Kerberos error 1765328368 KRB5KDC_ERR_PADATA_TYPE_NOSUPP
Hi there, we have had 802.1x with Smartcard logon configured since 2008 with no problems at all. Suddenly, last Dec. we found an error in the logon phase with the above-mentioned error. Has anybody had the same problem? Could it be that, as Smartcard logon requires full certificate path validation, something has been changed by a Microsoft patch? We have a similar error with a CheckPoint Full Disk Encryption issue: suddenly the user's name is too long (data length problem) and this causes a BSOD on the PC.
How to detect the correct problem/resolution?
Thank you for your precious he
7/23/2010 12:48:30 PM | 0 | Gabry <u...@compgroups.net/>
How can I get the GSS samples from KfW 3.2.2 to work on my Windows XP SP3 computer ?
Here is exactly what I did:
1/ I successfully built KfW 3.2.2 on my Windows XP SP3 platform
2/ I ran "leash32.exe" from the build then chose "Options" =>
"Kerberos v5 Properties..." => "File Location"
+ set "Ticket File field" to "C:\WINNT\krb5kt"
+ set "Configuration File" to our working company "C:\WINNT
\krb5.ini" (this file is used for accessing our company's KDC which is
known to work).
3/ Then I chose "Action" => "Import Ticket(s)/Token(s)" from my
computer and I could see my "krb5kt" file created in "C:\WINNT
\krb5kt".
I do not exactly know neither what ha
3/30/2010 12:20:04 PM | 0 | Guilbert STABILO <guilbert.stab...@yahoo.fr>
Multi REALM krb config file.
Hello,
The krb5.conf man page seems to indicate that you can have multiple
Kerberos REALMS defined in a single krb5.conf file.
Will doing this allow authentication to multiple realms?
If so, will it try and contact each defined realm until it sees a
matching principal?
Thank you
3/29/2010 5:55:44 PM | 0 | Techie <techcha...@gmail.com>
windows 7 FAST configuration for HMAC time-based one-time password authentication
Hi,
I am a master student and I am working on HMAC time-based One-time
password (OTP) authentication for Windows systems. I would like to use
Kerberos, therefore I need flexible authentication secure tunneling
(FAST) that is available in krb5-1.8. However, I could not find any
information concerning configuration of Kerberos FAST. I have found
only the following information:
http://k5wiki.kerberos.org/wiki/Projects/Fast_negotiation
How can I configure Kerberos FAST?
Thank you in advance.
Best regards,
Oleksandr
3/29/2010 2:11:29 PM | 0 | Oleksandr Bodriagov <neww...@gmail.com>
Shibboleth IDP and mixed Windows 2003/2008 AD servers
We have a problem which sounds related to, but different from, that
described in thread http://marc.info/?l=kerberos&m=126927485320222&w=2 and
addressed by http://support.microsoft.com/?kbid=978055
We use Kerberos authentication against AD for controlling access to web
resources using shibboleth (java IdP, Tomcat, Apache, Centos 5.2).
Initial problem was that one account was intermittently failing
authorisation after changing password. This happened to be my account so
after deciding that it wasn't just poor typing we investigated further.
We have five AD servers; four run
3/28/2010 8:26:10 AM | 0 | Paul Haldane <Paul.Hald...@newcastle.ac.uk>
1.7.1 krb5kdc crash on Enterprise Linux version 5 u4 x86_64
Hi,
We are testing a Kerberos version 1.7.1 environment on EL5u4 and the KDC crashed with the below in /var/log/messages:
Mar 25 20:26:16 dadvil0122 kernel: krb5kdc[4124]: segfault at 0000000000000000 rip 0000003eeea7bcb4 rsp 00007fffe1f90c58 error 4
1.7.1 was built from source with ldap and we are using ldap as the back end. Looking at krb5kdc.log there was an AS_REQ about 26 minutes prior to the crash. Other than the message above, we are not sure what steps we should take to debug this issue. The krb5kdc was running for about 10 days when it crashed.
Kerberos was built with
3/26/2010 1:12:16 PM | 0 | Kevin Longfellow <klong...@yahoo.com>
Experience with Windows 7 NFS and KRB5/KRB5i?
Supposedly Windows 7 Enterprise and Ultimate Edition contain an NFS v3
client with KRB5/KRB5i support. Does anyone have any feedback on how
well it works or have interoperability notes?
Thanks,
Dax Kelson
Guru Labs
3/25/2010 10:54:18 PM | 0 | Dax Kelson <dkel...@gurulabs.com>
Regarding Replay cache usage in memory..
Hi,
I am using the MIT kerberos library for authentication in my project and I am
seeing a performance issue while using the default replay cache, i.e. dfl. I would
like to know how I can enable the in-memory replay cache.
Thanks,
Prashant
3/23/2010 5:27:02 AM | 0 | Prashant Gupta <prashant1...@gmail.com>
Kerberos help required.
Hi,
I require some help in understanding Kerberos. I am very new to this concept and hence require help with some basic commands.
My application uses Kerberos and I wanted to know whether there is some unix command which I can execute to know which vendor/version of Kerberos I have installed on my unix box.
Please help me.
Thanks,
Regards,
Sayali Patankar | ATT07 - CCB Usage-Billing | Tech Mahindra
Phase III, Rajiv Gandhi IT Park, Hinjew
3/23/2010 4:18:23 AM | 0 | Sayali Patankar <SP0039...@techmahindra.com>
Microsoft SQL, kerberos, AD controller, unix clients?
My work place is moving towards MSSQL, and we're also moving towards AD
as our LDAP/authentication mechanism.
We have a large UNIX and OSX install base, which isn't going away, so
there is a lot of work going into using freetds and JAVA database
connections against MSSQL.
Has anyone done this before, and perhaps point us in the right direction?
--
-- John E. Jasen (jjasen@realityfailure.org)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
3/18/2010 7:40:31 PM | 0 | John Jasen <jja...@realityfailure.org>
Kerberos training
Does anyone know of anyone doing Kerberos (MIT/Heimdal) training for
sysadmins in Northern Europe? Something along the lines of:
- Technical details, how the technology works
- Practical implementation on:
- Linux servers and clients
- Solaris servers
- Interaction with Windows/AD
Regards,
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund@it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
3/17/2010 2:01:19 PM | 0 | Bjoern Tore Sund <bjorn.s...@it.uib.no>
Apache2, mod-auth-kerb, Active Directory, Windows 2003, single signon
Hi,
Did you finally solve the problem of capturing the Active Directory user?
I'm trying to find a solution, but I haven't succeeded yet…
Thanks.
Tamar.
3/17/2010 11:45:15 AM | 0 | Tamar <chel...@gmail.com>
Oracle JDBC and Kerberos
Hi everyone,
This is just FYI for those who use an Oracle database: the JDBC thin
driver (the Oracle JDBC type 4 driver, 100% Java) now supports kerberos
authentication with the database (new in 11gR1). In 11.2.0.2, we've also
added support for Kerberos forwardable tickets.
Regards,
--
Jean de Lavarene
Oracle JDBC dev team
3/17/2010 11:07:49 AM | 0 | Jean de Lavarene <jean.de.lavar...@oracle.com>
Local development database?
I'm trying to set up a development environment for an application that
includes a kerberos realm. I'm running into a difficulty with the
kerberos software though.
I'm trying to change the "localstatedir" value to point to a directory
within my project so that I can use utilities like kdb5_util to
create, destroy and operate on a kerberos database. I see that this is
an option that can be passed to 'configure' before building the
kerberos binaries, but I'm not seeing a way to set it later, such as
via an environment variable or command line option.
Any help on this much appreciated
3/17/2010 12:58:45 AM | 0 | charlieok <charli...@gmail.com>
Kerberos Direct Service Authentication without Client / KDC Communication?
Hi All,
Is there a mode of operation where a Kerberos client can directly
authenticate with a service without first communicating with a KDC?
Kerberos currently requires that clients are using a suitable DNS
server, have access to whatever KDCs DNS is referring it to and have
relatively accurate time. In many environments these requirements are
too demanding.
There should be a mode of operation where a client can compose a
kerberos request without communicating with the KDC, DNS or time
services and which can be submitted directly to a Kerberos service.
This request would conta
3/15/2010 7:08:42 PM | 0 | Michael B Allen <iop...@gmail.com>
Kerberos and RSA SecureID
Hi,
I'm looking to see if I can integrate RSA SecureID tokens into our MIT Kerberos infrastructure, and was wondering if anyone had any experience with setting that up, or could direct me to any documentation that might be out there! Ideally, I'd like to associate a policy with SecureID, so that administrative principals and users are required to use keyfobs, whereas normal users are not.
If anyone has any thoughts, I'd be much obliged; I've run into a number of dead ends on google :(
Thanks!
Tim
3/15/2010 6:26:21 PM | 0 | "Hartmann, Tim" <hartm...@fas.harvard.edu>
Fw: Kerberos Digest, Vol 87, Issue 10
RE: max ticket/renew appears to not work in 1.7.1
We found the issue. The wrong kdc.conf was getting read because of the way I configured the directory structure.
Thanks, Kevin
--- On Mon, 3/15/10, kerberos-request@mit.edu <kerberos-request@mit.edu> wrote:
> From: kerberos-request@mit.edu <kerberos-request@mit.edu>
> Subject: Kerberos Digest, Vol 87, Issue 10
> To: kerberos@mit.edu
> Date: Monday, March 15, 2010, 12:03 PM
> Send Kerberos mailing list
> submissions to
>     kerberos@mit.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://ma
3/15/2010 6:13:52 PM | 0 | Kevin Longfellow <klong...@yahoo.com>
max ticket/renew appears to not work in 1.7.1?
Hi,
We are working on setting up a very large Kerberos environment and recently changed to 1.7.1 with a ldap back end for our testing. Since two things changed from our previous test environment, I'm not sure what might be the cause of user tickets not getting the requested max lifetime and max renewable? Our previous test environment was 1.7 with the local database option.
I'll try and list some things that might be relevant:
kadmin.local: getprinc krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
Principal: krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
Expiration date: [never]
Last password c
3/15/2010 2:23:01 PM | 0 | Kevin Longfellow <klong...@yahoo.com>
KfW killing Cisco VPN under Windows 7
Cisco VPN is working great. As soon as KfW 3.2.2
(with stock NIDmgr and also 2.0 NIDmgr from Secure
Endpoints) tries to get creds, the VPN connection
drops.
I can repeat this at will.
OpenAFS 1.5.72 for Windows
Kerberos for Windows 3.2.2
Windows 7 32-bit
Has anyone else run into this?
3/13/2010 3:04:16 AM | 0 | Jeff Blaine <jbla...@kickflop.net>
Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials
Hi!
I want to set up a Windows 2008R2 server as an AD with a KDC to obtain
krb5 tickets and later on obtain OpenAFS tokens with these tickets.
Our setup:
running Windows 2003 server with AD CGV.TUGRAZ.AT and running krb5 kdc
on it.
User, service principal afs for OpenAFS, works well so far.
I added a second server with Windows 2008R2, added the 2nd server to the AD
domain and raised the 2nd server as an AD server.
I set on the Win 2008R2:
- Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
value 1 at HKLM\SYSTEM\Curren
3/9/2010 10:06:16 AM | 0 | Lars Schimmer <l.schim...@cgv.tugraz.at>
wallet 0.11 released
I'm pleased to announce release 0.11 of wallet.
The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data. Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users. The wallet
tracks ACLs, metadata, and trace information. It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication. One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadm
3/9/2010 3:31:51 AM | 0 | Russ Allbery <...@stanford.edu>
ldap_conns_per_server = 5
Hi,
Going through krb5.conf for a kdc that will be using ldap as the back end, the variable ldap_conns_per_server = 5 seems low. Consider a kdc for 30k+ users: will this setting be ok? What does this variable really limit? Having no practical experience with a large deployment using ldap as the back end, this variable caught my eye and concerns me as too low for a very large number of users.
Thanks for any help with this.
Kevin
3/8/2010 8:35:01 PM | 0 | Kevin Longfellow <klong...@yahoo.com>
MIT Kerberos and Windows 2008 R2 Trust relationship misunderstanding
Hi,
We have the following architecture :
- 1 MIT Kerberos storing all of our users (17 000 users) on CentOS 5.4
- 1 Active Directory based on Windows 2008 R2 storing all of our users
without password
We have made a trust relationship between MIT Kerberos and AD 2008 R2.
The goal is to permit a MIT Kerberos user to log in to the AD domain from
Windows XP and Windows 7 machines.
All seems to work fine since we have understood the encryption
problem (RC4, AES, etc.).
A user can connect to the AD domain authenticating against the MIT Kerberos.
But we notice these logs on the
3/8/2010 1:21:59 PM | 0 | Frederic SOULIER <frederic.soul...@univ-tlse1.fr>
ANNOUNCEMENT: Network Identity Manager Version 2.0 Available as an Update to Kerberos for Windows
URL: http://www.secure-endpoints.com/netidmgr/v2/
Secure Endpoints Inc. is proud to announce the public availability of
Network Identity Manager v2 (2.0.0.304). Version 2.0 is the end of a
three year effort to improve the usability and capabilities of
the product.
Improved usability:
* Users no longer have to type their username/realm each time they
wish to obtain credentials for a
3/6/2010 3:45:56 AM | 0 | Jeffrey Altman <jalt...@secure-endpoints.com>
AES-CTS, SHA-96bit in Kerberos are FIPS 140-2 Compliant ?
Hi
Does anyone know whether AES-CTS and SHA-96bit (mandatory cipher suites for
Kerberos) are FIPS 140-2 compliant or not?
AES-CBC and SHA1 (160bit) are listed in the NIST FIPS 140-2 approved
crypto/hash list,
but AES-CTS and SHA-96bit are NOT listed in the list.
In the case of Windows Vista/7/Server 2k8, Kerberos is FIPS 140-2 compliant and
AES128/256-CTS-SHA-96 is available in FIPS 140-2 compliant mode.
Regards,
3/6/2010 3:00:10 AM | 0 | Kerberos Athena <athena.kerbe...@gmail.com>
Help: IE doesn't work silently
Please Help!
My environment:
Server: Mit Kerberos and Jboss 4.2.3 on the same machine running Debian.
Client: Windows XP with Kerberos for Windows.
It works perfectly with Firefox, but prompts for user and password with IE.
What can I do to work silently with IE?
The big difference is that in Firefox I can set mit gssapi, but in IE I
can't. So IE doesn't see my mit kerberos ticket.
Is there a way to put kerberos ticket in ms cache?
I'd really appreciate your help!
Thanks in advance!
Inacio
--
Prodesan S/A (http://www.prodesan.com.br/)
3/5/2010 8:44:18 PM | 0 | "José Inácio da Silva Júnior" <inacio-si...@prodesan.com.br>
kpropd brain dead?
Hi list,
After working perfectly for quite some time, kprop(d) went brain dead
on our master server and forgot where the host keytab file
(/etc/krb5.keytab) was. We now have to specify the location of the
keytab file with the '-s' option to kprop to make propagation to our
slave servers work.
Has anyone seen this behavior before?
Thanks,
--
Steve Glasser
sgla9347@gmail.com
3/4/2010 11:16:10 PM | 0 | Steve Glasser <sgla9...@gmail.com>
Win 2008R2 DES enable?
Hi!
Sorry for a bit OT question:
I want to extend our AD with a Windows 2008R2 server with KDC enabled.
Now I know I need to enable the DES enctype again to be able to use OpenAFS
with such a KDC, but I am a bit lost where to enable this.
Found a few points on google so far:
- administrative tools for server
- for each client separately from the AD
But what is the real solution?
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel:
3/4/2010 3:38:54 PM | 0 | Lars Schimmer <l.schim...@cgv.tugraz.at>
krb5-1.8 is released
The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.8. Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.
RETRIEVING KERBEROS 5 RELEASE 1.8
=================================
You may retrieve the Kerberos 5 Release 1.8 source from the
following URL:
http://web.mit.edu/kerberos/dist/
The homepage for the krb5-1.8 release is:
http://web.mit.edu/kerberos/krb5-1.8/
Further informatio
3/2/2010 11:44:38 PM | 0 | Tom Yu <t...@MIT.EDU>
experiences with krb clients on guest wireless networks?
Forgive me if this has been discussed before on this list...
Some of our users have had the problem of being on "guest" wireless
networks (e.g. at universities) which are heavily firewalled, blocking
everything except tcp ports 22, 80, and 443 (and sometimes udp/tcp 53).
Needless to say, clients can't talk to our KDC from that network.
Has anyone else had experience with this? If so, what have you done
about it?
We're thinking about having our KDCs respond on tcp port 443, since
that's almost always open, and it's rarely filtered for protocol
compliance (e.g. some network che
2/26/2010 3:13:09 AM | 0 | Abe Singer <...@ligo.caltech.edu>
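A configuration for the approach the poster above is weighing, added here as an illustration (it is not the poster's configuration, and EXAMPLE.COM and the kdc hostnames are placeholders): the KDC keeps listening on 88 and additionally accepts TCP on 443, and roaming clients are pointed at port 443 explicitly, because DNS SRV records would still advertise port 88 and the guest network blocks it.

```ini
; kdc.conf on each KDC (added example; realm and hosts are placeholders)
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88,443

; krb5.conf on the roaming client
[libdefaults]
    default_realm = EXAMPLE.COM
    ; port 443 on the KDC is TCP only, and a guest firewall that passes
    ; 443 normally passes only TCP, so send every request over TCP
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com:443
        kdc = kdc2.example.com:443
        admin_server = kdc1.example.com
    }
```

Two caveats a practitioner would check before relying on this: a guest network that runs 443 through a TLS-terminating or TLS-inspecting proxy will drop the connection, since the bytes are Kerberos ASN.1, not TLS; and kpasswd and kadmin still use their own ports, so password changes from that network remain blocked.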
remctld on windows
hi Everyone,
I noticed that remctld is not supported on windows. Is it possible to
run on windows XP? It would be ideal for some in-house programs that are
needed. what issues are involved when running remctld on windows?
Thanks,
Jason
2/26/2010 1:25:18 AM | 0 | Jason Edgecombe <ja...@rampaginggeek.com>
remctld on windows XP
Hi Everyone,
Looking at the remctl web site, it says that the remctl server is not
supported on windows. We would like to use remctld on Windows XP. What
would be involved in making that work? Is that possible?
Thanks,
Jason
2/25/2010 9:55:46 PM | 0 | Jason Edgecombe <ja...@rampaginggeek.com>
Couldn't authenticate to server
Hi all,
I have set up a kerberos client, server and application server,
but when I try to do rlogin I am getting the following error:
Couldn't authenticate to server: Connection reset by peer
I have obtained tickets (TGS_REQ, TGS_REP) and also created a keytab file
for the application server. What is this error? Please guide me.
Regards,
Vinay
2/25/2010 4:45:31 AM | 0 | vinay kumar <winay....@gmail.com>
Sendauth from windows(client) to linux(server)
Hi,
I'm writing a client server application and I need to develop a windows
client.
Actually I developed the server and a basic linux client to test it.
All is working ok and the interaction between server and client is
correct.
Now I'm trying to port the client to windows, but I have a problem with
sendauth.
Even if I can get the TGT for my client's principal and the TGS for my
service, when
I use sendauth I get the -1765328178 error; on the linux client everything
works ok,
so I wonder how I can fix this problem. Can anyone point me in the right
direction?
Thanks
Arturo Sandrigo
2/24/2010 4:23:38 PM | 0 | Arturo Sandrigo <arturo.sandr...@gmail.com>
Invalid signature while getting initial credentials
Hi all,
I have enabled PKINIT, but when i try to do kinit -X
X509_user_identity=FILE:/client/client.crt,/client/client.key vinay
i am getting following error:
kinit(v5): Invalid signature while getting initial credentials
client.crt and kdc.crt both are signed by ca.key. The method i have
adopted to generate certificate is as follows:
/************ CA certificates ***********/
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
at the end of this i have ca.crt and ca.key which is self si
2/23/2010 11:28:33 AM | 0 | vinay kumar <winay....@gmail.com>
bind KDC to single interface?
Am I missing something in the documentation, or is there no way to tell
krb5kdc to bind to a single network interface (as opposed to binding to
all of them)?
2/22/2010 9:56:17 PM | 0 | Abe Singer <...@ligo.caltech.edu>
another (different) KDC name resolution question
I'm trying to understand whether this is a bug or a feature, but
it's problematic for us:
When a Kerberized daemon (server) gets contacted by a client, the server
does a name lookup of *all* the KDCs in the realm before attempting to contact
any KDC. Normally this doesn't pose a problem. But if the KDCs are hosted
in different domains, with different authoritative servers, and one of
those DNS servers is not responding, then the server waits for timeout
before eventually contacting the first KDC on the list for ticket validation.
In other words, if your krb5.conf has this:
[
2/22/2010 9:54:19 PM | 0 | Abe Singer <...@ligo.caltech.edu>
MAC cached credentials MIT Krb
We are trying to get our Macs to use our central MIT kerberos realm. We
need the ability for users to use cached credentials in order to log in
outside of work, say on travel trips on an airline, etc., where a
network connection is not available. So far the mobile account creation
does not work. Does anyone know how to make this work with a MIT Krb5
realm?
Thanks
Mark
2/22/2010 3:16:05 PM | 0 | Mark Campbell <mcc...@psu.edu>
krb5kdc: Invalid message type - while dispatching (udp)
Hi,
We are testing using a F5 BigIP load balancer for the kdc's. Setting the F5 for port 88 UDP works but the F5 probe produces the below kdc issue in the log file. The response from F5 is to "paste a proper Kerberos UDP payload into the health monitor". I think if F5 knew what that was they would tell us. Anyone know what should be put in send string under properties for the UDP probe?
[root@dadvig0065 log]# tail krb5kdc.log
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispa
2/22/2010 3:02:49 PM | 0 | Kevin Longfellow <klong...@yahoo.com>
KfW 3.2.2 - use_dns_lookup not using DNS responses on Win 7
I suspect this is something broken in our setup, and likely not an issue
with KfW itself, but I've exhausted just about everything I know trying to
figure this one out, so I'm sending it to the list and hoping someone's
already hit this one.

Using KfW 3.2.2 (w/ OpenAFS 1.5.68) on Win 7 (64 or 32), when setting
use_dns_lookup=1, I get a KDC not found error. Specifying a KDC works
fine. Doing a packet capture, I can see that it is actually doing the DNS
lookup and gets back the correct information. It's looking for both the
UDP and TCP records (we only use UDP), a
2/22/2010 2:52:04 PM | 0 | "Billy Beaudoin" <wrbea...@eos.ncsu.edu>
wallet 0.10 released
I'm pleased to announce release 0.10 of wallet.
The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data. Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users. The wallet
tracks ACLs, metadata, and trace information. It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication. One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadm
2/22/2010 6:06:10 AM | 0 | Russ Allbery <...@stanford.edu>
KDC name resolution question
I have a Kerberos 1.4 client configured to use DNS lookup for the kdc. The
environment has 23 AD servers for the domain. Everything is resiliently
setup with 3 DNS servers. I now observe that when the first DNS server
fails a kinit takes 80 seconds or more. Some application using Kerberos via
pam_krb5 timeout after 20 or 30 seconds or even less. I wonder what would
be the best way to configure the clients to reduce the authentication time ?
When I only configure 3 servers with DNS names in krb5.conf I still get 20
seconds delays. A simple DNS lookup is about a second (e.g. it detec
2/21/2010 5:28:12 PM | 0 | "Markus Moeller" <hua...@moeller.plus.com>
preauth pkinit failed to initialize
Hi all,
I have enabled pkinit, but I am not getting the PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP fields in the reply (KRB5KDC_ERR_PREAUTH_REQUIRED) from the KDC.
In the kdc log file I found the following data:
preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Please tell me how to configure the realms. Please guide me.
Regards,
Vinay
2/21/2010 4:47:54 PM | 0 | lokesh kumar <l_v_k_1...@yahoo.co.in>
Preauthentication Error
Hi all,
I am implementing PKINIT. I have generated certificates using
openssl tool, but i am not getting PA-DASS, PA-PK-AS-REQ,
PA-PK-AS-REP fields in the reply (
KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC. Its asking password to
authenticate and sending encrypted time-stamp in the second AS_REQ to
KDC, but i want to use certificate based authentication. So the fields
PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are needed in the
reply(KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC.
I have compiled preauth pkinit plugin with '-DDEBUG' option,
following data displ
2/19/2010 10:57:32 AM | 0 | vinay kumar <winay....@gmail.com>
MIT Kerberos version 1.6 with F5 BigIP
Hi,
Just wondering if anyone can tell me if it's possible or reasonable to put multiple kdc's behind a F5 BigIP for load balance purposes? We have tried a simple configuration with port 88 UDP but it seems to cause some issues with the kdc's. Getting a TGT with kinit seems to work just fine but using an application (e.g. nfs) the TGS seems to fail. It would be nice to use the F5 load balancer since we have to use krb5.conf deploying it on thousands of systems.
KDC issue in log file:
tail -f /var/log/krb5kdc.log
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: I
2/18/2010 10:00:51 PM | 0 | Kevin Longfellow <klong...@yahoo.com>
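Both F5 threads above (the load-balancing question and the "Invalid message type" probe question) come down to the same requirement: the health monitor has to send bytes that the KDC will parse as a Kerberos PDU. The following is an added example, not code from either poster, from F5 or from MIT: it DER-encodes a minimal AS-REQ (RFC 4120 section 5.4.1) for an assumed principal probe@EXAMPLE.COM and classifies a reply by its outer APPLICATION tag. A KDC that is up answers an AS-REQ for an unknown client with a KRB-ERROR (KDC_ERR_C_PRINCIPAL_UNKNOWN), so the monitor can treat a reply whose first byte is 0x7e as healthy, and krb5kdc stops logging "Invalid message type" because the probe is now a well-formed request.

```python
"""Added example: build a minimal Kerberos AS-REQ for a load-balancer health
monitor and classify the KDC's reply by its outer ASN.1 tag. Not from the
original posts, MIT krb5 or F5; realm and principal are placeholders."""
import os

# Kerberos message types, read from the APPLICATION tag of the outer PDU
KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ",
                 13: "TGS-REP", 30: "KRB-ERROR"}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def ctx(n, content):
    """Constructed context-specific tag [n]; every KDC-REQ field uses one."""
    return tlv(0xA0 | n, content)


def integer(v):
    """DER INTEGER with minimal two's-complement length (non-negative v)."""
    if v == 0:
        return tlv(0x02, b"\x00")
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def general_string(s):
    return tlv(0x1B, s.encode("ascii"))      # KerberosString is a GeneralString


def sequence(*items):
    return tlv(0x30, b"".join(items))


def principal_name(name_type, *components):
    return sequence(ctx(0, integer(name_type)),
                    ctx(1, sequence(*[general_string(c) for c in components])))


def build_as_req(realm, client, nonce, etypes=(18, 17, 23), till="20370913024805Z"):
    """AS-REQ ::= [APPLICATION 10] KDC-REQ. No pre-authentication is sent: the
    probe only needs to elicit a reply, and an unknown client draws a KRB-ERROR."""
    body = sequence(
        ctx(0, tlv(0x03, b"\x00" + (0x40000000).to_bytes(4, "big"))),  # KDCOptions: forwardable
        ctx(1, principal_name(1, client)),                 # cname, NT-PRINCIPAL
        ctx(2, general_string(realm)),                     # realm
        ctx(3, principal_name(2, "krbtgt", realm)),        # sname krbtgt/REALM, NT-SRV-INST
        ctx(5, tlv(0x18, till.encode("ascii"))),           # till, GeneralizedTime
        ctx(7, integer(nonce)),                            # nonce
        ctx(8, sequence(*[integer(e) for e in etypes])),   # etype: aes256, aes128, rc4
    )
    kdc_req = sequence(ctx(1, integer(5)),      # pvno
                       ctx(2, integer(10)),     # msg-type AS-REQ
                       ctx(4, body))            # req-body
    return tlv(0x6A, kdc_req)                   # [APPLICATION 10]


def message_type(data):
    """Name the Kerberos PDU by its outer tag, or None for bytes a KDC would
    reject (what krb5kdc logs as "Invalid message type")."""
    if len(data) < 2 or (data[0] & 0xE0) != 0x60:      # APPLICATION class, constructed
        return None
    first = data[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return None
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if hdr + length != len(data):                       # truncated or trailing garbage
        return None
    return KRB_MSG_TYPES.get(data[0] & 0x1F)


def as_f5_send_string(data):
    """Render the PDU as \\x-escaped bytes for a monitor send string (assumption:
    the monitor accepts this escape syntax; check the F5 docs for your version)."""
    return "".join("\\x%02x" % b for b in data)


if __name__ == "__main__":
    req = build_as_req("EXAMPLE.COM", "probe", nonce=int.from_bytes(os.urandom(4), "big"))
    print(len(req), "bytes,", message_type(req))
    print(as_f5_send_string(req))
```

For the receive string, match the leading \x7e of the KRB-ERROR rather than the whole reply, since the error body carries the KDC's current time. One thing to check in the 1.6 post's TGS failure that this probe does not cover: a TGS exchange whose reply exceeds the UDP size limit is retried by the client over TCP 88, which a virtual server configured for UDP 88 only will not carry.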
krb5-strength 1.0 released
I'm pleased to announce release 1.0 of krb5-strength.
krb5-strength provides mechanisms for checking the strength of Kerberos
passwords against an external dictionary when a user changes passwords in
a Kerberos KDC. It is roughly equivalent to checking password strength
via CrackLib, except that it embeds a copy of Alec Muffett's CrackLib that
has been modified to perform slightly more strenuous tests. It is usable
as-is with Heimdal. With MIT Kerberos, it requires an included patch to
libkadm5srv to support a dynamically loaded password check module.
I was hoping to finish, for
2/17/2010 7:42:59 AM | 0 | Russ Allbery <...@stanford.edu>
krb5-sync 2.0 released
I'm pleased to announce release 2.0 of krb5-sync.
krb5-sync is a toolkit for updating passwords and account status from an
MIT or Heimdal Kerberos master KDC to Active Directory. It is implemented
as a patch to libkadm5srv and a plugin module that will push password
changes and selected account flag changes to Active Directory at the same
time as they are made to the local KDC database.
Changes from previous release:
Dropped support for AFS synchronization and all Kerberos v4 support.
This package now only synchronizes with Active Directory.
Add plugin support for
2/16/2010 7:36:30 AM | 0 | Russ Allbery <...@stanford.edu>
Question about cryptographic protection of message fields
Hi all,
Looking into the Kerberos specification and the MIT implementation, I've found that not all the fields defined in the Kerberos messages are cryptographically protected. For example, in the KDC-REQ/KDC-REP, the padata field is sent in the clear and (at least) is not integrity protected. Therefore, an attacker can change the information contained in any of these fields and the client is not able to detect this attack. For this reason, I was wondering if my conclusions are right.
Thanks in advance,
Fernando.
---
2/15/2010 1:51:55 PM | 0 | Fernando Pereñíguez Garcia <perenig...@um.es>
Testing master key?
Remind me again how to test my master key? I can't find
that I documented it anywhere in my safe, so now it's time to
start guessing and hope for a hit :/
2/11/2010 4:48:57 PM | 0 | Jeff Blaine <jbla...@kickflop.net>
Automatically distributing nfs/ssh host principals
Hello list.
In order to allow our users to set up their own machines for kerberized
NFS, we deployed a custom CGI application allowing them, once
authenticated, to create nfs/hostname principals, and extract the
corresponding keytab file. As part of the process, they register
themselves as owner of those principals, for extracting or deleting them
later. We thereafter modified the application to deliver host/hostname
principals instead, as they allow both NFS and SSH services.
However, this is still a bit painful, as it can't be included in
automatic installation scenarios, for i
2/9/2010 10:17:49 AM | 0 | Guillaume Rousse <Guillaume.Rou...@inria.fr>