Kadmin GSS-API Error

Hello,

I am testing MIT Kerberos 1.3.4 now. The KDC is still on version
1.2.8. I got a GSS-API error when I tried to use the kadmin client from
1.3.4 talking to the 1.2.8 server.

Here is the error:

/opt/sbin/kadmin -p admabcd/admin
Couldn't open log file /var/log/kadmind.log.20040917: Permission denied
Authenticating as principal admabcd/admin with password.
Password for admabcd/admin@LANGUAGE.UMICH.EDU:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

I could not find logs related to this on the KDC.
I guess I could ignore the "Couldn't open log" error, but I do not
understand the GSS-API error.

If I used the kadmin from the 1.2.8 on the same client machine, I am
connecting OK, no errors appear.

Should the kadmin and kadmind be the same version?

Can someone help with this?

Thanks in advance,


*=======================================*
*	Lynn Zhang             	        *
*	LS&A System Services Team       *
*	lyzhang@umich.edu               *
*=======================================*
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
lyzhang (4)
9/17/2004 12:25:39 PM

Should the kadmin from 1.3.4 talk to kadmind from 1.2.8? Or may I ignore
the error, just upgrade the KDC first, then the client, so the kadmin
client and server will be the same version?

On Fri, 17 Sep 2004, Lynn Zhang wrote:

>
> Hello,
>
> I am testing the  MIT kerberos 1.3.4 now. The KDC is still on version
> 1.2.8. I got a GSS-API error when I tried to use the kadmin client from
> the 1.3.4 talking to the 1.2.8 server.
>
> here is the error,
>
> /opt/sbin/kadmin -p admabcd/admin
> Couldn't open log file /var/log/kadmind.log.20040917: Permission denied
> Authenticating as principal admabcd/admin with password.
> Password for admabcd/admin@LANGUAGE.UMICH.EDU:
> kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
>
> I could not find logs related to this on the KDC.
> I guess I could ignore the "Couldn't open log" error, but I do not
> understand the GSS-API error.
>
> If I used the kadmin from the 1.2.8 on the same client machine, I am
> connecting OK, no errors appear.
>
> Should the kadmin and kadmind be the same version?
>
> Can some one help on this?
>
> Thanks in advance,
>
>
> *=======================================*
> *	Lynn Zhang             	        *
> *	LS&A System Services Team       *
> *	lyzhang@umich.edu               *
> *=======================================*
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>





0
lyzhang (4)
9/17/2004 5:48:03 PM
>>>>> "Lynn" == Lynn Zhang <lyzhang@umich.edu> writes:

    Lynn> Should the kadmin form 1.3.4 talks to kadmind from 1.2.8? 

Yes.

0
hartmans (370)
9/17/2004 7:31:35 PM
>>>>> "lyzhang" == Lynn Zhang <lyzhang@umich.edu> writes:

lyzhang> Should the kadmin form 1.3.4 talks to kadmind from 1.2.8? Or
lyzhang> I may ignore the error, just upgrade the KDC first, then the
lyzhang> client, so the kadmin client and server will be the same
lyzhang> version.

The kadmin client from 1.3.4 should be able to talk to the kadmind
from 1.2.8.  If it can't, it could be a bug.

---Tom

0
tlyu (271)
9/17/2004 7:32:13 PM
On Fri, 17 Sep 2004, Tom Yu wrote:

> >>>>> "lyzhang" == Lynn Zhang <lyzhang@umich.edu> writes:

>
> lyzhang> Should the kadmin form 1.3.4 talks to kadmind from 1.2.8? Or
> lyzhang> I may ignore the error, just upgrade the KDC first, then the
> lyzhang> client, so the kadmin client and server will be the same
> lyzhang> version.
>
> The kadmin client from 1.3.4 should be able to talk to the kadmind
> from 1.2.8.  If it can't, it could be a bug.
>
> ---Tom
>

That's what I hope, because from the same machine I can use
kadmin (which is from 1.2.8, the same version as the KDC) to
contact the same KDC without a problem. The client's and the KDC's environments
are not changed, except that the kadmin version is different.


I would like to get more useful error messages; maybe in the future I could do
something like "kadmind -D" or "kadmin -D".
Next is the output of the snoop command; I hope you can find some
hints in it.

Using device /dev/eri (non promiscuous)

hyp is the client machine, fly is the KDC.

Thanks so much,
Lynn

The next one gets the "GSS-API (or Kerberos) error while initializing
kadmin interface":

hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Syn Seq=3893305037 Len=0 Win=32850 Options=<nop,wscale 1,nop,nop,tstamp 63001 0,nop,nop,sackOK,mss 1460>
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu TCP D=32876 S=749 Syn Ack=3893305038 Seq=1319902512 Len=0 Win=33304 Options=<nop,nop,tstamp 694866642 63001,nop,wscale 1,nop,nop,sackOK,mss 1460>
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Ack=1319902513 Seq=3893305038 Len=0 Win=33304 Options=<nop,nop,tstamp 63001 694866642>
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu RPC C XID=1095061077 PROG=2112 (?) VERS=2 PROC=1
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu TCP D=32876 S=749 Ack=3893305594 Seq=1319902513 Len=0 Win=33304 Options=<nop,nop,tstamp 694866647 63006>
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu RPC R (#11) XID=1095061077 Success
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Ack=1319902733 Seq=3893305594 Len=0 Win=33304 Options=<nop,nop,tstamp 63008 694866649>
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu RPC C XID=1095061076 PROG=2112 (?) VERS=2 PROC=13
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu RPC R (#15) XID=1095061076
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Ack=1319902885 Seq=3893305778 Len=0 Win=33304 Options=<nop,nop,tstamp 63019 694866649>


This one connects OK:

hyp.language.umich.edu -> fly.language.umich.edu TCP D=749 S=32876 Syn Seq=3893305037 Len=0 Win=32850 Options=<nop,wscale 1,nop,nop,tstamp 63001 0,nop,nop,sackOK,mss 1460>
fly.language.umich.edu -> hyp.language.umich.edu TCP D=32876 S=749 Syn Ack=3893305038 Seq=1319902512 Len=0 Win=33304 Options=<nop,nop,tstamp 694866642 63001,nop,wscale 1,nop,nop,sackOK,mss 1460>
hyp.language.umich.edu -> fly.language.umich.edu TCP D=749 S=32876 Ack=1319902513 Seq=3893305038 Len=0 Win=33304 Options=<nop,nop,tstamp 63001 694866642>
hyp.language.umich.edu -> fly.language.umich.edu RPC C XID=1095061077 PROG=2112 (?) VERS=2 PROC=1
fly.language.umich.edu -> hyp.language.umich.edu TCP D=32876 S=749 Ack=3893305594 Seq=1319902513 Len=0 Win=33304 Options=<nop,nop,tstamp 694866647 63006>
fly.language.umich.edu -> hyp.language.umich.edu RPC R (#11) XID=1095061077 Success
hyp.language.umich.edu -> fly.language.umich.edu TCP D=749 S=32876 Ack=1319902733 Seq=3893305594 Len=0 Win=33304 Options=<nop,nop,tstamp 63008 694866649>
hyp.language.umich.edu -> fly.language.umich.edu RPC C XID=1095061076 PROG=2112 (?) VERS=2 PROC=13
fly.language.umich.edu -> hyp.language.umich.edu RPC R (#15) XID=1095061076
hyp.language.umich.edu -> fly.language.umich.edu TCP D=749 S=32876 Ack=1319902885 Seq=3893305778 Len=0 Win=33304 Options=<nop,nop,tstamp 63019 694866649>





0
lyzhang (4)
9/17/2004 8:51:12 PM
I still need to examine the trace in detail, but did you notice
whether there was a ticket request processed by the KDC in both cases?

---Tom

0
tlyu (271)
9/17/2004 8:55:37 PM
On Fri, 17 Sep 2004, Tom Yu wrote:

> I still need to examine the trace in detail, but did you notice
> whether there was a ticket request processed by the KDC in both cases?
>
> ---Tom
>

The kadmin from 1.2.8 wrote information to the log:
Sep 17 17:02:47 Request: kadm5_init, admabcd/admin@LAUGUAGE.UMICH.EDU, success, client=admabcd/admin@LSA.UMICH.EDU, service=kadmin/admin@LAUGUAGE.UMICH.EDU, addr=141.211.X.X


The one from 1.3.4 did not write any information to the log.



0
lyzhang (4)
9/17/2004 9:31:56 PM
>>>>> "lyzhang" == Lynn Zhang <lyzhang@umich.edu> writes:

lyzhang> The kadmin from 1.2.8 wrote information to the log,
lyzhang> Sep 17 17:02:47 Request: kadm5_init, admabcd/admin@LAUGUAGE.UMICH.EDU,
lyzhang> success,
lyzhang> client=admabcd/admin@LSA.UMICH.EDU, service=kadmin/admin@LAUGUAGE.UMICH.EDU,
lyzhang> addr=141.211.X.X

lyzhang> The one from 1.3.4 did not write any information to the log.

Interesting.  Did you see any logs from krb5kdc for an AS_REQ from the
1.3.4 client that failed?  I assume you see an AS_REQ logged from the
1.2.8 client.

---Tom

0
tlyu (271)
9/17/2004 9:47:38 PM
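Tom's two questions to the thread (was a ticket request processed by the KDC, and did the kadm5_init request reach kadmind?) can both be read off the snoop summary lines Lynn posted. The script below is an added example, not code from the thread or from MIT krb5: it parses snoop's one-line-per-packet summary format as quoted above, reports whether any packet touched the KDC port (88) alongside the kadmind port (749), and pairs each kadmin RPC call with its reply by XID. The procedure names it attaches to PROC 1 and PROC 13 are my reading of MIT's auth_gssapi.h and kadm_rpc.x (an assumption; the thread only shows the numbers). The first sample is the failing session from the thread joined to one packet per line; the second is a constructed variant that adds a UDP exchange on port 88 to show what a session with a visible ticket request would summarize as.

```python
"""Summarize a snoop summary-mode trace of a kadmin session.

Added example, not from the thread. It answers the question asked there: does
the capture show a ticket request to the KDC (port 88) in addition to the
kadmin RPC exchange on port 749, and which kadmin RPC calls got a reply?
"""
import re
from typing import Dict, List

KDC_PORT = 88      # krb5 AS_REQ / TGS_REQ (UDP or TCP)
KADMIN_PORT = 749  # kadmind RPC, the D=749 in the thread's trace

# Procedure names are my reading of MIT krb5 sources, not something the thread
# states: PROC 1 is AUTH_GSSAPI_INIT (auth_gssapi.h, the GSS-API context
# handshake) and PROC 13 is the kadm5 INIT call (kadm_rpc.x), which kadmind
# logs as "Request: kadm5_init".
PROC_NAMES = {1: "AUTH_GSSAPI_INIT", 13: "KADM5_INIT"}

# snoop summary lines: "<src> -> <dst> TCP D=<port> S=<port> ..." for transport
# packets, "<src> -> <dst> RPC C XID=... PROG=... PROC=..." for RPC calls and
# "<src> -> <dst> RPC R (#n) XID=... [Success]" for RPC replies.
TRANSPORT_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<proto>TCP|UDP) D=(?P<dport>\d+) S=(?P<sport>\d+)")
RPC_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) RPC (?P<kind>[CR]) .*?XID=(?P<xid>\d+)"
    r"(?: PROG=(?P<prog>\d+).*?PROC=(?P<proc>\d+))?(?P<rest>.*)$")

# The failing session from the thread, joined to one packet per line.
TRACE_FROM_THREAD = """\
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Syn Seq=3893305037 Len=0 Win=32850 Options=<nop,wscale 1,nop,nop,tstamp 63001 0,nop,nop,sackOK,mss 1460>
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu TCP D=32876 S=749 Syn Ack=3893305038 Seq=1319902512 Len=0 Win=33304 Options=<nop,nop,tstamp 694866642 63001,nop,wscale 1,nop,nop,sackOK,mss 1460>
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Ack=1319902513 Seq=3893305038 Len=0 Win=33304 Options=<nop,nop,tstamp 63001 694866642>
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu RPC C XID=1095061077 PROG=2112 (?) VERS=2 PROC=1
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu TCP D=32876 S=749 Ack=3893305594 Seq=1319902513 Len=0 Win=33304 Options=<nop,nop,tstamp 694866647 63006>
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu RPC R (#11) XID=1095061077 Success
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Ack=1319902733 Seq=3893305594 Len=0 Win=33304 Options=<nop,nop,tstamp 63008 694866649>
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu RPC C XID=1095061076 PROG=2112 (?) VERS=2 PROC=13
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu RPC R (#15) XID=1095061076
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu TCP D=749 S=32876 Ack=1319902885 Seq=3893305778 Len=0 Win=33304 Options=<nop,nop,tstamp 63019 694866649>
"""

# Constructed variant (not a real capture): the same session preceded by a UDP
# exchange with the KDC on port 88, the shape an AS_REQ/AS_REP pair would have.
TRACE_WITH_TICKET_REQUEST = """\
hypatia.lsait.lsa.umich.edu -> fleming.lsa.umich.edu UDP D=88 S=33012 LEN=270
fleming.lsa.umich.edu -> hypatia.lsait.lsa.umich.edu UDP D=33012 S=88 LEN=612
""" + TRACE_FROM_THREAD


def parse_trace(text: str) -> List[Dict]:
    """Turn snoop summary lines into dicts; unrecognised lines are kept as 'other'."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RPC_RE.match(line)
        if m:
            packets.append({
                "type": "rpc", "src": m["src"], "dst": m["dst"],
                "kind": "call" if m["kind"] == "C" else "reply",
                "xid": int(m["xid"]),
                "proc": int(m["proc"]) if m["proc"] else None,
                "status": m["rest"].strip() or None,  # e.g. "Success" on a reply
            })
            continue
        m = TRANSPORT_RE.match(line)
        if m:
            packets.append({
                "type": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "sport": int(m["sport"]),
            })
            continue
        packets.append({"type": "other", "text": line})
    return packets


def summarize(packets: List[Dict]) -> Dict:
    """Was the KDC contacted, and how did each kadmin RPC call fare?"""
    service_ports = set()
    for p in packets:
        if p["type"] in ("tcp", "udp"):
            service_ports |= {p["dport"], p["sport"]} & {KDC_PORT, KADMIN_PORT}
    replies = {p["xid"]: p for p in packets
               if p["type"] == "rpc" and p["kind"] == "reply"}
    rpc_calls = []
    for p in packets:
        if p["type"] == "rpc" and p["kind"] == "call":
            reply = replies.get(p["xid"])  # pair call and reply by XID
            rpc_calls.append({
                "xid": p["xid"], "proc": p["proc"],
                "name": PROC_NAMES.get(p["proc"], "proc %s" % p["proc"]),
                "answered": reply is not None,
                "reply": reply["status"] if reply else None,
            })
    return {
        "ticket_request_seen": KDC_PORT in service_ports,
        "kadmin_seen": KADMIN_PORT in service_ports,
        "rpc_calls": rpc_calls,
    }


def report(title: str, text: str) -> None:
    s = summarize(parse_trace(text))
    print(title)
    print("  kadmind (749) traffic seen:     ", s["kadmin_seen"])
    print("  KDC (88) ticket request seen:   ", s["ticket_request_seen"])
    for c in s["rpc_calls"]:
        status = (c["reply"] or "(no status decoded)") if c["answered"] else "no reply"
        print("  RPC XID=%d %-16s -> %s" % (c["xid"], c["name"], status))


if __name__ == "__main__":
    report("Failing session from the thread:", TRACE_FROM_THREAD)
    report("Constructed session with a KDC exchange:", TRACE_WITH_TICKET_REQUEST)
```

Run against the thread's trace, the summary is: port 749 traffic only, no packet to or from port 88, the AUTH_GSSAPI_INIT call answered with "Success", and the KADM5_INIT call answered without a decoded status. That is consistent with Lynn's later observation that the 1.3.4 session left no kadm5_init line in kadmind's log, and it narrows the question to whether the capture was filtered to port 749 (in which case an AS_REQ could have gone unrecorded) or whether the 1.3.4 client never asked the KDC for a kadmin/admin ticket at all. Note that the two traces Lynn posted carry identical sequence numbers and XIDs, so this script gives the same summary for both.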
Reply:

Similar Artilces:

Kadmin error: "kadmin: GSS-API (or Kerberos) error while initializing kadmin interface"
Hi There, I'm setting up a test kerberos/afs realm and I'm having a problem with kadmin. kadmin and kadmin.local run fine from the kdc, but kadmin gives the folloowing error when run from another machine: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface The krbadm log shows no output, but kadmin.log on the kdc shows the following: Oct 11 23:15:02 kdc1 kadmind[3821](Notice): Request: kadm5_init, coeadmin/admin@MYREALM.COM, success, client=coeadmin/admin@MYREALM.COM, service=kadmin/admin@MYREALM.COM, addr=x.x.x.191, flavor=300001 I can kinit and everything else from the client, I just can't run kadmin. both client and server are RHEL4 with MIT krb5-1.5.1. compiled from source. I get the same error using RedHat's kadmin and the source-compiled one. kdc1 is the server and as1 is the client # on kdc kadmin: listprincs K/M@MYREALM.COM coeadmin/admin@MYREALM.COM host/as1.myrealm.com@MYREALM.COM host/kdc1.myrealm.com@MYREALM.COM kadmin/admin@MYREALM.COM kadmin/kdc1.myrealm.com@MYREALM.COM kadmin/changepw@MYREALM.COM kadmin/history@MYREALM.COM krbtgt/MYREALM.COM@MYREALM.COM I had fixed a previous error about not having kadmin/kdc.myrealm.com in the DB by adding the service principal. Now I have no errors in any of the logs, just an error on the console when I run kadmin What am I missing? Jason Edgecombe Solaris & Linux Administrator Mosaic Computing Group, College of Engineering UNC-Charlotte Phone: (704) 687-3514 ______________...

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Hi We have run into problems running kadmin from one host. Error is kadmin: GSS-API (or Kerberos) error while initializing kadmin interface krb version 1.4 linux kernel version 2.4.21 Another host on the same subnet can connect (as well as lots of hosts from different subnets) and we see the reply from port 749 on the kadmind server at the interface of the host with the GSS-API error. Any ideas. Cheers Matt ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

kadmin: GSS-API (or Kerberos) error while initializing kadmin interface #2
Hi, Can somebody tell me why I can't use kadmin remotely? I can start kadmin on the kdc server by using "kadmin -O". But when I tried to use /usr/kerberos/sbin/kadmin from a client machine to visit the kerberos database, the error as the email title occured. [root@gcnode029 sbin]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@test.com Valid starting Expires Service principal 07/20/06 17:54:02 07/21/06 17:54:00 krbtgt/test.com@test.com Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached [root@gcnode029 sbin]# kadmin admin/admin Authenticating as principal <mailto:admin/admin@test.com> admin/admin@test.com with password. Password for <mailto:admin/admin@test.com> admin/admin@test.com: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface Thank you for any help! -- LiZhong ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Re: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
Hi there, That problem may be fixed by "sync"ing the time of the server and client machines, before running kadmin. cheers, Nima D. Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail at http://mrd.mail.yahoo.com/try_beta?.intl=ca ...

Re: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface #2
Hi there, That problem may be fixed by "sync"ing the time of the server and client machines, before running kadmin. cheers, Nima D. Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail at http://mrd.mail.yahoo.com/try_beta?.intl=ca ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

kadmin: GSS-API (or Kerberos) error
Hi Guys, This is my first email to this mailing list. I've encountered some issue with my kerberos implementation. I've already setup my kdc and i'm able to kinit and klist my tickets. The only problem left is that i'm unable to execute kadmin in remote client. Whenever i try to do that the following errors popped up. kadmin: GSS-API (or Kerberos) error while initializing kadmin interface I'm actually connecting from my client pc bar.intra.foobar.com to foo.intra.foobar.com(kdc) my current krb5.conf is [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = INTRA.FOOBAR.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] INTRA.FOOBAR.COM = { kdc = kerberos1.intra.foobar.com:88 admin_server = kerberos1.intra.foobar.com:749 default_domain = intra.foobar.com } [domain_realm] .intra.foobar.com = INTRA.FOOBAR.COM intra.foobar.com = INTRA.FOOBAR.COM [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } *** NOTE *** kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com my current kadm5.keytab is slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 8 kadmin/admin@INTRA.FOOB...

kadmin: GSS-API (or Kerberos) error #2
Hi Guys, This is my first email to this mailing list. I've encountered some issue with my kerberos implementation. I've already setup my kdc and i'm able to kinit and klist my tickets. The only problem left is that i'm unable to execute kadmin in remote client. Whenever i try to do that the following errors popped up. kadmin: GSS-API (or Kerberos) error while initializing kadmin interface I'm actually connecting from my client pc bar.intra.foobar.com to foo.intra.foobar.com(kdc) my current krb5.conf is [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = INTRA.FOOBAR.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes [realms] INTRA.FOOBAR.COM = { kdc = kerberos1.intra.foobar.com:88 admin_server = kerberos1.intra.foobar.com:749 default_domain = intra.foobar.com } [domain_realm] .intra.foobar.com = INTRA.FOOBAR.COM intra.foobar.com = INTRA.FOOBAR.COM [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } *** NOTE *** kerberos1.intra.foobar.com is actually an alias to foo.intra.foobar.com my current kadm5.keytab is slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 8 kadmin/admin@INTRA.FOOB...

GSS-API (or Kerberos) error while initializing kadmin interface
I am seeing the below error while connecting to KDC from remote client. Did any one experience this error and resolve ? [root@blr11~]# kadmin Authenticating as principal root/admin@IPS.COM with password. Password for root/admin@IPS.COM: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface [root@blr11~]# On Tuesday, 17 December 2013 10:35:19 UTC, Suresh Tirumalasetti wrote: > I am seeing the below error while connecting to KDC from remote client. > > > > Did any one experience this error and resolve ? > > > > [root@blr11~]# kadmin > > Authenticating as principal root/admin@IPS.COM with password. > > Password for root/admin@IPS.COM: > > kadmin: GSS-API (or Kerberos) error while initializing kadmin interface > > [root@blr11~]# the following correctly identified the issue for me http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml .... out of sync clocks. ...

SNC
Hello Gurus , I am trying to get SNC (SSO) on the SAPGUI working after migrating from Windows 2008 / Oracle to the Linux RHEL 6.4 /Sybase . Currently we are testing on the target LINUX [RHEL 6.4 ] server, against a Windows AD domain. The OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO. Kinit works fine with the Linux server getting authenticated at the Windows AD [via root] <h2>Kinit via sbqadm</h2> orsapbisbx01:sbqadm 51> kinit -V -k SBQADM/<hostname.mydomain.com...

GSS-API error: No Kerberos SSPI credentials available
Hello Juan, did you find as solution to the problem below? It's the one you mentioned in your post to the kerberos mailing list a while ago - I cite you here: I have implemented an SSO solution with kerberos5, SNC, Active Directory 2K3 with SAP(Unix Server). It Works fine, but I found an error in some clients that I want to investigate. Some days, in the morning (note: users don't close the windows sessions at the end of work-day, they block-out their computers), when users try to connect to SAP, they receive the following client error (in the SAP client log): ************************************************** Sapgui 620 [Build 8966] Wed Feb 16 10:03:14 2005: 'GSS-API(maj): No valid credentials provided (or available) GSS-API(min): No Kerberos SSPI credentials available for requested nam name="p:user at SITE.DOMAIN.COM" Component SNC (Secure Network Communication) Release 620 Version 5 Module sncxxall.c Line 1223 Method SncPAcquireCred Return Code -4 System Call gss_acquire_cred Counter 4 ************************************************** or this one: ************************************************** Sapgui 620 [Build 8966] Tue Feb 15 10:21:59 2005 : 'SNCERR_GSSAPI An operation failed at the GSS-API level sec_avail="false" Component SNC (Secure Network Communication) Release 620 Version 5 Module sncxx.c Method SncInit Return Code -4 Counter 2 ************************************************** The problem ends if the user ...

AW: GSS-API error: No Kerberos SSPI credentials available
Hi, yes, SSO works well for me. Some colleague is experiencing that error message. You are right, SAP uses an AD account, which is then exported to a keytab using ktpass. Which gives an entry like you said: <service>/f.q.d.n@REALM where REALM = AD domain in uppercase (in Windows). Best regards Calin -----Urspr�ngliche Nachricht----- Von: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] Im Auftrag von Sensei Gesendet: Dienstag, 29. November 2005 20:49 An: kerberos@MIT.EDU Betreff: Re: GSS-API error: No Kerberos SSPI credentials available On 2005-11-29 09:35:05 +0100, c.barbat@osram.de ("Barbat, Calin") said: > Hello Juan, > > did you find as solution to the problem below? It's the one you > mentioned in your post to the kerberos mailing list a while ago - I > cite you here: > > I have implemented an SSO solution with kerberos5, SNC, Active > Directory 2K3 with SAP(Unix Server). It Works fine, but I found an > error in some clients that I want to investigate. > > Some days, in the morning (note: users don't close the windows > sessions at the end of work-day, they block-out their computers), when > users try to connect to SAP, they receive the following client error > (in the SAP client log): I do not know SAP, I use other softwares, but I give my 2 cents, it might help you. Does SAP need principals in the keytab file like host/hostname@REALM service/hostname@REALM (like ldap/ldap.m...

GSS-API
Hello, Is there any method of "extracting" the Kerberos key from a GSS ticket? Microsoft sends the Kerberos ticket (SPNEGO over http) using the GSS methods. If one attempts to handle the internal Kerberos ticket information (such as the case of the PAC data) he will have to use the Kerberos ticket. Any idea? Any explicit function I've missed ? such as gss_extract_krb5_ticket()..? Eitan. > Hello, > > Is there any method of "extracting" the Kerberos key from a GSS ticket? > > Microsoft sends the Kerberos ticket (SPNEGO over http) using the GSS > methods. If one attempts to handle the internal Kerberos ticket > information (such as the case of the PAC data) he will have to use the > Kerberos ticket. > > Any idea? > Any explicit function I've missed ? such as > gss_extract_krb5_ticket()..? In 1.4 MIT added gss_krb5_export_lucid_sec_context() to obtain information from the negotiated context. (This is a mechanism- specific routine currently available only in the MIT distribution AFAIK.) Is this close to what you are looking for? K.C. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos --===============55702843351696818== Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-ezZXZy8yNP9A71OyCZn2" --=-ezZXZy8yNP9A71OyCZn2 Content-Type: text/p...

Kerberos / GSS-API for SCTP
Hello, I am looking into GSS-API as a protection mechanism for SCTP connections. SCTP connects multiple independent streams at once, and can decide on in-order or out-of-order delivery on a per-frame basis. SCTP has reliable delivery by default. I found that the Kerberos mechanism for GSS-API includes a sequence number that is incremented with each wrapped or MIC�d message. I assume that the receiving side would verify that sequence number, and drop any thing too old, and perhaps also anything too new. This would mean that Kerberos over GSS-API enforces a strict ordering, and is thus...

[rfc-dist] RFC 5179 on Generic Security Service Application Program Interface (GSS-API) Domain-Based Service Names Mapping for the Kerberos V GSS Mechanism
A new Request for Comments is now available in online RFC libraries. RFC 5179 Title: Generic Security Service Application Program Interface (GSS-API) Domain-Based Service Names Mapping for the Kerberos V GSS Mechanism Author: N. Williams Status: Standards Track Date: May 2008 Mailbox: Nicolas.Williams@sun.com Pages: 5 Characters: 8017 Updates/Obsoletes/SeeAlso: None I-D Tag: draft-ietf-kitten-krb5-gssapi-domain-based-names-05.txt URL: http://www.rfc-editor.org/rfc/rfc5179.txt This document describes the mapping of Generic Security Service Application Program Interface (GSS-API) domain-name-based service principal names onto Kerberos V principal names. [STANDARDS TRACK] This document is a product of the Kitten (GSS-API Next Generation) Working Group of the IETF. This is now a Proposed Standard Protocol. STANDARDS TRACK: This document specifies an Internet standards track protocol for the Internet community,and requests discussion and suggestions for improvements. Please refer to the current edition of the Internet Official Protocol Standards (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This announcement is sent to the IETF list and the RFC-DIST list. Requests to be added to or deleted from t...

GSS-API/Kerberos v5 Authentication
Hi, I try to run the example from http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html The login on Kerberos succeeds and i get this ticket: Principal: user@MY-DOMAIN.ORG Private Authentisierung: Ticket (hex) = 0000: 61 81 EF 30 81 EC A0 03 02 01 05 A1 0F 1B 0D 4D a..0...........M 0010: 49 4E 44 4D 41 54 49 43 53 2E 44 45 A2 22 30 20 Y-DOMAIN.ORG."0 0020: A0 03 02 01 00 A1 19 30 17 1B 06 6B 72 62 74 67 ........0...krbtg 0030: 74 1B 0D 4D 49 4E 44 4D 41 54 49 43 53 2E 44 45 t..MY-DOMAIN.ORG 0040: A3 81 AF 30 81 AC A0 03 02 01 10 A1 03 02...

SSH1 - gss-api - kerberos
Hello, I am trying to develop a Java SSH client targeting a version of Kerberised SSH1 server talking GSS-API. Does anybody know of anybody else dealing with this scenario? Is there a place I can find SSH1 Java API that support communication using GSS-API? Any help in this regard is much appreciated. thanks Ranga Samudrala ...

Java GSS-API and kerberos Service Tickets
Can someone please tell me what should be the correct behaviour of Java GSS API if get the service token for Service Principal 1 ( SPN1) and on server accept it using Service Principal 2( SPN2) where both service principal are mapped to single user account in KDC( windows 2003). I am using windows 2003 as KDC and both SPN1 & SPN2 are registered in single user account. for example, if my user account is websvr then i run following command setspn to set these SPN's to websvr account. setSPN -A HTTP/SPN1@MyRealm websvr setSPN -A HTTP/SPN2@MyRealm websvr I have also mapped SPN1 as primary SPN using ktpass mapuser. In my Java Client program, i request the service ticket for HTTP/SPN2@MyRealm and pass it to Java Server code. On Server side, i have following kerberos config file com.sun.security.jgss.accept { com.sun.security.auth.module.Krb5LoginModule required isInitiator=false storeKey=true doNotPrompt=true useKeyTab=true keyTab="c://websvrKeys.keytab" principal="HTTP/SPN1@MyRealm" realm="MyRealm" debug=true; }; Please note that i am using JDK5 and i cant upgrade to JDK6 so i cant use isInitiator flag to false to avoid contact with KDC for authentication. Is this Principal Name is mandatory attribute here ? Since HTTP/SPN1 is my primary SPN and JDK5 GSS first perform the authentication in KDC so i cant use HTTP/SPN2 as principal in kerberos config file. I am seeing following behaviour. 1) Java GSS Server code i...

Kerberos- GSS-API C code issues
Hi, I have written an GSSAPI server application and the kerberos is MIT V5. When I run my application on the sun solaris I get the following message I have checked that the kerberos is running or not, and I see that kerberos is running fine. This code is written in C =20 Please find the below message after running the GSS API testserver. =20 Undefined first referenced symbol in file gss_display_status testserver.o gss_import_name testserver.o gss_release_oid testserver.o GSS_C_NT_HOSTBASED_SERVICE testserver.o __gss_oid_to_mech testserver.o gss_accept_sec_context testserver.o gss_unwrap testserver.o gss_delete_sec_context testserver.o gss_release_buffer testserver.o gss_oid_to_str testserver.o gss_str_to_oid testserver.o gss_display_name testserver.o gss_get_mic testserver.o gss_acquire_cred testserver.o gss_release_name testserver.o ld: fatal: Symbol referencing errors. No output written to a.out =20 I would greatly appreciate if anyone can help me solve this issue. =20 regards Vilas ...

GSS-API error deleting large number of principals
Hi, I have a perl program that uses *Auth::Krb5::Admin* to talk to the KDC for admin functions. In particular, to add or delete principals. It almost always works perfectly. However, now I find that if I try to delete a large number of principals, even with a delay of 1 second between each delete, I occasionally get a return code of 46 from the KDC, which corresponds to error message "GSS-API (or Kerberos) error". In the KDC logs, I see the following: check_rpcsec_auth: failed inquire_context, stat=786432 Authentication attempt failed: 169.229.248.136, GSS-API error strings are: The referenced context has expired Unknown error GSS-API error strings complete. authentication attempt failed: 169.229.248.136, RPC authentication flavor 6 This has been happening only when I've been deleting over about 3500 principals. Most of the time, and even with as many as 3300 principals, the problem hasn't occurred. I should say the the code establishes a new kadmin connection and obtains a new Kerberos context, for each transaction, using the connection handle as the basis for object references that correspond to the admin function, in this case delete_principal. After each transaction succeeds or fails, the Kerberos context is dropped. Does the above ring any bells? What conditions might cause this problem? Thanks. Mike -- Mike Friedman mikef@berkeley.edu http://mikefber...

Re: Java GSS-API and kerberos Service Tickets
To give some background of my application, i am developing web application which will support Kerberos SSO on windows platform. It means that if some user logs in to Windows Client Machine and opens my application then my application will not throw any login screen . It will use Logged-in user credentials to login to my system. >From browser perspective, i am using SPNEGO support to get Kerberos ticket. My Web application can be deployed in reverseProxy or load balanced environments. In addition to that, there is a requirment to support kerberos login even if some end user tries to access internal app server directly i.e. by passing proxy. For example, i have deployed my appllication on node01.mydomain.com and revese proxy url is myapp.mydomain.com. So basically user can use both url to access my application. URL1 : myapp.mydomain.com ( Reverse Proxy ) URL2: node01.mydomain.com ( actual app server ) SInce i am using browser SPNEGO support so browser takes care of creating SPN to get Service Ticket from KDC. For example, if enduser opens URL1 ( myapp.mydomain.com ) then browser create SPN like below: HTTP/myapp.mydomain.com@MYDOMAIN.COM However, if enduser access intenal server URL2 ( node01.mydomain.com ) then browser create SPN like below: HTTP/node01mydomain.com@MYDOMAIN.COM I could register both these service in different accounts in Windows KDC. however, to make things simpler i tried putting all services in same account. However, irrespective of how i crea...

Kerberos GSS-API library for UNIX (running SAP)
This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------=_NextPartTM-000-d3bd5f00-e1ba-4d22-875d-7fca5d588dcc Content-Type: text/plain Hello - I am on the SAP Basis Team at Bose Corporation, and we are looking to implement SAP's SNC solution between SAP servers, across interfaces, and even within a Single Sign On solution for our end users (integrating with SAP GUI). I have seen some literature which indicates that this is available for SAP systems which run on Win2K. However, one mentioned the following, which indicated that we may be able to obtain a GSS-API library for UNIX (HP-UX) hosts: To use SSO with application servers on Unix and Windows 2000 front ends with gsskrb5.dll, you might have to purchase a Kerberos implementation for the Unix machine(s). Do you know if and/or where this is available for HP-UX? Additionally, any standard documentation you have related to the kerberos GSS-API library and it's compatibility with SAP would be appreciated. Please advise. Thanks, Michael Michael Harding SAP Competency Center Bose Corporation (508) 766-8762 ------=_NextPartTM-000-d3bd5f00-e1ba-4d22-875d-7fca5d588dcc Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ----...

SSPI/GSS-API : mech_dh: Invalid or unknown error
Hi folks, I wrote an SSPI client / GSS-API server application that works fine in a tree of Active Directory domains / Solaris realm environment where the KDCs are the AD domain controllers. The server application is located in mytree.dom and users in child.mytree.dom.

However, I sometimes get an error for some users. These users can establish a context from W2K workstations but cannot from WinXP workstations (both workstations are located in child.mytree.dom). The Solaris GSS-API server shows the following error message for connections established from WinXP workstations:

MAJOR(gss_accept_sec_context) : Unspecified GSS failure. Minor code may provide more information
MINOR(gss_accept_sec_context) : mech_dh: Invalid or unknown error

What does 'mech_dh' mean? Diffie-Hellman mechanism??? What are the differences between the Kerberos SSP on W2K SP4 and WinXP SP1?

Thanks for any hint,
-- Jacques

Error using GSS-API on Solaris 9 Platform
Hi All: I'm a newbie to the Kerberos world and this is my first time using GSS-API ever. I'm trying to use GSS-API on the Solaris 9 platform. From what I have read so far, it seems like there is no need to install the MIT version of Kerberos on Solaris since SUN is fully compatible with it. While writing a program and using GSS-API, I'm getting the following major and minor errors:

********Errors******************
GSS-API error: acquiring credentials: Major Error: No credentials were supplied, or the credentials were unavailable or inaccessible
GSS-API error: acquiring credentials: Minor Error: mech_dh: Success
Acquiring credentials - Maj Stat: 458752 Min Stat: 0
***********Error End*************************************

I'm using the following GSS-API call, and at the completion of the call I get the above major and minor errors.

maj_stat = gss_acquire_cred(&min_stat, server_name, 0, desiredMechs, GSS_C_ACCEPT, server_cred, NULL, NULL);

I'm acting as a Kerberos service which will only accept contexts. I believe I have my krb5.conf properly set up and also the KDC is running on a different machine. The way I understand GSS-API and Solaris, I don't need to construct mechanism OIDs since by default Kerberos V5 is the default mechanism of GSS-API. So, I'm using the default mechanism by specifying "GSS_C_NULL_OID" for the desired mechanism. I get the above mentioned errors. T...

Kerberos GSS-API library for UNIX (running SAP) #3
Hi MIT Team, I am with the SAP Basis Team at SABIC (Saudi Arabia - A Leading Petrochemical Company), and we are looking to implement SAP's SNC solution between SAP servers, and even within a Single Sign On solution for our end users (integrating with SAP GUI). I have seen some literature which indicates that this is available for SAP systems which run on Win2K. However, one mentioned the following, which indicated that we may be able to obtain a GSS-API library for UNIX (HP-UX) hosts:

To use SSO with application servers on Unix and Windows 2000 front ends with gsskrb5.dll, you might have to purchase a Kerberos implementation for the Unix machine(s).

Do you know if and/or where this is available for AIX/HP-UX? Additionally, any standard documentation you have related to the Kerberos GSS-API library and its compatibility with SAP would be appreciated. Please advise.

We are on SAP 4.6C / AIX 5.2. We would be upgrading to SAP ECC 6.0 either on the HP or AIX platform. Hence we are looking for an SAP SSO solution via SAPGUI. Please advise.

Thanks,
Gokul.
SAP Basis Team
00966-508474199
