Help on Unix kerberos client->win2k3 kerberos KDC

Hello,

I am a newbie to Kerberos authentication, and what I am trying to do is to use a
Unix LDAP client to authenticate to the win2k3 server, and add a user to it.

The way I tried to do this is by following MIT's tutorial and sample code under
www.mit.edu/afs/athena/astaff/project/ldap/AD99/kerberossamp.txt, and I
configured the Unix machine based on the Microsoft tutorial
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

=========>
I can successfully import a tgt from win2k3 KDC server by running kinit, 
here is the result:

$ kdestroy
$ kinit
Password for mwang@SYSTEST.abc.COM: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_1023
Default principal: mwang@SYSTEST.abc.COM

Valid starting     Expires            Service principal
10/31/03 17:53:08  11/01/03 03:50:48  krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM
    renew until 11/01/03 17:53:08


Kerberos 4 ticket cache: /tmp/tkt1023
klist: You have no tickets cached

===========>
Then I tried to run the adduser program; I made a little change to the code to
set some default values. Here is the result: (New user account is: nweuser)
LDAP service name: ldap@bloomber-vy45cz.systest.abc.com
==> client_establish_context
Sending init_sec_context token (size=1254)...
==> send_token
<== send_token
continue needed...
==> recv_token
<== recv_token
<== recv_token
Received token (size=114)...
60 70 06 09 2a 86 48 86 f7 12 01 02 02 02 00 6f 
61 30 5f a0 03 02 01 05 a1 03 02 01 0f a2 53 30 
51 a0 03 02 01 01 a2 4a 04 48 07 91 af 30 09 98 
7f bb 18 dd c7 36 59 73 fb de df a3 dc cf e9 33 
83 01 a0 58 41 0c f6 1a fe b3 94 36 f1 ee a9 4b 
85 fb de ca 52 5a a5 d0 fc f8 f6 e8 fd 5e c2 8c 
f3 b9 df 49 38 45 cc 92 a2 c1 65 06 c1 60 44 8f 
6c 2f 
Sending init_sec_context token (size=0)...

==> send_token
<== send_token
<== client_establish_context
==> negotiate_security_options
==> recv_token
<== recv_token
<== recv_token
Received token (size=53)...
60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 
00 ff ff ff ff 5c 18 82 8e 8c a0 6c a0 0f 47 1f 
6c 01 5b d4 25 57 ec 73 3f 7a 52 fc 45 07 a0 00 
00 04 04 04 04 
Received security token level 7 size -6291456
Sending security token level 1 size -6291456
==> send_token
<== send_token
==> parse_bind_result
<== parse_bind_result
<== negotiate_security_options
ldap_gssapi_bind: Invalid credentials
$ klist
Ticket cache: FILE:/tmp/krb5cc_1023
Default principal: mwang@SYSTEST.abc.COM

Valid starting     Expires            Service principal
10/31/03 17:53:08  11/01/03 03:50:48  krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM
    renew until 11/01/03 17:53:08
10/31/03 17:50:55  11/01/03 03:50:48  ldap/bloomber-vy45cz.systest.abc.com@SYSTEST.abc.COM
    renew until 11/01/03 17:53:08


Kerberos 4 ticket cache: /tmp/tkt1023
klist: You have no tickets cached

==============>
I see from the result that I retrieved the service ticket from the ldap service.
But somehow, the authentication still failed.
The Received security token level 7 has a size -6291456, which is abnormal.
Does anyone know which step is wrong with the authentication?

Unfortunately I have no idea what is happening here!!

Any suggestion will be happily received.

Thanks a lot.

Sincerely, Howard



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

MWANG12 (1)
11/1/2003 12:04:39 AM
comp.protocols.kerberos
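
Added example (not part of the original post or of MIT's sample code): the 53-byte token in the trace is an RFC 1964 Wrap token sent unsealed, so the 4-byte SASL GSSAPI negotiation message (RFC 2222, later RFC 4752) can be read straight out of it. The function names are made up for this example, and reading the size octets through a signed `char` is an assumption about how the value was printed, chosen because it reproduces -6291456 exactly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The "Received token (size=53)" bytes from the trace above. */
static const uint8_t wrap_token[53] = {
    0x60,0x33,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x02,
    0x01,0x00,0x00,0xff,0xff,0xff,0xff,0x5c,0x18,0x82,0x8e,0x8c,0xa0,0x6c,
    0xa0,0x0f,0x47,0x1f,0x6c,0x01,0x5b,0xd4,0x25,0x57,0xec,0x73,0x3f,0x7a,
    0x52,0xfc,0x45,0x07,0xa0,0x00,0x00,0x04,0x04,0x04,0x04
};

/* DER encoding of OID 1.2.840.113554.1.2.2 (Kerberos 5 GSS-API mechanism). */
static const uint8_t krb5_oid[] =
    { 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02 };

struct sasl_layers { uint8_t mask; uint32_t max_size; };

/* Find the cleartext payload of an unsealed RFC 1964 Wrap token.
 * Returns the payload length with padding stripped, or -1 if the token is
 * malformed or uses algorithms this example does not handle. The checksum
 * is NOT verified here; that needs the session key. */
static int wrap_payload(const uint8_t *t, size_t len, const uint8_t **out)
{
    /* TOK_ID Wrap, SGN_ALG DES MAC MD5 (8-byte checksum), SEAL_ALG none, filler */
    static const uint8_t fixed[] = { 0x02,0x01, 0x00,0x00, 0xff,0xff, 0xff,0xff };
    const size_t hdr = 2 + sizeof krb5_oid;   /* 0x60, short-form length, OID */
    const size_t data_off = hdr + sizeof fixed + 8 + 8 + 8; /* seq, cksum, confounder */
    size_t dlen, pad, i;

    if (len <= data_off || len > 129) return -1;
    if (t[0] != 0x60 || t[1] != len - 2) return -1;
    if (memcmp(t + 2, krb5_oid, sizeof krb5_oid) != 0) return -1;
    if (memcmp(t + hdr, fixed, sizeof fixed) != 0) return -1;
    dlen = len - data_off;
    pad = t[len - 1];                         /* each pad octet holds the pad count */
    if (pad < 1 || pad > 8 || pad > dlen) return -1;
    for (i = 0; i < pad; i++)
        if (t[len - 1 - i] != pad) return -1;
    *out = t + data_off;
    return (int)(dlen - pad);
}

/* SASL GSSAPI negotiation message: octet 0 is a bit-mask of offered layers
 * (1 = none, 2 = integrity, 4 = confidentiality), octets 1-3 are the maximum
 * buffer size in network byte order. */
static int parse_layers(const uint8_t *p, int n, struct sasl_layers *o)
{
    if (n != 4) return -1;
    o->mask = p[0];
    o->max_size = ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return 0;
}

/* Assumption: the same three octets combined after sign extension, as happens
 * when the buffer is a plain char and char is signed on the platform. */
static int32_t size_via_signed_char(const uint8_t *p)
{
    uint32_t v = ((uint32_t)(int32_t)(int8_t)p[1] << 16)
               | ((uint32_t)(int32_t)(int8_t)p[2] << 8)
               |  (uint32_t)(int32_t)(int8_t)p[3];
    return (int32_t)v;
}

int main(void)
{
    const uint8_t *p;
    struct sasl_layers l;
    int n = wrap_payload(wrap_token, sizeof wrap_token, &p);

    if (n < 0 || parse_layers(p, n, &l) != 0) return 1;
    printf("layers offered: 0x%02x\n", l.mask);
    printf("max buffer (unsigned octets): %lu\n", (unsigned long)l.max_size);
    printf("max buffer (signed char):     %d\n", (int)size_via_signed_char(p));
    return 0;
}
```

The octets the server sent are `07 a0 00 00`: all three layers offered, with a maximum buffer of 0xa00000 bytes.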
