MIT Kerberos and TN5250

Erez Pasternak Erez.Pasternak at ericom.co.il
Tue Jul 13 11:14:02 EDT 2004


Jeffrey
 
Thank you for your quick response.
IBM are sending krbsvr400.krb400.ericom.co.il ticket.
 
Erez Pasternak
Ericom Software
 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at mit.edu]
Sent: Tuesday, July 13, 2004 4:57 PM
To: Erez Pasternak
Cc: krbdev at mit.edu
Subject: Re: MIT Kerberos and TN5250


What I see you doing is reversing the order of the request for instance kerb400.ericom.co.il and ERICOM.CO.IL.
However, more than likely IBM is requesting the service ticket for ERICOM.CO.IL with canonicalize set because
kerb400.ericom.co.il does not exist in the KDC or is not accepted by the service. Which service ticket is IBM
sending to the service?

As far as the canonicalize flag is concerned, it is entirely implemented on the KDC. As long as you are communicating
with a Microsoft Active Directory as the KDC, simply setting the flag in the client (even if it is undefined in the headers)
will work.

Jeffrey Altman



Erez Pasternak wrote:


Hi Jeffrey,
I am trying to connect to TN5250 with MIT Kerberos 
 
This is what IBM is doing:

1. Request (TGS-REQ) for krbtgt, instance ERICOM.CO.IL (Forwardable, Renewable, Canonicalize, Renewable OK)
2. Reply (TGS-REP) service krbtgt, instance ERICOM.CO.IL
3. Request (TGS-REQ) for service krbsvr400, instance kerb400.ericom.co.il (Forwardable, Renewable)
4. Reply (TGS-REP) service krbsvr400, instance kerb400.ericom.co.il
5. Request (TGS-REQ) for service krbtgt, instance ERICOM.CO.IL (Forwardable, Forwarded, Renewable, Canonicalize, Renewable OK)
6. Reply (TGS-REP) for service krbtgt, instance ERICOM.CO.IL

This is what I am doing:
1. Request (TGS-REQ) for service krbtgt, instance ERICOM.CO.IL (Forwardable, Renewable, Canonicalize, Renewable OK)
2. Reply (TGS-REP) for service krbtgt, instance ERICOM.CO.IL
3. Request (TGS-REQ) for service krbsvr400, instance ERICOM.CO.IL (Forwardable, Renewable)
4. Reply (TGS-REP) service krbsvr400, instance ERICOM.CO.IL
5. Request (TGS-REQ) for service and host krbsvr400, kerb400.ericom.co.il (Forwardable, Renewable)
6. Reply (TGS-REP) for service and host krbsvr400, kerb400.ericom.co.il


As you can see, the problem is in step 3 (btw, in the code I changed "host" to "krbsvr400").
 
Thanks
Erez Pasternak
Ericom Software
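To make the flag words and service principals in the two request sequences above (and the canonicalize bit that Jeffrey says is a KDC-side option, quoted in MIT's headers as 0x00010000) concrete, here is an added Python example; it is not code from the thread or from MIT krb5. It encodes and decodes the RFC 4120 KDCOptions bit string and reports on which component the two step-3 service principals differ; the flag lists and principal strings are constructed from the names in the messages, not captured traffic.

```python
# Added example, not code from the krbdev thread or from MIT krb5.
# KDCOptions bit numbers from RFC 4120 section 5.4.1.  The ASN.1 BIT STRING puts
# bit 0 in the most significant position, which is why MIT krb5 spells
# canonicalize (bit 15) as 0x00010000, the value quoted in the thread.
KDC_OPTION_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "allow-postdate": 5, "postdated": 6, "renewable": 8, "canonicalize": 15,
    "disable-transited-check": 26, "renewable-ok": 27, "enc-tkt-in-skey": 28,
    "renew": 30, "validate": 31,
}


def bit_mask(bit):
    """Mask for BIT STRING bit number `bit` in a 32-bit word (bit 0 is the MSB)."""
    return 1 << (31 - bit)


def encode_kdc_options(names):
    """Build the KDCOptions word from flag names; an unknown name raises KeyError."""
    word = 0
    for name in names:
        word |= bit_mask(KDC_OPTION_BITS[name])
    return word


def decode_kdc_options(word):
    """List the set flags in bit order; bits RFC 4120 does not name come back as bit-N."""
    by_bit = {b: n for n, b in KDC_OPTION_BITS.items()}
    return [by_bit.get(b, "bit-%d" % b) for b in range(32) if word & bit_mask(b)]


def parse_principal(name):
    """Split 'service/instance@REALM' into (service, instance, realm); missing parts are ''."""
    body, _, realm = name.partition("@")
    service, _, instance = body.partition("/")
    return service, instance, realm


def principal_mismatch(expected, actual):
    """Components on which two TGS-REQ sname values differ, as {part: (expected, actual)}."""
    parts = ("service", "instance", "realm")
    pairs = zip(parts, parse_principal(expected), parse_principal(actual))
    return {p: (e, a) for p, e, a in pairs if e != a}


# Constructed from the flag names and principals listed in the thread, not captured traffic.
IBM_STEP1 = encode_kdc_options(["forwardable", "renewable", "canonicalize", "renewable-ok"])
STEP3_DIFF = principal_mismatch("krbsvr400/kerb400.ericom.co.il@ERICOM.CO.IL",
                                "krbsvr400/ERICOM.CO.IL@ERICOM.CO.IL")
```

STEP3_DIFF comes back with only the instance differing, which is the mismatch the thread points at: the realm name was sent where the server's FQDN belongs.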
 
 

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at mit.edu]
Sent: Tuesday, July 13, 2004 3:56 PM
To: Erez Pasternak
Cc: krbdev at mit.edu
Subject: Re: MIT Kerberos and TN5250


Erez:

As one of the editors of RFC 2942: Telnet Authentication: Kerberos 5, I can assure you that the
use of the canonicalize flag is not a requirement for TELNET AUTH KRB5. In fact, the canonicalize
flag did not exist in any implementation at the time that TELNET AUTH KRB5 was originally
developed.

The most important thing to remember is that obtaining a TGT is not part of the specification.
The TELNET AUTH KRB5 exchange relies entirely on service tickets; not TGTs. Of course,
you must be in possession of a valid TGT in order to attempt to obtain the service ticket for
"host"/fqdn at REALM.

What is it that you are attempting to implement? Are you attempting to perform the equivalent
of a "kinit" operation to obtain a TGT? If so, this has nothing to do with TELNET AUTH KRB5.
Are you attempting to obtain a service ticket for the TN5250 service? If so, that would make more
sense. Then the question is "what service principal are you requesting and what do you expect back?"

Jeffrey Altman



Erez Pasternak wrote: 

Hi Sam,

Has anyone tried (and succeeded) to connect to iSeries in TN5250 with Kerberos?



Erez P







-----Original Message-----
From: Sam Hartman [mailto:hartmans at mit.edu]
Sent: Tuesday, July 06, 2004 10:00 PM
To: Erez Pasternak
Cc: krbcore at mit.edu; krbdev at mit.edu
Subject: Re: MIT Kerberos and TN5250


"Erez" == Erez Pasternak <Erez.Pasternak at ericom.co.il> writes:


    Erez> Hi MIT developers, We are using MIT Kerberos to provide
    Erez> Kerberos support for Terminal Emulation.  When connecting
    Erez> with AS/400 (iseries) in TN5250 protocol we saw that AS/400
    Erez> uses a flag name "canonicalize" when asking for a TGT.  I
    Erez> see in the source code that this flag is missing (
    Erez> TKT_FLG_RESERVED 0x00010000 ) Is there any ways to make this
    Erez> work?


You failed to explain what is actually failing or not working.

What erroneous behavior do you see?  Is some request failing?  If so,
how/why?

_______________________________________________
krbdev mailing list
krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

  


