Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a Windows 2003 server as our Kerberos server, along with our
openldap on solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory setup with named
users, and with our current pam.conf, we can authenticate aga...
add principal to kerberos with ldap backend
Hi everyone,
sorry if my question is dumb, but I can't find an answer in the documentation. I
have set up and am running MIT Kerberos 1.6 with the LDAP backend and can add principals
with the kadmin tool. Now I need a solution (if it's possible) to add a principal
directly to LDAP, but can't find info on how to create the ldif file, especially for
the values of krbPrincipalKey and krbExtraData. Does anyone know how these fields
are constructed?
--
Nikolai Tenev
Hosting Systems Support Engineer
Orbitel EAD - office Sofia
tel: +359 2 4004808
fax: +359 2 4004744
---------------------------------
Orbitel - Next Generation Telecom
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
>>> On Tue, May 15, 2007 at 2:48 PM, in message
<200705151218.29970.ntenev@orbitel.bg>, Nikolai Tenev <ntenev@orbitel.bg>
wrote:
> Hi everyone,
> sorry if my question is dumb, but I can't find an answer in the documentation. I
> have set up and am running MIT Kerberos 1.6 with the LDAP backend and can add principals
> with the kadmin tool. Now I need a solution (if it's possible) to add a principal
> directly to LDAP, but can't find info on how to create the ldif file, especially
> for
> the values of krbPrincipalKey and krbExtraData. Does anyone know how these fields
> are constructed?
>
It is not possible to add the krbPrincipalKey attribute through a
LDIF file. The format of the valu...
replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Hi all
Since we are migrating from Debian to RedHat, we are considering
replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT
Kerberos server (again with LDAP back-end) since RedHat packages are only
available for MIT Kerberos. In order to make this migration/upgrade as
transparent as possible for our users, we want to convert all the
necessary info in the Heimdal back-end to the MIT back-end. Are there
any pointers available for this kind of operation? E.g. things like
conversion tables mapping the corresponding Kerberos-specific LDAP
attributes? Or even scripts?
I'm especially looking at the Kerberos key attributes, i.e.
- Heimdal: krb5Key
- MIT: krbPrincipalKey
Is it possible to convert the former into the latter? Is there any code
available for this operation? If not, we would have to require all our
users to change their passwords at the same time, which is not very
feasible.
Thanks in advance
Bart
...
Creating a Kerberos user principal using LDAP
Given a KDC using the LDAP backend, has anyone created a stand-alone
tool to create user principals by directly adding an LDAP entry?
Apparently the difficulty is correctly creating the ASN.1 encoded key
attribute (krbPrincipalKey), which is harder still because of the need to
encrypt it using the master key (krbMKey).
In the LDAP world, it isn't unusual that the password attribute value is
generated with a special tool (unless the plaintext password is used).
I think two tools would be interesting.
1. A tool that only spits out the krbPrincipalKey attribute on STDOUT.
2. A tool that creates the whole user principal including the
krbPrincipalKey.
More specifically, I would like some perl or python code that I include
in a larger project.
If neither tool has been created, there is code from the FreeIPA
project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that
fetches the master key and properly creates the ASN.1 encoded key. That
code could be used as a starting point or inspiration.
Dax Kelson
Guru Labs
Dax Kelson wrote:
> If neither tool has been created, there is code from the FreeIPA
> project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that
> fetches the master key and properly creates the ASN.1 encoded key. That
> code could be used as a starting point or inspiration.
Security-wise, catching the modify password extended operation at the
LDAP server's side is IMHO the right thing to do. FreeIPA does that for
Fedor...
Kerberos+LDAP: kadmin.local and kadmin show different principals
Hi,
I'm trying to configure an Ubuntu system with MIT Kerberos (v1.8.1), with LDAP as the storage back-end (Sun OpenDS v2.2.1). I see a very odd behavior, where my host entries only show up when I list principals using 'kadmin.local', but not when I use 'kadmin'. From what I read, the two should behave identically if kadmin.local uses the same principal to connect.
Here's what I see from the two tools. Notice the "host/..." principal in the kadmin.local case.
root@hydrogen:/etc/krb5kdc# kadmin -p nick/admin
Authenticating as principal nick/admin with password.
Password for nick/admin@EXAMPLE.NET:
kadmin: list_principals
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin: ^D
root@hydrogen:/etc/krb5kdc# kadmin.local -p nick/admin
Authenticating as principal nick/admin with password.
kadmin.local: list_principals
host/myhost.example.net@EXAMPLE.NET <=== Not listed above
ben@EXAMPLE.NET
nick@EXAMPLE.NET
nick/admin@EXAMPLE.NET
K/M@EXAMPLE.NET
krbtgt/EXAMPLE.NET@EXAMPLE.NET
kadmin/admin@EXAMPLE.NET
kadmin/changepw@EXAMPLE.NET
kadmin/history@EXAMPLE.NET
kadmin/hydrogen@EXAMPLE.NET
kadmin.local: ^D
When I look at the LDAP logs, the two commands behave quite differently. My realm has two search trees
root@hydrogen:/etc/krb5kdc# kdb5_ldap_util -D "cn=director...
Renaming a Kerberos realm (all principal info stored in LDAP DIT)
Hi,
I would like to know whether it's possible to rename a Kerberos realm
when all Kerberos related info is stored in an LDAP DIT (OpenLDAP and
MIT Kerberos running on Debian Lenny AMD64)?
Reason for this is that I will move my KDC to a new internal subnet
(having a new internal DNS domain) and I would like my Kerberos realm
to be "in sync" with the new DNS domain name.
The Kerberos related info is stored in an "ou" (organizationalUnit)
subtree named "krb5" (initially populated with kdb5_ldap_util).
Is it "safe" to
- shutdown both KDC and kadmin server
/etc/init.d/krb5-kdc stop
/etc/init.d/krb5-admin-server stop
- shutdown OpenLDAP (/etc/init.d/slapd stop)
- dump the DIT (slapcat -l <file_name>)
- open DIT file in editor and change all occurrences from
MY.OLD.REALM to MY.NEW.REALM
- modify the realm name in /etc/krb5.conf and /etc/krb5kdc/kdc.conf
accordingly
- delete old LDAP databases
- start OpenLDAP in order to obtain a fresh database
(/etc/init.d/slapd start)
- shutdown OpenLDAP again (/etc/init.d/slapd stop)
- add DIT again (slapadd -l <file_name>)
- restart OpenLDAP (/etc/init.d/slapd start)
or did I forget any relevant step(s)/substep(s)?
Thanks in advance for sharing your thoughts & kind regards,
Holger
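The "change all occurrences" step of the procedure above, as an added example that is not part of the original post and not kdb5_ldap_util. A plain editor search-and-replace misses two things in a slapcat dump: values with characters outside the safe LDIF set are written base64-encoded ("attr:: ..."), and long lines are folded with a leading space, so the realm string can be hidden inside base64 or split across two physical lines. The rewriter below unfolds the dump, decodes base64 text values, replaces the realm, and leaves binary values such as krbPrincipalKey alone. One caveat the step list does not cover: keys that were derived from passwords with the default salt use the principal name including the realm as salt, so after the rename those principals still need a password change in the new realm; random keys (service keytabs) are unaffected. Realm names, DNs and the sample dump are constructed for the example.

```python
"""Rename a Kerberos realm inside a slapcat LDIF dump (added example, not kdb5_ldap_util)."""
import base64
import re

# attr, ":" or "::", optional single space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def unfold(text: str) -> list[str]:
    """Join LDIF continuation lines (leading space) into one logical line each."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def b64(text: str) -> str:
    """Base64 a UTF-8 string the way slapcat writes a base64 value."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def rewrite_line(line: str, old: str, new: str) -> str:
    """Replace the realm in one logical LDIF line; base64 text values are decoded first."""
    if not line or line.startswith("#"):
        return line
    m = ATTR_RE.match(line)
    if not m:
        return line
    attr, sep, value = m.groups()
    if sep == "::":
        try:
            text = base64.b64decode(value).decode("utf-8")
        except (UnicodeDecodeError, ValueError):
            return line  # key material or other binary value: leave untouched
        return f"{attr}:: {b64(text.replace(old, new))}" if old in text else line
    return f"{attr}: {value.replace(old, new)}" if old in value else line


def rename_realm(ldif: str, old: str, new: str) -> tuple[str, int]:
    """Return the rewritten dump and the number of logical lines that changed."""
    out, changed = [], 0
    for line in unfold(ldif):
        rewritten = rewrite_line(line, old, new)
        changed += rewritten != line
        out.append(rewritten)
    return "\n".join(out) + "\n", changed


# Constructed sample dump: the realm container and one principal, with a folded DN,
# a base64 text value and a base64 binary value (not valid UTF-8, stands in for a key).
KEY_B64 = base64.b64encode(bytes([0x30, 0x82, 0x01, 0xFF, 0x80, 0x00])).decode("ascii")
SAMPLE_LDIF = (
    "dn: cn=MY.OLD.REALM,cn=krbcontainer,dc=example,dc=com\n"
    "objectClass: krbRealmContainer\n"
    "cn: MY.OLD.REALM\n"
    "\n"
    "dn: krbPrincipalName=alice@MY.OLD.REALM,cn=MY.OLD.REALM,cn=krbcontainer,dc=exa\n"
    " mple,dc=com\n"
    "objectClass: krbPrincipal\n"
    "krbPrincipalName: alice@MY.OLD.REALM\n"
    f"krbPrincipalKey:: {KEY_B64}\n"
    f"description:: {b64('Account in MY.OLD.REALM')}\n"
)

if __name__ == "__main__":
    dump, n = rename_realm(SAMPLE_LDIF, "MY.OLD.REALM", "MY.NEW.REALM")
    print(dump, f"# {n} logical lines changed")
```

Run it against the real slapcat output, then diff the result against the original dump and count the changed lines before slapadd; a surprisingly low count usually means the realm was base64-hidden in a way the regex did not catch, a surprisingly high one that the realm string is a substring of something else.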
Kerberos Principals
I'm replacing NIS with LDAP and Kerberos. The question is, is there any way to automate the creation of the principals? Do I have to add a principal for each user in my current system, or is there a tool (like ldap migration) that can do that?
thanks a lot
Amir Saad
Software Engineer
On Wed, 2005-12-21 at 14:38 +0200, Amir Saad wrote:
> I'm replacing NIS with LDAP and Kerberos. The question is, is there any way to automate the creation of the principals? Do I have to add a principal for each user in my current system, or is there a tool (like ldap migration) that can do that?
Is any tool other than kadmin needed? I don't know about your specific
situation, but I'd do it with a shell command, like this:
umask 077   # the password list must not be world-readable
ypcat passwd | while IFS=: read -r name rest; do
    # 6 random bytes, base64-encoded: a throwaway initial password
    password=$(dd if=/dev/random bs=3 count=2 2>/dev/null | encode-base64)
    kadmin -c "$KRB5CCNAME" -q "ank -pw $password $name"
    echo "$name $password" >>/tmp/newpasswords
done
That requires your ccache to have a valid kadmin service ticket, though.
Get it with a command like "kinit -S kadmin/admin yourname/admin".
It also requires a base64 encoding program. The one I used comes from
Perl's MIME-Base64 module.
I don't know if there might be anything wrong with this way of doing it,
but in that cas...
kerberos and LDAP.
Hi :), can someone list the Kerberos servers that
store the principal information in the directory? We
want to integrate the user info in LDAP with the
authentication info of Kerberos. Is there any Kerberos
server and LDAP server with this kind of support?
Thank you in advance.
>>>>> "Medha" == Medha B <ban_medha@yahoo.com> writes:
Medha> Hi :), can someone list the Kerberos servers that store
Medha> the principal information in the directory? We want to
Medha> integrate the user info in LDAP with the authentication
Medha> info of Kerberos. Is there any Kerberos server and LDAP
Medha> server with this kind of support? Thank you in advance.
http://www.bayour.com/LDAPv3-HOWTO.html
Hello medha,
The latest version of the HP-UX Kerberos server, 3.1, will have the
necessary support to store Kerberos principals in the LDAP directory.
The product will be available soon on http://software.hp.com.
Please let me know if you have any further queries w.r.t ...
Kerberos + LDAP How-To
Thanks much to all of you for your responses. Much of what I wanted to
do is actually answered more in depth on-line.... took me a long time to
find good documentation on it.
http://ofb.net/~jheiss/krbldap/howto.html
Seems to be the best docs i've seen to date on the kerberos ldap link
up. Just thought I'd share that.
-Matt Joyce.
>>>>> "Matt" == Matt Joyce <syslists@vtsystems.com> writes:
Matt> Thanks much to all of you for your responses. Much of what
Matt> I wanted to do is actually answered more in depth
Matt> on-line.... took me a long time to find good documentation
Matt> on it.
Matt> http://ofb.net/~jheiss/krbldap/howto.html
Matt> Seems to be the best docs i've seen to date on the kerberos
Matt> ldap link up. Just thought I'd share that.
And I naturally would like to take the chance of promoting
http://www.bayour.com/LDAPv3-HOWTO.html
Matt,
why do you use SSL and put extra load on the client/server if you already
use Kerberos? SASL/GSSAPI does authentication AND encryption!!
Cyrus-sasl may show only an SSF of 56, but this is only because it is hardcoded
in cyrus, ...
MIT Kerberos or Heimdal Kerberos?
Hi,
How do I know whether the server installed on the system is MIT Kerberos or Heimdal?
I'm using FreeBSD 5.2.1
Thanks
sam
...
Kerberos and LDAP
Hi,
I'm still trying to get this to work.
Server: Debian Etch (3 hostnames=lookout, ldap and kerberos,
ip=192.168.212.15)
Workstation: Ubuntu 8.04 (hostname=rofe.one.com, ip=192.168.212.93)
I have followed the following guides:
http://techpubs.spinlocksolutions.com/dklar/kerberos.html
http://techpubs.spinlocksolutions.com/dklar/ldap.html
Created my own user "ronni" the same way as the user "mirko" is.
From my workstation I can do:
kinit ronni
ldapsearch -x
which both work.
ldapsearch -x gives this output:
# extended LDIF
#
# LDAPv3
# base <dc=one,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# one.com
dn: dc=one,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: one.com
dc: one
# admin, one.com
dn: cn=admin,dc=one,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# People, one.com
dn: ou=People,dc=one,dc=com
ou: People
objectClass: organizationalUnit
# Group, one.com
dn: ou=Group,dc=one,dc=com
ou: Group
objectClass: organizationalUnit
# ronni, group, one.com
dn: cn=ronni,ou=group,dc=one,dc=com
cn: ronni
gidNumber: 20000
objectClass: top
objectClass: posixGroup
# ronni, people, one.com
dn: uid=ronni,ou=people,dc=one,dc=com
uid: ronni
uidNumber: 20000
gidNumber: 20000
cn: Ronni
sn: Ronni
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /...
KERBEROS with LDAP
Hi all,
I'm experiencing some problems between authentication and authorization
through Kerberos and LDAP.
This is my situation:
I can authenticate on LDAP through the option -Y GSSAPI after having
obtained a valid TGT from the KDC.
I have some questions:
Is it possible to authenticate via Kerberos on LDAP without first obtaining
a ticket (i.e. when I have to authenticate to LDAP I want
the username/password to be asked for, and then this username/password
used to obtain the ticket from Kerberos)? I'm asking this because I
want this new mechanism to be invisible from a user's point of view.
Is there a solution to this problem, or do I need to implement by
myself a customized client that communicates with Kerberos and then,
with the ticket, with LDAP?
Another question is about how to map authentication to authorization
in LDAP. The example I found was very simple with a flat LDAP; I'm in a
hard situation, with an extremely non-regular LDAP tree. How do I find
the correct mapping to the correct identity?
Thanks in advance,
Andrea
...
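The authentication-to-authorization mapping asked about above, as an added example that is not OpenLDAP code: it reproduces what slapd's authz-regexp does so a rule can be checked against the tree before it goes into slapd.conf. After a SASL/GSSAPI bind, slapd represents the caller as uid=<user>,cn=<realm>,cn=gssapi,cn=auth (check the exact spelling of the realm part in your slapd log; the regex below matches it case-insensitively). authz-regexp rewrites that string either into a DN or into an LDAP search URL, and a URL with scope "sub" is what makes a non-regular tree workable, because the entry is located by (uid=...) wherever it sits; like slapd, the mapping refuses to authorize when the search does not return exactly one entry. The rule, the example realm and the sample tree are constructed.

```python
"""authz-regexp style mapping of a GSSAPI principal to a directory entry (added example)."""
import re

# Same rule as it would appear in slapd.conf:
#   authz-regexp "uid=([^,]*),cn=example\.com,cn=gssapi,cn=auth"
#                "ldap:///dc=example,dc=com??sub?(uid=$1)"
AUTHZ_REGEXP = [
    (re.compile(r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$", re.IGNORECASE),
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]

# Constructed, deliberately non-uniform tree: entries keyed by DN.
DIRECTORY = {
    "uid=andrea,ou=people,ou=rome,dc=example,dc=com": {"uid": "andrea"},
    "uid=bob,ou=contractors,ou=it,ou=milan,dc=example,dc=com": {"uid": "bob"},
    "uid=dup,ou=people,dc=example,dc=com": {"uid": "dup"},          # ambiguous on purpose
    "uid=dup,ou=old,ou=people,dc=example,dc=com": {"uid": "dup"},
    "uid=andrea,dc=other,dc=org": {"uid": "andrea"},                # outside the search base
}


def sasl_identity(principal: str) -> str:
    """Form slapd gives a GSSAPI-authenticated principal before authz-regexp runs."""
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"


def rewrite(identity: str):
    """Apply the first matching rule; $1, $2, ... are filled from the regex groups."""
    for pattern, target in AUTHZ_REGEXP:
        m = pattern.match(identity)
        if m:
            out = target
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return None


def search_url(url: str):
    """Split ldap:///base?attrs?scope?filter (the subset authz-regexp uses)."""
    if not url.startswith("ldap:///"):
        raise ValueError(f"not a local search URL: {url!r}")
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + ["", "", ""])[:4]
    return base, scope or "base", flt


def search(base: str, scope: str, flt: str):
    """Equality-filter search over DIRECTORY; only (attr=value) and scope one/sub are supported."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not m or scope not in ("one", "sub"):
        raise ValueError(f"unsupported search {scope} {flt!r}")
    attr, value, base_l = m.group(1), m.group(2).lower(), base.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        dn_l = dn.lower()
        if not (dn_l == base_l or dn_l.endswith("," + base_l)):
            continue
        if scope == "one" and dn_l.count(",") != base_l.count(",") + 1:
            continue
        if entry.get(attr, "").lower() == value:
            hits.append(dn)
    return hits


def authorize(principal: str):
    """DN the principal is authorized as; None if no rule matches; error if ambiguous."""
    target = rewrite(sasl_identity(principal))
    if target is None:
        return None
    if not target.startswith("ldap:///"):
        return target  # the rule produced a DN directly
    base, scope, flt = search_url(target)
    hits = search(base, scope, flt)
    if len(hits) != 1:
        raise LookupError(f"{principal}: {len(hits)} entries match {flt}, need exactly 1")
    return hits[0]


if __name__ == "__main__":
    for p in ("andrea@EXAMPLE.COM", "bob@EXAMPLE.COM", "andrea@OTHER.ORG"):
        print(p, "->", authorize(p))
```

The duplicate uid in the sample tree is the case to watch for in a grown directory: slapd will not guess, so either the filter has to be tightened (an objectClass term, or a dedicated attribute holding the full principal name) or the duplicates have to be cleaned up before GSSAPI binds for those users can work.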
Problem with LDAP Referrals and Kerberos LDAP Backend
Hello list,
I have the following problem with the latest Kerberos version
(krb5-1.11.3) on a Linux system.
I use ldap as the backend module (with Sun / Oracle LDAP Directory
Server). My setup is quite big, so we also use LDAP referrals.
This works great with the (modified) Solaris Kerberos release, but
with Linux we have the following issue:
DB module: db_library = kldap
Using an LDAP hub or consumer server in "ldap_servers" (i.e. the LDAP suffix
containing the KRB container (realm) is read-only and the LDAP server sends
referral(s) in case of LDAP MODs) does not work properly in case of
modifications (e.g. change_password or updates of attributes
(krbLoginFailedCount, ...)):
KDC or KADMIN follow the LDAP referral but do not bind (LDAP) using the
defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
LDAP bind is performed.
Log from LDAP consumer server:
[19/Oct/2013:12:34:46 +0200] conn=11412 op=7 msgId=8 - SRCH base="ou=people,dc=adm" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=testuser@MITREALM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount kr...
FTP and Kerberos
Hi,
I get the following Kerberos related error
when I do FTP from another machine (Red Hat 9.0)
to my machine (Red Hat 9.0).
How do I solve this problem?
Do I need to start/stop some daemons?
Here is what happens when I do FTP:
Connected to 107.108.89.173.
220 localhost.localdomain FTP server (Version 5.60)
ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: in...
migration from Kerberos 4 to Kerberos 5
Hello,
I have a few questions about migration to a new Kerberos version. In
fact, the goal is to migrate a network with Kerberos 4 to Kerberos
5 (under Linux):
1) Do I have to reinstall Kerberos from scratch, or are there
packages that allow updating the version?
2) What about the users that I created: are they still valid, or will
user information be lost? Part of the network already uses an LDAP
directory; I suppose this will not be a problem for this part, but
in general, how can I migrate my user accounts to the new version?
3) What about the clients: do I have to re-install the Kerberos client
on each workstation, or can I use the "old" Kerberos clients?
Could anybody answer my questions and perhaps give me some good hints
for the migration, or point me to some good documents?
Thanks,
CB
...
MIT Kerberos and Solaris 10 Kerberos
Greetings, everyone.
We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
and MIT's Kerberos (which we're up to date on). We are starting to look
at Solaris 10, and are hoping to move towards Sun's implementation of
Kerberos. We are having a bit of trouble getting the two to talk
properly, however.
If we SSH (from production to test, for example) to a Solaris 8 machine,
then we can rlogin (Kerberized) to the Solaris 10 machine and, from
there, rlogin to a Sol8 machine again. If, however, we SSH directly to
the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
various experiments (for example, trying to ksu on the Sol 10 machine),
the only error we ever get is:
ksu
WARNING: Your password may be exposed if you enter it here and are
logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for ux5p@ATCOTEST.CA: :
ksu: Server not found in Kerberos database while geting credentials from
kdc
Authentication failed.
Doing an rlogin to a Sol 8 machine gives no errors at all; it just
quietly fails.
The above error seems to indicate that the Solaris 10 Kerberos isn't
passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
certain differences, would not be a big surprise). Has anyone gotten
this to work? The Sol 10 system is using the default Solaris 10 PAM
implementation as well; not sure if this is part of the problem, but the
configuration files are significantly different. Th...
Re: Re: Problem with LDAP Referrals and Kerberos LDAP Backend
Hello all,
It seems that not many people use LDAP referrals together with MIT
Kerberos.
Nevertheless the missing support ("feature") is something I really
need.
Is it possible that one of the developers adds this functionality?
If not: Greg, could you please specify the places, or try to add it? I
can do the necessary tests.
Best regards
Chris
On 11/03/2013 03:13 PM, Christopher Racky wrote:
> I don't understand why this behavior is expected. In my opinion this
> is a bug.
It's simplest to think of this as a missing feature. If I read the code
correctly, callers of the OpenLDAP library follow referrals using
anonymous binds by default. With additional effort, callers can control
how referrals bind.
Although I believe I know roughly how the preferred behavior could be
implemented, it would not be trivial to develop or test, so I can't give
you any guarantees as to when it might happen.
-
Hello Greg,
Thank you very much for your reply.
I don't understand why this behavior is expected. In my opinion this
is a bug.
I would expect that after processing referrals the same credentials
are still reused.
Is that a misunderstanding on my side?
If not: it seems that you know very exactly the place where
this must be fixed.
I'm not sure if you are a developer. If yes, do ...
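The behaviour the thread above asks for, as an added example that is not MIT or OpenLDAP code: turn automatic referral chasing off, catch the referral the read-only consumer returns on a write, and retry the write over a connection bound with the KDC's own DN instead of the anonymous bind the library would use. The example adds the check a practitioner wants before re-binding: a referral is an unauthenticated hint from whichever server answered, so the bind credentials are only ever sent to a master on an allow-list, over ldaps by default. The `connect` callable is injected so the policy runs without a directory; with python-ldap it would wrap ldap.initialize() and simple_bind_s() after ldap.set_option(ldap.OPT_REFERRALS, 0), and in C the corresponding hook is ldap_set_rebind_proc(). Host names, DNs, the bind secret and the fake consumer/master connections are constructed for the demo.

```python
"""Follow an LDAP write referral with an authenticated re-bind (added example)."""
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


class Referral(Exception):
    """Raised by a consumer that will not accept the modify locally."""

    def __init__(self, urls):
        super().__init__(", ".join(urls))
        self.urls = list(urls)


@dataclass
class ReferralPolicy:
    bind_dn: str                 # same role as ldap_kadmind_dn / ldap_kdc_dn in kdc.conf
    bind_pw: str
    allowed_hosts: frozenset     # masters we are willing to send credentials to
    require_tls: bool = True

    def pick_target(self, urls):
        """(server URL, DN named in the referral or None) for the first acceptable referral."""
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme not in ("ldap", "ldaps"):
                continue
            if self.require_tls and parts.scheme != "ldaps":
                continue
            if parts.hostname not in self.allowed_hosts:
                continue
            dn = unquote(parts.path.lstrip("/")) or None
            return f"{parts.scheme}://{parts.netloc}", dn
        raise PermissionError(f"no acceptable referral target in {urls}")


def modify_following_referral(conn, policy, connect, dn, mods):
    """Try the write on conn; on a referral, redo it over an authenticated connection."""
    try:
        return conn.modify(dn, mods)
    except Referral as ref:
        target, ref_dn = policy.pick_target(ref.urls)
        master = connect(target)
        master.bind(policy.bind_dn, policy.bind_pw)   # the step the library's default chasing skips
        return master.modify(ref_dn or dn, mods)


# Constructed stand-ins for a consumer and a master; no network involved.
@dataclass
class FakeMaster:
    bound_as: str = None
    applied: list = field(default_factory=list)

    def bind(self, dn, pw):
        self.bound_as = dn

    def modify(self, dn, mods):
        if self.bound_as is None:
            raise PermissionError("anonymous modify refused")
        self.applied.append((dn, mods))
        return "modified"


class FakeConsumer:
    """Read-only replica: every modify comes back as a referral to the master."""

    def __init__(self, master_url):
        self.master_url = master_url

    def modify(self, dn, mods):
        raise Referral([f"{self.master_url}/{dn}"])


def demo(master_url="ldaps://ldapmaster.adm.example:636"):
    """Push one krbLoginFailedCount reset through the policy; returns (result, master)."""
    master = FakeMaster()
    policy = ReferralPolicy(
        bind_dn="cn=kadmind,ou=services,dc=adm",
        bind_pw="constructed-secret",
        allowed_hosts=frozenset({"ldapmaster.adm.example"}),
    )
    servers = {master_url: master}
    result = modify_following_referral(
        FakeConsumer(master_url), policy, servers.__getitem__,
        "krbPrincipalName=testuser@MITREALM,ou=people,dc=adm",
        [("replace", "krbLoginFailedCount", ["0"])],
    )
    return result, master


if __name__ == "__main__":
    print(demo()[0])
```

Without the allow-list a misconfigured or compromised consumer could hand back a referral to any host and the re-bind would deliver the KDC's directory password to it, which is the downside of "just reuse the credentials" that the thread's request does not mention.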
kerberos?
Is anyone out there using kerberos authentication with their NonStop
hosts?
Between this and ssh, I am having trouble keeping up!
Thanks in advance.
...
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather than implementing kafs in MIT Kerberos, I would like to
suggest an alternative which has advantages to all parties.
The OpenSSH sshd needs to do two things:
(1) sets a PAG in the kernel,
(2) obtains an AFS token storing it in the kernel.
It can use the Kerberos credentials either obtained via GSSAPI
delegation, PAM or other kerberos login code in the sshd.
The above two actions can be accomplished by a separate process,
which can be forked and execd by the sshd and passed the environment
which may have a KRB5CCNAME pointing at the Kerberos ticket cache.
Other parameters such as the home directory could also be passed.
This would then allow simple code in OpenSSH that does not depend
on OpenAFS, Heimdal or MIT code to fork/exec the process that does
all the work. This would be called by the process that would
eventually become the user's shell process and is run as the user.
OpenSSH could be built on systems that may or may not have AFS
installed and run on a system with or without AFS. The decision
is based on the existence of the executable and any options
in sshd_config.
In its simplest form, all that is needed is:
system("/usr/ssh/libexec/aklog -setpag")
This is a little over simplified as there should be a test if the
executable exists, processing of some return codes, making sure the
environment is set, setting some time limit. etc. But the point is
there is no compile dependence on OpenAFS, MIT or Heimdal by the
Op...
kerberos
Hi,
I've seen a number of posts regarding similar issues, but none with
answers..
maybe i'll be lucky...
Trying to join a Linux samba box to a Win2k Domain via ADS..
Have used 'net join -U administrator%password'
then get a list of errors about 20 lines long similar to this.
"kerberos_kinit_password fedora$@domain.com failed: Client not found in
Kerberos database"
But, it *does* join the domain and I can see and use the share....
Is there anything to worry about??
TIA,
travelfurther..
...
Kerberos?
Who's using Kerberos authentication? Any pointers to procedure
or documentation will be appreciated!
Hi James,
Not Me!
But have a look at Doc 317141. That explains it in some more detail
than the normal manual.
Martin Bowes
> Who's using Kerberos authentication? Any pointers to procedure
> or documentation will be appreciated!
> _______________________________________________
> Info-ingres mailing list
> Info-ingres@cariboulake.com
> http://mailman.cariboulake.com/mailman/listinfo.py/info-ingres
>
James Latimer wrote:
> Who's using Kerberos authentication? Any pointers to procedure
> or documentation will be appreciated!
me neither, but this Chapter 13 may be of use:
http://downloads.ingres.com/download/connect.pdf
...
kerberos
Hi,
I have a Kerberos server set up, and it works fine with
iSeries Navigator. I have to create an AS400 object now
using Java and a Kerberos ticket. Has anyone done it
successfully? Does anyone have a code sample?
"polilop" <fmatosicSKINI@inet.hr> burped up warm pablum in
news:fr3i5a$sn6$1@ss408.t-com.hr:
> Hi,
> I have a Kerberos server set up, and it works fine with
> iSeries Navigator. I have to create an AS400 object now
> using Java and a Kerberos ticket. Has anyone done it
> successfully? Does anyone have a code sample?
You should read: http://publib.boulder...
Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted
...