f



MIT Kerberos: Cannot resolve network address for KDC in realm

Hi:

I've been having a hard time getting MIT Kerberos up and running on
solaris 10.

The latest of my problems is this error when i run kinit from the KDC.

dsldap01$ /krb5/bin/kinit rob/admin@alezeo.com
kinit(v5): Cannot resolve network address for KDC in realm alezeo.com
while getting initial credentials

This sounds like a DNS problem, but I don't think it is.

dsldap01$ host -t A dsldap01.alezeo.com
dsldap01.alezeo.com has address 10.93.120.72

Also in my hosts file:
127.0.0.1       localhost
10.93.120.72    dsldap01.alezeo.com        dsldap01        loghost

Here is my krb5.conf
=============
[libdefaults]
        dns_lookup_realm = false
        default_realm = ALEZEO.COM
        ticket_lifetime = 600
        kdc_req_checksum_type = 2
        checksum_type = 2
        ccache_type = 1
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

[kdc]
        profile = /krb5/var/krb5kdc/kdc.conf


[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/krb5/adm.log

[realms]
        ALEZEO.COM = {
                kdc = dsldap01.alezeo.com:88
                admin_server = dsldap01.alezeo.com:749
                default_domain = alezeo.com
        }

[domain_realm]
        .alezeo.com = ALEZEO.COM
        alezeo.com = ALEZEO.COM

[login]
    krb4_convert = 0


Here is my kdc.conf
============
[kdcdefaults]
        kdc_ports = 88

[realms]
        alezeo.com = {
                profile = /etc/krb5.conf
                database_name = /krb5/var/krb5kdc/principal
                admin_database_name = /krb5/var/krb5kdc/kadm5_adb
                admin_database_lockfile = /krb5/var/krb5kdc/
kadm5_adb.lock
                admin_keytab = FILE:/krb5/var/krb5kdc/kadm5.keytab
                acl_file = /krb5/var/krb5kdc/kadm5.acl
                kdc_ports = 88
                kadmind_port = 749
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des-cbc-crc
                supported_enctypes = des-cbc-crc:normal des:v4
        }


Any suggestions are appreciated!

TIA!
0
4/30/2009 1:03:16 PM
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

2 Replies
816 Views

Similar Articles

[PageSpeed] 38

alezeo.com should be upper case.
Realm names are always upper case! 


Met vriendelijke groet
Best regards
Bien � vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

-----Oorspronkelijk bericht-----
Van: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] Namens Rob
Verzonden: donderdag 30 april 2009 15:03
Aan: kerberos@mit.edu
Onderwerp: MIT Kerberos: Cannot resolve network address for KDC in realm

Hi:

I've been having a hard time getting MIT Kerberos up and running on solaris 10.

The latest of my problems is this error when i run kinit from the KDC.

dsldap01$ /krb5/bin/kinit rob/admin@alezeo.com
kinit(v5): Cannot resolve network address for KDC in realm alezeo.com while getting initial credentials

This sounds like a DNS problem, but I don't think it is.

dsldap01$ host -t A dsldap01.alezeo.com
dsldap01.alezeo.com has address 10.93.120.72

Also in my hosts file:
127.0.0.1       localhost
10.93.120.72    dsldap01.alezeo.com        dsldap01        loghost

Here is my krb5.conf
=============
[libdefaults]
        dns_lookup_realm = false
        default_realm = ALEZEO.COM
        ticket_lifetime = 600
        kdc_req_checksum_type = 2
        checksum_type = 2
        ccache_type = 1
        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

[kdc]
        profile = /krb5/var/krb5kdc/kdc.conf


[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/krb5/adm.log

[realms]
        ALEZEO.COM = {
                kdc = dsldap01.alezeo.com:88
                admin_server = dsldap01.alezeo.com:749
                default_domain = alezeo.com
        }

[domain_realm]
        .alezeo.com = ALEZEO.COM
        alezeo.com = ALEZEO.COM

[login]
    krb4_convert = 0


Here is my kdc.conf
============
[kdcdefaults]
        kdc_ports = 88

[realms]
        alezeo.com = {
                profile = /etc/krb5.conf
                database_name = /krb5/var/krb5kdc/principal
                admin_database_name = /krb5/var/krb5kdc/kadm5_adb
                admin_database_lockfile = /krb5/var/krb5kdc/ kadm5_adb.lock
                admin_keytab = FILE:/krb5/var/krb5kdc/kadm5.keytab
                acl_file = /krb5/var/krb5kdc/kadm5.acl
                kdc_ports = 88
                kadmind_port = 749
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des-cbc-crc
                supported_enctypes = des-cbc-crc:normal des:v4
        }


Any suggestions are appreciated!

TIA!
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

**** 
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. 
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. 
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.  
****  


0
4/30/2009 2:15:00 PM
On Apr 30, 10:15=A0am, miguel.sand...@arcelormittal.com wrote:
> alezeo.com should be upper case.
> Realm names are always upper case!
>


Thanks, that was it!
0
4/30/2009 5:33:02 PM
Reply:

Similar Artilces:

samba+kerberos "cannot resolve network address for KDC in requested realm"
Hi, i'm quite new on kerberos and samba so i hope my question is not so stupid and i hope somebody could help me. I'm trying to join a linux machine (3.0.14a-Debian) to a W2K3 domain a member . I would like to have ads security on it but i dont know why i get this message "cannot resolve network address for KDC in requested realm" when i try "net ads join -U myuser%mypassword". Maybe i did not give u enough information to know what's the problem. Thank's in advance --------------------------------- LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y m�viles desde 1 c�ntimo por minuto. http://es.voice.yahoo.com ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

MIT Kerberos KDC & W2K Client: Changing expired password issueMIT Kerberos KDC & W2K Client: Changing expired password issue
Hi, I also experienced the same problem as William G.Zereneh (http://mailman.mit.edu/pipermail/kerberos/2004-May/005341.html). I'm able to change the password using ctrl-alt-del, but when the password is expired and windows asks me to change the password, I encountered "Domain MIT.REALM.COM is not available" error. As I sniff the packet, it noticed that it sent a CLDAP query message with filter: (&(DnsDomain = MIT.REALM.COM)(Host = myhostname)(NtVer=\006) which is returned NULL by my _ldap._tcp.dc._msdcs.REALM.MIT.COM How to resolve this problem ? maybe there's a missing entry in my DNS ? Is it mandatory for the MIT Kerberos KDC (I installed it on RedHat Linux) to have an LDAP service to resolve the CLDAP request ? and can LDAP actually entertains CLDAP request since LDAP is using TCP while CLDAP is using UDP ? Can I resolve the CLDAP request using Windows 2000 server instead ? Any ideas will be very appreciated Regards from newbie, lara ===== ------------------------------------------------------------------------------------ La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit - Guy de Maupassant - ------------------------------------------------------------------------------------ __________________________________ Do you Yahoo!? Friends. Fun. Try the all-new Yahoo! Messenger. http://messenger.yahoo.com/ ____________________________________...

Cannot resolve network address for KDC in requested realm while
Dear sir, When I join the windows 2003 domain using the command kinit, while I am getting the error "cannot resolve network address for KDC is requested realm while getting initial credentials" Another one when I join the windows 2003 domain using the command " net ads join -U administrator" I am getting following error "utils/net_ads.c:ads_startup(186) ads_connect:No such file (or) directory" So kindly send the mail How to rectify this problem. With Regards R.Balaji ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

MIT Kerberos or Heimdal Kerberos?
Hi, How do I know the server install in the system is MIT Kerberos or Heimdal? I m using FreeBSD 5.2.1 Thanks sam ...

Cannot resolve network address for KDC in requested realm while getting initial credentials
On Red Hat linux 2.4.9 krb5-devel-1.2.2-24 krb5-libs-1.2.2-24 krb5-server-1.2.2-24 krb5-workstation-1.2.2-24 running everything on the local host I can run kinit.just fine: kinit test Password for test@host.COM: I can create a keytab file: kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5test test Entry for principal test with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test. Entry for principal test with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5test. However, I can't kinit using this keytab file: [root@host/var/kerberos/krb5kdc]$ kinit -k kadm5test kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials klist shows: [root@bde-idm3 /var/kerberos/krb5kdc]$ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: test@BDE-IDM3.US.ORACLE.COM Valid starting Expires Service principal 01/20/05 14:53:59 01/21/05 00:53:59 krbtgt/HOST.COM@HOST.COM Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached A secondary problem is now the password seems to have been changed after creating the keytab, and I can no longer kinit (without the keytab): [root@host /var/kerberos/krb5kdc]$ kinit test Password for test@host.US.ORACLE.COM: kinit(v5): Password incorrect while getting initial credentials For testing purposes I'm using my hostname as my realm name. I&#...

MIT Kerberos and Solaris 10 Kerberos
Greetings, everyone. We run a number of Solaris 8 systems using Sun's SEAM PAM implementation and MIT's Kerberos (which we're up to date on). We are starting to look at Solaris 10, and are hoping to move towards Sun's implementation of Kerberos. We are having a bit of trouble getting the two to talk properly, however. If we SSH (from production to test, for example) to a Solaris 8 machine, then we can rlogin (Kerberized) to the Solaris 10 machine and, from there, rlogin to a Sol8 machine again. If, however, we SSH directly to the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing various experiments (for example, trying to ksu on the Sol 10 machine), the only error we ever get is: ksu WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel. Kerberos password for ux5p@ATCOTEST.CA: : ksu: Server not found in Kerberos database while geting credentials from kdc Authentication failed. Doing an rlogin to a Sol 8 machine gives no errors at all; it just quietly fails. The above error seems to indicate that the Solaris 10 Kerberos isn't passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon certain differences, would not be a big surprise). Has anyone gotten this to work? The Sol 10 system is using the default Solaris 10 PAM implementation as well; not sure if this is part of the problem, but the configuration files are significantly different. Th...

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list, kinit (krb5 1.4.2) on an AIX 5.3 gives me # /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf and foobar.keytab to AIX 5.3. The following steps don't defer to the steps I did under Linux. # ./configure --without-krb4 --enable-shared # make && make install Using gcc 3.3.2. I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far as I see it is fixed in 1.4.2. My krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.NET clockskew = 300 [realms] EXAMPLE.NET = { kdc = foo.example.net:88 admin_server = foo.example.net:749 default_domain = example.net kpasswd_server = foo.example.net } [domain_realm] .example.net = EXAMPLE.NET example.net = EXAMPLE.NET [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Trying to analyze with tcpdump I s...

krb5 1.6 beta 3 on Debian Lenny : kinit(v5): Cannot resolve network address for KDC in realm
I have an issue standing, where I am unable to kinit to get my Krb5 TGT locally on the KDC, but have no problems doing the same on one of my client machines. I don't care too much about this issue for as long as we talk Kerberos credentials on the server itself, however I am really puzzled by this behaviour ... Whenever I execute: kinit <user> I get: kinit(v5): Cannot resolve network address for KDC in realm EXAMPLE.COM while getting initial credentials My /etc/resolv.conf looks like this: domain example.com search example.com nameserver 127.0.0.1 My /etc/hostname looks like this: 127.0.0.1 localhost My /etc/krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.COM ticket_lifetime = 12h renew_lifetime = 7d dns_fallback = no kdc_timesync = 3 ccache_type = 4 renewable = true forwardable = true forward = true proxiable = true noaddresses = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5 # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-c...

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher, I had the exact same problem. I was given 2 patches for KRB 1.4.1 and it fixed the problem. I applied the patches to my 1.4.2 source and the problem is resolved there too. Here are the patches: DNSGLUE.C Patch: *** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005 --- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005 *************** *** 62,68 **** --- 62,76 ---- char *host, int nclass, int ntype) { #if HAVE_RES_NSEARCH + #ifndef LANL struct __res_state statbuf; + #else /* LANL */ + #ifndef _AIX + struct __res_state statbuf; + #else /* _AIX */ + struct { struct __res_state s; char pad[1024]; } statbuf; + #endif /* AIX */ + #endif /* LANL */ #endif struct krb5int_dns_state *ds; int len, ret; LOCATE_KDC.C Patch: >*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May 5 08:06:45 2005 >--- ./src/lib/krb5/os/locate_kdc.c Thu May 5 11:34:27 2005 >*************** >*** 267,275 **** >--- 267,283 ---- > memset(&hint, 0, sizeof(hint)); > hint.ai_family = family; > hint.ai_socktype = socktype; >+ #ifndef LANL > #ifdef AI_NUMERICSERV > hint.ai_flags = AI_NUMERICSERV; > #endif >+ #else /* LANL */ >+ #ifndef _AIX >+ #ifdef AI_NUMERICSERV >+ hint.ai_flags = AI_NUMERICSERV; >+ #endif >+ #endif /* _AIX */ >+ #endif /* LANL */ > sprintf(portbuf, "%d", ntohs(port)); > sprintf(s...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...

OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two actions can be accomplished by a separate process, which can be forked and execd by the sshd and passed the environment which may have a KREB5CCNAME pointing at the Kerberos ticket cache Other parameters ...

RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response. > > We run a number of Solaris 8 systems using Sun's SEAM PAM > implementation > > and MIT's Kerberos (which we're up to date on). We are > starting to look > > at Solaris 10, and are hoping to move towards Sun's > implementation of > > Kerberos. We are having a bit of trouble getting the two to talk > > properly, however. > > I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos. > It is linked directly with the Solaris Kerberos libraries (private). I am trying to get the Solaris Kerberos (SEAM) on the Sol 10 system to talk to the MIT Kerberos on the KDC and other Solaris 8/MIT systems. > Solaris 10 Kerberos interops very well with MIT, Heimdal, and > Microsoft. > It has support for all of the enctypes (AES, RC4, 3DES, DES) finally. But I can't seem to get it to work. > > If we SSH (from production to test, for example) to a > Solaris 8 machine, > > then we can rlogin (Kerberized) to the Solaris 10 machine and, from > > there, rlogin to a Sol8 machine again. If, however, we SSH > directly to > > the Solaris 10 machine, we cannot rlogin to a Solaris 8 > machine. Doing > > various experiments (for example, trying to ksu on the Sol > 10 machine), > > the only error we ever get is: > > > > ksu > > WARNING: Your password may be exposed if you enter it here and are &g...

FW: MIT Kerberos and Solaris 10 Kerberos
Sorry, I accidentally sent this reply just to Wyllys. In the interest of keeping the thread complete, I'll put it to the list as well. R > That's because Solaris 10 'kadmin' uses RPCSEC_GSS and > MIT uses a slightly different RPC protocol. This is not a new > issue, its been a problem ever since we introduced SEAM. > > The solution is that if your KDC is MIT, then you must use the MIT > 'kadmin' client to manage it. OK, thanks. So, I'll have to keep the MIT binaries around as well... Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Replacing the system Kerberos with MIT Kerberos (from ports)
Is there a way to replace the Heimdal Kerberos libraries included in the FreeBSD base system with the MIT Kerberos libraries installed from the security/krb5 port? I know about the KRB5_HOME make option. I'm concerned about other "Kerberized" applications not working properly because they use the wrong client libraries, hence my desire to completely replace Heimdal with MIT Kerberos. The Heimdal Kerberos libraries shipped with the FreeBSD base system don't support TCP, so when a KDC replies to a client request with a response larger than the maximum UDP packet size, the Kerberos libraries return an error to the client instead of switching to TCP (which can handle large responses). I routinely encounter this problem when integrating FreeBSD servers and workstations into Windows Active Directory domains, where the KDC responses include additional authorization data derived from a security principal's group memberships: Samba's "net ads join" command fails with a "response too big for for UDP, retry with TCP" error when linked against Heimdal, but it succeeds (and everything else works properly) when linked against MIT Kerberos. (Note that I'm not willing to debate the semi-standard/non-standard inclusion of authorization data in a Kerberos ticket's PAC, nor am I willing to argue the applicability of the aforementioned operating systems to their assigned tasks.) Best wishes, Matthew ...

MIT Kerberos production realm = mirror/copy to a test/dev realm?
Greetings, The production Kerberos realm is decades old. Never had a �real� test/development realm until now. Don�t ask! How to best create or mirror an existing realm of all principals and all their information, except its under a new realm for testing of all that is to be implemented in the future? My thinking with what I know its not possible considering how everything is meshed in a combination of realm/passwords/salts�etc. But I ask just in case I am missing something. Insights? Thank you, Tareq _____ Tareq.Alrashid@CASE.EDU ITS Middleware - 10900 Euclid Avenue, Crawford 422 Cleveland, OH 44106-7072 U.S.A. ...

RE: MIT Kerberos and Solaris 10 Kerberos #4
Thanks. We'll have to keep our eyes open for 5-1.4. Rainer > -----Original Message----- > From: Tom Yu [mailto:tlyu@mit.edu] > Sent: Tuesday, January 11, 2005 11:12 AM > To: Wyllys Ingersoll > Cc: Heilke, Rainer; kerberos@mit.edu > Subject: Re: MIT Kerberos and Solaris 10 Kerberos > > > >>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll@sun.com> writes: > > Wyllys> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and > Wyllys> MIT uses a slightly different RPC protocol. > > [...] > > Wyllys> There have been patches submitted to the MIT codebase to make > Wyllys> it able to support RPCSEC_GSS (and thus interop with > Solaris kadmin), > Wyllys> but Im not sure if those are in the latest release or not. > > RPCSEC_GSS support will be present in krb5-1.4 (currently in beta). I > have done a brief successful interop test against SEAM's kadmin > protocol. Independent confirmation would be useful. > > ---Tom > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially using our MIT Kerberos build (i.e. the same as we use on all of the Solaris 8 machines). I am now trying to get it to work with the Solaris 10 SEAM. One problem I see immediately (refreshing my memory with a couple quick tests) is that, when using the Sol10 SEAM to install the keytab, I immediately get: # kadmin -p rheilke/admin Authenticating as principal rheilke/admin@ATCOTEST.CA with password. Password for rheilke/admin@ATCOTEST.CA: kadmin: ktadd host/salty.atcotest.ca kadmin: Communication failure with server while changing host/salty.atcotest.ca's key kadmin: So, the Sol10 SEAM cannot seem to talk to the KDC. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Heilke, Rainer wrote: > BTW, as a further clarification, the system was installed initially > using our MIT Kerberos build (i.e. the same as we use on all of the > Solaris 8 machines). I am now trying to get it to work with the Solaris > 10 SEAM. > > One problem I see immediately (refreshing my memory with a couple quick > tests) is that, when using the Sol10 SEAM to install the keytab, I > immediately get: > > # kadmin -p rheilke/admin > Authenticating as principal rheilke/admin@ATCOTEST.CA with password. > Password for rheilke/admin@ATCOTEST.CA: > kadmin: ktadd host/salty.atcotest.ca > kad...

RE: MIT Kerberos and Solaris 10 Kerberos #5
> > Can we force the Sol10 box to only use DES, to be > compatible with the > > Sol8/MIT systems (which is everything but the one Sol10 box)? > > If you are using MIT Kerberos on the Solaris 8 systems (including > pam_krb5 made for MIT, not the one that comes with SEAM), then > you should not worry about the enctypes because MIT already > supports all of the enctypes that S10 supports. > > The only time you need to worry about enctypes is when you > are using pre-S10 systems with SEAM apps. IN that situation, > ONLY the pre-solaris 10 systems need to have the DES keys, > it is perfectly acceptable for the S10 systems to have AES > and S8/S9 to have DES. This should not affect interop if > your keytabs are correctly populated on the pre-S10 boxes. Excellent, thanks. That makes life significantly easier. > earlier comments, > > they already are DES; is that correct? > > > > Not necessarily. If your S8 systems are MIT, then you don't > really need to worry much about the enctype support because > MIT has support for all enctypes (DES through AES-256). Right, as per your comments above. :-) > If you use a 3rd party pam_krb5 library that links with MIT > Kerberos, then you should not have any enctype issues on > Solaris 8. We aren't using any Sol8 SEAM (all MIT, except for the new Sol10 box), using the MIT libs. > You may be seeing problems on your S8 systems because ...

RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline... > In Solaris 10, all of the Kerberos services are already bundled, > there is no longer any external packages that need to be added. Right. > Whoever told you 'ksu' was part of the encryption kit was mistaken, > ksu has never been part of SEAM. OK, thanks for that clarification. It was a bit of a surprise to me when I was told it was there. So, does the Solaris 10 SEAM have any functionality similar to ksu, or just the standard su command? > The encryption kit for Solaris 10 enhances the overall crypto > capabilities of the system, the only benefit Kerberos gets is > that it can support AES-256 with the S10 encryption kit. > Without the S10 encryption kit, the strongest AES crypto > available for Kerberos in S10 is AES-128. And this fits more with what I understood, before my co-worker's comments. > On the S10 system, you must make sure to enable the "eklogin" service. > Run this command (as root): > > # svcadm enable eklogin Hmm. That may be a good part of my problem. I added the inetd.conf entry for the old (MIT) eklogin, and ran inetconv. So, this is probably really confusing the system. I'll try to revert that, and do the svcadm. > For Solaris 8 with the SEAM rlogin daemon, make sure your > inetd.conf entries > are correct. We don't actually run SEAM on any Sol8 systems; it's all MIT. > Don't bother with inetd.conf in S10, ...

RE: MIT Kerberos and Solaris 10 Kerberos #6
OK, I think I have fixed the services. I have: # svcs -v | grep login online - 13:25:02 35 svc:/system/console-login:default online - 13:25:11 - svc:/network/login:eklogin online - 13:25:12 - svc:/network/login:klogin online - 13:25:12 - svc:/network/login:rlogin (Just to make sure, those ARE the correct versions? The ones I removed looked like: # svcadm disable svc:/network/klogin/tcp:default # svcadm disable svc:/network/eklogin/tcp:default The first entry in the svcs listing is, I assume, my root console login via the terminal server.) Or did I cancel the wrong two? If I use the MIT rlogin to go to another server, this fails (and no message gets logged on the KDC). I expect this is correct behaviour (needing the SEAM version). So, where do I find the Solaris 10 SEAM version of rlogin? The rlogin in /bin seems to be the old, un-Kerberized one, or is this actually a Kerberized one? In which case, it never seems to get a connection, and again, doesn't log anything on the KDC. I can use the Solaris 8/MIT rlogin to go from one of the old Solaris 8/MIT systems to the Solaris 10 box. Thanks again. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos e@atcoitek.com wrote: > OK, I think I have fixed the services. I have: > # svcs -v | grep login > online ...

A Query on MIT Kerberos code base and latest RFC on Kerberos ?
Hi All, I have a small query regarding MIT Kerberos and it will be kind if anyone can address it. I wanted to know whether the latest RFC's: RFC 4120 - The Kerberos Network Authentication Service (V5) RFC 4121 - The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 ...are already a part of MIT Kerberos code base or is it schedule to be a part for MIT code base ? If so what will be the rough time frame. � Thanks n regards, Prashant ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Help on Unix kerberos client->win2k3 kerberos KDC
Hello, I am a newbie to kerberos authentication, and what I am trying to do is to use a Unix ldap client authenticate to the win2k3 server, and add a user to it. The way I tried to do is by following MIT's tutorial and sample code under www.mit.edu/afs/athena/astaff/project/ ldap/AD99/kerberossamp.txt. and I configured the Unix machine based on Microsoft tutorial http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp =========> I can successfully import a tgt from win2k3 KDC server by running kinit, here is the result: $ kdestroy $ kinitPassword for mw...

Important Notice Regarding Kerberos 4 Support in MIT Kerberos
This comes from a message distributed to another list but I thought it might be useful here too. On January 27th of this year, the MIT Kerberos Development team announced plans to phase out support for Kerberos 4 in MIT Kerberos, including v4 support in Kerberos for Macintosh and Kerberos for Windows. We strongly recommend that all sites currently using Kerberos 4 migrate their services and users to Kerberos 5 as soon as possible. The MIT Kerberos team is making substantial changes to the client-side initial ticket acquisition support in the next release of Kerberos. These changes will improve the user experience for users who get tickets for multiple realms that do not share keys. Because we are no longer dedicating resources for new Kerberos 4 features, this new code will only support Kerberos 5. As a result, sites using Kerberos 4 will not be able to take advantage of this new feature. In addition, since this feature will be replacing existing code in Kerberos for Macintosh and Kerberos for Windows, the Kerberos 4 user experience on Windows and Mac OS X will be noticeably worse than in previous releases. The first major changes which impact Kerberos 4 support are currently scheduled for krb5-1.5 (May of 2006), Kerberos for Macintosh 6.0 (which will ship with Mac OS X Leopard), and Kerberos for Windows 3.1 (approximately June 2006). We have no plans to remove Kerberos 4 support from earlier major releases of any of our products (ie: krb5 1.4.x, KfM 5.5.x (Tiger) a...

are referrals implemented in the MIT Kerberos KDC?
Hello, I saw some messages on this mailing from 2005 and last year on this topic, but I wanted to check what the current status of this is. Does the MIT Kerberos KDC currently implement client or server referrals, as per Internet draft http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-11 ? I can see that the MIT Kerberos client-side library implements referrals (at least server referrals) by setting hthe "canonicalize" bit in KDC requests. However, I can't see any code in the Kerberos KDC source code that checks this bit and canonicalizes the name. I am using the MIT Kerberos 1.6.3. release. The release notes say "Partial client implementation to handle server name referrals" Can you please shed a little light on this or point me to something that explains this? Thank you. Best Regards, Peter Djalaliev ...

Web resources about - MIT Kerberos: Cannot resolve network address for KDC in realm - comp.protocols.kerberos

Resources last updated: 3/10/2016 9:44:18 PM