MIT KDC & Windows Client
Hello,
I've been experimenting with Heimdal Kerberos for cross-realm authentication, for Windows 2000 clients to authenticate to a Heimdal KDC, and just found out that there seems to be a problem with password-change interoperability between the Win2k client and the Heimdal KDC.
Therefore, I intend to switch to MIT Kerberos but need to confirm the interoperability features of the MIT KDC and Windows clients:
1. Is there any issue of change-password incompatibility between the MIT KDC and Windows clients? Will a user on a Win2k / WinXP machine be able to change his/her password in the MIT KDC using Ctrl-Alt-Del or when the password is expired?
In the following link:
http://mailman.mit.edu/pipermail/kerberos/2004-April/005326.html,
Jeffrey Altman wrote:
"I have just tested MIT KDC 1.3.3 with two machines. One which is part of a Windows domain which uses cross-realm trust with a MIT KDC to perform login. In this case the password change does not appear to work on expiration."
Has anyone found a way to solve the above problem? Or is this still a limitation of the interoperability between the MIT Kerberos KDC and Windows clients?
2. Quoting from the paper of Michael Swift, Irina Kosinovsky and Jonathan Trostle titled Implementation of Crossrealm Referral Handling in the MIT Kerberos Client:
"The Windows 2000 client does not canonicalize names at all, so the short name is sent to the KDC."
Hence, if my understanding is correct, a request for service: host...
Request to change MIT Kerberos behavior when principal is expired, deleted or password changed
Hi everyone,
I would like to request a change in how MIT Kerberos behaves. I would like KDCs to reject all requests to issue or renew tickets if the principal is deleted or expired.
On a different note, it couldn't hurt to discuss rejecting old tickets after a password change as well.
The current behavior is that a valid ticket may be renewed even if the principal has expired, the principal is deleted, or the password has been changed after the tickets were issued.
I appreciate any help in how to request this.
Thanks,
Jason
Password change (MIT kerberos & Windows AD)
Hi
I have the following problem.
MIT Kerberos working together with a Windows 2000 domain with cross-realm trust.
Users can authenticate themselves on a W2K workstation against the MIT Kerberos realm.
As I see it, everything works fine with authentication.
But....
When a user attempts to change his/her Kerberos password, the password change attempt fails with the following error:
"Unable to change the password on this account due to the following error: 1326: Logon Failure : unknown user name or bad password"
Currently we have implemented Kerberos user names with the first letter capitalized.
For testing purposes I created a user name with only small letters. And voila. Password changed successfully.
So when the user name consists of only small letters, password change works, but when the user name's first letter is capitalized, password change does not work..... Where is the problem????
******
kdc.log
Nov 2 12:03:32 src@host krb5kdc[19607]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.100: ISSUE: authtime 1099389812, etypes {rep=3 tkt=1 ses=1}, Username@REALM.COM for kadmin/changepw@REALM.COM
Nov 2 12:03:32 src@host krb5kdc[19607]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.0.100: ISSUE: authtime 1099389812, etypes {rep=3 tkt=1 ses=1}, Username@REALM.COM for kadmin/changepw@REALM.COM
Nov 2 12:03:32 src@london2 krb5kdc[19607]: DISPATCH: repeated (retransmitted?) request from 192.168.0.100, resending previous response
Nov 2 12:03:32 src@london2 krb5kdc[19607]: DISPATCH: repeated (retransmitted?)...
RHEL6 not forcing password change when logging in with expired kerberos password
Hello
I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their Kerberos password when it is expired.
RHEL5 works as I'd expect: it challenges me to change my expired Kerberos password when I log in.
The RHEL6 server knows the Kerberos password is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket; klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)).
Also on RHEL6 servers, if I manually enter kinit after ssh'ing I get prompted...
Help on Unix kerberos client->win2k3 kerberos KDC
Hello,
I am a newbie to Kerberos authentication, and what I am trying to do is to have a Unix LDAP client authenticate to the win2k3 server and add a user to it.
The way I tried to do it is by following MIT's tutorial and sample code under
www.mit.edu/afs/athena/astaff/project/ldap/AD99/kerberossamp.txt, and I configured the Unix machine based on the Microsoft tutorial
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
=========>
I can successfully import a TGT from the win2k3 KDC server by running kinit; here is the result:
$ kdestroy
$ kinit
Password for mwang@SYSTEST.abc.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1023
Default principal: mwang@SYSTEST.abc.COM
Valid starting Expires Service principal
10/31/03 17:53:08 11/01/03 03:50:48 krbtgt/SYSTEST.abc.COM@SYSTEST.abc.COM
renew until 11/01/03 17:53:08
Kerberos 4 ticket cache: /tmp/tkt1023
klist: You have no tickets cached
===========>
Then I tried to run the adduser program; I made a little change to the code to set some default values. Here is the result: (New user account is: nweuser)
LDAP service name: ldap@bloomber-vy45cz.systest.abc.com
==> client_establish_context
Sending init_sec_context token (size=1254)...
60 82 04 e2 06 09 2a 86 48 86 f7 12 01 02 02 01
00 6e 82 04 d1 30 82 04 cd a0 03 02 01 05 a1 03
02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 04 05
61 82 04 01 30 82 03 fd a0 03 02 01 05 a1 17 1b
15 53 59 53 54 45 53 54 2e 42 4c 4f 4f 4d 42 45
52...
MIT Kerberos password change
I have MIT Kerberos with an LDAP backend. I change my password simply with kadmin or kpasswd, but now I want to include our designers and some other people in the Kerberos auth.
But I can't show them how they can change the password on the command line :P
So, is there any nice web interface to change a Kerberos password?
Thanks
...
MIT Kerberos clients and Windows KDC
Hi all,
I am trying to make an embedded device part of the Windows domain and use the Windows DC as KDC for my embedded device. The embedded device has MIT Kerberos. I am using the GSS API.
* How can we get the TGT for the server programmatically (transparently) without user intervention?
* If the device restarts, then do I need to store the TGT in persistent memory?
* If I am not wrong, Microsoft adds the PAC data, which has no limitation of size. I have memory constraints. Is it required to store the TGT in non-volatile memory? I need this info since I am trying to find out, in case the embedded device reboots, whether I need to store the TGT in non-volatile memory or I can get it again after the device comes up.
* Assuming that a client is accessing services on the embedded device via Kerberos and a successful Kerberos session is already established: if at this point the embedded device reboots and the device gets a TGT again, will it alter the communication in any way?
Could anybody please respond to these queries?
Regards
in article 1132304089.372626.30620@g49g2000cwa.googlegroups.com, sandypossible@gmail.com at sandypossible@gmail.com wrote on 11/18/05 2:54 AM:
> Hi all,
>
> I am trying to make an embedded device part of the Windows domain and
> use the Windows DC as KDC for my embedded device. The embedded device has MIT
> Kerberos. I am using the GSS API.
>
> * How can we get the TGT for the server programmatically (transparently
> ) without u...
Change password without old password in kerberos 5 on linux
Hello
I'm having a problem changing a user's password, in the event that
they forgot their password.
I'm creating a CGI script in C, since we're trying to automate
forgotten password.
I can use the script to change a user's password by using the
function krb5_get_init_creds_password in krb5.h. Unfortunately I can't
use the function krb5_change_password without calling the previous
function.
I've read that krb5_get_init_creds_password creates a TGT for the user,
so he or she is able to change their password.
But the idea is that the user can change their password without
authenticating with their old password first.
Is this possible?
Hope you all can help!
Regards
Claus Nielsen
...
Kerberos password expiration
Hello All,
I am searching for the right way to implement a password expiration on a per-user basis. My goal is to set the password expiration of the users to 90 days, but it is not that clear how it works.
I have the users already working, but now how can I set a password expiration policy?
Any hint (I have googled a little, but I don't find anything interesting) is welcome.
Cordially,
Claudio Prono.
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
...
Changing password with MIT Kerberos for Windows 2.5
Hello everyone:
I've downloaded and installed MIT Kerberos for Windows 2.5 on a Windows XP system. I've configured it to connect to a Heimdal KDC, a non-Windows realm. I'm able to obtain a ticket using the Leash Kerberos Ticket Manager and the kinit utility from the command line. The problem I'm having is not being able to change the password from Leash and not having a kpasswd utility available.
The error I get, using Leash, when I attempt to change the password is: "could not connect to server." Can I do it from the command line? How do I obtain a kpasswd utility to change the password?
Can somebody help me... Thanks!
-Ruben
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>> "Ruben" == Ruben Becerra <Ruben.H.Becerra@jpl.nasa.gov> writes:
Ruben> Hello everyone: I've downloaded and installed MIT Kerberos
Ruben> for Windows 2.5 on a Windows XP system. I've configured it
Ruben> to connect to a Heimdal KDC, a non windows realm. I'm able
Ruben> to obtain a ticket using Leash Kerberos Ticket Manager and
Ruben> the kinit utility from the command line. The problem I'm
Ruben> having is not being able to change the password from Leash
Ruben> and not having a kpasswd utility available.
I'm not sure this is the problem you are having, but until fai...
linux clients for W2K domains. (key words samba kerberos ldap winbind clients)
I want to have my Linux workstations (20-30 of them) authenticate against the domain and automount user home directories into /home/username (rather like a NIS domain does for our Solaris network).
The howtos I am reading on this topic seem to refer to Linux and Windows clients talking to Samba servers.
I do have one Linux server on the domain, but the users' home shares (for normal Windows sessions) are on a W2K fileserver, and to get the Linux server authenticating for users' web spaces I have used pam_smd and the users are all known to the Linux server because they have accounts on it.
Wher...
Kerberos Password change over WWW
Hi,
I'm using Linux, OpenLDAP and MIT Kerberos with mod_auth_kerb over SSL for
website authentication and single-sign-on.
Is there an open-source product that is secure and will permit password
changes to kerberos via the web (e.g. .cgi program or similar). I am
expecting the user to have already authenticated with their existing
username / password - this is so they can then change their current
password.
Thanks,
Brett
...
Kerberos password change specification
Hello.
I was wondering where the specification for the original Kerberos Change Password protocol is, as I could not find it so far. RFC 3244 only details the Windows extension, and from what I've seen of RFC 1510, there is no mention of how the password change actually works (or I've missed it somehow).
Why does RFC 1510 refer to the password change service (example: "(The
password-changing request must not be honored unless the requester can
provide the old password (the user's current secret key)"), but not
actually specify how it works, or refer to some other document that does?
I've searched a bit more and found these documents:
http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-set-passwd-00
Are these the specifications? If so, why are these still drafts, whereas
Kerberos is fairly old and mature?
I'm not familiar with Kerberos history unfortunately, so I'm confused by
this.
Regards
--
Bruno Medeiros
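As an added illustration of the two protocols asked about above (this is example code written for this page, not code from any post here or from MIT krb5 or Heimdal), the following models the outer framing shared by the original change-password protocol (draft-ietf-cat-kerb-chg-password, version number 0x0001) and the RFC 3244 set-password extension (version number 0xff80), plus the result codes RFC 3244 section 2 defines. The AP-REQ, AP-REP and KRB-PRIV bodies are treated as opaque byte strings and the sample values are constructed; a real client would produce them with krb5_mk_req / krb5_mk_priv and the server would have to verify and decrypt them before it could read anything. The constructed scenario at the end is a client sending the set-password version to a server that only accepts the original version, which is the situation that yields result code 6 (KRB5_KPASSWD_BAD_VERSION).

```python
"""
Outer framing of the Kerberos change-password protocol (kpasswd, port 464)
and of its RFC 3244 set-password variant.

Added example; not code from any post on this page or from MIT krb5.
AP-REQ/AP-REP/KRB-PRIV bodies are opaque here; the sample bytes below are
constructed and are not real Kerberos messages.
"""
import struct

VERSION_CHANGEPW = 0x0001  # original change-password protocol
VERSION_SETPW = 0xFF80     # RFC 3244 set-password extension

# Result codes from RFC 3244 section 2; they occupy the first two bytes of
# the user data inside the reply's KRB-PRIV.
RESULT_CODES = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
}

# message length (2) | protocol version (2) | AP-REQ/AP-REP length (2)
HEADER = struct.Struct("!HHH")


def build_message(version, ap_part, priv_part):
    """Frame a request (AP-REQ + KRB-PRIV) or a reply (AP-REP + KRB-PRIV)."""
    length = HEADER.size + len(ap_part) + len(priv_part)
    if length > 0xFFFF:
        raise ValueError("message does not fit the 16-bit length field")
    return HEADER.pack(length, version, len(ap_part)) + ap_part + priv_part


def parse_message(msg):
    """Split a framed message into its parts; raise ValueError if malformed."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than the 6-byte header")
    length, version, ap_len = HEADER.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field %d does not match %d bytes on the wire"
                         % (length, len(msg)))
    if HEADER.size + ap_len > length:
        raise ValueError("AP length runs past the end of the message")
    ap_part = msg[HEADER.size:HEADER.size + ap_len]
    priv_part = msg[HEADER.size + ap_len:]
    # In a reply, an AP length of zero means the remainder is a KRB-ERROR.
    return {"version": version, "ap": ap_part, "priv": priv_part,
            "is_error": ap_len == 0}


def build_result_data(code, message=b""):
    """User data sealed inside the reply's KRB-PRIV: 2-byte code + text."""
    if code not in RESULT_CODES:
        raise ValueError("unknown result code %d" % code)
    return struct.pack("!H", code) + message


def parse_result_data(data):
    if len(data) < 2:
        raise ValueError("result data shorter than the 2-byte code")
    (code,) = struct.unpack("!H", data[:2])
    return code, RESULT_CODES.get(code, "UNKNOWN(%d)" % code), data[2:]


def server_handle(request, supported_versions=(VERSION_CHANGEPW,)):
    """Version dispatch only: returns the result data a server would seal
    into its reply. Ticket verification and the change itself are out of
    scope for this example."""
    parsed = parse_message(request)
    if parsed["version"] not in supported_versions:
        return build_result_data(6, b"requested protocol version not supported")
    return build_result_data(0)


def tcp_frame(msg):
    """Over TCP the same message is preceded by a 4-byte big-endian length."""
    return struct.pack("!I", len(msg)) + msg


# Constructed sample bodies (not real DER-encoded Kerberos messages).
SAMPLE_AP_REQ = b"\x6e\x82\x00\x10" + b"A" * 16
SAMPLE_KRB_PRIV = b"\x75\x82\x00\x08" + b"P" * 8


def demo():
    """Set-password client against a server that only speaks version 0x0001."""
    request = build_message(VERSION_SETPW, SAMPLE_AP_REQ, SAMPLE_KRB_PRIV)
    code, name, text = parse_result_data(server_handle(request))
    return name, text.decode()


if __name__ == "__main__":
    print(demo())
```

The point to take from the header is that the version field is the only thing distinguishing the two dialects on the wire; a kpasswd server decides at that field, before looking at the AP-REQ, whether it will even attempt to decrypt the request.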
...
password expiration field set to none after password change
Is there a way to set the 'password expiration' field with modprinc (-pwexpire) to be constant.
Currently I've set it at @ 30 days.
When this date is reached , the user changes their expiring password,
which is all good.
However the password expiration field is then reset to 'None':
Password expiration date: [none]
I have a script that goes round and changes the expiration for another
30 days, so that's OK. But is there a way the value for password
expiration can be constant and not reset.
(using aix nas/kerberos 5)
Thanks
pete
On Wed, 2010-10-13 at 11:23 -0400, peter sands wrote:
> I have a script that goes round and changes the expiration for another
> 30 days, so that's OK. But is there a way the value for password
> expiration can be constant and not reset.
Create a password policy, set its maxlife parameter, and associate that
policy with the user principals (perhaps with a script). Example:
addpol -maxlife "30 days" users
modprinc -policy users user1
Or, if you already have a password policy for user principals, just use
something like:
modpol -maxlife "30 days" policyname
> (using aix nas/kerberos 5)
I think the functionality I've described has been in MIT krb5 for a long
time, and thus should be present in the version you're using, but I
can't be certain.
thanks that works
pete
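The "perhaps with a script" step of the answer above, as an added example written for this page (not code from the thread or from MIT krb5): it takes the principal list as printed by `kadmin.local -q listprincs`, keeps only plain user principals of the realm (dropping K/M, krbtgt/, kadmin/ and any principal with a `/` component), and generates the `addpol` / `modprinc -policy` commands for one kadmin.local session. Assumptions: kadmin.local is on PATH and the script runs as root on the KDC; the realm EXAMPLE.COM, the policy name `users` and the listprincs output below are constructed sample data. Once every user principal carries a policy with maxlife set, each password change sets the principal's password expiration to now + maxlife instead of resetting it to none.

```python
"""
Attach a password policy to every user principal so that the policy's
maxlife keeps populating 'Password expiration date' after each change.

Added example; not code from the post above or from MIT krb5. Assumes
kadmin.local on PATH, run as root on the KDC. SAMPLE_LISTPRINCS is
constructed for offline use; in production feed it the real output of
`kadmin.local -q listprincs`.
"""
import subprocess

# Principals that must never receive a user password policy.
SKIP_PREFIXES = ("K/M@", "krbtgt/", "kadmin/")


def user_principals(listprincs_output, realm):
    """Return plain user principals (no '/' component) belonging to realm.

    Lines that do not end in '@REALM' (such as the 'Authenticating as
    principal ...' banner kadmin.local prints first) are ignored."""
    users = []
    for line in listprincs_output.splitlines():
        princ = line.strip()
        if not princ or not princ.endswith("@" + realm):
            continue
        if princ.startswith(SKIP_PREFIXES):
            continue
        name = princ[:-(len(realm) + 1)]
        if "/" in name:  # host/, ldap/, nfs/, user/admin ... not plain users
            continue
        users.append(princ)
    return users


def policy_commands(policy, maxlife, principals, create_policy=True):
    """kadmin commands: optionally create the policy, then attach it."""
    cmds = []
    if create_policy:
        cmds.append('addpol -maxlife "%s" %s' % (maxlife, policy))
    for princ in principals:
        cmds.append("modprinc -policy %s %s" % (policy, princ))
    return cmds


def run_kadmin_local(commands, dry_run=True):
    """Send all commands to a single kadmin.local session on stdin.

    With dry_run=True the command script is returned instead of executed,
    so the output can be reviewed before touching the database."""
    script = "\n".join(commands) + "\n"
    if dry_run:
        return script
    result = subprocess.run(["kadmin.local"], input=script, text=True,
                            capture_output=True, check=True)
    return result.stdout


# Constructed sample of listprincs output, not from a real KDC.
SAMPLE_LISTPRINCS = """\
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
host/kdc1.example.com@EXAMPLE.COM
ldap/ldap1.example.com@EXAMPLE.COM
alice@EXAMPLE.COM
bob@EXAMPLE.COM
pete/admin@EXAMPLE.COM
"""

if __name__ == "__main__":
    users = user_principals(SAMPLE_LISTPRINCS, "EXAMPLE.COM")
    print(run_kadmin_local(policy_commands("users", "30 days", users)))
```

Run it once with the dry run to inspect the generated commands, then call run_kadmin_local(..., dry_run=False); leave create_policy=False when the policy already exists, since addpol fails on a duplicate name.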
...
How to change the password password expiration time- using a telephone
I need to reset a Norstar Call Pilot "password expiration time" to "0", by using a telephone.
I do not want to keep having to change the password.
...
krb5-kdc: Cannot change passwords if password history is used
Hi,
we recently updated our master KDC from Debian Lenny to Debian Squeeze. This included a Kerberos upgrade from 1.6 to 1.8. After the update several users were no longer able to change their passwords, no matter if kpasswd or kadmin.local was used:
change_password: Message size is incompatible with encryption type while changing password for "tex1@UNI-PADERBORN.DE".
All our user principals use a policy which sets a password history of 6. The problem disappeared when we set the history to 1, so that no history was used at all.
Further investigation showed the involved code parts:
#0 krb5_k_decrypt (context=0x6129f0, key=0x636fc0, usage=0, ivec=0x0,
input=0x7fffffffc010, output=0x7fffffffc030)
at ../../../../src/lib/crypto/krb/decrypt.c:54
#1 0x00007ffff6c31739 in krb5_c_decrypt (context=0x6129f0,
keyblock=0x7fffffffc2f0, usage=0, ivec=0x0, input=0x7fffffffc010,
output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:100
#2 0x00007ffff77a4171 in krb5_dbekd_def_decrypt_key_data
(context=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0,
dbkey=0x7fffffffc100,
keysalt=0x0) at ../../../src/lib/kdb/decrypt_key.c:92
#3 0x00007ffff77a3c67 in krb5_dbekd_decrypt_key_data
(kcontext=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0,
dbkey=0x7fffffffc100,
keysalt=0x0) at ../../../src/lib/kdb/kdb5.c:2481
#4 0x00007ffff79c27be in check_pw_reuse (context=0x6129f0,
mkey=0x6171b0, hist_keyblock=0x7fff...
Kerberos password forced expiration fail
I am running the following configuration:
Kerberos 1.4.0
Solaris 9
/usr/lib/ssh/sshd, /usr/bin/ssh
/usr/lib/security/pam_krb5.so.1
My /etc/pam.conf for sshd is:
sshd auth sufficient pam_krb5.so.1 try_first_pass
sshd auth required pam_unix.so.1
I've even included the password entry into the pam.conf
other password sufficient pam_krb5.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
Here is my problem. Using kadmin, I force expire the password using:
kadmin> modprinc -pwexpire now <principal>
After expiration, I then use ssh to log onto a kerberos client,
using the expired kerberos password.
I've modified the local shadow file so that the password field is an "*"!
After expiration, I am still able to log onto the server.
If I expire the shadow file, then I am challenged for a password change...
the password change, via the pam.conf password entry will change the
kerberos password and leave the shadow file with the 0 in the time field of
the shadow file, thus the next time a password is requested, it will again
show the password has expired for that server.
How do I get the sshd / pam_krb5.so.1 to recognize that the kerberos
password has expired???
kinit will show that the password in Kerberos has expired... but that doesn't help me to ensure ...
Fw: Kerberos Password change over WWW
Brett Delle Grazie <bdellegrazie@hotmail.com> wrote:
> Is there an open-source product that is secure and will permit
> password changes to kerberos via the web (e.g. .cgi program or
> similar). I am expecting the user to have already authenticated with
> their existing username / password - this is so they can then change
> their current password.
Try kpasswd.cgi from here:
http://www.umich.edu/~umweb/software/
<<CDC
...
question about MIT Kerberos KDC processing PROXY KDC requests
Hello,
I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about.
I used the MIT Kerberos distribution and was able to make proxiable/proxy tickets work, but had to make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/kdc_util.c, validate_tgs_request():
1. line 1144:
    if (request->kdc_options & NO_TGT_OPTION) {
        if (!krb5_principal_compare(kdc_context, ticket->server,
                                    request_server)) {
            *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
            return(KDC_ERR_SERVER_NOMATCH);
        }
    }
NO_TGT_OPTION is defined as:
    #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | \
                           KDC_OPT_RENEW | KDC_OPT_VALIDATE)
The KDC returns an error here if the server principal in the ticket
does not match the one in the KDC request. I can see how this check
is required for the "forwarded", "renew" and "validate" KDC requests.
However, for a proxy ticket request, it seems that:
- the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for
some R1 and R2
- the KDC request must have a server principal request->server = the
target application server's Kerberos principal
Should the #define NO_TGT_OPTI...
Can a user which "password is expired" change its own password?
Hi,
Obviously, the ALTER USER statement to change an expired password
works from an existing connection.
But can a user - with an expired password - change his/her password?
--
With regards,
Martijn Tonies
Database Workbench - tool for InterBase, Firebird, MySQL, Oracle & MS SQL
Server
Upscene Productions
http://www.upscene.com
Martijn Tonies wrote:
> Hi,
>
> Obviously, the ALTER USER statement to change an expired password
> works from an existing connection.
>
> But can a user - with an expired password - change his/her password?
Depends on whether there is a...
How to synchronize the change of a user password in Kerberos and OpenLDAP.
Hi everybody,
I have the following situation.
I have a Debian environment with user accounts centralized in Kerberos, and OpenLDAP for more information about those users.
In Kerberos I have the hashes of the users of the Debian system, and in OpenLDAP too, because there are many web applications that use that LDAP.
The problem is the password change. How can I make it so that a user can run "passwd" on the Debian system and the password is updated in both Kerberos and LDAP?
Can it be done with the PAM system in common-password?
Thank you everybody.
Sorry about my English.
Regards
Jeluks
...
Can't change kerberos password
I have Kerberos authentication installed on my Solaris 8 x86 machine, and I can log in fine using my AD credentials. When I try to change my password with kpasswd I get the following error: 'kpasswd: unable to get host based service name for realm myrealm.net'. I have the krb5.conf file pointing to our AD domain controller. Is there any special setup for kpasswd in the krb5.conf file?
thank you,
Tyson Oswald
...
Can't change password in Kerberos !
Hi all
I installed a KDC named ker1.eab.com.vn successfully with the krb5-1.6 version, then I added a principal named hung@EAB.COM.VN. The above steps went smoothly, but there is a problem when I change the password for hung@EAB.COM.VN.
kpasswd
Password for hung@EAB.COM.VN:
Enter new password: :
Enter it again: :
kpasswd: Connection timed out changing password
After that I went to a Windows computer and installed kfw-3.2 on it. I got the ticket for hungtt@EAB.COM.VN and changed the password. This software shows me the following error:
"requested protocol version not supported"
The same action on another Linux client gives another error:
"requested protocol version not supported changing password"
It has taken me a lot of time to search the Internet without any good result. Please help me find out this problem.
Thank you very much
Hung Ta
...
Password Changing failing from Windows to MIT KDC
I posted on this a few days ago but haven't received any replies, so I
figure it may have fallen through the cracks.
It seems that with the current release of KfW, password changing fails to
either a 1.3.4 or 1.4.2 KDC. Yet, earlier versions of KfW don't have this
problem. Similarly with Windows native Kerberos password changing. I
haven't done testing of the latter myself, but a colleague who works on
Windows has.
The message he receives is this:
Server error: Failed decrypting request
The KDC logs show a successful issuing of the kadmin/changepw service
credential, but no further action indicating a change password
transaction.
I suspected a client host firewall problem (re: UDP 464), but the problem
continues even with no firewall rules in place.
Has something changed with the new versions of KfW?
Thanks.
Mike
_____________________________________________________________________
Mike Friedman System and Network Security
mikef@ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
_____________________________________________________________________