failed to create kerberos key: 5

Hi,
 
I have a strange problem with cross-realm authentication.
It's a Windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a Windows domain. This should be possible theoretically with ksetup, and all the necessary steps are described in the step-by-step Kerberos interoperability document.

However, this is what happens in my environment:
1. The user is able to log in to the Windows 2000 machine with his credentials in the MIT KDC. The Windows 2000 machine is configured to be a member of a workgroup. However, when I examine the settings using ksetup, this is what I get:
ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
 kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)
 
I'm not sure whether the last line is fatal.
 
2. When the user tried to access a computer in a Windows domain (this should be possible due to the cross-realm setup), the following error occurred:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date:  7/29/2004
Time:  7:37:30 PM
User:  N/A
Computer: TEST
Description:
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time: 
 Server Time: 
 Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
 Extended Error: KRB_AP_ERR_MODIFIED
 Client Realm: 
 Client Name: 
 Server Realm: WINDOMAIN.COM
 Server Name: krbtgt/WINDOMAIN.COM
 Target Name: HOST/Win2kServer@WINDOMAIN.COM
 Error Text: 
 File: 
 Line: 
 Error Data is in record data. 

Win2kServer is the computer that TEST tried to access; it belongs to WINDOMAIN, which is a Windows domain.
 
My guess is that the failure to generate the key caused the KRB_AP_ERR_MODIFIED,
but I can't confirm it.
I'm not sure what caused it to fail to generate the key.
 
I've followed the steps in the step-by-step Kerberos interoperability document carefully.
 
Any clue ?
 
regards,
lara


------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

m1r4cle_26 (40)
7/29/2004 12:03:51 PM
comp.protocols.kerberos


Lara Adianto wrote:
> 
> Hi,
> 
> I have a strange problem with cross-realm authentication.
> It's a Windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a Windows domain. This should be possible theoretically with ksetup, and all the necessary steps are described in the step-by-step Kerberos interoperability document.
> 
> However, this is what happen in my environment:
> 1. The user is able to log in to the Windows 2000 machine with his credentials in the MIT KDC. The Windows 2000 machine is configured to be a member of a workgroup. However, when I examine the settings using ksetup, this is what I get:
> ksetup:
> default realm = ADIANTO.COM (external)
> ADIANTO.COM:
>  kdc = kerberos.adianto.com
> Failed to create Kerberos key: 5 (0x5)

I don't see the Failed message on my machine, which is set up similarly, but I do
have some mappings of principals to local accounts.

> 
> I'm not sure whether the last line is fatal.

Since you were able to log in, and your next note shows you got
a host/test.adianto.com@ADIANTO.COM ticket during login,
the Kerberos on the W2000 box looks good.

> 
> 2. When the user tried to access a computer in a windows domain (should be possible due to the cross realm setup), the following error occured:

What do you mean by "tried to access a computer in a windows domain"?

What application are you using?

> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 594
> Date:  7/29/2004
> Time:  7:37:30 PM
> User:  N/A
> Computer: TEST
> Description:
> A Kerberos Error Message was received:
>          on logon session InitializeSecurityContext
>  Client Time:
>  Server Time:
>  Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
>  Extended Error: KRB_AP_ERR_MODIFIED
>  Client Realm:
>  Client Name:
>  Server Realm: WINDOMAIN.COM
>  Server Name: krbtgt/WINDOMAIN.COM
>  Target Name: HOST/Win2kServer@WINDOMAIN.COM
>  Error Text:
>  File:
>  Line:
>  Error Data is in record data.


Doing a Google search for KRB_AP_ERR_MODIFIED shows this in one of the messages:

  The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
  COMPANY$.  This indicates that the password used to encrypt the kerberos 
  service ticket is different than that on the target server. Commonly, 
  this is due to identically named  machine accounts in the target realm 
  (COMPANY.NET), and the client realm.   Please contact your system 
  administrator.

This might also mean the cross-realm keys don't match, i.e. the user's realm
issued a TGT for the service realm, but the service realm cannot decrypt it.
Did you ever get any cross-realm to work with the user in the MIT realm and the
service in AD?

Did the UMich modification make any changes in this area?


> 
> Win2kServer is the computer that TEST tried to access; it belongs to WINDOMAIN, which is a Windows domain.
> 
> My guess is that the failure to generate the key caused the KRB_AP_ERR_MODIFIED,
> but I can't confirm it.
> I'm not sure what caused it to fail to generate the key.
> 
> I've followed the steps in the step-by-step Kerberos interoperability document carefully.
> 
> Any clue ?
> 
> regards,
> lara

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

deengert (574)
7/29/2004 2:56:08 PM


Re: failed to create kerberos key: 5

I think I need to provide more information about my setup:
- I used the UMICH patch for cross-realm auth; I can see from the log file that the cross-realm ticket is issued by the MIT realm
- The krbtgt/adianto.com@windomain.com and krbtgt/windomain.com@adianto.com keys are des-cbc-crc32
- the TGT in the Windows client:
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: lara
DomainName: ADIANTO.COM
TargetDomainName: ADIANTO.COM
AltTargetDomainName: ADIANTO.COM
TicketFlags: 0x40c00000
KeyExpirationTime: 1/1/1601 8:00:00
StartTime: 7/29/2004 19:32:15
EndTime: 7/30/2004 19:32:15
RenewUntil: 7/29/2004 19:32:15
TimeSkew: 1/1/1601 8:00:00
- the tickets:
Cached Tickets: (2)
Server: krbtgt/ADIANTO.COM@ADIANTO.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 7/30/2004 19:32:15
Renew Time: 7/29/2004 19:32:15
Server: host/test.adianto.com@ADIANTO.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 7/30/2004 19:32:15
Renew Time: 7/29/2004 19:32:15

regards,
lara
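The failure mode Douglas Engert points at (the user's realm issued a cross-realm TGT that the service realm cannot decrypt) modelled end to end, as an added example that is not code from this thread, from MIT Kerberos or from Windows. The event in the original post came back from krbtgt/WINDOMAIN.COM during the TGS exchange, so the check is placed in the AD-side KDC. The real enctype (the follow-up says the trust key is des-cbc-crc) is replaced by a toy encrypt-then-MAC built from the Python standard library and string-to-key by PBKDF2; the `Realm` and `scenario` helpers, the passwords and the kvno values are assumptions. What is faithful is the shape of the failure: the MIT KDC seals the TGT under its copy of krbtgt/WINDOMAIN.COM@ADIANTO.COM, and the AD KDC can only open it if it derived the identical key, which means the same trust password, the same salt, the same enctype and the same kvno.

```python
import hashlib
import hmac
import os
import struct

# Kerberos error codes (RFC 4120 section 7.5.9) a KDC or acceptor returns when
# the key it holds does not fit the ticket presented to it.
KRB_AP_ERR_MODIFIED = 41    # 0x29, the code in the Event ID 594 record above
KRB_AP_ERR_BADKEYVER = 44   # key version number for principal not available

TRUST = "krbtgt/WINDOMAIN.COM@ADIANTO.COM"    # principal both realms hold a key for
SERVICE = "HOST/Win2kServer@WINDOMAIN.COM"    # the target name from the event


def default_salt(principal: str) -> str:
    # Kerberos default salt: realm name followed by the name components.
    name, realm = principal.split("@")
    return realm + "".join(name.split("/"))


def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the enctype's string-to-key (assumption: PBKDF2, not DES).
    # As with the real thing, password, salt and enctype must all agree.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, kvno: int, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC: kvno || nonce || ciphertext || HMAC-SHA256 tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    body = struct.pack(">I", kvno) + nonce + ct
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, kvno: int, blob: bytes):
    """Return (krb_error, plaintext); error 0 means the ticket opened cleanly."""
    body, tag = blob[:-32], blob[-32:]
    if struct.unpack(">I", body[:4])[0] != kvno:
        return KRB_AP_ERR_BADKEYVER, None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        # Wrong key: the integrity check fails. Windows reports this as 0x29.
        return KRB_AP_ERR_MODIFIED, None
    nonce, ct = body[4:20], body[20:]
    return 0, bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Realm:
    def __init__(self, name: str):
        self.name = name
        self.keys = {}  # principal -> (kvno, key)

    def add_principal(self, principal, password, kvno=1, salt=None):
        salt = default_salt(principal) if salt is None else salt
        self.keys[principal] = (kvno, string_to_key(password, salt))


def issue_cross_realm_tgt(mit_kdc: Realm, client: str) -> bytes:
    # The MIT KDC seals the cross-realm TGT under ITS copy of the trust key.
    kvno, key = mit_kdc.keys[TRUST]
    return seal(key, kvno, f"{client}@{mit_kdc.name}".encode())


def ad_tgs_exchange(ad_kdc: Realm, tgt: bytes, service: str):
    # The AD KDC must open that TGT with ITS copy before it issues a ticket;
    # otherwise the client gets a KRB-ERROR from krbtgt/WINDOMAIN.COM.
    kvno, key = ad_kdc.keys[TRUST]
    err, client = unseal(key, kvno, tgt)
    if err:
        return err, None
    return 0, f"ticket for {service} issued to {client.decode()}"


def scenario(mit_password, ad_password, mit_kvno=1, ad_kvno=1, ad_salt=None):
    # Constructed setup: the two KDCs and the one principal they share.
    mit = Realm("ADIANTO.COM")
    ad = Realm("WINDOMAIN.COM")
    mit.add_principal(TRUST, mit_password, mit_kvno)
    ad.add_principal(TRUST, ad_password, ad_kvno, salt=ad_salt)
    return ad_tgs_exchange(ad, issue_cross_realm_tgt(mit, "lara"), SERVICE)


if __name__ == "__main__":
    print(scenario("trustpw", "trustpw"))              # matching keys: ticket issued
    print(scenario("trustpw", "wrongpw"))              # different trust password: 41 (0x29)
    print(scenario("trustpw", "trustpw", mit_kvno=2))  # kvno drift after a re-key: 44
    print(scenario("trustpw", "trustpw", ad_salt=""))  # same password, different salt: 41
```

The last two cases are the ones worth remembering when the trust password "is the same on both sides" and 0x29 still appears: a kvno that moved on one side after a re-key, or a key derived with a different salt, both leave the service realm unable to open the TGT. On the real MIT KDC the values to compare are the kvno and enctype that `kadmin.local -q "getprinc krbtgt/WINDOMAIN.COM@ADIANTO.COM"` prints against what the Windows side holds for the trust.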

migration from Kerberos 4 to Kerberos 5
Hello, I have a few questions about migration to a new Kerberos version. In fact, the goal is to migrate a network with Kerberos 4 to the Kerberos 5(under Lin8x): 1) Do I have to reinstall Kerberos from the scratch or are there packages that allow to update the version? 2) What about the users that I created, are they still valid or will user information be lost. Part of the network uses already an LDAP directory, do I suppose this will not be a problem for this part, but in general, how can I migrate my user-accounts to the new version? 3) What about the clients, do I have to re-install the Kerberos-client on each workstation or can I use the "old" Kerberos clients? Could anybody answer my questions and perhaps give me some good hints for the migration respectively point me to some good documents? Thanx, CB ...

Kerberos 5 Administration Protocol
Hello everyone, I need to implement a Kadmin client in Java. That is, I need to be able to add and remove kerberos principals and change passwords from a Java application. The first approach was to try doing that based only on the C source code of MIT Kerberos implementation, but it looks like it's to hard to implement it this way. I think it would be easier if I could find the specification of the Kerberos Administration Protocol. Can anyone tell me if there exists such specification? And, where can I find it? Thanks, Anderson Luiz Brunozi ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Kerberos failed to create a principal
Hello, We are running kerberos server that use LDAP as his DB. Until today everything works fine but suddenly user creation failed as you can see in the following example: kadmin.local: addprinc -randkey user40 NOTICE: no policy specified for user40@REALM assigning "default". Note that policy may be overridden by ACL restrictions. Unable to randomize key for "user40@REALM" Status 0x29c250c - Principal does not exist. kadmin.local: getprinc user40 Unable to retrieve principal "user40@REALM" Status 0x29c250c - Principal does not exist. The error message we get in kadmin.log file is: local6:err|error kadmin.local[782428]: LDAP: /blddir/krb514/src/plugins/ldap/ira_entry.c(193), 32: LDAP_NO_SUCH_OBJECT If you did encounter similar problem any advice/direction in how to isolate/find/understand where is the problem would be appreciated. Thank You !! Ido Levy ...

RE: MIT Kerberos and Solaris 10 Kerberos #5
> > Can we force the Sol10 box to only use DES, to be > compatible with the > > Sol8/MIT systems (which is everything but the one Sol10 box)? > > If you are using MIT Kerberos on the Solaris 8 systems (including > pam_krb5 made for MIT, not the one that comes with SEAM), then > you should not worry about the enctypes because MIT already > supports all of the enctypes that S10 supports. > > The only time you need to worry about enctypes is when you > are using pre-S10 systems with SEAM apps. IN that situation, > ONLY the pre-solaris 10 systems need to have the DES keys, > it is perfectly acceptable for the S10 systems to have AES > and S8/S9 to have DES. This should not affect interop if > your keytabs are correctly populated on the pre-S10 boxes. Excellent, thanks. That makes life significantly easier. > earlier comments, > > they already are DES; is that correct? > > > > Not necessarily. If your S8 systems are MIT, then you don't > really need to worry much about the enctype support because > MIT has support for all enctypes (DES through AES-256). Right, as per your comments above. :-) > If you use a 3rd party pam_krb5 library that links with MIT > Kerberos, then you should not have any enctype issues on > Solaris 8. We aren't using any Sol8 SEAM (all MIT, except for the new Sol10 box), using the MIT libs. > You may be seeing problems on your S8 systems because ...

Fw: Kerberos failed to create a principal
Hello, In continue to my e-mail below we detected the attribute DISALLOW_TGT_BASED for the kadmin/admin principal. kadmin.local: getprinc kadmin/admin@REALM Principal: kadmin/admin@REALM Expiration date: [never] Last password change: Tue Oct 16 18:01:25 IST 2007 Password expiration date: [none] Maximum ticket life: 0 day 03:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Wed Nov 21 15:02:00 IST 2007 (admin/admin@REALM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 4 Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 3, ArcFour with HMAC/md5, no salt Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 3, DES cbc mode with RSA-MD5, no salt Attributes: DISALLOW_TGT_BASED REQUIRES_PRE_AUTH Policy: [none] Although that from googling we understand that it shouldn't be a problem we unset this attribute for the kadmin/admin principal and it seems to stabilize the system. Does it make sense ? Thanks, Ido Levy Ido Levy/Haifa/IBM@IB MIL To ...

Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3
Any one had any success compiling KRB5 1.5.1 on AIX 5.2 or 5.3 ? I am experiencing the same errors as a previous poster; but have not seen any solutions. Configure is successful with the following flags: export CC=cc export CFLAGS='-D_LARGE_FILES -DLANL -DLANL_ICN'; export CFLAGS ../configure --prefix=/usr/local/kerberos --enable-dns-for-realm --with-tcl=/usr/local --with-vague-errors Same config I use to compile 1.4.4 successfully with the LANL patches provided by Milton Turley. After running make, I get the following errors: making all in util... making all in util/support... cc -I../../include -I./../../include -I. -I. -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE=1 -D_LARGE_FILES -DLA L -DLANL_ICN -qhalt=e -O -D_THREAD_SAFE -c fake-addrinfo.c "fake-addrinfo.c", line 1212.9: 1506-045 (S) Undeclared identifier my_h_ent. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 1. Stop. Same errors on AIX 5.2 as well as AIX 5.3. Also, same errors with CC or GCC 4. Any help is appreciated and I can beta test any patches. Thanks ! Lamar Privileged and Confidential. This e-mail, and any attachments there to, is intended only for use by the addressee(s) named herein and may contain privileged or confidential information. If you have received this e-mail in error, please notify me immediately by a return e-mail and ...

replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Hi all Since we are migrating from Debian to RedHat, we are considering replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT Kerberos server (again with LDAP back-end) since RedHat packages are only available for MIT Kerberos. In order to make this migration/upgrade as transparent as possible for our users, we want to convert all the necessary info in the Heimdal back-end to the MIT back-end. Are there any pointers available for this kind of operation? E.g. things like conversion tables mapping the corresponding Kerberos-specific LDAP attributes? Or even scripts? I'm especially looking at the Kerberos key attributes, i.e. - Heimdal: krb5Key - MIT: krbPrincipalKey Is it possible to convert the former into the latter? Is there any code available for this operation? If not, we would have to require all our users to change their passwords at the same time, which is not very feasible. Thanks in advance Bart ...

RE: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3
Believe it or not; both solutions seem to work and compilation succeeds ! #define GET_HOST_BY_NAME(NAME, HP, ERR, TMP) \ { \ (HP) = (gethostbyname_r((NAME), &TMP.ent, &TMP.data) \ ? 0 \ : &TMP.data); \ (ERR) = h_errno; \ } Worked and so did... #define GET_HOST_BY_NAME(NAME, HP, ERR, TMP) \ { \ struct hostent my_h_ent; \ (HP) = (gethostbyname_r((NAME), &TMP.ent, &TMP.data) \ ? 0 \ : &my_h_ent); \ (ERR) = h_errno; \ } Thanks for the help ! I will continue testing with my current install base on AIX. I really appreciate the rapid responses and solutions ! Lamar -----Original Message----- From: Ken Raeburn [mailto:raeburn@MIT.EDU] Sent: Monday, September 18, 2006 5:13 PM To: Marcus Watts Cc: Saxon, Lamar; kerberos@mit.edu Subject: Re: Kerberos 5 v1.5.1 on AIX 5.2 or AIX 5.3 On Sep 18, 2006, at 17:56, Marcus Watts wrote: > Lamar.Saxon@americredit.com writes: > ... >> making all in util... >> making all in util/support... >> cc -I../../include -...

Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type
Colleagues, What could be the reason that I cannot telnet from FreeBSD to Solaris 10 with the following error: Connected to oracle.sibptus.tomsk.ru. Escape character is '^]'. [ Trying mutual KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ] [ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ] [ Trying KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ] [ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ] Password: Kerberized telnet and ssh work fine between FreeBSD systems, but Solaris is a problem. The kdc is Heimdal running on FreeBSD. The keytab for the host principal was exported on FreeBSD and then transferred to Solaris and imported there. Thank you in advance for any input. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/49@fidonet http://vas.tomsk.ru/ I believe that solaris (as as solaris 9) only supports des-cbc-crc encrypion. Hope that helps, Steven --- Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> wrote: > Colleagues, > > What could be the reason that I cannot telnet from > FreeBSD to Solaris 10 > with the following error: > > Connected to oracle.sibptus.tomsk.ru. > Escape character is '^]'. > [ Trying mutual KERBEROS5 > (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ] > [ Kerberos V5 refuses authentication because > Kerberos checksum verification failed: Ba...

MIT Kerberos or Heimdal Kerberos?
Hi, How do I know the server install in the system is MIT Kerberos or Heimdal? I m using FreeBSD 5.2.1 Thanks sam ...

Kerberos on AIX 5.3 : error :Cannot retrieve key from keytab file
Hi , Following is the output of some of the commands are ran after adding principals on kerberos database. kadmin.local: getprinc nfs/vcsaix6.vxindia.veritas.co=ADm Principal: nfs/vcsaix6.vxindia.veritas....@vxindia.veritas.com Expiration date: [never] Last password change: Tue Jul 19 17:21:56 CDT 2005 Password expiration date: [none] Maximum ticket life: 1 day 00:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Tue Jul 19 17:21:56 CDT 2005 (root/ad...@vxindia.veritas.com) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 4 Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 4, ArcFour with HMAC/md5, no salt Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 4, DES cbc mode with RSA-MD5, no salt Attributes: Policy: [none] kadmin.local: ------------------------------=AD-- bash-2.05b# klist -k /etc/krb5/krb5.keytab Key table: /etc/krb5/krb5.keytab Number of entries: 4 [1] principal: nfs/vcsaix6.vxindia.veritas....@vxindia.veritas.com KVNO: 4 [2] principal: nfs/vcsaix6.vxindia.veritas....@vxindia.veritas.com KVNO: 4 [3] principal: nfs/vcsaix6.vxindia.veritas....@vxindia.veritas.com KVNO: 4 [4] principal: nfs/vcsaix6.vxindia.veritas....@vxindia.veritas.com KVNO: 4 bash-2.05b# klist -k /etc/krb5/krb5.keytab bash-2.05b# kinit -k -t /etc/krb5/krb5.keytab nfs/vcsaix6.vxindia.veritas.co=ADm com.ibm.security.krb5.K...

MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2
Hi, I'm not sure if I've found a bug in MIT Kerberos 5 v1.9.1, or a bug in Windows 2003 R2, or both. So let me explain what I've found. I'm using http://fuhm.net/software/msktutil/ on RHEL 5 and Solaris 10 to create computer objects and keytab files in an environment with Active Directory running on Windows 2003 R2. This works fine on RHEL 5.5 with MIT Kerberos 5 v1.6.1, and also works ok on Solaris 10 Update 8 with MIT Kerberos 5 v1.4.4 obtained from http://mirror.opencsw.org/opencsw/stable/i386/5.10/. However, when attempted on Solaris 10 with MIT Kerberos 5 v1.9.1 obtained from http://www.opencsw.org/packages/CSWlibkrb5-3/ the process fails to obtain a kadmin/changepw ticket after successfully creating the computer object. The C++ code launches krb5_set_password_using_ccache(), and promptly fails with: Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm) Error: set_password failed Analysing network packets and comparing successful and unsuccessful attempts, when it works I see: TGS-REQ for kadmin/changepw, KDC option bit 15 (canonicalize) is NOT set. TGS-REP supplies kadmin/changepw as requested. When it fails I see: TGS-REQ for kadmin/changepw, KDC option bit 15 (canonicalize) is set. TGS-REP provides a TGT, not kadmin/changepw. So it appears to be a problem with KDC option bit 15. Reading around this subject, RFC 4120 only mentions in section 5.4.1 (KRB_KDC_REQ Definition) that bit "15 is reserved for ...

Kerberos 5-1.5 database plugins
Where would one find the plethora of Kerberos database plugins, besides the obvious? src/test/../util/fakedest/usr/local/lib/kerberos/krb5/plugins/kdb/db2.so ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos On Aug 1, 2006, at 15:32, Kenneth Grady wrote: > Where would one find the plethora of Kerberos database plugins, > besides > the obvious? > src/test/../util/fakedest/usr/local/lib/kerberos/krb5/plugins/kdb/ > db2.so Well, that and the "real" installed version (under $prefix) are it for now, AFAIK. We're planning to include an LDAP-based back end in the 1.6 release. But if you want to write one up using Oracle or Postgres or MySQL or some such, I'm guessing there'd be some interest... currently the database plugin interface is considered internal and subject to change without warning in future releases. Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue
I am currently attempting to set up a kerberos primary server on a machine running CentOS4 to serve a WAN that I am working on. I've been using the Red Hat Enterprise Linux 4 Reference Guide (in .pdf format) to do so. It's served me far better than any of the other FAQs that I've used on previous failed attempts to get kerberos running on other systems. I have got the servers running with seemingly nothing wrong already. I used the example krb5.conf and kdc.conf files to create ones that parsed with no errors. I created a key database with no issues using the '/usr/kerberos...

CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue
I am currently attempting to set up a kerberos primary server on a machine running CentOS4 to serve a WAN that I am working on. I've been using the Red Hat Enterprise Linux 4 Reference Guide (in .pdf format) to do so. It's served me far better than any of the other FAQs that I've used on previous failed attempts to get kerberos running on other systems. I have got the servers running with seemingly nothing wrong already. I used the example krb5.conf and kdc.conf files to create ones that parsed with no errors. I created a key database with no issues using the '/usr/kerberos/sbin/kdb5_util create -s' command. I created kadm5.acl with appropriate administrators specified and added an administrator account with '/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"'. I started the three daemons, also with no issues with the following invocation: /sbin/service krb5kdc start /sbin/service kadmin start /sbin/service krb524 start I then used kinit, klist, and kdestroy to verify that under my account I could create, view, and destroy a ticket properly. So the next step is, I get all of the client software and dependencies installed on another machine on the network that I want to connect from using kerberos auth. That's all installed correctly on a Ubuntu 7.10 machine that I'm currently on. Next is to create a host principal for my Ubuntu machine stored on the KDC host. THIS is where I'm running into the issue. When...

CentOS attempting to set up Kerberos 5-tickets created & destroyed successfully, now an issue
I am currently attempting to set up a kerberos primary server on a machine running CentOS4 to serve a WAN that I am working on. I've been using the Red Hat Enterprise Linux 4 Reference Guide (in .pdf format) to do so. It's served me far better than any of the other FAQs that I've used on previous failed attempts to get kerberos running on other systems. I have got the servers running with seemingly nothing wrong already. I used the example krb5.conf and kdc.conf files to create ones that parsed with no errors. I created a key database with no issues using the '/us...

Re: MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2
On 11/09/2011 02:50 PM, Greg Hudson wrote: > On 11/09/2011 08:40 AM, Mark R Bannister wrote: > > This implies to me that Windows 2003 R2 has a bug. It ought to be ignoring bit > > 15 in a TGS-REQ, but this would not appear to be the case. > > The canonicalize bit is still meaningful for TGS requests; see section 8 > on server referrals. The text you quoted is about alias > canonicalization, not referrals to another realm. I'm not sure section 8 applies in this case, there should be no referral as there's only one realm in play here. > > However, what's the rationale for the change in behaviour to MIT Kerberos v5? > > Why is MIT Kerberos now setting KDC option bit 15 on a TGS-REQ for a changepw? > > Evidence shows that previous versions did not set this bit. > > Starting with version 1.6, we set the canonicalize bit on TGS requests > in order to support server referrals to other realms. In many error > cases, we fall back to a request without the canonicalize bit; there is > a bug in 1.9 and 1.9.1 (fixed in 1.9.2, which was issued very recently) > which reduces the number of cases where we make that fallback. I'm > guessing that bug is the source of your problems: > > http://krbdev.mit.edu/rt/Ticket/Display.html?id=6917&user=guest&pass=guest > > although the situation in your case seems to be more complicated. I've installed v1.9.2 from http://buildfarm.opencs...

Re: Re: MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2
On Mon 14/11/11 17:30 , Greg Hudson ghudson@MIT.EDU sent: > On 11/14/2011 11:49 AM, Greg Hudson wrote: > > I would expect 1.6.1 to send the TGS request with > the canonicalize bit> set. Can you look at the packet trace for 1.6.1 > (or post results if> you've already looked at it)? Perhaps there's a > difference there which> will explain the different outcome. > > Nevermind, I think I know why 1.6.1 succeeds and 1.9 fails. 1.6 > through1.8 have a workaround for this specific AD behavior (fall back to a > non-referral request if you get back a TGT to the same realm), and 1.9 > only has a workaround for a related but different behavior (fall back > ifyou get a non-TGT service name other than the requested service) > described in the same ticket (#4955). > > I am guessing that this version of AD is implementing the behavior > described in appendix A of the referrals draft. It wants to change the > client-visible server name, and the way it does so is by returning a > TGTto the same realm with a PA-SVR-REFERRAL-DATA entry in the encrypted > padata. > This should be easy enough to fix, since I have a test case in a local > AD realm. If you are in a position to test a patch, I can furnish one; > otherwise it should hit a 1.9 patch release at some point. Yes please Greg, happy to test a patch. Thanks, Mark. ...

[rfc-dist] RFC 6251 on Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
A new Request for Comments is now available in online RFC libraries. RFC 6251 Title: Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol Author: S. Josefsson Status: Informational Stream: IETF Date: May 2011 Mailbox: simon@josefsson.org Pages: 8 Characters: 17051 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-josefsson-kerberos5-starttls-09.txt URL: http://www.rfc-editor.org/rfc/rfc6251.txt This document specifies how the Kerberos V5 protocol can be transported over the Transport Layer Security (TLS) protocol in order to provide additional security features. This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Kerberos WG Working Group of the IETF. INFORMATIONAL: This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see http://www.ietf.org/mailman/listinfo/ietf-announce http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html. For downloading RFCs, see http://www.rfc-editor.org/rfc...

Kerberos failing pthreads assert when running in php+Apache2? (Mac OS X 10.4.5)
Hello, I've been using a port of phpkrb5 (PHP3/4) to PHP5 (http:// homepages.nyu.edu/~jcw9/phpkrb5php5.tar.gz ~12 K, run `phpize` to make all the Makefiles, etc.). This is *REALLY SIMPLE* code. One of Apple's most recent updates to Tiger seems to have caused Kerberos within the Apache2 context to fail a pthreads assertation. (However, applications using mod_auth_kerberos for HTTP Authentication are working fine still.) error.log: [Tue Mar 14 17:49:06 2006] [notice] child pid 24389 exit signal Abort trap (6) .../../../include/fake-addrinfo.h:687: failed assertion `pthread_equal((&(&krb5int_fac.lock)->os)->owner, pthread_self())' Apache is and has been using the prefork mpm, not the pthreads one. Disabling threads support in kerberos5 yields a different error message: ../../include/k5-thread.h:667: failed assertion `(&m->os)->initialized == K5_MUTEX_DEBUG_PARTLY_INITIALIZED' [Tue Mar 14 18:54:24 2006] [notice] child pid 8617 exit signal Abort trap (6) However, the same code executed within the standalone CLI PHP binary works fine. Perhaps the update broke pthreads? It worked before(tm). Is there someway I can change the source of phpkrb5 to work better within Apache2? -- Jonathan C. Williams Web Programmer Steinhardt School of Education jonathan.williams@nyu.edu :: 212-998-5308 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listin...

[rfc-dist] RFC 5021 on Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
A new Request for Comments is now available in online RFC libraries. RFC 5021 Title: Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP Author: S. Josefsson Status: Standards Track Date: August 2007 Mailbox: simon@josefsson.org Pages: 7 Characters: 13431 Updates: RFC4120 See-Also: I-D Tag: draft-ietf-krb-wg-tcp-expansion-02.txt URL: http://www.rfc-editor.org/rfc/rfc5021.txt This document describes an extensibility mechanism for the Kerberos V5 protocol when used over TCP transports. The mechanism uses the reserved high-bit in the length field. It can be used to negotiate TCP-specific Kerberos extensions. [STANDARDS TRACK] This document is a product of the Kerberos WG Working Group of the IETF. This is now a Proposed Standard Protocol. STANDARDS TRACK: This document specifies an Internet standards track protocol for the Internet community,and requests discussion and suggestions for improvements.Please refer to the current edition of the Internet Official Protocol Standards (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF list and the RFC-DIST list. Requests to be added to or deleted from the IETF distribution list should be sent to IETF...


FTP and Kerberos
Hi, I get the following Kerberos-related error when I do FTP from another machine (redhat 9.0) to my machine (redhat 9.0). How to solve this problem? Should I need to start/stop some daemons? Here is what happens when I do FTP!!!

--------->>>>>>>>> Here is it .....>>>>
Connected to 107.108.89.173.
220 localhost.localdomain FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: in...
