Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a Windows 2003 server as our Kerberos server, along with our
OpenLDAP on Solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
Also, we have our Windows 2003 server's directory set up with named
users, and with our current pam.conf, we can authenticate aga...
replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Since we are migrating from Debian to RedHat, we are considering
replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT
Kerberos server (again with LDAP back-end) since RedHat packages are only
available for MIT Kerberos. In order to make this migration/upgrade as
transparent as possible for our users, we want to convert all the
necessary info in the Heimdal back-end to the MIT back-end. Are there
any pointers available for this kind of operation? E.g. things like
conversion tables mapping the corresponding Kerberos-specific LDAP
attributes? Or even scripts?
I'm especially looking at the Kerberos key attributes, i.e.
- Heimdal: krb5Key
- MIT: krbPrincipalKey
Is it possible to convert the former into the latter? Is there any code
available for this operation? If not, we would have to require all our
users to change their passwords at the same time, which is not very
Thanks in advance
...Kerberos and LDAP
I'm still trying to get this to work.
Server: Debian Etch (3 hostnames=lookout, ldap and kerberos,
Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
I have followed the following guides:
Created my own user "ronni" the same way as the user "mirko" is.
From my workstation I can do:
which both work.
ldapsearch -x gives this output:
# extended LDIF
# base <dc=one,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# admin, one.com
description: LDAP administrator
# People, one.com
# Group, one.com
# ronni, group, one.com
# ronni, people, one.com
homeDirectory: /...
Kerberos + LDAP How-To
Thanks much to all of you for your responses. Much of what I wanted to
do is actually answered more in depth on-line.... took me a long time to
find good documentation on it.
Seems to be the best docs I've seen to date on the Kerberos/LDAP link-up.
Just thought I'd share that.
Kerberos mailing list Kerberos@mit.edu
>>>>> "Matt" == Matt Joyce <firstname.lastname@example.org> writes:
Matt> Thanks much to all of you for your responses. Much of what
Matt> I wanted to do is actually answered more in depth
Matt> on-line.... took me a long time to find good documentation
Matt> on it.
Matt> Seems to be the best docs I've seen to date on the Kerberos/LDAP
Matt> link-up. Just thought I'd share that.
And I naturally would like to take the chance of promoting
Why do you use SSL and put extra load on the client/server if you already
use Kerberos? SASL/GSSAPI does authentication AND encryption!
Cyrus-SASL may show only an SSF of 56, but this is only because it is hardcoded
in Cyrus, ...
MIT Kerberos or Heimdal Kerberos?
How do I know whether the Kerberos installed on the system is MIT Kerberos or Heimdal?
I'm using FreeBSD 5.2.1.
...KERBEROS with LDAP
I'm experiencing some problems between authentication and authorization
through Kerberos and LDAP.
This is my situation:
I can authenticate on LDAP through the option -Y GSSAPI after having
obtained a valid TGT from the KDC.
I have some questions:
Is it possible to authenticate via Kerberos on LDAP without obtaining
a ticket first (i.e. when I have to authenticate to LDAP, I want to be
asked for a username/password, and then have that username/password
used to obtain the ticket from Kerberos)? I'm asking this because I
want this new mechanism to be invisible from a user's point of view.
Is there some solution to this problem, or do I need to implement by
myself a customized client that communicates with Kerberos and then,
with the ticket, with LDAP?
Another question is about how to map authentication to authorization
in LDAP. The example I found was very simple, with a flat LDAP; I'm in a
hard situation, with an extremely non-regular LDAP tree. How do I find
the correct mapping to the correct identity?
Thanks in advance,
...Problem with LDAP Referrals and Kerberos LDAP Backend
I have the following problem with the latest Kerberos version
(krb5-1.11.3) on a Linux system.
I use LDAP as the backend module (with Sun / Oracle LDAP Directory
Server). My setup is quite big, so we also use LDAP referrals.
This works great with the Solaris (modified) Kerberos Release, but
with Linux we have the following issue:
DB module: db_library = kldap
Using an LDAP hub or consumer server in "ldap_servers" (i.e. the LDAP suffix
containing the KRB container (realm) is read-only and the LDAP server sends
referral(s) in case of LDAP MODs) does not work properly in case of
modifications (e.g. change_password or updates of attributes
The KDC or KADMIN follow the LDAP referral but do not bind (LDAP) using the
defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
LDAP bind is performed.
Log from LDAP consumer server:
[19/Oct/2013:12:34:46 +0200] conn=11412 op=7 msgId=8 - SRCH
attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey
tLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference
krbUPEnabled krbPwdPolicyReference krbPasswordExpiration
inFailedCount kr...
MIT Kerberos and Solaris 10 Kerberos
We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
and MIT's Kerberos (which we're up to date on). We are starting to look
at Solaris 10, and are hoping to move towards Sun's implementation of
Kerberos. We are having a bit of trouble getting the two to talk
properly, however.
If we SSH (from production to test, for example) to a Solaris 8 machine,
then we can rlogin (Kerberized) to the Solaris 10 machine and, from
there, rlogin to a Sol8 machine again. If, however, we SSH directly to
the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
various experiments (for example, trying to ksu on the Sol 10 machine),
the only error we ever get is:
WARNING: Your password may be exposed if you enter it here and are
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for ux5p@ATCOTEST.CA: :
ksu: Server not found in Kerberos database while geting credentials from
Doing an rlogin to a Sol 8 machine gives no errors at all; it just
The above error seems to indicate that the Solaris 10 Kerberos isn't
passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
certain differences, would not be a big surprise). Has anyone gotten
this to work? The Sol 10 system is using the default Solaris 10 PAM
implementation as well; not sure if this is part of the problem, but the
configuration files are significantly different. Th...
FTP and Kerberos
I get the following Kerberos-related error
when I do FTP from another machine (Red Hat 9.0)
to my machine (Red Hat 9.0).
How do I solve this problem?
Do I need to start/stop some daemons?
Here is what happens when I do FTP:
Connected to 184.108.40.206.
220 localhost.localdomain FTP server (Version 5.60)
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: in...
migration from Kerberos 4 to Kerberos 5
I have a few questions about migration to a new Kerberos version. In
fact, the goal is to migrate a network with Kerberos 4 to the Kerberos
1) Do I have to reinstall Kerberos from scratch, or are there
packages that allow updating the version?
2) What about the users I created: are they still valid, or will
user information be lost? Part of the network already uses an LDAP
directory, so I suppose this will not be a problem for that part, but
in general, how can I migrate my user accounts to the new version?
3) What about the clients: do I have to re-install the Kerberos client
on each workstation, or can I use the "old" Kerberos clients?
Could anybody answer my questions and perhaps give me some good hints
for the migration, or point me to some good documents?
...Re: Re: Problem with LDAP Referrals and Kerberos LDAP Backend
It seems that not many people use LDAP referrals together with MIT
Nevertheless, the missing support ("feature") is something I really
Is it possible that any of the developers could add this functionality?
If not: Greg, could you please specify the places, or try to add it? I
can do the necessary tests.
On 11/03/2013 03:13 PM, Christopher Racky wrote:
> I don't understand why this behavior is expected. For my opinion
> is a bug.
It's simplest to think of this as a missing feature. If I read the
correctly, callers of the OpenLDAP library follow referrals using
anonymous binds by default. With additional effort, callers can
how referrals bind.
Although I believe I know roughly how the preferred behavior could be
implemented, it would not be trivial to develop or test, so I can't
you any guarantees as to when it might happen.
Thank you very much for your reply.
I don't understand why this behavior is expected. In my opinion this
is a bug.
I would expect that after processing referrals the same credentials
are still reused.
Is that a misunderstanding on my side?
If not: it seems that you know very exactly the place where
this must be fixed.
I'm not sure if you are a developer. If yes, do ...
Kerberos and LDAP for Authorization
I am working on using Kerberos and LDAP together. Replacing the kdb with
LDAP seems simple enough. What I am wondering is: is it possible to send
back authorization details from LDAP with the Kerberos ticket, or do
applications have to talk directly to LDAP to get the users
Canadian Bank Note Co. Ltd.
...Replacing the system Kerberos with MIT Kerberos (from ports)
Is there a way to replace the Heimdal Kerberos libraries included in the FreeBSD
base system with the MIT Kerberos libraries installed from the security/krb5
port? I know about the KRB5_HOME make option. I'm concerned about other
"Kerberized" applications not working properly because they use the wrong client
libraries, hence my desire to completely replace Heimdal with MIT Kerberos.
The Heimdal Kerberos libraries shipped with the FreeBSD base system don't
support TCP, so when a KDC replies to a client request with a response larger
than the maximum UDP packet size, the Kerberos libraries return an error to the
client instead of switching to TCP (which can handle large responses). I
routinely encounter this problem when integrating FreeBSD servers and
workstations into Windows Active Directory domains, where the KDC responses
include additional authorization data derived from a security principal's group
memberships: Samba's "net ads join" command fails with a "response too big
for UDP, retry with TCP" error when linked against Heimdal, but it succeeds (and
everything else works properly) when linked against MIT Kerberos.
(Note that I'm not willing to debate the semi-standard/non-standard inclusion of
authorization data in a Kerberos ticket's PAC, nor am I willing to argue the
applicability of the aforementioned operating systems to their assigned tasks.)
Who's using Kerberos authentication? Any pointers to procedure
or documentation will be appreciated!
But have a look at Doc 317141. That explains it in some more detail
than the normal manual.
> Who's using Kerberos authentication? Any pointers to procedure
> or documentation will be appreciated!
James Latimer wrote:
> Who's using Kerberos authentication? Any pointers to procedure
> or documentation will be appreciated!
me neither, but this Chapter 13 may be of use:
Is anyone out there using kerberos authentication with their NonStop
Between this and ssh, I am having trouble keeping up!
Thanks in advance.
I read on the IBM site that KRB5A authentication is only supported on
5.2. We are currently running 5.1 and have an MCA-based machine, so
there is no chance of upgrading to 5.2. Is there an open-source
Kerberos package for AIX, and how would you go about installing it?
Any help would be greatly appreciated.
...RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response.
> > We run a number of Solaris 8 systems using Sun's SEAM PAM
> > and MIT's Kerberos (which we're up to date on). We are starting to look
> > at Solaris 10, and are hoping to move towards Sun's implementation of
> > Kerberos. We are having a bit of trouble getting the two to talk
> > properly, however.
> I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
> It is linked directly with the Solaris Kerberos libraries (private).
I am trying to get the Solaris Kerberos (SEAM) on the Sol 10 system to
talk to the MIT Kerberos on the KDC and other Solaris 8/MIT systems.
> Solaris 10 Kerberos interops very well with MIT, Heimdal, and
> It has support for all of the enctypes (AES, RC4, 3DES, DES) finally.
But I can't seem to get it to work.
> > If we SSH (from production to test, for example) to a Solaris 8 machine,
> > then we can rlogin (Kerberized) to the Solaris 10 machine and, from
> > there, rlogin to a Sol8 machine again. If, however, we SSH directly to
> > the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
> > various experiments (for example, trying to ksu on the Sol 10 machine),
> > the only error we ever get is:
> > ksu
> > WARNING: Your password may be exposed if you enter it here and are
...FW: MIT Kerberos and Solaris 10 Kerberos
Sorry, I accidentally sent this reply just to Wyllys. In the interest of
keeping the thread complete, I'll put it to the list as well.
> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and
> MIT uses a slightly different RPC protocol. This is not a new
> issue, its been a problem ever since we introduced SEAM.
> The solution is that if your KDC is MIT, then you must use the MIT
> 'kadmin' client to manage it.
OK, thanks. So, I'll have to keep the MIT binaries around as well...
I have a Kerberos server set up, and it works fine with
iSeries Navigator. I have to create an AS400 object now
using Java and a Kerberos ticket; has anyone done it
successfully? Does anyone have a code sample?
"polilop" <fmatosicSKINI@inet.hr> burped up warm pablum in
> I have a Kerberos server set up, and it works fine with
> iSeries Navigator. I have to create an AS400 object now
> using Java and a Kerberos ticket; has anyone done it
> successfully? Does anyone have a code sample?
You should read: http://publib.boulder...
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather than implementing kafs in MIT Kerberos, I would like to
suggest an alternative which has advantages for all parties.
The OpenSSH sshd needs to do two things:
(1) set a PAG in the kernel,
(2) obtain an AFS token, storing it in the kernel.
It can use the Kerberos credentials obtained either via GSSAPI
delegation, PAM, or other Kerberos login code in the sshd.
The above two actions can be accomplished by a separate process,
which can be forked and exec'd by the sshd and passed the environment,
which may have a KRB5CCNAME pointing at the Kerberos ticket cache.
Other parameters such as the home directory could also be passed.
This would then allow simple code in OpenSSH that does not depend
on OpenAFS, Heimdal or MIT code to fork/exec the process that does
all the work. This would be called by the process that would
eventually become the user's shell process and is run as the user.
OpenSSH could be built on systems that may or may not have AFS
installed and run on a system with or without AFS. The decision
is based on the existence of the executable and any options
In its simplest form, all that is needed is:
This is a little oversimplified, as there should be a test of whether the
executable exists, processing of some return codes, making sure the
environment is set, setting some time limit, etc. But the point is
there is no compile-time dependence on OpenAFS, MIT or Heimdal by the
Op...
Kerberos + LDAP + RADIUS?
We are re-architecting our whole authentication backend, and I am having a
hard time trying to understand how Kerberos, LDAP, and RADIUS can all fit
together. We currently use RADIUS and LDAP to do AAA and group-based
security, but we are going to want to have SSO functionality (thus
I think I can see how Kerberos and LDAP fit together, with group-based
A user will authenticate with Kerberos' authentication server, then attempt
to be assigned a ticket by the ticket-granting server; the ticket-granting
server will query LDAP to see if a user has access to the resource
based on the groups that user is a part of.
My problem is trying to figure out where RADIUS comes into the mix. It
seems like there can be two options, but both seem to have problems:
1. Have authentication point to the Kerberos server, which will authenticate
against RADIUS: but this doesn't make sense, because when you authenticate
against Kerberos, there is no password passed from client to server, so how
will Kerberos be able to tell if that user/pass is accepted via RADIUS?
2. Have authentication point to RADIUS, and have it authenticate against
Kerberos: this defeats a whole security aspect of Kerberos, not passing
the user's password to the server, and how is it possible for the client to
have the Kerberos ticket?
Maybe I am missing something, or maybe this is just not possible. Any
insight/tutorials/etc. would be helpful; there is not much on this t...
LDAP with kerberos auth
I am trying to bring up an LDAP server with Kerberos
authentication. Is it necessary that the LDAP and Kerberos client run on
separate machines, or can they run on the same machine? This is for
testing a system. Also, what are the steps to configuring the Kerberos
client and server? How do I test the client?
On 2007-05-27 07:32:06 +0200, email@example.com said:
> Hi All,
> I am trying to bring up an LDAP server with Kerberos
> authentication. Is it necessary that the LDAP and Kerberos client run on
> separate machines, or can they run on the same machine? This is for
> testing a system. Also, what are the steps to configuring the Kerberos
> client and server? How do I test the client?
If you intend to use kerberos principals in ldap, allowing them to act
on the database, you should look for SASL and GSSAPI. Of course you can
run ldap and kerberos on whatever machine you want.
Sensei <senseiwa at Apple's mac dot com>
Error. Keyboard not attached. Press F1 to continue...
(Real BIOS Error)
We'd like to deploy Kerberos on our network. We already have a
working Kerberos setup in our lab which has a master Kerberos server
with an OpenLDAP backend and a slave Kerberos server which also uses an
Before we go live into production, we're looking for information on how
to build the Kerberos infrastructure (i.e. in which network DMZ do I
install the KDC? Where should we install the slave Kerberos servers? Can
we run a "hidden" KDC, much like a hidden primary DNS server? How would
that affect users who want to change their passwords? etc.).
Unfortunately, we didn't find a lot of documentation which talks
specifically about Kerberos architecture. That's why we're looking for
experienced Kerberos users to help us deploy a good Kerberos
Our goals are to create a hidden master Kerberos and several slaves. We
plan to use the Kerberos/OpenLDAP services for authentication via SSH,
OpenAFS, autofs maps, sudo rights plus users and groups. The Kerberos
architecture has to support two different data centers. Both sites have
several DMZ networks (WWW, Application and Database for the classic
three-tiered environment, plus the local LAN). We'd like to use Kerberos
to log in on all of these networks: one slave in the LAN to support
workstations and LAN servers, and two other slaves in a DMZ (which one?) for
DMZ server support and as workstation backup support. We need to have
redundancy of co...