


Problem with MS Kerberos KDC and MIT KRB5

Hi,

I have a KDC Windows 2000 and a Linux Server (RH 7.3 with krb5-1.3.1).
I can authenticate with kinit without problem, but if I type an incorrect
password the KDC w2000 counts two attempts. The problem is that the KDC locks
the account after five attempts ...

When I set "Don't require preauthentication" in the KDC it only counts one
attempt, but the account never locks.

Any ideas?

Thanks...

-- 
Diego Woitasen
www.lanux.linux.org.ar
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

diegows (3)
5/28/2004 2:33:23 PM
comp.protocols.kerberos

>>>>> "Diego" == Diego Woitasen (Lanux) <diegows@linux.org.ar> writes:

    Diego> Hi, I have a KDC Windows 2000 and a Linux Server (RH 7.3
    Diego> with krb5-1.3.1).  I can authenticate with kinit without
    Diego> problem, but if I type an incorrect password the KDC w2000
    Diego> counts two attempts. The problem is that the KDC locks the
    Diego> account after five attempts ...

This is ticket #1692 in our bug database, resolved in krb5 1.3.2.

hartmans (370)
5/28/2004 7:01:55 PM