Kerberos Digest, Vol 85, Issue 25

raj esh L rrcrajesh2003 at yahoo.com
Tue Jan 19 15:00:27 EST 2010


Can someone reply to my query?

  3. Windows event id 4 (kerberos) (raj esh L)


________________________________
From: "kerberos-request at mit.edu" <kerberos-request at mit.edu>
To: kerberos at mit.edu
Sent: Tue, 19 January, 2010 22:33:46
Subject: Kerberos Digest, Vol 85, Issue 25

Send Kerberos mailing list submissions to
    kerberos at mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
    https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
    kerberos-request at mit.edu

You can reach the person managing the list at
    kerberos-owner at mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

   1. Re: URG: Details abt Kerberos (Jason Edgecombe)
   2. Re: guidance (Naveen BN)
   3. Windows event id 4 (kerberos) (raj esh L)
   4. Cannot run rlogind, telnetd (vinay kumar)


----------------------------------------------------------------------

Message: 1
Date: Mon, 18 Jan 2010 19:52:28 -0500
From: Jason Edgecombe <jason at rampaginggeek.com>
Subject: Re: URG: Details abt Kerberos
To: "Max (Weijun) Wang" <Weijun.Wang at Sun.COM>
Cc: vinay kumar <winay.l at gmail.com>, kerberos at mit.edu
Message-ID: <4B55024C.70406 at rampaginggeek.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Max (Weijun) Wang wrote:
>> What's the difference between hosts and usernames, seriously?
>
> I guess Vinay is talking about the different type of principal names.
>
> A username, say, dummy at EXAMPLE.COM, is used on the client side. The 
> client gets an initial TGT for it at the kinit time.
>
> A host, prepended with a service name, say, 
> ftp/me.example.com at EXAMPLE.COM, is used on the server side. Normally, 
> you create a keytab file holding secret keys for this name and it's 
> readable by the server process.
>
> Both names are created using the kadmin tool.
>
> --Max
>
> On Jan 19, 2010, at 4:28 AM, Jason Edgecombe wrote:
>
>> vinay kumar wrote:
>>> *Hi,*
>>>
>>>      I am new to Kerberos. I have been asked to set up a KDC, a Kerberos
>>> client and an application server. Using these I have to capture AP_REQ,
>>> AP_REP, AS_REQ and AS_REP in Wireshark. I have two systems, both running
>>> Red Hat Linux. I downloaded Kerberos version 5 from MIT. I went through
>>> the installation and user guide of Kerberos. I successfully constructed
>>> the KDC server and am able to capture AS_REQ and AS_REP, but I was not
>>> able to set up the Kerberos client and application server. *I have a few
>>> doubts, like: can the application server and client be on the same system?
>>> How does the client machine differ from the application server?
>>> Is the client recognized by IP address or by principal at the KDC?
>>> For configuration settings we need to modify /etc/inetd.conf, but this
>>> file is not there in Red Hat, so which file do we edit?
>>> What exactly does client mean (I have understood it as a system on which
>>> you can get a ticket for any principal in that realm)?
>>> What exactly does application server mean (I have confusion, like ftp,
>>> telnet ... etc. are available on the client system only, so what is the
>>> function of the application server)?
>>> What is the difference between host and usernames?
>>> *Please help me by showing how to configure the client and application
>>> server.* Kindly help me out. Waiting for your reply.
>>>
>>> Regards,
>>> Vinay
>>>
>> It's time to read the fine manual.
>>
>> Kerberos comes with Red Hat Enterprise Linux; although it's not the
>> latest version, it is kept patched for security vulnerabilities.
>>
>> Read this:
>> http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/ch-kerberos.html 
>>
>> The "next" link explains some of the kerberos terms.
>>
>> Kerberos is normally run as its own service, not through inetd. Red Hat
>> uses xinetd instead of inetd. Please read the manual page if you aren't
>> familiar with xinetd, especially the part about the HUP signal.
>>
>> What's the difference between hosts and usernames, seriously?
Hello Vinay and everyone,

I'm sorry for my grumpy response. I'm not normally that grouchy.

Sorry,
Jason


------------------------------

Message: 2
Date: Tue, 19 Jan 2010 11:53:45 +0530
From: Naveen BN <naveen.bn at globaledgesoft.com>
Subject: Re: guidance
To: Kevin Coffman <kwc at umich.edu>
Cc: kerberos at mit.edu
Message-ID: <4B554FF1.5040905 at globaledgesoft.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dear Kevin,
I am using only one cache file called tkt for storing the credentials
received. I found that there was no support in the Kerberos source for
removing credentials from a cache file (where the structure krb5_cc_file_ops
holds the file operations for credentials).

Please let me know if there is a way to achieve the same.

Thanks and Regards
Naveen



------------------------------

Message: 3
Date: Mon, 18 Jan 2010 23:52:13 -0800 (PST)
From: raj esh L <rrcrajesh2003 at yahoo.com>
Subject: Windows event id 4 (kerberos)
To: kerberos-owner at mit.edu
Cc: kerberos at mit.edu
Message-ID: <799855.82143.qm at web50008.mail.re2.yahoo.com>
Content-Type: text/plain; charset=utf-8

We have observed Kerberos event ID 4 on one member server (print server) BRAPRINT001 (10.1.37.167). Please find the description of the event below. Can someone please help me with it?

Event Type:     Error
Event Source:   Kerberos
Event Category: None
Event ID:       4
Date:           1/13/2010
Time:           6:16:35 PM
User:           N/A
Computer:       BRAPRINT001
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server SLH-001155$.  The target name used was cifs/ATL017784.dir.ucb-group.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DIR.UCB-GROUP.COM), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


ATL017784.dir.ucb-group.com [10.70.11.107]

We captured network traffic for it. Can you please help with what is going on here?


The captured file is available at http://www.megaupload.com/?d=WDIG1CAT
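As an added example (not from the original message or the list), a Python triage helper that parses Windows Kerberos event ID 4 descriptions like the one above and separates the case where the SPN host is not the account that answered from the case where the right host answered but its key differs from the KDC's copy. The first sample is the event text quoted above; the second is constructed.

```python
import re

# Sample descriptions: the first is the event quoted in the message above,
# the second is constructed for contrast (SPN host and responder agree).
SAMPLE_EVENTS = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "SLH-001155$.  The target name used was cifs/ATL017784.dir.ucb-group.com. "
    "This indicates that the password used to encrypt the kerberos service "
    "ticket is different than that on the target server. Commonly, this is due "
    "to identically named  machine accounts in the target realm "
    "(DIR.UCB-GROUP.COM), and the client realm.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "FILESRV01$.  The target name used was cifs/filesrv01.example.com. "
    "Commonly, this is due to identically named machine accounts in the "
    "target realm (EXAMPLE.COM), and the client realm.",
]

# Field layout of the event ID 4 description text quoted above.
_EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\.\s+"
    r"The target name used was (?P<spn>\S+?)\.\s+"
    r"(?:.*?target realm \((?P<realm>[^)]+)\))?", re.DOTALL)

def parse_event4(description):
    """Return a dict of fields plus a triage hint, or None if not an event ID 4."""
    m = _EVENT_RE.search(description)
    if m is None:
        return None
    server, spn = m.group("server"), m.group("spn")
    # cifs/ATL017784.dir.ucb-group.com -> ATL017784; SLH-001155$ -> SLH-001155
    spn_host = spn.split("/", 1)[-1].split(".", 1)[0].upper()
    mismatch = spn_host != server.rstrip("$").upper()
    if mismatch:
        # The ticket was for one host's SPN but another account answered:
        # start with SPN registration and DNS (CNAME/duplicate names).
        hint = "SPN host %s is not the responder: check SPN registration and DNS" % spn_host
    else:
        # The right host answered but could not decrypt: its key and the
        # KDC's copy differ (stale machine password or a duplicate SPN).
        hint = "responder key differs from the KDC's copy: check for a duplicate SPN"
    return {"server": server, "spn": spn, "realm": m.group("realm") or "",
            "spn_host": spn_host, "name_mismatch": mismatch, "hint": hint}

def triage(descriptions):
    """(server, hint) pairs for every event ID 4 description that parsed."""
    parsed = (parse_event4(d) for d in descriptions)
    return [(ev["server"], ev["hint"]) for ev in parsed if ev is not None]
```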



------------------------------

Message: 4
Date: Tue, 19 Jan 2010 18:19:33 +0530
From: vinay kumar <winay.l at gmail.com>
Subject: Cannot run rlogind, telnetd
To: kerberos at mit.edu
Message-ID:
    <dca721831001190449gf8b2caand38b184d8e001a2e at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

           I want to capture AP_REQ and AP_REP; for that I want to run the
telnetd and rlogind daemons on my application server. When I run rlogind I
get the following error:

     * rlogind: Can't get peer name of remote host: Socket operation on
non-socket *

When I run rsh I get a *host unknown* error.

My krb5.conf is as follows:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log


[libdefaults]
ticket_lifetime = 24000
default_realm = GLOBAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
preferred_preauth_types = 16


[realms]
GLOBAL.COM = {
  kdc = 172.16.10.211
  admin_server = 172.16.10.211
  default_domain = global.com
}


[domain_realm]
.globaledgesoft.com = GLOBAL.COM
globaledgesoft.com = GLOBAL.COM


[kdc]
profile = /etc/kdc.conf


[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

My kdc.conf is as follows:
[kdcdefaults]
        kdc_ports = 750,88


[realms]
        GLOBAL.COM = {
                database_name = /usr/local/var/krb5kdc/principal
                admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
                acl_file = /usr/local/var/krb5kdc/kadm5.acl
                key_stash_file = /usr/local/var/krb5kdc/.k5.GLOBAL.COM
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }

Please guide me.

Regards,
Vinay


------------------------------

_______________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


End of Kerberos Digest, Vol 85, Issue 25
****************************************