How can I get the GSS samples from KfW 3.2.2 to work on my Windows XP SP3 computer ?

Here is exactly what I did: 1/ I successfully built KfW 3.2.2 on my Windows XP SP3 platform 2/ I ran "leash32.exe" from the build then chose "Options" => "Kerberos v5 Properties..." => "File Location" + set "Ticket File field" to "C:\WINNT\krb5kt" + set "Configuration File" to our working company "C:\WINNT \krb5.ini" (this file is used for accessing our company's KDC which is known to work). 3/ Then I chose "Action" => "Import Ticket(s)/Token(s)" from my computer and I could see my "krb5kt" file created in "C:\WINNT \krb5kt". I do not exactly know neither what ha

windows 7 FAST configuration for HMAC time-based one-time password authentication

Hi, I am a master student and I am working on HMAC time-based One-time password (OTP) authentication for Windows systems. I would like to use Kerberos, therefore I need flexible authentication secure tunneling (FAST) that is available in krb5-1.8. However, I could not find any information concerning configuration of Kerberos FAST. I have found only the following information: http://k5wiki.kerberos.org/wiki/Projects/Fast_negotiation How can I configure Kerberos FAST? Thank you in advance. Best regards, Oleksandr

1.7.1 krb5kdc crash on Enterprise Linux version 5 u4 x86_64

Hi, We are testing a Kerberos version 1.7.1 environment on EL5u4 and the KDC crashed with the below in /var/log/messages: Mar 25 20:26:16 dadvil0122 kernel: krb5kdc[4124]: segfault at 0000000000000000 rip 0000003eeea7bcb4 rsp 00007fffe1f90c58 error 4 1.7.1 was built from source with ldap and we are using ldap as the back end. Looking at krb5kdc.log there was an AS_REQ about 26 minutes prior to the crash. Other than the message above, we are not sure what steps we should take to debug this issue? The krb5kdc was running for about 10 days when it crashed. Kerberos was built with

Regarding Replay cache usage in memory..

Hi, I am using MIT kerberos library for authentication in my project and I am seeing performance issue while using default replay cache i.e. dfl. I would like to know how can I enable the in memory replay cache. Thanks, Prashant

Microsoft SQL, kerberos, AD controller, unix clients?

My work place is moving towards MSSQL, and we're also moving towards AD as our LDAP/authentication mechanism. We have a large UNIX and OSX install base, which isn't going away, so there is a lot of work going into using freetds and JAVA database connections against MSSQL. Has anyone done this before, and perhaps point us in the right direction? -- -- John E. Jasen (jjasen@realityfailure.org) -- "Deserve Victory." -- Terry Goodkind, Naked Empire

Apache2, mod-auth-kerb, Active Directory, Windows 2003, single signon

Hi, Did you finally solve the problem to capture the active directory user? I=92m trying to find a solution, but I haven=92t succeed yet=85 Thanks. Tamar.

Local development database?

I'm trying to set up a development environment for an application that includes a kerberos realm. I'm running into a difficulty with the kerberos software though. I'm trying to change the "localstatedir" value to point to a directory within my project so that I can use utilities like kdb5_util to create, destroy and operate on a kerberos database. I see that this is an option that can be passed to 'configure' before building the kerberos binaries, but I'm not seeing a way to set it later, such as via an environment variable or command line option. Any help on this much appreciated

Kerberos and RSA SecureID

Hi, I'm looking to see if I can integrate RSA SecureID tokens to our MIT Kerberos infrastructure, and was wondering if anyone had any experience with setting that up, or could direct me to any documentation that might be out their! Ideally, I'd like to associate a policy with SecureID, so that administrative principles and users are required use keyfobs, were as normal users are not. If anyone has any thought, I'd be much obliged, I've run into a number of dead ends on google :( Thanks! Tim

max ticket/renew appears to not work in 1.7.1?

Hi, We are working on setting up a very large Kerberos environment and recently changed to 1.7.1 with a ldap back end for our testing. Since two things changed from our previous test environment, I'm not sure what might be the cause of user tickets not getting the requested max lifetime and max renewable? Our previous test environment was 1.7 with the local database option. I'll try and list some things that might be relevant: kadmin.local: getprinc krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM Principal: krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM Expiration date: [never] Last password c

Win 2008R2 kdc and linux client: no support for encryption type while getting initial credentials

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! I want to setup a Windows 2008R2 server as a AD with a KDC to obtian krb5 tickets and later on obtain OpenAFS tokens with these tickets. Our setup: running Windows 2003 server with AD CGV.TUGRAZ.AT and running krb5 kdc on it. User, service principal afs for OpenAFS, works good so far. I added a second server with Windows 2008R2, added 2nd server to the AD domain and raised 2nd server as AD server. I set on the Win 2008R2: - - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value 1 at HKLM\SYSTEM\Curren

ldap_conns_per_server = 5

Hi, Going through krb5.conf for a kdc that will be using ldap as the back end, the variable ldap_conns_per_server = 5 seems low. Consider a kdc for 30k+ users will this setting be ok? What does this variable really limit? Having no practical experience with a large deployment using ldap as the back end, this variable caught my eye and concerns me as to low for a very large number of users? Thanks for any help with this. Kevin

ANNOUNCEMENT: Network Identity Manager Version 2.0 Available as an Update to Kerberos for Windows

This is a cryptographically signed message in MIME format. --------------ms030909030107080202020806 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable URL: http://www.secure-endpoints.com/netidmgr/v2/ Secure Endpoints Inc. is proud to announce the public availability of Network Identity Manager v2 (2.0.0.304). Version 2.0 is the end of a three year effort to improve the usability and capabilities of the product. Improved usability: * Users no longer have to type their username/realm each time they wish to obtain credentials for a

Help: IE doesn't work silently

Please Help! My environment: Server: Mit Kerberos and Jboss 4.2.3 on the same machine running Debian. Client: Windows XP with Kerberos for Windows. It works perfectly with Firefox, but prompts for user and password with IE. What can I do to work silently with IE? The big difference is that in Firefox I can set mit gssapi, but in IE I can't. So IE doesn't see my mit kerberos ticket. Is there a way to put kerberos ticket in ms cache? I'd really appreciate your help! Thanks in advance! Inacio -- Prodesan S/A (http://www.prodesan.com.br/)

Win 2008R2 DES eanble?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! Sorry for a bit OT question: I want to extend our AD with a Windows 2008R2 server with KDC enabled. Now I know I need to enable DES enctype again to be able to use OpenAFS with such a KDC, but I am a bit lost where to enable this. Found a few point on google so far: - -administrative tools for server - -for each client seperate of the AD But what is the real solution? MfG, Lars Schimmer - -- - ------------------------------------------------------------- TU Graz, Institut f�r ComputerGraphik & WissensVisualisierung Tel:

experiences with krb clients on guest wireless networks?

Forgive me if this has been discussed before on this list... Some of our users have had the problem of being on "guest" wireless networks (e.g. at universities) which are heavily firewalled, blocking everything except tcp ports 22, 80, and 443 (and sometimes udp/tcp 53). Needless to say, clients can't talk to our KDC from that network. Has anyone else had experience with this? If so, what have you done about it? We're thinking about having our KDCs respond on tcp port 443, since that's almost always open, and it's rarely filtered for protocol compliance (e.g. some network che

remctld on windows XP

Hi Everyone, Looking at the remctl web site, it says that the remctl server is not supported on windows. We would like to use remctld on Windows XP. What would be involved in making that work? Is that possible? Thanks, Jason

Sendauth from windows(client) to linux(server)

Hi, I'm writing a client server application and i need to develop a windows client. Actually i developed the server and a basic linux client to test it. all it's working ok and the interaction between server and client is correct. Now i'm trying to port the client to windows, but i have problem with sendauth. Even if i can get the TGT for my client's pincipal and the TGS for my service when i use sendauth i got the -1765328178 error,on the linux client everything works ok so i wonder ho i can fix this problem, can anyone point me on the right direction ? Thanks Arturo Sandrigo

bind KDC to single interface?

Am I missing something in the documentation, or is there no way to tell krb5kdc to bind to a single network interface (as oppposed to binding to all of them)?

MAC cached credentials MIT Krb

We are trying to get our MACs to use our central MIT kerberos realm. We need the ability for users to use cached credentails in order to log in outside of work say on travel trips on an airline, etc... where a network connection is not available. So far the mobile account creation does not work. Does any one know how to make this work with a MIT Krb5 realm? Thanks Mark

KfW 3.2.2 - use_dns_lookup not using DNS responses on Win 7

I suspect this is something broken in our setup, and likely not an issue = with KfW itself, but I've exhausted just about everything I know trying to = figure this one out, so I'm sending it to the list and hoping someone's = already hit this one. =20 Using KfW 3.2.2 (w/ OpenAFS 1.5.68) on Win 7 (64 or 32), when setting = use_dns_lookup=3D1, I get a KDC not found error. Specifying a KDC works = fine. Doing a packet capture, I can see that it is actually doing the DNS = lookup and gets back the correct information. Its looking for both the = UDP and TCP records (we only use UDP), a

KDC name resolution question

I have a Kerberos 1.4 client configure to use DNS lookup for kdc. The environment has 23 AD servers for the domain. Everything is resiliently setup with 3 DNS servers. I now observe that when the first DNS server fails a kinit takes 80 seconds or more. Some application using Kerberos via pam_krb5 timeout after 20 or 30 seconds or even less. I wonder what would be the best way to configure the clients to reduce the authentication time ? When I only configure 3 servers with DNS names in krb5.conf I still get 20 seconds delays. A simple DNS lookup is about a second (e.g. it detec

Preauthentication Error

Hi all, I am implementing PKINIT. I have generated certificates using openssl tool, but i am not getting PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP fields in the reply ( KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC. Its asking password to authenticate and sending encrypted time-stamp in the second AS_REQ to KDC, but i want to use certificate based authentication. So the fields PA-DASS, PA-PK-AS-REQ, PA-PK-AS-REP are needed in the reply(KRB5KDC_ERR_PREAUTH_REQUIRED) from KDC. I have compiled preauth pkinit plugin with '-DDEBUG' option, following data displ

krb5-strength 1.0 released

I'm pleased to announce release 1.0 of krb5-strength. krb5-strength provides mechanisms for checking the strength of Kerberos passwords against an external dictionary when a user changes passwords in a Kerberos KDC. It is roughly equivalent to checking password strength via CrackLib, except that it embeds a copy of Alec Muffett's CrackLib that has been modified to perform slightly more strenuous tests. It is usable as-is with Heimdal. With MIT Kerberos, it requires an included patch to libkadm5srv to support a dynamically loaded password check module. I was hoping to finish, for

Question about cryptographic protection of message fields

Hi all, Looking for into the Kerberos specification and the MIT = implementation, I've found that not all the fields defined in the = Kerberos messages are cryptographically protected. For example, in the = KDC-REQ/KDC-REP, the padata field is sent in clear and (at least) is not = integrity protected. Therefore, an attacker can change the information = contained in any of these fields and the client is not able to detect = this attack. For this reason, I was wondering if my conclusions are = right.=20 Thanks in advance, Fernando. ---=20 -------------------------------

Automatically distributing nfs/ssh host principals

Hello list. In order to allow our users to set up their own machines for kerberized NFS, we deployed a custom CGI application allowing them, once autenticated, to create nfs/hostname principals, and extract corresponding keytab file. As part of the process, they register themselves as owner of those principals, for extracting or deleting them later. We thereafter modifed the application to deliver host/hostname principals instead, as they allow both NFS and SSH services. However, this is still a bit painful, as it can't be included in automatic installation scenarios, for i