krshd, groups and Irix

pat pat bo_em_2003 at
Wed Oct 8 16:19:36 EDT 2003

Hi all... I have a problem with krshd and IRIX. I do not understand why, in the case of an SGI machine, the call to initgroups is not done. In krshd.c we find:

    #ifndef sgi
        if (getuid() == 0 || getuid() != pwd->pw_uid) {
            /* For testing purposes, we don't call initgroups if we
               already have the right uid, and it is not root.  This is
               because on some systems initgroups outputs an error message
               if not called by root.  */
            initgroups(pwd->pw_name, pwd->pw_gid);
        }
    #endif

As a consequence, I only have my primary group on the destination machine:

    mach1% groups
    g4 www krb
    mach1% rsh mach2 groups
    g4
    mach1%

Has anyone encountered that?

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Fri Oct 10 16:05:01 2003
Subject: RE: Kerberos Implementation in a distributed Windows environment
To: sanford.sham at, kerberos at


Is it possible for you to use a unique Kerberos principal for each service on the EAI boxes? This would avoid replay attack detection issues.

Thanks, Tim.

-----Original Message-----
From: sanford.sham at [mailto:sanford.sham at] 
Sent: 08 October 2003 00:52
To: kerberos at
Subject: Re: Kerberos Implementation in a distributed Windows environment


I'm just writing to ask a question, currently related to my project.

We are trying to implement Kerberos security in our distributed Windows environment. We have more than one dedicated Windows 2k box (let's call them EAI boxes) that are used to communicate with WebSphere servers, using Kerberos tickets etc.

We have more than one EAI box online at any given time. All the NT services are hosted under the same Windows domain account. Basically, it's as if the same domain account is used to host multiple services, on multiple machines.

The problem comes when simultaneous transactions are conducted. Let's say all EAI boxes fire transactions to the same WebSphere services at the same time. Since they are hosted by the same domain account, the user that is seen on the Kerberos ticket is the same. Also, since they are fired at the same time, the timestamp is the same (or very close). Therefore, after receiving the first transaction, WebSphere rejects all subsequent transactions on the basis of duplicate Kerberos tickets being sent (or replay).

Microsoft says that there is nothing they can do to fix this. They argue that the standard specifies that only [Client Id, Timestamp] is used in the authenticator, and they would not modify this to make the authenticator more unique.

Can you provide a view on this? Thanks very much for your help.


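A small model of the replay check discussed in this thread, added here as an illustration and not code from the thread or from any Kerberos implementation. It keys the cache on the client principal and client timestamp as the original message describes (real implementations also fold in the server principal and other authenticator fields, so exact behaviour varies); the principal names and clock values are constructed.

```python
"""Replay-detection model for the scenario in this thread (illustrative
only): every EAI host authenticates with the same principal, so several
authenticators carrying the same (client, timestamp) arrive together."""
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; the conventional 5-minute Kerberos skew limit


@dataclass(frozen=True)
class Authenticator:
    client: str  # client principal name (constructed values below)
    ctime: int   # client time, whole seconds since the epoch
    cusec: int   # microsecond part of the client time


class ReplayCache:
    """Remembers authenticators seen inside the skew window and rejects
    a repeat, as an application server does before accepting an AP-REQ."""

    def __init__(self):
        self._seen = {}  # (client, ctime, cusec) -> server time when stored

    def accept(self, auth, now):
        # Drop entries that fell out of the window; anything that old is
        # already rejected by the timestamp check, so the cache stays small.
        self._seen = {k: t for k, t in self._seen.items()
                      if now - t <= CLOCK_SKEW}
        if abs(now - auth.ctime) > CLOCK_SKEW:
            return "KRB_AP_ERR_SKEW"     # clock too far off
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return "KRB_AP_ERR_REPEAT"   # looks like a replayed request
        self._seen[key] = now
        return "OK"


def simulate(principals, now=1_000_000_000):
    """Each listed principal sends one authenticator at the same instant
    to one server; returns the server's verdict per request."""
    cache = ReplayCache()
    return [cache.accept(Authenticator(p, now, 250_000), now)
            for p in principals]


if __name__ == "__main__":
    # Three EAI hosts sharing one account: only the first is accepted.
    print(simulate(["eai@EXAMPLE.COM"] * 3))
    # One principal per host (Tim's suggestion): all three are accepted.
    print(simulate([f"eai-host{i}@EXAMPLE.COM" for i in range(1, 4)]))
```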
