with Microsoft?
>
> ----------
> From: *Jeffrey Altman*
> Date: Thu, Aug 20, 2009 at 9:51 AM
> To: jruss at mit.edu
>
> There is nothing that I can do as OpenAFS Gatekeeper on this issue until a bug is filed with Microsoft.
> The best way for it to be filed would be for the manager of the Microsoft PSS account at MIT to do so.
> Otherwise, you can file it as an individual.
>
> Jeffrey Altman

--Patrick

From dan.searle at censornet.com Wed Sep 30 05:23:09 2009 
From: dan.searle at censornet.com (Dan Searle)
Date: Wed, 30 Sep 2009 10:23:09 +0100
Subject: msktutil HTTP service principal ticket help
Message-ID: <4AC3237D.60001@censornet.com>

Hi,

I'm new to Kerberos and don't fully appreciate its complexities so please excuse my ignorance.

I'm using msktutil to create a service principal for authenticating users of a squid proxy server with Active Directory (server version 2008 R2) using the Negotiate (Kerberos) method.

This all works fine, however I'm at a loss as to whether I should be or need to periodically refresh (update) the HTTP service principal keytab.

I have had some instances where the keytab generated by msktutil seemingly works indefinitely (for days at a time) without the need to refresh the keytab. However, in other instances (different AD servers), after a while (a few hours or days) the authentication stops working and I have to refresh (update) the keytab using msktutil again. In the failed instances, I use the squid negotiate auth test program, then run the token through the squid helper process and I get an error similar to: Token header is malformed or corrupt.

Why is this? Should the service principal keys in a keytab file last forever? What settings in AD would affect this?

Regards, Dan...

--
Dan Searle
CensorNet Ltd - professional & affordable Web & E-mail filtering
email: dan.searle at censornet.com web: www.censornet.com
tel: 0845 230 9590 / fax: 0845 230 9591 / support: 0845 230 9592
snail: The Old Post Office, Bristol Rd, Hambrook, Bristol BS16 1RY. UK.
CensorNet Ltd is a registered company in England & Wales No. 05518629 VAT registration number 901-2048-78
Any views expressed in this email communication are those of the individual sender, except where the sender specifically states them to be the views of a member of Censornet Ltd. Censornet Ltd.
does not represent, warrant or guarantee that the integrity of this communication has been maintained nor that the communication is free of errors or interference.

From huaraz at moeller.plus.com Wed Sep 30 17:40:02 2009 
From: huaraz at moeller.plus.com (Markus Moeller)
Date: Wed, 30 Sep 2009 22:40:02 +0100
Subject: msktutil HTTP service principal ticket help
In-Reply-To: <4AC3237D.60001@censornet.com>
References: <4AC3237D.60001@censornet.com>
Message-ID:

Is the AD account which you used for the HTTP principal used for samba too or used in any other way? (e.g. do you use net ads join and msktutil --computer-name?)

Is the kvno in AD still the same?

Markus

"Dan Searle" wrote in message news:4AC3237D.60001 at censornet.com...
> [quoted text of Dan's message above omitted]
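Markus's two questions point at one failure mode. msktutil writes the AD account's keys into the keytab together with the key version number (kvno) AD assigned to them, and the keys themselves never expire. Anything else that resets that account's password (samba rotating a machine account password it shares after net ads join, an administrator reset, msktutil run again from a second host) increments the account's msDS-KeyVersionNumber in AD. From then on the KDC issues service tickets under the new key, the old keytab can no longer decrypt them, and the proxy rejects Kerberos tokens until the keytab is regenerated. A client that cannot complete Kerberos will often fall back to an NTLM token, which is one thing the GSS-API layer reports as "Token header is malformed or corrupt", so that message is a symptom one step removed from the keytab. The following is an added example, not code from this thread, from msktutil or from squid: it parses an MIT-format keytab, reports the kvno held for each principal, and flags principals whose keytab kvno is behind the value AD holds. The principal names, the keytab bytes built by build_sample_keytab() and the AD kvno values the caller passes in are all constructed for the example; on a real host the AD values come from the account's msDS-KeyVersionNumber attribute.

```python
"""Keytab kvno check: parse an MIT-format keytab and flag principals whose
newest key is older than the version Active Directory holds.

Added example for this thread; not code from msktutil, squid or the posters.
Assumed (not from the thread): the principal names, the keytab bytes built by
build_sample_keytab(), and the AD kvno values the caller supplies (in practice
the account's msDS-KeyVersionNumber attribute).
"""
import struct

# MIT keytab layout (file version 0x0502): 2-byte magic, then entries of
#   int32 size | uint16 ncomp | realm | ncomp x component | uint32 name_type
#   | uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key
#   | [uint32 vno32 if bytes remain; overrides vno8 when non-zero]
# realm and components are uint16 length-prefixed strings; a negative size
# marks a deleted slot of that many bytes.
KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(principal: str, kvno: int, enctype: int,
                       key: bytes, timestamp: int) -> bytes:
    """Serialise one entry; used here only to construct sample input."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)            # 32-bit kvno, as MIT writes it
    return struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> list:
    """Return [(principal, kvno, enctype), ...] for every live entry."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                           # deleted slot: skip it
            pos += -size
            continue
        entry, p = blob[pos:pos + size], 0
        pos += size
        (ncomp, rlen) = struct.unpack(">HH", entry[p:p + 4]); p += 4
        realm = entry[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            comps.append(entry[p:p + clen].decode()); p += clen
        p += 8                                 # name_type + timestamp
        kvno = entry[p]; p += 1                # 8-bit kvno
        (enctype, klen) = struct.unpack(">HH", entry[p:p + 4]); p += 4 + klen
        if p + 4 <= len(entry):                # optional 32-bit kvno
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            kvno = vno32 or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def stale_principals(blob: bytes, ad_kvno: dict) -> dict:
    """principal -> (keytab kvno, AD kvno) for principals whose newest keytab
    key is behind AD, i.e. the account password changed after the keytab was
    written. Principals not present in ad_kvno are ignored."""
    newest = {}
    for princ, kvno, _ in parse_keytab(blob):
        newest[princ] = max(kvno, newest.get(princ, 0))
    return {p: (k, ad_kvno[p]) for p, k in newest.items()
            if p in ad_kvno and k < ad_kvno[p]}


def build_sample_keytab() -> bytes:
    """Constructed sample: an HTTP principal at kvno 3 with two enctypes and a
    host principal at kvno 5 (hypothetical names, dummy key bytes)."""
    ts = 1254000000                            # fixed timestamp, deterministic
    http = "HTTP/proxy.example.com@EXAMPLE.COM"
    host = "host/proxy.example.com@EXAMPLE.COM"
    return (KEYTAB_MAGIC
            + build_keytab_entry(http, 3, 23, b"\x11" * 16, ts)   # rc4-hmac
            + build_keytab_entry(http, 3, 18, b"\x22" * 32, ts)   # aes256-cts
            + build_keytab_entry(host, 5, 18, b"\x33" * 32, ts))


if __name__ == "__main__":
    kt = build_sample_keytab()
    for princ, kvno, etype in parse_keytab(kt):
        print(f"{princ}  kvno={kvno}  enctype={etype}")
    # AD has since reset the HTTP account's password: its kvno is now 4.
    print(stale_principals(kt, {"HTTP/proxy.example.com@EXAMPLE.COM": 4,
                                "host/proxy.example.com@EXAMPLE.COM": 5}))
```

Without any code, `klist -kte /path/to/keytab` prints the same kvno column, and an ldapsearch for the account's msDS-KeyVersionNumber against a domain controller gives the AD side. A stale result is fixed by regenerating the keytab (`msktutil --update` with the same options used to create it); if it keeps going stale, the fix is to find the other process changing the account password, which is what Markus's samba question is about, and give samba and the proxy separate AD accounts. The 32-bit kvno field matters for AD accounts in particular, since AD key versions can exceed 255 and the 8-bit field then wraps.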