Login to AD 200 failed for some users

Chan Vu kerberos_seam99 at yahoo.com
Tue Sep 23 03:44:03 EDT 2003



Hi Uli & Ken,

I'm Chan from Vietnam. I tested SEAM 1.0 & krb5_1.2.7, which included the pam_krb5.so library as the Kerberos client. After creating a ticket and adding AD Windows 2000's users to /etc/passwd & /etc/shadow, I entered 2 user groups in /etc/shadow: valid password and invalid password:

I tried the valid password case first; the results are: 98% of users with a valid password can be authenticated successfully, and 2% with a valid password failed to authenticate with "krb5 error code 52".

In the invalid password case, users can enter any password to authenticate with the AD 2000 server.

Please help me solve this problem, thanks.

CHAN VM
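What "krb5 error code 52" is, as an added example that is not part of Chan's message or of SEAM/krb5: in RFC 4120 (section 7.5.9) code 52 is KRB_ERR_RESPONSE_TOO_BIG, the KDC's way of saying that its reply does not fit in a UDP datagram and that the client must retry over TCP; a client that does not retry surfaces the code as an authentication failure, and a reply typically grows past the UDP limit when the ticket carries a large authorization-data payload for that particular account. The script below decodes the error-code field of a raw DER-encoded KRB-ERROR so the code can be read straight from a capture or a debug dump; it builds its own constructed sample messages for the realm EXAMPLE.COM and service krbtgt/EXAMPLE.COM (assumed values, not taken from the thread). Python is used because the point is protocol decoding rather than the Solaris PAM stack.

```python
"""Decode the error-code of a Kerberos KRB-ERROR message (RFC 4120 section 5.9.1).

Added example, not from the mailing-list thread. It parses the minimal DER subset
that KRB-ERROR needs (low tag numbers, short and long length forms).
"""
from typing import Iterator, Tuple

# Selected error codes from RFC 4120 section 7.5.9.
KRB_ERROR_NAMES = {
    0: "KDC_ERR_NONE",
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER element at `pos`; return (tag byte, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not used in KRB-ERROR")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, contents) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def krb_error_code(msg: bytes) -> int:
    """Return the [6] error-code Int32 of a DER-encoded KRB-ERROR."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x7E or end != len(msg):      # [APPLICATION 30], no trailing bytes
        raise ValueError("not a KRB-ERROR message")
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    for ctag, cval in _children(seq):
        if ctag == 0xA6:                    # [6] error-code
            itag, ival, _ = _read_tlv(cval, 0)
            if itag != 0x02:
                raise ValueError("error-code is not an INTEGER")
            return int.from_bytes(ival, "big", signed=True)
    raise ValueError("KRB-ERROR has no error-code field")


def describe(msg: bytes) -> str:
    """Human-readable summary, with the retry hint for code 52."""
    code = krb_error_code(msg)
    text = f"krb5 error code {code} ({KRB_ERROR_NAMES.get(code, 'unknown')})"
    if code == 52:
        text += "; reply too large for UDP, client should retry over TCP"
    return text


# --- constructed sample messages (not captures): a tiny DER encoder -------------
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    n = max(1, (v.bit_length() + 8) // 8)   # minimal two's-complement length
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def build_krb_error(code: int, e_data: bytes = b"") -> bytes:
    """KRB-ERROR for krbtgt/EXAMPLE.COM (assumed realm) with the given error-code."""
    fields = (
        _tlv(0xA0, _der_int(5))                                  # [0] pvno
        + _tlv(0xA1, _der_int(30))                               # [1] msg-type KRB-ERROR
        + _tlv(0xA4, _tlv(0x18, b"20030923074403Z"))             # [4] stime
        + _tlv(0xA5, _der_int(0))                                # [5] susec
        + _tlv(0xA6, _der_int(code))                             # [6] error-code
        + _tlv(0xA9, _tlv(0x1B, b"EXAMPLE.COM"))                 # [9] realm
        + _tlv(0xAA, _tlv(0x30,                                  # [10] sname
            _tlv(0xA0, _der_int(2))                              # name-type NT-SRV-INST
            + _tlv(0xA1, _tlv(0x30, _tlv(0x1B, b"krbtgt") + _tlv(0x1B, b"EXAMPLE.COM")))))
    )
    if e_data:
        fields += _tlv(0xAC, _tlv(0x04, e_data))                 # [12] e-data OCTET STRING
    return _tlv(0x7E, _tlv(0x30, fields))


if __name__ == "__main__":
    print(describe(build_krb_error(52)))
```

The decoder deliberately walks the SEQUENCE by context tag rather than by position, because most KRB-ERROR fields are OPTIONAL and a real KDC omits the ones it has no value for; the long-form length handling matters for the same reason, since e-data alone can push a message past 127 bytes.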

 

 


---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

From kerberos_seam99 at yahoo.com Tue Sep 23 03:53:10 2003
From: Chan Vu <kerberos_seam99 at yahoo.com>
To: raeburn at MIT.EDU, uli.schroeder at gmx.net
Cc: kerberos at MIT.EDU
Date: Tue, 23 Sep 2003 00:53:09 -0700 (PDT)
Subject: Re: Login to AD 200 failed for some users
In-Reply-To: <20030923074403.19809.qmail at web60108.mail.yahoo.com>
Message-ID: <20030923075309.58602.qmail at web60109.mail.yahoo.com>

All,

For your information, I installed on Sun Solaris 2.7 & 2.8, with Windows AD 2000 users.

I want to use the valid password case of the /etc/shadow file.

regards,
CHAN VM


Chan Vu <kerberos_seam99 at yahoo.com> wrote:

> [quoted original message, identical to the first message in this thread]

From markus_moeller at compuserve.com Tue Sep 23 14:31:56 2003
From: "Markus Moeller" <markus_moeller at compuserve.com>
To: <kerberos at mit.edu>
Date: Tue, 23 Sep 2003 19:31:49 +0100
Subject: Patch for Simons openssh gssapi patch for multihomed systems
Message-ID: <001401c38200$f7749750$dfd17ad5 at home>

Here is a patch on top of Simon's gssapi patch for openssh 3.6.1p2 to support
multihomed systems.

Markus

[Attachment: openssh-3.6.1p-mm.patch]

*** canohost.c	2003-06-16 18:48:56.000000000 +0100=0A=
--- canohost_new.c	2003-09-23 17:38:33.000000000 +0100=0A=
***************=0A=
*** 26,31 ****=0A=
--- 26,104 ----=0A=
   * caller should free the returned string with xfree.=0A=
   */=0A=
  =0A=
+ const char *=0A=
+ get_local_hostname(int socket)=0A=
+ {=0A=
+         struct sockaddr_storage addr_6or4;=0A=
+         int i;=0A=
+         socklen_t addr_6or4_len;=0A=
+         char name[NI_MAXHOST], ntop[NI_MAXHOST];=0A=
+ =0A=
+         /* Get local IP address*/=0A=
+         addr_6or4_len =3D sizeof(addr_6or4);=0A=
+         memset(&addr_6or4, 0, sizeof(addr_6or4));=0A=
+         if (getsockname(socket, (struct sockaddr *) &addr_6or4, =
&addr_6or4_len) < 0) {=0A=
+                 debug("getsockname failed: %.100s", strerror(errno));=0A=
+                 fatal_cleanup();=0A=
+         }=0A=
+ #ifdef IPV4_IN_IPV6=0A=
+         if (addr_6or4.ss_family =3D=3D AF_INET6) {=0A=
+                 struct sockaddr_in6 *addr6 =3D (struct sockaddr_in6 =
*)&addr_6or4;=0A=
+ =0A=
+                 /* Detect IPv4 in IPv6 mapped address and convert it =
to */=0A=
+                 /* plain (AF_INET) IPv4 address */=0A=
+                 if (IN6_IS_ADDR_V4MAPPED(&addr6->sin6_addr)) {=0A=
+                         struct sockaddr_in *addr4 =3D (struct =
sockaddr_in *)&addr_6or4;=0A=
+                         struct in_addr addr;=0A=
+                         u_int16_t port;=0A=
+ =0A=
+                         memcpy(&addr, ((char *)&addr6->sin6_addr) + =
12, sizeof(addr));=0A=
+                         port =3D addr6->sin6_port;=0A=
+ =0A=
+                         memset(&addr_6or4, 0, sizeof(addr_6or4));=0A=
+ =0A=
+                         addr4->sin_family =3D AF_INET;=0A=
+                         memcpy(&addr4->sin_addr, &addr, sizeof(addr));=0A=
+                         addr4->sin_port =3D port;=0A=
+                 }=0A=
+         }=0A=
+ #endif=0A=
+         if (addr_6or4.ss_family =3D=3D AF_INET)=0A=
+                 check_ip_options(socket, ntop);=0A=
+ =0A=
+         if (getnameinfo((struct sockaddr *)&addr_6or4, addr_6or4_len, =
ntop, sizeof(ntop),=0A=
+             NULL, 0, NI_NUMERICHOST) !=3D 0)=0A=
+                 fatal("get_local_hostname: getnameinfo NI_NUMERICHOST =
failed");=0A=
+ =0A=
+         debug3("Trying to resolve local address %.100s to hostname", =
ntop);=0A=
+         /* Map the IP address to a host name. */=0A=
+         if (getnameinfo((struct sockaddr *)&addr_6or4, addr_6or4_len, =
name, sizeof(name),=0A=
+             NULL, 0, NI_NAMEREQD) !=3D 0) {=0A=
+                 /* Host name not found.  Use ip address. */=0A=
+                 log("Could not resolve local address %.100s to =
hostname", ntop);=0A=
+                 return xstrdup(ntop);=0A=
+         }=0A=
+ =0A=
+         /* Got host name. */=0A=
+         name[sizeof(name) - 1] =3D '\0';=0A=
+         /*=0A=
+          * Convert it to all lowercase (which is expected by the rest=0A=
+          * of this software).=0A=
+          */=0A=
+         for (i =3D 0; name[i]; i++)=0A=
+                 if (isupper(name[i]))=0A=
+                         name[i] =3D tolower(name[i]);=0A=
+ =0A=
+         debug("Resolved local address %.100s to hostname %s", =
ntop,name);=0A=
+ =0A=
+         return xstrdup(name);=0A=
+ }=0A=
+ =0A=
+ /*=0A=
+  * Return the canonical name of the host at the other end of the =
socket. The=0A=
+  * caller should free the returned string with xfree.=0A=
+  */=0A=
+ =0A=
  static char *=0A=
  get_remote_hostname(int socket, int verify_reverse_mapping)=0A=
  {=0A=
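Review bot: `ntop` is handed to `check_ip_options(socket, ntop)` in the `if (addr_6or4.ss_family == AF_INET)` block before the first `getnameinfo(..., NI_NUMERICHOST)` call fills it, so that function receives an uninitialised buffer; either move the call below the numeric lookup or drop it here, since `check_ip_options` inspects IP options on the peer's path (source routing) and has nothing to check for a lookup of the socket's own address. Two smaller points in the same hunk: after the `IN6_IS_ADDR_V4MAPPED` conversion `addr_6or4_len` still holds the IPv6 length although the structure is now a `sockaddr_in`, so set it to `sizeof(struct sockaddr_in)` before the `getnameinfo()` calls (strict implementations reject the mismatch); and the comment above the new function says the caller should free the result with `xfree`, yet the function is declared `const char *`, which forces a cast before freeing. Worth documenting in the comment: the name returned here comes from a reverse lookup of the local address with `NI_NAMEREQD`, so the principal the GSSAPI code derives from it is only as trustworthy as that PTR record, and the fallback to the numeric address is logged with `log()`, which operators will want to keep visible.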
*** canohost.h	2003-09-23 17:37:57.000000000 +0100=0A=
--- canohost_new.h	2003-09-23 17:38:27.000000000 +0100=0A=
***************=0A=
*** 15,20 ****=0A=
--- 15,21 ----=0A=
  const char	*get_canonical_hostname(int);=0A=
  const char	*get_remote_ipaddr(void);=0A=
  const char	*get_remote_name_or_ip(u_int, int);=0A=
+ const char      *get_local_hostname(int);=0A=
  =0A=
  char		*get_peer_ipaddr(int);=0A=
  int		 get_peer_port(int);=0A=
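Review bot: the new prototype separates `const char` from `*get_local_hostname(int)` with spaces while the neighbouring declarations use a tab, so align it with them. More substantively, the function returns a string the caller must `xfree()`, like `get_peer_ipaddr`, which is declared `char *` for exactly that reason; declare `get_local_hostname` as `char *` too so callers can free it without discarding `const`.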
*** gss-genr.c	2003-06-16 18:51:03.000000000 +0100=0A=
--- gss-genr_new.c	2003-09-23 17:38:47.000000000 +0100=0A=
***************=0A=
*** 38,43 ****=0A=
--- 38,44 ----=0A=
  #include "log.h"=0A=
  #include "compat.h"=0A=
  #include "monitor_wrap.h"=0A=
+ #include "canohost.h"=0A=
  =0A=
  #include <netdb.h>=0A=
  =0A=
***************=0A=
*** 395,409 ****=0A=
  OM_uint32=0A=
  ssh_gssapi_acquire_cred(Gssctxt *ctx) {=0A=
  	OM_uint32 status;=0A=
! 	char lname[MAXHOSTNAMELEN];=0A=
  	gss_OID_set oidset;=0A=
  	=0A=
  	gss_create_empty_oid_set(&status,&oidset);=0A=
  	gss_add_oid_set_member(&status,ctx->oid,&oidset);=0A=
  =0A=
!         if (gethostname(lname, MAXHOSTNAMELEN)) {=0A=
!                 return(-1);=0A=
!         }=0A=
  	if (GSS_ERROR(ssh_gssapi_import_name(ctx,lname))) {=0A=
  		return(ctx->major);=0A=
  	}=0A=
--- 396,408 ----=0A=
  OM_uint32=0A=
  ssh_gssapi_acquire_cred(Gssctxt *ctx) {=0A=
  	OM_uint32 status;=0A=
! 	char *lname;=0A=
  	gss_OID_set oidset;=0A=
  	=0A=
  	gss_create_empty_oid_set(&status,&oidset);=0A=
  	gss_add_oid_set_member(&status,ctx->oid,&oidset);=0A=
  =0A=
!         lname =3D get_local_hostname(packet_get_connection_in());=0A=
  	if (GSS_ERROR(ssh_gssapi_import_name(ctx,lname))) {=0A=
  		return(ctx->major);=0A=
  	}=0A=
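Review bot: the error-handling semantics change here: the removed block returned -1 to the caller when `gethostname()` failed, whereas `get_local_hostname()` calls `fatal()` or `fatal_cleanup()` on any `getsockname()` or `getnameinfo()` failure, so an unresolvable local address now terminates the process handling the connection instead of letting `ssh_gssapi_acquire_cred` report an error; consider having `get_local_hostname` return NULL on failure and checking it here. Also, `lname` is allocated with `xstrdup()` by the callee and is never freed after `ssh_gssapi_import_name(ctx,lname)`, on either the error return or the success path, so every call leaks; add `xfree(lname)` once the name has been imported. Declaring `lname` as `char *` while the callee returns `const char *` drops the qualifier and will draw a compiler warning (the old `return(-1)` from an `OM_uint32` function was already dubious, so this is a good opportunity to settle on a proper error value).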
