MIT Kerberos clients and Windows KDC

Hi all,

I am trying to make an embedded device part of the Windows domain and
use the Windows DC as KDC for my embedded device. The embedded device has MIT
Kerberos. I am using the GSS API.

* How can we get the TGT for the server programmatically (transparently),
without user intervention?

* If the device restarts, then do I need to store the TGT in persistent
memory?

* If I am not wrong, Microsoft adds the PAC data, which has no limitation of
size. I have memory constraints. Is it required to store the TGT in non-
volatile memory? I need this info since I am trying to find out, in case
the embedded device reboots, whether I need to store the TGT in non-volatile
memory or I can get it again after the device comes up.

* Assume that a client is accessing services on the embedded device via
Kerberos and a successful Kerberos session is already established. If at
this point the embedded device reboots and the device gets a TGT again,
will it alter the communication in any way?

Could anybody please respond to these queries?

Regards

11/18/2005 8:54:49 AM
comp.protocols.kerberos


In article 1132304089.372626.30620@g49g2000cwa.googlegroups.com,
sandypossible@gmail.com wrote on 11/18/05 2:54 AM:

> Hi all,
> 
> I am trying to make an embedded device part of the Windows domain and
> use the Windows DC as KDC for my embedded device. The embedded device has MIT
> Kerberos. I am using the GSS API.
> 
> * How can we get the TGT for the server programmatically (transparently),
> without user intervention?

Just think of the device as a person: you create an AD account and assign a
password. Put the password in the device in a way that does not disclose
the password to anyone that should not know it. You also need to put the
device account's user principal name in the device.

Store the device password in non-volatile memory. Use the password and
device account user principal name to call krb5_get_init_creds_password.
The TGT lifetime will be 10 hours by default.

> 
> * If the device restarts, then do I need to store the TGT in persistent
> memory?

You would probably be better off just using your stored password to get a
new TGT using krb5_get_init_creds_password.
> 
> * If I am not wrong, Microsoft adds the PAC data, which has no limitation of
> size. I have memory constraints. Is it required to store the TGT in non-
> volatile memory? I need this info since I am trying to find out, in case
> the embedded device reboots, whether I need to store the TGT in non-volatile
> memory or I can get it again after the device comes up.

I doubt that you would need to put an embedded device account into very many
groups. The fewer groups, the less PAC data. PAC data doesn't just get
added for no reason, so you can limit its size by limiting the data that
gets stored in the PAC. Limit the groups the embedded device is in.
> 
> * Assume that a client is accessing services on the embedded device via
> Kerberos and a successful Kerberos session is already established. If at
> this point the embedded device reboots and the device gets a TGT again,
> will it alter the communication in any way?
> 

It is hard to imagine how your device can reboot but maintain its network
connection state. If the device needs to make new network connections,
getting new service tickets should not really be a concern to you, since it
happens automatically when you use GSSAPI. All you really need to worry
about is getting your initial credentials (TGT) using the device password.

> Could anybody please respond to these queries?
> 
> Regards
> 


kerygma2 (10)
11/20/2005 7:42:16 PM

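The boot-time procedure the reply describes (a device account with a long-term credential kept on the device, a fresh TGT fetched at each boot instead of a persisted one, and service tickets left to GSSAPI), written out as an added example that is not part of the original thread. It is a POSIX shell script for the device's init sequence built on the MIT kinit and klist tools. It substitutes a keytab (the device key as exported by the DC, e.g. with ktpass) for the clear-text password the reply suggests passing to krb5_get_init_creds_password, so the secret kept on flash is the key rather than the password; the principal name, keytab path, cache path and lifetime values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): obtain the device's TGT at
# boot from a keytab on non-volatile storage, keeping the TGT itself only in
# volatile storage. Principal, keytab and cache paths below are placeholders.

DEVICE_PRINC="${DEVICE_PRINC:-host/device01.example.com@EXAMPLE.COM}"
DEVICE_KEYTAB="${DEVICE_KEYTAB:-/flash/etc/device.keytab}"
# A cache on tmpfs: it disappears on reboot, which is fine because the
# keytab lets us get a new TGT without anyone typing a password.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/run/krb5cc_device}"

# ensure_tgt: return 0 when the cache holds an unexpired TGT, fetching a new
# one from the keytab if it is missing or expired; return 1 on failure.
ensure_tgt() {
    # klist -s exits 0 only if the cache contains unexpired tickets.
    if klist -s 2>/dev/null; then
        return 0
    fi
    # -k: authenticate with a keytab, -t: keytab path, -l: requested ticket
    # lifetime, -r: requested renewable lifetime. The KDC clamps both to
    # domain policy (10 h and 7 d by default on Active Directory).
    if ! kinit -k -t "$DEVICE_KEYTAB" -l 10h -r 7d "$DEVICE_PRINC" 2>/dev/null; then
        return 1
    fi
    klist -s 2>/dev/null
}

# When invoked as "ensure_tgt.sh run" (from an init hook or a periodic job),
# make one acquisition attempt and report failure on the exit status.
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    ensure_tgt || { echo "could not obtain TGT for $DEVICE_PRINC" >&2; exit 1; }
fi
```

Run it once from the init system and again from a periodic job; because the cache is checked first, repeated invocations only contact the KDC when the TGT is missing or expired. Nothing but the keytab needs to survive a reboot, and a stolen TGT is useless after its 10-hour lifetime whereas the keytab is valid until the account password is rotated, so the keytab is the file to protect.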
